Adding a second guest wifi bridge.

I have just bought a second Mikrotik device (hAP ac). But I can’t get its guest wifi to work!

Before, the working setup is like this:

Mikrotik router:

  • wan on ether1
  • all other ports are slaves to ether2 trunk port
  • vlan-1003 on ether2 (“guest”)
  • separate dhcp server on untagged network (172.16.0.1/16) and on vlan-1003 (10.0.0.1/8)
  • firewall rules to only allow guest clients to reach the WAN interface

Apple Airport as AP for regular and guest users:
Bridge mode, regular wlan untagged, and guest wireless tagged with id 1003.

Now, I’d like to do a similar setup with the new hAP ac as with Airport. My goal is:

  • ether1 as trunk port to router
  • ether2 and slaves belong to regular net
  • wlan1, wlan2 (defaults - 2.4 and 5GHz) to regular net with SSID “regular”
  • new virtual wlan3 and wlan4 with SSID “guest” belong to tagged guest network with id 1003.

The setup I’ve tried:

  • First, disabled NAT, DHCP Server etc. on the QuickSet (webfig) and selected “bridge mode”. Also in webfig, activated guest wifi which created virtual wifi interfaces wlan3 and wlan4.
    Then in the console:
  • created a new tagged interface “vlan1003” on top of ether1
  • added ether1 to the existing bridge “bridge”
  • created a new bridge “br-vlan1003”, and added vlan1003, wlan3 and wlan4.
    (When it didn’t work, I also tried adding the “vlan1003” on top of “bridge” - didn’t help)

The issue
The regular net is working fine. Clients get an address and can communicate as expected.
The guest net doesn’t work at all. Clients don’t get an address.
If inside hAP I add a dhcp-client to interface vlan1003, it doesn’t get an address either - not sure if that means anything.
I’ve also tried to exclude firewall issues with
/ip firewall connection tracking set enabled=no
which doesn’t change anything.
With webfig/torch and filtering traffic on port 67 (dhcp), I can see activity on the “br-vlan1003” interface, however there is no activity on the “vlan1003”.

Does anyone know what I am doing wrong? Am I doing something wrong with the firewall? Help is greatly appreciated!

Oh well, actually, looks like it did work.

Just that when configuring the bridge, there happened to be a temporary bridge in-between swallowing the vlan tags.

It is not normally a good idea to make a tagged vlan subinterface a member of one bridge, and the entire ethernet interface a member of another bridge. It would be better to make two tagged vlan subinterfaces and make each of them a member of a different bridge, with the raw ethernet interface a member of neither of them. Of course this will change your network layout, as both wireless interfaces now come out tagged (but with different tags) on the ethernet port. If desired, you can solve that problem in the switch configuration for that port (stripping the vlan tag in the switch).
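The layout the reply above recommends, written out as RouterOS v6 commands for the hAP ac. This is an added example, not configuration posted by anyone in the thread; the regular network's tag (1002), the name vlan1002, the pre-6.41 master-port switching style and the matching vlan1002 interface on the router's trunk port are my assumptions, while 1003 and the bridge names come from the thread.

```routeros
# Added example: two tagged subinterfaces on the trunk, each in its own bridge,
# and the raw trunk port in neither. VLAN id 1002 / name "vlan1002" for the
# regular network are assumptions; 1003 and the bridge names are from the thread.
# Assumes RouterOS v6 before 6.41 (master-port style hardware switching).

# Start from a clean bridge port table; the earlier attempt had ether1 itself
# in "bridge" while vlan1003-on-ether1 sat in "br-vlan1003".
/interface bridge port remove [ find ]

# ether1 is the trunk to the router. It is a member of NO bridge;
# two tagged subinterfaces carry the two networks across it.
/interface vlan
add name=vlan1002 interface=ether1 vlan-id=1002 comment="regular (assumed tag)"
add name=vlan1003 interface=ether1 vlan-id=1003 comment="guest"

# ether3-ether5 stay hardware-switched behind ether2 (QuickSet already did this).
/interface ethernet
set [ find name~"ether[345]" ] master-port=ether2

# "bridge" exists from QuickSet; br-vlan1003 was created in the original post
# (skip this add if it is already there).
/interface bridge
add name=br-vlan1003

# Regular bridge: wired ports, default wlans, and the regular tag only.
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge interface=vlan1002
# Guest bridge: virtual wlans and the guest tag only.
add bridge=br-vlan1003 interface=wlan3
add bridge=br-vlan1003 interface=wlan4
add bridge=br-vlan1003 interface=vlan1003

# Check: ether1 must not appear as a port, and each vlan is in exactly one bridge.
/interface bridge port print
# Guest DHCP discovers should now show up on the tagged leg as well
# (while it was broken, torch saw them on br-vlan1003 but not on vlan1003).
/tool torch interface=vlan1003 port=67

# Consequence on the router: the regular network now also arrives tagged on
# the ether2 trunk, so it needs a matching vlan interface there (bridged or
# addressed into 172.16.0.0/16), or the tag stripped by a switch chip as the
# reply suggests.
/interface vlan
add name=vlan1002 interface=ether2 vlan-id=1002
```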

Thanks! I’m not that much of an expert.
Why is it not a good idea? And when you say strip the tag in the switch, what does switch refer to - is there any example you could point to?

http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features

I’m interested also, as I’ve seen this mentioned on another forum as well without any talk of what issues may actually arise and whether it would apply to our situations.

It is not a good idea because you now make the VLAN part of one bridge, and the interface that includes the VLAN part of another bridge. The VLAN is now part of two bridges. That can cause issues, it seems. I have sometimes had weird problems with configurations like that, and I could solve them all by changing that to separate explicit VLANs.

Unfortunately, the switch is complicated even for experts. But the documentation is in the usual place (the Wiki) under the name “Switch”.