Is this only cosmetic bug in Winbox?
in terminal I can see HW ofload active but Winbox shows off.
If I disable VLAN filtering I can see HW offload in Winbox.

Here is the Brige config. It is working.. But I havent tested performace yet…

/interface bridge
add ageing-time=5m arp=enabled arp-timeout=auto auto-mac=yes disabled=no fast-forward=yes forward-delay=15s igmp-snooping=no \
    max-message-age=20s mtu=auto name=bridge-local priority=0x8000 protocol-mode=rstp pvid=1 transmit-hold-count=6 vlan-filtering=\
    yes
/interface bridge port
add auto-isolate=no bridge=bridge-local broadcast-flood=yes disabled=no edge=auto frame-types=admit-all horizon=none hw=yes \
    ingress-filtering=no interface=ether1 internal-path-cost=10 learn=auto path-cost=10 point-to-point=auto priority=0x80 pvid=1 \
    restricted-role=no restricted-tcn=no unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bridge=bridge-local broadcast-flood=yes disabled=no edge=auto frame-types=\
    admit-only-untagged-and-priority-tagged horizon=none hw=yes ingress-filtering=no interface=ether2 internal-path-cost=10 learn=\
    auto path-cost=10 point-to-point=auto priority=0x80 pvid=15 restricted-role=no restricted-tcn=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bridge=bridge-local broadcast-flood=yes disabled=no edge=auto frame-types=\
    admit-only-untagged-and-priority-tagged horizon=none hw=yes ingress-filtering=no interface=ether3 internal-path-cost=10 learn=\
    auto path-cost=10 point-to-point=auto priority=0x80 pvid=20 restricted-role=no restricted-tcn=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bridge=bridge-local broadcast-flood=yes disabled=no edge=auto frame-types=\
    admit-only-untagged-and-priority-tagged horizon=none hw=yes ingress-filtering=no interface=ether4 internal-path-cost=10 learn=\
    auto path-cost=10 point-to-point=auto priority=0x80 pvid=21 restricted-role=no restricted-tcn=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/interface bridge vlan
add bridge=bridge-local disabled=no tagged=ether1,bridge-local untagged=ether2 vlan-ids=15
add bridge=bridge-local disabled=no tagged=ether1,bridge-local untagged=ether3 vlan-ids=20
add bridge=bridge-local disabled=no tagged=ether1,bridge-local untagged=ether4 vlan-ids=21

The CLI is showing the same as Winbox, what you circled in CLI just means the HW setting has been enable, does not mean it is active. To see in CLI if it is active, then look on far left side, there will be a “H” flag indicating it is active, in the screenshot you sow there are no “H” flags, so not active.

HW Offloading is currently only available in CRS3 series with VLAN Filtering=yes

to do vlan without loosing HW acceleration of bridging (aka switching) you have to do vlans on switch menu

There is no switch menu Winbox in 6.42.4

In CLI i can see it..

NAME TYPE MIRROR-SOURCE MIRROR-TARGET SWITCH-ALL-PORTS

0 switch1 Atheros-8327 none none


Will try later to set it via CLI and test. And yes the speed is terrible 5MB/s the gateway is HEXGr3 and gets 33% CPU load… but in anyway this is terrible even for software..
I must check speed between ports of hAPAC2 to see if the problem is on HEX or hAPAC2..
Will post results later

The hAP ac² dose have a switch chip (Atheros 8327) with vlan switching support and is supported in routeros. The RB750Gr3 have also a switch chip (MT7621) with vlan switching support but is on yet implemented in routeros. So on the RB750Gr3 you only can use software switch if you need vlans. See the Wiki page.

Sadly I know that.. I have configured the swicth chip via CLI and is working.

/interface ethernet switch port
set 0 default-vlan-id=0 vlan-header=add-if-missing vlan-mode=secure
set 1 default-vlan-id=15 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=21 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=15
add independent-learning=yes ports=ether1,ether3 switch=switch1 vlan-id=20
add independent-learning=yes ports=ether1,ether4 switch=switch1 vlan-id=21

vlan15 has switch-cpu so I can manage it from ROS.
But sadly this almost the same as old config minus master-slave. Instead we use bridge port for all interfaces now
Thats progress! Pun intended…

So to sum it up:

1. Switch Menu in Winbox is missing (hAP AC2 - 6.42.4).. Would be nice if someone else can confirm.
2. Configuring it via CLI works and HW offload is working
3. New Bridge implementation is incomplete (at best) as documented in Wiki.

@Mikrotik: It would be nice to see something you finish when you start..Lots of things are unfinished (new Bridge implementation but you pushed it out on current channel), semi working (Usermanager without native IKEv2 EAP support for users, different switchchips with different config options or lack thereof HEXGr3) or working with limitations (Again IKEv2 split-tunnel jumps to mind ) .
As customers, resellers and implementators we are strugling while you iron out errors. Many times it was asked to stop new stuff and bugfix existing features.
And I know Bugfix is the old bridge implementation considered safe and so on.. But thats just an excuse…

Current channel is beta only. If you don’t like to participate in beta testing programme, stay in bugfix channel.

Both confirmed.

As someone who just got a hAP ac² as his first RouterOS device, I did a lot of RTFM in the Wiki and – assuming I’m not completely misguided – there seems to be a lot of inconsistencies and unanswered questions regarding VLAN handling documentation:

• https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Bridge_Hardware_Offloading tells me, that HW offload will be disabled as soon as I use bridge VLAN filtering on Atheros-8327 devices. However, it seems to be possible to get the same result by configuring the Atheros-8327 chip via /interface ethernet switch with vlan-mode=secure while keeping hw switching between physical ports. I dont get, why this chip features cannot be used to implement transparent HW offload for bridges with vlan-filtering=yes where possible and completely get rid of the manual switch chip config?
• https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Setup_Examples uses vlan-header=always-strip and vlan-header=add-if-missing in some examples for plain access- or trunk-ports but leaves it out in others, without explaining if and why this explicit settings should be necessary with vlan-mode=secure.
• https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Untagged talks about the necessity of adding a trunk-port to the same vlan but doesn’t tell you why this should be required. Is this some workaround for a hardware bug?
• https://wiki.mikrotik.com/wiki/Manual:Switch_Router doesn’t even mention bridge vlan-filtering (apart from redirecting CRS users) and assumes everyone will want to use HW offload, but the example configuration doesn’t even benefit from HW accelerated L2 switching as there is only one physical interface in each VLAN.
• In contrast, https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless recommends bridge vlan-filtering and fails to mention the lack of HW offload if you decide to put additional physical interfaces into the same VLANs.
• https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless#Example_with_simple_bridge_and_wireless_vlan-mode stacks a VLAN interface on top of a wireless interface which is already configured with vlan-id=111 vlan-mode=use-tag before bridging it. This seems at least unnecessary if not entirely wrong, as the wireless interface should already take care of setting/stripping and evaluating the tag, according to https://wiki.mikrotik.com/wiki/Manual:Interface/Wireless#VLAN_tagging.

Implementing different vlan-separated wifi networks with while keeping hw switching on the ethernet ports in the same vlans, although a simple task, turned out to be quite challenging, as the documentation basically forced me to draw my own conclusions and assumptions upon device- and software-behaviour after reading a lot of manual-pages and examples. Even after reading all this stuff it’s hard to tell if I figured out a good solution.

My hAP ac² came preloaded with 6.41.3; am I really expected to downgrade to 6.40.8 if I wish to run non-beta software?
I was under the impression, that “current” means stable, “bugfix only” is something like LTS and the beta stuff can be found in “development”/“release candidate”.

huntah - can you please elaborate what is missing in the new bridge implementation and what should be added to the wiki page?

whatever -

1. Bridge VLAN filtering is not so easy to implement on these switch chips.
2. Which examples are missing vlan-header values? If you are talking about the hybrid port setup, then by default it is set to “leave-as-is” and should be set to such value, there is also an explanation written already in the wiki, but I still updated this exact entry to contain this value either way.
3. I edited the warning, it was meant to point out that if you want to forward a VLAN and you want to access the device through an access port, then you are forced to add the access port, the CPU port and the trunk port in a single VLAN table entry, this unintentionally gives access to the CPU from the trunk port as well.
4. Noted, I added a clarification when trying achieve this type of setup when a device does not have a built-in switch chip.
5. Noted, warning is now added.
6. In that example it was required create those interfaces in order to achieve the VLAN filtering from ether2 side since other VLANs can be received on that interface.

Your setup is a bit tricky since you require VLAN filtering and hardware offloading. You could do this by using a bridge without VLAN filtering and by using bridge firewall rules on ports that cannot be hardware offloaded, you can use both “in-interface” and “out-interface” parameters in conjunction with “vlan-id” parameter to achieve VLAN filtering. VLAN tagging and untagging for Ethernet ports can be done in /interface ethernet switch, tagging/untagging for WLAN interfaces is not going to be possible, though “use-tag” parameter does that instead.

whatever, indeed, mikrotik should ship devices preloaded by bugfix only and let only the brave admins to change the channel or install whatever else.

i agree

try this guide to make vlans

http://forum.mikrotik.com/t/vlan-using-integrated-switch-chip-routeros/106952/1

Wow, thank you for the extensive reply and sorry for my late response.

ok, noted.

Yeah, I was referring to the hybrid example where the trunk is leave-as-is. After re-reading I realize that the requirement to set anything else is apparently limited to certain switch chips and shouldn’t concern the hap ac2.

I get why the vlan interfaces on ether2 are required, but why shouldn’t I add wlan1 and wlan2 directly to the same bridge if they are already configured with use-tag?

Thank you for the suggestion, I ended up with a non-filtering bride and tried to make sure that all traffic entering the bridge will always be tagged properly (via vlan interface for gateways, use-tag on wifi and secure mode on cpu-switch port). Appears to be working fine so far.