Hi,

i have a RB3011 with two QCA8337 based switches. Because these switches do NOT support VLAN hardware offloading when using Bridge based VLAN filtering, I have turned the new VLAN filtering off in the bridge configuration and i am NOT using the new Bridge based VLAN configuration. All VLAN configuration is done in switch configuration and appropriate VLANs with address and DHCP server configuration are added to the bridge. Everything is working fine despite of the following problem:

A device "A" at access port of switch 1 configured for VLAN 30 is not able to communicate with a device "B" behind a trunk port (VLAN 10/30) behind port of switch 2.
All packages get lost, ping between both devices are not working. When I move the device "A" to an access port of switch 2 (VLAN 30), the switch based VLAN configuration is working as expected with high speed.

So the problem seems to be that the bridge with disabled VLAN filtering is not able to transmit the VLAN packages from switch 1 to switch 2. Using torch I can see that some packages
are able to pass through the bridge (4% running ping for 5 Minutes). The current setup (both trunk and AP at same switch) helps me to get out, but I will need more ports and the second switch soon.

What is my bridge configuration missing? Or is this setup (Switch based VLAN configuration and bridging two switches with no VLAN filtering) not supported any more and I should switch to bridge based VLAN filtering without VLAN hardware offloading?
Do I have to use the new VLAN filtering of bridge and disable the switch based VLAN configuration?

See the second note here https://wiki.mikrotik.com/wiki/Manual:B ... witch_chip

I've not had chance to experiment with adding all the VLANs to both switch1cpu and switch2cpu (under Switch>VLAN) to see if the traffic would then, for example, take the path ether2 -> [switch1] -> switch1cpu -> bridge -> switch2cpu -> [switch2] -> ether8 - if this does work there would be CPU overhead as the traffic has to pass between the switch chips, but not as much as turning off hardware acceleration by using a VLAN-aware bridge.

Be warned that even with a VLAN-aware bridge (and no hardware offloading), leaving non-default settings in the Switch menu does weird things.

@andreasbehnke: can you post configuration of ethernet and bridge? (/interface ethernet export and /interface bridge export) ... I've got an idea, but I'd like to see your current setup to think it over ...

See the second note here https://wiki.mikrotik.com/wiki/Manual:B ... witch_chip

Thank you, this is the corrcet documentation... Either I have to use a cable to conect both switches (...) or have to not add all ports to one bridge. Think I have to figure out how to place the access ports and trunk ports to get max usage out of the two switches and to use multiple software bridges.

@andreasbehnke: can you post configuration of ethernet and bridge? (/interface ethernet export and /interface bridge export) ... I've got an idea, but I'd like to see your current setup to think it over ...

Hi mkx,

here is my current config:

If I use ether5 (kitchen sound, VLAN 30 AP) to access a server behind trunk ether6 (VLAN 10/30),
I get 96% package lost using ping.

If I use ether7 (Livingroom, VLAN 30 AP) I have no problem accessing server behind trunk.

/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=management
set [ find default-name=ether3 ] comment=virthost
set [ find default-name=ether5 ] comment="kitchen sound"
set [ find default-name=ether6 ] comment=Homeserver
set [ find default-name=ether7 ] comment=Livingroom
set [ find default-name=ether8 ] comment=bedroom
set [ find default-name=ether9 ] comment="livingroom access point"
set [ find default-name=ether10 ] comment="trunk office"
set [ find default-name=sfp1 ] disabled=yes
/interface ethernet switch port
set 2 default-vlan-id=5 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=30 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=30 vlan-header=always-strip vlan-mode=secure
set 5 vlan-header=add-if-missing vlan-mode=secure
set 6 default-vlan-id=30 vlan-header=always-strip vlan-mode=secure
set 7 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 8 default-vlan-id=10 vlan-mode=secure
set 9 vlan-header=add-if-missing vlan-mode=secure
set 10 vlan-mode=secure
set 11 vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=yes ports=ether10,ether9,ether8,ether6,switch2-cpu switch=switch2 vlan-id=10
add independent-learning=yes ports=ether10,ether9,switch2-cpu switch=switch2 vlan-id=50
add independent-learning=yes ports=ether5,ether4,switch1-cpu switch=switch1 vlan-id=30
add independent-learning=no ports=ether3,switch1-cpu switch=switch1 vlan-id=5
add independent-learning=no ports=ether10,switch2-cpu switch=switch2 vlan-id=5
add independent-learning=no ports=switch2-cpu,ether6,ether7 switch=switch2 vlan-id=30

/interface bridge
add admin-mac=64:D1:54:17:68:E1 auto-mac=no name=bridge-local
/interface bridge port
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether10
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=ether7
add bridge=bridge-local interface=ether8
add bridge=bridge-local interface=ether9
add bridge=bridge-local interface=ether5

Uh, sorry, my idea does not apply to your settings, there's nothing much I'd change. Only minor setting (and I'm not sure it'd make any difference): I'd set independent-learning to same value (my choice would be "no" although manual suggests "yes" to be wiser choice) on all vlans ...
Potentially there's a conflict: port ether6 is a member of VLAN 10, where IVL is enabled, and member of VLAN 30, where IVL is disabled. VLAN 30 ports from switch1 have IVL enabled ...