VLAN with hybrid and access ports

I am coming from a WatchGuard background and started using MikroTik about a couple of weeks ago, so bear with me if I get my concepts wrong. Here is the problem that I am trying to solve.

I have a MikroTik hEX. My external / internet interface is on ether1. ether2 is used as a hybrid port for non-tagged traffic and vlan traffic (vlan id 20). The non-tagged network has a different ip pool (10.10.10.0/24) than the vlan 20 network (10.10.20.0/24). I have security cameras on vlan 20. They are accessible from the internet through a dstnat rule. All of that is just working fine. No issues.

Now, I also want to connect a weather station to ether5 on the hEX and want it to be on the same vlan as the cameras (vlan 20). The weatherstation does not send tagged packets. In the case of WatchGuard, I was able to configure the interface to ‘add tags for incoming packets’ and ‘remove tags from outgoing packets’. That way the weatherstation worked just fine and it was part of vlan 20.

I have one bridge of which ether2-ether5 and vlan 20 are members. I have tried a lot of things (including changing bridge config, adding bridges, etc) to make such a configuration work, but no success. How do I correctly add ether5 to be used for vlan 20 and still be able to access that vlan from the outside using a dstnat rule?

Thanks in advance for any help.

Have you checked this out?
https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN#Port_based_VLAN_tagging_.232_.28Trunk_and_Hybrid_ports.29

Thanks for your response. Yes, I did read this (along with a lot of other material). However, I don’t see my case reflected. Devices (i.e. cameras, weatherstation) that are on the vlan are not supposed to go out on ether1 (internet) with tagged traffic and I need to be able to have incoming packets from the internet (ether1) be directed to the vlan. Maybe my case is reflected in the article you mention but I do not understand it.

If I recall correctly, the hEX does not support Hybrid VLANs.

Please note that I have tagged and untagged traffic on ether2 (that’s hybrid, isn’t it?) and as long as I just do that things are working the way I want them to. The issue I have is that I don’t know how to add ether5 as an ‘access port’ for the same vlan that is connected to ether2.

In summary: I am receiving tagged traffic for vlan 20 on ether2 (along with untagged traffic) and would like to have ether5 to be on the same vlan 20. Only one device is connected to ether5. The device should only receive untagged packets, but the hEX on ether5 should consider that ‘port’ to be part of the vlan.

I am sure that if I were to add a switch in b/w ether5 and the device (my weatherstation) that adds tags b/w the hEX and the switch and removes the tags b/w the switch and the weatherstation things would work. So, I am essentially looking at the hEX to do that.

https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering

Thanks for pointing at that documentation. I had previously misinterpreted the term ‘vlan filtering’ as if this would filter vlans when in fact, it actually turns it on. With this flag set to ‘on’ the bridge things are now working as expected.
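
The setup that resolved this thread, written out as an added example (not posted by any participant): bridge VLAN filtering with ether2 as the hybrid port and ether5 as an untagged access port in VLAN 20. The names `bridge1` and `vlan20` and the address 10.10.20.1/24 are assumptions, as is the untagged 10.10.10.0/24 address sitting on the bridge itself.

```routeros
# Added example. bridge1, vlan20 and 10.10.20.1/24 are assumed names/values.
# Assumes ether2-ether5 are already ports of bridge1 and that the untagged
# network (10.10.10.0/24) is addressed on bridge1 itself (default PVID 1).

# ether2: hybrid port. Untagged frames stay in the default VLAN (pvid=1);
# frames tagged with VLAN 20 are admitted through the VLAN table entry below.
/interface bridge port set [find interface=ether2] pvid=1 frame-types=admit-all

# ether5: access port. Untagged frames from the weather station are placed
# into VLAN 20 on ingress, and tagged frames arriving on this port are dropped
# so the attached device cannot reach another VLAN by tagging its own traffic.
/interface bridge port set [find interface=ether5] pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# VLAN table: VLAN 20 leaves ether2 tagged and ether5 untagged.
# The bridge itself is a tagged member so the router (CPU) can route VLAN 20.
/interface bridge vlan add bridge=bridge1 vlan-ids=20 \
    tagged=bridge1,ether2 untagged=ether5

# The layer-3 VLAN interface sits on top of the bridge. It is not added
# as a bridge port, and it is not created on ether2 directly.
/interface vlan add name=vlan20 interface=bridge1 vlan-id=20
/ip address add address=10.10.20.1/24 interface=vlan20

# Enable filtering last: until this is set, the pvid, frame-types and
# VLAN table settings above are not enforced. Apply it from Safe Mode or
# from a port you will not lock yourself out of.
/interface bridge set bridge1 vlan-filtering=yes
```

An existing dstnat rule that forwards to a 10.10.20.0/24 address is unaffected by this, since the router still reaches that subnet through its VLAN 20 interface.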