I am just configuring some access points, with 2 SSIDs that have to break out to different VLANs on ether1.
I found multiple possibilities and hope you can help me to use the “easiest” one for the future:
Background:
SSID1 to vlan 10
SSID2 to vlan 20
Management on default VLAN 1 (untagged)
Confusing world for me. But have recently been doing some experiments.
With vlan-filtering=no, the WLAN connection works when tagged is used. (The bridge/switch did not consider the VLAN tag, and the WLAN is extracting the correct VLAN and untags.)
With vlan-filtering=yes the WLAN interface must be a tagged interface, and the port pvid not set to the VLAN number of the WLAN, but left on default. The WLAN is used as tagged.
With vlan-filtering=yes the WLAN interface can be untagged, but then the VLAN table must define the WLAN as an untagged interface for that specific VLAN, port pvid set to the same number.
Interesting reading was: https://wiki.mikrotik.com/wiki/Manual:Wireless_VLAN_Trunk.
(Not exactly this case, but at least a “bridge method” example.) “Since RouterOS v6.41 this can be done using bridge VLAN filtering and should be used instead of any other methods (including bridging VLAN interfaces)”
@mkx: On the hAP ac2 I could not use the management link from a tagged VLAN. (Not WLAN related). Delivering untagged traffic to an ether port with pvid equal to the bridge pvid did work.
Looks similar to the “switch method” struggle for mgmt link on the hAP ac2. (http://forum.mikrotik.com/t/vlan-set-a-port-to-untagged-using-switch-chip/143382/1)
@bpw, VLANs are indeed one of moot points in ROS. I’ve managed to get around by going strictly tagged inside device, which means management is on VLAN interface as well.
The later config works for me just fine (in RBD52G as well). Plus this makes bridge config more uniform, all L3 setup is done on top of VLAN interfaces, management being no exception.
Things are not that confusing. It’s simple: packet, coming untagged from wireless, has to be tagged and only once.
It can either be tagged by wireless interface (by having vlan-mode=use-tag vlan-id=XX) or by bridge (having pvid=XX set on member port wlan).
If one decides to get it tagged by wireless interface, then bridge has to leave tag alone. Either bridge has to be dumb (with vlan-filtering=no) or wireless port has to be tagged port of same VLAN.
Of course decision stream can go in another direction: is bridge VLAN aware or not? If not, then the only solution is to get wireless interface tagging packets. If yes, then do we want to spread VLAN-related config in multiple places or do we want to keep it under /interface bridge?
And we didn’t even start to talk about CAPsMAN datapath settings
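The two tagging options discussed in the posts above, applied to the first post's layout (SSID1 to VLAN 10, SSID2 to VLAN 20, untagged management on ether1), as an added example that is not part of the original thread. The names bridge1, wlan1 and wlan2, the virtual AP for the second SSID and the SSID strings are assumptions; security profiles are omitted.

```routeros
# Constructed example (RouterOS v6.41+ bridge VLAN filtering).
# bridge1, wlan1, wlan2 and the SSIDs are assumed names, not from the thread.

# Two SSIDs: wlan1 is the physical radio, wlan2 a virtual AP on top of it.
/interface wireless
set wlan1 mode=ap-bridge ssid=SSID1 disabled=no
add name=wlan2 master-interface=wlan1 ssid=SSID2 disabled=no

# Create the bridge with filtering off so the session is not cut
# while the VLAN table is still incomplete.
/interface bridge
add name=bridge1 vlan-filtering=no

# --- Option A: the bridge tags (all VLAN config under /interface bridge) ---
# Frames arrive untagged from wireless and get the port's pvid on ingress.
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1 pvid=10
add bridge=bridge1 interface=wlan2 pvid=20

# ether1 is the trunk (tagged); each WLAN is untagged in exactly one VLAN.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=ether1 untagged=wlan1
add bridge=bridge1 vlan-ids=20 tagged=ether1 untagged=wlan2

# Management stays on untagged VLAN 1: ether1 and bridge1 keep the
# default pvid=1, so nothing is added for it here.

# Enable enforcement last. Until this is set, the bridge ignores the
# VLAN table and does not isolate the two SSIDs from each other.
/interface bridge
set bridge1 vlan-filtering=yes

# --- Option B (alternative to A, do not combine): the wireless tags ---
# The frame is tagged once by the wireless interface, so the bridge must
# leave it alone: WLAN ports keep the default pvid and are TAGGED members.
#
# /interface wireless
# set wlan1 vlan-mode=use-tag vlan-id=10
# set wlan2 vlan-mode=use-tag vlan-id=20
# /interface bridge port   (wlan1 and wlan2 added without pvid=)
# /interface bridge vlan
# add bridge=bridge1 vlan-ids=10 tagged=ether1,wlan1
# add bridge=bridge1 vlan-ids=20 tagged=ether1,wlan2
```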
Thanks MKX. I do have the second config. The problem was another brand device (Draytek router) that did not connect VLAN-tagged and same VLAN-untagged on the same interface properly.
My setup WAS complex … WAN and LAN both basically untagged streams … with a hAP ac2 on the WAN side cabling, that had to have an SSID of the LAN side as well.
And I started configuring with an Omnitik ac (for its switch chip only, using that HW), a RB260 switch, and a hAP ac2 on the WAN side, and a wAP ac on the LAN side.
WAN and LAN defined by the Draytek (RoaS). There are multiple LAN side VLAN’s (guest, iot, domotics, …)
Well starting Omnitik in switch method, learning the RB260 SwOS, and using the hAP ac2 in bridge method, all at the same time, was quite a challenging learning experience.
I do understand the “pvid” / “Default VLAN id” now, I think. The SwOS has a nice interface to test those switch VLAN properties fast. The untagged WAN and LAN, and the mix of WAN VLAN’s and LAN VLAN’s could be added on top, could all be handled by the RB260 only. And as the switch method is almost identical, the QCA8337 in the Omnitik could do it as well.
I enjoyed the 141 posts in http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Just weird. After cleaning up my experiment, (removing all VLAN settings in the Omnitik as I could eliminate that node from my VLAN network) my home network failed every two or 3 days. The Draytek router crashed and reported “fraggle attack”. Just by accident while looking in the Omnitik sitting idle, just connected with ether1, I saw its DHCP lease go from offered-bounded-error. Never seen that error before. Nothing in the log. The config was cleaned back to default (except for ether1 on the bridge, DHCP server removed and DHCP client on the bridge). Reboot, 10 min power off, nothing helped. Ultimately had to reset the configuration, and make the same simple changes again. All clear, network stable, DHCP lease bound for 5 days.
This VLAN stuff seems not to be cleaning up everything, if just removed manually. Is it? I have no explanation for the “fraggle attack” nor for the error of the DHCP leases. Don’t like hidden persistent parameters or configurations. ROS 6.47.4 related???
Yes, lots of ICMP, but the cleaned up Omnitik, with only one connection, must have caused that loop. It only stopped after the configuration reset of the Omnitik.
There was only all ethernet ports on bridge, no config in interface VLAN, bridge VLAN or switch, but I made quite some switch VLAN and bridge VLAN tests before, even combined bridge+switch VLAN.
I suspect you might be onto something here, i.e. configs not cleaning up properly. I suspect it is more a “Winbox” issue.
Was playing around with various configs re EoIP tunnel now in GNS 3 on CHR 6.45.9, had tunnel up, then made changes, tunnel down, then reverted the changes, tunnel stayed down.
Did an export of the config, copied to clipboard, reset chr in terminal, after restart pasted the exported config and tunnel came up immediately!!!
EDIT: This can be extremely dangerous bug!!!
EDIT2: I might have jumped to conclusion too quickly, my issue might have been FW connections have not timed out yet and restart of chr might have resolved the problem also, so ignore above
Good morning,
I am running into a very weird problem. I have set up my MikroTik router with 2 VLANs and I am using Port 2 to send the VLANs to another building through ethernet cable. In that building there is an unmanaged switch that distributes to 2 levels. In each of these levels, I have a TP-Link multi SSID AP (that deals with VLANs)… Please see picture attached.
When I configure the multi SSID AP with vlan 10 and vlan 100 and connect to vlan100 wirelessly everything works fine except I don’t see IoT devices connected to the unmanaged switch (NAS). If I replace in TP-Link multi SSID AP the vlan 100 number by vlan 1, I still get the same IP address and then I can see the NAS, printer …etc.
For wired clients plugged to the managed switch like my PC, everything works fine also, and it can ping the NAS also.
Here is my config if you can please have a look and tell me what I am doing wrong.
Many thanks