spook100
just joined
Topic Author
Posts: 2
Joined: Mon Mar 21, 2016 12:43 pm

Bridging VLANs to Virtual Access Points

Mon Mar 21, 2016 4:17 pm

Hi

I am working with my first Mikrotik wireless router (RB951Ui, software version 6.34.3). I am having some problems getting VLANs working with virtual access points and would greatly appreciate some help.

I am setting up a shared office space and am using VLANs to separate traffic so that tenants can only see traffic from other devices on the same VLAN and from the internet gateway. My setup is fairly simple with the Mikrotik wireless router, a managed switch and an internet router. I am using a single address space for the entire network so there is no routing across the Mikrotik device, everything should be bridged.

Image

Each client port on the managed switch is configured with a native or access VLAN (101,102, etc) as well as VLAN 5. The internet gateway port is configured with native VLAN 5 as well as all the client VLANs (101, 102, etc.). The wireless router port is configured with native VLAN 5 as well as all the client VLANs (101, 102, etc.), all in trunking mode. This works for all clients connected to the switch - they are able to access other clients on their own VLAN as well as to the internet.

I am having trouble however getting this to work on the Mikrotik wireless router. I am able to get clients connecting to their own virtual access point to connect to other devices on the same VLAN, but not to the internet. I have set up the Mikrotik as follows:

1. A different VAP for each tenant
2. On the ethernet port (ether5) connected to the managed switch, a VLAN configured for each tenant VLAN (101, 102, etc.) as well as VLAN 5.
3. A bridge set up for each tenant with relevant VLAN and VAP interfaces added. For example, bridge101 has VLAN101 and VAP101 added.
4. On ether5 and each VAP interface, a VLAN interface configured for VLAN 5.
5. A bridge set up that includes all VLANs set up in step 4, above.

If I now connect wirelessly to, say, vap101 then I can connect to another device connected to one of the vlan 101 ports on the managed switch but not to other devices on different tenant VLANs such as vlan 102. This is as it should be. However, I cannot connect to the internet gateway on vlan 5 either, even though vlan 5 is bridged to all vaps on the mikrotik router.


[admin@MikroTik] > export compact
# mar/21/2016 14:11:14 by RouterOS 6.34.3
# software id = SRY9-VAHZ
#
/interface bridge
add admin-mac=D4:CA:6D:C9:73:07 auto-mac=no comment=defconf name="LAN bridge"
add name=bridge5
add name=bridge101
add name=bridge105
add name=bridge107
add name=bridge109
add name=bridge113
add name=bridge117
/interface ethernet
set [ find default-name=ether5 ] name=ether5-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
MikroTik-C9730B wireless-protocol=802.11
/ip neighbor discovery
set "LAN bridge" comment=defconf
/interface vlan
add interface="LAN bridge" name=vlan4-mgt vlan-id=4
add interface=ether5-master name=vlan5 vlan-id=5
add interface=wlan1 name=vlan5-wap1 vlan-id=5
add interface=ether5-master name=vlan101 vlan-id=101
add interface=ether5-master name=vlan105 vlan-id=105
add interface=ether5-master name=vlan107 vlan-id=107
add interface=ether5-master name=vlan109 vlan-id=109
add interface=ether5-master name=vlan111 vlan-id=111
add interface=ether5-master name=vlan113 vlan-id=113
add interface=ether5-master name=vlan117 vlan-id=117
/interface ethernet
set [ find default-name=ether1 ] master-port=ether5-master
set [ find default-name=ether2 ] master-port=ether5-master
set [ find default-name=ether3 ] master-port=ether5-master
set [ find default-name=ether4 ] master-port=ether5-master
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=D6:CA:6D:C9:73:0B \
master-interface=wlan1 multicast-buffering=disabled name=vap101 ssid=\
tenant101 vlan-id=101 wds-cost-range=0 wds-default-cost=0
add disabled=no keepalive-frames=disabled mac-address=D6:CA:6D:C9:73:0C \
master-interface=wlan1 multicast-buffering=disabled name=vap105 ssid=\
tenant105 vlan-id=105 wds-cost-range=0 wds-default-cost=0
add disabled=no keepalive-frames=disabled mac-address=D6:CA:6D:C9:73:0D \
master-interface=wlan1 multicast-buffering=disabled name=vap107 ssid=\
tenant107 vlan-id=107 wds-cost-range=0 wds-default-cost=0
add disabled=no keepalive-frames=disabled mac-address=D6:CA:6D:C9:73:0E \
master-interface=wlan1 multicast-buffering=disabled name=vap109 ssid=\
tenant109 vlan-id=109 wds-cost-range=0 wds-default-cost=0
add disabled=no keepalive-frames=disabled mac-address=D6:CA:6D:C9:73:0F \
master-interface=wlan1 multicast-buffering=disabled name=vap113 ssid=\
tenant113 vlan-id=113 wds-cost-range=0 wds-default-cost=0
add disabled=no keepalive-frames=disabled mac-address=D6:CA:6D:C9:73:10 \
master-interface=wlan1 multicast-buffering=disabled name=vap117 ssid=\
Tenant117 vlan-id=117 wds-cost-range=0 wds-default-cost=0
/ip neighbor discovery
set ether1 discover=no
/interface vlan
add interface=vap105 name=vlan5-vap105 vlan-id=5
add interface=vap107 name=vlan5-vap107 vlan-id=5
add interface=vap109 name=vlan5-vap109 vlan-id=5
add interface=vap113 name=vlan5-vap113 vlan-id=5
add interface=vap117 name=vlan5-vap117 vlan-id=5
add interface=vap101 name=vlan5-vpa101 vlan-id=5
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/interface bridge port
add bridge="LAN bridge" comment=defconf interface=wlan1
add bridge="LAN bridge" interface=ether5-master
add bridge=bridge101 interface=vap101
add bridge=bridge101 interface=vlan101
add bridge=bridge105 interface=vlan105
add bridge=bridge105 interface=vap105
add bridge=bridge107 interface=vap107
add bridge=bridge107 interface=vlan107
add bridge=bridge109 interface=vap109
add bridge=bridge109 interface=vlan109
add bridge=bridge113 interface=vap113
add bridge=bridge113 interface=vlan113
add bridge=bridge117 interface=vlan117
add bridge=bridge117 interface=vap117
add bridge=bridge5 interface=vlan5
add bridge=bridge5 interface=vlan5-vap105
add bridge=bridge5 interface=vlan5-vap107
add bridge=bridge5 interface=vlan5-vap109
add bridge=bridge5 interface=vlan5-vap113
add bridge=bridge5 interface=vlan5-vap117
add bridge=bridge5 interface=vlan5-vpa101
add bridge=bridge5 interface=vlan5-wap1
/ip address
add address=172.25.0.5/23 comment=defconf interface="LAN bridge" network=\
172.25.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-relay
add dhcp-server=172.25.0.1 disabled=no interface=ether5-master name="BT Router"
/ip dns
set allow-remote-requests=yes servers=172.25.0.1
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept establieshed,related" \
connection-state=established,related
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
/ip route
add check-gateway=ping distance=1 gateway=172.25.0.1
/system clock
set time-zone-name=Europe/London
/system leds
set 5 interface=wlan1
/tool mac-server
set [ find default=yes ] disabled=yes
add interface="LAN bridge"
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface="LAN bridge"


Any help would be greatly appreciated
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Bridging VLANs to Virtual Access Points

Mon Mar 21, 2016 8:53 pm

You should just add all vlans to a single bridge and set a horizon value to all of the tenant vlans.

This way, no vlan can communicate with the other vlans, and you simply put the router's IP address / DHCP server / etc into the one bridge interface, so everyone is logically in the same network at the IP layer, and in actuality as far as the Mikrotik is concerned, but at the ethernet layer, no traffic will be forwarded between the various vlan interfaces. Use the same horizon value for all of them - e.g. horizon=1

A bridge of a bridge can cause issues, not the least of which being complexity. When you bridge all VLAN interfaces together, this strips the VLAN information inside the Mikrotik, which is fine because you actually want a single network - you just want client isolation, which the split horizon gives, and the ability to direct customer traffic to the proper VAP - which the VLAN tag does. The bridge will track which VLAN has which customer MAC address(es).
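The single-bridge, split-horizon layout ZeroByte describes, written out as RouterOS 6.x commands. This is an added example and not configuration from either poster; it reuses the interface names from spook100's export (vap101..vap117 on wlan1, vlan5 and vlan101..vlan117 on ether5-master) and keeps the default "LAN bridge" as the one bridge because it already carries the 172.25.0.5/23 address and the mac-server/neighbor-discovery settings. It is written for the pre-6.41 bridge that RouterOS 6.34.3 has (no bridge VLAN filtering), and it assumes the switch tags VLAN 5 on the port facing the Mikrotik, which is what a vlan5 sub-interface on ether5-master requires.

```routeros
# Added example (not from the thread): one bridge, tenant ports on a shared
# horizon. Interface names are taken from spook100's export; everything else
# is an assumption stated in the comments.

# 1. Remove the bridge-per-tenant layout and the vlan5 sub-interfaces that
#    were stacked on every VAP. Ports go first, then the bridges themselves.
/interface bridge port remove [find bridge~"^bridge(5|1[0-9][0-9])"]
/interface vlan remove [find name~"^vlan5-"]
/interface bridge remove [find name~"^bridge(5|1[0-9][0-9])"]

# 2. "LAN bridge" becomes the single bridge. ether5-master itself and wlan1
#    come out of it: ether5 is only a carrier for the tagged vlanNNN
#    interfaces, and wlan1 is only the master for the VAPs. If either stayed
#    in the bridge, its frames would bypass the horizon below.
/interface bridge port remove [find bridge="LAN bridge"]

# 3. Uplink towards the gateway: VLAN 5 on the trunk to the managed switch.
#    No horizon, so it may exchange frames with every tenant port.
/interface bridge port add bridge="LAN bridge" interface=vlan5

# 4. Tenant ports: each tenant's wired VLAN from the trunk and its VAP.
#    Two ports with the same horizon value never get frames forwarded
#    between them, so with horizon=1 on all of them a tenant frame can
#    only leave through vlan5. The vlanNNN interfaces strip the tag on
#    the way in, and the VAPs keep vlan-mode at its default (no-tag), so
#    the bridge only ever sees untagged frames and learns MAC -> port.
:foreach id in={101;105;107;109;113;117} do={
    /interface bridge port add bridge="LAN bridge" interface="vlan$id" horizon=1
    /interface bridge port add bridge="LAN bridge" interface="vap$id" horizon=1
}

# 5. Checks: every tenant port shows horizon=1 and only vlan5 shows none;
#    the host table shows the port each client MAC was learned on.
/interface bridge port print where bridge="LAN bridge"
/interface bridge host print where bridge="LAN bridge"
```

Two things to verify before relying on this. First, spook100 describes VLAN 5 as the native (untagged) VLAN on the switch port facing the Mikrotik; a vlan5 sub-interface only receives frames tagged 5, so either tag VLAN 5 on that switch port or use ether5-master in place of vlan5 as the uplink port (and then take the wired vlanNNN interfaces out of the bridge, because the parent port would otherwise also flood the tagged tenant frames). Second, the shared horizon isolates vap101 from vlan101 as well, so a tenant's wireless clients will not reach that tenant's wired ports through the Mikrotik; only the gateway path is shared. Since every tenant port now sits on the bridge that holds the router's own address, the input chain should limit management access to the management interface rather than accepting from the whole bridge.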
 
spook100
just joined
Topic Author
Posts: 2
Joined: Mon Mar 21, 2016 12:43 pm

Re: Bridging VLANs to Virtual Access Points

Tue Mar 22, 2016 10:15 am

Thanks ZeroByte. This looks like a possible solution and I will give it a try and get back with the result.

As a matter of interest, is there any way of making the Mikrotik function in the same way as a managed switch when using VAPs? Specifically, can a 'native' VLAN be assigned on each VAP so that all egress packets are tagged with that VLAN ID; and one or more additional VLAN IDs be assigned for ingress packets to be allowed through? If so, how is it achieved?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Bridging VLANs to Virtual Access Points

Tue Mar 22, 2016 10:53 pm

spook100 wrote:
"Specifically, can a 'native' VLAN be assigned on each VAP so that all egress packets are tagged with that VLAN ID; and one or more additional VLAN IDs be assigned for ingress packets to be allowed through? If so, how is it achieved?"
This is completely the opposite behavior of a native vlan.
The native vlan is the one and only untagged vlan on a trunk connection - all ingress untagged frames are considered to be in the native vlan, and all egress traffic of that vlan is transmitted without tags.
