Page 1 of 1

Untagged VLAN Access port on hEX

Posted: Wed Jun 27, 2018 6:11 am
by deltabravo191
Hello,

I have purchased a hEX routerboard to start learning some more about Mikrotik (loving it so far). I had a question regarding setting up a VLAN access port on the hEX. I can get it to send tagged VLAN info to the bridge (does DHCP and lets me hit the internet when I plug a smart switch into it and untag it at that end). But what I cannot figure out is how to get a port to just give an untagged VLAN.

I have messed around in the bridge and interface settings to make the specific port give untagged network but I cannot make that happen. Anytime I plug my PC in it does not give DHCP or internet access.

Thank you so much for your time,
Delta

Re: Untagged VLAN Access port on hEX

Posted: Wed Jun 27, 2018 9:46 am
by artz
If you want to use your hEX as a router and a switch at the same time, you should follow this guide:
https://wiki.mikrotik.com/wiki/Manual:Switch_Router

Re: Untagged VLAN Access port on hEX

Posted: Wed Jun 27, 2018 8:54 pm
by deltabravo191
Thank you. I have followed a few different guides, along with some help from reddit and it does not seem to be working. Can you take a look at my config:
# jan/02/1970 00:10:29 by RouterOS 6.42.4
# software id = XXXXX
#
# model = RouterBOARD 750G r3
# serial number = XXX
/interface bridge
add admin-mac=CC:XX:E0:B5:XX:XX auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.10.20-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=vlan10 name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge untagged=ether5 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=1.1.1.1 gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Re: Untagged VLAN Access port on hEX

Posted: Wed Jun 27, 2018 10:56 pm
by chechito
to do hardware accelerated vlan you have to use switch

try this guide

viewtopic.php?f=13&t=119383

Re: Untagged VLAN Access port on hEX

Posted: Thu Jun 28, 2018 6:53 am
by deltabravo191
to do hardware accelerated vlan you have to use switch

try this guide

viewtopic.php?f=13&t=119383
Thank you! I read your forum and the hEX does infact use a RB750GR3. I am finding this model specifically does not allow this feature. I emailed support and they sound like they are working on this being a feature in the future. No ETA. Wish I would have known before purchasing, I would have purchased a different router.

Anyhow, thank you again.

Re: Untagged VLAN Access port on hEX

Posted: Thu Jun 28, 2018 8:53 am
by chechito
to do hardware accelerated vlan you have to use switch

try this guide

viewtopic.php?f=13&t=119383
Thank you! I read your forum and the hEX does infact use a RB750GR3. I am finding this model specifically does not allow this feature. I emailed support and they sound like they are working on this being a feature in the future. No ETA. Wish I would have known before purchasing, I would have purchased a different router.

Anyhow, thank you again.
yes, you have to do vlan by software using bridging

update to the latest routeros 6.42.5 bridge implementation is very easy to use

Re: Untagged VLAN Access port on hEX

Posted: Tue Jul 03, 2018 2:55 pm
by squeeze
/interface bridge vlan
add bridge=bridge untagged=bridge,ether5 vlan-ids=10

Re: Untagged VLAN Access port on hEX

Posted: Thu Jul 05, 2018 8:20 pm
by idlemind
The only caveat to the previous post is you only can have one VLAN untagged at the bridge. So if you untag VLAN10 at the bridge you will want to tag all other VLANs. If you want an access port for VLAN10, you could also do this:

/interface bridge vlan add bridge=bridge untagged=bridge vlan-ids=1
/interface bridge vlan add bridge=bridge untagged=ether5 tagged=bridge1 vlan-ids=10