I’m trying to create a hybrid port that can take tagged and untagged traffic.
So, let’s say I want untagged traffic and VLAN 100 only.
According to the wiki, what I need to do is:
1.) Set the CPU and switch port to “Secure” or “Check” (Fall Back scares me).
2.) Create two entries in the VLAN table: one for VLAN 0 and one for VLAN 100 (both authorizing the CPU and physical port).
So, when I test with VLAN disabled, everything is fine.
As soon as I switch it to “Secure” or “Check”, I can pass no traffic.
If I fire up Torch, I receive no traffic, even though I am continually pinging the interface.
This indicates to me it’s strictly a switch chip issue at this point.
I have tried this on both switch chips.
The odd thing is, if I allow VLAN 1, I will see incoming ARP traffic on it.
Though, even if I create a VLAN interface and address it, I only receive incoming ARP traffic.
Any thoughts, comments or suggestions are greatly appreciated.
I have exactly the same issue. Sadly there has been no response to this post for several months.
Note: Fall Back was the default entry before it was changed to disabled recently.
Default untagged VLAN is 1, not 0. VLAN 0 is an invalid VLAN ID.
VLAN identifier (VID): a 12-bit field specifying the VLAN to which the frame belongs. The hexadecimal values of 0x000 and 0xFFF are reserved. All other values may be used as VLAN identifiers, allowing up to 4,094 VLANs. The reserved value 0x000 indicates that the frame does not carry a VLAN ID; in this case, the 802.1Q tag specifies only a priority and is referred to as a priority tag. On bridges, VID 0x001 (the default VLAN ID) is often reserved for a management VLAN; this is vendor-specific. The VID value 0xFFF is reserved for implementation use; it must not be configured or transmitted. 0xFFF can be used to indicate a wildcard match in management operations or filtering database entries.[7]
check - drop packets with a VLAN tag that is not present in the VLAN table. Packets with VLAN tags that are present in the VLAN table, but whose incoming port does not match any port in the VLAN table entry, do not get dropped.
I set this on my internet-facing interface, and it went offline. This dropped all the traffic.
I guess my main issue is I find this explanation very confusing. My internet-facing interface has no VLAN tagging going on, so should it pass traffic with “check” enabled or not? Maybe I’m missing the context of “vlan tag”? Is this an internal VLAN tag that I can’t see?
My goal in this is to drop any packet (frame?) that attempts to come into my internet-facing interface with a VLAN tag, because I consider that a hack attempt. If someone can guess what VLANs I am using, then this packet should be dropped, right? Not all traffic? I don’t know.
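The switch-chip behaviour the two posts above are circling around, shown as an added configuration example (it is not from this thread or from the MikroTik wiki): an untagged frame entering a port is given that port's default-vlan-id as its internal VLAN before the VLAN table is consulted, and per 802.1Q a priority-tagged frame (VID 0) is treated the same way. With vlan-mode set to check or secure, the table must therefore contain that VLAN with the port as a member, or the untagged traffic is dropped along with everything else, which is the "went offline" symptom. Interface and switch names (ether1, switch1, switch1-cpu) and VLAN 1 as the untagged VLAN are assumptions; the chip is assumed to be one of the QCA8337/AR8327 family named later in the thread.

```routeros
# Added example, not from the thread. Assumed layout: ether1 is the internet-facing
# port on switch chip "switch1", whose CPU port is "switch1-cpu".
# Untagged (and priority-tagged, VID 0) frames arriving on ether1 are assigned
# default-vlan-id (1) before the VLAN table lookup, so VLAN 1 must be in the
# table with ether1 and switch1-cpu as members; otherwise check/secure drop all of it.
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=always-strip default-vlan-id=1
set switch1-cpu vlan-mode=secure vlan-header=leave-as-is default-vlan-id=1
/interface ethernet switch vlan
add switch=switch1 vlan-id=1 ports=ether1,switch1-cpu comment="untagged WAN"

# Ingress results on ether1 with only this table entry (check and secure behave alike):
#   untagged frame            -> VLAN 1, entry exists, ether1 is a member -> forwarded
#   tagged VID 1              -> VLAN 1, entry exists, ether1 is a member -> forwarded
#   tagged VID 100            -> no VLAN 100 entry                         -> dropped
# If a LAN VLAN is later added without ether1 as a member, for example
#   add switch=switch1 vlan-id=100 ports=ether2,switch1-cpu
# then a frame tagged VID 100 arriving on ether1 finds an entry but ether1 is
# not a member: secure drops it, check forwards it. Secure is the mode that
# matches the "drop anything tagged with a guessed VLAN" goal.
```

The vlan-header=always-strip on ether1 only matters on chips that honour it; a later post in this thread notes that on QCA8337/AR8327 secure mode ignores vlan-header, and on those chips egress in the port's default VLAN leaves untagged anyway, so the setting is harmless there but not what decides the result.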
Not sure if it’s because I upgraded to 6.41 or used another VLAN ID (64 instead of 0 or 1), but I could manage tagged and untagged traffic more easily once I added VLAN 64 to the table on all ports, with all ports (including switch-cpu) on secure + default-vlan-id=64 + always strip.
That is, VLAN 64 as the default untagged VLAN everywhere.
Then I could change one port’s default-vlan-id to something else (like 100) for it to be untagged on that port and tagged on the others listed in the VLAN table for VLAN 100.
If it can help others, I figured out my main issue. Not the firmware, not the VLAN ID, just that hybrid ports (that is, managing both tagged and untagged VLANs) are not supported on all routers. The router won’t complain or say anything about that; it will just silently fail.
As per the wiki about hybrid ports, only QCA8337 and AR8327 switch chips can do it. As per the table at the top of that page, one of the routers I was using for my tests supported it (Hex PoE) but not the other (Hex PoE lite)…
Moreover, on these routers, as per the wiki, when “vlan-mode=secure” it ignores the switch port “vlan-header” options. I think the router should then complain when you configure something it’ll just ignore…
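The recipe from the last two posts (VLAN 64 untagged everywhere, one port's default-vlan-id moved to 100 so it is untagged there and tagged elsewhere) written out as an added example for a QCA8337/AR8327 board; this is not the thread's or the wiki's own configuration. It assumes ether2..ether4 sit on switch1 with ether2 as the pre-6.41 master port, ether2 as the hybrid port (64 untagged, 100 tagged), ether3 as an access port for VLAN 100, and ether4 as a tagged-only trunk. The rule that, in secure mode on these chips, egress traffic in the port's default VLAN leaves untagged and everything else leaves tagged is taken from the posts above (vlan-header is ignored there); the unused VLAN ID 4000 on the trunk is my own choice, not something the thread prescribes.

```routeros
# Added example, not from the thread. Assumes a QCA8337/AR8327 switch chip named
# "switch1" (CPU port "switch1-cpu"): these are the only chips the wiki lists as
# supporting hybrid ports, so on other chips this silently does nothing useful.
# Pre-6.41 switch grouping (in 6.41+ the ports go into a bridge with hardware
# offloading instead, and the VLAN interface sits on the bridge):
/interface ethernet
set ether3 master-port=ether2
set ether4 master-port=ether2
/interface ethernet switch port
# ether2: hybrid. Untagged ingress -> VLAN 64; egress in VLAN 64 leaves untagged,
# VLAN 100 leaves tagged (secure mode ignores vlan-header on these chips).
set ether2 vlan-mode=secure default-vlan-id=64
# ether3: access port, VLAN 100 only, untagged on the wire.
set ether3 vlan-mode=secure default-vlan-id=100
# ether4: tagged-only trunk. default-vlan-id points at a VLAN that is NOT in the
# table, so untagged frames arriving on the trunk are dropped in secure mode
# instead of silently landing in VLAN 64. 4000 is an assumed unused ID.
set ether4 vlan-mode=secure default-vlan-id=4000
# CPU port: management rides VLAN 64 untagged; VLAN 100 reaches the CPU tagged.
set switch1-cpu vlan-mode=secure default-vlan-id=64
/interface ethernet switch vlan
add switch=switch1 vlan-id=64  ports=ether2,ether4,switch1-cpu
add switch=switch1 vlan-id=100 ports=ether2,ether3,ether4,switch1-cpu
# VLAN 100 arrives at the CPU tagged on the master port, so terminate it there.
/interface vlan
add name=vlan100 interface=ether2 vlan-id=100
```

A quick check that the hybrid behaviour is actually in effect on your chip: send tagged VID 100 traffic into ether2 and watch it with Torch on vlan100, and send untagged traffic into ether2 and watch it on the master port. If one direction shows nothing even though the VLAN table is correct, you are on one of the chips the wiki does not list for hybrid ports, and the router will not tell you.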
Yes, I noticed that too. I was converting a complicated setup to the new 6.41 bridging on my RB2011, which has 2 switch chips.
On ports 1-5, which use the Atheros8327, things went pretty well, but on ports 6-10, which use an Atheros8227, I had strange issues.
Interestingly, it works just fine when you configure independent ports (no master-port) with both untagged and tagged VLAN subinterfaces on versions up to 6.40, but it fails when trying to convert that configuration to a “switched” config with one master port with all the VLANs on it and different switch ports with different tagged and untagged VLANs. However, when doing that same config in the new 6.41 VLAN-aware bridge it fails as well.
It is a little confusing. I always sort of assumed that the configuration of independent ports is just silently transformed into a VLAN+switching config by the router. I.e. when you configure ether10 as an independent port without VLAN, it silently creates some VLAN of which ether10 is an untagged member and the CPU port is a tagged member, and puts a VLAN subinterface on the CPU port, and that is what you as the user consider to be ether10. However, when doing it manually that way, it does not work correctly. Strange…
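For comparison with the switch-chip recipe earlier in the thread, here is the same port layout expressed with the 6.41 VLAN-aware bridge that the post above was converting to. This is an added example, not the poster's configuration and not something the thread says works on the Atheros8227; the bridge does its VLAN work independently of the switch chip, which is exactly the point. It assumes a bridge named bridge1, ether2 as the hybrid port (VLAN 64 untagged, VLAN 100 tagged), ether3 as an access port for VLAN 100, ether4 as a tagged-only trunk, and management on VLAN 64; all of those names and IDs are assumptions.

```routeros
# Added example, not from the thread. RouterOS 6.41 bridge VLAN filtering version
# of the hybrid-port layout; names and VLAN IDs are assumptions.
/interface bridge
# Create the bridge with filtering OFF and turn it on last, after the port and
# VLAN membership below exist; enabling it first cuts off the management path.
add name=bridge1 vlan-filtering=no
/interface bridge port
# pvid = VLAN assigned to untagged ingress. ingress-filtering=yes drops tagged
# frames for VLANs the port is not a member of (the switch chip's "secure").
add bridge=bridge1 interface=ether2 pvid=64  ingress-filtering=yes
# Access port: refuse anything carrying a real VLAN tag.
add bridge=bridge1 interface=ether3 pvid=100 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
# Trunk: refuse untagged frames instead of silently assigning them a pvid.
add bridge=bridge1 interface=ether4 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged
/interface bridge vlan
# "bridge1" in a member list is the CPU port. untagged= members send and
# receive the VLAN without a tag, tagged= members with an 802.1Q header.
add bridge=bridge1 vlan-ids=64  untagged=ether2,bridge1 tagged=ether4
add bridge=bridge1 vlan-ids=100 untagged=ether3 tagged=ether2,ether4,bridge1
/interface vlan
add name=vlan100 interface=bridge1 vlan-id=100
/interface bridge
# The bridge's own pvid is the VLAN for untagged traffic to and from the CPU.
set bridge1 pvid=64 vlan-filtering=yes
```

Two things to check after enabling it: /interface bridge port print shows an H flag on ports that are still hardware-offloaded, and as I understand the 6.41 release notes only the CRS3xx kept offloading with vlan-filtering=yes at that version, so on an RB2011 the bridge switches these VLANs on the CPU (correct, but slower than the switch chip); and /interface bridge vlan print should list every port in a VLAN you expect it to carry, since a port missing from a vlan-ids entry is dropped by ingress-filtering with no log message, which looks just like the silent failure described in this thread.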