please help me to configure my RB962UiGS-5HacT2HnT. I don’t know, I tried to read the tutorials, but they are a little confusing and I don’t know how to do it.
I would like to make three VLANs at the beginning to isolate the devices from each other:
trusted devices (laptops, mobile phones) - Internet and printer access
TV - Internet access only
printer - cut off from the Internet
I created three VLANs in the following way:
1. I’ve made a new Wireless security profile.
2. I’ve created a new virtual WiFi with this profile.
3. I’ve created a VLAN with ‘use tag’ and assigned it to the virtual WiFi above.
4. I’ve created a bridge.
5. I added the following ports to the bridge: a) virtual WiFi - bridge, b) VLAN - bridge.
6. I’ve set an address for the bridge.
7. I’ve set up DHCP for the bridge.
This way I have three separate WiFis visible, probably with VLANs, but I have no idea what to do next.
I read the text. I’ll try to understand the scripts. But I’ve already noticed one thing.
IP Addressing & Routing:
There is only one hardware device, of which we create one bridge to manage all LAN side devices. We set this IP address to 192.168.0.1. Everything gets routed out the Yellow WAN interface for Internet access.
There is mentioned creating one bridge, and I created a separate bridge and a separate address pool for each VLAN: 192.168.10.1/24 for trusted devices, 192.168.20.1/24 for TV and 192.168.30.1/24 for printers. I don’t quite understand the concept of bridges…
In the context of VLANs, bridges are VLAN-aware switches. So when following the tutorial I linked, it is essential to have only one bridge per device.
Tutorials about one bridge per VLAN are old school (before bridges became aware of VLANs) and you shouldn’t be looking at them. At all.
I suggest you scrap your previous config, reset with no defaults and start over … but follow the tutorial I linked.
When I do the IP addressing points, something gets mixed up in the configuration so much that it logs me out of winbox and I can’t log in again.
Can you please tell me which points in the RouterSwitchAP.rsc script I should be careful with to prevent this? I do the configuration step by step while connected to WiFi with the default address pool 192.168.88.1/24.
When you change IP settings (and don’t do it with safety straps attached … it’s beyond this topic to describe them), then it’s somewhat expected to lose management access. In such moments it’s fine to use winbox with its ability to connect to the router via MAC (without IP).
And here is the dynamic bridge config that I think can’t be seen in the export above. This is the remains of the default configuration. Maybe this is the reason? I don’t know if, and if so how, to get rid of it:
Okay before I delve into the config, I need more info about your network.
Assuming BASE (99) is your home and trusted network
What is your WLAN1 network for (2 GHz)? Is this just for the TV?
What is your WLAN2 network for (5 GHz)?
Then you have a virtual WLAN (master being wlan1) just for base (home trusted?).
Then you have second virtual WLAN (master being wlan1) just for the printer.
All require access to the internet EXCEPT the printer.
Who needs access to the printer?
What is connected to ether2? A PC, a managed switch??
Is there anything else wired or just the device(s) on eth2?
As I said, I cannot figure out the config without more knowledge of the structure of your network and also the use cases (which users need what).
The VLAN-aware bridge documentation indicates you have to configure the PVID in /interface bridge port and the untagged membership in /interface bridge vlan to match each other; you are missing the PVID in the bridge port entry for wlan1 (and a couple of others you may not have tested yet).
In practice, if you only configure it in /interface bridge port, the corresponding membership is added dynamically to /interface bridge vlan. So:
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=???
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=???
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-printer pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-base pvid=99
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=wlan1 vlan-ids=10
add bridge=bridge tagged=bridge untagged=wlan-printer vlan-ids=20
add bridge=bridge tagged=bridge untagged=wlan-base vlan-ids=99
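An added consistency check (not from the thread, not a RouterOS tool) that parses the /interface bridge port and /interface bridge vlan sections of an export like the one above and flags each port whose PVID is unset or has no matching untagged entry; the sample export is a constructed copy of the posted lines, including the two unresolved "???" values.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the two sections as posted, with the "???" PVIDs unresolved.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=???
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=???
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-printer pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-base pvid=99
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=wlan1 vlan-ids=10
add bridge=bridge tagged=bridge untagged=wlan-printer vlan-ids=20
add bridge=bridge tagged=bridge untagged=wlan-base vlan-ids=99
"""

def parse_export(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Group each 'add key=value ...' line under the '/path' header above it."""
    sections: Dict[str, List[Dict[str, str]]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            sections[current].append(dict(re.findall(r"(\S+?)=(\S+)", line[4:])))
    return sections

def check_vlan_consistency(text: str) -> List[str]:
    """One finding per bridge port whose PVID lacks a static untagged membership."""
    sections = parse_export(text)
    ports = sections.get("/interface bridge port", [])
    vlans = sections.get("/interface bridge vlan", [])
    untagged: Dict[str, Set[str]] = {}  # VLAN id -> statically untagged interfaces
    for entry in vlans:
        for vid in entry.get("vlan-ids", "").split(","):
            untagged.setdefault(vid, set()).update(entry.get("untagged", "").split(","))
    findings = []
    for port in ports:
        iface, pvid = port.get("interface", "?"), port.get("pvid")
        if pvid is None or not pvid.isdigit():
            findings.append(f"{iface}: pvid not set ({pvid!r}); choose a VLAN before bridging it")
        elif iface not in untagged.get(pvid, set()):
            findings.append(f"{iface}: pvid {pvid} has no untagged entry in /interface bridge vlan")
    return findings
```

Ports that pass both checks carry the same VLAN on ingress (PVID) and egress (untagged), which is the match the documentation asks for; the second kind of finding is the case the post describes where RouterOS fills the membership in dynamically.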
First, thanks for your patience. This should clarify things a bit:
Red are connections that I do not test now, because I just tried to use the tutorial script and I wanted to check if I can configure anything working…
wlan1 was the default 2 GHz WiFi and for now I add virtual interfaces to it.
wlan2 was the default 5 GHz WiFi. I haven’t disabled it, because I believe I will be able to use it for the trusted devices VLAN (I don’t know how to configure it now).
With the config pasted earlier the current situation is:
All require access to the internet EXCEPT the printer.
No, not only the printer. My understanding from the tutorial is that the BASE (management) network shouldn’t have Internet access either.
(I just realized that BASE VLAN is in BASE and VLAN interface lists, that’s why I have Internet access in BASE… )
Who needs access to the printer?
BLUE VLAN - trusted devices.
What is connected to ether2? A PC, a managed switch??
I’m going to connect TV here, so it will use cable instead of WiFi. In the tutorial linked above it was said that I should limit wireless VLANs “to minimize WiFi inefficiency”.
Is there anything else wired or just the device(s) on eth2?
As in the diagram above, I’d like to connect a Synology NAS. It would be perfect to have external access to it.