Community discussions

MikroTik App
 
mattycourtney
just joined
Topic Author
Posts: 6
Joined: Thu Dec 01, 2022 5:03 pm

Help needed with bridge VLANs & DHCP

Thu Dec 01, 2022 5:18 pm

I'm trying to create two VLANs on a bridge; vlan10-untrusted and vlan20-AE. Ether1-2 should be "hybrid ports" with vlan10 being the untagged VLAN, and Ether3 should be an access port for vlan10.

My ISP's GPON ONT is currently connected to Ether16, but I intend to replace that with a GPON SFP when it arrives. A PPPoE client is configured on both of those interfaces.

I can't figure out where I've gone wrong. My config is below, and I hope some fresh eyes can pick up what I've missed.
# dec/01/2022 21:50:54 by RouterOS 7.6
# software id = TDSR-7LYJ
#
# model = CCR2004-16G-2S+
/interface bridge
add add-dhcp-option82=yes admin-mac=18:FD:74:A2:32:B7 auto-mac=no dhcp-snooping=yes fast-forward=no frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Master Bedroom"
set [ find default-name=ether2 ] comment="Guest Bedroom"
set [ find default-name=ether3 ] comment="Living Room"
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=ether14 ] disabled=yes
set [ find default-name=ether15 ] comment=Management
set [ find default-name=ether16 ] comment="Etisalat ONT"
set [ find default-name=sfp-sfpplus1 ] comment="SFP GPON ONT"
set [ find default-name=sfp-sfpplus2 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=sfp-sfpplus1,ether16 name=pppoe-etisalat user=username
/interface vlan
add interface=bridge1 name=vlan10-untrusted vlan-id=10
add interface=bridge1 name=vlan20-AE vlan-id=20
/interface list
add comment="contains all WAN interfaces" name=wan
add comment="contains all trusted interfaces" name=trusted
add comment="contains all untrusted interfaces" include=wan name=untrusted
add comment="contains all VLAN interfaces" name=vlans
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add comment=vlan20-AE name=vlan20_pool ranges=10.20.0.100-10.20.0.254
add comment=vlan10-untrusted name=vlan10_pool ranges=10.10.0.100-10.10.0.254
/ip dhcp-server
add address-pool=vlan20_pool comment=vlan20-AE interface=vlan20-AE name=vlan20_dhcp
add address-pool=vlan10_pool comment=vlan10-untrusted interface=vlan10-untrusted name=vlan10_dhcp
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set *0 use-ipv6=no use-upnp=no
/caps-man manager interface
set [ find default=yes ] forbid=yes
/interface bridge port
add bridge=bridge1 comment="Master Bedroom (WAP)" interface=ether1 pvid=10
add bridge=bridge1 comment="Guest Bedroom (WAP)" interface=ether2 pvid=10
add bridge=bridge1 comment="Living Room" frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 vlan-ids=10
add bridge=bridge1 tagged=ether1,ether2 vlan-ids=20
/interface list member
add interface=sfp-sfpplus1 list=wan
add interface=ether16 list=wan
add interface=pppoe-etisalat list=wan
add interface=vlan10-untrusted list=untrusted
add interface=vlan10-untrusted list=vlans
add interface=vlan20-AE list=vlans
add interface=vlan20-AE list=trusted
add interface=ether15 list=trusted
/ip address
add address=10.10.0.1/24 comment=vlan10-untrusted interface=vlan10-untrusted network=10.10.0.0
add address=10.20.0.1/24 comment=vlan20-AE interface=vlan20-AE network=10.20.0.0
/ip dhcp-server network
add address=10.10.0.0/24 comment=vlan10-untrusted gateway=10.10.0.1
add address=10.20.0.0/24 comment=vlan20-AE gateway=10.20.0.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=102400KiB max-concurrent-queries=10000 max-concurrent-tcp-sessions=50 use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
/ip dns static
add address=8.8.8.8 name=dns.google
add address=8.8.4.4 name=dns.google
/ip firewall filter
add action=accept chain=input comment="accept established, related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="accept DNS & DHCP requests" dst-port=53,67,68 in-interface-list=!wan protocol=udp
add action=accept chain=input comment="accept management from trusted interfaces" dst-port=22,8291 in-interface-list=trusted protocol=tcp
add action=accept chain=input comment="accept icmp echo request" icmp-options=8:0-255 protocol=icmp
add action=drop chain=input comment="default drop" in-interface=!ether15
add action=accept chain=forward comment="forward established, related" connection-state=established,related in-interface-list=wan
add action=accept chain=forward comment="forward all traffic from VLANs to WAN" in-interface-list=vlans out-interface-list=wan
add action=accept chain=forward comment="forward from trusted to untrusted" in-interface-list=trusted out-interface-list=untrusted
add action=drop chain=forward comment="drop untrusted to trusted" in-interface-list=untrusted out-interface-list=trusted
add action=drop chain=forward comment="defaut drop"
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade traffic leaving WAN interfaces" out-interface-list=wan
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Dubai
/system identity
set name=CCR2004-16G-2S+
/system leds
add interface=pppoe-etisalat leds=user-led type=interface-status
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
/tool mac-server mac-winbox
set allowed-interface-list=trusted
Nothing is receiving DHCP on any of the ports, and I cannot figure out why.
Last edited by mattycourtney on Thu Dec 01, 2022 8:02 pm, edited 3 times in total.
 
mattycourtney
just joined
Topic Author
Posts: 6
Joined: Thu Dec 01, 2022 5:03 pm

Re: Help with bridge VLANS & DHCP

Thu Dec 01, 2022 5:23 pm

As far as I can tell, VLAN's are correctly configured as tagged / untagged on the bridge ports
/interface/bridge/vlan/print 
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
# BRIDGE   VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
0 bridge1        10                  ether1          
                                     ether3          
                                     ether2          
1 bridge1        20  ether1                          
                     ether2                          
Last edited by mattycourtney on Thu Dec 01, 2022 5:31 pm, edited 1 time in total.
 
mattycourtney
just joined
Topic Author
Posts: 6
Joined: Thu Dec 01, 2022 5:03 pm

Re: Help needed with bridge VLANs & DHCP

Thu Dec 01, 2022 7:57 pm

The bridge is seeing the MAC addresses of devices that are plugged in to it, so at this point I'm assuming that it's a DHCP misconfiguration. I'm really struggling to figure out what's incorrect though.
/interface/bridge/host/print 
Flags: D - DYNAMIC; L - LOCAL; E - EXTERNAL
Columns: MAC-ADDRESS, VID, ON-INTERFACE, BRIDGE
#     MAC-ADDRESS        VID  ON-INTERFACE  BRIDGE 
0 DL  18:FD:74:A2:32:B7       bridge1       bridge1
1 D E 00:1D:63:4F:DB:5A   10  ether1        bridge1
2 DL  18:FD:74:A2:32:B7   10  ether1        bridge1
3 D E 34:3A:20:C5:9E:22   10  ether2        bridge1
4 D E 34:3A:20:C5:9F:F2   10  ether1        bridge1
5 D E 38:42:0B:E6:2D:15   10  ether3        bridge1
6 D E 70:61:BE:FF:25:13   10  ether1        bridge1
7 D E 8E:64:D6:3C:97:48   10  ether2        bridge1
8 DL  18:FD:74:A2:32:B7   20  ether1        bridge1
 
mattycourtney
just joined
Topic Author
Posts: 6
Joined: Thu Dec 01, 2022 5:03 pm

Re: Help needed with bridge VLANs & DHCP

Thu Dec 01, 2022 8:21 pm

I finally figured it out! I needed to add the bridge itself as a tagged port to each vlan
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1,ether2 vlan-ids=20
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Help needed with bridge VLANs & DHCP

Sat Dec 03, 2022 12:08 pm

The Nth new topic about VLAN+DHCP last time ... I wonder why?
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Help needed with bridge VLANs & DHCP

Sat Dec 03, 2022 6:33 pm

Because while the whole thing is quite simple, especially after you get it, some details may be less obvious when you're starting.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Help needed with bridge VLANs & DHCP

Sat Dec 03, 2022 7:40 pm

I guess one of most under-valued topics/tutorials is post explaining all the bridge functionalities by forum legend @sindy. I'd say that every new Mikrotik admin (i.e. people who leave QuickSet trap in quest for better configuration) should read it before even trying to change L2 setup (let alone adding VLANs into the mix).
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Help needed with bridge VLANs & DHCP

Sat Dec 03, 2022 7:49 pm

Yes please all the admins and IT geeks go read that post, for home users, not a huge recommendation and its often more complex than they can handle.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Help needed with bridge VLANs & DHCP

Sat Dec 03, 2022 7:50 pm

The Nth new topic about VLAN+DHCP last time ... I wonder why?
Youtube misdirection :-)
 
mattycourtney
just joined
Topic Author
Posts: 6
Joined: Thu Dec 01, 2022 5:03 pm

Re: Help needed with bridge VLANs & DHCP

Sat Dec 03, 2022 8:07 pm

I guess one of most under-valued topics/tutorials is post explaining all the bridge functionalities by forum legend @sindy. I'd say that every new Mikrotik admin (i.e. people who leave QuickSet trap in quest for better configuration) should read it before even trying to change L2 setup (let alone adding VLANs into the mix).
Funnily enough, it was after I found that post that I was finally able to solve it (: @sindy is indeed a legend!
 
User avatar
Buckeye
Forum Veteran
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Help needed with bridge VLANs & DHCP

Sun Dec 04, 2022 2:38 am

Youtube misdirection :-)
Which youtube videos are especially bad? With the reasons for your disliking them, i.e. they are "just wrong" (are factually incorrect, or give incorrect "explanations" for why things are done), "they are confusing" (not well explained, sometimes giving seemingly conflicting information), "they are not well prepared and just ramble on", etc.

Do you think there are any good ones?
 
User avatar
Buckeye
Forum Veteran
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Help needed with bridge VLANs & DHCP

Sun Dec 04, 2022 3:33 am

I guess one of most under-valued topics/tutorials is post explaining all the bridge functionalities by forum legend @sindy. I'd say that every new Mikrotik admin (i.e. people who leave QuickSet trap in quest for better configuration) should read it before even trying to change L2 setup (let alone adding VLANs into the mix).
With regard to @sindy's RouterOS bridge mysteries explained, while arguably one of the best discussions about the vlan-filtering bridge (and it was one of my primary sources of learning how MikroTik filtering bridge works, coming from EdgeOS ER-X switch0), there are some things that I don't agree with. And considering the source, I have to be very careful in disagreeing, but I think @sindy should review and possibly edit his post if he is convinced by my argument:

In [url-viewtopic.php?p=849580#p849580]post #1[/url] of RouterOS bridge mysteries explained, the following is stated:
And now the confusing points.

Since, when you add a “bridge”,
  • all the three elements (interface of a router, port of a switch, and the switch itself) are created,
  • the relationship among the three is a fixed one,
  • none of the elements has got any configuration parameter that would overlap with a configuration parameter of the remaining two,
the configuration parameters for all the three elements have been grouped on a single row of the /interface bridge table.

In particular:
  • parameters bearing the same names as those on the /interface bridge port rows, such as pvid or ingress-filtering, are parameters of the router-facing port of the virtual switch
  • parameters bearing the same names as those on the /interface ethernet rows, such as mtu or arp-timeout, are parameters of the switch-facing interface of the router
  • parameters that don’t fit to any of the two groups above are mostly parameters of the virtual switch; an exception are the admin-mac and auto-mac parameters, which are also parameters of the switch-facing interface of the router.
The name item is common for all the three elements. So when specifying the membership of the router-facing port of the switch in VLANs, the same name is used to identify the virtual switch and to identify the router-facing port:
/interface bridge vlan
add bridge=bridge-row-name vlan-ids=10,… tagged=bridge-row-name,…


In the bridge filter, the relationship of the frame to the router-facing port of the switch determines the chain to be used: input handles frames that egress from the virtual switch through that port, output handles frames that ingress to the virtual switch through that port, and forward handles frames that bypass that port.
The part I take issue with is

In particular:
  • parameters bearing the same names as those on the /interface bridge port rows, such as pvid or ingress-filtering, are parameters of the router-facing port of the virtual switch
Where I disagree is what /interface bridge port rows apply to; my claim is that they apply to the real exterior switch-ports, not the "internal" router-facing trunk port of the virtual switch. In other words these are analogous to configuring the switch-ports of the vlan-aware switch other than the "uplink" to the CPU/routing engine block; that uplink trunk is controlled by the /interface bridge vlan rows, and by the [optional] pvid specified in the /interface bridge which specifies the vlan that won't be tagged at the CPU end, (the switch-facing interface of the router). The pvid specified on the /interface bridge is the vlan on the switch ASIC that will be associated with the base bridge interface, and if not specified, it will be pvid 1.

See Bridge port settings for the "official" documenation, which agrees with my experience with playing with vlans on an RB760iGS with v7.2+ firmware (currently running v7.5).

If anyone disagrees with my understanding, please present your reasoning; if I am wrong I want to understand what I am misunderstanding.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Help needed with bridge VLANs & DHCP

Sun Dec 04, 2022 5:30 pm

Do you think there are any good ones?

Sure there are good ones. Youtube is simply too a vast plain to know all which are good. Experience goes that there more videos which are bad or outdated than good and modern ones. It takes at least some experience to tell them apart which bew users sorely lack. Some of those then pop by and we have to help user to fix the mess ...
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Help needed with bridge VLANs & DHCP

Sun Dec 04, 2022 6:07 pm

Let's first talk about concepts, so let's forget about (potential HW offload). So there's a conceptual N-port switch named the same as bridge (consisting of ports explicitly configured as such plus port named the same as bridge) and the there's pseudo-interface named same as bridge availabke purely in ROS software (same as VLAN interfaces .. and interfaces named after physical ports and connected 1-to-1).

When creating bridge, properties configure either the "switch-like" entity, the port entity or interface entity. None of properties are considered as default values for other ports (configured explicitly), defaults are hard-coded (e.g. pvid=1 etc.) and not taken from bridge port.


When it comes to HW offload, bridge "switch-like" entity is fully offloaded to hardware. Bridge ports are naturally mapped to switch ports.
The bridge port entity can not be blindly mapped to switch-CPU interconnect, in case when there are other bridge ports which are not HW offloaded (e.g. wireless interfaces, CPU-connected SFP ports, etc.) this interconnect may have to carry more VLANs than are used by bridge interface ... we can only guess if the interconnect is then intelligently configured or it simply passes all VLANs.

Which means that bridge port entity is possibly always done in software and those properties are handled in software as well.

As to whether untagged packets, ingressing via pvid-enabled port, pass bridge "switch-like" entity untagged or tagged ... is another thing we can argue endlessly. Things complicate when different ports have different PVIDs configured and frame has to egress via multiple ports (e.g. because dst-MAC is not found in ARP table). So if things were done in KISS manner, every untagged frame would be unconditionally tagged with PVID on ingress, then swirching engine would determine correct egress port(s), then frame would be properly handled on egress (tag stripped if port is configured as untagged member of that VLAN). Which makes egress process simple (it doesn't depend on ingress port).
And bridge port can be treated in exactly the same manner ... which means that appropritate properties indeed apply to bridge port and not to other ports.

I don't know if my explanation contradicts your understanding, I do know I've had a disagreement with @sindy regarding untagged frames, pvid setting etc. (the KISS part of my explanation). This part doesn't matter much as each switch chip might follow diffetent logic and as long as end result is correct, internal workings don't matter.

Who is online

Users browsing this forum: ccrsxx, holvoetn and 36 guests