I am still confused about how to set up VLAN on Mikrotik. I do know how to do it on Cisco/HP and others, but what is correct, I am not sure. RB750Gr3 running 6.42.6
Use of VLAN ID 1 is somehow mysterious, so I suggest to use VLAN ID 10 instead. To use VLAN ID 1, you would have to do some modifications to the above.
nichky, somewhere on this forum someone of the Mikrotik staff mentioned hardware VLAN support on hEX r3 “in future”, but I am unable to find that post now.
So I gave @Jotne the instruction how to do it in software. To see a menu item in Winbox/WebFig/sometimes even CLI does not always mean that the feature actually works. So try to configure something like /interface ethernet switch port set ether5 vlan-mode=secure or /interface ethernet switch vlan add vlan-id=20 ports=ether5 switch=switch1. You either get an error message, which means that the “future” mentioned in that post has not come yet, or you’ll get no error message and subsequent print will show the command has changed the settings, which will mean that the future is here and the manual has not been updated.
Jotne, I wrote the reasons why I’ve suggested use of VLAN ID 10 instead of VLAN ID 1 at the end of that post. Basically it is because Mikrotik supports the idea of “hybrid” bridge where tagless frames can exist inside the bridge, something you won’t find on switches like Cisco Catalyst. Normally, if you set some pvid value in /interface bridge port item, tagless frames get tagged on ingress with the VLAN ID specified this way. But if that pvid value matches the pvid value set on the bridge itself, they get in tagless.
So the same configuration with VID 1 used instead of VID 10 should look like the following, but it is without any warranty and you have to test yourself:
On Atheros8227, the VLAN support is weird in terms that it cannot selectively untag only frames belonging to port’s pvid on egress. This makes it impossible to use true hybrid ports where the access VLAN would be tagged internally, but you can make use of the fact that tagless frames may exist internally to have pseudo-hybrid ports for one “tagless VLAN” while the rest of VLANs are tagged, and still have hardware switching.
I am starting to understand why so many have problems with VLAN on the MT boxes.
It does not show how to do it on the different devices and some devices support different ways to do it.
I would guess that using switch chip (hardware) would be faster than software.
If so, that should clearly be stated along with what VLAN types work with what hardware.
On the RB750Gv3 I did try this line on port3 since it's not in use:
It gives some hope, but you’d have to do a complete setup and see how it behaves. I don’t have that box anywhere, as for all my applications the hAP ac² is as good as it and in some aspects superior to it.
It does but well hidden between the lines. In the “VLAN Example 1 (Trunk and Access Ports)”, the following is stated:
Setting “vlan-mode=secure” ensures strict use of VLAN table.
Setting “vlan-header=always-strip” for access ports removes VLAN header from frame when it leaves the switch chip.
Setting “vlan-header=add-if-missing” for trunk port adds VLAN header to untagged frames.
“Default-vlan-id” specifies what VLAN ID is added for untagged ingress traffic of the access port.
So nothing about specific handling of default-vlan-id on egress, which means that no such behaviour happens. Confirmed by practical experiments and study of the switch chip datasheet which miraculously can be found on the web for the 8227.
In the “VLAN Example 2 (Trunk and Hybrid Ports)”, there is:
In Gigabit switch chips when “vlan-mode=secure”, it ignores switch port “vlan-header” options. VLAN table entries handle all the egress tagging/untagging and works as “vlan-header=leave-as-is” on all ports.
It means what comes in tagged, goes out tagged as well, only “default-vlan-id” frames are untagged at the egress of port.
So the 8327 supports real hybrid ports.
My experience with Mikrotik documentation is that it is usually exact and when it seems to you that something is missing in the documentation by mistake, it is caused by your wishful thinking because it is actually missing in the product.
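The egress behaviour discussed above for the 8227 and the 8327, as an added example that is not part of the original thread and not Mikrotik code: a simplified Python model showing which `vlan-header` modes can produce a hybrid port. The function names, the `Frame` type and the sample VLAN IDs are assumptions made for illustration; only the mode names and their described effects come from the posts.

```python
# Simplified egress-tagging model built only from the behaviour described in
# this thread. It is not a switch-chip simulator; names here are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    vid: int              # VLAN the frame belongs to inside the switch
    arrived_tagged: bool  # False = came in tagless and stayed tagless internally

def egress_8227(frame, vlan_header):
    """Tag seen on the wire (None = untagged) for a per-port vlan-header mode."""
    if vlan_header == "always-strip":
        return None                  # strips every VLAN, not only the port's own
    if vlan_header == "add-if-missing":
        return frame.vid             # everything leaves tagged
    if vlan_header == "leave-as-is":
        return frame.vid if frame.arrived_tagged else None
    raise ValueError(vlan_header)

def egress_8327_secure(frame, default_vlan_id):
    """vlan-mode=secure as quoted: only default-vlan-id frames leave untagged."""
    return None if frame.vid == default_vlan_id else frame.vid

def is_hybrid(tags, access_vid, trunk_vids):
    """A hybrid port sends access_vid untagged and every trunk VID tagged."""
    return tags[access_vid] is None and all(tags[v] == v for v in trunk_vids)

def hybrid_modes_8227(access_vid, trunk_vids, access_tagged_internally):
    """vlan-header modes that give hybrid egress in the 8227 model."""
    ok = []
    for mode in ("always-strip", "add-if-missing", "leave-as-is"):
        tags = {v: egress_8227(Frame(v, True), mode) for v in trunk_vids}
        tags[access_vid] = egress_8227(
            Frame(access_vid, access_tagged_internally), mode)
        if is_hybrid(tags, access_vid, trunk_vids):
            ok.append(mode)
    return ok

def hybrid_8327(access_vid, trunk_vids):
    """Hybrid egress in the 8327 model, with default-vlan-id = access_vid."""
    tags = {v: egress_8327_secure(Frame(v, True), access_vid)
            for v in [access_vid, *trunk_vids]}
    return is_hybrid(tags, access_vid, trunk_vids)

if __name__ == "__main__":
    # Constructed sample VLANs: access VLAN 10, trunk VLANs 20 and 30.
    print("8227, access VLAN tagged internally:", hybrid_modes_8227(10, [20, 30], True))
    print("8227, access VLAN tagless internally:", hybrid_modes_8227(10, [20, 30], False))
    print("8327, vlan-mode=secure:", hybrid_8327(10, [20, 30]))
```
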
I just want to say thank you for this post.
I struggled with a similar problem and got completely lost in the documentation.
This simple example was just what I needed.
Also… I agree the default vlan1 behaves very mysteriously (at least to me) on Mikrotik devices.