I’m confused now too, then the page
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
explains only the functionality of VLANs in general :/, but without application to the CLI and its commands.
Hi,
I have now implemented the Access Point example from http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
I got the commands from the “VLAN Example #2” here: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
First I did a complete config reset on the AP.
Then I connected my PC and the AP NIC ether2 over a single switch that is not connected to my network.
The other nic of the ap (ether1) is connected with the managed switch on the trunk port.
I then implemented the whole thing as follows via mac access over ether2:
#Devicename:
/system identity set name="AccessPoint-WZ"
#Wlan Password policy:
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
#Wlan-config
/interface wireless set [ find default-name=wlan1 ] ssid=USer-2G frequency=auto mode=ap-bridge disabled=no
/interface wireless set [ find default-name=wlan2 ] ssid=User-5G frequency=auto mode=ap-bridge disabled=no
#create a bridge:
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no
#Assign vlans to bridge-port interfaces
/interface bridge port
add bridge=BR1 interface=wlan1 pvid=7
add bridge=BR1 interface=wlan2 pvid=7
#create trunk ports
add bridge=BR1 interface=ether1
#egress config
/interface bridge vlan
set [find interface=BR1] tagged=ether1 vlan-ids=7
add bridge=BR1 tagged=BR1,ether1 vlan-ids=172
# IP Addressing & Routing
/interface vlan
add interface=BR1 name=Management-Vlan172 vlan-id=172
/ip address add address=172.16.0.30/26 interface=Management-Vlan172
/ip route add distance=1 gateway=172.16.0.1
# VLAN Security
/interface bridge port
# Only allow ingress packets without tags on Access Ports
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2]
# Only allow ingress packets WITH tags on Trunk Ports
/interface bridge port set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]
#Mac Server settings
/interface list add name=BASE
/interface list member add interface=Management-Vlan172 list=BASE
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE
/interface bridge set BR1 vlan-filtering=yes
After doing this the config on the ap looks like this:
# jan/02/1970 02:56:28 by RouterOS 7.6
# software id = ZB9L-KM9R
#
# model = RBcAPGi-5acD2nD
# serial number = HD20854X659
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=germany disabled=no \
frequency=2417 mode=ap-bridge skip-dfs-channels=all ssid=User-2G vlan-id=\
7 vlan-mode=use-tag wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=germany disabled=no \
mode=ap-bridge skip-dfs-channels=all ssid=User-5G vlan-id=7 vlan-mode=\
use-tag wireless-protocol=802.11
/interface vlan
add interface=BR1 name=Management-Vlan172 vlan-id=172
add interface=BR1 name=User-Vlan7 vlan-id=7
/interface list
add include=all name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan1 pvid=7
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan2 pvid=7
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=BASE lldp-med-net-policy-vlan=1
/interface bridge vlan
add bridge=BR1 tagged=ether1,BR1 vlan-ids=172
add bridge=BR1 tagged=ether1,BR1 untagged=wlan1,wlan2 vlan-ids=7
/interface list member
add interface=BR1 list=BASE
/ip address
add address=172.16.0.30/26 interface=Management-Vlan172 network=172.16.0.0
add address=192.168.0.2/21 interface=User-Vlan7 network=192.168.0.0
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.0.1 pref-src=\
"" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system identity
set name=AccessPoint-WZ
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
So far so good…
I can now reach the management address 172.16.0.30 and the user interface 192.168.0.2 from outside. (Ping and webgui works)
Both addresses are now available on ether1 of the access point.
Unfortunately I still get an error when connecting to wlan1 and wlan2.
Have I overlooked something here?
(1) Yeah why are you putting vlan information WITHIN the wifi settings, should be REMOVED.
attaching vlans to wlans is done by settings at (which seem to be well done by the way)
/interface bridge port
/interface bridge vlan
(2) Why do you have address information for the vlans on the Access point, that is done on the main router ??? NOT REQUIRED
/ip address
add address=172.16.0.30/26 interface=Management-Vlan172 network=172.16.0.0
add address=192.168.0.2/21 interface=User-Vlan7 network=192.168.0.0
to 1: ok understand, is now removed.
to 2: ok, for 192.168.0.2/21 I understand this, because if a device is using wlan1 or 2 it then gets a DHCP address over the network from the router.
But the management VLAN has no DHCP, it's statically based. How should I reach the webgui of the AP without the static IP?
# jan/02/1970 01:19:17 by RouterOS 7.6
# software id = ZB9L-KM9R
#
# model = RBcAPGi-5acD2nD
# serial number = HD20854X659
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=germany disabled=no \
frequency=2417 mode=ap-bridge skip-dfs-channels=all ssid=User-2G \
wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=germany disabled=no \
mode=ap-bridge skip-dfs-channels=all ssid=User-5G wireless-protocol=\
802.11
/interface vlan
add interface=BR1 name=Management-Vlan172 vlan-id=172
add interface=BR1 name=User-Vlan7 vlan-id=7
/interface list
add include=all name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan1 pvid=7
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan2 pvid=7
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=BASE lldp-med-net-policy-vlan=1
/interface bridge vlan
add bridge=BR1 tagged=ether1,BR1 vlan-ids=172
add bridge=BR1 tagged=ether1,BR1 untagged=wlan1,wlan2 vlan-ids=7
/interface list member
add interface=BR1 list=BASE
/system identity
set name=AccessPoint-WZ
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
- you define vlan172 as being attached to the bridge, done!
- you assign the vlan to the interface list of base. ( not the bridge )
- you set neighbours discovery to interface list of BASE ( drop the fancy stuff vlan1 ???)
- you set mac server winbox server entry to BASE. ( mac server by itself entry is set to NONE, not secure )
- set
/ip dns
set allow-remote-requests=yes servers=172.16.0.1 comment="dns through trusted subnet gateway"
- /ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.0.1 comment="ensures route avail through trusted subnet gateway"
AND MY BAD yes you do need the one address for the device itself, I meant the vlan7 only should be scrapped.
you thus should keep
/ip address
add address=172.16.0.30/26 interface=Management-Vlan172 network=172.16.0.0
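The interface-list advice in the reply above, turned into a check that can be run over an `/export` (an added example, not part of the original post and not MikroTik tooling). It assumes that the interfaces holding an IP address are the management interfaces; `parse_export`, `audit_management_plane` and the sample export are constructed for illustration.

```python
import re
# Constructed sample, trimmed from the kind of export posted in this thread.
SAMPLE_EXPORT = r"""
/interface list
add include=all name=BASE
/ip neighbor discovery-settings
set discover-interface-list=BASE lldp-med-net-policy-vlan=1
/interface list member
add interface=BR1 list=BASE
/ip address
add address=172.16.0.30/26 interface=Management-Vlan172 network=\
    172.16.0.0
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
"""
SERVICES = (("/tool mac-server", "allowed-interface-list"),
            ("/tool mac-server mac-winbox", "allowed-interface-list"),
            ("/ip neighbor discovery-settings", "discover-interface-list"))

def parse_export(text):
    """Map each '/section' to a list of {key: value} dicts, one per command."""
    text = re.sub(r"\\\n\s*", "", text)          # join '\' line continuations
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line and not line.startswith("#") and current is not None:
            current.append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return sections

def audit_management_plane(text):
    """Return findings about which interfaces expose MAC services and discovery."""
    s = parse_export(text)
    # Assumption: interfaces carrying an IP address are the management interfaces.
    mgmt = {a["interface"] for a in s.get("/ip address", []) if "interface" in a}
    refs = [(sec, cmd.get(key)) for sec, key in SERVICES for cmd in s.get(sec, [])]
    findings = [f"{sec}: MAC Telnet allowed on list {name}"
                for sec, name in refs if sec == "/tool mac-server" and name != "none"]
    used = {name for _, name in refs} - {None, "none"}   # lists the services rely on
    for lst in s.get("/interface list", []):
        if lst.get("name") in used and "include" in lst:
            findings.append(f"list {lst['name']}: include={lst['include']}")
    for m in s.get("/interface list member", []):
        if m.get("list") in used and m.get("interface") not in mgmt:
            findings.append(f"list {m['list']}: member {m['interface']} is not a management interface")
    return findings
```

An export leaves out settings that are still at their defaults, so a section missing from the export produces no finding here and should be checked on the device itself.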
Many Many Thx !!! Now it is working
Hello me again…
I was able to expand my config so far and it works as learned.
What bothers me now is that when I connect the AP to the switch trunk, it starts to flap after a while. It also disappears after a short time, but it’s really annoying.
Without the AP, everything runs normally.
Any ideas?
Ping From PC to DNS Server:

AP Config:
# jan/02/1970 00:04:37 by RouterOS 7.6
# software id = ZB9L-KM9R
#
# model = RBcAPGi-5acD2nD
# serial number = HD20854X659
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=Guest-Vlan15 vlan-id=1
add interface=BR1 name=IOT-Vlan39 vlan-id=39
add interface=BR1 name=Kameras-Vlan31 vlan-id=31
add interface=BR1 name=Management-Vlan172 vlan-id=172
add interface=BR1 name=User-Vlan7 vlan-id=7
/interface list
add include=all name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=IOT \
supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name=User \
supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name=Guest \
supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=germany disabled=no \
frequency=2417 mode=ap-bridge security-profile=User skip-dfs-channels=all \
ssid=R2D2-User wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=germany disabled=no \
mode=ap-bridge security-profile=User skip-dfs-channels=all ssid=R2D2-User \
wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=1A:FD:74:92:5D:F0 \
master-interface=wlan1 multicast-buffering=disabled name=wlan3 \
security-profile=Guest ssid=R2D2-Guest wds-cost-range=0 wds-default-cost=\
0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=1A:FD:74:92:5D:F1 \
master-interface=wlan2 multicast-buffering=disabled name=wlan4 \
security-profile=Guest ssid=R2D2-Guest wds-cost-range=0 wds-default-cost=\
0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=1A:FD:74:92:5D:F2 \
master-interface=wlan1 multicast-buffering=disabled name=wlan5 \
security-profile=IOT ssid=R2D2-IOT wds-cost-range=0 wds-default-cost=0 \
wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=1A:FD:74:92:5D:F3 \
master-interface=wlan2 multicast-buffering=disabled name=wlan6 \
security-profile=IOT ssid=R2D2-IOT wds-cost-range=0 wds-default-cost=0 \
wps-mode=disabled
add keepalive-frames=disabled mac-address=1A:FD:74:92:5D:F4 master-interface=\
wlan1 multicast-buffering=disabled name=wlan7 ssid=R2D2-Kameras \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add keepalive-frames=disabled mac-address=1A:FD:74:92:5D:F5 master-interface=\
wlan2 multicast-buffering=disabled name=wlan8 ssid=R2D2-Kameras \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan1 pvid=7
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan2 pvid=7
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan3 pvid=15
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan4 pvid=15
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan5 pvid=39
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan6 pvid=39
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan7 pvid=31
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan8 pvid=31
/ip neighbor discovery-settings
set discover-interface-list=BASE lldp-med-net-policy-vlan=1
/interface bridge vlan
add bridge=BR1 tagged=ether1,BR1 vlan-ids=172
add bridge=BR1 tagged=ether1,BR1 untagged=wlan1,wlan2 vlan-ids=7
add bridge=BR1 tagged=BR1,ether1 vlan-ids=1
add bridge=BR1 tagged=BR1,ether1 untagged=wlan3,wlan4 vlan-ids=15
add bridge=BR1 tagged=BR1,ether1 untagged=wlan5,wlan6 vlan-ids=39
add bridge=BR1 tagged=BR1,ether1 untagged=wlan7,wlan8 vlan-ids=31
/interface list member
add interface=BR1 list=BASE
/ip address
add address=172.16.0.30/26 interface=Management-Vlan172 network=172.16.0.0
/ip dns
set allow-remote-requests=yes servers=172.16.0.1
/ip route
add comment="ensures route avail through trusted subnet gateway" disabled=no \
dst-address=0.0.0.0/0 gateway=172.16.0.1
/snmp
set enabled=yes trap-target=0.0.0.0
/system identity
set name=AccessPoint-WZ
/system logging
add topics=wireless,debug
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
The switch runs SwitchOS


Try on bridge setting STP mode to RSTP from none, and if that doesn't work try MSTP. If that doesn't help, no other ideas.
Thx, I will try it
Both options are not working
Hmmm, so the router is not connected directly to the AP, it's connected to an MT switch lite and then to the AP??
yes that's right…
But I found the problem now, I have a faulty LACP bonding between two switches which was the reason for the flaps.
Phew…