hEX and hAP ac with VLAN filtering - Integrating WLAN with VLAN tags

Niffchen · June 29, 2018, 9:16pm

Hello,

I’m using a hEX as my main router and FW instance (FW for futuer use).
I configured different VLANs for different devices. After configuring all the VLANs successfully I will start to limit communication between the VLANs. At the moment I try to implement an hAP ac as WLAN AP.

I comfigurd a VLAN 40 for all wireless traffic. I want the wireless traffic to take place only in this VLAN 40.
I also configured the VLAN 5 as my management VLAN.
On the hEX I use a configuration like this:
https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#VLAN_Example_.233_.28InterVLAN_Routing_by_Bridge.29

I tried different ays to implement the hAP usng the VLAN 40 for all wireless traffic butnit doesn’t works. I want to implement on special feature: The DHCP server for the wireless clients is located in the hEX and should servenall IPs for wireless clients. After tue first hAP I’m going do add another 2 hAPs the same way without their own DHCP server.

Do you have any ideas how this implementation can be realized?

Regards,
Jens

Sob · June 29, 2018, 11:50pm

Wireless interfaces have their own vlan option (vlan-mode=use-tag vlan-id=40). Set it, then add wlan interface as bridge port, and it will serve as untagged access port for vlan 40. Packets sent to other ports will be tagged. At least it worked like this before the new bridge implementation. It’s probably the same, but I didn’t test it yet.

Niffchen · June 30, 2018, 8:10am

I tried to configure as I understood your post.
I didn’t get an IP address for the WLAN device. Did I configure the hAP correctly?

# jan/02/1970 00:40:38 by RouterOS 6.42.3
# software id = N8B5-9W0L
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 830608EA823A
/interface bridge
add admin-mac=CC:2D:E0:1D:5D:B5 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=MikroTik-1D5DBA vlan-id=40 vlan-mode=use-tag \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=Woodroot supplicant-identity=MikroTik \
    wpa2-pre-shared-key=********
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce \
    country=germany disabled=no distance=indoors frequency=2422 mode=\
    ap-bridge name=WLAN1_2GHz security-profile=Woodroot ssid=Woodroot2 \
    vlan-id=40 vlan-mode=use-tag wireless-protocol=802.11
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=40
add bridge=bridge comment=defconf interface=ether3 pvid=40
add bridge=bridge comment=defconf interface=ether4 pvid=40
add bridge=bridge comment=defconf disabled=yes interface=ether5 pvid=5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=WLAN1_2GHz pvid=40
add bridge=bridge comment=defconf interface=wlan2 pvid=40
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether5 list=LAN
/ip address
add address=192.168.40.20/24 comment="Bridge Address MGMT-VLAN" interface=\
    bridge network=192.168.40.0
add address=192.168.15.20/24 interface=ether5 network=192.168.15.0
/ip dhcp-relay
add dhcp-server=192.168.40.1 disabled=no interface=bridge local-address=\
    192.168.40.20 name=DhcpRelayBridge
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.40.1
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The hAP is connected with its “ether1” to the hEX. On the hEX “ether5” is configured as tagged port of VLAN40 and the hAP is connected to this port.
I have been testing the hEX configuration: Set the ether5 as an untagged port of VLAN40 and connected the pc. It got an IP address and has been connected to the internet. Looks good … I think …

squeeze · June 30, 2018, 11:02am

Why do you have a DHCP relay and why do you have DNS server (remote requests + cache) enabled on the AP?

On the AP, try adding a DHCP Client with interface set to the bridge and add ether1 as a bridge port too since there is no routing. Remember to change the list member of ether1 from WAN to LAN too.

Niffchen · June 30, 2018, 11:55am

I added the relay to get IP addresses from the hex. But I have thought about the DHCP client. Maybe I misunderstood the relay function. I think this needs to be checked by me. I will try the DHCP client later on!

I thought the hAP would also route if ether1 is WAN port. That seems to be a fault of mine. I will test this too.
Thank you very much for your help!

Niffchen · June 30, 2018, 7:12pm

So far I have done what you mentioned, squeeze. And after this everything was fine. But now the hAP has no access to the internet again and I did nothing. The WLAN ports didn’t have access to the hEX and the LAN ports also. I tried to find out what is wrong but I need your help again.
This is my config of the hAP:

# jun/30/2018 17:35:48 by RouterOS 6.42.3
# software id = N8B5-9W0L
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 830608EA823A
/interface bridge
add admin-mac=CC:2D:E0:1D:5D:B5 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-1D5DBA vlan-id=40 vlan-mode=use-tag wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=Woodroot supplicant-identity=MikroTik \
    wpa2-pre-shared-key=***********
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce \
    country=germany distance=indoors frequency=2422 mode=ap-bridge \
    security-profile=Woodroot ssid=Woodroot2 vlan-id=40 vlan-mode=use-tag \
    wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=40
add bridge=bridge comment=defconf interface=ether3 pvid=40
add bridge=bridge comment=defconf interface=ether4 pvid=40
add bridge=bridge comment=defconf disabled=yes interface=ether5 pvid=5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1 pvid=40
add bridge=bridge comment=defconf interface=wlan2 pvid=40
add bridge=bridge interface=ether1 pvid=40
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=LAN
add interface=ether5 list=LAN
/interface wireless cap
# 
set bridge=bridge discovery-interfaces=bridge enabled=yes interfaces=wlan1
/ip address
add address=192.168.40.20/24 comment="Bridge Address MGMT-VLAN" interface=\
    bridge network=192.168.40.0
add address=192.168.15.20/24 interface=ether5 network=192.168.15.0
/ip dhcp-client
add disabled=no interface=bridge
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.40.1
/system clock
set time-zone-name=Europe/Berlin
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

If there is something wrong on the hEX I provide you its config:

# jun/30/2018 21:05:36 by RouterOS 6.42.5
# software id = G7JR-VZNY
#
# model = 960PGS
# serial number = 89F908AE5EB1
/caps-man channel
add frequency=2412 name=1
add frequency=2417 name=2
add frequency=2422 name=3
add frequency=2427 name=4
add frequency=2432 name=5
add frequency=2437 name=6
add frequency=2442 name=7
add frequency=2447 name=8
add frequency=2452 name=9
add frequency=2457 name=10
add frequency=2462 name=11
add frequency=2467 name=12
add frequency=2472 name=13
add frequency=5180 name=36
add frequency=5200 name=40
add frequency=5220 name=44
add frequency=5240 name=48
add frequency=5260 name=52
add frequency=5280 name=56
add frequency=5300 name=60
add frequency=5320 name=64
add frequency=5500 name=100
add frequency=5520 name=104
add frequency=5540 name=108
add frequency=5560 name=112
add frequency=5580 name=116
add frequency=5600 name=120
add frequency=5620 name=124
add frequency=5600 name=128
add frequency=5660 name=132
add frequency=5680 name=136
add frequency=5700 name=140
/interface bridge
add admin-mac=CC:2D:E0:68:3D:3E auto-mac=no comment=defconf name=MainBridge \
    pvid=5 vlan-filtering=yes
add fast-forward=no name=SubBridge
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=MainBridge name=VLAN5 vlan-id=5
add interface=MainBridge name=VLAN40 vlan-id=40
add interface=MainBridge name=VLAN110 vlan-id=110
add interface=MainBridge name=VLAN120 vlan-id=120
add interface=MainBridge name=VLAN130 vlan-id=130
add interface=MainBridge name=VLAN140 vlan-id=140
add interface=MainBridge name=VLAN150 vlan-id=150
add interface=MainBridge name=VLAN160 vlan-id=160
add interface=MainBridge name=VLAN170 vlan-id=170
/caps-man datapath
add bridge=MainBridge local-forwarding=yes name=datapathSubBridgeWlan
/caps-man configuration
add channel=3 channel.band=2ghz-g/n channel.extension-channel=Ce \
    channel.frequency=2422 country=germany datapath=datapathSubBridgeWlan \
    datapath.local-forwarding=yes distance=dynamic name=ConfigWoodroot2GHz \
    security.authentication-types=wpa2-psk security.encryption=aes-ccm \
    security.passphrase=************ ssid=Woodroot
add channel=56 channel.band=5ghz-n/ac channel.frequency=5280 country=germany \
    datapath=datapathSubBridgeWlan datapath.local-forwarding=yes distance=\
    dynamic name=ConfigWoodroot5GHz security.authentication-types=wpa2-psk \
    security.encryption=aes-ccm security.passphrase=************ ssid=Woodroot5
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.110.150-192.168.110.200
add name=dhcp_pool2 ranges=192.168.120.150-192.168.120.200
add name=dhcp_pool3 ranges=192.168.130.150-192.168.130.200
add name=dhcp_pool4 ranges=192.168.140.150-192.168.140.200
add name=dhcp_pool5 ranges=192.168.150.150-192.168.150.200
add name=dhcp_pool6 ranges=192.168.160.150-192.168.160.200
add name=dhcp_pool7 ranges=192.168.170.150-192.168.170.200
add name=dhcp_pool8 ranges=192.168.40.150-192.168.40.200
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=VLAN110 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=VLAN120 name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=VLAN130 name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=VLAN140 name=dhcp4
add address-pool=dhcp_pool5 disabled=no interface=VLAN150 name=dhcp5
add address-pool=dhcp_pool6 disabled=no interface=VLAN160 name=dhcp6
add address-pool=dhcp_pool7 disabled=no interface=VLAN170 name=dhcp7
add address-pool=dhcp_pool8 disabled=no interface=SubBridge name=dhcp8 relay=\
    255.255.255.255
/caps-man manager
set enabled=yes
/caps-man manager interface
add
add interface=VLAN40
add forbid=yes interface=MainBridge
add disabled=no interface=SubBridge
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    ConfigWoodroot2GHz
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
    ConfigWoodroot5GHz
/interface bridge port
add bridge=MainBridge comment=defconf interface=ether2 pvid=5
add bridge=MainBridge comment=defconf interface=ether3 pvid=40
add bridge=MainBridge comment=defconf interface=ether5 pvid=40
add bridge=MainBridge comment=defconf hw=no interface=sfp1 pvid=5
add bridge=MainBridge interface=VLAN110 pvid=110
add bridge=MainBridge interface=VLAN120 pvid=120
add bridge=MainBridge interface=VLAN130 pvid=130
add bridge=MainBridge interface=VLAN140 pvid=140
add bridge=MainBridge interface=VLAN150 pvid=150
add bridge=MainBridge interface=VLAN160 pvid=160
add bridge=MainBridge interface=VLAN170 pvid=170
add bridge=SubBridge interface=VLAN40 pvid=40
add bridge=MainBridge interface=VLAN5 pvid=5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=MainBridge tagged=MainBridge,ether2,ether3,ether5 vlan-ids=40
add bridge=MainBridge tagged=ether2,MainBridge vlan-ids=110
add bridge=MainBridge tagged=ether2,MainBridge vlan-ids=120
add bridge=MainBridge tagged=ether2,MainBridge vlan-ids=130
add bridge=MainBridge tagged=ether2,MainBridge untagged=VLAN140 vlan-ids=140
add bridge=MainBridge tagged=ether2,MainBridge vlan-ids=150
add bridge=MainBridge tagged=ether2,MainBridge vlan-ids=160
add bridge=MainBridge tagged=ether2,MainBridge vlan-ids=170
/interface list member
add comment=defconf interface=MainBridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether4 list=LAN
add interface=VLAN110 list=LAN
add interface=VLAN120 list=LAN
add interface=VLAN130 list=LAN
add interface=VLAN140 list=LAN
add interface=VLAN150 list=LAN
add interface=VLAN160 list=LAN
add interface=VLAN170 list=LAN
add interface=VLAN5 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether5 list=LAN
add disabled=yes list=LAN
add disabled=yes list=LAN
add disabled=yes interface=SubBridge list=LAN
add interface=VLAN40 list=LAN
/ip address
add address=192.168.2.11/24 interface=MainBridge network=192.168.2.0
add address=192.168.15.15/24 interface=ether4 network=192.168.15.0
add address=192.168.2.10/24 interface=ether1 network=192.168.2.0
add address=192.168.40.1/24 interface=VLAN40 network=192.168.40.0
add address=192.168.110.1/24 interface=VLAN110 network=192.168.110.0
add address=192.168.120.1/24 interface=VLAN120 network=192.168.120.0
add address=192.168.130.1/24 interface=VLAN130 network=192.168.130.0
add address=192.168.140.1/24 interface=VLAN140 network=192.168.140.0
add address=192.168.150.1/24 interface=VLAN150 network=192.168.150.0
add address=192.168.160.1/24 interface=VLAN160 network=192.168.160.0
add address=192.168.170.1/24 interface=VLAN170 network=192.168.170.0
add address=192.168.5.1/24 interface=VLAN5 network=192.168.5.0
add address=192.168.40.5/24 interface=SubBridge network=192.168.40.0
/ip dhcp-server lease
add address=192.168.40.150 always-broadcast=yes client-id=1:cc:2d:e0:1d:5d:b5 \
    mac-address=CC:2D:E0:1D:5D:B5 server=dhcp8
add address=192.168.40.152 always-broadcast=yes client-id=1:0:a0:de:fc:a7:12 \
    mac-address=00:A0:DE:FC:A7:12 server=dhcp8
add address=192.168.40.151 client-id=1:2c:f0:a2:40:bb:99 mac-address=\
    2C:F0:A2:40:BB:99 server=dhcp8
add address=192.168.40.153 client-id=1:e4:8b:7f:ca:3f:ed mac-address=\
    E4:8B:7F:CA:3F:ED server=dhcp8
/ip dhcp-server network
add address=192.168.40.0/24 dns-server=192.168.40.1,192.168.2.1 gateway=\
    192.168.40.1
add address=192.168.110.0/24 dns-server=192.168.110.1,192.168.2.1 gateway=\
    192.168.110.1
add address=192.168.120.0/24 dns-server=192.168.120.1,192.168.2.1 gateway=\
    192.168.120.1
add address=192.168.130.0/24 dns-server=192.168.130.1,192.168.2.1 gateway=\
    192.168.130.1
add address=192.168.140.0/24 dns-server=192.168.140.1,192.168.2.1 gateway=\
    192.168.140.1
add address=192.168.150.0/24 dns-server=192.168.150.1,192.168.2.1 gateway=\
    192.168.150.1
add address=192.168.160.0/24 dns-server=192.168.160.1,192.168.2.1 gateway=\
    192.168.160.1
add address=192.168.170.0/24 dns-server=192.168.170.1,192.168.2.1 gateway=\
    192.168.170.1
/ip dns
set allow-remote-requests=yes servers=192.168.2.1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.2.1
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MikroTik-Keller2
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

squeeze · July 1, 2018, 10:35am

hEX:

Why are you using dhcp-relay?
Do not add VLAN interfaces, which are logical interface, to bridge ports. They are meant only for physical interfaces
Do not add VLAN interfaces to bridge vlan interfaces (“untagged=VLAN140”). Again use physical interfaces only, except for the bridge interface itself.

Spartacus · July 1, 2018, 2:14pm

Hi,
I have nearly the same issue, posted here:
http://forum.mikrotik.com/t/need-help-with-cap-ac-and-virtual-ap-managed-by-capsman/120982/1

Can someone please check this, and help me to get rid of the issue?
Thanks,
Christian

Niffchen · July 1, 2018, 6:33pm

The DHCP relay was a old configuration. I deleted this value.
I removed the VLANs from the bridge ports, removed the mentioned VLAN from the bridge blan interface and changed the ethernet ports 3 and 5 from tagged to untagged. Everything is up and running now!
Thank you very much for taking so much time. I take a look if eveything is working correctly until tomorrow.

Spartacus · July 1, 2018, 7:47pm

Hi Niffchen ,
can you please post your config for the Router and the AP? I don´t know why my config doesn´t work!
Thanks,Christian

Niffchen · July 20, 2018, 5:12pm

Hi Squeeze,

Thank you very much! Now I got it working and it seems to be stable. Thank you very much.

@Spartacus: I will post my config. Sorry about being late, But I read your last answer. Tomorrow I will post my config of hEX, hAP and wAP working together.