MikroTik

Posted: **Sat Jun 22, 2019 8:37 pm**

I'm using hap ac2 with its switch configured as follows:

VLANs are configured in switch;
all external Ethernet ports are access (untagged) ports with corresponding VLANs;
CPU port is a trunk (tagged) port;
all external Ethernet ports are added to master bridge in router;
corresponding VLANs on master bridge are added to interfaces for router to access these VLANs.

This way I'm separating switch part from router part of device in an easy to understand way, and always get switching at wire speed.
This type of config worked well on all my MT devices prior to beta62.

Upgrading from 6.45beta54 to beta62 breaks this setup:

VLANs are no longer working (I've noticed the problem because my PC got an IP address from external DHCP, which surprised me a lot as they are in different VLANs);
no learned MAC addresses in switch config;
hardware offload disappears on all ports added to master bridge in router.

Obviously I've lost access to the device via Ethernet and had to connect with WiFi to see this and roll back.

Rolling back to beta54 resolved the issue.
Will submit it to support (and list corresponding part of my config) when I'll get back to the device next Monday.

Update: Apparently the same issue here viewtopic.php?f=21&t=146087&p=736260#p735454.

Posted: **Wed Jun 26, 2019 10:09 am**

It took a bit longer, still here it is.

Relevant portion of config:

# model = RBD52G-5HacD2HnD
/interface ethernet
set [ find default-name=ether1 ] name=ether1-company
set [ find default-name=ether2 ] name=ether2-extra
set [ find default-name=ether3 ] name=ether3-laptop
set [ find default-name=ether4 ] name=ether4-nas
/interface ethernet switch port
set 0 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 5 vlan-header=add-if-missing vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,ether1-company,ether2-extra \
    switch=switch1 vlan-id=10
add independent-learning=yes ports=\
    switch1-cpu,ether2-extra,ether3-laptop,ether4-nas,ether5 switch=switch1 \
    vlan-id=20
/interface bridge
add name=bridge-master protocol-mode=none
add name=bridge-private protocol-mode=none
/interface bridge port
add bridge=bridge-master interface=ether1-company
add bridge=bridge-master interface=ether2-extra
add bridge=bridge-master interface=ether3-laptop
add bridge=bridge-master interface=ether4-nas
add bridge=bridge-master interface=ether5
add bridge=bridge-private interface=vlan-private
add bridge=bridge-private interface=wlan-5G
/interface vlan
add interface=bridge-master name=vlan-company vlan-id=10
add arp=proxy-arp interface=bridge-master name=vlan-private vlan-id=20

And screenshots, beta54:

MT 6.45b54 Ports.png

MT 6.45b54 MAC Lists.png

After upgrading to beta62:

MT 6.45b62 Ports.png

MT 6.45b62 MAC Lists.png

HW offload is gone on all ports, no MAC adresses learned in switch. In-switch VLANs are not working.

Posted: **Wed Jun 26, 2019 11:40 am**

Hi,
I'm using multiple hAP ac², two of them at home. Keep in mind, that only the first bridge is using hw offloading. You configured two bridges (bridge-master, bridge-private).

/interface bridge add name=bridge-main
/interface bridge port add bridge=bridge-main interface=ether1
/interface bridge port add bridge=bridge-main interface=ether2
/interface bridge port add bridge=bridge-main interface=ether3
/interface bridge port add bridge=bridge-main interface=ether4
/interface bridge port add bridge=bridge-main interface=ether5
/interface bridge port add bridge=bridge-main interface=wlan1
/interface bridge port add bridge=bridge-main interface=wlan2
/interface bridge port add bridge=bridge-main interface=wlan_virtual-interface

/interface ethernet switch port set 0 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 1 default-vlan-id=11 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 2 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 3 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 4 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch port set 5 vlan-mode=secure

/interface ethernet switch vlan add independent-learning=no ports=switch1-cpu,ether1,ether3,ether4,ether5 switch=switch1 vlan-id=10
/interface ethernet switch vlan add independent-learning=no ports=switch1-cpu,ether2 switch=switch1 vlan-id=11

/interface vlan add interface=bridge-main name=VLAN_10 vlan-id=10
/ip address add address=10.0.0.1/24 interface=VLAN_10 network=10.0.0.0

/interface wireless set [ find default-name=wlan1 ] vlan-id=10 vlan-mode=use-tag
/interface wireless set [ find default-name=wlan2 ] vlan-id=10 vlan-mode=use-tag
/interface wireless add master-interface=wlan1 vlan-id=11 vlan-mode=use-tag

In the example above you can see, that I'm using VLANs but only one bridge. This should normally be better way, because you would use as much as possible of the hardware capabilities.

Best regards
Tobias

Posted: **Wed Jun 26, 2019 1:55 pm**

Tobias, if your config work on beta64?

No hw offload on the second bridge is not a problem because it won't have any meaningful hw offload as it includes only wireless interfaces and VLAN on master bridge - it goes through CPU anyway. Moreover, you'll need this separate bridge if you want to connect your PPP-style clients or EoIP interfaces to private network - you couldn't specify VLANs for these interfaces.

However your config looks interesting - I haven't thought about such way (that looks a bit implicit to me) of bridging wireless interfaces to switch VLANs, and preferred an explicit bridging (but I also have both SSTP and EoIP links that I need to bridge to private network, so I must use a separate bridge anyway).
Is it works OK? I mean wlan1 and wlan2 are bridged with Ethernet ports on VLAN 10, and virtual wlan is bridged with Ethernet port on VLAN 11?

Posted: **Wed Jun 26, 2019 3:41 pm**

Hi,

Tobias, if your config work on beta64?

I've installed on one my of hAP ac² 6.45beta62 and see exactly same behavior like you.

[root@ap-6.45beta62] > /interface ethernet switch host print
Flags: D - dynamic, I - invalid
 #   SWITCH                                                         MAC-ADDRESS       PORTS                                                        TIMEOUT DROP MIRROR VLAN-ID

No hw offload on the second bridge is not a problem because it won't have any meaningful hw offload as it includes only wireless interfaces and VLAN on master bridge - it goes through CPU anyway. Moreover, you'll need this separate bridge if you want to connect your PPP-style clients or EoIP interfaces to private network - you couldn't specify VLANs for these interfaces.

You're right. If you use additional "virtual" interfaces such as PPP or EoIP, you need additional bridges. Even there is PVID, but I think the PVID is only considered if the bridge is in VLAN filtering mode.

However your config looks interesting - I haven't thought about such way (that looks a bit implicit to me) of bridging wireless interfaces to switch VLANs, and preferred an explicit bridging (but I also have both SSTP and EoIP links that I need to bridge to private network, so I must use a separate bridge anyway).
Is it works OK? I mean wlan1 and wlan2 are bridged with Ethernet ports on VLAN 10, and virtual wlan is bridged with Ethernet port on VLAN 11?

Yes exactly, I also tested if the traffic is really isolated, but so far no issues with this kind of configuration. From my point of view, this was the simplest and most direct type of configuration.

Best regards
Tobias

Posted: **Wed Jun 26, 2019 3:48 pm**

Is it works OK? I mean wlan1 and wlan2 are bridged with Ethernet ports on VLAN 10, and virtual wlan is bridged with Ethernet port on VLAN 11?

Setting "vlan-mode=use-tag vlan-id=10" on wlan interface makes it access port of that VLAN ... more or less exactly the same as "default-vlan-id=10 vlan-header=always-strip" set on ether port.

When bridge doesn't have "vlan-filtering=yes", it behaves as a dumb switch and forwards packets between its member ports without regard to VLAN tags ... which is OK if member ports can deal with VLAN tags (ether ports can do it if switch chip supports that, wlan interfaces can do it, other interfaces can't).

Posted: **Wed Jun 26, 2019 3:53 pm**

Hi,

@mkx good summary, thanks!

Best regards
Tobias

Posted: **Thu Jun 27, 2019 9:49 am**

Yes exactly, I also tested if the traffic is really isolated, but so far no issues with this kind of configuration. From my point of view, this was the simplest and most direct type of configuration.

Looks like I was missing a critical part of knowledge to implement it this way. And it's actually simpler than my config as there's only one bridge.
It still feels somehow implicit, but VLANs configured in switch are working in the same implicit way - just VLAN-aware ports of non-VLAN-aware bridge.

@mkx, thanks for bringing this to light. While the same is clearly stated in docs, I somehow overlooked VLAN part of wireless interface description.

Posted: **Mon Jul 01, 2019 11:04 pm**

Fixed in 6.45.1 stable.

MikroTik

Switch issues in 6.45beta62 (but not in beta54)

Switch issues in 6.45beta62 (but not in beta54)

Re: Switch issues in 6.45beta62 (but not in beta54)

Re: Switch issues in 6.45beta62 (but not in beta54)

Re: Switch issues in 6.45beta62 (but not in beta54)

Re: Switch issues in 6.45beta62 (but not in beta54)

Re: Switch issues in 6.45beta62 (but not in beta54)

Re: Switch issues in 6.45beta62 (but not in beta54)

Re: Switch issues in 6.45beta62 (but not in beta54)

Re: Switch issues in 6.45beta62 (but not in beta54) [SOLVED]