cAP ax - Multiple SSID + VLAN - No CAPsMAN - No DHCP

Hello.

Intro:
First time poster. I’m fairly new to Mikrotik and while I’ve been in engineering my entire career, I’m still pretty green in the networking area (learning as fast as I can!).

Goal:
I am looking to set up a new cAP ax so that it properly tags traffic from specific SSID interfaces for separate VLANs.

Context:
I’ve tried to set this up without asking for help for the last couple of days. I think that I’m pretty close. But, am taking a wrong turn at some point and each night I have to restore to a working backup. There are many links with information about something close to the goal. But, most of them either propose using DHCP on the AP or go into discussions about using CAPsMAN. So, they don’t quite match my needs.

I don’t want to use CAPsMAN because currently I only have one AP and it’s a home office setting. I feel that CAPsMAN would just add a layer of configuration that I don’t really need to manage the hardware I have. I also don’t want to use DHCP on the AP because I already have a router for that work.

Hardware:
switch0: CRS326-24G-2S+RM
router0: RB5009UPr+S+IN
wap0: cAP ax

There is some other hardware, but none that is relevant to the issue.

Topology:
I already have an SFP trunk working between switch0 and router0. VLANs are working as expected between those two devices.

wap0 is plugged into switch0. The switch is configured to treat that connection as a trunk the same way it is configured for the connection to the router.

However, wap0 is currently configured (misconfigured) to send all direct wifi traffic back to the switch. So, it all just receives IP connections on the same range as the wap0 connection.

That all works in terms of getting internet to connected devices. But, I want to take the next step and divide the wap0 traffic into VLANs depending on which SSID is used.

I THINK that my mistake is in over-configuring it so that some kind of conflict is created between tagging and untagging packets.

Can someone please point me in the right direction on how to achieve my goal? Please let me know if I need to send further info to be helped.

Thank you in advance for any help!

With legacy wireless, adding the CAPsMAN layer does indeed make things more complex.
Not so much with the wave2 drivers (95% is exactly the same), but you are correct that for one AP it’s not worth the extra effort.

A small drawing with your intended setup adding how VLANs should flow might help.
And of course config for AP as it is now. We may have to look as well into switch and/or router but let’s start with AP.

Reading material for reference (AP section):
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/4

You may want to cross-check your router and switch setup as well against the material in that referenced thread (it is the de facto “VLAN on ROS” bible around here).

The first thing I would do is take ether2 off the bridge, give it a unique IP address, add it to the trusted interface list, and then plug a laptop into ether2 with 192.168.56.2 set in its IPv4 settings and do all the config from there, a safe spot.
example:

# model = MTwifi
/interface bridge
add auto-mac=no comment=defconf ingress-filtering=no name=bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=ether2-access
/interface vlan
add interface=bridge name=vlan11 vlan-id=11 comment="management or trusted vlan from RB5009"
/interface list
add name=MGMT
/interface wifi channel
add band=5ghz-ax disabled=no frequency=5500 name=channel5 width=20/40/80mhz
add band=2ghz-ax disabled=no frequency=2412 name=channel2 width=20/40mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0/1 disable-pmkid=yes disabled=no encryption=ccmp,gcmp,ccmp-256,gcmp-256 ft=yes ft-over-ds=yes name=2WIFI
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0/1 disable-pmkid=yes disabled=no encryption=ccmp,gcmp,ccmp-256,gcmp-256 ft=yes ft-over-ds=yes name=5WIFI
/interface wifi configuration
# profile names are case-sensitive: the 5 GHz profile is 5WIFI, not 5wifi
add channel=channel5 channel.band=5ghz-ax .frequency=5220 .width=20/40/80mhz country=Canada disabled=no mode=ap name=Config5 security=5WIFI security.authentication-types=wpa2-psk,wpa3-psk .disable-pmkid=yes .encryption=ccmp,gcmp,ccmp-256,gcmp-256 .ft=no ssid=Fast-stream
add channel=channel2 channel.band=2ghz-ax .frequency=2412 .width=20/40mhz country=Canada disabled=no mode=ap name=config2 security=2WIFI security.authentication-types=wpa2-psk,wpa3-psk .disable-pmkid=yes .encryption=ccmp,gcmp,ccmp-256,gcmp-256 .ft=no ssid=LongRange-stream
/interface wifi
# wifi1 is the 5 GHz radio (Config5 / 5WIFI), wifi2 is the 2.4 GHz radio (config2 / 2WIFI)
set [ find default-name=wifi1 ] channel=channel5 channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration=Config5 configuration.mode=ap disabled=no security=5WIFI security.authentication-types=wpa2-psk .encryption=ccmp .ft=no
set [ find default-name=wifi2 ] channel=channel2 channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration=config2 configuration.mode=ap disabled=no security=2WIFI security.authentication-types=wpa2-psk .encryption=ccmp .ft=no
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="trunk from RB5009"
# each SSID interface must be a bridge port; its pvid puts the untagged client traffic into that VLAN
add bridge=bridge interface=wifi1 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="HomeLAN clients -> vlan 10"
add bridge=bridge interface=wifi2 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="GuestLAN clients -> vlan 20"
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=11 comment="trusted subnet"
# the key in this table is vlan-ids, not vlan-id
add bridge=bridge tagged=ether1 untagged=wifi1 vlan-ids=10 comment="HomeLAN 5Ghz"
add bridge=bridge tagged=ether1 untagged=wifi2 vlan-ids=20 comment="GuestLAN 2Ghz"
/interface list member
add interface=vlan11 list=MGMT
add interface=ether2-access list=MGMT
/ip address
add address=192.168.56.1/30 interface=ether2-access network=192.168.56.0
add address=192.168.11.5/24 interface=vlan11 network=192.168.11.0 comment="vlan IP address on trusted subnet"
/ip dns
set servers=192.168.11.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.11.1 routing-table=main
/system clock
set time-zone-name=America/Halifax
/system logging
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.11.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
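The slips that typically cost an evening and a restore on this kind of setup are small and silent: a profile name with the wrong case, an SSID interface that is named in the bridge VLAN table but never added as a bridge port, a pvid that does not match the VLAN the port is untagged in, or `vlan-id=` typed where the bridge vlan table wants `vlan-ids=`. The checker below is an added example, not code from this thread or from MikroTik; it assumes the plain `/path` followed by `add`/`set key=value` export format shown above, and the two embedded exports are constructed samples (the broken one reproduces exactly those slips, the fixed one corrects them).

```python
"""Lint a RouterOS export for the slips that break SSID-to-VLAN tagging.

Added example (not MikroTik's code). It reads the '/path' + 'add|set key=value'
export format used in this thread and reports:
  * /interface bridge vlan rows that use vlan-id instead of vlan-ids
  * interfaces listed tagged/untagged in a VLAN row but absent from the bridge port table
  * untagged ports whose pvid differs from the VLAN they are untagged in
  * security=/channel=/configuration= references with no matching profile name
    (RouterOS names are case-sensitive, so 5wifi does not match 5WIFI)
"""
import shlex

BRIDGE_PORT = "/interface bridge port"
BRIDGE_VLAN = "/interface bridge vlan"
# attribute used as a reference -> section whose name= values it must match
PROFILE_SECTIONS = {
    "security": "/interface wifi security",
    "channel": "/interface wifi channel",
    "configuration": "/interface wifi configuration",
}


def parse_export(text):
    """Yield (section, {key: value}) for every add/set line of an export."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        kv = {}
        for tok in shlex.split(line):  # shlex keeps comment="a b c" as one token
            if "=" in tok:
                key, value = tok.split("=", 1)
                kv[key] = value
        yield section, kv


def check_export(text):
    """Return a list of findings; an empty list means the export is consistent."""
    entries = list(parse_export(text))
    bridges = {kv["name"] for s, kv in entries if s == "/interface bridge" and "name" in kv}
    ports = {kv["interface"]: kv.get("pvid", "1")  # pvid defaults to 1 on a bridge port
             for s, kv in entries if s == BRIDGE_PORT and "interface" in kv}
    defined = {attr: {kv["name"] for s, kv in entries if s == sec and "name" in kv}
               for attr, sec in PROFILE_SECTIONS.items()}
    findings = []
    for section, kv in entries:
        if section == BRIDGE_VLAN:
            if "vlan-id" in kv:
                findings.append(f"bridge vlan row {kv['vlan-id']}: key must be vlan-ids, not vlan-id")
            vid = kv.get("vlan-ids", kv.get("vlan-id", "?"))
            for role in ("tagged", "untagged"):
                for iface in filter(None, kv.get(role, "").split(",")):
                    if iface in bridges:
                        continue  # the bridge itself is tagged so the CPU can reach the VLAN
                    if iface not in ports:
                        findings.append(f"{iface} is {role} in vlan {vid} but is not a bridge port")
                    elif role == "untagged" and ports[iface] != vid:
                        findings.append(f"{iface} is untagged in vlan {vid} but its pvid is {ports[iface]}")
        elif section in ("/interface wifi", "/interface wifi configuration"):
            for attr, names in defined.items():
                ref = kv.get(attr)
                if ref is not None and ref not in names:
                    findings.append(f"{section}: {attr}={ref} matches no defined {attr} (case-sensitive)")
    return findings


# Constructed sample that reproduces the slips discussed above: a lowercase
# profile name, wifi1 missing from the bridge port table, and vlan-id= in a vlan row.
BROKEN_EXPORT = """
/interface bridge
add name=bridge vlan-filtering=yes
/interface wifi security
add name=5WIFI authentication-types=wpa2-psk,wpa3-psk
/interface wifi channel
add name=channel5 band=5ghz-ax
/interface wifi configuration
add name=Config5 channel=channel5 security=5wifi ssid=Fast-stream
/interface wifi
set [ find default-name=wifi1 ] configuration=Config5 security=5WIFI
/interface bridge port
add bridge=bridge interface=ether1 frame-types=admit-only-vlan-tagged comment="trunk from RB5009"
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=11
add bridge=bridge tagged=ether1 untagged=wifi1 vlan-id=10
"""

# The same constructed export with the three slips corrected.
FIXED_EXPORT = (BROKEN_EXPORT
                .replace("security=5wifi", "security=5WIFI")
                .replace("vlan-id=10", "vlan-ids=10")
                .replace("/interface bridge vlan",
                         "add bridge=bridge interface=wifi1 pvid=10\n/interface bridge vlan"))

if __name__ == "__main__":
    for label, export in (("broken", BROKEN_EXPORT), ("fixed", FIXED_EXPORT)):
        print(f"{label}: {check_export(export) or ['no findings']}")
```

Run it against `/export` output copied from the AP before you apply a change; it only parses the text, so it is safe to use on a config you have not committed yet. The check is deliberately limited to what the bridge VLAN table and the wifi profile references say about each other; it does not validate that the switch end of the trunk carries the same VLAN ids, which is the next thing to compare by hand.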