Just my 5 cents: it indeed is a PITA to work with switch vlans because export doesn't show port names in /interface/ethernet/switch/port … print does though, so you can check if you configured the port correctly by observing the output of print. At the same time it is possible to use port names instead of numbers when executing set commands … to make sure you're setting up the right port.
If it is for a learning experience, then keep going. You will learn a lot more when things don’t go smoothly and you are required to put a lot of effort into the problem.
But if your time is worth much, then it probably does not make business sense, as you probably won’t be using the device specific knowledge much in the future, since it is a discontinued device, with an obsolete switch ASIC.
Are you only using these as switches, or are you using other features as well? Are both devices the same? What version of firmware are you using?
I have got something working. I'm not sure what the exact issue is, but maybe it doesn't like a mix of tagged and untagged traffic. I now have vlan 3 on eth3 and vlan 4 on eth4 and both are working. I'm going to play around a bit more and see what I can find out.
See this thread, "RB2011 How connect ports from differ HW switch ?", and post #2 and post #4 about the limitations of the 8227. I don't know if it applies to the 724x or not, but would not be surprised.
This is from Switch Chip Features (hint: use "Browser find on page", e.g. in Windows Ctrl-F, then enter Atheros7240):
Also look in the VLAN Example 2 (Trunk and Hybrid Ports) section, where it says that only some chips support it. And it does not list 8227 or 7240 (but also doesn't list many chips that do support it; they may have not updated the documentation yet).
For Atheros8316, Atheros8227 and Atheros7240 switch chips, the switch-cpu port will always participate in the host learning process when at least one hardware offloaded bridge port is active on the switching group. It will cause the switch-cpu port to learn MAC addresses from non-HW offloaded interfaces. This might cause a packet loss when a single bridge contains HW and non-HW offloaded interfaces. Also, packet loss might appear when a duplicate MAC address is used on the same switching group regardless if hosts are located on different logical networks. It is recommended to use HW offloading on all switch ports or keep it disabled on all switch ports.
In Management access configuration it has this about the 7240 under untagged:
To setup management port using untagged traffic on a device with the Atheros7240 switch chip, you will need to set vlan-header=add-if-missing for the CPU port.
I have got it working. It appears the switch chip works differently in the 751. The 2 changes I needed to make were:
- If using vlans then everything has to have a vlan. You can’t have un-tagged and tagged traffic. So no hybrid ports.
- You need to use add-if-missing instead of leave-as-is on the trunk ports. The trunk port could be a physical port or the CPU port.
I don't know what's going on inside the switch chip, but my guess is that the Atheros7240 doesn't add the vlan tag until packets egress the trunk port. So a packet will come in to an access port, traverse the switch chip without a vlan tag and then have the tag added at the trunk port. That's why you need to use add-if-missing.
With the Atheros 8227 I presume the vlan tag is added as the packet ingresses the access port. That’s why you need to use leave-as-is at the trunk port.
I have this config working on 2 devices, a 751ui and a 951ui, and they communicate quite nicely with a trunk between them. I moved my no-vlan traffic onto a vlan. I can transfer traffic at 30 Mbit (the speed of my internet) through the 751 and the CPU stays at idle.
One other thing I wanted to mention was the reason I was keen to keep this in hardware: I split the device at the left of the diagram (a few posts up) into 2 devices in order to have 2 radios. So there is an additional need to have it in hardware, as traffic from the PC will go via the 751 and it is obviously a slower device. The 751 will also have wifi clients which will go through the CPU, so at the end of the day it might not matter that much.
Thanks everyone for your help.
      wired          wired          wireless
PC <-----> 751ui <-----> 951ui <-----> 951ui <-----> internet
Config I used. This is just a test config:
eth2 → trunk
eth3 → access port vlan3
eth4 → access port vlan4
eth5 → access port vlan5
cpu port → trunk
/interface bridge
add name=BRIDGE_MAIN protocol-mode=none
/interface ethernet switch port
# export shows numbers only; per the roles above 0=ether2 (trunk), 1=ether3,
# 2=ether4, 3=ether5 (access), 4=switch1-cpu (trunk). Confirm with print.
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=4 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=5 vlan-header=always-strip vlan-mode=secure
set 4 vlan-header=add-if-missing vlan-mode=secure
/interface ethernet switch vlan
# the post pasted the switch port lines a second time here; the VLAN table
# below is reconstructed from the stated roles (trunk + one access port +
# cpu per VLAN). With vlan-mode=secure, frames in VLANs absent from this
# table are dropped, so every VLAN in use must have an entry.
add ports=ether2,ether3,switch1-cpu switch=switch1 vlan-id=3
add ports=ether2,ether4,switch1-cpu switch=switch1 vlan-id=4
add ports=ether2,ether5,switch1-cpu switch=switch1 vlan-id=5
/interface bridge port
add bridge=BRIDGE_MAIN interface=ether1
add bridge=BRIDGE_MAIN interface=ether2
add bridge=BRIDGE_MAIN interface=ether3
add bridge=BRIDGE_MAIN interface=ether4
add bridge=BRIDGE_MAIN interface=ether5
/interface vlan
add interface=BRIDGE_MAIN name=VLAN3 vlan-id=3
add interface=BRIDGE_MAIN name=VLAN4 vlan-id=4
add interface=BRIDGE_MAIN name=VLAN5 vlan-id=5
/ip pool
add name=POOL3 ranges=192.168.3.100-192.168.3.110
add name=POOL4 ranges=192.168.4.100-192.168.4.120
add name=POOL5 ranges=192.168.5.25-192.168.5.30
/ip dhcp-server
add address-pool=POOL4 disabled=no interface=VLAN4 name=SERVER4
add address-pool=POOL3 disabled=no interface=VLAN3 name=SERVER3
add address-pool=POOL5 disabled=no interface=VLAN5 name=SERVER5
/ip address
add address=192.168.4.1/24 interface=VLAN4 network=192.168.4.0
add address=192.168.3.1/24 interface=VLAN3 network=192.168.3.0
add address=192.168.5.1/24 interface=VLAN5 network=192.168.5.0
/ip dhcp-server network
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=192.168.4.1 gateway=192.168.4.1
add address=192.168.5.0/24 dns-server=192.168.5.1 gateway=192.168.5.1
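The posted config is easy to get subtly wrong, and the thread shows the symptoms (lock-outs, reboots) are painful to debug on the device itself. The following is an added example, not code from the post or from MikroTik: a small Python linter that parses the `/interface ethernet switch port` and `/interface ethernet switch vlan` sections of an export fragment and flags the mistakes discussed above (vlan-mode other than secure, an access port whose default VLAN has no table entry, a hybrid port or a leave-as-is trunk on the Atheros7240, the CPU port absent from every VLAN entry). The index-to-name mapping in PORT_NAMES is an assumption for this RB751 and must be checked against `print`; both sample exports are constructed here, and the 7240-specific checks encode what the poster found in this thread, not vendor documentation.

```python
import re
from typing import Dict, List, Optional

# Assumed index -> name mapping for the switch ports on this RB751 (export
# shows numbers only); verify against `/interface ethernet switch port print`.
PORT_NAMES = ["ether2", "ether3", "ether4", "ether5", "switch1-cpu"]
CPU_PORT = "switch1-cpu"
SECTION_PORT = "/interface ethernet switch port"
SECTION_VLAN = "/interface ethernet switch vlan"

# Constructed sample: the posted switch port lines plus a VLAN table that
# matches the stated roles (eth2 + cpu trunk, eth3/4/5 access for 3/4/5).
GOOD_EXPORT = """\
/interface ethernet switch port
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=4 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=5 vlan-header=always-strip vlan-mode=secure
set 4 vlan-header=add-if-missing vlan-mode=secure
/interface ethernet switch vlan
add ports=ether2,ether3,switch1-cpu switch=switch1 vlan-id=3
add ports=ether2,ether4,switch1-cpu switch=switch1 vlan-id=4
add ports=ether2,ether5,switch1-cpu switch=switch1 vlan-id=5
"""

# Constructed sample with the mistakes the thread describes: leave-as-is on
# the ether2 trunk, ether5 turned into a hybrid (untagged 5, tagged 4),
# fallback mode on the cpu port, and no VLAN 4 entry containing ether4.
BAD_EXPORT = """\
/interface ethernet switch port
set 0 vlan-header=leave-as-is vlan-mode=secure
set 1 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=4 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=5 vlan-header=leave-as-is vlan-mode=secure
set 4 vlan-header=add-if-missing vlan-mode=fallback
/interface ethernet switch vlan
add ports=ether2,ether3,switch1-cpu switch=switch1 vlan-id=3
add ports=ether2,ether5,switch1-cpu switch=switch1 vlan-id=5
add ports=ether2,ether5 switch=switch1 vlan-id=4
"""


def parse_export(text: str, port_names: List[str] = PORT_NAMES):
    """Return ({port_name: settings}, [vlan entries]) from an export fragment."""
    ports: Dict[str, Dict[str, str]] = {}
    vlans: List[Dict[str, str]] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line          # a new `/path` line starts a new section
            continue
        verb, _, rest = line.partition(" ")
        kv = dict(re.findall(r"([\w-]+)=(\S+)", rest))
        if section == SECTION_PORT and verb == "set":
            idx = int(rest.split()[0])
            name = port_names[idx] if idx < len(port_names) else f"port{idx}"
            ports[name] = kv
        elif section == SECTION_VLAN and verb == "add":
            vlans.append(kv)
    return ports, vlans


def lint(text: str, chip: str = "Atheros7240") -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    ports, vlans = parse_export(text)
    members = {int(v["vlan-id"]): set(v.get("ports", "").split(",")) for v in vlans}
    findings: List[str] = []
    for vid, mem in members.items():
        for p in sorted(mem - set(ports)):
            findings.append(f"vlan {vid}: member {p} is not a configured switch port")
    if CPU_PORT in ports and not any(CPU_PORT in m for m in members.values()):
        findings.append(f"{CPU_PORT} is in no VLAN entry: management is unreachable in secure mode")
    for name, cfg in ports.items():
        mode = cfg.get("vlan-mode", "disabled")
        header = cfg.get("vlan-header", "leave-as-is")
        pvid = int(cfg.get("default-vlan-id", "0"))
        in_vlans = {vid for vid, mem in members.items() if name in mem}
        if mode != "secure":
            findings.append(f"{name}: vlan-mode={mode} forwards frames outside the VLAN table; use secure")
        if header == "always-strip" and pvid == 0:
            findings.append(f"{name}: always-strip without default-vlan-id")
        if pvid and pvid not in in_vlans:
            findings.append(f"{name}: default-vlan-id={pvid} has no VLAN entry containing this port")
        # hybrid: carries its untagged default VLAN and other VLANs tagged
        hybrid = pvid and header != "always-strip" and in_vlans - {pvid}
        if hybrid and chip == "Atheros7240":
            findings.append(f"{name}: hybrid port (untagged {pvid}, tagged {sorted(in_vlans - {pvid})}); "
                            f"thread reports hybrids do not work in hardware on {chip}")
        trunk = pvid == 0 and header != "always-strip"
        if trunk and header == "leave-as-is" and chip == "Atheros7240":
            findings.append(f"{name}: trunk uses leave-as-is; thread found add-if-missing is needed on {chip}")
    return findings


if __name__ == "__main__":
    for label, export in (("good", GOOD_EXPORT), ("bad", BAD_EXPORT)):
        print(f"[{label}] {len(lint(export))} finding(s)")
        for f in lint(export):
            print("  -", f)
```

Run it against `/export` output pasted into a file before applying a change to a remote 751; the two chip-specific checks are skipped for `chip="Atheros8227"`, where the poster reports both hybrid ports and leave-as-is trunks work.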
Of course you can have hybrid ports, it just has to be done properly, but not being conversant with the switch chip, I can't help you; I can do it in my sleep for bridge vlan filtering though…
That makes sense especially post #2
“There are also issues with Atheros fast ethernet (10/100Mbps) switch chips, they do not support hardware offloaded hybrid ports”
That's the issue I found. Although the 951ui is Atheros fast ethernet (Atheros8227) and it does support hybrids. From what I found, if you try to run a hybrid port on the 7240 then things can go so screwy you need to reset the config. Several times I've thought this 751 was faulty, but it keeps turning out to be me that's faulty.
It's possible there's some config that would work, but someone in another thread did confirm hybrids don't work, and I have been running hybrid ports in the 951ui till the cows come home with no issues, so I don't think there's anything wrong with my config. When I tried hybrid ports with the 751 I got so locked out of the device on some configs I had to wipe the device and start fresh. It was also common to need reboots. Once I got rid of hybrids it was 100% stable.
KK understood, perhaps older MT units were POS in that regard…
A search for 8227 will find several threads where it is claimed that the 8227 switch won't do hybrids correctly in hardware. Here's one: "Hybrid VLAN port on Atheros8227".