FYI: wireless in vlan - perversion config

Hello world :)
This is my perversion experiment in how to use wireless in a VLAN
I know - this is stupid, but it works:

vlan1 is a transport vlan between switches and routers
vlan 2-3 are ordinary vlans
vlan 4 is an ordinary vlan with wi-fi AP
clients of all vlans get IP addresses from other DHCP servers in the network
DNS servers are on other servers too
Mikrotik is just an AP with VLAN support

resetting without default config (it's important)
/system reset-configuration skip-backup=yes no-defaults=yes

configuring interfaces
/interface ethernet
set ether3 master-port=ether2
set ether4 master-port=ether2
set ether5 master-port=ether2

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above \
    default-authentication=no dfs-mode=no-radar-detect disabled=no distance=indoors \
    frequency=2457 l2mtu=2290 mode=ap-bridge scan-list=2412-2457 \
    wireless-protocol=802.11 default-authentication=yes
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys wpa-pre-shared-key=password wpa2-pre-shared-key=password

adding unusual bridge:
/interface bridge
add mtu=1500 name=bridge1
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1

time to configure VLANs on switch:
/interface ethernet switch vlan
add independent-learning=no ports=ether2,ether5,switch1-cpu switch=switch1 vlan-id=2
add independent-learning=no ports=ether3,ether5,switch1-cpu switch=switch1 vlan-id=3
add independent-learning=no ports=ether4,ether5 switch=switch1 vlan-id=4
add independent-learning=yes ports=ether5,switch1-cpu switch=switch1 vlan-id=1

dhcp client for future access:

/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1

configuring ports:
/interface ethernet switch port
set 0 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 1 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=4 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=secure
set 4 default-vlan-id=1 vlan-mode=disabled

be patient! interface numbers are different in different switches!
here (RB751) 0 is ether2, 1 is ether3, 2 is ether4, 3 is ether5, 4 is switch1-cpu

and now - my main stupid secret : patch-cord between interfaces 1 and 4

enjoy !

OK - but why not just bridge the WLAN interface to a VLAN4 interface on Ether2? You are still using a software bridge either way.

because an interface used as a slave in the switch is not available for bridging

this is the dilemma -
if we need VLANs - we must use interfaces as slaves in the switch
if we need bridging - we must not use interfaces as slaves

the master port is available for bridging, but doesn't work in the bridge with VLAN

In your config Ether2 is the master. You can enable the VLAN on Ether2 and bridge it directly to the WLAN.

I've tried it.
It works with wire, but doesn't work with bridge

You need to make sure in the switch settings that the VLAN is presented on the CPU interface - which will appear as Ether2 to ROS. If you have it appear as tagged on the CPU interface then use a VLAN interface on Ether2 to select the VLAN for bridging to the WLAN.

Please check my config.
Where am I wrong?

/interface bridge
add mtu=1500 name=bridge1

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above \
    dfs-mode=no-radar-detect disabled=no distance=indoors frequency=2457 \
    l2mtu=2290 mode=ap-bridge scan-list=2412-2457 wireless-protocol=802.11

/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2

/interface vlan
add interface=wlan1 l2mtu=2286 name=vlan1 vlan-id=4

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys wpa-pre-shared-key=password wpa2-pre-shared-key=password

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=vlan1

/interface ethernet switch vlan
add ports=ether2,ether5,switch1-cpu switch=switch1 vlan-id=2
add ports=ether3,ether5,switch1-cpu switch=switch1 vlan-id=3
add ports=ether4,ether5 switch=switch1 vlan-id=4
add ports=ether5,switch1-cpu switch=switch1 vlan-id=1
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1

/interface ethernet switch port
set 0 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 1 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=4 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=secure
set 4 default-vlan-id=15 vlan-mode=disabled

You seem to have added VLAN 4 to the WLAN interface.

You should:

Enable VLAN 4 on the Switch CPU interface - it should be tagged.
Add a VLAN 4 interface to the Ether 2 interface.
Bridge the VLAN 4 interface created above to the WLAN interface using a bridge.

yes it works. My mistake was that I had not connected the CPU to VLAN4.
I did it because I did not want users of the guest Wi-Fi to have the ability to access management

thank you
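
The three steps advised above, written out as RouterOS commands, with one input-chain rule added for the stated concern about guest Wi-Fi users reaching management. This is an added example, not a configuration posted by anyone in the thread; the names vlan4-guest and bridge-guest are assumptions, and it assumes the thread's master-port and switch VLAN setup is already applied and that wlan1 is not yet a port of any other bridge.

```routeros
# Added example (not from the thread). Interface and bridge names are assumptions.

# Step 1: make the switch CPU port a member of VLAN 4, so VLAN 4 frames
# reach RouterOS on the master port (ether2).
/interface ethernet switch vlan
set [ find vlan-id=4 ] ports=ether4,ether5,switch1-cpu

# Step 2: a VLAN 4 interface on the master port selects that VLAN
# from the tagged traffic arriving from the switch CPU port.
/interface vlan
add interface=ether2 name=vlan4-guest vlan-id=4

# Step 3: bridge only the VLAN 4 interface and the wireless interface.
# No IP address and no DHCP client is placed on this bridge.
/interface bridge
add name=bridge-guest
/interface bridge port
add bridge=bridge-guest interface=vlan4-guest
add bridge=bridge-guest interface=wlan1

# The CPU is now a member of the guest VLAN, so drop everything from the
# guest bridge that is addressed to the router itself. Bridged client
# traffic (DHCP and DNS served elsewhere in the network) is forwarded at
# layer 2 and does not traverse the input chain.
/ip firewall filter
add chain=input in-interface=bridge-guest action=drop \
    comment="guest VLAN 4: no access to the router itself"
```

MAC-Telnet and MAC-Winbox are controlled separately under /tool mac-server, so check that the guest bridge is not an allowed interface there.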