Assume a network with a wired-only router with 5 ports, with eth1-WAN, eth2-external switch, eth3,4,5 going to local PCs.
The external “UNmanaged” switch has 5 ports, eth1-from router, eth2-VLAN-capable WAP, eth3-5 going to local devices.
The only devices that can read and use VLANs are the router and the WAP.
The entire network runs on VLAN100 (home network), including one WLAN on the AP.
There is only one other VLAN and it’s the guest VLAN200, and this is only utilized on a second WLAN on the AP.
Q. How does one configure the router so that ETH2 is a hybrid port? The intention is to be able to get VLAN100 and VLAN200 to the AP and VLAN100 to the other devices.
I am not sure if this is even possible.
Almost…
/interface bridge port
add bridge=bridge comment=defconf hw=no interface=ether2 pvid=100
The /interface bridge vlan settings may be incorrect, it depends on what parameters you have specified for the bridge itself under /interface bridge.
Note untagged membership does not have to be explicitly stated under /interface bridge vlan, they will be added dynamically from the PVID settings under /interface bridge port (I’m not sure if RouterOS VLAN-aware bridge support has done this since it was first introduced, or if it happened in a later release).
On your unmanaged switch any tagged broadcast traffic will also egress on ports 3-5, but should be ignored by non-VLAN-aware devices connected to those ports.
Mostly answered by @tdw, but since I already prepared a post … here it goes:
So you want to have VLAN 100 tagged and untagged on ether2 at the same time?
Or is it that you want VLAN 200 tagged and VLAN 100 untagged on ether2?
The first one is not possible.
The second one is possible and the config goes as follows: make the VLAN 100 config as it is done for access ports (set PVID on the port for ingress and add the port as untagged member for egress), while VLAN 200 is done as it’s done for trunk ports (no PVID set for ingress and set as tagged for egress).
The other issue is the setting of frame-types=… For trunk ports one can set it to admit-only-vlan-tagged, and for access ports it’s natural to set it to admit-only-untagged-and-priority-tagged. But for a hybrid port, it can only be set to admit-all (which seems to be the default anyway).
On your unmanaged switch any tagged broadcast traffic will also egress on ports 3-5, but should be ignored by non-VLAN-aware devices connected to those ports.
Things will likely be better because even a dumb switch will forward frames mostly to the correct ports, so non-VLAN devices won’t see VLAN-tagged frames because the switch won’t forward them there as the FDB table won’t allow it… only a few frames if the dst MAC address / port pairing is not known yet.
And even VLAN-blind end devices will simply ignore those, as they will be treated as usual flooded frames.
The only consideration is possible VLAN leaking, and if somebody is concerned about it, he should install a managed switch and be done.
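As an added example, not part of any of the posts above: a complete RouterOS VLAN-aware bridge configuration for the layout in the question, built the way the answer describes (VLAN 100 as an access-style untagged member on ether2-ether5 via PVID, VLAN 200 as a tagged member on ether2 only, frame-types left at admit-all on the hybrid port). The bridge name `bridge`, the subnets 192.168.100.0/24 and 192.168.200.0/24, the use of ingress-filtering, and the guest-isolation firewall rule are my assumptions, not something the thread specifies; ether1 stays out of the bridge as the WAN port.

```routeros
# Added example config (not from the thread). Assumed names: bridge "bridge",
# ether2 = hybrid port to the unmanaged switch/AP, ether3-5 = home PCs.
# vlan-filtering is switched on only at the end, so a mistake in the
# membership lines cannot lock you out of the router halfway through.

/interface bridge
add name=bridge vlan-filtering=no comment="VLAN-aware bridge, filtering enabled last"

/interface bridge port
# Hybrid port: untagged frames ingress into VLAN 100 via pvid, tagged VLAN 200
# frames are admitted because frame-types=admit-all. ingress-filtering=yes
# (assumed) drops tagged frames for VLANs the port is not a member of.
add bridge=bridge interface=ether2 pvid=100 frame-types=admit-all ingress-filtering=yes \
    comment="hybrid: VLAN100 untagged + VLAN200 tagged, to switch/AP"
# Access ports: only untagged/priority-tagged frames, placed into VLAN 100.
add bridge=bridge interface=ether3 pvid=100 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether4 pvid=100 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether5 pvid=100 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# Egress rules. "bridge" is listed as tagged so the router CPU can have its own
# VLAN interfaces. The untagged list duplicates what pvid creates dynamically;
# stating it explicitly just makes the intent visible in the export.
add bridge=bridge vlan-ids=100 tagged=bridge untagged=ether2,ether3,ether4,ether5 comment="home"
add bridge=bridge vlan-ids=200 tagged=bridge,ether2 comment="guest, tagged to AP only"

/interface vlan
# L3 interfaces on top of the bridge for routing/DHCP per VLAN (assumed subnets).
add name=vlan100 interface=bridge vlan-id=100
add name=vlan200 interface=bridge vlan-id=200

/ip address
add address=192.168.100.1/24 interface=vlan100
add address=192.168.200.1/24 interface=vlan200

/ip firewall filter
# Assumed isolation rule: the guest VLAN exists to keep visitors away from the
# home LAN, so block routed traffic between them. Place it above any generic
# "accept from LAN" rule in the forward chain.
add chain=forward in-interface=vlan200 out-interface=vlan100 action=drop \
    comment="guest VLAN must not reach home VLAN"

/interface bridge
# Enable VLAN filtering only after all memberships are in place.
set bridge vlan-filtering=yes
```

Paste the block from a console session (or apply it as a script) rather than line by line over a network connection on VLAN 100, since the final `vlan-filtering=yes` is the moment the port memberships take effect. After applying, `/interface bridge vlan print` should show ether2 in both VLANs (untagged in 100, tagged in 200) and ether3-5 only in 100; the unmanaged switch will still flood occasional tagged VLAN 200 frames to its other ports, which is the leakage the answer above describes and why a managed switch is the cleaner fix.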