Accesspoint with VLANs without separate DHCP server

Hi there,

I have a RB5009 with a set of VLANs. I want to use an access point cAP XL ac on a trunk port. Each VLAN should be assigned to a separate WLAN SSID. I want to use the DHCP server of the RB5009 for the WLANs. The AP is connected to ether3 of the RB5009 using ether1 of the AP. When I use a DHCP client on the access point, the AP is able to get a IP address from the RB5009. But the WLAN clients connecting to the AP do not get a valid IP. Any idea?

Configuration of RB5009:

#######
#RB5009
#######
/interface bridge
add comment="Main LAN bridge (VLAN-aware)" name=br-lan vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] comment="WAN (internet) - keep closed to remote access"

/interface vlan
add comment="SVI for LAN (trusted)" interface=br-lan name=vlan20 vlan-id=20
add comment="SVI for Guest" interface=br-lan name=vlan30 vlan-id=30
add comment="SVI for IoT with internet" interface=br-lan name=vlan40 vlan-id=40
add comment="SVI for IoT no-internet" interface=br-lan name=vlan41 vlan-id=41
add comment="SVI for Admin" interface=br-lan name=vlan100 vlan-id=100

/interface list
add name=TrustedPorts

/ip pool
add name=pool-vlan20 ranges=192.168.20.10-192.168.20.250
add name=pool-vlan30 ranges=192.168.30.10-192.168.30.250
add name=pool-vlan40 ranges=192.168.40.10-192.168.40.200
add name=pool-vlan41 ranges=192.168.41.10-192.168.41.200
add name=pool-vlan100 ranges=192.168.100.10-192.168.100.50

/interface bridge port
add bridge=br-lan comment="LAN - untagged VLAN20" interface=ether2 pvid=20
add bridge=br-lan comment="AP1 trunk - native VLAN20, tagged VLAN30" interface=ether3 pvid=20
add bridge=br-lan comment="AP2 trunk - native VLAN20, tagged VLAN30" interface=ether4 pvid=20
add bridge=br-lan comment="IoT (internet) - VLAN40" interface=ether5 pvid=40
add bridge=br-lan comment="IoT (internet) - VLAN40" interface=ether6 pvid=40
add bridge=br-lan comment="IoT (no-internet) - VLAN41" interface=ether7 pvid=41
add bridge=br-lan comment="Admin access - VLAN100" interface=ether8 pvid=100

/interface bridge vlan
add bridge=br-lan comment="Trusted LAN" tagged=br-lan,ether3,ether4 untagged=ether2 vlan-ids=20
add bridge=br-lan comment=Guest tagged=br-lan,ether3,ether4 vlan-ids=30
add bridge=br-lan comment=IOT-Internet tagged=br-lan untagged=ether5,ether6 vlan-ids=40
add bridge=br-lan comment=IOT-NoInternet tagged=br-lan untagged=ether7 vlan-ids=41
add bridge=br-lan comment=Administration tagged=br-lan untagged=ether8 vlan-ids=100

/ip address
add address=192.168.20.1/24 comment="LAN VLAN20" interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 comment="Guest VLAN30" interface=vlan30 network=192.168.30.0
add address=192.168.40.1/24 comment="IoT VLAN40" interface=vlan40 network=192.168.40.0
add address=192.168.41.1/24 comment="IoT VLAN41 (no internet)" interface=vlan41 network=192.168.41.0
add address=192.168.100.1/24 comment="Admin VLAN100" interface=vlan100 network=192.168.100.0

/ip dhcp-client
add comment="DHCP client on WAN" interface=ether1

/ip dhcp-server
add address-pool=pool-vlan20 interface=vlan20 lease-time=12h name=dhcp-vlan20
add address-pool=pool-vlan30 interface=vlan30 lease-time=6h name=dhcp-vlan30
add address-pool=pool-vlan40 interface=vlan40 lease-time=8h name=dhcp-vlan40
add address-pool=pool-vlan41 interface=vlan41 lease-time=8h name=dhcp-vlan41
add address-pool=pool-vlan100 interface=vlan100 lease-time=12h name=dhcp-vlan100

/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.1,1.1.1.1,9.9.9.9 gateway=192.168.20.1 ntp-server=192.168.20.1 wins-server=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1,1.1.1.1,9.9.9.9 gateway=192.168.30.1 ntp-server=192.168.30.1 wins-server=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1,1.1.1.1,9.9.9.9 gateway=192.168.40.1 ntp-server=192.168.40.1 wins-server=192.168.40.1
add address=192.168.41.0/24 dns-server=192.168.41.1,1.1.1.1,9.9.9.9 gateway=192.168.41.1 ntp-server=192.168.41.1 wins-server=192.168.41.1
add address=192.168.100.0/24 dns-server=192.168.100.1,1.1.1.1,9.9.9.9 gateway=192.168.100.1 ntp-server=192.168.100.1 wins-server=192.168.100.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9

/ip firewall filter
add action=accept chain=input comment="Allow established to router" connection-state=established,related
add action=accept chain=forward comment="Allow established in forward" connection-state=established,related
add action=accept chain=input comment="Allow ping from VLAN20" protocol=icmp src-address=192.168.20.0/24
add action=accept chain=input comment="Allow ping from VLAN30" protocol=icmp src-address=192.168.30.0/24
add action=accept chain=input comment="Allow ping from VLAN40" protocol=icmp src-address=192.168.40.0/24
add action=accept chain=input comment="Allow ping from VLAN41" protocol=icmp src-address=192.168.41.0/24
add action=accept chain=input comment="Allow ping from Admin VLAN100" protocol=icmp src-address=192.168.100.0/24
add action=accept chain=input comment="Allow WinBox from LAN" dst-port=8291 protocol=tcp src-address=192.168.20.0/24
add action=accept chain=input comment="Allow WinBox from Admin port" dst-port=8291 protocol=tcp src-address=192.168.100.0/24
add action=accept chain=input comment="Allow SSH from Admin" dst-port=22 protocol=tcp src-address=192.168.100.0/24
add action=drop chain=input comment="Drop all other input from WAN" in-interface=ether1
add action=accept chain=forward comment="Allow LAN->IoT(internet)" dst-address=192.168.40.0/24 src-address=192.168.20.0/24
add action=accept chain=forward comment="Allow LAN->IoT(no-internet)" dst-address=192.168.41.0/24 src-address=192.168.20.0/24
add action=accept chain=forward comment="Allow LAN ping Guest" dst-address=192.168.30.0/24 protocol=icmp src-address=192.168.20.0/24
add action=accept chain=forward comment="Allow LAN->WAN" out-interface=ether1 src-address=192.168.20.0/24
add action=accept chain=forward comment="Allow Guest->WAN" out-interface=ether1 src-address=192.168.30.0/24
add action=accept chain=forward comment="Allow IoT(internet)->WAN" out-interface=ether1 src-address=192.168.40.0/24
add action=accept chain=forward comment="Allow Admin->WAN" out-interface=ether1 src-address=192.168.100.0/24
add action=drop chain=forward comment="Block IoT(no-internet)->WAN" out-interface=ether1 src-address=192.168.41.0/24
add action=drop chain=forward comment="Drop other inter-VLAN forward traffic (default deny)"
add action=drop chain=input comment="Drop invalid input connections" connection-state=invalid

/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade VLAN20 (LAN)" out-interface=ether1 src-address=192.168.20.0/24
add action=masquerade chain=srcnat comment="Masquerade VLAN30 (Guest)" out-interface=ether1 src-address=192.168.30.0/24
add action=masquerade chain=srcnat comment="Masquerade VLAN40 (IoT internet)" out-interface=ether1 src-address=192.168.40.0/24
add action=masquerade chain=srcnat comment="Masquerade VLAN100 (Admin)" out-interface=ether1 src-address=192.168.100.0/24

/ip service
set ftp disabled=yes
set telnet disabled=yes

/ipv6 address
add address=fd00:20::1 comment="ULA LAN fallback" interface=vlan20
add address=fd00:30::1 comment="ULA Guest fallback" interface=vlan30
add address=fd00:40::1 comment="ULA IoT internet fallback" interface=vlan40
add address=fd00:41::1 comment="ULA IoT no-internet fallback" interface=vlan41
add address=fd00:100::1 comment="ULA Admin fallback" interface=vlan100

/ipv6 dhcp-client
add add-default-route=yes comment="DHCPv6 client on WAN (requests PD)" interface=ether1 pool-name=delegated-prefix request=prefix

/ipv6 firewall filter
add action=accept chain=input comment="Established IPv6" connection-state=established,related
add action=accept chain=forward comment="Established IPv6 forward" connection-state=established,related
add action=accept chain=input comment="Allow ICMPv6 (ND / ping) to router from anywhere internal" protocol=icmpv6
add action=drop chain=input comment="Drop IPv6 input from WAN" in-interface=ether1

/system clock
set time-zone-name=Europe/Berlin

/system ntp client
set enabled=yes

/system ntp server
set enabled=yes multicast=yes

/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org

/system package update
set channel=long-term

/tool graphing interface
add interface=ether1

/tool graphing resource
add

/tool mac-server
set allowed-interface-list=none

/tool mac-server mac-winbox
set allowed-interface-list=none 

Configuration of the AP:

###########
#cAP XL ac
###########

/interface bridge
add comment="Bridge for VLAN20+30 trunk" name=br-vlan vlan-filtering=yes

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX comment="2.4 GHz radio" country=germany disabled=no distance=indoors frequency=auto hide-ssid=yes installation=indoor mode=ap-bridge ssid=myssid-base-Mgm
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX comment="5 GHz radio" country=germany disabled=no distance=indoors frequency=auto hide-ssid=yes installation=indoor mode=ap-bridge ssid=myssid-base-Mgm

/interface ethernet
set [ find default-name=ether2 ] comment="Management port (untagged, out-of-band)"

/interface wireless manual-tx-power-table
set wlan1 comment="2.4 GHz radio"
set wlan2 comment="5 GHz radio"

/interface wireless nstreme
set wlan1 comment="2.4 GHz radio"
set wlan2 comment="5 GHz radio"

/interface vlan
add comment="SVI for VLAN20" interface=br-vlan name=vlan20 vlan-id=20
add comment="SVI for VLAN30" interface=br-vlan name=vlan30 vlan-id=30

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk comment="WPA2/WPA3 for default profile" disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=my-secure-password1
add authentication-types=wpa2-psk comment="WPA2/WPA3 for myssid-base-local" disable-pmkid=yes mode=dynamic-keys name=profile-vlan20 supplicant-identity=MikroTik wpa2-pre-shared-key=my-secure-password2
add authentication-types=wpa2-psk comment="WPA2/WPA3 for myssid-base-guest" disable-pmkid=yes mode=dynamic-keys name=profile-vlan30 supplicant-identity=MikroTik wpa2-pre-shared-key=my-secure-password3

/interface wireless
add comment="2.4GHz VLAN20 SSID" disabled=no mac-address=06:F4:1C:27:48:42 master-interface=wlan1 name=wlan20-2ghz security-profile=profile-vlan20 ssid=myssid-base-local vlan-id=20
add comment="5GHz VLAN20 SSID" disabled=no mac-address=06:F4:1C:27:48:44 master-interface=wlan2 name=wlan20-5ghz security-profile=profile-vlan20 ssid=myssid-base-local vlan-id=20
add comment="2.4GHz VLAN30 SSID" disabled=no mac-address=06:F4:1C:27:48:43 master-interface=wlan1 name=wlan30-2ghz security-profile=profile-vlan30 ssid=myssid-base-guest vlan-id=30
add comment="5GHz VLAN30 SSID" disabled=no mac-address=06:F4:1C:27:48:45 master-interface=wlan2 name=wlan30-5ghz security-profile=profile-vlan30 ssid=myssid-base-guest vlan-id=30

/interface wireless manual-tx-power-table
set wlan20-2ghz comment="2.4GHz VLAN20 SSID"
set wlan20-5ghz comment="5GHz VLAN20 SSID"
set wlan30-2ghz comment="2.4GHz VLAN30 SSID"
set wlan30-5ghz comment="5GHz VLAN30 SSID"

/interface wireless nstreme
set *8 comment="2.4GHz VLAN20 SSID"
set *A comment="5GHz VLAN20 SSID"
set *9 comment="2.4GHz VLAN30 SSID"
set *B comment="5GHz VLAN30 SSID"

/ip hotspot profile
set [ find default=yes ] html-directory=hotspot

/interface bridge port
add bridge=br-vlan comment="WAN trunk - tagged VLAN20,30" interface=ether1 pvid=20

/interface bridge vlan
add bridge=br-vlan comment="VLAN20 (Trusted LAN)" tagged=br-vlan,ether1 untagged=wlan20-2ghz,wlan20-5ghz vlan-ids=20
add bridge=br-vlan comment="VLAN30 (Guest)" tagged=br-vlan,ether1 untagged=wlan30-2ghz,wlan30-5ghz vlan-ids=30

/ip address
add address=192.168.100.50/24 comment="Management port static IP" interface=ether2 network=192.168.100.0
add address=192.168.20.2/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.2/24 interface=vlan30 network=192.168.30.0

/ip dns
set allow-remote-requests=yes

/ip firewall filter
add action=accept chain=input comment="Allow established" connection-state=established,related
add action=accept chain=input comment="Allow ICMP (ping)" protocol=icmp
add action=accept chain=input comment="Allow WinBox" dst-port=8291 protocol=tcp
add action=accept chain=input comment="Allow SSH" dst-port=22 protocol=tcp
add action=accept chain=forward comment="Allow forward established" connection-state=established,related
add action=accept chain=forward comment="Allow all forward (router handles security)"

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/system clock
set time-zone-name=Europe/Berlin

/system ntp client
set enabled=yes primary-ntp=172.104.154.182 secondary-ntp=131.188.3.223

I have only ever configured cAP XL ac with remote CAPsMAN. It seems to me that you are missing datapath settings, although I am not sure whether this is required for a standalone configuration.

Your VLAN config is incomplete on both the RB5009 and cAP XL ac.
Please start with this great topic to learn more about VLAN's:

Using RouterOS to VLAN your network - MikroTik

The specific part of the above topic to focus on is the post about AP setup. Using RouterOS to VLAN your network - #4 by pcunite

Disclaimer, I have no MikroTik devices with wifi, so anything related to wifi setup is all second hand.

However, looking at the config on your cAP XL ac, these are the things I noticed.

You have not configured the wifi interfaces to be members of the bridge. This is the in the /interface bridge port section.

You have vlan interfaces (SVI in the cisco terminology you are using) for the data vlans vlan20 and vlan30 (which is configuring the cAP to be a router between those vlans, not what you want, because it will bypass the rb5009 firewall). The vlans should be defined in /interface bridge port and /interface bridge vlan but there should not be a "connection" to the routing engine in the cAP (via the SVI). Also you don't have a vlan interface (SVI) for vlan 100 (what you used as management interface on the 5009). For ease of management when the cap is on the ceiling, having a management vlan is what you want. The CAP should have only a single vlan interface (SVI) defined, and it should be for management. The other vlans should just be defined at the layer 2 level (bridge/switch) so the traffic will be kept separate for each SSID.

If you get things working by adding the wifi interfaces to the bridge, then you can just leave ether2 configured as an out of band management port. If doing that doesn't work, then there are some other things that could be done to use that port as an access port for one of the vlans (e.g. 20) just to verify that a device plugged into that port would be able to get an ip address (from the correct pool).

My steps would be (on cAP XL ac)

1. Login from ether2
2. Backup and export your current cAP config and save off the cAP before making any changes.
3. Add vlan interface vlan100.
4. assign ip address to vlan100 (distinct from the one used by RB5009 (192.168.100.1), e.g. 192.168.100.2)
5. connect to 192.168.100.2 to verify that access works.
6. log out from ether2, do rest of config from admin vlan100
7. remove vlan20 and vlan30 vlan interfaces (SVIs)
8. add wlan1 and wlan2 as bridge ports in each vlan 20 and vlan 30 (separate lines for each vlan)
9. test to see if wifi works.
10. protect access to vlan100 with firewall (at least before you stop configuration, although this would be my last step). Verifiy that you can't access from vlan30 (for sure). Whether you want to allow access from 20 is up to you, but it will be routed through the RB5009 if it is allowed.

Report back. If things still don't work, next will be to reconfigure ether2 as a bridge port in vlan 20, and to see if plugging a wired dhcp client (e.g. a laptop) will get an ip address from pool-vlan20 (which you didn't show in your "RB5009 config")

Why do you have VLANs on the interface and on the bridge?

The Addition of VLANS on the INTERFACE menu should be enough. Turn off VLAN filter on the bridge.

Make sure you have the latest broadcom wifi package installed on both devices.

Once you do that you will have devices in the default VLAN unless tagged. But you can work your way up from there.

Your mentioned changes to the VLAN settings solved my connection issue. And thank you for the tip with the firewall. I checked this and now the rb5009 firewall rules are used.

Learning RouterOS is really not easy. There are so many different options… But it’s great to have such a friendly community!

Yes, I don't think you will find many that disagree with that.

I'm a lot more comfortable with ROS now than I was 4 years ago when I posted this on Tom Lawrence's forum about my first experience with ROS on a hEX S (coming from Ubiquiti's EdgeOS/vyatta). https://forums.lawrencesystems.com/t/why-does-mikrotik-feel-like-a-dirty-word-around-here/11605/22