bmann
newbie
Topic Author
Posts: 29
Joined: Sat Jan 05, 2013 2:10 pm

Why bridge VLAN filtering?

Wed Sep 20, 2023 4:09 pm

Hi all,

I was reading some docs and the forum, but it is still not clear to me when there is a benefit of VLAN filtering.
So mainly let's refer to the manual below:
https://help.mikrotik.com/docs/display/ ... n+Wireless

There is noted:
"VLAN filtering is not required in this setup, but is highly recommended due to security reasons. Without VLAN filtering it is possible to forward unknown VLAN IDs in certain scenarios. Disabling VLAN filtering does have performance benefits."

I could guess that R3 and R4 could send different VLAN tags over a WiFi connection, but I'm not sure about it.

But is there a reason for VLAN filtering when used locally on a MikroTik?

Maybe let's give an example:
- 5 Ethernet ports in bridge to switch untagged traffic, port1 for tagged traffic
- 1 WiFi untagged and in the same network with switch
- 2 WiFis use VLAN with 'use tag' option
- 1 VLAN for management interface
- all VLANs come on port 1 only

- VLAN filtering is set on switch chip itself (allows VLANs on port1 + cpu)
- bridge configured with all Ethernet ports and all 3 wireless networks
- 1 VLAN interface for management
- 2 VLANs for wifi

So Ethernet ports are filtered and I expect the WiFi puts the packets with tags or without them to the bridge itself.
Is there any problem with this setup?
 
mkx
Forum Guru
Posts: 12980
Joined: Thu Mar 03, 2016 10:23 pm

Re: Why bridge VLAN filtering?

Wed Sep 20, 2023 6:10 pm

ROS since 6.41 has this VLAN-aware bridge. All devices that have a switch chip built in and were released since then offload bridge VLAN operations to the switch chip (L2 HW offload), and those don't even have related switch chip settings available. The same can be done entirely in software, which greatly simplifies setup on switch-chip-less devices (e.g. most CCR1xx and early CCR2xx models). And it can be used on devices with switch chips if desired (e.g. because the switch chip used is not supported for L2 HW offload).
So the bridge with VLAN filtering is mainstream now. The guide you linked is a generic one and doesn't go beyond mainstream. As soon as you leave the beaten track (e.g. by using switch chip configuration subtree), you have to glue together your "out of ordinary" config with the rest (more main-stream) parts.

The note you quoted is more about proper separation of different traffic classes in this very particular example where there is not much of a chance for improperly tagged frames to enter the device. And it does not relate nor refer to the preceding note about switch chips.
 
bmann
newbie
Topic Author
Posts: 29
Joined: Sat Jan 05, 2013 2:10 pm

Re: Why bridge VLAN filtering?

Wed Sep 20, 2023 7:18 pm

Yes, the configuration has changed from some version. Now which ports are in the switch is configured under a bridge.
Anyway, you can still configure things under the Switch section and configure the switch directly.

So as I understand it:
Switch - configure pure switch chip on L2 and all is in HW
Bridge - new way to configure ports in the switch

Both above can be combined.
But when VLAN filtering is enabled in Bridge then HW offload is lost. I can filter VLANs in Switch and not lose HW offload.

If you want to filter VLAN interfaces then only in bridge, but you lose HW offload.

So the question is if there is any benefit in my setup.
Just want to understand how it is internally with injected VLANs from wireless and bridge.

I am talking about RB2011 and the latest v6. I know that with other HW or switches it can be different.
 
mkx
Forum Guru
Posts: 12980
Joined: Thu Mar 03, 2016 10:23 pm

Re: Why bridge VLAN filtering?

Wed Sep 20, 2023 8:30 pm

You really should have started your opening post with the last line of your last post before this one. Yes, RB2011 is one of those almost-EOL devices which didn't (and likely won't) get L2 HW offload. So yes, if you want to get wirespeed switching performance, you better go with switch chip config and use the bridge as a dumb switch (no VLAN config on it). This way the bridge will pass VLAN-tagged frames simply according to FDB and won't care about values of VLAN IDs. It will be up to switch chips to care about those on the wired side and up to the wireless driver to care about them on the wireless side.
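
The difference described above between a bridge used as a dumb switch and a VLAN-filtering bridge, as an added example that is not part of the thread and not RouterOS code: a toy Python model of the forwarding decision. Port names, VLAN IDs and MAC strings are constructed, and the model assumes ingress filtering is enforced on every port when VLAN filtering is on.

```python
from dataclasses import dataclass, field


@dataclass
class Bridge:
    vlan_filtering: bool
    pvid: dict        # port -> VLAN ID assigned to untagged ingress frames
    vlan_table: dict  # VLAN ID -> set of member ports (bridge VLAN table)
    fdb: dict = field(default_factory=dict)  # (scope, mac) -> learned port

    def forward(self, in_port, src, dst, vid=None):
        """Return the egress ports for one frame; vid=None means untagged."""
        if self.vlan_filtering:
            vid = self.pvid[in_port] if vid is None else vid
            members = self.vlan_table.get(vid, set())
            # Assumed ingress filtering: unknown VID or non-member port -> drop.
            if in_port not in members:
                return set()
            scope, candidates = vid, members
        else:
            # Dumb switch: the VLAN ID is ignored, only the FDB matters.
            scope, candidates = None, set(self.pvid)
        self.fdb[(scope, src)] = in_port          # learn the source MAC
        known = self.fdb.get((scope, dst))
        egress = {known} if known is not None else set(candidates)
        return egress - {in_port}                 # never send back out the ingress


def demo():
    # Constructed layout: ether1 is the trunk, wlan2/wlan3 carry VLAN 10/20.
    ports = {p: 1 for p in ("ether1", "ether2", "wlan1", "wlan2", "wlan3")}
    table = {1: {"ether2", "wlan1"}, 10: {"ether1", "wlan2"}, 20: {"ether1", "wlan3"}}
    dumb = Bridge(False, ports, table)
    filt = Bridge(True, ports, table)
    stray = ("wlan2", "aa:aa", "ff:ff", 666)      # frame tagged with an unknown VID
    return (dumb.forward(*stray),
            filt.forward(*stray),
            filt.forward("wlan2", "aa:aa", "ff:ff", 10))


if __name__ == "__main__":
    print(demo())
```

Without filtering, the frame tagged with the unknown VLAN ID is flooded to every other bridge port, so only the switch chip and wireless driver settings stand between it and the rest of the network.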
 
bmann
newbie
Topic Author
Posts: 29
Joined: Sat Jan 05, 2013 2:10 pm

Re: Why bridge VLAN filtering?

Thu Sep 21, 2023 5:01 pm

OK, thanks.

Found this in the manual:
"Currently, CRS3xx, CRS5xx series switches, CCR2116, CCR2216 routers and RTL8367, 88E6393X, 88E6191X, 88E6190, MT7621 and MT7531 switch chips (since RouterOS v7) are capable of using bridge VLAN filtering and hardware offloading at the same time, other devices will not be able to use the benefits of a built-in switch chip when bridge VLAN filtering is enabled. Other devices should be configured according to the method described in the Basic VLAN switching guide. If an improper configuration method is used, your device can cause throughput issues in your network."

So it seems that in ROS7.x the bridge is used to configure the switch chip too. I do not know if the switch feature is gone in v7 on those platforms, but it could be logical as an evolution.
 
mkx
Forum Guru
Posts: 12980
Joined: Thu Mar 03, 2016 10:23 pm

Re: Why bridge VLAN filtering?

Thu Sep 21, 2023 6:19 pm

AFAIK devices with L2HW support for anything non-trivial (e.g. VLANs) never had switch chip menus. Either they were released after 6.41 and received HW offload from the launch time or they didn't support VLANs in hardware (e.g. hEX with MT7621A and RB4011 with RTL8367) until HW offload was available (both mentioned switch chips got support in various RCs of v7.1). And those which traditionally had switch chip menus to configure things never got L2 HW offload (like AR/QCA 8x27 families of switch chips, used in many models of SoHo switches and routers; sadly this includes pretty recent IPQ601x SoCs used in many ac wireless devices). As I mentioned, one can configure VLANs using bridge vlan-filtering and it works fine ... only the performance relies on CPU "horsepower".
 
bmann
newbie
Topic Author
Posts: 29
Joined: Sat Jan 05, 2013 2:10 pm

Re: Why bridge VLAN filtering?

Thu Sep 21, 2023 8:15 pm

Thx for the info. I will stick with what I have now and will see how it is with ROS7 when I get to some newer model.
 
DarkNate
Forum Guru
Posts: 1065
Joined: Fri Jun 26, 2020 4:37 pm

Re: Why bridge VLAN filtering?

Fri Sep 22, 2023 8:29 am

 
anav
Forum Guru
Posts: 21904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Why bridge VLAN filtering?

Fri Sep 22, 2023 4:00 pm

bmann, I could ask a question too.
Why do OPs do such a poor job of asking questions or describing their convoluted setups or scenarios??

In other words, provide a diagram with what you stated, to ensure whatever it is you tried to communicate is
an actual reproducible visual plan. Then constructive comments can be made in terms of the veracity of any config design.
