smx52
just joined
Topic Author
Posts: 3
Joined: Sun Apr 28, 2024 1:48 am

Issues with Configuring VLAN and LAN on the Same Port on RB5009

Sun Apr 28, 2024 2:19 am

Hello everyone,

I'm attempting to configure both VLAN and LAN functionality on the same port simultaneously on my MikroTik RB5009. Here's what I've done so far:

  • I created VLAN50 on the bridge for ether3 as untagged and VLAN100 as tagged.
  • I added both vlan100 and vlan50 under 'Interfaces > VLAN'.
  • I set up IP addresses and a DHCP server for these VLANs.

The issue arises when I connect my computer to ether3. I receive an IP from the VLAN100 tagged interface, but no IP from the untagged LAN line. If I change the PVID of ether3 under 'Bridge > Ports', I can then get an IP via the LAN, but I lose connectivity over VLAN100.

I've tried several approaches, such as creating separate bridges for each VLAN and interlinking them, but nothing seems to work. Either the LAN network connects or the VLAN does, but never both simultaneously.

Previously, I used a TP-Link ER605 router, where configuring tagged/untagged LAN ports to work at the same time was just a few clicks away.

Additionally, I noticed that even without configuring other Ethernet ports, like ether7, when connected to it, the ARP table on the MikroTik shows the IP of VLAN50's network.

My main goal is to establish separate, isolated networks that can interact through nested VLANs. This setup aims to support basic Wi-Fi access points on OpenWRT routers, where VLAN and LAN from ether3 are mapped to the WAN of OpenWRT. This allows OpenWRT to extend ether3's LAN network to its LAN ports, provide its own Wi-Fi access point, and link any VLANs from MikroTik's ether3 to its related Wi-Fi access point.

Can anyone help troubleshoot this setup or suggest configurations that might resolve these issues?

Thank you!

Here is my basic test setup:
# software id = YNHJ-D8KX
#
# model = RB5009UG+S+
# serial number = X
/interface bridge
add admin-mac=78:9A:18:C5:71:EF auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=HXNET vlan-id=100
add interface=bridge name=Management vlan-id=10
add interface=bridge name=SXNET vlan-id=50
add interface=sfp-sfpplus1 name=vlan111 vlan-id=111
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool5 ranges=192.168.50.2-192.168.50.254
add name=dhcp_pool6 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp_pool5 interface=SXNET name=dhcp1
add address-pool=dhcp_pool6 interface=HXNET name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether1 pvid=10
add bridge=bridge interface=ether2
add bridge=bridge interface=ether7
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge untagged=sfp-sfpplus1 vlan-ids=111
add bridge=bridge tagged=ether7,bridge untagged=ether1 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=50
add bridge=bridge tagged=ether3,bridge vlan-ids=100
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=vlan111 list=WAN
add interface=Management list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.66.10.1/24 interface=ether8 network=10.66.10.0
add address=192.168.50.1/24 interface=SXNET network=192.168.50.0
add address=192.168.100.1/24 interface=HXNET network=192.168.100.0
add address=192.168.99.1/24 interface=Management network=192.168.99.0
add address=192.168.50.1/24 interface=ether3 network=192.168.50.0
/ip dhcp-client
add interface=vlan111
/ip dhcp-server network
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=input disabled=yes in-interface=ether8
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 dhcp-server
add address-pool="" interface=*1D name=server1
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Issues with Configuring VLAN and LAN on the Same Port on RB5009

Sun Apr 28, 2024 8:01 am

Hi there.

If you do the following, does your computer get an IP in vlan 50?
/interface bridge port
set [find interface=ether3] pvid=50
If you don't have a pvid defined for a bridge port, its default is whatever is defined as pvid for the bridge itself, which you can get with a bridge print. By default, that's pvid=1. In your case, that would correspond to the L3 interface "bridge" with IP 192.168.88.1/24; there is no DHCP server on it, so that may explain why you are not getting an IP without the PVID statement on the switch port.
[admin@mainrouter] > /interface/bridge/print         
Flags: X - disabled, R - running 
 0 R ;;; Main bridge
     name="bridge" mtu=auto actual-mtu=1500 l2mtu=1560 arp=enabled arp-timeout=auto mac-address=18:FD:74:FA:22:34 protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=18:FD:74:FA:22:34 ageing-time=1m priority=0 
     max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-all ingress-filtering=no dhcp-snooping=no port-cost-mode=short
You can check what the status is for tagged/untagged using bridge vlan print.
[admin@mainrouter] > /interface/bridge/vlan/print  
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
# BRIDGE  VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
0 bridge         1                  bridge          
                                    wifi3           
;;; Imprimantes et petits appareils (non IOT)
1 bridge       500  bridge          ether2          
                    wifi3                           
;;; VLAN pour les IOT
2 bridge       501  bridge                          
                    wifi3                           
;;; Routage et management
3 bridge      4000  bridge                          
                    wifi3                           
;;; Guest network with hotspot
4 bridge       502  bridge                          
                    wifi3   
Lastly, when you say that you are getting an IP in VLAN100, are you using a tagged interface on your computer as well?
 
smx52
just joined
Topic Author
Posts: 3
Joined: Sun Apr 28, 2024 1:48 am

Re: Issues with Configuring VLAN and LAN on the Same Port on RB5009

Sun Apr 28, 2024 1:24 pm

@vingjfg:
Yes, exactly. When I set the PVID to 50, my computer does get an IP from VLAN 50. And when my computer's network interface is configured for VLAN 100 (tagged), it receives an IP from VLAN 100, but only if the PVID isn't set.

If you don't have a pvid defined for a bridge port, its default is whatever is defined as pvid for the bridge itself, which you can get with a bridge print. By default, that's pvid=1. In your case, that would correspond to the L3 interface "bridge" with IP 192.168.88.1/24; there is no DHCP server on it, so that may explain why you are not getting an IP without the PVID statement on the switch port.


I have now removed the default IP (192.168.88.1), but the issue persists. Although an IP from VLAN 50 appears in the ARP list, the interface shown is 'bridge'. Here are the screenshots of the ARP list and interface settings:
[screenshot: ARP list]

(SXLAN=VLAN50, HXLAN=VLAN100)
[screenshot: interface settings]

I even tried assigning the VLAN 50 IP directly to the bridge, which unfortunately did not resolve the issue.

[screenshot: VLAN 50 IP assigned to the bridge]



How can we configure the bridge to recognize ether3 as part of the SXLAN (VLAN50) network and its DHCP server?


Here are the current bridge settings:
[admin@MikroTik] > /interface/bridge/print  
Flags: X - disabled, R - running 
 0 R ;;; defconf
     name="bridge" mtu=auto actual-mtu=1500 l2mtu=1514 arp=enabled arp-timeout=auto mac-address=78:9A:18:C5:71:EF protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=78:9A:18:C5:71:EF ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 
     vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-all ingress-filtering=yes dhcp-snooping=no port-cost-mode=long 
bridge/vlan print:
[admin@MikroTik] > /interface/bridge/vlan/print  
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
#   BRIDGE  VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
0   bridge       111                                  
1   bridge        10  bridge                          
2   bridge        50  bridge          ether3          
3   bridge       100  bridge                          
                      ether3                          
4 D bridge         1                  bridge          
                                      ether3          
                                      ether8     
 
vingjfg
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Issues with Configuring VLAN and LAN on the Same Port on RB5009  [SOLVED]

Sun Apr 28, 2024 2:02 pm

Wow wow wow!

An IP should be present once and only once - remove the IP addresses assigned directly to ether3 - this interface should be L2 only, no IP.

The IP addresses must be on the VLAN interfaces.

Can you reconfigure it for the following:
  • IP addresses on the VLAN interfaces, not on ether3
  • ether3 is PVID50, with VID100 tagged
Your computer must have a subinterface with VID 100.

Can you show the output of the following command once the above is done?
/interface/bridge/host/print
 
anav
Forum Guru
Posts: 19638
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Issues with Configuring VLAN and LAN on the Same Port on RB5009

Sun Apr 28, 2024 2:43 pm

A bridge port can express 3 use cases:
- a trunk port carrying multiple vlans (all tagged)
- an access port carrying one vlan (untagged)
- a hybrid port carrying one vlan (untagged) and one or more vlans (tagged).

In the case of trunk or hybrid, the receiving device must be able to handle both tagged (trunk only) and untagged vlans (hybrid both).
One example is a phone that needs the tagged vlan and passes the untagged vlan to a connected PC.
Another: Unifi devices come default expecting the management vlan untagged and all the data vlans tagged.

Thus, connecting a PC, a 'dumb' device to either a trunk port or hybrid port is just plain wrong.
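As an added illustration that is not code from any poster in this thread, a small Python audit applies the rules from the two replies above (IPs belong on the VLAN interfaces, never on a bridge port; a port without its own pvid inherits the bridge pvid, default 1; ports are access, trunk or hybrid) to a constructed subset of the export posted at the top. The export excerpt, parse_export and audit are all constructed here and are not RouterOS tooling.

```python
import re
from collections import defaultdict

# Constructed subset of the export posted in this thread (the state before the fix).
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether3
add bridge=bridge interface=ether1 pvid=10
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=50
add bridge=bridge tagged=ether3,bridge vlan-ids=100
/ip address
add address=192.168.50.1/24 interface=SXNET
add address=192.168.50.1/24 interface=ether3
"""

def parse_export(text):
    """Group the 'add' lines of a RouterOS export by menu path into key=value dicts."""
    sections, menu = defaultdict(list), None
    for line in text.splitlines():
        menu = line.strip() if line.startswith("/") else menu
        if menu and line.startswith("add "):
            sections[menu].append(dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line)))
    return sections

def audit(sections):
    """Return ({port: (effective PVID, role)}, findings); a port without its own pvid inherits the bridge pvid (default 1)."""
    bridge_pvid = {b["name"]: int(b.get("pvid", 1)) for b in sections["/interface bridge"]}
    member = {"tagged": defaultdict(set), "untagged": defaultdict(set)}
    for v in sections["/interface bridge vlan"]:
        for key, table in member.items():
            for p in filter(None, v.get(key, "").split(",")):
                table[p].add(int(v["vlan-ids"]))
    roles, findings, by_addr = {}, [], defaultdict(list)
    for port in sections["/interface bridge port"]:
        name = port["interface"]
        tag, untag = member["tagged"][name], member["untagged"][name]
        pvid = int(port.get("pvid", bridge_pvid.get(port["bridge"], 1)))
        roles[name] = (pvid, "hybrid" if tag and untag else "trunk" if tag else "access")
        if untag and pvid not in untag:  # untagged ingress is classified by PVID, not by this table
            findings.append(f"{name}: untagged member of VLAN {sorted(untag)} but PVID {pvid}")
    for a in sections["/ip address"]:  # bridge ports are L2 only; IPs belong on VLAN interfaces
        by_addr[a["address"]].append(a["interface"])
        if a["interface"] in roles:
            findings.append(f"{a['address']} configured on bridge port {a['interface']}")
    findings += [f"{addr} assigned more than once ({', '.join(i)})" for addr, i in by_addr.items() if len(i) > 1]
    return roles, findings
```

Running audit(parse_export(SAMPLE_EXPORT)) reports the three problems diagnosed in the thread; applying the fix (pvid=50 on ether3, IP removed from ether3) yields no findings.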
 
smx52
just joined
Topic Author
Posts: 3
Joined: Sun Apr 28, 2024 1:48 am

Re: Issues with Configuring VLAN and LAN on the Same Port on RB5009

Sun Apr 28, 2024 7:32 pm

Thanks Thanks Thanks!

After cleaning up the IPs, everything began to work like a charm.