HW Switching/VLAN on PowerBox Pro / Find my fault

What I want to do is access the PowerBox Pro from ethernet1 untagged and get all untagged traffic from ports 2, 3, 4 tagged with VLAN3 on port1.

The box could be accessed from port1, but traffic from ports 2, 3, 4 is not forwarded to port1 at all.

# jul/19/2018 11:12:19 by RouterOS 6.42.6
# software id = MGUA-0S1T
# model = 960PGS
# serial number = XXXXXX

/interface bridge
add fast-forward=no name=bridge1
/interface vlan
add interface=bridge1 name=VLAN1 vlan-id=1
/interface ethernet switch port
set 0 default-vlan-id=1 vlan-mode=secure
set 1 default-vlan-id=3 vlan-mode=secure
set 2 default-vlan-id=3 vlan-mode=secure
set 3 default-vlan-id=3 vlan-mode=secure
set 5 default-vlan-id=1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 disabled=yes interface=ether5
add bridge=bridge1 disabled=yes interface=sfp1
/ip firewall connection tracking
set enabled=no
/interface ethernet switch vlan
add independent-learning=no ports=ether1,ether2,ether3,ether4 switch=switch1 vlan-id=3
add independent-learning=no ports=ether1,switch1-cpu switch=switch1 vlan-id=1
/ip firewall filter
add action=drop chain=input disabled=yes log=yes

I have a similar configuration on my RB951G: port ether5 is hybrid … untagged and VID 3999. The untagged packets are translated to VID=2 and sent over the trunk port to other devices. The port configuration which works for me is this:

/interface ethernet switch port
set 4 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure

If I understood the manuals correctly, then the option “vlan-header=always-strip” means that tags will get stripped on egress if the VID is equal to default-vlan-id, else tags will stay.

The rest of the configuration is similar to yours.

Thanks. I tried this, and as described by the MikroTik wiki, this has no effect:
‘In Gigabit switch chips when “vlan-mode=secure”, it ignores switch port “vlan-header” options. VLAN table entries handle all the egress tagging/untagging and works as “vlan-header=leave-as-is” on all ports.’