After spending a few hours following the documentation from here (https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#VLAN_Example_1_.28Trunk_and_Access_Ports.29) I was not able to connect my LAN (tagged VLAN) and WAN (untagged VLAN) on the same cable to the ether1 interface using the internal switch. I’m using a RouterBOARD 962UiGS-5HacT2HnT with firmware v6.42.1 and the default configuration generated by “Quick Set”. When I add an extra VLAN interface everything is working as expected, only that the CPU gets overloaded when I transfer some files, so I want to move this task directly to the QCA8337 switch by sending the frames of this VLAN directly to the local bridge (LAN). I will appreciate your help.
Please clarify. Are you forwarding packets between tagged LAN on ether1 and tagless LAN on some other port (i.e. the Mikrotik is switching or bridging these packets at L2), or are you forwarding packets between the WAN (tagless) and LAN (tagged) on the same ether1, so the Mikrotik is routing them between different L3 subnets?
OK, another reading in the morning confirms that what you want is really L2 wirespeed, no routing. Sorry, I was already asleep.
What you need to do is to make the switch and the bridge cooperate properly. To do so, you need to create one common bridge for both WAN and LAN, which will reflect the fact that you have a single switch for both.
But before doing that, unless you are an adrenaline addict, remove one LAN port from the switch and assign a separate IP address in a separate subnet to it so that you have a management connection while you’ll be rebuilding everything else. Then reconnect your management PC to that port and do the rest from there.
The advantage of QCA8337 is that it supports true hybrid ports, so you don’t need to use the ugly hack making tagless packets wander on your bridge like with ar8227.
So what you do in general:
create a common bridge to be used for both WAN and LAN, with vlan-filtering=no and protocol=none at least for the start, and with pvid=1
choose a free VLAN ID for the WAN subnet
create one /interface vlan for LAN and one for WAN on the same bridge
move the WAN and LAN IP configurations from their old interfaces (supposedly ether1 and bridge-lan) - static addresses, DHCP clients and/or servers, maybe even PPPoE clients… - to these new /interface vlan
modify your /interface list and firewall rules so that they follow these changes (add the new vlan interfaces to the corresponding lists and/or replace the references to old interfaces by references to the new ones in the firewall rules)
make all Ethernet interfaces except the management one member ports of the common bridge with pvid=1 under /interface bridge port
permit the two VLAN IDs (WAN, LAN) on the switch on all ports including the cpu one under /interface ethernet switch vlan
change the vlan-mode of all ports of the switch except the one you use for management and except the CPU port to secure under /interface ethernet switch port; while changing the vlan-mode of each port, set also its default-vlan: on ether1 to the VLAN ID of WAN and on all the other ports except the one you use for management to the VLAN ID of LAN.
Finally, you may reconnect the management PC to one of the LAN ports and align the management port settings with the LAN ports.
If you need configuration details, provide the VLAN IDs and the intended port roles - which will be WAN.access+LAN.tagged, which will be LAN.access, and which will be the management one.
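The steps above, written out as RouterOS 6.x CLI commands. This is an added illustration, not configuration posted by sindy or anyone else in the thread, and it fills in the things the steps leave open as assumptions: VLAN ID 10 for WAN and 20 for LAN (both placeholders; pick free IDs), ether1 as the WAN.access+LAN.tagged port, ether2-ether4 as LAN access ports, ether5 taken out of the switch as the temporary management port on 192.168.200.0/24, a new bridge named bridge1, and the default-configuration interface lists WAN and LAN that the firewall rules reference. The vlan-header setting of the switch ports is left at its default (leave-as-is); check the behaviour of your exact RouterOS build against the wiki page linked in the first post before relying on it.

```routeros
# Added example, not from the thread. All VLAN IDs, names and addresses are assumptions.
# 1. Management lifeline first: pull ether5 out of the bridge and the switch VLAN
#    setup and give it its own subnet, then do everything else from a PC on ether5.
/interface bridge port remove [find interface=ether5]
/interface ethernet switch port set ether5 vlan-mode=disabled
/ip address add address=192.168.200.1/24 interface=ether5 comment="temporary mgmt"

# 2. One common bridge for WAN and LAN. No VLAN filtering and no STP for now, pvid=1.
/interface bridge add name=bridge1 vlan-filtering=no protocol-mode=none pvid=1

# 3. One /interface vlan per VLAN the router itself must attach something to.
/interface vlan add name=vlan-wan interface=bridge1 vlan-id=10
/interface vlan add name=vlan-lan interface=bridge1 vlan-id=20

# 4. Move the L3 configuration to the new VLAN interfaces. Examples only: a DHCP
#    client on WAN (a PPPoE client would take interface=vlan-wan the same way),
#    the LAN address and the default DHCP server on vlan-lan.
/ip dhcp-client add interface=vlan-wan disabled=no
/ip address add address=192.168.88.1/24 interface=vlan-lan
/ip dhcp-server set [find] interface=vlan-lan
# The default firewall matches on interface lists, so updating the lists is enough.
/interface list member add list=WAN interface=vlan-wan
/interface list member add list=LAN interface=vlan-lan

# 5. Every switch port except the management one becomes a bridge port with pvid=1.
/interface bridge port add bridge=bridge1 interface=ether1 pvid=1
/interface bridge port add bridge=bridge1 interface=ether2 pvid=1
/interface bridge port add bridge=bridge1 interface=ether3 pvid=1
/interface bridge port add bridge=bridge1 interface=ether4 pvid=1

# 6. Permit both VLAN IDs on all switch ports, the CPU port included.
/interface ethernet switch vlan add switch=switch1 vlan-id=10 \
    ports=ether1,ether2,ether3,ether4,switch1-cpu
/interface ethernet switch vlan add switch=switch1 vlan-id=20 \
    ports=ether1,ether2,ether3,ether4,switch1-cpu

# 7. vlan-mode=secure with a per-port default VLAN: untagged frames on ether1 belong
#    to WAN, untagged frames on the LAN access ports belong to LAN. switch1-cpu and
#    the management port ether5 are left untouched.
/interface ethernet switch port set ether1 vlan-mode=secure default-vlan-id=10
/interface ethernet switch port set ether2,ether3,ether4 vlan-mode=secure default-vlan-id=20
```

Once the LAN ports work from the management PC's point of view (DHCP lease from vlan-lan, internet through vlan-wan), ether5 can be added to bridge1 with pvid=1, added to both switch VLAN entries and switched to vlan-mode=secure with default-vlan-id=20 like the other LAN ports, and the temporary 192.168.200.1/24 address removed.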
This is one very wise suggestion. When I was an MT greenhorn (compared to my current state of being an MT beginner) it took me around two weeks and around 50 factory resets to figure things out and stop locking myself out of management access. I wish I had started to follow this forum at least a few months before that.
Actually I have a very similar setup up and running and @sindy described the needed configuration steps marvelously.
Thanks for the tips. Just one more question. Currently I keep the WAN as an untagged VLAN on my switch and LAN as a tagged VLAN. Is it mandatory to move both to tagged VLANs?
permit the two VLAN IDs (WAN, LAN)
Maybe a stupid question, but if I fix the VLAN task at the QCA8337 switch level, do I still need to create the VLAN interfaces?
Sincerely, I don’t know because I don’t own any device with 8337. On 8227, you can use VLAN ID 0 to define on which ports of the switch tagless packets will be permitted and to let them get in without getting tagged on ingress (I actually suspect them to be tagged with VLAN ID 0 which makes the Mikrotik bridge handle them properly, because VLAN ID 0 is a value reserved for that purpose, i.e. to indicate that only the 802.1p priority field of the tag should be taken into account and otherwise the packet should be handled as a tagless one), but I have no clue whether the same approach would work on the 8337. If yes, you would make the /interface bridge itself the WAN interface, so you would attach the IP configuration to it, and only add one /interface vlan with the bridge as its carrier interface for the LAN.
Maybe a stupid question, but if I fix the VLAN task at the QCA8337 switch level, do I still need to create the VLAN interfaces?
Let’s say that the /interface vlan is there to extract the tagless part from the tagged packets because the L3 protocol stack (or, e.g., the PPPoE protocol stack) is unable to work with tagged packets. So you need one /interface vlan for each VLAN to which you want to attach something inside the router (IP configuration, PPPoE client, PPPoE server).
So as said, if you manage to explain to the 8337 that what comes tagless to ether1 should be forwarded tagless to the CPU, your WAN IP will be on the /interface bridge itself and your LAN IP will be on the /interface vlan, as you probably need the Mikrotik to be able to route between the two.
But if e.g. you would have another VLAN on ether1, like one for IPTV, and you would like to let the switch forward it to one of the other ports to which your TV set would be connected, you wouldn’t need any /interface vlan for this one, as you wouldn’t need the Mikrotik to access that VLAN.
I will provide more details, maybe I have a minor configuration issue and I don’t know. First, for me only ether1 and the WiFi interfaces are important, ether2-5 are not connected. On the switch where ether1 is connected I use an untagged VLAN for WAN (PPPoE connection) and VLAN 1 tagged for my LAN. The current setup is working with a VLAN interface created on ether1 and added to the bridge, but when I transfer data the CPU goes very high. When I set the VLAN mode to secure on ether1 the WAN connection goes down. However I went forward and tried to configure everything with the hope that VLAN 1 will be natively added to the bridge and there will be no CPU overload when I transfer data inside the LAN… but again no luck. I paste here my non-working configuration:
[admin@MikroTik] /interface ethernet switch> port print
Flags: I - invalid
 #   NAME          SWITCH    VLAN-MODE   VLAN-HEADER   DEFAULT-VLAN-ID
 0   ether1        switch1   secure      leave-as-is   auto
 1   ether2        switch1   disabled    leave-as-is   auto
 2   ether3        switch1   disabled    leave-as-is   auto
 3   ether4        switch1   disabled    leave-as-is   auto
 4   ether5        switch1   disabled    leave-as-is   auto
 5   switch1-cpu   switch1   secure      leave-as-is   auto
[admin@MikroTik] /interface ethernet switch> vlan print
Flags: X - disabled, I - invalid
 #   SWITCH    VLAN-ID   PORTS
 0   switch1   1         ether1
                         switch1-cpu
[admin@MikroTik] /interface bridge> print
Flags: X - disabled, R - running
 0 R ;;; defconf
     name="bridge" mtu=auto actual-mtu=1500 l2mtu=1598 arp=proxy-arp arp-timeout=auto
     mac-address=CC:2D:E0:31:E8:83 protocol-mode=none fast-forward=yes igmp-snooping=no
     auto-mac=no admin-mac=CC:2D:E0:31:E8:83 ageing-time=5m vlan-filtering=no
[admin@MikroTik] /interface bridge vlan> print
Flags: X - disabled, D - dynamic
 #   BRIDGE   VLAN-IDS   CURRENT-TAGGED   CURRENT-UNTAGGED
 0   bridge   1
[admin@MikroTik] /interface bridge> port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
 #       INTERFACE   BRIDGE   HW    PVID   PRIORITY   PATH-COST   INTERNAL-PATH-COST   HORIZON
 0 I H   ;;; defconf
         ether2      bridge   yes   1      0x80       10          10                   none
 1 I H   ;;; defconf
         ether3      bridge   yes   1      0x80       10          10                   none
 2 I H   ;;; defconf
         ether4      bridge   yes   1      0x80       10          10                   none
 3 I H   ;;; defconf
         ether5      bridge   yes   1      0x80       10          10                   none
 4 I     ;;; defconf
         sfp1        bridge   yes   1      0x80       10          10                   none
 5       ;;; defconf
         wlan1       bridge         1      0x80       10          10                   none
 6       ;;; defconf
         wlan2       bridge         1      0x80       10          10                   none
 7       LAN         bridge   yes   1      0x80       10          10                   none
That changes everything, as there is no direct path between the switch (sub)chip and the wireless (sub)chip; packets between the two are forwarded by the CPU.
So even if you manage to configure the switch chip the way you planned, your CPU will continue to choke on forwarding packets between the WLAN and the Ethernet.
So maybe rather than further losing your hair on this, go for hAP ac² or cAP ac which seem to have more effective CPU power available than hAP ac, and it seems that the initial problems with WiFi throughput have been resolved.
Mikrotik’s handling of VLAN ID 1 is a mystery alone, because if you set pvid=1 in /interface bridge port, tagless packets coming from outside through the port remain tagless on the bridge. So if you expect to have WAN tagless and LAN tagged with VLAN ID 1, I’m not sure it can ever work. But if it can, you would have to treat WAN as VLAN ID 0 as I’ve suggested, to keep it working with vlan-mode=secure - if the 8337 can work this way which I’m not sure about.
Just a technical remark: print shows the current status including the dynamically created items, while export shows the configuration. Often both are necessary.
So please post also the output of /export hide-sensitive (obfuscating eventual public IP addresses as hide-sensitive removes only passwords).
If I may jump into this conversation (again): I highly recommend NOT mixing tagged and untagged (or implicitly tagged) traffic on (inside of) ethernet ports. When I was trying to get my setup working, I suspect part of the problem was that I tried to use VLAN ID=1 on one of the ports. When I changed that VLAN ID to something else, everything worked just fine. And it kind of confuses me if there’s some untagged traffic over the bridge/switch chip where I enable VLANs. So I take care of that by explicitly using VLANs even for traffic that is tagless on every other device in my LAN.
I think we are in accord here; I only had to do that once, where the requirement was “untagged internet uplink and tagged IPTV on the same port of an 8227, and the IPTV has to be handed over tagless on another 8227 port by means of the 8227 alone, i.e. bypassing the CPU”. And as the 8227 doesn’t allow selectively untagging only one VLAN, I had to send the WAN packets tagless already from the bridge, which is the part @mariusmotea asked for as well.