Basic Trunk / VLAN config... another one!

Hi
I recently bought the hAP ac2 and updated it to the latest version: RouterOS 7.1.1

In order to get familiar with the Router my goal was to

  • configure the GW → achieved
  • create VLANs → achieved
  • create DHCP for each VLAN → achieved

The next step is to create a trunk on ether2 (as it would be for a VMware host connected to it) and define an access port (ether5) for management.

I started to read some docs

As my scenario is close to the Router-Switch-AP (all in one) example, I was surprised to discover that even copy-pasting those examples, it does not work (the computer connected to port ether5 does not get an IP from DHCP, and even with a manual IP configuration there is no way to get the router to answer pings to 192.168.19.1). Is it due to the fact that this router has the Atheros 8327? (I read somewhere that the VLAN header is managed differently.)

The DHCP config (and ping to the GW) is working as soon as the DHCP server is installed on an etherX interface, but as soon as I install it on any VLAN interface… nothing (no IP from DHCP, no ping, no RouterOS connection via MAC).
As I expect to set up the same VLAN on several physical interfaces (e.g. management), the DHCP server has to be at this level.


#
/interface bridge
add name=bridge1

/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes
add bridge=bridge1 interface=ether5 hw=yes

#set bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]

/interface ethernet switch vlan
add ports=ether2 switch=switch1 vlan-id=200
add ports=ether2,ether5,bridge1 switch=switch1 vlan-id=99

/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=add-if-missing
set ether5 vlan-mode=secure vlan-header=always-strip default-vlan-id=99

/interface vlan
add name=vlan200  interface=bridge1  vlan-id=200
add name=vlan_base  interface=bridge1  vlan-id=99

/ip pool
add name=pool200 ranges=192.168.10.201-192.168.10.250
add name=pool_base ranges=192.168.19.201-192.168.19.250

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=9.9.9.9 gateway=192.168.10.1 
add address=192.168.19.0/24 dns-server=9.9.9.9 gateway=192.168.19.1 

/ip dhcp-server
add address-pool=pool200 interface=vlan200 name=dhcp200
add address-pool=pool_base interface=vlan_base name=dhcp_base

/ip address
add address=192.168.249.2/30 interface=ether1
add address=192.168.10.1/24 interface=vlan200
add address=192.168.19.1/24 interface=vlan_base 

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.249.1 routing-table=main suppress-hw-offload=no

Could you please help me get VLAN and DHCP working; any comments would be appreciated.

Thanks

Check out LINK C.- https://forum.mikrotik.com/viewtopic.php?t=182373

First of all, thank you for your help.

However, as explained previously, there is something I miss with link C: adjusting the config of “Router AP all in one”, all ports (WLAN or LAN) are locked. As soon as I activate VLAN at bridge level, the router:

  • is not reachable with ping (static IP)
  • DHCP is not working
  • connecting with MAC is not possible

and this for any of the ethernet or wlan ports.

#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="RouterSwitchAP"


#######################################
# VLAN Overview
#######################################

# 10 = BLUE
# 20 = GREEN
# 99 = BASE (MGMT) VLAN


#######################################
# WIFI Setup
#
# Example wireless settings only. Do
# NOT use in production!
#######################################

# Blue SSID
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless set [ find default-name=wlan1 ] ssid=BLUE frequency=auto mode=ap-bridge disabled=no

# Optional: BASE SSID, admin level access to Winbox the device. Use a local ethernet port if preferred.
/interface wireless security-profiles add name=Base authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless add name=wlan3 ssid=BASE master-interface=wlan1 security-profile=Base disabled=no


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no


#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Blue VLAN
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=wlan1  pvid=10

# Green VLAN
add bridge=BR1 interface=ether4 pvid=20

# BASE_VLAN
add bridge=BR1 interface=wlan3 pvid=99
add bridge=BR1 interface=ether5 pvid=99

# egress behavior, handled automatically

# L3 switching so Bridge must be a tagged member
/interface bridge vlan
set bridge=BR1 tagged=BR1 [find vlan-ids=10]
set bridge=BR1 tagged=BR1 [find vlan-ids=20]
set bridge=BR1 tagged=BR1 [find vlan-ids=99]


#######################################
# IP Addressing & Routing
#######################################

# LAN facing router's IP address on the BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.1/24 interface=BASE_VLAN

# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes servers="9.9.9.9"

# Yellow WAN facing port with IP Address provided by ISP
/ip address add interface=ether1 address=192.168.249.2/30 network=192.168.249.0

# router's gateway provided by ISP
/ip route add distance=1 gateway=192.168.249.1


#######################################
# IP Services
#######################################

# Blue VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=10
/ip address add interface=BLUE_VLAN address=10.0.10.1/24
/ip pool add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP disabled=no
/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1

# Green VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=GREEN_VLAN vlan-id=20
/ip address add interface=GREEN_VLAN address=10.0.20.1/24
/ip pool add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP disabled=no
/ip dhcp-server network add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1

# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature for an admin.
/ip pool add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
/ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP disabled=no
/ip dhcp-server network add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1


#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE

/interface list member
add interface=ether1     list=WAN
add interface=BASE_VLAN  list=VLAN
add interface=BLUE_VLAN  list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN  list=BASE

# VLAN aware firewall. Order is important.
/ip firewall filter


##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan Full Access"

add chain=input action=drop comment="Drop"

##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop"

##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"


#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]

#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes

Could you please guide me in the right direction.

thanks

Use an off bridge port to configure so any burps will not affect your connection etc.
https://forum.mikrotik.com/viewtopic.php?t=181718

As for reviewing your config, sure, but in the config format, not the article format:
/export hide-sensitive file=anynameyouwish

Hi anav,

thank you for your patience…

Here is my updated config, taking into consideration your comments about keeping ether5 out of the bridge:

# jan/02/1970 00:18:02 by RouterOS 7.1.1
# software id = L7ZV-Q83I
#
# model = RBD52G-5HacD2HnD

/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=ether5-access
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=auto mode=ap-bridge \
    ssid=BLUE
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
add name=BASE
add name=Trusted
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=Base \
    supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=2E:C8:1B:F4:11:82 master-interface=wlan1 name=\
    wlan3 security-profile=Base ssid=BASE
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan3 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=99
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=ether5-access list=BASE
add interface=BASE_VLAN list=BASE
add interface=ether5-access list=Trusted
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=192.168.249.2/30 interface=ether1 network=192.168.249.0
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=GREEN_VLAN network=10.0.20.0
add address=192.168.5.1/24 interface=ether5-access network=192.168.5.0
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.249.1
/system identity
set name=RouterSwitchAP
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

Very nice,
I am assuming your vlan99 is the home lan where the Admin resides all the time.

(1) Since you have BASE, that is your trusted subnet, and thus you can remove your extra Trusted list, which is a duplicate… the following items, in orange, are not required.

/interface list
add name=WAN
add name=VLAN
add name=BASE

add name=Trusted

/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=ether5-access list=BASE
add interface=BASE_VLAN list=BASE

add interface=ether5-access list=Trusted

The right thing here is the fact that you added ether5 to the BASE interface list!!

(2) Firewall input chain rules need work. The only access to the router required is for the trusted subnet; everyone else only requires such things as DNS services, so here it goes:
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow Base_Vlan" in-interface-list=BASE protocol=tcp dst-port=winboxport
add action=accept chain=input in-interface-list=VLAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=VLAN dst-port=53 protocol=udp
add action=drop chain=input comment=Drop

Note: Caution - Prior to changing input rules, it is safest to unhook the ethernet cable from the WAN side, and then disable the ‘drop all’ rule temporarily. That way you are less likely to lock yourself out. More than once I monkeyed with the allow rules for admin and locked myself out. :slight_smile:
Note: For future exports of configs on the forums, remove the actual Winbox port number and use a fake number or simply replace it with text.


(3) Firewall Forward chain needs a bit of work.
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="Internet" in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop

Note the above assumes you are not doing any port forwarding. If you do later, the following rule needs to be added before the drop rule.
add action=accept chain=forward connection-nat-state=dstnat

(5) Have you tried accessing the router on ether5 by setting the ipv4 dhcp of the laptop to 192.168.5.5 netmask 255.255.255.0 yet??
Remember your Winbox entry will be 192.168.5.1:Winboxport

Thank you again.

So after your corrections, there are still some bugs :frowning:

Summary of the situation: the router will play the role of “switch-router-AP all in one”, using the (famous) “Link C”. I would like to simulate 3 VLANs:

  • each one accessing the internet
  • each one locked inside its own VLAN
  • except for the “basic” one (99), which should be able to reach any host (even the router)
  • port ether5 will only be used during the configuration

What is working:

  • from ether5 with a fixed IP address I can connect to the router with Winbox
  • the router has access to the internet

What is not working:

  • no DHCP is providing an IP (neither blue nor green) for any PC connected to any port (ether2, ether3, ether4, wlan1, wlan3)
  • even specifying manually a valid IP on each VLAN, a PC connected to ether2, 3 or 4 is not able to ping its gateway or reach the internet

Here is how my config looks after the last corrections:

# jan/02/1970 00:35:40 by RouterOS 7.1.1
# software id = L7ZV-Q83I
#
# model = RBD52G-5HacD2HnD

/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=ether5-access
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=auto mode=ap-bridge \
    ssid=BLUE
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=Base \
    supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=2E:C8:1B:F4:11:82 master-interface=wlan1 name=\
    wlan3 security-profile=Base ssid=BASE
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=99
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=ether5-access list=BASE
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=192.168.249.2/30 interface=ether1 network=192.168.249.0
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=GREEN_VLAN network=10.0.20.0
add address=192.168.5.1/24 interface=ether5-access network=192.168.5.0
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow Base_Vlan" dst-port=8291 \
    in-interface-list=BASE protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=VLAN protocol=udp
add action=drop chain=input comment=Drop
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment=Internet in-interface-list=VLAN \
    out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.249.1
/system identity
set name=RouterSwitchAP
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

thanks

You are missing any /interface bridge vlan entries, so there is no connection between the bridge-to-CPU interface and the /interface vlan entries.

Yes, but I don't blame the OP for that. It's the fallout of 'experts' who posture that one doesn't need to manually insert the untagged ports because it's automagically done dynamically.
So then we see the results of relying on 'transparent' approaches. This thinking should be reserved for experienced admins. I don't know how many times one needs to prove a point LOL.

Let's consult the GUIDE for the all-in-one; this is the appropriate section.

# egress behavior, handled automatically

# L3 switching so Bridge must be a tagged member
/interface bridge vlan
set bridge=BR1 tagged=BR1 [find vlan-ids=10]
set bridge=BR1 tagged=BR1 [find vlan-ids=20]
set bridge=BR1 tagged=BR1 [find vlan-ids=99]

What this is saying is the following:
a. Egress behaviour refers to return traffic! Remember that when the 'dumb' devices/users on the VLAN send traffic, like from a PC, it's not tagged, therefore the router tags the traffic upon ingress into the port (since the admin set the PVID in bridge ports). The egress stripping of said tags back to the PC, or the UNTAGGING, is done automatically because the router is aware of the PVID setting used on the ingress side of the house.

b. L3 switching refers to the fact that the router has an L3 connection to all these VLANs (for firewall rules etc.) and thus they need to be tagged at the bridge.

Thus the missing part of the config is as follows:
/interface bridge vlan
set bridge=BR1 tagged=BR1 vlan-ids=10
set bridge=BR1 tagged=BR1 vlan-ids=20
set bridge=BR1 tagged=BR1 vlan-ids=99

I prefer manually inserting the untagging so that I can visually cross-check my bridge ports to ensure they line up. Keep in mind that without the manual insertion the interface bridge vlan settings won't show up in a config export, as they are created on the fly...

/interface bridge vlan
set bridge=BR1 tagged=BR1 untagged=ether2,wlan1 vlan-ids=10
set bridge=BR1 tagged=BR1 untagged=ether4 vlan-ids=20
set bridge=BR1 tagged=BR1 untagged=ether3 vlan-ids=99

Final question: to ensure the base VLAN has access to other hosts, add this rule BEFORE the drop rule in the forward chain.

add chain=forward action=accept in-interface-list=BASE out-interface-list=VLAN

Hi,

You can imagine that I was excited to get my connection issue solved, once and for all, implementing your last corrections…
but it is still not working (PCs do not receive any IP from DHCP; even with a fixed IP there is no way to reach the internet nor the router (in BASE VLAN), same as since the beginning).

At least setting ether5 as “off bridge” avoids losing the whole config each time.

Maybe what is wrong in my configuration is the assumption I made about what you said:
1. I did not write this section:

/interface bridge vlan
set bridge=BR1 tagged=BR1 vlan-ids=10
set bridge=BR1 tagged=BR1 vlan-ids=20
set bridge=BR1 tagged=BR1 vlan-ids=30

as I followed your recommendation:

/interface bridge vlan 
set bridge=BR1 tagged=BR1 untagged=ether2,wlan2 vlan-ids=10 
set bridge=BR1 tagged=BR1 untagged=ether4 vlan-ids=20  
set bridge=BR1 tagged=BR1 untagged=ether3,wlan1 vlan-ids=99

2. As RouterOS asked me for “numbers” for each command line “set bridge=BR1 tagged …”, and I continued to get the connection issue,
I tried as well:

set bridge=BR1 tagged=BR1 untagged=ether2,wlan2 vlan-ids=10 [ find bridge=BR1 vlan-ids=10 ] 
set bridge=BR1 tagged=BR1 untagged=ether4 vlan-ids=20 [ find bridge=BR1 vlan-ids=20 ] 
set bridge=BR1 tagged=BR1 untagged=ether3,wlan1 vlan-ids=99  [ find bridge=BR1 vlan-ids=99 ]

In the end the whole config now looks like this (I guess due to what you explained about dynamic entries, this part does not appear in the export):

# feb/10/2022 23:48:00 by RouterOS 7.1.1
# software id = L7ZV-Q83I
#
# model = RBD52G-5HacD2HnD
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=ether5-access
/interface wireless
set [ find default-name=wlan1 ] country=spain disabled=no frequency=auto \
    installation=indoor mode=ap-bridge ssid=BASE
set [ find default-name=wlan2 ] country=spain disabled=no frequency=auto \
    installation=indoor mode=ap-bridge ssid=BLUE
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan1 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=99
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=ether5-access list=BASE
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=192.168.249.2/30 interface=ether1 network=192.168.249.0
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=GREEN_VLAN network=10.0.20.0
add address=192.168.5.1/24 interface=ether5-access network=192.168.5.0
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1

/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Base -> Winbox" dst-port=8291 \
    in-interface-list=BASE protocol=tcp
add action=accept chain=input comment="VLAN -> DNS tcp" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="VLAN -> DNS udp" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=drop chain=input comment=Drop
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Base -> VLANs" in-interface-list=\
    BASE out-interface-list=VLAN
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="VLAN  -> Internet" \
    in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.249.1

/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=RouterSwitchAP
/system ntp client
set enabled=yes
/system ntp client servers
add address=130.206.3.166
add address=150.214.94.5
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

Thank you for your help!
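As an added check that is not part of this thread: a small Python script that parses a RouterOS export in the format above (trailing-backslash line wraps, `/section` headers, `add`/`set` commands) and reports every VLAN that a bridge with vlan-filtering carries (a bridge port PVID or an /interface vlan on the bridge) but that has no static /interface bridge vlan entry with the bridge itself tagged, plus untagged members that do not match the PVIDs (anav's "visual cross-check", done by code). The sample export is constructed to mirror the one above, where the `set` commands left no static entry, and a second copy with the section written using `add`.

```python
import re

# Constructed excerpt in the format of the exports above: BR1 with vlan-filtering on,
# bridge ports with PVIDs and /interface vlan on BR1, but the bridge-vlan section
# written with 'set' (as typed in the thread), which creates no entry.
EXPORT_MISSING = """\
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\\
    ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\\
    wlan2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\\
    ether4 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\\
    wlan1 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\\
    ether3 pvid=99
/interface bridge vlan
set bridge=BR1 tagged=BR1 untagged=ether2,wlan2 vlan-ids=10
"""

# Same constructed excerpt with the bridge-vlan section written with 'add', BR1 tagged.
EXPORT_FIXED = EXPORT_MISSING.split("/interface bridge vlan")[0] + """\
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,wlan2 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether4 vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=ether3,wlan1 vlan-ids=99
"""

TOKEN = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_export(text):
    """Return (section, verb, {key: value}) for each add/set command in an export."""
    text = re.sub(r"\\\n\s*", "", text)            # undo trailing-backslash wraps
    section, commands = "", []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        verb = line.split(" ", 1)[0]
        body = re.sub(r"\[.*?\]", "", line)          # ignore [ find ... ] selectors
        args = {k: v.strip('"') for k, v in TOKEN.findall(body)}
        commands.append((section, verb, args))
    return commands


def vlan_ids(spec):
    """Expand a vlan-ids value such as '10', '10,20' or '30-32' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def members(spec):
    return {p for p in spec.split(",") if p}


def check_bridge_vlans(text):
    """List inconsistencies between bridge ports, /interface vlan and bridge vlan entries."""
    cmds = parse_export(text)
    findings = []
    bridges = sorted(a["name"] for s, v, a in cmds
                     if s == "/interface bridge" and a.get("vlan-filtering") == "yes")
    for br in bridges:
        pvid = {}                                    # vid -> access ports using it
        for s, v, a in cmds:
            if s == "/interface bridge port" and a.get("bridge") == br:
                pvid.setdefault(int(a.get("pvid", "1")), set()).add(a["interface"])
        routed = {int(a["vlan-id"]) for s, v, a in cmds
                  if s == "/interface vlan" and a.get("interface") == br}
        entries = {}                                 # vid -> (tagged, untagged)
        for s, v, a in cmds:
            if s != "/interface bridge vlan" or a.get("bridge") != br:
                continue
            if v != "add":                           # 'set' never creates an entry
                findings.append(f"{br}: '{v}' for vlan-ids={a.get('vlan-ids')} creates "
                                "no bridge vlan entry; use 'add'")
                continue
            for vid in vlan_ids(a["vlan-ids"]):
                entries[vid] = (members(a.get("tagged", "")), members(a.get("untagged", "")))
        for vid in sorted(routed | set(pvid)):
            if vid not in entries:
                findings.append(f"{br}: vlan {vid} has no static bridge vlan entry")
                continue
            tagged, untagged = entries[vid]
            if vid in routed and br not in tagged:
                findings.append(f"{br}: vlan {vid} is routed but {br} is not tagged")
            if untagged != pvid.get(vid, set()):    # untagged members vs. port PVIDs
                findings.append(f"{br}: vlan {vid} untagged {sorted(untagged)} != "
                                f"PVID ports {sorted(pvid.get(vid, set()))}")
    return findings


if __name__ == "__main__":
    for label, text in (("as typed", EXPORT_MISSING), ("fixed", EXPORT_FIXED)):
        print(label, check_bridge_vlans(text) or ["ok"])
```

Run it against the output of `/export` (or the command script before pasting it): an empty result means every VLAN the bridge routes has a static entry with the bridge tagged and the untagged members match the port PVIDs.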

I don't see any issues. :frowning:

The invalid rule in the forward chain should be right after the accept established rule,
and normally the DHCP server setting for DNS is the gateway IP of the subnet, but there is nothing wrong with using 192.168.0.1 like you have.

So out of ideas at the moment. Will look again in a bit just to make sure I'm not glossing over something.

Are you sure the router doesn't give you any warnings or indications anywhere of problems??

Yesterday I did not see any error writing the commands.
I'll go through the menus and check in the GUI if I notice something.

This is a test system; I'm free to change anything, please suggest.

thanks

I checked and there is no error (red parameter) in the whole config.
So, in order to try, I deactivated every “Drop” rule in the firewall, but still the same situation.
Basically, if I connect a device on ether2, I can see in the interface list a small amount of Rx data (512 bps), but the Tx rate remains at 0 (even without any drop rule in the firewall).

As it seems that my issue is not that simple to solve, I'll try to configure the router in “switch mode” for the VLAN routing…

Hi,

So in the end, instead of doing VLAN routing, I followed another way… VLAN using the switch chip.

In practice it seems to be working,

  1. But I would appreciate your opinion about the following config.
  2. Ask you how to configure WLAN1 and WLAN2 so that each one is part of its VLAN (99 and 10) as well as sharing its DHCP pool

ether2: Trunk
ether3: Base VLAN(99) - access port
ether4: VLAN20 - access port
ether5: used for configuration.
wlan1: Base VLAN(99)
wlan2: VLAN20

# feb/14/2022 23:36:42 by RouterOS 7.1.2
# software id = L7ZV-Q83I
#
# model = RBD52G-5HacD2HnD

/interface bridge
add name=BR1 protocol-mode=none

/interface ethernet
set [ find default-name=ether5 ] name=ether5-access

/interface wireless
set [ find default-name=wlan1 ] country=spain disabled=no frequency=auto \
    installation=indoor mode=ap-bridge ssid=BASE
set [ find default-name=wlan2 ] country=spain disabled=no frequency=auto \
    installation=indoor mode=ap-bridge ssid=BLUE

/interface vlan
add interface=BR1 name=vlan10 vlan-id=10
add interface=BR1 name=vlan20 vlan-id=20
add interface=BR1 name=vlan30 vlan-id=30
add interface=BR1 name=vlan40 vlan-id=40
add interface=BR1 name=vlan99 vlan-id=99

/interface ethernet switch port
set 1 default-vlan-id=99 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=99 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure

/interface list
add name=WAN
add name=VLAN
add name=BASE

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik

/ip pool
add name=VLAN10_POOL ranges=10.0.10.2-10.0.10.254
add name=VLAN20_POOL ranges=10.0.20.2-10.0.20.254
add name=BASE_POOL ranges=192.168.1.10-192.168.1.254
add name=VLAN30_POOL ranges=10.0.30.2-10.0.30.254
add name=VLAN40_POOL ranges=10.0.40.2-10.0.40.254

/ip dhcp-server
add address-pool=VLAN10_POOL interface=vlan10 name=VLAN10_DHCP
add address-pool=VLAN20_POOL interface=vlan20 name=VLAN20_DHCP
add address-pool=BASE_POOL interface=vlan99 name=BASE_DHCP
add address-pool=VLAN30_POOL interface=vlan30 name=VLAN30_DHCP
add address-pool=VLAN40_POOL interface=vlan40 name=VLAN40_DHCP

/interface bridge port
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4

/ip neighbor discovery-settings
set discover-interface-list=BASE

/interface ethernet switch vlan
add independent-learning=no ports=ether2,ether3,switch1-cpu switch=switch1 \
    vlan-id=99
add independent-learning=no ports=ether2,switch1-cpu switch=switch1 vlan-id=\
    10
add independent-learning=no ports=ether4,switch1-cpu switch=switch1 vlan-id=\
    20
add independent-learning=no ports=switch1-cpu switch=switch1 vlan-id=30
add independent-learning=no ports=switch1-cpu switch=switch1 vlan-id=40

/interface list member
add interface=ether1 list=WAN
add interface=vlan99 list=VLAN
add interface=vlan10 list=VLAN
add interface=vlan20 list=VLAN
add interface=vlan99 list=BASE
add interface=ether5-access list=BASE
add interface=vlan30 list=VLAN
add interface=vlan40 list=VLAN

/ip address
add address=192.168.1.1/24 interface=vlan99 network=192.168.1.0
add address=192.168.249.2/30 interface=ether1 network=192.168.249.0
add address=10.0.10.1/24 interface=vlan10 network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20 network=10.0.20.0
add address=192.168.5.1/24 interface=ether5-access network=192.168.5.0
add address=10.0.30.1/24 interface=vlan30 network=10.0.30.0
add address=10.0.40.1/24 interface=vlan40 network=10.0.40.0

/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=199.85.126.30 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=192.168.0.1 gateway=10.0.40.1
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1

/ip dns
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1

/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Base -> Winbox" dst-port=8291 \
    in-interface-list=BASE protocol=tcp
add action=accept chain=input comment="VLAN -> DNS tcp" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="VLAN -> DNS udp" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=drop chain=input comment=Drop
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Base -> VLANs" in-interface-list=\
    BASE out-interface-list=VLAN
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="VLAN  -> Internet" \
    in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop

/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN

/ip route
add distance=1 gateway=192.168.249.1

/system clock
set time-zone-name=Europe/Madrid

/system identity
set name=RouterSwitchAP

/system ntp client
set enabled=yes

/system ntp client servers
add address=130.206.3.166
add address=150.214.94.5

/system routerboard settings
set cpu-frequency=auto

/tool mac-server
set allowed-interface-list=BASE

/tool mac-server mac-winbox
set allowed-interface-list=BASE

To be Frank (Francisco or Paco), I don't have any experience with the switch chip method.
In bridge VLAN filtering the connection of a VLAN to a WLAN is made in the bridge port settings (PVID and interface). Clearly it's different on the switch chip setup.

These are good videos but I'm not sure if they address your questions. :(

https://www.youtube.com/watch?v=Rj9aPoyZOPo&t=19s
https://www.youtube.com/watch?v=4BOYqtV4MCY

Thanks anav for the videos.

Is the config the actual config from your device or is it some concept yet to be applied? If the former, it seems that this config is redacted, and without seeing the complete setup it's hard to comment.

But anyway: the config seems more or less fine. To make a wlan part of the selected VLANs, you have to

  1. add wlan1 and wlan2 interfaces to bridge as ports
  2. set properties vlan-id= vlan-mode=use-tag on both wlan interfaces

Thank you anav and mkx for your help!

What was missing for the Wi-Fi was what "mkx" said:

set properties vlan-id= vlan-mode=use-tag on both wlan interfaces

How can something that important be hidden in Winbox? (You have to click on Advanced to get access to it.)

Anyway, thanks to this case I learned a lot. If it can help somebody else, or if anybody wants to improve it…
Here is the whole config:

# software id = L7ZV-Q83I
#
# model = RBD52G-5HacD2HnD
/interface bridge
add name=BR1 protocol-mode=none
/interface ethernet
set [ find default-name=ether5 ] name=ether5-access
/interface wireless
set [ find default-name=wlan1 ] country=spain disabled=no frequency=auto \
    installation=indoor mode=ap-bridge ssid=BASE vlan-id=99 vlan-mode=use-tag
set [ find default-name=wlan2 ] country=spain disabled=no frequency=auto \
    installation=indoor mode=ap-bridge ssid=BLUE vlan-id=10 vlan-mode=use-tag
/interface vlan
add interface=BR1 name=vlan10 vlan-id=10
add interface=BR1 name=vlan20 vlan-id=20
add interface=BR1 name=vlan30 vlan-id=30
add interface=BR1 name=vlan40 vlan-id=40
add interface=BR1 name=vlan99 vlan-id=99
/interface ethernet switch port
set 1 default-vlan-id=0 vlan-mode=secure
set 2 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=VLAN10_POOL ranges=10.0.10.2-10.0.10.254
add name=VLAN20_POOL ranges=10.0.20.2-10.0.20.254
add name=BASE_POOL ranges=192.168.1.101-192.168.1.254
add name=VLAN30_POOL ranges=10.0.30.2-10.0.30.254
add name=VLAN40_POOL ranges=10.0.40.2-10.0.40.254
/ip dhcp-server
add address-pool=VLAN10_POOL interface=vlan10 name=VLAN10_DHCP
add address-pool=VLAN20_POOL interface=vlan20 name=VLAN20_DHCP
add address-pool=BASE_POOL interface=vlan99 name=BASE_DHCP
add address-pool=VLAN30_POOL interface=vlan30 name=VLAN30_DHCP
add address-pool=VLAN40_POOL interface=vlan40 name=VLAN40_DHCP
/interface bridge port
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
add bridge=BR1 interface=wlan1
add bridge=BR1 interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface ethernet switch vlan
add independent-learning=no ports=ether2,switch1-cpu switch=switch1 vlan-id=99
add independent-learning=no ports=ether2,switch1-cpu,ether3 switch=switch1 vlan-id=10
add independent-learning=no ports=switch1-cpu,ether4 switch=switch1 vlan-id=20
add independent-learning=no ports=switch1-cpu switch=switch1 vlan-id=30
add independent-learning=no ports=switch1-cpu,ether2 switch=switch1 vlan-id=40
/interface list member
add interface=ether1 list=WAN
add interface=vlan99 list=VLAN
add interface=vlan10 list=VLAN
add interface=vlan20 list=VLAN
add interface=vlan99 list=BASE
add interface=ether5-access list=BASE
add interface=vlan30 list=VLAN
add interface=vlan40 list=VLAN
/ip address
add address=192.168.1.1/24 interface=vlan99 network=192.168.1.0
add address=192.168.249.2/30 interface=ether1 network=192.168.249.0
add address=10.0.10.1/24 interface=vlan10 network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20 network=10.0.20.0
add address=192.168.5.1/24 interface=ether5-access network=192.168.5.0
add address=10.0.30.1/24 interface=vlan30 network=10.0.30.0
add address=10.0.40.1/24 interface=vlan40 network=10.0.40.0
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.1.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.1.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=199.85.126.30 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=192.168.1.1 gateway=10.0.40.1
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Base -> Winbox" dst-port=8291 \
    in-interface-list=BASE protocol=tcp
add action=accept chain=input comment="VLAN -> DNS tcp" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="VLAN -> DNS udp" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=drop chain=input comment=Drop
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Base -> VLANs" in-interface-list=\
    BASE out-interface-list=VLAN
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="VLAN  -> Internet" \
    in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.249.1
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=RouterSwitchAP
/system ntp client
set enabled=yes
/system ntp client servers
add address=130.206.3.166
add address=150.214.94.5
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

With this config (router used as "all-in-one" [router, switch, AP]):

  • DHCP server running on each VLAN
  • each VLAN has access to the internet
  • each VLAN is isolated to its own network
  • the BASE VLAN has access to any other VLAN
  • wlan1 and wlan2 are configured with VLANs
  • ether2 is a trunk
  • ether3, ether4 are in access mode
  • ether5 is "off bridge port" for configuration purposes
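The switch-chip setup above only works when three things line up: every VLAN the router serves DHCP on must include the CPU port in its `/interface ethernet switch vlan` entry (the missing CPU port is exactly why a DHCP server on a VLAN interface "silently" never answers), an access port with `vlan-header=always-strip` must be a member of its `default-vlan-id` VLAN and of no other, and every port in the VLAN table must be in `vlan-mode=secure`. The following script is an added example, not code from this thread or from MikroTik: it parses a RouterOS export in the format posted above and reports those inconsistencies. The switch-port index to interface-name mapping (port 0 = ether1, port 5 = switch1-cpu) is an assumption for the hAP ac2, and both sample exports are constructed for the example (the "bad" one drops the CPU port from VLAN 20 and adds an access port of VLAN 10 to it).

```python
"""Audit a RouterOS switch-chip VLAN export for the mistakes that make a VLAN
silently dead (no DHCP, no ping) or leaky (access port in several VLANs)."""

# Assumed switch-port index -> interface name for the hAP ac2: port 0 is ether1
# and the last index is the CPU port. Adjust for other boards.
PORT_NAMES = {0: "ether1", 1: "ether2", 2: "ether3", 3: "ether4",
              4: "ether5", 5: "switch1-cpu"}
CPU = "switch1-cpu"

# Constructed sample in the shape of the export above (relevant sections only).
GOOD_EXPORT = """\
/interface vlan
add interface=BR1 name=vlan10 vlan-id=10
add interface=BR1 name=vlan20 vlan-id=20
add interface=BR1 name=vlan99 vlan-id=99
/interface ethernet switch port
set 1 default-vlan-id=0 vlan-mode=secure
set 2 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure
/ip dhcp-server
add address-pool=VLAN10_POOL interface=vlan10 name=VLAN10_DHCP
add address-pool=VLAN20_POOL interface=vlan20 name=VLAN20_DHCP
add address-pool=BASE_POOL interface=vlan99 name=BASE_DHCP
/interface ethernet switch vlan
add independent-learning=no ports=ether2,switch1-cpu switch=switch1 \\
    vlan-id=99
add independent-learning=no ports=ether2,switch1-cpu,ether3 switch=switch1 vlan-id=10
add independent-learning=no ports=switch1-cpu,ether4 switch=switch1 vlan-id=20
"""

# Constructed broken variant: VLAN 20 loses the CPU port (the DHCP server on
# vlan20 never sees a request) and gains ether3, which is an access port of VLAN 10.
BAD_EXPORT = GOOD_EXPORT.replace(
    "ports=switch1-cpu,ether4 switch=switch1 vlan-id=20",
    "ports=ether3,ether4 switch=switch1 vlan-id=20")


def logical_lines(text):
    """Join the backslash line continuations that RouterOS exports use."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""


def parse_export(text):
    """Return (switch ports, switch VLAN table, /interface vlan ids, DHCP interfaces)."""
    section, ports, vlans, ifvlans, dhcp = None, {}, {}, {}, []
    for line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = line.split()
        args = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        if section == "/interface ethernet switch port" and tokens[0] == "set":
            ports[PORT_NAMES[int(tokens[1])]] = args
        elif section == "/interface ethernet switch vlan":
            vlans[int(args["vlan-id"])] = set(args["ports"].split(","))
        elif section == "/interface vlan":
            ifvlans[args["name"]] = int(args["vlan-id"])
        elif section == "/ip dhcp-server":
            dhcp.append(args["interface"])
    return ports, vlans, ifvlans, dhcp


def port_roles(text):
    """Map each configured switch port to (role, PVID, sorted member VLAN ids)."""
    ports, vlans, _, _ = parse_export(text)
    roles = {}
    for name, cfg in ports.items():
        pvid = int(cfg.get("default-vlan-id", 0))
        member = sorted(vid for vid, ps in vlans.items() if name in ps)
        if name == CPU:
            role = "cpu"
        elif cfg.get("vlan-header") == "always-strip":
            role = "access"   # clients send untagged frames; the tag comes from the PVID
        else:
            role = "trunk"    # tags pass through unchanged
        roles[name] = (role, pvid, member)
    return roles


def audit(text):
    """Return a sorted list of findings; an empty list means the export is consistent."""
    ports, vlans, ifvlans, dhcp = parse_export(text)
    findings = []
    # A VLAN the router serves DHCP on must reach the CPU port, otherwise the
    # requests never leave the switch chip (the symptom that started this thread).
    for iface in dhcp:
        vid = ifvlans.get(iface)
        if vid is not None and CPU not in vlans.get(vid, set()):
            findings.append(f"vlan {vid}: DHCP on {iface} but {CPU} is not in its switch VLAN entry")
    # Every port named in the VLAN table must be in vlan-mode=secure, otherwise
    # the table is not enforced on it.
    for vid, members in vlans.items():
        for p in members:
            if ports.get(p, {}).get("vlan-mode") != "secure":
                findings.append(f"{p}: listed in VLAN {vid} but vlan-mode is not secure")
    for name, (role, pvid, member) in port_roles(text).items():
        if role == "access":
            if pvid not in member:
                findings.append(f"{name}: access PVID {pvid} but port is not a member of VLAN {pvid}")
            extra = [v for v in member if v != pvid]
            if extra:
                findings.append(f"{name}: access port also carries VLANs {extra}, so tagged frames from the client are accepted")
        elif role == "trunk" and pvid:
            findings.append(f"{name}: trunk with PVID {pvid}, untagged frames would enter VLAN {pvid}")
    return sorted(findings)


if __name__ == "__main__":
    for label, export in (("good", GOOD_EXPORT), ("bad", BAD_EXPORT)):
        print(label, port_roles(export), audit(export) or "OK")
```

Run it against `/export` output from the router (with the sections it needs); the "good" sample reports no findings and classifies ether2 as the trunk and ether3/ether4 as access ports, while the "bad" sample flags both the CPU-less VLAN 20 and the access port that now sits in two VLANs.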