I want to take my VLAN further. The internet does work, but the users cannot see the login page the further I take the VLAN. But do the pings respond?
Keep one VLAN for management.
VLAN 99, let's say; all devices are assigned a static IP address on this subnet.
On the trunk port are also all the data VLANs needed.
Use one VLAN per subnet.
What do you mean by wlan0 and LAN0?
Basically every device, besides the router, should look like this:
/interface bridge
add ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=emergaccess
/interface vlan
# mandatory: the management VLAN must be defined in /interface vlan - do not put any other VLANs here!
add interface=bridge name=manageVlan vlan-id=99
/interface list
add name=management
/interface wireless
# as required
/interface bridge port
# first device only (the AP on the trunk port from the router)
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1
# as required if serving local users
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=WLAN-local pvid=XY
# as required
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=WLAN-transfer comment="trunk to next device"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# for all devices except the first AP
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=WLAN-incoming comment="trunk from previous device"
/ip neighbor discovery-settings
set discover-interface-list=management
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,WLAN-transfer vlan-ids=99 comment="bridge only tagged for management vlan - trunk from router"
add bridge=bridge tagged=ether1,WLAN-transfer vlan-ids=AB,CD
# if any local wlan is applicable
add bridge=bridge tagged=ether1,WLAN-transfer untagged=WLAN-local vlan-ids=XY
+++++++++++++++++++++++++++++++++++
For middle devices, if the connection is wifi, the first line is replaced by wlan-incoming plus its own wlan-transfer (or call it outgoing).
For middle devices, if the connection is ethernet, then it's back to ether1.
For end devices, there is no need for a transfer or outgoing trunk.
/interface list member
add interface=manageVlan list=management
add interface=emergaccess list=management
/ip address
add address=192.168.10.84/24 interface=manageVlan network=192.168.10.0 comment="IP of AP on trusted subnet"
add address=192.168.36.1/24 interface=emergaccess network=192.168.36.0 comment="ether2 access off bridge"
/ip dns
# Note: done so all DNS requests use the trusted subnet
set allow-remote-requests=yes servers=192.168.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.10.1 comment="ensures route avail through trusted subnet gateway"
/ip service
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.10.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management
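As an added check (my own script, not the poster's config), here is a small Python parser for an export like the one above that flags the bridge-VLAN mistakes that lock you out of management or leave a port without a VLAN: the management VLAN not tagged on the bridge itself, an access port whose pvid has no untagged entry, a trunk listed as an untagged member, and a member name that is not actually a bridge port (for example a case mismatch like WLAN-Transfer versus WLAN-transfer). The sample export is constructed, with the placeholders XY/AB/CD assumed to be 10/20/30.

```python
import re

# Constructed sample mirroring the post's config, with placeholders XY/AB/CD
# filled in as 10/20/30 and one deliberate slip: "WLAN-Transfer" (capital T)
# in the management entry, which RouterOS treats as a different, nonexistent port.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=WLAN-local pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=WLAN-transfer
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,WLAN-Transfer vlan-ids=99
add bridge=bridge tagged=ether1,WLAN-transfer vlan-ids=20,30
add bridge=bridge tagged=ether1,WLAN-transfer untagged=WLAN-local vlan-ids=10
"""

def parse_export(text):
    """Return ({port: fields}, {vid: (tagged set, untagged set)}) from an export."""
    ports, vlans, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            f = dict(re.findall(r"(\S+?)=(\S+)", line))
            if section == "/interface bridge port":
                ports[f["interface"]] = f
            elif section == "/interface bridge vlan":
                for vid in f["vlan-ids"].split(","):
                    vlans[int(vid)] = tuple(set(filter(None, f.get(k, "").split(",")))
                                            for k in ("tagged", "untagged"))
    return ports, vlans

def check_bridge_vlans(ports, vlans, mgmt_vid=99):
    """Flag the mistakes that lock you out of management or leave frames stranded."""
    problems = []
    # The CPU only sees the management VLAN if "bridge" is a tagged member.
    if "bridge" not in vlans.get(mgmt_vid, (set(), set()))[0]:
        problems.append(f"vlan {mgmt_vid}: bridge itself is not a tagged member")
    for vid, (tagged, untagged) in vlans.items():
        for m in (tagged | untagged) - {"bridge"} - set(ports):
            problems.append(f"vlan {vid}: member {m!r} is not a bridge port")
    for name, f in ports.items():
        if f.get("frame-types") == "admit-only-untagged-and-priority-tagged":
            pvid = int(f.get("pvid", 1))   # access port: its pvid needs an untagged entry
            if name not in vlans.get(pvid, (set(), set()))[1]:
                problems.append(f"port {name}: pvid {pvid} has no untagged entry")
        elif any(name in u for _, u in vlans.values()):
            problems.append(f"port {name}: trunk listed as untagged member")
    return problems
```

Run it against `/export` output from each AP before enabling `vlan-filtering=yes`, and keep the emergaccess port reachable until it reports no problems.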