Hardware VLAN

Rockyboa · Sun Jun 16, 2019 8:08 pm

I'm trying to configure a simple setup using the hardware offloading feature of VLAN table inside the Atheros 8327 switch chip.

First question:
I have a RB1100AH router where a configure the ether5 in trunk port with untagged traffic on VLAN ID 1 and Tagged traffic on VLAN ID 2. Can I add an IP address to VLAN ID 2, say 192.168.2.1?

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes
add bridge=bridge1 interface=ether5 hw=yes

/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=1
add ports=ether5 switch=switch1 vlan-id=2

/interface vlan
add interface=bridge1 vlan-id=1 name=MGMT

/ip address
add address=192.168.91.1/24 interface=MGMT

/interface ethernet switch port
set ether5 default-vlan-id=1

I tried to create a new bridge-vlanid2, but it wont let me add a port that is already part of a bridge (in my case bride-vlanid1) with a specific vlan-id. So I assume that VLAN tagging as a very limited visibility inside that switch chip and is not "bridgeable" with bridge VLAN, nor the old interface VLAN.

CZFan · Sun Jun 16, 2019 8:29 pm

Yes,

/interface vlan
add interface=bridge1 vlan-id=2 name=vlan2

/ip address
add address=192.168.2.1/24 interface=vlan2

Also see...
https://wiki.mikrotik.com/wiki/Manual:B ... witch_chip

Rockyboa · Mon Jun 17, 2019 6:44 am

CZFan,

Thank you for this reply. So then, it will no be possible to run a dhcp server from a switch vlan nor a bridge vlan?

Rock.

sindy · Mon Jun 17, 2019 8:10 am

So then, it will no be possible to run a dhcp server from a switch vlan nor a bridge vlan?

The switch chip knows nothing about L3 (IP). The CPU is connected to one of the ports of the switch, so the bridge VLAN and the switch VLAN are interconnected. So you attach the DHCP server to the same place where you've attached the IP address for VLAN 2, i.e. to the interface vlan whose tagged side is connected to the bridge1.

Rockyboa · Tue Jun 18, 2019 9:21 pm

At the other end of this trunk port (now with an interface VLAN and DHCP serving some IPs to my new guest VLAN), I have a hAP ac.

After struggling with the first implementation of this wiki (https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless I'm still unable to get this bridge vlan working correctly.

The main difference in my setup is that I kept the untagged VLAN ID 1 default on the bridge port as well as the tag VLAN 2 for my guest network. The default VLAN 1 is working as expected but not the VLAN 2 which now include the virtual wireless port (in tag mode on VLAN 2) as described in the tutorial.

The only way it works is by adding a interface VLAN 2 on my cAP ether1 port, and create two brides. This scenario seams to be not recommended.

Anybody achieve this simple setup using the VLAN bridge port functionality. Both devices are running 6.44.3

Rock.

Rockyboa · Wed Jun 19, 2019 4:25 pm

I think it will help if I post my cAP ac configureation

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=canada disabled=no distance=indoors frequency=auto mode=ap-bridge \
    name=wlan-2GHz ssid=AEPONYX-2GHz wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=canada disabled=no distance=indoors frequency=\
    auto mode=ap-bridge name=wlan-5GHz ssid=AEPONYX-5GHz wireless-protocol=\
    802.11
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
    aeponyx!1234 wpa2-pre-shared-key=**********
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed name=aeponyx-guest-profile \
    supplicant-identity="" wpa-pre-shared-key=********** \
    wpa2-pre-shared-key=aeponyx!1234
/interface wireless
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=\
    76:4D:28:6D:25:D5 master-interface=wlan-2GHz multicast-buffering=disabled \
    name=wlan-guest-2GHz security-profile=aeponyx-guest-profile ssid=\
    AEPONYX-guest-2GHz vlan-id=2 vlan-mode=use-tag wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=\
    76:4D:28:6D:25:D6 master-interface=wlan-5GHz multicast-buffering=disabled \
    name=wlan-guest-5GHz security-profile=aeponyx-guest-profile ssid=\
    AEPONYX-guest-5GHz vlan-id=2 vlan-mode=use-tag wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
    
/interface bridge
add admin-mac=74:4D:28:6D:25:D3 auto-mac=no comment=defconf fast-forward=no \
    name=bridge_AEPONYX protocol-mode=none vlan-filtering=yes
add disabled=yes fast-forward=no name=bridge_guest protocol-mode=none
/interface bridge port
add bridge=bridge_AEPONYX comment=defconf interface=ether1
add bridge=bridge_AEPONYX comment=defconf interface=ether2
add bridge=bridge_AEPONYX comment=defconf interface=wlan-2GHz
add bridge=bridge_AEPONYX comment=defconf interface=wlan-5GHz
add bridge=bridge_guest disabled=yes interface=wlan-guest-2GHz
add bridge=bridge_guest disabled=yes interface=wlan-guest-5GHz
add bridge=bridge_guest disabled=yes interface=ether1-guest-vlan2
/interface bridge vlan
add bridge=bridge_AEPONYX tagged=ether1 untagged=\
    wlan-guest-2GHz,wlan-guest-5GHz vlan-ids=2

also, I have the automated VLAN being created, here is a print ourput:

Flags: X - disabled, D - dynamic 
 #   BRIDGE				VLAN-IDS 	CURRENT-TAGGED                       CURRENT-UNTAGGED                      
 0   bridge_AEPONYX		2			ether1                              
 1 D bridge_AEPONYX		1                     								bridge_AEPONYX                        
 																ether1                                
 																ether2
 																wlan-2GHz

SO I would guess that this will actually bridge my VLAN interface id 2 on my RB1100. Do I actually need to create also a VALN interface ID 2 on my cAP ether1 port?!

Rock.

sindy · Wed Jun 19, 2019 5:23 pm

I think it will help if I post my cAP ac configureation

It does.

You do the same thing twice which doesn't help. You've configured the guest wireless interfaces to tag frames as they forward them from the air to the brigde, and to untag them as they forward them from the bridge to the air. But at the same time, you have configured these wireless interfaces as tagless ports of the bridge, so each frame would be tagged twice, once by the wreless interface and another time by the vlan-filtering on the bridge.

In fact, as you probably don't need the cAP to actually filter the VLANs, you may even disable vlan-filtering on the bridge, which means that it will not tag/untag frames on ingress/egress and just forward them based on MAC addresses alone. With vlan-filtering=no, all the rows in /interface bridge vlan are ignored, and so are the pvid items in /interface bridge port.

As you want tagless and tagged frames to exist on ethernet interfaces, you cannot have one bridge for the tagged ones and another bridge for the tagless ones, as once the ethernet interface becomes a member port of a bridge, all frames get to the bridge. You can attach the tagged ends of as many /interface vlan as you want to a single /interface ethernet, but only if the ethernet interface is not a member port of a bridge. And there is no way to get only the tagless packets from the ethernet interface to a bridge.

So either use one tagged VLAN per each wireless network, attach two /interface vlan to each ethernet port, and make one bridge per each VLAN and make the two the corresponding /interface vlan (one per each ethernet) plus the two /interface wireless member ports of it.

Or use a single bridge for both, even without vlan-filtering as explained above, and attach just the two ethernet interfaces and the four wireless interfaces to it. The "normal" wireless interfaces without tagging/untagging, the "guest" wireless interfaces with. And deal with the rest on the RB1100 and whatever is connected to the other ethernet of the cAP.

Another possibility is to forget about VLANs completely, make the cAP really a cAP (controlled access point) only, and run CAPsMAN on the 1100. In that case, the separation of normal and guest wireless networks will be provided by CAPsMAN means. This approach works best if it is just another cAP which is connected to the other ethernet of the cAP directly connected to the 1100.

Rockyboa · Thu Jun 20, 2019 8:09 am

Sindy,

thank you for the detail information. Running through you explanation I think I do understand most of it, and indeed, if I disabled vlan filtering on the single brigde setup but leave the virtual wifi interface to tag on VLAN ID 2, it works as expected. So this single bridge configuration on cAP is working.

I also achieve dual bridge with each VLAN interface association to the right bridge.

The big question mark from reading your email was this statement you made:

As you want tagless and tagged frames to exist on ethernet interfaces, you cannot have one bridge for the tagged ones and another bridge for the tagless ones, as once the ethernet interface becomes a member port of a bridge, all frames get to the bridge. You can attach the tagged ends of as many /interface vlan as you want to a single /interface ethernet, but only if the ethernet interface is not a member port of a bridge. And there is no way to get only the tagless packets from the ethernet interface to a bridge.

So the way I read and understand that is: once you have assigned a ethernet interface to the bridge, this interface can be only be part of this bridge whatever it contains tag and/or untagged traffic. So if you want to differentiate between tag and untag on an interface and assign them on separate bridge this is where /interface vlan comes handy.

So to accomplish what I initially wanted, I went back to the virtual guest interface and remove the tag information. I also set VLAN ID to 2, but turns out that it didn't make a difference, and kept my single bridge in filtering mode as is and is also working! As soon as I connect wlan-guest-5Ghz appears in my VLAN 2 untagged.

/interface bridge vlan print
Flags: X - disabled, D - dynamic 
 #   BRIDGE                            VLAN-IDS        CURRENT-TAGGED               CURRENT-UNTAGGED         
 0   bridge_AEPONYX             2                     ether1                                        wlan-guest-5GHz          
 1 D bridge_AEPONYX		1                      bridge_AEPONYX           
                                                                        ether1                   
                                                                        ether2

As stated previously, I got back to my virtual guest interface and assign a value of 1 to the VLAN ID, still works, so I believe this information would be only important when tag is selected.

So the last test I did tried was to put back the virtual interface to tag on 2 and assigned them to the bridge, but in the tagged list. And again it worked!
/interface bridge vlan print

Flags: X - disabled, D - dynamic 
 #   BRIDGE                             VLAN-IDS      CURRENT-TAGGED                  CURRENT-UNTAGGED         
 0   bridge_AEPONYX             2                     ether1					
                                                                        wlan-guest-5GHz          
 1 D bridge_AEPONYX           1                      bridge_AEPONYX           
                                                                        ether1                   
                                                                        ether2

So thank you for your help, I'll now investigate CAPSMAN.

Rock.

Hardware VLAN [SOLVED]

Hardware VLAN

Re: Hardware VLAN

Re: Hardware VLAN

Re: Hardware VLAN

Re: Hardware VLAN

Re: Hardware VLAN

Re: Hardware VLAN

Re: Hardware VLAN [SOLVED]

Who is online