Woodster1975
just joined
Topic Author
Posts: 5
Joined: Sun Jun 14, 2020 6:50 pm

Bridge with VLAN filtering

Sun Sep 25, 2022 3:22 pm

Hi everyone, I have a problem with VLAN filtering on a bridge running on a 4011. I have a VLAN (VLAN id 100) which is attached to the bridge with a corresponding L3 interface. DHCP is configured and without VLAN filtering enabled on the bridge, everything works as expected. Once VLAN filtering is enabled traffic stops passing. I have tagged VLAN 100 on the outgoing interface. As soon as VLAN filtering is disabled, traffic resumes. Relevant config as follows:

/interface bridge
add ingress-filtering=no name=Home-NW-Bridge vlan-filtering=yes
/interface bridge port
add bridge=Home-NW-Bridge ingress-filtering=no interface=ether2
add bridge=Home-NW-Bridge ingress-filtering=no interface=ether3
add bridge=Home-NW-Bridge ingress-filtering=no interface=ether6
/interface bridge vlan
add bridge=Home-NW-Bridge tagged=ether2,ether3,ether6 vlan-ids=100


Interface I am testing this on is ether2. 4011 is running ROS7.5. Any suggestions?
 
anav
Forum Guru
Posts: 19117
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge with VLAN filtering

Sun Sep 25, 2022 4:32 pm

Did you follow this guide... viewtopic.php?t=143620
By the way, don't tell me another person that likes mixing apples and oranges.
If you are going to run vlans and bridge,
then make all subnets vlan on one bridge and don't have the bridge do anything,
in other words only vlans get ip pool, ip address, dhcp-server, dhcp-server network etc.

In any case you need to read the link make any adjustments and then
post your full config /export (minus the serial number and any public WANIP info)
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Bridge with VLAN filtering

Sun Sep 25, 2022 5:05 pm

I'd say that relevant config is a bit more than was posted. You have DHCP on some VLAN interface, right? That interface must be listed as tagged in /interface bridge vlan.
 
Woodster1975
just joined
Topic Author
Posts: 5
Joined: Sun Jun 14, 2020 6:50 pm

Re: Bridge with VLAN filtering

Mon Sep 26, 2022 4:57 pm

Hi everyone,

I have an IP address, DHCP server, IP pool etc configured on the VLAN which is attached to the bridge. See below:

/interface ethernet
set [ find default-name=ether2 ] comment="Access Point"
set [ find default-name=ether3 ] comment=Powerline
set [ find default-name=ether6 ] comment="KVM Host"
/interface bridge
add ingress-filtering=no name=Home-NW-Bridge vlan-filtering=yes
/interface vlan
add interface=Home-NW-Bridge name=Guest vlan-id=100
/interface bridge port
add bridge=Home-NW-Bridge ingress-filtering=no interface=ether2
add bridge=Home-NW-Bridge ingress-filtering=no interface=ether3
add bridge=Home-NW-Bridge ingress-filtering=no interface=ether6
/interface bridge vlan
add bridge=Home-NW-Bridge tagged=ether2,ether3,ether6 vlan-ids=100
/ip address
add address=192.168.101.1/24 interface=Guest network=192.168.101.0
/ip pool
add name=Guest_Pool ranges=192.168.101.10-192.168.101.254
/ip dhcp-server
add address-pool=Guest_Pool interface=Guest name=Guest-DHCP
/ip dhcp-server network
add address=192.168.101.0/24 dns-server=192.168.100.1 gateway=192.168.101.1
/interface bridge port
add bridge=Home-NW-Bridge ingress-filtering=no interface=ether2
add bridge=Home-NW-Bridge ingress-filtering=no interface=ether3
add bridge=Home-NW-Bridge ingress-filtering=no interface=ether6
/interface bridge vlan
add bridge=Home-NW-Bridge tagged=ether2,ether3,ether6 vlan-ids=100

The use case here is just a simple guest network, tagged onto an interface which has my regular network untagged using a Hybrid port configuration (ether2). One point which is worth mentioning again is that this configuration works as expected until VLAN filtering on the bridge is enabled. The aim here is to simply restrict the amount of VLANs that are tagged on a Hybrid port.
 
anav
Forum Guru
Posts: 19117
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge with VLAN filtering

Mon Sep 26, 2022 5:55 pm

Sorry, you only have one subnet identified, and thus not sure what you are trying to do...
Why mixing apples and oranges and making config more complex, no need for hybrid ports for example.
You need two vlans.
vlan100 guests
vlan10 normal users.

/interface vlan
add interface=Home-NW-Bridge name=vlan_Guest-100 vlan-id=100
add interface=Home-NW-Bridge name=vlan_Home-10 vlan-id=10
/ip address
add address=192.168.101.1/24 interface=vlan_Guest-100 network=192.168.101.0
add address=192.168.10.1/24 interface=vlan_Home-10 network=192.168.10.0
/ip pool
add name=Guest_Pool ranges=192.168.101.10-192.168.101.254
add name=Home_Pool ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add address-pool=Guest_Pool interface=vlan_Guest-100 name=Guest-DHCP
add address-pool=Home_Pool interface=vlan_Home-10 name=Home-DHCP
/ip dhcp-server network
add address=192.168.101.0/24 dns-server=192.168.100.1 gateway=192.168.101.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1

Where you have it wrong is the /interface bridge ports and /interface bridge vlan settings.
However, before a clear answer can be provided, we need to know what you are connecting to on etherports 2 through X.
To dumb PC/printer
To smart switch
To something else

What is it that can accept a hybrid flow of traffic for example on your ether2??


ASIDE DISCUSSION: By the way, it matters not how many vlans are tagged on a hybrid port, the key is ONLY one untagged vlan can be assigned but as many tagged vlans you wish.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Bridge with VLAN filtering

Mon Sep 26, 2022 6:07 pm

Or you can just do what I already suggested and set tagged=Home-NW-Bridge,ether2,ether3,ether6.
 
anav
Forum Guru
Posts: 19117
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge with VLAN filtering

Mon Sep 26, 2022 6:21 pm

Yes, as I noted where the problems lay, that is one of them but again, going to name you "cart before the horse" Sob.
You fail to note the incomplete /interface bridge port settings as well and thus that would not really fix all the issues.

Which means the OP doesn't understand the bridge filtering process and one liner answers are not helpful for the OP to learn.
Let alone the fact that the OP is throwing around the words hybrid, and it's not clear why and the fact that he thinks one needs to limit the number of tagged vlans on a hybrid port is another clue to the need for education.

@OP: Please read this as a starting point - viewtopic.php?t=143620

Oh wait, I already did and it's clear the OP made a very weak effort in that regard and thus he needs a leg up to learn, not snippets of answers!!!
 
Woodster1975
just joined
Topic Author
Posts: 5
Joined: Sun Jun 14, 2020 6:50 pm

Re: Bridge with VLAN filtering

Mon Sep 26, 2022 6:43 pm

Hi Anav,

Thanks for your reply.
I have my home network configured directly on the bridge, complete with its own IP address, DHCP server & pool etc (I omitted that detail from the config I supplied as this element is working fine). Ether2 is connected to an access point. I also have a KVM host connected to ether6 which uses various VLANs for VMs that reside on it. On my access point I have configured a 'Guest' SSID which utilises VLAN 100 for clients. This works perfectly if I switch off VLAN filtering on the bridge Home-NW-Bridge. If I enable it, traffic stops passing on VLAN 100. From the documentation I have read, it appears that under the '/interface bridge vlan' context the command to permit and tag the VLAN(s) once filtering is enabled on the required interface(s) is in my case 'add bridge=Home-NW-Bridge tagged=ether2,ether3,ether6 vlan-ids=100'. This does not appear to work for me.

My reason for wanting to restrict the amount of VLANs on a hybrid port is due to security. At home it doesn't matter about including every VLAN on a hybrid interface. If I wanted to use this in a business environment I would want to prune only the specific VLANs to meet the client's requirements. In the Cisco world on a switchport the command to permit only the required VLANs would be: 'switchport trunk allowed vlan x,y,z'.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Bridge with VLAN filtering

Mon Sep 26, 2022 6:44 pm

@anav: And I'm going to name you, "fix everything else before or instead the actual problem" anav. :D

OP posted partial config first and judging by those repeating parts, next attempt is also edited and probably incomplete. So a hint what's clearly wrong could be enough.
 
anav
Forum Guru
Posts: 19117
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge with VLAN filtering

Mon Sep 26, 2022 7:47 pm

Yes, of course, the OP is claiming about getting wet, but one cannot save the world unless one understands all the interconnected world's problems LOL. Once we get hunger, famine out of the way we can work on shelter...

@OP I figured you had gone down the rabbit(sob) hole of mixing up bridge and vlans. I personally as soon as I start using vlans on a bridge take away the bridge from any duties other than being a simple bridge. It makes life clean, consistent and simple.
Regardless you can do it anyway you like. :-) ( sentence added to make Sob happy )

However, which AP are you using on ether2? Is it a smart AP? If so, is it Mikrotik??
Most of them expect vlans on a trunk port except UNIFI as they come default expecting the management or trusted subnet untagged, all the data vlans tagged.
So once we have sorted out what monster you are using...

As for # of vlans, you only send vlans to a device that are required, so there is security paring down here. Functionality/requirements drive the vlans going through any interface.
Security is ensuring firewall rules are applied where necessary and one can add ingress filtering and frame types on the /interface bridge port settings... for a full vlan scenario.
Hybrid ports usually don't have such settings.
 
anav
Forum Guru
Posts: 19117
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge with VLAN filtering

Mon Sep 26, 2022 7:56 pm

So assuming the home lan untagged is what you want to reach the AP, and vlan100 tagged

/interface bridge port
add bridge=Home-NW-Bridge ingress-filtering=no interface=ether2
add bridge=Home-NW-Bridge ingress-filtering=no interface=ether3
add bridge=Home-NW-Bridge ingress-filtering=no interface=ether6
/interface bridge vlan
add bridge=Home-NW-Bridge tagged=Home-NW-Bridge,ether2 vlan-ids=100
 
Woodster1975
just joined
Topic Author
Posts: 5
Joined: Sun Jun 14, 2020 6:50 pm

Re: Bridge with VLAN filtering

Mon Sep 26, 2022 8:31 pm

Hi Anav,

Thank you for your reply. The missing part of the config was not tagging the VLAN on the bridge. I had this:
/interface bridge vlan
tagged=ether2,ether3,ether6 vlan-ids=100

Your suggestion was to configure it like this:
tagged=ether2,ether3,Home-NW-Bridge,ether6 vlan-ids=100

With the VLAN tagged it is now working as expected.

As a further discussion point, I am happy to move the bridge layer 3 config to a VLAN if this is Mikrotik's recommended configuration. Will schedule in a maintenance window with the family and get this done.

Either way, it is now working perfectly.

Thanks very much for your help.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Bridge with VLAN filtering

Mon Sep 26, 2022 8:33 pm

anav wrote: "I personally as soon as I start using vlans on a bridge take away the bridge from any duties other than being a simple bridge."
And I usually do the same, the uniformity of using VLAN interfaces for all VLANs seems more clear and easier to understand. But it's not that big a difference, if instead of one VLAN interface you use the bridge directly, it's just another interface.
 
Woodster1975
just joined
Topic Author
Posts: 5
Joined: Sun Jun 14, 2020 6:50 pm

Re: Bridge with VLAN filtering

Mon Sep 26, 2022 8:50 pm

Makes sense, thanks for the help guys 😊
