Hello All,
Thank you in advance for the help. We are new to MikroTik and need a little guidance. We are using an hAP ac that has an SFP slot, 5 Ethernet ports, and Wi-Fi. How would you set up the device to accept a trunk port (3 tagged VLANs) on the fiber, and then act as a wireless router?
Please see the following image.
Thank you so much again.
CZFan
June 22, 2019, 7:05pm
To ensure hardware offload on LAN ports, create first bridge and assign ports 1-4 and wifi to it.
Create vlan interfaces and assign them to SFP interface.
NAT, firewall rules, etc. will need to be set up against the relevant VLANs, i.e. masquerade will need to go on out-interface vlan 5.
Create 2nd bridge and add voice vlan and ether 5 to it
Thanks for your help CZfan
I got it working. It might be a little ugly and I'd appreciate any suggestions on making it better but here is my working config:
# model = RouterBOARD 962UiGS-5HacT2HnT
# RouterOS export for an hAP ac: sfp1 is the uplink (WAN), LocalNetwork bridges
# ether1-4 and both radios, PhoneBridge bridges ether5 with VLAN 15 on sfp1.
# Review notes are inline; every command below is unchanged.
/interface bridge
add admin-mac=CC:2D:E0:E6:D7:88 auto-mac=no name=LocalNetwork
# NOTE(review): no vlan-filtering=yes is set on this bridge, so the pvid values
# here and on its ports presumably have no effect - confirm.
add fast-forward=no name=PhoneBridge pvid=15
/interface wireless
# Neither radio names a security-profile, so both presumably use the default
# profile configured further down - confirm.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MINet_Wifi wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country="united states" disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MINet_Wifi wireless-protocol=802.11
/interface vlan
# NOTE(review): vlan15 is created on top of PhoneBridge and is later added as a
# port of that same bridge; this looks unnecessary - confirm it can be removed.
add interface=PhoneBridge name=vlan15 vlan-id=15
# VLAN 15 tagged on the SFP uplink; bridged to ether5 through PhoneBridge below.
add interface=sfp1 name=vlan15Wan vlan-id=15
/interface list
# WAN and LAN are referenced by the firewall, NAT, neighbor discovery and
# MAC-server settings below; membership is assigned under "/interface list member".
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# WPA2-PSK only. NOTE(review): no wpa2-pre-shared-key appears in this export -
# presumably hidden or removed before posting; confirm a strong passphrase is set.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.200
/ip dhcp-server
# DHCP is served on the LocalNetwork bridge only; nothing is served on PhoneBridge.
add address-pool=dhcp disabled=no interface=LocalNetwork name=defconf
/interface bridge port
add bridge=LocalNetwork comment=defconf interface=ether2
add bridge=LocalNetwork comment=defconf interface=ether3
add bridge=LocalNetwork comment=defconf interface=ether4
add bridge=PhoneBridge comment=defconf interface=ether5 pvid=15
# This entry is disabled, so the untagged uplink stays out of the LAN bridge.
add bridge=LocalNetwork comment=defconf disabled=yes interface=sfp1
add bridge=LocalNetwork comment=defconf interface=wlan1
add bridge=LocalNetwork comment=defconf interface=wlan2
add bridge=LocalNetwork interface=ether1
# See the note at "/interface vlan": vlan15 runs on PhoneBridge and is also its port.
add bridge=PhoneBridge interface=vlan15 pvid=15
# Joins the upstream VLAN 15 segment to ether5 at layer 2.
add bridge=PhoneBridge interface=vlan15Wan
/ip neighbor discovery-settings
# LAN includes PhoneBridge (see list members), so discovery announcements
# presumably also leave on the VLAN 15 uplink - confirm that is intended.
set discover-interface-list=LAN
/interface detect-internet
# NOTE(review): detect-internet is watching every interface; if the feature is
# not needed, detect-interface-list=none is the usual setting - confirm.
set detect-interface-list=all
/interface list member
add interface=LocalNetwork list=LAN
add interface=sfp1 list=WAN
# NOTE(review): PhoneBridge contains vlan15Wan, i.e. the provider-facing VLAN 15.
# Listing it as LAN exempts that segment from the "drop all not coming from LAN"
# input rule and exposes MAC-Telnet/MAC-Winbox and neighbor discovery on it.
# If the upstream voice VLAN is not trusted, leave PhoneBridge out of LAN.
add interface=PhoneBridge list=LAN
/ip address
# NOTE(review): ether1 is a port of LocalNetwork (added above) while the DHCP
# server runs on LocalNetwork; addresses normally belong on the bridge itself -
# confirm and move this to interface=LocalNetwork.
add address=192.168.88.1/24 comment=defconf interface=ether1 network=192.168.88.0
/ip dhcp-client
# The WAN address is requested on untagged sfp1.
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=sfp1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# The router answers DNS queries from clients; the input-chain rule
# "drop all not coming from LAN" is what keeps this resolver closed on sfp1.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
# Input chain (traffic to the router itself): accept established/related/untracked,
# drop invalid, accept ICMP, then drop everything not arriving on a LAN-list interface.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Rule order matters: this final drop must stay last in the input chain.
# No IP address is shown on PhoneBridge, so IPv4 services are presumably not
# reachable from VLAN 15 even though it is in LAN - confirm.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# Forward chain (routed traffic through the router). NOTE(review): frames bridged
# inside PhoneBridge presumably bypass these rules (no use-ip-firewall is shown) - confirm.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Blocks new connections entering from WAN (sfp1) unless a dst-nat rule matched them.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# Source NAT for everything leaving via the WAN list (sfp1).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=MINet
/tool mac-server
# MAC-Telnet is allowed on LAN-list interfaces, which includes PhoneBridge and
# therefore the VLAN 15 uplink. NOTE(review): if that segment is not trusted,
# point this at a list that contains only LocalNetwork.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
# Same exposure as MAC-Telnet above: MAC-Winbox is reachable on every LAN-list interface.
set allowed-interface-list=LAN