Hi,
I have now implemented the Access Point example from http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
I got the commands from the “VLAN Example #2” here: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
First I did a complete config reset on the AP.
Then i connected my pc and the ap nic ether2 over a singel switch that is not connected to my network.
The other nic of the ap (ether1) is connected with the managed switch on the trunk port.
I then implemented the whole thing as follows via mac access over ether2:
#Devicename:
/system identity set name="AccessPoint-WZ"
#Wlan Password policy:
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
#Wlan-config
/interface wireless set [ find default-name=wlan1 ] ssid=USer-2G frequency=auto mode=ap-bridge disabled=no
/interface wireless set [ find default-name=wlan2 ] ssid=User-5G frequency=auto mode=ap-bridge disabled=no
#create a bridge:
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no
#Assign vlans to bridge-port interfaces
/interface bridge port
add bridge=BR1 interface=wlan1 pvid=7
add bridge=BR1 interface=wlan2 pvid=7
#create trunk ports
add bridge=BR1 interface=ether1
#egress config
/interface bridge vlan
set [find interface=BR1] tagged=ether1 vlan-ids=7
add bridge=BR1 tagged=BR1,ether1 vlan-ids=172
# IP Addressing & Routing
/interface vlan
add interface=BR1 name=Management-Vlan172 vlan-id=172
/ip address add address=172.16.0.30/26 interface=Management-Vlan172
/ip route add distance=1 gateway=172.16.0.1
# VLAN Security
/interface bridge port
# Only allow ingress packets without tags on Access Ports
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2]
# Only allow ingress packets WITH tags on Trunk Ports
/interface bridge port set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]
#Mac Server settings
/interface list add name=BASE
/interface list member add interface=Management-Vlan172 list=BASE
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE
/interface bridge set BR1 vlan-filtering=yes
After doing this the config on the ap looks like this:
# jan/02/1970 02:56:28 by RouterOS 7.6
# software id = ZB9L-KM9R
#
# model = RBcAPGi-5acD2nD
# serial number = HD20854X659
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=germany disabled=no \
frequency=2417 mode=ap-bridge skip-dfs-channels=all ssid=User-2G vlan-id=\
7 vlan-mode=use-tag wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=germany disabled=no \
mode=ap-bridge skip-dfs-channels=all ssid=User-5G vlan-id=7 vlan-mode=\
use-tag wireless-protocol=802.11
/interface vlan
add interface=BR1 name=Management-Vlan172 vlan-id=172
add interface=BR1 name=User-Vlan7 vlan-id=7
/interface list
add include=all name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan1 pvid=7
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan2 pvid=7
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=BASE lldp-med-net-policy-vlan=1
/interface bridge vlan
add bridge=BR1 tagged=ether1,BR1 vlan-ids=172
add bridge=BR1 tagged=ether1,BR1 untagged=wlan1,wlan2 vlan-ids=7
/interface list member
add interface=BR1 list=BASE
/ip address
add address=172.16.0.30/26 interface=Management-Vlan172 network=172.16.0.0
add address=192.168.0.2/21 interface=User-Vlan7 network=192.168.0.0
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.0.1 pref-src=\
"" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system identity
set name=AccessPoint-WZ
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
So far so good…
I can now reach the management address 172.16.0.30 and the user interface 192.168.0.2 from outside. (Ping and webgui works)
Both addresses are now available on ether1 of the access point.
Unfortunately I still get an error when connecting to wlan1 and wlan2.
Have I overlooked something here?