i have just received my Hex POE device

I have been trying to play around to be able to play around with various combinations and be well versed with configurations before i put it into my production home network.

i am trying to get afew configurations to work but always got myself locked out, having to factory reset

my final goal is to let the hex handle intervlan traffic, gateway to internet and use one of the eth port for non-vlan "backdoor" in case i get locked out from the vlans.

can someone explain to me where i should be setting all these up.

i have been configuring cisco switches and for fortigate gateways for some time hence i am abit lost when i configured the same way and get locked out.

I have followed many of the wiki examples and i am always hitting a dead end when i flip the clan mode in switch-cpu to secure.

can someone enlighten me please.

Which option locks you out? The device is configured so, that only LAN ports (2-5) are for management. The first port is protected.
Unless you configured some more things.

The configuration is completely different to any other vendor, it is a pity Mikrotik have not integrated hardware acceleration (i.e. switching) into the VLAN-aware bridge handling as they have with the CRS3xx devices.

https://wiki.mikrotik.com/wiki/Manual:S ... d_Ports.29 and https://wiki.mikrotik.com/wiki/Manual:Switch_Router should cover what you require.

Be aware the the underlying hardware has a single connection between the switch chip and CPU, the traffic to the ether1-5 ports are multiplexed over the switch1-cpu port (not visible as an interface, only appears in the switch menus) using port-based VLANs, so setting switch1-cpu vlan-mode=secure can break things in unexpected ways if not all the ports are configured as switched VLANs.

As you control everything attached to the switch1-cpu port leaving vlan-mode=disabled on this would be fine.

Which option locks you out? The device is configured so, that only LAN ports (2-5) are for management. The first port is protected.
Unless you configured some more things.

I have followed wiki guides like:
https://wiki.mikrotik.com/wiki/Manual:Switch_Router
https://wiki.mikrotik.com/wiki/Manual:B ... _switching

once i enable vlan mode=secure on the switch-cpu, i am not able to get any ip from the vlan nor from the previous subnet.
there was once i tried and i got the IP from the vlan interface but i was not able to reach the router anymore. (i have declared a vlan interface IP under IP -> Addresses).

In summary, once i enable vlan mode = secure, i lose access to the router management page via web or winbox.

The configuration is completely different to any other vendor, it is a pity Mikrotik have not integrated hardware acceleration (i.e. switching) into the VLAN-aware bridge handling as they have with the CRS3xx devices.

https://wiki.mikrotik.com/wiki/Manual:S ... d_Ports.29 and https://wiki.mikrotik.com/wiki/Manual:Switch_Router should cover what you require.

Be aware the the underlying hardware has a single connection between the switch chip and CPU, the traffic to the ether1-5 ports are multiplexed over the switch1-cpu port (not visible as an interface, only appears in the switch menus) using port-based VLANs, so setting switch1-cpu vlan-mode=secure can break things in unexpected ways if not all the ports are configured as switched VLANs.

As you control everything attached to the switch1-cpu port leaving vlan-mode=disabled on this would be fine.

I have engaged with hands-on on both the examples you provided but once i enable the vlan mode=secure on switch cpu, i get cut off from the router. i cannot even ping the gateway.

From what i have understood from you statements, can i say that switch1-cpu is the connection from switch chip and cpu. flipping the settings to vlan-mode=secure causes all traffic between the switch and the cpu to be "vlan-aware".
If i were to leave it as disabled, what will happen to my vlan traffic?

On the other hand, since i have followed the example, turning switch1-cpu to secure should be the way to enable vlan switching/routing, or am i missing something.

From what i have understood from you statements, can i say that switch1-cpu is the connection from switch chip and cpu

Yes.

flipping the settings to vlan-mode=secure causes all traffic between the switch and the cpu to be "vlan-aware".

By default the switch ports pass all traffic, including tagged VLANs - much like a simple unmanaged switch. Setting vlan-mode=secure only permits the specific VLANs on ports specified in /interface ethernet switch vlan.

If i were to leave it as disabled, what will happen to my vlan traffic?

If left disabled on the switch1-cpu port any VLAN ID would be accepted coming from the CPU.

On the other hand, since i have followed the example, turning switch1-cpu to secure should be the way to enable vlan switching/routing, or am i missing something.

If not using all the ports for switching, as in the example, there can be other interactions as I have mentioned. Even using all ports for switching management access changes as discussed in https://wiki.mikrotik.com/wiki/Manual:S ... figuration

thanks for the response, tdw. I think i am starting to get confused with when to use bridge and switch in the config.

Initially i bought this device because it has the switch chip as the switch chip provides the hardware offloading to get close to wire speed across vlans.
I will be using this mainly for intervlan routing (1 trunk port), internet gateway (eth1) and one for physical IP assignment to access in case of misconfiguration.

Can help me with how to set this up?

Looking at the hex poe
https://i.mt.lv/cdn/product_files/RB960PGS_161241.png

vice the plain hex or hex S
https://i.mt.lv/cdn/product_files/RB750 ... 161117.png
https://i.mt.lv/cdn/product_files/RB750 ... 190642.png

I'd say you got the wrong device?

thanks for the response, tdw. I think i am starting to get confused with when to use bridge and switch in the config.

Initially i bought this device because it has the switch chip as the switch chip provides the hardware offloading to get close to wire speed across vlans.
I will be using this mainly for intervlan routing (1 trunk port), internet gateway (eth1) and one for physical IP assignment to access in case of misconfiguration.

The hardware offloading is switching (layer 2), not routing (layer 3). You can do wire-speed switching on the same VLAN between ports, but routing between different VLANs and the internet will always be handled by the CPU.

Looking at the hex poe
https://i.mt.lv/cdn/product_files/RB960PGS_161241.png

vice the plain hex or hex S
https://i.mt.lv/cdn/product_files/RB750 ... 161117.png
https://i.mt.lv/cdn/product_files/RB750 ... 190642.png

I'd say you got the wrong device?

The MT7621 in the hex does not have the vlan table hence i opted for hex poe

thanks for the response, tdw. I think i am starting to get confused with when to use bridge and switch in the config.

Initially i bought this device because it has the switch chip as the switch chip provides the hardware offloading to get close to wire speed across vlans.
I will be using this mainly for intervlan routing (1 trunk port), internet gateway (eth1) and one for physical IP assignment to access in case of misconfiguration.

The hardware offloading is switching (layer 2), not routing (layer 3). You can do wire-speed switching on the same VLAN between ports, but routing between different VLANs and the internet will always be handled by the CPU.

ok, i get what you mean about the layer 2 and 3 performance - Eg. eth2 to eth3 configured as same vlan and performance will be hardware offloaded.

in my scenario, should i be focusing on the switch settings or the bridge as both has vlan options in them.

in my scenario, should i be focusing on the switch settings or the bridge as both has vlan options in them.

It depends on your requirements:
If wire-speed switching within the same VLAN is not of particular importance then a VLAN-aware bridge (/interface bridge add name=... vlan-filtering=yes) is by far the simplest method, with configuration in /interface bridge port and /interface bridge vlan.
If it is then a non-VLAN-aware bridge (/interface bridge add name=... vlan-filtering=no) with switch configuration in /interface ethernet switch port and /interface ethernet switch vlan.
In both cases the CPU itself gains access to tagged VLANs by defining VLAN interfaces in /interface vlan.

When changing from the default configuration to a VLAN setup it is quite easy to cut yourself off as you have found. Using MAC rather than IP connections from Winbox can make it easier to reconnect part-way through the configuring process.

in my scenario, should i be focusing on the switch settings or the bridge as both has vlan options in them.

It depends on your requirements:
If wire-speed switching within the same VLAN is not of particular importance then a VLAN-aware bridge (/interface bridge add name=... vlan-filtering=yes) is by far the simplest method, with configuration in /interface bridge port and /interface bridge vlan.
If it is then a non-VLAN-aware bridge (/interface bridge add name=... vlan-filtering=no) with switch configuration in /interface ethernet switch port and /interface ethernet switch vlan.
In both cases the CPU itself gains access to tagged VLANs by defining VLAN interfaces in /interface vlan.

When changing from the default configuration to a VLAN setup it is quite easy to cut yourself off as you have found. Using MAC rather than IP connections from Winbox can make it easier to reconnect part-way through the configuring process.

I think i will try one use case for now which is intervlan routing (1 trunk port), internet gateway (eth1) and one for physical IP assignment to access in case of misconfiguration.

and for this set up, i will set up using bridge vlan with vlan filtering turned on?

Hi guys, i have ran through more examples and got it to work.
I would like to check if this will achieve best performance for same subnet file transfer, intervlan routing and LAN->WAN (WAN->LAN) routing.

The setup you posted above does not facilitate any switch-chip offload whatsoever. Same-subnet traffic won't pass router because only single interface is member of single subnet.

So I'll echo suggestion by @tdw: go with vlan-aware bridge setup, the performance will be just the same as it would be with switch-chip setup ... only far easier to configure.

Further more: your current setup does not use VLAN IDs externally to the router itself (ether2 is untagged member of VLAN11 and ether3 is untagged member of VLAN12) and in this case you could even go with all-interfaces-routed approach (none of ether interfaces are bridged and IP config for subnets go directly to appropriate ether interfaces).

The setup you posted above does not facilitate any switch-chip offload whatsoever. Same-subnet traffic won't pass router because only single interface is member of single subnet.

So I'll echo suggestion by @tdw: go with vlan-aware bridge setup, the performance will be just the same as it would be with switch-chip setup ... only far easier to configure.

Further more: your current setup does not use VLAN IDs externally to the router itself (ether2 is untagged member of VLAN11 and ether3 is untagged member of VLAN12) and in this case you could even go with all-interfaces-routed approach (none of ether interfaces are bridged and IP config for subnets go directly to appropriate ether interfaces).

This is just a test as i couldnt even get DHCP from all my previous attempts.
This is the first attempt that went through.
I used vlans in this set up to make sure i knew how to get vlan working before i move on.

My next test would be to add a trunk port at eth4 to a vlan aware switch. and the mikrotik will be the gateway to the vlans and routing all traffic.
Do i still benefit from vlan aware bridge for this set up?

Can you guide me to give me a kick start to the vlan-aware bridge?
I failed at my last attempt when @tdw shared his view on that

In a "router-on-a-stick" scenario, none of traffic can be HW offloaded on most Mikrotik devices. And on devices (currently CRS317 only) where it can be (or rather: will be under ROSv7), it's the vlan-bridge way of doing it as well.

First things first: there's safe mode available in all UIs (including CLI ... press ctrl-X to toggle it ON/OFF). When enabled and one looses management connection, ROS will revert all the changes done since enabling it ... So when you're about to change something which might lock you out, enable safe mode, perform the change ... and if management connection survives, exit safe mode (making the change permanent). Note that logging out while in safe mode counts as loosing management connection as well, so you have to manually exit safe mode before logging out to keep the changes.

Example of configuration for your test scenario (ether2 access port for VLAN11 and ether3 access port for VLAN12) extended to include ether4 as tunk port:

There's an excellent tutorial on configuring VLANs on bridge with several use cases explained.

One thing one really has to be careful is not to lock self out of management. One thing is management over IP (webfig, CLI, "normal" winbox) which works over IP and firewall settings may need to be adjusted. Winbox over plain ethernet (select MAC address to connect instead of IP address) is another thing (it's configured under /tool mac-server). By default both access types are configured by properly configuring interface lists in /interface list and management VLAN interfaces have to be added to LAN interface list:
Which is true for WAN as well ... if WAN interface is anything but default ether1 (e.g. if WAN comes in via VLAN, then appropriate VLAN interface has to be added to WAN interface list).

Hi mkx,

I have tried you config but i am not getting an IP from DHCP and blow is my config.

EDIT: ok, i found my mistake. I forgot to add bridge as tagged traffic. i follow the examples using CLI and i configure using the GUI

Ok now to summarise my learning points, correct me if i am still wrong please.

==Understanding 1===
so can i summarise that HW-offloading is off when using bridged vlan.
HW off-loading is of no importance when i am using the RB as a router (sub-interface routing or intervlan routing)

so in the case of purely being a intervlan router and gateway to internet, switch chip or HW offloading does not come into play.

==Understanding 2==
Lets say i want to fully utilise the ports on the RB (like my initial working config: vlan11, vlan12 and trunks with more vlans including vlan 11,12)
Should i be using the switch config as i have set up above or i should carry on with the full bridged method.

OR

As long vlan routing comes into play at the RB, HW offloading is disabled. Hence no matter bridged or switched vlan is used, it doesnt matter anymore.
Bridged is recommended due to ease of config.

Ok now to summarise my learning points, correct me if i am still wrong please.

==Understanding 1===
so can i summarise that HW-offloading is off when using bridged vlan.
HW off-loading is of no importance when i am using the RB as a router (sub-interface routing or intervlan routing)

so in the case of purely being a intervlan router and gateway to internet, switch chip or HW offloading does not come into play.

==Understanding 2==
Lets say i want to fully utilise the ports on the RB (like my initial working config: vlan11, vlan12 and trunks with more vlans including vlan 11,12)
Should i be using the switch config as i have set up above or i should carry on with the full bridged method.


OR

As long vlan routing comes into play at the RB, HW offloading is disabled. Hence no matter bridged or switched vlan is used, it doesnt matter anymore.
Bridged is recommended due to ease of config.

IHMO I always think that using or not Hw Offloading is always better approaches


Here is a similar setup on my Hap ac lite using switch menu
Just the switch menu part,

/interface ethernet switch port
set 0 default-vlan-id=0 vlan-header=add-if-missing vlan-mode=secure [eth1-Trunk]
set 1 default-vlan-id=0 vlan-header=add-if-missing vlan-mode=secure [eth2-Trunk]
set 2 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure [eth3-Access]
set 3 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure [eth4-Access]
set 4 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled [Not in use]
set 5 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=secure
/interface ethernet switch vlan
add disabled=no ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=99
add disabled=no ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=7
add disabled=no ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=6
add disabled=no ports=ether1,ether3,ether4,switch1-cpu switch=switch1 vlan-id=2

so Eth1-2 are trunk with vlan 2[ excluded form eth2],6,7,99 and Eth3-4 are access for vlan2

anyone has more thoughts on my summary above?

I have been monitoring the device and its heat output while the device is on my desk (the final location is my network closet which is enclosed with no ventilation).
i find that it runs alot warmer when i run my set up in this manner: Mikrotik -> vlan aware switch -> laptop compared to mikrotik -> laptop with same config.
Both Mikrotik and vlan aware switch were both warmer than i have expected.

EDIT:
I did some more tests with regards to the heat.
changed my config back to switch chip vlan rather than bridged vlan.
external vlan aware switch is no longer warm even with some traffic load to the laptop.

RB is still reasonably warm, even with poe disabled on interface.
i removed the SPF for WAN, reverted to Eth1 for WAN.
RB is cooler now.

So i guess both bridged vlan and SPF module contributed to the heat.

I initially bought the SPF module because i saw that SPF has a dedicated 1gbps link direct to the CPU, not shared with the 1gbps used by the switch chip.

I have the router and switch untouched over the night with just the WAN link on and no devices connected.

Somehow it got warm again. I guess i cant run away form the heat any more.

I will just familiarise myself with a few more examples like port forwarding and VPN and i will start using it officially.

It seems that for most RB devices there's not much difference in CPU power consumption between idle and fairly loaded cases (usually less than 10%). So bridge VS switch chip won't generally differ in power consumption (and heat generation) by much.

OTOH RJ SFP modules tend to consume quite some power (a few Watts which is relatively a lot compared to 10-20 Watts for the rest of device), much more than built-in ethernet interface when active.

At the end of the day, you'll have to monitor temperature inside that comms closet a while. RB devices are mostly certified for use in environment with temperature up to say 40°C ... so if temperature inside cabinet doesn't rise above the limit, it should be fine.