severus
just joined
Topic Author
Posts: 11
Joined: Sun Oct 15, 2023 1:28 am
Location: UK

SwOS help for a trunk port

Sun Oct 15, 2023 2:00 am

Hi, new to the forum and a happy mikrotik user at home for some years. I'm not a network engineer.
I've read and re-read the mikrotik documentation in wiki, old and new docs and read "the excellent post" for VLANS by a forum member with diagrams and all. I'm still puzzled.
My setup is working but I seek to understand the trunk port part. The main reason is that my router is OPNSense, based on freebsd that has limited support for mixed traffic with and without VLAN tags.
I am using a CSS326 where port 1 is my "uplink" to my Router.
From the documentation, I am using the "Trunk and Access Ports" setup.
This is my setup and works flawlessly:
On the switch my trunk port is:
VLAN tab.
Port 1: "Trunk" port VLAN mode is enabled, VLAN receive "any", Default VLAN ID "1", Force VLAN ID is disabled
Ports 18,19,20: Access ports VLAN mode is enabled, VLAN receive "any", Default VLAN ID "200", Force VLAN ID is disabled

VLANs tab.
VLAN ID = 200, Name "name I gave it", Port Isolation enabled, Learning enabled, Mirror disabled, IGMP Snooping enabled, members: trunk and access ports.

On the router the VLAN is set as a child of the LAN interface. The services like DHCP and others are set on each physical LAN interface and VLAN interface separately.

The way I read the documentation, this has my trunk port being port 1, with both tagged 200 for the traffic from the access ones and tagged 1 for the traffic from all other access ports that have no tag set; but I am uncertain if this is a correct setup. Never had a problem but all the traffic is coming via this route.
This is the question: Is my understanding correct that port 1 "trunk" is sending all the traffic tagged with vlan id 200 from-to the vlan ports AND vlanid 1 for everything else?
Or is it sending mixed tagged and untagged traffic? A traffic capture on the router port shows me no traces of VLANs (EtherType 0x800) for all frames I can see. Hence, could it be that all traffic is stripped of VLAN information and is ALL sent untagged?
I ask because, although I've not had problems, FreeBSD asks to not mix tagged and untagged traffic on the same interface, so I want to know if I should make changes to avoid problems down the road.
Thanks for any assistance.
 
severus
just joined
Topic Author
Posts: 11
Joined: Sun Oct 15, 2023 1:28 am
Location: UK

Re: SwOS help for a trunk port

Mon Oct 16, 2023 11:47 pm

Please help. I know it is a basic question but all my reading has left me stumped.
 
darthgizm0
Frequent Visitor
Frequent Visitor
Posts: 56
Joined: Sat Dec 17, 2022 5:27 am
Location: USA

Re: SwOS help for a trunk port

Tue Oct 17, 2023 10:05 pm

I'm not a Unix guy but I know in Linux you want to have one VLAN per interface and you can have multiple virtual interfaces based on one physical interface. Not sure if you need to create multiple virtual interfaces to support the multiple VLANs in place?
 
severus
just joined
Topic Author
Posts: 11
Joined: Sun Oct 15, 2023 1:28 am
Location: UK

Re: SwOS help for a trunk port

Tue Oct 17, 2023 10:25 pm

Thanks for responding. I am OK with the parent interface part, something I need to ask the freebsd people.
The question here is about clarifying the documentation for Mikrotik interfaces. Thanks though.
Anyone else can please chip in?
 
severus
just joined
Topic Author
Posts: 11
Joined: Sun Oct 15, 2023 1:28 am
Location: UK

Re: SwOS help for a trunk port

Tue Oct 17, 2023 11:31 pm

Ok allow me to illustrate the source of my uncertainty.
Docs have this for Trunk and Access (my use, except my trunk is Ether1):

Image
So it seems the only way the switch knows it is a trunk is because it is member of all the VLANs, but some of the remaining ports are not in a VLAN. They would be left as VLAN Mode: optional; VLAN Receive: any. Still the trunk will carry both traffic, the VLAN and non-VLAN one. All good I think.

Then the next section advises to set access ports as Strict-only untagged and the Trunk as strict-only tagged.
Image
Here is my confusion, as the text above this example, which explains what these settings do, reads:
VLAN Mode (disabled | optional | enabled | strict; Default: optional) - VLAN filtering mode, these options are relevant to egress ports (except for strict mode).
- strict - Enabled VLAN filtering with additional ingress filtering, which checks if the ingress port is a member of the received VLAN ID in the VLAN table. Received packets on the ingress port with a VLAN ID that does not match with the VLAN table will be dropped. Default VLAN ID must be specified for access ports since it will be used to tag ingress traffic and untag egress traffic for a certain port.

So. To begin with, settings only relevant to egress ports. Ether2 is trunk, does that make it an egress port? If yes, then the strict setting that applies is that traffic from both tagged and untagged access ports going out from it will be untagged. Is that correct reading?
But then the example picture has Ether2 trunk as all traffic tagged. I am so very unclear.
Help me understand please.
 
mkx
Forum Guru
Posts: 11647
Joined: Thu Mar 03, 2016 10:23 pm

Re: SwOS help for a trunk port

Tue Oct 17, 2023 11:56 pm

Ingress and egress are about the direction of a (tagged) frame when passing a port. Ingress port is the port which receives the frame (from the wire). Egress port is the port via which frame ultimately leaves the switch (or there may be multiple in some particular cases).

The first screenshot is about egress ... so setting about which ports will allow frame to exit switch. If a port is not member of a VLAN, then frame tagged with that VID will not exit via that port. Ever.
The second screenshot is (mostly) about ingress. VLAN mode strict means that VIDs of ingress frames will be matched against (egress) VLAN port membership and if port is not member of certain VLAN, it won't accept such frame on ingress. And VLAN receive is setting about untagged frames: are they allowed on ingress or not. If they are (settings "any" or "only untagged"), then they will be tagged with Default VLAN ID on ingress. And here's also egress dependency: when untagged frames are allowed on ingress, frames tagged with VID matching Default VLAN ID will get tag stripped on egress.
 
k6ccc
Forum Guru
Posts: 1500
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: SwOS help for a trunk port

Wed Oct 18, 2023 6:00 am

Your network drawing and screen captures look fine. The only thing I would do different is uncheck "Port Isolation" on all ports - unless you really understand what that does on that page.
 
severus
just joined
Topic Author
Posts: 11
Joined: Sun Oct 15, 2023 1:28 am
Location: UK

Re: SwOS help for a trunk port

Wed Oct 18, 2023 1:46 pm

Your network drawing and screen captures look fine. The only thing I would do different is uncheck "Port Isolation" on all ports - unless you really understand what that does on that page.
I wish I could take credit. They are taken from the product help pages and I followed for my setup https://wiki.mikrotik.com/wiki/SWOS/CSS326-VLAN-Example and https://help.mikrotik.com/docs/pages/vi ... ionExample and I'll review the port isolation, thanks.
Ingress and egress are about the direction of a (tagged) frame when passing a port. Ingress port is the port which receives the frame (from the wire). Egress port is the port via which frame ultimately leaves the switch (or there may be multiple in some particular cases).

The first screenshot is about egress ... so setting about which ports will allow frame to exit switch. If a port is not member of a VLAN, then frame tagged with that VID will not exit via that port. Ever.
The second screenshot is (mostly) about ingress. VLAN mode strict means that VIDs of ingress frames will be matched against (egress) VLAN port membership and if port is not member of certain VLAN, it won't accept such frame on ingress. And VLAN receive is setting about untagged frames: are they allowed on ingress or not. If they are (settings "any" or "only untagged"), then they will be tagged with Default VLAN ID on ingress. And here's also egress dependency: when untagged frames are allowed on ingress, frames tagged with VID matching Default VLAN ID will get tag stripped on egress.
Thanks for taking the time. I think I begin to form an understanding. Let me run it past you.
I'm thinking, the VLAN tab use of other than default ID of 1 creates a VLAN table. There I have say a VLAN 200. Now I have a table with 200 and 1.
Now I apply your explanation, and I need to read a few more times, mostly because with network traffic going in both directions, the concept of an egress and ingress port I'm failing to grasp yet.
So I think then if I plug a device into port 6 in the example, that is not tag aware and sends traffic in untagged (say ARP queries or DHCP requests), then the switch will look in the table and this is ingress, and as per VLAN mode strict, find it matches the table with "a" VLAN and accept it.
Now for the egress part, and in my mind this is the going out via trunk part ie, Eth2. The port is member also of this VID so outward traffic is allowed. So my client gets its traffic in Eth6 and accepted, goes out via Eth2 also accepted and goes its merry way.
Am I close?
But then to complete the picture though, I also have a client, also not vlan tag aware, plugged into Eth9, port 9. Doing the same thing, sending traffic in to set itself up. This one as above explanation with switch looking up the table but matches VID 1 instead. Traffic accepted on ingress.
And then the real bugging question. When the traffic goes out on Eth2, is it all tagged or all untagged or mixed (traffic that came from Eth2 and Eth9)? You see, I read that the traffic from Eth9 has its tag stripped on its way out as per the explanation. And now the example picture doesn't work, showing it all tagged.
 
mkx
Forum Guru
Posts: 11647
Joined: Thu Mar 03, 2016 10:23 pm

Re: SwOS help for a trunk port

Wed Oct 18, 2023 4:12 pm

Meaning of "VLAN mode = optional" is this: Disabled VLAN filtering. Handle packets with VLAN tag ID that is not present in VLAN table just like packets without VLAN tag.

In layman's words: if VLAN mode is set to optional, then switch will handle frames according to VLAN receive setting, but will not enforce constraints (such as allowed VIDs on ingress).

How the switch internally handles untagged frames is not entirely clear. My mental picture (which fully explains how bridge in ROS works) says, that switch will add a tag with VID set to default VLAN ID on ingress to untagged frames. And then switch will internally handle those frames just like frames with any other VID set. When it comes to egress ... possibly SwOS allows untagged frames on egress if "VLAN receive" is set to allow untagged frames on ingress (even though the option name implies it doesn't apply to egress) and then strips VLAN tags from frames which internally carry VID equal to "default VLAN ID".
In your particular case this would mean that ether2 will not allow any untagged frame on egress (because it's set to allow only tagged frames on ingress) and thus traffic from ether9 won't flow through ether2. However, traffic from ether9 could egress through ether1, ether3, ether4 and ether5 because they are set to pass untagged frames and their default VLAN ID is set to 1.

The ambiguity above would be resolved if there was an egress table also for VLAN ID 1 (there are for 200, 300 and 400), where ports members of VLAN 1 would be explicitly configured.
This is actually similar to how ROS bridge treats ports with PVID (default VLAN ID) set ... it adds those ports as untagged ports to corresponding VLANs automatically. But in this case you wouldn't have to add e.g. ether7 to VLAN 300 explicitly (setting default VLAN ID would suffice).
 
severus
just joined
Topic Author
Posts: 11
Joined: Sun Oct 15, 2023 1:28 am
Location: UK

Re: SwOS help for a trunk port

Wed Oct 18, 2023 6:35 pm

Ok, very useful. And I should have provided the context to begin with.
That is that I am using Eth2 as what I've been thinking Trunk but I've started doubting it.
Image
I'm physically linking the CSS via Eth2 to my router. There on this router I have a VLAN 200 setup with the parent interface "LAN".
On the CSS I have the device on the port Eth9 and based on your explanation, port accepts untagged frames. Also on a workstation on Eth5 for instance, will have frames accepted and will tag default VID.
In your particular case this would mean that ether2 will not allow any untagged frame on egress (because it's set to allow only tagged frames on ingress) and thus traffic from ether9 won't flow through ether2. However, traffic from ether9 could egress through ether1, ether3, ether4 and ether5 because they are set to pass untagged frames and their default VLAN ID is set to 1.
The "From Eth9 through Eth1, Eth3 ..." part makes sense as cross-access-port behaviour. From here is where I get lost, apologies, i.e. trunking.
How do I then setup a trunk port in CSS, that is one that will carry both traffic originating and destined for both Eth8 that is in a VLAN and say port Eth5 that is not?
 
mkx
Forum Guru
Posts: 11647
Joined: Thu Mar 03, 2016 10:23 pm

Re: SwOS help for a trunk port

Wed Oct 18, 2023 8:05 pm

Terminology slightly varies between vendors. Generally there are 3 types of ports (when it comes to VLANs) and in MT dialect they are called:
  • access port
    Port which only accepts untagged frames on ingress and only transmits untagged frames on egress. It has set "default VLAN ID" or PVID which defines which VLAN this port belongs to.
  • trunk port
    Port which only allows tagged frames on ingress and egress. It can be member of one or more VLAN, membership is configured in some sort of list or table (e.g. "members" portion of first screenshot in your post #5 above).
  • hybrid port
    (some vendors call it "trunk with native VLAN")
    Port which accepts both tagged and untagged frames on ingress, also transmits both tagged and untagged frames on egress. It has "default VLAN ID" or PVID set. It is also member of one or more VLANs.

So if your main router is configured to work with untagged frames (parent device) and with tagged frames (vlan interface for VLAN 200, configured off parent interface), this would mean it works as hybrid interface and ether2 on CSS needs to be configured as hybrid as well.

Note: when frame leaves switch untagged, it loses all information about which VLAN it belonged to before egressing switch. You can thus use different ID for marking untagged frames on connected switches (in other words: you don't have to care about how main router works with untagged frames internally when configuring CSS).
So to avoid ambiguity about VID 1 (which is often treated in a special way in their configuration by many vendors), you could use different VLAN ID for your main LAN. You would then set default VLAN ID to that value (e.g. 666) on all access ports intended to link LAN devices and on ether2 (untagged part of hybrid port towards main router). You would also explicitly set all access and hybrid ports as members of that VLAN. For the VoIP VLAN (VLAN 200) access ports you'd set default VLAN ID to 200 and set all those ports as members of said VLAN. You'd also set ether2 as member of VLAN 200 but since its default VLAN ID is different, this then makes switch to use ether2 as tagged port for that VLAN.
 
severus
just joined
Topic Author
Posts: 11
Joined: Sun Oct 15, 2023 1:28 am
Location: UK

Re: SwOS help for a trunk port

Wed Oct 18, 2023 10:41 pm

That is brilliant, a great explanation.
Now I understand my "trunk" is carrying both tagged and untagged but also have a way to use only tagged if that's what the router requires.
Much obliged @mkx. You have been a great help. Thank you!
 
severus
just joined
Topic Author
Posts: 11
Joined: Sun Oct 15, 2023 1:28 am
Location: UK

Re: SwOS help for a trunk port

Thu Oct 19, 2023 7:41 pm

As way of update, I am unable to set the router to be hybrid. That is a limitation of the underlying operating system and the reason I want to move from either all tagged or all untagged on the wire.
I just can't seem to be able to get the "trunk" port to have all traffic tagged.
Following the advice I've changed the default VID from 1 to 100 for all ports that are not in the VLAN 200. I'll post new screenshots in a while when I'm off the work PC, seeking more advice.
Checked with wireshark packet captures at the router interface after each change (the ones that didn't lock me out of the network that is).
 
severus
just joined
Topic Author
Posts: 11
Joined: Sun Oct 15, 2023 1:28 am
Location: UK

Re: SwOS help for a trunk port

Thu Oct 19, 2023 11:08 pm

So now with my actual settings for a fresh view please.
This is my setup of VLAN and VLANs tabs. This is a CSS326.

I have three ports on VLAN200 and the rest on default. Port 1 (uplink1) is what I want to be my "trunk" and hence made member of both VLANs.

Image

I have changed the Default VLANID with 100 instead of 1 for all ports not members of VLAN 200.

Image

With these settings, I am getting both tagged and untagged packets on the trunk as seen by a packet capture on the other end of the wire, on the router that has the port as the parent interface called LAN and the VLAN virtual interface hanging off it with VLAN tag 200.
Capture on the parent with tag for that port:

Image

Capture on the parent without tag for other ports:

Image
Capture on the VLAN for completeness (this one no tags).

Image

If I change the VLAN receive on the trunk to "only tagged", I get locked out and have to connect physically to the switch to undo it.
What settings do I need to change for all traffic to go in and out of trunk tagged please?
p.s. I'm doing this whilst on Wifi which is provided by an Access Point plugged into the VLAN 100 ports (eero_office).
 
k6ccc
Forum Guru
Posts: 1500
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: SwOS help for a trunk port

Thu Oct 19, 2023 11:36 pm

Can you post the System tab? The secret to why you get locked out is likely there.
Get the lockout issue resolved BEFORE you do the rest or else you will likely get locked out again.

On the VLAN tab, I would change all the untagged ports to either disabled or strict and set them to untagged only.
On the VLAN tab, change port 1 to Tagged only, and set the default VLAN to some dummy number (it won't be used since it will be tagged only). I use 970 plus the port number.
On the VLANs tab, uncheck Port Isolation on VLAN 100 (unless you REALLY understand what it does ON THAT TAB).
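An added worked model, not MikroTik's code and not from anyone in this thread, of how the VLAN tab and VLANs tab settings interact along the lines mkx describes above (untagged frames get the Default VLAN ID on ingress, strict mode checks ingress membership, a frame leaves a port untagged only where its VID equals that port's Default VLAN ID and the port accepts untagged frames), applied to severus's CSS326 layout with the strict/tagged-only uplink settings k6ccc recommends. The internals are assumed from mkx's mental picture, which the thread itself says is not confirmed, and Port Isolation is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Port:
    """One row of the SwOS VLAN tab (every port in this model uses VLAN Mode "strict")."""
    receive: str       # VLAN Receive: "any", "only tagged" or "only untagged"
    default_vid: int   # Default VLAN ID (PVID)


class Switch:
    def __init__(self, ports: Dict[int, Port], vlans: Dict[int, Set[int]]):
        self.ports = ports   # port number -> VLAN tab settings
        self.vlans = vlans   # VID -> member ports (the VLANs tab)

    def ingress(self, port_no: int, tag: Optional[int]) -> Optional[int]:
        """Internal VID of a frame arriving on port_no, or None if the frame is dropped."""
        p = self.ports[port_no]
        if tag is None:                       # untagged on the wire
            if p.receive == "only tagged":
                return None
            tag = p.default_vid               # assumed: tagged with the Default VLAN ID on ingress
        elif p.receive == "only untagged":
            return None
        if port_no not in self.vlans.get(tag, set()):
            return None                       # strict mode: ingress port must be a member of the VID
        return tag

    def forward(self, in_port: int, tag: Optional[int]) -> Dict[int, Optional[int]]:
        """Ports the frame floods out of, mapped to the tag it carries there (None = untagged)."""
        vid = self.ingress(in_port, tag)
        out: Dict[int, Optional[int]] = {}
        if vid is None:
            return out
        for no, p in self.ports.items():
            if no == in_port or no not in self.vlans.get(vid, set()):
                continue                      # not a member of the VID: the frame never exits here
            untag = vid == p.default_vid and p.receive != "only tagged"
            out[no] = None if untag else vid
        return out


def build(trunk_receive: str, trunk_default: int) -> Switch:
    """severus's layout: port 1 is the uplink, ports 18-20 are in VLAN 200, the rest in VLAN 100."""
    voip = {18, 19, 20}
    ports = {1: Port(trunk_receive, trunk_default)}
    for n in range(2, 27):
        ports[n] = Port("only untagged", 200 if n in voip else 100)
    lan = {n for n in range(2, 27) if n not in voip}
    return Switch(ports, {100: lan | {1}, 200: voip | {1}})


if __name__ == "__main__":
    hybrid = build("any", 100)            # uplink also passes untagged: mixed traffic on the wire
    tagged = build("only tagged", 971)    # k6ccc's advice: tagged only, dummy PVID of 970 + port number
    print("hybrid, from port 5 ->", hybrid.forward(5, None)[1])    # None: leaves the uplink untagged
    print("tagged, from port 5 ->", tagged.forward(5, None)[1])    # 100: leaves the uplink tagged
    print("tagged, from port 18 ->", tagged.forward(18, None)[1])  # 200
    # the lockout: an untagged frame from the router is dropped at the tagged-only uplink
    print("tagged, router untagged ->", tagged.ingress(1, None))   # None
```

The hybrid variant reproduces the mixed capture seen on the router (VLAN 100 frames arrive untagged, VLAN 200 frames tagged); the tagged-only variant shows why a router still sending untagged frames on the parent interface locks you out until it tags VLAN 100 itself.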
 
severus
just joined
Topic Author
Posts: 11
Joined: Sun Oct 15, 2023 1:28 am
Location: UK

Re: SwOS help for a trunk port

Fri Oct 20, 2023 12:12 am

Sure, here is the system tab:

Image

I'll await your instruction before proceeding with the suggestions. With my thanks.
 
severus
just joined
Topic Author
Posts: 11
Joined: Sun Oct 15, 2023 1:28 am
Location: UK

Re: SwOS help for a trunk port

Sat Oct 21, 2023 11:34 pm

I have finished the setup and it is all OK now.
All traffic arrives tagged now via the trunk. I used the settings you advised me to use: strict and only tagged.
Changed the default VLAN ID to 100 for all access ports, including the trunk, that aren't part of VLAN 200 that I want to separate.
Disabled port isolation on both VLANs on the VLANs tab.
I have added VLAN 100 my default to "Allow from VLAN" in System tab. I had to reset the switch to know that was missing.
k6ccc and mkx - I wouldn't have done it without your help. The documentation for SwOS is extremely limited. You chaps have taken time using and gaining the experience of it and impart this knowledge to the community. For that, I thank you. Mikrotik are lucky to have you giving to this community.
Have a great day.
 
k6ccc
Forum Guru
Posts: 1500
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: SwOS help for a trunk port

Sun Oct 22, 2023 1:04 am

Glad you got it working. I have been using SwitchOS for years and every switch has VLAN trunks (between switches or between a router and a switch), and most also have hybrid ports for my managed WiFi access points that use untagged traffic for management and different VLANs for each WiFi SSID.

Any other questions feel free to ask.
