Without the vlan-mode=secure option on switch1-cpu, the WinBox connection through ether5 is OK, but with that option enabled I can connect to ROS only through ether2 (untagged) or other ports that are not in the bridge.
Thanks for your suggested hint. Maybe I can use VLAN 1 as VLAN 100 internally in ROS, using an access port untagged with a corresponding access port untagged for VLAN 1 on our switch; this may be a better solution.
For the meanwhile, we are using a sub-optimal solution:
Unfortunately, this week I will have to solve other issues, so I suppose I will have to review this topic in the next weeks.
Two questions: what do you think about the configuration just attached? Is there some documentation with a well-explained and deep explanation of the effects of adding a VLAN interface on top of another interface (such as adding a VLAN on a bridge)?
Your last configuration is against all good ROS practices … to put it mildly. Transfers between ports ether2 and ether5 (both are members of the same untagged (V)LAN) won’t be HW offloaded, and that’s exactly why you’re trying to configure stuff using /interface ethernet switch vlan and not /interface bridge vlan.
According to description of what you want to achieve in your first post, something like this might be close to needed config:
As you can see, the only notable difference is that the above code doesn’t use a tagged VLAN with ID=1 (instead I’m using ID=1000), plus slightly different settings in /interface ethernet switch port … actually it’s very close to the example from the manual about VLANs and switch chips.
You might want to experiment a bit with the vlan-header= setting … on my RB951G, which features the AR8327 switch chip, this setting doesn’t seem to make much of a difference: on egress the switch chip strips the VLAN header from frames with VLAN ID equal to the PVID (default-vlan-id= setting) … which is knowledge some forum members (@sindy for example) seem to have, but I haven’t found it documented anywhere. Your RB features the QCA8337 switch chip, which might behave in a slightly different way. I.e. on my RB, where a port is hybrid (one VLAN is untagged on the wire while the other is tagged), I have vlan-header=always-strip and both VLANs perform according to expectations.
My understanding is that vlan-header= affects egress frames. If that’s so, then the configuration of the ether5 port (from your first post) is not complete; you’d have to define default-vlan-id … because setting vlan-header=add-if-missing would add a VLAN tag to egress frames which would live untagged inside the RB but would have to get tagged on egress to the wire. In your case that’s not the case: you want to have one VLAN untagged (and we’re tagging it with ID=1000 for RB-internal operations).
And thanks for both your suggested configuration and the annotation on the vlan-header setting. I am currently waiting for my boss to buy another hAP ac to continue the testing, as the one used during the last week has already been set aside for other uses…
Anyway, while waiting to test the behavior, maybe a slight change in configuration, setting an unused VLAN ID in both the MikroTik and the other network appliances (i.e. 999) as the PVID of ether5, would force the ID tag to always be used, as would be expected on a trunk port, when using the trunked VLANs (3, 7, 15, 1000):
set ether5 default-vlan-id=999 vlan-mode=secure vlan-header=leave-as-is
And, by the way, another question (pardon me, VLAN topics are just so fundamental in networking that I’d like to -really- understand…): if the only requirement was just the VLAN routing (L3) of VLANs arriving on a trunk port (just one, e.g. the ether5 of the preceding configurations), without any need for switching to other ports, would it anyway be advisable to proceed with configuring h/w offload or, this time, would software only be a good choice?
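As an added example (not a configuration posted in this thread), the complete switch-chip VLAN setup that the plan above describes: ether2 as an untagged access port carried as VLAN 1000 inside the router, ether5 as a trunk carrying 3, 7, 15 and 1000 tagged only, the otherwise unused ID 999 as the trunk's PVID, switch1-cpu as a member of every VLAN the router should see, and VLAN interfaces on the bridge for L3 routing. The bridge name, the IP addresses, the VLAN interface names and RouterOS 6.41+ syntax (hw=yes on the bridge port) are assumptions; the port and VLAN numbers are the ones used in the thread.

```routeros
# Added example, not the thread author's config. Assumes RouterOS 6.41+ on a
# hAP ac (switch1 = QCA8337-class chip); bridge name, addresses and VLAN
# interface names are assumptions.

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether5 hw=yes

/interface ethernet switch port
# access port: untagged on the wire, carried as VLAN 1000 inside the switch
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=1000
# trunk port: headers left alone; an untagged frame arriving here is
# classified into VLAN 999, which has no members, so secure mode drops it
# instead of letting it leak into one of the real LANs
set ether5 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=999
# CPU port: must be a member of every VLAN the router itself should see,
# otherwise management access through the bridge is lost
set switch1-cpu vlan-mode=secure vlan-header=leave-as-is

/interface ethernet switch vlan
add switch=switch1 vlan-id=1000 ports=ether2,ether5,switch1-cpu
add switch=switch1 vlan-id=3 ports=ether5,switch1-cpu
add switch=switch1 vlan-id=7 ports=ether5,switch1-cpu
add switch=switch1 vlan-id=15 ports=ether5,switch1-cpu
# deliberately no entry for 999: nothing may egress in that VLAN

/interface vlan
add interface=bridge1 name=vlan1000 vlan-id=1000
add interface=bridge1 name=vlan3 vlan-id=3
add interface=bridge1 name=vlan7 vlan-id=7
add interface=bridge1 name=vlan15 vlan-id=15

/ip address
add address=192.168.100.1/24 interface=vlan1000
add address=192.168.3.1/24 interface=vlan3
add address=192.168.7.1/24 interface=vlan7
add address=192.168.15.1/24 interface=vlan15
```

Two practical checks before applying this: enable RouterOS Safe Mode (or keep a session open on a port that is not in the bridge, as the first post does), because a switch1-cpu membership mistake cuts off management through the bridge and the change otherwise only reverts after a reset; and verify with /interface ethernet switch vlan print and a tagged host on ether5 that untagged frames sent into the trunk do not reach ether2, which is the point of the unused PVID.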
In this case a port without HW offload (regardless of the reason) would be fine, as all the traffic would hit the RB’s CPU anyhow.
But then … keeping in mind that HW offload is port-based … if a port was used solely for VLAN routing, that port does not have to be a member of any bridge (security-wise it even should not be) … and in that case the HW offload concept has no merit anymore, as HW offload only offloads inter-ethernet-port traffic.
When I add the switch1-cpu interface to be VLAN aware, I always lose connectivity to the router and need to restore/reset to default.
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure