3 VLANs with 2 RouterBoards - find the problem in the configuration?

Hi,
I have 2 RouterBoards, an RB751G called RTR1 acting as the main WAN router and a hAP ac (RB962UiG) called AP7 acting as my access point. With a single VLAN everything works fine: the access point is a DHCP client and all wireless clients on the same subnet have access.

I read through the local VLAN guides with examples and decided to divide my network to also provide a guest wireless network with a separate management VLAN, but unfortunately I have not been successful yet.

What works:

  • Internet on the main router RTR1 works fine (both wireless and wired)
  • DHCP works on all the VLANs: connecting directly to the main router RTR1 and also via AP7, both wired and wireless, gives me the correct IP address from the appropriate range

What does not work:

  • no client (wired or wireless) behind AP7 is able to connect anywhere, and cannot even ping its own gateway, although all receive the correct IP address from DHCP
  • the AP7 access-point bridge receives a management VLAN IP address for itself, but cannot ping the main router's management IP and cannot ping the Internet

I created a diagram of the network, including the port numbers and VLANs. Any help is greatly appreciated.
home_network.png
r01_export_v01.rsc (6.09 KB)
ap7_export_v01.rsc (5.53 KB)

The best guide regarding VLANs is:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Make sure you read this over to cement your understanding!!!

Will look at the configs soon.

Router Config:
(1) I am a bit lazier than you on the bridge ports (which define ingress behaviour); for the router I normally only add ingress-filtering=yes for trunk ports, and frame-types=admit-only-untagged-and-priority-tagged for access ports. Works fine either way.

(2) You did miss setting the pvid on port 5 though.
add bridge=BR1 comment=settop-box frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=10

(3) I am curious about this setting on a wired-only router ;-P, which needs to be removed:
add bridge=BR1 interface=wlan1 pvid=99

(4) Your bridge vlan settings are a bit off.
Normally you separate each line by vlan-ids, but in your case, with a single trunk, it is very doable to combine them; it is weird that you combined two and not the third, though.
/interface bridge vlan
From
add bridge=BR1 tagged=BR1,ether3-TRUNK vlan-ids=10,20
add bridge=BR1 tagged=BR1,ether3-TRUNK vlan-ids=99
To
add bridge=BR1 tagged=BR1,ether3-TRUNK vlan-ids=10,20,99

However, you also have vlan 10 going to other ports, so you cannot combine vlan 10. Furthermore, you forgot to define the other egress (access ports), so it should look more like
add bridge=BR1 tagged=BR1,ether3-TRUNK vlan-ids=20,99
add bridge=BR1 tagged=BR1,ether3-TRUNK untagged=ether2,ether4,ether5 vlan-ids=10

(5) Interface lists… are good to use, but…
Items in red are mythical creatures that don't exist.
Items in green are not useful duplicates.
The list entries by VLAN are the good ones and define all that is required.
I would not necessarily have an interface list (other than the defaults) that contains only one interface; they help with multiple entries for the most part!!

/interface list member
add interface=BR1 list=LAN
add interface=ether1-WAN list=WAN
add interface=wlan1 list=MGMT
add interface=VLAN99_MGMT list=MGMT ???
add interface=VLAN10_HOME list=LAN
add interface=VLAN20_GUEST list=LAN
add interface=VLAN99_MGMT list=LAN
add interface=ether2 list=LAN
add interface=ether3-TRUNK list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN

add interface=wlan1 list=LAN

(6) Firewall address list - what are you trying to accomplish here ???
/ip firewall address-list
add address=185.125.X.X list=blckaccess AND
add action=drop chain=forward comment="Block Access" dst-address-list=blcksafran src-address=0.0.0.0/0

(7) Input chain FW rules look good! The only question is the intent of these two rules… it is not clear in my mind what you are trying to accomplish??
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
add action=accept chain=input comment="Allow Mgmt_Vlan Full Access" in-interface=VLAN99_MGMT

The only person that needs access to the router itself to configure the router is the Admin.
So I create a firewall address list
add address=IP (my desktop-static) list=adminaccess
add address=IP (my laptop or ipad -static) list=adminaccess

and thus only need a single rule
add action=accept chain=input in-interface=VLAN99_MGMT (or whichever subnet my devices are on) src-address-list=adminaccess

(8) In the forward chain, to go along with the premise above that you are in the management subnet, a specific FORWARD rule to be able to access all VLANs!
add action=accept chain=forward in-interface=VLAN99_MGMT src-address-list=adminaccess out-interface-list=VLAN*

  • you could get fancy in the interface-list members and create another interface list, since 'VLAN' includes the VLAN you are coming from, so it's not as efficiently stated.
    add interface=VLAN10_HOME list=othervlans
    add interface=VLAN20_GUEST list=othervlans
    add action=accept chain=forward in-interface=VLAN99_MGMT src-address-list=adminaccess out-interface-list=othervlans

(9) Unless you need this for something?? Security-wise it is best to deactivate it.
/tool mac-server
set allowed-interface-list=LAN

Access Point…
Hmmm, what did you start with as the QuickSet setting - to prepare the box with defaults before configuring?
It looks to me like this is set up as a router and not an access point, so I am unable to really comment until it's cleaned up as per the reference document provided…
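As an added example (not anav's or the poster's configuration), here are points (7) and (8) assembled into one ordered ruleset, so the admin-only input rule and the management-to-other-VLANs forward rule sit in front of an explicit final drop. The interface names follow the thread; the 192.168.99.x admin addresses and the `othervlans` list name are assumptions.

```routeros
# Added example, not from the thread: admin access limited to named hosts on the
# management VLAN. 192.168.99.10/.11 are placeholder static leases (assumption).
/ip firewall address-list
add address=192.168.99.10 comment="admin desktop (static lease)" list=adminaccess
add address=192.168.99.11 comment="admin laptop (static lease)" list=adminaccess

# Interface list of the VLANs an admin may reach from VLAN99_MGMT (assumed name)
/interface list
add name=othervlans
/interface list member
add interface=VLAN10_HOME list=othervlans
add interface=VLAN20_GUEST list=othervlans

/ip firewall filter
# input: replies to the router's own traffic, then admins from the management VLAN, then drop
add chain=input action=accept connection-state=established,related comment="established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept in-interface=VLAN99_MGMT src-address-list=adminaccess comment="admin access to router"
add chain=input action=drop comment="drop all other input"
# forward: admins reach the other VLANs, LAN VLANs reach the WAN, nothing else crosses VLANs
add chain=forward action=accept connection-state=established,related comment="established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface=VLAN99_MGMT src-address-list=adminaccess out-interface-list=othervlans comment="admin to other VLANs"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN to Internet"
add chain=forward action=drop comment="drop all other forward (guest to home/mgmt included)"
```

Any service the router itself provides to the VLANs (DNS, for instance) needs its own accept rule in the input chain ahead of the final drop, and the forward drop means guest and home clients only ever reach the WAN. Apply this with Safe Mode on: a drop rule ordered before the admin accept locks you out of the box, which is exactly the lockout described elsewhere in this thread.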

@ anav: first and foremost, thanks for such a fast and thorough point-by-point analysis. I have read topic nr. 143620 maybe 3 times now from start to end and went through all the attached config examples several times as well. I picked up the firewall rules which suit my setup and applied them. I have to say that the MikroTik setup for VLANs is quite different compared to Cisco. I was able to configure our stand-by Cisco equipment at work to fulfil my diagram in a matter of one hour, just to prove it would work, but MikroTik RouterOS takes a different approach using bridges. I am also learning how to properly trace packets via WinBox, to see what VLAN ID is in use etc.

To your comments:
(1) noted, will try to use the ingress-filtering setting for TRUNK ports and the frame-types setting for ACCESS ports to make it easier

(2) You are right, I noted this after I posted the question and fixed that one already. Thx.

(3) You don't miss anything :wink: I started with the WLAN modules disabled, but after I lost access to the router RTR1 too many times during my configuration attempts, I decided to use the 2.4GHz wlan1 interface as a temporary management interface. My plan is to use wlan1 only during the configuration build-up until it is finalized; once everything is working, I will disable the WLAN module on this router again, as it is not needed there and disabling it saves router memory anyway.

(4) I did not combine it, because for that you need to remove the management VLAN (VLAN99) and re-add it to the "combined" line, but I lost access once while doing the first step, so I did not retry. Will try it again.

As for the other local VLAN10 ports not being part of "untagged": I read in the MikroTik VLAN wiki that if you have the PVID set statically, RouterOS will add such ports automatically as untagged to the correct VLAN ID in the bridge's VLAN table. Did I misunderstand it then?

(5) Noted, will remove all green duplicates. As explained wlan1 actually exists but was added later on, after too many lock-outs from the router management via the wired LAN.

(6) That list is a list of multiple IP addresses (just one of many is shown) to which I forbid any access from the local network. It blocks our kids from connecting to friends' fixed IPs with Hamachi and other virtual LAN solutions. There was a typo; it should be as below:

/ip firewall address-list
add address=185.125.X.X list=blckaccess
add action=drop chain=forward comment="Block Access" dst-address-list=\
blckaccess src-address=0.0.0.0/0

(7) The second rule is actually copied from the router example in the templates of the main topic nr. 143620. My aim is to be able to manage the routers only from the VLAN99_MGMT network, either wireless or wired (a static port assigned to VLAN99). I added the first rule during troubleshooting, because I lost access to the router. I will copy your example, define a list of reserved IP addresses and include them in the rule for the "input" chain.

(8) Will create new interface lists, so that the FW rules are more human readable and add the proposed forward rule. It looks more clean.

(9) I agree, will deactivate it.


With the access point - you are right, I started with QuickSet as a router and tried to adjust all settings to an access point manually. I thought that changing it to an access point with the switch ports carrying VLAN10 would be easy and without any issues, but I was badly mistaken. Will try QuickSet as "Home AP Dual", which should give the best settings for starters. I want the AP to do no routing or firewalling of course, just VLAN10 access on the switch ports and wireless.

Points.

  • yes, you have to specifically note untagged ports where appropriate (as per my input).
    (you are telling the router to remove the VLAN tags before they hit devices on that port)

  • not sure your 185. rule is going to accomplish what you want to achieve; let's discuss that in detail and see if we can find a useful solution.

  • for access point, i prefer quickset AP-WISP, do you have that option??

All I did for my cAP ac was
(write down its MAC address)
(decide what IP on vlan10 (in your case, I think) you wanted to assign it)
(in the router, manually assign the IP to the MAC and set it as static)

On the AP, in QuickSet, manually enter its new IP address.
Then configure the AP in the normal menu

add a bridge
add vlans to bridge
make wifi settings
add bridge ports
add vlan bridge settings
tick the VLAN filtering checkbox on the bridge (last entry)

don't forget to use the Safe Mode button throughout.
That should get you working.
If not we can look at the config after and see what else may need tweaking.

Thanks for all the good tips. I got it working - finally!

I think that the cleanup of the interface lists did the most, and also setting WAN to the pppoe interface instead of the physical interface. Now the setup and VLANs work as I need them to. I tested connectivity between all my devices, including the separate guest VLAN, and it works really well.

RTR1 changes (besides other cleanup as proposed by anav)
/interface bridge
add arp=proxy-arp frame-types=admit-only-vlan-tagged ingress-filtering=yes name=BR1 protocol-mode=none vlan-filtering=yes

/interface bridge vlan
add bridge=BR1 tagged=BR1,ether3-TRUNK untagged=ether2,ether4,ether5 vlan-ids=10
add bridge=BR1 tagged=BR1,ether3-TRUNK vlan-ids=20,99

/interface list member
add interface=VLAN10_HOME list=LAN
add interface=VLAN20_GUEST list=LAN
add interface=VLAN99_MGMT list=LAN
add interface=pppoe-out1 list=WAN
add interface=VLAN99_MGMT list=MGMT

AP7 changes
removed the other VLANs and kept only the VLAN99 management interface under /interface vlan
/interface vlan
add arp=proxy-arp interface=bridgeAP7 mtu=1496 name=VLAN99_MGMT vlan-id=99
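The mistakes anav picked out in points (2) and (4), and the working RTR1 bridge table the poster ended up with, are the kind of thing a small script can check before a bridge is switched to vlan-filtering=yes. The following is an added example, not the poster's export nor a MikroTik tool: it parses the `/interface bridge port` and `/interface bridge vlan` sections of a RouterOS `/export` (including backslash-wrapped lines) and reports ports left on the default pvid 1, access ports not explicitly listed as untagged for their pvid (which the thread recommends making explicit), and memberships that contradict a port's frame-types. The two inputs are constructed from the lines quoted in the thread, not the actual attachments.

```python
"""Added example (not the poster's or MikroTik's code): sanity-check the bridge
VLAN table of a RouterOS '/export' against its bridge ports."""
import shlex

# Constructed input modelled on the RTR1 lines quoted in the thread before the fix
# (not the real export): ether5 has no pvid and nothing is untagged in VLAN 10.
BEFORE = """\
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3-TRUNK
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 comment="settop-box" frame-types=admit-only-untagged-and-priority-tagged \\
    ingress-filtering=yes interface=ether5
add bridge=BR1 interface=wlan1 pvid=99
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether3-TRUNK vlan-ids=10,20
add bridge=BR1 tagged=BR1,ether3-TRUNK vlan-ids=99
"""

# Constructed input after the corrections from the thread: ether5 pvid=10, access
# ports untagged in VLAN 10, wlan1 removed, VLANs 20 and 99 combined.
AFTER = """\
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3-TRUNK
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 comment="settop-box" frame-types=admit-only-untagged-and-priority-tagged \\
    ingress-filtering=yes interface=ether5 pvid=10
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether3-TRUNK untagged=ether2,ether4,ether5 vlan-ids=10
add bridge=BR1 tagged=BR1,ether3-TRUNK vlan-ids=20,99
"""


def parse_export(text):
    """Map each '/section' to the list of key=value dicts of its 'add' commands."""
    sections, section, logical = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # exports wrap long commands with a trailing backslash
            logical += line[:-1] + " "
            continue
        line, logical = (logical + line).strip(), ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
            continue
        words = shlex.split(line)        # honours quoted values such as comment="set top"
        if section and words and words[0] == "add":
            sections[section].append(dict(w.split("=", 1) for w in words[1:] if "=" in w))
    return sections


def vlan_ids(spec):
    """Expand a RouterOS vlan-ids value such as '10,20-22' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def port_set(value):
    return {n for n in value.split(",") if n}


def check_bridge_vlans(text):
    """Return human-readable findings; an empty list means the table is consistent."""
    cfg = parse_export(text)
    ports = {p["interface"]: p for p in cfg.get("/interface bridge port", [])}
    bridges = {p.get("bridge") for p in ports.values()}
    declared = {}                        # vlan id -> (tagged ports, untagged ports)
    for entry in cfg.get("/interface bridge vlan", []):
        for vid in vlan_ids(entry["vlan-ids"]):
            tagged, untagged = declared.setdefault(vid, (set(), set()))
            tagged.update(port_set(entry.get("tagged", "")))
            untagged.update(port_set(entry.get("untagged", "")))
    findings = []
    for vid in sorted(declared):
        tagged, untagged = declared[vid]
        for name in sorted(tagged | untagged):
            if name not in ports and name not in bridges:
                findings.append(f"vlan {vid}: {name} is not a port of the bridge")
        for name in sorted(untagged):
            pvid = int(ports.get(name, {}).get("pvid", 1))
            if name in ports and pvid != vid:
                findings.append(f"vlan {vid}: {name} egresses untagged but its pvid is {pvid}")
        for name in sorted(tagged):
            if ports.get(name, {}).get("frame-types") == "admit-only-untagged-and-priority-tagged":
                findings.append(f"vlan {vid}: {name} is tagged but admits only untagged frames")
    for name, port in ports.items():
        if port.get("frame-types") == "admit-only-vlan-tagged":
            continue                     # pure trunk: untagged frames are dropped, pvid unused
        pvid = int(port.get("pvid", 1))  # RouterOS default pvid is 1
        if pvid not in declared:
            findings.append(f"{name}: pvid {pvid} has no /interface bridge vlan entry (forgotten pvid?)")
        elif name not in declared[pvid][1]:
            findings.append(f"{name}: not listed as untagged in vlan {pvid}")
    return findings


if __name__ == "__main__":
    for label, export in (("before", BEFORE), ("after", AFTER)):
        print(label, check_bridge_vlans(export) or ["ok"])
```

Run against a real export, the "before" table produces one line per access port that is not listed as untagged plus the forgotten-pvid warning for ether5; the corrected table produces nothing. The check is deliberately conservative: it reads intent from the static table only and does not try to model what RouterOS adds dynamically, so treat its output as a list of things to confirm in `/interface bridge vlan print` rather than as proof that traffic will or will not flow.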