Cannot do untagged VLAN in interface port with the RB750G r3 using the switch chip

I had this router using the new bridge vlan configuration found in 6.41, but I was losing the hardware acceleration so I decided to do the Switch conf. Here is what I have,

/interface bridge
add comment="VLANs bridge" name=br-switch vlan-filtering=no protocol-mode=none

/interface ethernet
set [ find default-name=ether1 ] comment="MainRouter Trunk - VLAN20, 99"
set [ find default-name=ether2 ] comment="Trunk - VLAN20, 99"
set [ find default-name=ether3 ] comment="Trunk - VLAN20, 99"
set [ find default-name=ether4 ] comment="Trunk - VLAN20, 99"
set [ find default-name=ether5 ] comment="Management - VLAN99"

/interface vlan
add interface=br-switch name=VLAN20 comment=Houses vlan-id=20
add interface=br-switch name=VLAN99 comment=Management vlan-id=99

/interface bridge port
add bridge=br-switch interface=ether1 hw=yes 
add bridge=br-switch interface=ether2 hw=yes
add bridge=br-switch interface=ether3 hw=yes
add bridge=br-switch interface=ether4 hw=yes
add bridge=br-switch interface=ether5 hw=yes

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=VLAN99

Now, in the normal switch configuration, one would do the following,

/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=add-if-missing
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=20
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=20
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=20
set ether5 vlan-mode=secure vlan-header=always-strip default-vlan-id=99
set switch1-cpu vlan-mode=secure vlan-header=leave-as-is

But since this is a Gigabyte switch, one cannot set the “vlan-header” and I have to do the following,

/interface ethernet switch port
set ether1 vlan-mode=secure
set ether2 vlan-mode=secure
set ether3 vlan-mode=secure
set ether4 vlan-mode=secure
set ether5 vlan-mode=secure default-vlan-id=99
set switch1-cpu vlan-mode=secure

The problem is that now the trunks are working well, but not the ether5 interface. Since Mikrotik is kind of a mess when trying to figure out VLANs and the switch chip, I even tried adding the bridge vlan configuration in case that was the thing missing,

/interface bridge vlan
add bridge=br-switch tagged=br-switch,ether1,ether2,ether3,ether4 vlan-ids=20
add bridge=br-switch tagged=br-switch,ether1,ether2,ether3,ether4 untagged=ether5 vlan-ids=99

But nothing gives me access to the VLAN99 in ether5. Has someone managed to get this working?

The key here is the datasheet of the switch chip. I don’t own RB750Gr3 myself so I haven’t looked for it, but I do own some hAP ac lite so I’ve had a look at the AR8227 used there and it can use the pvid to tag tagless packets on ingress, but on egress, you can choose to keep tags untouched, untag everything, or tag everything, but you cannot selectively untag by one particular vlan ID. So you cannot create a hybrid port which is an access one for a single VLAN and a trunk one for any number of other VLANs.

According to another topic it appears that MT7621 is not VLAN-aware at all, so it is physically impossible to have hardware switching and tagging/untagging on a single port at the same time, leaving aside different VLAN topologies.

hAP ac² also supports hardware encryption but its AR8327 is much more VLAN-friendly.

If you don’t intend to use the new bridge implementation, try RouterOS 6.40.8.

They should have a wiki for every one of the routers/switches that Mikrotik offers with examples. You are right about MT7621 not being VLAN-aware. I wonder if that is something they will fix sometime in the future. For now, the router is working well. I am thinking that I may be able to accomplish what I want by having a Hybrid trunk as the main trunk configured in the router upstream so that when I connect to the ether5, I get the tagger port. It will be more for curiosity’s sake since the VLAN I want is my management VLAN and I wouldn’t want someone to just connect to this VLAN by connecting to an open port somewhere.

Again, thank you!

I would think that the problem would persist since as mentioned above, it has something to do with the actual chip used here. For now I will leave it as it is.

Yes, AR8327 is best.

Supports independent learning on each VLAN.