Sorry for not having configuration available right now…
An access point is connected to a switch via tagged vlans trunk: Office Vlan 10, Guest Vlan 20 and Management Vlan 99
AP has a classic bridge with vlan filtering.
Ethernet and Bridge itself are declared as tagged Vlan ports (for 10, 20 and 99)
Wlan1 is declared as untagged port for Vlan10
Virtual Wlan2 is declared as untagged port for Vlan 20
Wlan1 clients correctly use Vlan10 addresses
Wlan2 clients correctly use Vlan20 addresses
Problem: If I assign a specific IP address for management bound to bridge or to ethernet, I CANNOT reach AP for management on tagged Vlan 99
If I create an interface Vlan with id 99 with its own ip address and associate it as UNTAGGED Vlan 99 port to bridge, I CAN reach AP for management on that ip address.
Why can't I simply assign the management IP address to the bridge or ethernet interface?
Where am I wrong?
In a switch scenario.
One should normally only identify the management vlan!
This vlan in /interface bridge vlans is the ONLY vlan-id that requires the bridge to be tagged, the rest are tagged on etherX and go out etherY or WLAN1/WLAN2 etc..
This vlan's address is the address of the switch for management purposes.
For interface list simply one TRUSTED
membership is management vlan interface.
Ensure the following
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
and don't forget
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
I also usually take a port off the bridge, assign it an address and do all configuring from that port. If interested, let me know.
AP actually works this way :
/interface bridge
add ingress-filtering=no name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1 pvid=10
add bridge=bridge1 interface=wlan3 pvid=30
add bridge=bridge1 interface=wlan4 pvid=40
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 untagged=wlan1 vlan-ids=10
add bridge=bridge1 tagged=ether1,bridge1 untagged=wlan3 vlan-ids=30
add bridge=bridge1 tagged=ether1,bridge1 untagged=wlan4 vlan-ids=40
AP ether1 is of course connected to a switch ethernet port carrying the trunk of tagged vlans.
Multiple switches (running swos) are interconnected same way carrying vlan99 for devices management (all working fine now).
I want to add vlan99 to the AP to manage the AP itself.
I thought just adding an IP address of the vlan99 subnet to eth1 or bridge1 with a tagged vlan99 membership would do the trick, but it doesn't work:
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
Where am I wrong?
Anyway, I solved it by adding a Vlan interface with id=99 and its related IP address, as member of bridge:
/interface vlan
add interface=bridge1 name=vlan99 vlan-id=99
/ip address
add address=192.168.99.101/24 interface=vlan99 network=192.168.99.0
/interface bridge
add ingress-filtering=no name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1 pvid=10
add bridge=bridge1 interface=wlan3 pvid=30
add bridge=bridge1 interface=wlan4 pvid=40
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 untagged=wlan1 vlan-ids=10
add bridge=bridge1 tagged=ether1,bridge1 untagged=wlan3 vlan-ids=30
add bridge=bridge1 tagged=ether1,bridge1 untagged=wlan4 vlan-ids=40
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
Although it works, I don't know if it is the right/usual way to do it.
ANAV: I read your posts in http://forum.mikrotik.com/t/beginner-vlan-questions/182851/1
Why should I involve /tool mac-server and various address-lists?
My goal is to reach Access Point on management Vlan across switches tagged vlans trunks.
However, playing around, I realized there is no need for the Vlan interface to be added as a bridge port, nor to be declared as tagged in /interface bridge vlan, as
/interface vlan
add interface=bridge1 name=vlan99 vlan-id=99
meets both requirements (unless you enable vlan filtering on bridge).
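A configuration check for the management-VLAN setup discussed in this thread, added here as an example and not posted by any participant: it reads a RouterOS export and reports what is missing for the device to be reachable on a tagged management VLAN when bridge VLAN filtering is on. The function names and the sample export are constructed for illustration; it assumes one entry per line and no ranges in vlan-ids.

```python
import re

# Constructed sample export, modelled on the configuration posted in this thread.
SAMPLE_EXPORT = """\
/interface bridge
add ingress-filtering=no name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan99 vlan-id=99
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 untagged=wlan1 vlan-ids=10
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
/ip address
add address=192.168.99.101/24 interface=vlan99 network=192.168.99.0
"""

def parse_export(text):
    """Group 'add'/'set' lines under their menu path as key=value dicts."""
    menus, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif path and line.split(" ", 1)[0] in ("add", "set"):
            menus.setdefault(path, []).append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return menus

def audit_mgmt_vlan(text, bridge, vlan_id):
    """Return a list of problems that keep the device unreachable on the tagged management VLAN."""
    m, vid, problems = parse_export(text), str(vlan_id), []
    # 1. The bridge itself must be a tagged member of the VLAN so frames reach the CPU.
    rows = [r for r in m.get("/interface bridge vlan", [])
            if r.get("bridge") == bridge and vid in r.get("vlan-ids", "").split(",")]
    if not any(bridge in r.get("tagged", "").split(",") for r in rows):
        problems.append(f"{bridge} is not a tagged member of VLAN {vid}")
    # 2. A VLAN interface on the bridge strips the tag and gives layer 3 an attachment point.
    vifs = [r["name"] for r in m.get("/interface vlan", [])
            if r.get("interface") == bridge and r.get("vlan-id") == vid and "name" in r]
    if not vifs:
        problems.append(f"no /interface vlan with vlan-id={vid} on {bridge}")
    # 3. The management address must sit on that VLAN interface, not on the bridge or a port.
    if not any(a.get("interface") in vifs for a in m.get("/ip address", [])):
        problems.append(f"no IP address bound to a VLAN {vid} interface")
    return problems

if __name__ == "__main__":
    print(audit_mgmt_vlan(SAMPLE_EXPORT, "bridge1", 99) or "management VLAN OK")
```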