dot02
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

"Native" Untagged Vlan1 on a trunk

Tue Oct 04, 2022 4:59 pm

Hi team,
I ran into an issue that I am apparently not the only one to have.
On one site, I am currently migrating from a Cisco edge router to a MT RB3011, v7.5 stable.

eth4+5 bundled as a LAG to a switch, with a trunk on top of it (several tagged vlans, e.g. vl100 (transit VLAN to the “inside” firewall); vlan 2 (Management)…). Traffic from/to these vlans is working perfectly. The tricky part is that I also have a legacy VLAN1 (default vlan on Cisco) which cannot be decommissioned yet due to a technical limitation.

I know it’s a bad idea to use VLAN1 (as a default VLAN but also as a rule of thumb), and it will eventually be removed a few weeks after the migration (Q1 2023 at the latest). In the meantime, I must find a way to route this traffic from VLAN1 as for the other VLANs. I also have to use the same physical cable, as there are no additional ones available and the racks are in different rooms.

In Cisco language, what I want is just a “native vlan 1” on the trunk. I’ve tried to configure the switchport as vlan-mode=fallback, vlan-header=add-if-missing and Default-vlan-id=1 but it cuts me off (also for the tagged vlans).

When I leave the default settings (vlan-mode=disabled, vlan-header=leave-as-is and Default-vlan-id= not set), I see packets with VLAN ID=1 coming into the interface eth4 (LLDP and 802.2 traffic) but no actual L3 payload (i.e. nothing from the source IP I am trying to ping from). Tagged vlans are working fine in this case, but not my vlan 1.

I read these posts here which gave me some hints, but I don’t really understand the logic behind it.
viewtopic.php?p=780499
viewtopic.php?p=563675
viewtopic.php?p=958993


What am I doing wrong?

Cheers
Denis
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: "Native" Untagged Vlan1 on a trunk

Tue Oct 04, 2022 11:15 pm

Post your configuration
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: "Native" Untagged Vlan1 on a trunk

Wed Oct 05, 2022 1:02 am

show-sensitive=no
@kennnnnnnneth
remember to not "nicely" correct others,
especially with wrong instructions.

Miao.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: "Native" Untagged Vlan1 on a trunk

Wed Oct 05, 2022 2:31 am

More instructive is that with vers7 the sensitive command is no longer required.
What is good to say is: please post full config /export (minus serial number of router and any public WANIP info).
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: "Native" Untagged Vlan1 on a trunk

Wed Oct 05, 2022 3:31 am

I think @rextended's point was that the opposite of show-sensitive is hide-sensitive. show-sensitive=no is a syntax error.

hide-sensitive is the default in v7, but it still shows the SN (which is the "key" to cloud based config backups, if I understood one of @rextended's previous posts).

So you still need to look for information you feel is private. I don't know if the license key "software id" is sensitive, but I always remove it when I post configs. For example:

# oct/04/2022 20:24:18 by RouterOS 7.4
# software id = *******
#
# model = RB760iGS
# serial number = *********
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: "Native" Untagged Vlan1 on a trunk

Wed Oct 05, 2022 10:34 am

@anav, ;)

@Buckeye

show-sensitive=no is a syntax error.

if I understood one of @rextended's previous posts
Exactly :)
 
dot02
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

Re: "Native" Untagged Vlan1 on a trunk

Wed Oct 05, 2022 12:30 pm

Thanks for your help, guys. Yes, the show-sensitive parameter was already set to hide sensitive data a while ago. I don't remember if the switch was made between the 6.x and 7.x releases, but it is quite likely. I think it was around that time.

I stripped the really unrelated lines of config (LCD screen, NTP, scripts & scheduling, disabled FW rules...) for better readability for those who will run into the same issue and read this post in the future.
The config is quite simple as I'm still in the staging phase. Here we go:
# oct/05/2022 01:12:48 by RouterOS 7.5

# software id = X
#
# model = RouterBOARD 3011UiAS
# serial number = XXX

/interface bridge
add name=loopback0

/interface ethernet
set [ find default-name=ether1 ] mac-address=08:55:31:D2:37:07 name=eth1-WAN
set [ find default-name=ether4 ] mac-address=08:55:31:D2:37:0A name="eth4 - Transit LAG 10"
set [ find default-name=ether5 ] mac-address=08:55:31:D2:37:0B name="eth5 - Transit LAG 10"
set [ find default-name=ether9 ] mac-address=08:55:31:D2:37:0A name="eth9 - DMZ"
set [ find default-name=ether10 ] mac-address=08:55:31:D2:37:11 name="eth10 - MGT" poe-out=off

/interface vlan
add interface="eth9 - DMZ" name="vlan90 - DMZ" vlan-id=90
add interface=eth1-WAN loop-protect=off name="vlan2900 - ISP WAN" vlan-id=2900

/interface bonding
add arp-ip-targets=0.0.0.0 lacp-rate=1sec mode=802.3ad name=LAG10 slaves="eth4 - Transit LAG 10,eth5 - Transit LAG 10"

/interface vlan
# => This is my vlan that I don't get any reply from
add interface=LAG10 name="vlan1 - Legacy" vlan-id=1
add interface=LAG10 name="vlan2 - MGT" vlan-id=2
add disabled=yes interface=LAG10 name="vlan10 - SERVER-PRIVATE" vlan-id=10
add disabled=yes interface=LAG10 name="vlan15 - SERVER-PUBLIC" vlan-id=15
add disabled=yes interface=LAG10 name="vlan20 - WORKSTATIONS" vlan-id=20
add disabled=yes interface=LAG10 name="vlan30 - IPTEL" vlan-id=30
add disabled=yes interface=LAG10 name="vlan40 - PRINTERS" vlan-id=40
add disabled=yes interface=LAG10 name="vlan50 - LAB" vlan-id=50
add disabled=yes interface=LAG10 name="vlan60 - WLAN" vlan-id=60
# => Working OK
add interface=LAG10 name="vlan100 - TRANSIT" vlan-id=100

/interface ethernet switch port
# => This is what I tried and that cut me off. When I remove it, VLAN100 traffic works correctly, but still no traffic on vlan1
set 4 default-vlan-id=1 vlan-header=add-if-missing

/interface list
add comment=defconf name=WAN
add comment=TRANSIT name=TRANSIT
add comment="Out-of-Band Management" name=MGT
/interface bridge filter
add action=set-priority chain=output disabled=yes dst-port=67 ip-protocol=udp log=yes log-prefix="Set CoS6 on DHCP request" mac-protocol=ip new-priority=6 out-interface=*D passthrough=yes

/interface bridge port
add bridge=*E ingress-filtering=no interface=*D

/ip firewall connection tracking
set enabled=yes

/ip neighbor discovery-settings
set discover-interface-list=all

/ip settings
set max-neighbor-entries=8192 rp-filter=loose

/interface list member
add comment="WAN" interface=eth1-WAN list=WAN
add comment="Management Interface" interface="eth10 - MGT" list=MGT
add comment=Transit interface=LAG10 list=TRANSIT
add comment="WAN" interface="vlan2900 - ISP WAN" list=WAN

/ip address
add address=172.16.2.10/24 comment=Management interface="vlan2 - MGT" network=172.16.2.0
add address=172.16.100.2/24 comment="Transit vlan 100" interface="vlan100 - TRANSIT" network=172.16.100.0
add address=172.16.0.1 interface=loopback0 network=172.16.0.1
add address=172.16.90.1/24 comment="Direct Internet Access DMZ" interface="eth9 - DMZ" network=172.16.90.0
# => This is the IP I don't get any reply from
add address=192.168.127.254/23 comment="Vlan1 - Legacy" interface="vlan1 - Legacy" network=192.168.126.0

/ip firewall address-list
add address=172.20.20.0/24 disabled=yes list=NAT
add address=172.20.100.0/24 list=NAT

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=drop chain=input comment="DROP INVALID PACKETS" connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment="ACCEPT ESTABLISHED AND RELATED CONNECTIONS" connection-state=established,related
add action=accept chain=input comment=STAGING!!!!
add action=accept chain=forward comment=STAGING!!!!
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="CLEANUP RULE - DROP ALL PACKETS COMING FROM WAN (FWD CHAIN)" in-interface=pppoe-WAN log=yes

/ip firewall nat
add action=masquerade chain=srcnat dst-address=!172.16.0.0/12 out-interface=pppoe-WAN src-address=192.168.126.0/23

/ip route
add disabled=no distance=1 dst-address=172.16.0.0/16 gateway=172.16.100.1 pref-src="" routing-table=main suppress-hw-offload=no
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: "Native" Untagged Vlan1 on a trunk  [SOLVED]

Wed Oct 05, 2022 2:40 pm

There do not appear to be any valid bridge ports; are you using this purely as a router? If so, leave the switch settings at their default values and just attach the IP address to the bond interface:

/interface vlan
# remove this entry (the address goes on the bond instead)
add interface=LAG10 name="vlan1 - Legacy" vlan-id=1
...
/interface ethernet switch port
# remove this entry (leave the switch settings at their defaults)
set 4 default-vlan-id=1 vlan-header=add-if-missing
/ip address
add address=192.168.127.254/23 comment="Vlan1Native - Legacy" interface=LAG10 network=192.168.126.0


The following refer to non-existent interfaces and can be removed:
/interface bridge filter
add action=set-priority chain=output disabled=yes dst-port=67 ip-protocol=udp log=yes log-prefix="Set CoS6 on DHCP request" mac-protocol=ip new-priority=6 out-interface=*D passthrough=yes
/interface bridge port
add bridge=*E ingress-filtering=no interface=*D


From the MAC addresses under /interface ethernet you have likely restored a .backup from a different Mikrotik - this clones the MAC addresses of the original device, which will cause issues if both are present on the same L2 network. You can reset the interface MAC addresses to fix this.
 
dot02
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

Re: "Native" Untagged Vlan1 on a trunk

Wed Oct 05, 2022 3:29 pm

thanks for your reply and hints.

You are right regarding the bridge ports in my config. They aren't used... yet! But I need those to set up a loopback interface which in turn will be used for OSPF and GRE/IPsec tunnels, which will happen in the next couple of days. So I will be needing these bridge ports.
From the MAC addresses under /interface ethernet you have likely restored a .backup from a different Mikrotik
Absolutely! I indeed took a running config from another site as a good part of the config is similar. These devices will not see each other on L2, however you have a good point, I will clean this up immediately.

I will also try your config and report here asap!
 
dot02
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

Re: "Native" Untagged Vlan1 on a trunk

Wed Oct 05, 2022 5:54 pm

I can confirm, it works! Thanks a lot for your hints, I would never have found the solution myself.

So, to sum up for others who might have a similar issue: the key is to configure an IP address directly on the interface (physical ethX or LAG, if any) for the native VLAN, but NOT to create a VLAN 1 on the LAG or physical interface itself.
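The three points tdw raised against the posted export (a vlan-id=1 sub-interface where the address belongs on the bond, bridge entries bound to the non-existent `*D`/`*E` interfaces, and MAC addresses cloned from a restored .backup) can be checked mechanically before an export is applied or posted. The following script is an added example, not code from the thread or from MikroTik; it parses a constructed export modelled on the one above and flags all three issues.

```python
import re

# Constructed sample export reproducing the three findings raised in the thread.
SAMPLE_EXPORT = """\
/interface ethernet
set [ find default-name=ether4 ] mac-address=08:55:31:D2:37:0A name="eth4 - Transit LAG 10"
set [ find default-name=ether9 ] mac-address=08:55:31:D2:37:0A name="eth9 - DMZ"
/interface bonding
add mode=802.3ad name=LAG10 slaves="eth4 - Transit LAG 10,eth5 - Transit LAG 10"
/interface vlan
add interface=LAG10 name="vlan1 - Legacy" vlan-id=1
add interface=LAG10 name="vlan100 - TRANSIT" vlan-id=100
/interface bridge port
add bridge=*E ingress-filtering=no interface=*D
/ip address
add address=192.168.127.254/23 interface="vlan1 - Legacy" network=192.168.126.0
"""

KV = re.compile(r'(\S+?)=("([^"]*)"|\S+)')  # key=value or key="quoted value"

def parse_export(text):
    """Return [(section, {key: value}), ...] for every add/set line of an export."""
    items, section = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue                      # blank line or export header comment
        if line.startswith("/"):
            section = line                # menu path, e.g. "/interface vlan"
            continue
        items.append((section, {k: (q or v) for k, v, q in KV.findall(line)}))
    return items

def review(text):
    """Flag the pitfalls discussed in the thread; returns a list of finding strings."""
    findings, macs = [], {}
    for sec, a in parse_export(text):
        # 1. A vlan-id=1 sub-interface only sees frames tagged VID 1; untagged
        #    ("native") traffic has to be addressed on the parent interface itself.
        if sec == "/interface vlan" and a.get("vlan-id") == "1":
            findings.append(f"vlan-id=1 on {a['name']!r}: address {a['interface']} directly")
        # 2. RouterOS exports dangling references as *<id>; such entries do nothing.
        bad = [v for k, v in a.items() if k in ("interface", "bridge", "out-interface") and v.startswith("*")]
        if bad:
            findings.append(f"{sec}: references non-existent interface(s) {bad}")
        # 3. Same MAC on two ports: typical after restoring another unit's .backup.
        if sec == "/interface ethernet" and "mac-address" in a:
            macs.setdefault(a["mac-address"].upper(), []).append(a.get("name", "?"))
    for mac, names in macs.items():
        if len(names) > 1:
            findings.append(f"duplicate MAC {mac} on {names}")
    return findings
```

Run `review()` over a real `/export` (with the serial number and public addresses already removed) to get the same three classes of finding on your own configuration.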
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: "Native" Untagged Vlan1 on a trunk

Thu Oct 06, 2022 10:06 am

Wow, thank you for reminding me why I don't visit this forum very often <3
Is it because you can't provide instructions without checking them first?
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: "Native" Untagged Vlan1 on a trunk

Thu Oct 06, 2022 1:33 pm

Now ken, syntax is important and making up sheite is really not a good plan. If you got called out for it, just admit and move on and do better next time.
This is not a coddling forum. :-)
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: "Native" Untagged Vlan1 on a trunk

Sat Oct 08, 2022 4:02 am

It is natural to feel defensive and uncomfortable when an honest mistake is pointed out in public.

The point is, try not to take comments as a personal attack.

Pointing out incorrect or bad advice is "standard operating procedure" in any technical forum I am aware of.

Many technical experts tend to be quite blunt and straight to the point, and probably tend more toward the "thinking" vs "feeling" personality types in the Myers-Briggs personality types.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: "Native" Untagged Vlan1 on a trunk

Sat Oct 08, 2022 2:59 pm

I understand your advice was well intentioned, but we would be remiss for not correcting the error.
I often get schooled about my horrible advice, and it's always a learning opportunity.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: "Native" Untagged Vlan1 on a trunk

Sat Oct 08, 2022 10:38 pm

show-sensitive=no
@kennnnnnnneth
remember to not "nicely" correct others,
especially with wrong instructions.

Miao.
Someone explain to me where the rude part is ...
there is also "Miao" written at the end ...
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: "Native" Untagged Vlan1 on a trunk

Sun Oct 09, 2022 1:22 am

I didn't even know what "Miao" meant until you pointed it out and I used DeepL to translate. I had assumed it was another form of Ciao, but it apparently is just "Meow", i.e. "what a cat says".
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: "Native" Untagged Vlan1 on a trunk

Sun Oct 09, 2022 1:42 am

Miao (Meow)... because we both have a cat in the avatar :lol:
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: "Native" Untagged Vlan1 on a trunk

Sun Oct 09, 2022 12:17 pm

It seems that cats also meow differently in different parts of the world :D
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: "Native" Untagged Vlan1 on a trunk

Sun Oct 09, 2022 1:27 pm

Meoaderchi, I thought, was the Italian "meow"... I was wondering why rextended was giving us the Chinese "meow".
