 
binadhed
just joined
Topic Author
Posts: 3
Joined: Mon Mar 02, 2020 12:11 pm

Ether 9 doesn't connect to VLAN while others do.

Tue Nov 01, 2022 9:38 am

Good day,

It has been 2 days of me trying to get things working on my network setup and I think I am hitting a mental block trying to understand why Ether 9 doesn't work like the other untagged ports.

Topology.

Pfsense as firewall, untagged is main lan and then created vlan id 666 that will be trunked to a CRS326 running RouterOS, which in turn Trunks that to an RB4011 in a different room.

I finally get everything working using this way.

On the CRS326 I added VLAN interfaces on eth1 (from pfsense) and on eth2 (going to RB4011). I did not add them under bridge like some suggest; that didn't work when I tried, or I might have missed something. I tagged eth1 and eth2 with vlan 666 on VLAN (Bridge window) and dynamically got an entry of untagged ports for vlan id 1.

On the RB4011 I added a VLAN interface on eth1 (from CRS326) and then tagged eth1 for vlan 666, and then for access ports eth2, eth3 and eth9 I changed pvid to 666.

I hope I am not missing any extra info that would be helpful but my issue is, when I plug a device say a laptop to eth2 or eth3 it gets an ip from pfsense from the vlan interface / dhcp that I set, but that doesn't happen on eth9.

I am still new to networking, and literally 2 days new in VLANs at least first time trying it, I know the concepts.

I tried changing the cable and it wasn't the case, the port works normally if I remove the vlan 666 and it will get regular ip from dhcp but when I make it exactly like eth2 and eth3 settings it just doesn't work.

I can use it as is, but I want to know why: is it my mistake, something I missed, or is it with the router itself?

best regards,
 
mkx
Forum Guru
Posts: 8970
Joined: Thu Mar 03, 2016 10:23 pm

Re: Ether 9 doesn't connect to VLAN while others do.

Tue Nov 01, 2022 6:33 pm

So it seems that config on RB4011 is playing tricks. Please post full config of that device: connect to it via CLI (e.g. open terminal in winbox or web GUI), then execute command /export hide-sensitive file=anynameyouwish, using favourite UI flavour fetch the resulting file, open it in favourite text editor and copy-paste the contents here - put it inside [code] [/code] block.
 
binadhed
just joined
Topic Author
Posts: 3
Joined: Mon Mar 02, 2020 12:11 pm

Re: Ether 9 doesn't connect to VLAN while others do.

Mon Nov 07, 2022 4:06 pm

Thank you for the reply.

```
# nov/07/2022 14:03:31 by RouterOS 7.6
# software id = 532B-3XKQ
#
# model = RB4011iGS+5HacQ2HnD
# serial number = A283094F2BDA
/interface bridge
add ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] advertise=\
    1000M-half,1000M-full,10000M-full,2500M-full l2mtu=1592 rx-flow-control=\
    auto speed=1Gbps tx-flow-control=auto
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether3 pvid=666
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9 pvid=666
add bridge=bridge interface=ether10
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=ether2 pvid=666
add bridge=bridge interface=*1A pvid=666
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=ether2,ether3,ether9 vlan-ids=666
/ip address
add address=192.168.52.4/24 interface=bridge network=192.168.52.0
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.52.1 routing-table=main \
    suppress-hw-offload=no
/system identity
set name=Rb4011
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.52.1
/tool romon
set enabled=yes
```
 
mkx
Forum Guru
Posts: 8970
Joined: Thu Mar 03, 2016 10:23 pm

Re: Ether 9 doesn't connect to VLAN while others do.

Mon Nov 07, 2022 6:30 pm

Config on RB4011 seems fine to me.

However, I have lurking in dark parts of my memory that on dual switch-chip devices with L2HW offload (RB4011 is one of them) there are occasionally problems with VLAN traffic passing between ports controlled by different switch chips. Which is the case with ether1 and ether9.

Two things to test:
  1. Try to setup another ether port from first switch chip (those are ether1-ether5) the same way as ether9 is and see if it works as it should.
    I guess it will.
  2. just a wild guess: try to add bridge interface as tagged member of vlan 666 under /interface bridge vlan.
    The rationale about this suggestion is this: traffic between ether1 and ether9 has to pass the switch-CPU interconnects (both of them) and it could be that due to bug in how bridge config is offloaded in this case switch chips are not instructed to forward vlan 666 traffic towards CPU. When bridge is set as tagged member of VLAN on single switch chip devices, this enables bridge to interact with VLAN. Which is not what you want, but passing vlan 666 traffic between both switch chips might get enabled this way.
    BTW, if you don't create appropriate vlan interface (anchored off bridge), ROS still won't interact with said vlan.
 
binadhed
just joined
Topic Author
Posts: 3
Joined: Mon Mar 02, 2020 12:11 pm

Re: Ether 9 doesn't connect to VLAN while others do.

Fri Nov 11, 2022 2:45 pm

Thank you sir for the reply, I apologise for my slow response although I did click on notify me when a reply is posted but never got it.

I will do all the suggested, but I've been digging a lot during the past few days and because there is an overflow of information it is really hard to pinpoint the information that will be useful.

But I found this on the Wiki.

> Note: For devices that have multiple switch chips (for example, RB2011, RB3011, RB1100), each switch chip is only able to switch VLAN traffic between ports that are on the same switch chip, VLAN filtering will not work on a hardware level between ports that are on different switch chips, this means you should not add all ports to a single bridge if you are intending to use VLAN filtering using the switch chip, VLANs between switch chips will not get filtered. You can connect a single cable between both switch chips to work around this hardware limitation, another option is to use Bridge VLAN Filtering, but it disables hardware offloading (and lowers the total throughput).

The RB4011 does have two switch chips and that is probably why. I think I have to set access ports on one switch instead of splitting them, since the trunk is on eth1 then access ports should only be between port 2 to 5, and if I will setup another trunk it should be on the range of the second switch chip.

nonetheless I will try the above setup although I don't think I will use that since I want hw offloading, and I think passing anything through the CPU will make the network on this side worse, which is one thing I am really trying to avoid.

Thank you again mkx! I appreciate your time in this.
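
Added example, not part of the thread and not MikroTik tooling: a Python check that parses the bridge sections of a RouterOS export and flags VLANs whose member ports sit on both RB4011 switch chips (where the quoted wiki note says hardware VLAN filtering does not apply), stale bridge-port references, and VLANs that include the bridge (CPU) itself. The ether6-ether10 grouping, the function names and the abridged sample are assumptions; the thread only states that ether1-ether5 share the first chip.

```python
import re
from collections import defaultdict
# Port-to-chip map for the RB4011. The thread states ether1-ether5 are on the
# first switch chip; placing ether6-ether10 on the second is an assumption.
CHIP_OF = {f"ether{n}": 1 if n <= 5 else 2 for n in range(1, 11)}

# Constructed sample: abridged bridge sections of the export posted above.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether3 pvid=666
add bridge=bridge interface=ether9 pvid=666
add bridge=bridge interface=ether2 pvid=666
add bridge=bridge interface=*1A pvid=666
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=ether2,ether3,ether9 vlan-ids=666
"""

def parse_export(text):
    """Return {section: [{key: value}, ...]} for the 'add' lines of an export."""
    sections, current = defaultdict(list), None
    # An export wraps long lines with a trailing backslash plus indentation.
    text = re.sub(r"\\\n\s*", "", text)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            sections[current].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return sections

def audit(text):
    """List findings that weaken or break VLAN separation on this bridge."""
    cfg, findings = parse_export(text), []
    for port in cfg["/interface bridge port"]:
        # A name starting with '*' refers to an interface that no longer exists.
        if port.get("interface", "").startswith("*"):
            findings.append(("stale-port", port["interface"]))
    for vlan in cfg["/interface bridge vlan"]:
        members = [m for k in ("tagged", "untagged")
                   for m in vlan.get(k, "").split(",") if m]
        chips = defaultdict(list)
        for m in members:
            if m in CHIP_OF:
                chips[CHIP_OF[m]].append(m)
        if len(chips) > 1:  # traffic must cross the CPU-switch interconnect
            findings.append(("cross-chip-vlan", vlan["vlan-ids"], dict(chips)))
        if "bridge" in members:  # the router itself can reach this VLAN
            findings.append(("cpu-in-vlan", vlan["vlan-ids"]))
    return findings
```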
 
erlinden
Forum Guru
Posts: 1299
Joined: Wed Jun 12, 2013 1:59 pm

Re: Ether 9 doesn't connect to VLAN while others do.

Fri Nov 11, 2022 3:06 pm

I think the bridge is missing in the /interface bridge vlan section.

Seems mkx already mentioned it...
 
mkx
Forum Guru
Posts: 8970
Joined: Thu Mar 03, 2016 10:23 pm

Re: Ether 9 doesn't connect to VLAN while others do.

Sat Nov 12, 2022 12:06 pm

> I think the bridge is missing in the /interface bridge vlan section.

Well, in usual setups where there's only one switch chip present, and if certain VLAN is only switched between certain ports but device (e.g. CRS used in strictly switch role) doesn't need to interact, it is not necessary to add bridge interface to the list of ports members of that VLAN (even more, for security etc. reasons it's better not to do it).

But RB4011 with its dual switch chips and relatively new HW offload implementation might be experiencing some kind of bug and hence my suggestion to add bridge interface as VLAN port to see if this works around the problem.
 
mkx
Forum Guru
Posts: 8970
Joined: Thu Mar 03, 2016 10:23 pm

Re: Ether 9 doesn't connect to VLAN while others do.

Sat Nov 12, 2022 2:05 pm

> but I found this on the Wiki.
> ... VLAN filtering will not work on a hardware level between ports that are on different switch chips, ... VLANs between switch chips will not get filtered.

My suggestion may work around the first part of the quoted text. Indeed it won't work entirely on HW level as traffic between port groups will have to pass CPU. But feasibility of proposed solution depends on how traffic is passing over CPU-switch interconnects. If there's some funky metadata that gets exchanged and ROS doesn't pass it on to the other switch chip, then indeed things might not work. If OTOH the only problem is to include traffic of certain VLAN to the CPU-switch interconnect, then my proposal might just work. But I can't test it as I don't have any RB4011 myself to test with.
And I wouldn't worry about proper vlan filtering between both port groups. I would expect that each switch chip filters traffic on egress regardless of the ingress port (even if that's CPU-switch interconnect).

But then I may be wrong on everything I wrote in this thread so far.
