hAP AC VLAN Trunk with SFP

Hello!
I am trying to configure a hAP AC with VLAN support, but my setup does not work. Unfortunately the client on eth3 cannot reach the DHCP server via the SFP port.
SFP = trunk connection
eth3 = access port with vlan-id 401

VLAN-ID 100 = Management

Does anybody see what's the problem here?

Thank you!

[admin@hAP] > export
# oct/28/2020 19:19:23 by RouterOS 6.46.1
# software id = RCKC-HI24
#
# model = RB962UiGS-5HacT2HnT
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full auto-negotiation=no rx-flow-control=on tx-flow-control=on
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=bridge1 name=100-mgmt vlan-id=100
add interface=bridge1 name=401-public vlan-id=401
/interface ethernet switch port
set 0 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=401 vlan-header=always-strip vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3 pvid=401
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=ether1
/interface bridge vlan
add bridge=bridge1 tagged=ether4,ether5,bridge1,sfp1 untagged=ether3 vlan-ids=401
add bridge=bridge1 tagged=bridge1,ether4,ether5,sfp1 untagged=ether1 vlan-ids=100
/interface ethernet switch vlan
add independent-learning=no ports=ether3,ether4,ether5,ether2,ether1 switch=switch1 vlan-id=401
add independent-learning=no ports=ether1,ether5,ether2,ether4 switch=switch1 vlan-id=100
/interface wireless cap
# 
set bridge=bridge1 caps-man-addresses=192.168.100.1 certificate=request discovery-interfaces=100-mgmt enabled=yes interfaces=wlan1,wlan2 lock-to-caps-man=yes
/ip address
add address=192.168.100.51/24 interface=100-mgmt network=192.168.100.0
/ip dns
set servers=192.168.100.1
/ip route
add distance=1 gateway=192.168.100.1

Hello!
Finally I found the problem. VLAN-Filtering was disabled on the bridge.
However, at the moment only 8 Mbit download and 20 Mbit upload are possible when connected on eth3.
With wireless we get at least 25 Mbit down.
Are there any other performance-related settings?
Thank you very much!


/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full \
    auto-negotiation=no rx-flow-control=on tx-flow-control=on
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=bridge1 name=100-mgmt vlan-id=100
add interface=bridge1 name=401-public vlan-id=401
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether3 pvid=401
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether4,ether5,sfp1 untagged=ether1 vlan-ids=\
    100
add bridge=bridge1 tagged=ether5,ether4,sfp1,bridge1 untagged=ether3 vlan-ids=\
    401
/interface wireless cap
# 
set bridge=bridge1 caps-man-addresses=192.168.100.1 certificate=request \
    discovery-interfaces=100-mgmt enabled=yes interfaces=wlan1,wlan2 \
    lock-to-caps-man=yes
/ip address
add address=192.168.100.51/24 interface=100-mgmt network=192.168.100.0
/ip dns
set servers=192.168.100.1
/ip route
add distance=1 gateway=192.168.100.1

You are mixing two configuration possibilities together: bridge vlan filtering (which is done in software on this device) and switch vlan filtering (which is done on the switch chip).
No good can come out of it.

You need to choose one depending on what better suits your needs:

  1. Bridge vlan-filtering: ease of configuration, but degraded performance and higher CPU load.
  2. Switch vlan-filtering: a little more difficult, but near wire-speed between hosts in the same vlan on physical ports, and with no impact on the CPU.

Keep in mind that traffic to/from wireless, between different vlans, or WAN ↔ LAN will be processed by CPU anyway.

Someone here has reported issues with VLAN filtering on the switch chip on 6.46.something. If you have hw=yes on all the /interface bridge port rows (which is the default, so if the hw field is not in the export, it is set to yes) and you still need vlan-filtering=yes on the bridge in order for it to work, the direct forwarding between ports of the switch chip doesn’t work. If it worked, the frames would not get to the CPU to be tagged/untagged and forwarded there.
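The two problems the thread turns on, a bridge vlan table that does nothing because vlan-filtering is off (found in the second post) and bridge-vlan and switch-chip-vlan configuration mixed on one device (pointed out in the reply above), can both be caught by reading the `/export` text before it goes live. The following Python linter is an added example, not code from the thread or from MikroTik. It assumes only documented RouterOS behaviour: a bridge port's pvid defaults to 1 when not exported, and the `/interface bridge vlan` table has no effect until `vlan-filtering=yes` is set. The sample export inside it is constructed from the relevant sections of the first post; the "clean" variant is constructed to show a consistent bridge-only configuration. It also adds a third check the thread only implies: a port listed as untagged in a VLAN whose pvid points somewhere else, which makes ingress and egress disagree.

```python
"""Lint a RouterOS export for bridge / switch-chip VLAN inconsistencies.

Added example (not from the thread). Reads `/export` text and reports:
  - a bridge vlan table on a bridge whose vlan-filtering is not enabled,
  - an untagged member whose pvid is not inside that VLAN,
  - bridge vlan table and switch-chip vlan table configured together.
"""
import re
from collections import defaultdict

# Constructed sample: relevant sections of the first export in the thread,
# including a '\'-continued line as RouterOS prints it.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge1
/interface ethernet switch port
set 2 default-vlan-id=401 vlan-header=always-strip vlan-mode=secure
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3 pvid=401
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=ether1
/interface bridge vlan
add bridge=bridge1 tagged=ether4,ether5,bridge1,sfp1 untagged=ether3 vlan-ids=401
add bridge=bridge1 tagged=bridge1,ether4,ether5,sfp1 untagged=ether1 vlan-ids=\\
    100
/interface ethernet switch vlan
add independent-learning=no ports=ether3,ether4,ether5,ether2,ether1 switch=switch1 vlan-id=401
"""

# Constructed "clean" variant: bridge filtering only, pvid matching membership.
CLEAN_EXPORT = """\
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=100
add bridge=bridge1 interface=ether3 pvid=401
add bridge=bridge1 interface=sfp1
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp1 untagged=ether1 vlan-ids=100
add bridge=bridge1 tagged=bridge1,sfp1 untagged=ether3 vlan-ids=401
"""


def parse_export(text):
    """Return {menu path: [row, ...]}; each row maps key -> value plus '_verb'."""
    text = re.sub(r"\\\n\s*", "", text)           # join '\'-continued lines
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):       # blank line or comment
            continue
        if line.startswith("/"):                   # menu path, e.g. /interface bridge
            current = line
            continue
        verb, _, rest = line.partition(" ")
        if verb not in ("add", "set") or current is None:
            continue
        rest = re.sub(r"\[.*?\]\s*", "", rest)      # drop 'set [ find ... ]' selectors
        row = {"_verb": verb}
        for key, value in re.findall(r'(\S+?)=("[^"]*"|\S+)', rest):
            row[key] = value.strip('"')
        sections[current].append(row)
    return dict(sections)


def expand_ids(spec):
    """'100,200-202' -> {100, 200, 201, 202}."""
    ids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def lint(export_text):
    """Return a list of (code, detail) findings; an empty list means consistent."""
    cfg = parse_export(export_text)
    findings = []
    bridges = {r["name"]: r for r in cfg.get("/interface bridge", []) if "name" in r}
    members = {r["interface"]: r for r in cfg.get("/interface bridge port", []) if "interface" in r}
    bridge_vlans = cfg.get("/interface bridge vlan", [])

    # 1. A bridge vlan table only takes effect once vlan-filtering=yes is set.
    for name, row in bridges.items():
        if any(v.get("bridge") == name for v in bridge_vlans) and row.get("vlan-filtering", "no") != "yes":
            findings.append(("no-vlan-filtering", name))

    # 2. An untagged member should carry its pvid inside that VLAN; otherwise
    #    untagged ingress frames land in a different VLAN than egress implies.
    #    RouterOS assumes pvid=1 when the field is absent from the export.
    for v in bridge_vlans:
        ids = expand_ids(v.get("vlan-ids", ""))
        for port in filter(None, v.get("untagged", "").split(",")):
            if port in bridges:                    # the bridge itself has no pvid
                continue
            if port not in members:
                findings.append(("not-a-bridge-port", port))
                continue
            pvid = int(members[port].get("pvid", "1"))
            if pvid not in ids:
                findings.append(("pvid-mismatch", f"{port} pvid={pvid} untagged in {v.get('vlan-ids')}"))

    # 3. Bridge vlan filtering and switch-chip vlan filtering configured together.
    if bridge_vlans and cfg.get("/interface ethernet switch vlan"):
        findings.append(("mixed-vlan-filtering", "bridge vlan table and switch vlan table both populated"))
    return findings


if __name__ == "__main__":
    for code, detail in lint(SAMPLE_EXPORT) or [("ok", "no findings")]:
        print(f"{code}: {detail}")
```

Run against the constructed sample it reports the missing vlan-filtering, the mixed configuration, and that ether1 is untagged in VLAN 100 while its pvid is still 1; the clean variant produces no findings. The parser only understands `add`/`set` rows with `key=value` pairs, which is all an `/export` of these menus contains.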

Hello!

Thank you for your fast answer. Unfortunately the SFP port is not available in switch config mode.

So you don’t think it is possible to use a near-wirespeed config with an SFP port?

Thank you!

Oh yes, you’re right:

Thank you!
Do you have an idea why wire-performance is so bad compared to wireless performance?

You are right.
No, it’s not possible for SFP ↔ other ports.
But it should be possible to maintain wirespeed between the other ports.
I guess that’s the same situation as with wireless interfaces: as they are available only via the CPU, you need to send tagged traffic to switch1-cpu in the switch menu, and then it can be sent out tagged from the SFP port.
The only difference is that the wireless interface has some vlan settings and is capable of tagging/untagging frames on its own, while the SFP interface can’t.
So it’s not clear what to do if, for example, you need frames to be untagged when leaving the SFP port.
Or if not all the vlans available on the CPU should be forwarded to the SFP port (probably a bridge filter should be used).