VLAN Trunk Port Problem

fobo · Wed Dec 29, 2021 5:17 pm

Hi,

I try to set-up my first VLAN for my home network, however, somehow I do not manage to get it to work.
For a first test I simply want to use the RB5009 as a DNS Server to hand out IP addresses in the range 10.0.20.10-10.0.20.254 for the VLAN, use port 3 as trunk port and a switch to tag the traffic from the devices.

network.png

The setup for the switch is as follows:

switch.PNG

The configuration of the RB5009 is as follows:

[admin@MikroTik] > export hide-sensitive
# dec/29/2021 16:12:20 by RouterOS 7.0.5
# software id = 9KD3-E92X
#
# model = RB5009UG+S+
# serial number = EC190FC639BF
/interface bridge
add admin-mac=DC:2C:6E:3E:DA:4D auto-mac=no comment=defconf name=bridge
add name=extern-bridge pvid=40 vlan-filtering=yes
add name=intern-bridge pvid=10 vlan-filtering=yes
add name=iot-bridge vlan-filtering=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=intern-dhcp ranges=10.0.10.10-10.0.10.254
add name=iot-dhcp ranges=10.0.20.10-10.0.20.254
add name=extern-dhcp ranges=10.0.40.10-10.0.40.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=intern-dhcp interface=intern-bridge name=intern-dhcp relay=10.0.10.1
add address-pool=iot-dhcp interface=iot-bridge name=iot-dhcp relay=10.0.20.1
add address-pool=extern-dhcp interface=extern-bridge name=extern-dhcp relay=10.0.40.1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=iot-bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=iot-bridge tagged=ether3 untagged=bridge vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.0.10.1/24 interface=intern-bridge network=10.0.10.0
add address=10.0.20.1/24 interface=iot-bridge network=10.0.20.0
add address=10.0.40.1/24 interface=extern-bridge network=10.0.40.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1
add address=10.0.40.0/24 dns-server=10.0.40.1 gateway=10.0.40.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=192.168.100.1/32 gateway=ether1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Vienna
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I get a link, but not even an IP-Address assigned...
Now I hope somebody can point me in the right direction

anav · Thu Dec 30, 2021 2:52 pm

First to work with vlans best to read this excellent article with examples.
viewtopic.php?t=143620

One bridge.
All subnets get vlans (dont use bridge for dhcp is my recommendation, keeps it simple apples to apples)

Do not use multiple bridge.
Simply setup/identify the vlans to the bridge interface
ALL vlans require IP address, IP POOl, dhp-server dhcp-server network.
Setup interface bridge ports
Setup interface bridge vlans
Almost done.

Do use the reference, and by the way their management vlan 99
can be your homevlan or trusted vlan, one doesnt need necessarily a separate management vlan and rule of thumb is the vlan that the admin uses all the time.
All smart devices attached tot he router such as switches should get their IP from this vlan subnet etc.........

As for external switches I will have a look later once the MT config is fixed, no point otherwise.
Typically though all trunk ports on the switch keep their native VLAN1, and access ports lose their native vlan1 which is replaced by the PVID of the vlan passing data to dumb devices.
More on that later.

fobo · Fri Dec 31, 2021 1:13 pm

Thank you very much for your help so far, as a beginner in network infrastructure and RouterOS it is quite tough and the learning curve is steep.

I already know how to structure the network and tried to follow your approach to use a single bridge interface and assign VLANs to it.
My new configuration is based on the excellent VLAN topic you suggested, however, when I try to access the router through one of the configured trunk ports (eg. ether4 or ether8) which should be in the base/MGMT VLAN I do not even get an IP address assigned, I am locked out of the device with WinBox (connect with MAC also does not work) and I don't understand why.

Can you please have a look at my configuration:

###############################################################################
# Topic:		Home Network Router Configuration
# RouterOS:		7.0.5
# Date:			31.12.2021
# Notes:		Start with a reset (/system reset-configuration)
###############################################################################

#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="Router"


#######################################
# VLAN Overview
#######################################

# 10 = base (=MGMT)
# 20 = iot
# 30 = voip
# 40 = surveillance
# 50 = extern


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=bridge protocol-mode=none vlan-filtering=no


#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Leave pvid set to default of 1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=sfp-sfpplus1

# egress behavior
/interface bridge vlan

# These need IP Services (L3), so add Bridge as member
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 vlan-ids=20
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 vlan-ids=30
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 vlan-ids=40
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 vlan-ids=50


#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior
/interface bridge port

add bridge=bridge interface=ether4 pvid=10
add bridge=bridge interface=ether5 pvid=20
add bridge=bridge interface=ether6 pvid=40
add bridge=bridge interface=ether7 pvid=50
add bridge=bridge interface=ether8 pvid=10

# egress behavior
/interface bridge vlan

# These need IP Services (L3), so add Bridge as member
set bridge=bridge tagged=bridge [find vlan-ids=10]
set bridge=bridge tagged=bridge [find vlan-ids=20]
set bridge=bridge tagged=bridge [find vlan-ids=30]
set bridge=bridge tagged=bridge [find vlan-ids=40]
set bridge=bridge tagged=bridge [find vlan-ids=50]


#######################################
# IP Addressing & Routing
#######################################

# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes servers="8.8.8.8"

# WAN facing port uses DHCP on Starlink
/ip dhcp-client add interface=ether1

# Static Route to Starlink MGMT
/ip route add comment="Starlink Management Page" distance=1 dst-address=192.168.100.1/32 gateway=ether1


#######################################
# IP Services
#######################################

# "base" VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge name=base-vlan vlan-id=10
/ip address add interface=base-vlan address=10.0.10.1/24
/ip pool add name=base-pool ranges=10.0.10.10-10.0.10.254
/ip dhcp-server add address-pool=base-pool interface=base-vlan name=base-dhcp disabled=no
/ip dhcp-server network add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1

# "iot" VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge name=iot-vlan vlan-id=20
/ip address add interface=iot-vlan address=10.0.20.1/24
/ip pool add name=iot-pool ranges=10.0.20.10-10.0.20.254
/ip dhcp-server add address-pool=iot-pool interface=iot-vlan name=iot-dhcp disabled=no
/ip dhcp-server network add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1

# "voip" VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge name=voip-vlan vlan-id=30
/ip address add interface=voip-vlan address=10.0.30.1/24
/ip pool add name=voip-pool ranges=10.0.30.10-10.0.30.254
/ip dhcp-server add address-pool=voip-pool interface=voip-vlan name=voip-dhcp disabled=no
/ip dhcp-server network add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1

# "surveillance" VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge name=surveillance-vlan vlan-id=40
/ip address add interface=surveillance-vlan address=10.0.40.1/24
/ip pool add name=surveillance-pool ranges=10.0.40.10-10.0.40.254
/ip dhcp-server add address-pool=surveillance-pool interface=surveillance-vlan name=surveillance-dhcp disabled=no
/ip dhcp-server network add address=10.0.40.0/24 dns-server=10.0.40.1 gateway=10.0.40.1

# "extern" VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge name=extern-vlan vlan-id=50
/ip address add interface=extern-vlan address=10.0.50.1/24
/ip pool add name=extern-pool ranges=10.0.50.10-10.0.50.254
/ip dhcp-server add address-pool=extern-pool interface=extern-vlan name=extern-dhcp disabled=no
/ip dhcp-server network add address=10.0.50.0/24 dns-server=10.0.50.1 gateway=10.0.50.1


#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE

/interface list member
add interface=ether1       list=WAN
add interface=base-vlan    list=BASE
add interface=iot-vlan     list=VLAN
add interface=voip-vlan    list=VLAN
add interface=surveillance list=VLAN
add interface=extern-vlan  list=VLAN

# VLAN aware firewall. Order is important.
/ip firewall filter


##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

# Allow base-vlan full access to the device for Winbox, etc.
add chain=input action=accept in-interface=base-vlan comment="Allow base-vlan Full Access"

add chain=input action=drop comment="Drop"


##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop"


##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"


#######################################
# VLAN Security
#######################################

# Only allow packets with tags over the Trunk Ports
/interface bridge port
set bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether2]
set bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether3]
set bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp-sfpplus1]

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]
set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether6]
set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether7]
set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether8]


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from base-vlan, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set bridge vlan-filtering=yes

Sob · Fri Dec 31, 2021 2:03 pm

If you do this:

/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 vlan-ids=10

followed by this:

/interface bridge vlan
set bridge=bridge tagged=bridge [find vlan-ids=10]

you reset previous config and end up with just tagged=bridge, i.e. you remove ether2, ether3 and sfp-sfpplus1.

Then in firewall, you probably want to let base vlan access internet too.

anav · Fri Dec 31, 2021 2:20 pm

Hi Fabo it is not uncommon to struggle a bit with winbox, and bridges etc........... par for the course, but do stick with it.
I recommend much use of SAFE MODE when making changes.

As for being locked out of the router when the bridge config changes are made is why I made this article for this very reason.
To configure the bridge from OFF the bridge, to avoid that issue.....

Read this. (and use the wired version).
viewtopic.php?t=181718

+++++++++++++++++++++++++++++++++++++++++++++++++++

In terms of your config when are you getting locked out?

I note that the last step is to turn on bridge vlan filtering. Its probably here that the router burps, but it should come back okay when it restarts?

/interface bridge add name=bridge protocol-mode=none vlan-filtering=no to YES

Overall the config is spot on! Looking Good!
You have set ether2,ether3 and sfpplust1 on the bridge and they are all trunk ports (can carry one or more vlans)
You have set access ports to 4,5,6,7,8 and the pvids accordingly.

For interface bridge vlan settings, one must know that the Router will create dynamically (on the fly) the untagging required based on the setup on bridgeports for access ports.
They wont show up in your exports if not being used.
The only stipulation is that you have to ensure that for every vlan-id associated with access ports a BRIDGE is tagged ( as you stated )
Looking at the interface bridge vlan settings you constructed for the trunk ports, it is clear that all vlan-ids noted in the access ports have a bridge tagged so you are good to go......

Everything looks good thus far!!

The firewall rules are also SAFE and OKAY but can be improved later.
The only change I would ask you to make is this. This allows you to add or subtract BASE list members and is more flexible and will be used right away.
We will change it further down the line but after this change can focus on getting up and running.

FROM
add chain=input action=accept in-interface=base-vlan comment="Allow base-vlan Full Access"
TO
add chain=input action=accept in-interface-list=BASE

{ we are modifying what it says currently which is allow any user on the Base VLAN full access to the router, to allow any list member we have associated with the list BASE to have full access to the router. Input chain rules are for traffic to/fro the router WAN to router and LAN to router. Forward chain rule are for traffic through the router WAN to LAN, LAN to LAN, LAN to WAN. }

As I stated in the link to the article in this post, take one bridge port and configure it for access to the router and finish the configuring from there.......
Note you will need to (if ether5 is the port) do the following below...........

Which brings us finally to the interface list members, the BASE vlan is also a vlan and for accuracy should be included:

/interface list member
add interface=ether1 list=WAN
add interface=base-vlan list=BASE
add interface=base-vlan list=VLAN
add interface=ether5 list=BASE
add interface=iot-vlan list=VLAN
add interface=voip-vlan list=VLAN
add interface=surveillance list=VLAN
add interface=extern-vlan list=VLAN

Now you should see the utility and flexibility of the Base Interface list.
By adding ether5 to the list, it now has full access to the router (since we modified the firewall rule), and its included in discovery and the winmac server!!!

fobo · Mon Jan 03, 2022 11:34 am

Hey Sob, Hey anav,

First of all, happy new year to both of you, and thank you very much for your great support and the time spent in solving my issue.
Everything works fine now, the network is segmented and I have a great starting point!

The bridge VLAN settings were definitely overwritten and using BASE as an interface list instead of the interface itself in the firewall rule is a great suggestion.

Regarding the first point, I really want to split the configuration script in two sections for the Trunk- and Access Ports, however, I was not able to add the untagged interfaces after the tagged ones so I have the following right now:

[url]
# egress behavior
/interface bridge vlan

# These need IP Services (L3), so add Bridge as member
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 untagged=ether4,ether8 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 untagged=ether5 vlan-ids=20
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 vlan-ids=30
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 untagged=ether6 vlan-ids=40
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 untagged=ether7 vlan-ids=50
[/url]

How can I add the untagged interfaces after adding the tagged ones without overwriting them?

anav · Mon Jan 03, 2022 3:23 pm

Hi, there one does not split the setting as you wish, there is no need.

There are two main sections for assigning the vlans.
1. Interface Bridge Ports.
This is where identify
a. which ports and wlans will be on the bridge
b. detail on which is a trunk port, an access port and more rarely a hybrid port.
c. In the case of access port, one assigns a PVID to the line, which tells the router which vlan will be tagged inbout and untagged outbound.

Notes;
- A trunk port carries one more vlans headed towards a smart device that can read vlans
- An access port carries one vlan and the purpose is to tag traffic with this vlan when it comes from a dumb device and then untag the vlan before sending it back to the dumb devce.
- By use of the pVID above the router will automatically/dynamically create untagg vlan rules and thus they do not need to be inserted into the config if that PVID is already tagged on the bridge.

Then we get to
2. The Interface Bridge Vlans.
a. Each VLAN should get its own line,
b. Each trunk port needs to be tagged and each access port needs to be untagged ***
c. any etherport involved in a trunk port needs to be tagged.
d. each pvid needs to be tagged to the bridge at least once.
e. the base or trusted vlan has to be tagged to the bridge at least once.

*** Each access port is untagged automatically/dynamically but I prefer to manually insert them so I can easily in my config script see what I have done, otherwise they wont show.

As to your question showing a part config is useless for me and in this case showing vlans without bridge port is not all that useful. however
looking at the below, it seems fine.
Point1 - ether2,3,spf+ are trunk ports carrying vlans 10,20,30,40,50
Point2 - ether4,8 are access ports carrying vlan 10
Point2 - ether5 is an access ports carrying vlan 20
Point2 - ether6 is an access ports carrying vlan 40
Point2 - ether7 is an access ports carrying vlan 50
Note: Since vlan 30 was not detailed anywhere assuming its not being carried to a dumb device......

add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 untagged=ether4,ether8 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 untagged=ether5 vlan-ids=20
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 vlan-ids=30
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 untagged=ether6 vlan-ids=40
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 untagged=ether7 vlan-ids=50

In conclusion, your config is proper and should be left alone.
If you wanted to use a minimal config and not put in the untagged since they are created automatically it would look like.

add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 vlan-ids=20
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 vlan-ids=30
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus vlan-ids=40
add bridge=bridge tagged=bridge,ether2,ether3,sfp-sfpplus1 vlan-ids=50

this would also be correct. Now just to add a point lets say
that you had vlan 60 and it was a PVID on the bridge port for port 12 and it was not going on any trunk ports, it would be written on your CONFIG as:
add bridge=bridge tagged=bridge untagged=ether12 vlan-ids=60

If you were using the shorter notation it would be
add bridge=bridge tagged=bridge vlan-ids=60

VLAN Trunk Port Problem

VLAN Trunk Port Problem

Re: VLAN Trunk Port Problem

Re: VLAN Trunk Port Problem

Re: VLAN Trunk Port Problem

Re: VLAN Trunk Port Problem

Re: VLAN Trunk Port Problem

Re: VLAN Trunk Port Problem

Who is online