RB2011iL + CSS326-24G-2S + hAP Ax3 VLANS working but...

Hi,

Long story short. My previous setup was RB2011iL + 2x hAP AC3. It was working fine with AC3 as CAP and RB2011iL as main router and CAPsMAN with two subnets (people and iot) configured via datapaths. I got hAP Ax3 to replace AC3 but it turned out RB2011 CAPsMAN was unable to control Ax3, so I got CSS326-24G-2S and opted for Ax3 as standalone APs and VLANs to separate the two subnets.

Here is a simplified config of my present setup.
On RB2011iL:

# 2023-09-10 01:10:44 by RouterOS 7.11.2
#
# model = RB2011iL
/interface vlan
add interface=ether2 name=vlan12-iot vlan-id=12
add interface=ether2 name=vlan24-users vlan-id=24
/interface pppoe-client
add disabled=no interface=ether1 name=pppoe-out1 user=USER
/interface list
add name=WAN
add name=LAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-vlan12 ranges=192.168.12.2-192.168.12.254
add name=pool-vlan24 ranges=192.168.24.4-192.168.24.254
/ip dhcp-server
add address-pool=pool-vlan12 interface=vlan12-iot lease-time=1d name=dhcp-vlan12
add address-pool=pool-vlan24 interface=vlan24-users lease-time=1d name=dhcp-vlan24
/interface list member
add interface=pppoe-out1 list=WAN
add interface=vlan12-iot list=VLAN
add interface=vlan24-users list=VLAN
add interface=ether10 list=LAN
/ip address
add address=192.168.12.1/24 interface=vlan12-iot network=192.168.12.0
add address=192.168.24.1/24 interface=vlan24-users network=192.168.24.0
/ip dhcp-server network
add address=192.168.12.0/24 dns-server=192.168.12.1 gateway=192.168.12.1
add address=192.168.24.0/24 dns-server=192.168.24.1 gateway=192.168.24.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.12.0/24 list=vlan12
add address=192.168.24.0/24 list=vlan24
/ip firewall nat
add action=masquerade chain=srcnat src-address-list=vlan12
add action=masquerade chain=srcnat src-address-list=vlan24
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out1

On Ax3s:

# 1970-01-02 02:55:37 by RouterOS 7.11.2
#
# model = C53UiG+5HPaxD2HPaxD
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface wifiwave2 channel
add band=2ghz-ax disabled=no frequency=2412,2432,2472 name=ch2 skip-dfs-channels=10min-cac width=20mhz
add band=5ghz-ax disabled=no frequency=5180,5260,5500 name=ch5 skip-dfs-channels=10min-cac width=20/40/80mhz
/interface wifiwave2 security
add authentication-types=wpa2-psk disabled=no name=sec-users
add authentication-types=wpa2-psk disabled=no name=sec-iot
/interface wifiwave2 configuration
add channel=ch2 disabled=no mode=ap name=cfg2-users security=sec-users ssid="SSID for users 2GHz"
add channel=ch2 disabled=no mode=ap name=cfg2-iot security=sec-iot ssid="SSID for iot"
add channel=ch5 disabled=no mode=ap name=cfg5-users security=sec-users ssid="SSID for users 5GHz"
/interface wifiwave2
set [ find default-name=wifi2 ] configuration=cfg2-users configuration.mode=ap disabled=no
add configuration=cfg2-iot configuration.mode=ap disabled=no mac-address=7A:9A:18:13:DA:54 master-interface=wifi2 name=wifi2-iot
set [ find default-name=wifi1 ] configuration=cfg5-users configuration.mode=ap disabled=no name=wifi5
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=24
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi2-iot pvid=12
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi5 pvid=24
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
/interface bridge settings
set allow-fast-path=no
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=12
add bridge=bridge1 tagged=ether1 vlan-ids=24

On CSS326-24G-2S:
port1: trunk port connected to RB2011iL ether2
port2: trunk port connected to Ax3_1 ether1
port3: trunk port connected to Ax3_2 ether1
port4: access port vlanid=12 connected to IOT server
port5-port24: access ports vlanid=24 for users
Administrative access allowed from VLAN=24

This works as intended with both wired and wifi connections. However, there are two things I do not know how to achieve:

  1. Ax3 have 5 ether ports. I want them to be a part of vlan=24, and the only thing that came to my mind was to add those ports to the bridge with:
/interface bridge port 
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=24
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=24
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=24
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=24

Unfortunately, it does not work. Can this be even done, or are those ports unusable?

  2. When I’m connected to Ax3 wifi, winbox discovers only RB2011 and CSS326-24G-2S. If I want to access the Ax3s I have to use a wired connection directly to them from my laptop. How can I set things up so that I can access them via wifi?

This is a correct configuration. I don’t have an ax3, but I seem to remember other forum threads mentioning bugs in some recent ROS versions regarding bridge HW offload on IPQ-6010 devices. So you may want to disable HW offload on all wired ports (including the ether1 trunk) by setting “hw=no”. You will be able to change this back (to yes) after the bug is fixed (probably in 7.12).


Bridge CPU-facing port (inconveniently called “bridge”, implicitly created together with bridge - the switch-like entity) is not part of any of VLANs (neither 12 nor 24). You have two options:

  1. set pvid on bridge port (under /interface/bridge)
  2. add bridge as tagged port to desired VLAN (under /interface/bridge/vlan) and create a vlan interface (under /interface/vlan) with corresponding vlan-id

My personal choice would be option #2; it makes a clearer distinction between the bridge switch-like entity and the interface (via which the device then interacts with the rest of the network).
You don’t have any IP setup on hAP ax3 … which is fine as long as you’re using winbox to configure it. If you’ll decide to add IP setup for any reason, you’ll reuse the result of the exercise above (either bridge with pvid set or vlan interface).
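Option #2 from the reply above, written out as a RouterOS export fragment for the hAP ax3 (an added example, not the thread’s own config): the CPU-facing bridge1 becomes a tagged member of VLAN 24, a vlan interface is created on it, the extra ether ports are VLAN 24 access ports, and hw=no is set on the wired ports as suggested. The interface name vlan24-mgmt and the management address 192.168.24.2 are assumptions (chosen below the RB2011’s pool-vlan24, which starts at .4).

```routeros
# Added example, not from the original post. Assumes bridge1, ether1 trunk
# and the VLAN 24 entry from the ax3 config above already exist.
/interface bridge port
# ether2-ether5 as untagged VLAN 24 access ports, HW offload disabled
add bridge=bridge1 interface=ether2 pvid=24 hw=no frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether3 pvid=24 hw=no frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether4 pvid=24 hw=no frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether5 pvid=24 hw=no frame-types=admit-only-untagged-and-priority-tagged
# also disable offload on the existing trunk port
set [ find interface=ether1 ] hw=no
/interface bridge vlan
# make the CPU-facing port (bridge1) a tagged member of VLAN 24 so the
# router itself can be reached from the users VLAN
set [ find vlan-ids=24 ] tagged=ether1,bridge1
/interface vlan
# management interface on the bridge, carrying VLAN 24 (name is an assumption)
add interface=bridge1 name=vlan24-mgmt vlan-id=24
/ip address
# optional static management address (assumed value, outside the DHCP pool)
add address=192.168.24.2/24 interface=vlan24-mgmt network=192.168.24.0
```

Neighbor discovery is already set to discover-interface-list=all in the ax3 config, so once bridge1 carries VLAN 24 winbox should see the AP from a wifi client on that VLAN.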

Yep. It did the trick. What’s funny is that I had hw=yes for ether1 (trunk port) and it was working. I added the remaining ether ports with hw=off and now it works. I did change hw=no on ether1 as well, just to be on the safe side.

Did that and now Ax3 is being discovered by winbox via wifi!

I never have IPs on APs. No need for it as I use winbox.

Thank you for your help.

Setting hw=yes vs. hw=no only affects traffic between wired ports. If there’s traffic between two ports (e.g. between ether1 and wifi2) and any of those ports doesn’t have hw=yes, then traffic is not offloaded. Since wireless interfaces don’t get HW offloaded, you didn’t hit the bug.

I see. Thank you once again for the help. Now everything works perfectly. Since my previous setup and the present one share the same subnets, I did not have to fiddle with the firewall.

The VLAN journey has, however, just begun. My IOT server is a proxmox server with virtual machines. So now I can pass different VLANs to different VMs. Going even deeper, one of the VMs is an ubuntu server with docker, and I can also pass different VLANs to docker images. Oh, the fun has just begun.