caps and access router question

RouterOS General
1

I have this situation in a working network without vlans (ignore the text on the right top corner, that is the desired state)

In the router I have one the default bridge where both the ethernet ports as the hardware wireless interfacess are attached to. I also have a virtual access point on another subnet for guests, and I firewalled the lan bridge and the wifi subnet they are isolated. A few years later, I added the additional access point which is hanging from an access router placed in the attic, no guest virtual access point in the CAPS. No especial setting

I now want to properly segment the network with vlans, so my question is: in order to use the access point, do I need to connect it to a trunk port on the cisco access switch where all the necessary vlans I want to use?
So for my internet provider I have vlan6 for internet, and vlan4 for tv. I have another vlan for guest devices, and I have already tested (I have another mikrotik for testing when the family is not around, so I can switch the router) downstairs and that is working. If I connect the access point to the access point on with a trunk port on the switch, will it work? Apologies if this is a trivial question, but before I mess with the internet access of the teenagers, I need some confirmation :wink:.

Thanks in advance.
caps_access_switch.png

2

ok, no answers so far.

So I have this now (the cisco switch is out of the picture now, after an erase it will not come back online so I replaced it with a netgear GS105Ev2 I had somewhere).

This is my router export hide-sensitive:

[admin@MikroTik] > /export hide-sensitive 
# jan/20/2023 08:49:50 by RouterOS 6.49.7
# software id = 9J60-IJQN
#
# model = RouterBOARD 962UiGS-5HacT2HnT
/interface bridge
add name=br-vlan2
add arp=proxy-arp igmp-snooping=yes name=br-vlan4
add name=br-vlan5
add name=br-vlan6
add name=bridge-local
/interface wireless
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
/interface vlan
add interface=ether1 name=ether1.4 vlan-id=4
add interface=ether1 mtu=1508 name=ether1.6 vlan-id=6
add comment=mgmt interface=ether2 name=ether2.2 vlan-id=2
add interface=ether2 name=ether2.5 vlan-id=5
add comment=lan interface=ether2 name=ether2.6 vlan-id=6
add interface=ether5 name=ether5.2 vlan-id=2
add interface=ether5 name=ether5.4 vlan-id=4
add interface=ether5 name=ether5.5 vlan-id=5
add interface=ether5 name=ether5.6 vlan-id=6
/caps-man datapath
add bridge=br-vlan6 name=br-vlan6 vlan-id=6 vlan-mode=use-tag
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1.6 max-mru=1500 max-mtu=1500 name=pppoe-client use-peer-dns=yes user=\
    user@internet
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=lan
/caps-man configuration
add channel.band=5ghz-a/n/ac country=netherlands datapath=br-vlan6 distance=indoors installation=indoor mode=ap name=dd-wrt-5g \
    security=lan ssid=dd-wrt-5g-test
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=lan supplicant-identity=""
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=6E:3B:6B:1D:2C:57 master-interface=wlan1 multicast-buffering=disabled \
    name=kk-6-2g security-profile=lan ssid=kk-6-2g vlan-id=6 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=\
    disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-eeeC country=netherlands disabled=no frequency=auto \
    mode=ap-bridge name=kk-dd-wrtg-5 security-profile=lan ssid=dd-wrt-5g vlan-id=6 vlan-mode=use-tag
/interface vlan
add interface=kk-dd-wrtg-5 name=kk-dd-wrtg-5.6 vlan-id=6
/interface wireless
add keepalive-frames=disabled mac-address=6E:3B:6B:1D:2C:56 master-interface=kk-dd-wrtg-5 multicast-buffering=disabled name=\
    kk-6 security-profile=lan ssid=kk-6 vlan-id=6 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface vlan
add disabled=yes interface=kk-6 name=kk-6.6 vlan-id=6
/ip dhcp-client option
add code=60 name=option60-vendorclass value="'IPTV_RG'"
/ip dhcp-server option
add code=60 name=option60-vendorclass value="'IPTV_RG'"
add code=28 name=option28-broadcast value="'10.0.4.255'"
/ip dhcp-server option sets
add name=IPTV options=option60-vendorclass,option28-broadcast
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=10.0.2.20-10.0.2.254
add name=dhcp_pool2 ranges=10.0.4.2-10.0.4.254
add name=dhcp_pool3 ranges=10.0.6.2-10.0.6.254
add name=dhcp_pool4 ranges=10.0.5.2-10.0.5.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge-local name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=br-vlan2 name=dhcp2
add address-pool=dhcp_pool2 dhcp-option-set=IPTV disabled=no interface=br-vlan4 name=dhcp3
add address-pool=dhcp_pool3 disabled=no interface=br-vlan6 name=dhcp4
add address-pool=dhcp_pool4 disabled=no interface=br-vlan5 name=dhcp5
/ppp profile
set *0 only-one=yes use-compression=yes use-ipv6=no use-upnp=no
add name=default-ipv6 only-one=yes use-compression=yes use-upnp=no
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac,an master-configuration=dd-wrt-5g
add action=create-dynamic-enabled hw-supported-modes=b,gn
/interface bridge port
add bridge=bridge-local interface=ether3
add bridge=br-vlan2 interface=ether5.2
add bridge=br-vlan4 interface=ether5.4
add bridge=br-vlan2 interface=ether5
add bridge=br-vlan6 interface=ether5.6
add bridge=br-vlan5 interface=ether5.5
add bridge=br-vlan6 interface=kk-6
add bridge=br-vlan6 interface=kk-6-2g
add bridge=br-vlan6 interface=kk-6.6
add bridge=br-vlan6 interface=kk-dd-wrtg-5
add bridge=br-vlan6 interface=kk-dd-wrtg-5.6
add bridge=br-vlan2 interface=ether2.2
add bridge=br-vlan2 interface=ether2
add bridge=br-vlan6 interface=ether2.6
/ip address
add address=192.168.88.1/24 interface=bridge-local network=192.168.88.0
add address=10.0.2.1/24 interface=br-vlan2 network=10.0.2.0
add address=10.0.4.1/24 interface=br-vlan4 network=10.0.4.0
add address=10.0.6.1/24 interface=br-vlan6 network=10.0.6.0
add address=10.0.5.1/24 interface=br-vlan5 network=10.0.5.0
/ip dhcp-client
add default-route-distance=210 dhcp-options=option60-vendorclass disabled=no interface=ether1.4 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=10.0.2.254 lease-time=1d mac-address=34:98:B5:9F:94:EF server=dhcp2
/ip dhcp-server network
add address=10.0.2.0/24 gateway=10.0.2.1
add address=10.0.4.0/24 gateway=10.0.4.1
add address=10.0.5.0/24 dns-server=10.0.5.1 gateway=10.0.5.1
add address=10.0.6.0/24 gateway=10.0.6.1
add address=192.168.88.0/24 dns-server=8.8.8.8 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=0.0.0.0/8 comment=rfc8690 list=not_inet_routable
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input comment="iptv multicast vlan 1.4" in-interface=ether1.4 protocol=udp src-address=217.166.226.138 \
    src-port=49152
add action=drop chain=input in-interface=pppoe-client log=yes
add action=fasttrack-connection chain=forward connection-state=established,related
add action=drop chain=forward disabled=yes log=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="Needed for IPTV" dst-address=213.75.112.0/21 out-interface=ether1.4
add action=masquerade chain=srcnat comment="Needed for IPTV" dst-address=217.166.0.0/16 out-interface=ether1.4
add action=masquerade chain=srcnat out-interface=pppoe-client
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=ether1.4 upstream=yes
add interface=br-vlan4
/system clock
set time-zone-name=Europe/Amsterdam
/system logging
add disabled=yes topics=dhcp
add topics=wireless

On the netgear, I have a trunk port on interface one and the rest of the interfaces are untagged vlan6. I have connected the caps mikrotik on port 3 of the netgear, started on caps mode and I see it acquires an ip adress from the dhcp server listening on the br-vlan6 interface.

I can connect from the router to the access point using mac telnet.

On my mobile I see the new ssid dd-wrt-5g-test appear, and I can login with the password, but It does not get an ip address, giving up and using one of the apipa ones.

I am obviously missing something, but I cannot figure it out. Any help appreciated :slight_smile:

3

Is there a reason why you are not doing VLAN filtering on the bridge (instead of creating a bridge per vlan)?
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

4

hi,

well, every time I have tried that I have locked myself out of the router, so I basically have given up on that. Using these vlan settings is more understandable to me. Are there any undesirable side effects of configuring the vlans like this?

So I got it working by removing the vlan configuration on the datapath. The port is untagged, so it is not necessary to tag it on the datapath. And now it works, great speed.

5

HI oxtan,

The way to overcome the issues is to create an off bridge port to do all you configuring…
https://forum.mikrotik.com/viewtopic.php?t=181718

6

hi,

I added an input acl to allow connections from one ether port directly, so this is not an issue any more :wink:. I do miss a console port on this, for the rest, very nice applicances.