Default VLAN (PVID / native vlan) + VLAN on one port

TomHome · Tue Aug 23, 2016 11:19 pm

Hi,

I am trying to have 4 VLANs on ether5 and if the traffic is untagged (no VLAN id) I want the traffic to be part of VLAN5.
If I plug a non VLAN aware device on the port, I do not get comms

e.g: Linux without vlan aka eth0).
If I plug a VLAN aware device, it does work. (eg: Linux with eth0.5 or eth0.10)

So how do you set up a 'catch-all' VLAN where any untagged traffic goes into?
I think in Cisco land this is called 'Native VLAN' on a trunk port.

Router: RB750GL - 6.35.2

Configuration

[admin@MikroTik] /interface vlan> print
Flags: X - disabled, R - running, S - slave 
 #    NAME                           MTU ARP        VLAN-ID INTERFACE                        
 0 R  australia                     1500 enabled         20 ether5                           
 1 R  backbone                      1500 enabled          5 ether5                           
 2 R  france                        1500 enabled         10 ether5                           
 3 R  riot                          1500 enabled        666 ether5 
 
 [admin@MikroTik] /interface> ethernet switch print 
Flags: I - invalid 
 #   NAME          TYPE            MIRROR-SOURCE        MIRROR-TARGET        SWITCH-ALL-PORTS
 0   switch1       Atheros-8327    none                 none  
 
 [admin@MikroTik] /interface> ethernet switch port print 
Flags: I - invalid 
 #   NAME                   SWITCH                   VLAN-MODE VLAN-HEADER    DEFAULT-VLAN-ID
 0   ether1                 switch1                  disabled  leave-as-is               auto
 1   ether2-master          switch1                  disabled  leave-as-is               auto
 2   ether3                 switch1                  disabled  leave-as-is               auto
 3   ether4                 switch1                  disabled  leave-as-is               auto
 4   ether5                 switch1                  fallback  leave-as-is                  5
 5   switch1-cpu            switch1                  disabled  leave-as-is               auto

TomHome · Thu Sep 01, 2016 2:07 pm

If it helps, what I am trying to plug is a Unifi AP ... but this silly thing does not have vlan tagging for management

Therefore at the moment, the 3 x SSID are correctly tagged in their VLAN but the management interface is untag traffic I would like to send in VLAN5

mpreissner · Thu Sep 01, 2016 6:15 pm

What you're doing is creating a hybrid port. See the wiki...http://wiki.mikrotik.com/wiki/Manual:Sw ... d_Ports.29

abjadhoz · Tue Sep 06, 2016 3:57 pm

in ip arp select add and put mac address and ip of device you want connect to ros

TomHome · Sat Sep 24, 2016 2:25 pm

I tried and it does not work. I can't believe it is that hard.

I have one interface (eth5) with 4 VLANs on it. That's easy but how do we say in Microtik words: put anything untagged in VLAN 5.

Also, bloody Ubiquiti AP Pro if only the managed port could be tagged!

pe1chl · Sat Sep 24, 2016 2:49 pm

What do you mean with "when the traffic is untagged I want it to be part of VLAN 5"?
When it is VLAN 5 it is tagged with VLAN 5.
When you want it to be untagged, just use ether5.

richinuk · Sun Sep 25, 2016 1:54 am

Is this on a RB router or switch product?

If on a router I had the similar issue. I solved it by bridging the untagged interface ether5 to the outbound VLAN5 ether2.5. The problem this cased was that ether2.5 saw not only the untagged packets, but duplicates of all the tagged packets that came in to ether5.1, ether5.2 etc. So I put a bridge filter to remove anything with a vlan ethertype. Crude, but worked.

If on a switch - no idea. Never used a ROS based switch.

Rich

magchiel · Sun Sep 25, 2016 12:25 pm

I have one interface (eth5) with 4 VLANs on it. That's easy but how do we say in Microtik words: put anything untagged in VLAN 5.

/interface ethernet switch port
set ether5 default-vlan-id=5 vlan-header=add-if-missing vlan-mode=fallback

TomHome · Mon Oct 03, 2016 11:40 pm

Hi guys,

@pe1chl: I am mean that if there is no VLAN tag on a packet (non VLAN aware traffic) inbound to the interface. I would like this traffic to be automatically tagged in a VLAN of my choice. FWIW, the feature I am after in Cisco land, it is called Native VLAN. In my case, the Ubiquiti Access Point can tag traffic from different SSID but it cannot tag its own management traffic (Silly!) so I need a port for the AP that has one VLAN per SSID and allow the management traffic (non VLAN aware) to be sent in the right layer2 (so DHCP will work for instance).

@richinuk: Yes it is on a router. RB750GL - 6.35.2. Would you mind sharing your config?

@magchiel : I am fairly sure I tried all possible combinations. I will try again yours and I will keep you posted. But that's the thing I am after, yes!

TomHome · Sat Oct 08, 2016 12:20 am

I have one interface (eth5) with 4 VLANs on it. That's easy but how do we say in Microtik words: put anything untagged in VLAN 5.
Code: Select all
/interface ethernet switch port
set ether5 default-vlan-id=5 vlan-header=add-if-missing vlan-mode=fallback

This does not work. I don't get a default vlan id. In fact all tagged VLANs also stop working when the vlan-mode for the port is set to something else than 'disabled'

magchiel · Sat Oct 08, 2016 9:55 am

This does not work. I don't get a default vlan id. In fact all tagged VLANs also stop working when the vlan-mode for the port is set to something else than 'disabled'

Granted, it has been a while since I've configured VLANs on the switch chip, but vlan-mode=disabled ignores all VLAN tags so if configuring anything other and things stop working this suggests the configuration of your VLAN table is off.

Also, getting the VLAN configuration on both CPU and switch working in synergy can feel less than straightforward. If you actually want to do something with the traffic in /interface vlan, you have to configure the VLAN table and port for CPU as well, e.g.

/interface ethernet switch vlan
add ports=ether5,switch1-cpu switch=switch1 vlan-id=5
/interface ethernet switch port
set ether5 default-vlan-id=5 vlan-header=add-if-missing vlan-mode=fallback
set switch1-cpu vlan-mode=fallback vlan-header=leave-as-is
/interface vlan
add name=backbone vlan-id=5 interface=ether5

If this doesn't do the trick for you, please share

/interface export

gauchi · Sat Oct 15, 2016 6:05 pm

Having exactly the same problem (connect unifi uap-ac-pro to a rb750 - I assume we will meet again on the ubiquity forums for radius-assigned vlans...), I did some experimenting.

It seems that for these hybrid ports, the VLAN tag usually only exists within the switch, i.e. there is no tag on the packet once it leaves the switch. VLAN-based rules still apply within the switch.

To get the packet actually tagged, the egress port (switch1-cpu in this case) has to be set to "add if missing". If this mode is set (make sure to add a VLAN interface on the cpu port first or you can't access your router any more) packets from the hybrid port get tagged and VLAN-aware systems on other ports, including the cpu, get packets from that port.
However, it seems that the answers do not get un-tagged if packets for the default VLAN arrive. Therefore the non-vlan-aware system cannot interpret the incoming responses. This can be fixed by setting the port to "always strip". In that configuration, communication is possible.

Unfortunately, "always strip" does exactly what it says: it strips all VLAN tags from packets leaving at this port. Therefore, you cannot use other VLANs on this port.

Therefore my conclusion is (for now) that hybrid ports do not seem to work properly at the moment.

I would be very grateful if anyone had any further advice for me regarding this topic since at the moment, the best solution that I can imagine would be to put the wireless lan controller (together with the radius server) on another switch port with the same default VLAN in order to get this thing running .

magchiel · Sun Oct 16, 2016 1:08 pm

I have been going through my old configs and the wiki page http://wiki.mikrotik.com/wiki/Manual:Sw ... p_Features which is not easy to interpret on this matter to say the least.

Having exactly the same problem (connect unifi uap-ac-pro to a rb750 - I assume we will meet again on the ubiquity forums for radius-assigned vlans...), I did some experimenting.
....

Therefore my conclusion is (for now) that hybrid ports do not seem to work properly at the moment.

VLAN Hybrid ports which can forward both tagged and untagged traffic are supported only by some Gigabit switch chips (QCA8337, AR8327)

-http://wiki.mikrotik.com/wiki/Manual:Sw ... d_Ports.29

So if it's just the plain RB750 you're right it's not working, but it's just not supported on your model.

I would be very grateful if anyone had any further advice for me regarding this topic since at the moment, the best solution that I can imagine would be to put the wireless lan controller (together with the radius server) on another switch port with the same default VLAN in order to get this thing running .

One workaround that springs to mind is to use bridges, e.g. bridge the ingress ethernetport with untagged traffic to a VLAN interface on the egress port. Haven't test it though.

Router: RB750GL - 6.35.2

This model should support hybrid ports according to the wiki.

I originally posted to use 'vlan-header=add-if-missing', but this works for trunk so my suggestion was off.
vlan-mode=leave-as-is with a default-vlan-id is appropriate for hybrid ports so:

/interface ethernet switch port
set ether5 vlan-mode=fallback vlan-header=leave-as-is default-vlan-id=5

'vlan-mode=fallback' however handles tags not present in the VLAN table as untagged. The big question now is if this also means they cannot get picked up anymore by RouterOS to interact with those configured under /interface vlan. As your config works with 'vlan-mode=disabled' I'd say it should work with 'vlan-mode=fallback' IF the vlan-header attribute is set correctly.

gauchi · Wed Oct 19, 2016 12:06 am

So if it's just the plain RB750 you're right it's not working, but it's just not supported on your model.

Thanks a lot, I think it is time to get a new board then - I wanted a second one for experimenting anyways - It is too annoying to be locked out by sending requests in the wrong order...

raymonvdm · Sun Oct 28, 2018 11:03 pm

I`m trying to tag untagged traffic comming in on ether2 to be tagged with vlan160. But i cannot get it to work.

I`m running RouterOS 6.43 on a 2011UiAS which has the Atheros 8327 switchchip.

Can anyone explain which steps to take? Since the above steps didn`t gave me a working setup

Default VLAN (PVID / native vlan) + VLAN on one port

Default VLAN (PVID / native vlan) + VLAN on one port

Re: Default VLAN (PVID / native vlan) + VLAN on one port

Re: Default VLAN (PVID / native vlan) + VLAN on one port

Re: Default VLAN (PVID / native vlan) + VLAN on one port

Re: Default VLAN (PVID / native vlan) + VLAN on one port

Re: Default VLAN (PVID / native vlan) + VLAN on one port

Re: Default VLAN (PVID / native vlan) + VLAN on one port

Re: Default VLAN (PVID / native vlan) + VLAN on one port

Re: Default VLAN (PVID / native vlan) + VLAN on one port

Re: Default VLAN (PVID / native vlan) + VLAN on one port

Re: Default VLAN (PVID / native vlan) + VLAN on one port

Re: Default VLAN (PVID / native vlan) + VLAN on one port

Re: Default VLAN (PVID / native vlan) + VLAN on one port

Re: Default VLAN (PVID / native vlan) + VLAN on one port

Re: Default VLAN (PVID / native vlan) + VLAN on one port

Who is online