I want to configure VLANs on my ac3; one of these vlans is a "management" vlan (vlan 5) and I want to make the switch's web interface available on this vlan only.
Cables are connected like this:
```
[ hAP ac3 (ether1) (ether2) (ether3) (ether4) (ether5)----]-----(poe)--------[--(port 1) (port2).... CSS 610 ]
```
Hopefully relevant router configuration:
```
# apr/06/2021 23:23:48 by RouterOS 6.48.1
# software id = TANH-DJAS
#
# model = RBD53iG-5HacD2HnD
# serial number = Dxxxxxxxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no name=bridge1
/interface vlan
add interface=bridge1 name=vlan-dmz vlan-id=30
add interface=bridge1 name=vlan-lan vlan-id=10
add interface=bridge1 name=vlan-mgmt vlan-id=5
/interface ethernet switch port
set 1 default-vlan-id=10 vlan-mode=secure
set 2 default-vlan-id=10 vlan-mode=secure
set 3 default-vlan-id=5 vlan-header=add-if-missing vlan-mode=secure
set 4 default-vlan-id=5 vlan-header=add-if-missing vlan-mode=secure
set 5 vlan-mode=secure
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface ethernet switch vlan
add independent-learning=yes ports=ether4,ether5,switch1-cpu switch=switch1 vlan-id=5
add independent-learning=yes ports=ether5,ether4,switch1-cpu switch=switch1 vlan-id=20
add independent-learning=yes ports=ether5,ether4,switch1-cpu switch=switch1 vlan-id=30
add independent-learning=yes ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=10
/ip address
add address=172.19.1.1/24 interface=vlan-lan network=172.19.1.0
add address=172.19.2.1/25 interface=vlan-wifi-ap network=172.19.2.0
add address=172.19.3.1/24 interface=vlan-dmz network=172.19.3.0
add address=172.19.0.1/24 interface=vlan-mgmt network=172.19.0.0
```
With this setup, I can ping the switch from ac3, but note that the VLAN Receive setting on the "uplink" port of the switch (port1) is to accept "any", both tagged and untagged. As soon as I change this to "only tagged", the ping from ac3 starts to time out.
So the router sends the ping via the vlan-mgmt interface (172.19.0.1/24) and it reaches the switch untagged. This is where I'm getting confused; I expected traffic going out from ether5 to the switch to be tagged. It's obvious that I'm lacking some understanding here, can someone shed some light? How can I make traffic for the switch's IP address be sent out tagged as VLAN 5?
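An added audit helper (example code written for this thread, not RouterOS code and not the poster's own) that parses the switch-chip sections of the export above and reports, for the management VLAN, each member port's vlan-mode and whether frames leave it tagged, untagged, or unchanged, using the documented vlan-header semantics for Atheros/QCA switch chips. It assumes the export numbers `switch port` items from 0 in board order (item 1 = ether2 ... item 5 = switch1-cpu); adjust `PORT_NAMES` if the item order on the board differs.

```python
"""Hypothetical RouterOS 6 switch-chip VLAN egress audit (added example)."""
import re

# Assumed item order of '/interface ethernet switch port' on this board:
# item N is etherN+1, the last item is the switch CPU port.
PORT_NAMES = ["ether1", "ether2", "ether3", "ether4", "ether5", "switch1-cpu"]

# Egress meaning of vlan-header as documented for Atheros switch chips.
HEADER = {
    "leave-as-is": "tag unchanged (tagged only if it entered tagged)",
    "add-if-missing": "tagged (tag added if missing)",
    "always-strip": "UNTAGGED (tag stripped)",
}

def parse_export(text):
    """Return (ports, vlans): ports maps port name -> options from the
    'switch port' section; vlans maps vlan-id -> list of member ports."""
    ports, vlans, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):            # section header, e.g. /interface vlan
            section = line
            continue
        opts = dict(re.findall(r"(\S+?)=(\S+)", line))   # key=value pairs
        if section == "/interface ethernet switch port" and line.startswith("set "):
            ports[PORT_NAMES[int(line.split()[1])]] = opts
        elif section == "/interface ethernet switch vlan" and "vlan-id" in opts:
            vlans[int(opts["vlan-id"])] = opts["ports"].split(",")
    return ports, vlans

def egress_report(ports, vlans, vlan_id):
    """List (port, vlan-mode, egress description) for each member of vlan_id.
    A port missing from the VLAN table cannot carry that VLAN in secure mode."""
    report = []
    for port in vlans.get(vlan_id, []):
        opts = ports.get(port, {})
        header = opts.get("vlan-header", "leave-as-is")   # RouterOS default
        report.append((port, opts.get("vlan-mode", "(default)"), HEADER[header]))
    return report

# Switch-chip sections copied from the post above (sample input for the audit).
EXPORT = """
/interface ethernet switch port
set 1 default-vlan-id=10 vlan-mode=secure
set 2 default-vlan-id=10 vlan-mode=secure
set 3 default-vlan-id=5 vlan-header=add-if-missing vlan-mode=secure
set 4 default-vlan-id=5 vlan-header=add-if-missing vlan-mode=secure
set 5 vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=yes ports=ether4,ether5,switch1-cpu switch=switch1 vlan-id=5
add independent-learning=yes ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=10
"""
```

Run `egress_report(*parse_export(EXPORT), 5)` to see that, under the assumed numbering, ether4 and ether5 add a tag on egress while switch1-cpu keeps whatever tag state the frame arrived with.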