I’m setting up a hap ac2 to work as a switch and an access point. All I need it to do is pick up trunked traffic from upstream and deliver it to certain interfaces.
The idea is to have the following VLAN configuration:
ether1 - uplink from main router, trunk with all the VLANs
ether2 - main VLAN (100) - to be used by the server downstream
ether3 - trunk (all VLANs) - to be used by the server downstream
ether4 - main VLAN (100)
ether5 - “not” VLAN (103) - “not” stands for Network of Things
wlan1 - guest VLAN (101)
wlan1 slave - “not” VLAN (103)
wlan2 - main VLAN (100)
Here’s the script I’m provisioning it with after a factory reset with no default configuration:
#######################################
# VLAN Overview
#######################################
# 100 = main
# 101 = guest
# 102 = service
# 103 = not == Network of Things
#######################################
# Bridge
#######################################
/interface bridge add admin-mac=48:8F:5A:27:57:EC auto-mac=no name=BR1 \
vlan-filtering=no
#######################################
# WLAN
#######################################
# One WPA2-PSK profile per SSID. Passphrases are substituted by the templating
# step ({{ ... }} placeholders), so no secret is stored in this file.
/interface wireless security-profiles
add name=main-security-profile mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="{{ MAIN_WIFI_PASS }}"
add name=guest-security-profile mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="{{ GUEST_WIFI_PASS }}"
add name=not-security-profile mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="{{ NOT_WIFI_PASS }}"
/interface wireless
# Main SSID on the 5 GHz radio
set [ find default-name=wlan2 ] mode=ap-bridge frequency=5300 \
    ssid="{{ MAIN_WIFI_NAME }}" security-profile=main-security-profile disabled=no
# Guest SSID on the 2.4 GHz radio, left disabled
set [ find default-name=wlan1 ] mode=ap-bridge frequency=2412 \
    ssid="{{ GUEST_WIFI_NAME }}" security-profile=guest-security-profile disabled=yes
# NoT SSID as a virtual AP on top of wlan1
# NOTE(review): wlan1 is disabled=yes above while this virtual AP is
# disabled=no; a virtual AP only runs while its master-interface is running,
# so the NoT SSID is presumably not on air with this configuration — confirm.
add name=wlan1-not master-interface=wlan1 ssid="{{ NOT_WIFI_NAME }}" \
    security-profile=not-security-profile disabled=no
#######################################
#
# -- Access Ports --
#
#######################################
# ingress behavior: untagged frames entering an access port are assigned that
# port's pvid. VLAN membership itself is declared in /interface bridge vlan.
# Ports are grouped by VLAN for readability.
# 100 = main
/interface bridge port add bridge=BR1 interface=ether2 pvid=100
/interface bridge port add bridge=BR1 interface=ether4 pvid=100
/interface bridge port add bridge=BR1 interface=wlan2 pvid=100
# 101 = guest
/interface bridge port add bridge=BR1 interface=wlan1 pvid=101
# 103 = not
/interface bridge port add bridge=BR1 interface=ether5 pvid=103
/interface bridge port add bridge=BR1 interface=wlan1-not pvid=103
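#######################################
#
# -- Trunk Ports --
#
#######################################
# ingress behavior
/interface bridge port
# Trunk ports carry every VLAN tagged. pvid stays at the default of 1; untagged
# frames are rejected on these ports further down (frame-types=admit-only-vlan-tagged).
add bridge=BR1 interface=ether1
add bridge=BR1 interface=ether3
# egress behavior
/interface bridge vlan
# One entry per VLAN: trunk ports as tagged members (plus BR1 itself on VLAN
# 100 only, for IP management access), access ports as untagged members.
# Every access port declared above is listed explicitly under its pvid
# (ether2/ether4 next to wlan2 on 100, ether5 next to wlan1-not on 103), so the
# VLAN table documents all memberships itself instead of relying on the
# entries RouterOS adds dynamically from each port's pvid.
add bridge=BR1 tagged=BR1,ether1,ether3 untagged=ether2,ether4,wlan2 vlan-ids=100
add bridge=BR1 tagged=ether1,ether3 untagged=wlan1 vlan-ids=101
# 102 (service) passes through on the trunks only; no access port here carries it.
add bridge=BR1 tagged=ether1,ether3 vlan-ids=102
add bridge=BR1 tagged=ether1,ether3 untagged=ether5,wlan1-not vlan-ids=103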
#################
## IP Settings
#################
# The switch's own management address sits on VLAN 100, via a VLAN interface
# on top of BR1 (BR1 is a tagged member of VLAN 100 for exactly this reason).
/interface vlan add name=vlan-main-100 vlan-id=100 interface=BR1
/ip address add interface=vlan-main-100 address=10.0.0.10/24
# Default route and DNS both point at the main router on VLAN 100.
/ip route add gateway=10.0.0.1 distance=1
/ip dns set servers=10.0.0.1
#######################################
# VLAN Security
#######################################
# ingress-filtering=yes drops frames whose VLAN the receiving port is not a
# member of; frame-types additionally restricts what each port class may
# receive at all.
/interface bridge port
# Access ports: only untagged (or priority-tagged) frames are accepted, so a
# host on one of them cannot supply its own 802.1Q tag to reach another VLAN.
set [ find interface=ether2 ] bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [ find interface=ether4 ] bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [ find interface=ether5 ] bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [ find interface=wlan1 ] bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [ find interface=wlan1-not ] bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [ find interface=wlan2 ] bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Trunk ports: only tagged frames are accepted.
set [ find interface=ether1 ] bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
set [ find interface=ether3 ] bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# This is a switch: no L3 forwarding between VLANs takes place on this device.
/ip settings set ip-forward=no
# Interface list used further down to confine neighbor discovery and MAC-level
# management access to the VLAN 100 management interface only.
/interface list add name=MAIN
/interface list member add list=MAIN interface=vlan-main-100
###########################
# Management access
###########################
# Neighbor discovery, MAC-telnet and MAC-Winbox are limited to the MAIN list,
# i.e. the VLAN 100 management interface.
/ip neighbor discovery-settings set discover-interface-list=MAIN
/tool mac-server set allowed-interface-list=MAIN
/tool mac-server mac-winbox set allowed-interface-list=MAIN
# Management services: unused ones are disabled, the remaining ones are
# restricted by source address.
# NOTE(review): 10.0.0.0/16 is wider than the 10.0.0.0/24 management subnet
# configured on vlan-main-100, and plain-HTTP www stays enabled alongside
# www-ssl. Narrowing address= to the management subnet and disabling www in
# favour of www-ssl only would be the tighter choice; presumably the /16 is
# meant to admit other subnets behind the router — confirm.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes address=10.0.0.0/16
/ip service set api disabled=yes address=10.0.0.0/16
/ip service set api-ssl disabled=yes address=10.0.0.0/16
/ip service set www address=10.0.0.0/16
/ip service set ssh address=10.0.0.0/16
/ip service set www-ssl disabled=no address=10.0.0.0/16 certificate={{ DOMAIN_NAME }}_cert
# SSH: reject the "none" cipher and disallow port forwarding through the switch.
# NOTE(review): strong-crypto is left at its default here; strong-crypto=yes
# would also drop the weaker key-exchange/cipher choices.
/ip ssh set forwarding-enabled=no allow-none-crypto=no
### ## # --- SECRET --- # ## ###
# Admin credential is supplied by the template; only the placeholder lives here.
# NOTE(review): the built-in "admin" account stays the only user. Creating a
# separately named full-access user and disabling "admin" is the usual RouterOS
# hardening step — confirm nothing relies on the account name.
/user set [ find name=admin ] password="{{ SWITCH_PASS }}"
# Rename ports after their role (suffix = VLAN role from the overview above).
# NOTE(review): this runs after the bridge port / VLAN Security sections have
# matched ports by their default names ([find interface=ether2] etc.); those
# lookups would find nothing if this script were re-run on an already renamed
# device, so the script is single-shot after a factory reset as described.
/interface ethernet set [ find default-name=ether1 ] name=ether1-uplink-trunk
/interface ethernet set [ find default-name=ether2 ] name=ether2-main
/interface ethernet set [ find default-name=ether3 ] name=ether3-trunk
/interface ethernet set [ find default-name=ether4 ] name=ether4-main
/interface ethernet set [ find default-name=ether5 ] name=ether5-not
/interface wireless set [ find default-name=wlan1 ] name=wlan1-guest
/interface wireless set [ find default-name=wlan2 ] name=wlan2-main
#######################################
# Turn on VLAN mode
#######################################
# Deliberately the last step: the VLAN table, the management VLAN interface and
# the port filters all exist by now, so enabling filtering does not cut off
# management access over VLAN 100 half-way through provisioning.
/interface bridge set [ find name=BR1 ] vlan-filtering=yes
Now, the problem is that the server downstream suffers from regular packet drops; here’s a snippet from the netdata net.drops [d/s] chart:

The moment I disable the ether2 interface the drops stop (you can see the drops stopping on the chart). When I disable the upstream device connected to ether1, the chart doesn’t change, so I believe the issue is with the configuration above.
What am I missing, what am I doing wrong? Or maybe the configuration is correct and the issue lies with the server configuration?