
VLANs + port-isolation does not work - limitation or bug?

Posted: Thu Jan 02, 2020 2:43 pm
by bmann
When testing some configuration I've found the issue below:

1. configured VLANs for untagged and tagged traffic -> it seems to be working fine
(details in post: viewtopic.php?f=2&t=155103)
2. configured port isolation - all ports forward-to port1 -> it does NOT work

Tested on:
1. hAP lite
- RouterOS v6.44.6 and v6.46.1
- Atheros8227

It does not work in either version.

Note: I think that port-isolation worked w/o any VLANs, when all ports were in one pure bridge (switch).
(not sure about it now)

2. RB2011
- v6.46.1
- Atheros8327 (used ports ether1 through ether5)

Same problem as w/ hAP lite. It does not work.

On the RB2011 with the Atheros8327, a workaround is to create a rule and redirect all ports to port1.
Then the VLANs work and the ports are isolated too (but the Atheros8227 does not support rules).

The manual notes that port isolation should work with all switch chips.

Because the rule on the RB2011 works and port isolation does not, I would guess it is a bug,
as I would expect similar logic to be used behind rules and port isolation.

Can someone, maybe from MikroTik, clarify the combination of both features?

Re: VLANs + port-isolation does not work - limitation or bug?

Posted: Tue Jan 14, 2020 5:48 pm
by bmann
It's a limitation of the switch chips. The documentation has been updated by the MikroTik team. ... _isolation

Warning: Switch chips with a VLAN table support (QCA8337, Atheros8327, Atheros8316, Atheros8227 and Atheros7240) can override the port isolation configuration when enabling a VLAN lookup on the switch port (a vlan-mode is set to fallback, check or secure). If additional port isolation is needed between ports on the same VLAN, a switch rule with a new-dst-ports property can be implemented. Other devices without switch rule support cannot overcome this limitation.
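
A check for the combination the warning describes, as an added example that is not part of the thread or of MikroTik's documentation: it scans a configuration export for ports that have VLAN lookup enabled and a port-isolation setting, but no switch rule with new-dst-ports covering them. The export text is constructed, the function names are hypothetical, and the menu paths and the `forward-override` property name are assumed from RouterOS v6, since the thread does not show the commands used.

```python
import re

# vlan-mode values that enable VLAN lookup on a switch port, per the warning above
VLAN_LOOKUP_MODES = {"fallback", "check", "secure"}

# Constructed sample in the style of a RouterOS v6 export (not taken from the thread)
SAMPLE_EXPORT = """\
/interface ethernet switch port
set ether2 vlan-mode=secure default-vlan-id=10
set ether3 vlan-mode=secure default-vlan-id=10
set ether4 vlan-mode=disabled
/interface ethernet switch port-isolation
set ether2 forward-override=ether1
set ether3 forward-override=ether1
set ether4 forward-override=ether1
/interface ethernet switch rule
add switch=switch1 ports=ether3 new-dst-ports=ether1
"""

def parse_export(text):
    """Group set/add lines by menu path as (item_name, {property: value})."""
    text = re.sub(r"\\\n\s*", "", text)  # join lines the export wrapped with "\"
    menus, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if line.startswith("/"):
            current = menus.setdefault(line.strip(), [])
        elif current is not None and words and words[0] in ("set", "add"):
            props = dict(w.split("=", 1) for w in words[1:] if "=" in w)
            name = words[1] if len(words) > 1 and "=" not in words[1] else None
            current.append((name, props))
    return menus

def overridden_isolation(text):
    """Ports where VLAN lookup can override port isolation and no switch
    rule with new-dst-ports matches traffic received on the port."""
    menus = parse_export(text)
    lookup = {n for n, p in menus.get("/interface ethernet switch port", [])
              if p.get("vlan-mode") in VLAN_LOOKUP_MODES}
    isolated = {n for n, p in menus.get("/interface ethernet switch port-isolation", [])
                if "forward-override" in p}
    ruled = set()
    for _, p in menus.get("/interface ethernet switch rule", []):
        if "new-dst-ports" in p:
            ruled.update(p.get("ports", "").split(","))
    return sorted((lookup & isolated) - ruled)

if __name__ == "__main__":
    for port in overridden_isolation(SAMPLE_EXPORT):
        print(f"{port}: port isolation may be overridden by VLAN lookup")
```

In the sample, ether4 is not reported because its vlan-mode is disabled, and ether3 is not reported because a switch rule already redirects its traffic.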