I probably have a very basic question. Although I searched on the forum for an answer, I was unable to find one.
There is a lot of documentation on the forum regarding vlans and config, but what I can't find is how things add up on an all-in-one like the hEX.
All I need is a basic (non-vlan) network, and one VLAN for wifi guests.
The wifi part is already working. And in fact the wifi guests get ip-addresses in the correct range from the Mikrotik, so ‘something’ is working on the VLAN part.
Wifi guests are able to access each other over the VLAN, so VLAN setup on the access point is working.
I do have experience with the setup, using Fortigates, so I know my wireless part is all right.
However there is no way I can get access from the VLAN to the router (ICMP ping for instance) or to the internet.
I hope someone can help me out from this community.
The (messy) config is attached.
That's exactly the page I meant…but that could not help me solve the issue.
I downloaded the config examples, and tried to match them with my own. However probably it’s a hardware thing that it’s not working.
Also, the examples are based on ‘VLAN only’ setups, and that is exactly what I don’t have…
Your configuration is very confused. Get rid of switch setting line in the config, mixing apples and oranges!!!
What the heck is 192.168.3 ?? doing in dhcp server network......... removed
Modified firewall rules order and content as required.
Which ports are connected to dumb devices that cannot read vlan tags? Probably all?
Which ports are connected to smart devices that can read vlan tags? Probably none?
Which ethernet ports are supposed to be connected to vlan10 (guests), probably one, so will use ether3 for this purpose in the example below?
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
First thing I would do is upgrade the firmware to 7.12RC.
I don't think you need to identify NTP in the dhcp server line.
You have set the router to client above (gets NTP input from external servers), then you need to add the NTP server option on the router (which is what all the users will use and all they need to do is point to the subnet interface in their ntp client settings 192.168.7.1). If you want to restrict NTP access to certain users, then more tweaking would be required.
I admit it is not the cleanest config, but that is mainly because I tried everything…
I can see you moved over to all VLAN, I read this a lot but couldn’t understand.
Why the difference in ether3?
I want the homevlan (20 in your proposed config) to be available on ether 2-5 without setting any vlan on any device or packet. So if I connect a computer to one of the ports, I would be connected to that vlan.
On the other hand, if I connect an access point for wifi to a port, the non-tagged wifi network should be on the default vlan (20?) and the one I tag with 10 should be on the guest.
This setup is easy on other routers, however Mikrotik is not so easy as I thought.
Maybe you can help me understand?
Simply attach the AP to etherport3.
The access point should get an IP address from vlan10 (either dynamically or statically set) up to you.
Make up your mind where the access port will be located.
Can the access port read vlan tags incoming to the device from an upstream route/switch? (most consumer models cannot, some can provide vlan tags to a guest but that is different and not the same thing)
Any device (including the AP) will get an IP from the ‘normal’ not-tagged network. By default this is vlan 1 I assume.
Inside the AP we define 2 Wifi’s, the ‘internal Wifi’ that is not using VLAN tagging, and their clients thus being connected to the ‘normal’ or vlan1 network in the basic setup.
In the second Wifi we define VLAN10, so all clients will be assigned to that VLAN with a separate ip range and firewall rules (and of course will not be able to reach the vlan1 by default).
This setup is the one we always use with our customer using other firewalls (like Fortigate) and now want to create in the Mikrotik’s low end solutions, especially for smaller customers (with only a few devices).
Anyone?
When applying the script I was unable to get any access to the device.
Needed to reset the whole config.
Shouldn’t be this difficult to create the setup I need?
All other vendors I used in the past supported this setup, and was not hard to build.
Please advise.
Recap what I need.
eth 1 = wan DHCP
eth 2-5 bridge, native network (vlan1) - (so no vlan when connecting a device to one of the ports) and vlan 10 with packets that have a vlan set. This is for the access points attached that have 2 SSID’s. One on the default vlan, nothing special here, and one with VLAN10 set. This is for guests.
Basically what you are asking is to setup hybrid ports.
Any dumb devices attached to any of the above devices will get assigned to the vlan10 subnet.
Any smart devices attached to any of the above ports if setup properly will be able to ingest both subnets and do whatever is necessary.
This tiny device does not support HW-offloaded bridge VLAN filtering, so enabling bridge-vlan-filtering may have a rather serious impact on performance. In case you really need to do anything VLAN-wise on the switch/bridge you should do that in the /interface ethernet switch menu instead. But, based on how you describe your goals, I don’t think that’s needed at all. The only thing you really need is to add a vlan interface for routing purposes:
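
Added example, not part of the thread and not any poster's own configuration: a RouterOS sketch of a routed guest VLAN 10 on top of an untagged LAN bridge, with the firewall rules that let guests reach DHCP, DNS and the internet while keeping them away from the router's management services and the home network. Assumptions: the LAN bridge is named `bridge` with bridge VLAN filtering off, the WAN is `ether1` with a masquerade rule already in place, and the guest subnet `192.168.10.0/24` is a constructed value.

```routeros
# Added example. Assumed names/values: bridge "bridge", WAN "ether1",
# guest subnet 192.168.10.0/24 (constructed, not from the thread's config).

# VLAN 10 interface on the bridge: tagged frames from the APs end up here,
# untagged frames keep going to the bridge's own (home) address.
/interface vlan
add name=vlan10-guest interface=bridge vlan-id=10

/ip address
add address=192.168.10.1/24 interface=vlan10-guest

# DHCP for the guest subnet
/ip pool
add name=pool-guest ranges=192.168.10.100-192.168.10.200
/ip dhcp-server
add name=dhcp-guest interface=vlan10-guest address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1

# The router answers DNS for guests
/ip dns
set allow-remote-requests=yes

# Input chain: guests may use DHCP, DNS and ping on the router, nothing else
# (no WinBox, SSH or WebFig from the guest side).
# "add" appends to the end of the chain: move the accept rules above any
# generic drop rule already present in the input chain.
/ip firewall filter
add chain=input in-interface=vlan10-guest protocol=udp dst-port=53,67 \
    action=accept comment="guest: DNS and DHCP to router"
add chain=input in-interface=vlan10-guest protocol=tcp dst-port=53 \
    action=accept comment="guest: DNS over TCP"
add chain=input in-interface=vlan10-guest protocol=icmp \
    action=accept comment="guest: ping router"
add chain=input in-interface=vlan10-guest \
    action=drop comment="guest: no other access to router"

# Forward chain: guests may only leave through the WAN, so the home
# network on the untagged bridge stays unreachable from VLAN 10.
add chain=forward in-interface=vlan10-guest out-interface=!ether1 \
    action=drop comment="guest: internet only"
```

After applying, `/ip firewall filter print` shows the resulting rule order; a guest client should get a lease, resolve names and reach the internet, while connections to the home subnet and to the router's management ports are dropped.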