PackElend
Member Candidate
Topic Author
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

Switch Chip VLAN Switching in Software Bridge

Sun Apr 03, 2022 9:36 pm

Hi MTs,
I have some devices such as the hEX PoE, which don't support Bridge VLAN Filtering, but the Switch Chip supports a VLAN table.

I wonder how to maintain wire-speed hardware VLAN switching between the Switch Chip connected ports while still doing software VLAN switching between the Switch Chip and the SFP port via the CPU.
Most likely, the attached picture shows better what I want to achieve:
Soft.-Bridge + Switch VLAN.png
thx
stefan
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Switch Chip VLAN Switching in Software Bridge

Sun Apr 03, 2022 10:58 pm

Use a bridge with vlan-filtering=no. You can configure specific VLANs on the hardware-offloaded ports ether1-ether5, however the software bridged ports will pass all tagged and untagged traffic.

You can restrict VLANs between the switch chip and the software bridge by configuring the switch1 cpu switch port, however the one thing you cannot do is exclude a VLAN to/from the SFP port if said VLAN is required by the Mikrotik itself to provide any services.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Switch Chip VLAN Switching in Software Bridge

Sun Apr 03, 2022 11:04 pm

The ancient way of doing it is to use "one bridge per VLAN" approach. In modern ROS versions that's on top of bridge spanning switch ports.

Example for two VLANs (and skipping the switch chip setup needed to set up VLANs on RJ45 ports):
/interface bridge
add name=bridge-ethernet
add name=bridge-v100
add name=bridge-v200
/interface vlan
add interface=bridge-ethernet name=be-v100 vlan-id=100
add interface=bridge-ethernet name=be-v200 vlan-id=200
add interface=sfp1 name=sfp-v100 vlan-id=100
add interface=sfp1 name=sfp-v200 vlan-id=200
/interface bridge port
add bridge=bridge-ethernet interface=ether1
add bridge=bridge-ethernet interface=ether2
add bridge=bridge-ethernet interface=ether3
add bridge=bridge-ethernet interface=ether4
add bridge=bridge-ethernet interface=ether5
add bridge=bridge-v100 interface=be-v100
add bridge=bridge-v100 interface=sfp-v100
add bridge=bridge-v200 interface=be-v200
add bridge=bridge-v200 interface=sfp-v200
If hEX PoE has to interact with any of the VLANs, use interfaces bridge-v100 and bridge-v200 (as you surely know, each bridge implicitly also contains a port with the same name; its functionality is similar to the switch1-cpu port on the switch chip).

The "bridge per vlan" approach avoids problems mentioned by @tdw.
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: Switch Chip VLAN Switching in Software Bridge

Mon Apr 04, 2022 4:58 am

don't be surprised if you have trouble combining hardware switch with software bridge

hex poe can sustain up to 600-700 mbps internet traffic using pure software bridging (using CPU)
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: Switch Chip VLAN Switching in Software Bridge

Mon Apr 04, 2022 5:00 am

The ancient way of doing it is to use "one bridge per VLAN" approach. In modern ROS versions that's on top of bridge spanning switch ports.

Example for two VLANs (and skipping the switch chip setup needed to set up VLANs on RJ45 ports):
/interface bridge
add name=bridge-ethernet
add name=bridge-v100
add name=bridge-v200
/interface vlan
add interface=bridge-ethernet name=be-v100 vlan-id=100
add interface=bridge-ethernet name=be-v200 vlan-id=200
add interface=sfp1 name=sfp-v100 vlan-id=100
add interface=sfp1 name=sfp-v200 vlan-id=200
/interface bridge port
add bridge=bridge-ethernet interface=ether1
add bridge=bridge-ethernet interface=ether2
add bridge=bridge-ethernet interface=ether3
add bridge=bridge-ethernet interface=ether4
add bridge=bridge-ethernet interface=ether5
add bridge=bridge-v100 interface=be-v100
add bridge=bridge-v100 interface=sfp-v100
add bridge=bridge-v200 interface=be-v200
add bridge=bridge-v200 interface=sfp-v200
If hEX PoE has to interact with any of the VLANs, use interfaces bridge-v100 and bridge-v200 (as you surely know, each bridge implicitly also contains a port with the same name; its functionality is similar to the switch1-cpu port on the switch chip).

The "bridge per vlan" approach avoids problems mentioned by @tdw.

please do not use vlan as a bridge port, is a bad practice

https://help.mikrotik.com/docs/display/ ... interfaces
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Switch Chip VLAN Switching in Software Bridge

Mon Apr 04, 2022 8:18 am

please do not use vlan as a bridge port, is a bad practice

Is there any other way of using switch chip to deal with VLANs on RJ45 ports and use SFP port as VLAN-aware port bridged to RJ45 ports at the same time?

You're right that using VLAN bridges can potentially cause some problems and OP should be aware of them. It's up to OP to decide whether the performance drop/boost is worth the complication (compared to using a single bridge with vlan-filtering enabled and the switch chip setup removed).
 
tangent
Forum Guru
Posts: 1331
Joined: Thu Jul 01, 2021 3:15 pm
Contact:

Re: Switch Chip VLAN Switching in Software Bridge

Mon Apr 04, 2022 8:44 am

Radical solutions available if you have a spare copper port:

1. Swap the fiber run for a copper one.

2. If the uplink must be fiber, interpose a cheap SFP to 1000Base-T media converter.

Either way, the current fiber traffic now goes thru the switch chip.
 
PackElend
Member Candidate
Topic Author
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

Re: Switch Chip VLAN Switching in Software Bridge

Wed Apr 06, 2022 6:19 pm

Hey,
I say wow, these answers came very quickly, did not expect that. Thank you very much.
I need some silent hours to process and read the written and referenced content.
I'll try to explain what I understand in separate answers, as different things are mentioned here.
 
PackElend
Member Candidate
Topic Author
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

Re: Switch Chip VLAN Switching in Software Bridge

Wed Apr 06, 2022 6:20 pm

Use a bridge with vlan-filtering=no. You can configure specific VLANs on the hardware-offloaded ports ether1-ether5, however, the software bridged ports will pass all tagged and untagged traffic.
just double-checking, so you are saying: follow Other devices with a built-in switch chip - Basic VLAN switching - RouterOS - MikroTik Documentation, but add
/interface bridge port
add bridge=bridge1 interface=sfp1 frame-types=admit-only-vlan-tagged

.
Let's assume only ether1 and ether2 are in use and the other ports are switched off, so I would do:
/interface bridge
add name=bridge1

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2

/interface bridge port
add bridge=bridge1 interface=sfp1 frame-types=admit-only-vlan-tagged

/interface ethernet switch vlan
add ports=ether1,switch1-cpu switch=switch1 vlan-id=10
add ports=ether2,switch1-cpu switch=switch1 vlan-id=20

/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT

/ip address
add address=192.168.99.1/24 interface=MGMT

/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=always-strip default-vlan-id=10
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=20
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=99
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure
If I want to be able to configure it locally using a copper cable, I add
/interface ethernet switch vlan
add ports=ether3,switch1-cpu switch=switch1 vlan-id=99

.
.
...however, the one thing you cannot do is exclude a VLAN to/from the SFP port if said VLAN is required by the Mikrotik itself to provide any services.
The SFP is the uplink, so I expect only allowed VLANs are sent from the uplink to the SFP.
Am I correctly understanding that you are saying I cannot add the following to the configuration above?
/interface bridge vlan
add bridge=bridge1 tagged=sfp1  vlan-ids=10
add bridge=bridge1 tagged=sfp1  vlan-ids=20
add bridge=bridge1 tagged=sfp1  vlan-ids=99

/interface bridge
set bridge1 vlan-filtering=yes
Last edited by PackElend on Wed Apr 06, 2022 6:47 pm, edited 1 time in total.
 
PackElend
Member Candidate
Topic Author
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

Re: Switch Chip VLAN Switching in Software Bridge

Wed Apr 06, 2022 6:21 pm

1. Swap the fibre run for a copper one. 
space is very rare but I might be able to supply the connected APs with an external power supply in the not too far future, so I could replace it with an hEX S
Doing so depends on whether the limit will be hit at all:
hex poe can sustain up to 600-700 mbps internet traffic using pure software bridging (using CPU)
.
.
please do not use vlan as a bridge port, is a bad practice
https://help.mikrotik.com/docs/display/ ... interfaces
but my setup does not contain any loops, my network topology is 100% cascading. The structure of VLAN on a bridge in a bridge - Layer2 misconfiguration - RouterOS - MikroTik Documentation would be closer but still different but the sketch helps quite a lot to understand the configuration given by mkx :).
As I understood most issues are related to the fact, that frames are sent tagged but should be untagged to be compliant with international standards.
 
PackElend
Member Candidate
Topic Author
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

Re: Switch Chip VLAN Switching in Software Bridge

Wed Apr 06, 2022 6:22 pm

The ancient way of doing it is to use "one bridge per VLAN" approach. In modern ROS versions, that's on top of a bridge spanning switch ports.

Example for two VLANs (and skipping the switch chip setup needed to set up VLANs on RJ45 ports):
...
That would have to be extended by the Switch-Chip-VLAN-Switch as per Other devices with a built-in switch chip - Basic VLAN switching - RouterOS - MikroTik Documentation but replacing bridge1 by bridge-ethernet , wouldn't it?
I rewrote your configuration to make it easier to understand (for me):
#VLAN 100 FROM/TO SFP
/interface bridge
add name=bridge-v100

/interface vlan
add interface=sfp1 name=sfp-v100 vlan-id=100

/interface bridge port
add bridge=bridge-v100 interface=be-v100
add bridge=bridge-v100 interface=sfp-v100


#VLAN 200 FROM/TO SFP
/interface bridge
add name=bridge-v200

/interface vlan
add interface=sfp1 name=sfp-v200 vlan-id=200

/interface bridge port
add bridge=bridge-v200 interface=be-v200
add bridge=bridge-v200 interface=sfp-v200


#ETHERNET BRIDGE AS PER DOCUMENTATION
/interface bridge
add name=bridge-ethernet

/interface vlan
add interface=bridge-ethernet name=be-v100 vlan-id=100
add interface=bridge-ethernet name=be-v200 vlan-id=200

/interface bridge port
add bridge=bridge-ethernet interface=ether1
add bridge=bridge-ethernet interface=ether2
add bridge=bridge-ethernet interface=ether3
add bridge=bridge-ethernet interface=ether4
add bridge=bridge-ethernet interface=ether5
What you do here is basically "softwiring" port to port. There is a "softwire" per VLAN.
The sketch most likely may explain it better.
VLAN on phy. interface +L2HW.png
I cannot find that much documentation on this approach as Bridge-VLAN-Filtering is always recommended (for good reason).
In this configuration ROS switches frames according to the 802.1Q tag to the corresponding VLAN interface, doesn't it?
If an interface does not exist, the frame is dropped.
(Just) for curiosity, how would I handle untagged frames? 
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Switch Chip VLAN Switching in Software Bridge

Wed Apr 06, 2022 9:23 pm

The sketch most likely may explain it better.

...

I cannot find that much documentation on this approach as Bridge-VLAN-Filtering is always recommended (for good reason).
In this configuration ROS switches frames according to the 802.1Q tag to the corresponding VLAN interface, doesn't it?
If an interface does not exist, the frame is dropped.
(Just) for curiosity, how would I handle untagged frames? 
The sketch represents the config great.

You don't find any documentation about this way of configuring things because the bridge with vlan-filtering is here since years ago ... IIRC it was 6.40 that brought VLAN-aware bridge making shown config method disadvised (to put it mildly). Previously this was the only way of doing VLANs on anything apart from switch chip and even then there existed devices without switch chip (e.g. CCR1xxx devices except early CCR1009 model). Using vlan-filtering on bridge is much more elegant and simplifies configuration.

The way vlan interface works is the following: one creates vlan interface with command /interface vlan add interface=<underlying-interface> name=<vlan-interface-name> vlan-id=<VID> and has two ends; the tagged end (the red part) and untagged one (the green part). When tagged end sees frame, tagged with correct VID, it takes frame, strips the VLAN header and ejects it on untagged end. It ignores frames with wrong VID. In the other direction, it takes frame on the untagged end, adds VLAN header with configured VID and spits it out on tagged end. The underlying interface is (or can be) completely VLAN-unaware.

The problem with untagged frames is that AFAIK there isn't an interface that only accepts untagged frames so you can't construct anything analogous to bridge-per-vlan. Hybrid interface can be used directly for L3 because L3 can only work with untagged frames (and ignores tagged ones) but I don't think you can bridge them without creating a bypass for tagged frames.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Switch Chip VLAN Switching in Software Bridge  [SOLVED]

Wed Apr 06, 2022 10:44 pm

Regarding post #9:
Setting frame-types= and the definitions in /interface bridge vlan have no effect when the bridge has vlan-filtering=no.
As noted in the documentation "On QCA8337 and Atheros8327 switch chips, a default vlan-header=leave-as-is property should be used. The switch chip will determine which ports are access ports by using the default-vlan-id property. The default-vlan-id should only be used on access/hybrid ports to specify which VLAN the untagged ingress traffic is assigned to."
You cannot set vlan-filtering=yes as this is what disables the hardware offload to the switch chip; the results of mixing a VLAN-aware bridge and configuring the switch chip are not defined.

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=sfp1
/interface vlan
add interface=bridge1 vlan-id=99 name=MGMT
/interface ethernet switch port
set ether1 vlan-header=leave-as-is vlan-mode=secure default-vlan-id=10
set ether2 vlan-header=leave-as-is vlan-mode=secure default-vlan-id=20
set ether3 vlan-header=leave-as-is vlan-mode=secure default-vlan-id=99
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure
/interface ethernet switch vlan
add ports=ether1,switch1-cpu switch=switch1 vlan-id=10
add ports=ether2,switch1-cpu switch=switch1 vlan-id=20
add ports=ether3,switch1-cpu switch=switch1 vlan-id=99
/ip address
add address=192.168.99.1/24 interface=MGMT


gives:
ether1 - VLAN 10 untagged
ether2 - VLAN 20 untagged
ether3 - VLAN 99 untagged
sfp1 - VLAN 10,20,99 tagged
and the Mikrotik is accessible on VLAN 99 with address 192.168.99.1
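
Added example, not part of the original post: a small Python check of an exported configuration for the two points made above (frame-types= and /interface bridge vlan entries are ignored while vlan-filtering=no, and vlan-filtering=yes should not be mixed with switch chip VLAN entries), which also derives the per-port VLAN membership from the switch VLAN table. The finding names and the sample text are constructed for illustration; the parser only handles plain `add`/`set` lines of the kind shown in this thread.

```python
import shlex
from collections import defaultdict

def parse_export(text):
    """Parse simple RouterOS-style export text into (menu, verb, target, params)."""
    menu, cmds = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # a menu line such as "/interface bridge port"
            menu = line
            continue
        verb, *rest = shlex.split(line)   # shlex keeps quoted comment="..." values whole
        target, params = None, {}
        for tok in rest:
            if "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
            elif target is None:          # e.g. the item name in "set bridge1 ..."
                target = tok
        cmds.append((menu, verb, target, params))
    return cmds

def audit(text):
    """Return (findings, membership) for the checks described in the post above."""
    cmds = parse_export(text)

    # Pass 1: final vlan-filtering state of every bridge (the default is "no").
    filtering = {}
    for menu, verb, target, p in cmds:
        if menu == "/interface bridge" and verb in ("add", "set"):
            name = p.get("name", target)
            if verb == "add" or "vlan-filtering" in p:
                filtering[name] = p.get("vlan-filtering", "no") == "yes"

    # Pass 2: settings that are ignored, and the switch chip VLAN table.
    findings, membership = [], defaultdict(set)
    for menu, verb, target, p in cmds:
        if verb != "add":
            continue
        aware = filtering.get(p.get("bridge"), False)
        if menu == "/interface bridge port" and "frame-types" in p and not aware:
            findings.append(("frame-types-ignored", p["interface"]))
        elif menu == "/interface bridge vlan" and not aware:
            findings.append(("bridge-vlan-ignored", p["vlan-ids"]))
        elif menu == "/interface ethernet switch vlan":
            for port in p["ports"].split(","):
                membership[port].add(int(p["vlan-id"]))

    # Simplification: any VLAN-aware bridge is flagged once switch VLAN entries
    # exist, without checking which ports belong to that bridge.
    if membership:
        for name, aware in filtering.items():
            if aware:
                findings.append(("filtering-with-switch-vlan", name))
    return findings, {port: sorted(vids) for port, vids in membership.items()}

# Constructed sample, shortened from the configuration asked about in this thread.
SAMPLE = """
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=sfp1 frame-types=admit-only-vlan-tagged
/interface bridge vlan
add bridge=bridge1 tagged=sfp1 vlan-ids=10
/interface ethernet switch vlan
add ports=ether1,switch1-cpu switch=switch1 vlan-id=10
add ports=ether2,switch1-cpu switch=switch1 vlan-id=20
"""

if __name__ == "__main__":
    found, ports = audit(SAMPLE)
    for code, subject in found:
        print(code, subject)
    for port, vids in sorted(ports.items()):
        print(port, vids)
```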
 
PackElend
Member Candidate
Topic Author
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

Re: Switch Chip VLAN Switching in Software Bridge

Thu Apr 07, 2022 8:35 pm

Regarding post #9:
Setting frame-types= and the definitions in /interface bridge vlan have no effect when the bridge has vlan-filtering=no.
As noted in the documentation "On QCA8337 and Atheros8327 switch chips, a default vlan-header=leave-as-is property should be used. The switch chip will determine which ports are access ports by using the default-vlan-id property. The default-vlan-id should only be used on access/hybrid ports to specify which VLAN the untagged ingress traffic is assigned to."
You cannot set vlan-filtering=yes as this is what disables the hardware offload to the switch chip; the results of mixing a VLAN-aware bridge and configuring the switch chip are not defined.
thx a lot for the configuration, you wrote down my thoughts :)
Now we have a best practice sample.
Would be great to see that in official help as well.
 
PackElend
Member Candidate
Topic Author
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

Re: Switch Chip VLAN Switching in Software Bridge

Thu Apr 07, 2022 9:35 pm

The sketch most likely may explain it better.

...

I cannot find that much documentation on this approach as Bridge-VLAN-Filtering is always recommended (for good reason).
In this configuration ROS switches frames according to the 802.1Q tag to the corresponding VLAN interface, doesn't it?
If an interface does not exist, the frame is dropped.
(Just) for curiosity, how would I handle untagged frames? 
The sketch represents the config great.

You don't find any documentation about this way of configuring things because the bridge with vlan-filtering is here since years ago ...
thx for all the detailed explanation. I would like to continue the clarification as it could be useful in certain scenarios, although challenging to manage if the number of VLANs increases significantly.

.
.
The way vlan interface works is the following: one creates vlan interface with command /interface vlan add interface=<underlying-interface> name=<vlan-interface-name> vlan-id=<VID> and has two ends; the tagged end (the red part) and untagged one (the green part). When tagged end sees frame, tagged with correct VID, it takes frame, strips the VLAN header and ejects it on untagged end. It ignores frames with wrong VID. In the other direction, it takes frame on the untagged end, adds VLAN header with configured VID and spits it out on tagged end.
added to the sketch:
VLAN on phy. interface +L2HW, VLAN +&-.png
.
.
IIRC it was 6.40 that brought VLAN-aware bridge making shown config method disadvised (to put it mildly).
but the configuration discussed here would not cause problems as described in Layer2 misconfiguration - RouterOS - MikroTik Documentation, wouldn't it?
The VLAN tagged/untagged is simple&controlled (only between VLAN interfaces) and is only point2point (interface2interface), like a VLAN-aware patch cable.

.
.
The underlying interface is (or can be) completely VLAN-unaware.
Is there an interface besides the VLAN interface that is VLAN-aware?
In the case of "vlan-filtering on bridge" it is the vlan-filtering that makes the interface VLAN-aware.

.
.
Hybrid interface can be used directly for L3 because L3 can only work with untagged frames (and ignores tagged ones)
by assigning an IP to a hardware interface and then routing it?

.
.
but I don't think you can bridge them without creating a bypass for tagged frames.
bypass is bridge-v100 bridge-200?

.
.
The problem with untagged frames
could be handled by creating a "PVID=1-VLAN-Interface" like in sketch below?
VLAN on phy. interface +L2HW, VLAN wiht PVID.png

.
.
Using vlan-filtering on bridge is much more elegant and simplifies configuration.
why can I not just create a second software bridge with active VLAN-filtering
VLAN on phy. interface +L2HW with extra Software bridge.png
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Switch Chip VLAN Switching in Software Bridge

Thu Apr 07, 2022 10:24 pm

Just a few comments:

the "bridge per vlan" certainly does have a few shortcomings. Whether they will cause problems for your particular use case or not ... is up to diligent examination. And many of the potential problems also depend on equipment connected to your device, some can trip the problem, some can survive.

Legacy wireless drivers (as opposed to the new wifiwave2 drivers) take parameters to deal with vlan tags (vlan-mode and vlan-id) ... if configured thus, nowadays such wifi interface had to be set as tagged port member of bridge.

Example of problems with hybrid setup: let's say you have two hybrid ports, sfp1 and sfp2. Sfp1 has untagged and tagged vlans 10 and 20. Sfp2 has untagged and tagged vlan 10 (but not vlan 20). If you bridge both ports with a bridge directly (because you want to bridge the untagged frames), also tagged frames will pass via this bridge. The vlan bridges will be selective due to using vlan interfaces between interfaces and corresponding bridges. And besides, this kind of solution would be wrong because physical interface can either be bridge port or can be used as anchor for vlan interfaces (etc.), but not both, so your diagram with bridge-v1 spanning sfp1 and be-v1 is not valid.

You can't connect things as per last diagram, because be-v100 and be-v200 are connected to bridge with untagged ends.
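
Added example, not part of the original posts: a Python model of the vlan interface behaviour described earlier in the thread (the tagged end strips the 802.1Q header of frames with its VID and ignores the rest, the untagged end adds it) applied to the sfp1/sfp2 hybrid example above. It shows that a direct bridge passes VLAN 20 to sfp2 while a bridge-per-VLAN setup does not, and that untagged frames have no path through the per-VLAN bridges. The interface names sfp1-v10 and sfp2-v10, the MAC addresses and the payload are constructed.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN header

def make_frame(dst, src, payload, vid=None, ethertype=0x0800):
    """Build an Ethernet frame; insert an 802.1Q header when vid is given."""
    header = dst + src
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload

def frame_vid(frame):
    """Return the VLAN ID of a tagged frame, or None if it is untagged."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF

class VlanInterface:
    """A vlan interface: tagged end on the parent port, untagged end in a bridge."""

    def __init__(self, name, vid):
        self.name, self.vid = name, vid

    def from_tagged_end(self, frame):
        """Strip the header of a frame carrying our VID; ignore anything else."""
        if frame_vid(frame) != self.vid:
            return None
        return frame[:12] + frame[16:]

    def from_untagged_end(self, frame):
        """Add a VLAN header with our VID and emit the frame on the tagged end."""
        return frame[:12] + struct.pack("!HH", TPID_8021Q, self.vid) + frame[12:]

def direct_bridge(frame):
    """sfp1 and sfp2 as ports of one VLAN-unaware bridge: every frame passes."""
    return frame

def per_vlan_bridges(frame, bridges):
    """Send a frame arriving on sfp1 through the per-VLAN bridges towards sfp2.

    bridges holds one (ingress vlan interface, egress vlan interface) pair per
    bridge-vNN. Returns the frame as it leaves sfp2, or None if nothing took it.
    """
    for ingress, egress in bridges:
        inner = ingress.from_tagged_end(frame)
        if inner is not None:
            return egress.from_untagged_end(inner)
    return None

# Constructed test data: locally administered MACs; only VLAN 10 is bridged.
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")
BRIDGES = [(VlanInterface("sfp1-v10", 10), VlanInterface("sfp2-v10", 10))]

def run_scenario():
    """Return {label: (passes direct bridge, passes per-VLAN bridges)}."""
    results = {}
    for label, vid in (("untagged", None), ("vlan10", 10), ("vlan20", 20)):
        frame = make_frame(DST, SRC, b"constructed payload", vid)
        results[label] = (direct_bridge(frame) is not None,
                          per_vlan_bridges(frame, BRIDGES) is not None)
    return results

if __name__ == "__main__":
    for label, (direct, selective) in run_scenario().items():
        print(f"{label:9} direct bridge: {direct}  bridge per VLAN: {selective}")
```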
 
PackElend
Member Candidate
Topic Author
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

Re: Switch Chip VLAN Switching in Software Bridge

Fri Apr 08, 2022 12:50 pm

the "bridge per vlan" certainly does have a few shortcomings. Whether they will cause problems for your particular use case or not ... is up to diligent examination. And many of the potential problems also depend on equipment connected to your device, some can trip the problem, some can survive.
alright

.
.
Legacy wireless drivers (as opposed to the new wifiwave2 drivers) take parameters to deal with vlan tags (vlan-mode and vlan-id) ... if configured thus, nowadays such wifi interface had to be set as tagged port member of the bridge.
that happens dynamically anyway if VLAN is used
/interface wireless
... vlan-id=111 vlan-mode=use-tag
.

.
.
Example of problems with hybrid setup: let's say you have two hybrid ports, sfp1 and sfp2. Sfp1 has untagged and tagged vlans 10 and 20. Sfp2 has untagged and tagged vlan 10 (but not vlan 20). If you bridge both ports with a bridge directly (because you want to bridge the untagged frames), also tagged frames will pass via this bridge. The vlan bridges will be selective due to using vlan interfaces between interfaces and corresponding bridges. And besides, this kind of solution would be wrong because physical interface can either be bridge port or can be used as anchor for vlan interfaces (etc.), but not both, so your diagram with bridge-v1 spanning sfp1 and be-v1 is not valid.

You can't connect things as per the last diagram, because be-v100 and be-v200 are connected to a bridge with untagged ends.
ok, thx was curious if it could optimize
Thought of a theoretical case like
Soft.-Bridge (LAN&WLAN) +Switch VLAN - marked.png
or my hAP ac3 where I want to at wire-speed between ports but wondered how to get the WLAN interfaces included:
hAP ac3.png
but that is answered now :D :D :D
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Switch Chip VLAN Switching in Software Bridge

Fri Apr 08, 2022 9:25 pm

Legacy wireless drivers (as opposed to the new wifiwave2 drivers) take parameters to deal with vlan tags (vlan-mode and vlan-id) ... if configured thus, nowadays such wifi interface had to be set as tagged port member of the bridge.
that happens dynamically anyway if VLAN is used
/interface wireless
... vlan-id=111 vlan-mode=use-tag

There are two ways to do it with vlan-enabled bridge:
  1. bridge port tags traffic:
    /interface wireless
    set [ find name=wlan1 ] vlan-mode=no-tag
    /interface bridge port
    add bridge=bridge interface=wlan1 frame-types=admit-only-untagged-and-priority-tagged pvid=666
    /interface bridge vlan
    set [ find vlan-id=666 ] untagged=wlan1<,rest_of_untagged_ports>
    
  2. wireless driver tags traffic:
    /interface wireless
    set [ find name=wlan1 ]  vlan-mode=use-tag vlan-id=666
    /interface bridge port
    add bridge=bridge interface=wlan1 frame-types=admit-only-vlan-tagged
    /interface bridge vlan
    set [ find vlan-id=666 ] tagged=wlan1<,rest_of_tagged_ports>
    
The way #1 is only possible with vlan-filtering enabled on bridge. The way #2 is also possible if bridge doesn't do anything about vlans which was up to ROS version 6.40 or there about.

The way #1 is the contemporary way of doing it, wifiwave2 drivers don't support tagging any more so I guess with time #2 will be gone.

However, on my audience running 7.2 the working config is #3:
/interface/wifiwave2
# nothing here, wifiwave2 drivers don't have any vlan-related settings
/interface bridge port
add bridge=bridge interface=wifi1 frame-types=admit-only-vlan-tagged pvid=666
/interface bridge vlan
set [ find vlan-id=666 ] tagged=wlan1<,rest_of_tagged_ports>
It doesn't work without pvid set on bridge port. And doesn't work if frame-types=admit-only-untagged-and-priority-tagged pvid=666 on bridge/port and wifi1 made member of untagged ports members of corresponding vlan. VLAN setup for ether ports works according to expectations. I've opened a support ticket and am waiting patiently for any kind of response.
 
PackElend
Member Candidate
Topic Author
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

Re: Switch Chip VLAN Switching in Software Bridge

Sun Apr 10, 2022 4:53 pm

The way #1 is the contemporary way of doing it, wifiwave2 drivers don't support tagging any more so I guess with time #2 will be gone.
it is a shame that #2 is not supported by wifiwave2 as that is the only option to allow hardware vlan switching through the switch chip and including the WLAN interfaces to the corresponding bridge (in case of e.g. hAP ac3)
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Switch Chip VLAN Switching in Software Bridge

Sun Apr 10, 2022 8:47 pm

The way #1 is the contemporary way of doing it, wifiwave2 drivers don't support tagging any more so I guess with time #2 will be gone.
it is a shame that #2 is not supported by wifiwave2 as that is the only option to allow hardware vlan switching through the switch chip and including the WLAN interfaces to the corresponding bridge (in case of e.g. hAP ac3)

I hope that more switch chip types will receive HW offload from bridge. Just like RTL8367 and MT7621 did with ROS 7.1. As most wifiwave2 devices currently run off QCA wifi chips, I guess that HW offload to AR8327/QCA8337 would solve the problem you mentioned.
 
PackElend
Member Candidate
Topic Author
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

Re: Switch Chip VLAN Switching in Software Bridge

Tue Apr 12, 2022 9:12 pm

an additional configuration for a cAP ac
/interface bridge 
add name=bridge-VLANs
  
/interface bridge port
add bridge=bridge-VLANs interface=ether1
add bridge=bridge-VLANs interface=ether2

/interface vlan
add interface=bridge-VLANs   vlan-id=999   name=VLAN_MGMT   comment="NETWORK DEVICES MANAGEMENT VLAN"	

/ip address  add address=10.10.9.132/24   interface=VLAN_MGMT   comment="NETWORK DEVICES MANAGEMENT VLAN"
/ip route add gateway=10.10.9.1   distance=1 
/ip dns set allow-remote-requests=no   servers="10.10.9.1"  

/interface ethernet switch port
set ether1      vlan-mode=secure vlan-header=add-if-missing
set ether2      vlan-mode=secure vlan-header=always-strip default-vlan-id=160
set switch1-cpu vlan-mode=secure vlan-header=leave-as-is 

/interface ethernet switch vlan
#traffic through tagged ports
add ports=ether1,switch1-cpu switch=switch1 vlan-id=1
add ports=ether1,switch1-cpu switch=switch1 vlan-id=8
add ports=ether1,switch1-cpu switch=switch1 vlan-id=999
add ports=ether1,switch1-cpu switch=switch1 vlan-id=11
add ports=ether1,switch1-cpu switch=switch1 vlan-id=130
#traffic through tagged ports tagged & untagged ports
add ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=160

/interface wireless cap
set interfaces=wlan1,wlan2   enabled=yes   bridge=bridge-VLANs  discovery-interfaces=VLAN_MGMT    
gives:
ether1 - VLAN 1,8, 999, 160 tagged
ether2 - VLAN 160 tagged
switch1-cpu - VLAN 1,8, 999, 130, 160 tagged
WLAN will be added dynamically as bridge VLAN ports
and the Mikrotik is accessible on VLAN 999 with address 10.10.9.132
VLAN 8 and 130 are for WLAN.

the only thing remaining is adding filters on the bridge so that WLAN users cannot access the CPU (to configure the device etc.). Only VLAN999 shall be able to access the device (chain input from VLAN else drop)

https://wiki.mikrotik.com/wiki/Manual:C ... figuration
 
PackElend
Member Candidate
Topic Author
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

Re: Switch Chip VLAN Switching in Software Bridge

Mon Apr 25, 2022 10:51 pm

The way #1 is only possible with vlan-filtering enabled on bridge. The way #2 is also possible if bridge doesn't do anything about vlans which was up to ROS version 6.40 or there about.

The way #1 is the contemporary way of doing it, wifiwave2 drivers don't support tagging any more so I guess with time #2 will be gone.
is that resolved by
RouterOS version 7.3beta33 has been released "v7 testing" channel!
What's new in 7.3beta33 (2022-Apr-11 14:09):
...
*) ww2 - fixed VLAN tag handling;
?


I'm done with my configuration but I noticed that:
  1. that hEX S only forwards traffic on the hardware, if all VLANs have access to the bridge port, see my comment in viewtopic.php?p=929133#p929133
  2. my phone suddenly does not tx/rx data anymore and is disconnected from WiFi although not being moved. It reconnects (still not being moved) and tx/rx data again. It could be that it changes SSID.
    I'm still investigating but no clue why this is happening. Wondering if that is related to the here discussed configuration.
    I got this from the log, phone not moved:
    21:42:44 echo: caps,debug 4E:10:A0:6A:CA:FD@AP_1F-W_MT-cAP-ac-1 connected, signal strength -63
    21:42:44 echo: caps,debug 4E:10:A0:6A:CA:FD@AP_1F-W_MT-cAP-ac-1-1 disconnected, registered to other interface, signal strength -65
    21:43:17 echo: caps,debug 4E:10:A0:6A:CA:FD@AP_1F-W_MT-cAP-ac-1 disconnected, received deauth: sending station leaving (3), signal strength -60
    21:43:18 echo: caps,debug 4E:10:A0:6A:CA:FD@AP_1F-W_MT-cAP-ac-1-1 connected, signal strength -59
    
    
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Switch Chip VLAN Switching in Software Bridge

Tue Apr 26, 2022 9:00 am

my phone suddenly does not tx/rx data anymore and is disconnected from WiFi although not being moved. It reconnects (still not being moved) and tx/rx data again. It could be that it changes SSID.

It does seem that phone changes SSID ... connects and disconnects are happening at the same time, so the sequence of messages doesn't necessarily reflect actual sequence of events. But they do refer to different interface names (AP_1F-W_MT-cAP-ac-1 and AP_1F-W_MT-cAP-ac-1-1), which indicates different physical or virtual wifi interface.

I did notice with my audience that some devices (in particular one of my Huawei tablets) don't particularly like 5GHz radio and prefer to camp on 2.4 GHz radio instead (others merrily move over to 5GHz eventually). I've created a different SSID and if I hand select that SSID on tablet, it's working just fine. But as soon as something itches the tablet, it'll re-connect to the normal SSID and camp on 2.4GHz again.
BTW, my audience runs 7.2.1, hence no CAPsMAN in picture (right now).
 
PackElend
Member Candidate
Topic Author
Posts: 268
Joined: Tue Sep 29, 2020 6:05 pm

Re: Switch Chip VLAN Switching in Software Bridge

Tue Apr 26, 2022 6:09 pm

in my case all happens on 2.4GHz
ac-1-1 and ac-1 are virtual wifi interfaces
I have some SSID broadcasting currently due to testing https://github.com/eworm-de/routeros-sc ... pot-to-wpa
ROS v7.2.1

Device was not moved. rx/tx suddenly stopped, disconnected/connected, rx/tx was happening again... :?
apr/25 23:20:44 caps,debug 4E:10:A0:6A:CA:FD@AP+ES_GF_MT-hAP-ac3-1-1 connected, signal strength -58 
apr/25 23:21:34 caps,debug 4E:10:A0:6A:CA:FD@AP+ES_GF_MT-hAP-ac3-1 connected, signal strength -57 
apr/25 23:21:34 caps,debug 4E:10:A0:6A:CA:FD@AP+ES_GF_MT-hAP-ac3-1-1 disconnected, registered to other interface, signal strength -58 
apr/25 23:22:00 caps,debug 4E:10:A0:6A:CA:FD@AP+ES_GF_MT-hAP-ac3-1 disconnected, group key timeout, signal strength -58 
apr/25 23:22:05 caps,debug 4E:10:A0:6A:CA:FD@AP+ES_GF_MT-hAP-ac3-1-1 connected, signal strength -56 
