I have almost everything working: my VLANs on my WiFi are working and are automatically tagged via the datapath. But tagging via an ether port doesn't seem to do anything. I am using my hAP ax3 as an AP connected via ether1 to my OPNsense router doing DHCP. Here everything is fine; when I tag my Ethernet via my PC I get the correct subnet for that VLAN.
But when I omit VLAN tagging there's no tag added and I am receiving an address in the subnet without a tag; all the settings in my bridge VLANs seem to be ignored.
Ether1 & Ether2 are my trunk ports.
I want: Ether3 on pvid 199, Ether4 on pvid 33, Ether5 on pvid 22.
I tried different configs, see below. But none of the ports receive a tag. They all work as if there's no tag.
First, why two ports to the upstream router? That is wasteful.
Second, yes the router tends to burp when turning vlan-filtering=yes.
That is why I always recommend when doing vlans to configure the router from a safe spot off the bridge.
SO:
a. remove etherX from the bridge (let's say ether2, as you already have ether1 connected to the router)
b. /interface ethernet
set ether2 name=OffBridge2
c. /ip address
# router side of the /30 (.1); the laptop below uses .2
add address=192.168.77.1/30 interface=OffBridge2 network=192.168.77.0
d. /interface list member
add interface=OffBridge2 list=LAN
add interface=OffBridge2 list=BASE
THEN:
Simply plug the laptop into ether2, change the laptop IPv4 settings to 192.168.77.2 and you should gain access.
In terms of your config… Let's try without assigning a VLAN ID in the datapath first. Keep the isolation-for-users bit, as that will have no ill effects.
/interface wifi datapath
add client-isolation=yes disabled=no name=d_path
add client-isolation=yes disabled=no name=d_path_CCTV_
(assuming ingress filtering is the default and should be on ALL bridge ports, unless the port is a hybrid port)
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="trunk to router"
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=199 comment="WWW 2"
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=33 comment="COM ROOM"
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=22 comment=MGMT
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface="wifi Rudy" pvid=22
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface="wifi guests" pvid=55
Hi Anav, thanks for the tips.
Most helpful for me was the config for the isolated port. That made testing a lot easier.
Still I had to figure out things. But I finally managed it:
I don't know why, but I was unable to make it work with a VLAN ID in the datapath.
As soon I removed the VLAN ID from the datapath I found it to work.
All the VLAN IDs I configured in the bridge, including my WiFi channels as untagged VLAN interfaces.
I configured port 3 as the isolated port, but port 2 is a second trunk port for me to connect a VLAN switch from Netgear. I am not sure this is a good idea regarding bandwidth; I didn't do an iperf test yet, but it works.
Question: Maybe it's better for performance reasons to connect a dumb 4-port 2.5 Gb/s switch between my server, which has only 2 Ethernet ports (1 WAN, 1 LAN)?
NOW:
LAN → Mikrotik switch → NetGear VLAN switch
Maybe better:
LAN → Dumb switch
  → Mikrotik switch (mostly used as multi WiFi - VLAN)
  → NetGear VLAN switch
I would add two things to the discussion, maybe you will find them helpful.
First, the “enable VLAN filtering” option on the bridge level is one of the worst names that could have been given to this option. With this option disabled, the bridge will act as a “dumb” switch and will perform no VLAN-aware activities, so the fact that PVID and other settings are ignored is actually the expected behavior. For any VLAN-aware behavior to occur, this must be turned on.
Second, ingress-filtering. Generally it should be enabled: for access ports with admit-only-untagged-and-priority-tagged, for trunk ports with admit-only-vlan-tagged and for hybrid ports with admit-all frame types. Disabling ingress filtering allows packets to ingress into VLANs of which the port is not declared a member; otherwise everything will work fine.
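Pulling the two replies together, here is a complete RouterOS 7 bridge VLAN configuration for the trunks, access ports and VLAN IDs named in this thread. It is added here as an example and is not any poster's actual export; the bridge name `bridge`, the wifi interface names, and managing the AP itself on VLAN 22 (the port commented MGMT) are assumptions.

```routeros
# Added example, not a poster's own config. Assumes a bridge named "bridge" and
# the wifi interface names used above. Run it from the off-bridge port (OffBridge2).

# Step 1: port roles. Trunks accept only tagged frames; access/wifi ports accept
# only untagged frames and stamp them with their PVID on ingress.
/interface bridge port
add bridge=bridge interface=ether1 ingress-filtering=yes frame-types=admit-only-vlan-tagged comment="trunk to router"
add bridge=bridge interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged comment="trunk to Netgear switch"
add bridge=bridge interface=ether3 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=199
add bridge=bridge interface=ether4 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=33
add bridge=bridge interface=ether5 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=22
add bridge=bridge interface="wifi Rudy" ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=22
add bridge=bridge interface="wifi guests" ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=55

# Step 2: the VLAN table. Each VLAN leaves the trunks tagged and the access port
# untagged. While vlan-filtering=no this table (and every pvid above) is ignored,
# which is exactly the "my bridge VLAN settings seem to be ignored" symptom.
# The bridge itself is a tagged member of 22 only, so the AP is reachable on MGMT alone.
/interface bridge vlan
add bridge=bridge vlan-ids=199 tagged=ether1,ether2 untagged=ether3
add bridge=bridge vlan-ids=33 tagged=ether1,ether2 untagged=ether4
add bridge=bridge vlan-ids=22 tagged=ether1,ether2,bridge untagged=ether5,"wifi Rudy"
add bridge=bridge vlan-ids=55 tagged=ether1,ether2 untagged="wifi guests"

# Step 3 (assumption): management address of the AP lives on VLAN 22, obtained
# from the OPNsense DHCP server through the trunk, via a VLAN interface on the bridge.
/interface vlan
add name=vlan22-mgmt interface=bridge vlan-id=22
/ip dhcp-client
add interface=vlan22-mgmt disabled=no

# Step 4, last: flip the bridge from "dumb switch" to VLAN-aware. Do this only
# while connected through OffBridge2, since the untagged bridge address stops
# answering once filtering is on.
/interface bridge
set bridge vlan-filtering=yes
```

Verify with `/interface bridge vlan print` (the table should show current-tagged/current-untagged columns populated) and `/interface bridge host print` to see which VLAN each learned MAC landed in.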