Everytime I apply vlan filtering the access point burps! Rude thing!
I can only imagine its something I did on the config (new install).
However it looks identical to another capac that worked just fine…
# sep/28/2020 16:27:26 by RouterOS 6.47.4
# model = RBcAPGi-5acD2nD
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge_Gym
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
/interface vlan
add interface=bridge_Gym name=Media_40 vlan-id=40
add interface=bridge_Gym name=homevlan vlan-id=11
/interface list
add name=WAN
add name=LAN
add name=capwin
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=\
dynamic-keys name=MediaSecurity supplicant-identity=""
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=\
dynamic-keys name=homewifi supplicant-identity=""
/interface wireless
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-n/ac channel-width=\
20/40mhz-Ce country=canada disabled=no distance=indoors frequency=auto \
mode=ap-bridge name=HomeWIFI_bsmt security-profile=homewifi ssid=GymWIFI \
station-roaming=enabled wireless-protocol=802.11 wmm-support=enabled \
wps-mode=disabled
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-g/n country=canada \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge name=MediaDevices security-profile=MediaSecurity ssid=Media \
station-roaming=enabled wireless-protocol=802.11 wmm-support=enabled \
wps-mode=disabled
/interface bridge port
add bridge=bridge_Gym comment=defconf frame-types=admit-only-vlan-tagged \
ingress-filtering=yes interface=ether1
add bridge=bridge_Gym comment=defconf interface=ether2
add bridge=bridge_Gym comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=MediaDevices pvid=40
add bridge=bridge_Gym comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=HomeWIFI_bsmt pvid=11
/ip neighbor discovery-settings
set discover-interface-list=capwin
/ip settings
set rp-filter=loose
/interface bridge vlan
add bridge=bridge_Gym tagged=ether1 untagged=MediaDevices vlan-ids=40
add bridge=bridge_Gym tagged=bridge_Gym,ether1 untagged=HomeWIFI_bsmt \
vlan-ids=11
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=HomeWIFI_bsmt list=LAN
add interface=MediaDevices list=LAN
add interface=homevlan list=capwin
add interface=homevlan list=LAN
/ip address
add address=192.168.5.yy interface=homevlan network=192.168.5.0
/ip dhcp-client
add comment=defconf disabled=no interface=bridge_Gym
/ip dns
set servers=192.168.5.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=
set api disabled=yes
set winbox port=
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Halifax
/system identity
set name="MikroTik Gym"
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
Can you please start by describing how you want your cap to function?
I’m puzzled with some of the choices you made. And perhaps you can also upgrade RouterOS/firmware?
Is there something different with the switch port the new ap is connected to?
Nothing obvious stands out to me, so I would personally check the switch next. I have a basic config I push to all of my cap acs - but it is meant for use by capsman. It uses a dhcp client on the bridge(which is untagged) and will tag ether2 for a specific vlan, different than the wifi mgmt vlan.
/interface bridge
add admin-mac= auto-mac=no name=bridge1 priority=0x9000 \
pvid=70 vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface vlan
add interface=bridge1 name=vlan70 vlan-id=70
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=70
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
interface=ether2 pvid=500
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=500
add bridge=bridge1 tagged=ether1 untagged=bridge1 vlan-ids=70
/interface wireless cap
#
set bridge=bridge1 caps-man-names=lab,CHR,Wiring-Closet \
discovery-interfaces=vlan70 enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
add disabled=no interface=bridge1
/system clock
set time-zone-name=America/Chicago
/system identity
set name=N-AP
/system leds settings
set all-leds-off=after-1min
/system ntp client
set enabled=yes server-dns-names=pool.ntp.org
Hi Erlinden, my setup is exactly as described in pcunites excellent thread. Where does it differ?
The main point is that the managment vlan in this case is vlan11, which also happens to be use for one of the WIFI networks 5AC.
The other WIFI network 2ghz using vlan 40
Hi Biomesh, your setup doesnt seem to reflect a capac, well to be accurate, I turned ether2 off on my capac, not used and thus bares little resemblance to your setup.
As for ether1, in the article described pcunite, this does NOT get assigned a pvid, it retains the default pvid=1, the only changes to ether1 (incoming from managed switch) is that its considered a trunk port with ingress filtering ON, and only vlans allowed.’
(thus I find the assignment of pvid=70 for ether 1 very strange indeed.)
Vlan 70 is my wifi management vlan. I don’t use vlan interfaces as my bridge address uses dhcp and I set the bridge pvid ( to 70). My dynamic vlan from capsman is added to the config once provisioned. I don’t use vlan 1 in my network at all.
This is indeed for cap ac as this config is running on five devices. The only thing I change outside of capsman is the admin Mac and the identity.
I also just tested enabling ingress-filtering=yes on all of my “static” interfaces: bridge, ether1 and ether2 and did not have any issues. I am the only one who configures my network, so I make sure the vlan config matches between the switch and the cap. The ingress-filtering would only impact my config if I were expecting other vlans to pass to/through the cap but I didn’t have the vlan specified in the bridge vlan table.
I see where at one point I had a vlan interface - I must have been testing something on that cap - my other caps don’t have that interface. Here is a better example. I set the pvid of ether1 to 70 to match the bridge where I actually have vlan 70 tagged on ether1 to avoid a ghost vlan1 since I allow both tagged and untagged packets. This prevents any vlan1 packets.
# sep/30/2020 08:31:43 by RouterOS 6.47.4
# model = RBcAPGi-5acD2nD
/interface bridge
add admin-mac= auto-mac=no name=bridge1 priority=0x9000 pvid=70 vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2462/20/gn(8dBm), SSID: XXXX, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik station-roaming=enabled
# managed by CAPsMAN
# channel: 5200/20/ac(13dBm), SSID: XXXX, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik station-roaming=enabled
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=70
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=500
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=500
add bridge=bridge1 tagged=ether1 untagged=bridge1 vlan-ids=70
/interface wireless cap
#
set bridge=bridge1 caps-man-names=lab,CHR,Wiring-Closet discovery-interfaces=bridge1 enabled=yes interfaces=\
wlan1,wlan2
/ip dhcp-client
add disabled=no interface=bridge1
/system clock
set time-zone-name=America/Chicago
/system identity
set name=Upstairs-AP
/system leds settings
set all-leds-off=after-1min
/system ntp client
set enabled=yes server-dns-names=pool.ntp.org
That thread has examples. You can configure your devices many ways. My management vlan is 70 - I have the bridge set to untagged, so it will be vlan70 (as in the pvid=70 on the bridge). This is so I don’t need to create vlan interfaces that will tag the traffic for me. It keeps the config a bit simpler IMO. Nothing directly references ether1, so while I have it tagged, it could be untagged as well - the bridge in the case is the primary mgmt interface. On my switch I have vlan 70 on that port as the pvid and it tags the mgmt traffic. I guarantee you this works, as I also have a similar config on my CRS devices with regards to management VLANs.
Again, I don’t want vlan1 in my network, so I always change any pvid value to something other than 1 so I can control what is being handled.
Got it thanks!!
I managed to muddle through the capac going pouff, by playing with protocol on the bridge from RSTP to none and back.
Anyway all up and working now. The Safe mode seems to get in teh way of updating the device in these circumstances.