Hello, opening this topic to share a recent experience and read any opinion before opening an unuseful ticket to support.
Before starting, I'm not an advanced user and the use cases for those devices are between home and small office, pretty basic config with a couple of VLANs configured following the wiki (help).

Weeks ago I noticed all devices from the network were unable to get the IP address, few changes of cables, port and problem was solved for me. The day after I get a call, the problem still exist, OK could be the unmanaged switch. Lucky me the device is RB4011 Wi-Fi version and devices are using wireless in the meantime.

Last weekend I spent a day yelling against a VoIP gateway unable to get the IP via DHCP, it worked the day before using a static IP, lucky me again to have a CRS326 connected to the router using a Trunk port and the specific VLAN configured to a port, worked immediately. OK is the eth5 fault, not the first time, again an RB4011 device.

In the end, I have two RB4011 devices with problems getting the IP, both configured in a similar way, ROSv7.8 and firmware update, strange.
Is anyone having a similar problem?

This is the relevant part of config: UPDATE: seems that the issue is related to Bridge Hardware Offloading not protocol-mode.

Right, I'll post more details later, in the meantime network diagram is very basic;
1) RB4011 Wi-Fi version with 3 VLANs -> TP-Link switch connected to ethernet4 (Access port). This device worked for more than a year with updates from 7.1 to 7.7 .
2) RB4011 with 4 VLANS, unable to get IP on ethernet5 (Access port) -> CRS326 connected to SFP+ (Trunk port). New device with V7.8.

Pretty sure that is not a config problem, devices were tested with the previous version of ROS without this problem.

UPDATE: protocol-mode=none seems that solved the problem in the first case, could be related only to RB4011 or the switch chip.

This is the relevant part of config:

Code: Select all

/interface bridge add name=Bridge protocol-mode=mstp frame-types=admit-only-vlan-tagged ingress-filtering=yes vlan-filtering=yes
/interface bridge port add bridge=Bridge interface=ether5 pvid=10 hw=yes
/interface bridge vlan add bridge=Bridge tagged=Bridge,sfp-sfpplus1 untagged=ether5 vlan-ids=10

According to Layer2 misconfiguration : VLAN filtering with multiple switch chips ether1 to ether5 should be in one bridge, while ether6 to ether10 in another on both types of RB4011 devices. Based on to the above mentioned section of the current documentation the following routers should have more than one bridges (based on the block diagrams):

• RB2011iL-IN
• RB2011iL-RM
• RB2011iLS-IN
• RB2011UiAS-IN
• RB2011UiAS-RM
• RB2011UiAS-2HnD-IN
• RB3011UiAS-RM
• RB4011iGS+RM
• RB4011iGS+5HacQ2HnD-IN
• RB1100AHx4
• RB1100AHx4 Dude Edition

However the default configuration for these devices does not follow the best practice described in the documentation. To make things a bit even more interesting the various RB2011 devices have different type of switch chips with different limitations and recommended settings.
Bridge IGMP snooping and bridge DHCP snooping (along with Option 82) disables Bridge Hardware Offloading on the bridges created on RTL8367 switch chips.

Nice catch @un9edsda!
I can be wrong, the link is for "...set up VLAN filtering (by using the /interface ethernet switch menu)", I used different approach and from what I remember bridge was offloaded, ports also.

It's curious how the first device worked for a long time and why disabling MSTP magically solved the problem !

I used different approach and from what I remember bridge was offloaded, ports also.

It's curious how the first device worked for a long time and why disabling MSTP magically solved the problem !

Thanks @Simonej.
For quite a few Mikrotik devices there are quite some caveats in case of at first sight simple configuration.
Regarding the "magical" solution have a quick search of the Layer2 misconfiguration section of the documentation for protocol-mode=none.
Also if you have time, possibility and willingness than have a test with the preferred way of Bridge VLAN Filtering for CRS3xx, CRS5xx series switches, CCR2116, CCR2216 routers and RTL8367, 88E6393X, 88E6191X, MT7621 and MT7531 switch chips while keeping in mind the special needs of VLAN filtering with multiple switch chips by adapting the preferred configuration for the RTL8367 switch chip.
Also heed the warning:

By enabling vlan-filtering you will be filtering out traffic destined to the CPU, before enabling VLAN filtering you should make sure that you set up a Management port.

I emailed support after upgrading a couple of RB4011's to 7.

Their response was, with the hardware bridge support added to 4011, the CPU has to be used to bridge the two switch chips for VLANs that span both switches. It's as simple as tagging the "bridge" itself in all VLANs that you want to cross the two switches.

In other words, create one bridge, assign your VLANs to the bridge ports (like normal), and the bridge too, even if the VLAN isn't going to have an IP address. Only traffic that traverses the two switches (or is destined for the router for Internet etc.) will hit the CPU, so arrange your devices accordingly.

Thanks @sirbryan for clarification, waiting for support to know if mine is a bug.
Are you using MSTP on your devices? Or RSTP?

Using the extracted config to test with other devices and are working as expected.

Thanks @sirbryan for clarification, waiting for support to know if mine is a bug.
Are you using MSTP on your devices? Or RSTP?

RSTP.