L2 hell with Mikrotik and VLAN tags

Henlo,
I am having quite the trouble with my RB5009 router where I'm trying to create a VLAN for my various IoT devices. All ports are under a common bridge, and this VLAN should be reached either via access ports (with non-VLAN-aware devices) or via an ethernet port on which a Proxmox server is running (where I will tag container ports with VLAN 93).

However, I believe I am missing something because, while I can successfully get an IP via Proxmox on any ethernet port by using VLAN 93, non-VLAN devices on ports ether5 and ether6 do not get any kind of traffic. It looks like everything is dropped directly at the port, and I don't know why.

This is my current configuration:
[admin@MikroTik] > /export

/interface bridge
add admin-mac=78:9A:18:8D:5B:65 auto-mac=no comment=defconf name=bridge port-cost-mode=short vlan-filtering=yes

/interface ethernet
set [ find default-name=ether5 ] name=ether5_iot poe-out=off
set [ find default-name=ether6 ] name=ether6_iot

/interface vlan
add comment=IoT interface=bridge name=vlan_iot vlan-id=93
add comment="VLAN for WAN PPPoE" interface=ether1_ont name=vlan_ont100 vlan-id=100

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool_iot ranges=192.168.93.100-192.168.93.200

/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=23h59m59s name=defconf
add address-pool=pool_iot interface=vlan_iot lease-time=23h name=dhcp_iot

/interface bridge port
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5_iot internal-path-cost=10 path-cost=10 pvid=93
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6_iot pvid=93

/interface list member
add comment=defconf interface=bridge list=LAN
add comment="VLAN IoT" interface=vlan_iot list=LAN

/ip address
add address=192.168.88.1/24 comment="Network Appliances" interface=bridge network=192.168.88.0
add address=192.168.93.1/24 comment=IoT interface=vlan_iot network=192.168.93.0

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.93.0/24 dns-server=192.168.93.1 gateway=192.168.93.1

Does anybody have any idea on where my mistake is?

Comments

  • What version of ROS? No firewall?

    No ARP on the bridge? Try /interface bridge set arp=proxy-arp

  • It's Mikrotik, that's why.


    youtube.com/watch?v=k1BneeJTDcU

  • @tetech said:
    What version of ROS? No firewall?

    No ARP on the bridge? Try /interface bridge set arp=proxy-arp

    # 2024-03-01 07:49:28 by RouterOS 7.14
    # software id = 2IJI-7WHC
    #
    # model = RB5009UPr+S+
    
    /ip firewall filter
    add action=accept chain=input comment="wan: allow wireguard" dst-port=15151 protocol=udp
    add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
    add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
    add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
    add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
    add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
    add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
    add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
    add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
    add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
    add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
    add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
    

    I've tried; ARP is enabled, but even proxy-arp makes no difference.

  • I didn't look at which switch chip that model has, but see if the chip has a VLAN table. Possible the VLAN gets handled within the chip. Understand that I don't know exactly what is wrong but I am throwing out some ideas.

    [admin@mtk] > /interface/ethernet/switch/vlan print detail
    Flags: X - disabled, I - invalid
     0   switch=switch1 vlan-id=4 ports=switch1-cpu,ether3 independent-learning=no
    
     1   switch=switch1 vlan-id=5 ports=switch1-cpu,ether3 independent-learning=no
    
     2   switch=switch1 vlan-id=6 ports=switch1-cpu,ether3 independent-learning=no
    [admin@mtk] > /interface/ethernet/switch/port print detail
    Flags: I - invalid
     0   name="sfp1" switch=switch1 vlan-mode=disabled vlan-header=leave-as-is
         default-vlan-id=auto
    
     1   name="ether1" switch=switch1 vlan-mode=disabled vlan-header=leave-as-is
         default-vlan-id=auto
    
     2   name="ether2" switch=switch1 vlan-mode=disabled vlan-header=leave-as-is
         default-vlan-id=auto
    
     3   name="ether3" switch=switch1 vlan-mode=fallback vlan-header=leave-as-is
         default-vlan-id=auto
    
     4   name="ether4" switch=switch1 vlan-mode=disabled vlan-header=leave-as-is
         default-vlan-id=auto
    
     5   name="ether5-unid3" switch=switch1 vlan-mode=disabled
         vlan-header=leave-as-is default-vlan-id=auto
    
     6   name="ether6" switch=switch2 vlan-mode=disabled vlan-header=leave-as-is
         default-vlan-id=0
    
     7   name="ether7" switch=switch2 vlan-mode=disabled vlan-header=leave-as-is
    
  • Nope, the integrated switch "Marvell 88E6393X" does not seem to have any kind of VLAN setting.

  • host_c Hosting Provider
    edited March 2

    @tetech said: Possible the VLAN gets handled within the chip.

    @foxone

    For the moment I am away out of town, bear with it a little, I can help you out later with this.

    VLAN is HW-Offloaded on 5009.

    but as I saw your settings, you will have to drop all config, it is wrong in all ways.

    In MKT you only work in the SW chip on gen CRS Switches 1 and if you use L3HW offload (5009 is not part of this)

    Write what ports you wish to be Access with what VLAN and what ports you wish to be Trunk.

    Host-C - VPS Services Provider - AS211462

    "If there is no struggle there is no progress"

  • @host_c said:

    @tetech said: Possible the VLAN gets handled within the chip.

    @foxone

    For the moment I am away out of town, bear with it a little, I can help you out later with this.

    VLAN is HW-Offloaded on 5009.

    but as I saw your settings, you will have to drop all config, it is wrong in all ways.

    In MKT you only work in the SW chip on gen CRS Switches 1 and if you use L3HW offload (5009 is not part of this)

    Write what ports you wish to be Access with what VLAN and what ports you wish to be Trunk.

    Access ports should be the ones I named _iot, with VLAN 93. All other ports should be trunk or no VLAN.

    Here's my full config: https://paste.debian.net/plainh/79ea7e06
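For the port layout the OP lays out above (ether5_iot and ether6_iot as VLAN 93 access ports, every other bridge port a trunk that also carries untagged LAN traffic), the following is an added example of a bridge VLAN table for that layout. It is not from the thread, from MikroTik, or from host_c's promised config; it assumes the port, interface, pool and server names from the OP's export, that VLAN 1 stays the untagged management LAN on the trunk ports, and (for the last rule) that the IoT VLAN is meant to be kept away from the 192.168.88.0/24 LAN.

```routeros
# Added example, not from the thread. Names (bridge, ether5_iot, ether6_iot,
# vlan_iot, dhcp_iot, the defconf firewall comments) are taken from the
# OP's export; everything else is an assumption about the intended layout.
#
# Run this from safe mode (Ctrl+X in the CLI): if a mistake cuts the
# session off, the changes are rolled back when the session drops.

# 1. Access ports: untagged members of VLAN 93. pvid=93 is already set in
#    the export; frame-types keeps tagged frames from IoT devices out.
/interface bridge port
set [ find interface=ether5_iot ] pvid=93 frame-types=admit-only-untagged-and-priority-tagged
set [ find interface=ether6_iot ] pvid=93 frame-types=admit-only-untagged-and-priority-tagged

# 2. The VLAN table entry the export does not contain. With
#    vlan-filtering=yes the bridge only has the dynamic per-PVID entries,
#    so nothing ties VLAN 93 on the access ports to the bridge CPU port
#    where the vlan_iot interface lives. "tagged" must include the bridge
#    itself plus the trunk ports; "untagged" lists the access ports.
/interface bridge vlan
add bridge=bridge vlan-ids=93 tagged=bridge,ether3,ether4,ether7,ether8,sfp-sfpplus1 untagged=ether5_iot,ether6_iot

# 3. Filtering stays on (already yes in the export); re-applied so the
#    order "table first, then filtering" is explicit.
/interface bridge
set bridge vlan-filtering=yes

# 4. Checks. The 93 entry should be static (no D flag) and list the bridge
#    under tagged; VLAN 1 remains a dynamic entry from the default PVIDs.
/interface bridge vlan print
# MACs learned on VLAN 93 should show up on ether5_iot/ether6_iot as soon
# as an IoT device sends a frame:
/interface bridge host print where vid=93
# Leases from pool_iot confirm DHCP is reaching the access ports:
/ip dhcp-server lease print where server=dhcp_iot

# 5. Assumption about intent: IoT should not initiate connections into the
#    main LAN. This drops new connections from vlan_iot to 192.168.88.0/24
#    while still letting IoT reach the router (DHCP/DNS on vlan_iot is in
#    the LAN list) and the internet. Placed ahead of the defconf WAN drop so
#    it is evaluated after the established/related accept and fasttrack.
/ip firewall filter
add chain=forward action=drop comment="iot: block new to main LAN" in-interface=vlan_iot dst-address=192.168.88.0/24 connection-state=new place-before=[ find comment="defconf: drop all from WAN not DSTNATed" ]
```

The detail that matters for the symptom in the original post is step 2: the access ports already have pvid=93, so frames enter the bridge in VLAN 93, but without a table entry that includes the bridge itself, VLAN 93 never reaches vlan_iot and the DHCP server bound to it, which looks exactly like traffic being dropped at the port.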

  • host_c Hosting Provider

    @foxone

    I will import this on a 5009 and modify it for you tomorrow

    Host-C - VPS Services Provider - AS211462

    "If there is no struggle there is no progress"
