Problems getting VLANs between two Mikrotik devices

I have spent hours today trying to get some virtual wireless networks on a cAP-AC to work with a Mikrotik Chateau LTE. I am following old guides I have found, none of which are working. I don’t know if I should have multiple bridges or one bridge. I don’t know if VLAN interfaces are assigned to a bridge or a physical port. Is there a guide to get this working?

At present I have Device-A as the router / DHCP server and Device-B (cAP-AC) as the WAP. I want multiple SSID’s each on a different VLAN with Device-A having multiple DHCP servers for the different pools. Device-A is connected to Device-B via ethernet1 port on both.

Device-A

/interface vlan
add interface=ether1 name=vlan100 vlan-id=100

/interface bridge
add admin-mac=48:8F:5A:11:24:D8 auto-mac=no comment=defconf name=bridge protocol-mode=none vlan-filtering=yes

/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan3

/interface bridge vlan
add bridge=bridge tagged=ether1 vlan-ids=100

/ip address
add address=192.168.10.1/24 interface=bridge network=192.168.10.0
add address=192.168.100.1/24 interface=vlan100 network=192.168.100.0

Device-B

/interface bridge
add admin-mac=48:8F:5A:2D:15:F8 auto-mac=no comment=defconf name=bridgeLocal vlan-filtering=yes

/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik2 wireless-protocol=802.11
set [ find default-name=wlan2 ] disabled=no mode=ap-bridge ssid=MikroTik5 wireless-protocol=802.11
add disabled=no mac-address=4A:8F:5A:2D:15:FA master-interface=wlan1 name=wlan3 ssid=Mikrotik100 vlan-id=100 vlan-mode=use-tag wds-default-bridge=bridgeLocal wps-mode=disabled

/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal interface=wlan2
add bridge=bridgeLocal interface=wlan1

/interface bridge vlan
add bridge=bridgeLocal tagged=wlan3,ether1 vlan-ids=100

If I connect to SSID Mikrotik100 on Device-B I am unable to ping 192.168.100.1 on Device-A and when I had a DHCP server configured I was unable to get an IP address.

Any help or guides would be appreciated.

This topic taught me a lot about VLAN’s on MikroTik devices:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

I spent an hour reading this and still got nowhere. I know how VLANs work, I just dont know how to implement in routerOS.

I followed this config without success:

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

To summarize your wishes:
You want to have a trunk between the two devices
You want to separate your network into 3 VLAN’s (and perhaps an additional management lan?)

Here is a working config for a cAP ac I configured for 2 VLAN’s:

/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge1 name=VLAN60_VLAN vlan-id=60
/interface list
add name=VLAN60
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-a/g=12Mbps basic-rates-b="" country=netherlands disabled=no mode=ap-bridge rate-set=\
    configured security-profile=VLAN60_Profile ssid=VLAN60 station-roaming=enabled supported-rates-a/g=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
    supported-rates-b="" wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac basic-rates-a/g=12Mbps channel-width=20/40/80mhz-Ceee country=netherlands disabled=no \
    frequency=5500 mode=ap-bridge rate-set=configured security-profile=VLAN60_Profile ssid=VLAN60 station-roaming=enabled supported-rates-a/g=\
    12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add disabled=no mac-address=xxx master-interface=wlan1 name=wlan3 security-profile=VLAN61_PROFILE ssid=VLAN61-2.4G \
    station-roaming=enabled wmm-support=enabled wps-mode=disabled
add disabled=no mac-address=xxx master-interface=wlan2 name=wlan4 security-profile=VLAN61_PROFILE ssid=VLAN61-2.4G \
    station-roaming=enabled wmm-support=enabled wps-mode=disabled
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=60
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan3 pvid=61
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=60
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan4 pvid=61
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=61
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=60
add bridge=bridge1 tagged=ether1 vlan-ids=61
/interface list member
add interface=VLAN60_VLAN list=VLAN60

Thanks. Do you have similar config for the other Mikrotik router with DHCP server?

Your wish…

/interface bridge
add name=bridge-LAN protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-nas
set [ find default-name=ether3 ] name=ether3-solar
set [ find default-name=ether5 ] name=ether5-ap
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=bridge-LAN name=VLAN60_VLAN vlan-id=60
add interface=bridge-LAN name=VLAN61_VLAN vlan-id=61
add interface=bridge-LAN name=SOLAR_VLAN vlan-id=63
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2-nas pvid=60
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3-solar pvid=63
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=61
add bridge=bridge-LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5-ap
/interface bridge vlan
add bridge=bridge-LAN tagged=bridge-LAN,ether5-ap vlan-ids=60
add bridge=bridge-LAN tagged=bridge-LAN,ether5-ap vlan-ids=61
add bridge=bridge-LAN tagged=bridge-LAN vlan-ids=63
/interface list member
add interface=ether1-wan list=WAN
add interface=VLAN60_VLAN list=LAN
add interface=VLAN61_VLAN list=LAN
add interface=SOLAR_VLAN list=LAN

In addition: eth5 is the trunk port, connected to the cAP ac, all other ports (except for eth1 being the WAN port) are accessports.

Thanks for the configs. I’ll try and piece it all together.

So I’ve spent another night on this and I’ve got closer after reading through the posts in this thread but I can’t get it working as it should

I have two VLANs, 10 (INTERNAL_VLAN) and 99 (MGT_VLAN)

I can get a DHCP address via VLAN 10 and VLAN 99 (after a very large delay)

I have intermittent internet access on VLAN 10, no internet on VLAN 99

Internet is extremely slow

I can’t perform a config export as the .in_progress file just sits at 13.7kB

Config:

/interface/export
# nov/22/2020 22:03:48 by RouterOS 7.1beta3
# software id = 8DD5-P647
#
# model = RBD53G-5HacD2HnD

/interface bridge
add admin-mac=48:8F:5A:11:24:D8 auto-mac=no name=bridge protocol-mode=none vlan-filtering=yes

/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-Ce country=australia disabled=no distance=indoors frequency=auto installation=indoor keepalive-frames=disabled \
    mode=ap-bridge multicast-buffering=disabled multicast-helper=full ssid=LIBERTY station-roaming=enabled wireless-protocol=802.11 wmm-support=enabled
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-onlyac channel-width=20/40/80mhz-Ceee country=australia disabled=no distance=indoors frequency=auto installation=indoor keepalive-frames=\
    disabled mode=ap-bridge multicast-buffering=disabled multicast-helper=disabled ssid=LIBERTY_AC station-roaming=enabled wireless-protocol=802.11 wmm-support=enabled
add disabled=no mac-address=4A:8F:5A:11:24:DE master-interface=wlan1 multicast-helper=full name=wlan3 ssid=ESPHOME wds-default-bridge=bridge wps-mode=disabled

/interface lte
set [ find ] allow-roaming=no band=1,3,7,20,8,38,40,41,5,28 name=lte1 network-mode=lte

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1 private-key="xxxxxxx"

/interface vlan
add interface=bridge name=INTERNAL_VLAN vlan-id=10
add interface=bridge name=MGT_VLAN vlan-id=99

/interface list
add name=WAN
add name=VLAN
add name=MGT

/interface lte apn
set [ find default=yes ] apn=telstra.extranet ip-type=ipv4 name=telstra_extranet

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" group-key-update=1h mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=xxxxxxx wpa2-pre-shared-key=\
    xxxxxxx
add authentication-types=wpa2-psk mode=dynamic-keys name=MGT supplicant-identity=MikroTik wpa2-pre-shared-key=xxxxxxx

/interface wireless
add disabled=no mac-address=4A:8F:5A:11:24:DF master-interface=wlan2 name=wlan4 security-profile=MGT ssid=LIBERTY_MGT wps-mode=disabled

/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan4 pvid=99
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether1 pvid=99

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=wlan4,ether1 vlan-ids=99
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,ether5,wlan1,wlan2,wlan3 vlan-ids=10

/interface detect-internet
set detect-interface-list=all

/interface list member
add interface=lte1 list=WAN
add interface=MGT_VLAN list=VLAN
add interface=MGT_VLAN list=MGT
add interface=INTERNAL_VLAN list=VLAN

/interface wireguard peers
add allowed-address=192.168.200.10/32 endpoint="[::]:0" interface=wireguard1 persistent-keepalive=25 preshared-key="xxxxxxxxx" public-key=\
    "xxxxxxxxx"

/ip export

/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot

/ip pool
add name=MGT_POOL ranges=10.0.99.11-10.0.99.254
add name=INTERNAL_POOL ranges=192.168.10.11-192.168.10.254

/ip dhcp-server
add address-pool=MGT_POOL disabled=no interface=MGT_VLAN lease-time=10h name=MGT_DHCP
add address-pool=INTERNAL_POOL disabled=no interface=INTERNAL_VLAN lease-time=10h name=INTERNAL_DHCP

/ip address
add address=192.168.200.1/24 interface=wireguard1 network=192.168.200.0
add address=10.0.99.1/24 interface=MGT_VLAN network=10.0.99.0
add address=192.168.10.1/24 interface=INTERNAL_VLAN network=192.168.10.0

/ip dhcp-server network
add address=10.0.99.0/24 dns-server=10.0.99.1 gateway=10.0.99.1
add address=192.168.10.0/24 dns-server=192.168.10.1 domain=home gateway=192.168.10.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1

/ip firewall address-list
add address=192.168.10.11-192.168.10.255 list=lan_clients
add address=192.168.10.100 list=support
add address=192.168.200.10 list=support
add address=192.168.200.11 list=support

/ip neighbor discovery-settings
set discover-interface-list=MGT

/ip firewall filter
add action=accept chain=input comment="TEMP Allow VLAN Full Access" in-interface-list=VLAN
add action=accept chain=input comment="Allow MGT_VLAN Full Access" in-interface-list=MGT
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=!support
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
add action=accept chain=input comment="wireguard accept" dst-port=13231 in-interface=lte1 protocol=udp
add action=accept chain=input comment="wireguard accept dns" dst-port=53 in-interface=wireguard1 protocol=udp src-address-list=support
add action=accept chain=input comment="wireguard accept ssh" dst-port=22 in-interface=wireguard1 protocol=tcp src-address-list=support
add action=accept chain=input comment="wireguard accept winbox" dst-port=8291 in-interface=wireguard1 protocol=tcp src-address-list=support
add action=accept chain=input comment="wireguard accept http/https" dst-port=80,443 in-interface=wireguard1 protocol=tcp src-address-list=support
add action=accept chain=forward comment="wireguard accept to lan" dst-address=192.168.10.0/24 in-interface=wireguard1 src-address-list=support
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!*2000011
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=";;; force DNS" disabled=yes dst-address=!192.168.10.2 dst-port=53 in-interface=bridge protocol=udp src-address=!192.168.10.2 src-address-list=!support \
    to-addresses=192.168.10.2
add action=masquerade chain=srcnat comment=";;; force DNS" disabled=yes dst-address=192.168.10.2 dst-port=53 protocol=udp src-address=192.168.10.0/24 src-address-list=!support

/ip service
set telnet disabled=yes
set ftp disabled=yes

/ip vrf
add list=all name=main

Your trunk port (the one between the Audience and the cAP ac) should be a trunk port. Therefor, on /interface bridge port this port should be be marked on the bridge with default pvid 1 and VLAN tagged only). Same on the trunk port of the cAP ac. Please check again the samples I provided.

On /interface bridge vlan you only mark tagged ports (untagged will be handled automatically). You only configured the bridge, the trunk port is missing.

As erlinded stated you dont need to untag access ports on the bridge vlan rules (but word is NEED not absolute), I actually prefer to put them in the rules as it allows me to see the logic and functionality actually being applied on each line of the config.

Correct the ports that connect the smart devices need to be tagged as well as the bridge.
If you want to have all devices being controlled by the management VLAN then each device gets its IP from the managment vlan

I’ve taken the cAP out of the picture initially, I was trying to get the VLANs working before trying the trunk port and cAP. I have initially followed this config from the pages mentioned up top of this thread - Using RouterOS to VLAN your network

The intention was to get the VLAN's working on wireless interfaces and to provide a MGT VLAN before I tried to convert ether1 to a trunk port and introduce the cAP with VLAN's 10 and 99. In the config example posted above I had tried to put ether1 on VLAN 99 and an access port to see if I could get DHCP working on ethernet vs wireless.

The MGT VLAN should only be used to access HTTP/S and SSH ports on the devices, each VLAN has an interface on the main router that serves DHCP, DNS etc.

I have no idea what you are talking about (too much kangaroo boxing??) . On the internal network only admin staff should have access to the management lan, and one still needs the right IP address if you have done it right, and of course username and password (and non-standard winbox port). If you need remote access, use VPN. All the switches that need it and access points have IPs on the management vlan.

Obviously if its a home network one may have a trusted home vlan acting also as a management vlan in terms of admin access and having all devices switches and APs getting their IPs from that trusted vlan.

Not sure whats so hard to understand. I’ll try and make it simpler for you.

VLAN 10 - INTERNAL VLAN
VLAN 99 - MGT VLAN

I have a 5 port Mikrotik Chateau LTE router with 4 SSIDs.

• 4 ethernet ports should be on INTERNAL VLAN 10 as access ports (ether2-5). 1 port should be on MGT VLAN 99 as access port (ether1).
• 3 of the wireless networks should be on VLAN 10, the 4th wireless network should be on MGT VLAN 99.
• Admin interfaces on the router (SSH, HTTP/S) should only be accessible from VLAN 99.

Router interface addresses:

• VLAN 99; 10.0.99.1/24

• VLAN 10; 192.168.10.1/24

• DHCP servers for VLAN 10 and VLAN 99.

• DNS listener on routers VLAN 10 and VLAN 99 interfaces.

Expectations:

• a user can join a VLAN 10 network (wifi or ethernet) and get a VLAN 10 IP address
• an admin can join a VLAN 99 network (wifi or ethernet) and get a VLAN 99 IP address
• internet access via SRCNAT NAT rule on router

Once this is working I want to turn ether1 into a trunk port and trunk VLAN 10 and VLAN 99 to the cAP AC.
cAP AC admin interfaces (SSH, HTTP/S) should only be available on VLAN 99, ether2 will be a trunk port for VLAN 10 and 99 ( to connect another cAP AC to) and it will have a VLAN 10 wireless network.

Not sure how I can be much clearer.

ps - I haven’t seen a kangaroo here in Australia for years, dropbears are another issue though.