I have a couple of new RB1100AHx4 with ROS 6.43 (LTS). They both came with a default config which included the following lines:
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
I cannot get rid of these lines. I have tried CLI, WinBox, WebFig. Complete factory reset, etc. From only the CLI, I can change the default-vlan-id numbers, but not remove them. The switch port page in WinBox/WebFig gives me an error whatever I do. Even if I try to save the page with no changes! So the CLI believes the existing config is an error?
Is it impossible to NOT use VLANs?
I tried to ignore this and go on, but it appears that the RB is forwarding L2 packets to all ports regardless of actual network config. How can any router operate with all ports in a forced bridge?
My config: I need 3 ports: WAN, LAN, and OOB MGMT. I do not use tagged VLANs. Routing only, no firewall except to protect the device itself. Public IPs on both sides, so NAT, DHCP, etc. For now just the single router. I have implemented this exact router position on hardware from 3 different vendors previously, from Ubiquiti to Cisco. It should be a very simple routing setup.
On any other router this would be easy with no forced bridge-all config. On switches I isolate the OOB MGMT network port with a hard VLAN. On routers it is normally not necessary because they only forward what they are told to. The MGMT net is not routed anywhere. The admin servers have interfaces directly on this network.
So from here on it gets even more messy. Obviously the RB1100AHx4 has 3 of the RTL8367 switch chips. I tried dividing into 3 default-vlan-ids by switch chip. No joy.
I have tried:
bridges the "new way"
bridges the "old way"
vlans on bridges
vlans on individual ports
bridges without vlans
No firewall filters
Strict firewall filters
Loose firewall filters
Firewall filters on the input chain only
I tried dropping all filters, including input chain, in the lab
The non-documentation gets really messy with several different ways to do things based on various obsolete software and different hardware. There are references to current software with other hardware. References to this hardware with unspecified (but clearly older) software. Nothing is up-to-date for this current combination.
Without hard VLANs, I get all the expected effects of L2 loops, STP/RSTP/MSTP problems, forwarding to strange places, etc. With every VLAN setup I have tried I get errors and/or no forwarded traffic.
This is getting completely ridiculous. I have to believe MikroTik is actually capable of basic operation or they wouldn't be used as much as they are.
What gives? What is the correct way to make a basic routing configuration?