Odd wireless vlan bridging problem

I’m experiencing what I feel is a pretty unusual problem. I’m running the latest version of RouterOS (as of this writing, 2.9.38). I have two access points with level 5 lic, connected to a Cisco Catalyst 3750; ports are in trunk mode. The Catalyst 3750 is trunked back to a Catalyst 6500 multi-layer with vlan routing. I’m then creating two vlans on ether1, named Management and WiFi1, vlan IDs 36 and 257 respectively. I assign IPs to the vlan interfaces, and can ping across the network to each of the IPs, on each access point. I then create the wireless security profile for wpa2 in passthrough mode, and set up the radius server. I set up the wireless card to the correct frequency, but not assigning a ssid. Next I create a virtual AP, assign it to the security profile, assign the ssid, and slave it off of wlan1. I then create a bridge group that consists of my virtualAP and wireless vlan. The vlan master, the Catalyst 6500, is set up to forward dhcp requests to an internal dhcp server. The APs at this point can now ping each other’s wireless vlan ip address and management ip address. I can then associate a client to either AP, it authenticates via 802.1x, and is assigned an ip address in the correct vlan by the dhcp server. The client can ping either AP, and either AP can ping the client. The client can then ping anything else on the network; however, nothing on the network can ping (or pass any other kind of data) to the client. There are no access lists running on the switches, and no firewalling enabled on either the client or APs.

What am I doing wrong?

Also, I am not enabling wds, and it’s my understanding that I will not need it (my interpretation of the documentation), as all the APs will be connected back to a wired network.

My goal, once I pass this hurdle, is to activate wlan2 with another virtualAP, add another vlan, and have it use another source of authentication. Then immediately scale this up to 16 WAPs to cover part of our enterprise campus, and 50 to 60 more WAPs over the course of the next year.


My command line config is as follows (cleansed for security):

/interface set ether1 disabled=no
/interface set ether2 disabled=yes
/interface set wlan1 disabled=no
/interface set wlan2 disabled=yes

/interface vlan add name=Management vlan-id=36 interface=ether1 disabled=no
/interface vlan add name=WiFi1 vlan-id=257 interface=ether1 disabled=no

/ip address add address=/24 interface=Management
/ip address add address=/22 interface=WiFi1
/ip route add gateway=

/radius add service=wireless address= secret= authentication-port=1812 accounting-port=1813 timeout=300

/interface wireless security-profiles add name= mode=dynamic-keys authentication-types=wpa2-eap unicast-ciphers=aes-ccm group-ciphers=aes-ccm group-key-update=30m eap-methods=passthrough tls-mode=no-certificates

/interface wireless set wlan1 mode=ap-bridge frequency=2462 band=2.4ghz-b/g default-authentication=yes
/interface wireless set wlan1 default-forwarding=yes hide-ssid=no compression=no country="united states"
/interface wireless set wlan1 wds-mode=disabled wds-default-cost=100 wds-cost-range=50-150 antenna-mode=ant-a
/interface wireless add master-interface=wlan1 name=vap257 disabled=no
/interface wireless set vap257 security-profile=
/interface wireless set vap257 mode=ap-bridge frequency=2462 band=2.4ghz-b/g ssid= default-authentication=yes
/interface wireless set vap257 default-forwarding=yes hide-ssid=no compression=no country="united states"
/interface wireless set vap257 dfs-mode=none frequency-mode=manual-txpower preamble-mode=both max-station-count=2007
/interface wireless set vap257 wds-mode=disabled wds-default-cost=100 wds-cost-range=50-150 antenna-mode=ant-a

/interface bridge add name=br0
/interface bridge port add bridge=br0 interface=WiFi1 disabled=no
/interface bridge port add bridge=br0 interface=vap257 disabled=no

/ip service set telnet disabled=yes

Any idea on what’s causing this, or a possible solution?
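An added config check, not code from the post or from MikroTik, that parses RouterOS CLI lines in the shape of the config above and flags a known bridging pitfall: an IP address assigned to an interface that is also a bridge port (here WiFi1 in br0), where the address is normally expected on the bridge itself. The embedded sample is a constructed copy of the post's config with RFC 5737 placeholder addresses; whether this pattern is the cause of the poster's symptom is not established by the thread.

```python
import shlex

VERBS = {"add", "set", "remove", "enable", "disable", "print"}

# Constructed sample in the shape of the post's config; the addresses are
# RFC 5737 documentation placeholders standing in for the cleansed values.
SAMPLE_CONFIG = """
/interface vlan add name=Management vlan-id=36 interface=ether1 disabled=no
/interface vlan add name=WiFi1 vlan-id=257 interface=ether1 disabled=no
/ip address add address=192.0.2.10/24 interface=Management
/ip address add address=198.51.100.10/22 interface=WiFi1
/interface wireless add master-interface=wlan1 name=vap257 disabled=no
/interface wireless set vap257 security-profile=wpa2eap country="united states"
/interface bridge add name=br0
/interface bridge port add bridge=br0 interface=WiFi1 disabled=no
/interface bridge port add bridge=br0 interface=vap257 disabled=no
"""

def parse(config):
    """Turn RouterOS CLI lines into (menu path, verb, {key: value}) tuples."""
    cmds = []
    for line in config.splitlines():
        toks = shlex.split(line)  # handles quoted values like country="united states"
        if not toks or not toks[0].startswith("/"):
            continue
        i = next((n for n, t in enumerate(toks) if t in VERBS), None)
        if i is None:
            continue
        args = {}
        for t in toks[i + 1:]:
            k, sep, v = t.partition("=")
            args[k if sep else "target"] = v if sep else k  # bare word = target of set
        cmds.append((" ".join(toks[:i]), toks[i], args))
    return cmds

def check_bridge_port_addresses(cmds):
    """Flag IP addresses on interfaces that are also bridge ports.

    Each finding names the port, its bridge, the addresses on the port, and
    whether the bridge itself carries any address (the usual place for it)."""
    addrs, ports = {}, {}
    for path, verb, a in cmds:
        if path == "/ip address" and verb == "add":
            addrs.setdefault(a["interface"], []).append(a["address"])
        elif path == "/interface bridge port" and verb == "add":
            ports[a["interface"]] = a["bridge"]
    return [{"interface": port, "bridge": br, "addresses": addrs[port],
             "bridge_has_address": br in addrs}
            for port, br in ports.items() if port in addrs]

if __name__ == "__main__":
    for finding in check_bridge_port_addresses(parse(SAMPLE_CONFIG)):
        print(finding)
```

Run it against an `/export` of a real box to list every bridge port that carries an address alongside the bridge it belongs to.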