Need help with L3 VLAN (2024)

Hello,
I just bought a hAP ax3 and I tried configuring a L3 VLAN.
I have my laptop connected to port ether1. The laptop's interface is set to 192.168.55.2/24.
The ether1 interface on the device does not have any IP configured.
I created a L3 VLAN named VLAN1 and added it to ether1. I set the ip address of it to 192.168.55.1/24.

The two machines won't ping each other.

If I set the IP to ether1 instead of VLAN1, I can ping the two machines.
If I create a bridge and add both VLAN1 and ether1 to the bridge, the interface stops working.

Here's my complete configuration:

[admin@MikroTik] > export# 2024-03-10 17:17:37 by RouterOS 7.12.1# software id = **ELIDED**## model = C53UiG+5HPaxD2HPaxD# serial number = **ELIDED**/interface vlanadd interface=ether1 name=VLAN1 vlan-id=1/ip neighbor discovery-settingsset discover-interface-list=!dynamic/ip addressadd address=192.168.55.1/24 interface=VLAN1 network=192.168.55.0/ip firewall filteradd action=accept chain=forwardadd action=accept chain=inputadd action=accept chain=output/system clockset time-zone-name=Europe/Zurich/system noteset show-at-login=no

What am I missing?
It's been 3 hours that I'm wrestling with this problem.

As long as the port using the vlan is not on the bridge its a viable path.
If you have the vlan on the bridge then you should use all vlans and the bridge does no DHCP etc...
Do not use VLAN1 for anything carrying data..........
If your router gets a public IP, then your firewall rules are your biggest issue.

This is not a config, its a few lines that are mostly useless.

• VLAN is a L2 concept, it has nothing to do with layer 3 from the OSI model.
• Your laptop is on the normal (untagged) broadcast domain
  But you set your router on the vlan 1 broadcast domain(thus packets are tagged from ether1)
  The devices are in 2 different broadcast domains(L2) this is why they cannot communicate
• You cannot bridge a parent interface with its child subinterface(ether1 and vlan1 tied to ether1)

With your config example the vlan1 is completely useless.

• VLAN is a L2 concept, it has nothing to do with layer 3 from the OSI model.
• Your laptop is on the normal (untagged) broadcast domain
  But you set your router on the vlan 1 broadcast domain(thus packets are tagged from ether1)
  The devices are in 2 different broadcast domains(L2) this is why they cannot communicate
• You cannot bridge a parent interface with its child subinterface(ether1 and vlan1 tied to ether1)

With your config example the vlan1 is completely useless.

Thank you. I resolved the issue by associating the Layer 3 VLAN with the bridge, making VLAN1 a subinterface of the bridge. I then connected ether1 to the bridge as a port. Following that, I enabled VLAN filtering and configured ether1 to be untagged for VLAN 1, so that packets leaving ether1 have their VLAN 1 tag removed.

By the way, I believe that what are referred to as Layer 3 VLANs should actually be termed virtual interfaces. However, in MikroTik terminology, virtual interfaces and Layer 2 VLANs share the same designation.

Additionally, I find it peculiar that MikroTik treats the bridge as both a Layer 2 switch and a Layer 3 interface.

Additionally, I find it peculiar that MikroTik treats the bridge as both a Layer 2 switch and a Layer 3 interface.

If one is pedantic as to what a particular entity does, then bridge actually has 4 personalities ... and there's a good explanation of all of them.

As to L3 VLANs: it's a pitty to (ab)use a well defined technical acronym (Virtual LAN as defined by IEEE 802.1Q) for something that is otherwise also (well) known as "IP subnet". There's simply no logic to call VLANs few subnets on "LAN" side of a router ... what's so Virtual about them?