jfarre20
just joined
Topic Author
Posts: 4
Joined: Fri Sep 09, 2022 4:32 am

Vlan across two Bridges?

Fri Sep 09, 2022 5:01 am

I'm trying to find a solution to this strange network setup I've inherited from a managed wireless provider that is on their way out the door.

I've gotten almost everything working, except one vlan. I've attached a ms-paint mock up of the network layout.

Basically I have a fiber "wan" with some vlans attached, coming into a hEX S running ROS 7.5 in the SFP port.
This "wan" is on this port, untagged.
It also has 5 vlans tagged: 2, 36, 41, 200, 1061


The outcome is that we want ports 1, 2, 3 to be untagged traffic for some of these vlans, and ports 5-6 to be the community network.
This is where it gets weird, and I know it's strange but I don't really want to change it, it works. There's lots of crazy configuration that I can barely decipher, which seems to talk to a Ruckus gateway and give out a specific subnet depending on the MAC address connecting to the WAP. Essentially there's about 888 vlans passed thru to the WAPs, all generated within the MikroTik on a bridge, with DHCP, NAT rules, firewall rules, scripts, etc., containing those two ports (4, 5) and the 888 vlans.

I've achieved everything so far except getting one vlan (1061) from the fiber onto the WAP, and routing access into the VoIP vlan when a specific IP is attempted to be accessed from anywhere on the 888 vlans on the community network side. I can actually ping everything from all vlans from the MikroTik terminal, it's so tantalizingly close.

Here's what I've done so far:
The device was preconfigured with Wan on eth1 from a cable modem, ports 2, 3 inactive, and ports 4,5 + the 888 local vlans on a Bridge

I removed the wan configuration for eth 1, got rid of the modem, connected the newly installed fiber to sfp
I created a bridge, put the SFP and copper ports 1,2,3 + the vlans I want on this bridge. This is all working after vlan filtering, tagging, untagging, changing rules to use the bridge, etc.
Here's what I have working:
vlan 2 on the fiber comes out untagged on eth1
I can manage the mtk remotely from a machine on Vlan 2 on the other side of the fiber
vlan 36 on the fiber comes out untagged on eth2
vlan 41 on the fiber comes out untagged on eth3

I've left the existing bridge that was already configured for ports 4,5, and the 888 internal vlans.
I've adjusted the firewall rules and nat rules to use the SFPwan bridge, and the wap and its strange configuration is working and is online. All virtual ssids, and mac address registration based routing is functional.

Here's where I'm stuck:
I want to ONLY pass through vlan 1061 from the fiber into the bridge running the WAP ports. (Aka, tagged on ports 4,5). I don't want any of those other vlans on this WAP bridge back feeding.
I want to re-route traffic to a specific IP on vlan 200 when a device on the internal vlans 2-888 requests that IP (almost treating it like a transparent VPN, maybe mangle and routing mark?)

I've recently discovered that you can't send a vlan across two bridges, so I'm stumped. I don't have enough ports free to make a loop cable to physically bridge 1061 across the two - it was the only idea I had.
I cannot have all ports on one bridge, it needs to be separate to prevent conflicting vlans from back feeding into the fiber.
Maybe it can be done but all the strange internal config would need to be re-engineered.

Any suggestions? We're expecting very little traffic on 1061 and 200, it'd be idle most of the time. I'm OK with any dirty hacks that hurt performance on those vlans.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlan across two Bridges?

Fri Sep 09, 2022 12:55 pm

Just to understand, why is the ISP feeding you a bunch of VLANs?
They should only be providing internet and hopefully with a public IP.
It is not unusual for an ISP to provide different services using vlans over that ethernet or wireless link (such as voip, tv, and internet), in this case it seems less clear.
 
jfarre20
just joined
Topic Author
Posts: 4
Joined: Fri Sep 09, 2022 4:32 am

Re: Vlan across two Bridges?

Fri Sep 09, 2022 2:54 pm

Just to understand why is the ISP feeding you a bunch of VLANS?
The ISP is providing a CG-Nat with DHCP. We're injecting tagged vlans via a smart switch at the dmarc in between the ISP and the fiber distribution switches

There is only one pair of fiber to the 52 cottages, we're trying to borrow the existing wiring.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlan across two Bridges?

Fri Sep 09, 2022 4:18 pm

Thanks, above my level of knowledge and just wanted to make sure, before I wasted your time LOL. Others will chime in I hope.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Vlan across two Bridges?  [SOLVED]

Fri Sep 09, 2022 4:24 pm

You could send a VLAN between two bridges, but that would involve bridge stacking, something like this:
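# Two existing bridges, each with its own ports
/interface bridge
add name=bridge1
add name=bridge2

# Third bridge that joins the shared VLAN
add name=vlanbridge

# One VLAN interface per bridge; vlan-id defaults to 1 if omitted
/interface vlan
add name=b1v1466 interface=bridge1 vlan-id=1466
add name=b2v1466 interface=bridge2 vlan-id=1466

# Bridge the two VLAN interfaces together
/interface bridge port
add bridge=vlanbridge interface=b1v1466
add bridge=vlanbridge interface=b2v1466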
Mind that this really messes up the readability of the config and kills performance (only one bridge can be HW offloaded, the others do everything in software). So you may want to redesign the L2 stuff in your hEX S to have only a single bridge spanning all the ports.
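
The stacking pattern from the post above, applied to the thread's VLAN 1061 so that only that VLAN crosses between the two bridges. This is an added example, not part of the original post; the bridge names `bridge-wan` and `bridge-wap`, the join bridge `br1061`, and the port names `sfp1`, `ether4` and `ether5` are assumptions, as is `vlan-filtering=yes` being enabled on both parent bridges.

```routeros
# Added example; all interface and bridge names are assumed, not taken from the thread.

# Join bridge: carries nothing but the two VLAN 1061 interfaces below,
# so no other VLAN from either parent bridge can cross over.
/interface bridge
add name=br1061 comment="joins VLAN 1061 of bridge-wan and bridge-wap"

# One VLAN interface per parent bridge, both on VLAN ID 1061.
/interface vlan
add name=wan-v1061 interface=bridge-wan vlan-id=1061
add name=wap-v1061 interface=bridge-wap vlan-id=1061

/interface bridge port
add bridge=br1061 interface=wan-v1061
add bridge=br1061 interface=wap-v1061

# With VLAN filtering enabled, the parent bridge itself has to be a tagged
# member of VLAN 1061, otherwise tagged frames never reach the VLAN interface.
# If an entry for 1061 already exists on a bridge, extend its tagged list
# instead of adding a second entry.
/interface bridge vlan
add bridge=bridge-wan vlan-ids=1061 tagged=bridge-wan,sfp1
add bridge=bridge-wap vlan-ids=1061 tagged=bridge-wap,ether4,ether5

# Checks: confirm the VLAN table membership, then confirm that MAC addresses
# from both sides are being learned on the join bridge.
/interface bridge vlan print
/interface bridge host print where bridge=br1061
```

Review the VLAN table output for both parent bridges after applying this: VLAN 1061 should be the only ID that appears on both.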
 
jfarre20
just joined
Topic Author
Posts: 4
Joined: Fri Sep 09, 2022 4:32 am

Re: Vlan across two Bridges?

Sat Sep 10, 2022 1:00 am

You could send a VLAN between two bridges, but that would involve bridge stacking...
Great that worked!

Ran a speed test on the community network side - Performance is still at least 100mbps, which is what the WAN is capped to - so I think it's fast enough.

Thank you!
 
Lokamaya
Frequent Visitor
Posts: 52
Joined: Thu Nov 11, 2021 4:40 am
Location: Bandung

Re: Vlan across two Bridges?

Mon Mar 25, 2024 8:06 am

You could send a VLAN between two bridges, but that would involve bridge stacking, something like this:
I just know this is possible. Thanks.
