Hotspot on Bridge VLAN

Hello everyone, I have been using MikroTik for about 20 years and I am very satisfied with these products. In one of the recent versions of ROS there was a change that VLANs should be created under the bridge, not under the ethernet port. So I changed the configuration in my routers and everything is working well; I am using VLAN filtering and ingress filtering with no issues.

But now I have to update my router that is running the Hotspot server; there is an old configuration with VLANs created under the ethernet port and the Hotspots are running on these VLANs with no problems. When I change the configuration to have VLANs on the bridge and add Hotspot servers on these VLANs, the Hotspots are not working: no new hosts captured to show the portal, no Internet connection, no packets counted on the dynamically created Hotspot firewall and NAT rules. When I disable the Hotspot, Internet is running OK, so there is no problem with the configuration.

My question is whether Hotspot servers can be created on VLANs under a bridge, or is this a known issue? When I change it back to old-style ethernet VLANs, the Hotspots are working as before.

Thank you for your replies. :wink:

So, there is the question: which configuration is the best for performance and security?
[picture 1: Screenshot_20250106_133115.png]
[picture 2: Screenshot_20250106_133135.png]

One bridge; identify all the data VLANs required and one management VLAN (unless you intend to use one of the data VLANs as a trusted VLAN).

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

This device does not have a switch chip; you can use multiple bridges if you do not use STP.
This configuration will be closer to what you're using.

example:
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=sp1_WAN_myisp
set [ find default-name=sfp-sfpplus7 ] name=sp7_UPLNK_sw1
set [ find default-name=sfp-sfpplus8 ] name=sp8_UPLNK_sw2
set [ find default-name=ether1 ] name=e1_LAN_mgm

/interface vlan
add interface=sp7_UPLNK_sw1 name=v200sp7_LAN_mgm vlan-id=200
add interface=sp8_UPLNK_sw2 name=v200sp8_LAN_mgm vlan-id=200
add interface=sp7_UPLNK_sw1 name=v240sp7_LAN_corpo vlan-id=240
add interface=sp8_UPLNK_sw2 name=v240sp8_LAN_corpo vlan-id=240
add interface=sp7_UPLNK_sw1 name=v260sp7_WLAN_corpo vlan-id=260
add interface=sp8_UPLNK_sw2 name=v260sp8_WLAN_corpo vlan-id=260
add interface=sp7_UPLNK_sw1 name=v280sp7_WLAN_guest vlan-id=280
add interface=sp8_UPLNK_sw2 name=v280sp8_WLAN_guest vlan-id=280

/interface bridge
add admin-mac=5A:FE:50:00:44:00 auto-mac=no name=b0_loopback protocol-mode=none
add admin-mac=5A:FE:50:00:44:01 auto-mac=no name=b1_LAN_mgm protocol-mode=none
add admin-mac=5A:FE:50:00:44:02 auto-mac=no name=b2_LAN_corpo protocol-mode=none
add admin-mac=5A:FE:50:00:44:03 auto-mac=no name=b3_WLAN_corpo protocol-mode=none
add admin-mac=5A:FE:50:00:44:04 auto-mac=no name=b4_WLAN_guest protocol-mode=none

/interface bridge port
add bridge=b1_LAN_mgm interface=e1_LAN_mgm
add bridge=b1_LAN_mgm interface=v200sp7_LAN_mgm
add bridge=b1_LAN_mgm interface=v200sp8_LAN_mgm
add bridge=b2_LAN_corpo interface=v240sp7_LAN_corpo
add bridge=b2_LAN_corpo interface=v240sp8_LAN_corpo
add bridge=b3_WLAN_corpo interface=v260sp7_WLAN_corpo
add bridge=b3_WLAN_corpo interface=v260sp8_WLAN_corpo
add bridge=b4_WLAN_guest interface=v280sp7_WLAN_guest
add bridge=b4_WLAN_guest interface=v280sp8_WLAN_guest

True. But then there will be a ton of VLAN interfaces (one per VLAN and per port) plus a multitude of bridges (one per VLAN) … compared to one bridge and a few VLAN interfaces (one per VLAN with which the device has to interact … if the device acts as a switch for some VLANs, then with a single bridge it doesn't even need the corresponding VLAN interface). There's no processing benefit in either option …

The only benefit of using a bridge per VLAN is the ability to have the same VLAN on different ports which should not communicate with each other (at least on L2), or the ability to merge different VLANs on L2 … neither is common in typical SOHO (or even "normal" corporations); the former might be handy in some network operation business and the latter is not particularly sane. Another benefit (kinda) is the ability to use different MAC addresses in different VLANs for the router itself … which is not required very often.

Thank you. For me, picture number one is, in my view, the clearer configuration; I do not like having a VLAN interface created on the ethernet port and then adding this VLAN as part of the bridge (picture number 2), because I think there can be a problem with RSTP. But configuration number two works without any problem with the Hotspot function, while the clearer configuration number one does not work with Hotspot, as I wrote before. I think there is a problem with VLAN tagging/filtering which does not work with Hotspot.

Not working configuration (picture 1):

/interface ethernet
set 0 name=Management mac-address=02:01:00:00:00:08 arp=disabled
set 1 name=T02GW_1 mac-address=02:01:00:00:00:00 arp=disabled
set 2 name=T02GW_2 mac-address=02:01:00:00:00:01 arp=disabled
set 3 name=T02GW_3 mac-address=02:01:00:00:00:02 arp=disabled
set 4 name=T02GW_4 mac-address=02:01:00:00:00:03 arp=disabled
set 5 name=Server08 mac-address=02:01:00:00:00:04 arp=disabled auto-negotiation=no speed=1G-baseT-full
set 6 name=Server11 mac-address=02:01:00:00:00:05 arp=disabled auto-negotiation=no speed=1G-baseT-full
set 7 name=Server10_1 mac-address=02:01:00:00:00:06 arp=disabled
set 8 name=Server10_2 mac-address=02:01:00:00:00:07 arp=disabled
set [find where name!="Management" name!="T02GW_1" name!="T02GW_2" name!="T02GW_3" name!="T02GW_4" name!="Server08" name!="Server11" name!="Server10_1" name!="Server10_2"] disabled=yes
/interface bonding
add name=T02GW arp=disabled slaves=T02GW_1,T02GW_2,T02GW_3,T02GW_4 mode=802.3ad
add name=Server10 arp=disabled slaves=Server10_1,Server10_2 mode=802.3ad
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes use-ip-firewall-for-pppoe=yes
/interface bridge
add name=GW-Bridge arp=reply-only admin-mac=02:01:00:00:00:00 dhcp-snooping=yes protocol-mode=rstp priority=16384 vlan-filtering=yes frame-types=admit-only-vlan-tagged ingress-filtering=yes auto-mac=no
/interface vlan
add name=VLAN104 vlan-id=104 interface=GW-Bridge
add name=VLAN107 vlan-id=107 interface=GW-Bridge
add name=VLAN200 arp=reply-only vlan-id=200 interface=GW-Bridge
add name=VLAN201 arp=reply-only vlan-id=201 interface=GW-Bridge
add name=VLAN202 arp=reply-only vlan-id=202 interface=GW-Bridge
add name=VLAN203 arp=reply-only vlan-id=203 interface=GW-Bridge
add name=VLAN204 arp=reply-only vlan-id=204 interface=GW-Bridge
add name=VLAN205 arp=reply-only vlan-id=205 interface=GW-Bridge
add name=VLAN206 arp=reply-only vlan-id=206 interface=GW-Bridge
add name=VLAN210 arp=reply-only vlan-id=210 interface=GW-Bridge
add name=VLAN221 arp=reply-only vlan-id=221 interface=GW-Bridge
add name=VLAN222 arp=reply-only vlan-id=222 interface=GW-Bridge
add name=VLAN223 arp=reply-only vlan-id=223 interface=GW-Bridge
add name=VLAN231 arp=reply-only vlan-id=231 interface=GW-Bridge
add name=VLAN232 vlan-id=232 interface=GW-Bridge
add name=VLAN233 arp=reply-only vlan-id=233 interface=GW-Bridge
add name=VLAN234 arp=reply-only vlan-id=234 interface=GW-Bridge
add name=VLAN235 arp=reply-only vlan-id=235 interface=GW-Bridge
add name=VLAN236 arp=reply-only vlan-id=236 interface=GW-Bridge
add name=VLAN237 arp=reply-only vlan-id=237 interface=GW-Bridge
add name=VLAN238 arp=reply-only vlan-id=238 interface=GW-Bridge
add name=WAN arp=reply-only vlan-id=2100 interface=GW-Bridge
/interface list
add name=Infrastructure
/interface list member
add list=Infrastructure interface=VLAN200
/interface bridge port
add interface=T02GW bridge=GW-Bridge unknown-multicast-flood=no multicast-router=disabled frame-types=admit-only-vlan-tagged ingress-filtering=yes mvrp-registrar-state=fixed mvrp-applicant-state=non-participant
add interface=Server08 bridge=GW-Bridge unknown-multicast-flood=no multicast-router=disabled pvid=200 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes mvrp-registrar-state=fixed mvrp-applicant-state=non-participant
add interface=Server10 bridge=GW-Bridge unknown-multicast-flood=no multicast-router=disabled pvid=200 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes mvrp-registrar-state=fixed mvrp-applicant-state=non-participant
add interface=Server11 bridge=GW-Bridge unknown-multicast-flood=no multicast-router=disabled pvid=200 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes mvrp-registrar-state=fixed mvrp-applicant-state=non-participant
add interface=Management bridge=GW-Bridge unknown-multicast-flood=no multicast-router=disabled pvid=200 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes mvrp-registrar-state=fixed mvrp-applicant-state=non-participant
/interface bridge vlan
add bridge=GW-Bridge vlan-ids=200 tagged=T02GW,GW-Bridge untagged=Server08,Server10,Server11,Management
add bridge=GW-Bridge vlan-ids=104 tagged=T02GW,GW-Bridge
add bridge=GW-Bridge vlan-ids=107 tagged=T02GW,GW-Bridge
add bridge=GW-Bridge vlan-ids=201 tagged=T02GW,GW-Bridge
add bridge=GW-Bridge vlan-ids=202 tagged=T02GW,GW-Bridge
add bridge=GW-Bridge vlan-ids=203 tagged=T02GW,GW-Bridge
add bridge=GW-Bridge vlan-ids=204 tagged=T02GW,GW-Bridge
add bridge=GW-Bridge vlan-ids=205 tagged=T02GW,GW-Bridge
add bridge=GW-Bridge vlan-ids=206 tagged=T02GW,GW-Bridge
add bridge=GW-Bridge vlan-ids=210 tagged=T02GW,GW-Bridge
add bridge=GW-Bridge vlan-ids=221 tagged=T02GW,GW-Bridge
add bridge=GW-Bridge vlan-ids=222 tagged=T02GW,GW-Bridge
add bridge=GW-Bridge vlan-ids=223 tagged=T02GW,GW-Bridge
add bridge=GW-Bridge vlan-ids=231 tagged=T02GW,GW-Bridge
add bridge=GW-Bridge vlan-ids=232 tagged=T02GW,GW-Bridge
add bridge=GW-Bridge vlan-ids=233 tagged=T02GW,GW-Bridge
add bridge=GW-Bridge vlan-ids=234 tagged=T02GW,GW-Bridge
add bridge=GW-Bridge vlan-ids=235 tagged=T02GW,GW-Bridge
add bridge=GW-Bridge vlan-ids=236 tagged=T02GW,GW-Bridge
add bridge=GW-Bridge vlan-ids=237 tagged=T02GW,GW-Bridge
add bridge=GW-Bridge vlan-ids=238 tagged=T02GW,GW-Bridge
add bridge=GW-Bridge vlan-ids=2100 tagged=T02GW,GW-Bridge
/ip address
add address=192.168.200.1/24 interface=VLAN200
add address=192.168.104.8/24 interface=VLAN104
add address=192.168.104.254/24 interface=VLAN104
add address=192.168.107.253/24 interface=VLAN107
add address=192.168.201.1/24 interface=VLAN201
add address=192.168.202.1/24 interface=VLAN202
add address=172.23.0.1/16 interface=VLAN203
add address=172.24.0.1/16 interface=VLAN204
add address=172.25.0.1/16 interface=VLAN205
add address=172.26.0.1/16 interface=VLAN206
add address=172.30.0.1/16 interface=VLAN210
add address=192.168.221.1/24 interface=VLAN221
add address=192.168.222.1/24 interface=VLAN222
add address=192.168.223.1/24 interface=VLAN223
add address=192.168.231.1/24 interface=VLAN231
add address=192.168.232.1/24 interface=VLAN232
add address=192.168.233.1/24 interface=VLAN233
add address=192.168.234.1/24 interface=VLAN234
add address=192.168.235.1/24 interface=VLAN235
add address=192.168.236.1/24 interface=VLAN236
add address=192.168.237.1/24 interface=VLAN237
add address=192.168.238.1/24 interface=VLAN238
add address=XXX.XXX.XXX.XX2/28 interface=WAN
add address=XXX.XXX.XXX.XX3/28 interface=WAN
add address=XXX.XXX.XXX.XX4/28 interface=WAN
add address=XXX.XXX.XXX.XX5/28 interface=WAN
add address=XXX.XXX.XXX.XX6/28 interface=WAN
add address=XXX.XXX.XXX.XX7/28 interface=WAN
add address=XXX.XXX.XXX.XX8/28 interface=WAN

Working configuration (picture 2):

/interface ethernet
set 0 name=Management mac-address=02:01:00:00:00:08 arp=disabled
set 1 name=T02GW_1 mac-address=02:01:00:00:00:00 arp=disabled
set 2 name=T02GW_2 mac-address=02:01:00:00:00:01 arp=disabled
set 3 name=T02GW_3 mac-address=02:01:00:00:00:02 arp=disabled
set 4 name=T02GW_4 mac-address=02:01:00:00:00:03 arp=disabled
set 5 name=Server08 mac-address=02:01:00:00:00:04 arp=disabled auto-negotiation=no speed=1G-baseT-full
set 6 name=Server11 mac-address=02:01:00:00:00:05 arp=disabled auto-negotiation=no speed=1G-baseT-full
set 7 name=Server10_1 mac-address=02:01:00:00:00:06 arp=disabled
set 8 name=Server10_2 mac-address=02:01:00:00:00:07 arp=disabled
set [find where name!="Management" name!="T02GW_1" name!="T02GW_2" name!="T02GW_3" name!="T02GW_4" name!="Server08" name!="Server11" name!="Server10_1" name!="Server10_2"] disabled=yes
/interface bonding
add name=T02GW arp=disabled slaves=T02GW_1,T02GW_2,T02GW_3,T02GW_4 mode=802.3ad
add name=Server10 arp=disabled slaves=Server10_1,Server10_2 mode=802.3ad
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes use-ip-firewall-for-pppoe=yes
/interface bridge
add name=GW-Bridge arp=reply-only admin-mac=02:01:00:00:00:00 dhcp-snooping=yes protocol-mode=rstp priority=16384 vlan-filtering=yes frame-types=admit-only-vlan-tagged ingress-filtering=yes auto-mac=no
/interface vlan
add name=VLAN104 vlan-id=104 interface=T02GW
add name=VLAN107 vlan-id=107 interface=T02GW
add name=VLAN200 arp=reply-only vlan-id=200 interface=T02GW
add name=VLAN201 arp=reply-only vlan-id=201 interface=T02GW
add name=VLAN202 arp=reply-only vlan-id=202 interface=T02GW
add name=VLAN203 arp=reply-only vlan-id=203 interface=T02GW
add name=VLAN204 arp=reply-only vlan-id=204 interface=T02GW
add name=VLAN205 arp=reply-only vlan-id=205 interface=T02GW
add name=VLAN206 arp=reply-only vlan-id=206 interface=T02GW
add name=VLAN210 arp=reply-only vlan-id=210 interface=T02GW
add name=VLAN221 arp=reply-only vlan-id=221 interface=T02GW
add name=VLAN222 arp=reply-only vlan-id=222 interface=T02GW
add name=VLAN223 arp=reply-only vlan-id=223 interface=T02GW
add name=VLAN231 arp=reply-only vlan-id=231 interface=T02GW
add name=VLAN232 vlan-id=232 interface=T02GW
add name=VLAN233 arp=reply-only vlan-id=233 interface=T02GW
add name=VLAN234 arp=reply-only vlan-id=234 interface=T02GW
add name=VLAN235 arp=reply-only vlan-id=235 interface=T02GW
add name=VLAN236 arp=reply-only vlan-id=236 interface=T02GW
add name=VLAN237 arp=reply-only vlan-id=237 interface=T02GW
add name=VLAN238 arp=reply-only vlan-id=238 interface=T02GW
add name=WAN arp=reply-only vlan-id=2100 interface=T02GW
/interface list
add name=Infrastructure
/interface list member
add list=Infrastructure interface=GW-Bridge
/interface bridge port
add interface=VLAN200 bridge=GW-Bridge unknown-multicast-flood=no multicast-router=disabled frame-types=admit-only-vlan-tagged ingress-filtering=yes mvrp-registrar-state=fixed mvrp-applicant-state=non-participant
add interface=Server08 bridge=GW-Bridge unknown-multicast-flood=no multicast-router=disabled pvid=200 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes mvrp-registrar-state=fixed mvrp-applicant-state=non-participant
add interface=Server10 bridge=GW-Bridge unknown-multicast-flood=no multicast-router=disabled pvid=200 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes mvrp-registrar-state=fixed mvrp-applicant-state=non-participant
add interface=Server11 bridge=GW-Bridge unknown-multicast-flood=no multicast-router=disabled pvid=200 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes mvrp-registrar-state=fixed mvrp-applicant-state=non-participant
add interface=Management bridge=GW-Bridge unknown-multicast-flood=no multicast-router=disabled pvid=200 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes mvrp-registrar-state=fixed mvrp-applicant-state=non-participant
/interface bridge vlan
add bridge=GW-Bridge vlan-ids=200 tagged=VLAN200,GW-Bridge untagged=Server08,Server10,Server11,Management
/ip settings
set rp-filter=strict
/ipv6 settings
set disable-ipv6=yes forward=no accept-redirects=no accept-router-advertisements=no
/ipv6 address
remove [find]
/ip address
add address=192.168.200.1/24 interface=GW-Bridge
add address=192.168.104.8/24 interface=VLAN104
add address=192.168.104.254/24 interface=VLAN104
add address=192.168.107.253/24 interface=VLAN107
add address=192.168.201.1/24 interface=VLAN201
add address=192.168.202.1/24 interface=VLAN202
add address=172.23.0.1/16 interface=VLAN203
add address=172.24.0.1/16 interface=VLAN204
add address=172.25.0.1/16 interface=VLAN205
add address=172.26.0.1/16 interface=VLAN206
add address=172.30.0.1/16 interface=VLAN210
add address=192.168.221.1/24 interface=VLAN221
add address=192.168.222.1/24 interface=VLAN222
add address=192.168.223.1/24 interface=VLAN223
add address=192.168.231.1/24 interface=VLAN231
add address=192.168.232.1/24 interface=VLAN232
add address=192.168.233.1/24 interface=VLAN233
add address=192.168.234.1/24 interface=VLAN234
add address=192.168.235.1/24 interface=VLAN235
add address=192.168.236.1/24 interface=VLAN236
add address=192.168.237.1/24 interface=VLAN237
add address=192.168.238.1/24 interface=VLAN238
add address=XXX.XXX.XXX.XX2/28 interface=WAN
add address=XXX.XXX.XXX.XX3/28 interface=WAN
add address=XXX.XXX.XXX.XX4/28 interface=WAN
add address=XXX.XXX.XXX.XX5/28 interface=WAN
add address=XXX.XXX.XXX.XX6/28 interface=WAN
add address=XXX.XXX.XXX.XX7/28 interface=WAN
add address=XXX.XXX.XXX.XX8/28 interface=WAN

Now, as I can see here in colours, I have the same MAC for the ethernet port and for the bridge; hm, maybe this is the problem? :slight_smile:
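A small consistency check for a single-bridge VLAN-filtering export like picture 1, added here as an example; it is not RouterOS functionality and not the posters' own configuration, and the sample export with its three defects is constructed. It catches interfaces that are referenced but never defined, access ports whose pvid has no static bridge VLAN entry, and VLAN interfaces on the bridge whose VLAN the bridge itself is not tagged in, which is what to rule out before blaming Hotspot.

```python
"""Added example (not RouterOS code, not the posters'): sanity-check a bridge VLAN-filtering export."""
import re

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value or key="quoted value" tokens

def parse_export(text):  # -> {section: [{key: value, ...}, ...]} for every add/set line
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            current = line
        elif current and line.split(" ", 1)[0] in ("add", "set"):
            sections.setdefault(current, []).append({k: v.strip('"') for k, v in KV.findall(line)})
    return sections

def vlan_ids(spec):  # RouterOS vlan-ids syntax: '200,210-212' -> {200, 210, 211, 212}
    return {v for p in spec.split(",") for v in range(int(p.split("-")[0]), int(p.split("-")[-1]) + 1)}

def check(export_text):
    s = parse_export(export_text)
    get = lambda sec: s.get(sec, [])
    defined = {e["name"] for sec in s for e in s[sec] if "name" in e}
    bridges = {e["name"] for e in get("/interface bridge")}
    tagged, untagged = {}, {}  # vlan-id -> set of member interfaces (static entries only)
    for e in get("/interface bridge vlan"):
        for vid in vlan_ids(e["vlan-ids"]):
            tagged.setdefault(vid, set()).update(filter(None, e.get("tagged", "").split(",")))
            untagged.setdefault(vid, set()).update(filter(None, e.get("untagged", "").split(",")))
    refs = {e.get("interface") for sec in ("/interface vlan", "/interface bridge port") for e in get(sec)} - {None}
    refs.update(*tagged.values(), *untagged.values())
    findings = [f"undefined interface referenced: {n}" for n in sorted(refs - defined)]
    for p in get("/interface bridge port"):  # access port whose pvid only gets a dynamic entry
        pvid = int(p.get("pvid", 1))
        if p.get("frame-types") != "admit-only-vlan-tagged" and pvid not in tagged:
            findings.append(f"port {p['interface']}: pvid {pvid} has no static bridge vlan entry")
    for v in get("/interface vlan"):  # the router only sees a VLAN the bridge is tagged in
        vid = int(v["vlan-id"])
        if v["interface"] in bridges and v["interface"] not in tagged.get(vid, set()):
            findings.append(f"{v['name']}: bridge {v['interface']} not tagged in vlan {vid}")
    return findings

# Constructed sample in the style of the thread's single-bridge export, with three deliberate
# defects: Server09 is never defined, pvid 210 has no entry, VLAN201 is not tagged on the bridge.
SAMPLE = """/interface ethernet
set 0 name=Management
set 1 name=T02GW
set 5 name=Server08
/interface bridge
add name=GW-Bridge vlan-filtering=yes frame-types=admit-only-vlan-tagged
/interface vlan
add name=VLAN200 vlan-id=200 interface=GW-Bridge
add name=VLAN201 vlan-id=201 interface=GW-Bridge
/interface bridge port
add interface=T02GW bridge=GW-Bridge frame-types=admit-only-vlan-tagged
add interface=Server08 bridge=GW-Bridge pvid=200 frame-types=admit-only-untagged-and-priority-tagged
add interface=Management bridge=GW-Bridge pvid=210 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=GW-Bridge vlan-ids=200 tagged=T02GW,GW-Bridge untagged=Server08,Server09"""

if __name__ == "__main__":
    print("\n".join(check(SAMPLE)) or "no findings")
```

Feed it the output of `/export` from the router; a pvid finding is only a warning, since RouterOS creates a dynamic, port-only entry for it, but the other two mean the VLAN cannot reach the router at all.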

You have quite some settings on L2 entities (bridge ports, etc.), which IMO border on paranoia … and might affect hotspot operations. You might want to create a very simplified lab setup, starting from defaults and then add settings toward your intended setup … while checking if hotspot still works. You may stumble upon a setting which breaks it … and if/when you do, ask MT support (via official channels, forum is not one of them) if it’s a bug or a feature.

Paranoid? Maybe a little. :smiley: I am always trying to set up the most restrictive configuration. I will try to simplify the configuration, test the Hotspot and let you know where the problem was. :wink:

Where is the full config, firewall rules, etc.?
Your diagram is confusing: is this all on one device, the router, or do you show it being attached to a switch (you state uplink and bonding, but to what, etc.)?

If connecting to a switch, is it an MT switch? Normally one uses a single trunk port between two smart devices (or two ports bonded, but still considered one port for bridge purposes).

Firewall, NAT and Mangle setup are not important in this problem, because when I disable or remove all rules (except mangle LAN to WAN), nothing changes; the problem will be in the bridge or VLAN config. And as I wrote before, when I disable the Hotspot, everything works fine on my setup even with all security rules enabled. The device in the picture is a CCR1072-1G-8S+ router and it is connected to an aggregation switch Edge-Core ECS5520-18X via an 802.1Q trunk over four bonded ports.

I am confident you will find the problem then. Good luck.

There is a VLAN-on-bridge fix in ROS 7.13 (before that, a host moving to VLAN 0 in the Hotspot table was possible).

Release notes 7.13:
*) hotspot - fixed incorrect host moving to VLAN 0 when receiving packets through bridge;

Also see
http://forum.mikrotik.com/t/hotspot-vlan-issues/170440/1

Thank you, but I saw the problem with VLAN 0 here in the forum; I am trying the newest firmware, 7.16.2. :slight_smile:

Same problem, hotspot not working on a bridge VLAN…