Hello,
Simple question: how do I tag all ingress traffic from one interface with a VLAN ID? For example, from a WiFi AP which is not able to tag it. I am able to bridge, switch, trunk… some VLAN, but I cannot get it tagged on the Mikrotik side.
Thanks
Three possibilities:
- create an /interface vlan with vlan-id set to the VID you want to tag that interface with on ingress/untag on egress, set the interface of this /interface vlan to the name of the bridge on which this VID should exist tagged, create another bridge (bridge-my-vlan) and make both the /interface vlan and the interface you want to use as access one for the VID
- make the interface a member port of the bridge on which this VID should exist tagged using /interface bridge port add bridge=bridge-name interface=interface-name pvid=your-VID and /interface bridge vlan add vlan-ids=your-VID bridge=bridge-name tagged=bridge-name untagged=interface-name and set vlan-filtering on bridge-name to yes (activate safe mode before this last step, if it eventually cuts your access to the box by taking it, it will be reverted in a minute)
- depending on your RB model, it may be possible to do the same using switch chip features
Hello,
thank you… but it is not working. Maybe I am missing something. Could you please send the exact commands to create such a setup?
The second part is, how to test it? Now I am still pinging the device on the “tagged” port, even if my interface is not tagged.
So, let's try to prepare two HW ports on the Mikrotik. Both as tagged and thus able to communicate only with each other. Not with other ports. Even if all ports on the RB are in the same bridge (switch). So all ports are able to communicate together. When you get one port tagged, you are not able to communicate with this one. When you get another port tagged, you are able to communicate with the tagged one, but not with other ports.
I really thank you for cooperation.
interface bridge add name=br1 vlan-filtering=yes
interface bridge vlan add bridge=br1 untagged=br1 vlan-ids=1
interface bridge vlan add bridge=br1 tagged=br1,ether2 untagged=ether3 vlan-ids=2
interface bridge port add bridge=br1 interface=ether2 pvid=1
interface bridge port add bridge=br1 interface=ether3 pvid=2
interface vlan add name=br1-vlan2 interface=br1 vlan-id=2
- Tells ether3 to place untagged packets it receives into VLAN2 and emit all VLAN2 packets destined for hosts attached to or behind ether2 out as untagged.
- Tells ether2 to receive and send packets for VLAN2 as tagged packets.
- The last line adds a layer 3 interface you can apply an IP address to for VLAN2 if you’d like.
Exact commands can be suggested for a known environment, so follow my automatic signature and state which of the existing interfaces should be converted to an access port of which VLAN and on which existing bridge that VLAN should be.
Again, not knowing the particular configuration prevents anyone from suggesting a meaningful test. The test is easier if the VLAN has a local interface with an IP address on your RB and more complex if it doesn’t, i.e. if the RB only handles that VLAN on L2.
@idlemind’s configuration above gives ether2 as tagged port in vlan 2 and ether3 as tagless (access) port to that vlan.
If you would want your exact example, i.e. both ether2 and ether3 as access ports to vlan 2, you would modify just two lines there:
interface bridge vlan add bridge=br1 tagged=br1 untagged=ether2,ether3 vlan-ids=2
interface bridge port add bridge=br1 interface=ether2 pvid=2
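Added example (not from any poster in this thread): a small Python model of how a VLAN-filtering bridge classifies and forwards frames for the two configurations above, which shows what a test of the setup should observe on each port. It assumes flooding without MAC learning, ingress filtering enabled, the bridge port br1 left at pvid 1, and that a port is an untagged member of the VLAN named by its pvid; the names `vlan_members`, `forward`, `TRUNK_AND_ACCESS` and `BOTH_ACCESS` are illustrative.

```python
# Simplified model of a VLAN-filtering bridge: every frame is flooded
# (no MAC learning) and ingress filtering is assumed to be enabled.

def vlan_members(cfg, vid):
    """Return {port: 'tagged' | 'untagged'} for one VLAN ID."""
    static = cfg["vlans"].get(vid, {})
    ports = {p: "tagged" for p in static.get("tagged", ())}
    ports.update({p: "untagged" for p in static.get("untagged", ())})
    # Assumption: a port is also an untagged member of the VLAN named by its pvid.
    for port, pvid in cfg["pvid"].items():
        if pvid == vid:
            ports.setdefault(port, "untagged")
    return ports

def forward(cfg, in_port, tag=None):
    """Return {out_port: 'tagged' | 'untagged'} for a frame received on in_port.

    tag is the 802.1Q VLAN ID on the wire, or None for an untagged frame.
    """
    # Ingress: an untagged frame is classified into the port's pvid.
    vid = cfg["pvid"][in_port] if tag is None else tag
    ports = vlan_members(cfg, vid)
    if in_port not in ports:
        return {}  # ingress port is not a member of this VLAN: frame dropped
    # Egress: only members of the VLAN see the frame, tagged or stripped.
    return {p: mode for p, mode in ports.items() if p != in_port}

# Constructed from the first command set in the thread (ether2 trunk, ether3 access).
TRUNK_AND_ACCESS = {
    "pvid": {"br1": 1, "ether2": 1, "ether3": 2},
    "vlans": {1: {"untagged": ["br1"]},
              2: {"tagged": ["br1", "ether2"], "untagged": ["ether3"]}},
}
# Constructed from the two modified lines (ether2 and ether3 both access ports).
BOTH_ACCESS = {
    "pvid": {"br1": 1, "ether2": 2, "ether3": 2},
    "vlans": {1: {"untagged": ["br1"]},
              2: {"tagged": ["br1"], "untagged": ["ether2", "ether3"]}},
}

if __name__ == "__main__":
    for name, cfg in (("trunk+access", TRUNK_AND_ACCESS), ("both access", BOTH_ACCESS)):
        for port in ("ether2", "ether3"):
            print(name, port, "untagged in ->", forward(cfg, port))
```

In the model, "br1: tagged" means the frame reaches the bridge's own port carrying VLAN 2, which is where the br1-vlan2 interface would pick it up.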