Adding Virtual AP to cAP AC - Missing a Step?

Hi.

They do the same thing indeed, and there is an almost non-existent number of scenarios in which they can act differently.
However, the approach I suggest has one less condition to check, so less load on the CPU.
And since checking in/out-interface(-list) is the least CPU-intensive of all checks (except for maybe connection-state), I always prefer it over dst/src-address(-list) when the logic allows it.
Not that there is a huge difference for home use :slight_smile:

Aside from the firewall, have you got everything else running as it is supposed to?
Or still something stays in the way?

Still no joy. :frowning:

Just another suggestion: test with the cAP attached directly to the hEX (with no switches in between). There is still a tiny chance that they can mess with the process.

Hi xvo, thanks for your patience. I do have a way of connecting the cAP directly to the router via Ethernet cable, but it is a bit difficult and I will keep it in mind as a last resort.
The two switches in the way are a managed D-Link DGS-1100-24 switch with no settings (default) and, close to the cAP ac, a 16-port unmanaged Zyxel switch.
I just reviewed the D-Link settings and there is nothing on it that should prevent all traffic from flowing.

General settings
Ports - default
Jumbo State - disabled
Clock settings - correct
Port based VLAN - disabled
Management VLAN: VID 1, State: disabled
Asymmetric VLAN State: disabled
Auto Video VLAN: disabled
Voice VLAN: disabled

Vlan settings 802.1q
VID: 1
Name: VLAN001
Tagged Member Ports: blank (nil entries)
Untagged Member Ports: eth01-eth24
VLAN Type: blank (nil entry)

VLAN Interface Table
Ports: eth1-eth24, Vlan Type: Hybrid, Ingress checking: enabled, Acceptable Frame Type: Admit ALL

OKAY, THIS POST I am using to TALK my way through the setup, so perhaps you can pick out where I have gone wrong from the following conversational approach:

hEX.
Bridge Name = “HomeBridge”
Port Eth2 is associated with the HomeBridge and is the port that goes to the Dlink Switch and to all locations.
HomeLAN (my wired LAN) is also on the HomeBridge
I created a VLAN (Vid=100) with name “GuestWifi_T&B_V100” with interface being the HomeBridge.
I created a dhcp pool for the VLAN
I created an address list for the VLAN (linked to the above VLAN interface).
I created a DHCP Server for the VLAN (linked to the above VLAN interface, and linked to the DHCP pool above).
I created a DHCP Network for the VLAN *****
**** There is no obvious link to the interface in the Network settings?? I did put in

  • Network of 192.168.100.0/24
  • Gateway IP of 192.168.100.1
  • DNS Server IP of 192.168.100.1

Under IP Routes, the applicable VLAN line entry shows: DAC - the VLAN interface with distance 0, and it states it is reachable.

For the INTERFACE MENU, when selecting the actual Bridge Entry in the Table area, and its VLAN Tab, the selection of VLAN filtering is NOT checked.
For the BRIDGE MENU, under the VLAN TAB, the HomeBridge is selected for bridge, and tagged elements include the HomeBridge and Ether2.

Lastly, for FW rules: I have a Forward DROP ALL ELSE rule in place as the last rule and thus created a VLAN to WAN accept rule:
source address 192.168.100.0/24
In-interface: VLAN-interface
Out-Interface-List: WAN

On the cAP ac
I ensured that the VLAN interface I created now has the same name.
The cAP ac is running in default mode (like an AP, I suppose).
Eth1 is WAN and is connected physically to the unmanaged Zyxel 16-port switch.
Eth 2 is not used.

The Cap AC has a bridge with default name: Bridge


I have two existing WiFi networks, as there are two radios.
There is a 2G network called DevicesAP and a 5AC network called Basement_WIFI.
I created a Virtual AP called Basement_Guests off of the 5AC network.

For Bridge port interface purposes
eth1 connected to WAN is port 0 (designated port)
I put the 2GHz network on port 2 (designated port)
I put 5AC network on port 3 (designated port)
I put Virtual AP on port 4 (disabled port) ???

On the Interface list, under LAN I have both WiFi networks, the Virtual AP and the VLAN BUT NO BRIDGE *****,
WAN is ether1.
***** This is different from the hEX, where the entries for my LAN are only HomeBridge (and eth4, which connects to my DMZ LAN), and under WAN my two ISPs.
The error could be here??
I am thinking that the proper entry here for Lan Interface on the capAC should be BRIDGE only ???


For the INTERFACE MENU, when selecting the actual Bridge Entry in the Table area, and its VLAN Tab, the selection of VLAN filtering is NOT checked.
For the BRIDGE MENU, under the VLAN TAB, the “Bridge” is selected for bridge, and tagged elements include the Basement_Guests and Ether1. ###

Tagged ports are slightly different from the hEX: ether2 is the physical Ethernet port for the hEX and ether1 for the cAP ac, so that is consistent; however, on the hEX we have identified the bridge, but on the cAP ac we have identified the Virtual Access Point (and not the bridge)???

Address List: The only address list showing on the cAP ac is the HomeLAN 192.168.0.1 list. Perhaps this shows up because the cAP ac is assigned a LAN IP from the hEX. I do not remember assigning a list, but if there was a default 192.168.88.X list I probably replaced it with the HomeLAN list.

No DHCP networks or servers identified, no DHCP pools, no FW rules.

Under IP routes I see:
DAS 0.0.0.0/0 192.168.0.1 reachable
DAC 192.168.0.1 bridge reachable preferred source 192.168.0.xx (lanip of the bridge)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

If nothing of the above warrants concern or change and you would like to see the config again let me know.

I see no structural flaws, so the last thing left to do is to enable VLAN filtering for the bridges on both devices.

Answers to your questions:

  1. I suggested to connect cAP to hEX directly only temporarily - to debug their config and get them running 100% as they should, and only then to deal with any potential problems caused by the environment.
  2. Addition of interfaces to the interface lists on the cAP doesn't make much of a difference: as you have all ports on it added to the same bridge, there are actually no WAN or LAN interfaces - they are all LAN. These lists are mostly used in the firewall (which you don't need on a cAP) and to define the ports from which you can access winbox etc.
    To make this part consistent with the overall config you can remove all ports from the WAN list and add all ports to the LAN list, but again, it won't make any difference in the behaviour with the current config.
  3. Concerning the difference of tagged ports listed under /interface bridge vlan on the two devices: on the hEX your vlan connects the guest ip config hosted on the vlan interface to the trunk port, on the cAP your vlan connects the trunk port to the guest AP, so the whole system connects the guest ip config to the guest AP - exactly as it should. That explains the difference.
    The absence of the bridge among tagged ports on the cAP (together with the absence of the vlan interface) can also be explained by the fact that you don't really need the cAP itself to have any ip address inside the guest vlan.

Okay I will try the VLAN filtering.
Not sure what function this does, but the last time we tried it, at least on the hEX, in safe mode, it didn't like it LOL.

On the Bridge VLAN checkbox, after selecting VLAN filtering, there is only one option to enter a VLAN.
Right now it defaults to PVID 1.
Should I enter PVID 100? And if so, what happens when I add other VLANs??

Do I keep Admit ALL for Frame Types?
Do I check off ingress filtering or leave it unchecked?

(same for both units?)

Checking this checkbox enables the whole vlan configuration :slight_smile:))
Without it all vlan config is simply ignored, and the bridge works just like before you started :slight_smile:
Don’t change PVID and anything else, only check the checkbox.

Done, and still not working.
Something is preventing the devices using the virtual AP from a. getting a DHCP address assigned and b. getting any internet.
I wonder if, because I am connected to HomeLAN on my smartphone, when I try to connect to the VLAN the smartphone isn't able to switch IP structures (unlikely).
So what do you recommend I setup on the managed switch then?

PORT that comes from the HEX?
PORT that goes to the zyxel Unmanaged Switch.

If you don't see any errors in my actual config or the discussion config, then we can assume that it's not the hEX or cAP ac and thus it has to be the switch LOL.
Yes, I know try it direct… I will do this some time today but I also want to start thinking about the managed switch setup.

Is there any logging I can set up on the hEX or cAP ac to try and figure out where the blockage is occurring? "Packet sniffer"?

The checkbox is checked on both devices?
Then let’s wait until you connect them directly to eliminate all external influence.
If it doesn’t help, then post both configs again: maybe there’s something else that I missed.

Yes both checked in safe mode and nothing bad happened so safe mode is off.
Operation direct connect commences today. Actually, I have a spare (second) Ethernet cable, diverted from an unused location box before the basement was recently finished, so I have a direct line to the patch panel going to the basement. I will plug that directly into the PoE device for the cAP ac and, at the other end, directly into physical port 3 on the hEX.

Port 3 is also homelan
Port 3 is also on the bridge
However, it looks like on the hEX I will have to modify the BRIDGE VLAN menu to also tag this port??? (so it will be HomeBridge, ether2 and ether3)

By the way, there is now a second entry on the Bridge VLAN menu and it starts with a D. (I didn't put it there, one of those magical MikroTik-made miracles LOL)
There is the HOMEBRIDGE ENTRY where I entered the tags and below that as follows:
D - HomeBridge - (vlanid) 1 - (current tagged) blank - (current untagged) HomeBridge, ether2

Now ether3, my second LAN port on the hEX, is showing as a disabled port (role). I cannot find anywhere to enable it. I am assuming it is simply showing disabled due to not being connected to any devices and thus not "live". However, it seems to be preventing it from being displayed on the tagged list on the Bridge VLAN menu as well as on that second entry. Normal?
(it (ether3) is also showing as italic text, instead of upright normal text)

If you use ether3 to connect directly to cAP, that’s right - you need to set it as tagged as well.

That is right - it is the default vlan with PVID=1 on which the rest of your LAN continues to run.
Nothing unexpected here.

Nothing wrong here either.
Just plug anything in it, and it will also emerge as untagged for vlan 1 (of course if you haven’t already changed it to be the part of a guest vlan).

My backup ethernet cable is showing nothing but shorts so I suspect it was damaged in renovations.
Thus I used the current cable (from the D-Link switch to the Zyxel switch), plugged it directly into the cAP ac PoE device at one end and directly into ether3 of the hEX at the other end.
Same result no internet for the VLAN. :frowning: :frowning:
I did ensure that the Two WIFI networks worked from the cap AC in this configuration.
Only the Virtual AP running on the VLAN didnt work.
I want it to be clear that the Virtual AP worked fine without a VLAN in place.
I am posting the latest config for you to have a look at.
( I tried sniffing vlan traffic using packet sniffer on both hex and capAC and got zero hits not even a quark byte.)

HEX

# model = RouterBOARD 750G r3
/interface ethernet
set [ find default-name=ether5 ] comment=Port5 name=Bell_eth5 speed=100Mbps
set [ find default-name=ether1 ] comment=Port1 name=Eastlink_eth1 speed=\
    100Mbps
set [ find default-name=ether2 ] comment=LAN1-Home speed=100Mbps
set [ find default-name=ether3 ] comment=LAN1-Home speed=100Mbps
set [ find default-name=ether4 ] comment=LAN2-DMZ speed=100Mbps
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=HomeBridge \
    protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=HomeBridge name=GuestWifi_T&B_V100 vlan-id=100
add interface=Bell_eth5 name=vlanbell vlan-id=35
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp-HomeLAN ranges=192.168.0.33-192.168.0.254
add name=dhcp_DMZ ranges=192.168.2.2-192.168.2.100
add name=dhcp_WIFI_T&B ranges=192.168.100.5-192.168.100.50
/ip dhcp-server
add address-pool=dhcp-HomeLAN disabled=no interface=HomeBridge lease-time=1d \
    name=HoMeLAN
add address-pool=dhcp_DMZ disabled=no interface=ether4 lease-time=1d name=\
    DMZLAN
add address-pool=dhcp_WIFI_T&B disabled=no interface=GuestWifi_T&B_V100 \
    lease-time=1d name="Wifi-Guests T&B_Server"
/interface bridge port
add bridge=HomeBridge comment=defconf interface=ether2
add bridge=HomeBridge comment=defconf interface=ether3
/ip settings
set allow-fast-path=no icmp-rate-limit=100 rp-filter=loose
/interface bridge vlan
add bridge=HomeBridge tagged=ether2,HomeBridge,ether3 vlan-ids=100
/interface list member
add comment=defconf interface=HomeBridge list=LAN
add comment=defconf interface=Eastlink_eth1 list=WAN
add interface=vlanbell list=WAN
add interface=ether4 list=LAN
add interface=ether3 list=LAN
/ip address
add address=192.168.0.1/24 interface=HomeBridge network=192.168.0.0
add address=192.168.2.1/24 interface=ether4 network=192.168.2.0
add address=192.168.100.0/24 interface=GuestWifi_T&B_V100 network=\
    192.168.100.0
/ip dhcp-server network
add address=192.168.0.0/24 comment=HomeLAN_Network dns-server=192.168.0.1 \
    gateway=192.168.0.1
add address=192.168.2.0/24 comment=DMZLan_Network dns-server=192.168.2.1 \
    gateway=192.168.2.1
add address=192.168.100.0/24 comment=Guests_T&B dns-server=192.168.100.1 \
    gateway=192.168.100.1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="DROP ALL ELSE" log-prefix=\
    "INPUT DROP ALL"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
    HomeBridge log-prefix="ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=WAN \
    src-address=192.168.0.0/24
add action=accept chain=forward comment="ENABLE DMZ to WAN" in-interface=\
    ether4 log=yes log-prefix="ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=\
    WAN src-address=192.168.2.0/24
add action=accept chain=forward comment="ENABLE VLAN100 to WAN" in-interface=\
    GuestWifi_T&B_V100 log=yes log-prefix="ALLOWED GuestVLAN TRAFFIC" \
    out-interface-list=WAN src-address=192.168.100.0/24
add action=accept chain=forward comment=\
    "Allow Port Forwarding -  DSTNAT" connection-nat-state=dstnat
add action=accept chain=forward comment=Admin_for_Septic dst-address=\
    192.168.2.0/24 in-interface=HomeBridge src-address=192.168.0.xx
add action=drop chain=forward comment=\
    "DROP ALL other  FORWARD traffic" log=yes log-prefix=\
    "FORWARD DROP ALL"
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN Users" \
    ipsec-policy=out,none out-interface=Eastlink_eth1
add action=masquerade chain=srcnat comment="SCR_NAT FOR LAN USERS" \
    out-interface=vlanbell
add action=redirect chain=dstnat comment=\
    "Force Users to Router for DNS - TCP" disabled=yes dst-port=53 protocol=\
    tcp
add action=redirect chain=dstnat comment=\
    "Force Users to Router for DNS - UDP" disabled=yes dst-port=53 protocol=\
    udp

CapAC

# model = RouterBOARD cAP Gi-5acD2nD
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] disabled=yes speed=100Mbps
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=GuestWifi_T&B_V100 vlan-id=100
/interface list
add name=WAN
add name=LAN
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country=canada disabled=no distance=indoors frequency=\
    auto mode=ap-bridge name=Basement_WIFI security-profile=BasementLogin \
    ssid=TT_B wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan1 ] disabled=no distance=indoors frequency=2462 \
    mode=ap-bridge name=DevicesAP security-profile=RemoteDevicesBasement \
    ssid=RD1 wireless-protocol=802.11 wps-mode=disabled
add disabled=no mac-address=master-interface=Basement_WIFI \
    name=Basement_Guests security-profile=Guests_T&B ssid=Guests_T&B vlan-id=\
    100 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=\
    disabled
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=DevicesAP [my 2.4ghz network]
add bridge=bridge comment=defconf interface=Basement_WIFI [my 5ghz network]
add bridge=bridge interface=Basement_Guests [my virtual AP]
/interface bridge vlan
add bridge=bridge tagged=Basement_Guests,ether1 vlan-ids=100
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=Basement_WIFI list=LAN
add interface=DevicesAP list=LAN
add interface=Basement_Guests list=LAN
add interface=GuestWifi_T&B_V100 list=LAN
/interface wireless access-list
add mac-address=
add mac-address=
add interface=DevicesAP mac-address= vlan-mode=no-tag

What other information can I provide from both devices or packet sniffer tests etc, that I can run that can assist in troubleshooting??

Found this:

/ip address
add address=192.168.0.1/24 interface=HomeBridge network=192.168.0.0
add address=192.168.2.1/24 interface=ether4 network=192.168.2.0
add address=192.168.100.0/24 interface=GuestWifi_T&B_V100 network=
192.168.100.0

Unless it’s a typo in the post, looks like a reason to me :slight_smile:

Well &^%^ me! Awesome pickup.
When you come to Canada, I will have a cold beer waiting for you, heck a whole case for all the trouble I have put your through for one little typo.
I will fix and try right away!

Okay, partial success!!!
I now get an IP and connect to the router through the capAC.
However no internet connection (unable to browse).
Perhaps now I will invoke logging rules and use packet sniffer to see what is going on.

A quick look at the logs shows the IP being assigned and then Forward Drop rules being applied to the traffic.
Upon closer inspection it is dropping traffic from 192.168.100.xx (my smartphone) to an address on my home LAN, 192.168.0.xx
(this is actually a good thing as it is supposed to be dropped).

No indication of any other traffic.

I think the reason is that you force everybody to use your router as DNS server, but haven’t allowed Guest VLAN clients to use it :slight_smile:

Hi xvo,
I have looked at Wireshark (sniffer tool output) and I see the DHCP ACK, which confirms IP assignment.
Then you are correct, there looks to be a DNS problem.
However, if you look at my DSTNAT RULES, the force DNS rules are currently inactive (DISABLED) for troubleshooting purposes:

/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN Users" \
    ipsec-policy=out,none out-interface=Eastlink_eth1
add action=masquerade chain=srcnat comment="SCR_NAT FOR LAN USERS" \
    out-interface=vlanbell
add action=redirect chain=dstnat comment=\
    "Force Users to Router for DNS - TCP" disabled=yes dst-port=53 protocol=\
    tcp
add action=redirect chain=dstnat comment=\
    "Force Users to Router for DNS - UDP" disabled=yes dst-port=53 protocol=\
    udp

{On my packet sniffer outputs}
(1) What I am seeing is (lines shaded in blue) many internet requests (most of them DNS requests) as follows:

a. the ones I am doing myself through the browser (google, yahoo etc) to try and reach search engine sites and
b. the hidden stuff one's effing phone does on your behalf (firehose.us-east-1.amazonaws.com, api.instabridge.com, icloud.com, ...)
One that I have no clue about…
c. "192.168.100.50","224.0.0.251","MDNS","154","Standard query 0x0000 PTR _companion-link._tcp.local, "QU" question PTR _homekit._tcp.local, "QU" question PTR _sleep-proxy._udp.local, "QU" question OPT"
another that I have no clue about
d. "192.168.100.50","224.0.0.251","IGMPv2","56","Membership Report group 224.0.0.251"

(2) Then I am seeing many lines (shaded in pink) which are ICMP requests/replies/ between the smart phone and the router.

a. "192.168.100.50","192.168.100.1","ICMP","122","Echo (ping) request id=0x002a, seq=0/0, ttl=64 (reply in 25)"
b. "192.168.100.1","192.168.100.50","ICMP","122","Echo (ping) reply id=0x002a, seq=0/0, ttl=64 (request in 24)"

So, am I having DNS issues or ICMP issues?
It's not quite clear here what is going on, as the other WiFi networks on the cAP ac have no issues gaining access to the internet.

OH I am blind as a bat…
I have to include ALLOW DNS queries to the VLAN as well in my input rules.
Thanks for helping the IT cripple. :slight_smile:

:laughing:

Okay, it worked but I am confused.

I added the guest vlan to the interface list for LAN and voila magic it worked.
BUT…
I already had.
a. homebridge on the lan interface list
b. ether2 on the lan interface list
c. ether3 on the lan interface list
d. ether4 on the lan interface list

Since ether2, ether3 and the vlan are on the homebridge AND
Since the vlan is also on ether 2 (or latest testing 3)
WHY DO I NEED TO ADD VLAN TO INTERFACE LIST TO GET INTERNET CONNECTIVITY FOR A RULE THAT STATES LAN INTERFACE LIST???

in actuality I think I should only need to identify
homebridge (which covers ether2, ether3 and Vlan)
ether4 (for the dmz)

Nope.
You need homebridge, ether4 and VLAN:
ether2 and ether3 are slave interfaces of the bridge, so they don't make any difference,
but the VLAN interface has its own IP config - that was the whole point: to make it independent from the bridge.
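
The four things that went wrong in this thread (a network address typed where a host address belongs, the guest VLAN interface left out of the LAN list that the input rules match on, vlan-filtering left unchecked so the bridge VLAN rows are ignored, and a bridge-hosted VLAN whose bridge VLAN row does not tag the bridge itself) can all be spotted mechanically in an `/export`. The following is an added example written for this page, not code from the thread or from MikroTik: a small linter over RouterOS export text. SAMPLE_EXPORT is a constructed fragment modelled on the hEX config above with interface names of my own choosing (GuestWifi_V100, IoT_V200), and the continuation-line and quoting handling is what is needed for the export format as it appears in the posts, nothing more.

```python
"""Lint a RouterOS /export for the configuration mistakes seen in this thread.
Added example; SAMPLE_EXPORT is a constructed fragment, not a real device."""
import ipaddress
import shlex

# Constructed sample: GuestWifi_V100 has a network address instead of a host
# address, is missing from the LAN list, and sits on a bridge whose
# vlan-filtering is still off; IoT_V200's bridge row does not tag the bridge.
SAMPLE_EXPORT = r"""
/interface bridge
add name=HomeBridge protocol-mode=none vlan-filtering=no
/interface vlan
add interface=HomeBridge name=GuestWifi_V100 vlan-id=100
add interface=HomeBridge name=IoT_V200 vlan-id=200
/interface bridge vlan
add bridge=HomeBridge tagged=ether2,HomeBridge vlan-ids=100
add bridge=HomeBridge tagged=ether2 vlan-ids=200
/interface list member
add comment=defconf interface=HomeBridge list=LAN
add interface=ether4 list=LAN
/ip address
add address=192.168.0.1/24 interface=HomeBridge network=192.168.0.0
add address=192.168.2.1/24 interface=ether4 network=192.168.2.0
add address=192.168.100.0/24 interface=GuestWifi_V100 network=\
    192.168.100.0
/ip firewall filter
add action=accept chain=input comment="Allow LAN DNS queries - UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
"""


def parse_export(text):
    """Return (section, verb, {key: value}) for every add/set line.
    Lines ending in a backslash are joined with the indented line that follows."""
    entries, section, buf = [], None, None
    for raw in text.splitlines():
        part = raw.lstrip() if buf is not None else raw
        if part.endswith("\\"):
            buf = (buf or "") + part[:-1]
            continue
        line = ((buf or "") + part).strip()
        buf = None
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)  # keeps comment="quoted text" as one token
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        entries.append((section, tokens[0], props))
    return entries


def network_addresses(entries):
    """/ip address rows whose host part is all zeros (the typo in the thread)."""
    bad = []
    for section, _, p in entries:
        if section == "/ip address" and "address" in p:
            iface = ipaddress.ip_interface(p["address"])
            if iface.network.prefixlen < 31 and iface.ip == iface.network.network_address:
                bad.append((p.get("interface"), p["address"]))
    return bad


def addressed_interfaces_not_in(entries, list_name):
    """Interfaces that carry an IP address but are not members of list_name.
    Bridge slave ports never carry an address, so they never show up here;
    a VLAN interface is its own L3 interface and must be listed explicitly."""
    members = {p["interface"] for s, _, p in entries
               if s == "/interface list member" and p.get("list") == list_name}
    addressed = {p["interface"] for s, _, p in entries
                 if s == "/ip address" and "interface" in p}
    return sorted(addressed - members)


def ignored_bridge_vlans(entries):
    """Bridges with /interface bridge vlan rows but vlan-filtering not 'yes';
    RouterOS ignores those rows until the checkbox is ticked."""
    filtering = {p.get("name"): p.get("vlan-filtering", "no")
                 for s, _, p in entries if s == "/interface bridge"}
    used = {p["bridge"] for s, _, p in entries if s == "/interface bridge vlan"}
    return sorted(b for b in used if filtering.get(b, "no") != "yes")


def vlan_interfaces_without_bridge_tag(entries):
    """/interface vlan hosted on a bridge whose bridge-vlan row does not list the
    bridge itself as tagged, so the router's own address on that VLAN is cut off."""
    bridges = {p.get("name") for s, _, p in entries if s == "/interface bridge"}
    tagged = {}
    for s, _, p in entries:
        if s == "/interface bridge vlan":
            for vid in p.get("vlan-ids", "").split(","):
                tagged.setdefault((p["bridge"], vid), set()).update(p.get("tagged", "").split(","))
    return [p["name"] for s, _, p in entries
            if s == "/interface vlan" and p["interface"] in bridges
            and p["interface"] not in tagged.get((p["interface"], p["vlan-id"]), set())]


if __name__ == "__main__":
    found = parse_export(SAMPLE_EXPORT)
    print("network address as host address:", network_addresses(found))
    print("addressed but not in LAN list:  ", addressed_interfaces_not_in(found, "LAN"))
    print("bridge vlan rows ignored on:    ", ignored_bridge_vlans(found))
    print("bridge not tagged for:          ", vlan_interfaces_without_bridge_tag(found))
```

Run it against `/export` output pasted into a file in place of SAMPLE_EXPORT. The LAN-list check reports every addressed interface that is not in the list, so a WAN interface with a static address will also appear there; that is expected and is exactly the distinction the input rules rely on.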

Good to know, now I can add the other VLANs I have been planning.

Much thanks!
Forget the Ghost Busters, call XVO!!