Mikrotik VLAN with Access Point Configuration

samreiss · January 23, 2021, 7:21pm

I am trying to connect a Mikrotik Access Point to Mikrotik Router. I am able to get the AP (mostly) working, but it doesn’t get assigned an IP by the main router (and also can’t access the internet). I believe this is happening because the Mikrotik AP is not tagging it’s own traffic. I want the Mikrotik AP to be a part of VLAN 20 and pull it’s IP via DHCP from the main router. I’ve included the configuration from the Access Point below. I believe that the main router configuration is correct because when i use ether2-5 on the access point, I am able to successfully get an IP assigned by the router’s DHCP server and am a part of VLAN 20. What am i missing? Thank you for the help!

# jan/02/1970 00:01:19 by RouterOS 6.48
# software id = JVFK-X1M2
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 8A7D08DEEF06
/interface bridge
add name=bridge vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=bridge name=vlan-20-private vlan-id=20
add interface=bridge name=vlan-21-public vlan-id=21
add interface=bridge name=vlan-22-kids vlan-id=22
add interface=bridge name=vlan-23-vpn-mn vlan-id=23
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5 pvid=20
add bridge=bridge interface=sfp1
add bridge=bridge interface=wlan2
add bridge=bridge interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=ether2,ether3,ether4,ether5 \
    vlan-ids=20
add bridge=bridge tagged=ether1 vlan-ids=21
add bridge=bridge tagged=ether1 vlan-ids=22
add bridge=bridge tagged=ether1 vlan-ids=23
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/interface wireless cap
# 
set discovery-interfaces=ether1 enabled=yes interfaces=wlan2,wlan1
/ip address
add address=192.168.20.2/24 interface=vlan-20-private network=192.168.20.0
/system identity
set name=MO-STL-BEDROOM

CZFan · January 23, 2021, 8:20pm

Add bridge as a tagged member/interface of management vlan in bridge vlan table

mkx · January 23, 2021, 8:35pm

Unlike @CZFan I don’t see an error in VLAN setup. However, according to configuration set, AP has static IP set (so it should be accessible within VLAN 20), but doesn’t have default route set (enough for it to not have internet access) nor does it have DNS server set (even if it did have IP connectivity to internet it could not access any named resource on the internet).

The rest of VLANs (21, 22, 23) are, as @CZFan noted, out of reach for AP’s CPU.

Which makes me wonder if wireless does get provisioned via CAPsMAN? /interface wireless cap is set to go via ether1 (which means untagged) … and ether1 is configured as trunk port (admit-only-vlan-tagged). IMO discovery interface should have been set to management VLAN interface (seems like vlan-20-private is the correct interface).

CZFan · January 23, 2021, 8:45pm

Apologies, @mkx correct, I quickly scanned over the config.

But I don’t see a dhcp client line item in config and that is probably reason AP can’t get IP from DHCP

anav · January 23, 2021, 10:41pm

Call me if you two can’t sort it out… me <---- busy,

samreiss · January 24, 2021, 5:15am

I appreciate the responses from both of you! @mkx - Yes, you are correct - ether1 should be configured as a trunk port. Good catch on the CAPsMAN discovery interface. I have updated as recommended (and it does work; you were correct that it was not working). Is this the type of default route that you think I am missing? I am surprised that I need to set DNS because I was hoping that the access point would receive DNS from the router’s DHCP server for VLAN 20.

/ip route
add distance=1 gateway=192.168.20.1

Here’s a current export with the CAPsMAN discovery interface fixed:

# jan/02/1970 00:08:36 by RouterOS 6.48
# software id = JVFK-X1M2
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 8A7D08DEEF06
/interface bridge
add name=bridge pvid=20 vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(28dBm), SSID: PRIVATE_CAP, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(27dBm), SSID: PRIVATE_CAP, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface vlan
add interface=bridge name=vlan-20-private vlan-id=20
add interface=bridge name=vlan-21-public vlan-id=21
add interface=bridge name=vlan-22-kids vlan-id=22
add interface=bridge name=vlan-23-vpn-mn vlan-id=23
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5 pvid=20
add bridge=bridge interface=sfp1
add bridge=bridge interface=wlan2
add bridge=bridge interface=wlan1
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1 multicast-router=disabled
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=ether2,ether3,ether4,ether5 \
    vlan-ids=20
add bridge=bridge tagged=ether1 vlan-ids=21
add bridge=bridge tagged=ether1 vlan-ids=22
add bridge=bridge tagged=ether1 vlan-ids=23
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/interface wireless cap
# 
set discovery-interfaces=vlan-20-private enabled=yes interfaces=wlan2,wlan1
/ip address
add address=192.168.20.2/24 interface=vlan-20-private network=192.168.20.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add disabled=no interface=ether1
/ip firewall nat
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
add action=masquerade chain=srcnat out-interface=ether1 src-address-list=\
    192.168.20.0/24
/system identity
set name=MO-STL-BEDROOM

mkx · January 24, 2021, 10:41am

A few things:

remove pvid setting from bridge
move DHCP client from ether1 to interface vlan-20-private
add interface vlan-20-private to LAN interface list (not that it actually matters in your particular setup but it’s the right thing nonetheless)
after DHCP client starts to work, remove static IP address … and remove the NAT rule

samreiss · January 25, 2021, 3:50am

@mkx - Worked like a charm! Thank you so much!