MT Accesspoint configuration

Hello,

I am currently trying to integrate an MT AP into my existing network.
I was able to successfully assign the Vlan 172 and Vlan7 on ether1 to the AP with the static management address 172.16.0.30 (Vlan172) and 192.168.0.2 (Vlan7).

So far so good, now I want to assign the Vlan 7 to the Wlan interface Wlan1 and Wlan2, but I don't know how. :frowning:
Can someone tell me how I assign this Vlan to the Wlan1 +2?
Des_AP_Docu3.jpg


# jan/02/1970 02:22:43 by RouterOS 7.6
# software id = ZB9L-KM9R
#
# model = RBcAPGi-5acD2nD
/interface bridge
add ingress-filtering=no name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=User-2G
set [ find default-name=wlan2 ] disabled=no mode=ap-bridge ssid=User-5G
/interface vlan
add interface=ether1 name=ether1-vlan7 vlan-id=7
add interface=ether1 name=ether1-vlan172 vlan-id=172
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge1 comment="FirstConfig 192.168.16.70" interface=ether2
add bridge=bridge1 comment="TRUNK " interface=ether1
/ip address
add address=192.168.16.70/21 comment="FirstConfig Statische Adresse 192.168.16\
    .70 can be disabled after configuration" interface=ether2 network=\
    192.168.16.0
add address=172.16.0.30/26 comment="AP Managment Address" interface=\
    ether1-vlan172 network=172.16.0.0
add address=192.168.0.2/21 comment="AP Ip for SSID Wlan1 and Wlan2" \
    interface=ether1-vlan7 network=192.168.0.0




In the config of the wireless interface, under tab Wireless, set the VLAN mode to “use tag” and enter the desired VLAN tag.

Hm… I only see the field vlanmode and vlan id when I start to create a virtual wlan interface wlan3 for multissid

Click on “Advanced Mode” first.

It’s in Advanced Mode …



omg…
I’ve set it that way, but no change.

As soon as I connect my phone to wlan1 / 2G, I see traffic on the interface for a short time and then the message Connection error comes up on the phone. :frowning:

# jan/02/1970 04:03:34 by RouterOS 7.6
# software id = ZB9L-KM9R
#
# model = RBcAPGi-5acD2nD
# serial number = HD20854X659
/interface bridge
add ingress-filtering=no name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] country=**** disabled=no frequency=2417 \
    mode=ap-bridge skip-dfs-channels=all ssid=User-2G vlan-id=7 vlan-mode=\
    use-tag
set [ find default-name=wlan2 ] country=**** disabled=no mode=ap-bridge \
    skip-dfs-channels=all ssid=User-5G vlan-id=7 vlan-mode=use-tag
/interface vlan
add interface=ether1 name=ether1-vlan7 vlan-id=7
add interface=ether1 name=ether1-vlan172 vlan-id=172
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge1 comment="FirstConfig 192.168.16.70" interface=ether2
add bridge=bridge1 comment="TRUNK " interface=ether1
/ip address
add address=192.168.16.70/21 comment="FirstConfig Statische Adresse 192.168.16\
    .70 can be disabled after configuration" interface=ether2 network=\
    192.168.16.0
add address=172.16.0.30/26 comment="AP Managment Address" interface=\
    ether1-vlan172 network=172.16.0.0
add address=192.168.0.2/21 comment="AP Ip for SSID Wlan1 and Wlan2" \
    interface=ether1-vlan7 network=192.168.0.0

https://forum.mikrotik.com/viewtopic.php?t=182276

Look again. When the main interface is in Simple mode it does not show VLAN options, but for the virtual interface in Simple mode it does show it.
Exactly what you describe. When you see the button “Advanced mode” it is in Simple mode.

It is normal (today) that a device will not connect until everything is configured correctly, including having a working DHCP server on that network.

Now you are clouding issues, there is no need for dhcp server on the MT Access point in most cases… one is simply carrying the vlans from the router to the Access point…
In fact the only vlan that actually needs to be identified as a vlan is the management or base vlan from which the AP gets its own IP address and still no DHCP is required for that.

ok but as I said I opened the advanced mode and there I set the mode and VLAN ID as you can see in the config.

All services are available on the trunk connected to ether1 on the AP, including DHCP.
Yesterday it was already running and I also got a dhcp address on my phone via this ap.
Unfortunately, I shot the config to pieces when I wanted to expand the config with a third guest vlan and virtual wlan 3 and 4 and mentally took a wrong turn somewhere…
But there I get the whole thing realized with individual bridges for each vlan.

It’s also one of those things that every guide I find does it differently.
One says no, only one bridge, others say you need one for each vlan.

Anyway, do you have a link to a how-to that explains step by step how to set up an access point via the routo’s webgui and maybe it’s similar to my setup only with other vlans?

I write “on the network”. He is setting up a network using VLANs, and he has not got that working. Until he has the proper connectivity to the intended VLAN, he probably has no DHCP server and the behavior is as expected.

Right, there can’t be anything wild about getting the AP to work. Everything is provided in the trunk. 3 switches before is an OPNsense VM on an ESXi and provides routing, DHCP and firewall functionalities over the network.

Take a look at the drawing at the top left where the services arrive :stuck_out_tongue:

Did you look at my link above for easy switch setup ???..

Also read PARA C here. https://forum.mikrotik.com/viewtopic.php?t=182373

All the info is there!!! The first link gives you the concepts, then follow the **^^^** My advice is:
Work on the config for both devices after reading and applying the knowledge of the two linked articles and will provide support.

/export file=anynameyouwish ( minus router/device serial number and any public wanip information )

I fly over but saw that I then have to deal with the CLI. I actually wanted to avoid that with the webgui, but if there are no webui tutorials, then I’ll read up and then do it completely via the console. :wink:

I like the easy way, nothing wrong with web gui if you know what the commands are doing.
I still use CLI to read all configs so it still has its place for most of us one way or another.

Yes, right, you have to understand the GUI switches, and most YouTube videos use different approaches for the VLAN configuration; it just confuses.
In one video he builds the VLANs over several bridges. The other says no more than one bridge and builds it completely differently.

Well, I’ll read it all over the weekend and then come back with other questions. xD

First of all, thank you :slight_smile:

KISS, one bridge all vlans attached to bridge, all vlans get ip pool, dhcp server, dhcp server network, ip address, bridge does NO dhcp etc…
Vlans disseminated via etherports and wlans at /interface bridge ports and /interface bridge vlans, firewall rules to match, bingo bongo done!

Same same fw rules.

Concept input chain and forward chain.
Default rules
User added rules
DROP all else

https://forum.mikrotik.com/viewtopic.php?t=180838
If you want to get cute and bloated, not on my watch LOL. Do it after you have a solid basic working config and you leave here so I don't have to see it.

Thx a lot :slight_smile:

Another question, how can I get access to the config examples?

Probably due to the fact you just joined, but to be honest the config examples are not in config format and thus confusing.

##############################################################################
# Topic:		Using RouterOS to VLAN your network
# Example:		Access Point
# Web:			http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
# RouterOS:		6.43.13
# Date:			April 15, 2021
# Notes:		Start with a reset (/system reset-configuration)
# Thanks:		mkx, sindy
###############################################################################

#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="AccessPoint"


#######################################
# VLAN Overview
#######################################

# 10 = BLUE
# 20 = GREEN
# 30 = RED
# 99 = BASE (MGMT) VLAN


#######################################
# WIFI Setup
#
# Example wireless settings only. Do
# NOT use in production!
#######################################

# Blue SSID
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless set [ find default-name=wlan1 ] ssid=BLUE_SSID frequency=auto mode=ap-bridge disabled=no

# Green SSID
/interface wireless security-profiles add name=GREEN_PROFILE authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless add name=wlan2 ssid=GREEN_SSID master-interface=wlan1 security-profile=GREEN_PROFILE disabled=no

# Red SSID
/interface wireless security-profiles add name=RED_PROFILE authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless add name=wlan3 ssid=RED_SSID master-interface=wlan1 security-profile=RED_PROFILE disabled=no


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no


#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Blue, Green, Red VLAN
add bridge=BR1 interface=wlan1 pvid=10
add bridge=BR1 interface=wlan2 pvid=20
add bridge=BR1 interface=wlan3 pvid=30

# egress behavior, handled automatically


#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=ether1

# egress behavior
/interface bridge vlan

# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
set bridge=BR1 tagged=ether1 [find vlan-ids=10]
set bridge=BR1 tagged=ether1 [find vlan-ids=20]
set bridge=BR1 tagged=ether1 [find vlan-ids=30]
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99


#######################################
# IP Addressing & Routing
#######################################

# LAN facing AP's Private IP address on a BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.3/24 interface=BASE_VLAN

# The Router's IP this AP will use
/ip route add distance=1 gateway=192.168.0.1


#######################################
# IP Services
#######################################

# We have a router that will handle this. Nothing to set here.
# Attach this AP to a router configured as shown under the "RoaS" example.


#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan3]

# Only allow ingress packets WITH tags on Trunk Ports
/interface bridge port set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/interface list add name=BASE
/interface list member add interface=BASE_VLAN list=BASE
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes
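
An added example, not part of the thread or of the linked Access Point example: a small Python check that reads an `/export` and compares it with the layout the example above uses (VLAN interfaces on the bridge, every AP interface added as a bridge port). The function names `parse_export` and `audit` are hypothetical, and the sample is constructed by trimming the second export posted earlier in the thread.

```python
import re
import shlex

# Constructed sample, trimmed from the second export posted in the thread.
SAMPLE_EXPORT = r'''
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=User-2G vlan-id=7 vlan-mode=\
    use-tag
set [ find default-name=wlan2 ] disabled=no mode=ap-bridge ssid=User-5G \
    vlan-id=7 vlan-mode=use-tag
/interface vlan
add interface=ether1 name=ether1-vlan7 vlan-id=7
add interface=ether1 name=ether1-vlan172 vlan-id=172
/interface bridge port
add bridge=bridge1 comment="FirstConfig 192.168.16.70" interface=ether2
add bridge=bridge1 comment="TRUNK " interface=ether1
'''

def parse_export(text):
    """Yield (menu, verb, params) per command of an /export (menu on its own line)."""
    menu = None
    # A trailing backslash continues the line; the next line's indent is dropped.
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        tokens = shlex.split(line)
        yield menu, tokens[0], dict(t.split("=", 1) for t in tokens[1:] if "=" in t)

def audit(text):
    """Return findings for the two layout problems visible in the sample."""
    ports, vlan_ifs, aps = set(), [], []
    for menu, verb, p in parse_export(text):
        if menu == "/interface bridge port" and verb == "add":
            ports.add(p.get("interface"))
        elif menu == "/interface vlan" and verb == "add":
            vlan_ifs.append((p.get("name"), p.get("interface")))
        elif menu == "/interface wireless" and p.get("mode") == "ap-bridge":
            aps.append(p.get("name") or p.get("default-name"))
    findings = [f"{name}: VLAN interface is on bridge port {parent}, move it to the bridge"
                for name, parent in vlan_ifs if parent in ports]
    findings += [f"{ap}: AP interface is not a bridge port, client frames are not bridged"
                 for ap in aps if ap not in ports]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

On the sample it reports both VLAN interfaces (parent `ether1` is itself a bridge port) and both wlan interfaces (never added under `/interface bridge port`).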