Configure vAP with multiple vLAN

Hi everybody,
I’ve bought a MikroTik device in order to provide wireless like an AP to my clients.
It has got only an ethernet port and a wifi antenna.
There are a couple of SSIDs I want to broadcast, each one depends on different vlans.
I’ve configured an IP address for the ethernet port and configured wifi interface like AP-Bridge mode.
I’ve created two vLANs and two bridges. Each bridge has got its vlan port assigned.
To provide wireless through multiple SSID I’ve configured two vAP one for each vlan, and put WDS in dynamic mode with the bridge that belongs to this vlan.
Despite this I can’t connect to my SSIDs with my laptop. I see traffic on the vAP where I’m connecting like you can see in the attachment but it doesn’t route me to my network.
I don’t know what I’m doing wrong… I would appreciate any help!

Thanks in advance.

PS: Sorry for my English, I’m Spanish.

Can you post /export compact?

Thank you for your answer C.Brown.

Here it is:

[code2=ros]
[admin@MikroTik] > export compact  
# jan/08/1970 18:10:59 by RouterOS 5.16
# software id = 3M8V-IUMK
#
/interface bridge
add l2mtu=1594 name=bridge_3004 protocol-mode=stp
add l2mtu=1594 name=bridge_3100 protocol-mode=stp
/interface wireless
set 0 country=spain disabled=no l2mtu=2290 mode=ap-bridge ssid="" wireless-protocol=802.11
/interface vlan
add interface=ether1 l2mtu=1594 name=vlan_3100 use-service-tag=yes vlan-id=3100
add interface=ether1 l2mtu=1594 name=vlan_3004 vlan-id=3004
/interface wireless
add area="" arp=enabled bridge-mode=enabled default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=0 default-forwarding=yes disable-running-check=no disabled=no \
    hide-ssid=no l2mtu=2290 mac-address=D6:CA:6D:4A:F8:47 master-interface=wlan1 max-station-count=2007 mtu=1500 multicast-helper=default name=vap_3004 proprietary-extensions=post-2.9.25 \
    security-profile=default ssid=voip update-stats-interval=disabled wds-cost-range=0 wds-default-bridge=bridge_3004 wds-default-cost=0 wds-ignore-ssid=no wds-mode=dynamic wmm-support=\
    disabled
add area="" arp=enabled bridge-mode=enabled default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=0 default-forwarding=yes disable-running-check=no disabled=no \
    hide-ssid=no l2mtu=2290 mac-address=D6:CA:6D:4A:F8:48 master-interface=wlan1 max-station-count=2007 mtu=1500 multicast-helper=default name=vap_3100 proprietary-extensions=post-2.9.25 \
    security-profile=default ssid=gestion update-stats-interval=disabled wds-cost-range=0 wds-default-bridge=bridge_3100 wds-default-cost=0 wds-ignore-ssid=no wds-mode=dynamic \
    wmm-support=disabled
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/interface bridge port
add bridge=bridge_3004 interface=vlan_3004
add bridge=bridge_3100 interface=vlan_3100
add bridge=bridge_3004 interface=vap_3004
add bridge=bridge_3100 interface=vap_3100
/ip address
add address=172.30.0.160/25 interface=ether1
/ip neighbor discovery
set wlan1 disabled=yes
set vlan_3100 disabled=yes
set vlan_3004 disabled=yes
set vap_3004 disabled=yes
set vap_3100 disabled=yes
/ip route
add distance=1 gateway=172.30.0.254
/system leds
set 0 interface=wlan1
[/code2]

WDS is irrelevant in this situation. I see one problem there:

add interface=ether1 l2mtu=1594 name=vlan_3100 use-service-tag=yes vlan-id=3100

remove the use-service-tag

add interface=ether1 l2mtu=1594 name=vlan_3100 vlan-id=3100

There is no way to do a TRUNK with native VLAN on MikroTik. All VLANs must be tagged. Directive use-service-tag is for tagging VLAN in VLAN :) I think you don’t want to use it.

I see, the VLANs are not terminated on this device, so there can also be a problem on the device terminating the VLANs.

You are right. I’ve deleted the service tag from this vlan, but problem persists… :(

Thanks for helping fxx! I appreciate very much your help.

Can you verify that the vlans to your router are working?

Yes C.Brown, Mikrotik is connected to one of my Cisco switches on vlan3200.

interface GigabitEthernet4/10
 description *** Mikrotik AP ***
 switchport access vlan 3200
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
end

I’ve got many Cisco APs on the same network working with the same port config. This vLAN has access to all other vLANs on the network, so if I configure a vAP in vLAN 3004 for example, I think that traffic should route well… But it doesn’t. :(
I’ve got all Cisco APs configured in that way, but it seems to be different in Mikrotik.

I appreciate very much your help C.Brown!

Can you try turning off STP on your bridge interfaces?

I’ve turned off STP from both bridges and it doesn’t work…

I’ve seen that wifi interface is always shown in italic letter… Don’t know if it is relevant…

You need a trunk port, and the trunk needs to pass all vlans to the MT which you have configured.

Thank you savage, I had a trunk port configured the first day I powered on my Mikrotik device, but I desperately changed it a couple of times in order to see if it works in some way, but it doesn’t work in any way.

I’ve now my mikrotik device configured on trunk port without STP (I’ve also tried with STP) and still the same… :(

interface GigabitEthernet4/10
 description *** Mikrotik AP ***
 switchport trunk native vlan 3200
 switchport trunk allowed vlan 3004,3008,3009,3012,3016,3200
 switchport mode trunk
 power inline never
 spanning-tree portfast
 spanning-tree bpduguard disable

This is becoming a nightmare!

Thank you everybody for helping

As mentioned previously - native VLANs aren’t supported on MT. You have to tag all VLANs.

 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allow vlan 3004,3100

If you look at the bridge hosts, and get the MAC addresses for the VLAN interfaces on the switch on MT, then the VLANs aren’t your problem… What you are trying to do definitely works - I do the same for some APs…

EDIT: Had a look at some of my configurations now, and your MTU and l2MTU settings are completely whacked. I suggest you remove the bridge & vlan interfaces and recreate them with the default settings.

Thank you savage, but if I don’t configure native vlan on my switchport I cannot reach Mikrotik on the network. I can’t reach it, nor do ping tests reply.
Maybe I have to create vlan 3200 on Mikrotik and use as service tag?

You must assign the IP address to the bridge, not to the interface. STP is irrelevant in this arrangement. STP must be on if there can be a circle.

I haven’t changed MTU settings, I think these are my default settings… I’ll remove vlan and bridges and compare values and I’ll try then. Thank you savage.

Thank you fxx, I’m trying to assign the IP address to the bridge and I’ve done it, but I cannot reach mikrotik through ping test.
The old ethernet interface IP address (172.30.0.160) belongs to VLAN 3200 so I’ve created a new bridge_3200 and assigned it the IP address 172.30.0.160. I’ve also created a new VLAN 3200 on Mikrotik.
In this VLAN I’ve configured bridge_3200 as interface and haven’t checked “use service tag”.

Am I missing anything?

Anybody knows how to make this work???
I’ve been trying all the things you recommended me without luck…

I’d be eternally grateful if somebody has got this scenario working and could send/show me his config…

Thank you everybody

OK, I have checked your config once again. Disable the WDS mode on all VAPs, don’t set up WDS. WDS mode is not for clients. wlan1 is italic because you set up both SSIDs on VAPs. If you move one SSID to wlan1, it becomes normal (R).

Problem solved!

I’ve had to check “Use IP Firewall” and “Use IP Firewall for VLAN” in bridge settings…!

Thank you everybody.
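
The three points the responders raised about the posted export (use-service-tag on a VLAN, WDS enabled on client-facing virtual APs, the IP address bound to the physical port), as an added example that is not part of the original posts: a Python check over `/export compact` output. The sample export is constructed from the one in the thread, and the function and finding names are hypothetical.

```python
import re
import shlex

# Constructed sample, trimmed from the export posted earlier in the thread.
SAMPLE_EXPORT = r'''
/interface vlan
add interface=ether1 name=vlan_3100 use-service-tag=yes vlan-id=3100
add interface=ether1 name=vlan_3004 vlan-id=3004
/interface wireless
add master-interface=wlan1 name=vap_3004 ssid=voip wds-default-bridge=bridge_3004 \
    wds-mode=dynamic
add master-interface=wlan1 name=vap_3100 ssid=gestion wds-mode=dynamic
/ip address
add address=172.30.0.160/25 interface=ether1
'''

def parse_export(text):
    """Yield (menu, params) per command line, joining '\\' continuations."""
    joined = re.sub(r"\\\s*\n\s*", "", text)
    menu = None
    for line in map(str.strip, joined.splitlines()):
        if line.startswith("/"):
            menu = line  # menu path applies to the add/set lines that follow
        elif line and not line.startswith("#"):
            tokens = shlex.split(line)
            yield menu, dict(t.split("=", 1) for t in tokens[1:] if "=" in t)

def audit(text):
    """Return (finding, object) pairs for the three points raised in the thread."""
    entries = list(parse_export(text))
    vlan_parents = {p.get("interface") for m, p in entries if m == "/interface vlan"}
    findings = []
    for menu, p in entries:
        # use-service-tag=yes selects the 802.1ad service tag, not plain 802.1Q
        if menu == "/interface vlan" and p.get("use-service-tag") == "yes":
            findings.append(("service-tag", p.get("name")))
        # virtual APs (they carry master-interface) serving clients need no WDS
        elif (menu == "/interface wireless" and "master-interface" in p
              and p.get("wds-mode", "disabled") != "disabled"):
            findings.append(("wds-on-vap", p.get("name")))
        # an address on the VLAN parent port depends on untagged (native) frames
        elif menu == "/ip address" and p.get("interface") in vlan_parents:
            findings.append(("untagged-mgmt-ip", p.get("interface")))
    return findings

if __name__ == "__main__":
    for finding, obj in audit(SAMPLE_EXPORT):
        print(f"{finding}: {obj}")
```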