I have received my hAP ac2 recently. I spent most of my time since then reading through MT wiki pages and browsing through this forum in order to learn more about VLAN configuration. I've read the must-read topics on this forum such as viewtopic.php?t=143620. However, I still need some explanation on a few matters, as most of the configurations I've found on the MT wiki are for multi-device setups.
What I am trying to achieve is to set up a very simple home network using VLAN for isolation purposes:
- eth1 connected to ISP modem
- eth2 for management
- wlan-home (5GHz) with VID=10
- wlan-guests (5GHz) with VID=30
- wlan-iot (2.4GHz) with VID=20
mkx wrote at viewtopic.php?t=145402 that hAP ac2 has a powerful CPU, thus one should go for the vlan-filtering (bridge) approach, and that there may be some instabilities when using VLANs with a switch-chip configuration. On the other hand, hAP ac2 is marked on the MT wiki as a device that supports switch-chip VLAN filtering.
So if I understood correctly what mkx wrote, here come my first questions:
1. Are those 'instabilities' still the case? As some time has passed by since Feb 2019 (when that answer was posted).
2. In terms of throughput, should there be a big difference if I give up switch-chip for the sake of vlan-filtering (bridge)? Or for a home user (video streaming, web surfing, email, NO gaming capabilities needed) should the difference not be noticeable at all?
Another thing is that I am trying to set up WLANs, which according to the MT wiki page do not support switch-chip functionality either way:
Source: https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless
Warning: Some devices have a built-in switch chip that can switch packets between Ethernet ports with wire-speed performance. Bridge VLAN filtering disables hardware offloading (except on CRS3xx series switches), which will prevent packets from being switched, this does not affect Wireless interfaces as traffic through them cannot be offloaded to the switch chip either way.
3. Is there a way to work around that limitation (other than buying a separate AP and connecting it to one of the hAP ac2 physical ports)? Can I still somehow use switch-chip functionality with the built-in WLAN interfaces of hAP ac2, or am I "doomed" to Bridge VLAN filtering without switch-chip capabilities?
I am most probably missing some general knowledge about how WLAN interfaces and switch-chip [don't] work together. But there are no stupid questions, ey? :)
Looking through the forum as well as through the MT wiki I found a few examples where eth1 is part of a bridge together with all other ports.
4a. Should eth1 be part of a bridge for a simple VLAN setup scenario as outlined at the beginning of this post?
4b. When would I want/don't want eth1 to be part of a bridge with all other ports?
A few closing questions:
5a. Do I need a bridge for each and every VLAN? Some people tend to suggest a single-bridge setup?
5b. When and why would I want to use single-bridge vs multi-bridge (1 bridge per VLAN) setup?
By inspecting RouterSwitchAP.rsc from viewtopic.php?t=143620 I can see the main CPU port (BR1) being added to the VLAN table.
```
# Menu context for the set commands below (the bridge VLAN table)
/interface bridge vlan
# L3 switching so Bridge must be a tagged member
set bridge=BR1 tagged=BR1 [find vlan-ids=10]
set bridge=BR1 tagged=BR1 [find vlan-ids=20]
set bridge=BR1 tagged=BR1 [find vlan-ids=99]
```
6. Is it required to add the CPU port for vlan-filtering to work? I believe I also saw somewhere configuration examples which do not add the CPU port to the VLAN table. Is it mainly for management purposes here? Or is it for allowing DHCP servers etc. to be accessible from those individual VLANs? Does it expose access to the device from those VLANs?
7. Some of the configuration examples use eth1 as a tagged port for all VLANs. If eth1 in my case is the link to the ISP modem, should I also use eth1 as a tagged port for all my VLANs, or should I rather use the CPU port to allow for Bridge VLAN filtering?