Spirch
Member Candidate
Topic Author
Posts: 119
Joined: Sat May 03, 2014 5:04 am

trying to get rid of vlan 1 on 951G-2HnD

Sun May 22, 2022 4:34 pm

Hello,

I'm trying to get rid of vlan 1 on a 951G-2HnD.

Here is the config:
# model = 951G-2HnD
/interface bridge
add name=bridge-ALL

/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-Mini-PC
set [ find default-name=ether3 ] name=ether3-TV
set [ find default-name=ether4 ] name=ether4-Guest1
set [ find default-name=ether5 ] name=ether5-Guest2

/interface ethernet switch port
set 0 vlan-mode=secure                     #setting vlan id=70 disconnect me from winbox
set 1 default-vlan-id=20 vlan-mode=secure
set 2 default-vlan-id=10 vlan-mode=secure
set 3 default-vlan-id=50 vlan-mode=secure
set 4 default-vlan-id=50 vlan-mode=secure
set 5 vlan-mode=secure

/interface bridge port
add bridge=bridge-ALL interface=wlan1 
add bridge=bridge-ALL interface=ether1-WAN
add bridge=bridge-ALL interface=ether2-Mini-PC
add bridge=bridge-ALL interface=ether3-TV
add bridge=bridge-ALL interface=ether4-Guest1
add bridge=bridge-ALL interface=ether5-Guest2

/interface ethernet switch vlan
add independent-learning=yes ports=ether1-WAN,ether2-Mini-PC switch=switch1 vlan-id=20
add independent-learning=yes ports=ether1-WAN,ether4-Guest1,ether5-Guest2 switch=switch1 vlan-id=50
add independent-learning=yes ports=ether1-WAN,switch1-cpu switch=switch1 vlan-id=1                #removing this disconnect me from winbox
add independent-learning=yes ports=ether1-WAN,ether3-TV switch=switch1 vlan-id=10
add independent-learning=yes ports=ether1-WAN,switch1-cpu switch=switch1 vlan-id=70                   #this is what it should be


I put 3 comments in the config above.

When I try to remove vlan 1, I keep getting disconnected from winbox; thanks to safe mode it always rolls back.

This router acts as a switch. It is connected to a hap ac2, and on the hap ac2 it is properly configured on vlan70 (the dhcp server gives a proper lease / ip on that vlan 70).

I'm connected from a device on the hap ac2 and on that router, and vlan 1 doesn't exist on it.
 
mkx
Forum Guru
Posts: 11436
Joined: Thu Mar 03, 2016 10:23 pm

Re: trying to get rid of vlan 1 on 951G-2HnD

Sun May 22, 2022 4:47 pm

Is this truly the whole config? It lacks L2.5 setup (like /interface vlan section) and L3 setup (IP addresses etc.) ... but everything matters. If the shown setup is not whole of it, post everything. If this is the whole thing then ... well, try to fill in the voids.
 
Spirch
Member Candidate
Topic Author
Posts: 119
Joined: Sat May 03, 2014 5:04 am

Re: trying to get rid of vlan 1 on 951G-2HnD

Sun May 22, 2022 5:04 pm

> Is this truly the whole config? It lacks L2.5 setup (like /interface vlan section) and L3 setup (IP addresses etc.) ... but everything matters. If the shown setup is not whole of it, post everything. If this is the whole thing then ... well, try to fill in the voids.

The dhcp server is on another router (hap ac2).

This 951G-2HnD is just a switch; there is nothing else on it, everything goes to my other router, the hap ac2.

Every single vlan on the 951G-2HnD works as expected; they get a proper ip and proper internet access, etc.

I just want to remove vlan 1 on it.
 
mkx
Forum Guru
Posts: 11436
Joined: Thu Mar 03, 2016 10:23 pm

Re: trying to get rid of vlan 1 on 951G-2HnD

Sun May 22, 2022 5:09 pm

So the switch doesn't even have an IP address assigned? How do you manage it then?
 
Spirch
Member Candidate
Topic Author
Posts: 119
Joined: Sat May 03, 2014 5:04 am

Re: trying to get rid of vlan 1 on 951G-2HnD

Sun May 22, 2022 5:14 pm

> So the switch doesn't even have an IP address assigned? How do you manage it then?

The switch gets its 192.168.70.10 ip from the hap ac2 properly.

I'm connecting to it from my computer; my computer is connected to the hap ac2.

I guess I didn't select until the end of the export.

On the 951G-2HnD:
/ip dhcp-client
add disabled=no interface=bridge-ALL
 
Spirch
Member Candidate
Topic Author
Posts: 119
Joined: Sat May 03, 2014 5:04 am

Re: trying to get rid of vlan 1 on 951G-2HnD  [SOLVED]

Sun May 22, 2022 6:37 pm

I finally did it.

I just created a dummy wireless connection on the 951G-2HnD, with no specified vlan or anything, and connected using the mac address instead of the ip, using the mobile app on my phone.

I set default-vlan-id=70 on ether1-wan and switch-cpu and removed the vlan-id=1 entry.

Looks like it had to be done outside any vlan and/or could not be done from my pc --> hap ac2 --> 951G-2HnD.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: trying to get rid of vlan 1 on 951G-2HnD

Sun May 22, 2022 6:41 pm

The /ip dhcp-client add disabled=no interface=bridge-ALL configuration will acquire an address using untagged traffic through the switch1-cpu port. This currently has PVID 1; the export does not show the defaults, in full it would be set 5 default-vlan-id=1 vlan-mode=secure. Similarly the ether1-WAN port, so your management access appears to be untagged.

The current packet flow is: untagged packet -> ether1-WAN -> VLAN ID 1 tag added -> switch -> VLAN ID 1 tag removed -> switch1-cpu -> Mikrotik processes

As you already have VLAN 70 declared in /interface ethernet switch vlan you just need to change /interface ethernet switch port ether1 (#0) and switch1-cpu (#5) to 70 at the same time.
 
Spirch
Member Candidate
Topic Author
Posts: 119
Joined: Sat May 03, 2014 5:04 am

Re: trying to get rid of vlan 1 on 951G-2HnD

Sun May 22, 2022 7:09 pm

> The /ip dhcp-client add disabled=no interface=bridge-ALL configuration will acquire an address using untagged traffic through the switch1-cpu port. This currently has PVID 1; the export does not show the defaults, in full it would be set 5 default-vlan-id=1 vlan-mode=secure. Similarly the ether1-WAN port, so your management access appears to be untagged.
>
> The current packet flow is: untagged packet -> ether1-WAN -> VLAN ID 1 tag added -> switch -> VLAN ID 1 tag removed -> switch1-cpu -> Mikrotik processes
>
> As you already have VLAN 70 declared in /interface ethernet switch vlan you just need to change /interface ethernet switch port ether1 (#0) and switch1-cpu (#5) to 70 at the same time.

Exactly, I figured that out when I was doing it with my wireless connection.

I had connectivity back from my pc when BOTH were set to 70.

Side question: is it possible to set both on the same command line? Could I have done it without using my alternative (wireless connection)?
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: trying to get rid of vlan 1 on 951G-2HnD

Sun May 22, 2022 7:16 pm

Yes
/interface ethernet switch port
set 0 default-vlan-id=70; set 5 default-vlan-id=70

(obviously with safe mode, just in case)
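
The packet flow tdw describes and the one-line change above can be checked with a small model, added here as an example; it is not code from any poster or from MikroTik. It assumes that in vlan-mode=secure an untagged frame takes the ingress port's default-vlan-id, is forwarded only if a switch VLAN entry lists both ports, and leaves untagged only when that ID equals the egress port's default-vlan-id; the short port names (e1 for ether1-WAN, cpu for switch1-cpu) are constructed.

```python
# Simplified model of the switch chip in vlan-mode=secure (assumptions stated above,
# not taken from the thread): PVID tagging on ingress, VLAN-table membership check,
# and untagged egress only when the VID equals the egress port's default-vlan-id.

# VLAN table from the first post, with constructed short port names.
VLAN_TABLE = {
    1: {"e1", "cpu"},
    10: {"e1", "e3"},
    20: {"e1", "e2"},
    50: {"e1", "e4", "e5"},
    70: {"e1", "cpu"},
}


def forward(pvid, table, src, dst):
    """Send an untagged frame into src and report how it leaves dst:
    'untagged', 'tagged:<vid>' or 'dropped'."""
    vid = pvid[src]
    members = table.get(vid, set())
    if src not in members or dst not in members:
        return "dropped"
    return "untagged" if pvid[dst] == vid else f"tagged:{vid}"


def management_ok(pvid, table):
    """Untagged management (DHCP client directly on the bridge) needs
    untagged delivery in both directions between e1 and cpu."""
    return (forward(pvid, table, "e1", "cpu") == "untagged"
            and forward(pvid, table, "cpu", "e1") == "untagged")


def walk(steps, table):
    """Apply PVID changes step by step, recording management reachability after each."""
    pvid = {"e1": 1, "cpu": 1}  # the export omits defaults: both ports start at PVID 1
    results = []
    for changes in steps:
        pvid.update(changes)
        results.append(management_ok(pvid, table))
    return results


if __name__ == "__main__":
    print("one port at a time:", walk([{"e1": 70}, {"cpu": 70}], VLAN_TABLE))
    print("both in one line:  ", walk([{"e1": 70, "cpu": 70}], VLAN_TABLE))
    no_vlan1 = {v: m for v, m in VLAN_TABLE.items() if v != 1}
    print("vlan 1 entry removed first:", walk([{}], no_vlan1))
    print("vlan 1 entry removed last: ", walk([{"e1": 70, "cpu": 70}], no_vlan1))
```

In this model the intermediate state of a one-port-at-a-time change is exactly where the remote session drops, which is the point at which safe mode rolls the change back.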
 
Spirch
Member Candidate
Topic Author
Posts: 119
Joined: Sat May 03, 2014 5:04 am

Re: trying to get rid of vlan 1 on 951G-2HnD

Sun May 22, 2022 7:22 pm

> Yes
> /interface ethernet switch port
> set 0 default-vlan-id=70; set 5 default-vlan-id=70
>
> (obviously with safe mode, just in case)

OK, I didn't know about the ; delimiter.

Thanks!
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: trying to get rid of vlan 1 on 951G-2HnD

Sun May 22, 2022 8:21 pm

Sounds like you made something simple extremely difficult.
An MT device acting solely as a switch/AP with some vlans is straightforward.
There is NO WAN! and no LAN! just a management interface which includes the vlan the MT device is getting its IP from.
This maintains vlan1 on the MT, no monkeypox business.........

The only part unknown is which vlan the WLAN was supposed to be using so I set it to the guest vlan.............
........
/interface bridge
add ingress-filtering=no name=bridge-all vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-hapac
set [ find default-name=ether2 ] name=ether2-Mini-PC
set [ find default-name=ether3 ] name=ether3-TV
set [ find default-name=ether4 ] name=ether4-Guest1
set [ find default-name=ether5 ] name=ether5-Guest2
/interface vlan
add interface=bridge-all name=VLAN-M70  vlan-id=70
/interface list
add name=management
/interface list member
add interface=VLAN-M70 list=management
/ip neighbor discovery-settings
set discover-interface-list=management
/interface wireless
set [ find default-name=wlan1 ] band=2ghz mode=ap-bridge
/interface bridge port
add bridge=bridge-all interface=ether1-hapac ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge-all interface=ether2-Mini-PC ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
add bridge=bridge-all interface=ether3-TV ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10
add bridge=bridge-all interface=ether4-Guest1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=50
add bridge=bridge-all interface=ether5-Guest2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=50
# wlan1: intended VLAN unknown, guest VLAN used
add bridge=bridge-all interface=wlan1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=50
/interface bridge vlan
add bridge=bridge-all tagged=bridge-all,ether1-hapac vlan-ids=70
add bridge=bridge-all tagged=ether1-hapac untagged=ether2-Mini-PC vlan-ids=20
add bridge=bridge-all tagged=ether1-hapac untagged=ether3-TV vlan-ids=10
add bridge=bridge-all tagged=ether1-hapac untagged=ether4-Guest1,ether5-Guest2,wlan1 vlan-ids=50
/ip address
add address=xx.xx.xx.01/24 interface=VLAN-M70 network=xx.xx.xx.0 comment="IP of device on trusted subnet"
/ip dns
# dns through trusted subnet gateway
set allow-remote-requests=yes servers=xx.xx.xx.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=xx.xx.xx.1 comment="ensures route avail through trusted subnet gateway"
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: trying to get rid of vlan 1 on 951G-2HnD

Sun May 22, 2022 8:34 pm

That would be fine if the Atheros/Qualcomm switch chips supported hardware offload with vlan-aware bridges. Given the RB951G-2HnD is an older device, the CPU performance would likely limit software bridged throughput to a few hundred Mbps.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: trying to get rid of vlan 1 on 951G-2HnD

Sun May 22, 2022 8:35 pm

Wow, really tdw? What a hunk of junk, even a hex or capac handles that with ease...........
 
Spirch
Member Candidate
Topic Author
Posts: 119
Joined: Sat May 03, 2014 5:04 am

Re: trying to get rid of vlan 1 on 951G-2HnD

Sun May 22, 2022 9:21 pm

> Wow, really tdw? What a hunk of junk, even a hex or capac handles that with ease...........

vlan hardware offload from nas to pc: wire speed, 1 gig
bridge vlan without hardware offload from nas to pc: between 300 and 400 mbits/sec

I tested it and that is why I went down the very difficult path of switch vlan.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: trying to get rid of vlan 1 on 951G-2HnD

Sun May 22, 2022 9:49 pm

> what a hunk of junk, even an hex or capac, handles that with ease...........

They would as the processors are several times more powerful:
RB951G-2HnD - single-core 600MHz MIPS
hEX - dual-core 880MHz MIPS
cAP ac - quad-core 716MHz ARM
 
Spirch
Member Candidate
Topic Author
Posts: 119
Joined: Sat May 03, 2014 5:04 am

Re: trying to get rid of vlan 1 on 951G-2HnD

Sun May 22, 2022 10:24 pm

> > what a hunk of junk, even an hex or capac, handles that with ease...........
>
> They would as the processors are several times more powerful:
> RB951G-2HnD - single-core 600MHz MIPS
> hEX - dual-core 880MHz MIPS
> cAP ac - quad-core 716MHz ARM

Sadly, even with the hap ac2, a way more powerful cpu than the RB951G-2HnD, a single file copy from nas to pc is stuck at 300-400mbits/sec if it goes through the CPU.

I had my pc and nas on two different vlans; I had to move the nas into my pc vlan to get wirespeed, intervlan was killing speed.

context:
nas: freenas
pc: windows 10
copy files from explorer.exe from smb on nas to local

file copy is single thread
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: trying to get rid of vlan 1 on 951G-2HnD

Sun May 22, 2022 10:38 pm

There is additional overhead with routing compared to software bridging. I would still expect somewhat better routing performance from a hAP ac2.
 
Spirch
Member Candidate
Topic Author
Posts: 119
Joined: Sat May 03, 2014 5:04 am

Re: trying to get rid of vlan 1 on 951G-2HnD

Sun May 22, 2022 10:46 pm

> There is additional overhead with routing compared to software bridging. I would still expect somewhat better routing performance from a hAP ac2.

Same from me :(

I use my nas to record multiple 24/7 cctv.

That was my reason to have it on a different vlan. Now I'm using the ip firewall to restrain access of my cameras on my pc vlan, so they can only access the nas.

In the end, I moved my nas vlan into my pc vlan, so I keep my wirespeed, and I added firewall rules for my cameras.

At least I always had a block-by-default pattern on my firewall, so I only had to allow what I needed. Still, I was hoping that the little hap ac2 was strong enough not to have to do that.
 
Spirch
Member Candidate
Topic Author
Posts: 119
Joined: Sat May 03, 2014 5:04 am

Re: trying to get rid of vlan 1 on 951G-2HnD

Mon May 23, 2022 12:47 pm

After playing a few more hours with all this switch vlan vs bridge vlan saga, here is what I saw.

Intervlan: doesn't matter, same speed on both, slow, it always needs to go through the cpu.

Same vlan: this is what I found and where I need to retract some of my statements above.

First, I was not resetting the whole configuration every time I was playing around; somehow in the past I had put use-ip-firewall=yes and use-ip-firewall-for-vlan=yes in the bridge settings.
Maybe in the past I thought it was needed to use the firewall; in fact they are for something else. I read the wiki again, they are needed for queued only.
So these two were always set to YES in my testing.

This time around, a full reset was done and these two were kept at the default value, aka NO; the firewall still works as expected.
The vlan was set up with the bridge pattern only (no more switch vlan).

On the RB951, I see a maximum of 320 to 400mbits/sec with 40-45% cpu usage on the single core, and the bottleneck is on the hap ac2; since it goes intervlan, it is cpu restricted.

On the hap ac2, same vlan: now this is what changed my view and made me retract what I said in my previous reply. I still see high cpu usage (versus no cpu usage with switch vlan) but I do get wirespeed.

If I turn on both settings that I mentioned above, in the bridge settings, speed goes back to 320 to 400mbits/sec, what I was seeing before.

So the culprit was me not doing a full reset and these two settings being active. For now I will keep it as bridge vlan until I have a speed issue that needs fixing; I have plenty of cpu room based on what I saw, but if it happens, I will have to go back to switch vlan.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: trying to get rid of vlan 1 on 951G-2HnD

Mon May 23, 2022 2:18 pm

Yup, standard firewall rules work just fine 99% of the time at least for bridge vlan filtering.........
The clue is if it's not a standard default setting, and you turn it on, best know why.
