PowerBox Pro QCA8337 chip

Hello,

Very confusing with VLANs with the PowerBox [RB960RGS board] as it uses the QCA8337 switch chip. If I use the new bridge VLAN method, it will disable HW offloading and rely directly on the CPU, and performance will suffer…

I’ve gone ahead and configured the old/original method using the ethernet switch chip. Can anyone with experience take a look at my configuration and tell me if it’s OK? I had to make ether5 my ‘out of band port’, as once I set the switch port vlan-mode=secure… I lose ALL access to the ports [even when my MacBook ethernet interface has a VLAN tag set up].

https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features

Also VERY confusing whether I should even use vlan-mode=secure, and/or vlan-header-mode=leave-as-is or ‘add-if-missing’???

This PowerBox will just be trunking VLANs to attached access points that have VLAN-tagged SSIDs…

ether1 is the main uplink to the core switch for all VLANs that’ll be passed.

# jan/02/1970 02:12:14 by RouterOS 6.45.8
# software id = P7CC-D6AJ
#
# model = RB960PGS
# serial number = D5320C360727
/interface bridge add name=all-vlan-bridge protocol-mode=stp
/interface bridge add admin-mac=48:8F:5A:61:78:74 auto-mac=no name=bridge_bkup
/interface ethernet set [ find default-name=ether1 ] comment="Trunk to SW01" name=ether1_sw01
/interface ethernet set [ find default-name=ether5 ] poe-out=off
/interface vlan add interface=all-vlan-bridge name=vlan10-data-lan vlan-id=10
/interface vlan add interface=all-vlan-bridge name=vlan20-CGNAT vlan-id=20
/interface vlan add interface=all-vlan-bridge name=vlan40-GuestWIFI vlan-id=40
/interface vlan add interface=all-vlan-bridge name=vlan60-AP-SSID vlan-id=60
/interface vlan add interface=all-vlan-bridge name=vlan88-mgmt-net vlan-id=88
/interface ethernet switch port set 0 vlan-mode=secure
/interface ethernet switch port set 1 vlan-mode=secure
/interface ethernet switch port set 2 vlan-mode=secure
/interface ethernet switch port set 3 vlan-mode=secure
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot
/snmp community add addresses=192.168.128.0/24,172.17.90.100/32 name=Public
/interface bridge port add bridge=bridge_bkup interface=ether5
/interface bridge port add bridge=all-vlan-bridge interface=ether1_sw01
/interface bridge port add bridge=all-vlan-bridge interface=ether2
/interface bridge port add bridge=all-vlan-bridge interface=ether3
/interface bridge port add bridge=all-vlan-bridge interface=ether4
/ip neighbor discovery-settings set discover-interface-list=none
/interface ethernet switch vlan add independent-learning=no ports=ether1_sw01,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=10
/interface ethernet switch vlan add independent-learning=no ports=ether1_sw01,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=20
/interface ethernet switch vlan add independent-learning=no ports=ether1_sw01,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=40
/interface ethernet switch vlan add independent-learning=no ports=ether1_sw01,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=60
/interface ethernet switch vlan add independent-learning=no ports=ether1_sw01,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=88
/interface list member add interface=bridge_bkup list=LAN
/interface list member add interface=all-vlan-bridge list=LAN
/interface list member add interface=vlan88-mgmt-net list=LAN
/interface list member add interface=vlan10-data-lan list=LAN
/ip address add address=192.168.99.240/24 comment=bkup_Interface interface=bridge_bkup network=192.168.99.0
/ip address add address=192.168.128.240/24 interface=vlan10-data-lan network=192.168.128.0
/ip address add address=192.168.88.240/24 interface=vlan88-mgmt-net network=192.168.88.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1_sw01
/ip dns set allow-remote-requests=yes servers=192.168.128.1,192.168.88.1
/ip firewall service-port set ftp disabled=yes
/ip firewall service-port set tftp disabled=yes
/ip firewall service-port set irc disabled=yes
/ip firewall service-port set h323 disabled=yes
/ip firewall service-port set sip disabled=yes
/ip firewall service-port set pptp disabled=yes
/ip firewall service-port set udplite disabled=yes
/ip firewall service-port set dccp disabled=yes
/ip firewall service-port set sctp disabled=yes
/ip route add distance=1 gateway=192.168.128.1
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www address=192.168.128.0/24,192.168.88.0/24
/ip service set ssh address=192.168.128.0/24,192.168.88.0/24
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip smb set allow-guests=no
/snmp set contact=XXXXX enabled=yes location="" trap-community=Public trap-version=2
/system identity set name=PowerBox-Site3
/system ntp client set enabled=yes primary-ntp=192.168.128.1 secondary-ntp=192.168.88.1
/tool bandwidth-server set authenticate=no enabled=no
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server ping set enabled=no

Per the MikroTik documentation… it’s very confusing what they mean. I need a more specific config example to have clarity.

“For devices with QCA8337 and Atheros8327 switch chips a default vlan-header=leave-as-is should be used. When vlan-mode=secure is configured, it ignores switch port vlan-header options. VLAN table entries handle all the egress tagging/untagging and work as vlan-header=leave-as-is on all ports. It means what comes in tagged goes out tagged as well; only default-vlan-id frames are untagged at the egress of the port.”

You do not have the CPU switch port (switch1-cpu) in any of the /interface ethernet switch vlan statements, so you will lose access.

Thank you for pointing me to that. I earlier discovered this after re-reading the MikroTik documentation MULTIPLE times… lol.

See my new configuration.

Should I, or do I need to, add the CPU switch port [switch1-cpu] to all the /interface ethernet switch vlan statements? Or only for the VLANs from which I want to be able to access the device?

What about upstream access from the core network switch, should it be accessible from there as well?

# jan/02/1970 04:58:05 by RouterOS 6.45.9
# software id = P7CC-D6AJ
#
# model = RB960PGS
# serial number = D5320C360727
/interface bridge add name=all-vlan-bridge
/interface bridge add admin-mac=48:8F:5A:61:78:74 auto-mac=no name=bridge_bkup protocol-mode=none
/interface ethernet set [ find default-name=ether1 ] comment="Trunk to SW01" name=ether1_sw01
/interface ethernet set [ find default-name=ether5 ] poe-out=off
/interface vlan add interface=all-vlan-bridge name=vlan10-data-lan vlan-id=10
/interface vlan add interface=all-vlan-bridge name=vlan20-CGNAT vlan-id=20
/interface vlan add interface=all-vlan-bridge name=vlan40-GuestWIFI vlan-id=40
/interface vlan add interface=all-vlan-bridge name=vlan60-AP-SSID vlan-id=60
/interface vlan add interface=all-vlan-bridge name=vlan88-mgmt-net vlan-id=88
/interface vlan add interface=bridge_bkup name=vlan99-bkup-access vlan-id=1
/interface ethernet switch port set 0 vlan-mode=secure
/interface ethernet switch port set 1 vlan-mode=secure
/interface ethernet switch port set 2 vlan-mode=secure
/interface ethernet switch port set 3 vlan-mode=secure
/interface ethernet switch port set 4 vlan-mode=secure
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot
/snmp community add addresses=192.168.128.0/24,172.17.90.100/32 name=Public
/interface bridge port add bridge=all-vlan-bridge interface=ether5
/interface bridge port add bridge=all-vlan-bridge interface=ether1_sw01
/interface bridge port add bridge=all-vlan-bridge interface=ether2
/interface bridge port add bridge=all-vlan-bridge interface=ether3
/interface bridge port add bridge=all-vlan-bridge interface=ether4
/interface bridge port add bridge=bridge_bkup interface=vlan99-bkup-access
/ip neighbor discovery-settings set discover-interface-list=none
/interface ethernet switch vlan add independent-learning=no ports=ether1_sw01,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=10
/interface ethernet switch vlan add independent-learning=no ports=ether1_sw01,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=20
/interface ethernet switch vlan add independent-learning=no ports=ether1_sw01,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=40
/interface ethernet switch vlan add independent-learning=no ports=ether1_sw01,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=60
/interface ethernet switch vlan add independent-learning=no ports=switch1-cpu,ether1_sw01,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=88
/interface list member add interface=bridge_bkup list=LAN
/interface list member add interface=all-vlan-bridge list=LAN
/interface list member add interface=vlan88-mgmt-net list=LAN
/interface list member add interface=vlan10-data-lan list=LAN
/ip address add address=192.168.99.240/24 comment=bkup_Interface interface=bridge_bkup network=192.168.99.0
/ip address add address=192.168.128.240/24 interface=vlan10-data-lan network=192.168.128.0
/ip address add address=192.168.88.240/24 interface=vlan88-mgmt-net network=192.168.88.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1_sw01
/ip dns set allow-remote-requests=yes servers=192.168.128.1,192.168.88.1
/ip firewall service-port set ftp disabled=yes
/ip firewall service-port set tftp disabled=yes
/ip firewall service-port set irc disabled=yes
/ip firewall service-port set h323 disabled=yes
/ip firewall service-port set sip disabled=yes
/ip firewall service-port set pptp disabled=yes
/ip firewall service-port set udplite disabled=yes
/ip firewall service-port set dccp disabled=yes
/ip firewall service-port set sctp disabled=yes
/ip route add distance=1 gateway=192.168.128.1
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www address=192.168.128.0/24,192.168.88.0/24
/ip service set ssh address=192.168.128.0/24,192.168.88.0/24
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip smb set allow-guests=no
/snmp set contact=XXXXXXXX enabled=yes location="XXXXXXXX" trap-community=Public trap-version=2
/system identity set name=PowerBox-Site3
/system ntp client set enabled=yes primary-ntp=192.168.128.1 secondary-ntp=192.168.88.1
/tool bandwidth-server set authenticate=no enabled=no
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server ping set enabled=no

Update:

Tested and working with the latest configuration from my post above [see code].

It also works when I configure a switch port interface with vlan-id=ID; I’m able to get untagged traffic passing.

UPDATE with issue:

I configured a router with a base config that will be used at the production site.

ISSUE:

When connected to the upstream core switch/router, the untagged access port [computer] is unable to access the PowerBox. I’m trying to access, from vlan10 untagged, the management IP on the PowerBox, which is 192.168.88.240 [vlan88].

As the upstream core network is the 192.168.128.0/24 subnet (vlan10), I need to be able to manage all the devices on subnet 192.168.88.0/24 (vlan88).

When I connect to the upstream router [router-on-a-stick config], I’m obviously able to ping and hit the downstream PowerBox.

DHCP passing downstream to an untagged port on the PowerBox switch setup works fine. But I really need to be able to manage the 192.168.88.0/24 devices from the .128.0/24 vlan10 subnet.

How is this possible?

It appears I have to add switch1-cpu to all VLAN entries within the switch menu in order to properly do inter-VLAN? I was able to add switch1-cpu to my vlan10 (primary network), and once I did that, I was able to reach this switch from the upstream core router via both subnets.

Any further input from anyone? Or perhaps someone has a golden config template using the switch chip method?

You only have to add it to VLANs which require access to the CPU; in your config you have IP addresses assigned to VLAN10 and VLAN88, so those should be sufficient.

If you have management via the VLANs on the all-vlan-bridge bridge, I strongly recommend removing the bridge_bkup bridge, as only one bridge can be hardware accelerated, and the hidden port-based VLANs used to multiplex traffic from the physical ethernet ports to the CPU can interact in weird ways with hardware 802.1Q VLAN switching.
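One way to audit an export for exactly the mistake discussed in this thread, as an added example that is neither from the posts above nor from MikroTik: the script parses RouterOS export text, assumes the CPU port is named switch1-cpu as in the posts, and reports every VLAN ID that carries an IP address on an /interface vlan interface but whose /interface ethernet switch vlan entry omits the CPU port. The embedded excerpt is constructed to mirror the second export (vlan10 addressed but without switch1-cpu, vlan88 addressed with it, vlan20 transit only).

```python
# Constructed excerpt in the style of the exports above: vlan10 carries an address
# but its switch VLAN entry lacks switch1-cpu; vlan88 has it; vlan20 is transit only.
SAMPLE_EXPORT = """\
/interface vlan add interface=all-vlan-bridge name=vlan10-data-lan vlan-id=10
/interface vlan add interface=all-vlan-bridge name=vlan20-CGNAT vlan-id=20
/interface vlan add interface=all-vlan-bridge name=vlan88-mgmt-net vlan-id=88
/interface ethernet switch vlan add ports=ether1_sw01,ether2 switch=switch1 vlan-id=10
/interface ethernet switch vlan add ports=ether1_sw01,ether2 switch=switch1 vlan-id=20
/interface ethernet switch vlan add ports=switch1-cpu,ether1_sw01,ether2 switch=switch1 vlan-id=88
/ip address
add address=192.168.128.240/24 interface=vlan10-data-lan network=192.168.128.0
add address=192.168.88.240/24 interface=vlan88-mgmt-net network=192.168.88.0
"""

def parse_export(text):
    """Yield (menu, verb, args) per command; supports '/menu add k=v' and a bare
    '/menu' line followed by 'add k=v' lines, since RouterOS exports emit both."""
    menu = ""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0].startswith("/"):
            path = []
            while tokens and tokens[0] not in ("add", "set"):
                path.append(tokens.pop(0))
            menu = " ".join(path)
            if not tokens:
                continue  # bare menu line, commands follow on later lines
        verb = tokens.pop(0)
        args = dict(t.split("=", 1) for t in tokens if "=" in t)
        yield menu, verb, args

def vlans_missing_cpu_port(text, cpu_port="switch1-cpu"):
    """VLAN IDs that have an IP address on an /interface vlan interface but whose
    switch VLAN table entry omits the CPU port: the switch forwards them in
    hardware, yet the router itself is unreachable on them (the thread's symptom)."""
    vid_of = {}          # vlan interface name -> vlan-id
    ports_of = {}        # vlan-id -> set of switch ports in its VLAN table entry
    addressed = set()    # interfaces carrying an IP address
    for menu, verb, args in parse_export(text):
        if menu == "/interface vlan" and verb == "add":
            vid_of[args["name"]] = int(args["vlan-id"])
        elif menu == "/interface ethernet switch vlan" and verb == "add":
            ports_of[int(args["vlan-id"])] = set(args["ports"].split(","))
        elif menu == "/ip address" and verb == "add":
            addressed.add(args["interface"])
    return sorted(vid for name, vid in vid_of.items()
                  if name in addressed and cpu_port not in ports_of.get(vid, set()))
```

Running vlans_missing_cpu_port(SAMPLE_EXPORT) on the excerpt returns [10], the VLAN the thread found unreachable until switch1-cpu was added; addresses on a bridge or physical port are ignored because they do not depend on a switch VLAN entry.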

Thank you for this info! :slight_smile: When I added switch1-cpu to vlan10 in the switch menu, I was able to hit the upstream router at its address on vlan10 and not only on vlan88, etc.

Going to add the mgmt IP to just the bridge interface, as I know the MikroTik bridge interfaces untag the traffic.