VLAN and switch HW acceleration

Sorry for the long and complicated question(s). Maybe it also shows that I have no clue what I am doing :slight_smile:.

So, I have an RB2011 with 2 switch chips, the first is an Atheros 8327 (ports 1-5). I have a complex set-up with three VLANs (private, guest and device management). I have two WLANs also on the RB2011 (the real physical one is the private and a virtual one is the guest WiFi). The ports 1-5 are used for various purposes: the WAN, an access port (a server directly connected), a trunk (the three VLANs going tagged to another, smaller router) and a hybrid port (going to an access point with tagged private and guest VLANs and untagged device management VLAN). All VLAN stuff is done in one (and currently only) bridge, having only ports 1-5 and the 2 WLANs connected to it. (Ports 6-10 I use for other dedicated purposes and I will not confuse you with those details.)

It works/worked almost perfectly.

When there is more traffic in-house or outside, then - as everything is done by the bridge SW - there are packet losses, and 100% CPU usage. So I tried to do HW acceleration with partial success.

  • I switched off VLAN Filtering on the bridge (as I read it is a must). Still the ports connected have PVID set (the option is there in Bridge/Ports, not greyed out, etc.). I have the feeling that that does not matter when the overall bridge VLAN filtering is switched off. I think that VLAN tags are not added to traffic, neither on the physical ports (access port and hybrid port) nor on the WiFi access points. I do not get an IP on any of them. Q1: Does the PVID setting on bridge/port matter at all when VLAN filtering is off on the bridge?

  • I also tried to set VLAN details for the Switch1 as I read, adding VLANs to ports ether2-5 (Switch/Vlan) and setting the default VLAN under Switch/Port. As it is a 8327 chip, I read that the Header must be left “leave as is” and I only played around with the four options in VLAN mode, but I could not make the access point and the hybrid port work. (The trunk port works well with all the VLANs on it). Q2: Which VLAN mode shall I set in this case to get untagged incoming packets tagged and outgoing tagged packets untagged?

  • Even if I could make the ether ports work with the switch chip I still do not see how to make the WiFi work. The only option I can think of is to remove the WiFi from the bridge, and make a separate bridge for the WLANs. The problem is how to use the same VLAN on two bridges? In Interfaces/VLAN every VLAN has a parameter called interface, but I do not see how to connect a VLAN to both bridges. So, I could make two sets of VLANs with the same VLAN id and connect them to the two bridges respectively. Then the next problem is that a DHCP server can only be connected to one interface, so probably I would need to duplicate all the DHCP servers as well. But then I still want e.g. the two guest DHCP servers to give IPs from the same range. I know it is possible to add one pool to two servers, but I have never tried it. Q3: Is it possible the way I wrote it; isn’t there an easier option?

As a result of this set-up, for the time being only the trunks and the tagged VLANs of the hybrid port work, but the untagged VLAN of the hybrid port, the access port and the RB2011 WiFi do not. The good news is that the CPU usage dropped and there is no packet loss.

  • Now I would also like to use the HW acceleration on the WAN, but if I add ether1 to the bridge, I have an issue (no communication on ether1 at all). It is by nature an access port with no VLAN tag. Q4: What shall I add to the Switch parameters to make it work?

Thanks,

(P.S. I do not attach my configuration as it is large and messy, so I would appreciate some hints more than concrete bug fixing.)

No, as soon as you set vlan-filtering=no, all other VLAN related settings get ignored. That includes pvid and everything under /interface bridge vlan.


On my RB951G, which features a single AR8327, this setup works just fine:

/interface ethernet switch port
set 0 vlan-mode=secure
set 1 default-vlan-id=40 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=42 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=42 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=42 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,ether1-trunk switch=switch1 vlan-id=99
add independent-learning=yes ports=switch1-cpu,ether1-trunk,ether3,ether4,ether5 switch=switch1 \
    vlan-id=42
add independent-learning=yes ports=switch1-cpu,ether1-trunk switch=switch1 vlan-id=41
add independent-learning=yes ports=ether1-trunk,ether2 switch=switch1 vlan-id=3999
add independent-learning=yes ports=ether1-trunk,ether2 switch=switch1 vlan-id=40
add independent-learning=yes ports=ether1-trunk switch=switch1 vlan-id=2

ether1 is trunk, passing VLANs 2,40,41,42,99 and 3999 (all tagged). ether2 is a hybrid port, tagged for 3999 and access port for 40. Other ether ports are access (untagged) ports for VLAN 42.

The device is not used as a router, it’s used as a switch / WiFi AP, so not all VLANs are sent towards switch1-cpu, only a few: 99 is management (the device has an /interface/vlan for it), VLAN 41 is for guest WiFi and only the virtual wireless interface is using the same VLAN ID…

Note: I am aware that AR8327 and alikes ignore vlan-header property, but I still think one should set it to the proper value regardless.


It’s very easy … in addition to the setup above, I have a single bridge with vlan-filtering=no. All wired ports are members of that bridge, both WiFi interfaces as well (one physical and one virtual). Only two things need to be set on the wireless interfaces: vlan-id=42 vlan-mode=use-tag (with VLAN ID 40 on the virtual WiFi interface for guests).


If the RB2011 is indeed the main router, then the most straightforward setup would be to use ether1 directly, not as a part of a bridge. The switch chip can’t offload anything in this case, as all packets entering and leaving through this port have to be processed by the main CPU (HW offload only helps with port-to-port switching, WAN requires routing).
However, if you insist on treating the WAN as yet another subnet, then you can “invent” another VLAN for this purpose. Configure ether1 as an access port of this VLAN (set default VLAN ID) and make the switch1-cpu port a tagged member of that VLAN. Then create a vlan interface anchored to the grand unified bridge with the WAN VLAN ID and use that interface as the WAN interface. Be prepared for performance degradation though; this setup will require (in addition to all the processing when ether1 is used as a separate interface) tagging/untagging in software (the vlan interface does it).
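Added example (my own, not the poster’s configuration and not MikroTik code): a small Python model of the switch-chip VLAN table from the post above, so the behaviour of a frame entering each port under the four vlan-mode values, and the tagged/untagged decision on the hybrid port, can be checked on paper before touching the device. Assumptions, labelled as such: the vlan-mode semantics follow my reading of the RouterOS switch-chip documentation (disabled ignores the table; fallback switches unknown VLAN IDs as plain frames and does not check ingress membership; check drops unknown VLAN IDs; secure additionally drops frames whose ingress port is not a member); on AR8327 the vlan-header value is ignored and a frame leaves untagged only when its VLAN ID equals the egress port’s default-vlan-id; a port with no default-vlan-id is treated as VLAN 0 (placeholder for “unset”); and unknown-VLAN frames in fallback/disabled mode are simply flooded here instead of being MAC-switched.

```python
"""Model of RouterOS switch-chip VLAN forwarding (added example, see lead-in).

The posted RB951G/AR8327 config is reproduced in build_posted_switch(); the
port names and VLAN table are taken from the post, everything else is assumed.
"""
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    vlan_mode: str = "fallback"      # disabled | fallback | check | secure
    default_vlan_id: int = 0         # assumption: 0 stands for "not set"


@dataclass
class Switch:
    ports: dict   # name -> Port
    vlans: dict   # vlan_id -> set of member port names (the switch vlan table)

    def forward(self, ingress, tag=None):
        """Return {egress_port: 'tagged'|'untagged'}, or None if the frame is dropped.

        tag=None means an untagged frame, which is mapped to the ingress
        port's default-vlan-id.
        """
        port = self.ports[ingress]
        vid = tag if tag is not None else port.default_vlan_id
        mode = port.vlan_mode
        members = None if mode == "disabled" else self.vlans.get(vid)
        if members is None:
            if mode in ("check", "secure"):
                return None                     # unknown VLAN ID is dropped
            # disabled / fallback: switched as a plain frame; modelled as a
            # flood to every other port (assumption: real chip uses MAC table)
            kind = "tagged" if tag is not None else "untagged"
            return {p: kind for p in self.ports if p != ingress}
        if mode == "secure" and ingress not in members:
            return None                         # ingress port not a member
        out = {}
        for p in members:
            if p == ingress:
                continue
            # AR8327 assumption: vlan-header ignored, untag iff vid == default
            out[p] = "untagged" if self.ports[p].default_vlan_id == vid else "tagged"
        return out

    def lint(self):
        """Warnings worth reading before enabling check/secure mode on a chip."""
        warnings = []
        for p in self.ports.values():
            if p.vlan_mode in ("check", "secure"):
                if p.name not in self.vlans.get(p.default_vlan_id, set()):
                    warnings.append(
                        f"{p.name}: untagged ingress maps to VLAN {p.default_vlan_id}, "
                        f"which has no table entry containing {p.name}; such frames are dropped")
        modes = {p.vlan_mode for p in self.ports.values()}
        if len(modes) > 1:
            warnings.append(
                f"mixed vlan-mode on one switch chip ({', '.join(sorted(modes))}); "
                "the thread reports it only worked once switch1-cpu was 'secure' too")
        for vid, members in self.vlans.items():
            if len(members) < 2:
                warnings.append(f"VLAN {vid}: only {len(members)} member port, nothing to switch to")
        return warnings


def build_posted_switch():
    """The switch port / vlan config from the post (set 0..5 = ether1-trunk..switch1-cpu)."""
    names = ["ether1-trunk", "ether2", "ether3", "ether4", "ether5", "switch1-cpu"]
    ports = {n: Port(n, "secure") for n in names}
    ports["ether2"].default_vlan_id = 40
    for n in ("ether3", "ether4", "ether5"):
        ports[n].default_vlan_id = 42
    vlans = {
        99: {"switch1-cpu", "ether1-trunk"},
        42: {"switch1-cpu", "ether1-trunk", "ether3", "ether4", "ether5"},
        41: {"switch1-cpu", "ether1-trunk"},
        3999: {"ether1-trunk", "ether2"},
        40: {"ether1-trunk", "ether2"},
        2: {"ether1-trunk"},
    }
    return Switch(ports, vlans)


if __name__ == "__main__":
    sw = build_posted_switch()
    for ingress, tag in [("ether2", None), ("ether2", 3999), ("ether2", 42),
                         ("ether3", None), ("ether1-trunk", None), ("switch1-cpu", 40)]:
        print(f"{ingress} tag={tag}: {sw.forward(ingress, tag)}")
    for w in sw.lint():
        print("warning:", w)
```

Running it shows the hybrid port as described in the post: an untagged frame on ether2 goes out tagged as VLAN 40 on the trunk, a 3999-tagged frame passes, and a 42-tagged frame is dropped because ether2 is not a member of VLAN 42. The linter flags that an untagged frame on the trunk or on switch1-cpu has nowhere to go (no default-vlan-id set), which is harmless here but is exactly the symptom to look for when an access port stops working after switching to secure mode. To model the WAN-as-VLAN variant from the post, add an entry such as `vlans[900] = {"ether1-trunk", "switch1-cpu"}` with ether1’s default_vlan_id set to 900 (900 is a made-up ID) and re-run.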

Thank you, it was extremely helpful. I spent two days on it, and now fixed it in 30 minutes…
Q1: I also thought it like that, thanks for the confirmation.
Q2: Two key things: It has to be “secure” (I tried that) AND switch1-cpu has to be set to “secure” as well. This is what I did not know and your “set 5” helped me find it!
Q3: I looked for it earlier and did not find, so I thought that it did not exist. Now, as you clearly said it does, I looked again and I had to change in the web interface to “advanced” as the VLAN option for the physical WiFi is hidden there.
Q4: I was also wondering how the WAN and LAN can be bridged, but I was told that it exists. Thanks for the confirmation that it cannot (or at least not economically) be done. I figured out that there are some L3 HW acceleration options, but not on this chipset. Still I wonder how one can use this model for Gb communication if the CPU gets to 100% already at lower speeds (although with a high packet count).

beware of this


https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration#Layer2misconfiguration-VLANfilteringwithmultipleswitchchips

No, not with the RB2011 (or any other device with that weak a CPU) when traffic is routed. Official test results indicate[*] that the routing capacity of this device is somewhere around 250Mbps, give or take, depending on the complexity of firewall filters. To get gigabit speeds for routed traffic, you’d have to look at some device with a much faster CPU; a popular device with an attractive price is the hAP ac2 (wireless is a bonus which can be switched off if not needed).

[*] Many forum members find the figure under “Routing 25 ip filter rules - 512 byte packets” to represent real-life performance pretty well.

There are use cases where it’s still economical to make the WAN interface a member of the bridge … one of them (my own use case) is if the ISP provides different services through VLANs and you don’t have to route all of them. In my case, my ISP provides IPTV as VLAN-tagged multicasts and the most efficient way of dealing with it is to make the WAN interface a hybrid port member of the bridge. Then the multicast VLAN is bridged/switched to the ports where IPTV set-top boxes connect, while the internet VLAN (it’s actually untagged from the ISP) is used in the way I described in my post above (as being uneconomical, as you put it).