Internet --> pfSense --> CRS328-24P-4S+RM (crs328) (ether10 port) --> hap ac2 (hap1) (ether1 port)
Internet --> pfSense --> CRS328-24P-4S+RM (crs328) (ether16 port) --> cap ac (cap3) (ether1 port)
and I'm attempting to add:
Internet --> pfSense --> CRS328-24P-4S+RM (crs328) (ether12 port) --> hap ax3 (hax1) (ether1 port)
DHCP/DNS is running on pfSense (10.10.5.1=vlan5, 10.10.10.1=vlan10, 10.10.40.1=vlan40, 10.10.60.1=vlan60)
crs328, hap1 & cap3 are all running RouterOS/firmware v6.49.10 (long-term). hap1 & cap3 are both managed by CAPsMAN on crs328. All have been running for several years without issue. I have multiple vlans configured, and three SSIDs (home, guest, IoT) on hap1/cap3 that add vlan tags (10, 40 & 60, respectively). Management vlan tag is 5.
I recently purchased a hap ax3 (hax1), as I wanted to add wifi6 to the mix. It came with RouterOS/firmware v7.8 installed, which I upgraded to v7.12.1 before beginning configuration.
My understanding is there are two different CAPsMAN versions due to the changes between 'wireless' and 'wifiwave2'; therefore, I chose to configure hax1 directly, rather than messing with my working CAPsMAN configuration for hap1/cap3.
After reviewing my existing configurations for crs328/hap1/cap3, I configured hax1 as follows:
# 2024-03-13 14:07:57 by RouterOS 7.12.1
# software id = 8DDV-0MXM
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HF809E2QYAG
/interface bridge add admin-mac=78:9A:18:94:C9:CE auto-mac=no name=bridge
/interface bridge add admin-mac=78:9A:18:94:C9:CA auto-mac=no name=bridge_vlan vlan-filtering=yes
/interface vlan add interface=bridge_vlan name=5_Mgmt vlan-id=5
/interface vlan add interface=bridge_vlan name=10_LAN vlan-id=10
/interface vlan add interface=bridge_vlan name=40_Guest vlan-id=40
/interface vlan add interface=bridge_vlan name=60_IoT vlan-id=60
/interface wifiwave2 channel add band=5ghz-ax disabled=no name=5gHz skip-dfs-channels=10min-cac width=20/40/80mhz
/interface wifiwave2 channel add band=2ghz-ax disabled=no name=2gHz skip-dfs-channels=10min-cac width=20mhz
/interface wifiwave2 configuration add country="United States" disabled=no mode=ap name=cfg_dual
/interface wifiwave2 set [ find default-name=wifi1 ] channel=5gHz configuration=cfg_dual configuration.mode=ap .ssid=MikroTik-94C9CF disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface wifiwave2 set [ find default-name=wifi2 ] channel=2gHz configuration=cfg_dual configuration.mode=ap .ssid=MikroTik-94C9D0 disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface wifiwave2 security add authentication-types=wpa2-psk disabled=no name=sec_home
/interface wifiwave2 security add authentication-types=wpa2-psk disabled=no name=sec_guest
/interface wifiwave2 security add authentication-types=wpa2-psk disabled=no name=sec_IoT
/interface wifiwave2 add configuration=cfg_dual configuration.mode=ap .ssid=IoT disabled=no mac-address=7A:9A:18:94:C9:D1 master-interface=wifi1 name=wifi1_IoT security=sec_IoT
/interface wifiwave2 add configuration=cfg_dual configuration.mode=ap .ssid=guest disabled=no mac-address=7A:9A:18:94:C9:D0 master-interface=wifi1 name=wifi1_guest security=sec_guest
/interface wifiwave2 add configuration=cfg_dual configuration.mode=ap .ssid=home disabled=no mac-address=7A:9A:18:94:C9:CF master-interface=wifi1 name=wifi1_home security=sec_home
/interface wifiwave2 add configuration=cfg_dual configuration.mode=ap .ssid=IoT disabled=no mac-address=7A:9A:18:94:C9:D4 master-interface=wifi2 name=wifi2_IoT security=sec_IoT
/interface wifiwave2 add configuration=cfg_dual configuration.mode=ap .ssid=guest disabled=no mac-address=7A:9A:18:94:C9:D3 master-interface=wifi2 name=wifi2_guest security=sec_guest
/interface wifiwave2 add configuration=cfg_dual configuration.mode=ap .ssid=home disabled=no mac-address=7A:9A:18:94:C9:D2 master-interface=wifi2 name=wifi2_home security=sec_home
/interface bridge port add bridge=bridge_vlan comment="TRUNK to CRS328" interface=ether1
/interface bridge port add bridge=bridge_vlan comment="AppleTV (10)" frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
/interface bridge port add bridge=bridge_vlan comment="Sony (40)" frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=40
/interface bridge port add bridge=bridge_vlan comment="Roku (60)" frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=60
/interface bridge port add bridge=bridge comment="LAN port" interface=ether5
/interface bridge port add bridge=bridge interface=wifi1
/interface bridge port add bridge=bridge interface=wifi2
/interface bridge port add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged interface=wifi1_home pvid=10
/interface bridge port add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged interface=wifi1_guest pvid=40
/interface bridge port add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged interface=wifi1_IoT pvid=60
/interface bridge port add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged interface=wifi2_home pvid=10
/interface bridge port add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged interface=wifi2_guest pvid=40
/interface bridge port add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged interface=wifi2_IoT pvid=60
/ip neighbor discovery-settings set discover-interface-list=!dynamic
/ipv6 settings set disable-ipv6=yes
/interface bridge vlan add bridge=bridge_vlan tagged=bridge_vlan vlan-ids=5
/interface bridge vlan add bridge=bridge_vlan tagged=bridge_vlan untagged=ether2 vlan-ids=10
/interface bridge vlan add bridge=bridge_vlan tagged=bridge_vlan untagged=ether3 vlan-ids=40
/interface bridge vlan add bridge=bridge_vlan tagged=bridge_vlan untagged=ether4 vlan-ids=60
/interface list add name=BRIDGES
/interface list member add interface=bridge list=BRIDGES
/interface list member add interface=bridge_vlan list=BRIDGES
/ip dhcp-client add interface=bridge
/ip dhcp-client add interface=bridge_vlan
/system clock set time-zone-name=America/Chicago
/system identity set name=hax1
/tool mac-server set allowed-interface-list=BRIDGES
/tool mac-server mac-winbox set allowed-interface-list=BRIDGES
1. 'bridge', which does not include any vlan filtering (includes ether5, wifi1 & wifi2): With ether5 connected to port 1 on crs328 (which is a direct access port into vlan10), I can ssh into hax1 at 10.10.10.8. Additionally, I can connect to the wifi1/wifi2 SSIDs (MikroTik-94C9CF or MikroTik-94C9D0), receive an IP address from pfSense, and everything works as 'normal' on my internal vlan10 (i.e. I can access the internet or local computers on the same vlan).
2. 'bridge_vlan', vlan filtering is 'on' (includes ether1/2/3/4, wifi1_home, wifi1_guest, wifi1_IoT, wifi2_home, wifi2_guest & wifi2_IoT): I can connect to the home/guest/IoT SSIDs (connection is also confirmed in winbox / wireless tables / registration); however, no IP is assigned and therefore neither internet, nor local network access, is working. Same with plugging into ether2/3/4 directly--no IP address nor network access.
On crs328, ether10/12/16 are configured identically:
/interface bridge port add bridge=bridge_vlan comment="TRUNK to hAP ac2 (connected to ether1 on hap1)" interface=ether10 pvid=5
/interface bridge port add bridge=bridge_vlan comment="TRUNK to hap ax3 (connected to ether1 on hax1)" interface=ether12 pvid=5
/interface bridge port add bridge=bridge_vlan comment="TRUNK to cAP ac (connected to ether1 on cap3)" interface=ether16 pvid=5
Thanks in advance for any suggestions you may provide.
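An added example, not part of the original post: a small Python audit that reads the bridge_vlan lines quoted from the hax1 export and reports which VLANs a given port is not a member of. The function names are hypothetical, and the membership model is an assumption of this sketch: a port carries a VLAN only if it is listed under tagged= or untagged= in `/interface bridge vlan`, or is added untagged through its own pvid (default 1).

```python
import re
from collections import defaultdict

# Subset of the hax1 export quoted in the post (bridge_vlan lines only).
EXPORT = """\
/interface bridge port add bridge=bridge_vlan comment="TRUNK to CRS328" interface=ether1
/interface bridge port add bridge=bridge_vlan comment="AppleTV (10)" frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
/interface bridge port add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged interface=wifi1_home pvid=10
/interface bridge port add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged interface=wifi1_guest pvid=40
/interface bridge port add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged interface=wifi1_IoT pvid=60
/interface bridge vlan add bridge=bridge_vlan tagged=bridge_vlan vlan-ids=5
/interface bridge vlan add bridge=bridge_vlan tagged=bridge_vlan untagged=ether2 vlan-ids=10
/interface bridge vlan add bridge=bridge_vlan tagged=bridge_vlan untagged=ether3 vlan-ids=40
/interface bridge vlan add bridge=bridge_vlan tagged=bridge_vlan untagged=ether4 vlan-ids=60
"""

def params(line):
    """Return the key=value pairs of one export line; quoted values may contain spaces."""
    pairs = re.findall(r'([\w.-]+)=("[^"]*"|\S+)', line)
    return {key: value.strip('"') for key, value in pairs}

def vlan_members(export, bridge):
    """Map VLAN id -> set of member ports on `bridge` (single ids or comma lists only)."""
    members = defaultdict(set)
    for line in export.splitlines():
        p = params(line)
        if p.get("bridge") != bridge:
            continue
        if line.startswith("/interface bridge vlan add"):
            ports = p.get("tagged", "").split(",") + p.get("untagged", "").split(",")
            for vid in p["vlan-ids"].split(","):
                members[int(vid)].update(port for port in ports if port)
        elif line.startswith("/interface bridge port add"):
            # Assumed model: a bridge port joins its PVID VLAN as an untagged member.
            members[int(p.get("pvid", 1))].add(p["interface"])
    return dict(members)

def vlans_missing_on(export, bridge, port, wanted):
    """Return the VLAN ids from `wanted` that `port` is not a member of."""
    members = vlan_members(export, bridge)
    return [vid for vid in wanted if port not in members.get(vid, set())]

if __name__ == "__main__":
    print(vlans_missing_on(EXPORT, "bridge_vlan", "ether1", [5, 10, 40, 60]))
```

Run against the quoted lines, the audit reports that ether1, the port commented as the trunk to crs328, is a member of none of VLANs 5, 10, 40 and 60, while the access ports and virtual SSIDs are members of their PVID VLANs.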