Hi everyone, this is my first question in this forum.
I got a switch which have 1 trunk (tagged) port and 4 access port (untagged).
I have my untagged ports with their respectives VLAN IDs but in "Ports" i do have the default PVID in each port.
It is working fine but i would like to know WHY? as far as i know PVID MUST match the VLAN ID.
I also know if i set the PVID for each port, it will create dinamically the untagged VLAN ID for each different PVID set in the port window.
As you can see in the following pictures, there is one VLAN dinamically created with VLAN 1 for all ports as untagged.
I show some pictures attached.
Why is it working if PVID must match the VLAN ID? This is just a question in order to understand deeply those concepts in MikroTik.
PVID question!
You do not have the required permissions to view the files attached to this post.
Re: PVID question!
This thread is the best resource for vlans...........
viewtopic.php?f=13&t=143620
Caveat the below is based upon my experience with ROUTER vlans on a bridge with bridge filtering (not switch based vlans).
Basically bridge ports are used to identify trunk ports and access ports when vlans are involved.
The pvid is entered for access ports as this controls the ingress functionality/rules for that port.
Typically we also besides the PVID add the following security additions. ingress-filtering enabled and allow-frames-only untagged and high priority.
This applies equally to etherports and WLANs.
The interface bridge vlans are used to dictate egress traffic rules.
In this case we identify tagged vlans (trunk ports) and untagged vlans (access ports) and of course the associated vlan-ids.
Some confusion comes into play when people use their bridge as their DHCP server and main lan. The problem is that the default PVID of the bridge and managed devices=1.
This leads to confusion and issues down the line. Much better to let the Bridge and managed devices keep their default pvid setting for bridge and trunk ports and put the homevlan on its own vlan (like 11).
viewtopic.php?f=13&t=143620
Caveat the below is based upon my experience with ROUTER vlans on a bridge with bridge filtering (not switch based vlans).
Basically bridge ports are used to identify trunk ports and access ports when vlans are involved.
The pvid is entered for access ports as this controls the ingress functionality/rules for that port.
Typically we also besides the PVID add the following security additions. ingress-filtering enabled and allow-frames-only untagged and high priority.
This applies equally to etherports and WLANs.
The interface bridge vlans are used to dictate egress traffic rules.
In this case we identify tagged vlans (trunk ports) and untagged vlans (access ports) and of course the associated vlan-ids.
Some confusion comes into play when people use their bridge as their DHCP server and main lan. The problem is that the default PVID of the bridge and managed devices=1.
This leads to confusion and issues down the line. Much better to let the Bridge and managed devices keep their default pvid setting for bridge and trunk ports and put the homevlan on its own vlan (like 11).
Re: PVID question!
This thread is the best resource for vlans...........
viewtopic.php?f=13&t=143620
Caveat the below is based upon my experience with ROUTER vlans on a bridge with bridge filtering (not switch based vlans).
Basically bridge ports are used to identify trunk ports and access ports when vlans are involved.
The pvid is entered for access ports as this controls the ingress functionality/rules for that port.
Typically we also besides the PVID add the following security additions. ingress-filtering enabled and allow-frames-only untagged and high priority.
This applies equally to etherports and WLANs.
The interface bridge vlans are used to dictate egress traffic rules.
In this case we identify tagged vlans (trunk ports) and untagged vlans (access ports) and of course the associated vlan-ids.
Some confusion comes into play when people use their bridge as their DHCP server and main lan. The problem is that the default PVID of the bridge and managed devices=1.
This leads to confusion and issues down the line. Much better to let the Bridge and managed devices keep their default pvid setting for bridge and trunk ports and put the homevlan on its own vlan (like 11).
Hi!, i really appreciate your response but i dont really understand.
Which PVID should i use on my bridge and which should i use on my trunk port (which of course is inside the bridge)?
Why is it working if all ports including the whole bridge with the PVID=1? when there is different untagged vlans on my access ports?
Sorry my english isnt the best, thanks again!
Re: PVID question!
No worries, Zock and I do encourage you to read the link reference several times to fully understand it. (draw your own network diagrams and config and compare how you do for example).
The best thing to do about the bridge is leave it at default settings pvid=1 is the default.
We are not going to use that and is not needed for our vlans. The Bridge does not need any other vlan assigned to it and does not need its own subnet etc.....
Best to keep things clean and not loaded on the bridge (CPU).
So lets say you have
eth2- trunk port to a managed switch (vlan11, vlan 22, vlan 33, vlan 44) switch connects to homepc, another mt access point, unmanaged switch with gamebox, appletv)
eth3-trunk port to a mikrotik access point (vlan11, vlan22, vlan 44)
eth4- home PC (on vlan 11)
eht5-home printer on vlan 11)
vlan11 home lan
vlan22 guest wifi
vlan 33 media
vlan 44 smart devices
eth2 is a trunk port carrying vlans 11,22,33,44)
eth3 is a trunk port carrying vlans 11,22,44)
eth4 is an access port
eth5 is an access port
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
the managed switch has trunk port msEth1 carrying vlans 11,22,33,44
msEth2, to the MT access point is a trunk port carrying vlans, 11,22,33 (11 for home wifi users, 22 for guest wifi users and 33 for smart devices)
msEth3 is an access port for vlan44, connected to an unmanaged switch connected to an apple tv and game box
msEth4 is an access point connected to a home pc for vlan11
bridge ports for access ports/wlans require the pvid of the vlan, which tells the router or switch that packets ingressing the port require to be tagged with vlan11
bridge interface vlans are untagged for ethports/wlans which tells the router or switch upon egress from this port, the tagged packets are stripped off.
I hope that helps clarify things somewhat. Just ignore pvid=1, its there it remains, it doesnt interfere with your vlans.
As a note, many other brands have pvid=1 as the default pvid setting. For all trunk ports its best not to remove or modify this setting for interoperability.
Just configure the rest of the vlans appropriately on the trunk ports. Access ports are different and should not have pvid=1 as any setting for the most part.
The best thing to do about the bridge is leave it at default settings pvid=1 is the default.
We are not going to use that and is not needed for our vlans. The Bridge does not need any other vlan assigned to it and does not need its own subnet etc.....
Best to keep things clean and not loaded on the bridge (CPU).
So lets say you have
eth2- trunk port to a managed switch (vlan11, vlan 22, vlan 33, vlan 44) switch connects to homepc, another mt access point, unmanaged switch with gamebox, appletv)
eth3-trunk port to a mikrotik access point (vlan11, vlan22, vlan 44)
eth4- home PC (on vlan 11)
eht5-home printer on vlan 11)
vlan11 home lan
vlan22 guest wifi
vlan 33 media
vlan 44 smart devices
eth2 is a trunk port carrying vlans 11,22,33,44)
eth3 is a trunk port carrying vlans 11,22,44)
eth4 is an access port
eth5 is an access port
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
the managed switch has trunk port msEth1 carrying vlans 11,22,33,44
msEth2, to the MT access point is a trunk port carrying vlans, 11,22,33 (11 for home wifi users, 22 for guest wifi users and 33 for smart devices)
msEth3 is an access port for vlan44, connected to an unmanaged switch connected to an apple tv and game box
msEth4 is an access point connected to a home pc for vlan11
bridge ports for access ports/wlans require the pvid of the vlan, which tells the router or switch that packets ingressing the port require to be tagged with vlan11
bridge interface vlans are untagged for ethports/wlans which tells the router or switch upon egress from this port, the tagged packets are stripped off.
I hope that helps clarify things somewhat. Just ignore pvid=1, its there it remains, it doesnt interfere with your vlans.
As a note, many other brands have pvid=1 as the default pvid setting. For all trunk ports its best not to remove or modify this setting for interoperability.
Just configure the rest of the vlans appropriately on the trunk ports. Access ports are different and should not have pvid=1 as any setting for the most part.
Re: PVID question!
Thanks for corrections anav.
1., 2., 3 Corrected.
4. Hmm, I removed this based on our earlier discussion but I suppose this specific rule somehow managed to get restored when I took backups and restored them at some point. Removed.
5. Thanks, this is clever
6. Atm I'm not using RoS7.x Wireguard but instead spin up a Wireguard container to my home server using Terraform. So the config is a bit different here because of that. Might consider using router for Wireguard in near future though.
After new tests it looks like there might be something wrong elsewhere. If I run iperf3 from server -> desktop pc my transfer rate is about 95MBytes/s.
1., 2., 3 Corrected.
4. Hmm, I removed this based on our earlier discussion but I suppose this specific rule somehow managed to get restored when I took backups and restored them at some point. Removed.
5. Thanks, this is clever
6. Atm I'm not using RoS7.x Wireguard but instead spin up a Wireguard container to my home server using Terraform. So the config is a bit different here because of that. Might consider using router for Wireguard in near future though.
After new tests it looks like there might be something wrong elsewhere. If I run iperf3 from server -> desktop pc my transfer rate is about 95MBytes/s.