Hi, I’ve got a hAPacLite operating as a CAP with multiple vlans and ssids. Local forwarding is enabled. Discovery is on vlan99. This all works fine.
I’d now like to set ether2 as an access port untagged on vlan62, and ether3 as an access port untagged on vlan63.
Traffic on all vlans on ether1 is tagged.
Do I configure this in Bridge, or Interface, or Switch? I tried configuring in Switch, but then the CAP stopped passing traffic.
Thank you
# CAP export as first posted: Bridge-vlans has ether1 as its only port and
# vlan-filtering is not set, so (per the reply at the end of the thread) the
# bridge passes every VLAN without looking at the tag.
# NOTE(review): software id and serial number identify this unit and are not
# needed to diagnose the config; they can be trimmed from a posted export.
# nov/10/2022 17:52:13 by RouterOS 7.6
# software id = VL5C-V8UW
#
# model = RB952Ui-5ac2nD
# serial number = 924C096D12E2
/interface bridge
# No vlan-filtering=yes here: the bridge does no per-VLAN isolation.
add name=Bridge-vlans
/interface ethernet
# Comments only; ether2 (esp32) and ether3 (cctv) are not bridge ports yet.
set [ find default-name=ether1 ] comment=Uplink
set [ find default-name=ether2 ] comment=esp32
set [ find default-name=ether3 ] comment=cctv
/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(8dBm), SSID: wifi350, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(18dBm), SSID: wifi350, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface vlan
# Management VLAN interface on the bridge; CAPsMAN discovery and the DHCP
# client below both run on it.
add interface=Bridge-vlans name=vlan99-Management vlan-id=99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
# pvid only takes effect once vlan-filtering is enabled on the bridge, so
# pvid=99 does nothing in this export.
add bridge=Bridge-vlans interface=ether1 pvid=99
/interface wireless cap
# 
# CAP mode: wlan1/wlan2 are handed to CAPsMAN, which is discovered over
# vlan99-Management; locally forwarded client traffic goes into Bridge-vlans.
set bridge=Bridge-vlans discovery-interfaces=vlan99-Management enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
add interface=vlan99-Management
/system identity
set name=hAPacLite-Shed
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.99.254
 
            
              
            
           
          
            
              
                mkx  
              
                  
                    November 10, 2022,  6:30pm
                   
                  2 
               
             
            
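              All VLAN config (apart from CAPsMAN) should go on the bridge:
/interface bridge   # do this change last!
(The rest of the command listing is missing from this copy of the post; the export in the original poster's next reply shows the bridge port and bridge vlan entries that resulted. The change marked "last" is presumably vlan-filtering=yes on the bridge: it is left until the port and VLAN entries exist, because once filtering is on the bridge stops passing any VLAN that has no entry, the management VLAN included.)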
 
 
The untagged property in section /interface bridge vlan  is optional (ROS adds ports with pvid set automatically).
             
            
              
            
           
          
            
            
              Brilliant, thank you, that worked.
             
            
              
            
           
          
            
            
              Ah, I spoke too soon. The vlans on ether2 and 3 work correctly, but I have no wifi access. The CAP has connected to CAPsMAN, and I can see the SSIDs, but a client doesn’t get a DHCP address.
I’m just starting to get my head around the bridge changes done a while ago. (6.41?)
# CAP export after VLAN handling was moved onto the bridge: filtering is on
# and ether2/ether3 are access ports. Wired VLANs work; Wi-Fi clients get no
# DHCP lease (diagnosed in the replies below this export).
# nov/11/2022 11:32:49 by RouterOS 7.6
# software id = VL5C-V8UW
#
# model = RB952Ui-5ac2nD
/interface bridge
# vlan-filtering=yes: a VLAN is now forwarded only between the ports listed
# for it under /interface bridge vlan. pvid=99 applies to the bridge
# interface itself.
add name=Bridge-vlans pvid=99 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Uplink
set [ find default-name=ether2 ] comment=esp32
set [ find default-name=ether3 ] comment=cctv
/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(8dBm), SSID: wifi350, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(18dBm), SSID: wifi350, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface vlan
add interface=Bridge-vlans name=vlan99-Management vlan-id=99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
# NOTE(review): pvid=99 on the uplink places any untagged frame arriving on
# ether1 into the management VLAN. The first post says all VLANs on ether1
# are tagged, so frame-types=admit-only-vlan-tagged looks applicable here;
# confirm against the upstream switch before changing.
add bridge=Bridge-vlans interface=ether1 pvid=99
# Access ports: untagged ingress is classified into VLAN 62 / 63.
# NOTE(review): frame-types is not set, so these ports presumably still
# accept tagged frames as well;
# frame-types=admit-only-untagged-and-priority-tagged would restrict them to
# untagged traffic. Confirm against the attached devices.
add bridge=Bridge-vlans interface=ether2 pvid=62
add bridge=Bridge-vlans interface=ether3 pvid=63
/interface bridge vlan
# Only VLANs 99, 62 and 63 have entries. The CAPsMAN configurations posted
# later in the thread tag wireless clients into VLANs 54 and 71 as well;
# those have no entry here, so with filtering on they are not passed to
# ether1. That is the fault explained in the replies.
# NOTE(review): vlan99-Management is a VLAN interface on top of the bridge,
# not a bridge port; listing it under tagged= is presumably unnecessary.
# Confirm.
add bridge=Bridge-vlans tagged=Bridge-vlans,ether1,vlan99-Management vlan-ids=99
add bridge=Bridge-vlans tagged=ether1 untagged=ether2 vlan-ids=62
add bridge=Bridge-vlans tagged=ether1 untagged=ether3 vlan-ids=63
/interface wireless cap
# 
set bridge=Bridge-vlans discovery-interfaces=vlan99-Management enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
add interface=vlan99-Management
/system identity
set name=hAPacLite-Shed
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.99.254
 
            
              
            
           
          
            
              
                mkx  
              
                  
                    November 12, 2022,  9:59am
                   
                  5 
               
             
            
              If wireless, managed by CAPsMAN, doesn’t work, then you have to show us CAPsMAN settings.
             
            
              
            
           
          
            
            
              Here are the CAPsMAN settings from my main router. Wifi did work on the CAP with the config on my original post. Now I’ve changed the config as per post on Friday, and ether2 and 3 work, but wifi doesn’t.
[admin@hAPac-Main Router] /caps-man> export hide-sensitive 
# CAPsMAN export from the main router, taken with `export hide-sensitive`
# (see the prompt line above), which is presumably why the security profiles
# below show no passphrase.
# NOTE(review): software id and serial number identify this unit and are not
# needed to diagnose the config; they can be trimmed from a posted export.
# nov/12/2022 23:52:37 by RouterOS 7.4.1
# software id = NG1Y-BM7M
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 6F1206C86AC7
/caps-man channel
add name=LowPower tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled name=2ghz tx-power=10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee name=5ghz tx-power=20
add band=2ghz-g/n control-channel-width=5mhz extension-channel=disabled name="2ghz-High Power" tx-power=20
/caps-man rates
add basic=6Mbps name=GN supported=6Mbps vht-basic-mcs=""
add basic=5.5Mbps,11Mbps,6Mbps,9Mbps,12Mbps,18Mbps name=IOT supported=5.5Mbps,11Mbps,6Mbps,9Mbps,12Mbps,18Mbps
/caps-man security
# Three profiles, one per SSID family, all WPA2-PSK with AES-CCM for both
# unicast and group traffic and an hourly group key update.
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=wifi350
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=wifi35t
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=guest
/caps-man configuration
# Every configuration sets local-forwarding=yes with vlan-mode=use-tag, so
# client traffic is tagged with the datapath vlan-id and bridged on the CAP
# itself rather than tunnelled to this router:
#   wifi350 -> VLAN 71, guest/guest2 -> VLAN 54, wifi35t -> VLAN 62.
# A CAP running bridge VLAN filtering therefore has to allow each of these
# VLANs on its uplink port.
# NOTE(review): client-to-client-forwarding=yes is also set on the two guest
# configurations, so guest clients on the same AP can reach each other.
# Confirm that this is intended.
add channel=5ghz country="united kingdom" datapath.arp=proxy-arp .client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=71 .vlan-mode=use-tag mode=ap name=cfg_wifi350-5ghz rates=GN \
    security=wifi350 ssid=wifi350
add channel=2ghz country="united kingdom" datapath.arp=proxy-arp .client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=54 .vlan-mode=use-tag mode=ap name=cfg_guest-2ghz rates=GN \
    security=guest ssid=guest2
add channel=2ghz country="united kingdom" datapath.arp=proxy-arp .client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=62 .vlan-mode=use-tag mode=ap multicast-helper=full name=\
    cfg_wifi35t-2ghz rates=GN security=wifi35t ssid=wifi35t
add channel=2ghz country="united kingdom" datapath.arp=proxy-arp .client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=71 .vlan-mode=use-tag mode=ap name=cfg_wifi350-2ghz rates=GN \
    security=wifi350 ssid=wifi350
add channel=5ghz country="united kingdom" datapath.arp=proxy-arp .client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=54 .vlan-mode=use-tag mode=ap name=cfg_guest-5ghz rates=GN \
    security=guest ssid=guest
/caps-man interface
# CAP interface records held by the manager. Each physical radio has a
# master entry (master-interface=none, radio-mac = the radio's MAC) using a
# wifi350 configuration, followed by virtual entries (radio-mac all zeros)
# that hang off it: guest and wifi35t on the 2G radios, guest only on the 5G
# radios.
add configuration=cfg_wifi350-2ghz disabled=no l2mtu=1600 mac-address=4C:5E:0C:86:65:E1 master-interface=none name=2G-cAP-Office-1 radio-mac=4C:5E:0C:86:65:E1 radio-name=4C5E0C8665E1
add configuration=cfg_guest-2ghz disabled=no l2mtu=1600 mac-address=4E:5E:0C:86:65:E1 master-interface=2G-cAP-Office-1 name=2G-cAP-Office-1-1 radio-mac=00:00:00:00:00:00 radio-name=\
    4E5E0C8665E1
add configuration=cfg_wifi35t-2ghz disabled=no l2mtu=1600 mac-address=4E:5E:0C:86:65:E2 master-interface=2G-cAP-Office-1 name=2G-cAP-Office-1-2 radio-mac=00:00:00:00:00:00 radio-name=\
    4E5E0C8665E2
add configuration=cfg_wifi350-2ghz disabled=no l2mtu=1600 mac-address=E4:8D:8C:8A:7B:51 master-interface=none name="2G-hAP-Lite-Boiler Cupboard-1" radio-mac=E4:8D:8C:8A:7B:51 radio-name=\
    E48D8C8A7B51
add configuration=cfg_guest-2ghz disabled=no l2mtu=1600 mac-address=E6:8D:8C:8A:7B:51 master-interface="2G-hAP-Lite-Boiler Cupboard-1" name="2G-hAP-Lite-Boiler Cupboard-1-1" radio-mac=\
    00:00:00:00:00:00 radio-name=E68D8C8A7B51
add configuration=cfg_wifi35t-2ghz disabled=no l2mtu=1600 mac-address=E6:8D:8C:8A:7B:52 master-interface="2G-hAP-Lite-Boiler Cupboard-1" name="2G-hAP-Lite-Boiler Cupboard-1-2" radio-mac=\
    00:00:00:00:00:00 radio-name=E68D8C8A7B52
add configuration=cfg_wifi350-2ghz disabled=no l2mtu=1600 mac-address=6C:3B:6B:44:98:47 master-interface=none name="2G-hAPac-Main Router-1" radio-mac=6C:3B:6B:44:98:47 radio-name=6C3B6B449847
add configuration=cfg_guest-2ghz disabled=no l2mtu=1600 mac-address=6E:3B:6B:44:98:47 master-interface="2G-hAPac-Main Router-1" name="2G-hAPac-Main Router-1-1" radio-mac=00:00:00:00:00:00 \
    radio-name=6E3B6B449847
add configuration=cfg_wifi35t-2ghz disabled=no l2mtu=1600 mac-address=6E:3B:6B:44:98:48 master-interface="2G-hAPac-Main Router-1" name="2G-hAPac-Main Router-1-2" radio-mac=00:00:00:00:00:00 \
    radio-name=6E3B6B449848
add configuration=cfg_wifi350-2ghz disabled=no l2mtu=1600 mac-address=E4:8D:8C:CE:D0:69 master-interface=none name=2G-wAP-Outside-Garage-1 radio-mac=E4:8D:8C:CE:D0:69 radio-name=E48D8CCED069
add configuration=cfg_guest-2ghz disabled=no l2mtu=1600 mac-address=E6:8D:8C:CE:D0:69 master-interface=2G-wAP-Outside-Garage-1 name=2G-wAP-Outside-Garage-1-1 radio-mac=00:00:00:00:00:00 \
    radio-name=E68D8CCED069
add configuration=cfg_wifi35t-2ghz disabled=no l2mtu=1600 mac-address=E6:8D:8C:CE:D0:6A master-interface=2G-wAP-Outside-Garage-1 name=2G-wAP-Outside-Garage-1-2 radio-mac=00:00:00:00:00:00 \
    radio-name=E68D8CCED06A
add configuration=cfg_wifi350-2ghz disabled=no l2mtu=1600 mac-address=E4:8D:8C:CE:DD:3D master-interface=none name=2G-wAP-Outside-Shed-1 radio-mac=E4:8D:8C:CE:DD:3D radio-name=E48D8CCEDD3D
add configuration=cfg_guest-2ghz disabled=no l2mtu=1600 mac-address=E6:8D:8C:CE:DD:3D master-interface=2G-wAP-Outside-Shed-1 name=2G-wAP-Outside-Shed-1-1 radio-mac=00:00:00:00:00:00 \
    radio-name=E68D8CCEDD3D
add configuration=cfg_wifi35t-2ghz disabled=no l2mtu=1600 mac-address=E6:8D:8C:CE:DD:3E master-interface=2G-wAP-Outside-Shed-1 name=2G-wAP-Outside-Shed-1-2 radio-mac=00:00:00:00:00:00 \
    radio-name=E68D8CCEDD3E
add configuration=cfg_wifi350-2ghz disabled=no l2mtu=1600 mac-address=E4:8D:8C:4B:12:37 master-interface=none name=2G-wAPac-Guestroom-1 radio-mac=E4:8D:8C:4B:12:37 radio-name=E48D8C4B1237
add configuration=cfg_guest-2ghz disabled=no l2mtu=1600 mac-address=E6:8D:8C:4B:12:37 master-interface=2G-wAPac-Guestroom-1 name=2G-wAPac-Guestroom-1-1 radio-mac=00:00:00:00:00:00 radio-name=\
    E68D8C4B1237
add configuration=cfg_wifi35t-2ghz disabled=no l2mtu=1600 mac-address=E6:8D:8C:4B:12:38 master-interface=2G-wAPac-Guestroom-1 name=2G-wAPac-Guestroom-1-2 radio-mac=00:00:00:00:00:00 \
    radio-name=E68D8C4B1238
add configuration=cfg_wifi350-2ghz disabled=no l2mtu=1600 mac-address=6C:3B:6B:6C:A1:6E master-interface=none name=2G-wAPac-Kitchen-1 radio-mac=6C:3B:6B:6C:A1:6E radio-name=6C3B6B6CA16E
add configuration=cfg_guest-2ghz disabled=no l2mtu=1600 mac-address=6E:3B:6B:6C:A1:6E master-interface=2G-wAPac-Kitchen-1 name=2G-wAPac-Kitchen-1-1 radio-mac=00:00:00:00:00:00 radio-name=\
    6E3B6B6CA16E
add configuration=cfg_wifi35t-2ghz disabled=no l2mtu=1600 mac-address=6E:3B:6B:6C:A1:6F master-interface=2G-wAPac-Kitchen-1 name=2G-wAPac-Kitchen-1-2 radio-mac=00:00:00:00:00:00 radio-name=\
    6E3B6B6CA16F
add configuration=cfg_wifi350-5ghz disabled=no l2mtu=1600 mac-address=6C:3B:6B:44:98:46 master-interface=none name="5G-hAPac-Main Router-1" radio-mac=6C:3B:6B:44:98:46 radio-name=6C3B6B449846
add configuration=cfg_guest-5ghz disabled=no l2mtu=1600 mac-address=6E:3B:6B:44:98:46 master-interface="5G-hAPac-Main Router-1" name="5G-hAPac-Main Router-1-1" radio-mac=00:00:00:00:00:00 \
    radio-name=6E3B6B449846
add configuration=cfg_wifi350-5ghz disabled=no l2mtu=1600 mac-address=E4:8D:8C:4B:12:36 master-interface=none name=5G-wAPac-Guestroom-1 radio-mac=E4:8D:8C:4B:12:36 radio-name=E48D8C4B1236
add configuration=cfg_guest-5ghz disabled=no l2mtu=1600 mac-address=E6:8D:8C:4B:12:36 master-interface=5G-wAPac-Guestroom-1 name=5G-wAPac-Guestroom-1-1 radio-mac=00:00:00:00:00:00 radio-name=\
    E68D8C4B1236
add configuration=cfg_wifi350-5ghz disabled=no l2mtu=1600 mac-address=6C:3B:6B:6C:A1:6D master-interface=none name=5G-wAPac-Kitchen-1 radio-mac=6C:3B:6B:6C:A1:6D radio-name=6C3B6B6CA16D
add configuration=cfg_guest-5ghz disabled=no l2mtu=1600 mac-address=6E:3B:6B:6C:A1:6D master-interface=5G-wAPac-Kitchen-1 name=5G-wAPac-Kitchen-1-1 radio-mac=00:00:00:00:00:00 radio-name=\
    6E3B6B6CA16D
/caps-man access-list
# Per-device entries, all disabled: they would place the listed client MACs
# into VLAN 71 or 62 regardless of SSID (ssid-regexp is empty).
# NOTE(review): these match on the client's MAC address, which the client
# itself supplies, so if re-enabled they act as VLAN assignment rather than
# as authentication.
add action=accept comment=OfficeSqueezebox disabled=yes mac-address=00:04:20:1E:3F:F6 ssid-regexp="" vlan-id=71 vlan-mode=use-tag
add action=accept comment="Playroom Squeezebox" disabled=yes mac-address=00:04:20:1E:3F:5A ssid-regexp="" vlan-id=71 vlan-mode=use-tag
add comment="Kitchen Squeezebox" disabled=yes mac-address=00:04:20:26:98:36 ssid-regexp="" vlan-id=71 vlan-mode=use-tag
add action=accept comment="phone" disabled=yes mac-address=14:1A:A3:98:4B:57 ssid-regexp="" vlan-id=62 vlan-mode=use-tag
# Signal-strength rules. The first pair (threshold -80 / -83) is disabled.
add action=accept allow-signal-out-of-range=10s disabled=yes interface=any signal-range=-80..0 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=yes interface=any signal-range=-120..-83 ssid-regexp=""
# Active pair: accept clients at -86 or stronger on any interface, reject
# those at -87 or weaker. No enabled rule restricts by MAC address or SSID.
add action=accept allow-signal-out-of-range=3s disabled=no interface=any signal-range=-86..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=3s disabled=no interface=any signal-range=-120..-87 ssid-regexp=""
/caps-man manager
# bad package path
# ("bad package path" above is the export's own status comment on
# package-path=/pub.)
# NOTE(review): no certificate or require-peer-certificate setting appears
# here, so they are presumably at their defaults and CAPs are not
# authenticated by certificate. Confirm on the router.
set enabled=yes package-path=/pub upgrade-policy=suggest-same-version
/caps-man provisioning
# Two rules keyed only on hw-supported-modes (no radio-mac or identity match
# is shown, so presumably any CAP radio qualifies):
#   ac radios -> wifi350 (VLAN 71) + guest (VLAN 54) on 5 GHz
#   gn radios -> wifi350 (VLAN 71) + guest (VLAN 54) + wifi35t (VLAN 62)
# These are the VLANs a locally forwarding CAP must carry on its uplink.
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=cfg_wifi350-5ghz name-format=prefix-identity name-prefix=5G slave-configurations=cfg_guest-5ghz
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=cfg_wifi350-2ghz name-format=prefix-identity name-prefix=2G slave-configurations=cfg_guest-2ghz,cfg_wifi35t-2ghz
[admin@hAPac-Main Router] /caps-man>
 
            
              
            
           
          
            
              
                mkx  
              
                  
                    November 13, 2022,  7:54am
                   
                  7 
               
             
            
              On CAP (client) you have to add entries under /interface bridge vlan  for all VLANs (54, 71, any other) that you use for wireless interfaces. E.g.:
/interface bridge vlan
# One entry per wireless VLAN, with the uplink as a tagged member. The CAP
# export earlier in the thread already has ether1 tagged for VLAN 62; VLAN 54
# (guest) needs an entry of the same form as this one for VLAN 71.
add bridge=Bridge-vlans tagged=ether1 vlan-ids=71
Wireless interfaces will be added by CAPsMAN automatically, but other trunk interfaces you have to add yourself.
It worked at the beginning of this exercise because the bridge did not care about VLAN tags and simply let all VLANs through everywhere (which also means nothing on the bridge was keeping the VLANs apart at that point). With vlan-filtering enabled it enforces the proper port-to-VLAN mappings, so the ether1 (trunk) port has to be configured to pass all necessary VLANs.
             
            
              
            
           
          
            
            
              That did it, thank you. Helped me understand the “new to me” bridge setup.
             
            
              
            
           
          
            
              
                mkx  
              
                  
                    November 13, 2022, 10:53am
                   
                  9 
               
             
            
              Another good tutorial  on different personalities of bridge in ROS. Should help you understand why bridge and VLANs have to be configured in certain way in post-6.41 era.