Access into some VLANs not working

Hello

Unfortunately I cannot figure out how to configure my cAP ax to tag incoming traffic into different VLANs.

What i want to achieve:

  • ether1 is a trunk
  • ether2 is access into management-vlan (1000 [10.11.11.0/24])
  • wifi1 & wifi2 tag incoming traffic into the default VLAN (10 [10.10.10.0/24])

I have a DHCP server running in each VLAN, and they work. I have tested my router by using a switch to tag incoming traffic into the different VLANs, and that works.

If I connect via ether2 (VID 1000) I receive an IP address.
However, if I connect to wifi1 or wifi2 I don’t.

Why?


# cAP ax acting as a VLAN-aware access point: ether1 is the tagged trunk, ether2 is an
# untagged management port (VLAN 1000) and wifi1/wifi2 place clients untagged into VLAN 10.
# The AP's only L3 address is on vlan-mgmt. No /ip firewall filter rules appear in this
# export, so every service the AP runs is reachable from the whole management VLAN.
/interface bridge
add admin-mac=F4:1E:57:1D:BF:92 auto-mac=no name=bridge vlan-filtering=yes
# Both radios use the factory-default SSID and WPA2/WPA3 transition mode with 802.11r.
# No security.passphrase is shown - the export may have stripped it; confirm one is set
# before treating these SSIDs as protected.
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.country=Germany .mode=ap .ssid=MikroTik-1DBF93 disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.country=Germany .mode=ap .ssid=MikroTik-1DBF93 disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
# The only /interface vlan is for 1000: the CPU needs VLAN 1000, it does not need VLAN 10.
/interface vlan
add interface=bridge name=vlan-mgmt vlan-id=1000
/interface list
add name=MGMT
# NOTE(review): automatic SMB/media sharing is on and bound to the bridge. Inert while no
# storage is attached, but any disk plugged in later is shared without further configuration.
# An access point has no use for this; consider auto-media-sharing=no auto-smb-sharing=no.
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
# The port PVID decides which VLAN untagged ingress lands in; ether1 accepts tagged frames only.
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=1000
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
# lldp-med-net-policy-vlan advertises the management VLAN id to LLDP-MED neighbours on the
# MGMT interfaces. Not needed for this setup; a later reply removes it.
/ip neighbor discovery-settings
set discover-interface-list=MGMT lldp-med-net-policy-vlan=1000
# Static VLAN table. Listing 'bridge' as a tagged member gives the CPU a foothold in that VLAN:
# required for 1000 (vlan-mgmt rides on it), not for 10, where no /interface vlan exists -
# least privilege says leave 'bridge' out of VLAN 10. No untagged members are declared; the
# later replies indicate RouterOS derives untagged entries from the PVIDs, which is presumably
# why ether2 still gets an address with this table.
/interface bridge vlan
add bridge=bridge comment=mgmt tagged=ether1,bridge vlan-ids=1000
add bridge=bridge comment=default tagged=ether1,bridge vlan-ids=10
/interface list member
add interface=vlan-mgmt list=MGMT
/ip address
add address=10.11.11.20/24 interface=vlan-mgmt network=10.11.11.0
# allow-remote-requests=yes makes the AP answer DNS for anything that can reach 10.11.11.20,
# i.e. (with no filter rules) the whole management VLAN, and no upstream servers= is set.
# An access point normally does not need to be a resolver at all.
/ip dns
set allow-remote-requests=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.11.11.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
# MAC-Telnet and MAC-WinBox are limited to the MGMT list (vlan-mgmt only), so VLAN 10 clients
# cannot use them. A later reply disables MAC-Telnet entirely.
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

If you set ether2 to pvid=10 (instead of 1000), do you also get an IP address?

Hello!

My first thought was this:
# First suggestion: declare the untagged membership explicitly instead of relying on the
# dynamic entries RouterOS derives from the port PVIDs. 'bridge' is still tagged in VLAN 10 here.
/interface bridge vlan
add bridge=bridge comment=mgmt tagged=ether1,bridge untagged=ether2 vlan-ids=1000
add bridge=bridge comment=default tagged=ether1,bridge untagged=wifi1,wifi2 vlan-ids=10

This untags VLAN 10 on the wifi1 and wifi2 interfaces, and removes the bridge interface from VLAN 10 — it is only needed for your VLAN 1000.
Listing ether2 as untagged gives you normal access without setting a VLAN ID on the client.
If this is your intention:

# Port PVIDs exactly as in the original post; shown for reference, nothing changes here.
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=1000
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=10

If I set ether2 to PVID 10 I do not get an IP.
If I set wifi1 & wifi2 to PVID 1000 I get an IP.
VLAN 1000 is working, VLAN 10 is not. :confused:




Removing or adding the bridge interface to VLAN 10 does not seem to make any difference in testing...

If I connect with a static IP, the AP shows automatically created (dynamic) untagged VLAN entries. But I still cannot reach any other host.
Image link

As pointed out the config should be:
# Consolidated suggestion: the ports are unchanged, but the VLAN table now declares the
# untagged members explicitly and no longer lists 'bridge' in VLAN 10 (the CPU has no
# interface in that VLAN, so it has no business receiving its frames).
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=1000
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
# lldp-med-net-policy-vlan is carried over from the original here; a later reply drops it.
/ip neighbor discovery-settings
set discover-interface-list=MGMT lldp-med-net-policy-vlan=1000
/interface bridge vlan
add bridge=bridge comment=mgmt tagged=ether1,bridge untagged=ether2 vlan-ids=1000
add bridge=bridge tagged=ether1 untagged=wifi1,wifi2 vlan-ids=10

Other observations — things I would change, although they should have no bearing on your issue:
# 'server' should be accepted by the CLI as an unambiguous abbreviation of 'servers'.
# Point the AP at the management-VLAN gateway it actually sits next to, rather than at an
# address in VLAN 10 that it can only reach through the router.
/ip dns
set server=10.11.11.1

# allowed-interface-list=none switches the MAC-Telnet server off entirely; MAC-WinBox stays
# reachable from the MGMT list (vlan-mgmt) only.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

Thank you for the other advice. I indeed do not need MAC-Telnet to be accessible.

Unfortunately I still cannot get it to work.
Here is my current config:

# AP config after applying the suggestions: explicit untagged members, 'bridge' tagged only
# in VLAN 1000, MAC-Telnet disabled. Still no /ip firewall filter, so whatever the AP
# listens on is open to the entire management VLAN.
/interface bridge
# protocol-mode=none disables (R)STP on the bridge. Fine for an AP with one uplink, but nothing
# will break a loop if ether2 is ever patched into the same switch as ether1.
add admin-mac=F4:1E:57:1D:BF:92 auto-mac=no name=bridge protocol-mode=none vlan-filtering=yes

# Factory-default SSID, WPA2/WPA3 transition mode, 802.11r. No passphrase appears in the
# export - confirm one is set.
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-1DBF93 disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-1DBF93 disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes

# Only the management VLAN is terminated on the CPU.
/interface vlan
add interface=bridge name=vlan-mgmt vlan-id=1000

/interface list
add name=MGMT

# NOTE(review): automatic SMB/media sharing bound to the bridge - inert without storage, but
# any disk attached later is shared automatically. Not needed on an AP.
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes

/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=1000
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1

# lldp-med-net-policy-vlan still present here; the next reply suggests removing it.
/ip neighbor discovery-settings
set discover-interface-list=MGMT lldp-med-net-policy-vlan=1000

# 'bridge' (the CPU) is a member of VLAN 1000 only; VLAN 10 is pure pass-through.
/interface bridge vlan
add bridge=bridge comment=mgmt tagged=ether1,bridge vlan-ids=1000
add bridge=bridge comment=default tagged=ether1 untagged=wifi1,wifi2 vlan-ids=10

/interface list member
add interface=vlan-mgmt list=MGMT

# Interface object RouterOS creates for the OVPN server. No enabled=yes appears in this
# export, so the server should not be listening - verify with /interface ovpn-server server print.
/interface ovpn-server server
add mac-address=FE:CF:17:0E:E1:A0 name=ovpn-server1

/ip address
add address=10.11.11.20/24 interface=vlan-mgmt network=10.11.11.0

# The AP has no address in 10.10.10.0/24, so 10.10.10.1 is only reachable via the default
# route through 10.11.11.1 (and depends on the router's forward chain). The next reply
# suggests 10.11.11.1 instead. allow-remote-requests=yes keeps the AP acting as a resolver
# for the management VLAN.
/ip dns
set allow-remote-requests=yes servers=10.10.10.1

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.11.11.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10

/system clock
set time-zone-name=Europe/Berlin

/system note
set show-at-login=no

# MAC-Telnet off; MAC-WinBox restricted to the management VLAN.
/tool mac-server
set allowed-interface-list=none

/tool mac-server mac-winbox
set allowed-interface-list=MGMT

I’m making most of the changes via winbox.

Minor things so far..

  1. Remove the extra entries… to see if it makes a difference
    from:
    /ip neighbor discovery-settings
    set discover-interface-list=MGMT lldp-med-net-policy-vlan=1000

    TO
    /ip neighbor discovery-settings
    set discover-interface-list=MGMT

  2. Slight mod
    # 'bridge' (CPU) stays tagged only in VLAN 1000, the one VLAN with an /interface vlan on it;
    # ether2 and the radios are declared as untagged members explicitly.
    /interface bridge vlan
    add bridge=bridge tagged=ether1,bridge untagged=ether2 vlan-ids=1000
    add bridge=bridge tagged=ether1 untagged=wifi1,wifi2 vlan-ids=10

  3. from
    /ip dns
    set allow-remote-requests=yes servers=10.10.10.1

    TO
    /ip dns
    set allow-remote-requests=yes servers=10.11.11.1

++++++++++++++++++++++++++++++++++++++++++

Does your PC get an IP address on the management vlan when plugged into ether2?
Can you see the wifi SSIDs?

I suspect the issue may be on the upstream router handing out the DHCP leases etc. What is that device, and if it is MikroTik, please provide its config.

I have a second cAP which I reset and configured as my router. (For debugging purposes)

network.png

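# Router
# Second cAP ax temporarily acting as router/DHCP server for the test: ether1 = WAN (DHCP
# client, masqueraded), ether2 = tagged trunk towards the AP, wifi1/wifi2 = untagged into
# the management VLAN.
#
# Change made here versus the posted export: the input chain had no final drop rule and
# there was no LAN interface list, so - with the implicit accept at the end of a chain -
# everything the router listens on (the DNS resolver enabled below and whatever /ip service
# has enabled; not shown, so RouterOS defaults) was reachable from the WAN side on ether1.
# The stock "drop all not coming from LAN" rule and its LAN list are restored.
/interface bridge
add admin-mac=F4:1E:57:1D:BF:92 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] mac-address=F4:1E:57:1D:BF:91
set [ find default-name=ether2 ] mac-address=F4:1E:57:1D:BF:92
# The SSIDs land in the management VLAN (pvid=1000 on the ports below): anyone holding the
# PSK is on the same segment as both devices' management addresses. Acceptable for a debug
# setup, not for production. No passphrase appears in this export - confirm one is set.
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-MGMT disabled=no mac-address=F4:1E:57:1D:BF:93 security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-MGMT disabled=no mac-address=F4:1E:57:1D:BF:94 security.authentication-types=wpa2-psk,wpa3-psk \
    .ft=yes .ft-over-ds=yes
# Both VLANs are routed here, so 'bridge' must be a tagged member of both (see the VLAN table).
/interface vlan
add interface=bridge name=vlan-main vlan-id=10
add interface=bridge name=vlan-mgmt vlan-id=1000
/interface list
add name=WAN
add name=MGMT
# Added: the firewall needs an "inside" list to tell LAN from WAN.
add name=LAN
/ip pool
add name=dhcp_pool1 ranges=10.10.10.20-10.10.10.200
add name=dhcp_pool2 ranges=10.11.11.100-10.11.11.200
/ip dhcp-server
add address-pool=dhcp_pool1 interface=vlan-main name=dhcp1
add address-pool=dhcp_pool2 interface=vlan-mgmt name=dhcp2
# NOTE(review): automatic SMB sharing of any attached disk; not needed on a router.
/disk settings
set auto-smb-sharing=yes
# ether2 is the trunk (tagged only); the radios put clients untagged into VLAN 1000.
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=1000
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=1000
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge comment=main tagged=bridge,ether2 vlan-ids=10
add bridge=bridge comment=mgmt tagged=bridge,ether2 untagged=wifi1,wifi2 vlan-ids=1000
/interface list member
add interface=vlan-mgmt list=MGMT
add interface=ether1 list=WAN
# Added: both routed VLAN interfaces count as inside for the input chain.
add interface=vlan-main list=LAN
add interface=vlan-mgmt list=LAN
/ip address
# Leftover default address on the untagged bridge (PVID 1). No port carries VLAN 1, so it is
# unreachable, but it is one more address the router answers on - remove it after debugging.
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.10.10.1/24 comment=main interface=vlan-main network=10.10.10.0
add address=10.11.11.1/24 comment=mgmt interface=vlan-mgmt network=10.11.11.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.11.11.0/24 gateway=10.11.11.1
# allow-remote-requests=yes makes the router a resolver on every address it holds; the input
# drop rule below keeps that off the WAN interface.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=10.10.10.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Added: the posted chain ended at the loopback accept with no final drop. This is the rule
# the RouterOS default configuration ships with; it closes the router's own services to
# anything not arriving on a LAN-list interface (i.e. to ether1/WAN).
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# The forward chain contains no rule separating VLAN 10 from VLAN 1000, so client-VLAN hosts
# are routed into the management VLAN freely. That matches what the poster expects to work
# below; if the management VLAN is meant to be protected later, add a forward drop for
# vlan-main -> vlan-mgmt (except established,related).
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system note
set show-at-login=no
# MAC-Telnet off; MAC-WinBox only from the management VLAN.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT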

I also have my AP


# AP
# Final AP config in the two-cAP test. Same shape as before: ether1 trunk, ether2 untagged
# management, radios untagged into VLAN 10, CPU present only in VLAN 1000. No /ip firewall
# filter rules appear, so the AP's services are open to the whole management VLAN.
/interface bridge
# (R)STP disabled; nothing will stop a loop if both Ethernet ports end up on the same switch.
add admin-mac=F4:1E:57:1D:BF:92 auto-mac=no name=bridge protocol-mode=none vlan-filtering=yes
# Factory-default SSID, WPA2/WPA3 transition mode, 802.11r. No passphrase in the export -
# confirm one is set.
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-1DBF93 disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-1DBF93 disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface vlan
add interface=bridge name=vlan-mgmt vlan-id=1000
/interface list
add name=MGMT
# NOTE(review): automatic SMB/media sharing bound to the bridge - not needed on an AP; any
# disk attached later is shared automatically.
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=1000
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
# lldp-med-net-policy-vlan was suggested for removal earlier in the thread but is still here.
/ip neighbor discovery-settings
set discover-interface-list=MGMT lldp-med-net-policy-vlan=1000
# CPU is a member of VLAN 1000 only; VLAN 10 passes through between ether1 and the radios.
/interface bridge vlan
add bridge=bridge comment=mgmt tagged=ether1,bridge vlan-ids=1000
add bridge=bridge comment=main tagged=ether1 untagged=wifi1,wifi2 vlan-ids=10
/interface list member
add interface=vlan-mgmt list=MGMT
# OVPN server interface object only; no enabled=yes appears, so it should not be listening.
/interface ovpn-server server
add mac-address=FE:CF:17:0E:E1:A0 name=ovpn-server1
/ip address
add address=10.11.11.20/24 interface=vlan-mgmt network=10.11.11.0
# Resolver still enabled for the management VLAN, forwarding to 10.10.10.1 - an address the
# AP can only reach via the default route through the router (10.11.11.1).
/ip dns
set allow-remote-requests=yes servers=10.10.10.1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.11.11.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
# MAC-Telnet off; MAC-WinBox only from the management VLAN.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

What works?

  • Clients receive an IP on all interfaces (Router and AP)
  • Clients can connect to WAN
  • Clients connected to Router can access the Routers WinBox via 10.11.11.1


    What doesn’t?
  • No client can access the AP’s WinBox on 10.11.11.20
  • Clients connected to the AP can neither reach nor ping 10.11.11.1 or 10.11.11.20


    So I basically solved the first problem, but created new ones in the process :confused:

I solved it by rebooting all my devices. ._.
Thanks for your help and have a good day.