h1ghrise
just joined
Topic Author
Posts: 21
Joined: Fri Apr 14, 2023 5:05 pm
Location: Vienna, Austria

Caps cannot resolve DNS - VLAN environment

Tue Mar 12, 2024 9:49 pm

Hi,
I'm running an RB5009 with 2 connected cAP acs.
The CAPs are connected to ports 7 and 8 on the RB5009.

I'm running 3 VLANs:
/interface vlan
add interface=BR-MAIN name="VLAN10 - Wifi" vlan-id=10
add interface=BR-MAIN name="VLAN20 - IoT" vlan-id=20
add interface=BR-MAIN name="VLAN50 - LAN" vlan-id=50
Bridge BR-MAIN is set up as follows (relevant AP config only):
/interface bridge
add admin-mac=REDACTED auto-mac=no name=BR-MAIN port-cost-mode=short protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=BR-MAIN comment="AP1 (Downstairs)" frame-types=admit-only-vlan-tagged interface="ether7 - AP1" internal-path-cost=10 path-cost=10
add bridge=BR-MAIN comment="AP2 (Upstairs)" frame-types=admit-only-vlan-tagged interface="ether8 - AP2" internal-path-cost=10 path-cost=10
The CAPs are running on VLAN50:
/interface bridge vlan
add bridge=BR-MAIN comment=LAN tagged="BR-MAIN,ether7 - AP1,ether8 - AP2" vlan-ids=50
CAPsMAN config:
/caps-man configuration
add channel.band=5ghz-a/n/ac .control-channel-width=20mhz .extension-channel=\
    disabled .skip-dfs-channels=yes .tx-power=20 country=austria \
    datapath.bridge=BR-MAIN .client-to-client-forwarding=yes .vlan-id=10 \
    .vlan-mode=use-tag installation=indoor mode=ap name=Owcahome rates.basic=\
    12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps .supported=\
    12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps security.authentication-types=\
    wpa2-psk .encryption=aes-ccm .group-encryption=aes-ccm .group-key-update=\
    10m ssid=Owcahome
add channel.band=2ghz-g/n .control-channel-width=20mhz .extension-channel=\
    disabled .frequency=2412,2437,2462 .skip-dfs-channels=no .tx-power=10 \
    country=austria datapath.bridge=BR-MAIN .vlan-id=20 .vlan-mode=use-tag \
    installation=indoor mode=ap name=IoT rates.basic=\
    12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps .supported=\
    12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps security.authentication-types=\
    wpa2-psk .encryption=aes-ccm .group-encryption=aes-ccm .group-key-update=\
    10m ssid=IoT
Each VLAN has a DHCP server running, handing out IPs:
/ip dhcp-server
add address-pool=POOL_IOT interface="VLAN20 - IoT" lease-time=4w2d name=DHCP-IOT
add address-pool=POOL_WIFI interface="VLAN10 - Wifi" lease-time=1w3d name=DHCP-WIFI
add address-pool=POOL_LAN interface="VLAN50 - LAN" lease-time=14w2d name=DHCP-LAN
The CAPs are operating in manager forwarding mode.
Clients are getting their IPs fine and the CAPs are reachable via L2/L3 fine.
The only thing which is not working is DNS. I cannot upgrade the CAPs as they cannot resolve DNS names. What am I doing wrong?

Forgot to add the CAP config.
/interface bridge
add admin-mac=REDACTED auto-mac=no ingress-filtering=no name=BR-MAIN \
    protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - Router"
set [ find default-name=ether2 ] name="ether2 - Printer" poe-out=off
/interface vlan
add interface=BR-MAIN name="VLAN50 - LAN" vlan-id=50
/interface bridge port
add bridge=BR-MAIN frame-types=admit-only-vlan-tagged ingress-filtering=no \
    interface="ether1 - Router"
add bridge=BR-MAIN frame-types=admit-only-untagged-and-priority-tagged \
    interface="ether2 - Printer" pvid=50
/interface bridge vlan
add bridge=BR-MAIN tagged="BR-MAIN,ether1 - Router" vlan-ids=50
/interface wireless cap
set bridge=BR-MAIN certificate=CAP-18FD74C22E38 discovery-interfaces=\
    "VLAN50 - LAN" enabled=yes interfaces=wlan1,wlan2 lock-to-caps-man=yes
/ip dhcp-client
add interface="VLAN50 - LAN"
/system identity
set name=AP1
 
h1ghrise
just joined
Topic Author
Posts: 21
Joined: Fri Apr 14, 2023 5:05 pm
Location: Vienna, Austria

Re: Caps cannot resolve DNS - VLAN environment  [SOLVED]

Wed Mar 13, 2024 9:04 pm

Found the solution.
Even though VLAN50 was in the LAN interface list, DNS requests from VLAN50 got dropped.
/ip firewall filter add action=accept chain=input dst-port=53 in-interface="VLAN50 - LAN"
The error is in the bridge/interface list setup:
/interface list member add interface=BR-MAIN list=LAN
Found an explanatory post from anav in a different topic (viewtopic.php?t=197370):
As pe1chl stated, you are mixing up apples and oranges.

There are interface lists for the purposes I stated, and then there is also a bridge with its bridge ports.
If there are no VLANs, then one simply has a single subnet going over the bridge and only /interface bridge ports, where each port is identified as belonging to the bridge, and for interface list rules one only needs to identify the bridge as being a member of the LAN interface list, for example.

In the case where one has multiple subnets and VLANs, then we also need /interface bridge vlans to help ensure that the bridge ports are correctly identified as trunk, access or hybrid ports, and then use /interface bridge vlans to detail the assignment of VLANs to those ports. In this case, for interface lists each VLAN needs to be added as a LAN interface member and the bridge is not.
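The corrected interface-list membership and a LAN-scoped DNS input rule for this thread's setup, added here as an illustration and not taken from the poster's or anav's config. Interface names follow the thread; the established/invalid rules, the final drop rule and the VLAN10/VLAN20 memberships are assumptions about the rest of the firewall, which the thread does not show.

```routeros
# Added illustration, not the poster's config. Assumes the input chain ends
# with a drop rule keyed on the LAN interface list (the usual default layout);
# the poster's actual drop rule is not shown in the thread.

# What the thread had: the bridge itself as the LAN member. With
# vlan-filtering=yes, a DNS query from a CAP arrives with in-interface
# "VLAN50 - LAN", not BR-MAIN, so in-interface-list=LAN never matches it
# and the query falls through to the drop rule.
/interface list member
add interface=BR-MAIN list=LAN

# Fix: take the bridge out of the list and add each VLAN interface instead.
/interface list member
remove [ find interface=BR-MAIN list=LAN ]
add interface="VLAN50 - LAN" list=LAN
add interface="VLAN10 - Wifi" list=LAN
add interface="VLAN20 - IoT" list=LAN

# Input chain: accept DNS (UDP and TCP) only from the LAN list, then drop
# everything that is not from LAN. This replaces the per-interface accept
# rule from the thread, which only helped VLAN50, and keeps the router from
# answering DNS on the WAN side (open-resolver exposure).
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="established"
add chain=input action=drop connection-state=invalid comment="invalid"
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=LAN comment="DNS from LAN"
add chain=input action=accept protocol=tcp dst-port=53 in-interface-list=LAN comment="DNS from LAN (TCP)"
add chain=input action=drop in-interface-list=!LAN comment="drop all not from LAN"

# /ip dns still needs allow-remote-requests=yes for the router to answer at all;
# the thread implies this was already set since LAN clients could resolve.

# Verify: the DNS rules' counters should rise while a CAP resolves a name.
# If only the drop counter moves, a VLAN interface is still missing from LAN.
/interface list member print where list=LAN
/ip firewall filter print stats where chain=input
```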
