Help with VLAN

bduijnhouwer · July 31, 2020, 9:10am

I have a question about VLAN’s. I’ve been looking at a lot of Youtube tutorials
but I can’t seem to figure it out.

What I have is a 2011UiAS-2HnD. Ether1 is connected to my modem.
I have four WiFi access points, one master which is hidden and three virtual access points
which are called management, here and hass. Management has VLAN99, here has VLAN10 and hass has
VLAN50.

Ether2 is connected to a Mikrotik hEX PoE. How can I configure the Miktotik hEX PoE to also
use the VLAN’s? I know it has something to do with bridge etc., but I tried a lot, but it makes
my head spin. Can somebody explain me the ‘dumbass’ way?

This is my configuration of the 2011UiAS-2HnD:

# jul/31/2020 10:52:10 by RouterOS 6.47.1
# software id = V4HQ-YRUL
#
# model = 2011UiAS-2HnD
# serial number = 7A67063B51B8
/interface bridge
add admin-mac=6C:3B:6B:B3:40:8F auto-mac=no comment=defconf name=bridge
add name=bridge-trunk vlan-filtering=yes
add name=bridge-vlan10
add name=bridge-vlan50
add name=bridge-vlan99
/interface ethernet
set [ find default-name=ether2 ] name=ether2-trunk
set [ find default-name=ether3 ] name=ether3-vlan50
set [ find default-name=ether4 ] name=ether4-vlan50
set [ find default-name=ether5 ] name=ether5-vlan50
set [ find default-name=ether8 ] name=ether8-vlan50
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=8 band=2ghz-g/n channel-width=\
    20/40mhz-XX comment="free_coffee_management WiFi" country=no_country_set \
    disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower \
    hide-ssid=yes installation=indoor mode=ap-bridge name=free_coffee_master \
    ssid=free_coffee_master station-roaming=enabled wireless-protocol=802.11 \
    wps-mode=disabled
add disabled=no mac-address=6E:3B:6B:B3:40:98 master-interface=\
    free_coffee_master name=wlan-Free_coffee_here ssid=free_coffee_here \
    vlan-id=10 vlan-mode=use-tag wds-default-bridge=bridge wps-mode=disabled
/interface wireless manual-tx-power-table
set free_coffee_master comment="free_coffee_management WiFi"
/interface wireless nstreme
set free_coffee_master comment="free_coffee_management WiFi" enable-nstreme=\
    yes
/interface vlan
add interface=wlan-Free_coffee_here name=vlan10 vlan-id=10
/caps-man configuration
add country=no_country_set datapath.bridge=bridge name=cfg1 \
    security.authentication-types=wpa2-psk security.passphrase=xxxxxxxx ssid=\
    free_coffee_here
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity="caf\E9_gratis_aqu\ED" wpa2-pre-shared-key=xxxxxxxx
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=free_coffee_here supplicant-identity=MikroTik \
    wpa2-pre-shared-key=xxxxxxxx
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=free_coffee_hass supplicant-identity=MikroTik \
    wpa2-pre-shared-key=xxxxxxxx
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=free_coffee_management supplicant-identity=MikroTik \
    wpa2-pre-shared-key=xxxxxxxx
/interface wireless
add disabled=no mac-address=6E:3B:6B:B3:40:9A master-interface=\
    free_coffee_master name=wlan-Free_coffee_management security-profile=\
    free_coffee_management ssid=free_coffee_management vlan-id=99 vlan-mode=\
    use-tag wds-default-bridge=bridge wps-mode=disabled
add disabled=no mac-address=6E:3B:6B:B3:40:99 master-interface=\
    free_coffee_master name=wlan-free_coffee_hass security-profile=\
    free_coffee_hass ssid=free_coffee_hass vlan-id=50 vlan-mode=use-tag \
    wds-default-bridge=bridge wps-mode=disabled
/interface vlan
add interface=wlan-free_coffee_hass name=vlan50 vlan-id=50
add interface=wlan-Free_coffee_management name=vlan99 vlan-id=99
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.250
add name=vpn-pool ranges=192.168.90.10-192.168.90.29
add name=dhcp_vlan10 ranges=192.168.10.2-192.168.10.254
add name=dhcp_vlan50 ranges=192.168.50.2-192.168.50.254
add name=dhcp_vlan99 ranges=192.168.99.2-192.168.99.5
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=2m name=defconf
add address-pool=dhcp_vlan10 disabled=no interface=bridge-vlan10 name=\
    dhcp-vlan10
add address-pool=dhcp_vlan50 disabled=no interface=bridge-vlan50 name=\
    dhcp-vlan50
add address-pool=dhcp_vlan99 disabled=no interface=bridge-vlan99 name=\
    dhcp-vlan99
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1
/interface bridge port
add bridge=bridge-trunk comment=defconf interface=ether2-trunk
add bridge=bridge-vlan50 comment=defconf interface=ether3-vlan50
add bridge=bridge-vlan50 comment=defconf interface=ether4-vlan50
add bridge=bridge-vlan50 comment=defconf interface=ether5-vlan50
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge-vlan50 comment=defconf interface=ether8-vlan50
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=free_coffee_master
add bridge=bridge-vlan10 interface=wlan-Free_coffee_here
add bridge=bridge-vlan10 interface=vlan10
add bridge=bridge-vlan50 interface=wlan-free_coffee_hass
add bridge=bridge-vlan50 interface=vlan50
add bridge=bridge-vlan99 interface=vlan99
add bridge=bridge-vlan99 interface=wlan-Free_coffee_management
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-trunk untagged=bridge-trunk,ether2-trunk vlan-ids=10
add bridge=bridge-trunk untagged=bridge-trunk,ether2-trunk vlan-ids=50
add bridge=bridge-trunk untagged=bridge-trunk,ether2-trunk vlan-ids=99
/interface ethernet switch vlan
add independent-learning=no ports=ether5-vlan50 switch=switch1 vlan-id=50
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pptp-bastiaan list=LAN
add interface=pptp-bastiaan-vpn list=LAN
add interface=ether2-trunk list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-trunk network=\
    192.168.88.0
add address=192.168.10.1/24 interface=bridge-vlan10 network=192.168.10.0
add address=192.168.50.1/24 interface=bridge-vlan50 network=192.168.50.0
add address=192.168.99.1/24 interface=bridge-vlan99 network=192.168.99.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
add address=192.168.50.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.50.1
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 \
    domain=leiden.local gateway=192.168.88.1
add address=192.168.99.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=\
    8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A

zcqian · August 6, 2020, 10:12pm

I think you’re doing the bridge wrong. You would most likely require one bridge interface with VLAN filtering on, and add ether2 as a trunk port, and other ones as access ports with appropriate Port VLAN IDs. Then you would have the bridge VLAN send tagged frames on ether2.

Josep2020 · December 8, 2020, 12:58am

I do have a similar setup and there is a single interface “bridge” with VLAN Filtering enabled.
Still, can’t make it work.
If the default DHCP for the bridge is active, all connected clients receive the bridge’s pool IPs.
If the default DHCP for the bridge is not active, but the DHCP for the VLAN interfaces are, none of the clients receive IPs.

anav · December 8, 2020, 1:03pm

Joseph start your own thread and post the config
/export hide-sensitive file=anynameyouwish

anav · December 8, 2020, 1:16pm

HI Buij…
To understand you have 1 Access Point with three WLANs.
You also wish to pass your vlans onto the Hex router on ether2

(1) Remove any vlan IDs from wifi (they dont belong in the master or virtual wlans)
(2) Why is your config disjointed, you have two /interface wireless locations and two /interface vlan - makes it hard to read/understand the config!!!
(3) You cannot name a WLAN as the interface for a vlan. ALL VLANS interface are the bridge!!!
(4) YOU need ONE bridge!!

Ahh okay I give up, this is a mess because you need a better starting point.
Suggest you read this document to get you going!!! Will see your next config attempt after digesting it…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1