toxicfusion
Member Candidate
Topic Author
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

bridge vlan setup (new way)

Sat Aug 25, 2018 5:17 am

Hey there,

Since RouterOS 6.41 - implementation of new vlan methodology. Took me a while to wrap my head around the idea of it.. I think I understand. But upon me implementing it ad-hoc for a new customer of mine... I'm struggling.

Can anyone help? Because it's making me look like a fool. Configuring a Mikrotik Powerbox Pro and a Hex S as downstream switches for a WISP install...

need eth1 to be a Trunk port (all ingress/egress) to be tagged.
need eth2 to be trunk port (all vlans tagged both directions)
need eth5 to be access for a poe phone (so gets DHCP address from upstream switch)

I got base of it working... I'm able to get IP address on the main Untagged network. But the Vlans are not passing. I cannot ping from the MikroTik devices other equipment on other vlan subnets.

However, once I receive an IP when connected to switch - I can ping devices on any subnet -- but only because they're attached to the upstream switch that is doing the vlan tagging. Anything connected to the MikroTik PowerBox or Hex S is not..

Jotne
Forum Guru
Posts: 3221
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: bridge vlan setup (new way)

Sat Aug 25, 2018 9:09 am

Do read this thread and you will understand some more.
viewtopic.php?f=2&t=138232
At the bottom, you will find how to do it with >=6.41 software.

mkx
Forum Guru
Posts: 10314
Joined: Thu Mar 03, 2016 10:23 pm

Re: bridge vlan setup (new way)

Sat Aug 25, 2018 1:32 pm

Keep in mind that if you enable VLAN filtering on bridge (and without that VLANs essentially don't work), you lose HW offload and every packet passes CPU. This kills performance on slower routerboards, such as RB951G. I advise you to configure your Powerbox pro in the old way by using /interface ethernet switch section.

toxicfusion
Member Candidate
Topic Author
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: bridge vlan setup (new way)

Sat Aug 25, 2018 5:55 pm

Thanks for input

When I configured bridge >> Vlans >> and Vlan >> ports

the bridge I added PVID and enabled vlan-filtering...

I had vlan-id's listed all throughout the bridge interface and specified which ports are tagged and specified the one port that was to be untagged. Further, on the port that was untagged - I selected the port (within bridge menu) and specified the PVID for that interface... That appeared to work and showed it as untagged.

However, what was concerning was the master_vlan-bridge that I added PVID to, came up as 'untagged'. I even tried creating another bridge for the untagged traffic, no dice.

I ran out of time and have to fly back tomorrow. Was visiting family/friends and took on this job within certain number of days. I spent 6+ hours messing with both MikroTik devices with this new configuration and failed

Core router is a MikroTik RB1100Ahx4 (dude edition). Works fine as router on stick method.... But me trying to make the MikroTik routers do switching with vlans is mind numbing and makes me cry in a corner.

How would I go about setting within the Switch menu? I was looking to do that, but I didn't see where I could specify more than one ports. As I need ports 1-4 to be "trunk" ports that pass all vlans as tagged. As Access Points will be tied into them...

Lastly, I also was looking at creating bridges for the vlans (br_vlan10, br_vlan20, etc), add the physical interface and then the vlan interface to it... as I know for untagged traffic to work - the interface and vlan has to be part of a bridge.

I started doing the br_vlan aspect and just hit a road block of mass confusion as was getting entirely messy due to the number of VLANS and port assignments.

toxicfusion
Member Candidate
Topic Author
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: bridge vlan setup (new way)

Sat Aug 25, 2018 6:01 pm

Client/friend is most likely going to return the PowerBox Pro and the Hex S and I'll install Netonix Switches.. due to odd POE requirements.

switch in middle (hex X) was required as it accepted POE input (48dc), and outputted on port5 48dc - as there was a VOIP phone connected going into a camper/cabin. This was mounted inside an outdoor enclosure that Netonix Sells.. Then from a port I need to send all tagged traffic to a downstream switch (PowerBox Pro), As this is a corner area where a few AP's will be hung from..

Netonix are cost effective enough as just regular switches that will take less time to configure and me not crying. I was upset with myself - felt defeated. Only the untagged traffic was working with my config.

I'll take remote connection later today and post the config export of the middle downstream switch. PowerBox was pulled out and not powered on. (Was accessible). Config was identical.

toxicfusion
Member Candidate
Topic Author
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: bridge vlan setup (new way)

Sat Aug 25, 2018 6:08 pm

soooooo......

did I totally only miss one(1) setting this entire time?

I did NOT add the "master vlan_bridge" interface to the bridge >> ports >> vlan as interface to be tagged... is that entire issue?! As I only added the individual physical interfaces to the list of interfaces to be tagged.

Then From there, I do not need to set PVID on the master vlan_bridge interface? Just set the PVID on the ports (interface ports) that need to be access/untagged, as well as specify the physical port being untagged?

Hopefully it's that simple. Otherwise I give up.

mkx
Forum Guru
Posts: 10314
Joined: Thu Mar 03, 2016 10:23 pm

Re: bridge vlan setup (new way)

Sat Aug 25, 2018 9:50 pm

Here's excerpt from my home configuration. First I had RB951G with VLANs on switch ... then I wanted to see how to configure the same on bridge, this time on RBD52G (hAP ac2). The last config was in production for a couple of days.

As the goal of my exercise on RBD52G was to learn how to configure VLANs on bridge, both configs are actually identical as to device behaviour ... apart from differences in WiFi (RB951G does not have 5GHz WiFi).

The scenario:
  • ether1 is trunk port towards router. It carries VLANs 40,41,42 and 3999 all tagged
  • ether2 is hybrid port for IPTV set-top box. It carries VLAN 40 untagged and 3999 tagged
  • ether3, 4 and 5 are access ports for VLAN 42
  • wifi runs two SSIDs: wifi-42 is for LAN access, tagged with VLAN 42 ... and wifi-guest-41 is VAP for guest access (without password), tagged with VLAN 41
  • VLAN 42 is main VLAN for home LAN and is also management VLAN, so device has vlan42 interface with its IP address.
Switch chip:
Code:
/interface bridge
add admin-mac=E4:8D:8C:49:EE:4A auto-mac=no fast-forward=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-router
set [ find default-name=ether2 ] name=ether2-BOX
set [ find default-name=ether3 ] name=ether3-AV
set [ find default-name=ether4 ] name=ether4-TV
/interface vlan
add interface=bridge name=vlan-42 vlan-id=42
/interface ethernet switch
set 0 mirror-source=ether1-router
/interface ethernet switch port
set 0 vlan-mode=secure
set 1 default-vlan-id=40 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=42 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=42 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=42 vlan-header=always-strip vlan-mode=secure
set 5 vlan-header=add-if-missing vlan-mode=fallback
/interface ethernet switch vlan
add independent-learning=no ports=switch1-cpu,ether1-router,ether3-AV,ether4-TV,ether5 switch=switch1 vlan-id=42
add independent-learning=no ports=ether1-router,ether2-BOX switch=switch1 vlan-id=3999
add independent-learning=no ports=switch1-cpu,ether1-router switch=switch1 vlan-id=41
add independent-learning=no ports=switch1-cpu,ether1-router,ether2-BOX switch=switch1 vlan-id=40
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-eC \
    country=slovenia disabled=no frequency=2472 frequency-mode=\
    regulatory-domain mode=ap-bridge name=wifi-42 security-profile=mkxNet \
    ssid=mkxNet vlan-id=42 vlan-mode=use-tag wireless-protocol=802.11 \
    wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=E4:8D:8C:49:EE:50 \
    master-interface=wifi-42 multicast-buffering=disabled name=wifi-guest-41 \
    ssid=mkxGuest vlan-id=41 vlan-mode=use-tag wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/interface bridge port
add bridge=bridge interface=ether1-router
add bridge=bridge interface=wifi-42
add bridge=bridge interface=wifi-guest-41
add bridge=bridge interface=ether2-BOX
add bridge=bridge interface=ether3-AV
add bridge=bridge interface=ether4-TV
add bridge=bridge interface=ether5
/ip address
add address=192.168.42.3/23 interface=vlan-42 network=192.168.42.0
/ip route
add distance=1 gateway=192.168.42.1

Note: you define PVID for ports in /interface ethernet switch port where you also define how tags are treated on egress (option vlan-header). You need to add switch-cpu to the list of VLAN member ports for any VLAN to which router needs access (it is then present on bridge as tagged).
Settings for port 5 (=switch-port) are probably weird, it's legacy from the time when I was doing the config and my knowledge was even worse than it's now.

Bridge VLAN way:
Code:
/interface bridge
add admin-mac=B8:69:F4:20:A5:49 auto-mac=no name=bridge protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-router
set [ find default-name=ether2 ] name=ether2-BOX
set [ find default-name=ether3 ] name=ether3-AV
set [ find default-name=ether4 ] name=ether4-TV
/interface vlan
add interface=bridge name=vlan-42 vlan-id=42
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce \
    country=slovenia disabled=no distance=indoors frequency=2452 \
    frequency-mode=regulatory-domain mode=ap-bridge name=wifi-42-2G \
    security-profile=mkxNet ssid=mkxNet vlan-id=42 vlan-mode=use-tag \
    wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-Ceee \
    country=slovenia disabled=no distance=indoors frequency=auto \
    frequency-mode=regulatory-domain mode=ap-bridge name=wifi-42-5G \
    security-profile=mkxNet ssid=mkxNet vlan-id=42 vlan-mode=use-tag \
    wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=B8:69:F4:20:A5:50 \
    master-interface=wifi-42-2G multicast-buffering=disabled name=\
    wifi-guest-41 ssid=mkxGuest vlan-id=41 vlan-mode=use-tag wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1-router
add bridge=bridge interface=ether2-BOX pvid=40
add bridge=bridge interface=ether3-AV pvid=42
add bridge=bridge interface=ether4-TV pvid=42
add bridge=bridge interface=ether5 pvid=42
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wifi-42-2G
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wifi-42-5G
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wifi-guest-41
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1-router,wifi-42-2G,wifi-42-5G untagged=ether3-AV,ether4-TV,ether5 vlan-ids=42
add bridge=bridge tagged=ether1-router,ether2-BOX vlan-ids=3999
add bridge=bridge tagged=bridge,ether1-router,wifi-guest-41 vlan-ids=41
add bridge=bridge tagged=bridge,ether1-router untagged=ether2-BOX vlan-ids=40
/ip address
add address=192.168.42.6/23 interface=vlan-42 network=192.168.42.0
/ip route
add distance=1 gateway=192.168.42.1

Note that one needs to explicitly list all tagged and untagged ports connected to bridge in this case. Example: in switch chip way the wlan interfaces ("ports") were only listed as bridge members, but their VLAN settings were only set in the wireless interface definition itself. In bridge VLAN, the wireless interface definition is identical to the one in switch chip case, but they need to be listed as tagged members of bridge in /interface bridge vlan section of configuration.

And my warning (again!): configuring VLANs on bridge disables HW offload so all wired intra-VLAN data passes CPU rather than switch chip alone. While RBD52G was quite capable of wire-speed transfers between two ether ports (and load on CPU indicated that another wire-speed between different pair of ports would be possible), good ole RB951G maxed CPU load (100%) with one (almost) wire-speed transfer between a pair of ether ports, so I assume another wire-speed transfer over different pair of ether ports would not be possible.
In first scenario (switch chip), RB951G doesn't even blink with eye while doing wire-speed transfers.

proximus
Member Candidate
Posts: 120
Joined: Tue Oct 04, 2011 1:46 pm

Re: bridge vlan setup (new way)

Sat Aug 25, 2018 10:20 pm

Keep in mind that if you enable VLAN filtering on bridge (and without that VLANs essentially don't work), you lose HW offload and every packet passes CPU. This kills performance on slower routerboards, such as RB951G. I advise you to configure your Powerbox pro in the old way by using /interface ethernet switch section.
This can't be repeated enough. So many people tout the "new way", but there are major caveats that need to be considered.

Here is a good explanation from MT. Focus is on CRS, but also covers other RB's.
viewtopic.php?t=133129#p654102

mkx
Forum Guru
Posts: 10314
Joined: Thu Mar 03, 2016 10:23 pm

Re: bridge vlan setup (new way)

Sat Aug 25, 2018 11:38 pm

So many people tout the "new way", but there are major caveats that need to be considered.

Here is a good explanation from MT. Focus is on CRS, but also covers other RB's.
viewtopic.php?t=133129#p654102
Thanks @proximus for reminder about the explanation from MT.

I'll add that the "new way" changed how bridge sees switched ports (pre-6.41 bridge only saw master port, now it sees all of them). Nothing changed regarding VLANs, doing it in switch part of configuration is completely legitimate configuration. So one should not avoid it just because it can be done on bridge.

Jotne
Forum Guru
Posts: 3221
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: bridge vlan setup (new way)

Sun Aug 26, 2018 1:47 am

@mkx
Thanks for your example. I am still learning VLAN and boy it's complicated compared to Cisco and HP that I do know.
In the software bridge you are using VLAN aware Bridge, so you need ROS >= 6.41

I may see some missing configuration in your example.
This:
Code:
add bridge=bridge tagged=ether1-router,ether2-BOX vlan-ids=3999
should be this?
Code:
add bridge=bridge tagged=bridge,ether1-router,ether2-BOX vlan-ids=3999
You also need to tag vlan 3999 to the bridge?

Here is a visual drawing of your Software Bridge VLAN: /interface bridge vlan makes it hard to do in 2D, should be a 3D drawing.
I will try to draw the switch chip version when I do understand it.
[Attachment: Exemple p=682093 Bridge.jpg]
Last edited by Jotne on Sun Aug 26, 2018 1:46 pm, edited 2 times in total.

mkx
Forum Guru
Posts: 10314
Joined: Thu Mar 03, 2016 10:23 pm

Re: bridge vlan setup (new way)

Sun Aug 26, 2018 11:18 am

@mkx
I may see some missing configuration in your example.
This:
Code:
add bridge=bridge tagged=ether1-router,ether2-BOX vlan-ids=3999
This is fine. If there's nothing to be done by RB for a particular VLAN, bridge doesn't have to be part of it. In my particular case, that VLAN is used by my ISP to deliver multicast of IPTV and what I'm doing is just to pass it on through my "switches" to "subscriber" devices while router parts don't need to touch it. This is same as not including switch-cpu in list of VLAN member ports in the classical way of doing the same.

nichky
Forum Guru
Posts: 1219
Joined: Tue Jun 23, 2015 2:35 pm

Re: bridge vlan setup (new way)

Sun Aug 26, 2018 12:19 pm

Jotne well done

Jotne
Forum Guru
Posts: 3221
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: bridge vlan setup (new way)

Sun Aug 26, 2018 1:29 pm

@mkx
OK, so here 3999 is just floating between port 1 and 2.

You could add a security profile for the wireless, then this config would be just cut/paste :)

PS Drawing is updated, I did miss the link connecting Bridge/VLAN 3999 to the Bridge.

mkx
Forum Guru
Posts: 10314
Joined: Thu Mar 03, 2016 10:23 pm

Re: bridge vlan setup (new way)

Sun Aug 26, 2018 4:46 pm

I omitted the wireless security profile so that readers of your topic have something to think about :wink:

Perhaps a few words to clarify things further. "bridge" is used in two quite distinct senses in this configuration exercise.
In first sense, as used in /interface bridge port, it is used as name of bridge which spans all member ports - either ethernet or wireless devices or higher-level devices such as PPPoE, VPN or some other tunneling setup. Or, in a perverse setup, untagged end of vlan pseudo-devices. It carries L2 frames, either tagged or untagged - that depends on port setup ... in any case, it doesn't care about VLAN tags while frames are within bridge just as smart switch doesn't ... until those frames get pushed out of bridge through one (or several) port.
In second sense, as it is used in /interface bridge vlan in the list of ports, it represents the higher-layer device which can deal with L3 traffic through its IP address. And the second sense brings another mix of possible confusion: it can be used directly as part of non-VLAN setup (and in this case, everything is HW offloaded if possible on most RB devices), then it can be used again directly but as kind of access port of itself (being a bridge) with PVID set, and last it can be used in sense of trunk port and one needs to create vlan interfaces (with VID set, kind of access port again) to be able to use it as L3 device. Explicit use of vlan device compared to use bridge with PVID set brings (IMHO) clearer view over setup ... and possibility of using more than one VLAN locally in the RB device (a must on router but not in my example of usage as AP and smart switch).

toxicfusion
Member Candidate
Topic Author
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 6:17 pm

So just to clarify:

I have a single bridge that contains the VLAN ID's (listed) and then I'm specifying the ports to be tagged, and the ports to be untagged.

For the specified 'untagged' ports. I also under vlan > ports > I give it a PVID.

And further clarification sake (I think this is my issue). I need to include this SAME bridge interface as an interface to be tagged. As Right now, I'm only specifying the actual physical interfaces - and it's not working - unable to pass traffic on vlans besides the untagged. I'm lost. So confusing with this overly complicated implementation.

toxicfusion
Member Candidate
Topic Author
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 6:23 pm

also since I'm specifying VLAN ID's under the bridge vlan setup. Do I still need to create /interface vlan(s) and pop them under a bridge interface or physical?

xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 6:36 pm

Everything right.

As for vlan interfaces: you need to create ones on top of the bridge only for the vlan-ids, for which you have specified the bridge itself as a tagged port - to attach the ip configuration (addresses, dhcp clients/servers etc.) for these vlans.
For "default" vlan id (that is set in PVID for the bridge itself) that is not necessary and instead of creating an interface, you can attach ip configuration to the bridge itself, but for it to work you need to add the bridge not as tagged, but as untagged port for this vlan.

toxicfusion
Member Candidate
Topic Author
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 6:46 pm

@xvo

Thank you for input. These MikroTik devices are really acting as switches -- they're hanging off a Cisco switch (upstream) and the core router is an RB1100ahx4..

So is my entire issue because I never added this master bridge interface to the list of interfaces that need to be set to tagged under bridge > vlans?

using an Hex S and PowerBox as switches hence need the ports to be trunked (tagged). Hanging off these MT's are Engenius AP's

So, I need to still add the VLAN' under /interfaces vlan under the master bridge that I create that specifies all the vlan Id's.

For management of these devices, can I leave the device IP address on the bridge interface and it be accessible via a 'management port' or a port that I leave as untagged vlan PVID? as once it is connected to switch upstream - it will work or should be accessible from within the network.

xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 7:10 pm

@xvo

Thank you for input. These MikroTik devices are really acting as switches -- they're hanging off a Cisco switch (upstream) and the core router is an RB1100ahx4..

So is my entire issue because I never added this master bridge interface to the list of interfaces that need to be set to tagged under bridge > vlans?

using an Hex S and PowerBox as switches hence need the ports to be trunked (tagged). Hanging off these MT's are Engenius AP's

So, I need to still add the VLAN' under /interfaces vlan under the master bridge that I create that specifies all the vlan Id's.
If you don't need any routing between vlans performed on the devices in question, you don't need to create vlan interfaces and even add the bridge as a port for the vlans (except for the management vlan - to give an address to the device itself).
Unless there is some device-specific issue, which can be the case with hex s, as it has some weird purely software vlan implementation.
Try it.
If it doesn't work - add the bridge as tagged ports.
If it doesn't work still - add vlan interfaces for each vlan.
But on most devices it should work without that.
For management of these devices, can I leave the device IP address on the bridge interface and it be accessible via a 'management port' or a port that I leave as untagged vlan PVID? as once it is connected to switch upstream - it will work or should be accessible from within the network.
Correct.

sindy
Forum Guru
Posts: 10029
Joined: Mon Dec 04, 2017 9:19 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 7:22 pm

I'd correct it a small bit - for a given VID, you need to add bridge X itself to the list of tagged member ports of bridge X not only if you want to add an /interface vlan for that VID, to which you could attach an IP configuration (static address or dhcp client), but also if you want to make some wireless or virtual interface a member port of that bridge for that VLAN. In other words, if you need the frames tagged with that VID to reach the CPU. I don't understand the reason why it has been done this way but it has. The only case when you may omit setting the bridge as a tagged member port of itself for a given VID is when it is enough that frames tagged with this VID are forwarded between Ethernet ports of the same switch chip - even though with vlan-filtering=yes the actual forwarding is also done by the CPU.
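
The rule discussed in the replies above (a bridge must be a tagged member of its own VLAN table for every VID that has an /interface vlan on it), as an added example that is not part of the thread: a small Python audit of a RouterOS export. It goes slightly beyond the posts by also flagging trunk ports that lack the frame-types=admit-only-vlan-tagged and ingress-filtering=yes settings seen in mkx's bridge config; the export text, function names and finding names are constructed for illustration, and RouterOS 6.4x defaults are assumed.

```python
import re

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for the 'add' lines of an export.
    Simplification: quoted values containing spaces are not handled."""
    text = re.sub(r"\\\n\s*", "", text)  # join '\' continuation lines
    sections, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
            sections.setdefault(path, [])
        elif path and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
            sections[path].append(dict(pairs))
    return sections

def expand_vids(spec):
    """'10,20,100-102' -> {10, 20, 100, 101, 102}"""
    vids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids

def names(value):
    return {n for n in value.split(",") if n}

def audit(text):
    """Return a list of (finding, object, vlan-id or None) tuples."""
    cfg = parse_export(text)
    bridges = {b["name"]: b for b in cfg.get("/interface bridge", []) if "name" in b}
    table = cfg.get("/interface bridge vlan", [])
    tagged, untagged_ports = {}, set()   # (bridge, vid) -> tagged members
    for row in table:
        br = row.get("bridge")
        for vid in expand_vids(row.get("vlan-ids", "")):
            tagged.setdefault((br, vid), set()).update(names(row.get("tagged", "")))
        untagged_ports.update((br, p) for p in names(row.get("untagged", "")))

    findings = []
    # 1. The VLAN table is only applied when the bridge has vlan-filtering=yes.
    for br in sorted({row.get("bridge", "") for row in table}):
        if bridges.get(br, {}).get("vlan-filtering") != "yes":
            findings.append(("filtering-off", br, None))
    # 2. An /interface vlan on the bridge needs the bridge itself listed as a
    #    tagged member for that VID, otherwise its frames never reach the CPU.
    for v in cfg.get("/interface vlan", []):
        br, vid = v.get("interface"), v.get("vlan-id", "")
        if br in bridges and vid.isdigit() and br not in tagged.get((br, int(vid)), set()):
            findings.append(("bridge-not-tagged", br, int(vid)))
    # 3. A pure trunk port (tagged member only, default PVID) that admits all
    #    frame types puts untagged ingress frames into VLAN 1. Assumption:
    #    ingress-filtering is off unless the export sets it (6.4x default).
    for p in cfg.get("/interface bridge port", []):
        br, port = p.get("bridge"), p.get("interface")
        carries_tagged = any(b == br and port in m for (b, _), m in tagged.items())
        is_trunk = (carries_tagged and (br, port) not in untagged_ports
                    and p.get("pvid", "1") == "1")
        hardened = (p.get("frame-types") == "admit-only-vlan-tagged"
                    and p.get("ingress-filtering") == "yes")
        if is_trunk and not hardened:
            findings.append(("trunk-accepts-untagged", port, None))
    return findings

# Constructed sample: only physical ports are tagged, the bridge is missing.
BROKEN = r"""/interface bridge
add name=vlan_master vlan-filtering=yes
/interface bridge port
add bridge=vlan_master interface=ether1
add bridge=vlan_master interface=ether2
add bridge=vlan_master interface=ether5 pvid=10
/interface bridge vlan
add bridge=vlan_master tagged=ether1,ether2 untagged=ether5 vlan-ids=10
add bridge=vlan_master tagged=ether1,ether2 vlan-ids=20,40,60,88
/interface vlan
add interface=vlan_master name=vlan-mgmt vlan-id=88
"""

# Constructed sample: bridge added as tagged member, trunks restricted.
FIXED = r"""/interface bridge
add name=vlan_master vlan-filtering=yes
/interface bridge port
add bridge=vlan_master frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1
add bridge=vlan_master frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
add bridge=vlan_master interface=ether5 pvid=10
/interface bridge vlan
add bridge=vlan_master tagged=vlan_master,ether1,ether2 untagged=ether5 vlan-ids=10
add bridge=vlan_master tagged=vlan_master,ether1,ether2 vlan-ids=20,40,60,88
/interface vlan
add interface=vlan_master name=vlan-mgmt vlan-id=88
"""

if __name__ == "__main__":
    for label, export in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit(export))
```
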

toxicfusion
Member Candidate
Topic Author
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 7:25 pm

Thank you... Wish I had seen this a moment ago.

I took remote connection to client computer and gained access to the Hex S

Added the vlan_bridge interface to the /bridge vlan > tagged port.

Was still able to ping and it dynamically displayed as tagged ports. I waited a minute as device was still accessible, took it out of safe mode. then re-enabled safe mode via winbox.

Then I modified the bridge_interface PVID (vlan-filtering=yes), I had PVID set to 10 (untagged network). I changed it back to default "1"

This broke my connection and lost ping/access to mikrotik Hex S. Even in safe mode, device not coming back. Not seeing it via MAC address neighbors. Just screwed self and now client going to be upset. port #5 is untagged as outputs POE 48v to a VOIP phone, other switch ports are tagged as ethernet running down to a powerbox to light up engenius AP's

I'll probably now need customer to remove this Hex S from the outdoor enclosure it is in and perform a reset.. and some how walk them through for me to restore the config file I saved on device.

I also tried untagging port at upstream switch to see if I gain access. Nope


I'm assuming I broke it as I didn't add /interface vlan vlan-id= to the bridge_interface... as will need inter-vlan

sindy
Forum Guru
Posts: 10029
Joined: Mon Dec 04, 2017 9:19 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 7:45 pm

If you haven't disabled the mac-server, the client doesn't need to excavate the device from the outdoor enclosure and can connect using Winbox to its MAC address rather than the IP address, on any port except the WAN by default. If, on top of that, the client has some other internet connection (a mobile one), you can use e.g. TeamViewer to do the necessary configuration yourself remotely rather than instructing the client what to click.

toxicfusion
Member Candidate
Topic Author
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 7:49 pm

Mac-server is available - I used mac address to connect prior when I was onsite and locked myself out before.

Switch is not showing within winbox as mac neighbor. I'll need client to go with laptop and unplug the phone (this is in port) and connect laptop via ethernet cable (just swapping with phone). As computer I'm remotely connected onto at moment is into the primary/core switch (same switch hex S hangs off). But I believe will need to be directly connected to Hex S for mac-neighbor to display.

Then I should be able to help via TeamViewer.

no cell reception at client site as a remote RV campground - hence need for WiFi throughout - was entire project. 90% of everything is working. Even MikroTik Hotspot setup with portal and Userman vouchers... Just the far side of campground was needing to use a PowerBox as no electrical available. This is problem - and making me feel defeated with the new vlan method. I'm used to just doing Trunk VLAN (Router on stick). Never done vlan on mikrotik as intended to act as a switch.

toxicfusion
Member Candidate
Topic Author
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 7:54 pm

so for configuration sake it appears I need following:

/interface bridge vlan_master

add all my physical interfaces that need to be tagged, as tagged ports
add vlan_master bridge as tagged member
add untagged port that will be access port
add the list of VLAN ID's..

within /bridge ports
add PVID=10 to the physical interface (as be access port mentioned above)


vlan_master (primary bridge), vlan-filtering=yes (was on before)
vlan_master PVID=10 (primary vlan ID and same vlan ID that is default for untagged traffic)

do I still need to:

/interface vlan
create ALL vlans to the vlan_master interface??? Or only create the untagged vlan (vlan 10)

I should have done a config export really fast prior to making changes and then lost access. Just been stressful and felt defeated.

almost about to pull trigger on 3 Netonix switches.. and call it a day. as need 48v and 24v. (hex S was doing 48v as phone attached), then downstream from that was the PowerBox that was doing 24v to 2 AP's to handle far side...

xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 8:03 pm

I'd correct it a small bit - for a given VID, you need to add bridge X itself to the list of tagged member ports of bridge X not only if you want to add an /interface vlan for that VID, to which you could attach an IP configuration (static address or dhcp client), but also if you want to make some wireless or virtual interface a member port of that bridge for that VLAN. In other words, if you need the frames tagged with that VID to reach the CPU. I don't understand the reason why it has been done this way but it has. The only case when you may omit setting the bridge as a tagged member port of itself for a given VID is when it is enough that frames tagged with this VID are forwarded between Ethernet ports of the same switch chip - even though with vlan-filtering=yes the actual forwarding is also done by the CPU.
I can't confirm that.
I have a wAP ac configured in the way, that two vlans enter tagged in eth1 and leave to both wlan1 and wlan2 tagged as well.
The vlan untagging is done based on Access List on the wlan interfaces.
And only for one of the vlans I have a vlan interface on top of the bridge.

The same is true for virtual interfaces - prior to setup mentioned above I had one of the vlans end on two virtual wlan interfaces, again with no connection to the bridge itself.

Both ways it works as intended.
So either this thing is device-dependent, or this doesn't apply to wireless interfaces, as they can turn out to be that connection to cpu themselves.

sindy
Forum Guru
Posts: 10029
Joined: Mon Dec 04, 2017 9:19 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 8:05 pm

What is the current timeframe? I'd need a drawing to tell you the right configuration, I'm unable to understand it clearly from your various posts, and I need to get moving in half an hour or so.

sindy
Forum Guru
Posts: 10029
Joined: Mon Dec 04, 2017 9:19 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 8:07 pm

So either this thing is device-dependent, or this doesn't apply to wireless interfaces, as they can turn out to be that connection to cpu themselves.
It may even be version dependent, as last time I've tried and came to this conclusion I was running 6.41.something.

toxicfusion
Member Candidate
Topic Author
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 8:12 pm

Will be soon. Waiting on client to get laptop and connect (swap with phone) and see If I can regain access to this Hex S device

here is quick topology:

RB1100AHX4 (core) >> Cisco POE switch (SW01) >> HEX S >> MT PowerBox. >> AP

RB1100AHX
eth12 & 13 > trnk (bond lacp). vlans 10,20,40,60,88. >> to cisco switch

Hex S: (outdoor enclosure)
eth1 - Trunk port back to Cisco POE. (cisco switchport trunk, vlans 10,20,40,60,88)
eth2 - to downstream Powerbox
eth3 - empty
eth4 - empty
eth5 - PVID 10, untagged, IP Phone connected

PowerBox Pro:

eth1 - Trunk back to Hex S
eth2 - to AP (vlan 88)
eth3 - to AP (vlan88)

Powerbox - All ports need to be tagged, as the AP's configured have SSID's and vlans associated.

sindy
Forum Guru
Posts: 10029
Joined: Mon Dec 04, 2017 9:19 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 8:27 pm

OK. Hope I haven't forgotten anything. I don't know into which of the VLANs you want to place the management IP address of the hEX S itself, so I refer to it as mgmt-vlan-id below. Adjust the name all-vlan-bridge and other names as you need.

/interface bridge
add name=all-vlan-bridge vlan-filtering=yes pvid=1

/interface bridge port
add bridge=all-vlan-bridge interface=ether1 pvid=1
add bridge=all-vlan-bridge interface=ether2 pvid=1
add bridge=all-vlan-bridge interface=ether5 pvid=10

/interface bridge vlan
add bridge=all-vlan-bridge vlan-ids=10 tagged=all-vlan-bridge,ether1,ether2 untagged=ether5
add bridge=all-vlan-bridge vlan-ids=20,40,60,88 tagged=all-vlan-bridge,ether1,ether2

/interface vlan
add vlan-id=mgmt-vlan-id interface=all-vlan-bridge name=vlan-mgmt

/ip address
add address=x.x.x.x/m interface=vlan-mgmt


Don't forget about the default route.

toxicfusion
Member Candidate
Topic Author
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 8:33 pm

Thanks Sindy! This is pretty much what I will have after fact. my missing component was I forgot (was naive to it) to have the vlan_master bridge interface set as tagged

question:

/interface bridge vlan
add bridge=all-vlan-bridge vlan-ids=10 tagged=all-vlan-bridge,ether1,ether2 untagged=ether5
add bridge=all-vlan-bridge vlan-ids=20,40,60,88 tagged=all-vlan-bridge,ether1,ether2

you list 2 different add statements. I only had one large interface bridge vlan. Where I listed all vlan ID's, and all the tagged and untagged. Will it let me create two? I create the untagged vlan ID separate

Note: mgmt of device I want on the primary subnet which is VLAN 10 - which is also untagged. SO that is probably why I lost access to device as even though eth1 is trunk port, ingress is tagged.. I had interface=all-vlan-bridge PVID set to 10 and was working just fine. but when I changed that bridge PVID back to default '1'. I lost connection and it never rolled back.

I will create a secondary mgmt / access IP address and create the /interface vlan vlan-id=mgmt-vlan-id (88)

toxicfusion
Member Candidate
Topic Author
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 8:37 pm

default route...


route all back to core switch IP or should I just route all to default IP of the Mikrotik RB1100 router?

ip route 0.0.0.0/24 to IP ADDR of router?

sindy
Forum Guru
Posts: 10029
Joined: Mon Dec 04, 2017 9:19 pm

Re: bridge vlan setup (new way)[SOLVED]

Mon Aug 27, 2018 8:50 pm

default route...
route all back to core switch IP or should I just route all to default IP of the Mikrotik RB1100 router?
ip route 0.0.0.0/24 to IP ADDR of router?
I'd say

/ip route add dst-address=0.0.0.0/0 gateway=ip.addr.of.rb1100.in.vlan.10
(if the own IP address of the hEX S is in VLAN 10 of course)

question:
/interface bridge vlan
add bridge=all-vlan-bridge vlan-ids=10 tagged=all-vlan-bridge,ether1,ether2 untagged=ether5
add bridge=all-vlan-bridge vlan-ids=20,40,60,88 tagged=all-vlan-bridge,ether1,ether2

you list 2 different add statements. I only had one large interface bridge vlan. Where I listed all vlan ID's, and all the tagged and untagged. Will it let me create two? I create the untagged vlan ID separate
All the VLANs on one line must have the identical tagged/untagged settings for all ports, and all member ports of the same VLAN must be on a single line. Which means that each VLAN with at least one untagged (access) port must have its own line. Hence two lines, one listing all the VLANs which have all member ports tagged, and an individual line for VLAN 10 which has one port untagged.

Note: mgmt of device I want on the primary subnet which is VLAN 10 - which is also untagged. SO that is probably why I lost access to device as even though eth1 is trunk port, ingress is tagged.. I had interface=all-vlan-bridge PVID set to 10 and was working just fine. but when I changed that bridge PVID back to default '1'. I lost connection and it never rolled back.
Well, that was the other way how to do it, which is out of the usual thinking about switches. On a normal switch, you cannot have tagless frames inside the switch. Here you can - if you set bridge's pvid to 10, ingress packets tagged with VID 10 get untagged as they enter the bridge. So in that case, you attach the IP configuration for VLAN 10 directly to the bridge, not to /interface vlan.
In that case, the complete configuration would look as follows (differences highlighted, assuming that the IP configuration should stay in VLAN 10).
/interface bridge
add name=all-vlan-bridge vlan-filtering=yes pvid=10

/interface bridge port
add bridge=all-vlan-bridge interface=ether1 pvid=1
add bridge=all-vlan-bridge interface=ether2 pvid=1
add bridge=all-vlan-bridge interface=ether5 pvid=10

/interface bridge vlan
add bridge=all-vlan-bridge vlan-ids=10 tagged=ether1,ether2 untagged=all-vlan-bridge,ether5
add bridge=all-vlan-bridge vlan-ids=20,40,60,88 tagged=all-vlan-bridge,ether1,ether2

/interface vlan
add vlan-id=mgmt-vlan-id interface=all-vlan-bridge name=vlan-mgmt


/ip address
add address=x.x.x.x/m interface=all-vlan-bridge


But you can have only a single VLAN-ID untagged on a bridge of course.


Going offline for two or three hours.

toxicfusion
Member Candidate
Topic Author
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 9:12 pm

All the VLANs on one line must have the identical tagged/untagged settings for all ports, and all member ports of the same VLAN must be on a single line. Which means that each VLAN with at least one untagged (access) port must have its own line. Hence two lines, one listing all the VLANs which have all member ports tagged, and an individual line for VLAN 10 which has one port untagged.

Note: mgmt of device I want on the primary subnet which is VLAN 10 - which is also untagged. SO that is probably why I lost access to device as even though eth1 is trunk port, ingress is tagged.. I had interface=all-vlan-bridge PVID set to 10 and was working just fine. but when I changed that bridge PVID back to default '1'. I lost connection and it never rolled back.
Well, that was the other way how to do it, which is out of the usual thinking about switches. On a normal switch, you cannot have tagless frames inside the switch. Here you can - if you set bridge's pvid to 10, ingress packets tagged with VID 10 get untagged as they enter the bridge. So in that case, you attach the IP configuration for VLAN 10 directly to the bridge, not to /interface vlan.
In that case, the complete configuration would look as follows (differences highlighted, assuming that the IP configuration should stay in VLAN 10).
/interface bridge
add name=all-vlan-bridge vlan-filtering=yes pvid=10

/interface bridge port
add bridge=all-vlan-bridge interface=ether1 pvid=1
add bridge=all-vlan-bridge interface=ether2 pvid=1
add bridge=all-vlan-bridge interface=ether5 pvid=10

/interface bridge vlan
add bridge=all-vlan-bridge vlan-ids=10 tagged=ether1,ether2 untagged=all-vlan-bridge,ether5
add bridge=all-vlan-bridge vlan-ids=20,40,60,88 tagged=all-vlan-bridge,ether1,ether2

/interface vlan
add vlan-id=mgmt-vlan-id interface=all-vlan-bridge name=vlan-mgmt


/ip address
add address=x.x.x.x/m interface=all-vlan-bridge


But you can have only a single VLAN-ID untagged on a bridge of course.


This was the logic I was missing. I was struggling completely understanding prior to configuration as this is new to me since 6.41. I had general idea prior my implementation but missed the aspect of including the 'all-vlan-bridge' interface as tagged port. Also now I know why need separate /interface bridge vlan lines... I will work to implement this once I regain access to this mikrotik. Then I should be able to successfully configure the PowerBox Pro & everything will be working.

Only part of network (AP's) that are NOT working are the ones associated to the MikroTik devices that I mis-configured. Anything attached to the Cisco switch is working fine.

toxicfusion
Member Candidate
Topic Author
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 9:16 pm

I will add back PVID=10 to the all-vlan-bridge interface and correct the /bridge vlan settings.

Will this affect the eth1 being a trunk port? Considering it's going to untag vlan 10 on ingress? What about vlan 10 traffic egress, that'll re-tag and so the upstream Cisco will ingest it back as tagged traffic?

I'll also create a secondary mgmt IP and set as a vlan (tagged). Just in case. As I think this will be fail-safe access if connectivity gets blipped as I make config changes.

/interface vlan
vlan-id=88
name=vlan-mgmt
interface=all-vlan-bridge

/ip address=192.168.88.251/24 interface=all-vlan-bridge

mkx
Forum Guru
Posts: 10314
Joined: Thu Mar 03, 2016 10:23 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 10:49 pm

Well, bridge can be a bit confusing due to its twin personality I already described in one of my previous posts.

So, if bridge is declared untagged (by setting PVID), then it's the interface personality of bridge that acts as untagged, while switch-like personality of bridge still carries those packets tagged. Hence ether1 will carry those packets tagged as it exchanges packets with switch-like personality of bridge, not interface personality of bridge.

That's why, if one goes deep into VLANs, it's better to declare bridge as tagged (by not defining PVID) and explicitly use /interface vlan whenever routerboard device needs to interact with that VLAN. For example: if you decide to change PVID of "untagged" bridge, then IP address associated to bridge will move over to another VLAN where it most probably doesn't make any sense. This can happen with /interface vlan, but if name of this device resembles VLAN ID in some way, mistake is much easier to see (and avoid).

toxicfusion
Member Candidate
Topic Author
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 10:55 pm

Well, bridge can be a bit confusing due to its twin personality I already described in one of my previous posts.

So, if bridge is declared untagged (by setting PVID), then it's the interface personality of bridge that acts as untagged, while switch-like personality of bridge still carries those packets tagged. Hence ether1 will carry those packets tagged as it exchanges packets with switch-like personality of bridge, not interface personality of bridge.

That's why, if one goes deep into VLANs, it's better to declare bridge as tagged (by not defining PVID) and explicitly use /interface vlan whenever routerboard device needs to interact with that VLAN. For example: if you decide to change PVID of "untagged" bridge, then IP address associated to bridge will move over to another VLAN where it most probably doesn't make any sense. This can happen with /interface vlan, but if name of this device resembles VLAN ID in some way, mistake is much easier to see (and avoid).

Thanks for this insight! Clears up the logic behind it in my head (made it click per se).....

I've yet to regain access to the Hex S device - Client unavailable for me. Hopefully I will regain using mac-neighbor and then I should be able to just /interface vlan vlan=10 name=mgmt-vlan interface=all-vlan-bridge

and it will regain access. as I set the bridge PVID=1 (returned to default) as before I had it PVID=10, which made the bridge interface itself untagged and why I had access.

I will create a secondary IP address on device in separate vlan as well and assign appropriately

sindy
Forum Guru
Posts: 10029
Joined: Mon Dec 04, 2017 9:19 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 10:56 pm

Will this affect the eth1 being a trunk port? Considering it's going to untag vlan 10 on ingress? What about vlan 10 traffic egress, that'll re-tag and so the upstream Cisco will ingest it back as tagged traffic?
Untagging and tagging work symmetrically between ingress and egress on the same port, and depends on port pvid and bridge pvid combination. So if ether1 has pvid=1 and ether5 has pvid=10, the behaviour depending on pvid of the bridge will be the following:
  • bridge pvid=1:
    • on ether1, frames tagged with VID 10 stay tagged as they ingress to the bridge, and stay tagged as they egress from the bridge to the wire.
    • on ether5, tagless frames get tagged with VID 10 on ingress so become tagged on the bridge, and frames tagged with VID 10 get untagged on egress so they end up tagless on the wire
  • bridge pvid=10:
    • on ether1, frames tagged with VID 10 get untagged as they ingress to the bridge, and get tagged as they egress from the bridge to the wire. On the bridge itself they are tagless.
    • on ether5, tagless frames stay tagless as they ingress to the bridge, and stay tagless as they egress from the bridge to the wire.
In either case above, the line with vlan-ids=10 in /interface bridge vlan must follow the tagged/untagged membership of all ports involved as specified in /interface bridge port, so to stay consistent with the example above:
  • bridge pvid=1: vlan-ids=10 bridge=all-vlan-bridge tagged=all-vlan-bridge,ether1 untagged=ether5
  • bridge pvid=10: vlan-ids=10 bridge=all-vlan-bridge tagged=ether1 untagged=all-vlan-bridge,ether5
I agree with Metod on this, I prefer to have everything tagged on the bridge itself like in the normal world of switching and set the pvid of the bridge to some unused VID, because handling one VID in a specific way is confusing. There are very special cases where this makes sense but this is not one of them.

I'll also create a secondary mgmt IP and set as a vlan (tagged). Just in case. As I think this will be fail-safe access if connectivity gets blipped as I make config changes.
/interface vlan
vlan-id=88
name=vlan-mgmt
interface=all-vlan-bridge

/ip address=192.168.88.251/24 interface=all-vlan-bridge
This would be wrong because 192.168.88.251/24 would end up attached to the bridge itself so in VLAN 10. If you want it to be in VLAN 88, the last line must be
/ip address=192.168.88.251/24 interface=vlan-mgmt.

But I guess it was just a typo, right?
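The tagging rules sindy describes in this post (and the one-line-per-membership rule from the earlier reply), written as a small Python model; this is an added example, not code from the thread or from MikroTik. The class, method and function names are made up for illustration, and the model assumes that a port is an implicit untagged member of its own PVID VLAN and that a frame is dropped when the port is not a member of its VLAN.

```python
"""Toy model of bridge VLAN filtering as discussed in this thread (constructed example)."""


class Bridge:
    def __init__(self, name, pvid=1):
        self.name = name
        self.pvid = {name: pvid}   # the bridge itself is also a "port" (CPU side)
        self.table = {}            # vid -> {"tagged": set, "untagged": set}
        self.vlan_ifaces = {}      # /interface vlan name -> vlan-id

    def add_port(self, interface, pvid=1):
        self.pvid[interface] = pvid

    def add_vlan(self, vlan_ids, tagged=(), untagged=()):
        # One line: every listed VID shares the same tagged/untagged membership,
        # and a VID may appear on one line only.
        for vid in vlan_ids:
            if vid in self.table:
                raise ValueError(f"VLAN {vid} is already defined on another line")
            self.table[vid] = {"tagged": set(tagged), "untagged": set(untagged)}

    def add_vlan_interface(self, name, vlan_id):
        self.vlan_ifaces[name] = vlan_id

    def membership(self, port, vid):
        """Return 'tagged', 'untagged' or None for this port in this VLAN."""
        entry = self.table.get(vid, {"tagged": set(), "untagged": set()})
        if port in entry["tagged"]:
            return "tagged"
        # Assumption of this model: implicit untagged membership in the port's own PVID.
        if port in entry["untagged"] or self.pvid.get(port) == vid:
            return "untagged"
        return None

    def ingress(self, port, wire_vid=None):
        """VID the frame carries inside the bridge, or None if it is dropped."""
        vid = self.pvid[port] if wire_vid is None else wire_vid
        return vid if self.membership(port, vid) else None

    def egress(self, port, vid):
        """How a frame of this VID leaves through the port (None = not forwarded)."""
        return self.membership(port, vid)

    def vlan_of_address(self, interface):
        """VLAN an IP address ends up in when attached to `interface`."""
        if interface == self.name:
            # Tagless on the CPU side, so classified by the bridge's own pvid.
            return self.pvid[self.name]
        vid = self.vlan_ifaces[interface]
        # An /interface vlan only sees frames the bridge hands to the CPU tagged.
        return vid if self.membership(self.name, vid) == "tagged" else None

    def check(self):
        problems = []
        for port, pvid in self.pvid.items():
            if self.membership(port, pvid) == "tagged":
                problems.append(f"{port}: pvid={pvid} but listed as tagged in VLAN {pvid}")
        for name, vid in self.vlan_ifaces.items():
            if self.vlan_of_address(name) is None:
                problems.append(f"{name}: bridge is not a tagged member of VLAN {vid}")
        return problems


def build(bridge_pvid):
    """The two variants from the thread: bridge pvid=1 (all tagged) or pvid=10."""
    br = Bridge("all-vlan-bridge", pvid=bridge_pvid)
    br.add_port("ether1", pvid=1)
    br.add_port("ether2", pvid=1)
    br.add_port("ether5", pvid=10)
    if bridge_pvid == 10:
        br.add_vlan([10], tagged=["ether1", "ether2"],
                    untagged=["all-vlan-bridge", "ether5"])
    else:
        br.add_vlan([10], tagged=["all-vlan-bridge", "ether1", "ether2"],
                    untagged=["ether5"])
    br.add_vlan([20, 40, 60, 88], tagged=["all-vlan-bridge", "ether1", "ether2"])
    br.add_vlan_interface("vlan-mgmt", 88)
    return br


if __name__ == "__main__":
    for pvid in (1, 10):
        br = build(pvid)
        print(f"bridge pvid={pvid}:")
        print("  VLAN 10 on ether1:", br.egress("ether1", 10))
        print("  VLAN 10 on ether5:", br.egress("ether5", 10))
        print("  VLAN 10 towards the bridge interface:", br.egress(br.name, 10))
        print("  address on the bridge lands in VLAN", br.vlan_of_address(br.name))
        print("  address on vlan-mgmt lands in VLAN", br.vlan_of_address("vlan-mgmt"))
        print("  problems:", br.check())
```

In the pvid=10 variant an address attached to all-vlan-bridge is in VLAN 10 whatever subnet it carries, which is the 192.168.88.251 mistake pointed out above; changing only the bridge pvid back to 1 moves that address to VLAN 1.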

mkx
Forum Guru
Posts: 10314
Joined: Thu Mar 03, 2016 10:23 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 11:00 pm

When relying on Winbox to fix errors done on VLAN config: don't. VLAN configuration, either done on bridge or switch chip, is L2 config and it is easy to cut yourself from MAC winbox, which is L2 as well so VLAN config does affect it.
Default configuration limits MAC winbox access to interfaces, listed as members of /interface list LAN (and by default, that's only bridge). So it is essential to add all VLAN interfaces (defined in /interface vlan) to this interface list until L2 configuration is done and verified. After that, when management access over IP (ssh, winbox, whatever) is verified, one can remove excess VLAN interfaces from LAN list.

toxicfusion
Member Candidate
Topic Author
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 11:21 pm

device IP is 192.168.128.251/24 (vlan 10 is subnet 192.168.128.0/24)

secondary IP would be 192.168.88.251/24 which is vlan 88


/ip address=192.168.128.251/24 interface=all-vlan-bridge
/ip address=192.168.88.251/24 interface=vlan-mgmt

@Sindy - I will work to do regular bridging method as you have described. Set the 'all-vlan-bridge' interface PVID=1 or 3999 (unused vlan), then /interface bridge vlan i configure my vlan-ids and port assignment as well as you outlined.

I still need access. .hopefully will have regained by this evening or tomorrow morning. Hopefully direct connecting via port #5 (PVID=10 untagged) - this is where the VOIP phone was connected. Going to have client connect laptop to that ethernet cable by disconnecting phone. I believe winbox will detect device via mac address... from there I can remotely make the changes via TeamViewer (connect via wifi and set ethernet tcp/ip address without default g/w)

sindy
Forum Guru
Posts: 10029
Joined: Mon Dec 04, 2017 9:19 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 11:39 pm

Metod's warning is a valid one: I worked with the idea that you've kept the original bridge from the default configuration, which is a member of /interface list name=LAN, and have only renamed it. But if you have deleted it and/or moved all member ports away from it, there is no way to connect to the mac-server, and you'll need a USB-to-serial adaptor (and maybe another one for the PC) and a null-modem serial cable to get in again (or a reset to factory default configuration, depending on what is easier to handle).

toxicfusion
Member Candidate
Topic Author
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: bridge vlan setup (new way)

Mon Aug 27, 2018 11:48 pm

When i config'd the device I created a new bridge. was /interface bridge name=vlan_master

and under vlan_master ports, i had tagged=eth1, eth2, eth3, eth4, untagged=eth5

after your advice, i added 'vlan_master' to list of tagged members. broke when i removed PVID=10 to PVID=1 on the vlan_master bridge interface. whoops.

Worst case, I have known-good config saved to flash on that device which I've used prior to restore from my config mess ups when I was onsite. I can instruct client to perform reset and I'll restore config when remotely connected..

Once I take your advice and apply the changes and config layout - I should be 100%. Then I can reconnect the PowerBox Pro and configure that the same way. Once all set and done, will be no need for the Netonix switches and valuable experience/knowledge gained from this...

toxicfusion
Member Candidate
Topic Author
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: bridge vlan setup (new way)

Tue Aug 28, 2018 4:23 am

Ok Cool.. I want to thank you all for your help. I was able to regain access to the Hex S device and reconfigure, along with the PowerBox Pro..

Caveat or bug in 6.41.3 (hex S).

I tried to do PVID=1 on the /interface bridge all-vlan-bridge (as in example #1 provided by Sindy). I was not able to access device from core switch/network. So performed reset. I was able however, to get working 100% using the unorthodox method #2. Perhaps review config and let me know why?
Code:
# aug/27/2018 21:17:28 by RouterOS 6.41.3
# software id = QLBM-QQJI
#
# model = RB760iGS
# serial number = 976C094D4A89
/interface bridge
add fast-forward=no name=all-vlan-bridge pvid=10 vlan-filtering=yes
add admin-mac=B8:69:F4:05:9B:D1 auto-mac=no name=bridge_switch
/interface ethernet
set [ find default-name=ether5 ] name=ether5_phone poe-out=forced-on
/interface vlan
add interface=all-vlan-bridge name=VLAN10_LAN-Mgmt vlan-id=10
add interface=all-vlan-bridge name=VLAN88_MGMT vlan-id=88
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=all-vlan-bridge interface=ether2
add bridge=all-vlan-bridge interface=ether3
add bridge=all-vlan-bridge interface=ether4
add bridge=all-vlan-bridge interface=ether5_phone pvid=10
add bridge=all-vlan-bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=all-vlan-bridge tagged=ether1,ether2,ether3 untagged=ether5_phone,all-vlan-bridge vlan-ids=10
add bridge=all-vlan-bridge tagged=all-vlan-bridge,ether1,ether2,ether3 vlan-ids=20,40,60,88
/interface list member
add comment=defconf interface=bridge_switch list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.251/24 comment=Bkup-Mgmt interface=VLAN88_MGMT network=192.168.88.0
add address=192.168.128.251/24 comment="Switch Mgmt" interface=all-vlan-bridge network=192.168.128.0
/ip dns
set allow-remote-requests=yes servers=192.168.128.1
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=192.168.128.1
PowerBox Config:
Code:
# aug/27/2018 21:21:17 by RouterOS 6.42.7
# software id = UNXD-I877
#
# model = 960PGS
# serial number = 8A320942F8E2
/interface bridge
add admin-mac=B8:69:F4:0F:34:E1 auto-mac=no name=all-vlan-bridge pvid=10 vlan-filtering=yes
add admin-mac=B8:69:F4:0F:34:E1 auto-mac=no name=bridge_lan
/interface ethernet
set [ find default-name=ether2 ] poe-out=forced-on
set [ find default-name=ether3 ] poe-out=forced-on
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=all-vlan-bridge name=vlan10_LAN vlan-id=10
add interface=all-vlan-bridge name=vlan88_MGMT vlan-id=88
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=all-vlan-bridge interface=ether2
add bridge=bridge_lan hw=no interface=sfp1
add bridge=all-vlan-bridge interface=ether3
add bridge=all-vlan-bridge interface=ether4
add bridge=all-vlan-bridge interface=ether5 pvid=10
add bridge=all-vlan-bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=all-vlan-bridge tagged=ether1,ether2,ether3,ether4 untagged=ether5,all-vlan-bridge vlan-ids=10
add bridge=all-vlan-bridge tagged=ether1,ether2,ether3,ether4,all-vlan-bridge vlan-ids=20,40,60,88
/interface list member
add comment=defconf interface=bridge_lan list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=bridge_lan list=discover
add interface=all-vlan-bridge list=discover
add interface=bridge_lan list=mactel
add interface=bridge_lan list=mac-winbox
/ip address
add address=192.168.88.252/24 comment="backup mgmt" interface=vlan88_MGMT network=192.168.88.0
add address=192.168.128.252/24 comment="Mgmt IP" interface=all-vlan-bridge network=192.168.128.0
add address=192.168.99.252/24 interface=ether4 network=192.168.99.0
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=192.168.128.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name="Bears PowerBox - Trailer"
/system ntp client
set enabled=yes primary-ntp=192.168.128.1 server-dns-names=0.us.pool.ntp.org
/system routerboard settings
set silent-boot=no
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

toxicfusion
Member Candidate
Topic Author
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: bridge vlan setup (new way)

Tue Aug 28, 2018 4:46 am

last question - looking for tips or suggestions.

Thinking about buying the MikroTik mANTbox 12s (2.4ghz 120* sector) setup as AP Bridge. This to replace an OLD engenius 2.4ghz N radio.....

Would the vlan tagging be the same when associating to SSID's? As will need to associate / include the SSID & vlans into the same bridge-interface? All interfaces would be tagged

Be opposite, mgmt vlan on WAP would be vlan88

mkx
Forum Guru
Posts: 10314
Joined: Thu Mar 03, 2016 10:23 pm

Re: bridge vlan setup (new way)

Tue Aug 28, 2018 8:53 am

When configuring WiFi interfaces as VLAN tagged, you need to do configuration like this:
Code:
# enable VLAN tagging on wlan interfaces ... all physical as well as virtual. VLAN IDs can be different on every wlan interface.
# The commands below go on top of "regular" WiFi configuration.
/interface wireless
set [ find name=wlan1 ] vlan-id=42 vlan-mode=use-tag
set [ find name=virtual_wlan ] vlan-id=666 vlan-mode=use-tag
# If wlan interfaces are not yet members of bridge, add them as tagged (trunk) - no PVID!!!
/interface bridge port
add bridge=all-vlan-bridge interface=wlan1
add bridge=all-vlan-bridge interface=virtual_wlan
# if wlan interfaces are members of bridge, change their VLAN settings. On wired (bridge) side, these interfaces carry tagged traffic!
# adjust the commands below to fit the rest of /interface bridge vlan setup!!!
/interface bridge vlan
add bridge=all-vlan-bridge tagged=wlan1 vlan-ids=42
add bridge=all-vlan-bridge tagged=virtual_wlan vlan-ids=666

Just remember to set proper VID on both /interface wireless as well as /interface bridge vlan and you're all set. The rest of setup (regarding ethernet ports) is just the same...

If, instead of using bridge VLAN, one goes HW way using switch chip VLAN, VLAN-tagged wifi config is even simpler: you only define VLAN IDs on /interface wireless exactly the same as in config sample above, no need to do anything anywhere else (no VLAN-special setup on bridge).

sindy
Forum Guru
Posts: 10029
Joined: Mon Dec 04, 2017 9:19 pm

Re: bridge vlan setup (new way)

Tue Aug 28, 2018 12:38 pm

I tried to do PVID=1 on the /interface bridge all-vlan-bridge (as in example #1 provided by Sindy). I was not able to access device from core switch/network. So performed reset. I was able however, to get working 100% using the unorthodox method #2. Perhaps review config and let me know why?
As you have published only the working configuration, there is nothing to review so I'm afraid it will remain an unsolved mystery - unless you'd try to revert to that configuration just in order to learn what was wrong.

toxicfusion
Member Candidate
Topic Author
Posts: 267
Joined: Mon Jan 14, 2013 6:02 pm

Re: bridge vlan setup (new way)

Tue Aug 28, 2018 3:21 pm

When configuring WiFi interfaces as VLAN tagged, you need to do configuration like this:
Code:
# enable VLAN tagging on wlan interfaces ... all physical as well as virtual. VLAN IDs can be different on every wlan interface.
# The commands below go on top of "regular" WiFi configuration.
/interface wireless
set [ find name=wlan1 ] vlan-id=42 vlan-mode=use-tag
set [ find name=virtual_wlan ] vlan-id=666 vlan-mode=use-tag
# If wlan interfaces are not yet members of bridge, add them as tagged (trunk) - no PVID!!!
/interface bridge port
add bridge=all-vlan-bridge interface=wlan1
add bridge=all-vlan-bridge interface=virtual_wlan
# if wlan interfaces are members of bridge, change their VLAN settings. On wired (bridge) side, these interfaces carry tagged traffic!
# adjust the commands below to fit the rest of /interface bridge vlan setup!!!
/interface bridge vlan
add bridge=all-vlan-bridge tagged=wlan1 vlan-ids=42
add bridge=all-vlan-bridge tagged=virtual_wlan vlan-ids=666

Just remember to set proper VID on both /interface wireless as well as /interface bridge vlan and you're all set. The rest of setup (regarding ethernet ports) is just the same...

If, instead of using bridge VLAN, one goes HW way using switch chip VLAN, VLAN-tagged wifi config is even simpler: you only define VLAN IDs on /interface wireless exactly the same as in config sample above, no need to do anything anywhere else (no VLAN-special setup on bridge).

Thanks for the tips! I will try the switch chip vlan method first - and perhaps also the new bridge vlan way as well. I'll know more later today about the performance or lack thereof when this old AP is installed at far side of campground. Few campers and sites ~1000ft LOS with some maple in way. I'm doubtful it will cut the mustard, as it's an older ENH202 model. The mANT 2 12's seems it'll do the trick for this part of site. Wish MikroTik had some newer outdoor devices that were dual band 2.4/5ghz and do band steering. But I regress on that notion. I used what they had bought and that was new Engenius ENH620ext AP's (4) and a single ENH1750EXT (very nice). These are omni-radio's - not my suggestion; but had to use what they already had investment with. Rest of network is all MikroTik and Cisco for core switch.

@Sindy - I do have a backup file of the non working config, I would have to only need to flip the PVID=1 on the /bring interface vlan-all-master (but would most likely lose conn). After thinking about it though - I wonder if it 'broke' due to having the same management IP address specified on both VLAN10 interface as well as on the vlan-all-master bridge... could have been confused. But I don't feel like breaking it and not being on-site and having to get client involved again with having to remotely hop onto a laptop there. Everything is up and working and in production now.

~200Mbps throughput the Hex S device via Bandwidth Test to the RB1100ahx4