Hi MTs,
I have some devices such as the hEX PoE, which don’t support Bridge VLAN Filtering but the Switch Chip support Vlam tabel.
I wonder how to maintain wire-speed hardware VLAN switching between the Switch Chip connected ports and still doing software VLAN switching between the Switch Chip and the SFP-Port via the CPU.
Most likely, the picture attach tells it better what I want to achieve:
thx
stefan
Use a bridge with vlan-filtering=no. You can configure specific VLANs on the hardware-offloaded ports ether1-ether5, however the software bridged ports will pass all tagged and untagged traffic.
You can restrict VLANs between the switch chip and the software bridge by configuring the switch1 cpu switch port, however the one thing you cannot do is exclude a VLAN to/from the SFP port if said VLAN is required by the Mikrotik itself to provide any services.
The ancient way of doing it is to use “one bridge per VLAN” approach. In modern ROS versions that’s on top of bridge spanning switch ports.
Example for two VLANs (and skipping the switch chip setup needed to set up VLANs on RJ45 ports):
/interface bridge
add name=bridge-ethernet
add name=bridge-v100
add name=bridge-v200
/interface vlan
add interface=bridge-ethernet name=be-v100 vlan-id=100
add interface=bridge-ethernet name=be-v200 vlan-id=200
add interface=sfp1 name=sfp-v100 vlan-id=100
add interface=sfp1 name=sfp-v200 vlan-id=200
/interface bridge port
add bridge=bridge-ethernet interface=ether1
add bridge=bridge-ethernet interface=ether2
add bridge=bridge-ethernet interface=ether3
add bridge=bridge-ethernet interface=ether4
add bridge=bridge-ethernet interface=ether5
add bridge=bridge-v100 interface=be-v100
add bridge=bridge-v100 interface=sfp-v100
add bridge=bridge-v200 interface=be-v200
add bridge=bridge-v200 interface=sfp-v200
If hEX PoE has to interact with any of VLANs, use interfaces bridge-v100 and bridge-v200 (as you surely know, each bridge implicitly contains also port with same name, its functionality is similar to switch1-cpu port on switch chip).
The “bridge per vlan” approach avoids problems mentioned by @tdw.
don’t be surprised if you have trouble combining hardware switch with software bridge
hex poe can sustain up to 600-700 mbps internet traffic using pure software bridging (using CPU)
please do not use vlan as a bridge port, is a bad practice
Is there any other way of using switch chip to deal with VLANs on RJ45 ports and use SFP port as VLAN-aware port bridged to RJ45 ports at the same time?
You’re right that using VLAN bridges can potentially cause some problems and OP should be aware of them. It’s up to OP to decide, whether performance drop/boost is worth of complication (compared to using single bridge with vlan-filtering enabled and switch chip setup removed).
Radical solutions available if you have a spare copper port:
Swap the fiber run for a copper one.
If the uplink must be fiber, interpose a cheap SFP to 1000Base-T media converter.
Either way, the current fiber traffic now goes thru the switch chip.
Hey,
I say wow, these answers came very quickly, did not expect that. Thank you very much.
I need some silent hours to process and read the written and referenced content.
I’ll try to explain what I understand as separated answer as different things are mentioned here
just double-checking, so you saying follow Other devices with a built-in switch chip - Basic VLAN switching - RouterOS - MikroTik Documentation but add
/interface bridge port
add bridge=bridge1 interface=sfp1 frame-types=admit-only-vlan-tagged
?
.
Let’s assume only ether1 and ether2 are in use other ports are switched off, so I would do:
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/interface bridge port
add bridge=bridge1 interface=sfp1 frame-types=admit-only-vlan-tagged
/interface ethernet switch vlan
add ports=ether1,switch1-cpu switch=switch1 vlan-id=10
add ports=ether2,switch1-cpu switch=switch1 vlan-id=20
/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT
/ip address
add address=192.168.99.1/24 interface=MGMT
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=always-strip default-vlan-id=10
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=20
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=99
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure
If want to be able to configure it locally using a copper cable I add
/interface ethernet switch vlan
add ports=ether3,switch1-cpu switch=switch1 vlan-id=99
/interface ethernet switch vlan
add ports=ether3,switch1-cpu switch=switch1 vlan-id=99
.
.
The SPF is the uplink so I expect only allowed VLANs are sent from the uplink to the SFP.
I’m correctly understanding that you are saying I cannot add the following to the configuration above?
/interface bridge vlan
add bridge=bridge1 tagged=sfp1 vlan-ids=10
add bridge=bridge1 tagged=sfp1 vlan-ids=20
add bridge=bridge1 tagged=sfp1 vlan-ids=99
/interface bridge
set bridge1 vlan-filtering=yes
space is very rare but I might be able to supply the connected APs with an external power supply in a not to far feature, So I could replace it by an hEX S
Doing so depends if the limit will be hit at all:
.
.
but my setup does not contain any loops, my network topology is 100% cascading. The structure of VLAN on a bridge in a bridge - Layer2 misconfiguration - RouterOS - MikroTik Documentation would be closer but still different but the sketch helps quite a lot to understand the configuration given by mkx 
.
As I understood most issues are related to the fact, that frames are sent tagged but should be untagged to be compliant with international standards.
That would have to be extended by the Switch-Chip-VLAN-Switch as per Other devices with a built-in switch chip - Basic VLAN switching - RouterOS - MikroTik Documentation but replacing bridge1 by bridge-ethernet , wouldn’t it?
I rewrote you configuration to make easier to understand (for me):
#VLAN 100 FROM/TO SFP
/interface bridge
add name=bridge-v100
/interface vlan
add interface=sfp1 name=sfp-v100 vlan-id=100
/interface bridge port
add bridge=bridge-v100 interface=be-v100
add bridge=bridge-v100 interface=sfp-v100
#VLAN 200 FROM/TO SFP
/interface bridge
add name=bridge-v100
/interface vlan
add interface=sfp1 name=sfp-v200 vlan-id=200
/interface bridge port
add bridge=bridge-v200 interface=be-v200
add bridge=bridge-v200 interface=sfp-v200
#ETHERNET BRDIGE AS PER DOCUMENTATION
/interface bridge
add name=bridge-ethernet
/interface vlan
add interface=bridge-ethernet name=be-v100 vlan-id=100
add interface=bridge-ethernet name=be-v200 vlan-id=200
/interface bridge port
add bridge=bridge-ethernet interface=ether1
add bridge=bridge-ethernet interface=ether2
add bridge=bridge-ethernet interface=ether3
add bridge=bridge-ethernet interface=ether4
add bridge=bridge-ethernet interface=ether5
What you do here is basically “softwiring” port to port. The is a “softwire” per VLAN.
The sketch most likely may explain it better.
I cannot find that much documentation on this approach as Bridge-VLAN-Filtering is always recommended (for good reason).
In this configuration ROS switches frames according to the 802.1Q tag to the corresponding VLAN interface, doesn’t it?
If an interface does not exist, the frame is dropped.
(Just) for curiosity, how would I handle untagged frames?
The sketch represents the config great.
You don’t find any documentation about this way of configuring things because the bridge with vlan-filtering is here since years ago … IIRC it was 6.40 that brought VLAN-aware bridge making shown config method disadvised (to put it mildly). Previously this was tge only way of doing VLANs on anything apart from switch chip and even then there existed devices without switch chip (e.g. CCR1xxx devices except early CCR1009 model). Using vlan-filtering on bridge is much more elegant and simplifies configuration.
The way vlan interface works is the following: one creates vlan interface with command /interface vlan add interface= name= vlan-id= and has two ends; the tagged end (the red part) and untagged one (the green part). When tagged end sees frame, tagged with correct VID, it takes frame, strips the VLAN header and ejects it on untagged end. It ignores frames with wrong VID. In the other direction, it takes frame on the untagged end, adds VLAN header with configured VID and spits it out on tagged end. The underlying interface is (or can be) completely VLAN-unaware.
The problem with untagged frames is that AFAIK there isn’t an interface that only accepts untagged frames so you can’t construct anything analogous to bridge-per-vlan. Hybrid interface can be used directly for L3 because L3 can only work with untagged frames (and ignores tagged ones) but I don’t think you can bridge them without creating a bypass for tagged frames.
Reagrding post #9:
Setting frame-types= and the defintions in /interface bridge vlan have no effect when the bridge has vlan-filtering=no.
As noted in the documentation “On QCA8337 and Atheros8327 switch chips, a default vlan-header=leave-as-is property should be used. The switch chip will determine which ports are access ports by using the default-vlan-id property. The default-vlan-id should only be used on access/hybrid ports to specify which VLAN the untagged ingress traffic is assigned to.”
You cannot set vlan-filtering=yes as this is what disables the hardware offload to the switch chip, the results of mixing a VLAN-aware bridge and configuring the switch chip is not defined.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=sfp1
/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT
/interface ethernet switch port
set ether1 vlan-header=leave-as-is vlan-mode=secure default-vlan-id=10
set ether2 vlan-header=leave-as-is vlan-mode=secure default-vlan-id=20
set ether3 vlan-header=leave-as-is vlan-mode=secure default-vlan-id=99
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure
/interface ethernet switch vlan
add ports=ether1,switch1-cpu switch=switch1 vlan-id=10
add ports=ether2,switch1-cpu switch=switch1 vlan-id=20
add ports=ether3,switch1-cpu switch=switch1 vlan-id=99
/ip address
add address=192.168.99.1/24 interface=MGMT
gives:
ether1 - VLAN 10 untagged
ether2 - VLAN 20 untagged
ether3 - VLAN 99 untagged
sfp1 - VLAN 10,20,99 tagged
and the Mikrotik is accessible on VLAN 99 with address 192.168.99.1
thx a lot for the configuration you wrote down my thoughts 
Now we have a best practice sample.
Would be great to see that in official help as well.
thx for all the details explanation. I would like to continue the clarification as it could be useful in certain scenarios although challenging to manage if the amount of VLAN increases significantly.
.
.
added to the sketch:
but the configuration discussed here would not cause problems as described in Layer2 misconfiguration - RouterOS - MikroTik Documentation, wouldn’t it?
The VLAN tagged/untagged is simple&controlled (only between VLAN interfaces) and is only point2point (interface2interface), like a VLAN-aware patch cable.
.
.
Is there an interface besides the VLAN interface what is VLAN-aware?
In the case of “vlan-filtering on bridge” it is the vlan-filtering what makes the interface VLAN-aware.
.
.
by assigning an IP to a hardware Interface and than route it?
.
.
bypass is bridge-v100 bridge-200?
.
.
could be handled by creating a “PVID=1-VLAN-Interface” like in sketch below?
why can I not just create a second software bridge with active VLAN-filtering
Just a few comments:
the “bridge per vlan” certainly does have a few shortcomings. Whether they will cause problems for your particular use case or not … is up to dilligent examination. And many of potential problems also depend on equipment connected to your device, some can trip the problem, some can survive.
Legacy wireless drivers (as opposed to the new wifiwave2 drivers) take parameters to deal with vlan tags (vlan-mode and vlan-id) … if configured thus, nowdays such wifi interface had to be set as tagged port member of bridge.
Example of problems with hybrid setup: let’s say you have two hybrid ports, sfp1 and sfp2. Sfp1 has untagged snd tagged vlans 10 and 20. Sfp2 has untagged and tagged vlan 10 (but not vlan 20). If you bridge both ports with a bridge directly (because you want to bridge the untagged frames), also tagged frames will pass via this bridge. The vlan bridges will be selective due to using vlan interfaces between interfaces and corresponding bridges. And besides, this kind of solution would be wrong because physicsl interface can either be bridge port or can be used as anchor for vlan interfaces (etc.), but not both, so your diagram with bridge-v1 spanning sfp1 and be-v1 is not valid.
You can’t connect things as per last diagram, because be-v100 and be-v200 are connected to bridge with untagged ends.
alright
.
.
that happens dynamically anyway if VLAN is used
/interface wireless
... vlan-id=111 vlan-mode=use-tag
.
.
.
ok, thx was curious if it could optimize
Thought of a theoretical case like
or my hAP ac3 where I want to at wire-speed between ports but wondered how to get the WLAN interfaces included:
but that is answered now 
There are two ways to do it with vlan-enabled bridge:
/interface wireless
set [ find name=wlan1 ] vlan-mode=no-tag
/interface bridge port
add bridge=bridge interface=wlan1 frame-types=admit-only-untagged-and-priority-tagged pvid=666
/interface bridge vlan
set [ find vlan-id=666 ] untagged=wlan1<,rest_of_untagged_ports>
/interface wireless
set [ find name=wlan1 ] vlan-mode=use-tag vlan-id=666
/interface bridge port
add bridge=bridge interface=wlan1 frame-types=admit-only-vlan-tagged
/interface bridge vlan
set [ find vlan-id=666 ] tagged=wlan1<,rest_of_tagged_ports>
The way #1 is onky possible with vlan-filtering enabled on bridge. The way #2 is also possible if bridge doesn’t do anything about vlans which was up to ROS version 6.40 or there about.
The way #1 is the contemporary way of doing it, wifiwave2 drivers don’t support tagging any more so I guess with time #2 will be gone.
However, on my audience running 7.2 the working config is #3:
/interface/wifiwave2
# nothing here, wifiwave2 drivers don't have any vlan-related settings
/interface bridge port
add bridge=bridge interface=wifi1 frame-types=admit-only-vlan-tagged pvid=666
/interface bridge vlan
set [ find vlan-id=666 ] tagged=wlan1<,rest_of_tagged_ports>
It doesn’t work without pvid set on bridge port. And doesn’t work if frame-types=admit-only-untagged-and-priority-tagged pvid=666 on bridge/port and wifi1 made member of untagged ports members of corresponding vlan. VLAN setup for ether ports work according to expectations. I’ve open a support ticket and waiting patiently for any kind of response.
it is a shame that #2 is not supported by wifiwave2 as that is the only option to allow hardware vlan switching through the switch chip and including the WLAN interfaces to the corresponding bridge (in case of e.g. hAP ac3)
I hope that more switch chip types will receive HW offload from bridge. Just like RTL8367 and MT7621 did with ROS 7.1. As most wifiwave2 devices currently run off QCA wifi chips, I guess that HW offload to AR8327/QCA8337 would solve the problem you mentioned.