Using bridge I think I got it figured out, as in: it works.
But the CPU load is noticeable.
btest between both ac3's gives me max 560Mbps, CPU hovering around 50-70% on both sides.
(I know, I know, shouldn't be testing directly between those devices ...)
Since ROS7 allows HW offload using switch chip, I tried using it but somehow it doesn't work...
Used these instructions:
https://help.mikrotik.com/docs/display/ ... switchchip
Setup:
Hex connected to ISP modem, handing out subnet 192.168.2.0/24
hAP AC3 (AC3-1, ROS7), connected to Hex via hub on ether1, using port5 for POE to another hAP AC3 (AC3-2, Ros6).
ether5 is untagged vlan30 with subnet 192.168.30.0/24 and DHCP server (at least, that is the intention...).
Second AC3 is pretty default configured, access port on ether1. DHCP client on ether1.
On AC3-1, 2 subnets. One coming from Hex further up, second on VLAN30.
hAP AC3 has Atheros8327 switch chip so it should be able to handle the VLAN stuff.
When using bridge based VLAN, I get an IP address from VLAN30 pool. Nicely as intended.
When using switch based VLAN, I either get no IP, no connection, or (as config is now) address from Hex range.
Where am I going wrong with that switch setup?
Config attached (removed everything wifiwave2 related for now, I first want to see how this works using regular ethernet ports)
# may/14/2022 23:02:40 by RouterOS 7.3beta40
# software id = LB29-6B5U
#
# model = RBD53iG-5HacD2HnD
# serial number = <edited>
/interface bridge
add comment=defconf name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether4 ] disabled=yes
/interface vlan
add interface=bridge1 name=VLAN30 vlan-id=30
/interface ethernet switch port
set 4 default-vlan-id=30 vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=VLAN30 ranges=192.168.30.100-192.168.30.199
/ip dhcp-server
add address-pool=VLAN30 interface=VLAN30 name=VLAN30
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether1
/interface ethernet switch vlan
add independent-learning=yes ports=ether5,ether1,switch1-cpu switch=switch1 vlan-id=30
/interface list member
add comment=defconf interface=bridge1 list=LAN
add interface=ether1 list=LAN
add interface=VLAN30 list=LAN
/ip address
add address=192.168.2.3/24 comment=defconf interface=bridge1 network=192.168.2.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
/ip dhcp-server network
add address=192.168.30.0/32 dns-server=192.186.2.1 gateway=192.168.30.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.2.91,192.168.2.1
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept Winbox from LAN" dst-port=8291 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=192.168.2.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/snmp
set enabled=yes trap-version=2
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name=hAPAC3
/system package update
set channel=testing
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes