 
ashpri
Frequent Visitor
Topic Author
Posts: 87
Joined: Sun Oct 14, 2018 3:11 am

Use router as switch (switch chip), bridge needed?

Thu May 16, 2019 5:05 pm

I am using a HAPAC2 (Atheros 8327 switch chip) purely as a switch, in a VLAN environment. The reason I am using the switch chip (correct me if I am wrong) is my understanding that enabling VLANs on the bridge will disable hardware offloading and reduce the throughput of the HAPAC2 as a switch, since all traffic will have to go through the CPU.

Ports 1-4 are trunk ports: 1 = uplink, 2 = downlink, 3 and 4 = to Unifi APs, which will tag particular SSIDs to a VLAN.
Port 5 is an access port for VLAN 5.

I would like devices plugged into ports 2-4 to default to VLAN98. There is a hotspot running on this vlan, so if an anonymous device connects to an unprotected network jack, it is in the protected hotspot VLAN. That is my idea of protecting the network from anonymous devices. I would like the HAPAC2's mgmt vlan to be VL3.

Questions:
1. Do I need to create a bridge and add all ether ports to the bridge?
2. How do I set the HAPAC2's mgmt vlan to VL3?
3. I'm stumped on how to set the switch chip so that a random device plugged into say, port 3, will get the address on the existing dhcp server for VL98.

------

These are the relevant settings. There is no bridge set.

/interface ethernet switch port
set 0 vlan-mode=fallback
set 1 vlan-mode=fallback
set 2 vlan-mode=fallback
set 3 vlan-mode=fallback
set 4 default-vlan-id=5 vlan-header=always-strip vlan-mode=fallback
set 5 vlan-mode=fallback

/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=1
add independent-learning=yes ports=ether1,ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=3
add independent-learning=yes ports=ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=5
add independent-learning=yes ports=ether1,ether2,ether3,ether4 switch=switch1 vlan-id=99
add independent-learning=yes ports=ether1,ether2,ether3,ether4 switch=switch1 vlan-id=98

/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether1
 
Dude2048
Frequent Visitor
Posts: 52
Joined: Thu Sep 01, 2016 4:04 pm

Re: Use router as switch (switch chip), bridge needed?

Thu May 16, 2019 5:45 pm

 
tdw
Member Candidate
Posts: 136
Joined: Sat May 05, 2018 11:55 am

Re: Use router as switch (switch chip), bridge needed?  [SOLVED]

Thu May 16, 2019 5:56 pm

Questions:
1. Do I need to create a bridge and add all ether ports to the bridge?
Yes, see https://wiki.mikrotik.com/wiki/Manual:B ... witch_chip
2. How do I set the HAPAC2's mgmt vlan to VL3?
The example in the Wiki uses VLAN99 for management, adjust as required
3. I'm stumped on how to set the switch chip so that a random device plugged into say, port 3, will get the address on the existing dhcp server for VL98.
Configure as a "hybrid" port with VLAN98 untagged and the other VLANs tagged, see https://wiki.mikrotik.com/wiki/Manual:S ... d_Ports.29. Note this is only possible on gigabit switch chips (QCA8337, Atheros8327).

Be aware that management for UniFi devices is always untagged - you can't have a hybrid port on the Mikrotik which provides an untagged guest network if someone were to unplug an AP and connect a laptop, unless your UniFi management is on the guest network.
 
ashpri
Frequent Visitor
Topic Author
Posts: 87
Joined: Sun Oct 14, 2018 3:11 am

Re: Use router as switch (switch chip), bridge needed?

Sun May 19, 2019 2:06 am

Thank you for the link. That seems to work in the lab, although I have not tested every permutation of possible real conditions.

This is what I did, as a guide for others. To summarise, what I am trying to do is use a HAPAC2 and POWERBOX-PRO as a VLAN-enabled switch, using the speed of the switch chip and bypassing the routing CPU.

/interface bridge
add name=bridge1 protocol-mode=none
Note: Bridge VLAN filtering is not enabled. If enabled, Hardware Offloading to the switch chip is disabled.

/interface ethernet
set [ find default-name=ether1 ] comment="UPLINK (TRUNK)"
set [ find default-name=ether2 ] comment="DOWNLINK (TRUNK)"
set [ find default-name=ether3 ] comment="HOTSPOT (TRUNK)"
set [ find default-name=ether4 ] comment="OFFICE VL10"
set [ find default-name=ether5 ] comment="CCTV VL35"
Note: the default/native VLAN for ports 1 and 2 (uplink & downlink) is VL98 Hotspot (set from the uplink switch). When a rogue device plugs in, it should be prevented from accessing anything of note. Office devices and the server are on VL10.

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5

/interface vlan
add interface=bridge1 name="VL03 - Network Device" vlan-id=3
add interface=bridge1 name="VL05 - IT Admins" vlan-id=5
add interface=bridge1 name="VL10 - Servers & Office" vlan-id=10
add interface=bridge1 name="VL35 - CCTV" vlan-id=35
add interface=bridge1 name="VL98 - Old Hotspot" vlan-id=98
add interface=bridge1 name="VL99 - New Hotspot" vlan-id=99

/interface ethernet switch port
set 0 vlan-mode=fallback
set 1 vlan-mode=fallback
set 2 vlan-mode=fallback
set 3 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=35 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=fallback

/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2,ether3,switch1-cpu switch=switch1 vlan-id=1
add independent-learning=yes ports=ether1,ether2,ether3,switch1-cpu switch=switch1 vlan-id=3
add independent-learning=yes ports=ether1,ether2,ether3 switch=switch1 vlan-id=5
add independent-learning=yes ports=ether1,ether2,ether3,ether4 switch=switch1 vlan-id=10
add independent-learning=yes ports=ether1,ether2,ether3,ether5 switch=switch1 vlan-id=35
add independent-learning=yes ports=ether1,ether2,ether3 switch=switch1 vlan-id=99

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface="VL03 - Network Device"
Note: The HAPAC2 (and other network devices) is managed on VL3.
Last edited by ashpri on Sun May 19, 2019 2:38 am, edited 2 times in total.
 
ashpri
Frequent Visitor
Topic Author
Posts: 87
Joined: Sun Oct 14, 2018 3:11 am

Re: Use router as switch (switch chip), bridge needed?

Sun May 19, 2019 2:24 am

Configure as a "hybrid" port with VLAN98 untagged and the other VLANs tagged, see https://wiki.mikrotik.com/wiki/Manual:S ... d_Ports.29.
Note this is only possible on gigabit switch chips (QCA8337, Atheros8327).

Be aware that management for UniFi devices is always untagged - you can't have a hybrid port on the Mikrotik which provides an untagged guest network if someone were to unplug an AP and connect a laptop, unless your UniFi management is on the guest network.

Question: How would you accomplish hybrid ports on QCA9533 (Powerbox & Hap Lite) and QCA9531 (Hap AC Lite)?

Update: Looking at this post, it seems that other switch chips besides the QCA8337 and Ath8327 can accomplish hybrid ports. viewtopic.php?t=105102
 
mkx
Forum Guru
Posts: 2482
Joined: Thu Mar 03, 2016 10:23 pm

Re: Use router as switch (switch chip), bridge needed?

Sun May 19, 2019 12:21 pm

I'm running RB951G, featuring Atheros 8327, with ether port as hybrid.

Configured like this:
/interface ethernet switch port
# port with index 4 below is ether5, which is hybrid: tagged VID=3999 
#          and untagged, which is tagged with VLAN tag VID=2 on ingress 
#          and VID=2 frames get untagged on egress
set 4 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether5 switch=switch1 vlan-id=3999
add independent-learning=yes ports=switch1-cpu,ether5 switch=switch1 vlan-id=2

The only weird thing done by Ar8327 is that it ignores vlan-header= setting and does whatever it sees fit.
BR,
Metod
 
tdw
Member Candidate
Posts: 136
Joined: Sat May 05, 2018 11:55 am

Re: Use router as switch (switch chip), bridge needed?

Sun May 19, 2019 2:23 pm

The only weird thing done by Ar8327 is that it ignores vlan-header= setting and does whatever it sees fit.
Only for vlan-mode=secure where the VLAN table and port PVID determine what is tagged or untagged instead.
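As an added check (not from the thread, and not a MikroTik tool): a small parser for the switch-chip export format used in these posts that reports, per vlan-mode=secure port, which VLANs leave tagged and which untagged (the PVID rule tdw describes), and flags a PVID with no VLAN-table entry for that port or a management VLAN without switch1-cpu (the lock-out case ashpri's VL03 entry avoids). It assumes the index-to-port mapping mkx notes (switch port index N is etherN+1); the sample export is constructed and deliberately includes one broken access port.

```python
# Constructed sample (not from the thread): mkx's hybrid port (ether5) plus a
# deliberately broken access port (ether4 in secure mode, PVID 10, no VLAN-10 entry).
SAMPLE_EXPORT = """/interface ethernet switch port
set 3 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether5 switch=switch1 vlan-id=3999
add independent-learning=yes ports=switch1-cpu,ether5 switch=switch1 vlan-id=2
"""

def parse_export(text):
    """Return ({port: {option: value}}, {vlan_id: set(member ports)})."""
    ports, vlans, section = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
            continue
        words = line.split()
        opts = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        if section == "/interface ethernet switch port" and line.startswith("set "):
            # assumption, matching mkx's comment above: port index N is etherN+1
            ports["ether%d" % (int(words[1]) + 1)] = opts
        elif section == "/interface ethernet switch vlan" and line.startswith("add "):
            vlans[int(opts["vlan-id"])] = set(opts["ports"].split(","))
    return ports, vlans

def port_tagging(ports, vlans):
    """secure mode: the PVID leaves untagged, other table memberships leave tagged."""
    result = {}
    for port, opts in ports.items():
        if opts.get("vlan-mode") != "secure":
            continue
        pvid = int(opts.get("default-vlan-id", 1))
        members = sorted(v for v, p in vlans.items() if port in p)
        result[port] = {"untagged": pvid if pvid in members else None,
                        "tagged": [v for v in members if v != pvid]}
    return result

def audit(ports, vlans, mgmt_vlan):
    """Findings that would leave an access port dead or the router unmanageable."""
    findings = []
    for port, tag in port_tagging(ports, vlans).items():
        if tag["untagged"] is None:
            findings.append("%s: PVID %s is not in the VLAN table for this port; secure mode "
                            "drops its untagged traffic" % (port, ports[port].get("default-vlan-id", 1)))
    if "switch1-cpu" not in vlans.get(mgmt_vlan, set()):
        findings.append("management VLAN %d has no switch1-cpu member; the CPU (and its "
                        "DHCP client) cannot receive it" % mgmt_vlan)
    return findings
```

Feed it `/interface ethernet switch port export` plus `/interface ethernet switch vlan export` output and the management VLAN id; an empty findings list means every secure-mode PVID is backed by a table entry and the CPU is a member of the management VLAN.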
