I am new to MikroTik and currently starting with a hAP ac² (Atheros8327 switch chip).
What I want to do is create some VLANs in RouterOS but I am absolutely lost with all the different ways of configuring them.
A lot of examples create one Bridge per VLAN. However, what I understood so far is that this should be avoided on simple routers because they can only handle a single bridge via hardware offloading.
I also found the way about configuring VLANs in the “Switch” menu of RouterOS. One tutorial I have seen tells that this is an old way of configuring it and it shall not be used anymore. However, on https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching#BasicVLANswitching-Otherdeviceswithabuilt-inswitchchip exactly this is done.
Is MikroTik only going the “Switch menu” way in this example because only a Switch and not a Router shall be configured in the example?
As you can see, I am really confused.
Shall I configure the VLANs via the Switch menu in my hAP ac² or will using a single Bridge with hardware offloading activated reach the same performance on the hAP ac²?
What is the difference between using the Switch menu and using the configuration directly on a Bridge?
Is the Switch menu only a simplified configuration option for the case that only switching (without routing) is the use-case and for more complex scenarios (with routing) a bridge with HW-Offloading shall be used? But if so, what is the difference of using the Switch menu and binding this switch to the CPU port for additional routing capability?
If important: My device currently runs under the latest version of RouterOS 6. (Would there be any benefit or drawback with an upgrade to RouterOS 7?)
IMO you know more already than you’re giving yourself credit. Sharing your privacy redacted exported configuration can help us better help you.
I favor “Inter-VLAN routing” path (single bridge with hardware offload option) as it has options for CPU process like fancy routing or firewall rules.
Some value devices can’t route (Layer 3) at wire speed and use cases where firewall is unwanted will benefit from a switch level (Layer 2) solution.
The full answer to your questions is that it depends upon your exact requirements and the compromises that must be made to fulfill them.
The links Jotne provided are very good material. Be careful, it might take you more than one read to understand how it should be working.
Also, examples in that first link were made with ROS6 as base (Wifiwave 2 wasn’t even there yet for ROS), things can be slightly different in ROS7 (which does not mean the concept changed, just some commands or settings).
For what I need, especially that first reference helped me a lot.
But you have to apply patience and a bit of a flexible mind when something doesn’t work from the first attempt.
I have only a hEX S (RB760iGS based on MT7621 SoC with CPU and switch ASIC) so I use v7 and the vlan-filtering bridge.
For the hAP ac² with the Atheros8327, I don't think there is currently hardware support for vlan-filtering bridge, even in v7. So if you want the best performance (why not?) then using the config in the first link you posted (which uses bridge, but then configures vlans using the switch chip) is the way to go. Note that the main difference between the two links you posted, is that in the first the CPU is "connected" to both vlans on the switch chip, where in the second the device is configured only as a switch, and there is only a single vlan "connected to the switch".
From first link: Note both vlan 10 and 20 are "connected" to the vlan interfaces in the CPU. This allows the CPU to route between vlans the switch-ports are connected to.
Add each port to the VLAN table and allow these ports to access the CPU in order to make DHCP and routing work:
Where in the second link: Note only a single vlan interface is created (MGMT) and that is the only vlan with a "connection" to the CPU's vlan interface.
/interface ethernet switch vlan
add ports=ether1,ether2 switch=switch1 vlan-id=20
add ports=ether1,ether3 switch=switch1 vlan-id=30
add ports=ether1,switch1-cpu switch=switch1 vlan-id=99
/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT
Be aware that if you only have one [bridge/switch]-port in each configured vlan, then the traffic between the ports will need to be routed. And if the traffic is routed, then it is going through the CPU anyway, so whether the vlans are hw offloaded or not isn’t going to make a measurable difference in performance.
But if you have multiple ports that are in the same vlan, then it doesn’t need to be routed, and you will see a difference in performance if it is switched by the switch ASIC vs being “bridged in software” by the CPU.
I know of no downside to configuring it so the switch chip is handling the vlan operations even when the CPU is involved, other than the configuration complexity. The “advantage” of using the vlan-filtering bridge is that it is the new “standard” way to do things, and if you then move the config to another device there will be fewer changes. But on the hAP ac², if you use the vlan-filtering bridge setup, the “switch like” behavior will all be done in software on the CPU, and it will not be as fast (and will use more CPU if you have multiple ports in the same vlan).
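
Added example, not part of the original posts or of MikroTik's documentation: a small audit of a switch-chip VLAN table that reports which VLANs include the switch1-cpu port (and so can reach the router's CPU for routing, DHCP and management) and which VLANs have two or more physical ports that the switch chip can forward between itself. SWITCH_ONLY repeats the table quoted in the thread; ROUTED, its port layout and the function names are constructed for illustration.

```python
import re

CPU_PORT = "switch1-cpu"
SECTION = "/interface ethernet switch vlan"

# The switch VLAN table quoted in the thread: only VLAN 99 reaches the CPU.
SWITCH_ONLY = """\
/interface ethernet switch vlan
add ports=ether1,ether2 switch=switch1 vlan-id=20
add ports=ether1,ether3 switch=switch1 vlan-id=30
add ports=ether1,switch1-cpu switch=switch1 vlan-id=99
"""

# Constructed routed variant (assumption): the CPU port is in both user VLANs.
ROUTED = """\
/interface ethernet switch vlan
add ports=ether2,ether4,switch1-cpu switch=switch1 vlan-id=10
add ports=ether3,switch1-cpu switch=switch1 vlan-id=20
"""

def parse_switch_vlans(export):
    """Return {vlan_id: set(ports)} from the switch vlan section of an export.
    Handles simple key=value lines only (no quoted values or line continuations)."""
    table, in_section = {}, False
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = (line == SECTION)
            continue
        if not in_section or not line.startswith("add "):
            continue
        props = dict(re.findall(r"([\w-]+)=(\S+)", line))
        if "vlan-id" in props and "ports" in props:
            vid = int(props["vlan-id"])
            table.setdefault(vid, set()).update(props["ports"].split(","))
    return table

def audit(export):
    """Per VLAN: CPU membership, physical ports, and whether port-to-port
    forwarding inside the VLAN can stay on the switch chip."""
    report = {}
    for vid, ports in sorted(parse_switch_vlans(export).items()):
        phys = sorted(ports - {CPU_PORT})
        report[vid] = {"cpu": CPU_PORT in ports, "ports": phys,
                       "hw_switched": len(phys) >= 2}
    return report

def cpu_vlans(export):
    """VLAN IDs whose traffic can reach the router CPU."""
    return [vid for vid, row in audit(export).items() if row["cpu"]]
```

A VLAN that shows up in cpu_vlans() is one whose hosts can reach the router's own services, so those VLANs are the ones that need firewall rules on the CPU side.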