Proper VLAN switching on router?

Hi,

Advice is needed on how to configure the router in the following case:
The ISP provides IPTV on vlan6. But the STB is located after a switch; there is no possibility to connect the STB directly to the router.
The attached image contains the current configuration. I think this config is wrong because vlan6 is bridged; no hardware offload occurs in this case.
The proper solution would be to use switch chip features for vlan6 traffic. But I have encountered issues:

By setting vlan-filtering=yes for the bridge, the hardware offload sign H disappears from all of the ports on that bridge. This happens on RB951G (Atheros-8327), on CRS109 (QCA-8513L), as well as on CRS326 (Marvell-98DX3236). The wiki “Bridge Hardware Offloading” states that only the CRS3xx series switch chip is capable of VLAN filtering in the bridge. It is strange that CRS326 Marvell-98DX3236 still disables HW offload (tested with two bridges; maybe this is the reason). Anyway, this solution is not for me because I use RB951G.

According to the following wiki https://wiki.mikrotik.com/wiki/Manual:Switch_Router#VLAN_switching
I understand that this case can still be solved by the switch chip.
But the ether1-gw interface is not in the bridge because of routing. I assume: if a port is not in the bridge, no switching is possible on that port.
So, this is the dilemma: how to properly configure the router RB951G for vlan6 switching with HW offload; is it possible in this case?
Thanks for your opinion.
[Attachment: vlan6.jpg]

You can have a look at this nice VLAN article http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Correct.


The assumption is correct.


In your simple topology, you can completely offload VLAN handling from the bridge to the switch chip, as you don’t need any spanning tree protocol and other advanced L2 functionality.

With vlan-filtering=no, the bridge software doesn’t do tagging and untagging of frames in software. So the CPU port of the switch chip will be a “hybrid” one, where one VLAN, the “LAN” one, will flow tagless, and another one, the “WAN” one, will flow tagged. The switch chip will take care of the rest. Let’s say we use VLAN 2222 for WAN, and 6 for the IPTV.

Be sure to do the following with safe mode active (Ctrl-X on command line, or the [Safe mode] button on GUI). Remember that the safe mode is only valid for a single configuration interface, so you cannot do part of the commands using CLI and another part using GUI. Before starting, disconnect the cable from ether1 as you’ll be redoing the firewall.

/interface vlan add name=bridge.wan.2222 vlan-id=2222 interface=bridge

/interface ethernet switch vlan
add vlan-id=1 switch=switch1 ports=switch1-cpu,ether2,ether3,ether4,ether5
add vlan-id=6 switch=switch1 ports=ether1,ether2,ether3,ether4,ether5
add vlan-id=2222 switch=switch1 ports=ether1,switch1-cpu

/interface ethernet switch port
set [find (!(name=ether1))] default-vlan-id=1 vlan-mode=secure
set [find name=ether1] default-vlan-id=2222 vlan-mode=secure

/interface bridge port
add bridge=bridge interface=ether1 pvid=2222

/interface bridge vlan
add vlan-ids=1 bridge=bridge untagged=bridge,ether2,ether3,ether4,ether5
add vlan-ids=2222 bridge=bridge untagged=ether1 tagged=bridge

/interface bridge set bridge vlan-filtering=no

The pvid=2222 in /interface bridge port and the whole /interface bridge vlan section are there only to let it still work even if you set vlan-filtering on the bridge to yes again.

Next, replace ether1 by bridge.wan.2222 everywhere in the firewall rules and, if you use (in|out)-interface-list=WAN in firewall rules, also in the /interface list member list.

Last, move the WAN IP configuration (static or DHCP) from ether1 to bridge.wan.2222.

If you use /interface pppoe-client as WAN, you don’t need to modify the firewall rules and interface list, just change the carrier interface in /interface pppoe-client from ether1 to bridge.wan.2222.

Now you can connect the uplink cable back to ether1 and you should be up and running again.
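As an added illustration of the switch-chip table in the reply above (example code written here, not from the thread or from RouterOS), a small Python model that takes the VLAN table and per-port settings, reports which VLAN each port carries tagless and which tagged (so the “hybrid” switch1-cpu port becomes visible), and flags two lock-out conditions worth checking before committing: a port whose default-vlan-id it is not a member of, and a routed VLAN that does not include switch1-cpu. It assumes the usual 802.1Q reading of default-vlan-id (the PVID given to untagged ingress frames) and of vlan-mode=secure (frames whose VID the ingress port is not a member of are dropped); it does not model how any particular chip strips or adds tags on egress.

```python
# Constructed from the /interface ethernet switch vlan section of the reply.
SWITCH_VLANS = {
    1: {"switch1-cpu", "ether2", "ether3", "ether4", "ether5"},
    6: {"ether1", "ether2", "ether3", "ether4", "ether5"},
    2222: {"ether1", "switch1-cpu"},
}
# The port section: everything but ether1 (switch1-cpu included) gets PVID 1.
SWITCH_PORTS = {p: {"default-vlan-id": 1, "vlan-mode": "secure"}
                for p in ("ether2", "ether3", "ether4", "ether5", "switch1-cpu")}
SWITCH_PORTS["ether1"] = {"default-vlan-id": 2222, "vlan-mode": "secure"}
# VLANs that have an /interface vlan on the bridge (here bridge.wan.2222).
ROUTED_VLANS = {2222}


def port_view(vlans, ports):
    """Per port: the VID untagged frames land in (assumed: default-vlan-id
    is the PVID) and the VIDs the port must see tagged; both means hybrid."""
    view = {}
    for port, cfg in ports.items():
        members = {vid for vid, p in vlans.items() if port in p}
        pvid = cfg["default-vlan-id"]
        view[port] = {"untagged": pvid if pvid in members else None,
                      "tagged": sorted(members - {pvid})}
    return view


def lint(vlans, ports, routed, cpu="switch1-cpu"):
    """Lock-out checks to run before committing the table (assumed semantics:
    vlan-mode=secure drops frames whose VID the ingress port is not in)."""
    problems = []
    for port, cfg in ports.items():
        pvid = cfg["default-vlan-id"]
        if cfg["vlan-mode"] == "secure" and port not in vlans.get(pvid, set()):
            problems.append(f"{port}: default-vlan-id {pvid} but not a member of VLAN {pvid}")
    for vid in routed:
        if cpu not in vlans.get(vid, set()):
            problems.append(f"VLAN {vid} is routed on the bridge but {cpu} is not a member")
    return problems


if __name__ == "__main__":
    for port, v in sorted(port_view(SWITCH_VLANS, SWITCH_PORTS).items()):
        print(f"{port:12} untagged={v['untagged']} tagged={v['tagged']}")
    print(lint(SWITCH_VLANS, SWITCH_PORTS, ROUTED_VLANS) or "no lock-out problems")
```

Note that VLAN 6 deliberately has no switch1-cpu member, so the IPTV traffic never reaches the CPU; the lint only complains about that if you list 6 among the routed VLANs.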

By setting vlan-filtering=yes for bridge - hardware offload sign H disappears from all of ports on that bridge

Only CRS3xx series support HW offload in vlans…

Thanks for the quick reply.
The key factor is that a single VLAN6 (IPTV) is used in my case; WAN uses no VLAN.
@sindy:
Do you mean to say that bridge.wan.2222 is like a “fake” interface for routing, where in fact the 2222 tag is removed by the switch on port ether1 and on the bridge?
Finally, the ISP and LAN see no VLAN2222 tags at all? Did I understand correctly?

Yes.

Very smart solution :open_mouth:
Today I will test this approach on PROD. I will post a reply about the results later.
I think this sample is worth mentioning in the wiki, for example here: https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration
Thanks again.

Something is not OK. I took a hAP mini (Atheros-8227), reset it to blank, and loaded the following config:

/interface bridge
add name=bridge

/interface vlan
add interface=bridge name=bridge.wan.2222 vlan-id=2222

/interface ethernet switch port
set 0 default-vlan-id=2222 vlan-mode=secure
set 1 default-vlan-id=1 vlan-mode=secure
set 2 default-vlan-id=1 vlan-mode=secure

/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether1 pvid=2222

/interface bridge vlan
add bridge=bridge untagged=bridge,ether2,ether3 vlan-ids=1
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=2222

/interface ethernet switch vlan
add ports=switch1-cpu,ether2,ether3 switch=switch1 vlan-id=1
add ports=ether1,ether2,ether3 switch=switch1 vlan-id=6
add ports=ether1,switch1-cpu switch=switch1 vlan-id=2222

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge.wan.2222

Results:

  1. The DHCP client does not receive an offer on the bridge.wan.2222 interface.
  2. On another MikroTik (where the DHCP server is running), with torch I see the broadcast to 255.255.255.255:67 with VLAN 2222; this means the 2222 tag is not removed on ether1.

Trying to remove the VLAN header with:

/interface ethernet switch port
set 0 default-vlan-id=2222 vlan-header=always-strip vlan-mode=secure

But that didn’t help.

Update:
After /interface bridge set bridge vlan-filtering=yes
the DHCP client received an offer on the bridge.wan.2222 interface. But HW offload was disabled because of vlan-filtering=yes.
The tag 2222 was removed by the bridge; the switch does not remove this tag, unfortunately.

Any ideas?

The 8227 is wrong, it doesn’t support selective untagging on egress, so hybrid ports (one VLAN passing through tagless and others tagged) cannot be freely configured on it. You can have just a single VLAN tagless on all the hybrid ports, so you would have to set the WAN as the native VLAN of the bridge (because then you can keep vlan-header=leave-as-is at ether1 and switch1-cpu) and do LAN by means of /interface vlan. But migrating the LAN from native VLAN to another one is a tricky job, so it is best to remove one ethernet from the bridge, assign an own IP subnet to it, and do all the configuration through that port - and you’re still not safe from locking yourself out as you touch the switch chip’s switch1-cpu interface, so you still have to use safe mode. And with just three Ethernet interfaces in total, it requires a multi-step process:

  • first, while connected via ether3, make ether2 the management port as described above, and re-connect the management PC to it (maybe with Winbox connection via MAC address there is less space for locking yourself out but then you have to make sure that all your virtual and physical interfaces are on the /interface list permitting access for MAC access under /tool mac-server)
    then, set up an /interface vlan interface for the LAN subnet, e.g. with vlan-id=10, move the L3 configuration of the LAN (IP address and DHCP server) to it
    then, set up the vlan-header on ether3 to always-strip and set its default-vlan-id to 10
    then, make switch1-cpu and ether3 member ports of vlan 10 on the switch chip, and set their vlan-mode to secure. At this moment, you should be able to connect the PC to ether3, get an IP address via DHCP from there and continue the setup from there.
  • next, you make ether1 a member port of the bridge and set its vlan-mode in the switch settings to secure. If I remember well, you have to make switch1-cpu and ether1 member ports of VLAN 0, but maybe VLAN 1 will do as well. Nowhere to test right now.
  • next, attach the WAN L3 configuration to the bridge, and adjust the firewall. At this moment you should have internet access again.
  • now adding ether1 and ether2 as member ports to switch VLAN 6 (the IPTV one) and setting vlan-mode of ether2 to secure will make the IPTV VLAN flow tagged between these two ports
  • adding ether2 also as a member port to switch vlan 10 will make it available tagged on that port, so you can connect the CRS with a trunk port.

Thanks for the explanation;
it seems the attempts in the test lab with Atheros-8227 failed. I am going to configure directly on PROD with Atheros-8327. Keep in touch.

Can confirm: the script from post #3 is working on Atheros-8327.
I didn’t apply “/interface bridge vlan …”, because I am not going to use vlan-filtering in the bridge on this router.
I pasted the whole config at once via terminal; no disconnection occurred; the Winbox connection to the router was from the LAN.
After the changes the CPU load dropped to 0-3%, sometimes I see 5%.
@sindy: this is amazing, I could not have imagined such an elegant solution, thanks :slight_smile:

The solution we have developed in this thread requires two MikroTiks; the second MikroTik (CRS in the schema) is needed for removing the vlan6 tag.
I am curious how the ISP solved that with a single router, because if I order internet service from the ISP with their router (Technicolor TG789vacV2), it is allowed to plug the STB into any LAN port.
I know for sure that the STB itself is unable to do VLAN tagging. This indicates that vlan6 is not present in the LAN. Unfortunately I have no ISP router for analysis.
The first idea of how it could work is a MAC-based VLAN. Perhaps the Technicolor router contains a list of STB vendors’ MAC addresses with a mask.
Another idea: an IGMP proxy could be configured.
Do you have experience with such situations? Is it possible to solve this with a single MikroTik router, with the possibility to plug the STB into any port or to connect the STB after a non-managed switch? Thanks.