VLAN setup across ethX and wlanX on QCA8337 based device

Hello everyone,

I’d like to validate my setup with you. All is working as expected, but I am a bit concerned about whether it is a correct setup and whether there are any issues that may come up in the future.

Conceptually there are 4 VLANs:

  • 100 for management only
  • 200 for LAN
  • 201 for Guest LAN
  • 61 for separate test subnet

The HAP AC is connected to the main switch via eth1. The Wi-Fi networks are managed by CAPsMAN and there are two of them:

  • home (VLAN 200)
  • guest (VLAN 201)
[image: mikrotik-vlans.png]

Exported relevant parts of the config:
/interface bridge
add fast-forward=no name=bridge protocol-mode=none

/interface ethernet
set [ find default-name=ether1 ] name=eth1-uplink
set [ find default-name=ether2 ] name=eth2
set [ find default-name=ether3 ] name=eth3
set [ find default-name=ether4 ] name=eth4
set [ find default-name=ether5 ] name=eth5

/interface vlan
add interface=bridge name=vlan100 vlan-id=100
/ip address
add address=x.x.x.x/24 interface=vlan100 network=x.x.x.x

/interface ethernet switch port
set 0 vlan-mode=secure
set 1 default-vlan-id=201 vlan-mode=secure
set 2 default-vlan-id=200 vlan-mode=secure
set 3 default-vlan-id=200 vlan-mode=secure
set 4 default-vlan-id=61 vlan-mode=secure
set 5 vlan-mode=secure

/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=eth1-uplink
add bridge=bridge interface=eth2
add bridge=bridge interface=eth3
add bridge=bridge interface=eth4
add bridge=bridge interface=eth5

/interface ethernet switch vlan
add independent-learning=yes ports=eth1-uplink,switch1-cpu switch=switch1 vlan-id=100
add independent-learning=yes ports=eth1-uplink,eth3,eth4,switch1-cpu switch=switch1 vlan-id=200
add independent-learning=yes ports=eth1-uplink,eth2,switch1-cpu switch=switch1 vlan-id=201
add independent-learning=yes ports=eth1-uplink,eth5,switch1-cpu switch=switch1 vlan-id=61

My main concern is that the bridge doesn’t have VLAN Filtering enabled. The reason is that with this feature ON, hardware offload is not supported and I cannot get full 1gbps speed on eth1-eth5 ports. With the setup above I have everything I need and … all seems to be working fine.

Is it a valid bridge configuration? Why are packets between wlanX and ethX interfaces properly switched even if VLAN filtering is not enabled on the bridge?

I would appreciate any feedback. Thanks!
Łukasz

Your config is fine, this was the way to do it in ROS <=6.41 …

Actually the setting of frame-types in

/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=eth1-uplink

does nothing as long as you don’t have vlan-filtering=yes set on the bridge.

If VLANs are configured this way, then the bridge is acting as a “dumb” switch. It doesn’t care about VLANs, where they are allowed to flow and from where … it’s up to the configuration of the member ports to deal with it. For ether ports you did it in the /interface ethernet switch part, and for wireless you do it in /interface wireless with vlan-mode=use-tag vlan-id=XX. For the bridge interface you do it by creating an /interface vlan.

A problem would arise if you used interfaces which are not VLAN aware (or are VLAN transparent), such as some point-to-point interfaces.

How should it be done in ROS > 6.41? I thought the only difference is the lack of “master-port” and some implementation changes underneath.


Gotcha! Makes sense.


All clear. Thanks for the comprehensive explanation! Much appreciated.

It is supposed to be done using bridge functionality (as if /interface ethernet switch did not exist). This way the bridge acts as a “smart” switch. The configuration is simplified and unified between all different interface types, one doesn’t have to care about multiple switch chips (if the device has multiple), …

But, as you already stated, all HW offload is lost (except on the CRS3xx series). There are a few devices which feature a switch chip but MT doesn’t allow configuring VLANs on them (e.g. RB4011 or RB750Gr3), so one has to use the bridge way. There are devices where the CPU is powerful enough and the CPU-switch interconnect fast enough that the bridge way is actually wire-speed (most of the time); two such devices are the hAP ac2 and RB4011 … the hAP ac is not one of them.
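For reference, this is what the “bridge way” described in the reply above would look like for the same four VLANs and the same port roles as in the original export. It is an added illustration, not configuration posted by anyone in this thread; the frame-types and ingress-filtering values are my assumptions for a tight setup, and the wireless side is left out (with CAPsMAN the datapath keeps delivering tagged frames, as the reply says, so the wlan interfaces would simply be listed under tagged= for VLAN 200/201).

```routeros
# Switch chip is left alone in the bridge way: remove the
# /interface ethernet switch vlan entries and leave the switch ports
# at the default vlan-mode=disabled (assumption: nothing else uses them).

/interface bridge
# Keep vlan-filtering off while building the table; turning it on with an
# incomplete table cuts off management access (vlan100 rides on the bridge).
add name=bridge vlan-filtering=no

/interface bridge port
# Uplink is a trunk: only tagged frames are accepted.
add bridge=bridge interface=eth1-uplink frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Access ports: pvid replaces the old default-vlan-id, and only untagged
# frames are accepted so a host cannot inject its own tag (VLAN hopping).
add bridge=bridge interface=eth2 pvid=201 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=eth3 pvid=200 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=eth4 pvid=200 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=eth5 pvid=61  frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# "bridge" as a tagged member = the CPU. It is listed only for the
# management VLAN, because that is the only VLAN that has an IP on the router.
add bridge=bridge tagged=bridge,eth1-uplink vlan-ids=100
add bridge=bridge tagged=eth1-uplink untagged=eth3,eth4 vlan-ids=200
add bridge=bridge tagged=eth1-uplink untagged=eth2 vlan-ids=201
add bridge=bridge tagged=eth1-uplink untagged=eth5 vlan-ids=61

/interface vlan
add interface=bridge name=vlan100 vlan-id=100
/ip address
add address=x.x.x.x/24 interface=vlan100 network=x.x.x.x

# Only now, with the table complete, switch the bridge into VLAN-aware mode.
/interface bridge
set bridge vlan-filtering=yes
```

Two things worth checking after applying it: `/interface bridge vlan print` should show no VLAN with an empty current-tagged/current-untagged set for a port you expect to carry it, and `/interface bridge port print` should show hw=no on every port, which is the HW-offload loss the reply refers to. Note also that, compared with the switch-chip export, the CPU is no longer a member of VLANs 200, 201 and 61 at all, so the guest and test segments cannot reach the router’s own IP stack on those VLANs.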

Many thanks again for lots of information. I had done simple testing using iperf and had noticed that the CPU in the HAP AC - like you mentioned - is not powerful enough. It was not bad, however the CPU was 99% busy and allowed for ~800mbps (single connection) vs. 1% CPU and ~930mbps with the switch chip. I am very happy with my current setup.

BTW this unified way of setting up bridge w/ VLANs is awesome. Also good to hear that other devices are powerful enough to handle full speed with CPU.

Cheers!
Łukasz