I am using a HAPAC2 (Atheros 8327 switch chip) purely as a switch, in a VLAN environment. The reason I am using the switch chip, correct me if I am wrong, is my understanding that enabling vlans on the bridge will disable hardware offloading and will reduce the throughput of the HAPAC2 as a switch since all traffic will have to go through the CPU.
Port 1-4 are trunk ports : 1 = uplink, 2 = downlink, 3 and 4 = to Unifi APs which will tag particular SSIDs to a vlan.
Port 5 is an access port for VLAN 5.
I would like devices plugged into ports 2-4 to default to VLAN98. There is a hotspot running on this vlan, so if an anonymous device connects to an unprotected network jack, it is in the protected hotspot VLAN. That is my idea of protecting the network from anonymous devices. I would like the HAPAC2's mgmt vlan to be VL3.
Questions:
1. Do I need to create a bridge and add all ether ports to the bridge?
2. How do I set the HAPAC2's mgmt vlan to VL3?
3. I'm stumped on how to set the switch chip so that a random device plugged into say, port 3, will get the address on the existing dhcp server for VL98.
------
These are the relevant settings. There is no bridge set.
/interface ethernet switch port
set 0 vlan-mode=fallback
set 1 vlan-mode=fallback
set 2 vlan-mode=fallback
set 3 vlan-mode=fallback
set 4 default-vlan-id=5 vlan-header=always-strip vlan-mode=fallback
set 5 vlan-mode=fallback
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=1
add independent-learning=yes ports=ether1,ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=3
add independent-learning=yes ports=ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=5
add independent-learning=yes ports=ether1,ether2,ether3,ether4 switch=switch1 vlan-id=99
add independent-learning=yes ports=ether1,ether2,ether3,ether4 switch=switch1 vlan-id=98
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=ether1
Re: Use router as switch (switch chip), bridge needed?
Should be something like this https://wiki.mikrotik.com/wiki/Manual:S ... s_Ports.29
Re: Use router as switch (switch chip), bridge needed? [SOLVED]
Yes, see https://wiki.mikrotik.com/wiki/Manual:B ... witch_chipQuestions:
1. Do I need to create a bridge and add all ether ports to the bridge?
The example in the Wiki usese VLAN99 for management, adjust as required2. How do I set the HAPAC2's mgmt vlan to VL3?
Configure as a "hybrid" port with VLAN98 untagged and the other VLANs tagged, see https://wiki.mikrotik.com/wiki/Manual:S ... d_Ports.29. Note this is only possible on gigabit switch chips (QCA8337, Atheros8327).3. I'm stumped on how to set the switch chip so that a random device plugged into say, port 3, will get the address on the existing dhcp server for VL98.
Be aware that management for UniFi devices is always untagged - you can't have a hybrid port on the Mikrotik which provides an untagged guest network if someone were to unplug an AP and connect a laptop, unless your UniFi management is on the guest network.
Re: Use router as switch (switch chip), bridge needed?
Thank you for the link. That seems to work in the lab, although I have not tested every permutation of possible real condition.
This is that I did, as a guide for others. To summarise, what I am trying to do is use a HAPAC2 and POWERBOX-PRO as a VLAN enabled switch, using the speed of switch chip, bypassing the routing cpu.
This is that I did, as a guide for others. To summarise, what I am trying to do is use a HAPAC2 and POWERBOX-PRO as a VLAN enabled switch, using the speed of switch chip, bypassing the routing cpu.
Code: Select all
/interface bridge
add name=bridge1 protocol-mode=none
Note: Bridge VLAN filtering is not enabled. If enabled, Hardware Offloading to the switch chip is disabled.
/interface ethernet
set [ find default-name=ether1 ] comment="UPLINK (TRUNK)"
set [ find default-name=ether2 ] comment="DOWNLINK (TRUNK)"
set [ find default-name=ether3 ] comment="HOTSPOT (TRUNK)"
set [ find default-name=ether4 ] comment="OFFICE VL10"
set [ find default-name=ether5 ] comment="CCTV VL35"
Note: default/native vlan for port 1 and 2 uplink & downlink is VL98 Hotspot (set from uplink switch). When a rogue device plugs in, they should be prevented from accessing anything of note. Office devices and server are on VL10.
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface vlan
add interface=bridge1 name="VL03 - Network Device" vlan-id=3
add interface=bridge1 name="VL05 - IT Admins" vlan-id=5
add interface=bridge1 name="VL10 - Servers & Office" vlan-id=10
add interface=bridge1 name="VL35 - CCTV" vlan-id=35
add interface=bridge1 name="VL98 - Old Hotspot" vlan-id=98
add interface=bridge1 name="VL99 - New Hotspot" vlan-id=99
/interface ethernet switch port
set 0 vlan-mode=fallback
set 1 vlan-mode=fallback
set 2 vlan-mode=fallback
set 3 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=35 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=fallback
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2,ether3,switch1-cpu switch=switch1 vlan-id=1
add independent-learning=yes ports=ether1,ether2,ether3,switch1-cpu switch=switch1 vlan-id=3
add independent-learning=yes ports=ether1,ether2,ether3 switch=switch1 vlan-id=5
add independent-learning=yes ports=ether1,ether2,ether3,ether4 switch=switch1 vlan-id=10
add independent-learning=yes ports=ether1,ether2,ether3,ether5 switch=switch1 vlan-id=35
add independent-learning=yes ports=ether1,ether2,ether3 switch=switch1 vlan-id=99
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface="VL03 - Network Device"
Note: The HAPAC2 (and other network devices) is managed on VL3.
Last edited by ashpri on Sun May 19, 2019 2:38 am, edited 2 times in total.
Re: Use router as switch (switch chip), bridge needed?
Configure as a "hybrid" port with VLAN98 untagged and the other VLANs tagged, see https://wiki.mikrotik.com/wiki/Manual:S ... d_Ports.29.
Note this is only possible on gigabit switch chips (QCA8337, Atheros8327).
Be aware that management for UniFi devices is always untagged - you can't have a hybrid port on the Mikrotik which provides an untagged guest network if someone were to unplug an AP and connect a laptop, unless your UniFi management is on the guest network.
Question: How would you accomplish hybrid ports on QCA9533 (Powerbox & Hap Lite) and QCA9531 (Hap AC Lite)?
Update: Looking at this post, it seems that other switch chips besides the QCA8337 and Ath8327 can accomplish hybrid ports. viewtopic.php?t=105102
Re: Use router as switch (switch chip), bridge needed?
I'm running RB951G, featuring Atheros 8327, with ether port as hybrid.
Configured like this:
The only weird thing done by Ar8327 is that it ignores vlan-header= setting and does whatever it sees fit.
Configured like this:
Code: Select all
/interface ethernet switch port
# port with index 4 below is ether5, which is hybrid: tagged VID=3999
# and untagged, which is tagged with VLAN tag VID=2 on ingress
# and VID=2 frames get untagged on egress
set 4 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether5 switch=switch1 vlan-id=3999
add independent-learning=yes ports=switch1-cpu,ether5 switch=switch1 vlan-id=2
The only weird thing done by Ar8327 is that it ignores vlan-header= setting and does whatever it sees fit.
Re: Use router as switch (switch chip), bridge needed?
Only for vlan-mode=secure where the VLAN table and port PVID determine what is tagged or untagged instead.The only weird thing done by Ar8327 is that it ignores vlan-header= setting and does whatever it sees fit.