Two VLANs in a bridge or two bridges

Posted: Sat Aug 03, 2019 12:17 pm
by ros44
My router is hAP ac2 and I might change it with RB4011.

Should I set up two bridges (WAN_BRIGE: port 1+2) and (LAN_BRIGE: port 3+4+5+wlan1+wlan2) or should I go for one bridge with two VLANs?

I have had this question for a while. Also in the post Using RouterOS to VLAN your network (viewtopic.php?f=13&t=143620) both @pcunite and @mkx mention something in this direction.

My ISP is giving me an IPTV set-top-box that should be in the same broadcast domain as the WAN port of the router. The initial installation was with a dumb switch connecting the set-top-box, my router's WAN port and the cable from the ISP. I removed the switch and now port 1 and port 2 of my MikroTik are members of WAN_BRIGE and port 3-5, wlan1, 2 are members of LAN_BRIGE.

1. Should I continue using two bridges or go for one bridge with two VLANs? What are the pros and cons? Which setup is faster/CPU friendly and more secure and will not disable HW offloading?

2. Do I need to use /interface ethernet switch for anything in any of the scenarios above, or is it deprecated since 6.41? I still cannot figure that out.

Posted: Sat Aug 03, 2019 12:58 pm
by mkx
The option with two bridges allows HW offload on the ether ports of one of the bridges (probably you want this on the LAN bridge), while single-bridge-multiple-VLAN does not if VLANs are configured on the bridge.
If functionality-wise you're happy with your current setup, then you should stick to it.

If you stick to two bridges, then /interface ethernet switch submenu is not needed. If you switch over to single bridge VLAN, then you can either configure VLANs on bridge only or you can do VLANs on switch chip (it seems that RBD52G features some minor bugs in that regard so if you go the switch chip way and experience ether port hangups, you'd have to go the bridge-VLAN way to avoid instabilities).
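To make the "single bridge, VLANs on the bridge" option concrete, here is an added example of what the poster's two-bridge layout (ether1+ether2 in the ISP/IPTV domain, ether3-5 and both wlans in the LAN domain) looks like as one VLAN-filtering bridge. It is not configuration from this thread or from MikroTik; the bridge name, the VLAN IDs (10 and 20), the interface names and the LAN address are assumptions chosen for illustration.

```routeros
# Added example, not from the thread. Assumed names: bridge1, vlan10-wan,
# vlan20-lan; assumed VLAN IDs: 10 = ISP/IPTV domain, 20 = LAN.
# Create the bridge with filtering OFF so a half-built VLAN table cannot
# lock you out; it is switched on as the last step.
/interface bridge
add name=bridge1 vlan-filtering=no comment="single bridge, VLANs on bridge"

# Access ports. pvid puts each port's untagged traffic into one VLAN.
# frame-types + ingress-filtering make the port drop any tagged frame a host
# sends, so a LAN device cannot tag itself into VLAN 10 and reach the ISP side.
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether4 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether5 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=wlan1  pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=wlan2  pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# VLAN table: the only place the two domains are allowed to appear.
# No port is listed in both VLANs, so the bridge never forwards a frame
# from the ISP side to a LAN port or vice versa. The bridge itself is a
# tagged member of each VLAN so the router can own an L3 interface in each.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether1,ether2
add bridge=bridge1 vlan-ids=20 tagged=bridge1 untagged=ether3,ether4,ether5,wlan1,wlan2

# Router-side interfaces: vlan10-wan takes the role of the old WAN bridge,
# vlan20-lan the role of the old LAN bridge.
/interface vlan
add name=vlan10-wan interface=bridge1 vlan-id=10
add name=vlan20-lan interface=bridge1 vlan-id=20

# Addressing (assumed LAN prefix). Firewall rules and interface lists must
# now reference vlan10-wan / vlan20-lan, not the bridge or the ether ports.
/ip dhcp-client
add interface=vlan10-wan disabled=no
/ip address
add address=192.168.88.1/24 interface=vlan20-lan

# Last step: enable filtering. Until this line, the VLAN table is not enforced.
/interface bridge
set bridge1 vlan-filtering=yes
```

Two checks are worth running after applying it: `/interface bridge vlan print` should show exactly the two rows above (any port appearing in both VLANs would be a leak between the ISP and LAN domains), and `/interface bridge port print` shows whether the H (hw-offload) flag survived; as mkx notes above, with VLANs configured on the bridge it will not on this board, which is the trade-off against the two-bridge layout.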

Posted: Sun Aug 04, 2019 10:11 pm
by ros44
Thank you, Metod. This is my 3rd weekend reading the wiki and the forum + watching MUM videos. I want to deep dive.

I still cannot get an overview of what the difference is between configuring VLANs in the bridge and doing it via the switch menu. My OCD kicks in and I am trying to figure out when to use what.

1. If I add everything in one bridge and then set up two VLANs via the switch menu would this make the switch-chip do all the job and not bother the CPU? Would this be equal to having HW offloading on two bridges?

Obviously configuring things in the switch menu is more error-prone.
2. Am I right to assume that adding all interfaces to one bridge and then making a wrong config in the switch menu exposes the risk of bridging the interface I use for WAN with the LAN interfaces, or at least leaking some packets into the network of the ISP? Using the bridge menu and adding my interfaces to two separate bridges would be more idiot-proof.

Also in the wiki, it is said that:
The reason why only one bridge has the hardware offloading flag available is because the device does not support port isolation. If port isolation is not supported, then only one bridge will be able to offload the traffic to the switch chip.

Then in another wiki page, it is said:
Port isolation provides the possibility to divide (isolate) certain parts of your network; this might be useful when you need to make sure that certain devices cannot access other devices, and this can be done by isolating switch ports. Switch port isolation is available on all switch chips since RouterOS v6.43.
3. Is this a contradiction?

I would appreciate keywords to search for, links to articles or anything that will give me a real in-depth understanding of this topic.

Update: I found a few forum posts that have some of my questions and I will take time to read them as well.