Hi there, using a cap AC (no capsman) but attached to a hex router via ethernet.
I have established two main wifi Radio networks, 1x5Ghz and 1x2.4Ghz with no issues.
I wanted to add a virtual AP to the AC network for Guest usage.
Everything seems fairly simple as using the capAC in the basic setup it was received in upon delivery and of course updated to the latest SW version (no vlans setup yet, and wps and wmm disabled).
Wireless Settings:
Mode - AP bridge
SSID - Guests
Master Interface - (The name of the parent AC SSID)
Security Profile - unique for guests
I applied the setup and the Virtual AP is visible when I do a scan of available networks
BUT, when I connect with the password it states, no internet connection.
Conclusion: Wifi is working tx/rcv, but unable to get to the LAN?
What am I missing?
I also added the Virtual AP to the Interface List, but that still didn’t do the trick. I don’t think I need to do anything on the hex router but am I missing something simple on the cap AC??
LAN - Guests (is also now added)
Perhaps I have something left to do wrt the Bridge part of the interface but what, if it's already identified as part of the Parent 5Ghz AP??
If you want clients of that guest AP to be treated somehow special (limited access, limited speed, etc) you need to create a different ip configuration attached to it: address, dhcp-server and a set of firewall rules to define that special behaviour.
And since everything seems to be configured on your hex - you either need to configure vlans (that will deliver these two different ip configs from hex to desired wlan interfaces on cap), or let the cap do part of the job for guest wlan clients.
On the other hand, if you just want guests on separate AP, and that’s it - all you need is to add this virtual interface to the same bridge, where all your wlan interfaces are.
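What that last option looks like in the CLI, as an added example rather than anything from xvo's post or from MikroTik's documentation. The interface names (wlan2 as the 5 GHz master, wlan-guest for the virtual AP, bridge for the cAP's single bridge) and the security-profile name are assumptions; substitute your own.

```routeros
# Added example, not from the thread. Assumed names: wlan2 = existing 5 GHz master AP,
# wlan-guest = new virtual AP, bridge = the cAP's single bridge, guests = its security profile.

# Guest clients get their own WPA2 profile so the main LAN passphrase is never handed out
/interface wireless security-profiles
add name=guests mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key=CHANGE-ME-guest-passphrase

# Virtual AP on top of the 5 GHz radio; WPS and WMM left disabled as in the original setup
/interface wireless
add name=wlan-guest master-interface=wlan2 mode=ap-bridge ssid=Guests \
    security-profile=guests wps-mode=disabled wmm-support=disabled disabled=no

# The step the first post was missing: a virtual AP only reaches the LAN
# once it is a port of the same bridge the other wlan and ethernet ports are in
/interface bridge port
add bridge=bridge interface=wlan-guest

# Sanity check: the new port should be listed next to the radios and ether1
/interface bridge port print
```

Without the bridge-port entry the virtual AP authenticates clients but has nowhere to forward their frames, which is exactly the "connected, no internet" symptom from the first post.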
Hi xvo, I have been reading many of your replies on the forums, and just wanted to state I find them very helpful (big thanks!).
Okay I got it working without any IP configuration.
All I was missing was adding the virtual interface to the bridge BY WAY OF ASSIGNING IT A PORT
Is that what you meant by adding to the bridge??
It works fine but what I am wondering now is if it is possible to ensure the guest users have ONLY access to the internet without using VLANs?
I suspect the answer is no and will thus finally have to bite the bullet and enter the confusing world of VLANs. I just wish there was a clear cut method or steps that were coherent.
I did read someone's reply on one thread, it might have been yours, on a logical approach that simplified the mess everyone seems to come up with or suggest.
There are some ways to limit the access between devices on the same bridge without the use of VLANs, but they won’t work in your case (or it will be too difficult to configure and manage such a config), because you use two devices, not one.
For example you can rather easily configure some filters on a bridge on the cAP, for guest wlan to be separated from other two wlans, but devices connected to the hEX directly will be still visible from that guest wlan. So you will need to add some filters to the hEX as well.
My point is, in your case configuring VLANs on the bridge is actually a rather simple task, once you understand how to do it - less than 10 additional lines in the config on both devices.
And more: it is easy to understand such config, easy to maintain it, and easy to extend.
Wonderful xvo, that is great news to hear.
What I assume is that I will need to identify/create a VLAN for the guest wifi, call it VLAN100 on the HEX
I will have to create an address group and DHCP server for the VLAN (as I do want these devices to get a different LAN nomenclature, let's call it 192.168.100.0/24)
I will need to create the necessary pool as well.
I am not at all sure on the cap AC access point, what changes I will need to make, other than somehow link the Guest SSID, to the VLAN created on the HEX.
To make a config even more readable and kind of symmetric, when I need to use vlans in configuration, I prefer to make all traffic be tagged by some vlan-id when inside the router, as opposed to what you are trying to describe - when you leave all non-guest traffic untagged inside the bridge (or it can be called the default vlan with vlan-id=1).
But that's no big difference, I'll write you a little guide on how to make one vlan, and then it would be easy to move any other traffic inside its own vlan in just the same way.
So, step by step.
On hEX:
1. You create a vlan-interface for guest users on your bridge.
2. Attach an address and dhcp server to this vlan-interface.
These two steps you've already described yourself (VLAN100 with vlan-id=100).
3. Then in /interface bridge vlan you add the port leading to the cAP and the bridge itself as tagged ports for vlan-ids=100.
That will: a) make the port leading to your cAP a trunk port for your guest vlan and b) make a connection from the vlan-interface VLAN100 (and the ip config configured on it) to the vlan-id=100 configured on the bridge.
4. Enter safe mode and enable vlan-filtering on the bridge.
If everything still works - leave the safe mode, and you are finished with configuring the hEX for now.
Then proceed to cAP.
As you don't need access to the guest ip config from the cAP itself, configuration here will be even simpler:
5. Almost the same as step (3), but you add to /interface bridge vlan as tagged ports: the port leading to hEX and your virtual AP.
6. In configuration for your virtual AP you set vlan-id=100 vlan-mode=use-tag.
7. Once again - safe mode and enabling vlan-filtering on the bridge.
Almost done.
8. Now return to your hEX and there you need to add some rules to your firewall preventing access from VLAN100 to the rest of your LAN.
If you use default firewall, then one rule at the bottom will be enough:
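The VLAN plumbing of that guide (steps 1 to 7, both devices) written out as CLI, as an added example and not xvo's or MikroTik's own text. Assumed names: bridge for the existing LAN bridge on each device, ether2 for the hEX port that leads to the cAP, ether1 for the cAP port that leads to the hEX, wlan-guest for the virtual AP; the guest subnet 192.168.100.0/24 and vlan-id 100 are the values from the thread. The firewall part of step 8 is left out here.

```routeros
# Added example of steps 1 to 7 (not from the thread). Assumed names: bridge = LAN bridge
# on each device, ether2 = hEX port toward the cAP, ether1 = cAP port toward the hEX,
# wlan-guest = the virtual AP. 192.168.100.0/24 and vlan-id 100 are the thread's values.

# ===== hEX =====
# (1) vlan-interface for guests on the LAN bridge
/interface vlan
add name=VLAN100 vlan-id=100 interface=bridge

# (2) address, pool and DHCP server attached to that vlan-interface
/ip address
add address=192.168.100.1/24 interface=VLAN100
/ip pool
add name=pool-guest ranges=192.168.100.10-192.168.100.254
/ip dhcp-server
add name=dhcp-guest interface=VLAN100 address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1 dns-server=192.168.100.1

# (3) bridge VLAN table: ether2 becomes a trunk for vlan 100, and the bridge itself is a
# tagged member so VLAN100 (with its IP config) is connected to vlan 100 on the bridge.
# Bridge and port PVIDs stay at 1, so untagged LAN traffic keeps working as before.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=100

# (4) only while in safe mode (Ctrl+X in the terminal, "Safe Mode" button in WinBox)
/interface bridge
set bridge vlan-filtering=yes
# verify before leaving safe mode: the LAN is still reachable, and
/interface bridge vlan print
# lists ether2 and bridge under CURRENT-TAGGED for vlan 100

# ===== cAP ac =====
# (5) the uplink to the hEX and the virtual AP are tagged members of vlan 100;
# the cAP itself needs no vlan-interface or address in the guest subnet
/interface bridge vlan
add bridge=bridge tagged=ether1,wlan-guest vlan-ids=100

# (6) the virtual AP tags its clients' frames with vlan 100 before they enter the bridge
/interface wireless
set wlan-guest vlan-id=100 vlan-mode=use-tag

# (7) again in safe mode
/interface bridge
set bridge vlan-filtering=yes
```

The safe-mode step matters on both boxes: enabling vlan-filtering with a wrong tagged list silently cuts the management path, and safe mode rolls the change back when the connection drops.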
Good timing, I just created about five vlans on the hex and for each:
a. identified as a unique interface/VLAN with my homebridge as the master interface (homebridge created long ago and my lan is on this interface).
b. assigned address
c. assigned DHCP and network, and
d. assigned pool
The instructions were a bit confusing. I will provide my interpretation to see if I am close:
When you said create vlan interface for guest users on your bridge, I assumed this meant my current bridge, which my LAN resides.
(in other words no need to create a new bridge).
Next you want me to go to BRIDGE winbox menu selection (not interface menu selection nor interface list )? This was a bit hard to fathom but since I knew ports selections were not on the interface menu but under BRIDGE menu item.
So under the port sub menu I selected the physical port that applies for all traffic actually.
Under the general sub-tab
a. selected interface as the guest-wifi interface
b. selected bridge .. my ‘homebridge’
Under the Vlan sub-tab
c. selected PVID 100.
two things unsure, under the general sub-tab, a trusted checkbox is defaulted to unchecked and I left it that way.
under the vlan sub-tab, I also left the defaults in place, admit all frames and left ingress filtering and tag stacking unchecked.
Note: By the way the ethernet cabling path in my location goes through two switches to get there, one managed but it's not set up and one un-managed. I won't fiddle with those switches until a later date, so hopefully I can just assume they will be dummy switches till then (since they let everything pass). I have two mikrotik 5 port managed switches at the ready in case I have to have better fidelity, but trying to avoid layers of complication at this point.
There is a VLAN selection under BRIDGE but its not clear what you wanted me to do here if anything??? I ignored it.
4), Okay I had to go back to interfaces to select HomeBridge and find the VLAN filtering box, and then realized it was quicker if I had stayed in Bridge and simply doubleclicked on the Bridge itself (I was looking for it in the sub-tabs LOL).
a. selected vlan filtering in the checkbox which opened a popup menu and there I replaced PVID1 with PVID100
Router kicked me out (but I had safe mode selected so nothing lost).
It appears it does not like me to assign PVID 100 and checking vlan filtering here.
Revert it back to PVID 1 (at least for now) - this setting defines what vlan tag will be added to ingress untagged frames, you don’t need to change this behaviour.
Leave it as is for now.
Unmanaged switches ignore vlan tags so they are unlikely to spoil anything for you.
This is exactly the section where the most of relevant part of config has to be done - (3) and (5) in my original post.
Revert PVID 100 back to PVID 1 - that is why you were kicked from the device.
Just as in port settings it defines the default behaviour for untagged frames, so once you change it - it disrupts the whole connection between ip config that is attached directly to the bridge from all other ports that have PVID set to default values.
I suggest you to change PVID settings for bridge and ports only after you either have a guaranteed access to a device through one of the vlans.
Or you can remove one port from bridge (temporarily) and make sure you have emergency connection to your device through it.
Won't have time to work on this until later but the Bridge VLAN tab has the following selection (talking HEX).
Bridge - assume my home bridge goes here
VLAN ID - assume pvid 100 goes here
Tagged - ?
Untagged - ?
There are two more entries but they do not look modifiable
current tagged and current untagged
That’s right.
And in my post I wrote which ports you need to configure as tagged (currently you don't need any access - untagged - ports for your guest vlan).
It’s plural because you can specify multiple vlan ids if they have the same ports to be tagged.
Clear as mud right now, and thus posting a bit of my pertinent config to see where I am off the rails…
I have a single bridge, called ‘homebridge’ its active on port 2 on the router and is wired through various switches (consider them unmanaged) to all devices. Two end points are capACs where I want the vlans to go to eventually, right now showing a single VLAN, which is to go to one of the cap ACs.
All changes implemented and ready to test it shortly.
In terms of the cap AC setup. Let me recap.
a. it's in ap bridge mode and not router mode so not sure why the default config has ether1 in WAN mode.
b. ether1 is active and is physically attached to the network, strangely the cap AC seems to be happily acting as an access point in this configuration.
c. ether2 is not active and not connected so I should probably disable it (x it off, or grey it out).
However, since it's working fine I am loathe to change ether 1 from WAN to the more accurate LAN interface designation.
Ideas??
Since my firewall rules are drop all else and I don't implicitly allow VLAN to LAN traffic does this mean that such cross lan attempts would be blocked?
(Would the router attempt to route between the VLAN and the LAN?) All the traffic is on the hex bridge and on the same physical port into/out of the hex?
At some point will the router try to route a 192.168.100.X device that is looking for a 192.168.0.x device ???
Do I have to create a masquerade rule for VLAN traffic?
Do I have to create a route for VLAN traffic?
“ap bridge” is a mode for wireless radio, it has nothing to do with the overall config of the router.
The type of config that you need to have on a cAP:
one bridge with all ports in it
no nat, firewall, dhcp-server, etc.
dhcp-client on the bridge
guest vlan configured on the bridge
two wireless interfaces configured
additional virtual wireless interface to participate in guest vlan
And that’s pretty much all you need.
Which way to get there - from blank, from one of quickset presets (WISP AP in bridge mode should be the closest) or from what you have now - is up to you.
I always prefer to start from blank.
We are talking about the firewall on hEX, right?
It will try to route between LAN and guest VLAN by default.
But I suggest you to move step by step.
First you make sure that your guest vlan is configured properly, and you can reach both the internet and the rest of your LAN from it.
And only then you proceed to firewall to make some restrictions.
Your masquerade rule has to be universal, so that it will apply both to traffic from LAN and from guest VLAN:
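The universal masquerade together with the guest-isolation rules it is paired with, as an added example on the hEX side (not xvo's or MikroTik's own text). Assumed: VLAN100 is the guest vlan-interface, WAN is the interface list holding the uplink, and the default-config rule comments are the ones a hEX ships with; adjust the placement if your firewall was built by hand.

```routeros
# Added example for the hEX firewall and NAT (not from the thread). Assumed names:
# VLAN100 = guest vlan-interface, WAN = interface list with the uplink, and the
# "defconf:" comment strings of the stock hEX firewall; adjust if yours differ.

# NAT: one masquerade rule matched only on the outgoing interface list, no src-address,
# so it translates LAN (192.168.0.0/24) and guest (192.168.100.0/24) traffic alike
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="masquerade everything to WAN"

# No static route is needed: 192.168.100.0/24 is a connected route via VLAN100 as soon
# as the address exists, which is also why LAN and guests can reach each other by default
/ip route print where dst-address=192.168.100.0/24

# Input chain: the stock firewall ends with "drop all not coming from LAN", and VLAN100
# is not in the LAN list, so guests need explicit accepts for DHCP and DNS before it
/ip firewall filter
add chain=input action=accept in-interface=VLAN100 protocol=udp dst-port=67 \
    comment="guest DHCP" place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept in-interface=VLAN100 protocol=udp dst-port=53 \
    comment="guest DNS" place-before=[find comment="defconf: drop all not coming from LAN"]

# Forward chain: guests may go to the internet and nowhere else.
# The accept is what matters if the chain ends in a drop-all; the drop alone is the
# "one rule at the bottom" that suffices with the stock, otherwise permissive, forward chain.
add chain=forward action=accept in-interface=VLAN100 out-interface-list=WAN \
    comment="guest to internet"
add chain=forward action=drop in-interface=VLAN100 out-interface-list=!WAN \
    comment="guest to anything that is not WAN (LAN bridge, other vlans)"
```

Matching on in-interface=VLAN100 rather than on the source subnet keeps the rule tied to where the packet actually entered, so a guest that sets a static 192.168.0.x address still lands in the guest rules.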
Okay, all setup as I think it should be BUT no internet.
After perusing below it seems that, if I had to guess, the issue could be the fact that
I have a virtual AP: Basement Guests and I have
an associated VLAN: Guests_T&B_VLAN
I might have mixed up some nomenclature somewhere. I note on the hex I use the name: GuestWifi_T&B_V100
Hi xvo,
I hope you can understand my confusion on your last post as in an earlier post you stated for the cap AC
that instead of this:
/interface bridge vlan
add bridge=bridge tagged=Guests_T&B_VLAN vlan-ids=100
I should have this:
/interface bridge vlan
add bridge=bridge tagged=bridge,Basement_Guests vlan-ids=100
In your latest post, you are suggesting its still not correct and it needs modifying to this:
/interface bridge vlan
add bridge=bridge tagged=Guests_T&B_VLAN,Basement_Guests vlan-ids=100
(in effect stating it wasn't the bridge that needed adding in the tagged selection but the virtual AP interface and VLAN that need to be tagged.)
Which begs the question on the
/interface bridge vlan,
what needs to be identified as tagged.
a. bridge? (cap AC default bridge)
b. Basement_Guests (the virtual AP created from the parent WIFI interface )
c. Guest_T&B_VLAN (the vlan interface running off the virtual AP, Basement Guests).
So basically also need a specific forward rule for VLAN to WAN?
In other words when the 192.168.100.x traffic reaches the router it is not forwarded to the internet because it's being dropped?
Can I safely assume that the same occurs if the 192.168.100.x traffic is requesting/heading towards 192.168.0.X destinations?
or do I have to explicitly state
Traffic from VLAN, to LAN drop?
I should add that I have not used vlan filtering anywhere in the config?
Hi xvo,
In my current forward rules I probably go overboard as I have
source address (192.168.0.0/24)
In-Interface: HomeBridge
Out-Interface List: WAN
But I do that to distinguish which address source on the home bridge I am delineating.
Thus my intention for the VLAN to WAN allow forward chain is the following
source address VLANIP: (192.168.100.0/24)
In-Interface: HomeBridge
Out-Interface List: WAN.
It seems you are recommending
source address, leave blank
In-interface: GuestWifi_T&B_V100
Out-Interface list: WAN
I think both accomplish the same thing but which is better?