nitrag
just joined
Topic Author
Posts: 21
Joined: Thu Jun 15, 2017 9:22 pm

VLAN confusion (Trunk + CapAC)

Tue Aug 23, 2022 3:55 pm

I seem to be struggling with the correct VLAN configuration for this network diagram. Can someone advise what is incorrect? The switch doesn't seem to be receiving the trunk traffic for vlan156 correctly.
home_network (1).jpg
RB4011
# aug/22/2022 20:38:33 by RouterOS 6.48.6
# software id = 8PQW-VGK7
#
# model = RB4011iGS+

/interface bridge
add ingress-filtering=yes name=LanBridge protocol-mode=none pvid=156 vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] l2mtu=1598 mac-address=10:93:97:61:96:61 name=ether1-External speed=100Mbps
set [ find default-name=ether2 ] l2mtu=1598 mac-address=E4:8D:8C:0B:60:EE name=ether2-S1 speed=100Mbps
set [ find default-name=ether3 ] l2mtu=1598 mac-address=E4:8D:8C:0B:60:ED name=ether3-S1 speed=100Mbps
set [ find default-name=ether4 ] l2mtu=1598 mac-address=E4:8D:8C:0B:60:EC name=ether4-S1 speed=100Mbps
set [ find default-name=ether5 ] name=ether5-S1
set [ find default-name=ether6 ] l2mtu=1598 mac-address=E4:8D:8C:0B:60:F5 name=ether6-S2 speed=100Mbps
set [ find default-name=ether7 ] l2mtu=1598 mac-address=E4:8D:8C:0B:60:F4 name=ether7-S2 speed=100Mbps
set [ find default-name=ether8 ] l2mtu=1598 mac-address=E4:8D:8C:0B:60:F3 name=ether8-S2 speed=100Mbps
set [ find default-name=ether9 ] l2mtu=1598 mac-address=E4:8D:8C:0B:60:F2 name=ether9-S2 speed=100Mbps
set [ find default-name=ether10 ] name=ether10-S2
set [ find default-name=sfp-sfpplus1 ] name=sfp-brocade

/interface vlan
add interface=LanBridge name=LanBridge-vlan156 vlan-id=156
add interface=ether10-S2 name=vlan50-Guest vlan-id=50
add interface=sfp-brocade loop-protect=on name=vlan156-Brocade vlan-id=156
add interface=ether10-S2 name=vlan156-WiFi vlan-id=156
add interface=sfp-brocade name=vlan172-VM vlan-id=172
add interface=sfp-brocade name=vlan180-Cameras vlan-id=180
add interface=ether10-S2 name=vlan190-SmartHome vlan-id=190

/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=auto
set 3 default-vlan-id=0
set 4 default-vlan-id=auto
set 5 default-vlan-id=auto
set 6 default-vlan-id=auto
set 7 default-vlan-id=auto
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=auto
set 11 default-vlan-id=auto

/interface list
add name=LAN
add name=WAN

/ip pool
add name=home-pool ranges=192.168.156.150-192.168.156.250
add name=vpn-pool ranges=192.168.8.10-192.168.8.30
add name=vm-pool ranges=172.16.156.50-172.16.156.99
add name=camera-pool ranges=10.180.1.100-10.180.1.120
add name=guest-pool ranges=192.168.199.100-192.168.199.200
add name=smarthome-pool ranges=10.190.1.100-10.190.1.199

/ip dhcp-server
add address-pool=home-pool disabled=no interface=LanBridge lease-time=1d name=gartin-net
add address-pool=camera-pool disabled=no interface=vlan180-Cameras lease-time=1d name=camera-net
add address-pool=guest-pool disabled=no interface=vlan50-Guest lease-time=1h name=guest-net
add address-pool=smarthome-pool disabled=no interface=vlan190-SmartHome lease-time=1d name=smarthome-net
add address-pool=vm-pool disabled=no interface=vlan172-VM lease-time=1d name=vm-net

/interface bridge port
add bridge=LanBridge interface=ether7-S2 pvid=156
add bridge=LanBridge disabled=yes frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether10-S2 pvid=156
add bridge=LanBridge interface=ether6-S2 pvid=156
add bridge=LanBridge interface=vlan156-Brocade pvid=156
add bridge=LanBridge interface=ether9-S2 pvid=156
add bridge=LanBridge interface=ether8-S2 pvid=156
add bridge=LanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=vlan156-WiFi pvid=156

/ip neighbor discovery-settings
set discover-interface-list=!WAN

/interface bridge vlan
add bridge=LanBridge tagged=vlan156-WiFi,vlan156-Brocade untagged=ether8-S2,ether9-S2,ether7-S2,ether6-S2 vlan-ids=156

/interface list member
add interface=vlan50-Guest list=LAN
add interface=vlan172-VM list=LAN
add interface=vlan180-Cameras list=LAN
add interface=vlan190-SmartHome list=LAN
add interface=ether1-External list=WAN
add interface=vlan156-WiFi list=LAN

/ip address
add address=192.168.156.1/24 comment="Core Network" interface=LanBridge network=192.168.156.0
add address=172.16.156.1/24 comment=Local-VM-Gateway interface=vlan172-VM network=172.16.156.0
add address=192.168.8.1/24 comment="VPN Gateway" interface=LanBridge network=192.168.8.0
add address=10.180.1.1/24 comment=Cameras interface=vlan180-Cameras network=10.180.1.0
add address=192.168.199.1/24 comment="Guest Network" interface=vlan50-Guest network=192.168.199.0
add address=10.190.1.1/24 comment=SmartHome interface=vlan190-SmartHome network=10.190.1.0
As for the Cap AP
- wifi for home/vlan156 is working however slow
- unsure of how to get vlan190 working. I don't need a bridge right? Do I need the VLAN interface under the virtual wlan24?
# aug/22/2022 14:19:46 by RouterOS 6.48.4
# software id = VML7-F14K
#
# model = RouterBOARD cAP Gi-5acD2nD

/interface bridge
add name=lanBridge protocol-mode=none pvid=156 vlan-filtering=yes

/interface vlan
add interface=ether1 name=vlan156-Bridge vlan-id=156
add interface=ether1 name=vlan190-Bridge vlan-id=190

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=home supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=smarthome supplicant-identity=""

/interface wireless
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40/80mhz-eCee disabled=no frequency=auto mode=ap-bridge name=wlan5 security-profile=home ssid=MY_SSID vlan-id=156 vlan-mode=use-tag wireless-protocol=802.11

set [ find default-name=wlan1 ] band=2ghz-onlyn disabled=no installation=indoor mode=ap-bridge name=wlan24 security-profile=home ssid=MY_SSID vlan-id=156 vlan-mode=use-tag wireless-protocol=802.11

/interface vlan
add interface=wlan24 name=vlan156-2Ghz vlan-id=156
add interface=wlan5 name=vlan156-5Ghz vlan-id=156

/interface wireless
add disabled=no keepalive-frames=disabled mac-address=CE:2D:E0:AF:70:17 master-interface=wlan24 multicast-buffering=disabled name=wlan-Smart security-profile=smarthome ssid=SmartyPants vlan-id=190 vlan-mode=use-tag wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled

/interface vlan
add interface=wlan-Smart name=vlan190-Smarthome vlan-id=190

/interface bridge port
add bridge=lanBridge interface=ether2 pvid=156
add bridge=lanBridge ingress-filtering=yes interface=ether1 pvid=156
add bridge=lanBridge frame-types=admit-only-vlan-tagged interface=vlan156-Bridge pvid=156
add bridge=lanBridge interface=vlan156-5Ghz pvid=156
add bridge=lanBridge interface=vlan156-2Ghz pvid=156
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=vlan190-Bridge pvid=190
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=vlan190-Smarthome pvid=190

/interface bridge vlan
add bridge=lanBridge tagged=vlan156-Bridge untagged=ether2,vlan156-5Ghz,vlan156-2Ghz vlan-ids=156
add bridge=lanBridge tagged=vlan190-Bridge untagged=vlan190-Smarthome vlan-ids=190

/ip address
add address=192.168.156.3/24 interface=lanBridge network=192.168.156.0

anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN confusion (Trunk + CapAC)

Tue Aug 23, 2022 4:05 pm

(1) add bridge=LanBridge interface=vlan156-Brocade pvid=156

A VLAN is not a bridge port! Remove.
The SFP has nothing to do with LAN bridge anyway.
 
anav

Re: VLAN confusion (Trunk + CapAC)

Tue Aug 23, 2022 6:09 pm

I do have questions on the vlans.
Where is vlan156 traffic going mostly?
Is there something on vlan156 that all users will be accessing a lot, and if so which port is it located on?
Same with all the other vlans? (172,180,190)
Is it all traffic out to the internet or to local servers, and if so where are the servers located, etc.?

I am thinking there has to be a better way to organize/optimize your requirements... but not sure.
 
anav

Re: VLAN confusion (Trunk + CapAC)

Tue Aug 23, 2022 6:12 pm

Your CAPAC is configured weirdly but if it works it works.
What is not clear to me is what is the Management or Trusted VLAN??

Can I assume that vlan156 also acts as a management vlan as well as a data vlan?
In other words all the users on vlan156 should have access to config all smart devices??
 
nitrag

Re: VLAN confusion (Trunk + CapAC)

Tue Aug 23, 2022 9:02 pm

Thanks @anav.

Yes, vlan156 is the trusted/mgmnt. These are all my personal devices. I would be fine/happy if the vlan156 was untagged (if that's easier) everywhere except going towards the Brocade over the sfp trunk but I don't know how this looks going to the CapAC. I might have noticed slow speeds on CapAC, but won't really know until I get 4011 straightened out.

I have firewall rules to prevent ingress to LanBridge (vlan156). vlan172 gets a bunch of traffic the other vlans do not. I didn't include the firewall in the config since I'm just trying to figure out the bridging/trunking.
> The SFP has nothing to do with LAN bridge anyway.
So how do you specify the trunk? Do I just add the VLAN interfaces to the SFP interface? Like so?
add interface=sfp-brocade name=vlan172-VM vlan-id=172
add interface=sfp-brocade name=vlan180-Cameras vlan-id=180
 
anav

Re: VLAN confusion (Trunk + CapAC)

Tue Aug 23, 2022 9:03 pm

Pass the full config of the RB4011, meanwhile will work on the capac...
 
anav

Re: VLAN confusion (Trunk + CapAC)

Tue Aug 23, 2022 9:29 pm

This cleans up the capac to work properly and will be fully reachable from 156 via the trunk port from RB4011 to the trunk port ether1 on the capac.
I didn't include the wifi settings as they should be fine (separate from vlan and bridge settings).
Getting the most out of your wifi is another topic altogether.
My capac is set to 5Ghz A/N/AC, 20/40 Ce AND 2Ghz to G/N 20.

You will see at the bottom of the config I added an optional set of config lines that would allow you to set up the ether2 on the capac to
a. provide emergency access if the bridge hiccups OR
b. a safe place to configure the capac settings separate from the bridge.

My recommendation is the first thing you do is remove ether2 from the bridge, give it a name,
add the IP address suggested and probably done. Next plug in your laptop to ether2 of the capac and enter in an IP address of let's say
192.168.5.5 in the ipv4 settings and you should be in.

Then do the rest of the configuration from this access. :-)
I can do this because the capac is in an accessible location; if it's not, it's worthwhile running a long ethernet cable to a location where you can put your laptop and plug it in for future work.
# model = RouterBOARD cAP Gi-5acD2nD
# fixed
/interface bridge
add name=capBridge protocol-mode=none pvid=1 vlan-filtering=yes
/interface vlan
add interface=capBridge name=vlan156-Trusted vlan-id=156
/interface bridge port
# ether1 is the trunk to the RB4011: tagged frames only
add bridge=capBridge interface=ether1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
# wireless interfaces are access ports: untagged frames only, VLAN set by pvid
add bridge=capBridge interface=wlan5 pvid=156 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=capBridge interface=wlan24 pvid=156 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=capBridge interface=virtualWLANX pvid=180 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=capBridge interface=virtualWLANY pvid=190 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=capBridge tagged=capBridge,ether1 untagged=wlan5,wlan24 vlan-ids=156
add bridge=capBridge tagged=capBridge untagged=virtualWLANX vlan-ids=180
add bridge=capBridge tagged=capBridge untagged=virtualWLANY vlan-ids=190
/ip address
add address=192.168.156.3/24 interface=vlan156-Trusted network=192.168.156.0
# added
/interface list
add name=MGMT
/interface list member
add interface=vlan156-Trusted list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip dns
set allow-remote-requests=yes servers=192.168.156.1 comment="dns through trusted subnet gateway"
/ip route
# gateway corrected from 192.168.158.1 to match the trusted subnet gateway used above
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.156.1 comment="ensures route avail through trusted subnet gateway"
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
# consider adding
/interface ethernet
set [ find default-name=ether2 ] name=ether2-emergaccess
/ip address
# posted as 192.168.5.0/24, which is the network address; host address .1 is assumed here
add address=192.168.5.1/24 interface=ether2-emergaccess network=192.168.5.0
/interface list member
# vlan156-Trusted is already a MGMT member (added above); this is the new entry
add interface=ether2-emergaccess list=MGMT
 
nitrag

Re: VLAN confusion (Trunk + CapAC)

Wed Aug 24, 2022 4:02 pm

Should I be doing `use tag` and setting VLAN ID (to 156) in the wlan interfaces? Or just needed in the bridge port vlan?

But when I turned on vlan-filtering in the router (RB4011) I lose network access on both the Cap and Brocade. Ether ports 6-9 work. Something isn't correct with the trunking.

- Should `pvid` on the bridge be 156 or 1?
- I have tried enabling/disabling ingress-filtering
/interface bridge
add admin-mac=E4:8D:8C:0B:60:ED auto-mac=no name=lanBridge protocol-mode=none pvid=156 vlan-filtering=yes

/interface vlan
add interface=ether10-S2 name=vlan50-Guest vlan-id=50
add interface=sfp-brocade name=vlan156-Brocade vlan-id=156
add interface=ether10-S2 name=vlan156-WiFi vlan-id=156
add interface=sfp-brocade name=vlan172-VM vlan-id=172
add interface=sfp-brocade name=vlan180-Cameras vlan-id=180
add interface=ether10-S2 name=vlan190-SmartHome vlan-id=190

/interface bridge port
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether8-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether9-S2 pvid=156
add bridge=lanBridge disabled=yes ingress-filtering=yes interface=ether10-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=vlan156-Brocade pvid=156
add bridge=lanBridge interface=vlan156-WiFi pvid=156

/interface bridge vlan
add bridge=lanBridge tagged=vlan156-Brocade,vlan156-WiFi untagged=ether8-S2,ether9-S2,ether6-S2,ether7-S2 vlan-ids=156
 
nitrag

Re: VLAN confusion (Trunk + CapAC)

Wed Aug 24, 2022 5:04 pm

I messed around with the config a ton and eventually got RB4011 + CAP working for vlan156.

STILL BROKEN: vlan156 to Brocade and vlan190 to the CAP.

vlan172 is working just fine on Brocade....
cap-working-vlan156-only.txt
rb4011-working-vlan156-no-brocade.txt
 
anav

Re: VLAN confusion (Trunk + CapAC)

Wed Aug 24, 2022 6:37 pm

Yeah, I suppose the RB4011 and Capac have to be on the same wavelength vis-a-vis how the bridge is set up (default vlan-id=1).

I set up my capac the way I do, so the wireless settings are just wifi settings, no vlan settings within wifi settings.
Will take a look later today, bit busy at the moment.
 
nitrag

Re: VLAN confusion (Trunk + CapAC)

Wed Aug 24, 2022 7:26 pm

WEIRD! I saw another post of yours and made some changes and it's working for vlan156 wired/wifi/sfp! However, I think the CAP is still incorrect.

Changed:
- `vlan156-Brocade` was removed from sfp.
- Added generic `vlan156` to `lanBridge` interface
- Bridge Port: removed `vlan156-Brocade` and replaced it with just the sfp interface
- Bridge VLAN: tagged sfp

So how do I get the ether10S2 working like the SFP? Because following the same config logic doesn't work (tested).
# aug/24/2022 12:20:12 by RouterOS 6.48.6
# software id = 8PQW-VGK7
#
# model = RB4011iGS+
# serial number = AAAF09C9E66C
/interface bridge
add admin-mac=E4:8D:8C:0B:60:ED auto-mac=no name=lanBridge protocol-mode=none pvid=156 vlan-filtering=yes

/interface vlan
add interface=lanBridge name=vlan156 vlan-id=156  # MOVED vlan156-Brocade to this
add interface=ether10-S2 name=vlan156-WiFi vlan-id=156  # WIFI WORKS if I keep it like this
add interface=ether10-S2 name=vlan50-Guest vlan-id=50
add interface=ether10-S2 name=vlan190-SmartHome vlan-id=190
add interface=sfp-brocade name=vlan172-VM vlan-id=172
add interface=sfp-brocade name=vlan180-Cameras vlan-id=180

/interface bridge port
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether8-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether9-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-brocade pvid=156
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=vlan156-WiFi pvid=156

# Doing the same for ether10-S2 does not work like it does for Brocade/sfp so I have it disabled
add bridge=lanBridge disabled=yes frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether10-S2 pvid=156

/interface bridge vlan
add bridge=lanBridge tagged=sfp-brocade,vlan156-WiFi untagged=ether8-S2,ether9-S2,ether6-S2,ether7-S2 vlan-ids=156
 
nitrag

Re: VLAN confusion (Trunk + CapAC)

Wed Aug 24, 2022 8:21 pm

Spoke too soon, I tried again, and I was able to get rid of `vlan156-Wifi` and just use the ether10S2 interface. So now the cap is configured as you suggested and the virtual wlans are working.

So networking is looking good across subnets except now I have a loop....
- Loop Protect: `on` doesn't help
- Turning on STP brings down the network
interface,warning sfp-brocade: bridge port received packet with own address as source address (b8:69:f4:e6:b9:b5), probably loop 
RB4011:
/interface bridge port
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether8-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether9-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-brocade pvid=156
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether10-S2 pvid=156

/interface vlan
add interface=ether10-S2 name=vlan50-Guest vlan-id=50
add interface=lanBridge name=vlan156 vlan-id=156
add interface=sfp-brocade name=vlan172-VM vlan-id=172
add interface=sfp-brocade name=vlan180-Cameras vlan-id=180
add interface=ether10-S2 name=vlan190-SmartHome vlan-id=190

/interface bridge vlan
add bridge=lanBridge tagged=sfp-brocade,ether10-S2 untagged=ether8-S2,ether9-S2,ether6-S2,ether7-S2 vlan-ids=156
CapAC:
/interface bridge
add name=capBridge protocol-mode=none vlan-filtering=yes

/interface vlan
add interface=capBridge name=vlan50-Guest vlan-id=50
add interface=capBridge name=vlan156-Trusted vlan-id=156
add interface=capBridge name=vlan190-Smarthome vlan-id=190

/interface bridge port
add bridge=capBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=capBridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan5 pvid=156
add bridge=capBridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan24 pvid=156
add bridge=capBridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-Smart pvid=190

/interface bridge vlan
add bridge=capBridge tagged=ether1,capBridge untagged=wlan24,wlan5 vlan-ids=156
add bridge=capBridge tagged=ether1,capBridge untagged=wlan-Smart vlan-ids=190
add bridge=capBridge tagged=capBridge,ether1 untagged=wlan-Guest vlan-ids=50

/ip address
add address=192.168.156.3/24 interface=vlan156-Trusted network=192.168.156.0
 
anav

Re: VLAN confusion (Trunk + CapAC)

Wed Aug 24, 2022 9:15 pm

You work fast LOL. I have electricians, sheet metal workers and refrigerants at the home at the moment and thus not able to keep up. ;-)
Will look at your latest two configs when I can. I am sure it's almost there.
 
anav

Re: VLAN confusion (Trunk + CapAC)

Wed Aug 24, 2022 11:07 pm

On the capac, the only tagged=bridge entry required is for the management vlan.
Thus this
/interface bridge vlan
add bridge=capBridge tagged=ether1,capBridge untagged=wlan24,wlan5 vlan-ids=156
add bridge=capBridge tagged=ether1,capBridge untagged=wlan-Smart vlan-ids=190
add bridge=capBridge tagged=capBridge,ether1 untagged=wlan-Guest vlan-ids=50

Should be this.......
/interface bridge vlan
add bridge=capBridge tagged=ether1,capBridge untagged=wlan24,wlan5 vlan-ids=156
add bridge=capBridge tagged=ether1 untagged=wlan-Smart vlan-ids=190
add bridge=capBridge tagged=ether1 untagged=wlan-Guest vlan-ids=50
 
anav

Re: VLAN confusion (Trunk + CapAC)

Wed Aug 24, 2022 11:21 pm

(1) I am confused by your RB4011 setup.
If you are running VLAN156 on the bridge as you have here stated in two ways.........
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-brocade pvid=156

The issue.........
- You have stated by adding the PVID=156 that this is either an access port or hybrid port. However the frame-types stated mean the port is a trunk port (vlans only).
Suggest if it's meant as a hybrid port, get rid of frame types. On the other hand if it's truly a trunk port, get rid of the PVID setting.

(2) For the /interface vlan setting
/interface bridge vlan
add bridge=lanBridge tagged=??????, sfp-brocade,ether10-S2 untagged=ether8-S2,ether9-S2,ether6-S2,ether7-S2 vlan-ids=156

Guess what you missed to tag .......... the bridge!!
Should be.......
/interface bridge vlan
add bridge=lanBridge tagged=lanBridge,sfp-brocade,ether10-S2 untagged=ether8-S2,ether9-S2,ether6-S2,ether7-S2 vlan-ids=156

(3) After looking at the interface bridge vlan settings, it's clear on the /interface bridge ports
you only need to remove the PVID=156 as it appears to be a trunk port for sfp-brocade
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-brocade
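
An added example, not part of the thread and not MikroTik's or either poster's code: a small Python check that applies three rules stated in the replies above (a VLAN interface is not a bridge port; a tagged-only trunk port should not carry a pvid; the bridge itself must be tagged for a VLAN whose interface sits on the bridge) to the bridge sections of a RouterOS export. The function names, rule labels and both sample configs are constructed here from lines quoted in the thread.

```python
import shlex

def parse_export(text):
    """Return {section path: [ {key: value}, ... ]} for the 'add' lines of an export."""
    sections, current = {}, None
    for raw in text.replace("\\\n", " ").splitlines():   # join continuation lines
        line = raw.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            tokens = shlex.split(line[4:], comments=True)  # handles quotes and # comments
            current.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections

def vlan_ids(spec):
    """Expand a vlan-ids value such as '156' or '10,20-22' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def lint(text):
    """Return a list of (rule label, interface name) findings."""
    cfg = parse_export(text)
    vlan_ifs = cfg.get("/interface vlan", [])
    vlan_names = {v["name"] for v in vlan_ifs}
    ports = [p for p in cfg.get("/interface bridge port", [])
             if p.get("disabled") != "yes"]
    bridges = ({b["name"] for b in cfg.get("/interface bridge", [])}
               | {p["bridge"] for p in ports})
    findings = []
    for p in ports:
        # Rule 1: a VLAN interface must not be added as a bridge port.
        if p["interface"] in vlan_names:
            findings.append(("vlan-interface-as-bridge-port", p["interface"]))
        # Rule 2: tagged-only frame types mean trunk, so a non-default pvid contradicts it.
        if (p.get("frame-types") == "admit-only-vlan-tagged"
                and p.get("pvid", "1") != "1"):
            findings.append(("trunk-port-with-pvid", p["interface"]))
    for v in vlan_ifs:
        if v["interface"] not in bridges:
            continue  # VLAN interface on a physical port: not covered by rule 3
        # Rule 3: the bridge must be a tagged member of the VLAN it terminates.
        tagged = set()
        for row in cfg.get("/interface bridge vlan", []):
            if (row.get("bridge") == v["interface"]
                    and int(v["vlan-id"]) in vlan_ids(row["vlan-ids"])):
                tagged.update(row.get("tagged", "").split(","))
        if v["interface"] not in tagged:
            findings.append(("bridge-not-tagged-for-vlan", v["name"]))
    return findings

# Constructed sample: lines taken from the configs posted mid-thread.
AS_POSTED = """\
/interface bridge
add name=lanBridge protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=lanBridge name=vlan156 vlan-id=156
add interface=sfp-brocade name=vlan156-Brocade vlan-id=156
/interface bridge port
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-brocade pvid=156
add bridge=lanBridge interface=vlan156-Brocade pvid=156
/interface bridge vlan
add bridge=lanBridge tagged=sfp-brocade,ether10-S2 untagged=ether6-S2 vlan-ids=156
"""

# Constructed sample: the same sections with the three corrections applied.
AFTER_ADVICE = """\
/interface bridge
add name=lanBridge protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=lanBridge name=vlan156 vlan-id=156
/interface bridge port
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-brocade
/interface bridge vlan
add bridge=lanBridge tagged=lanBridge,sfp-brocade,ether10-S2 untagged=ether6-S2 vlan-ids=156
"""

if __name__ == "__main__":
    for label, config in (("as posted", AS_POSTED), ("after advice", AFTER_ADVICE)):
        print(label, lint(config))
```

The check only reads `add` lines in the four sections shown, so it is meant for reviewing an export before enabling `vlan-filtering`, not as a full RouterOS parser.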
 
nitrag

Re: VLAN confusion (Trunk + CapAC)

Sat Aug 27, 2022 5:50 pm

@anav

OK I configured as suggested. It took a few minutes to "set" so I was probably just impatient when I tested before. Almost there...
I still have this loop issue. I had a (wifi) chromecast device that kept sneaking onto the VM DHCP (vlan172) which is crazy because 172 isn't even hanging off the wifi. I kept deleting the Dynamic DHCP record and it kept coming back. Finally I deleted the record but rebooted the chromecast and it's back on the 156 network with the correct IP. The logs appear to indicate that 0.0.0.0 is receiving the DHCP packet and it's going to all DHCP servers?

looop.jpg
# aug/27/2022 10:24:52 by RouterOS 6.48.6
# software id = 8PQW-VGK7
#
# model = RB4011iGS+

/interface bridge
add admin-mac=E4:8D:8C:0B:60:ED auto-mac=no frame-types=admit-only-vlan-tagged ingress-filtering=yes name=lanBridge protocol-mode=none vlan-filtering=yes

/interface vlan
add interface=ether10-S2 loop-protect=on name=vlan50-Guest vlan-id=50
add interface=lanBridge loop-protect=on name=vlan156-Home vlan-id=156
add interface=sfp-brocade loop-protect=on name=vlan172-VM vlan-id=172
add interface=sfp-brocade loop-protect=on name=vlan180-Cameras vlan-id=180
add interface=ether10-S2 loop-protect=on name=vlan190-SmartHome vlan-id=190

/interface bridge port
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether8-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether9-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-brocade
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether10-S2 pvid=156

/interface bridge vlan
add bridge=lanBridge tagged=lanBridge,sfp-brocade,ether10-S2 untagged=ether8-S2,ether9-S2,ether6-S2,ether7-S2 vlan-ids=156
add bridge=lanBridge tagged=lanBridge,sfp-brocade vlan-ids=172
add bridge=lanBridge tagged=lanBridge,sfp-brocade vlan-ids=180

/ip address
add address=192.168.156.1/24 comment="Core Network" interface=vlan156-Home network=192.168.156.0
add address=172.16.156.1/24 comment=Local-VM-Gateway interface=vlan172-VM network=172.16.156.0
add address=192.168.8.1/24 comment="VPN Gateway" interface=vlan156-Home network=192.168.8.0
add address=10.180.1.1/24 comment=Cameras interface=vlan180-Cameras network=10.180.1.0
add address=192.168.199.1/24 comment="Guest Network" interface=vlan50-Guest network=192.168.199.0
add address=10.190.1.1/24 comment=SmartHome interface=vlan190-SmartHome network=10.190.1.0

/ip pool
add name=home-pool ranges=192.168.156.150-192.168.156.250
add name=vpn-pool ranges=192.168.8.10-192.168.8.30
add name=vm-pool ranges=172.16.156.50-172.16.156.99
add name=camera-pool ranges=10.180.1.100-10.180.1.120
add name=guest-pool ranges=192.168.199.100-192.168.199.200
add name=smarthome-pool ranges=10.190.1.100-10.190.1.199

/ip dhcp-server
add address-pool=home-pool disabled=no interface=vlan156-Home lease-time=1d name=gartin-net
add address-pool=camera-pool disabled=no interface=vlan180-Cameras lease-time=1d name=camera-net
add address-pool=guest-pool disabled=no interface=vlan50-Guest lease-time=1h name=guest-net
add address-pool=smarthome-pool disabled=no interface=vlan190-SmartHome lease-time=1d name=smarthome-net
add address-pool=vm-pool disabled=no interface=vlan172-VM lease-time=1d name=vm-net

anav

Re: VLAN confusion (Trunk + CapAC)  [SOLVED]

Sat Aug 27, 2022 6:19 pm

(1) Too fancy on the bridge, leave it to default!!! The only thing needed 99% on bridge is unique name if you want one and activate vlan-filtering=yes.
So, GET RID OF admit-only-vlan-tagged and ingress filtering. Only required at /interface bridge ports. Keep it simple!!

(2) Just not sure about your ether10??? Why is the pvid still there? Clearly you are sending it out as part of a trunk port iaw with your /interface bridge vlan settings??
Note in the same line you state admit-only-vlan-tagged ???? Thus another clue that the pvid is wrong!!

/interface bridge port
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether8-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether9-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-brocade
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether10-S2 pvid=156

/interface bridge vlan
add bridge=lanBridge tagged=lanBridge,sfp-brocade,ether10-S2 untagged=ether8-S2,ether9-S2,ether6-S2,ether7-S2 vlan-ids=156
add bridge=lanBridge tagged=lanBridge,sfp-brocade vlan-ids=172
add bridge=lanBridge tagged=lanBridge,sfp-brocade vlan-ids=180
 
nitrag

Re: VLAN confusion (Trunk + CapAC)

Tue Aug 30, 2022 11:58 pm

I'm 98% there! Thanks for all your help so far. I've added the bridge and removed PVID as you suggested.

So get this. On the Brocade, all the VLANs work except for vlan156!! Vlan 172, 180, 190 when I plug in, I get a DHCP address, can ping the gateway, can get to the internet (when not blocked by firewall). WiFi vlan156 works fine! It's just the brocade vlan156. I plug into one of the brocade vlan156 ports and I get a DHCP address but I can't ping anything. I thought it might be firewall somehow so I added an INPUT/FORWARD allow rule for my IP address and I could see that packet counter but no improvement. I ran Torch on the sfp-brocade and I can see "156" in the VLAN column for traffic. Is traffic not routing back? Does the Brocade switch need a virtual interface IP address in VLAN 156 to route (I don't have that for the other VLANs)?
# aug/30/2022 08:30:24 by RouterOS 6.48.6
# software id = 8PQW-VGK7
#
# model = RB4011iGS+

/interface bridge
add admin-mac=E4:8D:8C:0B:60:ED auto-mac=no ingress-filtering=yes name=lanBridge protocol-mode=none vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] l2mtu=1598 mac-address=10:93:97:61:96:61 name=ether1-External
set [ find default-name=ether2 ] l2mtu=1598 mac-address=E4:8D:8C:0B:60:EE name=ether2-S1 speed=100Mbps
set [ find default-name=ether3 ] l2mtu=1598 mac-address=E4:8D:8C:0B:60:ED name=ether3-S1 speed=100Mbps
set [ find default-name=ether4 ] l2mtu=1598 mac-address=E4:8D:8C:0B:60:EC name=ether4-S1 speed=100Mbps
set [ find default-name=ether5 ] name=ether5-S1
set [ find default-name=ether6 ] l2mtu=1598 mac-address=E4:8D:8C:0B:60:F5 name=ether6-S2 speed=100Mbps
set [ find default-name=ether7 ] l2mtu=1598 mac-address=E4:8D:8C:0B:60:F4 name=ether7-S2 speed=100Mbps
set [ find default-name=ether8 ] l2mtu=1598 mac-address=E4:8D:8C:0B:60:F3 name=ether8-S2 speed=100Mbps
set [ find default-name=ether9 ] l2mtu=1598 mac-address=E4:8D:8C:0B:60:F2 name=ether9-S2 speed=100Mbps
set [ find default-name=ether10 ] name=ether10-S2
set [ find default-name=sfp-sfpplus1 ] name=sfp-brocade

/interface vlan
add interface=ether10-S2 name=vlan50-Guest vlan-id=50
add interface=lanBridge name=vlan156-Home vlan-id=156
add interface=sfp-brocade loop-protect=on name=vlan172-VM vlan-id=172
add interface=lanBridge name=vlan180-Cameras vlan-id=180
add interface=lanBridge name=vlan190-SmartHome vlan-id=190

/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=auto
set 3 default-vlan-id=0
set 4 default-vlan-id=auto
set 5 default-vlan-id=auto
set 6 default-vlan-id=auto
set 7 default-vlan-id=auto
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=auto
set 11 default-vlan-id=auto

/interface list
add name=Isolated
add include=none name=WAN
add name=LAN

/ip dhcp-server option
add code=150 name=option150 value=0x04C0A89CB3

/ip pool
add name=home-pool ranges=192.168.156.150-192.168.156.250
add name=vpn-pool ranges=192.168.8.10-192.168.8.30
add name=vm-pool ranges=172.16.156.50-172.16.156.99
add name=camera-pool ranges=10.180.1.100-10.180.1.120
add name=guest-pool ranges=192.168.199.100-192.168.199.200
add name=smarthome-pool ranges=10.190.1.100-10.190.1.199

/ip dhcp-server
add address-pool=home-pool disabled=no interface=vlan156-Home lease-time=1d name=home-net
add address-pool=camera-pool disabled=no interface=vlan180-Cameras lease-time=1d name=camera-net
add address-pool=guest-pool disabled=no interface=vlan50-Guest lease-time=1h name=guest-net
add address-pool=smarthome-pool disabled=no interface=vlan190-SmartHome lease-time=1d name=smarthome-net
add address-pool=vm-pool disabled=no interface=vlan172-VM lease-time=1d name=vm-net

/interface bridge port
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether8-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether9-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-brocade
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether10-S2

/ip neighbor discovery-settings
set discover-interface-list=!dynamic

/interface bridge vlan
add bridge=lanBridge tagged=sfp-brocade,ether10-S2,lanBridge untagged=ether8-S2,ether9-S2,ether6-S2,ether7-S2 vlan-ids=156
add bridge=lanBridge tagged=lanBridge,ether10-S2,sfp-brocade vlan-ids=190
add bridge=lanBridge tagged=lanBridge,sfp-brocade vlan-ids=180

/interface detect-internet
set detect-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN

/interface list member
add interface=vlan50-Guest list=Isolated
add interface=vlan172-VM list=Isolated
add interface=vlan180-Cameras list=Isolated
add interface=vlan190-SmartHome list=Isolated
add interface=ether1-External list=WAN
add interface=vlan156-Home list=LAN

/ip address
add address=192.168.156.1/24 comment="Core Network" interface=vlan156-Home network=192.168.156.0
add address=172.16.156.1/24 comment=Local-VM-Gateway interface=vlan172-VM network=172.16.156.0
add address=192.168.8.1/24 comment="VPN Gateway" interface=vlan156-Home network=192.168.8.0
add address=10.180.1.1/24 comment=Cameras interface=vlan180-Cameras network=10.180.1.0
add address=192.168.199.1/24 comment="Guest Network" interface=vlan50-Guest network=192.168.199.0
add address=10.190.1.1/24 comment=SmartHome interface=vlan190-SmartHome network=10.190.1.0

/ip dhcp-client
add default-route-distance=3 disabled=no interface=ether1-External use-peer-dns=no


/ip dhcp-server network
add address=10.180.1.0/24 dns-server=10.180.1.1 gateway=10.180.1.1 ntp-server=10.180.1.1
add address=10.190.1.0/24 dns-server=10.190.1.1 gateway=10.190.1.1 ntp-server=10.190.1.1
add address=172.16.156.0/24 dns-server=172.16.156.1 gateway=172.16.156.1 ntp-server=172.16.156.1
add address=192.168.156.0/24 dns-server=192.168.156.1 gateway=192.168.156.1 ntp-server=192.168.156.1
add address=192.168.199.0/24 dns-server=192.168.199.1 gateway=192.168.199.1

/ip dns
set allow-remote-requests=yes cache-max-ttl=1d max-concurrent-queries=250 max-concurrent-tcp-sessions=200 servers=8.8.8.8,1.1.1.1

/ip firewall address-list
add address=10.180.1.0/24 list=Cameras
add address=10.190.1.0/24 list=SmartHome
add address=10.190.1.0/24 list=Guest
add address=172.16.156.0/24 list=VMs

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" src-address-type=!unicast
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=ether1-External
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1-External protocol=udp
add action=drop chain=forward connection-state=invalid,new,untracked dst-address=!10.50.1.0/24 out-interface-list=Isolated src-address=10.50.1.0/24
add action=drop chain=forward connection-state=invalid,new,untracked dst-address=!10.180.1.0/24 out-interface-list=Isolated src-address=10.180.1.0/24
add action=drop chain=forward connection-state=invalid,new,untracked dst-address=!10.190.1.0/24 out-interface-list=Isolated src-address=10.190.1.0/24
add action=drop chain=forward connection-state=invalid,new,untracked dst-address=!172.16.156.0/24 out-interface-list=Isolated src-address=172.16.156.0/24
add action=drop chain=input dst-port=53 in-interface=ether1-External port="" protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1-External port="" protocol=udp
add action=drop chain=input dst-port=161 in-interface=ether1-External port="" protocol=tcp
add action=drop chain=input dst-port=161 in-interface=ether1-External port="" protocol=udp
add action=drop chain=input dst-port=123 in-interface=ether1-External port="" protocol=tcp
add action=drop chain=input connection-state=invalid,new,untracked dst-port=123 in-interface=ether1-External port="" protocol=udp
add action=drop chain=input dst-port=8291 in-interface=ether1-External protocol=tcp
add action=drop chain=input dst-port=80 in-interface=ether1-External protocol=tcp
add action=drop chain=input connection-state=invalid,new,untracked in-interface=ether1-External
add action=drop chain=forward comment="Block camera internet" out-interface=ether1-External src-address-list=Cameras
add action=drop chain=forward comment="Block SmartHome Internet" out-interface=ether1-External src-address-list=SmartHome

/ip firewall nat
# Rest hidden for privacy
add action=masquerade chain=srcnat comment="generic masq" out-interface=ether1-External

/ip traffic-flow
set cache-entries=4k interfaces=ether4-S1

/ip traffic-flow ipfix
set first-forwarded=no icmp-code=no icmp-type=no igmp-type=no ip-header-length=no ip-total-length=no is-multicast=no tcp-ack-num=no tcp-flags=no tcp-seq-num=no tcp-window-size=no ttl=no udp-length=no

/ip upnp
set enabled=yes show-dummy-rule=no

/ip upnp interfaces
add interface=ether1-External type=external
add interface=vlan156-Home type=internal

BTW, I believe I resolved that loop error I was getting by removing "Dual-Mode" from Default Vlan 1 on Brocade. Now the Brocade should only be sending Tagged traffic.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN confusion (Trunk + CapAC)

Wed Aug 31, 2022 12:29 am

Not that it should make a difference but set this to none......
/interface detect-internet
set detect-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN

Your MT is set up correctly, sorry, cannot help with your non-MT switch settings as I don't have that unit........
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN confusion (Trunk + CapAC)

Wed Aug 31, 2022 1:41 am

"I plug into one of the brocade vlan156 ports and I get a DHCP address but I can't ping anything."
The above suggests that the Brocade access port is set up correctly. And that it is probably a firewall issue. Although it does assume you are getting an IP address from the home-pool (192.168.156.150-192.168.156.250), which you don't explicitly state.

/interface list
add name=Isolated
add include=none name=WAN
add name=LAN

/interface detect-internet
set detect-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN

/interface list member
add interface=vlan50-Guest list=Isolated
add interface=vlan172-VM list=Isolated
add interface=vlan180-Cameras list=Isolated
add interface=vlan190-SmartHome list=Isolated
add interface=ether1-External list=WAN
add interface=vlan156-Home list=LAN

But I see no LAN or vlan156-Home in your /ip firewall filter stanza.

The other thing I see that looks odd to me is that you are creating vlan interfaces on interfaces that belong to the bridge. I think that is a configuration error.
Note Well: (edit) The following was accidentally copied from post #16 (as noted by @anav in post #21). See my follow-up in post #22.
/interface vlan
add interface=ether10-S2 loop-protect=on name=vlan50-Guest vlan-id=50
add interface=lanBridge loop-protect=on name=vlan156-Home vlan-id=156
add interface=sfp-brocade loop-protect=on name=vlan172-VM vlan-id=172
add interface=sfp-brocade loop-protect=on name=vlan180-Cameras vlan-id=180
add interface=ether10-S2 loop-protect=on name=vlan190-SmartHome vlan-id=190
Last edited by Buckeye on Wed Aug 31, 2022 6:32 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN confusion (Trunk + CapAC)

Wed Aug 31, 2022 3:21 am

@buckeye, I looked at that for a long time and he is not wrong in terms of assigning vlans directly to the etherport, that is always possible.
But what you cannot do is then assign them the same vlans on the bridge etc to the same port....... I don't see that???

Where did you find this config? It is the wrong one....................
/interface vlan
add interface=ether10-S2 loop-protect=on name=vlan50-Guest vlan-id=50
add interface=lanBridge loop-protect=on name=vlan156-Home vlan-id=156
add interface=sfp-brocade loop-protect=on name=vlan172-VM vlan-id=172

add interface=sfp-brocade loop-protect=on name=vlan180-Cameras vlan-id=180
add interface=ether10-S2 loop-protect=on name=vlan190-SmartHome vlan-id=190

If you look at the config posted just above it reads differently and the interfaces are the lanBridge as expected???
/interface vlan
add interface=ether10-S2 name=vlan50-Guest vlan-id=50
add interface=lanBridge name=vlan156-Home vlan-id=156
add interface=sfp-brocade loop-protect=on name=vlan172-VM vlan-id=172
add interface=lanBridge name=vlan180-Cameras vlan-id=180
add interface=lanBridge name=vlan190-SmartHome vlan-id=190
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN confusion (Trunk + CapAC)

Wed Aug 31, 2022 4:08 am

@buckeye, I looked at that for a long time and he is not wrong in terms of assigning vlans directly to the etherport, that is always possible.
If you look at the config posted just above it reads differently and the interfaces are the lanBridge as expected???
/interface vlan
add interface=ether10-S2 name=vlan50-Guest vlan-id=50
add interface=lanBridge name=vlan156-Home vlan-id=156
add interface=sfp-brocade loop-protect=on name=vlan172-VM vlan-id=172
add interface=lanBridge name=vlan180-Cameras vlan-id=180
add interface=lanBridge name=vlan190-SmartHome vlan-id=190
It appears that when I added that second part I went too far back and quoted from the wrong post. But still what would be the reason for defining vlan 50 and 172 on ports that belong to the bridge?

I don't remember seeing that done in any example in the documentation. If ether10-S2 and sfp-brocade were not defined to be part of the bridge under /interface bridge port, then I wouldn't have mentioned it. (but I better check the correct post before inserting my foot in my mouth again).
I'm 98% there! Thanks for all your help so far. I've added the bridge and removed PVID as you suggested.

So get this. On the Brocade, all the VLANs work except for vlan156!! Vlan 172, 180, 190 when I plug in, I get a DHCP address, can ping the gateway, can get to the internet (when not blocked by firewall). WiFi vlan156 works fine! It's just the brocade vlan156. I plug into one of the brocade vlan156 ports and I get a DHCP address but I can't ping anything. I thought it might be firewall somehow so I added an INPUT/FORWARD allow rule for my IP address and I could see that packet counter but no improvement. I ran Torch on the sfp-brocade and I can see "156" in the VLAN column for traffic. Is traffic not routing back? Does the Brocade switch need a virtual interface IP address in VLAN 156 to route (I don't have that for the other VLANs)?

/interface bridge
add admin-mac=E4:8D:8C:0B:60:ED auto-mac=no ingress-filtering=yes name=lanBridge protocol-mode=none vlan-filtering=yes

/interface vlan
add interface=ether10-S2 name=vlan50-Guest vlan-id=50
add interface=lanBridge name=vlan156-Home vlan-id=156
add interface=sfp-brocade loop-protect=on name=vlan172-VM vlan-id=172
add interface=lanBridge name=vlan180-Cameras vlan-id=180
add interface=lanBridge name=vlan190-SmartHome vlan-id=190

/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=auto
set 3 default-vlan-id=0
set 4 default-vlan-id=auto
set 5 default-vlan-id=auto
set 6 default-vlan-id=auto
set 7 default-vlan-id=auto
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=auto
set 11 default-vlan-id=auto

/interface bridge port
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether8-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether9-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-brocade
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether10-S2
I have highlighted the parts that don't seem to me to be correctly used together. The blue parts don't go together, and the red parts don't go together (at least if I understand correctly).
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN confusion (Trunk + CapAC)

Wed Aug 31, 2022 4:20 pm

Understood, it took me a long time to wrap my head around it but think of the bridge as a different layer.

So a port can carry VLANS X,Y,Z
A port can be part of a bridge carrying vlans A, B, C

There is no conflict. At least that is my understanding.........
One has to be cognizant that any firewall rules pertaining to the bridge do not affect vlans x, y, z.
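
Added example, not part of any poster's message or of MikroTik's tooling: a small Python check over a trimmed excerpt of the Aug 30 export that lists the two patterns debated above, `/interface vlan` entries whose parent is itself a bridge port (Buckeye's observation) and bridge-parented VLAN interfaces whose bridge is not a tagged member of that VLAN ID. The function names and the parser are hypothetical, and `vlan-ids` is assumed to be a plain comma list (no ranges).

```python
import re
from collections import defaultdict

# Constructed sample: trimmed excerpt of the Aug 30 export quoted in the thread.
SAMPLE_EXPORT = """\
/interface vlan
add interface=ether10-S2 name=vlan50-Guest vlan-id=50
add interface=lanBridge name=vlan156-Home vlan-id=156
add interface=sfp-brocade loop-protect=on name=vlan172-VM vlan-id=172
add interface=lanBridge name=vlan180-Cameras vlan-id=180
add interface=lanBridge name=vlan190-SmartHome vlan-id=190
/interface bridge port
add bridge=lanBridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6-S2 pvid=156
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-brocade
add bridge=lanBridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether10-S2
/interface bridge vlan
add bridge=lanBridge tagged=sfp-brocade,ether10-S2,lanBridge untagged=ether6-S2 vlan-ids=156
add bridge=lanBridge tagged=lanBridge,ether10-S2,sfp-brocade vlan-ids=190
add bridge=lanBridge tagged=lanBridge,sfp-brocade vlan-ids=180
"""

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for every 'add' line."""
    menus, path = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            menus[path].append({k: v.strip('"') for k, v in KV.findall(line)})
    return menus

def audit_vlans(text):
    """List (vlan interface name, reason) pairs worth a second look."""
    menus = parse_export(text)
    member_of = {p["interface"]: p["bridge"] for p in menus["/interface bridge port"]}
    cpu_tagged = set()  # (bridge, vlan-id) where the bridge itself is a tagged member
    for row in menus["/interface bridge vlan"]:
        if row["bridge"] in row.get("tagged", "").split(","):
            cpu_tagged.update((row["bridge"], vid) for vid in row["vlan-ids"].split(","))
    findings = []
    for v in menus["/interface vlan"]:
        parent, vid = v["interface"], v["vlan-id"]
        if parent in member_of:
            findings.append((v["name"], f"parent {parent} is a port of bridge {member_of[parent]}"))
        elif parent in member_of.values() and (parent, vid) not in cpu_tagged:
            findings.append((v["name"], f"bridge {parent} is not a tagged member of VLAN {vid}"))
    return findings

if __name__ == "__main__":
    print(*audit_vlans(SAMPLE_EXPORT), sep="\n")
```

On the excerpt it reports vlan50-Guest and vlan172-VM, the two interfaces Buckeye asks about, and nothing for VLANs 156, 180 and 190.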
 
nitrag
just joined
Topic Author
Posts: 21
Joined: Thu Jun 15, 2017 9:22 pm

Re: VLAN confusion (Trunk + CapAC)

Thu Sep 01, 2022 5:36 pm

I am happy to report that I did have an error in the Brocade config for vlan156 which enabled "webauth" somehow. We are now 100% up and running with correct VLAN config! Thank you so much for your help, patience, and teachings @anav!
 
Zips
just joined
Posts: 6
Joined: Sat Feb 11, 2017 6:09 pm

Re: VLAN confusion (Trunk + CapAC)

Thu Sep 01, 2022 6:11 pm

I am happy to report that I did have an error in the Brocade config for vlan156 which enabled "webauth" somehow. We are now 100% up and running with correct VLAN config! Thank you so much for your help, patience, and teachings @anav!
This was a great read. I'm trying to do something similar with a RB1100AHx4. @nitrag, would you mind posting your configuration? I'm very new to all this and it gets too complicated for me; maybe if I can see how you got it done, I can understand it better and learn more!

Thank You.

-Z
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN confusion (Trunk + CapAC)

Thu Sep 01, 2022 7:17 pm

@nitrag, the issue really is the over-complexity of your setup. There is no need, that I can fathom, for the convoluted schema.

one bridge
assign all vlans to the bridge.

Use bridge ports and Bridge vlans to deliver vlans where needed.
Splitting them up the way you did causes blurred vision LOL
