Advanced VLAN setup HAP AC RouterOS

Hello all

I have a nice litte HAP AC I want to use as my home switch, my internet router, my multi SSID WiFi and my firewall device (everything ;). I have my internal home LAN (VLAN 1 - 10.0.1.0/24), DMZ (VLAN 2 - 10.0.2.0/24), IoT LAN (VLAN 3 - 10.0.3.0/24), privat LAN (VLAN 4 - 10.0.4.0/24) and a guest LAN (VLAN 5 - 10.0.5.0/24). All VLAN should have DHCP and different VLAN should be allowed on multiple, but different, interface.

This is how I would like it to be in my HAP AC:

Eth1: Routed WAN interface (not included in this question - no VLAN)
Eth2: Vlan1 - Untagged Vlan 2, 3, 4, 5 Tagged
Eth3: Vlan1 - Untagged Vlan 3, 4, 5 Tagged
Eth4: Vlan2 - Untagged Vlan 4 Tagged
Eth5: Vlan1 - Untagged
SFP: Vlan 1, 2, 3, 4, 5 Tagged
USB LTE: Routed WAN backup interface (not includet in this question - no VLAN)

As you probably understand from my VLAN names, some of the VLAN should be able to route traffic between each other and some of the VLAN should absolutly not route traffic more then out over WAN (with very hard restriction, like NTP only

If someone could help me with some sort of example configuration, I would be very happy. Like a bunch of CLI lines for VLAN, Bridges and maybe also where I should add DHCP (bridge or vlan). Also, do I get any problem if I only add my firewall rules with src/dst IP-nets and leave the interfaces empty, or is it better to also add vlan (or bridge) interfaces to the rules?

BTW, I use the lates RouterOS and I have configured different vlan trunks on switches in the past, HP, Cisco and others. But sorry to say, I just cant figure this out in RouterOS

Many thanks for any help I can get.

Best Regards

• Per Håkansson

See the link in my signature. I also recommend you go with the RB4011, (the hAP ac² might work) so that you have enough CPU power to use the unit as a switch. It all depends on how much traffic goes from your PC to a local NAS or whatever.

Hi Per,
perhaps this will work for ether4???

/bridge ports (ingress behaviour)
add bridge=mybridge interface=eth4 pvid=2 admit-all-frames

/bridge interface vlans (egress behaviour)
add bridge=mybridge tagged=mybridge,eth2,sfp untagged=eth4 vlan-id=2
add bridge=mybridge tagged=mybridge,eth2,eth3,eth4,sfp vlan-id=4

Might be challenging for bridging. Further, your Tik might be a bit too short for the routing duties: it’s only a single core, but MT rates it at 950mbps with full frames so might just work.

But you’ll need to use switch vlan filtering functionality, not the one of bridge.
Examples are here https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#VLAN_Example_1_.28Trunk_and_Access_Ports.29

Also note SFP is not switched, but goes through cpu, so any load on SFP will “kill” cpu. Same goes for wifi. And lets not forget, total bw from sw → cpu is 1gb.

Following the example:

• add all eth2-5 ports to bridge
• e2-e4 are hybrid (access + trunk)
• e5 is access only
• sfp is trunk only
• adjust switch to your liking

SFP being part of bridge/vlans but not part of swtich will be problematic, I think. Is reducing number of ports an option?

As of 6.41+ this advice is irrelevant and dated. Please use the bridge with automatic hardware offload. If you read his link in depth you’ll see MikroTik suggest the same thing. The software in the device will toggle the hardware features on and off as needed or as is capable for your device. This was done to alleviate issues with the old switch chip system which let you configure features the hardware didn’t support and therefore didn’t work or work correctly like VLANs via switch chip on the Hex. Additionally it gave us a consistent model to configure VLANs on MikroTik devices.

So it would be better to do it this way?
Eth1: Vlan 1, 2, 3, 4, 5 Tagged
Eth2: Vlan1 - Untagged Vlan 2, 3, 4, 5 Tagged
Eth3: Vlan1 - Untagged Vlan 3, 4, 5 Tagged
Eth4: Vlan2 - Untagged Vlan 4 Tagged
Eth5: Vlan1 - Untagged
SFP: Routed WAN backup interface (not included in this question - no VLAN)
USB LTE: Routed WAN backup interface (not included in this question - no VLAN)

I understand that the HAP AC might have some limitation regarding packet switching in this setup. But its only my home network and my Internet link are only 100/10. Yes, I do have a NAS connected (Eth 5), but I’m not in hurry I rather like to have a ’clean’ setup. That’s why I like the HAP AC, it handles everything in a single box. It’s beautiful.

Thank you Pcunite for the ”Using RouterOS to VLAN”, I will read through it an then try to use it in my box. I will also try to follow your example Sabastia. Sooner or later I will probably understand VLANs also in RouterOS, it cant be impossible

Thank you all

• Pelle

The MikroTik wiki on hardware offload bridging is what you want. It is then possible to setup the ports how you want with the appropriate commands. Nothing special. Also, I agree in a home network it’s not a huge concern to hit the CPU for some tasks. You know the limitation it can cause and that’s all that matters. I used to use a Hex for VLANs and a lot more. Almost all of it was CPU bound but even on my geeky LAN it wasn’t a big enough bottleneck to cause significant concern either. The reason it was replaced was due to stagnant feature development around IPv6. Ubiquiti is not so they got my upgrade money.

I’m all for dialogue and interaction, but you’re just uninformed.

• “Please use the bridge with automatic hardware offload”, sure as long as no special features are used. vlan filtering is one of them. Once set/enabled, hardware offloading goes OUT THE WINDOW. Read it in the docs. But because I’m kind: look in the column of “Bridge vlan filtering” https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Hardware_Offloading
• “toggle the hardware features on and off as needed”: see above, once ONE such feature is activate no more HW offloading
• the adjustments you describe above is not a SINGLE action, it’s a process at Mikrotik, and they are still doing it under the hood. hardware is not used to its full potential yet when using bridge features. Only “legacy” switch interface allows full hardware use at this time. (except maybe for their flagship switch CRS3xx)

So in the future please FIRST do your homework, before making wrong statements.

Your last setup is better as it isolates vlans to switch chip only, and makes usage of switch based vlan implementation feasible, see the links given before. You would end up with full hardware offload support.

If performance is not your priority however, use wiki https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#VLAN_Example_.231_.28Trunk_and_Access_Ports.29 & pcunite extensive thread, for info on how to setup using the bridge. Know that once you enable “vlan-filtering=yes” ALL goes through cpu, and since you only have one…

Nope not misinformed just been doing the new switch config since they first released. I’m not going to ever suggest anyone to dig through docs to try and understand what chip is inside their device. MikroTik introduced the feature to simplify it and have said they intend to move forward with that model. The op doesn’t really care about hardware switching performance which is 100% moot for any layer 3 action anyways. It only matters for 2 PC’s on the same VLAN communicating over the wired ports on the same VLAN.

That said, yes MikroTik like with so many features, cough IPv6, have done about 80% of the feature work. Until they have fully migrated the automated toggling over for all the hardware we’re going to have these discussions. It’s one of many reasons every purchasing decision I’ve made in the last two years has went to another company. At least others like Ubiquiti have demonstrated they can respond to customer needs in a timely and complete fashion. Instead of getting distracted with stuff like kid control and LTE modem support for two years.