I’ve configured my Mikrotik with 2 active VLANs: the main VLAN (ID=10) and the guest VLAN (ID=20).
Ether1 is connected to the WAN and Ether2 is connected to a Cisco AP in autonomous mode.
On the Mikrotik everything is working perfectly.
The Cisco AP has a static IP (within the main VLAN range) and its gateway points to that of the main VLAN. The Cisco replicates the SSIDs of the Mikrotik with identical VLAN IDs.
My problem is that I am able to connect to the internet via the main VLAN (ID=10), but not via the guest VLAN (ID=20). The device connects but is not able to get out to the internet.
I am posting my configs below. Thank you for any guidance in resolving the problem.
Cisco
!
! Last configuration change at 22:11:53 +0100 Mon Jan 25 2021 by admin
! NVRAM config last updated at 22:11:53 +0100 Mon Jan 25 2021 by admin
! NVRAM config last updated at 22:11:53 +0100 Mon Jan 25 2021 by admin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CISCO-AP
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
clock timezone +0100 1 0
no ip source-route
no ip cef
ip name-server 192.168.0.1
!
!
!
!
dot11 pause-time 100
dot11 syslog
dot11 vlan-name GUEST_VLAN vlan 20
dot11 vlan-name SOHO_VLAN vlan 10
!
dot11 ssid SOHO-AP
vlan 10
authentication open
authentication key-management wpa version 2
wpa-psk ascii 7 ********************************8
!
dot11 ssid GUEST-AP
vlan 20
authentication open
authentication key-management wpa version 2
wpa-psk ascii 7 ******************************
!
!
!
no ipv6 cef
!
!
username admin privilege 15 secret 5 *********************
username administrator privilege 15 password 7 ******************************8
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm
!
encryption vlan 10 mode ciphers aes-ccm
!
encryption vlan 20 mode ciphers aes-ccm
!
ssid SOHO-AP
!
ssid GUEST-AP
!
antenna gain 0
stbc
beamform ofdm
mbssid
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
station-role root
no dot11 extension aironet
!
interface Dot11Radio0.10
encapsulation dot1Q 10 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface Dot11Radio1
no ip address
!
encryption mode ciphers aes-ccm
!
encryption vlan 10 mode ciphers aes-ccm
!
encryption vlan 20 mode ciphers aes-ccm
!
ssid SOHO-AP
!
ssid GUEST-AP
!
antenna gain 0
peakdetect
no dfs band block
stbc
beamform ofdm
mbssid
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
packet retries 128 drop-packet
channel dfs
station-role root
no dot11 extension aironet
!
interface Dot11Radio1.10
encapsulation dot1Q 10 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0.10
encapsulation dot1Q 10 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 spanning-disabled
no bridge-group 20 source-learning
!
interface BVI1
mac-address xxxx.yyyy.zzzz
ip address 192.168.16.252 255.255.255.0
ipv6 address dhcp
ipv6 address autoconfig
!
ip default-gateway 192.168.16.1
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http timeout-policy idle 120 life 300 requests 200
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
no cdp run
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
transport input all
!
sntp server pool.ntp.org
sntp broadcast client
end
Why are you using this proxy setting thingy…?
add arp=proxy-arp interface=BR1 name=SOHO_VLAN vlan-id=10
Incomplete setup - I see a VLAN interface and address for base but that's it!
Don't see a pool for vlan99.
Don't see a DHCP server.
Don't see a DHCP server network.
So you have three WLANs per radio on the Mikrotik router:
a SOHO (main WLAN), and two virtual WLANs, base and Guest-AP,
assuming 3 VLANs are applicable.
Without an active base VLAN the Cisco has no valid management IP address??
Your bridge port setup is strange.
All Wi-Fi connections are access ports and thus we should see this for wlan1 and wlan2 as well.
In addition it appears ether ports 3 and 4 are both SOHO to PCs or other non-smart devices (cannot read VLAN tags). Correct?
Finally, ether2 is also set up as an access port by your definition here, and really you want a trunk port to pass VLAN 10 and VLAN 20 to the Cisco for Wi-Fi and 99 for management.
Thank you for your inputs. Sadly I did not take a backup of my config while doing changes (apologies) and I ended up messing up.
I restored from my backup, and the config I am inserting has the following behaviour:
From the Mikrotik, both SOHO-AP and GUEST-AP work without problems.
From the Cisco AP, SOHO-AP works, GUEST-AP does not work.
Let me try my best to answer some of the questions raised.
The script originated from the reference listing for VLANs in the wiki. I made a modification to allow OpenVPN access from two clients (who inherit an IP from the SOHO range). The ARP entry was to address the inability of these OpenVPN clients to access the resources. OpenVPN is working well.
I would like clients that connect to GUEST-AP from the Cisco to be able to access the internet while being limited to that VLAN.
Sorry for the trouble. I will back up before making changes.
My observations seem to agree with your observation. What I would like to achieve is the following:
The Mikrotik router keeps behaving as it is, while the Cisco allows VLAN’ed traffic depending on which SSID one connects to. On the Mikrotik there is a defined VLAN ID=99 (BASE_VLAN). From my understanding of the script this is a backbone VLAN and I can observe traffic on it. Should it be defined on the Cisco?
Responding to some observations/questions:
ether3 and ether4 will not be serving devices on any VLAN other than ID=10.
I’ve removed the wireless interfaces associated with ID=99. They were disabled.
I will try to sort it out and will share the backed-up incremental changes either way :-).
Sorry for not getting back on this topic. I tried assimilating what was being stated and have modified the configuration to eliminate VLAN ID=99. My problem is that I don’t have a spare Mikrotik to experiment with (I have one ordered, but with Covid no one knows when it will arrive), which means that when I screw up I bring down my network!
Since my last posting I’ve:
Removed VLAN 99. I prefer to have the administrative function merged into VLAN 10.
Given each VLAN its own DNS rather than sharing a common one.
The setup is working, although the original topic of not being able to access VLAN 20 through the Cisco AP still remains, as I did not change anything there.
@tdw pointed out that frame-types=admit-only-vlan-tagged could not work because ether2 is configured with VLAN 10 untagged and VLAN 20 tagged.
My needs are that a device connecting on the Cisco would, depending on the SSID (SOHO or GUEST), be restricted to the particular VLAN. Stressing that my understanding of this topic is basic, I think that modifying ether2 so that it carries only tagged VLAN traffic is the right way. I’m assuming that in this scenario the VLAN ID for devices connected to the Cisco would automatically originate from the Cisco itself.
I would greatly appreciate any guidance to modify the included script to do that.
Nothing will be done automatically by either Cisco or Mikrotik; they will do exactly what they are configured with, and to make the whole thing work, both configurations have to match. IMHO having both VLANs tagged between Cisco and MT is the right way to go. However, if you want to go with the least amount of changes, you should make ether2 an access port for VLAN 10 while keeping it tagged for VLAN 20 (the current setup, as @TDW noted, blocks untagged frames from ingressing ether2):
/interface bridge port
set [ find interface=ether2 ] frame-types=any
If you'd go with tagged only via ether2, you'd have to change a few things on Cisco as well ...
I already did ... either copy-paste the code to terminal window or change setting through GUI. I'm not fluent in ciscogibberish, so I couldn't guide you towards all-tagged setup.
I did not write that the solution shared was a no-go (I wouldn’t post it at all, I’d let somebody else do it), I just wrote my opinion about the right (best) solution. But that’s only my opinion and surely not everybody agrees.
My experience with Cisco APs, albeit some years ago on the 1230 series, was that they didn’t particularly like a fully tagged setup, so I used management to the BVI interface untagged. Their newer APs may be better.
Right you are, it should be admit-all … which is default and thus is not shown in your configuration export.
Regarding GUEST-AP: I don’t see anything wrong in hAP lite configuration, tagged frames with VID=20 should pass it. If GUEST-AP on hAP lite works fine, then I would suspect configuration on Cisco. As I already mentioned I don’t know cisco so I don’t know if the configuration is fine or not (and if not, what is wrong).
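For readers who want to see the two halves side by side, here is an added example of a RouterOS (v6) bridge-VLAN-filtering layout that matches the Cisco autonomous-AP config posted above. It is not the poster’s export (which is not on this page) and it is not mkx’s code; everything below is reconstructed from what the thread states. Assumptions: the bridge is BR1, ether1 is the WAN, ether2 goes to CISCO-AP, ether3/ether4 are SOHO-only PCs, wlan1/wlan2 are the router’s own SOHO-AP/GUEST-AP, VLAN 10 is 192.168.16.0/24 with the router at .1 (the Cisco BVI1 sits at .252 per its config), and 192.168.20.0/24 is a made-up guest subnet; an existing srcnat masquerade rule toward ether1 is assumed to be present since VLAN 20 already reaches the internet from the router’s own radio.

```routeros
# Added example, not the poster's configuration. Names/subnets are assumptions, see lead-in.
/interface bridge
add name=BR1 vlan-filtering=no comment="turn filtering on only after the VLAN table is complete"

# The Cisco side carries VLAN 10 as "encapsulation dot1Q 10 native" (untagged)
# and VLAN 20 tagged. ether2 therefore has to be a hybrid port: PVID 10 so
# untagged frames land in VLAN 10, VLAN 20 tagged, and frame-types=admit-all
# (the default, hence absent from an export) so BOTH untagged and tagged frames
# are accepted. admit-only-vlan-tagged here silently drops every Cisco management
# and SOHO frame, which is the mismatch the thread ran into.
/interface bridge port
add bridge=BR1 interface=ether2 pvid=10 frame-types=admit-all ingress-filtering=yes comment="hybrid: VLAN10 untagged, VLAN20 tagged"
add bridge=BR1 interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=BR1 interface=ether4 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=BR1 interface=wlan1  pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="SOHO-AP"
add bridge=BR1 interface=wlan2  pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="GUEST-AP"

# Bridge VLAN table: VID 10 leaves ether2 untagged (Cisco native), VID 20 leaves
# ether2 tagged (Cisco Dot11Radio0.20 / GigabitEthernet0.20). BR1 itself is a
# tagged member of both so the router can route and serve DHCP on each VLAN.
/interface bridge vlan
add bridge=BR1 vlan-ids=10 tagged=BR1 untagged=ether2,ether3,ether4,wlan1
add bridge=BR1 vlan-ids=20 tagged=BR1,ether2 untagged=wlan2

# Router-side L3 interfaces, using the names the thread uses. No proxy-arp needed
# for plain VLAN routing; it was only added for the poster's OpenVPN clients.
/interface vlan
add interface=BR1 name=SOHO_VLAN  vlan-id=10
add interface=BR1 name=GUEST_VLAN vlan-id=20
/ip address
add address=192.168.16.1/24 interface=SOHO_VLAN
add address=192.168.20.1/24 interface=GUEST_VLAN comment="assumed guest subnet"

# Pool, DHCP server and DHCP network per VLAN (the pieces anav noted were missing).
# Pool stops at .200 so the Cisco's static .252 on VLAN 10 can never collide.
/ip pool
add name=POOL_SOHO  ranges=192.168.16.10-192.168.16.200
add name=POOL_GUEST ranges=192.168.20.10-192.168.20.200
/ip dhcp-server
add name=DHCP_SOHO  interface=SOHO_VLAN  address-pool=POOL_SOHO  disabled=no
add name=DHCP_GUEST interface=GUEST_VLAN address-pool=POOL_GUEST disabled=no
/ip dhcp-server network
add address=192.168.16.0/24 gateway=192.168.16.1 dns-server=192.168.16.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# Guest isolation: VLAN 20 reaches the WAN only, never VLAN 10 or the router's
# management services. Rules must sit BEFORE any broad "accept" forward rule.
/interface list
add name=WAN
add name=GUEST
/interface list member
add interface=ether1     list=WAN
add interface=GUEST_VLAN list=GUEST
/ip firewall filter
add chain=forward in-interface-list=GUEST out-interface-list=WAN action=accept comment="guest -> internet"
add chain=forward in-interface-list=GUEST action=drop comment="guest -> VLAN 10 / anything else"
add chain=input   in-interface-list=GUEST protocol=udp dst-port=53,67 action=accept comment="guest DHCP+DNS to router"
add chain=input   in-interface-list=GUEST action=drop comment="guest -> router management"

# Last step, once the table above is complete and you have VLAN 10 (or serial) access:
/interface bridge set BR1 vlan-filtering=yes
```

Two things to check after applying: `/interface bridge vlan print` should show ether2 in the untagged column for VID 10 and the tagged column for VID 20 only, and `/interface bridge host print` should list the Cisco BVI1 MAC on ether2 under VID 10 once it has sent traffic. If you later move to the all-tagged setup mkx prefers, the Cisco subinterfaces lose their `native` keyword and ether2 becomes `frame-types=admit-only-vlan-tagged` with both VIDs in the tagged column; the two sides must change together or the AP drops off the network.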
I decided to power cycle everything and I think everything is working as expected. Tomorrow I will be trying everything and will report back. I am hopeful that the matter is resolved.
I confirm that it works. Thank you. I marked the topic as solved.
I must admit that my lack of network knowledge prevents me from appreciating how traffic flows on ether2 and why there isn’t a complete mess on this port. My reasoning was that, like BR1, this is a multi-VLAN channel and therefore all traffic should have been forced into this mode.
I also want to thank @mkx for the comments: an unintended consequence of your comment is that you helped me clean up the settings. I had been thinking of trimming out ID=99, but your observations made me bite the bullet.