how to tag lan and wifi on the same vlan

squid778 · July 25, 2020, 2:20pm

i am trying to setup hap lite as switch only without firewall, how do i tag lan and wifi on the same vlan, so both can communicate with each other?

anav · July 27, 2020, 12:04pm

Best bet is to read this article…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

nithinkumar2000 · July 27, 2020, 12:08pm

you can just try useing Bridge to make them communicate with each other.

squid778 · July 29, 2020, 10:33am

I created a bridge on all the interfaces, then set Ether3, Ether4 to vlan30 on switch chip, and then tag the wifi to vlan30

Ether3 can ping Ether4 and vice versa, but wifi client fail to ping Ether3 or Ether4. (both ethernet client and wifi client are on the same IP subnet:192.168.30.0/24)

below is the configuration:

[admin@MikroTik] > /export hide-sensitive 
# jul/29/2020 17:20:40 by RouterOS 6.47
# software id = C3P8-J3AC
#
# model = RB941-2nD
# serial number = D0550BE73DBB
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn disabled=no mode=ap-bridge ssid=Mikrotik vlan-id=30 vlan-mode=use-tag wireless-protocol=802.11
/interface ethernet switch port
set 0 vlan-mode=fallback
set 1 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=30 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=30 vlan-header=always-strip vlan-mode=secure
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=all
/interface ethernet switch vlan
add ports=ether1,ether2 switch=switch1 vlan-id=20
add ports=ether1,ether3,ether4,switch1-cpu switch=switch1 vlan-id=30
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=wlan1 list=LAN
/ip dhcp-client
add disabled=no interface=bridge1

mkx · July 29, 2020, 11:01am

You should set appropriate VLAN mode for switch1-cpu port in /interface ethernet switch port … I guess on your device it will be interface with index number 4 (if index starts from 0). Disabled is default, according to manual it should be fine (port should pass all VLANs), but who knows.

Another setting I find logical to include and never gave me problems is independent-learning=yes in /interface ethernet switch vlan. Could be it makes problems in combination with above-mentioned part of config.

To aide debugging, you can create vlan interface on bridge for VID 30, add IP address to that interface … then you can ping different VLAN30 members directly from your RB. This way you might be able to narrow down the problem in config.

nichky · July 29, 2020, 11:06am

use this:

/interface vlan set name=w1.vl100 interface=wlan1 vlan-id=100
/interface wireless set vlan-mode=use-tag vlan-id=100

xvo · July 29, 2020, 11:06am

I don’t see settings for switch1-cpu here.

/interface ethernet switch port
set 0 vlan-mode=fallback
set 1 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=30 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=30 vlan-header=always-strip vlan-mode=secure

Should have vlan-header=add-if-missing and vlan-mode=secure.
Same for eth1 if it is used as a trunk port towards the main router.

squid778 · August 3, 2020, 7:23am

i set vlan header to add-if-missing and vlan-mode secure on vlan20, and camera feed stop working.
i set vlan mode for switch1-cpu to secure/always strip vlan 30, and lost connection to the RB and all the clients,
if i set vlan mode for switch1-cpu to check/add-if-missing vlan 30, all the clients on vlan 30 works normally (wifi and eth can ping each other), the only drawback is i can not access the RB anymore.

the RB is on vlan 5 (10.10.5.16) and can ping both ethernet (192.168.30.31) and wifi clients (192.168.30.110) directly, independent-learning is also added.

[admin@MikroTik] > /ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                
 0 D 10.10.5.16/24      10.10.5.0       bridge1                                  
 1   10.10.30.0/24      10.10.30.0      bridge1                                  
[admin@MikroTik] > ping 192.168.30.31
  SEQ HOST                                     SIZE TTL TIME  STATUS             
    0 192.168.30.31                              56 254 15ms 
    1 192.168.30.31                              56 254 17ms 
    sent=2 received=2 packet-loss=0% min-rtt=15ms avg-rtt=16ms max-rtt=17ms 

[admin@MikroTik] > ping 192.168.30.110
  SEQ HOST                                     SIZE TTL TIME  STATUS             
    0 192.168.30.110                             56  63 13ms 
    1 192.168.30.110                             56  63 22ms 
    sent=2 received=2 packet-loss=0% min-rtt=13ms avg-rtt=17ms max-rtt=22ms

i try this creating vlan 30 on wlan1 and the wifi client is not working.

xvo · August 3, 2020, 7:32am

To access the RB itself you should add at least one vlan-interface on top of the bridge and address/dhcp-client running on that vlan-interface.
Like that:

/interface vlan add name=mgmt interface=bridge1 vlan-id=30

squid778 · August 3, 2020, 9:33am

Everything is working fine now, Thank you all for the help.

Below is the final config for setting RB as wifi vlan switch
vlan 5 : management
vlan 20 : ip cameras
vlan 30 : laptop,etc

/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn disabled=no mode=ap-bridge ssid=Mikrotik vlan-id=30 vlan-mode=use-tag wireless-protocol=802.11
/interface vlan
add interface=bridge1 name=mgmt vlan-id=5
/interface ethernet switch port
set 0 vlan-mode=fallback
set 1 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=30 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=30 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=30 vlan-header=add-if-missing vlan-mode=fallback
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=all
/interface ethernet switch vlan
add ports=ether1,ether2 switch=switch1 vlan-id=20
add ports=ether1,ether3,ether4,switch1-cpu switch=switch1 vlan-id=30
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=wlan1 list=LAN
/ip dhcp-client
add disabled=no interface=mgmt