Guest VLAN with Router + AP using new Bridge VLAN Filtering - Sample config

I have a working example for your critique showing a LAN with guest Wifi access. The Wifi AP allows standard Wifi and VLAN Wifi guests to access the internet, but not each other. It works the way I like, but I wanted to get your thoughts about the correctness of this.

Notes:

• The RB4011’s ether10 is PoE powering the hAP AC via it’s ether1.
• The RB4011 is acting like a router/switch combo. So, it has an IP of 192.168.0.1 on it’s Bridge-LAN and other standard settings (DHCP for LAN, etc.)
• The hAP AC is only a AP for corporate and guest Wifi access.

Questions:

• The RB4011 router does not have hardware switching when enabling Bridge VLAN Filtering! Is there still a way to hardware switch ports 2-9 via a special setting? Use Two bridges?
• The hAP AC is not using Bridge VLAN Filtering, only vlan-mode, yet it correctly sends untagged and VLAN ID 20 packets into the router. Is this correct or should I turn on Bridge VLAN Filtering on the AP and make ether1 a Hybrid port (which it naturally is somehow right now).

The Configuration (brevity, showing important facts only):

# RouterOS 6.43
# Router with Guest AP VLAN example
# https://forum.mikrotik.com/viewtopic.php?t=141279
# https://forum.mikrotik.com/viewtopic.php?t=143524
# https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN
# https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering
# https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table

#
# Configure the Router hardware
#

# Create one bridge to manage all VLANs and ports.
/interface bridge
add name=bridge_LAN protocol-mode=none vlan-filtering=no

# Setup ingress. Configure ether10 as a Trunk port (pvid set to default of 1) which will allow
# untagged LAN as well as tagged traffic coming from an AP. A reminder about pvid: traffic
# without a VLAN tag will be tagged with the pvid value at ingress. At egress, traffic
# matching pvid will get untagged. A pvid value other than 1 defaults to an Access port.
/interface bridge port
add bridge=bridge_LAN interface=ether2
# add for ether3, ether4, etc.
add bridge=bridge_LAN interface=ether10 pvid=1

# Setup egress. Configure ether10 as a Trunk port (tagged with a "vlan-ids" set). Port
# will send back packets with the same vlan tag they came in on. Setting "untagged"
# would remove the vlan tag if pvid matched.
/interface bridge vlan
add bridge=bridge_LAN tagged=bridge_LAN,ether10 vlan-ids=20

# Create a VLAN interface to interact with the VLAN ID (Layer 3)
/interface vlan add interface=bridge_LAN name=vLAN20 vlan-id=20

# Assign IP Address to VLAN interface
/ip address add interface=vLAN20 address=10.0.0.1/24

# Setup DHCP on VLAN interface
/ip pool add name=pool_vLAN20 ranges=10.0.0.2-10.0.0.254
/ip dhcp-server add address-pool=pool_vLAN20 interface=vLAN20 name=dhcp_vLAN20 disabled=no
/ip dhcp-server network add address=10.0.0.0/24 dns-server=9.9.9.9 domain=guest.lan gateway=10.0.0.1

# Allow VLAN Internet access
/ip firewall filter
add chain=forward action=accept connection-state=new in-interface=vLAN20 out-interface=ether1 comment="Allow VLAN"

# Enable VLAN
/interface bridge set bridge_LAN vlan-filtering=yes


#
# Configure the WiFi AP hardware
#

# Create a bridge to manage all ports.
/interface bridge
add name=bridge_LAN protocol-mode=none vlan-filtering=no

# add necessary ports to bridge
/interface bridge port
add bridge=bridge_LAN interface=ether1
add bridge=bridge_LAN interface=ether2
add bridge=bridge_LAN interface=ether3
add bridge=bridge_LAN interface=ether4
add bridge=bridge_LAN interface=ether5
add bridge=bridge_LAN interface=wlan2
add bridge=bridge_LAN interface=wlan1

# Assign IP Address to the bridge
/ip address add interface=bridge_LAN address=192.168.0.10/24
/ip route add distance=1 gateway=192.168.0.1

# Turn on VLAN mode on the desired wlan interface
/interface wireless
set [ find default-name=wlan1 ] ssid=Public vlan-id=20 vlan-mode=use-tag
set [ find default-name=wlan2 ] ssid=Private

Sure, I can have a look.
/interface bridge ports,
By default all the ethernet interfaces will have a default pvid of 1, no need to show it all, or for one entry only ???
(okay I see why you may have thought it helpful due to using eth10 for vlan 10 but not really necessary)

/interface bridge port + /interface vlan
One can infer you will have one VLAN that will be flowing in/out of ether10 on your router device.
/dhcp setup seems fine, I have no clue as to why you are using 9.9.9.9 for DNS or domain=guest ???

/IP Firewall,
There are many ways to do this and the one shown is as good as any. I assume ether1 is your ISP.
(I use in-interface=VLANNAME out-interface-list=WAN (as I have two ISPs)

However, I don’t understand the rationale for including “connection state new” and is not required to my understanding.
That should be covered by the standard first rule in the forward chain!
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked

I too prefer to set bridge vlan filtering as you have done as the last step but would emphasize to do so with SAFE MODE on!

++++++++++++++++++++++++++++++++++++++++++++++++++

In terms of the WIFI side, I do have some observations.
My y case is simpler using a cap AC

My recommended order would be different.
The first thing would be to configure the WIFI INTERFACES, wireless settings properly, to include security profile settings.
The important items are on the wireless tab, which is available on the menu one gets to after double clicking on the radio itself
a. attaching the right security profile made under the security profile tab.
b. Changing the default NO TAG, PVID=1 VLAN settings, IF the radio is going to be serving a VLAN to : USE TAG and the applicable VLANID that matches the appropriate one on the Router.

In my case, my unit comes with two radios, one I configured for 2.4ghz and the other for 5ghz, and I created a third - one Virtual AP running off the 5ghz radio.
The 2g and virtual 5ac radios are on separate VLANs while my main 5AC radio is stock and runs default without a vlan (no tag vlan1)

The NEXT step would entail going from the WIRELESS MENU to the INTERFACES MENU above.
So we have identified the WIFI Radios to the VLANs and next we have to associate the VLANs to the hapac bridge.
This is done under the Interfaces Menu and VLANS tab.
Add the VLAN and associate to the hapac bridge.

Next we are ready for the Bridge entries.

Bridgeports
On my CAPAC I only have two ethernet ports and really only ethernet1 (I disable ether2).
But I understand on the hapAC there are more Bridge ports to consider to attach to the Bridge.
Concur, that besides physical ports, the equivalent wifi ports, the APs or virtual APs are also added as bridge ports (your WLAN1 and WLAN2 I assume are names give to the radios or virtual radios.

The next step is one I do not understand? On my capAC I did not set a single IP address or similar setting. Are you sure its required??
The hapac is not giving out any IP addresses?
“Assign IP Address to the bridge”

Okay I get it now, I looked at the default quickset menu for my cap ac and I see that it has all that information assigned to the Bridge pretty much automatically.
The only thing missing was getting a DHCP address from the router which it did pull by itself.

The last step “Turn on VLAN mode on the desired wlan interface” was accomplished much earlier in the approach above.
My last step would be to turn on hapAC BRIDGE VLAN filtering (with SAFE MODE enabled).

In summary, prettty much what I do, with slightly different order.

On most Mikrotik models with lower end switch chips (CRS are an exception), vlan-filtering =yes disables direct forwarding of frames between switch chip ports because the switch chip is not able to perform all required handling, thus some frames would get where they should not or would not get where they should. But setting vlan-filtering=yes is not the only way how to deal with VLANs, so if your LAN devices exchange high volumes of data with each other and not just with remote devices accessible via WAN, you may prefer to use a combination of bridges with vlan-filtering=no and some switch chip settings to achieve your goal. But for your particular application case, things are even simpler, see below.

The vlan-filtering is named after its most visible functionality, which is to let only frames tagged with permitted VLAN IDs to get in and out the brigde and drop the rest. With vlan-filtering=no, the bridge (i.e. the software, what the switch chip does is another thing) accepts and forwards all frames, tagless or tagged, with any kind of tag (802.1Q or 802.1ad or even some other), with any VID in the tag, on all ports. So when the wireless chip sends a frame tagged with VID 20, the bridge with vlan-filtering=no still delivers that tagged frame to hAP AC’s ether1. And the same happens with the tagless frames. As the bridge running on the hAP AC has more or less just two ports (if we neglect the L3 interface of the hAP AC itself), you don’t need things like an independent MAC address table per VLAN (or VLAN group) provided by the feature set activated by setting vlan-filtering=yes.

In your particular scenario, you can keep vlan-filtering=no also on bridge-lan on the 4011, because the worst thing which can happen is that if you connect a device capable of sending and receiving frames tagged with VID 20 to ether2-ether9, it will be able to access the guest VLAN, and that two devices capable of sending and receiving tagged frames will be able talk together using tagged frames with any VID. You do not need MSTP as there is no L2 ring in your network, you don’t need to enforce VLAN policy on any of your ethernet ports, and all your ethernet ports are used to access the same VLAN so you don’t need tagging/untagging to happen as the frames ingress/egress through an ethernet port.

@sindy,
Thank you for your help and feedback. In the spirit of my QoS thread, I’m making one for VLAN. There are so many questions about this topic, that I feel it warrants a special forum post on it. Give me a few weeks, but soon, I’ll be seeking your feedback to make this thread the ultimate primer on VLAN with MikroTik.

I go beyond what the current documentation does by applying concepts to each set of commands. Along with visuals, this will make things simpler to understand and reason about. By crowdsourcing the wisdom of the forum, hopefully we can get this type of documentation into the main wiki. I don’t have the commands created yet, still finishing up graphics and descriptions.

Thank you.

Just thought I’d add my way of doing something similar for a little feedback.
I have 4 ssids from an ubiquiti ap. these are for: normal wan, vpn’d wan, filtered kids and guests. each ssid is tagged (vlans 5,6,10 & 10) And enter the Mikrotik on port 1.
Port 1 has 4 vlan interfaces added to it (one for each ssid) which are then added to a bridge.
The bridge has vlan filtering enabled and the pvids are all set as 1
A single subnet is added to the bridge and a dhcp pool/server.
All ports are set as untagged.
This allows me to have all in the same broadcast for use of AirPrint etc
It also allows me to add packet filters to the bridge which then pass through pre routing in order to assign routing marks and DST Nat rules without using the ip firewall on the bridge so that I can use different gateways and dns servers.
This all started from having a way to use/not use vpn without clunky apps or changing settings, I just connect to a different access point. It also allows all my lan devices to talk at l2
I’ve also just added another ssid for my work on the same bridge which goes out on an EoIP tunnel over l2tp/IPSec to my office. It allows me to AirPrint from home to the office as required and also another vlan trunk over this tunnel for an ip phone directly connected to my on site pabx so I have an office line

Out of curiosity: if you bridge all vlans in the RB, why do you bother with VLAN tags between AP and router? Or, how do you actually differentiate devices using e.g. “normal wan” from devices using “vpn’d wan”?