First time hAP ax3 setup with VLANs, no traffic going upstream

Hi everyone,

I’ve just got myself an hAP ax3 that I’ll use as part of setting up my network at home. I want to have two VLANs (10 = Home, 20 = Work), and my ultimate goal with this network is to be able to account for the number of bytes uploaded to and downloaded from the Internet from each VLAN separately.

Here’s some crude ASCII art showing how I’ve got things connected:


   EdgeRouter X
+-----------------+
|                 |
| [0][1][2][3][4] |
+--|--|--------|--+
   |  |        |
   |  |        +------ Internet
   |  |
   |  |     +--------- My laptop while I'm configuring the hAP
   |  |     |
   |  |     |  +------ Downstream switch off which all the wired devices
   |  |     |  |       in the house are connected
+--|--|-----|--|--+
| [1][2][3][4][5] |
|                 |
+-----------------+
      hAP ax3

Here is what I want the hAP to do:


  • Accept VLAN tagged traffic from the downstream switch on ether5 and allow it to be sent out through ether1 (if tag 10) or ether2 (if tag 20).
  • Tag incoming untagged traffic on ether1 with tag 10 and on ether2 with tag 20.
  • Have two SSIDs broadcast, one that tags traffic with tag 10 and the other with tag 20.

Why have I got two ports connected from the hAP to the ER-X? Because I have a script running on the ER-X that periodically queries the physical interface stats of ports 0 and 1 and uploads them somewhere. Since only Internet bound/sourced traffic for a given VLAN goes through one of the ER-X’s first two ports, it neatly gives me a way to measure this traffic separately.

(As an aside, there must be a better way of doing this! Maybe some router other than an ER-X could give me per-VLAN stats, and then I wouldn’t have to have two separate connections between it and the hAP. But that is what I have for now.)

At the moment I don’t care about preventing devices on the two VLANs from communicating, though I might in the future.

So I have configured the hAP in a way that I thought should work, but doesn’t. Maybe I have some conceptual errors in how I think it should be set up. But I’m basically doing this:


  • Create a bridge, and have all five physical ports and my Wi-Fi interfaces as part of it.
  • Assign pvids to ether1 and ether2, so that untagged traffic coming from upstream gets tagged.
  • Create bridge VLAN table entries such that ether1 is “untagged ID 10”, ether2 is “untagged ID 20”, and ether5 is “tagged IDs 10 and 20”.
  • Assign IP addresses 192.168.10.2 and 192.168.20.2 to my two VLAN interfaces.
  • Run a DHCP server that responds with 192.168.{10,20}.0 network addresses for the two VLANs. (Though I haven’t got to the point of testing this yet.)

Where I’m stuck is that when I connect ether1 to the ER-X’s port 0 (where the ER-X has port 0 statically configured as 192.168.10.1), I cannot ping either side from the other.

Here’s my configuration. What am I missing, and how can I debug this myself?


# 2024-08-11 12:14:53 by RouterOS 7.15.3
# software id = 6ZGG-EVY7
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = ...

/interface bridge
add admin-mac=D4:01:C3:44:30:8A auto-mac=no comment=defconf name=bridge port-cost-mode=short protocol-mode=none

/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.country=Australia .mode=ap .ssid=B715X disabled=no name=wlan0Home security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.country=Australia .mode=ap .ssid=B715X disabled=no name=wlan1Home security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0
add configuration.mode=ap .ssid=B715Xw disabled=no mac-address=D6:01:C3:44:30:8E master-interface=wlan0Home name=wlan0Work security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0
add configuration.mode=ap .ssid=B715Xw disabled=no mac-address=D6:01:C3:44:30:8F master-interface=wlan1Home name=wlan1Work security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0

/interface vlan
add interface=bridge name=Home vlan-id=10
add interface=bridge name=Work vlan-id=20

/ip pool
add name="Home Pool" ranges=192.168.10.10-192.168.10.254
add name="Work Pool" ranges=192.168.20.10-192.168.20.254

/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=20
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan0Home pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan1Home pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan0Work pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wlan1Work pvid=20

/ip firewall connection tracking
set udp-timeout=10s

/ipv6 settings
set disable-ipv6=yes

/interface bridge vlan
add bridge=bridge tagged=ether5 untagged=ether1 vlan-ids=10
add bridge=bridge tagged=ether5 untagged=ether2 vlan-ids=20

/ip address
add address=192.168.0.2/24 interface=bridge network=192.168.0.0
add address=192.168.10.2/24 interface=Home network=192.168.10.0
add address=192.168.20.2/24 interface=Work network=192.168.20.0

/ip dhcp-server
add address-pool="Home Pool" interface=Home name="Home DHCP Server"
add address-pool="Work Pool" interface=Work name="Work DHCP Server"

/ip dhcp-server network
add address=192.168.10.0/24 comment="Home DHCP Network" dns-server=1.1.1.1 gateway=192.168.10.1
add address=192.168.20.0/24 comment="Work DHCP Network" dns-server=1.1.1.1 gateway=192.168.20.1

/ip dns
set allow-remote-requests=yes

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

From the hAP console:


[admin@MikroTik] > ping 192.168.10.1
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 192.168.10.1                                                 timeout
    1 192.168.10.1                                                 timeout
    2 192.168.10.1                                                 timeout
    3 192.168.10.2                               84  64 77ms432us  host unreachable
    sent=4 received=0 packet-loss=100%

From the ER-X console:


ubnt@EdgeRouter-X-5-Port:~$ ping 192.168.10.2
PING 192.168.10.2 (192.168.10.2) 56(84) bytes of data.
From 192.168.10.1 icmp_seq=1 Destination Host Unreachable
From 192.168.10.1 icmp_seq=2 Destination Host Unreachable
From 192.168.10.1 icmp_seq=3 Destination Host Unreachable
^C
--- 192.168.10.2 ping statistics ---
5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4084ms

I confirmed that when I plug another device into the ER-X’s port 0, and statically configure its IP address to 192.168.10.2, I can ping each side.

Thanks,

Cameron

Besides a lot of firewall rules... VLAN filtering isn't enabled on the bridge.

Re vlan-filtering being turned off, good point! I didn’t realise this completely disabled the bridge’s VLAN handling. I’ve turned that on now, and see useful output from /interface bridge vlan print, but still am unable to ping.

Is there something in the firewall rules that looks like it would prevent this from working? These are the default firewall rules, with some irrelevant ones removed.

:confused:

If you want this device to work as a router, you want a masquerade rule.
But there is a lot more that is missing.

If you want to have it working as a switch, please read this great topic:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

The ER-X upstream is what I want to do the masquerading (since it’s the one with the Internet connection). I guess I otherwise do want to use the hAP as a switch. I’ll take a read of that guide and see if it helps me understand.

FWIW I just used the packet sniffer tool to see what was happening on the Home VLAN interface and the physical ether0 interface when I try to ping 192.168.10.1 from the hAP. I see arp packets being sent over the Home VLAN interface, asking for the MAC address of 192.168.10.1. I do not see those packets being sent over ether0.

I discovered when I add the bridge port to the bridge VLAN table entries for each VLAN ID, pinging works. So:


/interface bridge vlan
add bridge=bridge tagged=ether5 untagged=ether1,bridge vlan-ids=10
add bridge=bridge tagged=ether5 untagged=ether2,bridge vlan-ids=20

Is this because pings are a Layer 3 thing, and so the ICMP packets need to be passed on to the CPU to respond to?

This works regardless of whether I put bridge in the tagged or untagged list of the entries. What difference does this make?
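The following is an added example, not part of any post in this thread, pulling the thread's fixes together into one RouterOS 7 configuration for the topology described above (ether1/ether2 as untagged uplinks to the ER-X, ether5 as the tagged trunk to the downstream switch, two SSIDs per radio). Interface names, VLAN IDs, SSIDs and addresses are taken from the original post; leaving ether3/ether4 in the default VLAN 1 for management, and the exact sniffer filters, are assumptions. The key points it shows are that `vlan-filtering=yes` must be set on the bridge, that the bridge itself has to be a tagged member of every VLAN that carries an `/interface vlan` (that is what the "add bridge to the VLAN table" discovery in the last post is about: the CPU is just another port, and the Home/Work VLAN interfaces expect tagged frames on it), and which print commands verify each step.

```routeros
# Added example (not from the thread): VLAN-filtering bridge for the hAP ax3
# in this topology. Interface names and addresses follow the original post.
# Build the whole table first, enable filtering last, and do it from Safe Mode
# (Ctrl-X in the terminal) so a mistake does not lock you out of the device.

/interface bridge
add name=bridge vlan-filtering=no protocol-mode=none comment="filtering enabled at the end"

/interface bridge port
# Access ports to the ER-X: untagged in, placed into the PVID VLAN internally.
# ingress-filtering=yes drops frames for VLANs the port is not a member of.
add bridge=bridge interface=ether1 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether2 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Trunk to the downstream switch: tagged frames only.
add bridge=bridge interface=ether5 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Wi-Fi: clients send untagged frames, the SSID's pvid decides the VLAN.
add bridge=bridge interface=wlan0Home pvid=10 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=wlan1Home pvid=10 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=wlan0Work pvid=20 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=wlan1Work pvid=20 frame-types=admit-only-untagged-and-priority-tagged
# Assumption: ether3/ether4 stay in VLAN 1 (bridge pvid default) for management.
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4

/interface bridge vlan
# 'bridge' is the CPU port. It must be a TAGGED member of every VLAN that has
# an /interface vlan on top of the bridge, or Home/Work never see any frames.
# The wlan ports would be added as dynamic untagged members via their pvid;
# listing them explicitly keeps the table readable.
add bridge=bridge vlan-ids=10 tagged=bridge,ether5 untagged=ether1,wlan0Home,wlan1Home
add bridge=bridge vlan-ids=20 tagged=bridge,ether5 untagged=ether2,wlan0Work,wlan1Work

/interface vlan
add interface=bridge name=Home vlan-id=10
add interface=bridge name=Work vlan-id=20

/ip address
add address=192.168.10.2/24 interface=Home
add address=192.168.20.2/24 interface=Work

# Only now, with the table complete, switch the bridge into filtering mode.
/interface bridge set bridge vlan-filtering=yes

# Verification, in the order a failure would surface:
/interface bridge print            # vlan-filtering must read "yes"
/interface bridge vlan print       # each VLAN lists 'bridge' and ether5 under TAGGED
/interface bridge port print       # PVID per port; wlan ports on 10/20, not 1
/interface bridge host print       # learned MACs with the VLAN they were seen on
/tool sniffer quick interface=ether1 ip-protocol=icmp   # pings actually leaving ether1
```

Two caveats that follow from this layout. The 192.168.0.2/24 address on the bridge interface itself lives in the bridge's own PVID (VLAN 1), so once filtering is on it is only reachable through ports whose PVID is 1 (ether3/ether4 here), not through ether1 or ether5. And the sniffer check is the one that answers the "ARP on Home but nothing on the physical port" observation earlier in the thread: if ARP requests appear on the VLAN interface but never on the access port, the CPU port is missing from that VLAN's tagged list, not the firewall.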