VLAN Bridge switch chip NAT only using one core RB 3011 UiAS RM

I’m a bit new to MikroTik and am scratching my head on this one.
I have put together a VERY simple setup and am testing NAT, Fasttrack, switch chips, CPU usage, etc.
And this has me a bit stumped.
I have set up a very simple bridge and untagged VLANs to two ports.
Internet is on one VLAN interface and the test PC is plugged into the other VLAN interface.
While using a single switch chip for all of this - I am not getting the full gigabit test speeds, I am about 150Mbps short of 1Gbps.
Also, during HTTP speed tests (upload and download) only one CPU core (core 0) is getting used heavily and the other is barely used.
If I simply move the PC over (just plug it in) to the other switch chip (#2) port 6 same exact config, BOTH CPU cores get used equally (and a lot) and I get the full upload/download gigabit test speeds to the Internet. (it works a lot better).
I’m not getting why this is performing so much differently when it really shouldn’t be as far as I can tell.
BOTH switch chips have a dual 1Gb path to each CPU core, and I’d expect it to behave the same, or in some cases even better if all is on the same switch chip.
Quite the opposite going on here though.
No L3 offloading of course in this old router.
Very curious what I am missing here.

# 2024-09-22 06:14:52 by RouterOS 7.15.3
# software id = 
#
# model = RB3011UiAS
# serial number = 
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=33-Internet vlan-id=33
add interface=bridge1 name=47-Tenant vlan-id=47
/ip pool
add name=dhcp_pool0 ranges=172.16.44.1-172.16.46.250,172.16.47.2-172.16.47.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=47-Tenant lease-time=2d30m name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=33
add bridge=bridge1 interface=ether2 pvid=47
add bridge=bridge1 interface=ether6 pvid=47
add bridge=bridge1 interface=ether7 pvid=33
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether1,ether7 vlan-ids=33
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether6 vlan-ids=47
/ip address
add address=172.16.47.1/22 interface=47-Tenant network=172.16.44.0
add address=10.73.73.2/24 interface=33-Internet network=10.73.73.0
/ip dhcp-server network
add address=172.16.44.0/22 dns-server=10.73.73.31 gateway=172.16.47.1
/ip firewall filter
add action=fasttrack-connection chain=forward hw-offload=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=33-Internet
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.73.73.1 routing-table=main suppress-hw-offload=no
/lcd
set backlight-timeout=never
/system identity
set name=Broadview-RB3011
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.73.73.1
[admin@Broadview-RB3011] >

 /tool profile cpu=all
Columns: NAME, CPU, USAGE
NAME                CPU  USAGE
lcd                   0  0.5%
spi                   0  0%
ethernet              0  39.5%
console               0  0%
firewall              0  4.5%
networking            0  28.5%
management            0  1%
profiling             0  0%
bridging              0  17%
unclassified          0  4.5%
cpu0                     95.5%
lcd                   1  0.5%
ethernet              1  21%
console               1  0.5%
ssh                   1  0.5%
firewall              1  4%
networking            1  19.5%
neighbor-discovery    1  0.5%
management            1  3%
encrypting            1  0.5%
profiling             1  0%
bridging              1  10.5%
unclassified          1  4.5%
cpu1                     65%

RB3011 doesn’t offload anything to switch chips … apart from very basic switching (without VLANs).

With vlan-filtering enabled everything is processed by CPU, including bridge filters…

Thanks, yes, I also noticed that I am not even getting any VLAN filtering done in the chips.
Tried a simple layer 2 VLAN bridge and this is still going through the CPU (with no routing or NAT, same IP subnet).
This answer still does not explain or answer why I am getting much different results using switch chip 1 plus switch chip 2 versus having everything on switch chip #1.
Both switch chips have a 1G pipe to each CPU core.
I’d expect to see that same CPU core usage when only using switch chip 1.
I also expected layer 2 hardware offloading with VLANs.
There are checkboxes that are defaulted on for hardware offloading.
This implies that it is available.
The switch chip settings themselves also have their own VLAN settings, which also implies this is available.

The RB3011 has two QCA8337 switch chips, which means you should not use Bridge VLAN Filtering with it. The recommended way to setup VLANs is by using the /interface/switch submenus:

https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching#BasicVLANswitching-Otherdeviceswithabuilt-inswitchchip

In your case, you need inter-VLAN routing, which means you should follow this example:

https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-Inter-VLANrouting

You should:

  • remove vlan-filtering=yes from bridge1
  • remove the entries from /interface bridge vlan
  • reset the PVID on the ports under /interface bridge port
  • create two bridges, each mapped to the ports of one switch chip
  • configure VLANs according to the guide with /interface ethernet switch vlan and /interface ethernet switch port. With separate switch chips (switch1, switch2) and separate bridges, the VLAN interfaces (which still have a bridge as parent interface) will not span the two switch chips; don’t forget the switch1-cpu and switch2-cpu ports, because you need Layer 3 features to be accessible on the VLANs.

I will use this as a guide to try again.
Inter-VLAN routing is not what I am immediately testing, and I did already have this working with Bridge VLAN filtering.
But of course I will want this in the future.
What I am really trying to accomplish (first) is simply to have devices on the switch chip (ON the SAME VLAN) talk to each other directly at wire speed.
While still having inter-VLAN connectivity to be able to reach other networks or the Internet + management (CPU link).
I am still stuck on the very basic task of trying to get VLAN access ports to work without using bridge VLAN filtering (using only VLAN settings on the switch chip).
It is very confusing the first time at it.
Seems that there are a lot of older tutorials (not ROS 7) (and unclear if that matters much).
And almost all of them simply instruct to use the bridge VLAN filtering option because it is easier.
I will try this again per your suggestion and see how it goes.
Thanks!

“reset the PVID on the ports under /interface bridge port”
Does that mean reset to default, or does that mean set them to the VLAN that they will be used on?
I’m a little unclear on why TWO bridges must be created?
Might make a lot more sense once I start trying this out.
But I am also coming from the Bridge VLAN filtering experience and how that worked where it only used one bridge.
-Steve

You can achieve this with the VLANs configured on the switch chip, as described by the linked MikroTik documentation (with /interface ethernet switch vlan and /interface ethernet switch port). You should NOT use Bridge VLAN Filtering with QCA8337 because you’ll lose Hardware Offload.

From this table https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeHardwareOffloading you can see that turning on Bridge VLAN Filtering will disable Hardware Offload for QCA8337. If you read this page: https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching you’ll see that Bridge VLAN Filtering is only recommended for models with switch chips that have Hardware Offload for that feature, namely the CRS3xx, CRS5xx series switches, CCR2116, CCR2216 and RTL8367, 88E6393X, 88E6191X, 88E6190, MT7621 and MT7531 switch chips. QCA8337 as well as the other Atheros chips should use the “Other devices with a built-in switch chip” section of that page. If you want hardware support for VLANs on those chips, you need to configure VLANs on the switch chip. There is even this warning:


This type of configuration should be used on RouterBOARD series devices, this includes RB4xx, RB9xx, RB2011, RB3011, hAP, hEX, cAP, and other devices.

And that section also links to this https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-SetupExamples with more examples, and you should just apply the “Inter-VLAN routing” example from there for your needs.


“reset the PVID on the ports under /interface bridge port”
Does that mean reset to default, or does that mean set them to the VLAN that they will be used on?

You reset the value to 1 because the PVID values under /interface bridge port are only used for Bridge VLAN Filtering (it’s under the “bridge” menu).


I’m a little unclear on why TWO bridges must be created?

Because the router has two switch chips with their own group of ports.

And the switch chips do not see each other. If you send something between port 5 and 6, that has to go out of the one switch chip, through the main CPU, into the other switch chip. So, if you want all the switching to be done in hardware, by the switch chip (which can also do that with VLAN enabled), then you keep the traffic on each chip separated from the other switch chip, which means your bridge should not span the two chips.

You’ll only use the CPU links and the main CPU for layer 3 stuff and inter-VLAN traffic, which requires the main CPU. If you follow MikroTik’s documentation and use the /interface switch submenus, you’ll see that the commands all work per switch chip (there’s a switch=switch1/switch=switch2 parameter). And when Layer 3 / Management / Inter-VLAN are needed, then the commands also involve the CPU port (switch1-cpu, switch2-cpu), which, in the diagram above, are the links between the switch chips and the main CPU, and within RouterOS these CPU ports are represented by the bridge interfaces! If you configure two bridges, then one will be mapped to switch1-cpu and one to switch2-cpu.

Yep, still completely confused and still trying.
No understanding on why I should create two bridges versus just one.
Because VLAN interfaces need their own for some reason??
Bridge VLAN filtering did not need this (I realize that may be irrelevant) but it just adds to the confusion.
I currently do not understand why two will be needed and would like to understand why.
I also do not see TWO bridges being built in the example that has been referenced.
I also do not clearly see anywhere how to make a trunk VLAN port on the switch chip versus an access port.
There are also other nuances like this one that add to the confusion (On QCA8337 and Atheros8327 switch chips, a default vlan-header=leave-as-is property should be used. The switch chip will determine which ports are access ports by using the default-vlan-id property. The default-vlan-id should only be used on access/hybrid ports to specify which VLAN the untagged ingress traffic is assigned to.)
I am not clearly understanding what this means exactly and I need to get a handle on it.
I can read it and it implies I need to set PVID to match access ports.
What am I supposed to do on trunk ports?
The example shows setting up access ports, but then throws in the QCA8337 nuances, meaning that I can’t just copy and paste the examples and I need to know what’s going on across the board here.
I don’t and I am still trying to get myself to that point.
I need a clearer understanding of the building blocks.
And it still appears those building blocks and options are a bit different for different models.
I am still trying to do something relatively simple.
Have TWO VLANs, one public Internet facing and one facing a test LAN.
Be able to do NAT and routing to the Internet and have devices on the local LAN be able to send data to each other directly on switch chip ports.
I’m just struggling at the switch chip level and its settings.
I’m in good shape with the VLAN CPU interfaces; I just have not figured out how to configure the switch chip to do VLAN CPU interfaces and trunk ports and access ports.
Thanks for the help I will keep at it until I figure it out.
But I am still quite lost and trying.
I have a very clear understanding of what I am trying to do but am failing at understanding the switch chip settings.
I also totally get that I am slow and may be just missing some basic points here.
I also have a CCR2004 which took care of this easily in hardware when just using bridge VLAN filtering.
These (RB3011) do not do this and I have to figure out how to get the same job done on the switch chips.

I see that your detailed reply came in while I was typing my last thoughts.
So please bear with me as I have not read all of that yet.
I will study your reply/references, read some more and test.
Thanks!!!
-Steve

I am VERY clear on NOT using bridged VLAN filtering on this device/switch chip.
That was my intro to VLAN on Mikrotik and it works easily. (I’m still rather new on these).
But it won’t work on this device.
So I am now in the process of learning and figuring out how to make it work “the other way” using the switch chip.
Thank you for all of your help and patience so far!
-Steve

I am still reading and am still unclear on the “create two bridges” directive.
Is there a reason that two are needed?
I was trying my basic tests on trying to do everything on one single switch chip (for testing and simplicity), not even using the second switch chip at this time.
Mission is to create two VLANs:

VLAN 10: access(untagged) on ports 1 and 2
VLAN 20: access(untagged) on ports 3 and 4
VLAN trunk (10 and 20 tagged) port 5 to external switch

VLAN trunk path to Switch1_CPU for management and L3 stuff as mentioned.

-Steve

Continuing at it here and trying the examples.
And as to be expected nothing is working; no traffic is yet passing.
The examples are:
/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=add-if-missing
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=200
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=300
set ether5 vlan-mode=secure vlan-header=always-strip default-vlan-id=400

But then there’s a special note:

On QCA8337 and Atheros8327 switch chips, a default vlan-header=leave-as-is property should be used. The switch chip will determine which ports are access ports by using the default-vlan-id property. The default-vlan-id should only be used on access/hybrid ports to specify which VLAN the untagged ingress traffic is assigned to.

Does this mean that I absolutely have to use only “leave-as-is” for ALL settings as shown in the example (without these settings but other settings)?
It’s things like this that can really trip me up when it’s not working.
Especially when I go and set them all to “leave-as-is” as the note for my switch chip seems to imply and then it STILL is not passing traffic.
Making it harder to trace my mistakes.

OK, I do have it working perfectly now with two VLANs.
One VLAN is public IP/Internet.
The other is an internal NAT network.
Have two access ports for this VLAN and two for the public Internet; one is bridged just for testing.
Two PCs on the LAN VLAN (MikroTik ports 3 and 1) are talking directly at gigabit speed (and no CPU usage in MikroTik) as planned. LOL.
I am still further confused at what the “switch all ports” option in the switch chips does or does not do.
The documentation is unclear to me and it mentions “port 1 isolation from what?” exactly, and also switch chip #2 has this option too; would that be port 5?
I have a single trunk port going to an external switch that I have not tested yet, but that might be easy or already working.
I am getting tripped up on a lot of this as you can see in my previous posting and I still do not know what I’m doing quite yet.
But I can change one setting at a time to see what breaks functionality.
Anyhow, I pretty much have it working but need to study and test a lot more now. I have a great start.
I never did need to create two bridges at all, so I’m not really sure what that was about unless that somehow was under some expectation I was going to try to use both switch chips.
I am familiar with jumping the two with an ethernet patch to gain three more “wirespeed”-ish ports if ever “needed”.

I think I am clear now on why you said to create two bridges.
This may have simply assumed I would want to use more ports/more VLANs etc.
It could still be strategically planned so certain hosts that need to send a lot of traffic to each other would just need to be plugged into the same switch chip ports.
As the same VLANs could be replicated across both chips, and still could be planned/optimized carefully in how the traffic will be passed.

Trunk port to downstream switch just works.

switch-all-ports (no | yes; Default: yes)

Any ideas what is actually going on with this option?
It’s also available on switch chip #2 of course.
I have a switching bridge between ports 1 and 3 set up and I am getting full wirespeed between these ports with no CPU usage.
Toggling this option has no effect on this performance.
The explanation seems to suggest it effectively takes port one out of the switch.

Am I correct in assuming this does not apply at all to my router, which is an RB3011?
It seems that this option should not be available in the interface if it didn’t apply.
switch-all-ports (no | yes; Default: yes)

Changes ether1 switch group only on RB450G/RB435G/RB850Gx2 devices.

yes - ether1 is part of the switch and supports switch grouping and all other advanced Atheros8316/Atheros8327 features including extended statistics (/interface ethernet print stats).
no - ether1 is not part of the switch, effectively making it a stand-alone ethernet port, this way increasing its throughput to other ports in bridged and routed mode, but removing the switching possibility on this port.

No understanding on why I should create two bridges versus just one.
I currently do not understand why two will be needed and would like to understand why.

I am still reading and am still unclear on the “create two bridges” directive.
Is there a reason that two are needed?

I never did need to create two bridges at all so I’m not really sure what that was about unless that somehow was under some expectation I was going to try to use both switch chips.

This is the actual MikroTik’s recommendation for devices like the RB3011 (with multiple built-in switch chips), as you can read from one of the “warnings” under this section:

https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching#BasicVLANswitching-Otherdeviceswithabuilt-inswitchchip

For devices that have multiple switch chips (for example, RB2011, RB3011, RB1100), each switch chip is only able to switch VLAN traffic between ports that are on the same switch chip, VLAN filtering will not work on a hardware level between ports that are on different switch chips, this means you should not add all ports to a single bridge if you are intending to use VLAN filtering using the switch chip, VLANs between switch chips will not get filtered. You can connect a single cable between both switch chips to work around this hardware limitation, another option is to use Bridge VLAN Filtering, but it disables hardware offloading (and lowers the total throughput).

Even if you are not using VLANs at all and only use the bridge, it’s still recommended to set up one bridge per available switch chip, and have no bridge span multiple switch chips, if you want the most efficiency. Think of a bridge as being a switch + layer 3 functionalities. You would prefer to have the switching part (layer 2 functionalities) completely handled by the switching hardware (the switch chip). And that only works if the whole bridge uses only one switch chip. Because otherwise, even if your devices on port 5 do not directly connect to devices on port 6, for instance, if your bridge spans the two switch chips, every time there is some broadcast or multicast traffic the ethernet frames will need to go from one switch chip to the other one by transiting through the main CPU, consuming its resources while not being hardware offloaded anymore.

But currently in RouterOS, if you create multiple bridges on one same switch chip, then only one of the bridges can be hardware offloaded; the rest of the bridges configured on that switch chip will be software only and processed by the CPU. If we combine the two pieces of information, then it’s most efficient when you create one and only one bridge per available switch chip, with the ports mapped accordingly.


Bridge VLAN filtering did not need this (I realize that may be irrelevant) but it just adds to the confusion.

Even when you configure VLANs on newer devices with Bridge VLAN Filtering, if your device has multiple switch chips, for instance the CCR2004-16G-2S+ has two 88E6191X switch chips, and you want 100% of the layer 2 part of the bridge to be handled by hardware, it’s still recommended that you create two bridges, one per chip. If you have only one bridge, then any layer 2 traffic (normal switching) spanning the ports of different chips will have to involve the main CPU and is not hardware offloaded. If you only have one bridge, everything still works, and the CCR2004 has a powerful enough CPU so you won’t notice the difference at all when only switching traffic between the 1Gbps ports, but you are still losing efficiency and are not getting the most out of the L2 hardware and are not minimizing the main CPU’s usage. You can follow the conversation in this thread for more discussion:

http://forum.mikrotik.com/t/ccr2004-16g-2s-multiple-bridges-or-not/172985/1


Continuing at it here and trying the examples.
And as to be expected nothing is working; no traffic is yet passing.
The examples are:
/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=add-if-missing
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=200
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=300
set ether5 vlan-mode=secure vlan-header=always-strip default-vlan-id=400

But then there’s a special note:
Does this mean that I absolutely have to use only “leave-as-is” for ALL settings as shown in the example (without these settings but other settings)?
It’s things like this that can really trip me up when it’s not working.
Especially when I go and set them all to “leave-as-is” as the note for my switch chip seems to imply and then it STILL is not passing traffic.
Making it harder to trace my mistakes.

Normally, before changing vlan-mode=secure for the entries under /interface ethernet switch port, you should populate the VLAN configuration under /interface ethernet switch vlan first, because the secure mode requires information from the switch VLAN table.

You can think of /interface ethernet switch vlan as being somewhat similar to /interface bridge vlan, where you specify the ports the VLAN ID can be used with (including the similarity that for layer 3 you need to add the bridge to the tagged list for Bridge VLAN Filtering, and for the switch chip you have to add the switchX-cpu, because the bridge represents the CPU port, see this post http://forum.mikrotik.com/t/routeros-bridge-mysteries-explained/147832/1). The difference is that under /interface ethernet switch vlan you don’t include the tagged/untagged information like with Bridge VLAN Filtering.

As for the settings under /interface ethernet switch port, it’s where you specify the PVID of the access and hybrid ports (similar to /interface bridge port). But it’s also where you explicitly turn on VLAN filtering for ingress traffic on the port (with Bridge VLAN Filtering you turn it on at the bridge level) with vlan-mode. The other difference is that under /interface bridge port you change the frame-type for Access/Trunk/Hybrid configuration and this is for ingress, and with /interface ethernet switch port the vlan-header setting is used for Access/Trunk/Hybrid configuration but it is a setting for egress traffic. Normally you set vlan-header like this according to the type of port (quoted from the documentation):


Sets action which is performed on the port for egress traffic.

  • add-if-missing - adds a VLAN tag on egress traffic and uses default-vlan-id from the ingress port. Should be used for trunk ports.

  • always-strip - removes a VLAN tag on egress traffic. Should be used for access ports.

  • leave-as-is - does not add nor remove a VLAN tag on egress traffic. Should be used for hybrid ports.

But for the QCA8337 and Atheros8327 (used in hAP ac² for instance) the type (Access/Trunk/Hybrid) can be inferred by the switch chip from the other information provided (default-vlan-id as well as how many VLAN IDs are enabled on the port), so vlan-header=leave-as-is should be used in all cases.

That setting should not be relevant to your RB3011 router. As the documentation stated, it’s only for the three devices listed. If we look at the block diagram for RB850Gx2, we can understand why it’s needed for that device:

That device has only one 1Gbps link between the switch chip and the main CPU. In case you want all 5 ports in one same bridge and switch between them, then you’ll need to connect ether1 to the Atheros8327 switch chip (by turning switch-all-ports=yes), but then only one 1Gbps link will be available between all the ports and the main CPU.

But normally you would want to operate the RB850Gx2 as a router, with a WAN connection that is not part of the LAN bridge. If that’s the case, you can use ether1 as the WAN port. If you keep switch-all-ports=yes and remove ether1 from the main bridge, traffic between WAN (ether1) and LAN (bridge with the rest of the ports) will have to go through the main CPU as usual (because the CPU is needed for routing, NAT, firewall, etc.) but has to travel up and down through the single 1Gbps line. That’s why in this case switch-all-ports=no should be used: ether1 will be decoupled from the switch chip and will get a dedicated 1Gbps line to the main CPU. Which means traffic between LAN and WAN no longer has to share the same 1Gbps link.

For your router RB3011 you don’t need this setting because there is no dedicated line between ether1 (or ether6) and the CPU, and there are two 1Gbps links between each switch chip and the main CPU anyway (but with the restriction that each link goes to one CPU core), see the diagram from my previous post above.

The hAP ac² is another device using the Atheros8327 switch chip, but it also doesn’t need this setting because there is a 2Gbps link between CPU and switch chip (and no dedicated connection between ether1 and CPU).
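The mission stated earlier in the thread (VLAN 10 access on ports 1 and 2, VLAN 20 access on ports 3 and 4, a trunk carrying both on port 5, and switch1-cpu for management and L3) written out as a switch-chip configuration for switch1 only, in the order recommended above (switch VLAN table first, then secure mode, vlan-header left as-is on the QCA8337). This is an added example, not the thread’s own export or MikroTik’s documentation; the bridge name, VLAN interface names and IP addresses are assumptions.

```routeros
# Added example (not from the thread or MikroTik docs): switch1 of an RB3011 only.
# VLAN 10 access on ether1/ether2, VLAN 20 access on ether3/ether4,
# trunk (10 and 20 tagged) on ether5, L3 reachable through switch1-cpu.
# Names bridge1, vlan10, vlan20 and the IP addresses are assumptions.

# 1. One bridge holding only the ports of switch1. No vlan-filtering on it:
#    with vlan-filtering=yes the QCA8337 loses hardware offload and the CPU
#    does all the switching (the symptom at the top of the thread).
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5

# 2. Switch VLAN table first, because secure mode reads it. There is no
#    tagged/untagged split here; switch1-cpu (the bridge, as seen from the chip)
#    is a member of every VLAN that must be routed or managed from the CPU.
/interface ethernet switch vlan
add switch=switch1 vlan-id=10 ports=ether1,ether2,ether5,switch1-cpu
add switch=switch1 vlan-id=20 ports=ether3,ether4,ether5,switch1-cpu

# 3. Per-port settings last. On QCA8337 vlan-header stays leave-as-is on every
#    port; the chip treats ports with a default-vlan-id as access ports.
#    vlan-mode=secure drops frames tagged with a VLAN the port is not a member of.
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=10
set ether2 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=10
set ether3 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=20
set ether4 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=20
set ether5 vlan-mode=secure vlan-header=leave-as-is
set switch1-cpu vlan-mode=secure vlan-header=leave-as-is

# 4. L3 interfaces sit on the bridge (the CPU port), not on a physical port.
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
/ip address
add address=192.0.2.1/24 interface=vlan10
add address=198.51.100.1/24 interface=vlan20

# Checks: confirm the table and port modes, then run traffic between ether1 and
# ether2 while watching /tool profile cpu=all; same-VLAN traffic should show
# no CPU load, only inter-VLAN traffic should.
/interface ethernet switch vlan print
/interface ethernet switch port print
```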

I really appreciate all the time you put into helping me out here.
I made a large amount of progress here in just one day.
I of course have a long way to go to be really a pro at this.
But I have it all working and also added the second switch chip/bridge and it became immediately apparent where and how I would need to use that.
I will continue to use all of the notes here for a long time.
Thank you.

I am very stuck on my next “problem”.
This is NOT any kind of production use, but I am doing this to get a better understanding and just to put myself through this learning process.
I would like to get one of the same VLANs to be available via both switch chips, and I realize one will have to go through the CPU.
But I am trying to do this and see it work.
And also figure out why it is not working at the moment (yet seems to pass some limited random traffic).
Kind of like once it learns one path (ARP?) the other possible path does not work at all.
I can ping some IP addresses from chip #2 to chip #1 but most I cannot, and one that was working for a short time after reboot stopped working after a while.
But still works on Chip 1 ports as expected.

I have everything working perfectly on switch chip #1.
Now I am trying to get access to one of the VLANs on switch chip #2.
I pretty much tried duplicating my efforts that worked for chip #1.
I also tried creating a new Bridge-2.
And this made no difference.
All is working perfectly port to port on the same VLAN for chip #1.
But I am trying to also get access to this working VLAN from CHIP #2.
It is not working correctly.
I very intermittently can get some limited traffic through it some ARPs resolve but most do not (this makes no sense).
And I can communicate with some hosts (same VLAN same broadcast domain) from Chip #2 to Chip #1 but it is for the most part not working.
But I get this strange thing that only a couple of IP/arp are working across the chips but most are not.
Same VLAN same IP subnet.
I realize this will go via the CPU but not sure why it is not working, or not working solidly.
VLAN33 is the one I am testing.

Works perfectly on chip one ports 1 and 3.
But is not working from ports (1 or 3) to ports (9 or 10) through the chip.
9 and 10 are configured differently for testing (Bridge1/Bridge2).

/interface bridge
add name=BR-1
add name=BR-2
/interface vlan
add interface=BR-1 name=33-Internet vlan-id=33
add interface=BR-1 name=47-Tenant vlan-id=47
add interface=BR-1 name=70-video vlan-id=1
add interface=BR-1 name=99-MGMT vlan-id=99
/interface ethernet switch port
set 0 default-vlan-id=33 vlan-mode=secure
set 1 default-vlan-id=47 vlan-mode=secure
set 2 default-vlan-id=33 vlan-mode=secure
set 3 default-vlan-id=99 vlan-mode=secure
set 4 vlan-mode=secure
set 8 default-vlan-id=33 vlan-mode=secure
set 9 default-vlan-id=33 vlan-mode=secure
set 10 vlan-mode=secure
set 11 vlan-mode=secure
/ip pool
add name=dhcp_pool0 ranges=\
    172.16.44.1-172.16.46.250,172.16.47.2-172.16.47.254
add name=dhcp_pool1 ranges=172.16.99.100-172.16.99.240
/ip dhcp-server
add address-pool=dhcp_pool0 interface=47-Tenant lease-time=2d30m name=dhcp1
add address-pool=dhcp_pool1 interface=99-MGMT lease-time=2d30m name=dhcp2
/port
set 0 name=serial0
/queue simple
add disabled=yes max-limit=20M/20M name=20-test target=47-Tenant
/interface bridge port
add bridge=BR-1 interface=ether2
add bridge=BR-1 interface=ether3
add bridge=BR-1 interface=ether4
add bridge=BR-1 interface=ether5
add bridge=BR-1 interface=ether1
add bridge=BR-1 interface=ether9
add bridge=BR-2 interface=ether10
/interface ethernet switch vlan
add independent-learning=yes ports=ether5,ether3,switch1-cpu,ether1 switch=\
    switch1 vlan-id=33
add independent-learning=yes ports=ether5,ether2,switch1-cpu switch=switch1 \
    vlan-id=47
add independent-learning=yes ports=ether5,ether4,switch1-cpu switch=switch1 \
    vlan-id=99
add independent-learning=yes ports=ether9,ether10,switch2-cpu switch=switch2 \
    vlan-id=33
/ip address
add address=172.16.47.1/22 interface=47-Tenant network=172.16.44.0
add address=10.73.73.2/24 interface=33-Internet network=10.73.73.0
add address=172.16.99.1/24 interface=99-MGMT network=172.16.99.0
add address=172.16.70.1/24 interface=70-video network=172.16.70.0
/ip dhcp-server network
add address=172.16.44.0/22 dns-server=10.73.73.31 gateway=172.16.47.1
add address=172.16.99.0/24 dns-server=10.73.73.31 gateway=172.16.99.1
/ip firewall filter
add action=fasttrack-connection chain=forward hw-offload=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=33-Internet
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.73.73.1 routing-table=main \
    suppress-hw-offload=no