cAP ac Multiple SSID

Hi guys,
I'm new to Mikrotik; this week I received my first cAP ac APs. My goal is to run them as AP only; routing, DHCP and so on is done with a Draytek Vigor. I'd like to have multiple SSIDs with different VLANs.
What I've done so far:

  • Updated to 7.14
  • Installed wifi-qcom-ac package
  • created a bridge and bridged all ports
  • assigned an IP address to eth1
  • configured wifi1 and wifi2, works fine, can login and have access to the internet

Now I tried to create a second WIFI with a VLAN tag.
I read the RouterOS documentation and searched for videos and so on. I couldn't find any way to create a Virtual AP. All I could do was to create a new WIFI with, e.g., wifi1 as master. But when I tried to assign a VLAN ID I get the message “vlan-id configured, but interface does not support assigning vlans”.

After googling around I found it might work with creating a bridge and assigning a VLAN to the bridge. So I created a wifi3 with wifi1 as master (without VLAN ID). Then I created a bridge and tried to add the port wifi3 to the new bridge. But then I get the message “Couldn't add New Bridge Port - device already added as bridge port”.

In the Mikrotik documentation I found the following: “Virtual AP interface will only work if master interface is in ap-bridge, bridge, station or wds-slave mode.” What does that mean? In cAP ac I don't have the option ap-bridge, only ap.

Can anyone please push me in the right direction? Any help is appreciated. Thanks a lot!

Edit: corrected title typos

Check this tutorial, the “de facto” guide around here for everything vlan:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Part labeled: Access Point

Thanks for that - hadn’t come across it before. Experimenting and learning more about VLANS and that looks very useful.

Thanks for the link!

I had a look at it and used the RSC file as a template, but I struggle a little with the configuration of the VLANs.

At the moment I have in my home network only 1 VLAN. This is for some IoT stuff. Everything else in the network is running in the standard network without VLAN.
This means I only have one SSID with VLAN.

Do I need to configure a VLAN “BASE_VLAN” like in the example?

What I want is one SSID without VLAN, and one SSID with VLAN.

It's an excellent link if NOT using the capsman controller concept. Setting up the Capacs for the link above is easy and fast.

Setting up the off bridge access and doing the configuring from there is recommended.
Just put something like 192.168.36.3 into the ipv4 settings of your laptop and you are in…
Also ensure, if the capac is not readily accessible, to wire a second cable to a place that is accessible to make changes later if you cannot reach the unit via the router.

/interface bridge
add ingress-filtering=no name=bridgegym vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=emergaccess
/interface vlan
# mandatory: the management vlan must be identified in /interface vlan - do not put any other vlans here!!
add interface=bridgegym name=homeVlan vlan-id=12
/interface list
add name=management
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-Ce country=canada disabled=no frequency=5500 \
    mode=ap-bridge name=homeWLan security-profile=home_Security skip-dfs-channels=all ssid=NoPain-NoGain wireless-protocol=\
    802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=canada disabled=no frequency=2437 mode=ap-bridge \
    name=mediaWlan rate-set=configured security-profile=media_Security skip-dfs-channels=all ssid=Media \
    supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=yy.yy.yy.yy  master-interface=mediaWlan multicast-buffering=\
    disabled name=HVAC_WLAN security-profile=Cerv_key ssid=machine wds-cost-range=0 wds-default-cost=0 wmm-support=\
    enabled wps-mode=disabled
/interface bridge port
add bridge=bridgegym ingress-filtering=yes interface=ether1
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=homeWLan pvid=12
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=HVAC_WLAN pvid=49
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=mediaWlan pvid=40
/ip neighbor discovery-settings
set discover-interface-list=management
/interface bridge vlan
add bridge=bridgegym tagged=ether1,bridgegym untagged=homeWLan vlan-ids=12
add bridge=bridgegym tagged=ether1 untagged=mediaWlan vlan-ids=40
add bridge=bridgegym tagged=ether1 untagged=HVAC_WLAN vlan-ids=49
/interface list member
add interface=homeVlan list=management
add interface=emergaccess list=management
/ip address
add address=192.168.10.84/24 interface=homeVlan network=192.168.10.0  comment="IP of capac on trusted subnet"
add address=192.168.36.1/24 interface=emergaccess network=192.168.36.0 comment="ether2 access off bridge"
/ip dns
# Note: done so all dns requests use the trusted subnet
set allow-remote-requests=yes servers=192.168.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.10.1 comment="ensures route avail through trusted subnet gateway"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=x.x.x.x
set api disabled=yes
set api-ssl disabled=yes
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.10.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management

@anav: I read your post a couple of times, but I couldn't get any information out of it. Sorry for that, I assume that's my bad :laughing:

I continued testing, read the whole link and I think I got a clearer understanding.
Here is my situation.
I've got a Draytek Vigor Router. All used VLANs are managed on it, each with a separate DHCP. (VLANs also configured in Unifi Controller)
All the VLANs are tagged on Port 1 of the Router.
From there a connection goes to a Unifi Switch. The Switch Port Profile is set to “All”, for those who are familiar with Unifi (means it relays all VLAN tags afaik).
From this Switch I have a SFP connection to a Unifi POE Switch, both ports also have the Switch Port Profile “All”.
From this POE switch I have a connection to a CAP AC to Ether1.

Now I applied the configuration below. (I used VLAN ID 1 for management because this is the default Unifi ID for management LAN afaik)
As soon as I import the configuration (import was successful) I can not reach the AP anymore with Winbox. Also I can not see any SSIDs. I tried to assign my computer to the VLAN 17, but it still does not work.

Any idea what might go wrong?

# 1970-01-02 00:24:07 by RouterOS 7.14.1
# software id = Q3XX-5EBT
#
# model = RBcAPGi-5acD2nD
# serial number = HG209G78CJB

#######################################
# VLAN Overview
#######################################

# 17 = Home (mkthome)
# 98 = IoT (mktIoT)
# 99 = HomeOffice (mktHomeoffice)
# 1  = Base (MGMT) VLAN


#######################################
# WIFI Setup
#
#######################################

/interface wifi configuration
add country=Germany disabled=no mode=ap name=cfg_mkthome ssid=mkthome
add country=Germany disabled=no mode=ap name=cfg_mktIoT ssid=mktIoT
add country=Germany disabled=no mode=ap name=cfg_mktHomeoffice ssid=mktHomeoffice
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec_mkthome wps=\
    disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec_mktIoT wps=\
    disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec_mktHomeoffice wps=\
    disable
/interface wifi
set [ find default-name=wifi1 ] configuration=cfg_mkthome configuration.mode=\
    ap disabled=no security=sec_mkthome
set [ find default-name=wifi2 ] configuration=cfg_mkthome configuration.mode=\
    ap disabled=no security=sec_mkthome
add configuration=cfg_mktIoT configuration.mode=ap disabled=no mac-address=\
    D6:01:C3:13:82:6B master-interface=wifi1 name=wifi3 security=sec_mktIoT
add configuration=cfg_mktIoT configuration.mode=ap disabled=no mac-address=\
    D6:01:C3:13:82:6C master-interface=wifi2 name=wifi4 security=sec_mktIoT

add configuration=cfg_mktHomeoffice configuration.mode=ap disabled=no mac-address=\
    D6:01:C3:13:82:6D master-interface=wifi1 name=wifi5 security=sec_mktHomeoffice
add configuration=cfg_mktHomeoffice configuration.mode=ap disabled=no mac-address=\
    D6:01:C3:13:82:6E master-interface=wifi2 name=wifi6 security=sec_mktHomeoffice
	
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
#/ip address
/system identity
set name=MikroTik_AP1
/system note
set show-at-login=no

#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no


#######################################
#
# -- Access Ports --
#
# wifi1, wifi3, wifi5 = 2,4Ghz
# wifi2, wifi4, wifi6 = 5Ghz
#######################################

# ingress behavior
/interface bridge port

# mkthome, mktIot VLAN
#(192.168.17.x)
add bridge=BR1 interface=wifi1 pvid=17     
add bridge=BR1 interface=wifi2 pvid=17	 
# (192.168.98.x)
add bridge=BR1 interface=wifi3 pvid=98	
add bridge=BR1 interface=wifi4 pvid=98
# (192.168.99.x)
add bridge=BR1 interface=wifi5 pvid=99	
add bridge=BR1 interface=wifi6 pvid=99

# egress behavior, handled automatically


#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=ether1

# egress behavior
/interface bridge vlan

# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
add bridge=BR1 tagged=ether1     vlan-ids=17
add bridge=BR1 tagged=ether1     vlan-ids=98
add bridge=BR1 tagged=ether1     vlan-ids=99
# (192.168.0.x)
add bridge=BR1 tagged=BR1,ether1 vlan-ids=1			


#######################################
# IP Addressing & Routing
#######################################

# LAN facing AP's Private IP address on a BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=1
/ip address add address=192.168.0.200/24 interface=BASE_VLAN

# The Router's IP this AP will use
/ip route add distance=1 gateway=192.168.0.1


#######################################
# IP Services
#######################################

# We have a router that will handle this. Nothing to set here.
# Attach this AP to a router configured as shown under the "RoaS" example.


#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wifi1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wifi2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wifi3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wifi4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wifi5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wifi6]

# Only allow ingress packets WITH tags on Trunk Ports
/interface bridge port set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/interface list add name=BASE
/interface list member add interface=BASE_VLAN list=BASE
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes

The problem is using vlan1. Your management vlan is the subnet BASE.
All your smart devices should get their IP address from the BASE subnet.
No one wants to look at an article format; next time post your config as it appears for real
/export file=anynameyouwish ( minus router serial number and any public WANIP information )

If you look closely the referenced article does NOT use vlan1.

Ok, you're right… Changed it to vlan2

Regarding the config file, sorry, that's the way I've seen it in another post, so I assumed it's ok.
Here is my new config import file. Unfortunately I can not make an export as I can not reach my AP with this configuration.
But, independent from the vlan issues, I don't know why the AP doesn't send any SSIDs? Maybe there is something totally wrong in the config?

The config file is attached
mkt1_20240326.rsc (5.6 KB)

Now I tried a manual configuration; I set it up as described in the AccessPoint.rsc from the article above and adapted it to my needs (I did my very best :laughing: )

The good news:
The SSIDs are visible
Still available with Winbox

Bad news:
Can't connect to the SSIDs, probably no IP address from router…
I can't reach the device's IP 192.168.0.200

Probably still far away from a success :open_mouth:

Here is the current configuration I exported from the device
manualsettings.rsc (2.93 KB)

There is a help page for this, you know …

Capsman part
Cap part

https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-CAPsMAN-CAPVLANconfigurationexample:

Comparing my config to your config I can see two errors right away.

Hovle, should I report you to the UN for attempting to exterminate the newbie race by piling on crap when the solid foundation does not yet exist and furthermore a config that has errors which should be addressed first. If I was in charge you would be fired LOL.

Here is what i found:
In your config:
/interface bridge
add ingress-filtering=no name=bridgegym vlan-filtering=yes

I unchecked it now on my device in Winbox

In my config:
/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=17
add bridge=bridge1 tagged=ether1 vlan-ids=98
add bridge=bridge1 tagged=ether1 vlan-ids=99
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=2

The “bridge1” was missing here. That's because I tried to config it in Winbox and couldn't figure out how to add both bridge1 and ether1. I now added it in the config file, imported it and afterwards the SSIDs are gone again. I assume this causes a major fault in the configuration?

Another thing in my configuration:
/ip address
add address=192.168.0.200 interface=Base_VLAN network=192.168.0.200
Think should be 192.168.0.0…

Not bad!! Good work.
(1) Correct, the only thing to change on the bridge is the name, if you don't like bridge, and turning on vlan-filtering=yes
As I stated, I always assign ETHER2 an off bridge address to actually do the initial config and for emergency access to the CAP, in case the bridge blows up.

(2) Yes, ether1 is the TRUNK port to the main router, so this needs to be tagged with the Bridge as it's the management vlan,
I prefer to set the untagging manually so I can match visually my /interface bridge ports with /interface bridge vlan settings for a double check…

/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=17
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=17
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi3 pvid=98
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi4 pvid=98
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi5 pvid=99
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi6 pvid=99
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether1

/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=wifi1,wifi2 vlan-ids=17
add bridge=bridge1 tagged=ether1 untagged=wifi3,wifi4 vlan-ids=98
add bridge=bridge1 tagged=ether1 untagged=wifi5,wifi6 vlan-ids=99
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=2


(3) YES, needs adjustment
From:
add address=192.168.0.200 interface=Base_VLAN network=192.168.0.200

TO:
add address=192.168.0.200/24 interface=Base_VLAN network=192.168.0.0

(4) MISSING Entries

/interface list
add name=MGMT
/interface list member
add interface=Base_VLAN list=MGMT
add interface=ether2-access list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip dns
set allow-remote-requests=yes servers=192.168.0.1
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/ip address
add address=192.168.55.1/24 interface=ether2-access network=192.168.55.0
/interface ethernet
set [ find default-name=ether2 ] name=ether2-access

So, I fixed what you mentioned. The things under point (4) I adjusted to “emergaccess” where needed.

While importing I got the message
input does not match any value of allowed-interface-list
I played around a bit, but I guess this will not affect the overall functionality of my VLAN at the moment, so I focused on that.

So, what I found out is that I can not ping 192.168.0.1 and I can only connect to WIFI if I assign a static IP, but unfortunately no internet access.
I added the /ip dns entry but without effect.

I think there is still a piece missing in the puzzle. Attached is the current config.
Settings_20240327_01.rsc (3.75 KB)

(1) Since you changed emergaccess to 192.168.88.1 , you can get rid of this entry at the bottom.

/ip address
add address=192.168.55.1/24 interface=emergaccess network=192.168.55.0

(2) Everything else looks fine and thus I suspect we will have to see what is on the other side of ether1 ( where the problem seems to be pointing )

(3) protocol mode I would leave at STP ( on the bridge itself vice none )

Ahhh I see the issue… one of the config lines on /interface bridge ports is incorrect.
From:
/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=17
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=17
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi3 pvid=98
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi4 pvid=98
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi5 pvid=99
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi6 pvid=99

add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether1

TO:
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1
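
The mismatch found above (ether1 is a tagged member in /interface bridge vlan while its bridge port admits only untagged frames) can be checked mechanically. The following Python sketch is an added example, not part of the original post and not a MikroTik tool; the sample input is constructed from lines quoted in this thread, and it assumes one VLAN ID per `vlan-ids=` entry.

```python
import re

# Constructed sample: bridge sections as quoted in the thread, before the ether1 fix.
SAMPLE = """\
/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=17
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi3 pvid=98
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether1
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=wifi1 vlan-ids=17
add bridge=bridge1 tagged=ether1 untagged=wifi3 vlan-ids=98
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=2
"""

UNTAGGED_ONLY = "admit-only-untagged-and-priority-tagged"
TAGGED_ONLY = "admit-only-vlan-tagged"


def members(value):
    """Split a comma-separated interface list, ignoring empty items."""
    return {name for name in value.split(",") if name}


def parse_export(text):
    """Return (ports, vlans) from the bridge port and bridge vlan sections."""
    ports, vlans, section = {}, [], None
    text = re.sub(r"\\\n\s*", "", text)  # join lines wrapped with a trailing backslash
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = dict(re.findall(r"([\w.-]+)=(\S+)", line))
            if section == "/interface bridge port":
                ports[kv["interface"]] = (int(kv.get("pvid", 1)),  # default pvid is 1
                                          kv.get("frame-types", "admit-all"))
            elif section == "/interface bridge vlan":
                # Assumption: one VLAN ID per entry, as in the thread's configs.
                vlans.append((int(kv["vlan-ids"]), members(kv.get("tagged", "")),
                              members(kv.get("untagged", ""))))
    return ports, vlans


def lint(text):
    """List conflicts between bridge port settings and the bridge VLAN table."""
    ports, vlans = parse_export(text)
    findings = []
    for vid, tagged, untagged in vlans:
        for name in sorted(tagged & set(ports)):
            if ports[name][1] == UNTAGGED_ONLY:
                findings.append(f"{name}: tagged in VLAN {vid} but port admits only untagged frames")
        for name in sorted(untagged & set(ports)):
            pvid, frame_types = ports[name]
            if pvid != vid:
                findings.append(f"{name}: untagged in VLAN {vid} but pvid={pvid}")
            if frame_types == TAGGED_ONLY:
                findings.append(f"{name}: untagged in VLAN {vid} but port admits only tagged frames")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Run against the sample it reports ether1 once per VLAN it carries; with the corrected `frame-types=admit-only-vlan-tagged` line it reports nothing.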

Seems like we are almost there :slight_smile:

All my SSIDs are available and I get an IP from the DHCP of the router, internet access works.

Now I've still got one problem to solve. But that's probably a problem of my computer, or maybe the interface list?

My computer is on Network 192.168.0.xxx. I can ping the router with 192.168.0.1, but not the AP with 192.168.0.200. Also Winbox can't find the AP.
Any idea?

Anyway, thanks for your support! I really appreciate it! :slight_smile:

Latest config of both router and capac.

Here it comes. These are screenshots from the Draytek Router, I hope it's sufficient. All traffic goes through P1.
Bildschirmfoto 2024-03-27 um 12.22.56.png
Bildschirmfoto 2024-03-27 um 12.24.02.png
Settings_20240327_02.rsc (3.67 KB)

Well, it's hard to say since the draytek is not an MT device.
I am also not aware of the firewall rules on the draytek etc.
So winbox doesn't see the capac at all?

Did you try it by IP address in Winbox?
192.168.0.200:winboxPort#