pfSense + CRS328 + hAP ax3 + VLAN = no internet for VLANs

RouterOS Wireless Networking
1

Currently trying to move a TP Link Omada AP to the hAP ax3 and at my wit’s end on getting this to work. Internet works no issues through the wifi on the ax3, but trying to add VLANs gets me to the point where DHCP is working and hands out IP addresses but does not reach the internet. I have an allow all from the vlan (99) set on pfense. I have looked through the pfsense logs and don’t see anything reaching the firewall. On the old Omada, vlans are working there. Any help would be appreciated. configs below:

For the CRS:

# apr/08/2023 22:35:42 by RouterOS 7.8
# model = CRS328-24P-4S+
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
add disabled=yes name=bridge1
/interface ethernet
set [ find default-name=ether3 ] name=ether3-P
set [ find default-name=ether6 ] name=ether6-P
set [ find default-name=ether7 ] name=ether7-BI
set [ find default-name=ether14 ] name=ether14-P
set [ find default-name=ether15 ] name=ether15-P
set [ find default-name=ether16 ] name=ether16-P
set [ find default-name=ether18 ] name=ether18-P
/interface vlan
add interface=ether9 name=vlan1 vlan-id=99
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/user group
add name=ha policy="read,write,test,api,!local,!telnet,!ssh,!ftp,!reboot,!poli\
    cy,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3-P pvid=50
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6-P pvid=50
add bridge=bridge comment=defconf interface=ether7-BI
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14-P pvid=50
add bridge=bridge comment=defconf interface=ether15-P pvid=50
add bridge=bridge comment=defconf interface=ether16-P pvid=50
add bridge=bridge comment=defconf interface=ether17 pvid=90
add bridge=bridge comment=defconf interface=ether18-P pvid=50
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23 pvid=50
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
/interface bridge vlan
add bridge=bridge tagged=ether1,ether4 untagged=ether17 vlan-ids=90
add bridge=bridge tagged=ether1,ether4 untagged=ether23,ether3-P vlan-ids=50
add bridge=bridge tagged=ether1,ether9 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3-P list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6-P list=LAN
add interface=ether7-BI list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14-P list=LAN
add interface=ether15-P list=LAN
add interface=ether16-P list=LAN
add interface=ether17 list=LAN
add interface=ether18-P list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
/ip address
add address=192.168.24.1/24 comment=defconf interface=ether2 network=192.168.24.0
add address=192.168.99.1 interface=vlan1 network=192.168.99.1
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add interface=ether1
/ip dns
set servers=9.9.9.9
/ip service
set www-ssl certificate=cert2023 disabled=no
/system clock
set time-zone-name=America/New_York
/system routerboard settings
set boot-os=router-os
/system swos
set address-acquisition-mode=static identity=MikroTik static-ip-address=\
    192.168.24.1

hAP

# apr/09/2023 02:24:40 by RouterOS 7.8
# model = C53UiG+5HPaxD2HPaxD
/interface bridge
add name=Bridge vlan-filtering=yes
add name=Bridge_vlan99 pvid=99 vlan-filtering=yes
/interface wifiwave2
set [ find default-name=wifi1 ] configuration.country="United States" .mode=\
    ap .ssid=NetworkTest5M disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] configuration.mode=ap .ssid=NetworkTest2M \
    security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=LasVegas5M datapath.vlan-id=99 disabled=no \
    mac-address= master-interface=wifi1 name=wifi3 \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface vlan
add interface=wifi3 name=vlan99 vlan-id=99
/ip pool
add name=dhcp_pool0 ranges=192.168.99.20-192.168.99.200
add name=dhcp_pool1 ranges=192.168.99.2-192.168.99.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=Bridge_vlan99 name=dhcp1
/interface bridge port
add bridge=Bridge interface=ether1
add bridge=Bridge interface=ether2
add bridge=Bridge interface=wifi1
add bridge=Bridge interface=wifi2
add bridge=Bridge_vlan99 interface=wifi3 pvid=99
add bridge=Bridge_vlan99 interface=vlan99 pvid=99
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=Bridge untagged=ether1,ether2,wifi1,Bridge,Bridge_vlan99 vlan-ids=\
    1
add bridge=Bridge_vlan99 tagged=ether1 untagged=Bridge_vlan99,wifi3,vlan99 \
    vlan-ids=99
/ip address
add address=192.168.24.2/24 interface=ether1 network=192.168.24.0
add address=192.168.99.1/24 interface=Bridge_vlan99 network=192.168.99.0
/ip dhcp-server network
add address=192.168.99.0/24 dns-server=8.8.8.8 gateway=192.168.99.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Bridge
2

To confirm, the MT device is solely acting as a switch/AP and not a router correct ??
So you need a trunk port in from the upstream device carrying all the vlans required.
One of them needs to be the management/trusted vlan from which the hap will get its IP address.

Note: I always config my MT devices off bridge so that I avoid bridge hiccups, easy to do even when using safe mode.

One bridge,
The only vlan that needs to be defined is the managment vlan with interface=bridge

interface bridge
add ingress-filtering=no name=bridgegym vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=emergaccess
/interface vlan
add interface=bridgegym name=trustedVlan vlan-id=12  { mandatory, management vlan must be identified in /interface vlan - do not put any other vlans here!! }
/interface list
add name=management
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-Ce country=canada disabled=no frequency=5500 \
    mode=ap-bridge name=homeWLan security-profile=home_Security skip-dfs-channels=all ssid=NoPain-NoGain wireless-protocol=\
    802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=canada disabled=no frequency=2437 mode=ap-bridge \
    name=mediaWlan rate-set=configured security-profile=media_Security skip-dfs-channels=all ssid=Media \
    supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add keepalive-frames=disabled mac-address=xx.xx.xx.xx  master-interface=mediaWlan multicast-buffering=disabled \
    name=testaccess security-profile=testprofile ssid=capacbackdoor wds-cost-range=0 wds-default-cost=0 wmm-support=\
    enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=yy.yy.yy.yy  master-interface=mediaWlan multicast-buffering=\
    disabled name=HVAC_WLAN security-profile=Cerv_key ssid=machine wds-cost-range=0 wds-default-cost=0 wmm-support=\
    enabled wps-mode=disabled
/interface bridge port  { 
add bridge=bridgegym ingress-filtering=yes frame-types=admit-only-vlan-tagged  interface=ether1  { trunk port to MT device }
add bridge=bridgegym ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=homeWLan pvid=12
add bridge=bridgegym ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=HVAC_WLAN pvid=49
add bridge=bridgegym ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=mediaWlan pvid=40
/ip neighbor discovery-settings
set discover-interface-list=management
/interface bridge vlan
add bridge=bridgegym tagged=ether1,bridgegym untagged=homeWLan vlan-ids=12
add bridge=bridgegym tagged=ether1 untagged=mediaWlan vlan-ids=40
add bridge=bridgegym tagged=ether1 untagged=HVAC_WLAN vlan-ids=49
/interface list member
add interface=homeVlan list=management
add interface=emergaccess list=management
/ip address
add address=192.168.10.84/24 interface=homeVlan network=192.168.10.0  comment="IP of MT device on trusted subnet"
add address=192.168.36.1/24 interface=emergaccess network=192.168.36.0 comment="ether2 access off bridge"
/ip dns
set allow-remote-requests=yes servers=192.168.10.1  { Note: Done so all dns requests use trusted subnet } 
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.10.1 comment="ensures route avail through trusted subnet gateway"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=x.x.x.x
set api disabled=yes
set winbox address=y.y.y.y/24,z.z.z.z/24,s.s.s.s/24
set api-ssl disabled=yes
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.10.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management

3

Yes. No router functionality. The plan is to have several VLANs, all VLANs will need to be accessible through ethernet lines and both 2.4 and 5ghz wireless.