Double-check my first hAP ac2 configuration

I recently purchased a hAP ac2 and this is the first time I play with such a product. It would be great if someone could take a look at my configuration and tell me if I made any obvious mistakes or if you would have done anything differently.

[admin@MikroTik] > /export hide-sensitive 
# mar/09/2021 17:23:56 by RouterOS 6.48.1
# software id = AQPZ-DUUH
#
# model = RouterBOARD D52G-5HacD2HnD-TC
# serial number = XXXXXXXXXXXX
# NOTE(review): this export contains no /ip firewall section, so nothing shown
# here limits which hosts may reach the management services that stay enabled
# below. Pre-shared keys and other secrets are omitted by "hide-sensitive".
/interface bridge
# bridge1 filters VLANs itself, but no /interface bridge vlan table follows;
# VLAN membership comes only from the per-port pvid values further down, and
# bridge1's own pvid is not set here (so it is at the default, 1).
add ingress-filtering=yes name=bridge1 vlan-filtering=yes
/interface wireless
# default-forwarding=no keeps wireless clients from reaching each other through
# the AP; WPS is disabled and DFS channels are skipped on both radios.
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-onlyn country=germany default-forwarding=no distance=indoors guard-interval=long installation=indoor mode=ap-bridge skip-dfs-channels=all ssid=WLAN-XXXXXX \
    wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode band=5ghz-onlyac channel-width=20/40/80mhz-XXXX country=germany default-forwarding=no distance=indoors guard-interval=long installation=indoor mode=ap-bridge skip-dfs-channels=\
    all ssid=WLAN-XXXXXX wireless-protocol=802.11 wps-mode=disabled
/interface vlan
# NOTE(review): these VLAN sub-interfaces of ether1 are added as bridge1 ports
# below, while ether1 itself is not a bridge port. Later posts in this thread
# point to the RouterOS "Layer2 misconfiguration" help page for why mixing
# /interface vlan members with a vlan-filtering bridge is discouraged.
add interface=ether1 name=vlan2 vlan-id=32
add interface=ether1 name=vlan3 vlan-id=33
add interface=ether1 name=vlan4 vlan-id=36
add interface=ether1 name=vlan5 vlan-id=39
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Both profiles are WPA2-PSK. wlan1/wlan2 use the default profile; "intranet"
# is created here but no interface in this export references it.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=intranet supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
# NOTE(review): the DHCP server is bound to wlan1, which is itself a bridge1
# port below. The author later describes this as a leftover from wireless
# management access - confirm whether it still serves leases or should go.
add address-pool=dhcp interface=wlan1 name=management
/interface bridge port
# ether2-ether5 are untagged access ports; each vlanN sub-interface carries the
# same pvid as one access port, and both radios sit in VLAN 39 with ether5.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=32
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=33
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=36
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=39
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan2 pvid=32
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan3 pvid=33
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan4 pvid=36
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan5 pvid=39
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=39
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=39
/ip neighbor discovery-settings
# Neighbor discovery is disabled on every interface.
set discover-interface-list=none
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
# Management address lives on the bridge itself (untagged, default pvid).
add address=192.168.88.1/24 comment=defconf interface=bridge1 network=192.168.88.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip service
# NOTE(review): telnet, ftp, api, winbox and api-ssl are disabled, but www and
# ssh are left at their defaults, so the device is manageable over plain HTTP
# as well as SSH; consider disabling www and keeping ssh (or www-ssl) only.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
# Limits SSH to the stronger cipher/MAC set.
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Berlin
/system leds settings
set all-leds-off=immediate
/system ntp client
set enabled=yes primary-ntp=192.168.30.1
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-server, MAC-winbox and MAC-ping are all off, so the device cannot be
# reached through layer-2 (MAC-address based) management tools.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/interface vlan
# (quoted from the export above) VLAN sub-interfaces on ether1, each of which
# is then added to bridge1 as a separate port.
add interface=ether1 name=vlan2 vlan-id=32
add interface=ether1 name=vlan3 vlan-id=33
add interface=ether1 name=vlan4 vlan-id=36
add interface=ether1 name=vlan5 vlan-id=39

Instead of ether1 I would expect to see the bridge here.

/interface bridge port
# (quoted from the export above) the vlanN sub-interfaces of ether1 are bridge
# ports alongside the physical access ports and both radios.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=32
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=33
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=36
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=39
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan2 pvid=32
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan3 pvid=33
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan4 pvid=36
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=vlan5 pvid=39
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=39
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=39

Why are there vlan interfaces here?

Perhaps you can give some information on why you are using VLANs?

The configuration you have does nothing.
Suggest you read this reference and give it another shot…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

I use ether1 as hybrid port, which is connected to my firewall.

It does not work without them.

ether2, ether3, ether4 and ether5 are supposed to be access ports with separate vlan ids and ether5 is supposed to be on the same vlan as the two wifi interfaces.

My configuration seems to be doing exactly what I want, at least as far as I can tell. I've read the entire thread you linked, but this configuration is the best I could come up with.

So you are trying to configure it as a switch with one trunk port (eth1) and only access ports, correct?
Because it makes no sense to use NAT…

I think it would be sufficient (I haven't tested it) to reset without the default configuration and then add:

/interface bridge
# NOTE(review): admin-mac has only five octet groups here; a MAC address has
# six, so this value is presumably redacted and must be replaced before use.
add admin-mac=XX:XX:XX:XX:XX auto-mac=no name=bridge1 protocol-mode=none vlan-filtering=yes

/interface bridge port
# ether1 admits tagged frames only, i.e. a pure trunk - the author replies
# below that it needs to be a hybrid port (untagged management) instead.
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=32
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=33
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=36
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=39
# NOTE(review): the hAP ac2 export earlier in the thread names its radios
# wlan1 (2.4 GHz) and wlan2 (5 GHz); wlan0 does not exist on that device, and
# wlan1 here would be the 2.4 GHz radio rather than the 5 GHz one.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan0 pvid=39
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=39

/interface bridge vlan
# bridge1 (the CPU side) is tagged only on VLAN 32; no /ip address is part of
# this proposal, so how the device is to be managed is left to the reader.
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=32
add bridge=bridge1 tagged=ether1 vlan-ids=33
add bridge=bridge1 tagged=ether1 vlan-ids=36
add bridge=bridge1 tagged=ether1 vlan-ids=39

Be aware that you might be disconnected…

Correct, but eth1 is supposed to be a hybrid port. I want the hAP ac2 to be part of the 192.168.30.1/24 subnet.

The dhcp-server stuff in my config is a leftover from my backup management access through wlan1, because I'm not using Winbox.

I don't understand that part.

Have a look at the link that anav posted; there you will find all the info you need.

While reading the link, also provide a network diagram, as it should help figure out what you are trying to accomplish.

I'll try my luck once more and report back.

I simply want the hAP ac2 to act as a managed switch with the management interface only accessible via untagged traffic on eth1.

I am using my hex as a managed switch.

My management vlan is 11
I have a bridge with VLAN filtering enabled and pvid=1, the default.

ether1 - trunk port , all vlans running on this trunk
ether2 - pvid44 - access port on specific vlan (DIRECT link to secondary ISP)
ether3 - trunk port running vlan11, and two other vlans for testing and config purposes(simulating hooking up managed devices anywhere on my network)
ether4 pvid11 access port to access point in the room
ether5 pvid11 access port to pc

The ip address of the switch is on the management vlan11.
If it were a hAP ac, the only difference would be adding the WLANs to the bridge as ports with their associated pvids.

Where exactly is the issue with my current configuration? Is it plain wrong or just not elegant? As I said earlier, it does seem to do exactly what I want.

If it works, then great! I probably thought it was a router rather than a switch at the start — my bad.

I am by no means an expert, so it may well be that I simply don’t recognize a mistake. That’s why I came here.

PS: I did give the “all interfaces on a single bridge” approach another try, but failed miserably.

Can you please have a look at this configuration: https://forum.mikrotik.com/download/file.php?id=45586 (it is referred to in this topic: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1)
This is an example of a switch with trunk port, access ports and hybrid ports.

Tip: turn VLAN filtering on for the bridge as the last step of configuring the device.

I found the relevant help section that describes exactly why my current configuration is problematic: https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration#Layer2misconfiguration-VLANinabridgewithaphysicalinterface

Which problem specifically — page number, paragraph?
The correct configuration of VLANs was addressed in the link provided initially, wasn't it?

Yes, but I also wanted to know what kind of problems might arise with my current configuration.

Take a look at the “VLAN in a bridge with a physical interface” section (the link in my above post should point right at it).

I have updated my configuration - thanks to all who helped me:

[admin@MikroTik] > /export hide-sensitive 
# mar/25/2021 16:18:09 by RouterOS 6.48.1
# software id = AQPZ-DUUH
#
# model = RouterBOARD D52G-5HacD2HnD-TC
# serial number = XXXXXXXXXXXX
# NOTE(review): as with the first export, no /ip firewall section is present,
# so reachability of the management services below is governed only by which
# VLAN the bridge's own address sits in. Secrets are omitted by "hide-sensitive".
/interface bridge
# protocol-mode=none switches (R)STP off on this bridge; fine for a single
# uplink, but verify there is no redundant layer-2 path via the upstream switch.
add ingress-filtering=yes name=bridge1 protocol-mode=none vlan-filtering=yes
/interface wireless
# Both radios: client-to-client forwarding off, WPS off, DFS channels skipped.
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-onlyn country=germany \
    default-forwarding=no distance=indoors guard-interval=long installation=indoor mode=ap-bridge skip-dfs-channels=all \
    ssid=WLAN-XXXXXX wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode band=5ghz-onlyac channel-width=20/40/80mhz-XXXX \
    country=germany default-forwarding=no distance=indoors guard-interval=long installation=indoor mode=ap-bridge \
    skip-dfs-channels=all ssid=WLAN-XXXXXX wireless-protocol=802.11 wps-mode=disabled
/interface wireless security-profiles
# Both profiles are WPA2-PSK; wlan1/wlan2 use the default profile, wlan3 uses
# "intranet" (a separate pre-shared key for the separate VLAN below).
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=intranet supplicant-identity=MikroTik
/interface wireless
# wlan3 is a virtual AP on the 2.4 GHz radio (wlan1) with its own SSID and
# security profile. wds-default-bridge is set although no wds-mode appears in
# this export - presumably harmless, but confirm it is intended.
add mac-address=CE:2D:E0:E5:2E:FB master-interface=wlan1 name=wlan3 security-profile=intranet ssid=xxxxxxxxxxxxxxxx \
    wds-default-bridge=bridge1 wps-mode=disabled
/interface bridge port
# ether1 is the hybrid uplink: no frame-types restriction, so it accepts tagged
# and untagged frames; untagged frames get its pvid (not set here, so the
# default 1), which is also bridge1's own pvid - this is the untagged
# management path. ingress-filtering=yes still drops tagged frames whose VLAN
# id is not in the bridge vlan table below.
add bridge=bridge1 ingress-filtering=yes interface=ether1
# Access ports: one VLAN each; wlan1/wlan2 join ether5 in VLAN 79 and the
# virtual AP wlan3 joins ether4 in VLAN 76.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=72
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=73
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=76
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=79
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=79
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=79
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan3 pvid=76
/ip neighbor discovery-settings
# Neighbor discovery is disabled on every interface.
set discover-interface-list=none
/interface bridge vlan
# bridge1 itself is not listed as tagged or untagged on any of these VLANs, so
# the device's own IP stack is not reachable from VLANs 72-79; management rides
# only the untagged VLAN on ether1, as the author intends.
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=72
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=73
add bridge=bridge1 tagged=ether1 untagged=ether4,wlan3 vlan-ids=76
add bridge=bridge1 tagged=ether1 untagged=ether5,wlan1,wlan2 vlan-ids=79
/ip dhcp-client
# NOTE(review): the management address is leased over bridge1 (untagged on
# ether1). If the lease cannot be obtained or renewed the switch has no
# management address at all; a static /ip address on bridge1 is worth
# considering as a fallback.
add disabled=no interface=bridge1
/ip service
# NOTE(review): www and ssh are left at their defaults, so management is
# available over plain HTTP as well as SSH; consider disabling www and keeping
# ssh (or www-ssl) only.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
# Limits SSH to the stronger cipher/MAC set.
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Berlin
/system leds settings
set all-leds-off=immediate
/system ntp client
set enabled=yes primary-ntp=192.168.70.1
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-server, MAC-winbox and MAC-ping are all off, so the device cannot be
# reached through layer-2 (MAC-address based) management tools.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Does vlan-mode=secure make any difference with the above bridge VLAN configuration?