Guest wifi over vlan not working

After extensive reading and experimentation, I’ve come here seeking help.
I’m struggling to get my guest network to function properly within its own VLAN.

The issue concerns the guest network SSID “73b” on the Hap4, using VLAN 108.
A client can connect to the SSID (interface 73-2GHz-Hap4 Woonkamer) but fails to receive an IP address from the DHCP on the main router.
Even when I manually assign a static IP, the client cannot communicate with the main router or access the internet.
From the Hap4, I can successfully ping the VLAN address on the main router (10.2.8.1).

Using Torch, I can see that packets are being tagged to VLAN 108, and I also notice the client performing ARP requests on VLAN 108.
The Hap4 is running CAPsMAN and appears to be functioning correctly.
The main router is running RouterOS 6, along with CAPsMAN for older HAPs. However, that setup is about to be decommissioned once I fully transition to the new HAPs—so please disregard that configuration.
The internal WiFi, which does not use VLANs (SSID 88), works fine.
The Hap4 is physically connected to the main router via interface ether2-Hap4-Woonkamer.
I’ll attach the configurations for both devices as well as my anonymized network diagram.

Thank you in advance for any advice or recommendations.
Attachments: hap4.rsc (5.25 KB), networkdrawing.jpg, mikrotik mainrouter.rsc (25.7 KB)

Sorry, but I can't find any routing entries in your config.
If the client successfully connects to your VLAN and can PING the CAPSMAN1-IP, but not the main router IP, I guess something is wrong with your routing.

And what device is the “HAP4” in your picture?

Hi,
Thanks for your reply!

The routes seem to be added dynamically; they are not visible in the config file but are visible in the GUI, see screenshot.
But even if routes were missing, that would only explain the lack of internet, not of DHCP or being able to ping locally on the same VLAN. I cannot ping the address of the CAPsMAN server.

What do you mean with this question?

> And what device is the “HAP4” in your picture?

The device type is in the picture, or do you mean functionally? It is my access point from where I connect the client for testing.
routelist.jpg

Open terminal in Winbox.
In it, issue:

/ip route print

and:


/ip address print

and post their output.

[admin@hap4 woonkamer] > /ip route print
    DST-ADDRESS   GATEWAY       DISTANCE
DAd 0.0.0.0/0     10.2.3.254           1
DAc 10.2.3.0/24   bridge-bsl           0
DAc 10.2.8.0/24   vlanGuests2          0
DAc 10.2.9.0/24   vlanTest             0

[admin@hap4 woonkamer] > /ip address print
    ADDRESS         NETWORK    INTERFACE
0   10.2.8.249/24   10.2.8.0   vlanGuests2
1   10.2.9.249/24   10.2.9.0   vlanTest
2 D 10.2.3.249/24   10.2.3.0   bridge-bsl

Good :), so you have a DAd route (Dynamic Active dhcp) towards the internet; this one comes from the DHCP server on your network gateway. You also have three DAc routes (Dynamic Active connected); these three are made automatically by the router when you assign IP addresses to interfaces. Of the three addresses, two are static and one is dynamic, probably generated from your snmp or capsman settings.

Of these two:

/ip address
add address=10.2.8.249/24 interface=vlanGuests2 network=10.2.8.0
add address=10.2.9.249/24 interface=vlanTest network=10.2.9.0

the one that doesn’t work as expected is the vlanGuests2 (that uses vlan-id 108):

/interface vlan
add arp=proxy-arp interface=bridge-bsl name=vlanGuests2 use-service-tag=yes vlan-id=108

that corresponds to the “73-2Ghz-hap4 woonkamer”

/interface bridge vlan
add bridge=bridge-bsl tagged=bridge-bsl untagged="73-2Ghz-hap4 woonkamer" vlan-ids=108

Now the situation seems clear to me (though I have no idea where the issue may be).

The only occurrence of “73-2Ghz-hap4 woonkamer” is in the /interface bridge vlan entry quoted above, so it must be generated dynamically by capsman or some other RoS mechanism.

I've restored your config on an HEX S, and my first suggestion is to simplify your config by using only ONE bridge and slave adapters for each VLAN you use (on that one bridge as slaves).
hc_567.jpg
Use this documentation as the guideline for this:
https://help.mikrotik.com/docs/spaces/ROS/pages/28606465/Bridge+VLAN+Table

I personally use ROS 7.X on all my devices and the new CAPsMAN, but the config is similar to yours.
In my environment I use 4 VLANs, and all 4 also with WiFi without any problems.
It looks like this:
hc_565.jpg
After that you configure all the VLANs under Bridge->VLAN (TAGGED, UNTAGGED, and so on):
hc_566.jpg
The DHCP server bindings are attached to the bridge-VLAN slave interfaces.
That worked for me.

Well Ullinator,

I think by simplifying you mean the bridges on my main router, and I don’t want to touch them for now since they are still in use for the old haps.
But you got me thinking, and I did start simplifying by first focusing on the access point only. I configured the DHCP server on there and still got no address.

Reading the article you sent also made me go back (again) to this topic: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
And since I had 1 unused hap, I started configuring the access point configuration from scratch on that device.
And then I noticed that in that example the VLAN interface and the VLAN IP were not configured at all on the access point.
So once I removed those on my access point as well and disabled the VLAN filtering on both devices, I got an address and internet on the device.
Then it was only a matter of configuring the tagging, and then it worked with the VLAN filter enabled.

Btw, jaclaz, this also removed that dynamic route from the access point, since that device itself doesn’t have an IP in that VLAN anymore, so all the routing is done via the main network 10.2.3.0 now.

There’s 1 thing that bothers me: during all the experimenting I remember something from Mahar’s VLAN training, and that was that in order to make an interface a trunk you just need to configure more than 1 VLAN on it. Which I did, and then it started to work. But by removing the extra VLAN I cannot break it, so I don’t know if this makes any sense or not, since I made more changes than only that.

At least for now it seems to work, thanks both for thinking with me and pushing me in the right direction.
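
An added example, not part of the thread or of anyone's posted config: a small Python audit of a RouterOS export that checks, for one VLAN id, the access-port and trunk tagging the final post settled on, and notes when the access point itself is a member of the guest VLAN. The sample configs are constructed around the bridge vlan line quoted above; the uplink name `ether1`, static bridge ports and comma-separated (not ranged) `vlan-ids` are assumptions.

```python
import re
import shlex

def parse_export(text):
    """Map each menu path to the key=value dicts of its 'add' lines."""
    menus, menu = {}, None
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():  # join wrapped lines
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif menu and line.startswith("add "):
            pairs = (t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            menus.setdefault(menu, []).append(dict(pairs))
    return menus

def names(value):
    return {n for n in value.split(",") if n}

def audit_vlan(text, vid):
    """Return findings for one VLAN id on an access point's bridge."""
    cfg = parse_export(text)
    bridges = {b["name"] for b in cfg.get("/interface bridge", [])}
    pvid = {p["interface"]: int(p.get("pvid", 1)) for p in cfg.get("/interface bridge port", [])}
    entries = [e for e in cfg.get("/interface bridge vlan", [])
               if str(vid) in names(e.get("vlan-ids", ""))]
    findings = [] if entries else [f"vlan {vid}: no bridge vlan entry"]
    for e in entries:
        tagged, untagged = names(e.get("tagged", "")), names(e.get("untagged", ""))
        if not tagged - bridges:  # nothing carries the VLAN off the device
            findings.append(f"vlan {vid}: no tagged uplink port")
        if tagged & bridges:  # the AP's own CPU sits in the guest VLAN
            findings.append(f"vlan {vid}: bridge itself is a member")
        for port in sorted(untagged):
            if port not in pvid:  # e.g. a port added dynamically
                findings.append(f"{port}: no static bridge port, pvid unknown")
            elif pvid[port] != vid:  # ingress frames land in another VLAN
                findings.append(f"{port}: pvid {pvid[port]} != {vid}")
    return findings

# Constructed sample built around the bridge vlan entry quoted in the thread.
BEFORE = '''/interface bridge
add name=bridge-bsl vlan-filtering=yes
/interface bridge vlan
add bridge=bridge-bsl tagged=bridge-bsl untagged="73-2Ghz-hap4 woonkamer" vlan-ids=108
'''
# Constructed variant; the uplink name "ether1" is an assumption.
AFTER = BEFORE.replace("tagged=bridge-bsl", "tagged=ether1") + '''/interface bridge port
add bridge=bridge-bsl interface=ether1
add bridge=bridge-bsl interface="73-2Ghz-hap4 woonkamer" pvid=108
'''
```

`audit_vlan(BEFORE, 108)` returns three findings and `audit_vlan(AFTER, 108)` returns none; a port with no static bridge port entry is reported as unknown rather than wrong, since its pvid cannot be read from the export.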