It is now working fine. In the next step, I would like to add the second hAP ac2 device for two things: use it as a switch for the vlan10 network, and also use it as a wireless access point later (CAP with multiple SSIDs on different VLANs).
I did not turn on VLAN filtering on the bridge yet. If I log in to this AP router, then I can ping the other router, and I can also access the internet.
But the access ports do not work. If I connect my laptop to one of the access ports of the switch, then I get an IP address from the DHCP server (running on the WAN router). But if I connect to one of the access ports of the AP router (e.g. ether3-blue), then it does not work. Even if I type in an address/gateway/netmask manually, it does not work.
Access ports won’t work until you enable vlan-filtering on the bridge. Without that, the bridge does not add a VLAN tag on ingress as per pvid settings, nor does it strip VLAN tags on egress as per untagged VLAN membership.
So: take a deep breath, enable safe mode and enable vlan-filtering on the bridge. If your management connection doesn’t break, then disable safe mode and check if the access ports started to work. If your management connection broke, then wait a few seconds until the device rolls back the change and re-connect.
The bridge is the only port member of these VLANs. At least for VLAN 99 you should add ether1 as a tagged port, or else you’ll almost definitely lose management access. OTOH BR1 doesn’t have to be a member of the rest of the VLANs; ROS will not interact with them (not until you have a corresponding VLAN interface with an IP address set).
Yes, it rolls back. If I enable VLAN filtering, then I cannot connect from the access ports, nor through the trunk port.
Nope, there is a VLAN interface that is added to the bridge, vlan 99, with static IP 192.168.19.252. I was managing the router through the ether1-trunk port.
I’m going to add wireless interfaces to those VLANs later because I want this device to function as a CAP too. I just did not do it yet, because I wanted to set up the access ports first.
And yes, I have followed the given tutorial to set up this device too. I can go through the tutorial again, but I’m not sure if it will help.
The first setting (creation of the VLAN interface) means interface BR1 has to be a tagged member of VLAN 99 on bridge BR1. The third setting (bridge VLAN configuration) does configure it indeed. But is there any other member interface? No. As long as you don’t have vlan-filtering=yes set on the bridge, the security setting from configuration #2 above (ingress-filtering=yes) doesn’t do anything. As soon as you enable vlan-filtering, this option will consult the egress VLAN table (the egress VLAN table is constructed according to the settings in /interface bridge vlan) and block frames belonging to VLANs not enabled on ingress. Port ether1-trunk is only a tagged member of VLAN ID 10 but not a member (neither tagged nor untagged) of VLAN ID 99. As long as vlan-filtering is disabled, frames tagged with VLAN ID 99 are passed through ether1-trunk; bridge BR1 acts as a dumb switch and passes tagged frames to any port willing to take them. That includes port BR1, where VLAN interface BASE_VLAN gladly accepts them. Similarly on the way back.
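The layout the reply above describes, written out as an added RouterOS configuration example (not code from the thread). It reuses the names from the thread (BR1, ether1-trunk, ether3-blue, BASE_VLAN, VLANs 10 and 99, the 192.168.19.252 address); the /24 prefix and the frame-types settings are assumptions, and vlan-filtering is switched on only as the last step so the change can be made under safe mode.

```routeros
# Bridge stays vlan-filtering=no until the VLAN table is complete
/interface bridge
add name=BR1 vlan-filtering=no

# Trunk: only tagged frames are accepted; frame-types is an assumption
# Access port: untagged frames are assigned VLAN 10 via pvid
/interface bridge port
add bridge=BR1 interface=ether1-trunk ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether3-blue pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

# Egress VLAN table. VLAN 99 (management) must list BOTH the bridge
# itself (so BASE_VLAN on BR1 can receive it) AND the trunk port;
# leaving ether1-trunk out of this entry is what cut management off.
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1-trunk vlan-ids=99
add bridge=BR1 tagged=ether1-trunk untagged=ether3-blue vlan-ids=10

# Management VLAN interface on top of the bridge, with the static IP
# (/24 prefix assumed, the thread gives only the address)
/interface vlan
add name=BASE_VLAN interface=BR1 vlan-id=99
/ip address
add address=192.168.19.252/24 interface=BASE_VLAN

# Review the table before switching filtering on: every VLAN you need
# to reach over the trunk must show ether1-trunk under "tagged"
/interface bridge vlan print

# Last step, done inside safe mode so a mistake rolls back on its own
/interface bridge
set BR1 vlan-filtering=yes
```

After filtering is on, `/interface bridge host print` lists learned MACs with their VLAN; a laptop on ether3-blue should appear under VLAN 10 and the trunk-side management session under VLAN 99.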
And now everything works as expected: I can enable VLAN filtering on the bridge, connect to the AP router through the trunk port, and I can also use the access ports on it.
In the next step, I’ll be adding wireless interfaces (CAP). I have never done that together with VLANs; I just hope that I’ll be clever enough to do that without asking dumb questions.