I have made some tests with 8227 switch chip and the result is that VLAN ID 0 (which is normally reserved to indicate that the 802.1Q tag only carries the CoS information) can be used to control handling of tagless packets on the switch chip, so you can have
- internet uplink tagless together with IPTV tagged on the same physical interface (ether1)
- tagless IPTV alone on another physical interface (ether4)
- if required, tagless LAN on the remaining physical interfaces (ether2, ether3) still with "hardware acceleration" (forwarding by the switch chip) between these two interfaces.
To do that from the default CPE configuration, you need to:
- keep the currently existing bridge (referred to as "bridge-lan"), with member ports ether2 and ether3 and the current LAN IP configuration attached to it, except that you would change the "hw" setting to "no" in "/interface bridge port" settings. Detach ether4 from that bridge.
- create another bridge (named e.g. "bridge-wan" or just "bridge" if the final goal is to implement point 3 above as well), with "protocol=none"
- attach the WAN IP configuration (static, dhcp client, pppoe client - whatever) directly to "bridge-wan" itself, and make ether1 a member port of "bridge-wan" with "hw=yes"; if anything in your firewall refers to "ether1", make it refer to "bridge-wan".
At this point, you should still have access to internet.
Next, you would prepare the VLAN filtering/membership rules in the switch chip:
/interface ethernet switch vlan
add switch=switch1 vlan-id=0 ports=switch1-cpu,ether1
add switch=switch1 vlan-id=50 ports=ether1,ether4
add switch=switch1 vlan-id=33 ports=switch1-cpu,ether2,ether3
The last line above, with vlan-id=33, is only necessary if you want hardware-accelerated forwarding between ether2 and ether3.
Now it is time to activate safe mode - if you eventually lose connection to the box if one of the following steps is wrong, it is enough to wait a minute or two and then connect again.
The following step is to change VLAN handling (vlan-mode and vlan-header) on the switch chip ports. By default all of them are set to "vlan-header=leave-as-is vlan-mode=disabled".
/interface ethernet switch port
set switch1-cpu default-vlan-id=0 vlan-mode=secure
set ether1 default-vlan-id=0 vlan-mode=secure
set ether4 default-vlan-id=50 vlan-mode=secure vlan-header=always-strip
At this point, you should have IPTV working (forwarding between tagged ether1 and tagless ether4 done by the switch chip), internet uplink working, and access to the LAN working as well.
If you want the hardware-accelerated forwarding between ether2 and ether3, do the following, again with safe mode activated:
- create a new "interface vlan" with "vlan-id=33" and "interface=bridge-wan" and e.g. "name=vlan33"
- attach to it a new IP subnet (a temporary one, so do not configure a DHCP server on it if you can set up the address of your PC manually)
- modify your firewall so that it handles packets to/from "vlan33" the same way like packets to/from "bridge-lan"
- depending on to which port out of (ether2, ether3) you are connected, change the other one's VLAN handling:
/interface ethernet switch port set etherX default-vlan-id=33 vlan-mode=secure vlan-header=always-strip
/interface bridge port set [find interface=etherX] bridge=bridge-wan hw=yes
- log out, reconnect your PC to etherX (and configure manually its IP settings if you haven't configured a DHCP server for VLAN 33), and log in again to Mikrotik's address in VLAN 33
- repeat the setting above for the other LAN port
- move the original LAN IP configuration from "bridge-lan" to "vlan33" in parallel to the temporary one. You can have several IP subnets on the same interface but you can only attach a single DHCP server to an interface, so if you had to configure a DHCP server on vlan33, you now have to remove it before you can attach the one serving the original LAN subnet to it.
- log out and either change your PC's IP configuration back to DHCP client or just disconnect and reconnect the cable if you haven't changed the IP configuration to static
- log back in with the original IP address of your LAN.
- remove references to bridge-lan and bridge-lan itself
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.