Followed guide, can't get VLANs to work (Mikrotik + OPNsense)

So I have OPNsense as gateway, firewall and DHCP/DNS server. The Mikrotik hAP lite is acting as a managed switch.

Tagged VLAN on WiFi works, but on the ports it doesn't. I have tried all the scenarios written in this forum and in the manual and I just cannot get the additional VLAN to work.

Here's the setup:

OPNSense 192.168.1.3

  • default network 192.168.1.0
  • Vlan 20 - 192.168.20.0 (works)
  • Vlan 30 - 192.168.30.0 (doesn’t work, see below case)

Mikrotik 192.168.1.2

  • Ether1 connected to OPNSense
  • Ether2 laptop (192.168.1.0)
  • Ether3 IPTV (192.168.1.0)
  • Ether4 Vlan30 (192.168.30.0)
  • Wlan 192.168.1.0
  • Wlan2 Vlan 20 (192.168.20.0)

So with this configuration from the guides, VLAN 30 doesn't work: the node on Ether4 doesn't get an IP and doesn't pass traffic.

/interface bridge add ether-type=0x88a8 fast-forward=no name=bridge1 vlan-filtering=yes
/interface wireless set [ find default-name=wlan1 ] band=2ghz-g/n disabled=no mode=ap-bridge ssid=MKTK158
/interface vlan add disabled=yes interface=ether4 name=vlan30 vlan-id=30
/interface list add name=WAN
/interface list add name=LAN
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/interface wireless security-profiles add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=iot supplicant-identity=""
/interface wireless add disabled=no keepalive-frames=disabled mac-address=**** master-interface=wlan1 multicast-buffering=disabled name=wlan2 security-profile=iot ssid=IOT_SH_158 vlan-id=20 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface bridge port add bridge=bridge1 interface=wlan1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridge1 interface=ether4 pvid=30
/interface bridge port add bridge=bridge1 interface=wlan2
/interface bridge vlan add bridge=bridge1 tagged=wlan1,ether1,ether2,ether3,wlan2 untagged=ether4 vlan-ids=30
/interface ethernet switch vlan add disabled=yes ports=ether1 switch=switch1 vlan-id=30
/interface list member add interface=ether2 list=LAN
/interface list member add interface=ether3 list=LAN
/interface list member add interface=ether4 list=LAN
/interface list member add interface=ether1 list=LAN
/interface list member add interface=wlan1 list=LAN
/interface wireless access-list add interface=wlan2 mac-address=***

With this configuration, which I am sure is not correct per this article https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#VLAN_on_a_bridge_in_a_bridge , all VLANs work and I can ping the node on Ether4:

/interface bridge add ether-type=0x88a8 fast-forward=no name=bridge1 vlan-filtering=yes
/interface bridge add fast-forward=no name=bridgeVlan
/interface wireless set [ find default-name=wlan1 ] band=2ghz-g/n disabled=no mode=ap-bridge ssid=MKTK158
/interface vlan add interface=bridge1 name=Intrerface-vlan30 vlan-id=30
/interface list add name=WAN
/interface list add name=LAN
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/interface wireless security-profiles add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=iot supplicant-identity=""
/interface wireless add disabled=no keepalive-frames=disabled mac-address=******* master-interface=wlan1 multicast-buffering=disabled name=wlan2 security-profile=iot ssid=IOT_SH_158 vlan-id=20 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface bridge port add bridge=bridge1 interface=wlan1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridgeVlan interface=ether4 pvid=30
/interface bridge port add bridge=bridge1 interface=wlan2
/interface bridge port add bridge=bridgeVlan interface=Intrerface-vlan30
/interface list member add interface=ether2 list=LAN
/interface list member add interface=ether3 list=LAN
/interface list member add interface=ether4 list=LAN
/interface list member add interface=ether1 list=LAN
/interface list member add interface=wlan1 list=LAN
/interface wireless access-list add interface=wlan2 mac-address=******

Why would I care if openPFS works for vlan30…

As for the MT product…
/interface bridge add ether-type=0x88a8 fast-forward=no name=ONEBRIDGE vlan-filtering=yes

/interface vlan
add interface=ONEBRIDGE name=Intrerface-vlan30 vlan-id=30
add interface=ONEBRIDGE name=Intrerface-vlan20 vlan-id=20

/interface list add name=WAN
/interface list add name=LAN

/interface wireless set [ find default-name=wlan1 ] band=2ghz-g/n disabled=no mode=ap-bridge ssid=MKTK158
/interface wireless add disabled=no mac-address=xxx master-interface=wlan1 name=wlan2 security-profile=iot ssid=IOT_SH_158 wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled

/interface bridge port add bridge=ONEBRIDGE interface=wlan1 frame-types=admit-only-untagged-and-priority-tagged
{access port - pvid of 1 is implied aka the default network}
/interface bridge port add bridge=ONEBRIDGE interface=ether1 ingress-filtering=yes
{trunk port carrying vlan20,30}
/interface bridge port add bridge=ONEBRIDGE interface=ether2 frame-types=admit-only-untagged-and-priority-tagged
{access port - pvid of 1 is implied aka the default network}
/interface bridge port add bridge=ONEBRIDGE interface=ether3 frame-types=admit-only-untagged-and-priority-tagged
{access port - pvid of 1 is implied aka the default network}
/interface bridge port add bridge=ONEBRIDGE interface=ether4 pvid=30 frame-types=admit-only-untagged-and-priority-tagged
{access port}
/interface bridge port add bridge=ONEBRIDGE interface=wlan2 pvid=20 frame-types=admit-only-untagged-and-priority-tagged
{access port}

Where are the /interface bridge vlan settings???
/interface bridge vlan
add bridge=ONEBRIDGE tagged=ether1 untagged=wlan1,ether2,ether3 vlan-ids=1
add bridge=ONEBRIDGE tagged=ether1,ONEBRIDGE untagged=ether4 vlan-ids=30
add bridge=ONEBRIDGE tagged=ether1,ONEBRIDGE untagged=wlan2 vlan-ids=20
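As an added example (not code from any poster in this thread), a small Python linter that parses the /interface bridge, bridge port and bridge vlan rows of a RouterOS export and checks the consistency the one-bridge layout above depends on: every access port's pvid must have a bridge vlan entry listing that port untagged, and a VLAN-filtering bridge must use the 802.1Q ether-type 0x8100 (the RouterOS default). Both exports inside it are constructed for the example.

```python
import re

# Constructed samples in the one-bridge layout from the reply above. BROKEN has no
# bridge vlan entry for vlan 1 or 30 and uses the 0x88a8 ether-type; FIXED closes both gaps.
BROKEN = """
/interface bridge add ether-type=0x88a8 fast-forward=no name=ONEBRIDGE vlan-filtering=yes
/interface bridge port add bridge=ONEBRIDGE interface=ether1 ingress-filtering=yes
/interface bridge port add bridge=ONEBRIDGE interface=ether4 pvid=30 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port add bridge=ONEBRIDGE interface=wlan2 pvid=20 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan add bridge=ONEBRIDGE tagged=ether1,ONEBRIDGE untagged=wlan2 vlan-ids=20
"""
FIXED = """
/interface bridge add fast-forward=no name=ONEBRIDGE vlan-filtering=yes
/interface bridge port add bridge=ONEBRIDGE interface=ether1 ingress-filtering=yes
/interface bridge port add bridge=ONEBRIDGE interface=ether4 pvid=30 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port add bridge=ONEBRIDGE interface=wlan2 pvid=20 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan add bridge=ONEBRIDGE untagged=ether1 vlan-ids=1
/interface bridge vlan add bridge=ONEBRIDGE tagged=ether1,ONEBRIDGE untagged=wlan2 vlan-ids=20
/interface bridge vlan add bridge=ONEBRIDGE tagged=ether1,ONEBRIDGE untagged=ether4 vlan-ids=30
"""

def parse(export):
    """Collect the key=value pairs of /interface bridge, bridge port and bridge vlan rows."""
    rows = {"bridge": [], "port": [], "vlan": []}
    for line in export.splitlines():
        m = re.match(r"/interface bridge(?: (port|vlan))? add (.*)", line.strip())
        if m:
            rows[m.group(1) or "bridge"].append(dict(kv.split("=", 1) for kv in m.group(2).split()))
    return rows

def lint(export):
    """Return findings as strings; an empty list means the VLAN tables are consistent."""
    rows, out = parse(export), []
    for b in rows["bridge"]:  # RouterOS default ether-type is 0x8100 (802.1Q)
        if b.get("vlan-filtering") == "yes" and b.get("ether-type", "0x8100") != "0x8100":
            out.append(f"{b['name']}: ether-type {b['ether-type']} is not 0x8100, so 802.1Q frames count as untagged")
    members = {}  # vlan id -> (tagged ports, untagged ports)
    for v in rows["vlan"]:
        tagged = set(filter(None, v.get("tagged", "").split(",")))
        untagged = set(filter(None, v.get("untagged", "").split(",")))
        for vid in v.get("vlan-ids", "1").split(","):  # vlan-ids defaults to 1
            members[vid] = (tagged, untagged)
    for p in rows["port"]:  # an access port's pvid needs a vlan row listing it untagged
        name, pvid = p["interface"], p.get("pvid", "1")  # pvid defaults to 1
        if pvid not in members:
            out.append(f"{name}: pvid {pvid} has no /interface bridge vlan entry")
        elif name not in members[pvid][1]:
            out.append(f"{name}: pvid {pvid} but not listed untagged in vlan {pvid}")
    return out
```

Run `lint()` over a pasted `/export` before enabling vlan-filtering; the pvid check catches the missing vlan-ids=1 row that locks you out of the management network, which is the failure mode reported further down the thread.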



I mentioned OPNsense just to say that it is handling IP addressing, not Mikrotik.
I followed what you suggested and the network crashed. Internet was lost and I couldn't ping anything, not even the gateway.
Here's the export:

/interface bridge add ether-type=0x88a8 fast-forward=no name=ONEBRIDGE vlan-filtering=yes
/interface wireless set [ find default-name=wlan1 ] band=2ghz-g/n disabled=no mode=ap-bridge ssid=MKTK158

/interface vlan add interface=ONEBRIDGE name=Intrerface-vlan20 vlan-id=20
/interface vlan add interface=ONEBRIDGE name=Intrerface-vlan30 vlan-id=30
/interface list add name=WAN
/interface list add name=LAN

/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/interface wireless security-profiles add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=iot supplicant-identity=""
/interface wireless add disabled=no keepalive-frames=disabled mac-address=**** master-interface=wlan1 multicast-buffering=disabled name=wlan2 security-profile=iot ssid=IOT_SH_158 vlan-id=20 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled

/interface bridge port add bridge=ONEBRIDGE frame-types=admit-only-untagged-and-priority-tagged interface=wlan2 pvid=20
/interface bridge port add bridge=ONEBRIDGE frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=30
/interface bridge port add bridge=ONEBRIDGE frame-types=admit-only-untagged-and-priority-tagged interface=ether3
/interface bridge port add bridge=ONEBRIDGE frame-types=admit-only-untagged-and-priority-tagged interface=ether2
/interface bridge port add bridge=ONEBRIDGE ingress-filtering=yes interface=ether1
/interface bridge port add bridge=ONEBRIDGE frame-types=admit-only-untagged-and-priority-tagged interface=wlan1

/interface bridge vlan add bridge=ONEBRIDGE tagged=ether1,ONEBRIDGE untagged=wlan2 vlan-ids=20
/interface bridge vlan add bridge=ONEBRIDGE tagged=ether1 untagged=wlan1,ether2,ether3 vlan-ids=1
/interface bridge vlan add bridge=ONEBRIDGE tagged=ether1,ONEBRIDGE untagged=ether4 vlan-ids=30
/interface ethernet switch vlan add disabled=yes ports=ether1 switch=switch1 vlan-id=30
/interface list member add interface=ether2 list=LAN
/interface list member add interface=ether3 list=LAN
/interface list member add interface=ether4 list=LAN
/interface list member add interface=ether1 list=LAN
/interface list member add interface=wlan1 list=LAN
/interface wireless access-list add interface=wlan2 mac-address=****

The only difference between my config and yours is basically that I use VLANs for all networks.
So the home network is also on a VLAN.