AX3 wifiwave2 VLAN

mantouboji · May 19, 2023, 7:07am

a new hAP-AX3, routeros 7.9

I want to build a guest WLAN with a vlan to seprate from main home network.

because Apple AirPort use 1003 as gueast vlan , so I choose it,too.

according to routeros documents, in RouterOS 7 use bridge vlan-filtering and bridge port tag are enough？

but I found that must both set datapath vlan-id and brigde ?

here is my configuration, welcome any suggestion.

/interface bridge
add admin-mac=48:A9:8A:0F:05:23 auto-mac=no comment=defconf \
    ingress-filtering=no name=bridge vlan-filtering=yes
/interface wifiwave2
/interface vlan
add comment=Guest interface=bridge name=vlan1_iot vlan-id=1003
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 security
add authentication-types=wpa-psk,wpa2-psk name=Guest
/interface wifiwave2
add comment="Guest wifi 5G" configuration.mode=ap .ssid=YFWIFI2_IOT \
    datapath.vlan-id=1003 disabled=no mac-address=4A:A9:8A:0F:05:27 \
    master-interface=wifi1 name=wifi3 security=Guest
add comment="Guest wifi 2.4G" configuration.mode=ap .ssid=YFWIFI2_IOT \
    datapath.vlan-id=1003 disabled=no mac-address=4A:A9:8A:0F:05:28 \
    master-interface=wifi2 name=wifi4 security=Guest
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.199
add name=pool_iot ranges=192.168.90.100-192.168.90.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1w name=defconf
add address-pool=pool_iot comment=Guest interface=vlan1_iot lease-time=1d \
    name=dhcp-iot
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge ingress-filtering=no interface=wifi3 pvid=1003
add bridge=bridge ingress-filtering=no interface=wifi4 pvid=1003
/interface bridge vlan
add bridge=bridge comment=Guest tagged=wifi3,wifi4,bridge vlan-ids=1003
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wg2 list=LAN
add interface=wg1 list=WAN
add interface=vlan1_iot list=LAN
/ip address
add address=192.168.90.1/24 comment=Guest interface=vlan1_iot network=\
    192.168.90.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
add address=192.168.90.0/24 comment=Guest dns-server=192.168.90.1 gateway=\
    192.168.90.1

holvoetn · May 19, 2023, 7:18am

Datapath is only to be used when you use capsman, a controller for managing multiple access points (MT proprietary).

Just like for ether-ports, add wifi ports to bridge with required VLAN settings. And that’s enough.

mantouboji · May 19, 2023, 7:24am

Are you sure?

I added them:

add bridge=bridge ingress-filtering=no interface=wifi3 pvid=1003
add bridge=bridge ingress-filtering=no interface=wifi4 pvid=1003

but without datapath.vlan-id, the clients can connect to WLAN and get DHCP address but can’t ping to anyone.

holvoetn · May 19, 2023, 7:30am

I’m sure, yes.
That’s how I have it setup already quite a while since I use VLANs on Wifi with AX3 and AX2 (and before AC3).
Never touched that datapath setting except for capsman experiments (it’s only when capsman config for wifiwave2 came available, that datapath setting came available too).

For me it is like this (AX3, only wifi itf shown):

add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=10
add bridge=bridge interface=wifi3 pvid=20

wifi3 is a slave of wifi2 for IoT purposes.

You also need to set the VLAN part of the bridge settings (my config):

/interface bridge vlan
add bridge=bridge tagged=ether1,bridge untagged=ether2,ether3,ether4 vlan-ids=2
add bridge=bridge tagged=bridge,ether1 vlan-ids=1
add bridge=bridge tagged=ether1 untagged=wifi2,wifi1 vlan-ids=10
add bridge=bridge tagged=ether1 untagged=wifi3 vlan-ids=20

ether1 is trunk to RB5009.

Please post full config between code quotes [ __], leave out serial number and public WAN IP so we can have a look.

mantouboji · May 19, 2023, 8:08am

I’m sure, yes.
That’s how I have it setup already quite a while since I use VLANs on Wifi with AX3 and AX2 (and before AC3).
Never touched that datapath setting except for capsman experiments (it’s only when capsman config for wifiwave2 came available, that datapath setting came available too).

For me it is like this (AX3, only wifi itf shown):
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=10
add bridge=bridge interface=wifi3 pvid=20
you use 3 VLANs? I only use two: the default 1 and guest 1003

If no any datapath.vlan_id , client will get a DHCP offer such as 192.168.90.199, but con’t ping to 192.168.90.1 ,

wifi3 is a slave of wifi2 for IoT purposes.

You also need to set the VLAN part of the bridge settings (my config):
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge untagged=ether2,ether3,ether4 vlan-ids=2
add bridge=bridge tagged=bridge,ether1 vlan-ids=1
add bridge=bridge tagged=ether1 untagged=wifi2,wifi1 vlan-ids=10
add bridge=bridge tagged=ether1 untagged=wifi3 vlan-ids=20
ether1 is trunk to RB5009.

Please post full config between code quotes [ __], leave out serial number and public WAN IP so we can have a look.

mantouboji · May 19, 2023, 8:16am

see my config
ax3.txt (2.91 KB)

holvoetn · May 19, 2023, 9:24am

Looks like you have a mix of VLAN and no-VLAN.
Your bridge is not set to only accept VLAN-tags but your non-IoT wifi interfaces are not VLAN aware.

My guess is that if you change this
/interface bridge
add admin-mac=48:A9:8A:0F:05:23 auto-mac=no comment=defconf
ingress-filtering=no name=bridge vlan-filtering=yes

To this
/interface bridge
add admin-mac=48:A9:8A:0F:05:23 auto-mac=no ingress-filtering=no name=bridge vlan-filtering=yes frame-types=admit-all

That it should work for IoT channels.
But it’s not a clean config.

Either go VLAN all the way, or don’t use it at all.

Now, for only 1 AP and only 1 (or 2) Guest networks, you do not need VLAN (it can be used but it is not required).
Simple DHCP server on interface and proper firewall rules will accomplish the same.

PS since you do not have any firewall right now on your device (unless your config is incomplete ?), it doesn’t make any sense either to use VLAN.
Everything can reach everything as it is now (from what you show as config …).

mantouboji · May 19, 2023, 12:28pm

OK.

it looks wifiwave2 is so different .

I change to use 2 bridges to run 2 networks .

holvoetn · May 19, 2023, 12:58pm

Errm … unless you REALLY know what you’re doing, don’t use 2 bridges.
If you do not know why it should or should not be done, you definitely don’t need it.

THAT I can fully agree with.
But if one has ever used capsman in the past (with legacy wifi), it’s not that different from what was used there.
So depending on your previous experience, wifiwave2 can be a real shock

mantouboji · May 19, 2023, 4:02pm

Maybe you are right, two bridges are very ugly, I don’t like at all.

In fact I have a RB4011 running ROS 7.9，no wifiwave2，two other vlans （one for guest and one for IoT），just use bridge vlan filtering, works very well.