I have two MikroTik router boards: (a) HAP AC and (b) HAP AC2. I have been using HAP AC as my home router without issues for the past two months.
However, when I recreated my configuration on HAP AC2 (export from HAP AC and rerun on AC2 via terminal) I’ve found that two Ethernet ports are shown as disabled, along with one of the wifi endpoints, namely ether5-VMLAB, ether2-OPEN and plan-guest.
I think I’m doing something wrong and it’s not a hardware-related issue. I’d appreciate help.
Here is my AC2 config (passwords removed) for reference:
Yeah, it’s really easy to walk away and resort to simplistic solutions, isn’t it?
I have this configuration working perfectly on the HAP AC, so I know that this works. Plus this is what I need to have segmentation in my network and have multiple LANs.
Unless you were pointing me to another way of doing the same thing? Your answer isn’t specific and does not contribute to anything useful. Care to elaborate?
Without a config I can only speculate and I leave that to the illogical and paranoid!
But if you insist, I suggest you plug in ethernet cables (with active devices on the other ends) to the disabled ports and they should come up right away.
Without a config? I hope you can see the entire config I posted here.
I plugged in the Ethernet with working computers in all ports to check. And they did not start working.
Had a brief look at your config.
Potential issues:
1. You have assigned two subnets to the same bridge, this is not good LOL
/ip address
add address=192.168.88.1/24 comment=defconf interface**=bridge** network=192.168.88.0
add address=192.168.9.1/24 comment=defconf interface**=bridge** network=192.168.9.0
2. You have assigned VLAN40 to eth3, one of the bridge ports on the bridge, however there is no subnet defined for the vlan**???**
This leads to mass confusion as one asks if the VLAN is for the entire bridge (eth4 and both bridge wlans??) or just for the eth3 port.
3. One bridge port setting for the bridge makes no sense to me… add bridge=bridge interface=wlan-router**???**
4. The bridge port setting for the wlans on the bridge may require pvid settings if they are on vlan40, and certainly WLAN5 has that indication, so remove it from the wireless rule and add it to the bridge port setting along with admit only untagged and priority tagged frames and ingress filtering=yes. Strangely wlan2 has no vlan 40 assignment? On purpose?
5. Where did this address line come from? It’s not tied to anything - no ip pool
add address=192.168.9.0/24 comment=defconf gateway=192.168.9.1**???**
well other than this and not sure this is an allowed designation
6. /ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.9.1 name=router.lan
7. You don’t assign a vlan as Bridge port Interface…
add bridge=bridge-main-lan interface=vlan-main-lan**??**
8. How do you intend to give WLAN IOT and WLAN GUEST their separate DHCP service? They are both running off WLAN2 which is the main-lan bridge??
My overall assessment stands, your config is a confusing mess and now more evidently full of errors.
Suggest a makeover is necessary.
Use one bridge and create vlans for necessary subnets.
Ok so first of all thanks for taking the time to go through the config. It wasn’t an easy question to ask.
I was trying to create a home networking setup with three different subnets that are selectively allowed to talk to each other. Here is a diagram of the network I was trying to implement https://imgur.com/a/8Gigo1y.
As you can see, I want three different subnets for specific purpose as shown. I’m not a networking guru, everything I learned about RouterOS was by watching YouTube videos. Most of the videos are not in English, so I found only one series that was good and explained MikroTik configurations in easy to understand language: https://www.youtube.com/watch?v=1ZJ-pM89N7o
If I don’t create one bridge per subnet as shown in the config, then how can I create the separate subnets I need?
Okay a couple of things from your diagram.
Don’t use VLAN1, let’s make it vlan10
Why is your VM vlan the same as a guest wifi-vlan?
Assuming you want your homevlan network to include the 2K photo and NAS?
Assuming that the switch you have is a managed switch?
1 - One bridge, call it home-bridge
2 - Four VLANs, Vlan2-home, Vlan3-Guest, Vlan4-VM, Vlan10-iot with interface being the bridge
3 - Router config Trunk Port ether1 (all vlans tagged)
4 - Switch config Trunk Port ether1 from router (tagged with all VLANs), Trunk port ether2 to WAP(tagged with VLANs 2,3,10), Access port ether3 to 2K (vlan2), Access port ether4 to NAS(vlan2), Access port ether5 to VM(vlan4)
Networks required for
Home subnet - with interface vlan2
Guest subnet - with interface vlan3
VM subnet -with interface vlan4
iot subnet - with interface vlan10
WAP (use default AP-wisp mode)
Create Bridge - call it wifi-bridge
Create vlans 2,3,10 with interface wifi-bridge
Bridge ports- are
wlan1 for home WIFI, pvid=2 allow untagged priority packets ingress filtering=yes
wlan2 for iot-wifi pvid=10 allow untagged priority packets ingress filtering=yes
wlan3 (if you have three chains) if not suggest you create a virtual AP using the home wifi wlan1 as the master interface.
pvid=3 allow untagged priority packets ingress filtering=yes
Bridge interface vlans
one line for vlan2 id untagged is WLAN1, tagged is bridge
one line for vlan3 id untagged is WLAN2, tagged is bridge
one line for vlan10 id untagged is WLAN3, tagged is bridge
That with the article should get you to a happier place.
When all done you can post your config
/export hide-sensitive file=yourconfigmar21
don’t forget to use safe mode
and the last step is to go to bridge and enable vlan filtering
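The one-bridge layout from the steps above, written out as RouterOS commands. This is an added example, not the advisor's own config: it assumes ether1 stays the WAN uplink (as in the original config), ether2 is the trunk toward the managed switch, ether3 is a local access port in the home VLAN, and the subnets are constructed.

```routeros
# Added example (not from the thread): one-bridge VLAN layout from the advice above.
# Assumptions: ether1 stays the WAN uplink, ether2 is the trunk toward the managed
# switch, ether3 is a local access port for the home VLAN, subnets are constructed.
/interface bridge
add name=home-bridge vlan-filtering=no
/interface bridge port
# trunk: carries every VLAN tagged and never accepts untagged frames
add bridge=home-bridge interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# access port: untagged frames land in VLAN 2, tagged frames are dropped
add bridge=home-bridge interface=ether3 pvid=2 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
# the bridge itself is "tagged" so the router's VLAN interfaces can see each VLAN
add bridge=home-bridge tagged=home-bridge,ether2 untagged=ether3 vlan-ids=2
add bridge=home-bridge tagged=home-bridge,ether2 vlan-ids=3
add bridge=home-bridge tagged=home-bridge,ether2 vlan-ids=4
add bridge=home-bridge tagged=home-bridge,ether2 vlan-ids=10
/interface vlan
add interface=home-bridge name=Vlan2-home vlan-id=2
add interface=home-bridge name=Vlan3-Guest vlan-id=3
add interface=home-bridge name=Vlan4-VM vlan-id=4
add interface=home-bridge name=Vlan10-iot vlan-id=10
/ip address
add address=192.168.2.1/24 interface=Vlan2-home
add address=192.168.3.1/24 interface=Vlan3-Guest
add address=192.168.4.1/24 interface=Vlan4-VM
add address=192.168.10.1/24 interface=Vlan10-iot
/ip pool
add name=pool-home ranges=192.168.2.100-192.168.2.200
add name=pool-guest ranges=192.168.3.100-192.168.3.200
add name=pool-vm ranges=192.168.4.100-192.168.4.200
add name=pool-iot ranges=192.168.10.100-192.168.10.200
/ip dhcp-server
add name=dhcp-home interface=Vlan2-home address-pool=pool-home disabled=no
add name=dhcp-guest interface=Vlan3-Guest address-pool=pool-guest disabled=no
add name=dhcp-vm interface=Vlan4-VM address-pool=pool-vm disabled=no
add name=dhcp-iot interface=Vlan10-iot address-pool=pool-iot disabled=no
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1
add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=192.168.3.1
add address=192.168.4.0/24 gateway=192.168.4.1 dns-server=192.168.4.1
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
# last step, once everything above is in place (do it inside safe mode)
/interface bridge
set home-bridge vlan-filtering=yes
```

Until the final line is applied the bridge still forwards everything untagged, so check /interface bridge vlan print for a row per VLAN before switching vlan-filtering on.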
Ok I did exactly that. Thank you for pointing me to those pages that gave me the configuration examples. Honestly, I didn’t know any better why I would need one bridge vs two or three. I still don’t, but now I got to configure clean separation one way. Look at my config at the bottom and let me know what you think. Also, check out the diagram I made that shows the topology of my config: https://imgur.com/a/XyZxwMV
So this setup is working fine now. But I do have a few questions that I want to ask and some things I want to tinker with. So I’d appreciate if you can provide some guidance:
In the example article http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 I took the second example and created my config using the RouterSwitchAP.rsc file. I don’t quite understand why this configuration is needed. I’m thinking that this might be a management LAN, but I don’t see any IP addresses being assigned in the 192.168.0.x range anywhere.
#######################################
# IP Addressing & Routing
#######################################
# LAN facing router's IP address on a BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.1/24 interface=BASE_VLAN
As you can see from my diagram, I now have a switch connected into ether5. Right now this switch is just another device on the router connected to VLAN 50. So any device I plug into the switch will be on VLAN 50 as well. That is fine. But how would I configure this so that each port on the switch can be on a specific VLAN? Like port 2 on VLAN 10, port 3 on VLAN 50, port 4 on VLAN 70 etc? I have to follow the first example here, I know, but it’s now going above my understanding of the configuration of routers and switches; I had to study what PVID is and why it’s necessary. I’m not coming from a deep network config background. Maybe I’ll add another VLAN-aware switch on ether2 on the router for this for a clean config. But I still need to know how to do this.
How do I limit Winbox and SSH to specific ether port & WLAN SSID on the router? I don’t want people being able to connect to my master config from anywhere.
How do I allow SSH and network traffic from VLAN 10 (HOME_VLAN) to be able to go into other VLANs but block from other VLANs to go into any other VLAN? Right now I cannot go into any other VLAN, the cross VLAN traffic is blocked by firewall. I want to selectively allow it.
How do I block all traffic originating outside from WAN to come into my networks? Is this already the case? If yes, how is this controlled?
I don’t know why it’s saying that my Ethernet ports are locked at 100Mbps only in my config. I did no such thing. How do I lift this limitation?
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN speed=100Mbps
set [ find default-name=ether2 ] name=ether2-OPEN speed=100Mbps
set [ find default-name=ether3 ] name=ether3-WIN-WRKST speed=100Mbps
set [ find default-name=ether4 ] name=ether4-NAS speed=100Mbps
set [ find default-name=ether5 ] name=ether5-SWITCH speed=100Mbps
Thanks in advance for the support. Please point me to more articles/examples of MikroTik config.
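One way to implement the three management and traffic questions above (management reachable only from the home network, HOME_VLAN allowed into the other VLANs but not the reverse, nothing unsolicited from WAN). This is an added example, not part of the thread or of the linked article: it assumes ether1-WAN and HOME_VLAN (VLAN 10, on 192.168.10.0/24) from the posted config, and GUEST_VLAN and IOT_VLAN are assumed names for the other VLAN interfaces.

```routeros
# Added example (not from the thread): restrict management and control inter-VLAN
# traffic. Assumes ether1-WAN and HOME_VLAN (VLAN 10, 192.168.10.0/24) from the
# posted config; GUEST_VLAN and IOT_VLAN are assumed names for the other VLAN interfaces.
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface list member
add list=WAN interface=ether1-WAN
add list=LAN interface=HOME_VLAN
add list=LAN interface=GUEST_VLAN
add list=LAN interface=IOT_VLAN
add list=MGMT interface=HOME_VLAN
# 1) Winbox and SSH answer only to HOME_VLAN addresses; unused services are switched off
/ip service
set winbox address=192.168.10.0/24
set ssh address=192.168.10.0/24
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=MGMT protocol=tcp dst-port=22,8291 comment="Winbox/SSH only from HOME_VLAN"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS for all VLANs"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53
add chain=input action=accept in-interface-list=LAN protocol=icmp
add chain=input action=drop comment="everything else, including anything arriving from WAN"
# forward chain: traffic passing through the router between interfaces
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=HOME_VLAN comment="HOME_VLAN may open connections to any VLAN and to WAN"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="other VLANs reach the internet only"
add chain=forward action=drop comment="drops VLAN-to-VLAN from non-HOME VLANs and unsolicited WAN-to-LAN"
```

Rules are evaluated top down, so the two final drops must stay last; apply this in safe mode from a HOME_VLAN host so a mistake cannot lock you out of the router.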