Question: SSIDs on different VLANs on LAN

Dear all,

I’m new to RouterOS, although I have experience configuring firewalls (Palo Alto).
I’m using a MikroTik hAP ax3.
Target setup:

  • Use it as an access point for different WLANs
  • Use different SSIDs for different access rights
  • Each SSID should use a different VLAN on the LAN interface
  • No need for any firewall rules, Internet/LAN access is configured on the Palo Alto firewall

I deleted the default bridge.
I connected eth2 to the main LAN switch.
I managed to assign an IP to eth2.
I can connect from the LAN to the AP.

I added a VLAN to eth2:

[admin@MikroTik] /ip> address/print
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS            NETWORK        INTERFACE
;;; LAN
0 192.168.xx.91/24   192.168.xx.0   ether2
;;; Influencershit
1 192.168.xy.91/24  192.168.xy.0  vlan198



 /ip/route> print detail
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, i - is-is, d - dhcp, v - vpn, m - modem, y - bgp-mpls-vpn;
H - hw-offloaded; + - ecmp
   DAc   dst-address=192.168.xx.0/24 routing-table=main gateway=ether2 immediate-gw=ether2 distance=0 scope=10 suppress-hw-offload=no local-address=192.168.xx.91%ether2

   DAc   dst-address=192.168.xy.0/24 routing-table=main gateway=vlan198 immediate-gw=vlan198 distance=0 scope=10 suppress-hw-offload=no local-address=192.168.xy.91%vlan198



/interface/vlan> print
Flags: R - RUNNING
Columns: NAME, MTU, ARP, VLAN-ID, INTERFACE
#   NAME      MTU  ARP      VLAN-ID  INTERFACE
;;; Influencer
0 R vlan198  1500  enabled      198  ether2

I can ping the default gateway for eth2, but I can’t ping the default gateway for vlan198
Am I missing some basic understanding?

Do I need a bridge to have one physical interface acting as a hybrid port, supporting both untagged and VLAN tagged networks?
Saw something along these lines when browsing previous posts.

Once this is sorted, the next question comes up about routing:
The different VLANs will each have their respective firewall subinterface as the default route
The untagged LAN interface (eth2) has a corresponding LAN firewall interface as the default route

How can I create a routing table with different default routes based on the source interface?

I tried adding different default routes but not sure this is correct:

/ip/route> print detail
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, i - is-is, d - dhcp, v - vpn, m - modem, y - bgp-mpls-vpn;
H - hw-offloaded; + - ecmp
 0  IsH  dst-address=0.0.0.0/0 routing-table=main pref-src=192.168.xy.91 gateway=192.168.xy.254 immediate-gw="" check-gateway=ping distance=1 scope=30 target-scope=10
         vrf-interface=vlan198 suppress-hw-offload=no

 1  As   ;;; LAN management
         dst-address=0.0.0.0/0 routing-table=main pref-src=192.168.xx.91 gateway=192.168.xx.2 immediate-gw=192.168.xx.2%ether2 check-gateway=ping distance=1 scope=30
         target-scope=10 vrf-interface=ether2 suppress-hw-offload=no

   DAc   dst-address=192.168.xx.0/24 routing-table=main gateway=ether2 immediate-gw=ether2 distance=0 scope=10 suppress-hw-offload=no local-address=192.168.xx.91%ether2

   DAc   dst-address=192.168.xy.0/24 routing-table=main gateway=vlan198 immediate-gw=vlan198 distance=0 scope=10 suppress-hw-offload=no local-address=192.168.xy.91%vlan198

Thanks and Regards,
Andreas

A network diagram would do magic because the language you use is a bit ambiguous. Also, an exported config is always good to have:

/export file=anynameyouwish

I’ll try to create a network diagram later.

Target state in different words:

So far everything at home is wired.
Now I have a need for some WLAN devices to access the Internet.

WLANs should have no access to the internal network. Should be completely separated.
For that, each SSID should be on a different VLAN on the LAN side of the access point.
Each VLAN is terminated on the firewall and routing to the Internet happens on the firewall.

So each SSID WLAN should have a default route pointing to the different firewall VLAN interfaces as the default gateway.

Hope that makes sense.

Config (I just started)

# 2024-05-07 12:23:12 by RouterOS 7.12.1
# software id = 016R-KMTY
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = 
/interface wifiwave2
set [ find default-name=wifi1 ] configuration.country=Switzerland .mode=ap \
    .ssid=xx disabled=no
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Switzerland .mode=ap .ssid=xy \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface vlan
add comment=Influencer interface=ether2 name=vlan198 use-service-tag=yes \
    vlan-id=198
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface bridge port
add bridge=*8 comment=defconf disabled=yes interface=ether2
add bridge=*8 comment=defconf interface=ether3
add bridge=*8 comment=defconf interface=ether4
add bridge=*8 comment=defconf interface=ether5
add bridge=*8 comment=defconf interface=*6
add bridge=*8 comment=defconf interface=wifi2
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all
/interface list member
add comment=defconf interface=ether2 list=LAN
/ip address
add address=192.168.98.91/24 comment=LAN interface=ether2 network=\
    192.168.98.0
add address=192.168.198.91/24 comment=Influencershit interface=vlan198 \
    network=192.168.198.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.98.201
/ip dns static
add address=192.168.98.208 name=w2k22dc
add address=192.168.98.201 name=w2k12base
add address=1.1.1.1 name=google
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=ping comment="LAN management" disabled=no dst-address=\
    0.0.0.0/0 gateway=192.168.98.2 pref-src=192.168.98.91 routing-table=main \
    suppress-hw-offload=no vrf-interface=ether2
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=\
    192.168.198.254 pref-src=192.168.198.91 routing-table=main \
    suppress-hw-offload=no vrf-interface=vlan198
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Zurich
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.98.201


This is straightforward: you are simply using the hAP ax3 as an AP/switch.
Thus I would expect the input port is a trunk port carrying all the VLANs required for data and the management VLAN (which may be considered an already existing trusted user VLAN).

So which VLANs are coming into the hAP ax3?
Which VLAN/subnet is considered the management VLAN? By the way, this is the subnet where the hAP ax3 gets its IP address from.

Hi Anav,

Agreed, I had thought that this should be straightforward.

192.168.98.0/24 is the normal LAN with all servers and clients in the internal network.
Default gateway is 192.168.98.2
I can ping the gateway and I was able to upgrade to the latest software.
The AP has a fixed IP assigned in the LAN 192.168.98.91 on ether2
192.168.98.0/24 is the default VLAN with ID 1 and is normally not tagged.

I then added a VLAN vlan198 to ether2

Routing:

/routing/route> print
Flags: U - UNREACHABLE, A - ACTIVE; c - CONNECT, s - STATIC; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
    DST-ADDRESS       GATEWAY          AFI   DISTANCE  SCOPE  TARGET-SCOPE  IMMEDIATE-GW
UsH 0.0.0.0/0         192.168.198.254  ip4          1     30            10
;;; LAN management
As  0.0.0.0/0         192.168.98.2     ip4          1     30            10  192.168.98.2%ether2
Ac  192.168.98.0/24   ether2           ip4          0     10                ether2
Ac  192.168.198.0/24  vlan198          ip4          0     10                vlan198
A H ether2                             link         0
A H vlan198                            link         0

But I seem to be missing something basic, since I can’t ping the vlan firewall interface:

 ping 192.168.198.254
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 192.168.198.254                                              timeout
    1 192.168.198.254                                              timeout
    2 192.168.198.91                             84  64 935ms173us host unreachable
    3 192.168.198.254                                              timeout
    4 192.168.198.254                                              timeout
    5 192.168.198.254                                              timeout
    6 192.168.198.91                             84  64 122ms521us host unreachable
    sent=7 received=0 packet-loss=100%

I was reading through some other articles and it sounded like I need to define a bridge in order to use ether2 as a hybrid port for both untagged and tagged VLAN traffic?

Thanks and Regards,
Andreas

Sorry, but you’re not making sense.

You want different VLANs (at least two) to enter the MT AP, so it can distribute them over WIFI.
If one of those two VLANs is not a trusted subnet (limited to trusted users, aka home vice guest) then one should have a separate management subnet, but will leave that for now.

The question becomes: on your upstream router, can you create VLANs? Assuming the answer is yes because you want multiple subnets running with the main router providing DHCP etc…
You need to provide more detail.


All the hapax needs to know is
What is its IP address assigned on the trusted subnet
This address will be inserted into the MT AP.
Which vlans are coming in ether2 assuming VLAN10 and VLAN20 for example 10=home and 20=guest etc… 99 could be management etc.

Then the setup becomes…fairly simple.
+++++++++++++++++++++++++++++++++++++++++++++++

CONFIG

/interface bridge
add ingress-filtering=no name=bridge vlan-filtering=yes

/interface ethernet
set [ find default-name=ether2 ] name=trunk-fromPA
set [ find default-name=ether5 ] name=offbridge comment="access config off bridge"

/interface vlan
# mandatory: the management vlan must be identified in /interface vlan - do not put any other vlans here!!
add interface=bridge name=trustedVlan98 vlan-id=98

/interface list
add name=management

/interface wifi
# as required for the hAP ax3 (wifi1/wifi2 under /interface wifi; /interface wifiwave2 on 7.12)
set [ find default-name=wifi1 ] name=trusted-wlan configuration.mode=ap .ssid=Regular
set [ find default-name=wifi2 ] name=guest-wlan configuration.mode=ap .ssid=Guests

/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=trunk-fromPA
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=trusted-wlan pvid=98
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=guest-wlan pvid=198
# ADD either VLAN to other physical ports as untagged if you want to attach other dumb devices to the MT device
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=98
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=98
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=98
# RECOMMEND: take ether5 OFF the bridge as an emergency or off-bridge access for safe configuring

/ip neighbor discovery-settings
set discover-interface-list=management

/interface bridge vlan
add bridge=bridge tagged=bridge,trunk-fromPA untagged=trusted-wlan,ether1,ether3,ether4 vlan-ids=98
add bridge=bridge tagged=bridge,trunk-fromPA untagged=guest-wlan vlan-ids=198

/interface list member
add interface=trustedVlan98 list=management
add interface=offbridge list=management

/ip address
add address=192.168.98.91/24 interface=trustedVlan98 network=192.168.98.0 comment="IP of hapax on trusted subnet"
add address=192.168.36.1/24 interface=offbridge network=192.168.36.0 comment="ether5 access off bridge"

NOTE: To access the hapax3 simply plug into ether5 and change your nic card IPV4 settings to 192.168.36.X for example.

/ip dns
# Note: done so all dns requests use the trusted subnet
set allow-remote-requests=yes servers=192.168.98.1

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.98.1 comment="ensures route avail through trusted subnet gateway"

/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.98.1

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

You CANNOT accept two subnets on ether2 the way you are trying.
You could make it a hybrid port, in that you could accept a VLAN coming in and the main subnet untagged, but THAT HAS TO BE DONE ON THE Palo Alto side as well.
In other words, the Palo Alto device must be capable of setting up its port as hybrid. I contend it is much easier to set both up as trunk ports on both sides.
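The hybrid-port variant Anav mentions (management VLAN untagged plus a guest VLAN tagged on the same uplink) is possible on the MikroTik side only with a VLAN-filtering bridge. The following is an added example written for this page; it is neither Anav's nor Andreas's configuration. It keeps the thread's numbers (VLAN 98 management with gateway 192.168.98.2, VLAN 198 guest) and assumes the names bridge1 and mgmt98, the SSID Guests and a placeholder passphrase.

```routeros
# Added example (not from the thread): hAP ax3 as a VLAN-aware AP whose uplink
# ether2 is a hybrid port: VLAN 98 untagged (management), VLAN 198 tagged (guest SSID).
# The firewall port on the other end of ether2 must be set up the same way
# (98 native/untagged, 198 tagged) or neither VLAN will work.

/interface bridge
# vlan-filtering stays off until the VLAN table below is complete; switching it on
# first cuts management access while the table is still empty
add name=bridge1 vlan-filtering=no

/interface wifi
# SSID name and passphrase are placeholders
set [ find default-name=wifi2 ] configuration.mode=ap .ssid=Guests \
    security.authentication-types=wpa2-psk,wpa3-psk \
    security.passphrase="CHANGE-ME-placeholder" disabled=no

/interface bridge port
# hybrid uplink: untagged frames land in VLAN 98, tagged 198 is accepted, any other
# tag is dropped by ingress filtering because it is not in the VLAN table
add bridge=bridge1 interface=ether2 pvid=98 ingress-filtering=yes frame-types=admit-all
# guest SSID: wireless clients send untagged frames, the port assigns them to 198 and
# rejects frames that arrive tagged, so a client cannot tag its way into VLAN 98
add bridge=bridge1 interface=wifi2 pvid=198 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
# bridge1 is a tagged member of 98 so the router CPU is reachable on the management VLAN
add bridge=bridge1 vlan-ids=98 tagged=bridge1 untagged=ether2
# the CPU is deliberately not a member of 198: the AP has no address in the guest VLAN
add bridge=bridge1 vlan-ids=198 tagged=ether2 untagged=wifi2

/interface vlan
add name=mgmt98 interface=bridge1 vlan-id=98

/ip address
add address=192.168.98.91/24 interface=mgmt98 network=192.168.98.0

/ip route
# one default route via the management gateway is enough: the AP needs it only for
# its own traffic (updates, NTP); guest traffic in 198 is bridged, never routed here
add dst-address=0.0.0.0/0 gateway=192.168.98.2

/interface bridge
set bridge1 vlan-filtering=yes
```

Two design points: the AP keeps no L3 presence in VLAN 198 at all, so a guest client has nothing of the AP's to reach except its own SSID, and the combination of ingress-filtering=yes with frame-types on the wireless port is what makes the VLAN separation hold against a client that tags its own frames. If the firewall port is instead configured as a pure trunk (both VLANs tagged), change ether2 to frame-types=admit-only-vlan-tagged and move it from untagged to tagged in the VLAN 98 entry, which is Anav's layout above.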

Hi Anav,

Of course I can define VLANs on my firewall (upstream router in your terms).

Firewall interface list:

total configured logical interfaces: 13

name                id    vsys zone             forwarding               tag    address
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/3         18    1    L3untrust        vr:VR2                   0      
ethernet1/4         19    1                     N/A                      0      N/A
ethernet1/4.1       257   1    L3trust          vr:VR2                   1      192.168.98.2/24
ethernet1/4.10      258   1    VOIPDMZ          vr:VR2                   10     192.168.100.2/24
ethernet1/4.70      256   1    WLAN             vr:VR2                   70     192.168.70.254/24
ethernet1/4.198     260   1    influencer       vr:VR2                   198    192.168.198.254/24

On the MT AP 192.168.98.91 (assigned to ether2) should be just used for managing the MT AP.

WLAN clients should get an IP from the MT AP via a DHCP server I still need to configure and then the WLAN client IPs should get NATed to 192.168.198.91 on VLAN 198

VLAN 198 is separated from the internal LAN on the firewall and will only have Internet access

Thanks and Regards,
Andreas

Not being clear,

The MT you stated should be used as an AP.
The PA you stated handles creation of vlans/subnets and handles DHCP.

  1. On the MT AP 192.168.98.91 (assigned to ether2) should be just used for managing the MT AP.

Understood that the IP address is assigned to the MT device and thus it’s on what you call the management subnet or TRUSTED subnet.
So are there TWO other VLANs for WIFI, or is one of the WLANs for the trusted subnet? In other words, you may need two or possibly three VLANs to the AP.

  2. WLAN clients should get an IP from the MT AP via a DHCP server
    WRONG, if the MT is an AP/switch, the devices get their IP from the upstream router; if you want the MT to give them, then the whole setup is completely different and the MT device will have to be set up as a router.

  3. VLAN 198 is separated from the internal LAN on the firewall and will only have Internet access
    Okay so that’s WLAN2, if WLAN1 is the trusted subnet.
    Separation of the VLANs is done on the upstream router, as well as determining Internet access, via its firewall rules. The MT device is simply taking the VLANs and distributing them out WIFI.

    I adjusted the config above so it’s closer to your numbers/scenario, assuming MT is simply AP/switch.

Hi Anav,

thanks a lot for the clarification.

Your remark:
2. WLAN clients should get an IP from the MT AP via a DHCP server
WRONG, if the MT is an AP/switch, the devices get their IP from the Upstream Router, if you want the MT to give them, then the whole setup is completely different and the MT device will have to be setup as a router.

seems to be the important one.

I’ll do a bit more RTFM since it looks like this is what I need.

I have a similar setup currently running on a Raspberry Pi, but it doesn’t have enough WiFi power.

 ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.98.90  netmask 255.255.255.0  broadcast 192.168.98.255
        
influencer: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.198.90  netmask 255.255.255.0  broadcast 192.168.198.255
        
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.42.0.1  netmask 255.255.255.0  broadcast 10.42.0.255



 route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.198.254 0.0.0.0         UG    20     0        0 influencer
default         192.168.98.2    0.0.0.0         UG    100    0        0 eth0
10.42.0.0       0.0.0.0         255.255.255.0   U     600    0        0 wlan0
192.168.98.0    0.0.0.0         255.255.255.0   U     100    0        0 eth0
192.168.198.0   0.0.0.0         255.255.255.0   U     20     0        0 influencer

Thanks and Regards,
Andreas

OK, I did a bit more RTFM and played around with the config.
I simplified the setup a bit:

ether5 is now used for managing the device (LAN: 192.168.98.0/24)
ether1 is used to connect to the firewall (WLAN network 192.168.198.0/24, VLAN =198)
Firewall interface is at 192.168.98.254, used as the default gateway for the AP

It seems to work more or less OK, except for a couple of issues:

  • sometimes I don’t have an Internet connection from the WLAN
  • DHCP on WLAN is not working. I have to configure the IP manually.

current config:

# 2024-05-13 01:56:03 by RouterOS 7.14.3
# software id = 016R-KMTY
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = 
/interface bridge
add ingress-filtering=no name=bridge1 pvid=198 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
set [ find default-name=ether5 ] comment=mgmt
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Switzerland .mode=ap .ssid=MikroTik-328170 \
    datapath.vlan-id=198 disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .connect-priority=0 .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Switzerland .mode=ap .ssid=MikroTik-328170 \
    datapath.vlan-id=198 disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .connect-priority=0 .ft=yes .ft-over-ds=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.198.10-192.168.198.80
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1 server-address=\
    192.168.198.253
/interface bridge port
add bridge=bridge1 comment=defconf ingress-filtering=no interface=wifi1 pvid=\
    198
add bridge=bridge1 comment=defconf ingress-filtering=no interface=wifi2 pvid=\
    198
add bridge=bridge1 ingress-filtering=no interface=ether1 pvid=198
/ipv6 settings
set disable-ipv6=yes forward=no
/interface bridge vlan
add bridge=bridge1 tagged=ether1,wifi1,wifi2,bridge1 vlan-ids=198
/interface list member
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.198.253/24 interface=ether1 network=192.168.198.0
add address=192.168.98.91/24 interface=ether5 network=192.168.98.0
add address=192.168.198.1/24 interface=wifi1 network=192.168.198.0
add address=192.168.198.2/24 interface=wifi2 network=192.168.198.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.198.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=\
    192.168.198.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.198.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set ssh address=192.168.98.0/24
/system clock
set time-zone-name=Europe/Zurich
/system note
set show-at-login=no

Any idea what is wrong with the DHCP server configuration?

Thanks and Regards,
Andreas
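One cause of the DHCP failure is visible in the 7.14.3 export itself: the 192.168.198.x addresses are placed on ether1, wifi1 and wifi2, which are bridge ports (RouterOS does not use addresses on bridge slave ports), while dhcp1 is bound to bridge1, which has no address in 192.168.198.0/24; a DHCP server whose interface carries no address in its pool's subnet is marked invalid and hands out nothing. Since bridge1 is already a tagged member of VLAN 198, the place for the address and the server is a VLAN interface on top of the bridge. The fragment below is an added example that corrects exactly that part of the export; it is not Andreas's configuration, and the interface name vlan198 is an assumption.

```routeros
# Added example (not from the thread): move the guest subnet address and the DHCP
# server from bridge ports to a VLAN interface on bridge1. Everything else in the
# export (bridge, ports, VLAN table, wifi) stays as it is.

/interface vlan
# bridge1 is tagged in 198 (see /interface bridge vlan in the export), so this is
# the L3 interface through which the CPU sees VLAN 198
add name=vlan198 interface=bridge1 vlan-id=198

/ip address
# addresses on bridge slave ports are never used; remove them
remove [ find interface=ether1 ]
remove [ find interface=wifi1 ]
remove [ find interface=wifi2 ]
add address=192.168.198.253/24 interface=vlan198 network=192.168.198.0

/ip dhcp-server
# bind the existing server to the interface that now holds an address in the pool's subnet
set dhcp1 interface=vlan198 address-pool=dhcp

/ip dhcp-server network
# clients keep the firewall as their gateway; the AP only issues leases
set [ find address=192.168.198.0/24 ] gateway=192.168.198.254 \
    dns-server=1.1.1.1,8.8.8.8

# verification: the I (invalid) flag on dhcp1 should be gone
/ip dhcp-server print
```

Two consequences worth keeping in mind: the AP now has an address inside the guest VLAN, so the `/ip service` restriction already present for ssh (address=192.168.98.0/24) should be applied to winbox and www as well, and the firewall remains the only router for the guest subnet, so whether VLAN 198 can reach anything beyond the Internet is still decided entirely by its rules. The intermittent loss of Internet from the WLAN is not explained by anything in the export and is left out of this example.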