hAP ac² - vlan port configuration

I have configured my ports for VLAN 102 and recall them being functional at least for a while, but for some reason traffic is now passing on untagged LAN.
WLANs are still in said VLAN and function normally.

Below is the entire configuration export, minus some unused default settings.

# jun/02/2020 21:55:08 by RouterOS 6.47
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=finland disabled=no distance=\
    indoors frequency=auto hide-ssid=yes mode=ap-bridge ssid=WLAN1+ wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country=finland disabled=no distance=\
    indoors frequency=auto hide-ssid=yes mode=ap-bridge ssid=WLAN2+ wireless-protocol=802.11
/interface vlan
add interface=ether1 name=eth1_vlan102 vlan-id=102
/interface wireless
add default-forwarding=no disabled=no mac-address=xx:xx:xx:xx:xx:xx master-interface=wlan1 name=guest-2.4 ssid=\
    GuestWLAN1 vlan-id=102 vlan-mode=use-tag wps-mode=disabled
add default-forwarding=no disabled=no mac-address=xx:xx:xx:xx:xx:xx master-interface=wlan2 name=guest-5 ssid=GuestWLAN2 \
    vlan-id=102 vlan-mode=use-tag wds-default-bridge=bridge wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge interface=ether1
add auto-isolate=yes bridge=bridge interface=guest-2.4
add auto-isolate=yes bridge=bridge interface=guest-5
add bridge=bridge interface=eth1_vlan102 pvid=102
/interface bridge vlan
add bridge=bridge tagged=ether2,ether3,ether4,guest-2.4,guest-5 vlan-ids=102
/interface list member
add interface=wlan2 list=LAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan1 list=LAN
/ip address
add address=192.168.1.2/24 comment=defconf interface=ether1 network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1

What’s wrong here?

My intent is to have ether2, ether3, ether4 as VLAN 102 access ports, and ether1 as a trunk carrying both (V)LAN 1 and 102 to the firewall.

You have ether1 as a bridge member, but still have the vlan, IP and dhcp-client assigned to this single interface. That doesn’t make sense; if you want ether1 as part of the bridge you should move any services assigned to it to the bridge itself.

See https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching for correct VLAN-configuration examples.

PS: Use Safe Mode when changing config in case you accidentally lock yourself out.

Another problem is this configuration:

/interface bridge vlan
add bridge=bridge tagged=ether2,ether3,ether4,guest-2.4,guest-5 vlan-ids=102

This line alone configures all listed interfaces to be tagged ports for VLAN 102 … which is quite the opposite of access port.

I suggest you read through this tutorial; it should clear things up for you.

I’ve skimmed through the referenced links (“Access Point” and “Other devices without a built-in switch chip”), but somehow I’m either dumb or (possibly both) just having a hard time picturing the final image of how a functional config should look in RouterOS.

Please let me know if I’m completely wrong, but to reach a working solution I would have to do something along the lines of:

  1. Move IP from ether1 to bridge
  2. Remove interface vlan
  3. Set PVID in bridge ports (ether2,3,4)
  4. (Re)create VLAN102 in the existing bridge and tag ether1, leaving rest untagged

That sounds like the right direction.
Depending on the way you want to access your mgmt IP, you should include the bridge itself (=its CPU interface) into your vlan setup. If you put the IP directly on the bridge, you probably want to add it as untagged with pvid set. Another option is to create a vlan interface with IP on top of the bridge and then add bridge (not the vlan interface!) as tagged vlan member.

By the way: The hAP ac² has a switch chip capable of vlan filtering, so you could also go the “Other devices with built-in switch chip” route for maximum performance. But it might be even more confusing as it requires settings in bridge and switch chip menu to work together.

Assuming I (finally) have better understanding how CPU bridge VLANs are supposed to be configured, I think I may have an idea how to make the switch chip work based on the “Other devices with built-in switch chip” section.

I tried to make the chip work initially, too, but I remember having problems (possibly to do with WLANs) and then ending up going with CPU bridges instead. This device is mainly serving as WLAN access point after all, the ports are more an afterthought for a couple less used devices.

Ok, so taking the exact steps I described (plus I had to tag the guest WLANs on top of ether1 to make them work too) immediately made the config work as I intended.

Config now looks like this:

# jun/03/2020 16:28:27 by RouterOS 6.47
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=finland disabled=no distance=\
    indoors frequency=auto hide-ssid=yes mode=ap-bridge ssid=WLAN1+ wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country=finland disabled=no distance=\
    indoors frequency=auto hide-ssid=yes mode=ap-bridge ssid=WLAN2+ wireless-protocol=802.11
add default-forwarding=no disabled=no mac-address=xx:xx:xx:xx:xx:xx master-interface=wlan1 name=guest-2.4 ssid=\
    GuestWLAN1 vlan-id=102 vlan-mode=use-tag wds-default-bridge=bridge wps-mode=disabled
add default-forwarding=no disabled=no mac-address=xx:xx:xx:xx:xx:xx master-interface=wlan2 name=guest-5 ssid=GuestWLAN2 \
    vlan-id=102 vlan-mode=use-tag wds-default-bridge=bridge wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=102
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=102
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=102
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge interface=ether1
add auto-isolate=yes bridge=bridge interface=guest-2.4
add auto-isolate=yes bridge=bridge interface=guest-5
add bridge=bridge interface=*E pvid=102
/interface bridge vlan
add bridge=bridge tagged=ether1,guest-2.4,guest-5 vlan-ids=102
/interface list member
add interface=wlan2 list=LAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan1 list=LAN
/ip address
add address=192.168.1.2/24 comment=defconf interface=bridge network=192.168.1.0

Now I tried using the switch chip, by doing the following:

  1. Remove ether1 from bridge vlan 102
  2. Remove PVID 102 from bridge port ether3
  3. Add Interface switch vlan 102, include ether1,2,3,4
  4. Set interface switch port ether2 vlan mode=secure, vlan header=always strip, default vlan id=102
  5. Set interface switch port ether3 vlan mode=secure, vlan header=always strip, default vlan id=102
  6. Set interface switch port ether4 vlan mode=secure, vlan header=always strip, default vlan id=102
  7. Set interface switch port ether1 vlan mode=secure, vlan header=add if missing, default vlan id=1

However I always lose connection as soon as I am done saving interface switch port ether1 settings. Am I missing something?

I’d say yes, you do - you must make the switch1-cpu port also a member of vlan 1 and 102, otherwise setting mode=secure on ether1 prevents frames belonging to VLAN 1 from being forwarded from ether1 to the CPU port.
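As an added example (not from the thread or the MikroTik wiki), this is the switch-chip part of the OP’s steps 3 to 7 with the correction from the reply above applied: switch1-cpu is listed as a member of both VLAN 1 and VLAN 102, so frames for either VLAN can still reach the CPU once ether1 is in secure mode. Port names and VLAN ids are the thread’s; the vlan-header values mirror the OP’s steps and are assumed to fit the intended trunk/access layout.

```routeros
# Added example, not the OP's export. Assumes the bridge side already follows
# the OP's steps 1-2 (ether1 removed from bridge VLAN 102, pvid 102 removed from
# the access ports) so that VLAN handling is done by the switch chip only.

# Switch VLAN table. In secure mode a port drops any frame whose VLAN is not
# listed here for that port, which is why switch1-cpu must appear in every
# VLAN that the router itself needs (management on VLAN 1, guest on 102).
/interface ethernet switch vlan
add switch=switch1 vlan-id=1 ports=ether1,switch1-cpu
add switch=switch1 vlan-id=102 ports=ether1,ether2,ether3,ether4,switch1-cpu

# Access ports: untagged ingress is placed in VLAN 102, tags are stripped on egress.
/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=102
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=102
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=102

# Trunk towards the firewall, as in the OP's step 7.
set ether1 vlan-mode=secure vlan-header=add-if-missing default-vlan-id=1

# CPU port: leave tags untouched so the bridge/CPU sees VLAN 102 frames tagged.
set switch1-cpu vlan-mode=secure vlan-header=leave-as-is
```

Apply these in Safe Mode as suggested earlier in the thread: if switch1-cpu is left out of VLAN 1, management access over ether1 is cut the moment secure mode is saved.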

Alright, thanks for the heads up. I’ll do some testing later with the chip again, but for now I’m just content in the fact that bridge works as it should.
Marked topic solved, thanks all.

The bridge-VLAN setup is slightly “un-clean” in this part:

/interface wireless
add default-forwarding=no disabled=no mac-address=xx:xx:xx:xx:xx:xx master-interface=wlan1 name=guest-2.4 ssid=GuestWLAN1 vlan-id=102 vlan-mode=use-tag wds-default-bridge=bridge wps-mode=disabled
add default-forwarding=no disabled=no mac-address=xx:xx:xx:xx:xx:xx master-interface=wlan2 name=guest-5 ssid=GuestWLAN2 vlan-id=102 vlan-mode=use-tag wds-default-bridge=bridge wps-mode=disabled

/interface bridge port
add auto-isolate=yes bridge=bridge interface=guest-2.4
add auto-isolate=yes bridge=bridge interface=guest-5

One is supposed to configure everything VLAN-related on the bridge, so the right thing would be to omit the highlighted parts (vlan-id=102 vlan-mode=use-tag) of the wireless config and move it to the bridge port config (by adding frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=102 to the shown config lines).

Good point, I was not quite sure if I should do anything with the wireless interface settings.
Somehow changing the VLAN mode would break the WLAN (the device could connect but not to the correct LAN), and I had to remake the interface.

After that it seems like all good again.