Introducing VLANs to MikroTik CAPsMAN Network with Icotera FTTH Gateway – Topology Help Needed

I would like to introduce VLANs into my current MikroTik-based setup to:

  • Isolate IoT, Guest, and Private networks
  • Assign different SSIDs to different VLANs

The Icotera i6850 (ISP-supplied FTTH gateway) claims VLAN support, but:

  • The Web administration interface shows no configuration options related to VLANs.
  • LAN ports appear to operate strictly as untagged access ports.
  • No options to set up trunking or port-based VLANs on the LAN side.

Because of this, I’m assuming that true VLAN separation must be done behind the Icotera, with another device handling routing and VLAN tagging. I was thinking of adding another hAP ac2. How should this device be configured to have VLANs?

  • What is the best way to introduce VLANs in this network given the limitations?
  • Should I add a MikroTik router in front of the Icotera and let it handle VLANs + routing?
  • Can the Icotera be bridged or bypassed entirely?
  • How should I configure bridges and VLANs properly on the hAP ac3 and hAP ac2, and on the newly introduced hAP ac2?

Thanks for your hints.

You HAVE to read this: Using RouterOS to VLAN your network

If the FTTH device does not provide VLAN support, then you have to install a VLAN-aware device that concentrates/manages the APs’ traffic.

Hi @BartoszP Thank you for the link, I will dive into the topic.

Strictly speaking, if you are happy with the way the FTTH is managed by the Icotera thingy, you could do with a (managed) switch between the Icotera and your existing MikroTiks.
If you are OK with SwOS, I think even an RB260GS would do.
A hAP ac2 costs double the above, and, having only 16 MB of storage, it is not really recommended to buy one new, as it is a bit tight for the newest/latest ROS versions.

@jaclaz thanks for your hints. I have a spare hAP ac2 (bought second hand for a good price); I just need confirmation that it should work as a switch for my use case too. I am not familiar with SwOS. OK, so just before the Icotera I can place that spare hAP ac2. Just like this, right?

             [Internet]
                 |
           [Icotera i6850]
             (LAN port)
                 |
              (ether1)
         +---------------------+
         |   hAP ac2 (new)     | ← Core Router
         |   VLAN trunking     |
         +---------------------+
          |        |        |
      ether2   ether3   ether4
        |         |        |
   [hAP ac3]  [hAP ac2]  (future)
   (CAPsMAN)   (CAP)     (guest, IoT, etc.)

Yep, exactly.
If you use it as a VLAN-aware switch only, you can get away with a non-latest version of RouterOS, probably a 7.13.x or 7.14.x one, at most 7.16.x; I don’t think that newer versions have anything added/fixed that you could take advantage of.
Or you can leave wifi-qcom-ac uninstalled to keep some free space; see starting from here:

sorry, but why overcomplicate things?

The OP already has 3 devices:
2 MT
1 FTTH box

both MTs are connected to the box

so, why not simply run EoIP between the two MTs over the provider box?
inside the EoIP, a few VLANs, and that is it

no additional device

Hi @npeca75, this would be perfect, and I was thinking in the same direction as well; however, I was thinking of having a WireGuard tunnel between the devices. It would be especially great because I do not have much space in the electrical cabinet where the cables are terminated and where the FTTH box is located; yes, the hAP ac2 is small, but still.

On the other hand, I am using the new WiFi (wifi-qcom-ac) CAPsMAN, and I was not sure if it would work with that configuration too. I could not find any example where VLANs are used with WireGuard and with CAPsMAN + CAP.

The thing is, all I want is an isolated guest WiFi, which I have solved, but currently the isolation is done using the firewall. I would like to improve it and have VLANs.

Do you have any example that I can use as a starting point for such a setup? (VLANs with a WireGuard or EoIP tunnel)

Thanks in advance for your help and insights.

hi @atlanticd

you are mixing things
VLANs are L2
WG is L3

a guest network could be achieved in both scenarios, but it is more complicated with WG (L3) because you need good FW isolation with routing

stick with EoIP and VLANs, it will ensure proper L2 isolation. I believe there are tutorials for MT guest WiFi with VLANs
then, after you are done with the VLAN part, simply put the VLANs in EoIP and send them to the other MT
simple :)

@npeca75 right, I will try, but I think CAPsMAN and CAP make things more complicated. See here.
But I guess as soon as I have the EoIP interface listed as a port in my bridge, and if I set the datapath properly, it should work.

I won’t complicate things with a tunnel in a pure L2 environment. Can it be done? Yes, but I think it can be done more easily another way. One of these two options:

  1. You don’t mind touching your existing infra and putting a MikroTik in charge of running your network.
  2. You stick to your current config and just add extra VLANs for anything apart from the main network.

In the first case, I would set the current internet gateway to bridge mode, and put your ac3 (CAPsMAN) as the main router for the entire setup, running your internet connection. That way you discover all the good stuff about having a nice router as the main element of your setup. Please don’t do that if you are running with no default config and you have no previous experience with MikroTik and its firewall.

In the second case, I would just add the VLAN setup to your existing infra, managing them again from the CAPsMAN device. The main network will be run by your internet gateway, and the rest by MikroTik. You will play with hybrid ports between the two MikroTik devices, running your main network (from the gateway) as untagged traffic, and passing the others as tagged VLANs, delivering them untagged on the WiFi interfaces where needed.

Kind regards.

hi @jhbarrantes, great, I will research hybrid ports. But honestly this was my main concern: if the gateway does not offer configuration options for VLANs (despite the datasheet claiming it supports them), and the MikroTik devices are connected to it, I thought I couldn’t use VLANs at all. OK, so hybrid ports could be worth researching. Thanks!

Most likely your gateway supports VLANs, but on the WAN side, as most internet FTTH gateways do, in order to support a triple-play setup (internet, voice, TV), each on a different VLAN. But on the LAN side, they treat everything as a single flat network, a very basic router.

What I’m proposing is to leave that flat network as your main default network, commanded by the ISP gateway, and move the rest to the Mikrotik hAP-ac3. This last device will become a full router for these other vlans, while it would still operate as a simple AP for your main one, coming from your ISP router.

I’m assuming your vlan devices will be all connected to one of the two Mikrotiks devices obviously, either wired or wirelessly.

Kind regards.


hi @jhbarrantes, is my understanding correct that with hybrid ports I can use only one VLAN, because only one VLAN can be mapped to untagged traffic per port? So in theory I can do a configuration on both the hAP ac3 and ac2 where untagged ingress traffic on ether1 is placed into VLAN 10, and outgoing VLAN 10 traffic is sent untagged on ether1. (ether1 is where my devices are connected to the ISP gateway.)
But then I can’t use any other VLANs than VLAN 10, right?

Please explain your proposed setup in a bit more detail. I appreciate your support.

If I need multiple VLANs between the routers through the ISP gateway device, then I need tunnelling, like EoIP or maybe VXLAN?

A hybrid port can only have one VLAN untagged (same as any other access port), plus a bunch of tagged ones. What I’m proposing is that you configure both MikroTiks (taking your initial image as the starting point) with all ports in a single bridge, as if they were simple APs, and enable VLAN filtering on both. As soon as you do that, you will see vlan1 (the “no vlan”) in action in the bridge VLAN table, managing the traffic that comes from the gateway (you could move this to a “vlan10”, but there is no real need for that). That will be your “untagged” traffic for the hybrid port ether1, on both MikroTiks. Once you move the port into the bridge, remember to update the DHCP client (if any) or the static address to be on the bridge rather than on ether1.

From this moment you would have exactly the same network you have right now, but “VLAN aware” from the MikroTik perspective, while the gateway still doesn’t know what a VLAN is. At this point, everything in the bridge will have the default “no vlan” = 1, so everything will still be addressed by the gateway. This could be your “default” or “home” network, which is born from the gateway (managed and addressed from there), and where you only play the role of access point on the MikroTik devices.

If it is easier for you, you can start both routers from scratch without config (System > Reset Configuration > no default configuration) and just create a single bridge, put all the ports in, create a DHCP client over the bridge and enable bridge VLAN filtering. You will end up having something like this on both MikroTik devices:

/interface bridge
# vlan-filtering=yes makes the bridge VLAN-aware; untagged frames land in each port's pvid (1 by default)
add name=bridge vlan-filtering=yes

/interface bridge port
# every wired port and both radios in one bridge, exactly like a simple AP
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wifi1
add bridge=bridge interface=wifi2

/ip dhcp-client
# the device's own address now lives on the bridge (VLAN 1, untagged), not on ether1
add interface=bridge

Now, let’s add a couple of VLANs (who says “a couple” says “a dozen”) for other use cases. For example, VLAN 100 for “IoT” and VLAN 101 for guest users. And, as a test, let’s deliver VLAN 100 to ether4 and VLAN 101 to ether5 on both devices (access ports), making it possible for things connected to these ports on both MikroTik routers to communicate in L2, passing this through the gateway as tagged traffic (the gateway won’t see this traffic, but it will forward it anyway). To achieve this, we should tag the VLANs over the bridge and over ether1, which becomes our “hybrid” port, managing vlan1 untagged (coming from the gateway) + 100, 101 as tagged. This is to be executed on the MikroTik hAP-ac3. Why do we create and tag VLANs over the bridge? Because this device will be the one addressing the VLANs, so we want these VLANs to have access to the device CPU for that. Why do we tag over ether1? Because it is the link that joins both routers using your gateway as an intermediate switch (not VLAN aware), so that becomes our “hybrid” port, passing vlan1 untagged (gateway addressing) + VLAN 100/101 as tagged.
For testing purposes, we will make ether5 an access port for vlan100, so we can test from there if the new L2 network is propagated accordingly.

# To execute at hAP-ac3
/interface vlan
# L3 interfaces on top of the bridge: this is where hAP-ac3 will address VLANs 100 and 101
add interface=bridge name=vlan-iot vlan-id=100
add interface=bridge name=vlan-guest vlan-id=101

/interface bridge vlan
# tagged=bridge gives the CPU access to the VLAN; tagged=ether1 makes ether1 the hybrid port toward the gateway
add bridge=bridge comment=iot tagged=bridge,ether1 vlan-ids=100
add bridge=bridge comment=guest tagged=bridge,ether1 vlan-ids=101

/interface bridge port
# access ports: untagged frames on ether4 go to VLAN 100, on ether5 to VLAN 101
# (a dynamic "untagged" entry for each appears in the bridge VLAN table)
set [find interface=ether4] pvid=100
set [find interface=ether5] pvid=101

For the hAP-ac2, it is very similar, but only filtering the VLANs, as they will be addressed from the hAP-ac3. In that case, we don’t need to create VLAN interfaces, and we just need to work with the bridge VLAN table, declaring both VLANs tagged for ether1, and updating the PVID of bridge ports ether4 and ether5 to create access ports.

# To execute at hAP-ac2
/interface bridge vlan
# no tagged=bridge here: hAP-ac2 only switches these VLANs, it never routes them
add bridge=bridge comment=iot tagged=ether1 vlan-ids=100
add bridge=bridge comment=guest tagged=ether1 vlan-ids=101

/interface bridge port
# the same access ports as on hAP-ac3
set [find interface=ether4] pvid=100
set [find interface=ether5] pvid=101

At this point, if you connect two devices to ether4 / ether5 on each MikroTik and address them manually, they should be able to see each other in L2, isolated in layer 2.

Let’s say now we want this addressing to be done at hAP-ac3, the device we chose as your future CAPsMAN. All you have to do is create the addressing information for those VLANs, plus pools, networks, DHCP servers, etc.

Something like this:

# To execute at hAP-ac3

# Addressing: hAP-ac3 becomes the default gateway of each VLAN
/ip address
add interface=vlan-iot address=192.168.100.1/24
add interface=vlan-guest address=192.168.101.1/24

# DHCP pool, network, server, etc...
/ip pool
add name=pool-iot ranges=192.168.100.2-192.168.100.254
add name=pool-guest ranges=192.168.101.2-192.168.101.254

/ip dhcp-server network
add address=192.168.100.0/24 comment=iot dns-server=1.1.1.1,1.0.0.1 gateway=192.168.100.1
add address=192.168.101.0/24 comment=guest dns-server=1.1.1.1,1.0.0.1 gateway=192.168.101.1

/ip dhcp-server
add address-pool=pool-iot interface=vlan-iot name=dhcp-iot
add address-pool=pool-guest interface=vlan-guest name=dhcp-guest

# NAT outgoing bridge traffic (gateway): VLAN clients leave masqueraded behind hAP-ac3's
# own bridge (VLAN 1) address, so the ISP gateway sees one source and needs no return routes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge

At this point, if you connect something to ether4 on either of the MikroTiks, you should get an IP from 192.168.100.x and be able to surf the internet, using your provider router as the gateway. The same with ether5 and vlan-guest. If you connect anything to ether2 or ether3 on either router, you should still get an address from the gateway.

At this point, the VLANs would be isolated in L2, but visible from L3, as we don’t have any firewall rule preventing it. We will address this later at hAP-ac3, with a simple forward rule.

When you reach this point let me know, as it will be the moment to play with CAPsMAN setup, and this will depend on the wireless package version you have installed.

Kind regards!
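A rule set for the L3 isolation that the post above defers ("we will address this later ... with a simple forward rule"), as an added example; it is not part of the thread and not jhbarrantes’ configuration. It reuses the names from the post (bridge, vlan-iot, vlan-guest, 192.168.100.0/24 and 192.168.101.0/24) and additionally assumes the home LAN handed out by the Icotera is 192.168.1.0/24; the VLANS interface list and the LOCAL-NETS address list are names chosen here. Run it on hAP-ac3 only, since hAP-ac2 does no routing for these VLANs.

```routeros
# Added example, not from the thread. Run on hAP-ac3.

/interface list
add name=VLANS comment="routed VLANs: IoT and guest"
/interface list member
add list=VLANS interface=vlan-iot
add list=VLANS interface=vlan-guest

# Everything that is "inside" from a VLAN client's point of view: the home LAN behind
# the Icotera (assumed 192.168.1.0/24), the Icotera itself, and the other VLAN subnets.
/ip firewall address-list
add list=LOCAL-NETS address=192.168.1.0/24 comment="home LAN (assumed)"
add list=LOCAL-NETS address=192.168.100.0/24 comment="vlan-iot"
add list=LOCAL-NETS address=192.168.101.0/24 comment="vlan-guest"

/ip firewall filter
# --- input: what VLAN clients may ask of hAP-ac3 itself ---
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=VLANS protocol=udp dst-port=67 action=accept \
    comment="DHCP from the VLANs (DNS is 1.1.1.1 in the post, so no DNS rule needed)"
add chain=input in-interface-list=VLANS protocol=icmp action=accept comment="ping to the VLAN gateway, optional"
add chain=input in-interface-list=VLANS action=drop comment="no WinBox/SSH/WWW from IoT or guest"

# --- forward: VLAN clients reach the Internet and nothing else ---
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=VLANS dst-address-list=LOCAL-NETS action=drop \
    comment="blocks IoT<->guest, VLAN->home LAN and VLAN->Icotera in one rule"
add chain=forward in-interface-list=VLANS action=accept comment="Internet via the ISP gateway"

# Checks, from a client on ether4 (vlan-iot):
#   ping 1.1.1.1                     -> works (forward accept + the masquerade out of the bridge)
#   ping 192.168.1.1                 -> fails (LOCAL-NETS drop hides the Icotera and the home LAN)
#   ping a guest client in 192.168.101.0/24 -> fails (same rule)
# On hAP-ac3, /ip firewall filter print stats shows the drop counters moving.
```

Rules are evaluated in order: if hAP-ac3 still carries the RouterOS default firewall, insert these above the default forward accept rules (place-before=) instead of appending them. The established,related accept is what lets Internet replies back into the VLANs; because VLAN traffic is masqueraded behind the bridge address, hosts on the home LAN cannot open connections into the VLANs either, unless a dst-nat rule is added for a specific device.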

hi @jhbarrantes

First of all, thank you for taking time and elaborating your proposed setup.

Unfortunately it does not work. I tried connecting a Windows laptop to the ether4 port of the hAP-ac3, with a manually set IP address = 192.168.10.1/255.255.255.0
On the hAP ac2’s ether4 port I connected a Mac, with a manually set IP address = 192.168.10.2/255.255.255.0

Then I tried to ping, but it does not work.

What is suspicious to me is that in the Bridge/VLANs tab on the hAP-ac3, there is a dynamic entry added by pvid where ether4 is declared as current untagged:

The PVID is correctly set on ether4:

I assume I do not need to set any VLAN ID on the clients’ NICs; nevertheless I tried both ways, having VLAN ID = 100 set in the Windows NIC settings and in the Mac’s NIC settings, but it did not make a difference.

Please find attached my exported configurations. Please note that for this test I am using my spare hAP-ac2 with the default configuration, and not the other hAP-ac2 that currently acts as CAP and to which you will find references in the hAP-ac3’s configuration.

I kindly ask you to take a look when you have time, and try to spot what the issue could be. Thank you!

I guess it doesn’t work because of the mix of config from router mode. Try like this on each device, uploading the config file and running System → Reset Configuration → Run After Reset = config.rsc

config.rsc for the future manager

# hAP-ac3: bridge with VLAN filtering, VLAN interfaces, addressing, DHCP and NAT
/interface bridge
add name=bridge vlan-filtering=yes

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wifi1
add bridge=bridge interface=wifi2

/ip dhcp-client
# management address on the bridge (VLAN 1, untagged, handed out by the gateway)
add interface=bridge

/interface vlan
add interface=bridge name=vlan-iot vlan-id=100
add interface=bridge name=vlan-guest vlan-id=101

/interface bridge vlan
# ether1 = hybrid port: VLAN 1 untagged toward the gateway, 100/101 tagged; bridge = CPU access for routing
add bridge=bridge comment=iot tagged=bridge,ether1 vlan-ids=100
add bridge=bridge comment=guest tagged=bridge,ether1 vlan-ids=101

/interface bridge port
# access ports for the test clients
set [find interface=ether4] pvid=100
set [find interface=ether5] pvid=101

/ip address
add interface=vlan-iot address=192.168.100.1/24
add interface=vlan-guest address=192.168.101.1/24

/ip pool
add name=pool-iot ranges=192.168.100.2-192.168.100.254
add name=pool-guest ranges=192.168.101.2-192.168.101.254

/ip dhcp-server network
add address=192.168.100.0/24 comment=iot dns-server=1.1.1.1,1.0.0.1 gateway=192.168.100.1
add address=192.168.101.0/24 comment=guest dns-server=1.1.1.1,1.0.0.1 gateway=192.168.101.1

/ip dhcp-server
add address-pool=pool-iot interface=vlan-iot name=dhcp-iot
add address-pool=pool-guest interface=vlan-guest name=dhcp-guest

/ip firewall nat
# VLAN clients leave masqueraded behind the bridge (VLAN 1) address
add action=masquerade chain=srcnat out-interface=bridge

config.rsc for cap

# hAP-ac2 (CAP): bridge with VLAN filtering only, no routing of the VLANs
/interface bridge
add name=bridge vlan-filtering=yes

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wifi1
add bridge=bridge interface=wifi2

/ip dhcp-client
add interface=bridge

/interface bridge vlan
# ether1 = hybrid port toward the gateway; no tagged=bridge, this device does not address the VLANs
add bridge=bridge comment=iot tagged=ether1 vlan-ids=100
add bridge=bridge comment=guest tagged=ether1 vlan-ids=101

/interface bridge port
set [find interface=ether4] pvid=100
set [find interface=ether5] pvid=101

Then try to communicate between two devices on ether4 of each router, or between ether5 of each.

Unfortunately it does not work either. I guess the gateway device strips some information, meaning that the ISP gateway device is not just blindly forwarding all Ethernet frames (probably because it is not in bridged or passthrough mode). I disabled the Windows Firewall as well, and also the one on the Mac. Just to confirm: I must not set anything VLAN-related on the client NICs, right?

No, nothing to be done on the client side, just plug and play.

What happens when you connect something to ether4/5 on the manager device? Does it work?

You are right, it could be the case that the gateway won’t let you pass tagged traffic. But that normally means the device is “VLAN aware”. If that is the case, the best scenario to build is to bridge the gateway and set up one of your MikroTiks as your main router.

Kind regards.

OK, I will try to build the VLANs through EoIP or VXLAN. Do you have a suggested starting configuration example, please, that I can further improve? I would like to avoid asking the ISP to put the gateway in bridge mode.
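A starting point for the EoIP variant that @npeca75 suggested earlier ("put vlans in EoIP and send them to another MT"), as an added example that is not part of the thread and not any participant’s configuration. It builds on the bridge/VLAN configuration from the posts above (bridge with vlan-filtering=yes, VLANs 100 and 101, vlan-iot/vlan-guest addressed on hAP-ac3) and replaces ether1 as the carrier of the tagged VLANs with an EoIP tunnel, since the Icotera was observed to drop the tagged frames. Everything else here is assumed: the two routers get fixed addresses on the home LAN (192.168.1.2 for hAP-ac3, 192.168.1.3 for hAP-ac2, gateway 192.168.1.1; set statically as below or reserved in the Icotera), the tunnel-id 100, the interface names eoip-ac2 / eoip-ac3, and the IPsec secret.

```routeros
# Added example, not from the thread. Addresses, names, tunnel-id and secret are assumptions.

# ===== hAP-ac3 (routes the VLANs) =====
# EoIP needs stable endpoints, so the DHCP client on the bridge from the earlier
# config is replaced by a fixed address on the home LAN (VLAN 1).
/ip dhcp-client remove [find interface=bridge]
/ip address add address=192.168.1.2/24 interface=bridge
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1
/ip dns set servers=1.1.1.1,1.0.0.1

# The tunnel. ipsec-secret makes RouterOS create the IPsec peer and policy itself, so the
# GRE payload (the IoT/guest frames) is encrypted while it crosses the flat ISP LAN.
/interface eoip add name=eoip-ac2 local-address=192.168.1.2 remote-address=192.168.1.3 \
    tunnel-id=100 ipsec-secret="replace-with-a-long-random-secret" keepalive=10s,10 \
    comment="L2 carrier for VLAN 100/101 to hAP-ac2"

# The tunnel joins the bridge as a trunk that carries ONLY tagged frames.
# pvid=4094 (an unused VLAN) keeps VLAN 1 off the tunnel: VLAN 1 already reaches hAP-ac2
# through the Icotera, and a second untagged path would be an L2 loop (STP would then
# block a whole port, taking either the home LAN or the VLANs down).
/interface bridge port add bridge=bridge interface=eoip-ac2 pvid=4094 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes

# Move the tagged membership from ether1 to the tunnel; ether1 stays a plain untagged
# VLAN 1 port toward the Icotera, which is all the gateway will forward anyway.
/interface bridge vlan set [find vlan-ids=100] tagged=bridge,eoip-ac2
/interface bridge vlan set [find vlan-ids=101] tagged=bridge,eoip-ac2

# ===== hAP-ac2 (switches the VLANs only) =====
/ip dhcp-client remove [find interface=bridge]
/ip address add address=192.168.1.3/24 interface=bridge
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1

/interface eoip add name=eoip-ac3 local-address=192.168.1.3 remote-address=192.168.1.2 \
    tunnel-id=100 ipsec-secret="replace-with-a-long-random-secret" keepalive=10s,10 \
    comment="L2 carrier for VLAN 100/101 to hAP-ac3"

/interface bridge port add bridge=bridge interface=eoip-ac3 pvid=4094 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes

# no tagged=bridge: this device does not address the VLANs
/interface bridge vlan set [find vlan-ids=100] tagged=eoip-ac3
/interface bridge vlan set [find vlan-ids=101] tagged=eoip-ac3

# ===== Checks (on either device) =====
# /interface eoip print                      -> flag R (running) on the tunnel
# /ip ipsec active-peers print               -> one established peer with the other router
# /interface bridge vlan print               -> current-tagged lists the eoip interface for 100 and 101
# /interface bridge host print where on-interface=eoip-ac2
#                                            -> MACs of test clients behind the other router appear here
```

Because the outer packets carry GRE and IPsec headers on top of a full 1500-byte client frame, they are fragmented on the LAN; that costs throughput on the hAP ac2, not correctness. If the tunnel shows R and an active IPsec peer but no remote MACs appear in the host table, check that the bridge VLAN entries on both sides list the eoip interface as tagged and that ether1 is no longer in that list.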