jampr
just joined
Topic Author
Posts: 9
Joined: Thu Oct 19, 2017 9:54 am

RB962 untagged not working

Wed May 02, 2018 12:12 am

Hi all,

I have done a simple configuration. I want to get access to VL100 via untagged ether2. Ether1 is trunk and is working fine. On the notebook attached to ether2 I am not able to ping the IP 192.168.1.51 nor the gw IP 192.168.1.1. What am I doing wrong?
# may/01/2018 23:04:57 by RouterOS 6.43rc5
# software id = 
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 
/interface bridge
add fast-forward=no name=inter-bridge vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=ether1 name=vlan100 vlan-id=100
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=inter-bridge interface=ether1 pvid=100
add bridge=inter-bridge interface=ether2
/interface bridge vlan
add bridge=inter-bridge tagged=ether1,inter-bridge untagged=ether2 vlan-ids=100
add bridge=inter-bridge untagged=ether2 vlan-ids=1
/ip address
add address=192.168.1.51/24 interface=vlan100 network=192.168.1.0
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/ip route
add distance=1 gateway=192.168.1.1
/system clock
set time-zone-name=Europe/Berlin
/system package update
set channel=development
/system routerboard settings
set silent-boot=no
 
sindy
Forum Guru
Posts: 3910
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB962 untagged not working

Wed May 02, 2018 12:21 am

what am I doing wrong?
In /interface bridge port, the pvid value says with what VLAN ID tagless packets incoming through that port should be tagged, so you have swapped that parameter between ether1 and ether2 if you really wanted VLAN 100 to be untagged (access mode) on ether2 and tagged (trunk mode) on ether1.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
chechito
Forum Guru
Posts: 1743
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: RB962 untagged not working

Wed May 02, 2018 1:53 am

can you clarify your requirement??
 
jampr
just joined
Topic Author
Posts: 9
Joined: Thu Oct 19, 2017 9:54 am

Re: RB962 untagged not working

Wed May 02, 2018 10:19 am

OK, I've changed the pvid of ether2 to vlan-id=100 and did a reboot. But again no luck pinging 192.168.1.51. I am a little bit confused. Is VL1 for the backplane (CPU access/layer 3)?

my requirement is to get access to the entire VL100 network from my notebook (on ether2) which needs to be untagged.

added at 10:19
and need access to 192.168.1.51 (management of this mikrotik)
/added

added at 12:04
and in winbox I can see the notebook MAC address under bridge -> Hosts. But it is listed with a VID 100. So it seems that the VLAN tag 100 is not removed on egress ether2
/added.
/interface bridge
add fast-forward=no name=inter-bridge vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=ether1 name=vlan100 vlan-id=100
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=inter-bridge interface=ether1 pvid=100
add bridge=inter-bridge interface=ether2 pvid=100
/interface bridge vlan
add bridge=inter-bridge tagged=ether1,inter-bridge untagged=ether2 vlan-ids=\
    100
add bridge=inter-bridge untagged=ether2 vlan-ids=1
/ip address
add address=192.168.1.51/24 interface=vlan100 network=192.168.1.0
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/ip route
add distance=1 gateway=192.168.1.1
/system clock
 
chechito
Forum Guru
Posts: 1743
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: RB962 untagged not working

Wed May 02, 2018 5:03 pm

try this
/interface bridge
add fast-forward=no name=inter-bridge vlan-filtering=yes
/interface vlan
add interface=inter-bridge name=vlan100 vlan-id=100
/interface bridge port
add bridge=inter-bridge interface=ether1 pvid=100
add bridge=inter-bridge interface=ether2 pvid=100
/interface bridge vlan
add bridge=inter-bridge tagged=ether1,inter-bridge  vlan-ids=100
/ip address
add address=192.168.1.51/24 interface=vlan100 network=192.168.1.0
 
sindy
Forum Guru
Posts: 3910
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB962 untagged not working

Wed May 02, 2018 5:38 pm

Problem #1: a port cannot be an untagged member of two VLANs simultaneously: with which of the two VLAN IDs should an ingress tagless packet be sent to?
/interface bridge vlan
add bridge=inter-bridge tagged=ether1,inter-bridge untagged=ether2 vlan-ids=100
add bridge=inter-bridge untagged=ether2 vlan-ids=1
So the line for vlan-ids=1 must not be there.

Problem #2: if you set a pvid for a port, tagless ingress packet will be tagged with that VLAN ID - good, ingress packets tagged with that VLAN ID will be let in unchanged - also good, but egress packets tagged with that VLAN ID will be untagged while sent out over the wire, so if the connected equipment doesn't have the same pvid setting, it will ignore them or tag them into another VLAN.
/interface bridge port
add bridge=inter-bridge interface=ether1 pvid=100
add bridge=inter-bridge interface=ether2 pvid=100
So the first line should read "add bridge=inter-bridge interface=ether1 pvid=1" (because the pvid is a mandatory parameter and value 1 is least harmful).
 
jampr
just joined
Topic Author
Posts: 9
Joined: Thu Oct 19, 2017 9:54 am

Re: RB962 untagged not working

Wed May 02, 2018 10:07 pm

try this
....
Thanks chechito. This was one half of the solution. After setting the IP onto the new vlan interface as you suggested, I had access from the untagged ether2 to the router.
/interface vlan
add interface=inter-bridge name=inter-bridge.vl100 vlan-id=100

BUT: I was not able to reach any device via the tagged ether1 port.
This I could solve by adding the vlan100 interface on ether1 to the bridge, too:
/interface vlan
add interface=ether1 name=vlan100 vlan-id=100

/interface bridge port
add bridge=inter-bridge interface=vlan100 pvid=100

Don't ask me why, but it is working. Now I want to access different VLANs (200 and 300) with the same bridge. I just have to keep an eye on mixing untagged traffic with that.
 
sindy
Forum Guru
Posts: 3910
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB962 untagged not working

Wed May 02, 2018 11:16 pm

You have mixed together two approaches and I have missed that in your original config export.

One approach: attach the tagged side of /interface vlan to ether1 and make its tagless side one member of a bridge such as bridge-vlan-100, the second member of the same bridge would be ether2.

This way, you need one /interface vlan for each ethernet interface on which you want the VLAN to be accessible tagged. If you want an IP address of the router in that VLAN, the IP configuration should be attached to bridge-vlan-100. And when a packet is forwarded between two tagged interfaces of that VLAN, it comes in tagged via the first interface, gets untagged by the /interface vlan, bridged tagless to the other /interface vlan, and tagged by it before getting sent out via the other interface. All that is done in software. And you need one bridge per VLAN.

With this approach, vlan-filtering makes no sense because there is just a single vlan per bridge, i.e. you define the membership of an interface in a VLAN using /interface vlan attached to that interface.

Example for ether1 and ether3 as trunk ports for vlan IDs 100 and 200, ether2 as access port for vlan ID 100 and local IP address in vlan ID 200:
/interface bridge
add name=b100
add name=b200

/interface vlan
add name=v100-e1 interface=ether1 vlan-id=100
add name=v200-e1 interface=ether1 vlan-id=200
add name=v100-e3 interface=ether3 vlan-id=100
add name=v200-e3 interface=ether3 vlan-id=200

/interface bridge port
add bridge=b100 interface=v100-e1
add bridge=b100 interface=v100-e3
add bridge=b100 interface=ether2
add bridge=b200 interface=v200-e1
add bridge=b200 interface=v200-e3

/ip address
add address=192.168.33.34/24 interface=b200


The other approach: you make a single common bridge for all VLANs. For each member Ethernet interface you define up to one VLAN ID (the pvid) for which it will act as access port (i.e. tagging packets on ingress with that VLAN ID and untagging packets with that VLAN id on egress). If you want to have an IP address of the router in that VLAN, you create a single /interface vlan, attach its tagged side to that single bridge, and attach the IP configuration to its tagless side.

In that case,
  • tagged packet with any VLAN ID gets in tagged and is bridged to the egress interface still tagged;
  • untagged packets from outside get tagged with the pvid of the ingress interface;
  • tagged packets from inside get untagged if their VLAN ID matches the pvid of the egress interface.
If you plan to activate vlan-filtering=yes on the common bridge, you have to first specify member trunk ports for each vlan (or a list of vlans if all ports are in trunk mode) in /interface bridge vlan list; the pvid values from /interface bridge port configuration cause the corresponding ports to be placed to the list of access ports for the VLAN ID in this table automatically, but it only happens when you switch vlan-filtering to yes. What is totally confusing is that if you have created an /interface vlan for a VLAN ID because you want an IP address in that VLAN, it doesn't get access to the VLAN on the bridge automatically and you must add the bridge itself to the list of trunk ports.

Example for ether1 and ether3 as trunk ports for vlan IDs 100 and 200, ether2 as access port for vlan ID 100 and local IP address in vlan ID 200 (the same resulting functionality as the example above):
/interface bridge
add name=ball vlan-filtering=no

/interface vlan
add name=v200 interface=ball vlan-id=200

/interface bridge port
add bridge=ball interface=ether1
add bridge=ball interface=ether3
add bridge=ball interface=ether2 pvid=100

/ip address
add address=192.168.33.34/24 interface=v200


With vlan-filtering=no, packets tagged with any vlan ID will flow freely between ether1, ether2, ether3, only packets with VLAN-ID 100 will be untagged when egress via ether2. If you want to set vlan-filtering on bridge ball to yes to restrict which VLANs may be forwarded and which not and you are connected via one of the ports of the bridge, you first have to configure the membership of ports in VLANs, otherwise you lose access to the router.
/interface bridge vlan
add bridge=ball vlan-ids=100 tagged=ether1,ether3
add bridge=ball vlan-ids=200 tagged=ether1,ether3,ball


You can combine these two approaches together in some cases if you know well what you are doing, but you cannot simultaneously make the same interface a member of a bridge and a carrier interface for an /interface vlan; if you do that, weird things happen.

Yet another approach is to use vlan filtering at switch chip level, but that's one more can of worms and it is too late down here. There are other topics on this forum explaining that approach. It gives you hardware switching but in more complex L2 networks it can cause trouble so you have to think twice before taking that way.
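The mistakes named in this thread (Problem #1, Problem #2, and an interface that is both a bridge port and the carrier of an /interface vlan) can be checked mechanically in an export before vlan-filtering is switched on. This is an added example, not code from any poster or from MikroTik; the function names are hypothetical and it assumes vlan-ids holds single IDs or comma lists, not ranges.

```python
import re
from collections import defaultdict

def parse_export(text):
    """Parse RouterOS export text into {menu: [{key: value}, ...]}."""
    text = re.sub(r"\\\n\s*", "", text)        # join "\" continuation lines
    menus, menu = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            menus[menu].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return menus

def lint(text):
    """Return findings for the VLAN mistakes discussed in the thread."""
    m = parse_export(text)
    pvid = {p["interface"]: p.get("pvid", "1") for p in m["/interface bridge port"]}  # default pvid is 1
    findings, untagged_in = [], defaultdict(set)
    for row in m["/interface bridge vlan"]:
        for vid in row["vlan-ids"].split(","):
            for port in filter(None, row.get("untagged", "").split(",")):
                untagged_in[port].add(vid)
            for port in filter(None, row.get("tagged", "").split(",")):
                if pvid.get(port) == vid:      # Problem #2: trunk port whose pvid is this VLAN
                    findings.append(f"{port}: pvid={vid} but tagged member of VLAN {vid}")
    for port, vids in sorted(untagged_in.items()):
        if len(vids) > 1:                      # Problem #1: untagged member of two VLANs
            findings.append(f"{port}: untagged in VLANs {','.join(sorted(vids, key=int))}")
    for v in m["/interface vlan"]:
        if v["interface"] in pvid:             # bridge member also carries an /interface vlan
            findings.append(f"{v['interface']}: bridge port and carrier of {v['name']}")
    return findings

# Constructed sample: the relevant menus of the second export posted in this thread.
BROKEN = """/interface vlan
add interface=ether1 name=vlan100 vlan-id=100
/interface bridge port
add bridge=inter-bridge interface=ether1 pvid=100
add bridge=inter-bridge interface=ether2 pvid=100
/interface bridge vlan
add bridge=inter-bridge tagged=ether1,inter-bridge untagged=ether2 vlan-ids=\\
    100
add bridge=inter-bridge untagged=ether2 vlan-ids=1
"""

if __name__ == "__main__":
    for finding in lint(BROKEN):
        print(finding)
```

Run against the same menus of the final working export in this thread, `lint` returns no findings.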
 
jampr
just joined
Topic Author
Posts: 9
Joined: Thu Oct 19, 2017 9:54 am

Re: RB962 untagged not working

Thu May 03, 2018 12:37 am

You have mixed together two approaches and I have missed that in your original config export.

Aaah, ok. Now it is working as expected. My problem was that untagging on egress only works if the bridge pvid is 'different' than the pvid of bridge itself. Now I understand the detour with vlan 1. Thanks for your very detailed explanation. But it is not intuitive. If I define a port per vlan as untagged, I want it untagged, regardless of which pvid is defined on the bridge itself.

here is my working config:
/interface bridge
add fast-forward=no name=inter-bridge vlan-filtering=yes
/interface vlan
add interface=inter-bridge name=vl100 vlan-id=100
/interface bridge port
add bridge=inter-bridge interface=ether1
add bridge=inter-bridge interface=ether2 pvid=100
/interface bridge vlan
add bridge=inter-bridge tagged=inter-bridge,ether1 untagged=ether2 vlan-ids=100
/ip address
add address=192.168.1.51/24 interface=vl100 network=192.168.1.0
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/ip route
add distance=1 gateway=192.168.1.1
 
sindy
Forum Guru
Posts: 3910
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB962 untagged not working

Thu May 03, 2018 12:54 am

My problem was, that untagging on egress only works if the bridge pvid is 'different' than the pvid of bridge itself
Strange. I've concentrated on this two days ago because this is what I expected (that pvid of the interface bridge itself interacts with pvid of interface bridge port) and it clearly didn't (on hAP ac lite), but I admit I was looking at the ingress direction, i.e. whether tagless ingress packets remain tagless if the two pvid values match, and they didn't. On the other hand, tagless packets did remain tagless if /interface bridge port pvid was 1 (again regardless what the /interface bridge pvid was). But I do admit I didn't check the egress operation, and that I didn't check with both pvid values different from 1, I always had at most one of them different from 1.

I'll have one more look at it tomorrow. Good night.