In short, I think RTL8367 should get proper support for (at least) VLANs like the other switch chips present in RB2011 or RB3011.
RTL8367 is a switch chip included in both RB4011 and RB1100AHx4 at the time of writing. While the default answer on the forum for VLANs on RB4011, usually “just use CPU”, is feasible, it comes up short at times. Sure, RB4011 is capable of doing bidirectional 1Gb/s with ease using 2-4% of its CPU, but there’s a bigger issue at play here:
(diagram for RB4011, same applies to RB1100AHx4)
The link between CPU and each of the two RTLs is just 2.5Gb/s. Each of the ports is capable of doing 2x1Gb/s (=10Gb/s). This is a pretty large disconnect - having a proper VLAN support on the switch chip would be nice. While the chip seems to support up to 32 VLANs in hardware the functionality is not exposed in ROS.
Can this feature be added to v7? Maybe someone from MT can at least explain why it was omitted? (I saw speculations that ROS uses VLANs internally to get separate ports on RTL but AFAIK these were just speculations)
Most likely the switch chip vlan layer is used inside ROS to provide individual (non-switched) ports functionality.
And as the switch chip can’t do vlan stacking, there is simply no additional vlan layer left.
If you plan to push a lot of L2 traffic within VLANs, then the RB4011 is simply a bad choice since it’s designed to be a router. I think you should consider buying a switch instead; that is the correct device for the job.
RTL8367 is a very basic switch chip. But sure, they could have chosen to present it as two individual switches with a maximum number of 32 active VLANs (and routeros would only show three physical interfaces) but I think people would complain on that as well.
I was planning on buying an RB4011 as a combined switch/router, and one of the reasons to move away from consumer stuff was to venture into VLAN configurations where all my IoT stuff is separate and not connected to the internet, etc. ALL traffic will be on one or multiple VLANs.
Am I to understand I should not be getting the RB4011 for this?
RB4011 is completely fine for vlans as long as you don’t need to do vlan filtering in hardware.
You can either do vlan filtering in software on the CPU with all the features (but increased cpu usage), or get hardware switching by disabling RSTP and vlan filtering on a switch group and move all vlan filtering to separate hardware switches between the RB4011 and your devices. You could even use some mixed setup by dedicating one switch chip for one of your network with lots of vlan-internal traffic and configuring all the other networks as vlans on a separate bridge over the rest of the ports with filtering done in software.
Of course, hardware vlan filtering on this device would be great, but this limitation can be worked around in a lot of cases. It really depends on your network design and requirements if this is feasible.
Theoretically it should be possible to implement hw vlan filtering in cases when a bridge contains all the physical ports of one switch chip.
If you are planning to push a lot of L2 traffic within VLANs (as in heavy file transfers, heavy video streams etc.) then RB4011 might be a bad choice, yes. One workaround is to use one of the switch-groups as a “one vlan only”-group, then you can use the first group with vlan separation for less heavy workloads.
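The mixed setup described in the two replies above (one switch group with VLAN filtering done in software on the CPU, the other switch group left as a flat, hardware-switched “one vlan only” segment) written out as a RouterOS configuration. This is an added example, not a config posted in the thread or shipped by MikroTik. It assumes the RB4011 port grouping of ether1-ether5 on one RTL8367 and ether6-ether10 on the other, ether1 as the WAN port, and the VLAN IDs, bridge names and addresses are chosen for illustration only.

```routeros
# Added example, not from the thread. Assumed RB4011 port grouping:
# ether1-ether5 on the first RTL8367, ether6-ether10 on the second.
# ether1 is used as a standalone (non-switched) WAN port here.

# --- Group A: ether2-ether5, VLAN filtering done in software on the CPU ---
# Keep vlan-filtering off while the VLAN table is being built, so a
# half-finished table cannot lock you out of the management VLAN.
/interface bridge
add name=bridge-vlan vlan-filtering=no protocol-mode=rstp

/interface bridge port
# pvid = untagged VLAN a device plugged into that port lands in
add bridge=bridge-vlan interface=ether2 pvid=10
add bridge=bridge-vlan interface=ether3 pvid=10
add bridge=bridge-vlan interface=ether4 pvid=20
# ether5 is a trunk carrying both VLANs tagged to a downstream managed switch
add bridge=bridge-vlan interface=ether5

/interface bridge vlan
# VLAN 10: the normal LAN.  VLAN 20: IoT devices that must stay isolated.
add bridge=bridge-vlan vlan-ids=10 tagged=bridge-vlan,ether5 untagged=ether2,ether3
add bridge=bridge-vlan vlan-ids=20 tagged=bridge-vlan,ether5 untagged=ether4

# L3 interfaces for inter-VLAN routing sit on the bridge itself
/interface vlan
add name=vlan10-lan interface=bridge-vlan vlan-id=10
add name=vlan20-iot interface=bridge-vlan vlan-id=20
/ip address
add address=192.168.10.1/24 interface=vlan10-lan
add address=192.168.20.1/24 interface=vlan20-iot

# IoT VLAN gets no path to the Internet and no path into the LAN
/ip firewall filter
add chain=forward in-interface=vlan20-iot out-interface=ether1 action=drop \
    comment="IoT: no Internet"
add chain=forward in-interface=vlan20-iot out-interface=vlan10-lan action=drop \
    comment="IoT: no access to LAN"

# Enable filtering last, once the VLAN table above is complete.
# On this bridge the filtering (and therefore the forwarding between ports)
# is done by the CPU, as the thread describes for RTL8367.
/interface bridge set bridge-vlan vlan-filtering=yes

# --- Group B: ether6-ether10, one flat network, switched in hardware ---
# No vlan-filtering and no (R)STP on this bridge, so the switch chip can
# forward between these ports without the 2.5Gb/s CPU link being involved.
/interface bridge
add name=bridge-flat vlan-filtering=no protocol-mode=none
/interface bridge port
add bridge=bridge-flat interface=ether6
add bridge=bridge-flat interface=ether7
add bridge=bridge-flat interface=ether8
add bridge=bridge-flat interface=ether9
add bridge=bridge-flat interface=ether10
/ip address
add address=192.168.30.1/24 interface=bridge-flat
```

To confirm which bridge ports are actually being switched in hardware, run `/interface bridge port print` and look for the `H` (hw-offload) flag in front of each port entry; ports of the flat bridge should carry it, while the ports of the VLAN-filtered bridge are the ones the CPU handles. `/interface bridge vlan print` shows the resulting VLAN table, including the dynamically added entries for the bridge’s own VLAN interfaces.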