hAP lite Vlan Configuration

Hi All.

I have an installation where the client has a HP Procurve Network switch.
They also run 2 Vlans :
Vlan 1 - Admin Vlan - Network 192.168.100.0/24
Vlan 2 - Guest Wifi Vlan - Network 172.10.20.0/24 (I know that is a public range that they are using as a private one, but it is their existing configuration, and being a Class C, it should not create too much of a problem.)

The Port on the switch is configured as Tagged in Vlan 1 and Vlan2 (so if the hAP lite sends a packet tagged, it gets passed on the correct vlan. Untagged packets do not go anywhere).

I want the Wifi on the hAP lite to put its users on Vlan2 (just bridging, no NAT).
But the hAP lite must also be accessible on Vlan1, which it will also use for an outbound tunnel.

Am I correct in assuming the following (on the hAP lite) :

create a vlan (Name vlan1, VLAN ID 1, Interface Eth1),
create a vlan (Name vlan2, VLAN ID 2, Interface Eth2),
add IP address on vlan1 (192.168.100.16/24)
add IP address on vlan2 (172.10.20.16/24)
add default route out of vlan1 (to 192.168.100.254 - the gateway router)

create wireless Interface:
name - wlan1,
mode - AP Bridge,
Bridge Mode - Disabled,
Security Profile with WPA2
Vlan Mode - no tag

create a bridge (Name bridge1)
add vlan 2 to bridge1
add wlan1 to bridge1


Will this then :
If Wireless Client sends traffic (untagged), the router then tags it with vlan2 before passing on to the Ethernet interface (and strip the tag as it passes vlan2 traffic back to the wireless)
Allow me to access the hAP using winbox (using 192.168.110.16 on Vlan1)
Allow me to access the hAP using winbox (using 172.10.20.16 on Vlan2)
Allow me to access the hAP using winbox (using 172.10.20.16 on the Wireless without VLAN tag)

I tried before to do something like this at this client (but then I was using NAT, etc., and could not get access to the hAP from Vlan2 or from the Wifi).

Thanks for the assist.

P

Try to change your vlan 1 to something like vlan 10 or something else. It used to be a pain to have vlan 1 as tagged.

After this, make vlan2 bridged to your wlan interface, and vlan 10 to a loopback (bridge) with just an IP.

e.g. ether_vlan10 bridged to loopback_lan (bridge interface); management IP on this interface.
ether1_vlan2 bridged to the wlan bridge together with the wlan1 interface. Add the WLAN IP to this.
Then add a src-nat masquerade rule to the router, so that the 172 net NATs out via the 192 net.

You probably want both vlan interfaces (vlan1 and vlan2) to be created on same ether port (e.g. ether1) in order to make it trunk port.

There’s another possibility to get WLAN packets tagged: configure wireless interface with “vlan mode = use tag” and set “vlan id” to whatever needed. Then add this wireless device to a bridge together with ether1 (or create a new bridge if there’s none suitable already). If you do it this way, then you want to create the vlan interfaces on the very same bridge instead of ether1 port.

If hAP is not intended to be routing between the two LAN segments, then you’ll need to add a firewall rule which will forbid routing between them. By default it will happily do that.

Oops, my bad, I meant to say

create a vlan (Name vlan1, VLAN ID 1, Interface Eth1),
create a vlan (Name vlan2, VLAN ID 2, Interface Eth1),

Unfortunately I am integrating with the existing network, and do not have access to change the vlan settings on their SonicWall Gateway. So I pretty much have to stick with Vlan Tag 1 for the private network.

e.g. ether_vlan10 bridged to loopback_lan (bridge interface); management IP on this interface.

Where do I get this loopback_lan from? Or do I just create a bridge, and only add vlan1 (which you say would be better as vlan10) to it, then assign the bridge the 192.168.110.x address?

Then add a src-nat masquerade rule to the router, so that the 172 net NATs out via the 192 net.

Do I need to do Masquerading? The Sonicwall which is their Gateway has the same 2 vlans configured on it, and it does the routing, and masquerading, and DHCP.
I am trying to simply bridge the Mikrotik Wireless (Untagged) onto Eth1 with a VLAN tag of 2 (For Guest Wifi Passthrough).
Then I am also trying to allow access to maintain the Mikrotik via Eth1 with VLAN tag of 2 (with Address 172.10.20.x),
and Also Allow access to maintain the Mikrotik via Eth1 with VLAN tag of 1 (with address 192.168.110.x)
and Also Allow access to maintain the Mikrotik via Wireless Interface (with Address 172.10.20.x).

I do not want the Mikrotik to bridge or nat between the 2 networks.

Thanks

  • Make sure that you can connect to your Mikrotik some other way than via ether1 or via wireless, and connect that way (e.g., if you start from the default configuration, connect to any of ether2..ether4 to 192.168.88.1)
  • Create a bridge called “bridge-vlan”
  • Remove the dhcp client or any static IP address from ether1
  • Make ether1 a member port of that bridge (/interface bridge port add bridge=bridge-vlan interface=ether1)
  • Make the wireless port a member of that bridge (/interface bridge port add bridge=bridge-vlan interface=wlan1)
  • Create an “interface vlan” with that bridge as “interface” and with “vlan-id=1”, named “admin-vlan” (/interface vlan add interface=bridge-vlan vlan-id=1 name=admin-vlan)
  • Attach a DHCP client to that “interface vlan” if there is a DHCP server somewhere in the admin subnet, or attach an available static IP address from 192.168.100.0/24 to that “interface vlan” (/ip address add address=192.168.100.7/24 interface=admin-vlan), and add a default route via a gateway in the admin subnet (so that you could access the Mikrotik from somewhere else than the admin subnet itself).
  • In the configuration of the wireless interface, choose “use tag” and set vlan-id to 2.

Done.
Now you may eventually reconnect via the admin subnet and disable the other ports.
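The two replies above (the "vlan mode = use tag" approach with a firewall rule between the segments, and the step list just given) put together as one RouterOS CLI script. This is an added example, not configuration posted by anyone in the thread. It assumes a RouterOS v6 hAP lite with ether1 as the trunk port to the ProCurve, the management address 192.168.100.7/24 and gateway 192.168.100.254 taken from the posts, and a constructed security profile name "wpa2-guest" with a placeholder pre-shared key; the optional "guest-vlan" interface and the firewall rules are only needed if you also give the router an address in 172.10.20.0/24, as the original poster wanted.

```routeros
# Added example, not from the thread. Assumes RouterOS v6 (non-VLAN-filtering
# bridge), ether1 = trunk port tagged for VLAN 1 and 2 on the switch side.
# Do this from a port other than ether1/wlan1 (ether2..ether4 on a default config).

# 1. One bridge carrying tagged frames between the trunk port and the wireless
/interface bridge add name=bridge-vlan
/interface bridge port add bridge=bridge-vlan interface=ether1
/interface bridge port add bridge=bridge-vlan interface=wlan1

# 2. Management VLAN interface on top of the bridge (VLAN ID 1, as the switch requires)
/interface vlan add name=admin-vlan interface=bridge-vlan vlan-id=1
/ip address add address=192.168.100.7/24 interface=admin-vlan
/ip route add dst-address=0.0.0.0/0 gateway=192.168.100.254

# 3. Guest wireless: frames from clients are tagged with VLAN 2 as they enter the
#    bridge, and the tag is stripped again on the way back to the wireless side
/interface wireless security-profiles add name=wpa2-guest mode=dynamic-keys \
    authentication-types=wpa2-psk wpa2-pre-shared-key="CHANGE-ME-PLACEHOLDER"
/interface wireless set wlan1 mode=ap-bridge ssid="Guest" security-profile=wpa2-guest \
    vlan-mode=use-tag vlan-id=2 disabled=no

# 4. OPTIONAL: only if the router itself also needs an address on the guest VLAN.
#    With two L3 interfaces the router will happily route between the segments,
#    so forbid that explicitly in the forward chain, as the earlier reply advised.
/interface vlan add name=guest-vlan interface=bridge-vlan vlan-id=2
/ip address add address=172.10.20.16/24 interface=guest-vlan
/ip firewall filter add chain=forward in-interface=guest-vlan out-interface=admin-vlan action=drop \
    comment="no guest -> admin routing through the hAP"
/ip firewall filter add chain=forward in-interface=admin-vlan out-interface=guest-vlan action=drop \
    comment="no admin -> guest routing through the hAP"
```

Without step 4 the router has no address on VLAN 2 at all, which is the simplest way to guarantee it never routes between the segments and keeps WinBox reachable only from the admin VLAN. Adding step 4 gives the reachability from the guest side that the original poster asked for, at the cost of exposing the management services to guest clients; if you do add it, the forward drops above stop the hAP from becoming a back door around the SonicWall, and restricting the input chain to admin-vlan for WinBox would be the usual next step.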