Hi everyone,
I'm working with a Hap AC2 router linked directly to my modem and have set up a bridge for ports ether2-5, which connects to devices like TP Link Deco Mesh access points, without using VLANs.
I aimed to enable the Guest Network on the TP Link units to allocate a separate SSID for guests, with traffic marked as VLAN 519. However, the router overlooks the VLAN tags, and guest devices end up on my main IP range.
My goals are:
1. Keep changes minimal: I want the regular (untagged) traffic to remain on the existing bridge and IP range yet enable both tagged and untagged traffic on the access point-connected ports.
2. Route VLAN 591 traffic to a new IP range (e.g., 192.168.2.x/24), with its own DHCP and DNS, allowing internet access but preventing access to my main network (192.168.0.0/24) for less trusted devices.
After setting up VLAN 591 on the MikroTik and configuring an IP and DHCP for it, I'm stuck on how to manage both tagged and untagged traffic. I'm questioning whether I need two bridges or a way to keep the traffic separate while maintaining the flow of untagged traffic as is.
The MikroTik's role is to recognize the VLAN tags without altering them, ensuring both networks remain distinct.
Would appreciate any suggestions on tackling this. Thanks in advance!
Could you help me with how I would create a config to separate tagged 519 vlan traffic from non vlan traffic on the same bridge?
HAP ac2 + TP Lin Deco Mesh (Guest network Isolation Help) - VLAN 591
Last edited by Ameeno on Fri Feb 02, 2024 10:33 pm, edited 1 time in total.
Re: HAP ac2 + TP Lin Deco Mesh (Guest network Isolation Help) - VLAN 519
If you read the TPLINK user guide, it is not designed to be able to read and handle VLAN tagging.
Therefore its not suprizing that new clients were assigned to the same vlan.
HOWEVER, what you should know and can test is that the GUEST vlan and IOT vlan on the decos are set so that:
a. they cannot even talk to each other or to the other wifi users on main wifi.
b. they cannot reach any other wired users on the same vlan
Suggest you test....................
Therefore its not suprizing that new clients were assigned to the same vlan.
HOWEVER, what you should know and can test is that the GUEST vlan and IOT vlan on the decos are set so that:
a. they cannot even talk to each other or to the other wifi users on main wifi.
b. they cannot reach any other wired users on the same vlan
Suggest you test....................
Re: HAP ac2 + TP Lin Deco Mesh (Guest network Isolation Help) - VLAN 591
Hi Mesquite,If you read the TPLINK user guide, it is not designed to be able to read and handle VLAN tagging.
Therefore its not suprizing that new clients were assigned to the same vlan.
HOWEVER, what you should know and can test is that the GUEST vlan and IOT vlan on the decos are set so that:
a. they cannot even talk to each other or to the other wifi users on main wifi.
b. they cannot reach any other wired users on the same vlan
Suggest you test....................
Thanks for your message.
I did some further digging to double check my earlier post and research to see if that was the case
I found a forum post telling me to check the debug logs of my deco's and i can confirm my system debug logs show the following:
Code: Select all
config{enable_5g:1,ssid:MYSSID_Guest,encryption:1,enable:1,password:VERY_STRONG_PASSWORD,usr_set:1,access_duration:-1,enc_type:wpa2,start_time:1706879140,enable_2g:1,enable_5g2:0}
Fri Feb 2 13:05:44 2024 daemon.notice nrd[19861]: Leaving nrd executive program
Fri Feb 2 13:05:44 2024 user.info root: guest-eth [trigger]wifi config has changed, check vlan
Fri Feb 2 13:05:44 2024 user.info root: guest-eth guest vlan enable, guest_vlan id is 591
Fri Feb 2 13:05:44 2024 user.info root: guest-eth guest vlan id is changed -> 591, or iptv port changed to other, restart apsd and switch
Fri Feb 2 13:05:45 2024 daemon.info /usr/bin/apsd: config_load:415: Info: backhual lan:ath02.1, guest:ath02.2
.........
Fri Feb 2 13:05:45 2024 daemon.emerg procd: uci: Entry not found
Fri Feb 2 13:05:45 2024 user.info root: guest-eth AP role, eth0 set tag port, vlan id is 591
Fri Feb 2 13:05:45 2024 user.info root: guest-eth AP role, eth1 set tag port, vlan id is 591
Fri Feb 2 13:05:45 2024 user.info root: wps: wpsd reload
......
And then how do I put the vlan591 tagged packets in isolation from the untagged ones?
Thanks for your help
Re: HAP ac2 + TP Lin Deco Mesh (Guest network Isolation Help) - VLAN 591
Bump, still stuck on this one.
Basically, I want packets with the vlan id tag of 591 to be put in a separate ip range with own dhcp and network and separate from the normal Lan.
Any ideas on how to configure this?
Basically, I want packets with the vlan id tag of 591 to be put in a separate ip range with own dhcp and network and separate from the normal Lan.
Any ideas on how to configure this?
Re: HAP ac2 + TP Lin Deco Mesh (Guest network Isolation Help) - VLAN 591
Three questions and one fact.
1. As stated, the guest clients will also be assigned the same vlan as the rest of your other wlan users.
- did you confirm this via test --? what LANIP do WIFI guests get?
2. As stated, the guest clients should not be able to reach other WLAN users (on home WLAN etc._
- did you confirm this via test --? can a guest user, either ping a HOME WLAN user or access a device thats on HOME WIFI ??
3. As stated the guest clients should not be able to reach any WIRED USERS on the same VLAN.
- did you confirm this via test --? can a guest user, either ping a wired LAN user in the same subnet or access a Wired device on the same subnet??
+++++++++++++++++++++++
I am expecting no, because the WIFI router for guest should block all traffic that is private and it should only be able to access the internet.
If you want multiple VLAN capable wifi, then you need business class or smart APs, that can read VLAN tags
1. As stated, the guest clients will also be assigned the same vlan as the rest of your other wlan users.
- did you confirm this via test --? what LANIP do WIFI guests get?
2. As stated, the guest clients should not be able to reach other WLAN users (on home WLAN etc._
- did you confirm this via test --? can a guest user, either ping a HOME WLAN user or access a device thats on HOME WIFI ??
3. As stated the guest clients should not be able to reach any WIRED USERS on the same VLAN.
- did you confirm this via test --? can a guest user, either ping a wired LAN user in the same subnet or access a Wired device on the same subnet??
+++++++++++++++++++++++
I am expecting no, because the WIFI router for guest should block all traffic that is private and it should only be able to access the internet.
If you want multiple VLAN capable wifi, then you need business class or smart APs, that can read VLAN tags
Re: HAP ac2 + TP Lin Deco Mesh (Guest network Isolation Help) - VLAN 591
Hiya. Actually any of the clients on the clan tagged guest WiFi still get up address and DHCP from the normal bridge, so my tags are not working on the mikrorik to separate it
Re: HAP ac2 + TP Lin Deco Mesh (Guest network Isolation Help) - VLAN 591
Reply: see three questions above.