I finally got rid of all my OpenWRT devices and have a Mikrotik-only network consisting of 3 hAP AC2s (managed via CAPsMAN) and an RB4011. I have PPPoE towards the ISP and would like to configure the RB4011 to allow 3 separate networks (internal, IoT, guest - separate IP subnets with corresponding wireless networks and some wired devices for internal & IoT) but at the same time keep the hardware offloading enabled.
I’ve spent a considerable amount of time reading the available documentation and the common layer 2 misconfigurations, but I don’t seem to be able to enable any of the VLAN-related functions on the switch (most likely because it’s a dumb switch), and when I enable bridge VLAN filtering, I lose hw offloading immediately. Can you recommend what would be the best way to have both VLANs and hardware offloading on the RB4011? Should I split the bridge into 2 (for the 2 switch chips) and use a cross-connect cable between ether5 & ether6? Or should I forget about VLANs on the RB4011 if I want the hw offloading capability and restrict access using e.g. firewall rules?
My intention is to keep a fast network and isolate systems between those 3 zones (but allow some traffic, e.g. from internal to IoT and vice versa). I can post configs if that helps, but I’m ok with configuring the rest of the thing (IPv6, VPN, etc.); I just can’t seem to get the bridge part right.
I don’t think you can have VLANs and hardware offloading at the same time on a 4011. The RTL8367 switch chips in there have no hardware support for VLAN filtering. I’d just configure the VLANs, live with the fact the CPU has to do the work, and see whether it’s fast enough. I don’t think using the firewall instead will win you anything.
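A bridge-VLAN-filtering configuration for the three zones the original post describes, added here as an example; it is not from the thread or from MikroTik's documentation. Port roles (ether2 internal wired, ether3 IoT wired, ether4 trunk to a CAPsMAN-managed hAP), VLAN IDs, subnets and the one-way internal-to-IoT policy are assumptions to adjust; as said above, enabling vlan-filtering on the RB4011 moves bridging to the CPU.

```routeros
# Added example, not from the thread; ports, VLAN IDs and subnets are assumed.
/interface bridge
add name=bridge vlan-filtering=no

/interface bridge port
# Access ports: untagged frames land in the zone VLAN; tagged frames are
# rejected at ingress so a host cannot inject itself into another VLAN.
add bridge=bridge interface=ether2 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether3 pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
# Trunk to the AP: only tagged frames for the three zone VLANs are admitted.
add bridge=bridge interface=ether4 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged
/interface bridge vlan
# "bridge" is listed as tagged so the router's own L3 VLAN interfaces work.
add bridge=bridge vlan-ids=10 tagged=bridge,ether4 untagged=ether2
add bridge=bridge vlan-ids=20 tagged=bridge,ether4 untagged=ether3
add bridge=bridge vlan-ids=30 tagged=bridge,ether4

/interface vlan
add name=vlan10-internal interface=bridge vlan-id=10
add name=vlan20-iot interface=bridge vlan-id=20
add name=vlan30-guest interface=bridge vlan-id=30
/ip address
add address=192.168.10.1/24 interface=vlan10-internal
add address=192.168.20.1/24 interface=vlan20-iot
add address=192.168.30.1/24 interface=vlan30-guest
/interface list
add name=LAN
/interface list member
add list=LAN interface=vlan10-internal
add list=LAN interface=vlan20-iot
add list=LAN interface=vlan30-guest

/ip firewall filter
# Zone policy: internal may open connections to IoT (replies come back via
# established,related); all other inter-VLAN traffic is dropped. Internet-
# bound traffic falls through to the existing WAN/NAT rules (assumed present).
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept connection-state=new \
    in-interface=vlan10-internal out-interface=vlan20-iot comment="internal -> IoT"
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN \
    comment="isolate zones"

# Enable last, once the vlan table is complete: from here on the CPU bridges
# (no hardware offload on the RB4011 switch chips).
/interface bridge
set [ find name=bridge ] vlan-filtering=yes
```

Apply it from a safe-mode session or with a management VLAN entry added first, since a missing tagged entry for the port you are connected through locks you out the moment vlan-filtering is switched on.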
I don’t think it matters. You just have to take into consideration that the two switch chips only have a 2.5Gbps uplink to the CPU, so that if you have to rely on the CPU to do the work, the switch chips are 2:1 oversubscribed, whereas they are wire speed with hardware offload active for traffic that stays on the same switch chip (local switching).
The SoC is supposed to be able to do 7.5Gbps, so it should be able to handle the 2 x 2.5G chip uplinks at full speed.
Disabling STP/RSTP isn’t a concern because I have a simple network setup; I was more interested in figuring out if it’s possible to somehow have the best of both worlds (VLAN & hw offload) by messing around with the bridge settings. Seems like it’s not.