
VLAN Configuration

Posted: Fri May 31, 2024 1:25 am
by DL7JP
Dear all,
my ISP is delivering Internet via VLAN 50 and VoIP via 40 (at ether5-TPP below). After quite some time I found a configuration that works with RouterOS when a VoIP-Client (Fritzbox) is connected to ether4-VoIP, public Internet is routed via vlan50-INTERNET in this minimal test scenario:
# 2024-05-30 23:22:41 by RouterOS 7.15
# software id = MZRN-97EY
#
# model = RB450Gx4
# serial number = E1D80D856D6D
/interface bridge
add name=bridge-TPP
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Management
set [ find default-name=ether4 ] name=ether4-VoIP
set [ find default-name=ether5 ] name=ether5-TPP
/interface vlan
add interface=ether5-TPP name=vlan40-VoIP vlan-id=40
add interface=ether5-TPP name=vlan50-INTERNET vlan-id=50
/interface bridge port
add bridge=bridge-TPP ingress-filtering=no interface=ether4-VoIP
add bridge=bridge-TPP ingress-filtering=no interface=vlan40-VoIP
/ip dhcp-client
add interface=ether1-Management
add interface=vlan50-INTERNET
I want to transfer this working scenario to a bridge with vlan-filtering active, since it is part of a larger scenario of VLANs. Unfortunately, I miserably failed after trying various variants (tagged/untagged in the ports, etc) even in the minimal setup; example:
# 2024-05-30 19:49:43 by RouterOS 7.15
# software id = MZRN-97EY
#
# model = RB450Gx4
# serial number = E1D80D856D6D
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=no name=bridge-TPP vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Management
set [ find default-name=ether4 ] name=ether4-VoIP
set [ find default-name=ether5 ] name=ether5-TPP
/interface vlan
add interface=bridge-TPP name=vlan50-INTERNET vlan-id=50
/interface bridge port
add bridge=bridge-TPP ingress-filtering=no interface=ether4-VoIP
add bridge=bridge-TPP ingress-filtering=no interface=ether5-TPP
/interface bridge vlan
add bridge=bridge-TPP tagged=bridge-TPP,ether5-TPP vlan-ids=50
add bridge=bridge-TPP tagged=bridge-TPP untagged=ether4-VoIP vlan-ids=40
/ip dhcp-client
add interface=ether1-Management
add interface=vlan50-INTERNET
The dhcp-client on vlan50-INTERNET is fine, but the VoIP-Client seems not to receive a response to dhcp-requests. Any ideas how to resemble the first configuration with VLAN-filtering on a bridge?

Re: VLAN Configuration

Posted: Fri May 31, 2024 1:47 am
by tdw
The bridge name bridge-TPP refers to both the bridge and the implicit bridge-to-CPU bridge port so you are connecting VLAN 40 on ether4 untagged to the CPU tagged. To connect ether4 untagged to ether5 tagged requires the following change to /interface bridge vlan:

add bridge=bridge-TPP tagged=ether5-TPP untagged=ether4-VoIP vlan-ids=40

Re: VLAN Configuration

Posted: Fri May 31, 2024 7:29 pm
by DL7JP
Thanks for the suggestion, very much appreciated! However, neither
add bridge=bridge-TPP tagged=bridge-TPP,ether5-TPP,ether4-VoIP vlan-ids=40
nor
add bridge=bridge-TPP tagged=bridge-TPP,ether5-TPP untagged=ether4-VoIP vlan-ids=40
does the trick. There must still be a difference to the first configuration above, which is the only one that works for the VoIP client listening on ether4-VoIP.

Re: VLAN Configuration

Posted: Fri May 31, 2024 8:02 pm
by DL7JP
After some experiments I found a combination that works:
# 2024-05-31 16:56:29 by RouterOS 7.15
# software id = MZRN-97EY
#
# model = RB450Gx4
# serial number = E1D80D856D6D
/interface bridge
add ingress-filtering=no name=bridge-TPP vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Management
set [ find default-name=ether4 ] name=ether4-VoIP
set [ find default-name=ether5 ] name=ether5-TPP
/interface vlan
add interface=bridge-TPP name=vlan50-INTERNET vlan-id=50
/interface bridge port
add bridge=bridge-TPP ingress-filtering=no interface=ether4-VoIP pvid=40
add bridge=bridge-TPP ingress-filtering=no interface=ether5-TPP
/interface bridge vlan
add bridge=bridge-TPP tagged=bridge-TPP,ether5-TPP vlan-ids=50
add bridge=bridge-TPP tagged=bridge-TPP,ether5-TPP untagged=ether4-VoIP vlan-ids=40
/ip dhcp-client
add interface=ether1-Management
add interface=vlan50-INTERNET
The trick seems to be declaring "pvid=40" when adding ether4-VoIP to the bridge, and defining ether4-VoIP as untagged on the bridge. I don't understand the rationale behind it, but at least it works.

Re: VLAN Configuration

Posted: Sat Jun 01, 2024 2:04 am
by tdw
I hadn't spotted that was missing; having bridge-TPP in the tagged list for VLAN 40 is unnecessary.

Under /interface bridge port the pvid= setting specifies which VLAN untagged ingress traffic is assigned to.
Under /interface bridge vlan ports in the untagged= interface list have the VLAN tag removed on egress. This is optional as the list will be dynamically populated based on the port PVID setting - some people prefer to have an interface with both pvid= and untagged= settings but you have to remember to update both when changing a VLAN ID, others (myself included) prefer to only have the pvid= setting and rely on the dynamic population.
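
The pvid/tagged/untagged behaviour described in the post above, as an added example that is not part of the original thread and is not RouterOS code. It is a simplified model that assumes ingress-filtering=no and frame-types=admit-all on every port, a default PVID of 1, and flooding to all VLAN members; the function names are hypothetical.

```python
# Simplified model of a vlan-filtering bridge: classify on ingress, tag or untag on egress.
# Assumptions: ingress-filtering=no, frame-types=admit-all, no MAC learning, default PVID 1.
DEFAULT_PVID = 1

def vlan_members(vlan_table, pvids, vid):
    """Return (tagged, untagged) port sets for vid: static entries plus PVID-derived ones."""
    tagged, untagged = set(), set()
    for entry in vlan_table:
        if vid in entry["vlan_ids"]:
            tagged |= set(entry.get("tagged", ()))
            untagged |= set(entry.get("untagged", ()))
    # A port whose PVID equals the VLAN ID joins the untagged list dynamically.
    untagged |= {port for port, pvid in pvids.items() if pvid == vid}
    return tagged, untagged - tagged

def forward(ports, pvid_overrides, vlan_table, in_port, tag=None):
    """Return {egress_port: tag or None} for a frame entering in_port (None = untagged)."""
    pvids = {p: pvid_overrides.get(p, DEFAULT_PVID) for p in ports}
    vid = tag if tag is not None else pvids[in_port]  # untagged ingress takes the port PVID
    tagged, untagged = vlan_members(vlan_table, pvids, vid)
    out = {p: vid for p in tagged if p != in_port}
    out.update({p: None for p in untagged if p != in_port})
    return out

# Constructed from the thread: port names and /interface bridge vlan entries as posted.
PORTS = ["bridge-TPP", "ether4-VoIP", "ether5-TPP"]
VLAN_TABLE = [
    {"vlan_ids": {50}, "tagged": ["bridge-TPP", "ether5-TPP"]},
    {"vlan_ids": {40}, "tagged": ["bridge-TPP", "ether5-TPP"], "untagged": ["ether4-VoIP"]},
]

def voip_uplink(pvid_overrides):
    """Tag carried on ether5-TPP by an untagged frame sent from the client on ether4-VoIP."""
    out = forward(PORTS, pvid_overrides, VLAN_TABLE, "ether4-VoIP")
    return out.get("ether5-TPP", "not forwarded")

if __name__ == "__main__":
    print("without pvid:", voip_uplink({}))                   # None: untagged, in VLAN 1
    print("with pvid=40:", voip_uplink({"ether4-VoIP": 40}))  # 40: tagged towards the ISP
    print("ISP to client:", forward(PORTS, {}, VLAN_TABLE, "ether5-TPP", tag=40))
```

In this model the downstream direction (tagged 40 in on ether5-TPP, untagged out on ether4-VoIP) works even without the PVID; only the client's own untagged frames end up in VLAN 1.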

Re: VLAN Configuration

Posted: Sat Jun 01, 2024 4:05 pm
by DL7JP
Thanks a lot for the explanation, I am slowly starting to see clearer... the VLAN configuration of RouterOS is not exactly intuitive ;-).

Re: VLAN Configuration

Posted: Sat Jun 01, 2024 5:16 pm
by abbio90
If you want, I created a guide on VLANs and usage on different chipsets. You can find my guide here; you must activate the English language by clicking on the flag.

https://foisfabio.it/index.php/2024/01/ ... otik-vlan/

Re: VLAN Configuration

Posted: Sun Jun 02, 2024 7:09 pm
by DL7JP
Thanks a bunch for all the hints! I nearly made it, here's a configuration that works on my router (TPP is the name of my ISP delivering vlan 50 (Internet) and 40 (VoIP), internally I use 1,15 and 25):
/interface bridge
add ingress-filtering=no name=bridge-TPP vlan-filtering=yes
add ingress-filtering=no name=bridge-VLANs vlan-filtering=yes

/interface bridge port
add bridge=bridge-VLANs frame-types=admit-only-untagged-and-priority-tagged interface=eth1-USR-NAS
add bridge=bridge-VLANs interface=eth13-Switch
add bridge=bridge-VLANs frame-types=admit-only-untagged-and-priority-tagged interface=eth9-IoT-Frontcam pvid=25
add bridge=bridge-VLANs frame-types=admit-only-untagged-and-priority-tagged interface=eth7-Guest pvid=15
add bridge=bridge-TPP interface=eth6-VoIP pvid=40
add bridge=bridge-TPP frame-types=admit-only-vlan-tagged interface=eth12-TPP

/interface bridge vlan
add bridge=bridge-VLANs comment=Guest tagged=bridge-VLANs,eth13-Switch vlan-ids=15
add bridge=bridge-VLANs comment=IoT tagged=bridge-VLANs,eth13-Switch vlan-ids=25
add bridge=bridge-VLANs comment=USR tagged=bridge-VLANs vlan-ids=1
add bridge=bridge-TPP tagged=bridge-TPP,eth12-TPP vlan-ids=50
add bridge=bridge-TPP tagged=eth12-TPP vlan-ids=40

/interface vlan
add interface=bridge-VLANs name=vlan1-USR vlan-id=1
add interface=bridge-VLANs name=vlan15-Guest vlan-id=15
add interface=bridge-VLANs name=vlan25-IoT vlan-id=25
add interface=bridge-TPP name=vlan50-INTERNET vlan-id=50
As you see, I am using 2 bridges, one for my ISP and one internally. So far, so good ...

I then tried to move all interfaces and declarations to one bridge (bridge-VLANs), i.e. 's/bridge-TPP/bridge-VLANs/g'. However, in this case my VoIP client can't register any more on VLAN 40. All else works fine. I ran out of ideas what the problem could be, any hints highly appreciated!

Re: VLAN Configuration

Posted: Mon Jun 03, 2024 7:18 pm
by tdw
Nothing obvious assuming that change is only applied to /interface bridge port (two entries), /interface bridge vlan (three entries on two lines) and /interface vlan (one entry) as you can't have two bridges with the same name. Do the Current Tagged and Current Untagged columns under Bridge > VLANs in Winbox show the ports to be assigned as expected?

Re: VLAN Configuration

Posted: Mon Jun 03, 2024 7:35 pm
by jaclaz
Semi-random thought, but the board is full of recommendations to not use vlan1, particularly when non-Mikrotik devices are in use, but not only, as it sometimes creates conflicts that are very difficult to detect.
Using vlan id 1 may be involved? (conflicting with the Fritzbox or some other device?)

Re: VLAN Configuration

Posted: Mon Jun 03, 2024 8:15 pm
by DL7JP
Hm ... might be, since all else looks OK to me. The VoIP client is indeed a Fritzbox, and the ISP delivers through copper from an Alcatel box to bridge-TPP. I also tried the reverse procedure, i.e. moving the LAN-side VLANs (1,15,25) to bridge-TPP where the ISP comes in. This works fine for about 10 minutes, then the LAN side stops routing packets.

I guess I will try replacing VLAN 1 with another number and see...

Re: VLAN Configuration

Posted: Mon Jun 03, 2024 8:41 pm
by jaclaz
I found a post by tdw about (not) using VLAN 1 that explains some of the reasons why:
viewtopic.php?t=206946#p1071170

Even if it comes out that it has nothing to do with your issue, it remains "best practice" to not use it.

First rules of the Mikrotik club :wink: :
1) You do not use VLAN 1
2) You DO NOT use VLAN 1
3) ...

Re: VLAN Configuration

Posted: Sun Jun 09, 2024 11:20 pm
by DL7JP
I re-configured it today without using VLAN ID 1. Guess what: It works now!