hAP AX3 as a simple Layer2 switch

Dear all,

I simplified my configuration a lot.
Just trying to use the hAP as a Layer2 switch.

Ether1 is a trunk port for VLANs 70 and 198, connected to a trunk port on the switch.
The firewall has interfaces in these VLANs, acting as the default gateway for both, and also has DHCP configured on both interfaces:
192.168.70.254
192.168.198.254

Ether5 is for hAP management only, connected to the internal network.

Goal:
Different SSIDs INFLUENCER1/2 and IOT1/2 should assign the WLAN clients to different VLANs connecting to different virtual interfaces on the firewall.

Initially I had the same SSID for wifi1 and wifi2; not sure if this was OK or whether it is better to separate the two radios?

There are no IP addresses assigned to ether1, bridge (WLAN) nor any of the wifi interfaces.
As mentioned, I want the hAP simply to act as a Layer2 switch, separating the VLANs.
Firewall rules are all disabled.

Current status:
DHCP servers don’t seem to work.
If I assign the IP and default gateway plus DNS manually, I get an Internet connection on IOT1/2, but I don’t get one for INFLUENCER1/2.
The interesting part is that I can see the MAC addresses of my phone (used for testing) when checking the ARP entries on the firewall interface???

show arp ethernet1/4.198

maximum of entries supported :      3000
default timeout:                    1800 seconds
total ARP entries in table :        5
total ARP entries shown :           5
status: s - static, c - complete, e - expiring, i - incomplete

interface         ip address      hw address        port              status   ttl
--------------------------------------------------------------------------------
ethernet1/4.198   192.168.198.7   36:e7:f2:91:1f:56 ethernet1/4         c      330
ethernet1/4.198   192.168.198.8   52:a0:8d:41:87:af ethernet1/4         c      377
ethernet1/4.198   192.168.198.12  52:a0:8d:41:87:af ethernet1/4         c      360
ethernet1/4.198   192.168.198.90  b8:27:eb:d1:32:6d ethernet1/4         c      1132
ethernet1/4.198   192.168.198.243 ec:9b:8b:de:5b:1d ethernet1/4         c      637

I tried assigning different static IPs and the phone generates random MAC addresses.

The VLAN 70 ARP table looks similar:

show arp ethernet1/4.70

maximum of entries supported :      3000
default timeout:                    1800 seconds
total ARP entries in table :        3
total ARP entries shown :           3
status: s - static, c - complete, e - expiring, i - incomplete

interface         ip address      hw address        port              status   ttl
--------------------------------------------------------------------------------
ethernet1/4.70    192.168.70.7    0a:f1:74:aa:c0:4c ethernet1/4         c      96
ethernet1/4.70    192.168.70.8    8e:0e:ac:91:0f:23 ethernet1/4         c      286
ethernet1/4.70    192.168.70.243  ec:9b:8b:de:5b:1d ethernet1/4         c      1385

Configuration:

# 2024-05-20 00:53:43 by RouterOS 7.14.3
# software id = 016R-KMTY
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = 
/interface bridge
add name=WLAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=trunk poe-out=off
set [ find default-name=ether5 ] comment=mgmt
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Switzerland .mode=ap .ssid=INFLUENCER1 \
    datapath.bridge=WLAN .vlan-id=198 disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0 .ft=\
    yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Switzerland .mode=ap .ssid=Influencer2 \
    datapath.bridge=WLAN .vlan-id=198 disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0 .ft=\
    yes .ft-over-ds=yes
add configuration.mode=ap .ssid=IOT1 datapath.bridge=WLAN .vlan-id=70 \
    disabled=no mac-address=7A:9A:18:32:81:70 master-interface=wifi1 name=\
    IOTWLAN1 security.authentication-types=wpa2-psk,wpa3-psk \
    .connect-priority=0
add configuration.mode=ap .ssid=IOT2 datapath.bridge=WLAN .vlan-id=70 \
    disabled=no mac-address=7A:9A:18:32:81:71 master-interface=wifi2 name=\
    IOTWLAN2 security.authentication-types=wpa2-psk,wpa3-psk \
    .connect-priority=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add include=static name=WLAN1
/interface bridge port
add bridge=WLAN interface=wifi1 pvid=198
add bridge=WLAN interface=wifi2 pvid=198
add bridge=WLAN frame-types=admit-only-vlan-tagged interface=ether1
/ipv6 settings
set disable-ipv6=yes forward=no
/interface bridge vlan
add bridge=WLAN tagged=ether1 untagged=IOTWLAN1,IOTWLAN2 vlan-ids=70
add bridge=WLAN tagged=ether1 untagged=wifi1,wifi2 vlan-ids=198
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/interface list member
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.98.91/24 interface=ether5 network=192.168.98.0
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,192.168.98.201
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set rtsp disabled=no
/ip route
add check-gateway=ping comment="management Interface Internet access" \
    disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.98.2 \
    pref-src=192.168.98.91 routing-table=main suppress-hw-offload=no \
    vrf-interface=ether5
/ip service
set ssh address=192.168.98.0/24
/ip traffic-flow
set interfaces=ether1
/system clock
set time-zone-name=Europe/Zurich
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.98.201
add address=192.168.98.208

Interestingly, I don’t see all ports in the config, but checking in the CLI I also see IOT1/2:

/interface/bridge/port> print detail
Flags: X - disabled, I - inactive; D - dynamic; H - hw-offload
 0 I   interface=wifi1 bridge=WLAN priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none auto-isolate=no restricted-role=no restricted-tcn=no pvid=198 frame-types=admit-all
       ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no

 1 I   interface=wifi2 bridge=WLAN priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none auto-isolate=no restricted-role=no restricted-tcn=no pvid=198 frame-types=admit-all
       ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no

 2     interface=ether1 bridge=WLAN priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1
       frame-types=admit-only-vlan-tagged ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no
       multicast-router=temporary-query fast-leave=no

 3  D  interface=IOTWLAN2 bridge=WLAN priority=0x80 edge=auto point-to-point=no learn=auto horizon=none auto-isolate=no restricted-role=no restricted-tcn=no pvid=70 frame-types=admit-all
       ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no

 4 ID  interface=IOTWLAN1 bridge=WLAN priority=0x80 edge=auto point-to-point=no learn=auto horizon=none auto-isolate=no restricted-role=no restricted-tcn=no pvid=70 frame-types=admit-all
       ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no

So in a nutshell my questions are:

  • Can the hAP act as a simple Layer2 switch?
  • Is it correct that I don’t need to assign IP addresses to the wifi interfaces, nor to the bridge nor ether1?
  • What PVIDs to use for ether1 and the bridge? Ideally they shouldn’t have any.
  • Any idea why I can connect to the Internet from the sub interfaces IOT1/2 but not from the main interfaces on wifi1/2?
  • Any idea why the DHCP servers don’t work? Although I could live with that.

Thanks and Regards,
Andreas

So you have two vlans for WIFI?
Do you have a trusted vlan, or management vlan?
The HAP needs an IP address from the trusted vlan.

I will assume ether5 is an off-bridge access port, such that you can configure the device safely away from bridge VLAN filtering.
I will assume vlan10 is the trusted VLAN coming into the hAP and where it gets its assigned IP by the admin of 192.168.10.10.
REMOVE VLANs from WIFI settings
REMOVE data paths from WIFI settings

# model = C53UiG+5HPaxD2HPaxD
# serial number = 
/interface bridge
add name=bridgeWLAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=trunk poe-out=off
set [ find default-name=ether5 ] comment=mgmt

/interface vlan
add interface=bridgeWLAN name=vlan10 vlan-ids=10 comment="Need to identify trusted vlan"

/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Switzerland .mode=ap .ssid=INFLUENCER1 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0 .ft=\
    yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Switzerland .mode=ap .ssid=Influencer2 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0 .ft=\
    yes .ft-over-ds=yes
add configuration.mode=ap .ssid=IOT1 \
    disabled=no mac-address=7A:9A:18:32:81:70 master-interface=wifi1 name=\
    IOTWLAN1 security.authentication-types=wpa2-psk,wpa3-psk \
    .connect-priority=0
add configuration.mode=ap .ssid=IOT2 \
    disabled=no mac-address=7A:9A:18:32:81:71 master-interface=wifi2 name=\
    IOTWLAN2 security.authentication-types=wpa2-psk,wpa3-psk \
    .connect-priority=0
/interface list
add name=MANAGE
/interface bridge port
# bridge name must match the bridge defined above (bridgeWLAN), not "bridge"
add bridge=bridgeWLAN ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgeWLAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wifi1 pvid=198
add bridge=bridgeWLAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wifi2 pvid=198
add bridge=bridgeWLAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=IOTWLAN1 pvid=70
add bridge=bridgeWLAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=IOTWLAN2 pvid=70
/interface bridge vlan
add bridge=bridgeWLAN tagged=bridgeWLAN,ether1 vlan-ids=10
add bridge=bridgeWLAN tagged=ether1 untagged=wifi1,wifi2 vlan-ids=198
add bridge=bridgeWLAN tagged=ether1 untagged=IOTWLAN1,IOTWLAN2 vlan-ids=70

/interface list member
add interface=vlan10 list=MANAGE
add interface=ether5  list=MANAGE

/ip neighbor discovery-settings
set discover-interface-list=MANAGE

/ip address
add address=192.168.55.1/24 interface=ether5 network=192.168.55.0 comment="off bridge access"
add address=192.168.10.10/24 interface=vlan10 network=192.168.10.0 comment="Hap address on trusted subnet"

/ip dns
set allow-remote-requests=yes servers=192.168.10.1 comment="DNS through trusted gateway"

/ip firewall filter
# none required

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.1

/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.10.1

To access the off-bridge port, simply change the IPv4 settings on your PC to 192.168.55.X and you will have access.

If, in addition to the off-bridge access, you wanted to add a trusted subnet port on the hAP so you could access it by plugging into the port, let's say ether4, then…

/interface bridge port
# bridge name must match the bridge defined above (bridgeWLAN); ether4 is the new access port for VLAN 10
add bridge=bridgeWLAN ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgeWLAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether4 pvid=10
add bridge=bridgeWLAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wifi1 pvid=198
add bridge=bridgeWLAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wifi2 pvid=198
add bridge=bridgeWLAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=IOTWLAN1 pvid=70
add bridge=bridgeWLAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=IOTWLAN2 pvid=70
/interface bridge vlan
add bridge=bridgeWLAN tagged=bridgeWLAN,ether1 untagged=ether4 vlan-ids=10
add bridge=bridgeWLAN tagged=ether1 untagged=wifi1,wifi2 vlan-ids=198
add bridge=bridgeWLAN tagged=ether1 untagged=IOTWLAN1,IOTWLAN2 vlan-ids=70

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
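As an added illustration (my own code, not from the thread, anav, or MikroTik), here is a small Python checker for the bridge port / bridge VLAN tables laid out above. It parses the `add` lines of an export the way RouterOS writes them (including `\` line continuations), then checks the things that silently break a Layer 2 VLAN switch: a port or VLAN row referencing a bridge name that does not exist, an access port whose pvid is not listed as untagged for that VLAN, a tagged-only trunk missing from a VLAN's tagged list, and a port listed both tagged and untagged. It also simulates where an untagged frame entering a given port is forwarded. The embedded exports are constructed samples mirroring the layout in the post; `BROKEN_EXPORT` deliberately contains the `bridge=bridge` name mismatch and a missing untagged entry.

```python
"""Static checker for RouterOS bridge-VLAN tables (added example, not project code)."""
import shlex
from collections import defaultdict

# Constructed sample matching the layout described in the post above.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridgeWLAN vlan-filtering=yes
/interface bridge port
add bridge=bridgeWLAN ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgeWLAN ingress-filtering=yes frame-types=admit-priority-and-untagged \\
    interface=wifi1 pvid=198
add bridge=bridgeWLAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wifi2 pvid=198
add bridge=bridgeWLAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=IOTWLAN1 pvid=70
add bridge=bridgeWLAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=IOTWLAN2 pvid=70
/interface bridge vlan
add bridge=bridgeWLAN tagged=bridgeWLAN,ether1 vlan-ids=10 comment="trusted vlan"
add bridge=bridgeWLAN tagged=ether1 untagged=wifi1,wifi2 vlan-ids=198
add bridge=bridgeWLAN tagged=ether1 untagged=IOTWLAN1,IOTWLAN2 vlan-ids=70
"""

# Constructed sample with two defects: wrong bridge name on wifi2, wifi2 missing from VLAN 198.
BROKEN_EXPORT = """\
/interface bridge
add name=bridgeWLAN vlan-filtering=yes
/interface bridge port
add bridge=bridgeWLAN frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgeWLAN frame-types=admit-priority-and-untagged interface=wifi1 pvid=198
add bridge=bridge frame-types=admit-priority-and-untagged interface=wifi2 pvid=198
/interface bridge vlan
add bridge=bridgeWLAN tagged=ether1 untagged=wifi1 vlan-ids=198
"""


def _logical_lines(text):
    """Join RouterOS '\\'-continued lines; the continuation's indentation is dropped."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def parse_export(text):
    """Return {section path: [ {key: value}, ... ]} for every `add` line."""
    sections = defaultdict(list)
    current = None
    for line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            continue
        words = shlex.split(line)
        if current is None or words[0] != "add":
            continue  # `set` lines are not needed for the VLAN table check
        sections[current].append(dict(w.partition("=")[::2] for w in words[1:]))
    return sections


def _members(row, key):
    return [m for m in row.get(key, "").split(",") if m]


def check_bridge_vlans(text):
    """Return a list of human-readable problems; an empty list means the tables are consistent."""
    cfg = parse_export(text)
    bridges = {b["name"] for b in cfg["/interface bridge"]}
    ports = {p["interface"]: p for p in cfg["/interface bridge port"]}
    vlans = cfg["/interface bridge vlan"]
    problems = []
    # 1. every row must point at a bridge that actually exists
    for row in list(ports.values()) + vlans:
        if row.get("bridge") not in bridges:
            what = row.get("interface") or "VLAN " + row.get("vlan-ids", "?")
            problems.append(f"bridge '{row.get('bridge')}' is not defined (row for {what})")
    for name, p in ports.items():
        if p.get("frame-types") == "admit-only-vlan-tagged":
            # 3. a tagged-only trunk must be in the tagged list of every VLAN
            for v in vlans:
                if name not in _members(v, "tagged"):
                    problems.append(f"trunk {name} is missing from tagged list of VLAN {v.get('vlan-ids')}")
        else:
            # 2. an access port's pvid must be untagged on that VLAN, or its traffic is dropped
            pvid = p.get("pvid", "1")
            if not any(v.get("vlan-ids") == pvid and name in _members(v, "untagged") for v in vlans):
                problems.append(f"port {name} has pvid {pvid} but is not untagged in VLAN {pvid}")
    # 4. a port cannot be both tagged and untagged in one VLAN
    for v in vlans:
        for name in sorted(set(_members(v, "tagged")) & set(_members(v, "untagged"))):
            problems.append(f"{name} is both tagged and untagged in VLAN {v.get('vlan-ids')}")
    return problems


def egress_ports(text, ingress_port):
    """Simulate an untagged frame arriving on ingress_port: {egress port: 'tagged'|'untagged'}."""
    cfg = parse_export(text)
    pvid = {p["interface"]: p for p in cfg["/interface bridge port"]}[ingress_port].get("pvid", "1")
    out = {}
    for v in cfg["/interface bridge vlan"]:
        if v.get("vlan-ids") == pvid:
            out.update({n: "tagged" for n in _members(v, "tagged") if n != ingress_port})
            out.update({n: "untagged" for n in _members(v, "untagged") if n != ingress_port})
    return out


if __name__ == "__main__":
    for label, cfg_text in (("good", SAMPLE_EXPORT), ("broken", BROKEN_EXPORT)):
        print(label, check_bridge_vlans(cfg_text) or ["no problems found"])
    print("wifi1 client frame egresses on:", egress_ports(SAMPLE_EXPORT, "wifi1"))
```

Running it prints no problems for the good sample, the two defects for the broken one, and shows that a frame from a wifi1 client leaves tagged on ether1 (toward the firewall's VLAN 198 sub-interface) and untagged on wifi2, never reaching the IOT SSIDs. The same checker works on a real `/export` pasted into `SAMPLE_EXPORT`, which is a cheap way to catch the bridge-name and pvid mismatches before applying a config to a device you can only reach through the bridge.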

Hi anav,

thanks a lot for your reply.

I was reading through a lot of your posts on VLANs and in the meantime already removed the bridge and VLAN from the Datapath settings for the WLAN interfaces.

There is one question remaining:
Why do I need an interface on the bridge for managing the hap? (VLAN 10 in your example)

All management is done off bridge via ether5

If I read the configuration correctly, you added also another bridge bridgeWLAN.
Why exactly?


Thanks and Regards,
Andreas

  1. I only renamed the bridge from WLAN to bridgeWLAN, is all (not a second bridge).
    The word WLAN has other connotations, so I would never use a confusing term.

  2. Because as admin you should be able to access all your MikroTiks for config purposes from the management subnet or the trusted subnet (trusted could be a home subnet, for example).
    When you access WinBox, ALL your devices will show up and it is easy to access the device you want to config.
    Also, the MT needs an address, and the address should not be in the subnet of users (unless trusted).
    It's common practice, not doing anything strange here.

Hi Anav,

thanks again.
I renamed the bridge. Agreed that calling it WLAN was not a good idea.

As mentioned, MT access is only from a trusted network over ether5.
So I keep the bridge as a simple Layer2 switch without any address assigned.

I also found the missing piece: I had to define the port on my switch also as trusted for DHCP to work (it is an HP JG963A).

Now everything seems to work as designed.

I was wondering initially about routing, but the WLAN clients now get their default gateway and DNS servers to use from the DHCP server.

I learned a lot from you.
Thanks a lot for your patience.

Regards,
Andreas