soosp
newbie
Topic Author
Posts: 29
Joined: Sat Oct 02, 2010 7:10 pm

RouterOS 7 VLAN access problem on PPC architecture

Sun Apr 10, 2022 2:19 am

Hi all,

We had a problem with RouterOS 7 on PPC devices (e.g. RB850Gx2).

When the config below is applied on a PPC arch device, it is inaccessible by WinBox or SSH. It is unable to communicate over IP, but switching and ping are working. MAC WinBox is working too.
On mipsbe architecture (e.g. RB450G) this config works well. I assume there is a bug in the VLAN handling of the PPC architecture.
/interface bridge add name=bridge-lan protocol-mode=none
/interface vlan add interface=bridge-lan name=bridge-lan.44 vlan-id=44
/interface ethernet switch port set 0 default-vlan-id=0 vlan-header=add-if-missing vlan-mode=secure
/interface ethernet switch port set 1 default-vlan-id=44 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 2 default-vlan-id=44 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 3 default-vlan-id=44 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 4 default-vlan-id=44 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 5 default-vlan-id=0 vlan-mode=secure
/interface bridge port add bridge=bridge-lan interface=ether1
/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=ether3
/interface bridge port add bridge=bridge-lan interface=ether4
/interface bridge port add bridge=bridge-lan interface=ether5
/interface ethernet switch vlan add independent-learning=no ports=switch1-cpu,ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=44
/ip address add address=192.168.44.91/24 interface=bridge-lan.44 network=192.168.44.0
/ip dns set servers=192.168.44.11,192.168.44.12
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.44.254 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
The ether1 is the trunk port and the others are access ports. I tested the access on the trunk and the access side too.
 
soosp
newbie
Topic Author
Posts: 29
Joined: Sat Oct 02, 2010 7:10 pm

Re: RouterOS 7 VLAN access problem on PPC architecture

Sun Apr 10, 2022 12:30 pm

I tested it on RB850Gx2 with bridge vlan filtering instead of switch config. In this case the router can be accessed via access ports (ether2-5) on IP but can't be accessed via trunk port. MAC WinBox has worked on both.
/interface bridge add ingress-filtering=no name=bridge-lan protocol-mode=none vlan-filtering=yes
/interface vlan add interface=bridge-lan name=bridge-lan.44 vlan-id=44
/interface bridge port add bridge=bridge-lan frame-types=admit-only-vlan-tagged ingress-filtering=no interface=ether1
/interface bridge port add bridge=bridge-lan frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=44
/interface bridge port add bridge=bridge-lan frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=44
/interface bridge port add bridge=bridge-lan frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=44
/interface bridge port add bridge=bridge-lan frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=44
/interface bridge vlan add bridge=bridge-lan tagged=bridge-lan,ether1 untagged=ether2,ether3,ether4,ether5 vlan-ids=44
/ip address add address=192.168.44.91/24 interface=bridge-lan.44 network=192.168.44.0
/ip dns set servers=192.168.44.11,192.168.44.12
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.44.254 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
 
soosp
newbie
Topic Author
Posts: 29
Joined: Sat Oct 02, 2010 7:10 pm

Re: RouterOS 7 VLAN access problem on PPC architecture

Sun Apr 10, 2022 12:35 pm

Both configs above work well with RouterOS 6 on RB450G and RB850Gx2, but they work only on RB405G with RouterOS 7.
Personally, I prefer the switch config variation because hardware offload works only on it.
 
soosp
newbie
Topic Author
Posts: 29
Joined: Sat Oct 02, 2010 7:10 pm

Re: RouterOS 7 VLAN access problem on PPC architecture

Tue Apr 19, 2022 10:18 pm

This bug is still present in RouterOS 7.2.1 and 7.3beta33 too.
 
sultan26
just joined
Posts: 2
Joined: Mon Dec 27, 2021 12:16 pm

Re: RouterOS 7 VLAN access problem on PPC architecture

Tue Jun 07, 2022 2:19 pm

I am registering the same problem, last tested on RouterOS 7.3 Stable.
 
bcall
just joined
Posts: 19
Joined: Thu Dec 03, 2015 8:52 am

Re: RouterOS 7 VLAN access problem on PPC architecture

Mon Dec 12, 2022 4:47 pm

I just upgraded my RB850gx2 to RouterOS 7.6 stable from 6.49.7. My VLAN config is similar to soosp's first config and I'm experiencing the same issue. I thought I had bricked my router when WinBox didn't reload after the 7.6 upgrade. It's not accessible via WinBox via IP or SSH, but it otherwise seems to be working fine, responds to ping, and can be accessed via MAC WinBox.

Regarding SSH, I have a series of firewall rules set up to block repeated SSH attempts. After the ROS 7.6 upgrade, I noticed my SSH attempts were blocking my own machine. I can see in my firewall logging that my machine's SSH connection is accepted at first, but apparently a connection is never established. Subsequent attempts hit the SSH brute force rules and eventually block my own machine even though it should have been able to access it via SSH.

My RB750GL (which operates only as a switch in my network) upgraded to ROS 7.6 without any issues and is still accessible by IP with WinBox.

Is there a solution for this?
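An added example, not part of the post above or of any MikroTik tooling: a small Python check that separates the states described in this thread (ping answers, but SSH over IP never completes) from a closed or rejected port, by waiting for the SSH identification string the server sends first. The function names `probe_ssh` and `diagnose` are hypothetical, and the ping result is assumed to be supplied by the operator.

```python
import socket

def probe_ssh(host, port=22, timeout=3.0):
    """Return (state, banner); state is ok, refused, no-connect or connected-no-banner."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "")          # RST: service closed or firewall reject
    except OSError:
        return ("no-connect", "")       # SYN unanswered, or no route to the host
    data = b""
    with sock:
        sock.settimeout(timeout)
        try:
            # The server speaks first; it may send other lines before "SSH-...".
            while len(data) < 4096:
                chunk = sock.recv(4096 - len(data))
                if not chunk:
                    break
                data += chunk
                complete = data.split(b"\n")[:-1]
                if any(line.startswith(b"SSH-") for line in complete):
                    break
        except OSError:
            pass                        # handshake done, but nothing (more) arrived
    for raw in data.split(b"\n"):
        if raw.startswith(b"SSH-"):
            return ("ok", raw.strip().decode("ascii", "replace"))
    return ("connected-no-banner", "")

def diagnose(ping_ok, ssh_state):
    """Combine an operator-supplied ping result with the probe state."""
    if ssh_state == "ok":
        return "management reachable over IP"
    if ssh_state == "refused":
        return "port closed or rejected: not the symptom in this thread"
    if ping_ok:
        return "matches thread symptom: ICMP works, TCP management does not"
    return "host unreachable: check addressing and VLAN tagging first"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Every run is a new connection and counts towards brute-force rules
        # that track new SSH connections, so do not loop this against a
        # router protected by such rules.
        state, banner = probe_ssh(sys.argv[1])
        print(state, banner, "|", diagnose(True, state))
```

Run it once from a management host and, if it reports the thread symptom, fall back to MAC WinBox rather than retrying SSH.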
 
Ejcej
just joined
Posts: 8
Joined: Mon Jan 16, 2006 12:33 am
Location: Czech Republic

Re: RouterOS 7 VLAN access problem on PPC architecture

Mon Jan 30, 2023 11:09 am

I reported the situation to support. Here is the answer.

Hello,

Thank you for the report!

We have managed to reproduce the issue locally in our labs and look forward to fixing it on upcoming RouterOS versions, unfortunately, I cannot provide a release date now.

Best regards,
Edgars P.
 
tbirdsaw
just joined
Posts: 3
Joined: Mon Apr 23, 2018 11:25 pm

Re: RouterOS 7 VLAN access problem on PPC architecture

Sat Feb 25, 2023 2:18 am

Just wanted to chime in, the issue still exists on a RB850Gx2 and ROS v7.7. I was using the RB850 as a CAPSMAN manager and DHCP/DNS server, and using a trunk port to communicate to three different VLANs. I noticed that DNS server capabilities and WinBox direct connection via IP stopped working, and spent the last two days troubleshooting it. However, CAPSMAN and DHCP continued to work during my testing.

Took me a lot of head scratching before I decided to duplicate the configuration on an mAP, which is working fine right now and has taken over duties temporarily. I finally searched on the forums, and this thread came up.

I also found that once a trunk port with a bridge configuration is put in place, even removing all VLAN configurations and turning off VLAN filtering does not appear to fix the problem. Only removing the trunk port from the bridge and then re-adding it seems to temporarily fix the access issue, until VLAN filtering is turned on again. Once it's turned on, all WinBox access is lost on that port.

I know the RB850Gx2 is an older platform on PowerPC, so while I'm slightly annoyed that there wasn't anything published other than this forum thread about it not working, I'm relieved that this bug doesn't seem to exist on the MIPS and ARM platforms, which is what most of my Routerboard equipment is based on.

I haven't tested it on an old RB1200 (PowerPC) that's still in production (running ROS 6.48.5), but seeing as it may be linked to the PowerPC platform I'll probably just upgrade that unit to a newer one.
 
tbirdsaw
just joined
Posts: 3
Joined: Mon Apr 23, 2018 11:25 pm

Re: RouterOS 7 VLAN access problem on PPC architecture

Mon Feb 27, 2023 8:32 pm

I was able to come up with a workaround for certain use cases. Disabling "Switch All Ports" allows ether1 to be used. I have not verified that the other ports work.

Turns out it seems to be related to how the Switch Chip is handled on the device. For my use case (CAPsMAN, DNS/DHCP, Router-On-A-Stick), I don't need the switch, so I disabled "Switch All Ports" which releases ether1 to the CPU. After that, bridging, VLANs, and IP access (and DNS) all work properly. Note that turning on "Switch All Ports" afterwards does not fix the issue, and in fact requires a reboot to gain access to the router.

For my use case, I think this is "good enough". I put a note in that pops up every time I remotely access this device to not use trunk ports with the switch so I don't accidentally lock myself out in the future.

I also verified that v7.8 still has the issue. Hope this helps someone.
 
soosp
newbie
Topic Author
Posts: 29
Joined: Sat Oct 02, 2010 7:10 pm

Re: RouterOS 7 VLAN access problem on PPC architecture

Mon Mar 13, 2023 12:20 am

The bug exists in RouterOS 7.8 too. Additionally, my related support ticket was closed by MikroTik without any solution or substantive response.
I made some tests and found that ping works on VLAN interfaces in both directions even with packet size 1500, but other communication methods don't.
