Wed Nov 30, 2022 9:02 pm
You can configure the switch chip to make a subset of VLANs available on the Ethernet ports and handle untagging; there isn't much you can do for the SFP port - maybe bridge filters. The CPU in the original hAP AC isn't great, so you will only get wirespeed port-to-port throughput using the switch, i.e. not using a VLAN-aware bridge.
If the port-to-port throughput isn't a concern, you could go back to using a VLAN-aware bridge and tag many/all of the VLANs not presented on the local wired ports, e.g. if you are using VLAN IDs 102 to 105 untagged on the wired ports:
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether1
add bridge=bridge ingress-filtering=yes interface=ether2 pvid=102
add bridge=bridge ingress-filtering=yes interface=ether3 pvid=103
add bridge=bridge ingress-filtering=yes interface=ether4 pvid=104
add bridge=bridge ingress-filtering=yes interface=ether5 pvid=105
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=2-101
add bridge=bridge tagged=bridge,ether1 untagged=ether2 vlan-ids=102
add bridge=bridge tagged=bridge,ether1 untagged=ether3 vlan-ids=103
add bridge=bridge tagged=bridge,ether1 untagged=ether4 vlan-ids=104
add bridge=bridge tagged=bridge,ether1 untagged=ether5 vlan-ids=105
add bridge=bridge tagged=bridge,ether1 vlan-ids=106-4094
Note the untagged= setting is optional; it will be dynamically added based on the bridge port pvid= setting. Also note from the Wiki / help pages: "The vlan-ids parameter can be used to specify a set or range of VLANs, but specifying multiple VLANs in a single bridge VLAN table entry should only be used for ports that are tagged ports. In case multiple VLANs are specified for access ports, then tagged packets might get sent out as untagged packets through the wrong access port, regardless of the PVID value."
You would have to manage this on each of the multi-port devices as and when you want to change the VLAN memberships of the ports other than the uplink, but any other VLANs used for WiFi interfaces would just work.
Nothing currently on the horizon for wired VLAN management, but MikroTik have been eliciting requirements for potential future developments.
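The Wiki caveat quoted in the post above, turned into a check over a bridge export; this is an added example, not part of the original post or MikroTik's own tooling. The sample export is constructed, `expand_ids`, `parse` and `audit` are hypothetical helper names, and the pvid comparison is an extra consistency check assumed here.

```python
import re

# Constructed export; the last entry is deliberately risky (VLAN range + access port).
SAMPLE = """\
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether1
add bridge=bridge ingress-filtering=yes interface=ether2 pvid=102
add bridge=bridge ingress-filtering=yes interface=ether3 pvid=103
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=2-101
add bridge=bridge tagged=bridge,ether1 untagged=ether2 vlan-ids=102
add bridge=bridge tagged=bridge,ether1 untagged=ether3 vlan-ids=103-105
"""

def expand_ids(spec):
    """Expand a vlan-ids value such as '2-101,200' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse(export):
    """Return ({port: pvid}, [bridge vlan entries]) from export text."""
    pvids, vlans, section = {}, [], None
    for line in map(str.strip, export.splitlines()):
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = dict(re.findall(r"(\S+?)=(\S+)", line))
            if section == "/interface bridge port":
                pvids[kv["interface"]] = int(kv.get("pvid", 1))  # default pvid is 1
            elif section == "/interface bridge vlan":
                vlans.append(kv)
    return pvids, vlans

def audit(export):
    """Flag the quoted multi-VLAN caveat and pvid/untagged mismatches."""
    pvids, vlans = parse(export)
    findings = []
    for kv in vlans:
        ids = expand_ids(kv["vlan-ids"])
        untagged = [p for p in kv.get("untagged", "").split(",") if p]
        if untagged and len(ids) > 1:
            findings.append(f"vlan-ids={kv['vlan-ids']}: range entry lists untagged {untagged}")
        for p in untagged:  # extra check assumed by this example, not from the post
            if p in pvids and pvids[p] not in ids:
                findings.append(f"{p}: pvid={pvids[p]} outside vlan-ids={kv['vlan-ids']}")
    return findings
```

Calling `audit(SAMPLE)` reports only the `103-105` entry; the layout from the post, with ranges on tagged ports only and one entry per access VLAN, produces no findings.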