7487
just joined
Topic Author
Posts: 4
Joined: Mon May 22, 2023 9:48 pm

VLAN interfaces assigned directly to the bridge versus a VLAN on a port in the bridge?

Fri Mar 08, 2024 2:58 am

Desired outcome...

Port 1 (WAN) receives untagged traffic and VLAN 66 tagged traffic. VLAN 66 tagged is passed to all ports in the bridge and vice versa, while the untagged traffic on port 1 is NATed and routed to and from all ports on the bridge.

The second config fails to work, why? It acts like a network loop occurs on the bridge itself, but I cannot prove or disprove this. Furthermore, I'm mystified as to the way the bridge seems to inherit properties from physical ports. For example, put a DHCP server on a port, then put all your ports in the bridge, and suddenly there's DHCP on all the ports that were added to the bridge. It makes more sense to me to think of the bridge as a layer 3 capable device, to add the DHCP server to the bridge and let the ports inherit from it.

Is there a more efficient way to accomplish what the first configuration does without having to add vlan66 to a physical port?

VLAN on port then added to bridge works...
# 2024-03-07 15:49:04 by RouterOS 7.14
# software id = 3T7B-55NM
#
# model = CCR2116-12G-4S+
# serial number = HFD09A9M9VZ
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="WAN ether1 "
/interface vlan
add interface=ether9 name="VLAN66 Private" vlan-id=66
add interface="WAN ether1 " name="VLAN66 Public" vlan-id=66
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface="VLAN66 Public"
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface="VLAN66 Private"
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether8
/ip firewall connection tracking
set udp-timeout=10s
/interface bridge vlan
add bridge=bridge1 comment="VLAN66 Tagged" tagged="VLAN66 Private,VLAN66 Publi\
    c,bridge1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,\
    ether11,ether12,ether13" vlan-ids=66
add bridge=bridge1 comment="VLAN 1 Untagged" vlan-ids=1
/ip address
add address=192.168.100.1/24 comment=defconf interface=ether9 network=\
    192.168.100.0
/ip dhcp-client
add interface="WAN ether1 "
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface="WAN ether1 "
/system clock
set time-zone-name=America/Los_Angeles
/system note
set show-at-login=no

VLAN directly on the bridge fails to pass traffic; the private VLAN interface refuses to come online in the bridge VLAN tab?
# 2024-03-07 16:23:05 by RouterOS 7.14
# software id = 3T7B-55NM
#
# model = CCR2116-12G-4S+
# serial number = HFD09A9M9VZ
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="WAN ether1 "
/interface vlan
add interface=bridge1 name="VLAN66 Private" vlan-id=66
add interface="WAN ether1 " name="VLAN66 Public" vlan-id=66
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface="VLAN66 Public"
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface="VLAN66 Private"
/ip firewall connection tracking
set udp-timeout=10s
/interface bridge vlan
add bridge=bridge1 comment="VLAN66 Tagged" tagged="VLAN66 Public,bridge1,ether\
    2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12\
    ,ether13,VLAN66 Private" vlan-ids=66
add bridge=bridge1 comment="VLAN 1 Untagged" vlan-ids=1
/ip address
add address=192.168.100.1/24 comment=defconf interface=ether9 network=\
    192.168.100.0
/ip dhcp-client
add interface="WAN ether1 "
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface="WAN ether1 "
/system clock
set time-zone-name=America/Los_Angeles
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
Regards
 
anav
Forum Guru
Posts: 19500
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN interfaces assigned directly to the bridge versus a VLAN on a port in the bridge?

Fri Mar 08, 2024 3:52 am

What are the requirements for traffic flow that describe all users and devices? Cherry-picking a port is almost useless to give advice on; configs are integrated animals.
A network diagram will help as well.
 
CGGXANNX
Frequent Visitor
Posts: 75
Joined: Thu Dec 21, 2023 6:45 pm

Re: VLAN interfaces assigned directly to the bridge versus a VLAN on a port in the bridge?

Fri Mar 08, 2024 5:47 am

You could try:

* Put all ports, including ether1 which is your WAN port, under the main bridge.
* Under /interface/bridge/port, set the PVID of ether1 to 1000 and frame-types to admit-all.
* Under /interface/bridge/vlan configure vlan-ids=66 bridge=bridge1 with all ports and bridge1 as "tagged" like you already did
* Under /interface/bridge/vlan add entry for vlan-ids=1000 bridge=bridge1 tagged=bridge1. This entry will automatically have ether1 under "Current untagged"
* Under /interface/vlan add new VLAN1000 interface with vlan-id=1000 interface=bridge1

This new VLAN1000 interface will now be your untagged WAN interface (it carries the untagged traffic arriving on the ether1 port); you'll use it instead of "WAN ether1" in your configurations.
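The layout CGGXANNX describes, written out as one complete RouterOS 7 configuration. This is an added example, not a config posted in the thread: it keeps the OP's names (bridge1, "WAN ether1 ", ether2 to ether13, VLAN66 Private) and assumes a box with no default configuration, VLAN ID 1000 for the untagged WAN side and the default PVID 1 for the untagged LAN side; the IDs are arbitrary choices, not RouterOS requirements. Two points a practitioner should not skip are marked in the comments: ingress-filtering=yes on every port, which is what stops the upstream device from injecting frames tagged with anything other than 66, and enabling vlan-filtering last, from a session that does not come in over the WAN port.

```routeros
# Added example, not from the thread. Assumes an empty config; names from the
# OP's export, VLAN 1000 (untagged WAN) and PVID 1 (untagged LAN) chosen here.

/interface bridge
add name=bridge1 vlan-filtering=no comment="vlan-filtering is switched on at the end"

/interface ethernet
set [ find default-name=ether1 ] name="WAN ether1 "

# Every port is a bridge member, WAN included. ether1 carries untagged frames
# (assigned to VLAN 1000 by its pvid) plus tagged 66. ingress-filtering=yes
# drops any frame tagged with a VLAN the port is not a member of, so the
# upstream device cannot push, say, tagged VLAN 1 into the LAN.
/interface bridge port
add bridge=bridge1 interface="WAN ether1 " pvid=1000 frame-types=admit-all ingress-filtering=yes
add bridge=bridge1 interface=ether2 pvid=1 frame-types=admit-all ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=1 frame-types=admit-all ingress-filtering=yes
add bridge=bridge1 interface=ether4 pvid=1 frame-types=admit-all ingress-filtering=yes
add bridge=bridge1 interface=ether5 pvid=1 frame-types=admit-all ingress-filtering=yes
add bridge=bridge1 interface=ether6 pvid=1 frame-types=admit-all ingress-filtering=yes
add bridge=bridge1 interface=ether7 pvid=1 frame-types=admit-all ingress-filtering=yes
add bridge=bridge1 interface=ether8 pvid=1 frame-types=admit-all ingress-filtering=yes
add bridge=bridge1 interface=ether9 pvid=1 frame-types=admit-all ingress-filtering=yes
add bridge=bridge1 interface=ether10 pvid=1 frame-types=admit-all ingress-filtering=yes
add bridge=bridge1 interface=ether11 pvid=1 frame-types=admit-all ingress-filtering=yes
add bridge=bridge1 interface=ether12 pvid=1 frame-types=admit-all ingress-filtering=yes
add bridge=bridge1 interface=ether13 pvid=1 frame-types=admit-all ingress-filtering=yes

# VLAN table. bridge1 itself (the "switch-facing interface of the router") is a
# tagged member of 1000 so the router's vlan1000-wan interface sees WAN frames.
# Listing bridge1 under VLAN 66 is only needed if the router must have an IP in
# VLAN 66; drop it from that line if VLAN 66 is just passed through.
/interface bridge vlan
add bridge=bridge1 vlan-ids=66 comment="VLAN66 tagged on every port" \
    tagged="bridge1,WAN ether1 ,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13"
add bridge=bridge1 vlan-ids=1000 comment="untagged WAN side" tagged=bridge1 untagged="WAN ether1 "
add bridge=bridge1 vlan-ids=1 comment="untagged LAN side" \
    untagged="bridge1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13"

# L3 interfaces hang off the bridge, never off a slave port.
/interface vlan
add interface=bridge1 vlan-id=1000 name=vlan1000-wan comment="untagged WAN, via pvid on ether1"
add interface=bridge1 vlan-id=66 name="VLAN66 Private" comment="optional: only if the router needs an IP in 66"

# Firewall rules and NAT key on these lists, not on "WAN ether1 ": the physical
# port is now a bridge slave and no longer the L3 ingress interface.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=vlan1000-wan
add list=LAN interface=bridge1

/ip address
add address=192.168.100.1/24 interface=bridge1 network=192.168.100.0
/ip pool
add name=dhcp_pool0 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dhcp-client
add interface=vlan1000-wan

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

# Enable filtering last, from console or a LAN-side session, so a mistake in
# the VLAN table cannot lock you out over the WAN port.
/interface bridge set bridge1 vlan-filtering=yes

# Verify: every port and bridge1 under current-tagged for 66, "WAN ether1 "
# under current-untagged for 1000, no port in a VLAN it should not be in.
/interface bridge vlan print
/interface bridge host print where vid=66
```

With this layout nothing is ever configured on ether9 or any other slave; the 192.168.100.0/24 address, the DHCP server and the NAT rule all reference bridge1 or vlan1000-wan, which is the answer to the OP's "why does the bridge inherit from the port" question: it does not, the port's own settings are simply ignored once it is a slave.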
 
mkx
Forum Guru
Posts: 11682
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN interfaces assigned directly to the bridge versus a VLAN on a port in the bridge?

Fri Mar 08, 2024 9:03 am

Furthermore, I'm mystified as to the way the bridge seems to inherit properties from physical ports.

What you fail to understand is that a bridge is a transparent ethernet entity. Whatever talks to one port can talk to other ports (this eventually depends on bridge config, such as VLAN settings). Read this explanation about the different bridge personalities.

Eventually do as @CGGXANNX suggests: treat untagged WAN as yet another VLAN, untagged on wire.
 
RhoAius
newbie
Posts: 31
Joined: Fri Jul 12, 2019 10:47 pm

Re: VLAN interfaces assigned directly to the bridge versus a VLAN on a port in the bridge?

Fri Mar 08, 2024 4:55 pm

In both configurations your VLAN and bridge logic is wrong.

In the first config
  • ether9 has a vlan interface (id 66)
  • WAN ether1 has a vlan interface (id 66)
  • then you add ether2-13 and both of these vlans in a bridge
    Up till here the only issue is that you cannot use "VLAN66 Private" in the bridge, because the parent interface ether9 is also in the bridge.
    When an interface is a "slave" of a bridge (the master), all settings on that interface are irrelevant and the bridge should be addressed instead (IP/VLAN/etc.)
  • Then you instruct the bridge to tag vlan 66 on all ports
    ether2-13 are ok
    VLAN66 Private is disabled because the parent (ether9) is a "slave" and is thus ignored
    VLAN66 Public will have all untagged traffic and tagged VLAN 66
    But VLAN ID 66 will not work inside VLAN ID 66 (VLAN66 Public), as this is not how you set up Q-in-Q VLANs
  • IP 192.168.100.1/24 should be set on the master port (bridge1), not on the slave (ether9)

    Logically you have WAN ether1
    • tagged 66 traffic(VLAN66 Public)
      • untagged traffic(basically your lan)
      • tagged 66 traffic (from all other ports in the bridge, most likely discarded because of the badly formed packet)
    • untagged traffic(internet)
In the second config
  • bridge1 has a vlan interface (id 66)
  • WAN ether1 has a vlan interface (id 66)
  • then you add ether2-13 and both of these vlans in a bridge
    Logically you cannot have a subinterface of the bridge (VLAN66 Private) in the same bridge
    VLAN66 Public suffers from the same issue as in the first config
 
7487
just joined
Topic Author
Posts: 4
Joined: Mon May 22, 2023 9:48 pm

Re: VLAN interfaces assigned directly to the bridge versus a VLAN on a port in the bridge?

Mon Mar 11, 2024 9:08 pm

https://ibb.co/QP40gxX

Network topology pic as requested; there's not much to show. I have no control over the way that hybrid port comes into the router. In my opinion it should all come trunked.

CGGXANNX: that is worth a try; forcing the untagged traffic off VLAN 1 to another PVID should work. Simply adding port 1 (WAN) to the bridge without doing that breaks the DHCP server etc.

mkx, that first pic in that "RouterOS bridge mysteries explained" post goes a long way; I just wish the other 2 pics had shown up for me. So maybe at this point I need to change the question entirely to something along the lines of, "Is there a way of creating, or assigning, a virtual port from the router to the switch, so as to negate the need to use a physical port in order to do this?" The bridge mysteries post talks about something like this being done automatically here: "Now the software module called “bridge” in RouterOS implements three of the elements above: the switch-facing interface of the router, the router-facing port of the switch, and the switch itself." But I'm not quite getting it. In my method I'm creating VLANs on the CPU port interfaces, so that I can force those interfaces into the bridge. Per RhoAius, there are problems in the first config, despite it working and all the interfaces appearing as up in WinBox, because "you cannot use "VLAN66 Private" in the bridge because the parent interface ether9 is also in the bridge." So I think what RhoAius is saying is: move the DHCP server back to the bridge from port 9, where I'd really rather have it anyway, and delete:
/interface vlan
add interface=ether9 name="VLAN66 Private" vlan-id=66
/interface vlan

because once I assign port 9 to the bridge, all aspects of that port are automatically available (slave) to the bridge, including VLAN66 Private.

Regards
 
mkx
Forum Guru
Posts: 11682
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN interfaces assigned directly to the bridge versus a VLAN on a port in the bridge?

Mon Mar 11, 2024 9:49 pm

... "Is there a way of creating, or assigning, a virtual port from the router to the switch, so as to negate the need to use a physical port in order to do this?"

I'm pretty sure I don't understand your question.

When one creates a bridge, one gets all the bells and whistles. Now let's assume nothing gets offloaded to hardware.

So one gets:
  • "the switch" ... which, after adding ports, passes ethernet frames between member ports ... according to the forwarding database (so as not to flood all ports with frames whose destination port is known) and according to the VLAN setup (if configured)
    When looking at a traditional "dumb" switch device, this function is performed by the switch chip itself.
  • the "router-facing port of the switch" ... which has to be configured the same way as the rest of the ports (e.g. VLAN settings). It's treated by the switch the same way as the rest of the ports which are members of the same switch
    When looking at a traditional "dumb" switch device, this might be the "upstream" port, connecting a "router on a stick" device.
    The rest of the ports are then all those ether ports of the switch device (hard wired to the switch chip), while in ROS one can add very different interfaces (from ether ports to wireless interfaces, also L2 tunnel endpoints, etc.)
  • the "switch-facing interface of the router" ... which is then used for L3 interaction between the router and the bridged network(s).
    There is no parallel to this in traditional switches, because this interface is already part of the router entity. When looking at a traditional router (one subnet per interface), this interface is similar to any of those stand-alone physical interfaces. So if looking at the before-mentioned "router-on-a-stick" which uses its ether1 port to connect to a dumb switch, then the "switch-facing interface of the router" is the same as ether1 on that traditional router.

When L2HW offload comes into play, things get mapped to the underlying hardware to a certain extent (e.g. the "router-facing port of the switch" gets mostly, but not entirely, mapped to the switch-CPU interconnect, etc.). But conceptually things don't really get any different.

So how does the question I quoted at the beginning of this post fit the 3 personalities I outlined?

Perhaps ... one doesn't have to assign any physical interface as a port to have a bridge up and running. But the usefulness of such a bridge is quite limited (I'm not saying it is not useful at all, but those uses are niche cases).

If you're thinking about VLAN 66, which is only present on a single bridge port (part of a trunk or hybrid setup) ... that's not a problem at all ... because (remember!) it won't be only on a single port, it'll also be present on the bridge port (switch-facing interface of the router) ... and the bridge ("the switch") will safely pass VLAN 66 frames between both ports.
 
anav
Forum Guru
Posts: 19500
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN interfaces assigned directly to the bridge versus a VLAN on a port in the bridge?

Mon Mar 11, 2024 9:56 pm

Okay, so basically it would appear that the MT is behind another device and getting
a. a private IP and associated subnet incoming on the ethernet cable as untagged traffic (assumption: this is the LAN IP of the MT on the upstream router's LAN and thus also the WAN IP of the MT)
b. tagged VLAN 66, which is WHAT? (assumption: this is a private subnet with DHCP service, firewall rules etc. being provided on the upstream device)

It would appear that VLAN 66 needs to reach some ports on the MT, but perhaps also other downstream devices via a switch. (Assumption: the MT is transparently moving this VLAN for the upstream device to other users.)

You need to make up your mind on what the purpose and destination of VLAN 66 is. It is separate from the ports on the MT where you want the MT to provide a DHCP NATed LAN, correct? (Unlike your description, which says it needs to be on every port, which sounds illogical.)

I will make an assumption that there is only one trunk port carrying VLAN 66 to another switch, ether9, and let's say ports 10-13 need to be associated with the upper router's DHCP etc. and do not fall under either the DHCP or the firewall rules of the MT router.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
My solution, assuming you get a fixed static WAN IP of 10.10.10.2/24, just as an example.

/interface vlan
add name=vlan11-wan interface=bridge1 vlan-id=11 comment="to terminate to WAN"
add name=vlan20-LAN interface=bridge1 vlan-id=20 comment="local LAN"

/interface bridge port
add bridge=bridge1 interface="WAN ether1 " pvid=11 comment="incoming untagged traffic associated to vlan11"
add bridge=bridge1 interface=ether2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
add bridge=bridge1 interface=ether3 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
add bridge=bridge1 interface=ether4 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
add bridge=bridge1 interface=ether5 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
add bridge=bridge1 interface=ether6 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
add bridge=bridge1 interface=ether7 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
add bridge=bridge1 interface=ether8 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
add bridge=bridge1 interface=ether9 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=66
add bridge=bridge1 interface=ether11 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=66
add bridge=bridge1 interface=ether12 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=66
add bridge=bridge1 interface=ether13 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=66

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,"WAN ether1 ",ether9 untagged=ether10,ether11,ether12,ether13 vlan-ids=66
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=20
add bridge=bridge1 tagged=bridge1 untagged="WAN ether1 " vlan-ids=11

/ip address
add address=192.168.100.1/24 comment=defconf interface=vlan20-LAN network=\
192.168.100.0
add address=10.10.10.2/24 comment=WAN interface=vlan11-wan network=10.10.10.0
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan20-LAN name=dhcp1
/ip dhcp-client
set [ find interface="WAN ether1 " ] disabled=yes


/interface list members
add interface=vlan11-wan list=WAN
add interface=vlan20-LAN list=LAN
