Bridges and VLANs

Greetings. There’s a task which I can’t solve (I’m quite new to MikroTiks). Initial data:
1. RouterOS 6.43
2. Mikrotik router (if it’s important test router is RB951Ui-2Hnd but task would be implemented on RB3011UiAS and others);
3. AP (not MikroTik - test AP is D-Link DAP-2360 but task would be implemented on HP VM200 and others);
4. 3 bridges - br1 (main LAN - eth2, eth3), br2 (Wi-Fi for employee’s phones, tablets, etc. - no ethernet ports assigned), br3 (guest Wi-Fi without access to br1 and br2 - no ethernet ports assigned). All bridges have different DHCP servers and pool IPs (e.g. br1 - 192.168.100.x; br2 - 192.168.15.x; br3 - 192.168.16.x);
5. At AP there’re 3 VLANs (for each SSID) - 1 (default - should be assigned to br1), 4 (for guest Wi-Fi - should be assigned to br3), 5 (for employee’s Wi-Fi - should be assigned to br2);
6. AP is connected to eth3

How would I configure MikroTik to solve this task? I’ve tried many ways but because of lack of knowledge in MikroTiks I can’t solve this task on my own :frowning:

P.S. If the APs were MikroTiks there wouldn’t be any difficulties - with CAPsMAN (all equipment was MikroTik) I solved this task a few times and everything works great.

There’s no need to use 3 bridges, you can do it with single bridge. The logical hierarchy in mikrotik is something like this:

physical interfaces (ether, wifi, ...) <---> bridge <---> logical interfaces, such as VLAN interfaces

If you’re dealing with VLANs, then you configure them on bridge.

So the setup would be roughly as follows:

  1. add all ether ports to single bridge, with setting PVID to each port:
/interface bridge port
add bridge=bridge interface=ether2 pvid=1
add bridge=bridge interface=ether3 pvid=1
  2. configure VLANs to ports on bridge.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=4
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=5
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=1

(I’m not sure about the last one, I’m not using “native” VLANs on my VLAN-infested devices, I always tag them explicitly to some “normal” VLAN ID).
  3. create needed VLAN interfaces.

/interface vlan
add interface=bridge name=vlan-guestWiFi vlan-id=4
add interface=bridge name=vlan-employeeWiFi vlan-id=5
add interface=bridge name=vlan-default vlan-id=1

(Again I’m not sure about the last one.)
  4. configure whatever you wanted to configure on dedicated bridges on vlan interfaces. If the last lines in previous two bullets are needed, then you absolutely must configure IP address on the vlan-default interfaces so that you will have access to the router

/ip address
add address=<router IP address>/<subnet mask> interface=vlan-default

If the last two lines mentioned above are not necessary, then you don’t have to change current settings (assuming IP address and the services are bound to bridge “interface”).
For the rest of subnets, you do it something like this:

/ip address
add address=<router IP address in guest Wifi subnet>/<subnet mask> interface=vlan-guestWiFi
/ip dhcp-server
add address-pool=<pool for guestWiFi> interface=vlan-guestWiFi name=dhcp-guestWiFi
  5. Add firewall according to your needs…
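
An added example, not part of the original reply: one way to fill in the firewall step for the question's requirement that guest Wi-Fi has no access to the main LAN or the employee Wi-Fi. It uses the reply's interface name vlan-guestWiFi and the question's example subnets, and assumes the router answers DNS for guests.

```routeros
# Added example, not from the thread. Interface name vlan-guestWiFi is the
# reply's; subnets are the question's example ranges (192.168.100.x main LAN,
# 192.168.15.x employee Wi-Fi). Adjust to the real addressing.

/ip firewall filter
# Forwarded traffic: allow replies, then block guest-initiated traffic
# towards the internal subnets. Matching on dst-address works whether the
# main LAN is addressed on the bridge itself or on a vlan-default interface.
add chain=forward action=accept connection-state=established,related comment="allow replies"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop in-interface=vlan-guestWiFi dst-address=192.168.100.0/24 comment="guest to main LAN"
add chain=forward action=drop in-interface=vlan-guestWiFi dst-address=192.168.15.0/24 comment="guest to employee Wi-Fi"

# Traffic to the router itself: guests get DHCP and DNS (assumption: the
# router is their resolver) and nothing else, so the management services
# are not reachable from the guest VLAN on any of the router's addresses.
add chain=input action=accept connection-state=established,related comment="allow replies"
add chain=input action=accept in-interface=vlan-guestWiFi protocol=udp dst-port=67 comment="guest DHCP"
add chain=input action=accept in-interface=vlan-guestWiFi protocol=udp dst-port=53 comment="guest DNS"
add chain=input action=accept in-interface=vlan-guestWiFi protocol=tcp dst-port=53 comment="guest DNS"
add chain=input action=drop in-interface=vlan-guestWiFi comment="guest to router"
```

`add` appends to the end of each chain, so on a router that already has filter rules, check the order with `/ip firewall filter print` and move these ahead of any broader accept rule.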