mikrochad
just joined
Topic Author
Posts: 9
Joined: Sun Mar 17, 2024 8:10 pm

Setting up VLANs on RB5009 with an ASUS RT-AX88U Pro as access point

Sun Mar 24, 2024 10:41 pm

I am new to Mikrotik and VLANs.

I had a simple setup with the ISP-provided modem/gateway plus an ASUS router set up in "Access Point" mode. The network was "flat", a single subnet.

After a few weeks of researching, reading, etc. I opted to get an RB5009 Mikrotik, based on the great reviews, flexibility, etc. I knew it would be a learning curve and I tried my best to spend the last 2 weekends reading documentation, forum posts, and viewing videos.

I got the RB5009 working as a router, keeping everything else the same (i.e. single subnet).

I am now trying to expand the configuration with the goal of adding a few VLANs. Since I have an RB5009, I think I need to use "Router on a Stick" (ROAS) and configure physical interfaces with VLANs.

I am also trying to make use of the ASUS router (RT-AX88U Pro), configuring VLANs per SSIDs.

My expectation was that if I configured the VLANs correctly, I would have a trunk between ether7 on the RB5009 and LAN1 on the AX88UPro. With that in mind, I also expected clients connecting on either of the 2 "guest" SSIDs on the ASUS to be able to "see" the DHCP servers I set up on the RB5009 via the LAN1 (ASUS) trunk to the ether7 port on the RB5009.

But that is not occurring... no IP obtained on the wireless clients. And I do not know if this is because of an issue on the RB5009 or on the AX88UPro or both.

I do not even know if this can work at all! Maybe I need to buy a different type of AP (another Mikrotik or something else with a more robust VLAN/SSID setup option).

Here is the RB5009 exported config:
# 2024-03-24 16:19:18 by RouterOS 7.11.3
# software id =
#
# model = RB5009UG+S+
# serial number =
/interface bridge
add name=VLAN-BRIDGE-VL10-HOME
add name=VLAN-BRIDGE-VL20-GUEST1
add name=VLAN-BRIDGE-VL25-GUEST-2
add admin-mac=78:9A:18:BB:C3:66 auto-mac=no comment=defconf name=main-bridge
/interface ethernet
set [ find default-name=ether3 ] comment="ether3 NOT in main bridge"
set [ find default-name=ether7 ] comment=\
    "NOT in main bridge, but has 3 VLANs for a trunk for AX88UPro"
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=ether7 name=VLAN_10_E7 vlan-id=10
add interface=ether7 name=VLAN_20_E7 vlan-id=20
add interface=ether7 name=VLAN_25_E7 vlan-id=25
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_vlan10_home ranges=172.16.10.2-172.16.10.254
add name=dhcp_vlan20-guest1 ranges=192.168.20.2-192.168.20.127
add name=dhcp_vlan25-guest2 ranges=192.168.25.128-192.168.25.254
/ip dhcp-server
add address-pool=default-dhcp interface=main-bridge lease-time=10m name=\
    defconf
add address-pool=dhcp_vlan10_home interface=VLAN-BRIDGE-VL10-HOME name=dhcp1 \
    relay=172.16.10.1
add address-pool=dhcp_vlan20-guest1 interface=VLAN-BRIDGE-VL20-GUEST1 name=\
    dhcp2 relay=192.168.20.1
add address-pool=dhcp_vlan25-guest2 interface=VLAN-BRIDGE-VL25-GUEST-2 name=\
    dhcp3 relay=192.168.25.1
/interface bridge port
add bridge=main-bridge comment=PC interface=ether2 pvid=10
add bridge=main-bridge interface=ether4 pvid=10
add bridge=main-bridge comment=\
    "AX88UPro non-tagged (access via 192.168.88.0 IP address)" interface=\
    ether5 pvid=10
add bridge=main-bridge interface=ether6
add bridge=main-bridge interface=ether8
add bridge=main-bridge comment=defconf interface=sfp-sfpplus1
add bridge=VLAN-BRIDGE-VL10-HOME interface=VLAN_10_E7 pvid=10
add bridge=VLAN-BRIDGE-VL20-GUEST1 interface=VLAN_20_E7 pvid=20
add bridge=VLAN-BRIDGE-VL25-GUEST-2 interface=VLAN_25_E7 pvid=25
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=main-bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=main-bridge network=\
    192.168.88.0
add address=192.168.1.253/24 comment="2nd WAN IP for accessing ISP gateway" \
    interface=ether1 network=192.168.1.0
add address=172.16.10.1/24 interface=VLAN-BRIDGE-VL10-HOME network=\
    172.16.10.0
add address=192.168.20.1/24 interface=VLAN-BRIDGE-VL20-GUEST1 network=\
    192.168.20.0
add address=192.168.25.1/24 interface=VLAN-BRIDGE-VL25-GUEST-2 network=\
    192.168.25.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat dst-address=192.168.1.254 to-addresses=\
    192.168.1.253
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=22022
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=Router
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Here is a network diagram:
network_diag_3.png


Am I on the right path? Is this just folly?
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Setting up VLANs on RB5009 with an ASUS RT-AX88U Pro as access point

Mon Mar 25, 2024 12:40 pm

The ASUS is a wifi router, not an access point, and it's not a business model; it's a consumer pro model.
1. Nowhere in the specs does it mention vlans or vlan tagging.
2. Nowhere in the manual does it detail assigning vlans and firewalling between vlans.

You have a hunk of junk.
I suggest looking at alternate WIFI devices that do VLANs.
If you want to look at typical consumer vendors that do provide vlans in their business access points, check out TP-Link: plug-and-play for the most part, handles vlans, and now they have wifi 7 products.
If interested in more expensive WIFI access points, check out Ubiquiti UniFi.
 
mikrochad
just joined
Topic Author
Posts: 9
Joined: Sun Mar 17, 2024 8:10 pm

Re: Setting up VLANs on RB5009 with an ASUS RT-AX88U Pro as access point

Mon Mar 25, 2024 7:24 pm

Thanks anav.

What you are saying makes sense. I thought that the VLAN support that was added via newer firmware would be enough, but it clearly isn't.

I will look at other options for APs, including TP-Link as you suggested and the Mikrotik wifi devices like the hAP ax2 or ax3.
 
mszru
Frequent Visitor
Posts: 79
Joined: Wed Aug 10, 2016 10:42 am

Re: Setting up VLANs on RB5009 with an ASUS RT-AX88U Pro as access point

Mon Mar 25, 2024 11:19 pm

Remove the relays in the DHCP server settings for your networks.

Have you read this?
After changing the ASUS operation mode to AP, set its LAN IP to 192.168.88.2 and try pinging your ASUS from the RB5009.
 
mikrochad
just joined
Topic Author
Posts: 9
Joined: Sun Mar 17, 2024 8:10 pm

Re: Setting up VLANs on RB5009 with an ASUS RT-AX88U Pro as access point

Tue Mar 26, 2024 3:24 pm

Thanks mszru.

That is the article I had read that indicated VLAN support on AX88UPro.

I actually made some progress!

I had the LAN3 port on the ASUS connected to my LAN, in order to access the AX88UPro via its LAN IP (which was already set to 192.168.88.6). This is because once I set LAN1 as TRUNK for all VLANs, I lost access to the AX88UPro, which was expected.

However, I do not know if having a port (LAN3) connected to a non-tagged network interfered with LAN1 "trunking". So I disconnected LAN3 and kept LAN1 (trunk access, all tags). I rebooted the ASUS just in case.

And then, I was able to connect to the SSID for VLAN25 and it did get an IP address from the DHCP server running on the RB5009! VLAN tagging working between AX88UPro and RB5009! With **NO** changes to the config I already shared in my opening post.

VLAN20 was not working: When I connected to the SSID "mapped" to VLAN 20 on the AX88UPro, I did not get an IP address.

So from here, I removed the relays in the DHCP server settings, as suggested by mszru. I do not know why those were there. But they are gone now.

And now SSID mapped to VLAN20 also works!

All of that is good news, but I still do not fully understand how VLAN works on AX88UPro. I'll post the questions/issues that I have once I get a chance to take some screenshots.
 
mikrochad
just joined
Topic Author
Posts: 9
Joined: Sun Mar 17, 2024 8:10 pm

Re: Setting up VLANs on RB5009 with an ASUS RT-AX88U Pro as access point

Tue Mar 26, 2024 3:38 pm

This is the config on the AX88UPro:
asus_1.png
asus_2.png

Issue #1: I had defined an SSID under the "Wireless" section (first screenshot, red highlight) named GUP_WIFI. This SSID appears to **NOT** be tagged at all and thus does not work via the LAN1 trunk port. That is expected, but.... how do I add a VLAN tag to that one? I wanted to make that the "Home" VLAN (VID = 10). But I do not see how. I added a VLAN Profile for VLAN VID = 10, but I do not see a way to "map" it to the wireless network definition under Wireless (the GUP_WIFI SSID).

I think I might need to define all VLAN SSIDs via the "Guest Network Pro" interface/page and remove the one on the Wireless interface/page.

This is still not ideal because the WiFi password you can define under "Guest Network Pro" interface/page is buggy. It removes spaces and restricts the length to a much shorter string. I do not know why. Seems wrong and buggy.


Issue #2: Understanding the terminology ASUS uses.

"Guest Network Pro" interface/page has a page filename of SDN.asp
LAN -> VLAN has a page filename of Advanced_VLAN_Switch_Content.asp
LAN -> VLAN - Profile has a page filename of Advanced_VLAN_Profile_Content.asp

The only page that seems to be fairly clear is Advanced_VLAN_Switch_Content.asp. It is simple, yet limited.
SDN.asp and Advanced_VLAN_Profile_Content.asp seem to overlap and be somewhat redundant. It is also limited in what you can see and define.


I am still considering switching off the ASUS and onto an AP with proper VLAN support. The ASUS is still tempting because (1) it is supposed to be a good AX/WIFI6 router (4x4) overall, (2) ASUS seems to be adding VLAN support, albeit buggy and limited, (3) I already have the device, (4) I have used an AC68U for a while and "know" the interface, and (5) they are relatively cheap if I want to get another one of the same.


Since this is a MikroTik forum, I am doubtful I will get answers on the ASUS questions, so I will need to cross-post those into some ASUS support forum.
 
CGGXANNX
Frequent Visitor
Posts: 64
Joined: Thu Dec 21, 2023 6:45 pm

Re: Setting up VLANs on RB5009 with an ASUS RT-AX88U Pro as access point

Tue Mar 26, 2024 9:05 pm

Regardless of the configurations that need to be done on the RT-AX88U, you need to rework the VLAN configuration on your RB5009. You are currently not following the best practice, which is to use Bridge VLAN Filtering with only one bridge, and to put the VLAN interfaces under that bridge:

https://help.mikrotik.com/docs/display/ ... NFiltering

See also viewtopic.php?p=781603. You are wasting the hardware offloading features of the RB5009 with your current configuration.
 
mikrochad
just joined
Topic Author
Posts: 9
Joined: Sun Mar 17, 2024 8:10 pm

Re: Setting up VLANs on RB5009 with an ASUS RT-AX88U Pro as access point

Wed Mar 27, 2024 1:57 am

Thanks for pointing that out CGGXANNX.

I am aware of that... to a degree. I read the issue as being related to some MikroTik devices where you want traffic to "stay" within the "switch chip" and avoid it going through the CPU. But I thought it would either not apply or be of no significant consequence if I use this type/style of VLAN configuration on a router (RB5009). If this is not a correct understanding, please let me know.

The reason I liked that style is that I plan to add more trunk ports to the RB5009 and wanted to have 1 bridge per VLAN, combining the "Interface-VLAN" records under the same bridge.

Example:

Create VLANs for another trunk port:

/interface vlan
add interface=ether8 name=VLAN_10_E8 vlan-id=10
add interface=ether8 name=VLAN_20_E8 vlan-id=20
add interface=ether8 name=VLAN_30_E8 vlan-id=30
add interface=ether8 name=VLAN_40_E8 vlan-id=40
add interface=ether8 name=VLAN_99_E8 vlan-id=99

[ . . . ]

/interface bridge port
add bridge=VLAN-BRIDGE-VL10-HOME interface=VLAN_10_E8 pvid=10
add bridge=VLAN-BRIDGE-VL20-GUEST1 interface=VLAN_20_E8 pvid=20
add bridge=VLAN-BRIDGE-VL30-WORK interface=VLAN_30_E8 pvid=30
add bridge=VLAN-BRIDGE-VL40-IOT interface=VLAN_40_E8 pvid=40
add bridge=VLAN-BRIDGE-VL99-MGMT interface=VLAN_99_E8 pvid=99


Etc.


But, if this causes issues, I am willing to change it to whatever is recommended.
 
mszru
Frequent Visitor
Posts: 79
Joined: Wed Aug 10, 2016 10:42 am

Re: Setting up VLANs on RB5009 with an ASUS RT-AX88U Pro as access point

Wed Mar 27, 2024 1:33 pm

The modern way of dealing with VLANs is "Bridge VLAN Filtering". Follow the link posted by @CGGXANNX earlier to get more details. There you'll also find some configuration examples.

The idea is that you use just one bridge, add all ether ports to that bridge and then in the Bridge\VLANs define all your VLANs and tagged ports. Then set PVID (VLAN number) in the Bridge\Ports window for all your access ports. Finally enable bridge VLAN filtering. Be careful and use Safe Mode as enabling filtering may kick you out of Winbox.

If you need any IP services for your VLANs or routing between VLANs, create corresponding VLAN interfaces on top of the bridge and assign IP, setup DHCP, etc. for the VLAN interface. Then in the firewall you may use those VLAN interfaces to limit traffic between them if needed (e.g. drop forward from guest to home VLAN).
 
mikrochad
just joined
Topic Author
Posts: 9
Joined: Sun Mar 17, 2024 8:10 pm

Re: Setting up VLANs on RB5009 with an ASUS RT-AX88U Pro as access point

Thu Mar 28, 2024 4:01 am

Thank you mszru and CGGXANNX.

I am working on changing the config to use a single bridge.

I also got a hAP ax2 to test out as a WiFi AP. I'll report back once I have time to make the changes.
 
mikrochad
just joined
Topic Author
Posts: 9
Joined: Sun Mar 17, 2024 8:10 pm

Re: Setting up VLANs on RB5009 with an ASUS RT-AX88U Pro as access point

Sat Mar 30, 2024 3:07 am

I changed the RB5009 configuration to a single bridge, with access and trunk ports configured within the switch. Much cleaner now.

The new config worked with the AX88UPro without changes on it, which sort of confirms the new configuration is sound.

However, I also configured the hAP ax2. I read pcunite's awesome post here: viewtopic.php?t=143620#p706999

I ended up "converting" the various /interface wireless to the /interface wifi "equivalents" and I am up and running with 2 SSIDs each in its own VLAN; one for home and another for guest.

While the setup was a bit complex, it is soooooo much more powerful. I cannot go back to AX88UPro.

I also got a TP-Link EAP670, based on many recommendations on ease of setup and good performance. Setup was indeed trivial. I have not tested performance yet.

The hAP ax2 for the size, features, and price is quite remarkable. I will keep it as a 2nd AP, as I think I need more than one for the area I want to cover.

Anyways, thanks to everyone who helped me get this far.
 
mikrochad
just joined
Topic Author
Posts: 9
Joined: Sun Mar 17, 2024 8:10 pm

Re: Setting up VLANs on RB5009 with an ASUS RT-AX88U Pro as access point

Mon Apr 01, 2024 5:48 am

I am trying to get the "BASE"/MGMT/Management vlan working, but I do not know what I am doing wrong.

MGMT is vlan 99. Using 10.99.99.0/24. DHCP setup for it.

I want to connect a PC to ether4 so that the PC is in vlan 99 and then I can see/access the various devices in that vlan, like the router .1 and access points .3 and .4.

But when I connect the PC to ether4, I do not get an IP in the 10.99.99.0/24 subnet.

Latest config:
# 2024-03-31 22:32:26 by RouterOS 7.14.2
#
# model = RB5009UG+S+
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] comment="Not in bridge"
set [ find default-name=ether8 ] comment="Not in bridge"
/interface vlan
add interface=bridge name="Guest - vlan 20" vlan-id=20
add interface=bridge name="Home - vlan 10" vlan-id=10
add interface=bridge name="IoT - vlan 40" vlan-id=40
add interface=bridge name="MGMT-vlan 99" vlan-id=99
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.20-192.168.88.254
add name=dhcp_vlan20-guest ranges=192.168.20.20-192.168.20.254
add name=dhcp_vlan40-iot ranges=192.168.40.20-192.168.40.254
add name=dhcp_vlan99-mgmt ranges=10.99.99.20-10.99.99.254
add name=dhcp_vlan10-home ranges=172.16.10.20-172.16.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=\
    "Default - DHCP"
add address-pool=dhcp_vlan99-mgmt interface="MGMT-vlan 99" name="MGMT - DHCP"
add address-pool=dhcp_vlan20-guest interface="Guest - vlan 20" name=\
    "Guest - DHCP"
add address-pool=dhcp_vlan40-iot interface="IoT - vlan 40" name="IoT - DHCP"
add address-pool=dhcp_vlan10-home interface="Home - vlan 10" name=\
    "Home - DHCP"
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=bridge comment=PC interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment="Access Port to VLAN 99 (MGMT)" interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment="Port to unmanaged switch" interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge interface="Home - vlan 10" internal-path-cost=10 path-cost=\
    10 pvid=10
add bridge=bridge interface="Guest - vlan 20" internal-path-cost=10 \
    path-cost=10 pvid=20
add bridge=bridge interface="IoT - vlan 40" internal-path-cost=10 path-cost=\
    10 pvid=40
add bridge=bridge interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge interface=sfp-sfpplus1
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=ether7,sfp-sfpplus1,bridge vlan-ids=10
add bridge=bridge tagged=ether7,sfp-sfpplus1,bridge vlan-ids=20
add bridge=bridge tagged=ether7,bridge,sfp-sfpplus1 vlan-ids=40
add bridge=bridge tagged=sfp-sfpplus1,bridge untagged=ether4 vlan-ids=99
add bridge=bridge tagged=sfp-sfpplus1,bridge vlan-ids=30
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface="MGMT-vlan 99" list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.1.253/24 comment="2nd WAN IP for accessing ISP gateway" \
    interface=ether1 network=192.168.1.0
add address=172.16.10.1/24 interface="Home - vlan 10" network=172.16.10.0
add address=192.168.20.1/24 interface="Guest - vlan 20" network=192.168.20.0
add address=192.168.40.1/24 interface="IoT - vlan 40" network=192.168.40.0
add address=10.99.99.1/24 interface="MGMT-vlan 99" network=10.99.99.0
add address=192.168.88.9/24 comment=\
    "Need to test what happens when I connect to ether 3" interface=ether3 \
    network=192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat dst-address=192.168.1.254 to-addresses=\
    192.168.1.253
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=22022
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=Router
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I tried assigning /interface bridge port ether4 vid=99, but that does not work either. I get locked out of the router.

There is another managed switch (MokerLink 2G04210GSMX for eventual PoE for APs) in between .3 (hAP ax2) and .4 (hAP ax3) via trunk port sfp-sfpplus1. The wireless networks on the ax2 and ax3 work fine via the trunk port (DHCP, internet, etc.). But I just cannot ping or access 10.99.99.3 or 10.99.99.4 via a PC connected to ether4, which is supposed to be the access port for vlan99.

I am sure this is user error. I just cannot pinpoint where I messed up the configuration.
 
CGGXANNX
Frequent Visitor
Posts: 64
Joined: Thu Dec 21, 2023 6:45 pm

Re: Setting up VLANs on RB5009 with an ASUS RT-AX88U Pro as access point

Mon Apr 01, 2024 10:13 am

I think under /interface bridge port you need to set pvid of port ether4 to 99 (instead of the default value of 1). That port will then be an access port for VLAN ID 99. While you are there, also set frame-types=admit-only-untagged-and-priority-tagged for that port.

It's not enough to set "untagged=ether4" for the "vlan-ids=99" under /interface bridge vlan. In fact, if you already set pvid of ether4 to 99, you aren't required to put "untagged=ether4" for that entry.

Also under /ip dhcp-server network there is no corresponding entry for the MGMT-vlan 99 network (10.99.99.0/24)?
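
As an added example (not from the thread, and not MikroTik's own configuration), here is the single-bridge layout mszru describes earlier, with the access-port pvid, frame-types and missing /ip dhcp-server network details from this reply, written out as RouterOS commands using this thread's VLAN IDs, subnets and ports. The interface names, the MGMT interface list, ether7 standing in for the AP trunk, and the guest/MGMT firewall rules are assumptions; the rules are appended after the default firewall and rely on its existing rules being present.

```routeros
# Added example, not from the thread: RB5009 with one bridge and VLAN filtering.
# Apply in Safe Mode (Ctrl-X in the CLI) so a lock-out reverts on its own.

/interface bridge
add name=bridge vlan-filtering=no comment="single bridge; enable filtering last"

# Every LAN-facing port joins the one bridge. Access ports carry their VLAN as
# pvid and admit only untagged frames; the AP trunk admits only tagged frames.
# No separate per-VLAN bridge and no /interface vlan on a physical port.
/interface bridge port
add bridge=bridge interface=ether2 pvid=10 comment="PC, access VLAN 10 (Home)" \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether4 pvid=99 comment="Access port, VLAN 99 (MGMT)" \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether7 comment="Trunk to AP, tagged 10/20/99" \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes

# Bridge VLAN table: which ports carry each VLAN tagged. "bridge" itself is
# tagged so the router's own VLAN interfaces below can take part. Access ports
# need no untagged= entry here; RouterOS derives it from their pvid.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether7 vlan-ids=10
add bridge=bridge tagged=bridge,ether7 vlan-ids=20
add bridge=bridge tagged=bridge,ether7 vlan-ids=99

# Layer-3 presence per VLAN lives on the bridge, so switching stays offloaded.
/interface vlan
add interface=bridge name=vlan10-home vlan-id=10
add interface=bridge name=vlan20-guest vlan-id=20
add interface=bridge name=vlan99-mgmt vlan-id=99
/ip address
add address=172.16.10.1/24 interface=vlan10-home
add address=192.168.20.1/24 interface=vlan20-guest
add address=10.99.99.1/24 interface=vlan99-mgmt

# DHCP needs three pieces per VLAN: pool, server bound to the VLAN interface,
# and the /ip dhcp-server network entry that was missing for VLAN 99 above.
/ip pool
add name=pool-home ranges=172.16.10.20-172.16.10.254
add name=pool-guest ranges=192.168.20.20-192.168.20.254
add name=pool-mgmt ranges=10.99.99.20-10.99.99.254
/ip dhcp-server
add name=dhcp-home interface=vlan10-home address-pool=pool-home
add name=dhcp-guest interface=vlan20-guest address-pool=pool-guest
add name=dhcp-mgmt interface=vlan99-mgmt address-pool=pool-mgmt
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1 dns-server=172.16.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=10.99.99.0/24 gateway=10.99.99.1 dns-server=10.99.99.1

# Routed traffic arrives on the VLAN interface, not on "bridge", so each VLAN
# interface must be in LAN or the default "drop all not coming from LAN" input
# rule blocks DHCP and DNS. MGMT (assumed list name) is the only list allowed
# to manage the router.
/interface list
add name=MGMT
/interface list member
add interface=vlan10-home list=LAN
add interface=vlan20-guest list=LAN
add interface=vlan99-mgmt list=LAN
add interface=vlan99-mgmt list=MGMT
/ip firewall filter
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53,67 \
    comment="DHCP and DNS from every VLAN"
add chain=input action=accept in-interface-list=MGMT comment="Router management only from MGMT"
add chain=input action=drop in-interface-list=LAN comment="No management from other VLANs"
add chain=forward action=drop in-interface=vlan20-guest out-interface=vlan10-home \
    comment="Guest may not reach Home"
add chain=forward action=drop in-interface=vlan20-guest out-interface=vlan99-mgmt \
    comment="Guest may not reach MGMT"

# Last step, still in Safe Mode: turn filtering on, then check that the
# learned MACs appear with the expected VID before leaving Safe Mode.
/interface bridge set [ find name=bridge ] vlan-filtering=yes
/interface bridge host print
```

A client on ether4 should now lease from 10.99.99.0/24 and its MAC should show VID 99 in the host table; if the ether4 entry shows VID 1, the pvid was not applied.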
 
mikrochad
just joined
Topic Author
Posts: 9
Joined: Sun Mar 17, 2024 8:10 pm

Re: Setting up VLANs on RB5009 with an ASUS RT-AX88U Pro as access point

Mon Apr 01, 2024 4:47 pm

Thanks CGGXANNX.

I had tried setting /interface bridge port pvid of port ether4 to 99. But it did not work; specifically, I did not get an IP address at all. I was indeed missing the /ip dhcp-server network entry for the MGMT vlan network of 10.99.99.0/24. I had looked around DHCP settings, but did not notice that.

I now get an IP on 10.99.99.0/24 network when I connect to ether4 port.

But I still cannot access other hosts in that MGMT network. Specifically, there is another MikroTik device with IP 10.99.99.4 which I cannot reach from either the PC on ether4 or the RB5009 router itself.

UPDATE: Once again, having more than 1 cable plugged into a device caused issues. I have been doing this as a way to continue to access devices that will ultimately be managed via the MGMT vlan from "vlan 1". This appears to create problems, perhaps because packets would not be sent to the correct port? In this case, I had a cable from an unmanaged switch that went into the RB5009 ether6 port which is currently Untagged vlan 1. That was going into the MokerLink between the RB5009 and the MikroTik device with IP 10.99.99.4. As soon as I unplugged that connection, all worked via MGMT vlan access port (ether4 on RB5009)! I am sure this is a noob mistake. I was only doing that because I did not have MGMT vlan working as intended. Now that I have, I no longer need to use these "extra cable connections" and hopefully avoid this type of issue in the future.
 
jkprice
just joined
Posts: 1
Joined: Tue Jan 09, 2024 9:02 pm

Re: Setting up VLANs on RB5009 with an ASUS RT-AX88U Pro as access point

Wed Apr 17, 2024 8:05 pm

Do you have a reworked network diagram with your second version of the configuration shared, or might you possibly have a new config/diagram you can share? I'm pretty sure the weeks I've spent searching "RB5009 and non-mikrotik access points" is about to pay off... I may have questions; however, I'd like to try and solve them myself. Thanks Mikrochad and thread-commenters, thank you.
Last edited by jkprice on Wed Apr 17, 2024 8:47 pm, edited 1 time in total.
