Native VLAN

Hi,
I’m trying to configure a WAP to a Mikrotik router using VLANs. The WAP is on VLAN 11 for management and the SSID is configured on VLAN 10.
How can I define VLAN 11 as the native VLAN so the WAP can connect to the controller and take the configuration?

There are two parts of configuration: tagged trunk ethernet between WAP and the rest of network and VLAN tagging/untagging of traffic travelling over wireless interface.

Please describe in more detail what you aim to achieve, what you have already done and what problem you’re having. Export the current config using /export hide-sensitive and post it here (in a code block for better readability).

My need is to connect the AP directly to the Mikrotik router instead of a switch, with which it worked perfectly. The AP needs to be connected to the controller on VLAN 11 as untagged to take an IP from the DHCP server, take the SSID (VLAN 10) and be managed.
The WAP was able to contact the controller when I configured the Mikrotik port (connected to the WAP) bridged to vlan11, but the issue is that after adding the SSID VLAN, the WAP is no longer connected to the controller, and in some cases it even takes an IP from the Guest pool (VLAN 10).
Below is my configuration:
/interface bridge
add name=bridge1-VLAN10
add name=bridge2-VLAN11
/interface ethernet
set [ find default-name=ether3 ] comment=Ether3 name=CnMaestro
set [ find default-name=ether4 ] comment=Ether4 name=Ether4
set [ find default-name=ether5 ] comment=Ether5 name=Ether5
set [ find default-name=ether2 ] comment=Ether2 name=WAN
set [ find default-name=ether1 ] comment=Ether1 name=WAP
/interface vlan
add interface=WAP name=vlan10 vlan-id=10
add interface=WAP name=vlan11 vlan-id=11
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add dns-name=hotspot.local hotspot-address=10.192.168.1 name=hsprof1
/ip pool
add name=hs-pool-2 ranges=10.192.0.1-10.192.168.0
/ip dhcp-server
add address-pool=hs-pool-2 disabled=no interface=bridge1-VLAN10 lease-time=1h name=dhcp2
/ip hotspot
add address-pool=hs-pool-2 addresses-per-mac=1 interface=bridge1-VLAN10 name=hotspot1 profile=hsprof1

/interface bridge port
add bridge=bridge2-VLAN11 interface=CnMaestro
add bridge=bridge1-VLAN10 interface=Ether4
add bridge=bridge2-VLAN11 interface=Ether5
add bridge=bridge1-VLAN10 interface=vlan10
add bridge=bridge2-VLAN11 interface=vlan11

/ip address
add address=192.168.11.1/24 interface=bridge2-VLAN11 network=192.168.11.0
add address=10.192.168.1/16 interface=bridge1-VLAN10 network=10.192.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=WAN
/ip dhcp-server network
add address=10.192.0.0/16 comment="hotspot network" gateway=10.192.168.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/ip firewall address-list
add address=192.168.30.0/24 list=Local
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=WAN

The configuration assumes that all traffic between this Routerboard and WAP (off ether1 port) is tagged with either VID=10 or VID=11. The configuration is a bit awkward (the modern way of doing it is using a single bridge and properly configured VLAN filtering) but should work nevertheless.

What’s configuration on WAP?

I don’t see clearly what you mean. Is there no solution to have VLAN 11 untagged and VLAN 10 tagged on the same port?
The WAP is configured to broadcast the SSID on VLAN 10, that’s all, and it’s managed on a different VLAN (vlan10).

I’m not sure if I understand your setup right. Is this the way your devices are connected:

  • main router (mikrotik with config you posted)
    Has connections:
    • Internet through ether2 (dynamic IP settings via DHCP client)
    • wireless controller through ether3 - untagged member of VLAN 11?
    • WAP (which device type is it) through ether1 - needs 2 VLANs: 10 and 11 … which tagged and which untagged?
    • ether4 - untagged member of VLAN 10
    • ether5 - untagged member of VLAN 11
  • wireless controller … does it need tagged or untagged connectivity to VLAN (with ID=11 I presume?)
  • WAP with SSID (VLAN ID 10 - tagged?) and management (VLAN ID 11 - tagged or untagged?)

All of that can be configured on RB using single bridge, which is VLAN-aware. But it will come with performance hit (all traffic between ports belonging to same VLAN, tagged or untagged, will go through CPU). Or, if device has decent switch chip, most of things can be offloaded to hardware.

Which particular Routerboard is it?

Yes, this is exactly my setup:

  • Internet through Ether2.
  • wireless controller (Cnmaestro Cambium) through Ether3 (untagged member of VLAN 11 only)
  • WAP (Cambium) through ether1 - needs 2 VLANs (untagged on VLAN 11 to get to the wireless controller, and tagged on VLAN 10).
  • wireless controller needs to be only untagged on VLAN 11.
  • WAP which is connected to ether1 needs to be untagged on VLAN 11 and tagged on VLAN 10.

Which type of Routerboard is your main router?

RB759GL but this one is just for the test, I have CCR 12 ports that will be used later

Using CCR (most likely) means no switch chip. So here’s the config which should be working on both models you mentioned (I’ll use generic interface names, you can change them to whatever you’ll be using):

/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=11
add bridge=bridge interface=ether3 ingress-filtering=yes pvid=11
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether1,ether3 vlan-ids=11
/interface vlan
add name=vlan10 interface=bridge vlan-id=10
add name=vlan11 interface=bridge vlan-id=11

This setup adds L2 connectivity as well as two interfaces available for L3 services on router … you might want to use vlan11 interface for management access to router, while you’ll use vlan10 for routing wireless traffic towards internet (and possibly bind DHCP server for wireless clients).
If you don’t need router access to some VLAN (e.g. you’ll have some other management access instead of VLAN 11), you can omit creation of vlan interface in /interface vlan section and omit bridge as tagged member interface in /interface bridge vlan section.

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table
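
An added example, not written by any participant in this thread: a simplified Python model of how a VLAN-filtering bridge classifies frames on ingress (pvid, frame-types, ingress-filtering) and tags them on egress, loaded with the port and VLAN table values from the configuration above. It ignores dynamic VLAN membership, priority-tagged frames and MAC learning, and all function and variable names are hypothetical.

```python
# Added example: simplified model of ingress/egress on a VLAN-filtering bridge.
from dataclasses import dataclass, replace

UNTAGGED_ONLY = "admit-only-untagged-and-priority-tagged"
TAGGED_ONLY = "admit-only-vlan-tagged"

@dataclass(frozen=True)
class Port:
    pvid: int = 1
    frame_types: str = "admit-all"
    ingress_filtering: bool = False

# Values copied from the /interface bridge port and /interface bridge vlan
# sections of the configuration posted above.
PORTS = {
    "ether1": Port(pvid=11, frame_types=UNTAGGED_ONLY, ingress_filtering=True),
    "ether3": Port(pvid=11, ingress_filtering=True),
}
VLANS = {  # vlan-id -> (tagged members, untagged members)
    10: ({"bridge", "ether1"}, set()),
    11: ({"bridge"}, {"ether1", "ether3"}),
}

def ingress(ports, vlans, port, tag):
    """VLAN a frame is classified into, or None if dropped.
    tag: 802.1Q VID carried by the frame, None if untagged."""
    p = ports[port]
    if tag is None and p.frame_types == TAGGED_ONLY:
        return None                       # untagged frame on a tagged-only port
    if tag is not None and p.frame_types == UNTAGGED_ONLY:
        return None                       # tagged frame on an untagged-only port
    vid = p.pvid if tag is None else tag  # untagged frames take the port's pvid
    tagged, untagged = vlans.get(vid, (set(), set()))
    if p.ingress_filtering and port not in tagged | untagged:
        return None                       # port is not a member of that VLAN
    return vid

def egress(vlans, port, vid):
    """'tagged', 'untagged', or None when the port is not a member of vid."""
    tagged, untagged = vlans.get(vid, (set(), set()))
    if port in untagged:
        return "untagged"
    return "tagged" if port in tagged else None

def with_admit_all(ports, port):
    """Copy of ports with one port switched to frame-types=admit-all."""
    return {**ports, port: replace(ports[port], frame_types="admit-all")}
```

In this model a frame arriving on ether1 tagged with VID 10 is dropped by the frame-types check before the VLAN table is consulted, and is classified into VLAN 10 once the port admits all frame types.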

Thank you for your response;
@mkx: It doesn’t work when I enable vlan-filtering.
Also, I tried to add ether4 as a local laptop guest on VLAN 10 by adding untagged=ether4 to the bridge vlan; when I plug in my laptop I get an IP from the VLAN 11 range, not VLAN 10.

Please post your current full config (place it into [ code ] environment for better readability), you can get it executing command “/export hide-sensitive” (without double quotes) …

/interface ethernet
set [ find default-name=ether3 ] comment=Ether3 name=CnMaestro
set [ find default-name=ether4 ] comment=GUEST-Laptop name=Ether4
set [ find default-name=ether5 ] comment=Ether5 name=Ether5
set [ find default-name=ether2 ] comment=Ether2 name=WAN
set [ find default-name=ether1 ] comment=Ether1 name=WAP

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan11 vlan-id=11

/ip pool
add name=hs-pool-2 ranges=10.192.0.1-10.192.168.0
/ip dhcp-server
add address-pool=hs-pool-2 disabled=no interface=vlan10 lease-time=1h name=dhcp2

/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=WAP pvid=11
add bridge=bridge1 ingress-filtering=yes interface=CnMaestro pvid=11
add bridge=bridge1 interface=Ether4 pvid=10

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,WAP untagged=Ether4 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=WAP,CnMaestro vlan-ids=11

/ip address
add address=192.168.11.1/24 interface=vlan11 network=192.168.11.0
add address=10.192.168.1/16 interface=vlan10 network=10.192.0.0

Let’s pretend that the above is full config. From that I’d say there’s no way to get DHCP lease anything else than from VLAN 10 range:

  1. there’s only one DHCP server bound to vlan10
  2. ether4 is untagged member of vlan10

There are many bits of information missing, such as complete configuration export and context of your LAN (any other devices on any of VLAN).

Sometimes I wonder why I even bother helping people who don’t want to provide us with the information necessary to solve their problem, which might be out of their focus; providing only the information they consider relevant doesn’t help to see the big picture.

Hi,
I did send you the complete configuration; I have just removed what is not necessary: the Hotspot config (too much login info...).
Yes, I have only one DHCP server, which is on VLAN 10; VLAN 11 gets its IPs from the CnMaestro host (ether3), not from the Mikrotik, that’s why you see just one DHCP pool.
I have just applied your configuration as it is; what I have added is untagged ether4 (my local PC) on vlan10, and I wonder why I don’t get the IP from the VLAN 10 DHCP pool and get it from the VLAN 11 pool instead.