Help to configure hap ac^2 and vlans

I have a hAP ac² with this setup:
lan1 - modem, with DHCP disabled but also used for wifi (ax, better than the hAP)

lan2 - pc

lan3 - nas

lan4 - switch home

lan5 - switch office

All ports are in the bridge, the DHCP server is configured with a 192.168.1.10-250 pool and a 0.0.0.0 route with the modem IP 192.168.1.1 as gateway, and everything works well.

The question is, I want each port to have a different pool so I can easily look at an IP and understand where it comes from.

modem 192.168.1.1

mkt 192.168.1.2

pc 192.168.1.11

nas 192.168.1.12

home switch 192.168.1.20-29

office switch 192.168.1.30-90

wifi from lan1 192.168.1.91-199

How can I do it?

It seems I cannot assign a pool to an interface if it is in a bridge, so I tried using VLANs, but I think I made some errors because it's not working. I enabled VLAN filtering, created some VLANs with a pid and assigned pools to the VLANs, but it does not work. Any info?

You can't do it. When all ports are members of a bridge, then the device "sees" the bridge interface as the ingress interface. Hence the DHCP server is[*] bound to the bridge interface.
To make things the way you'd want, you'd have to dissolve the bridge and run one DHCP server per port. But that would also mean that traffic between ports is routed (instead of switched/bridged).

[*] ... the correct word in ROS world is should as ROS currently doesn't prevent admin from binding DHCP server to "slave" device (but it does show a comment about that being incorrect setup).

I had my draft ready but forgot to hit Reply ...

You mean you want all ranges to be in the same subnet ?
That can become challenging (not impossible but a bit more attention is needed).

How I would approach it trying to go your way:

  • remove needed ports from bridge
  • set each port up with own IP address (pay attention to netmasks, you will have to rearrange your current proposal to align with binary boundaries), DHCP pool and DHCP server etc
  • performance impact very likely

Can become complicated.

What would be better:

  • keep all ports in bridge
  • define each port as access port for a separate VLAN
  • create virtual VLAN interfaces, each having own IP address
  • create DHCP servers for each VLAN interface, each having their OWN subnet
  • create needed firewall rules what is allowed to have access to what

I did what you wrote, but it does not work. I have all VLANs with different pids, all pools and DHCP servers, but all pools were on the same 192.168.1.x, only the last range was different. Is that the error?

If you are only changing that last part of IP address, you are still in the same subnet.
And then it becomes complicated. You really need to pay attention to the used subnets then !!

If you want different subnets, you need to use something like:
192.168.1.x
192.168.2.x
192.168.3.x
192.168.4.x
You see ?

Personally, I normally set the 3rd octet the same as the VLAN id (if used) so I can immediately see what VLAN an address belongs to.

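The VLAN approach described in the two posts above (access port per VLAN, VLAN interface with its own subnet, one DHCP server per VLAN, firewall between them), written out as an added example; this is not configuration from any post in the thread. It assumes RouterOS 7 on the hAP ac², ether1 as uplink to the ISP modem, ether2 = PC and ether5 = IoT/office switch (the other ports follow the same pattern), and uses the third-octet-equals-VLAN-id convention suggested above.

```routeros
# Added example, not code from any post in this thread. Assumes RouterOS 7 on the
# hAP ac2, ether1 = uplink to the ISP modem (kept out of the bridge), ether2 = PC,
# ether5 = IoT/office switch, and the thread's convention: third octet = VLAN id.
/interface bridge
add name=bridge vlan-filtering=no
/interface bridge port
add bridge=bridge interface=ether2 pvid=12
add bridge=bridge interface=ether5 pvid=15
# Each VLAN is untagged on its access port and tagged only towards the CPU
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=12
add bridge=bridge tagged=bridge untagged=ether5 vlan-ids=15
/interface vlan
add interface=bridge name=vlan12-PC vlan-id=12
add interface=bridge name=vlan15-IOT vlan-id=15
/ip address
add address=192.168.12.1/24 interface=vlan12-PC
add address=192.168.15.1/24 interface=vlan15-IOT
/ip pool
add name=pool12 ranges=192.168.12.10-192.168.12.250
add name=pool15 ranges=192.168.15.10-192.168.15.250
/ip dhcp-server
add address-pool=pool12 interface=vlan12-PC name=dhcp12
add address-pool=pool15 interface=vlan15-IOT name=dhcp15
/ip dhcp-server network
add address=192.168.12.0/24 gateway=192.168.12.1 dns-server=192.168.12.1
add address=192.168.15.0/24 gateway=192.168.15.1 dns-server=192.168.15.1
/ip dns set allow-remote-requests=yes
# The router itself gets its WAN address from the ISP modem
/ip dhcp-client
add interface=ether1
/interface list
add name=LAN
add name=WAN
/interface list member
add interface=vlan12-PC list=LAN
add interface=vlan15-IOT list=LAN
add interface=ether1 list=WAN
# Forward policy: every VLAN reaches the internet, no VLAN reaches another
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN \
    comment="default deny between VLANs; put explicit accepts above this rule"
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
# Enable filtering last, after the tagged/untagged table is complete
/interface bridge set bridge vlan-filtering=yes
```

Apply it from a connection that does not depend on the ports being reconfigured (or use Safe Mode), since enabling vlan-filtering with an incomplete VLAN table cuts off access through the bridge.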

I don't understand your setup.
Is this attached to an AX3?
Is the hap ac connected to the internet or the AX3?

What you need to do is clearly indicate your network structure, and thus a network diagram that also details the subnets/vlans and internet connection etc. is very helpful.

Second
Identify all the user(s)/device(s) including the admin
Identify all the traffic they need ( line by line )

Until that is known, making any recommendations is pointless... a guessing game, patchwork.
And Holvoe knows how annoying that approach is to me LOL.

And on lan5 I have a printer with IP 192.168.1.200. I cannot change it because it's configured on all PCs of that switch. Do I have to reverse the 1.x pool to lan5 and change the modem to 5.1?

Oh, so I need to have all devices on different VLANs AND subnets. But will they all be visible to each other?

@anav the modem (AX) is used as WAN into LAN1 + wifi. Better to show a diagram if I can.

Okay, your wording is very confusing, but let's see if we have a common understanding.

The hapac2 needs only to be acting as an AP/switch. It simply needs to have a trunk port from the AX3 carrying the necessary vlans to distribute traffic to dumb devices (pcs, printers etc) and smart devices (like switches that can read vlans). It does not create its own subnets.

The AX3 is connected to the internet and one port is connected (trunk port) to the hap ac, and this cable carries all the vlans. One of the vlans should be the TRUSTED or MANAGEMENT vlan. This is the only vlan we need to identify on the hap ac.

/interface vlan
add interface=bridge name=vlan11-TRUSTED vlan-id=11
/ip address
add address=192.168.1.2/24 interface=vlan11-TRUSTED network=192.168.1.0

Then it's normal vlan filtering, aka pcunite's article; look for the AP/switch example.

A router acting like a switch is identical to this switch example for the most part.
https://www.youtube.com/watch?v=YLtGQAQ8iS0&t=1366s&pp=ygUNd2lsbWVyIENSUzMyNg%3D%3D

The key takeaways are:
On /interface bridge vlans, only vlan-id=11 (TRUSTED vlan) has the bridge tagged; the rest of the vlans come in on ether1 (tagged) and go out their respective ports either tagged or untagged, depending on what device they are going to.

I don't have a MikroTik AX3, I have an ISP modem that supports wifi 6 and 7, which the hap ac does not. So I use it for wifi and have the wlan on the hap ac disabled.

I'm new to MikroTik and networking. Sorry.

Since your hap ac2 does not have switching offloaded to switch (bridge does not support HWoffload), you should be able to see the bridge mac address table via the

interface bridge host print

CLI command.

How often do your devices move? You can use static dhcp reservations, so a specific mac address will always obtain the same IP address. That won't help with devices that roam to different switches or worse use randomized macs.

As first said by @mkx in this topic, the dhcp server doesn't know what port a specific dhcp request is coming from, it just knows it is coming from the bridge. The port that a mac address was learned from is stored in the mac address table of the bridge or in the switch asic.

See Everything Switches do - Part 1 - Networking Fundamentals - Lesson 4 for how a switch's mac address table works.

It's the same problem as ether4 not knowing what port of the external switch a device is connected to. To determine that you need to be able to see the external switch's mac address table, and if it is a dumb switch with no management interface, or even a "smart" consumer switch (e.g. a TL-SG108E) it may not give you the ability to see the mac address table.

What you want should be achievable with DHCP Snooping and the Add DHCP Option 82 settings on the bridge. You can keep the ports in the bridge like currently, no needs to pull any port out of the bridge. And all client devices will still be in the same subnet and broadcast domain. There is also no need to configure different VLANs.

But first, a WARNING: with your hAP ac², while DHCP Snooping is compatible with L2 hardware offload, turning it on will disable FastPath, as a result, Fasttrack on the bridge will also become ineffective!

After turning on those two options, if you go to the IP -> DHCP Server -> Leases table, and make the Agent Remote ID and Agent Circuit ID columns visible, you'll see that some information has been added to these two fields. What's interesting for you is the Agent Circuit ID value, in this column, you'll see the router's ID, followed by the information about the port and VLAN ID, for example eth 0/2:1 for port ether2 VLAN ID 1.


What you can now do, is to go to IP -> Pool and add the different pools with the different ranges that you want to use for the ports (192.168.1.20-192.168.1.29, 192.168.1.30-192.168.1.90, 192.168.1.91-192.168.1.199, etc...).

Then, add Code 82 DHCP Option Matcher entries, that match on the substring that contains the router's ID and the port+vlan ID, and select the appropriate pool for the match:

/ip dhcp-server matcher
add address-pool=dhcp-ether2 code=82 matching-type=substring \
    name=match-ether2 server=dhcp1 value="MY_ROUTER_XXX eth 0/2:1"
# ...
/ip dhcp-server matcher
add address-pool=dhcp-ether5 code=82 matching-type=substring \
    name=match-ether5 server=dhcp1 value="MY_ROUTER_XXX eth 0/5:1"

From now on, when the DHCP clients obtain new leases, they will be put in the appropriate pools.


Additionally, you can do the following to force the clients to use the IP addresses assigned by DHCP, and not set an address on their own:

  • In the DHCP Server settings, turn on "Add ARP For Leases":

  • Next is a very important step: If you have any devices that do not use DHCP, but have their IP addresses manually configured, then you need to go to IP -> ARP and manually add entries for each of those devices, with matching MAC address and assigned static IP address. If you miss this step, then those devices not using DHCP will not be able to talk to the hAP ac²!

  • Finally, in the setting of the bridge, set ARP mode to reply-only:


This will ensure that all devices for which you've not manually added IP -> ARP entries will have to use the IP addresses assigned by the DHCP server.

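The three ARP steps from the post above as one added configuration snippet (not the poster's own commands); it assumes the DHCP server is named dhcp1, the bridge is named bridge, and the printer's MAC is a constructed placeholder.

```routeros
# Added example, not from the post above. Assumes the DHCP server is named dhcp1
# and the bridge is named bridge; the MAC address is a constructed placeholder.
# 1. Let the DHCP server create an ARP entry for every lease it hands out
/ip dhcp-server set dhcp1 add-arp=yes
# 2. Devices with manually configured addresses need their own static ARP entry;
#    without one they cannot talk to the router once step 3 is applied
/ip arp
add address=192.168.1.200 mac-address=AA:BB:CC:DD:EE:01 interface=bridge \
    comment="office printer, static IP (placeholder MAC)"
# 3. Only answer ARP for known entries; a self-assigned address is never learned
/interface bridge set bridge arp=reply-only
```

Do step 2 for every static device before step 3, and check with `/ip arp print` that each one shows up as a static (non-dynamic) entry.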

Never, every device stays in its place.

I don't know what these 2 options are, so I think I don't need them?

Fasttrack improves the routing (including NAT) performance of your hAP ac². If you have Gbit internet and will use all of it, then your hAP ac² will need Fasttrack to saturate your WAN; otherwise it might only be able to achieve 800Mbps or so when Fasttrack cannot be used (with RouterOS 7).

If your internet is less than that then you don't need Fasttrack with your router. You don't have VLAN so there is no need for inter-VLAN routing (another area that Fasttrack will help). Data transfer between the ports of your bridge (switching) will have no problem reaching 1 Gbps, and Fasttrack is not needed for that.

Also, if ether1 is your WAN port and is not part of the bridge, then Fasttrack will still work somewhat when routing between the bridge (LAN) and the WAN on ether1.


Yes, I have gigabit internet. Other than that I use a lot of Samba shares, so I think I need them.
I'll try the VLAN configuration as suggested. I only need to know if a 1.x IP set on a device on lan5, with a different pool and VLAN, will work or will be blocked?

If blocked, I have to change the modem IP to class 5.1 and make the lan5 pool and VLAN on 1.x.

You currently have a "flat network", and that is the simplest way to configure things if you want everything to be able to communicate freely with everything else. Once you go to multiple subnets, you may run into issues with the Windows firewall, which by default will block connections from devices outside of the subnets that it has interfaces in. These can all be solved by making Windows firewall adjustments, but don't be surprised when things don't work after introducing vlans and multiple subnets.

A flat network will also make using the wifi on your ISP modem/router/firewall/dhcp server easier to use. But if you keep a flat network (where the hap ac2 is essentially acting as an expensive 5 port switch), I would leave the dhcp server on the ISP modem/router; it will make things much simpler.

On the other hand, if you do want to be able to limit access by the different ranges, then vlans (or just not using the bridge at all, and applying IP addresses to the individual ethernet ports) will give you the ability to use the firewall on the hap ac2 to control what devices have access to. But this is a step up in what you will need to learn if you have not dealt with multiple subnets, routing and firewalling before. And in this case, I would have the hap ac2 be the DHCP server for ether2-ether5 and configure ether1 as a DHCP client of the DHCP server running on your ISP modem/router.

So the first thing you need to decide on is whether you want everything to be able to directly communicate with all other local hosts (at the switching Layer 2 level). This is what your switches do, and the hap ac2 would also do if you have all ports in the bridge.

If you decide to stay with a flat network, because your devices don't move, then why not use static DHCP reservations? Then you can still have all device IP addresses in the ranges you want (for ease of knowing where they are), and still have the increased performance from Fasttrack.

It will make your configuration longer, but it will also act as documentation of the device's MAC and ip addresses.

You can set the pool to start with 200, then if you ever see a device with an IP above 192.168.200, you will immediately know that there is a new device. But if the DHCP server is running on your ISP modem/router, you will need to have the ability to configure it, and to set up the DHCP server and reservations on it. Most consumer routers I have seen do allow this and support "static" DHCP reservations. Oh, and any wifi devices will also get their DHCP reservations from the DHCP pool you configure on the ISP modem/router.


What is your current plan? Going with 5 unique subnets, or just one? Your question makes it seem like 5 (or possibly 4). If you have 5 distinct vlans, then you should have 5 unique subnets. If you want ether1 and ether5 to be in the same subnet, then you should configure ether1 and ether5 to be in the same vlan (both ether1 and ether5 should be configured as access ports for the same vlan). If you want to keep things connected to ether5 in the 192.168.1.0/24 subnet, then you should just leave the ISP modem/router at 192.168.1.1, configure the hap's vlan for (ether1, ether5) to have IP address 192.168.1.2, and the hap ac2 should have its default gateway set to 192.168.1.1.

I have to keep the PC and NAS (eth2 & eth3) secured. On eth5 and wifi there are too many devices such as cleaning robots, Amazon devices, IoT cams etc. None of those must see my PC. eth4 can see it only when I require it.

I have to keep the printer on eth5 on 192.168.1.200 + wifi inside the same subnet.
I don't like to use DHCP from the ISP modem, it's too stupid a modem. I also like to see the bandwidth of the eth ports; in future I'll need queues and more control, so I think I have to use VLANs.
I'll read some documentation and try.

Thanks for the help. I'll write later for sure when I test.

If the majority of your NAS traffic is all in the same subnet (i.e. PC and NAS in 192.168.2.0/24) then the non-hw assisted bridge on the hap ac2 may be a limiting factor, since that traffic still has to be forwarded by the CPU.

Do you really need 1Gb internet? If so and you want to do vlans, and queuing (qos), then the hap ac2 may get overloaded when the network is busy.

If you can downgrade your internet speed to get a cheaper monthly fee, you could save some money up for an RB5009, which would have a lot more headroom. It has a better CPU and a much better switch than the hap ac2, but it does not have any wifi (but you could use your hap ac2 as an AP, although it doesn't support wifi 6). In my opinion, very few people need more than 300Mbps, unless you are doing backups of your systems to a remote site. And even then, 300Mbps may be sufficient if backups are scheduled during the time you are not using your network. Depending on your ISP, the cost difference between 300 and 1Gbps may be significant, or it may be very close to the same cost. If you could save $20/month you could buy a new RB5009 in a year from the savings.

My ISP does not sell less than 1 Gb internet, so no option here.
The NAS is used only by me for some backups (RAID1 disks).
The PC will usually do high download traffic daily.
Other devices will make very little traffic, TV and some internet searches.
I'm evaluating buying a new MikroTik device, with 2.5 Gb LAN for future expansion on the NAS too. I have all Cat7 cable in the home.

Will an hAP ax³ be OK?