Need Help Configuring Hotspot & AP VLAN

Hello & Thank You!

I have 2 Mikrotik CRS124-24G-1S-2HnD - 1 is configured as the main ROUTER and runs all the network logic (2 DHCP Servers, Hotspot Server & Radius. The Radius server only allows guest WiFi access - DHCP is independent). The 2nd mikrotik is utilized as a Managed SWITCH & AP for the Hotspot. There are 3 additional AP appliances - RBcAPGi-5acD2nD-US connected to the Switch on ports 18, 20, 22 - also for the Hotspot. I have 2 VLANs - 1 (default - I’m calling it ‘Office’) & 200 ( ‘Hotspot’).

I have the ROUTER 99% configured (always that last 1%! ) and functional. The only issue I have at this point is guests accessing the internet through the Hotspot fail speedtests - the upload portion is always 0. Something I probably need to add in the firewall. All functionality of the Office VLAN (1) work normally.

The main issue - I’m not quite sure how to configure the SWITCH and APs. I’ve been reading many forum posts - and I thought I had it making sense - but nothing connected would receive a DHCP address (from Hotspot) or be able to ping the Hotspot servers or internet with statically assigned address.

I’ve attached a network diagram and output of the /export hide-sensitive

# apr/03/2019 16:05:40 by RouterOS 6.43.8
# software id = 7B86-7ZL3
#
# model = CRS125-24G-1S-2HnD
# serial number = 49C80458A3D7
/interface bridge
add disabled=yes fast-forward=no name=br-divlan10
add disabled=yes fast-forward=no name=br-divlan20
add disabled=yes name=br-hotspot-wifi vlan-filtering=yes
add admin-mac=4C:5E:0C:92:33:2F auto-mac=no fast-forward=no name=bridge-local \
    vlan-filtering=yes
add name=loopback
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country="united states" disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=OFFICE wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master-local speed=100Mbps
set [ find default-name=ether3 ] name=ether3-slave-local speed=100Mbps
set [ find default-name=ether4 ] name=ether4-slave-local speed=100Mbps
set [ find default-name=ether5 ] name=ether5-slave-local speed=100Mbps
set [ find default-name=ether6 ] name=ether6-slave-local speed=100Mbps
set [ find default-name=ether7 ] name=ether7-slave-local speed=100Mbps
set [ find default-name=ether8 ] name=ether8-slave-local speed=100Mbps
set [ find default-name=ether9 ] name=ether9-slave-local speed=100Mbps
set [ find default-name=ether10 ] name=ether10-slave-local speed=100Mbps
set [ find default-name=ether11 ] name=ether11-slave-local speed=100Mbps
set [ find default-name=ether12 ] name=ether12-slave-local speed=100Mbps
set [ find default-name=ether13 ] name=ether13-slave-local speed=100Mbps
set [ find default-name=ether14 ] name=ether14-slave-local speed=100Mbps
set [ find default-name=ether15 ] name=ether15-slave-local speed=100Mbps
set [ find default-name=ether16 ] name=ether16-slave-local speed=100Mbps
set [ find default-name=ether17 ] name=ether17-slave-local speed=100Mbps
set [ find default-name=ether18 ] name=ether18-slave-local speed=100Mbps
set [ find default-name=ether19 ] name=ether19-slave-local speed=100Mbps
set [ find default-name=ether20 ] name=ether20-slave-local speed=100Mbps
set [ find default-name=ether21 ] name=ether21-slave-local speed=100Mbps
set [ find default-name=ether22 ] name=ether22-slave-local speed=100Mbps
set [ find default-name=ether23 ] name=ether23-slave-local speed=100Mbps
set [ find default-name=ether24 ] name=ether24-slave-local speed=100Mbps
set [ find default-name=sfp1 ] advertise=10000M-full name=sfp1-slave-local
/interface vlan
add comment="DVR & IP CAMERA" interface=bridge-local name=VLAN100 vlan-id=100
add comment="Hotspot WiFi" interface=bridge-local name=VLAN200 vlan-id=200
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip hotspot profile
set [ find default=yes ] dns-name=daysinn-alice.pcrcloudservices.com \
    hotspot-address=10.5.50.1 login-by=http-chap,https name=hsprof1 \
    nas-port-type=cable radius-accounting=no rate-limit=\
    "2m/8m 10m/25m 7m/18m 30/30 8 1m/4m" ssl-certificate=\
    daysinn-alice_pcrcloudservices_com.crt_0 use-radius=yes
/ip hotspot user profile
set [ find default=yes ] keepalive-timeout=3m mac-cookie-timeout=1d \
    session-timeout=12h shared-users=unlimited
/ip pool
add name=dhcp ranges=192.168.0.101-192.168.0.150
add name=hs-pool-31 ranges=10.5.50.2-10.5.50.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge-local name=default
add address-pool=hs-pool-31 disabled=no interface=VLAN200 lease-time=3h name=\
    hs-dhcp-31
/ip hotspot
add address-pool=hs-pool-31 disabled=no interface=VLAN200 name=hotspot1
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/tool user-manager profile
add name=hotspot-guest name-for-users=hotspot-guests override-shared-users=\
    unlimited owner=admin price=0 starts-at=now validity=0s
/tool user-manager profile limitation
add address-list="" download-limit=3145728B group-name="" ip-pool="" name=\
    limit1 owner=admin transfer-limit=0B upload-limit=512000B uptime-limit=0s
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether5-slave-local
add bridge=bridge-local interface=ether6-slave-local
add bridge=bridge-local interface=ether7-slave-local
add bridge=bridge-local interface=ether8-slave-local
add bridge=bridge-local interface=ether9-slave-local
add bridge=bridge-local interface=ether10-slave-local
add bridge=bridge-local interface=ether11-slave-local
add bridge=bridge-local interface=ether12-slave-local
add bridge=bridge-local interface=ether13-slave-local
add bridge=bridge-local interface=ether14-slave-local
add bridge=bridge-local interface=ether15-slave-local
add bridge=bridge-local interface=ether16-slave-local
add bridge=bridge-local interface=ether17-slave-local
add bridge=bridge-local interface=ether18-slave-local
add bridge=bridge-local interface=ether19-slave-local
add bridge=bridge-local interface=ether20-slave-local pvid=200
add bridge=bridge-local interface=ether21-slave-local pvid=200
add bridge=bridge-local interface=ether22-slave-local pvid=200
add bridge=bridge-local interface=ether23-slave-local pvid=200
add bridge=bridge-local interface=ether24-slave-local pvid=200
add bridge=bridge-local interface=sfp1-slave-local
add bridge=bridge-local interface=VLAN200 pvid=200
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=bridge-local tagged=bridge-local,sfp1-slave-local untagged="ether24\
    -slave-local,ether23-slave-local,ether22-slave-local,ether21-slave-local,e\
    ther20-slave-local" vlan-ids=200
/interface list member
add interface=wlan1 list=discover
add interface=ether2-master-local list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=ether6-slave-local list=discover
add interface=ether7-slave-local list=discover
add interface=ether8-slave-local list=discover
add interface=ether9-slave-local list=discover
add interface=ether10-slave-local list=discover
add interface=ether11-slave-local list=discover
add interface=ether12-slave-local list=discover
add interface=ether13-slave-local list=discover
add interface=ether14-slave-local list=discover
add interface=ether15-slave-local list=discover
add interface=ether16-slave-local list=discover
add interface=ether17-slave-local list=discover
add interface=ether18-slave-local list=discover
add interface=ether19-slave-local list=discover
add interface=ether20-slave-local list=discover
add interface=ether21-slave-local list=discover
add interface=ether22-slave-local list=discover
add interface=ether23-slave-local list=discover
add interface=ether24-slave-local list=discover
add interface=sfp1-slave-local list=discover
add interface=bridge-local list=discover
add list=discover
add interface=br-divlan20 list=discover
add list=discover
add interface=br-divlan10 list=discover
add interface=ether2-master-local list=mactel
add interface=ether3-slave-local list=mactel
add interface=ether4-slave-local list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=ether5-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether6-slave-local list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=ether7-slave-local list=mactel
add interface=ether5-slave-local list=mac-winbox
add interface=ether8-slave-local list=mactel
add interface=ether6-slave-local list=mac-winbox
add interface=ether9-slave-local list=mactel
add interface=ether7-slave-local list=mac-winbox
add interface=ether10-slave-local list=mactel
add interface=ether8-slave-local list=mac-winbox
add interface=ether11-slave-local list=mactel
add interface=ether9-slave-local list=mac-winbox
add interface=ether12-slave-local list=mactel
add interface=ether10-slave-local list=mac-winbox
add interface=ether13-slave-local list=mactel
add interface=ether11-slave-local list=mac-winbox
add interface=ether14-slave-local list=mactel
add interface=ether12-slave-local list=mac-winbox
add interface=ether15-slave-local list=mactel
add interface=ether13-slave-local list=mac-winbox
add interface=ether16-slave-local list=mactel
add interface=ether17-slave-local list=mactel
add interface=ether18-slave-local list=mactel
add interface=ether14-slave-local list=mac-winbox
add interface=ether19-slave-local list=mactel
add interface=ether15-slave-local list=mac-winbox
add interface=ether20-slave-local list=mactel
add interface=ether16-slave-local list=mac-winbox
add interface=ether21-slave-local list=mactel
add interface=ether17-slave-local list=mac-winbox
add interface=ether22-slave-local list=mactel
add interface=ether18-slave-local list=mac-winbox
add interface=ether23-slave-local list=mactel
add interface=ether19-slave-local list=mac-winbox
add interface=ether24-slave-local list=mactel
add interface=sfp1-slave-local list=mactel
add interface=ether20-slave-local list=mac-winbox
add interface=wlan1 list=mactel
add interface=ether21-slave-local list=mac-winbox
add interface=bridge-local list=mactel
add interface=ether22-slave-local list=mac-winbox
add interface=ether23-slave-local list=mac-winbox
add interface=ether24-slave-local list=mac-winbox
add interface=sfp1-slave-local list=mac-winbox
add interface=wlan1 list=mac-winbox
add interface=bridge-local list=mac-winbox
add interface=ether1-gateway list=WAN
/ip address
add address=192.168.0.1/24 comment="default configuration" interface=\
    bridge-local network=192.168.0.0
add address=97.79.173.210/29 interface=ether1-gateway network=xxx.xxx.xxx.xxx
add address=10.5.50.1/24 comment="hotspot network" interface=VLAN200 network=\
    10.5.50.0
add address=192.168.10.1/24 interface=loopback network=192.168.10.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
    ether1-gateway
/ip dhcp-server network
add address=10.5.50.0/24 comment="HOT SPOT - GUEST NETWORK" dns-server=\
    10.5.50.1 gateway=10.5.50.1 netmask=24
add address=192.168.0.0/24 comment="default configuration" gateway=\
    192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=\
    208.67.220.220,208.67.222.222
/ip dns static
add address=192.168.0.1 name=router
/ip firewall address-list
add address=192.168.0.2 comment="Laundry Room - Mikrotik Router 2" list=\
    INTERNAL-OFFICE
add address=192.168.0.11 comment="Building A - Middle Hall - cAP" list=\
    INTERNAL-OFFICE
add address=192.168.0.12 comment="Building B - Middle Hall - cAP" list=\
    INTERNAL-OFFICE
add address=192.168.0.13 comment=\
    "Building A - Back Hall - Front of Laundry - cAP" list=INTERNAL-OFFICE
add address=192.168.0.252 comment="Camera DVR - port 8000" list=\
    INTERNAL-OFFICE
add address=192.168.0.253 comment="Camera DVR - port 8088" list=\
    INTERNAL-OFFICE
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=forward comment="Office Access to Hotspot Resources" \
    disabled=yes in-interface=bridge-local out-interface=br-divlan20
add action=accept chain=forward disabled=yes in-interface=br-divlan20 \
    out-interface=bridge-local
add action=accept chain=input comment=WHITELIST src-address-list=WHITELIST
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related
add action=accept chain=forward comment="default configuration" \
    connection-state=established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.5.50.0/24
add action=netmap chain=dstnat disabled=yes dst-address=xxx.xxxx.xxx.xxx \
    dst-port=8088 protocol=tcp to-addresses=192.168.0.253 to-ports=8088
add action=netmap chain=dstnat comment=\
    "Forwarding to Security Cameras  -- Front DVR (Lorex)" dst-address=\
    xxx.xxxx.xxx.xxx dst-port=35000 protocol=tcp to-addresses=192.168.0.252 \
    to-ports=35000
add action=netmap chain=dstnat dst-address=xxx.xxxx.xxx.xxx dst-port=35001 \
    protocol=udp to-addresses=192.168.0.252 to-ports=35001
add action=netmap chain=dstnat comment="                                      \
    \_                -- Back Laundry Room DVR" dst-address=xxx.xxxx.xxx.xxx \
    dst-port=8088 protocol=tcp to-addresses=192.168.0.253 to-ports=8088
add action=netmap chain=dstnat comment=\
    "OLD SETTINGS Forwarding to Security Cameras" dst-address=xxx.xxx.xxx.xxx\
    dst-port=8000 protocol=tcp to-addresses=192.168.0.252 to-ports=8000
add action=dst-nat chain=dstnat comment="PCR Remote to Network Locations      \
    \_       Laundry Room - Mikrotik Switch w/ WiFi" dst-port=31338 protocol=\
    tcp src-address-list=WHITELIST to-addresses=192.168.0.2
add action=dst-nat chain=dstnat comment="                                     \
    \_                     Building A - Middle Hall - Mikrotik cAP" dst-port=\
    protocol=tcp src-address-list=WHITELIST to-addresses=192.168.0.11
add action=dst-nat chain=dstnat comment="                                     \
    \_                     Building B - Middle Hall - Mikrotik cAP" dst-port=\
    protocol=tcp src-address-list=WHITELIST to-addresses=192.168.0.12
add action=dst-nat chain=dstnat comment="                                     \
    \_                      Building A - Back Hall - Mikrotik cAP" dst-port=\
     protocol=tcp src-address-list=WHITELIST to-addresses=192.168.0.13
/ip hotspot service-port
set ftp disabled=yes
/ip hotspot user
add disabled=yes name=guest server=hotspot1
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
/ip hotspot walled-garden ip
add action=accept comment="DHCP Server" disabled=no dst-address=192.168.10.1 \
    !dst-address-list !dst-port !protocol server=hotspot1 !src-address \
    !src-address-list
add action=accept comment="Office Resources on Hotspot Bridge" disabled=yes \
    !dst-address dst-address-list=INTERNAL-OFFICE !dst-port !protocol server=\
    hotspot1 !src-address !src-address-list
add action=accept disabled=yes !dst-address !dst-address-list !dst-port \
    !protocol server=hotspot1 !src-address src-address-list=INTERNAL-OFFICE
/ip route
add distance=1 gateway=xxx.xxx.xxx.xxx
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/24,65.36.17.210/32
set ssh disabled=yes
set www-ssl certificate=xxx.crt_0 disabled=no
set api disabled=yes
set api-ssl disabled=yes
/lcd
set time-interval=hour
/lcd interface pages
set 0 interfaces=wlan1
/radius
add address=192.168.10.1 service=hotspot
/system clock
set time-zone-name=America/Chicago
/system identity
set name=router
/system ntp client
set enabled=yes primary-ntp=138.68.46.177
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool romon port
add
/tool sniffer
set only-headers=yes
/tool user-manager database
set db-path=user-manager
/tool user-manager profile profile-limitation
add from-time=0s limitation=limit1 profile=hotspot-guest till-time=23h59m59s \
    weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
/tool user-manager router
add coa-port=1700 customer=admin disabled=no ip-address=192.168.10.1 log=\
    auth-ok,auth-fail name=local-router use-coa=no
/tool user-manager user
add customer=admin disabled=no shared-users=unlimited username=daysinn \
    wireless-enc-algo=none wireless-enc-key="" wireless-psk=""

[attachment: Hotspot VLAN.png (network diagram)]

Did you have a read through the mother of all vlan references LOL (not dragons though).
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

You are using a CRS1xx switch. Therefore VLAN configuration is different, at least for the time being, from what CRS3xx and faster processors can do. However, do read the post that anav linked for you. This way you will have the current and modern MikroTik recommendations in your head. It will make the following more clear.

When it comes time to set up Trunk and Access ports on a CRS1xx, it goes something like this. Note that, in your case, you are using all-in-one type devices. So, you might need to add the switch1-cpu as a tagged member for all Trunk ports in the Trunk section. Please study:


###############################################################################
# Recommended reading
# https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching
# https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples
# https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches
# https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#Unknown.2FInvalid_VLAN_filtering
#
# Notes: Start with a reset (/system reset-configuration)
#
# Based on: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
###############################################################################


#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="CRS1xx_Switch"


#######################################
# VLAN Overview
#######################################

# 10 = BLUE
# 20 = GREEN
# 30 = RED
# 99 = BASE (MGMT) VLAN


#######################################
# Bridge
#######################################

# create one bridge
/interface bridge add name=BR1 protocol-mode=none

# add "all" ports to this one bridge
/interface bridge port
add bridge=BR1 interface=ether1
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
# and so on ...


#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior, egress dynamically handled
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether2
add customer-vid=0 new-customer-vid=20 ports=ether3
add customer-vid=0 new-customer-vid=30 ports=ether4


#######################################
#
# -- Trunk Ports --
#
#######################################

# Trunk Ports. L2 switching only, Bridge (aka switch1-cpu) not needed as tagged member (except for BASE_VLAN)
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=10
add tagged-ports=ether1 vlan-id=20
add tagged-ports=ether1 vlan-id=30
add tagged-ports=switch1-cpu,ether1 vlan-id=99


#######################################
# VLAN Security
#######################################

# Set which VLANs apply to which ports
/interface ethernet switch vlan
add ports=ether1,ether2 vlan-id=10
add ports=ether1,ether3 vlan-id=20
add ports=ether1,ether4 vlan-id=30
add ports=switch1-cpu,ether1 vlan-id=99

# drop traffic that does not follow the above port layout
/interface ethernet switch set forward-unknown-vlan=no


#######################################
# IP Addressing & Routing
#######################################

# LAN facing Switch's IP address on a BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.2/24 interface=BASE_VLAN network=192.168.0.0

# The Router's IP this switch will use
/ip route add distance=1 gateway=192.168.0.1


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/interface list add name=BASE
/interface list member add interface=BASE_VLAN list=BASE
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE
(in reply to pcunite)
So would I apply this same configuration on the SWITCH? What would you recommend for the access points?

Access points follow the modern recommendation. The above example, is strictly for CRS1xx switches.

For switch configurations there is a nice review at the recent Austin MUM.
https://mum.mikrotik.com/presentations/US19/presentation_6723_1554716964.pdf

Ok ..thank you for the help everyone. I feel as though I’ve made good progress, I have the ROUTER configured based on anav’s link. Fixed some of the issues I was having earlier and I think it is complete. I have the SWITCH configured as well - but I’m running into some issues - so something is not lining up right.

I have the following settings configured on the SWITCH: 1 VLAN - VLAN99 (Office / MGMT). VLANs 200 & 300 are referenced but not explicitly configured, according to the documentation. I have 2 trunk ports configured, sfp1 & ether1 (for testing). On the switch I have ports 3-8 as VLAN 99, ports 9-16 as VLAN 200, and wlan1 & ports 17-24 as VLAN 300.

When I connect a pc into the Office (vlan99) ports - 8 for example, the pc receives DHCP accesses the internet .. works normally - etc.
When I connect the pc into one of the other Vlan ports - I do not receive an address - and cannot see the DHCP server. If I set a static IP - I can’t ping any server / services on the ROUTER.
Here is the export of the SWITCH:

# apr/09/2019 19:07:19 by RouterOS 6.44.2
# software id = TA99-B27S
#
# model = CRS125-24G-1S-2HnD
# serial number = 78700840970E
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] country="united states" default-forwarding=no \
    disabled=no mode=ap-bridge ssid=MikroTik vlan-id=200 wireless-protocol=\
    802.11
/interface vlan
add interface=BR1 name=VLAN99 vlan-id=99
add disabled=yes interface=BR1 name=VLAN300 vlan-id=300
/interface list
add name=BASE_LIST
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether6 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether7 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether8 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether9 pvid=300
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether10 pvid=300
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether11 pvid=300
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether12 pvid=300
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether13 pvid=300
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether14 pvid=300
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether15 pvid=300
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether16 pvid=300
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether17 pvid=200
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether18 pvid=200
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether19 pvid=200
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether20 pvid=200
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether21 pvid=200
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether22 pvid=200
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether23 pvid=200
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether24 pvid=200
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=sfp1
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=200
/ip neighbor discovery-settings
set discover-interface-list=BASE_LIST
/interface bridge vlan
add bridge=BR1 tagged=BR1,sfp1,ether1 untagged=\
    ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=99
add bridge=BR1 tagged=ether1,sfp1 untagged=\
    ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16 vlan-ids=\
    300
add bridge=BR1 tagged=sfp1,ether1 untagged=\
    ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24,wlan1 \
    vlan-ids=200
/interface list member
add interface=VLAN99 list=BASE_LIST
/ip address
add address=192.168.0.2/24 interface=VLAN99 network=192.168.0.0
/ip dns
set servers=192.168.0.1
/ip route
add distance=1 gateway=192.168.0.1
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=America/Chicago
/system identity
set name=SWITCH
/tool mac-server
set allowed-interface-list=BASE_LIST
/tool mac-server mac-winbox
set allowed-interface-list=BASE_LIST

I’ve combed through the switch - even tried to make the vlans (200 & 300) configured the same way as vlan99 - but nothing had an effect. I don’t know where the block is.

Try changing the bridge interface vlan rule by not tagging the bridge and see if that does anything…
would also like to see config on router too
from
/interface bridge vlan
add bridge=BR1 tagged=BR1,sfp1,ether1 untagged=ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=99
to
/interface bridge vlan
add bridge=BR1 tagged=sfp1,ether1 untagged=ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=99

No routing done just switching so I believe this is the case where tagging bridge is not required. Not sure if it would stop traffic though???

I had it originally without the BR1 - but it didn’t work until I added it.

I got it fixed - thank you for your help anav - and everyone. As it turned out it was a really dumb mistake on my part (I apparently added the ‘test’ trunk - ether1 - to VLAN99 ..but didn’t add it to the other VLANs on the ROUTER - so duh.)

At this point - everything is working well. Despite being an older model - the CPU isn’t spiking too high, and the bandwidth seems good on all vlans.

I may have one firewall issue that I may need help resolving - but I’m still in the process of testing it out.
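The mistake just described (a trunk port tagged in one VLAN but not the others) and the earlier point about BR1 having to be a tagged member of VLAN99 before the switch's own IP worked are both things a script can catch by reading the export before anything is plugged in. The checker below is an added example, not code from this thread or from MikroTik: it parses the `/interface bridge`, `/interface vlan`, `/interface bridge port` and `/interface bridge vlan` sections of an `/export` (rejoining the backslash-continued lines) and reports three inconsistencies. The embedded export is a constructed sample modelled on the switch configuration posted above, not the real one, and it deliberately carries ether1 tagged only in VLAN 99 and a VLAN300 interface on BR1 without BR1 tagged in 300.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the switch export in this thread (not the real
# one, and deliberately carrying the two mistakes the checker looks for).
SAMPLE_EXPORT = r"""
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=VLAN99 vlan-id=99
add interface=BR1 name=VLAN300 vlan-id=300
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether9 pvid=300
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether17 pvid=200
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=sfp1
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1
/interface bridge vlan
add bridge=BR1 tagged=BR1,sfp1,ether1 untagged=ether3 vlan-ids=99
add bridge=BR1 tagged=sfp1 untagged=ether9 vlan-ids=300
add bridge=BR1 tagged=sfp1 untagged=ether17 vlan-ids=200
"""

PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_export(text):
    """Group each 'add' line of an /export under its section path as a dict."""
    # RouterOS wraps long lines with a trailing backslash; the backslash, the
    # newline and the indentation of the next line are all dropped on import.
    text = re.sub(r"\\\n[ \t]*", "", text)
    sections = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
        elif section is not None and line.startswith("add "):
            sections[section].append({k: v.strip('"') for k, v in PAIR.findall(line)})
    return sections


def _members(entry, key):
    """Comma-separated port list -> set (empty when the key is absent)."""
    return set(filter(None, entry.get(key, "").split(",")))


def check_bridge_vlans(text):
    """Return (kind, name, detail) tuples; an empty list means consistent."""
    sections = parse_export(text)
    bridges = {b["name"] for b in sections["/interface bridge"] if "name" in b}
    tagged, untagged = {}, {}
    for row in sections["/interface bridge vlan"]:
        for vid in row.get("vlan-ids", "").split(","):
            tagged.setdefault(vid, set()).update(_members(row, "tagged"))
            untagged.setdefault(vid, set()).update(_members(row, "untagged"))

    findings = []
    # 1. a port cannot be both tagged and untagged in the same VLAN
    for vid in tagged:
        for port in sorted(tagged[vid] & untagged[vid]):
            findings.append(("tagged-and-untagged", port, vid))
    # 2. a trunk (tagged anywhere, the bridge itself excluded) has to be tagged
    #    in every VLAN, otherwise those VLANs silently stop at that port
    all_tagged = set().union(*tagged.values()) if tagged else set()
    for port in sorted(all_tagged - bridges):
        missing = sorted(vid for vid, members in tagged.items() if port not in members)
        if missing:
            findings.append(("trunk-missing-vlans", port, ",".join(missing)))
    # 3. an /interface vlan sitting on the bridge only works when the bridge
    #    (the CPU port) is itself a tagged member of that VLAN
    for iface in sections["/interface vlan"]:
        if iface.get("disabled") == "yes":
            continue
        bridge, vid = iface.get("interface"), iface.get("vlan-id")
        if bridge in bridges and bridge not in tagged.get(vid, set()):
            findings.append(("bridge-not-tagged", iface.get("name", "?"), vid))
    return findings


if __name__ == "__main__":
    for kind, name, detail in check_bridge_vlans(SAMPLE_EXPORT) or [("ok", "-", "-")]:
        print(f"{kind:22} {name:10} {detail}")
```

Run against a real export by reading the file into `check_bridge_vlans`; the checks only look at explicit entries, so dynamic pvid memberships that RouterOS adds at runtime are intentionally out of scope.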

So since enabling the VLAN - I lost all access to my internal services that I had netmapped. Do I need to somehow mark the incoming connections as being part of VLAN99? I don’t see an option on the NAT firewall rules. Do I add a Mangle rule to mark the connection or packets?

Ok ..tracked it down the example router.rsc file - it has a section where you are configuring Firewall settings and it has the following line

add chain=forward action=drop comment="Drop"

I changed this to -

chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no

All functionality is working.
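Why the bare `chain=forward action=drop` line broke the port forwards while the conditioned one does not comes down to first-match evaluation in the forward chain. The following is an added example, not part of this thread or of RouterOS: a deliberately simplified model of the forward chain that parses rules in the same `key=value` syntax as the export, honours `!value` negation, comma lists and the non-terminating `fasttrack-connection` action, and runs both versions of the drop rule against constructed packets. The three rules it starts from are modelled on the default forward rules in the router export earlier in the thread; everything else (rule sets, packet dictionaries) is constructed for the example.

```python
import re

PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
# actions that do not end rule evaluation in RouterOS
NON_TERMINATING = {"fasttrack-connection", "passthrough", "log"}


def parse_rule(line):
    """'add chain=forward action=drop ...' -> dict of matchers plus 'action'."""
    rule = {k: v.strip('"') for k, v in PAIR.findall(line)}
    for key in ("comment", "log"):  # bookkeeping keys, not matchers
        rule.pop(key, None)
    return rule


def rule_matches(rule, packet):
    """Every matcher must hold; '!value' negates, 'a,b' is an any-of list."""
    for key, wanted in rule.items():
        if key in ("action", "disabled"):
            continue
        actual = packet.get(key)
        if wanted.startswith("!"):
            if actual == wanted[1:]:
                return False
        elif actual not in wanted.split(","):
            return False
    return True


def evaluate(rules, packet):
    """First terminating match wins; a chain with no match accepts."""
    for rule in rules:
        if rule.get("disabled") == "yes" or rule.get("chain") != packet["chain"]:
            continue
        if rule_matches(rule, packet):
            if rule["action"] in NON_TERMINATING:
                continue
            return rule["action"]
    return "accept"


# modelled on the default forward rules in the router export above
DEFAULT_FORWARD = [parse_rule(l) for l in (
    "add action=fasttrack-connection chain=forward connection-state=established,related",
    "add action=accept chain=forward connection-state=established,related",
    "add action=drop chain=forward connection-state=invalid",
)]
# the line quoted from the example router.rsc
BROKEN_FORWARD = DEFAULT_FORWARD + [parse_rule('add chain=forward action=drop comment="Drop"')]
# the replacement the OP settled on
FIXED_FORWARD = DEFAULT_FORWARD + [parse_rule(
    "add chain=forward action=drop connection-state=new connection-nat-state=!dstnat "
    "in-interface=ether1-gateway log=no")]

# constructed packets as the forward chain would see them
PORT_FORWARD_SYN = {"chain": "forward", "connection-state": "new",
                    "connection-nat-state": "dstnat", "in-interface": "ether1-gateway"}
UNSOLICITED_SYN = {"chain": "forward", "connection-state": "new",
                   "in-interface": "ether1-gateway"}
REPLY = {"chain": "forward", "connection-state": "established",
         "in-interface": "ether1-gateway"}

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_FORWARD), ("fixed", FIXED_FORWARD)):
        for name, pkt in (("port-forward SYN", PORT_FORWARD_SYN),
                          ("unsolicited SYN", UNSOLICITED_SYN), ("reply", REPLY)):
            print(f"{label:7} {name:17} -> {evaluate(rules, pkt)}")
```

The model shows the difference that matters: with the bare drop, a new connection that dstnat already rewrote (the camera DVR forwards) never reaches an accept and is dropped, whereas the conditioned rule lets it fall through to the chain's default accept while still dropping new, unsolicited connections arriving on ether1-gateway.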