As described the physical ports are working. I can get an IP address and access DNS from the port 2 of hAP AC and configure the hAP AC from a remote computer on VLAN 10.
I simply can’t get the WLAN1 on hAP AC to be a part of VLAN 23.
I think you can’t use “ethernet switch” device with WLAN. You will have to create a bridge and attach your interfaces (VLANs and WLAN).
Global performance might not be the same, as bridging is done by the CPU.
Thank you for your help, unfortunately this doesn’t seem to solve the issue. WLAN1 is for some reason not bridged with VLAN23. If I use the physical ports ether2-4 I instantly get an IP address from DHCP on VLAN23. If I use WLAN1 I don’t.
Found the problem. Seems like “switch1-cpu” should be added for the VLAN switch, then everything is working as expected. The bridge from WLAN1 to ETHER1 was expected, but it didn’t work without “switch1-cpu” on the VLAN configured on the switch.
I’m new to MikroTik, so if someone cares, please explain why this is needed for bridging the WLAN interface, but not the ETHER interfaces.
I also removed the VLAN interface on ETHER1, since it wasn’t needed, and configured a bridge between ETHER1 and WAN1. I then configured the VLAN on the WLAN1 instead. I later on tested by adding another VLAN to the switch (remember to add switch1-cpu as well), and configured a VAP (virtual AP) on this. It worked as well.
This is the final config that is working with the initial requirements:
# apr/09/2016 04:14:21 by RouterOS 6.34.4
# software id = 4A0F-K35L
#
/interface bridge
add name=br-wlan-ether1
/interface ethernet
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1 poe-out=off
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=ap-bridge \
ssid=TEST vlan-id=23 vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled
/interface vlan
add interface=ether1 name=ether1.10 vlan-id=10
/interface ethernet switch port
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 default-vlan-id=23 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=23 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=23 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=23 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure
/interface bridge port
add bridge=br-wlan-ether1 interface=wlan1
add bridge=br-wlan-ether1 interface=ether1
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=23
add independent-learning=yes ports=ether1,switch1-cpu switch=switch1 vlan-id=10
/ip address
add address=10.42.10.31/24 interface=ether1.10 network=10.42.10.0
/ip route
add distance=1 gateway=10.42.10.1
/system leds
set 1 interface=wlan2
/system routerboard settings
set cpu-frequency=720MHz protected-routerboot=disabled
The idea is that this should completely isolate all VLANs on the router. If this is not correct, you are more than welcome to comment on this.
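The fix reported in the post above (adding switch1-cpu to the switch VLAN entry) can be turned into a check over an exported config. This is an added example, not part of the original post or of RouterOS: the function names and the sample export are constructed, and it assumes a single switch chip whose CPU-side VLAN users are `/interface vlan` entries and wireless interfaces with a `vlan-mode` other than `no-tag`.

```python
import re

# Constructed sample: a trimmed export modelled on the config above, with
# switch1-cpu left out of VLAN 23 to reproduce the reported symptom.
SAMPLE_EXPORT = """\
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge \\
    ssid=TEST vlan-id=23 vlan-mode=use-tag
/interface vlan
add interface=ether1 name=ether1.10 vlan-id=10
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=23
add independent-learning=yes ports=ether1,switch1-cpu switch=switch1 vlan-id=10
"""

def parse_export(text):
    """Yield (section, {key: value}) for each command line of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # a section header such as "/interface vlan"
            section = line
            continue
        yield section, dict(re.findall(r"([\w-]+)=(\S+)", line))

def check_cpu_membership(text, cpu_port="switch1-cpu"):
    """Return (VLANs used on the CPU side but lacking cpu_port in the switch
    VLAN table, VLANs whose switch table entry includes cpu_port)."""
    cpu_vlans, table = set(), {}
    for section, kv in parse_export(text):
        if "vlan-id" not in kv:
            continue
        vid = int(kv["vlan-id"])
        if section == "/interface ethernet switch vlan":
            table[vid] = set(kv.get("ports", "").split(","))
        elif section == "/interface vlan" or (
            section == "/interface wireless"
            and kv.get("vlan-mode", "no-tag") != "no-tag"
        ):
            cpu_vlans.add(vid)
    missing = sorted(v for v in cpu_vlans if cpu_port not in table.get(v, set()))
    reachable = sorted(v for v, ports in table.items() if cpu_port in ports)
    return missing, reachable
```

On the sample, `check_cpu_membership(SAMPLE_EXPORT)` reports VLAN 23 as missing the CPU port. The second list is the set of VLANs the switch will forward to the CPU, which is the list to review against the isolation goal stated above.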
Put all the ports in a switch group.
Add VLAN 10 to the Bridge.
On your managed switch, set the untag ID of 10 for the port/ports where you want the other units to sit.
If you add WAPs or anything else… you can use any port on the Main router and tag or untag as needed on switches or WAPs.
I don’t like the idea of a default VLAN on a trunk port. I agree that you probably could.
The purpose is that more VLANs would be added later on, and that the physical ports could be part of any of these. I’m new to the MikroTik terms and methods, so could you explain why it would be better to add the management VLAN to the bridge instead of the physical management port?