No DHCP on Bridge VLAN interface.

RouterOS General
1

I’m almost 99% sure that the issue is not the DHCP, but is more generally that this configuration does not pass traffic on vlan 10, but I’m very grateful for any eyes to see why this doesn’t work:

# 1970-01-02 12:29:59 by RouterOS 7.14.2
# software id = 1J90-DG0X
#
# model = RB952Ui-5ac2nD
add band=5ghz-n/ac name=gizmo-5ghz
add band=2ghz-g/n name=gizmo-2ghz
/interface bridge
add admin-mac=78:9A:18:7E:54:5D auto-mac=no name=br0 vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 5805/20-eeeC/ac(28dBm), SSID: , CAPsMAN forwarding
set [ find default-name=wlan2 ] ssid=MikroTik
/caps-man interface
add disabled=no l2mtu=1600 mac-address=78:9A:18:7E:54:63 master-interface=none name=cap1 radio-mac=78:9A:18:7E:54:63 radio-name=789A187E5463
add disabled=no l2mtu=1600 mac-address=78:9A:18:7E:54:62 master-interface=none name=cap2 radio-mac=78:9A:18:7E:54:62 radio-name=789A187E5462
/interface vlan
add comment="Empty dump network" interface=br0 name=dump0 vlan-id=450
add comment="FMS Network" interface=br0 name=fms0 vlan-id=10
add comment=team451 interface=br0 name=team451 vlan-id=500
add comment=team452 interface=br0 name=team452 vlan-id=501
add comment=team453 interface=br0 name=team453 vlan-id=502
add comment=team454 interface=br0 name=team454 vlan-id=503
add comment=team455 interface=br0 name=team455 vlan-id=504
add comment=team456 interface=br0 name=team456 vlan-id=505
add comment=team457 interface=br0 name=team457 vlan-id=506
add comment=team458 interface=br0 name=team458 vlan-id=507
add comment=team459 interface=br0 name=team459 vlan-id=508
add comment=team460 interface=br0 name=team460 vlan-id=509
add comment=team461 interface=br0 name=team461 vlan-id=510
add comment=team462 interface=br0 name=team462 vlan-id=511
add comment=team463 interface=br0 name=team463 vlan-id=512
add comment=team464 interface=br0 name=team464 vlan-id=513
add comment=team465 interface=br0 name=team465 vlan-id=514
add comment=team466 interface=br0 name=team466 vlan-id=515
add comment=team467 interface=br0 name=team467 vlan-id=516
add comment=team468 interface=br0 name=team468 vlan-id=517
add comment=team469 interface=br0 name=team469 vlan-id=518
add comment=team470 interface=br0 name=team470 vlan-id=519
add comment=team471 interface=br0 name=team471 vlan-id=520
/caps-man datapath
add bridge=br0 local-forwarding=yes name=gizmo vlan-id=10 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team458 vlan-id=507 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team459 vlan-id=508 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team463 vlan-id=512 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team462 vlan-id=511 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team456 vlan-id=505 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team467 vlan-id=516 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team471 vlan-id=520 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team452 vlan-id=501 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team470 vlan-id=519 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team454 vlan-id=503 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team466 vlan-id=515 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team451 vlan-id=500 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team461 vlan-id=510 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team464 vlan-id=513 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team460 vlan-id=509 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team469 vlan-id=518 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team468 vlan-id=517 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team465 vlan-id=514 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team455 vlan-id=504 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team457 vlan-id=506 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team453 vlan-id=502 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team456
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team462
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team454
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team451
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team464
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team465
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team458
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team468
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team459
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team463
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=gizmo
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team467
/caps-man configuration
add channel=gizmo-2ghz country="united states3" datapath=team459 hide-ssid=yes mode=ap name=wifi459 security=team459 ssid=0bfcb3cea0454990b7c5be8c5ee3c53b
add channel=gizmo-2ghz country="united states3" datapath=team451 hide-ssid=yes mode=ap name=wifi451 security=team451 ssid=9efc9d8106f84956ae84dbba7043f587
add channel=gizmo-2ghz country="united states3" datapath=team452 hide-ssid=yes mode=ap name=wifi452 security=team452 ssid=92ad6541f91b409fa9fb3d53f6aa8293
add channel=gizmo-2ghz country="united states3" datapath=team464 hide-ssid=yes mode=ap name=wifi464 security=team464 ssid=5e77cad891f7435a8978e3a0a8774d85
add channel=gizmo-2ghz country="united states3" datapath=team457 hide-ssid=yes mode=ap name=wifi457 security=team457 ssid=ffb4b0958a4a4fb6883bd8d921c536ae
add channel=gizmo-2ghz country="united states3" datapath=team470 hide-ssid=yes mode=ap name=wifi470 security=team470 ssid=44b07071900f4795933a14d7f61c7b8a
add channel=gizmo-2ghz country="united states3" datapath=team454 hide-ssid=yes mode=ap name=wifi454 security=team454 ssid=cc20e808dfb84d549326616503c3bc26
add channel=gizmo-2ghz country="united states3" datapath=team456 hide-ssid=yes mode=ap name=wifi456 security=team456 ssid=24bb6836e9814791a2e46d1b942fb802
add channel=gizmo-2ghz country="united states3" datapath=team471 hide-ssid=yes mode=ap name=wifi471 security=team471 ssid=d5d0701b3f04437fbc675eae0b029f77
add channel=gizmo-2ghz country="united states3" datapath=team460 hide-ssid=yes mode=ap name=wifi460 security=team460 ssid=397f4eeea4b840ce90a07b3d82f93cd8
add channel=gizmo-2ghz country="united states3" datapath=team467 hide-ssid=yes mode=ap name=wifi467 security=team467 ssid=b4a78ab7b23d4d78b39f175728259235
add channel=gizmo-2ghz country="united states3" datapath=team463 hide-ssid=yes mode=ap name=wifi463 security=team463 ssid=88d6a1f393bf4979b48fd89f015836b1
add channel=gizmo-2ghz country="united states3" datapath=team468 hide-ssid=yes mode=ap name=wifi468 security=team468 ssid=f5a94bc1796c41e4b37033e67388d0df
add channel=gizmo-2ghz country="united states3" datapath=team455 hide-ssid=yes mode=ap name=wifi455 security=team455 ssid=28504f77b3c24ea08ffd04e2c56cb6ef
add channel=gizmo-2ghz country="united states3" datapath=team458 hide-ssid=yes mode=ap name=wifi458 security=team458 ssid=a3e8f24067d242f8aff680342cc6fe4e
add channel=gizmo-2ghz country="united states3" datapath=team466 hide-ssid=yes mode=ap name=wifi466 security=team466 ssid=8868daad755043a38e73432d0aae7d8e
add channel=gizmo-2ghz country="united states3" datapath=team469 hide-ssid=yes mode=ap name=wifi469 security=team469 ssid=ae0b61d58672400382a66daab98324e7
add channel=gizmo-2ghz country="united states3" datapath=team453 hide-ssid=yes mode=ap name=wifi453 security=team453 ssid=4f4abdece82745f199dbdc75a686e015
add channel=gizmo-2ghz country="united states3" datapath=team461 hide-ssid=yes mode=ap name=wifi461 security=team461 ssid=54ae163ca19a4f5890df9b34e54b63fe
add channel=gizmo-2ghz country="united states3" datapath=gizmo hide-ssid=no mode=ap name=gizmo-2ghz security=gizmo ssid=gizmo
add channel=gizmo-5ghz country="united states3" datapath=gizmo hide-ssid=no mode=ap name=gizmo-5ghz security=gizmo ssid=gizmo
add channel=gizmo-2ghz country="united states3" datapath=team465 hide-ssid=yes mode=ap name=wifi465 security=team465 ssid=67be3b52c1d9457e95c1f31db31c6fd1
add channel=gizmo-2ghz country="united states3" datapath=team462 hide-ssid=yes mode=ap name=wifi462 security=team462 ssid=ec33bef9ee8e46c295decdd6746d8ff7
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/user group
add name=readonly policy=ssh,read,web,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!sniff,!sensitive,!api,!romon,!rest-api
/caps-man manager
set enabled=yes upgrade-policy=require-same-version
/caps-man provisioning
add action=create-dynamic-enabled comment=gizmo-5ghz hw-supported-modes=ac master-configuration=gizmo-5ghz
add action=create-dynamic-enabled comment=gizmo-2ghz hw-supported-modes=gn master-configuration=gizmo-2ghz
/interface bridge port
add bridge=br0 interface=ether1 pvid=10
add bridge=br0 interface=ether4 pvid=450
add bridge=br0 interface=ether5 pvid=450
add bridge=br0 interface=ether3 pvid=450
add bridge=br0 interface=ether2 pvid=450
/interface bridge vlan
add bridge=br0 comment=Uplink untagged=ether1 vlan-ids=10
add bridge=br0 tagged=ether1 vlan-ids=500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520
add bridge=br0 comment="Bridge Networks" tagged=br0 vlan-ids=500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520
/interface wireless cap
# 
set discovery-interfaces=br0 enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
add interface=ether1
add comment="Internal Upstream" interface=fms0 use-peer-dns=no use-peer-ntp=no
/ip service
set telnet disabled=yes port=21
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=self disabled=no
set api disabled=yes port=8278
set winbox disabled=yes
set api-ssl disabled=yes
/system identity
set name=gizmo-field-1
/system note
set show-at-login=no

I apply this config in 2 phases, with the first phase pushing everything as above, but with the bridge port disabled for ether1, and then the second phase is enabling ether1 as a bridge port. Since this causes a momentary loss of connection, I make sure the entire config is loaded before doing it. The hAP does not seem to recover its address though after enabling the bridge port. What I expect to happen is that the dhcp client directly on ether1 will become inactive, the client on fms0 will become active and solicit a lease, and then the bridge will be able to pass traffic on vlan 10 via the untagged port ether1, while other traffic flows out tagged on ether1.

2

Looks like DHCP server is confused with vlans in regard that the former cannot determine which interface to assign an address to after enabling according bridges. I advise to overlook vlans themselves to resolve the issue.

3

Two things strike me:

  1. you only mention adding ether1 to bridge br0 as port in step #2. You don’t mention enabling vlan-filtering on br0? Without it, pvid setting doesn’t get enforced.
  2. The VLAN table definition is borked. Most important: you have to add bridge port as tagged VLAN member for all VLANs that CPU has to communicate with (in your case VID 10 for ROS’ IP stack and all VIDs used for APs, CPU handles traffic over wireless although it’s L2). Slightly less important: you don’t need VLAN interfaces if ROS’ IP stack won’t talk to those VLANs (i.e. all but VID 10).

AFAIK the second quoted command will fail. VLAN table under /interface/bridge/vlan is about VLANs and by executing add you’re adding table entry with (until now) new VID. Setting port membership is secondary. So: your second command is trying to add VIDs which are already present in the VLAN table.
Or in other words: sane VID can not be used in multiple add stanzas, however port can be used in many stanzas.
You should rewrite these three rules into:

add bridge=br0 tagged=br0 untagged=ether1 vlan-ids=10
add bridge=br0 tagged=br0,ether1 vlan-ids=500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520
4

Hmm, perhaps I misunderstood how vlan-filtering works. I thought setting

vlan-filtering=yes

would enable that behavior, but reviewing the manual it seems like I also need to enable ingress filtering. Do I have that right?

I’m trying to understand your comment on the vlan table definition. Here’s what I think I understood, and I’d appreciate if you can confirm/deny this:

  • Since the ROS IP stack isn’t doing anything with vlan 500-520, there doesn’t need to be an interface on the device for those VLANs, and just setting the numbers will be sufficient to allow traffic to transit the bridge based on the PVID setting and the VLAN settings in the relevant capsman profiles.

  • Each vlan ID should appear exactly once in the commands to modify the vlan table, splitting as necessary to make up the combo ports that will appear multiple times as untagged interfaces and tagged trunks.

5

I have amended my config to the following, which while cleaner does still have the same problem of the dhcp client not pulling an address on fms0 once ether1 is added to the bridge:

#
# model = RB952Ui-5ac2nD
# serial number = HF6090SBZFK
/caps-man channel
add band=2ghz-g/n name=gizmo-2ghz
add band=5ghz-n/ac name=gizmo-5ghz
/interface bridge
add admin-mac=78:9A:18:7E:54:5D auto-mac=no frame-types=admit-only-vlan-tagged name=br0 vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2442/20-Ce/gn(28dBm), SSID: gizmo, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5805/20-eeeC/ac(28dBm), SSID: gizmo, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface vlan
add comment="Empty dump network" interface=br0 name=dump0 vlan-id=450
add comment="FMS Network" interface=br0 name=fms0 vlan-id=10
/caps-man datapath
add bridge=br0 local-forwarding=yes name=team466 vlan-id=515 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team462 vlan-id=511 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team464 vlan-id=513 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team465 vlan-id=514 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team463 vlan-id=512 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team459 vlan-id=508 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team468 vlan-id=517 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team461 vlan-id=510 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team453 vlan-id=502 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team452 vlan-id=501 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team455 vlan-id=504 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team458 vlan-id=507 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team470 vlan-id=519 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team457 vlan-id=506 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team471 vlan-id=520 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team451 vlan-id=500 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team456 vlan-id=505 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team454 vlan-id=503 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team460 vlan-id=509 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team469 vlan-id=518 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team467 vlan-id=516 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=gizmo vlan-id=10 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team455
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team471
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=gizmo
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team466
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team457
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team459
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team467
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team453
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team458
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team451
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team468
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team460
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team463
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team462
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team461
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team456
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team464
/caps-man configuration
add channel=gizmo-2ghz country="united states3" datapath=team452 hide-ssid=yes mode=ap name=wifi452 security=team452 ssid=92ad6541f91b409fa9fb3d53f6aa8293
add channel=gizmo-2ghz country="united states3" datapath=team466 hide-ssid=yes mode=ap name=wifi466 security=team466 ssid=8868daad755043a38e73432d0aae7d8e
add channel=gizmo-2ghz country="united states3" datapath=team464 hide-ssid=yes mode=ap name=wifi464 security=team464 ssid=5e77cad891f7435a8978e3a0a8774d85
add channel=gizmo-2ghz country="united states3" datapath=team463 hide-ssid=yes mode=ap name=wifi463 security=team463 ssid=88d6a1f393bf4979b48fd89f015836b1
add channel=gizmo-2ghz country="united states3" datapath=team462 hide-ssid=yes mode=ap name=wifi462 security=team462 ssid=ec33bef9ee8e46c295decdd6746d8ff7
add channel=gizmo-2ghz country="united states3" datapath=team465 hide-ssid=yes mode=ap name=wifi465 security=team465 ssid=67be3b52c1d9457e95c1f31db31c6fd1
add channel=gizmo-2ghz country="united states3" datapath=team470 hide-ssid=yes mode=ap name=wifi470 security=team470 ssid=44b07071900f4795933a14d7f61c7b8a
add channel=gizmo-2ghz country="united states3" datapath=team453 hide-ssid=yes mode=ap name=wifi453 security=team453 ssid=4f4abdece82745f199dbdc75a686e015
add channel=gizmo-2ghz country="united states3" datapath=team467 hide-ssid=yes mode=ap name=wifi467 security=team467 ssid=b4a78ab7b23d4d78b39f175728259235
add channel=gizmo-2ghz country="united states3" datapath=team461 hide-ssid=yes mode=ap name=wifi461 security=team461 ssid=54ae163ca19a4f5890df9b34e54b63fe
add channel=gizmo-2ghz country="united states3" datapath=team471 hide-ssid=yes mode=ap name=wifi471 security=team471 ssid=d5d0701b3f04437fbc675eae0b029f77
add channel=gizmo-2ghz country="united states3" datapath=team458 hide-ssid=yes mode=ap name=wifi458 security=team458 ssid=a3e8f24067d242f8aff680342cc6fe4e
add channel=gizmo-2ghz country="united states3" datapath=team460 hide-ssid=yes mode=ap name=wifi460 security=team460 ssid=397f4eeea4b840ce90a07b3d82f93cd8
add channel=gizmo-2ghz country="united states3" datapath=team457 hide-ssid=yes mode=ap name=wifi457 security=team457 ssid=ffb4b0958a4a4fb6883bd8d921c536ae
add channel=gizmo-2ghz country="united states3" datapath=team469 hide-ssid=yes mode=ap name=wifi469 security=team469 ssid=ae0b61d58672400382a66daab98324e7
add channel=gizmo-2ghz country="united states3" datapath=team454 hide-ssid=yes mode=ap name=wifi454 security=team454 ssid=cc20e808dfb84d549326616503c3bc26
add channel=gizmo-2ghz country="united states3" datapath=team451 hide-ssid=yes mode=ap name=wifi451 security=team451 ssid=9efc9d8106f84956ae84dbba7043f587
add channel=gizmo-2ghz country="united states3" datapath=team459 hide-ssid=yes mode=ap name=wifi459 security=team459 ssid=0bfcb3cea0454990b7c5be8c5ee3c53b
add channel=gizmo-2ghz country="united states3" datapath=team455 hide-ssid=yes mode=ap name=wifi455 security=team455 ssid=28504f77b3c24ea08ffd04e2c56cb6ef
add channel=gizmo-2ghz country="united states3" datapath=team468 hide-ssid=yes mode=ap name=wifi468 security=team468 ssid=f5a94bc1796c41e4b37033e67388d0df
add channel=gizmo-2ghz country="united states3" datapath=team456 hide-ssid=yes mode=ap name=wifi456 security=team456 ssid=24bb6836e9814791a2e46d1b942fb802
add channel=gizmo-2ghz country="united states3" datapath=gizmo hide-ssid=no mode=ap name=gizmo-2ghz security=gizmo ssid=gizmo
add channel=gizmo-5ghz country="united states3" datapath=gizmo hide-ssid=no mode=ap name=gizmo-5ghz security=gizmo ssid=gizmo
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/user group
add name=readonly policy=ssh,read,web,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!sniff,!sensitive,!api,!romon,!rest-api
/caps-man manager
set enabled=yes upgrade-policy=require-same-version
/caps-man provisioning
add action=create-dynamic-enabled comment=gizmo-5ghz hw-supported-modes=ac master-configuration=gizmo-5ghz
add action=create-dynamic-enabled comment=gizmo-2ghz hw-supported-modes=gn master-configuration=gizmo-2ghz
/interface bridge port
add bridge=br0 disabled=yes interface=ether1 pvid=10
add bridge=br0 interface=ether4 pvid=450
add bridge=br0 interface=ether3 pvid=450
add bridge=br0 interface=ether2 pvid=450
add bridge=br0 interface=ether5 pvid=450
/interface bridge vlan
# ether1 not a bridge port
add bridge=br0 comment="Bridge Networks" tagged=ether1,br0 vlan-ids=500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520
# ether1 not a bridge port
add bridge=br0 comment=Uplink untagged=ether1 vlan-ids=10
/interface wireless cap
# 
set discovery-interfaces=br0 enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
add interface=ether1
add comment="Internal Upstream" interface=fms0 use-peer-dns=no use-peer-ntp=no
/ip service
set telnet disabled=yes port=21
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=self disabled=no
set api disabled=yes port=8278
set winbox disabled=yes
set api-ssl disabled=yes
/system identity
set name=gizmo-field-1
/system note
set show-at-login=no
6

You haven’t copied the /interface bridge vlan settings for VLAN ID 10 correctly - missing tagged=br0

7

Good catch.

I now have the tagged and untagged attributes on vlan 10, but still no joy. For completeness, here is the output of /export with the changes.

# 1970-01-02 03:15:46 by RouterOS 7.14.2
# software id = 1J90-DG0X
#
# model = RB952Ui-5ac2nD
# serial number = HF6090SBZFK
/caps-man channel
add band=5ghz-n/ac name=gizmo-5ghz
add band=2ghz-g/n name=gizmo-2ghz
/interface bridge
add admin-mac=78:9A:18:7E:54:5D auto-mac=no frame-types=admit-only-vlan-tagged name=br0 vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2442/20-Ce/gn(28dBm), SSID: gizmo, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5805/20-eeeC/ac(28dBm), SSID: gizmo, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface vlan
add comment="Empty dump network" interface=br0 name=dump0 vlan-id=450
add comment="FMS Network" interface=br0 name=fms0 vlan-id=10
/caps-man datapath
add bridge=br0 local-forwarding=yes name=team458 vlan-id=507 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team462 vlan-id=511 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team466 vlan-id=515 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team465 vlan-id=514 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team459 vlan-id=508 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team464 vlan-id=513 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team468 vlan-id=517 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team454 vlan-id=503 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team455 vlan-id=504 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team469 vlan-id=518 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team457 vlan-id=506 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team460 vlan-id=509 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team456 vlan-id=505 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team451 vlan-id=500 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team463 vlan-id=512 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team461 vlan-id=510 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team453 vlan-id=502 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team467 vlan-id=516 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=gizmo vlan-id=10 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team470 vlan-id=519 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team471 vlan-id=520 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team452 vlan-id=501 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team454
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=gizmo
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team470
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team467
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team471
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team461
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team465
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team456
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team458
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team452
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team464
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team466
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team460
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team462
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team463
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team469
/caps-man configuration
add channel=gizmo-2ghz country="united states3" datapath=gizmo hide-ssid=no mode=ap name=gizmo-2ghz security=gizmo ssid=gizmo
add channel=gizmo-5ghz country="united states3" datapath=gizmo hide-ssid=no mode=ap name=gizmo-5ghz security=gizmo ssid=gizmo
add channel=gizmo-2ghz country="united states3" datapath=team452 hide-ssid=yes mode=ap name=wifi452 security=team452 ssid=92ad6541f91b409fa9fb3d53f6aa8293
add channel=gizmo-2ghz country="united states3" datapath=team468 hide-ssid=yes mode=ap name=wifi468 security=team468 ssid=f5a94bc1796c41e4b37033e67388d0df
add channel=gizmo-2ghz country="united states3" datapath=team463 hide-ssid=yes mode=ap name=wifi463 security=team463 ssid=88d6a1f393bf4979b48fd89f015836b1
add channel=gizmo-2ghz country="united states3" datapath=team456 hide-ssid=yes mode=ap name=wifi456 security=team456 ssid=24bb6836e9814791a2e46d1b942fb802
add channel=gizmo-2ghz country="united states3" datapath=team467 hide-ssid=yes mode=ap name=wifi467 security=team467 ssid=b4a78ab7b23d4d78b39f175728259235
add channel=gizmo-2ghz country="united states3" datapath=team464 hide-ssid=yes mode=ap name=wifi464 security=team464 ssid=5e77cad891f7435a8978e3a0a8774d85
add channel=gizmo-2ghz country="united states3" datapath=team451 hide-ssid=yes mode=ap name=wifi451 security=team451 ssid=9efc9d8106f84956ae84dbba7043f587
add channel=gizmo-2ghz country="united states3" datapath=team460 hide-ssid=yes mode=ap name=wifi460 security=team460 ssid=397f4eeea4b840ce90a07b3d82f93cd8
add channel=gizmo-2ghz country="united states3" datapath=team457 hide-ssid=yes mode=ap name=wifi457 security=team457 ssid=ffb4b0958a4a4fb6883bd8d921c536ae
add channel=gizmo-2ghz country="united states3" datapath=team466 hide-ssid=yes mode=ap name=wifi466 security=team466 ssid=8868daad755043a38e73432d0aae7d8e
add channel=gizmo-2ghz country="united states3" datapath=team462 hide-ssid=yes mode=ap name=wifi462 security=team462 ssid=ec33bef9ee8e46c295decdd6746d8ff7
add channel=gizmo-2ghz country="united states3" datapath=team454 hide-ssid=yes mode=ap name=wifi454 security=team454 ssid=cc20e808dfb84d549326616503c3bc26
add channel=gizmo-2ghz country="united states3" datapath=team471 hide-ssid=yes mode=ap name=wifi471 security=team471 ssid=d5d0701b3f04437fbc675eae0b029f77
add channel=gizmo-2ghz country="united states3" datapath=team470 hide-ssid=yes mode=ap name=wifi470 security=team470 ssid=44b07071900f4795933a14d7f61c7b8a
add channel=gizmo-2ghz country="united states3" datapath=team469 hide-ssid=yes mode=ap name=wifi469 security=team469 ssid=ae0b61d58672400382a66daab98324e7
add channel=gizmo-2ghz country="united states3" datapath=team461 hide-ssid=yes mode=ap name=wifi461 security=team461 ssid=54ae163ca19a4f5890df9b34e54b63fe
add channel=gizmo-2ghz country="united states3" datapath=team459 hide-ssid=yes mode=ap name=wifi459 security=team459 ssid=0bfcb3cea0454990b7c5be8c5ee3c53b
add channel=gizmo-2ghz country="united states3" datapath=team453 hide-ssid=yes mode=ap name=wifi453 security=team453 ssid=4f4abdece82745f199dbdc75a686e015
add channel=gizmo-2ghz country="united states3" datapath=team455 hide-ssid=yes mode=ap name=wifi455 security=team455 ssid=28504f77b3c24ea08ffd04e2c56cb6ef
add channel=gizmo-2ghz country="united states3" datapath=team465 hide-ssid=yes mode=ap name=wifi465 security=team465 ssid=67be3b52c1d9457e95c1f31db31c6fd1
add channel=gizmo-2ghz country="united states3" datapath=team458 hide-ssid=yes mode=ap name=wifi458 security=team458 ssid=a3e8f24067d242f8aff680342cc6fe4e
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/user group
add name=readonly policy=ssh,read,web,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!sniff,!sensitive,!api,!romon,!rest-api
/caps-man manager
set enabled=yes upgrade-policy=require-same-version
/caps-man provisioning
add action=create-dynamic-enabled comment=gizmo-2ghz hw-supported-modes=gn master-configuration=gizmo-2ghz
add action=create-dynamic-enabled comment=gizmo-5ghz hw-supported-modes=ac master-configuration=gizmo-5ghz
/interface bridge port
add bridge=br0 disabled=yes interface=ether1 pvid=10
add bridge=br0 interface=ether3 pvid=450
add bridge=br0 interface=ether2 pvid=450
add bridge=br0 interface=ether4 pvid=450
add bridge=br0 interface=ether5 pvid=450
/interface bridge vlan
# ether1 not a bridge port
add bridge=br0 comment="Bridge Networks" tagged=ether1,br0 vlan-ids=500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520
# ether1 not a bridge port
add bridge=br0 comment=Uplink tagged=br0 untagged=ether1 vlan-ids=10
/interface wireless cap
# 
set discovery-interfaces=br0 enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
add interface=ether1
add comment="Internal Upstream" interface=fms0 use-peer-dns=no use-peer-ntp=no
/ip service
set telnet disabled=yes port=21
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=self disabled=no
set api disabled=yes port=8278
set winbox disabled=yes
set api-ssl disabled=yes
/system identity
set name=gizmo-field-1
/system note
set show-at-login=no

Eventually I need to be able to control what vlan lands on ether{2,3,4,5}. Would I be doing roughly the same thing there of dynamically putting the vlans together with the tagged and untagged ports in addition to setting the port pvid?

8

You did enable ether1 in /interface bridge port?

Yes, set the PVID for those ports under /interface bridge port and add any tagged membership under /interface bridge vlan, explicitly adding untagged membership is optional as it will be dynamically added from the PVID setting. Some people prefer to explicitly add them, personally I don’t as you then have to remember to change it in two places and forgetting to do both can lead to odd behaviour.

One thing to watch for is that if you have multiple values for vlan-ids= in an entry under /interface bridge vlan these should only ever be used tagged. Where you have a mix of tagged and untagged membership of a VLAN ID that should have its own entry, as with your existing VLAN ID 10.

9

As noted, 1. ether1 is disabled in /interface/bridge/ports.

  1. You still need vlan 450 marked as tagged on bridge (br0)
/interface bridge vlan add bridge=br0 tagged=br0 vlan-ids=450
10

Correct, this is the last state in which I can still connect and pull the config. Upon enabling ether1 as a bridge port I lose connection to the device and from monitoring the dhcp server on the network, I can see it does not attempt to pull an address, leading me to believe that the connection has been severed and I’m left with a config that I need to revert.

vlan 450 is intentionally a dump vlan that should not pass traffic to anywhere, so that should be working as intended right now. It exists so that the automation I’m managing the ports with can either pick the vlan out for a given assignment, or if the assignment comes back null it assigns 450 as a default.

When you say that the untagged port does not have to be added separately, but does when a vlan is tagged elsewhere I’m getting lost. That sounds like for any vlan that I want to access untagged, it will need its own line like like for vlan10 to specify that its tagged on the bridge, and untagged on whatever port I need it on at the moment.

To turn this problem on its head for a minute, would it be better if I made ether1 a pure trunk with no untagged traffic on it? That’s not the easiest thing to do in my architecture since it makes bootstrapping much harder, but if that will make the system more robust I can do that.

11

It’s not issue of robustness. More that the separation between Layer2 and Layer3 is kinda muddled in the bridge, so config get tricky. You might want to check this article as it might explain why things appear complex esp. the tagged=br0 needed etc.: http://forum.mikrotik.com/t/routeros-bridge-mysteries-explained/147832/1

To clarify, it seems you have a “hybrid” port on on ether1, you’d like the hAP to get DHCP address from the untagged traffic on ether1. Is that right?

If so, you’d want to make sure ether1 is enabled in /interface/bridge/port and set an as an untagged on /interface/bridge/vlan pvid=1. Currently, your config says to make VLAN packet with VLAN ID 1, and your /ip/dhcp-client is [essentially] looking at untagged packets (since dhcp-client not on some /interface/vlan with vlan-id=1 which is bad idea but likely work as configured in previous post). Also, you setting pvid of ether1 to VLAN 10, that makes VLAN 10 untagged FWIW.

Maybe you can clarify what the ideal end-state is for the various ports (e.g. what should be tagged and untagged by port).
_Couple notes:

  1. you can use MAC address in winbox to access the router even if bridge is messed up.
  2. “/interface/bridge/vlan print” with show the “dynamic” assignment (D in left column) done on a /interface/bridge/port based on PVID and frame-type=admit-only-untagged-and-priority-tagged_
12

I’ve read the linked post and the post that it links to for the “new” way of doing things and the one things that’s still not clear is if the “old” post is still relevant. It sounds like at the heart of this its all artifacts of the way the underlying linux DSA stiches together all the various interfaces, but I haven’t found any documentation that confirms that.

So to give a better explanation of what I’m doing here:

  • Ether1 is a hybrid trunk port with the management vlan (10) untagged and facing a hEX which provides all the IP services to the various subnets. The device that I’m trying to configure now is one of several identical hAP AC Lites which will have ether1 as a trunk port, and ether2-5 as pure access ports on specific VLANS.
  • The hAP AC Lite is also providing specific wireless SSIDs that map to specific VLANs.
  • At any given time, only 4 VLANs will be mapped (one each) to an access port, with the corresponding SSID made active as well.
  • There is a dhcp client on ether1 directly that provides an IP address when the port is not a member of the bridge, which does become inactive as soon as I add the port to the bridge. Since that’s what I expected to happen I assume its not messing anything up, but now I’m not so sure. Basically I expected that the dhcp client on ether1 would become inactive, and the dhcp client on fms0 would become active and solicit a lease.

The deeper context is that I’m designing all the infrastructure to support a robotics competition where each team gets a distinct isolated subnet, but their network is only made available when they’re scheduled to be in a match on the field, which means roughly every 6 minutes I’ll be cycling the set of PVIDs and adjusting the capsman slave configurations. Right now though I’m hung up on the more basic problem of getting the hAP to be accessible once I add ether1 to the bridge.

If so, you’d want to make sure ether1 is enabled in /interface/bridge/port and set an as an untagged on /interface/bridge/vlan pvid=1. Currently, your config says to make VLAN packet with VLAN ID 1, and your /ip/dhcp-client is [essentially] looking at untagged packets (since dhcp-client not on some /interface/vlan with vlan-id=1 which is bad idea but likely work as configured in previous post). Also, you setting pvid of ether1 to VLAN 10, that makes VLAN 10 untagged FWIW.

I’m trying to make sense of this. This is what I think I got: I’m setting ether1 to pvid 10, which dynamically adds it to the bridge and just generally results in things not being setup consistently. What I don’t get is how that went from saying “traffic with vlan 10 internally should become untagged externally” to “traffic that is tagged with vlan 10 internally will now be untagged and unavailable to tagged things internally and retagged as vlan 1 on egress”.

I think I also understood this to be that the dhcp client on fms0 is not configured to look at the packets once ether1 becomes a member of the bridge, because its not going to land the packets into the scope that fms0 is looking at.

13

Based on your advice to try the mac-telnet client (which I’d honestly forgotten exists) I can connect successfully from the hEX to the hAP when it becomes non-responsive. What appears to be happening is that the old DHCP address is remaining set even though the client is becoming inactive. What appears to be happening is that I’m getting two routes of the same cost:

[gizmo-fms@gizmo-field-1] > /ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
     DST-ADDRESS    GATEWAY     DISTANCE
DAd+ 0.0.0.0/0      100.64.0.1         1
DAd+ 0.0.0.0/0      100.64.0.1         1
DAc+ 100.64.0.0/24  ether1             0
DAc+ 100.64.0.0/24  fms0               0

It does not appear, however, that there is a way to influence the cost of the subnet route, only a means of influencing the distance of the default route if one is added. In this case, it looks like what I probably need is a means of disabling the dhcp client entirely that’s used during provisioning after the port gets added to the bridge.

14

Progress!

I can now very reliably run through the provisioning workflow and get to a state where both devices are networked and do not lock up. The “script” that I have added disables the bootstrap dhcp client in a very dumb way, but it does work. I’m sure there’s a more clever way to get the ID other than just asserting that it will always be zero:

# 1970-01-02 00:07:23 by RouterOS 7.14.2
# software id = 1J90-DG0X
#
# model = RB952Ui-5ac2nD
add band=5ghz-n/ac name=gizmo-5ghz
add band=2ghz-g/n name=gizmo-2ghz
/interface bridge
add admin-mac=78:9A:18:7E:54:5D auto-mac=no frame-types=admit-only-vlan-tagged name=br0 vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2447/20-eC/gn(28dBm), SSID: gizmo, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5805/20-eeeC/ac(28dBm), SSID: gizmo, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface vlan
add comment="Empty dump network" interface=br0 name=dump0 vlan-id=450
add comment="FMS Network" interface=br0 name=fms0 vlan-id=10
/caps-man datapath
add bridge=br0 local-forwarding=yes name=team465 vlan-id=514 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team459 vlan-id=508 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team451 vlan-id=500 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team468 vlan-id=517 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team464 vlan-id=513 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team470 vlan-id=519 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team463 vlan-id=512 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team457 vlan-id=506 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team458 vlan-id=507 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team460 vlan-id=509 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team452 vlan-id=501 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team461 vlan-id=510 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team466 vlan-id=515 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team456 vlan-id=505 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team471 vlan-id=520 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team462 vlan-id=511 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team469 vlan-id=518 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team453 vlan-id=502 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team455 vlan-id=504 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team454 vlan-id=503 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=gizmo vlan-id=10 vlan-mode=use-tag
add bridge=br0 local-forwarding=yes name=team467 vlan-id=516 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team452
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=gizmo
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team468
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team451
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team467
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team454
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team459
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team461
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team453
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team466
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team460
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team457
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team469
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team470
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team456
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team458
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team462
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team471
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team463
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=team464
/caps-man configuration
add channel=gizmo-2ghz country="united states3" datapath=team464 hide-ssid=yes mode=ap name=wifi464 security=team464 ssid=5e77cad891f7435a8978e3a0a8774d85
add channel=gizmo-2ghz country="united states3" datapath=team463 hide-ssid=yes mode=ap name=wifi463 security=team463 ssid=88d6a1f393bf4979b48fd89f015836b1
add channel=gizmo-2ghz country="united states3" datapath=team458 hide-ssid=yes mode=ap name=wifi458 security=team458 ssid=a3e8f24067d242f8aff680342cc6fe4e
add channel=gizmo-2ghz country="united states3" datapath=team451 hide-ssid=yes mode=ap name=wifi451 security=team451 ssid=9efc9d8106f84956ae84dbba7043f587
add channel=gizmo-2ghz country="united states3" datapath=team469 hide-ssid=yes mode=ap name=wifi469 security=team469 ssid=ae0b61d58672400382a66daab98324e7
add channel=gizmo-2ghz country="united states3" datapath=team452 hide-ssid=yes mode=ap name=wifi452 security=team452 ssid=92ad6541f91b409fa9fb3d53f6aa8293
add channel=gizmo-2ghz country="united states3" datapath=team462 hide-ssid=yes mode=ap name=wifi462 security=team462 ssid=ec33bef9ee8e46c295decdd6746d8ff7
add channel=gizmo-2ghz country="united states3" datapath=team455 hide-ssid=yes mode=ap name=wifi455 security=team455 ssid=28504f77b3c24ea08ffd04e2c56cb6ef
add channel=gizmo-2ghz country="united states3" datapath=team460 hide-ssid=yes mode=ap name=wifi460 security=team460 ssid=397f4eeea4b840ce90a07b3d82f93cd8
add channel=gizmo-2ghz country="united states3" datapath=team468 hide-ssid=yes mode=ap name=wifi468 security=team468 ssid=f5a94bc1796c41e4b37033e67388d0df
add channel=gizmo-2ghz country="united states3" datapath=team471 hide-ssid=yes mode=ap name=wifi471 security=team471 ssid=d5d0701b3f04437fbc675eae0b029f77
add channel=gizmo-2ghz country="united states3" datapath=team470 hide-ssid=yes mode=ap name=wifi470 security=team470 ssid=44b07071900f4795933a14d7f61c7b8a
add channel=gizmo-2ghz country="united states3" datapath=team459 hide-ssid=yes mode=ap name=wifi459 security=team459 ssid=0bfcb3cea0454990b7c5be8c5ee3c53b
add channel=gizmo-2ghz country="united states3" datapath=team465 hide-ssid=yes mode=ap name=wifi465 security=team465 ssid=67be3b52c1d9457e95c1f31db31c6fd1
add channel=gizmo-2ghz country="united states3" datapath=team453 hide-ssid=yes mode=ap name=wifi453 security=team453 ssid=4f4abdece82745f199dbdc75a686e015
add channel=gizmo-2ghz country="united states3" datapath=team456 hide-ssid=yes mode=ap name=wifi456 security=team456 ssid=24bb6836e9814791a2e46d1b942fb802
add channel=gizmo-2ghz country="united states3" datapath=team466 hide-ssid=yes mode=ap name=wifi466 security=team466 ssid=8868daad755043a38e73432d0aae7d8e
add channel=gizmo-2ghz country="united states3" datapath=gizmo hide-ssid=no mode=ap name=gizmo-2ghz security=gizmo ssid=gizmo
add channel=gizmo-2ghz country="united states3" datapath=team461 hide-ssid=yes mode=ap name=wifi461 security=team461 ssid=54ae163ca19a4f5890df9b34e54b63fe
add channel=gizmo-2ghz country="united states3" datapath=team454 hide-ssid=yes mode=ap name=wifi454 security=team454 ssid=cc20e808dfb84d549326616503c3bc26
add channel=gizmo-5ghz country="united states3" datapath=gizmo hide-ssid=no mode=ap name=gizmo-5ghz security=gizmo ssid=gizmo
add channel=gizmo-2ghz country="united states3" datapath=team457 hide-ssid=yes mode=ap name=wifi457 security=team457 ssid=ffb4b0958a4a4fb6883bd8d921c536ae
add channel=gizmo-2ghz country="united states3" datapath=team467 hide-ssid=yes mode=ap name=wifi467 security=team467 ssid=b4a78ab7b23d4d78b39f175728259235
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/user group
add name=readonly policy=ssh,read,web,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!sniff,!sensitive,!api,!romon,!rest-api
/caps-man manager
set enabled=yes upgrade-policy=require-same-version
/caps-man provisioning
add action=create-dynamic-enabled comment=gizmo-2ghz hw-supported-modes=gn master-configuration=gizmo-2ghz
add action=create-dynamic-enabled comment=gizmo-5ghz hw-supported-modes=ac master-configuration=gizmo-5ghz
/interface bridge port
add bridge=br0 interface=ether1 pvid=10
add bridge=br0 interface=ether5 pvid=450
add bridge=br0 interface=ether4 pvid=450
add bridge=br0 interface=ether3 pvid=450
add bridge=br0 interface=ether2 pvid=450
/interface bridge vlan
add bridge=br0 comment="Bridge Networks" tagged=ether1,br0 vlan-ids=500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520
add bridge=br0 comment=Uplink tagged=br0 untagged=ether1 vlan-ids=10
/interface wireless cap
# 
set discovery-interfaces=br0 enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
add add-default-route=no disabled=yes interface=ether1 use-peer-dns=no use-peer-ntp=no
add comment="Internal Upstream" interface=fms0 script="{/ip/dhcp-client/set 0 disabled=yes}" use-peer-dns=no use-peer-ntp=no
/ip service
set telnet disabled=yes port=21
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=self disabled=no
set api disabled=yes port=8278
set winbox disabled=yes
set api-ssl disabled=yes
/system identity
set name=gizmo-field-1
/system note
set show-at-login=no

Where I now am troubleshooting is that the ‘gizmo’ ssid which uses a capsman datapath through to vlan 10 does not appear to be getting dhcp. This makes me think that none of the team SSIDs are either, but I’m still in the process of verifying that.

15

No sooner did I send that than I realized that wlan1 and wlan2 do not appear as bridge ports. On further inspection it became clear that the capsman wireless interface was configured for discovery on br0, but not actually configured to then use br0 for the datapath. After enabling that, all is well.

16

Just confirms that capsman is not worth the stress it causes.
All my non-capsman MT APs, rarely change mostly setup and forget

17

Let not blame CAPsMAN, it really the hybrid port and funky bridge VLAN configuration’s fault here :wink:. Not here, but with Wave2/AX drivers, you need CAPsMAN for roaming, so not so easily wished away…

I guess I’m unsure why you’re doing this in two phases. Perhaps have good reasons. But FWIW you can have the router load a config via “/system/reset-configuration keep-users=yes run-after-reset=myconfig.rsc” since the system runs it at startup, there should be no need worry about “breaking” the bridge. This allow you focus on getting the /interface/bridge/vlan and /interface/bridge/port stuff aligned as needed. Any tagging/untagging needed can be done with RouterOS… but trying to do it “phases” makes it even harder to think about.

18

The two phase approach is something I dove into more in my other thread, http://forum.mikrotik.com/t/network-topology-for-bootstraping/175239/1 but the gist of it is that other parts of this process are managed in a highly dynamic terraform workflow that’s driven by external automation, so it was convenient to me to leverage the terraform provider for routeros rather than trying to drive the API directly. I might revisit this at some point, but I have a really good understanding of terraform and a less good understanding of the API, so for fast implementation I went with what I knew. This is also why I used CAPsMAN, because the provider doesn’t have support for direct wireless interfaces.

19

Welp, I thought that was working, but it very clearly is not. Only vlan 10 works now and none of the other vlans do. Neither on wired, or as I’m digging in on wireless can I pass traffic. The familiar error in the bridge screen is up which warns me “port with pvid added to untagged group”. That’s what I expected to have happen because the port should be dynamically added. What has actually happened is that the port does not pass traffic at all, which is coming to be my experience with mikrotik hardware and vlans unfortunately.

Do dynamically added ports just not work? I guess I can engineer around that but wow that’s going to be a huge pain to on the fly compute the set of VLANs that need to be made explicitly untagged and which ports they go to.

20

Lots of gnashing of teeth, questioning of life choices, sacrifices to the gods of config management later and I think I have this understood. My upstream bridge did not have the correct vlans which compounded the problem, but I think that the understanding I’ve come to is that “port with pvid added to untagged group” is not actually a hard error. My current understanding is that it is a call to attention to clue the user in that some dynamic config has happened and the end state of that should be verified to ensure it is as intended, but it isn’t immediately an error.