MikroTik hEX s with properly working segregated VLANs (3 VLANs for wired hosts, working fine + 1 VLAN for WiFi, not working)
TP-SG108E Switch managing VLANs
NetGear WAX204 in AP mode connected to switch port 7
GPT-2841GX4X5 (Movistar router, in bridge mode)
Switch Configuration (Port 7 - AP):
Member of VLAN 1,100
Tagged on VLAN 100 (WiFi)
Untagged on VLAN 1 (default)
PVID 100
MikroTik WiFi Configuration:
VLAN 100 (10.100.100.0/24)
DHCP Server on vlan100-wifi
Pool: 10.100.100.100-200
Firewall rules below
NAT configured
Objective:
Segmented wired VLANs, with specific access rules between them and to the Internet. - OK
Use the WAX204 to have 3 SSIDs, which go through the switch and are in VLAN100, isolated from everything else, only with Internet access. - KO
Current situation:
Some WiFi clients get the correct IP range (10.100.100.x), some only get an APIPA address, but none get Internet connectivity.
The WAX204 gets a management IP (10.1.1.3) but is not accessible. The only way is to connect my laptop directly to the WAX and go to 10.1.1.3 from there.
No ping between router and WiFi clients
Client isolation disabled on WAX204, all in AP mode.
All other wired VLANs work perfectly
DHCP logs show nothing, just normal offers.
You can see my current firewall rules in the attached file.
I'm going crazy trying to get the AP working. What am I missing in the WAX204/VLAN configuration? The same EXACT configuration works fine with wired VLANs, but not with WiFi.
Are these firewall rules secure enough for a homelab? Any recommendations?
When using VLAN on Mikrotik devices, it is generally advised here to NOT use VLAN 1.
Some devices from other brands can do funny things with pvid=1 making the whole thing break down when it passes Tik gear.
The last two bullets contradict each other. Setting PVID on a port means that anything untagged on the physical media outside the device (e.g. the ethernet cable) connected to this port will (or should) be mapped to VLAN 100 (the value of the PVID setting). Any untagged frame ingressing through this port will get a VLAN 100 header applied, and any frame with a VLAN ID 100 header will have the header stripped on egress. Unless you actually force VLAN 1 as an untagged VLAN on this port … in which case frames belonging to VLAN 1 will also egress with the VLAN header stripped. But regardless, bidirectional communication in VLAN 1 won't be possible due to the PVID=100 setting.
Additionally: separating 3 SSIDs while all of them are mapped to the same VLAN is not really separating them. If nothing else, they'll all transmit the same broadcasts (originating from the wired side of the AP). The proper way would be to map each SSID to a different VLAN and then use the firewall in ROS to properly block traffic between them (and the rest of the network).
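Added example, not taken from any post in this thread: a RouterOS 7 fragment for the hEX side that implements what the reply above describes for the OP's single WiFi VLAN 100 arriving tagged on the trunk from the switch, with the WiFi subnet allowed out to the Internet only and kept off the wired VLANs and off the router's own management. Interface names (ether1 as WAN toward the Movistar bridge, ether2 as the trunk to the switch), the bridge name bridge1, the gateway address 10.100.100.1 and the list and rule names are assumptions; adapt them to the actual export before pasting.

```routeros
# Added example, not the OP's export. Assumed: ether1 = WAN (Movistar bridge),
# ether2 = trunk to the switch carrying VLAN 100 tagged, bridge1 already exists
# and carries the wired VLANs. Paste in this order; vlan-filtering is enabled last.

# 1. VLAN 100 on the bridge: tagged on the trunk and on the bridge itself
#    (the CPU port) so the router can hold an address in it. VLAN 1 is not used.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=100

# 2. L3 interface, address and DHCP for the WiFi subnet
/interface vlan
add interface=bridge1 name=vlan100-wifi vlan-id=100
/ip address
add address=10.100.100.1/24 interface=vlan100-wifi
/ip pool
add name=pool-wifi ranges=10.100.100.100-10.100.100.200
/ip dhcp-server
add address-pool=pool-wifi interface=vlan100-wifi name=dhcp-wifi
/ip dhcp-server network
add address=10.100.100.0/24 gateway=10.100.100.1 dns-server=10.100.100.1

# 3. Interface lists so the rules do not depend on interface names
/interface list
add name=WAN
add name=WIFI
/interface list member
add interface=ether1 list=WAN
add interface=vlan100-wifi list=WIFI

# 4. All RFC1918 space counts as "local"; WiFi may only leave toward WAN
/ip firewall address-list
add list=local-nets address=10.0.0.0/8
add list=local-nets address=172.16.0.0/12
add list=local-nets address=192.168.0.0/16

/ip firewall filter
# input: WiFi clients may only talk DHCP and DNS to the router itself
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=WIFI protocol=udp dst-port=67,68 comment="wifi: dhcp"
add chain=input action=accept in-interface-list=WIFI protocol=udp dst-port=53 comment="wifi: dns"
add chain=input action=drop in-interface-list=WIFI comment="wifi: no router management"
# forward: WiFi -> Internet only, never into the wired VLANs
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface-list=WIFI dst-address-list=local-nets comment="wifi: isolate from wired VLANs"
add chain=forward action=accept in-interface-list=WIFI out-interface-list=WAN comment="wifi: internet"
add chain=forward action=drop in-interface-list=WIFI comment="wifi: drop the rest"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# 5. Only now turn on VLAN filtering, after the tagged entries exist
/interface bridge
set bridge1 vlan-filtering=yes
```

The input-chain drop is what turns "only Internet" into an actual restriction: without it a WiFi client that cannot reach the wired VLANs can still reach WinBox, SSH or the web UI on the hEX. The DNS accept only matters if the router answers DNS for clients (allow-remote-requests); if it does, the forward rules should also block port 53 toward other resolvers, or clients will simply bypass it. Nothing here touches VLAN 1 on the trunk, in line with the advice above; untagged frames from the switch's default VLAN are not given a path into the router.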
If you provide JPEGs of all the VLAN setting pages on the TP-Link switch (at least two, maybe three if PVID is a separate settings page)
and the full config of the hEX:
/export file=anynameyouwish (minus the router serial number, any public WAN IP information, keys etc.)
It should be fairly quick to straighten out.
++++++++++++++++++
Also, to be clear, is the hEX acting as a router getting a public IP from the bridged Movistar??
You note MikroTik WiFi, but the hEX is wired only, and there is no mention of another MT access point device??
I finally managed to find the key. It turns out that I had the switch configured incorrectly with respect to the port that was connected to the WAX in AP mode (in this case, port 7).
I followed your advice and omitted the VLAN 1 that comes by default on the switch. Also, analyzing it carefully, it seemed very "overkill" to use 3 SSIDs if they were going to be passed through the same cable, and the VLANs would have to be managed internally in the hEX, when really the only thing I am interested in is isolating the WiFi traffic from all the other VLANs, so I have simply left one SSID.
Now the hEX acts as a router and obtains a public IP from Movistar (bridge mode). It is connected to a switch where I have all the VLANs via cable, and port 7 is connected to the WAX204, which acts only as an AP with correct tagging.
The WiFi clients couldn't get an IP from DHCP because there were conflicts with the switch's own default VLAN 1. The rest of the VLANs worked because they used different tagged ports, but the WAX used port 1 for management, which is why it was driving me crazy.
These were some silly errors that could be solved with your clues and by fixing some details of the switch. Newbie mistakes ;D.