Multi VLAN + router on a stick

Hi.

I have read the following VLAN article: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
I know what a VLAN is and how it works, but I cannot make it work.

I have the following configuration on the AP:

[admin@MikroTik] > /interface print 
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0  RS ether1                              ether            1500  1598       9214 74:00:00:00:00:E1
 1   S ether2                              ether            1500  1598       9214 74:00:00:00:00:E2
 2   S wlan1                               wlan             1500  1600       2290 74:00:00:00:00:E3
 3  XS wlan2                               wlan             1500  1600       2290 74:00:00:00:00:E4
 4     wlan3                               wlan             1500  1600       2290 76:00:00:00:00:E3
 5     wlan4                               wlan             1500  1600       2290 76:00:00:00:00:E4
 6     wlan5                               wlan             1500  1600       2290 76:00:00:00:00:E5
 7  R  ;;; defconf
       bridge                              bridge           1500  1598            74:00:00:00:00:E1
 8  R  vlan1                               vlan             1500  1594            74:00:00:00:00:E1
 9  R  vlan10                              vlan             1500  1594            74:00:00:00:00:E1
10  R  vlan20                              vlan             1500  1594            74:00:00:00:00:E1
11  R  vlan98                              vlan             1500  1594            74:00:00:00:00:E1
12  R  vlan99                              vlan             1500  1594            74:00:00:00:00:E1

Vlan configuration:

[admin@MikroTik] > /interface vlan print 
Flags: X - disabled, R - running 
 #   NAME                                                                    MTU ARP             VLAN-ID INTERFACE                                                                  
 0 R vlan1                                                                  1500 enabled               1 bridge                                                                     
 1 R vlan10                                                                 1500 enabled              10 bridge                                                                    
 2 R vlan20                                                                 1500 enabled              20 bridge                                                                    
 3 R vlan98                                                                 1500 enabled              98 bridge                                                                     
 4 R vlan99                                                                 1500 enabled              99 bridge 

[admin@MikroTik] > /interface vlan print detail  
Flags: X - disabled, R - running 
 0 R name="vlan1" mtu=1500 l2mtu=1594 mac-address=74:00:00:00:00:E1 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s 
     loop-protect-disable-time=5m vlan-id=1 interface=bridge use-service-tag=no 

 1 R name="vlan10" mtu=1500 l2mtu=1594 mac-address=74:00:00:00:00:E1 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s 
     loop-protect-disable-time=5m vlan-id=10 interface=bridge use-service-tag=no 

 2 R name="vlan20" mtu=1500 l2mtu=1594 mac-address=74:00:00:00:00:E1 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s 
     loop-protect-disable-time=5m vlan-id=20 interface=bridge use-service-tag=no 

 3 R name="vlan98" mtu=1500 l2mtu=1594 mac-address=74:00:00:00:00:E1 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s 
     loop-protect-disable-time=5m vlan-id=98 interface=bridge use-service-tag=no 

 4 R name="vlan99" mtu=1500 l2mtu=1594 mac-address=74:00:00:00:00:E1 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s
     loop-protect-disable-time=5m vlan-id=99 interface=bridge use-service-tag=no

I have 5 VLANs and 4 active SSIDs (test5Ghz is disabled): home, children, etc.

[admin@MikroTik] > /interface wireless print 
Flags: X - disabled, R - running 
 0    name="wlan1" mtu=1500 l2mtu=1600 mac-address=74:00:00:00:00:E3 arp=enabled interface-type=IPQ4019 mode=ap-bridge ssid="test" frequency=auto band=2ghz-onlyn 
      channel-width=20/40mhz-XX secondary-channel="" scan-list=default wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1 wds-mode=disabled wds-default-bridge=none 
      wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no security-profile=test 
      compression=no 

 1 X  name="wlan2" mtu=1500 l2mtu=1600 mac-address=74:00:00:00:00:E4 arp=enabled interface-type=IPQ4019 mode=ap-bridge ssid="test5Ghz" frequency=auto band=5ghz-a/n/ac 
      channel-width=20/40/80mhz-XXXX secondary-channel="" scan-list=default wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1 wds-mode=disabled wds-default-bridge=none 
      wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no security-profile=test
      compression=no 

 2    name="wlan3" mtu=1500 l2mtu=1600 mac-address=76:00:00:00:00:E3 arp=enabled interface-type=virtual master-interface=wlan1 mode=ap-bridge ssid="test-guest" vlan-mode=no-tag 
      vlan-id=98 wds-mode=disabled wds-default-bridge=bridge wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0 
      default-client-tx-limit=0 hide-ssid=no security-profile=test-guest 

 3    name="wlan4" mtu=1500 l2mtu=1600 mac-address=76:00:00:00:00:E4 arp=enabled interface-type=virtual master-interface=wlan1 mode=ap-bridge ssid="test2" vlan-mode=use-tag 
      vlan-id=20 wds-mode=disabled wds-default-bridge=bridge wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0 
      default-client-tx-limit=0 hide-ssid=no security-profile=test

 4    name="wlan5" mtu=1500 l2mtu=1600 mac-address=76:00:00:00:00:E5 arp=enabled interface-type=virtual master-interface=wlan1 mode=ap-bridge ssid="test-iot" vlan-mode=no-tag 
      vlan-id=99 wds-mode=disabled wds-default-bridge=bridge wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0 
      default-client-tx-limit=0 hide-ssid=yes security-profile=test-iot

As you can see, wlan3, wlan4 and wlan5 are virtual interfaces with wlan1 as the master interface.
A DHCP server is running per VLAN on the router (router-on-a-stick configuration). Not sure if it is important: the router is a physical pfSense device.
The AP is connected to a TP-Link switch, so I have the following:

CAP AP (eth1) —trunk—> TPLink —trunk—> pfsense

Only wlan1 works and passes DHCP. wlan3, wlan4 and wlan5 don't work: no DHCP, but I can authenticate to all SSIDs.

I am not sure about the configuration and I have a couple of questions:

  • Is the wlan3-5 configuration correct? Should they be configured as virtual interfaces with wlan1 (interface-type=IPQ4019) as the master interface?
  • Is it possible to assign a VLAN on the wlan1 interface (interface-type=IPQ4019)? I cannot see such an option in the GUI.
  • I cannot remove the SSID from wlan1, so I assume the default VLAN 1 is assigned to wlan1. I don't need VLAN 1, as my home VLAN is VLAN 20. What can I do?
  • wlan3-5 VLAN mode: should that be configured as no-tag or use-tag? My understanding is that an SSID works like an access port, so it should be use-tag??
  • How can I configure a static IP to manage the AP, let's say on VLAN 20? I can access the AP on VLAN 1 but not on VLAN 20.
  • Should the VLAN interfaces be assigned to the bridge interface or to wlanX, reflecting the correlation VLANX -> wlanX, so VLAN 20 -> wlan4?

Thanks

> I have read the following VLAN article: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

You may have read it, but judging from the questions at the end of your post I have doubts that you understood the article.

Anyway, post your configuration as printed by the command /export hide-sensitive ... all of it; only redact any data that might be too sensitive.

> You may have read it, but judging from the questions at the end of your post I have doubts that you understood the article.

I will not argue about it :slight_smile:

Here is my /export:

[admin@MikroTik] > /export 
# apr/18/2020 13:41:05 by RouterOS 6.46.5
# software id = X3MP-7PP1
#
# model = RBcAPGi-5acD2nD
# serial number = B.............
/interface bridge
add admin-mac=74:00:00:00:00:E1 auto-mac=no comment=defconf name=bridge

/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan10 vlan-id=10

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=test supplicant-identity=MikroTik wpa2-pre-shared-key="00000000"
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=test-guest supplicant-identity=MikroTik wpa2-pre-shared-key=00000000
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=test-iot supplicant-identity=MikroTik wpa2-pre-shared-key="0000000"

/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-onlyn channel-width=20/40mhz-XX country=no_country_set disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower installation=indoor mode=ap-bridge security-profile=test ssid=test \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=no_country_set distance=indoors frequency=auto frequency-mode=manual-txpower mode=ap-bridge security-profile=test ssid=test5Ghz wireless-protocol=802.11
add disabled=no mac-address=76:00:00:00:00:E3 master-interface=wlan1 name=wlan3 security-profile=test-guest ssid=test-guest vlan-id=98 wds-default-bridge=bridge wps-mode=disabled
add disabled=no mac-address=76:00:00:00:00:E4 master-interface=wlan1 name=wlan4 security-profile=test ssid=test vlan-id=20 vlan-mode=use-tag wds-default-bridge=bridge wps-mode=disabled
add disabled=no hide-ssid=yes mac-address=76:00:00:00:00:E5 master-interface=wlan1 name=wlan5 security-profile=test-iot ssid=test-iot vlan-id=99 vlan-mode=use-tag wds-default-bridge=bridge wps-mode=disabled

/interface vlan
add interface=wlan4 name=vlan20 vlan-id=20
add interface=wlan3 name=vlan98 vlan-id=98
add interface=wlan5 name=vlan99 vlan-id=99

/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot

/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp

/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2

/ip address
add address=192.168.20.252/24 comment="Access from test newtwork" interface=wlan4 network=192.168.20.0

/ip dhcp-client
add comment=defconf disabled=no interface=bridge

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes

/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote

/system clock
set time-zone-name=Europe/London

/system routerboard mode-button
set enabled=yes on-event=dark-mode

/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "

You don't have the slave wlan interfaces connected to the rest of the L2 network.

Scrap the vlan interfaces vlan20, vlan98 and vlan99. Add the interfaces wlan3, wlan4 and wlan5 to the bridge. And set vlan-mode=use-tag on wlan3 (I'm missing it).

As I said: you didn't exactly understand the article about VLANs ... your VLAN setup is missing a lot; as it stands the whole device is mostly VLAN-ignorant. Which means that after you implement the bare minimum changes, your setup might seem to work, but VLANs will be bleeding all over the place.

I'm not willing to write the correct setup for you (some consultant would be more than happy to do it). However, I'm sure that you could do it yourself. Take your high-level requirements and read the article again ... a few times if necessary. Try to chart the setup on paper (draw some lines connecting interfaces by VLAN, think about what needs to be configured, etc.). If you have some questions, we'll be happy to explain things to you.

You’ll get there, but the path is going to be steep :wink:

Thanks mkx. Much appreciated.

It looks like the main issue was the missing link between the bridge and the wlanX interfaces.
That part works fine now.

I don't understand what you meant by this:

> ... your VLAN setup is missing a lot; as it stands the whole device is mostly VLAN-ignorant. Which means that after you implement the bare minimum changes, your setup might seem to work, but VLANs will be bleeding all over the place ...

If I understand correctly, the cAP is basically a router with an AP, so I could do inter-VLAN routing on the device? I have a router, so I will not go crazy here, just asking :slight_smile:
What I wanted is just simple client SSID auth with frames being tagged based on the SSID and its assigned VLAN ID. It looks to be working fine; I might be missing something. MikroTik has so many options that I don't feel totally comfortable with it.

Looking at the Wireshark dump, all frames are tagged as they should be, IMO:
[screenshot: wireshark-vlan20.png]
[screenshot: wireshark-vlan98.png]
Going back to my questions from the first post:

  • Is it possible to assign a specific VLAN on the wlan1 interface?
  • If I cannot disable or remove the SSID name from wlan1, and it looks like the assigned VLAN is the default VLAN 1: any idea what I can do with it apart from hiding the SSID?

If you have some wired devices connected to your cAP ac, they will be able to see (and mess with) all VLANs. I guess that's intended for the interface towards the router; is it for the other ether interface as well?
  • You can set VLAN properties on the master wlan interface just like you did on the slave interfaces ... this doesn't interfere with the slaves in any way.
  • The idea is to use the master wlan interface "productively", with real settings (e.g. SSID etc.) ... not only as a hardware layer for the slaves. Slave interfaces are needed to add additional wifi "networks", not to replace the one offered by the master interface.
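A VLAN-aware version of the cAP's bridge configuration that follows the two replies above (drop the per-wlan vlan interfaces, put wlan3-5 in the bridge with vlan-mode=use-tag, give the master wlan1 a VLAN as well, and keep the unused wired port off the trunk). This is an added example, not configuration from the thread or from MikroTik; it assumes RouterOS 6.4x bridge VLAN filtering, the VLAN IDs from the first export (20 home, 98 guest, 99 IoT), management on VLAN 20 with the static address 192.168.20.252 from the export, 192.168.20.1 as the pfSense gateway (assumed), ether1 as the trunk and ether2 unused.

```routeros
# Added example: VLAN-aware bridge on the cAP ac for a router-on-a-stick
# topology (pfSense routes and serves DHCP per VLAN).
# Assumptions: VLAN 20 = home + AP management, 98 = guest, 99 = IoT;
# ether1 = trunk to the switch, ether2 = unused, pfSense = 192.168.20.1.
# Run it from a console session (or Safe Mode in WinBox): the last step
# changes how the AP is reached.

# 1. Drop every /interface vlan entry (the ones bound to wlanX, plus the
#    unused vlan1/vlan10). A single vlan20 on the bridge is recreated below
#    for management only.
/interface vlan
remove [ find ]

# 2. The wireless driver tags frames per SSID. The master wlan1 gets a VLAN
#    too; the virtual SSIDs keep the IDs from the export. wlan4 duplicates
#    VLAN 20 once wlan1 carries the home SSID and can be disabled.
/interface wireless
set wlan1 vlan-mode=use-tag vlan-id=20
set wlan3 vlan-mode=use-tag vlan-id=98
set wlan4 vlan-mode=use-tag vlan-id=20
set wlan5 vlan-mode=use-tag vlan-id=99

# 3. Every SSID becomes a bridge port. Only tagged frames are accepted from
#    the trunk and from the wireless side, so the bridge never forwards a
#    frame on the default untagged VLAN 1.
/interface bridge port
add bridge=bridge interface=wlan3
add bridge=bridge interface=wlan4
add bridge=bridge interface=wlan5
set [ find interface=ether1 ] frame-types=admit-only-vlan-tagged ingress-filtering=yes
set [ find interface~"^wlan" ] frame-types=admit-only-vlan-tagged ingress-filtering=yes

# 4. Bridge VLAN table: each VLAN is tagged on the trunk and on the SSIDs
#    that carry it. "bridge" itself is a tagged member of VLAN 20 so the
#    CPU (management) can be reached there and nowhere else.
/interface bridge vlan
add bridge=bridge vlan-ids=20 tagged=bridge,ether1,wlan1,wlan4
add bridge=bridge vlan-ids=98 tagged=ether1,wlan3
add bridge=bridge vlan-ids=99 tagged=ether1,wlan5

# 5. Static management address on VLAN 20, replacing the DHCP client on the
#    untagged bridge (which will no longer carry any traffic).
/interface vlan
add interface=bridge name=vlan20 vlan-id=20
/ip address
add address=192.168.20.252/24 interface=vlan20 network=192.168.20.0
/ip dhcp-client
remove [ find interface=bridge ]
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.20.1

# 6. The unused wired port leaves the bridge and is disabled, so a device
#    plugged into it cannot see (or inject into) every VLAN.
/interface bridge port
remove [ find interface=ether2 ]
/interface ethernet
set ether2 disabled=yes

# 7. Enable filtering last: until now the bridge forwards everything, and an
#    incomplete VLAN table would lock you out.
/interface bridge
set bridge vlan-filtering=yes

# Verify: each wlan port should be a member of exactly one VLAN and ether1
# of all three; hosts learned on a VLAN should appear with that VLAN ID.
/interface bridge vlan print
/interface bridge host print
```

The check after step 7 is the one that matters: if a client on the guest SSID shows up in `/interface bridge host print` with VID 20, or any port appears in the "current-untagged" column of the VLAN table, the bridge is still leaking between VLANs.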

> If you have some wired devices connected to your cAP ac, they will be able to see (and mess with) all VLANs. I guess that's intended for the interface towards the router; is it for the other ether interface as well?

I don't use the other eth1 interface. It is a home installation, so I don't expect ~1 Gbps of traffic that would need both ports.

There are problems though. Either I have something misconfigured or it is the worst AP I ever purchased.
I'll start with the following:

  • bandwidth: I have 40/10
  • on cable: 30/10
  • 2.4 GHz: 10/5
  • if idle for some time it will start reconnecting before actually doing anything; super annoying
  • I use macOS, so I downloaded the NetSpot wireless analyser. It shows my old AP's mode correctly (n), but the MikroTik, which is in (n) mode, shows as (b/g/n). If I change the mode on the MikroTik to (g/n), NetSpot shows the correct mode. Looks to be the MikroTik.

I have read some articles about performance tuning, and the config I have is as follows:

/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-onlyn country=no_country_set disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower mode=ap-bridge security-profile=test ssid=test wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=no_country_set distance=indoors frequency=auto frequency-mode=manual-txpower installation=indoor mode=ap-bridge security-profile=test ssid=test5Ghz \
    wireless-protocol=802.11

add disabled=no mac-address=76::::::::E3 master-interface=wlan1 name=wlan3 security-profile=test2 ssid=test2 vlan-id=20 vlan-mode=use-tag wds-default-bridge=bridge wps-mode=disabled
add disabled=no mac-address=76::::::::E4 master-interface=wlan1 name=wlan4 security-profile=test-guest ssid=test-guest vlan-id=98 vlan-mode=use-tag wds-default-bridge=bridge wps-mode=disabled

So 2.4 GHz N-only and 20 MHz channel width; nothing fancy. What am I missing here?

There is not much difference if I disconnect the other AP at home. Anyway, they are on separate channels: the MikroTik on 3 and the other AP on 11.
[screenshot: Screenshot 2020-04-21 at 10.51.42.png]
Anything I can do to improve the bandwidth and make it more stable? The AP is about 3 meters away from my laptop, just to exclude walls etc.

For my taste, the channel is much too noisy ... -68 dBm of noise (if I interpret the table right) is screaming; it should be lower than -90 dBm. And the signal strength from the AP (-30 dBm) is too high as well: you can have problems understanding somebody shouting in your ear even though distant listeners can understand that person just fine.

For me, optimal WiFi conditions are: signal strength between -40 dBm and -60 dBm with a noise floor lower than -90 dBm. Anything outside these boundaries can cause one of the devices to perform badly, and if one of the peers under-performs, the whole link sucks.