I’m working with a Hap AC2 router linked directly to my modem and have set up a bridge for ports ether2-5, which connects to devices like TP Link Deco Mesh access points, without using VLANs.
I aimed to enable the Guest Network on the TP Link units to allocate a separate SSID for guests, with traffic marked as VLAN 519. However, the router overlooks the VLAN tags, and guest devices end up on my main IP range.
My goals are:
Keep changes minimal: I want the regular (untagged) traffic to remain on the existing bridge and IP range yet enable both tagged and untagged traffic on the access point-connected ports.
Route VLAN 591 traffic to a new IP range (e.g., 192.168.2.x/24), with its own DHCP and DNS, allowing internet access but preventing access to my main network (192.168.0.0/24) for less trusted devices.
After setting up VLAN 591 on the MikroTik and configuring an IP and DHCP for it, I’m stuck on how to manage both tagged and untagged traffic. I’m questioning whether I need two bridges or a way to keep the traffic separate while maintaining the flow of untagged traffic as is.
The MikroTik’s role is to recognize the VLAN tags without altering them, ensuring both networks remain distinct.
Would appreciate any suggestions on tackling this. Thanks in advance!
Could you help me with how I would create a config to separate tagged VLAN 519 traffic from non-VLAN traffic on the same bridge?
If you read the TP-Link user guide, it is not designed to be able to read and handle VLAN tagging.
Therefore it's not surprising that new clients were assigned to the same VLAN.
HOWEVER, what you should know and can test is that the GUEST VLAN and IOT VLAN on the Decos are set so that:
a. they cannot even talk to each other or to the other WiFi users on the main WiFi.
b. they cannot reach any other wired users on the same VLAN.
I did some further digging to double-check my earlier post and research to see if that was the case.
I found a forum post telling me to check the debug logs of my Decos, and I can confirm my system debug logs show the following:
config{enable_5g:1,ssid:MYSSID_Guest,encryption:1,enable:1,password:VERY_STRONG_PASSWORD,usr_set:1,access_duration:-1,enc_type:wpa2,start_time:1706879140,enable_2g:1,enable_5g2:0}
Fri Feb 2 13:05:44 2024 daemon.notice nrd[19861]: Leaving nrd executive program
Fri Feb 2 13:05:44 2024 user.info root: guest-eth [trigger]wifi config has changed, check vlan
Fri Feb 2 13:05:44 2024 user.info root: guest-eth guest vlan enable, guest_vlan id is 591
Fri Feb 2 13:05:44 2024 user.info root: guest-eth guest vlan id is changed -> 591, or iptv port changed to other, restart apsd and switch
Fri Feb 2 13:05:45 2024 daemon.info /usr/bin/apsd: config_load:415: Info: backhual lan:ath02.1, guest:ath02.2
.........
Fri Feb 2 13:05:45 2024 daemon.emerg procd: uci: Entry not found
Fri Feb 2 13:05:45 2024 user.info root: guest-eth AP role, eth0 set tag port, vlan id is 591
Fri Feb 2 13:05:45 2024 user.info root: guest-eth AP role, eth1 set tag port, vlan id is 591
Fri Feb 2 13:05:45 2024 user.info root: wps: wpsd reload
......
Now how would I check the devices on the MikroTik to see if the VLAN tag is being applied and passed to the MikroTik?
And then how do I put the VLAN 591 tagged packets in isolation from the untagged ones?
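A worked RouterOS config that covers both the original question (keep untagged traffic on the existing bridge and IP range, carry tagged VLAN 591 on the AP-facing ports, give it its own range, DHCP, DNS and firewall) and the later question of how to see whether the tags from the Decos actually reach the router. This is an added example, not part of any post in this thread and not MikroTik or TP-Link documentation. It assumes: the existing bridge is named `bridge`, `ether1` is the WAN uplink, `ether2`-`ether5` are the Deco-facing bridge members, the guest VLAN is 591 as the Deco log shows, the main LAN stays untagged on 192.168.0.0/24, RouterOS v7 syntax, and the default firewall rule set. The names `vlan591-guest`, `pool-guest`, `dhcp-guest` and `GUEST` are chosen here for illustration.

```routeros
# Added example (not from the thread). Assumptions: bridge is named "bridge",
# ether1 = WAN, ether2-ether5 = bridge ports toward the Decos, guest VLAN 591,
# main LAN untagged on 192.168.0.0/24, RouterOS v7, default firewall present.

# 1. Bridge VLAN table: which ports may carry VLAN 591 tagged. The bridge
#    itself is listed as tagged so the router can terminate the VLAN on it.
#    Untagged frames keep each port's default pvid=1, so the main LAN is
#    unchanged. One bridge is enough; no second bridge is needed.
/interface bridge vlan
add bridge=bridge vlan-ids=591 tagged=bridge,ether2,ether3,ether4,ether5

# 2. Layer-3 interface for the guest VLAN, attached to the bridge (not a port).
/interface vlan
add name=vlan591-guest interface=bridge vlan-id=591
/ip address
add address=192.168.2.1/24 interface=vlan591-guest

# 3. Separate DHCP and DNS for the guest range.
/ip pool
add name=pool-guest ranges=192.168.2.10-192.168.2.250
/ip dhcp-server
add name=dhcp-guest interface=vlan591-guest address-pool=pool-guest
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1
/ip dns
set allow-remote-requests=yes

# 4. Isolation: guests get internet plus the router's DHCP/DNS, nothing else.
/interface list
add name=GUEST
/interface list member
add list=GUEST interface=vlan591-guest
/ip firewall filter
add chain=forward in-interface-list=GUEST dst-address=192.168.0.0/24 \
    action=drop comment="guest -> main LAN blocked"
add chain=input in-interface-list=GUEST protocol=udp dst-port=53,67 \
    action=accept comment="guest DHCP/DNS (udp) to router"
add chain=input in-interface-list=GUEST protocol=tcp dst-port=53 \
    action=accept comment="guest DNS (tcp) to router"
add chain=input in-interface-list=GUEST action=drop \
    comment="guest -> router management blocked"

# 5. NAT for the new range (skip if an existing masquerade rule already
#    covers everything leaving ether1).
/ip firewall nat
add chain=srcnat src-address=192.168.2.0/24 out-interface=ether1 \
    action=masquerade

# 6. Only now make the bridge enforce the VLAN table. Do it from a Safe Mode
#    session so a mistake rolls back instead of locking you out.
/interface bridge
set [find name=bridge] vlan-filtering=yes

# 7. Check that tagged frames from the Decos arrive: with filtering on, the
#    bridge host table records the VLAN each learned MAC was seen on. Guest
#    client MACs should show up here with vid 591; if they only appear with
#    vid 1, the AP is sending them untagged.
/interface bridge host print where vid=591
```

Two caveats that decide whether this works on a box with the default firewall. First, the default `input` chain ends with a "drop all not coming from LAN" rule, and `vlan591-guest` is deliberately not in the `LAN` interface list (adding it there would undo the isolation), so the two guest `accept` rules above must sit above that drop rule (move them with `place-before` or drag them in WinBox); otherwise guest DHCP never answers and clients fall back to whatever they had before. Second, enable `vlan-filtering` last and only after the VLAN table entry exists: once it is on, any tagged frame whose VLAN is not in the table is dropped at the bridge, which is exactly the behaviour you want for VLAN 591 frames from the guest SSID but also means a mistyped port list silently blackholes them.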
Hiya. Actually, any of the clients on the VLAN-tagged guest WiFi still get an IP address and DHCP from the normal bridge, so my tags are not working on the MikroTik to separate it.