configure wifi in router with switch chip

mvcorrea · July 13, 2022, 4:23pm

configuring vlans in a router “hap ac” that has a switch chip
physical ifaces working ok but unable to attach a wlan to a single vlan

# vlans
/interface bridge
add name=bridge-vlan

/interface bridge port
add bridge=bridge-vlan interface=ether2 hw=yes			# trunk
add bridge=bridge-vlan interface=ether3 hw=yes			# access
add bridge=bridge-vlan interface=ether4 hw=yes			# access

/interface ethernet switch vlan
add independent-learning=yes ports=ether2,ether3,ether4,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=yes ports=ether2,switch1-cpu switch=switch1 vlan-id=20
# ?why do I need to put "switch1-cpu" on every entry?

/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=add-if-missing
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=10
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=10

/interface vlan
add name=vlan10 vlan-id=10 interface=bridge-vlan
add name=vlan20 vlan-id=20 interface=bridge-vlan

/ip address
add address=10.10.10.1/24 interface=vlan10
add address=10.10.20.1/24 interface=vlan20

# dhcp
/ip pool
add name=vlan10-pool ranges=10.10.10.200-10.10.10.254 
add name=vlan20-pool ranges=10.10.20.200-10.10.20.254 

/ip dhcp-server
add address-pool=vlan10-pool disabled=no interface=vlan10 name=dhcpd-vlan10
add address-pool=vlan20-pool disabled=no interface=vlan20 name=dhcpd-vlan20

/ip dhcp-server network
add address=10.10.10.0/24 dns-server=8.8.8.8,8.8.4.4 \
    gateway=10.10.10.1 netmask=24 ntp-server=10.10.10.1 
add address=10.10.20.0/24 dns-server=8.8.8.8,8.8.4.4 \
    gateway=10.10.20.1 ntp-server=10.10.20.1

# wireless
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
   supplicant-identity=MikroTik wpa2-pre-shared-key=$uperpassw0rd
/interface wireless
set [ find default-name=wlan1 ] name=wlan-2Ghz ssid=wlan-2Ghz frequency=auto mode=ap-bridge disabled=no
set [ find default-name=wlan2 ] name=wlan-5Ghz ssid=wlan-5Ghz frequency=auto mode=ap-bridge disabled=no
# ?do I need the option "vlan-mode=use-tag" on the previous (tried but changing nothing)?


# what from here? ----------------------------------------
/interface bridge port
add bridge=bridge-vlan interface=wlan-2Ghz  hw=yes	
add bridge=bridge-vlan interface=wlan-5Ghz  hw=yes	

# wireless interfaces goes up (and stayed on connecting)
# ? how can I associate the wlans to vlan10 ?
# ? how to attach "dhcpd-vlan10" to the wlans ?

regards,

tdw · July 13, 2022, 6:58pm

Under /interface ethernet switch vlan switch1-cpu passes traffic from the switch chip to the CPU, only required for VLANs connected to services provided by the CPU such as IP address, routing, DHCP server and software-based interfaces (tunnels, wireless).

Under /interface ethernet switch port use vlan-header=leave-as-is for the switch chip in the hAP ac as mentioned in the wiki and help pages.

Under interface wireless use both vlan-mode=use-tag AND vlan-id= to specify which VLAN the interface should be connected to.

Under /interface bridge port setting hw=yes for the wireless interfaces is pointless, the drivers are implemented in software.

bpwl · July 13, 2022, 7:39pm

OP probably has to do some reading on VLAN in RouterOS. Please check: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

It is confusing ! There are old methods, and newer methods. The documentation is not version aware. There are old-method tutorials on the web.
With the current ROS versions, the “bridge” method is preferred, and the “switch VLAN settings” should then not be used.
The “Bridge” is handling the switch settings with hardware offloading (hw=yes) . If one adds other switch settings besides what “bridge” does, there may be misconfiguration. of the switch.
Unless you clearly know what you are doing, “/interface ethernet switch vlan” should not be in the config.
Sometimes you want/need to do the VLAN filtering in the switch settings depending on the switch chip offloaded support.

Old method is: using bridges per VLAN, and define VLAN interfaces as port for those bridges
Old method is: doing all ethernet VLAN filtering with the switch settings

New method is handling VLAN with the bridge. Bridge VLAN definitions are for all ports, including WLAN and VPN.
VLAN distribution and tag/untag is done in the bridge without creating VLAN interfaces, if no VLAN access is needed for the router.
VLAN interface is only created if the router wants itself to use that VLAN as node in that VLAN. (e.g. as said above, for the DHCP server, DNS service, …)
Use hw-offloading to optimise performance. (Ability for HW offload and VLAN filtering is very switch chip dependent !!!)

There is still at least one option left open. VLAN tagging for a WLAN interface can be done in the bridge, or can be done in the wireless interface itself. A WLAN interface is VLAN aware on it’s own.
(it can send different clients to different VLANs)

holvoetn · July 14, 2022, 8:34pm

Minor addition (I know, not applicable here with hap ac being mentioned in first post but I think it is useful to be mentioned for completeness): for those WLAN interfaces not using wifiwave2 package there is indeed a second option.
Otherwise it is bridge only (for those devices where wifiwave2 package has been applied)