Re: VLAN On Main Router + 2 HAP

RouterOS Beginner Basics
1

Hello,
I’ve been trying to get the VLAN on my network up and running for over two weeks now, see the following diagram. The only place where my VLAN works is through CAPsMan and then on the ports in the main router where the end devices are directly connected. The HAP gets the correct IP in the DHCP client but no longer sends it on to the end devices. These devices have the address 192.168.1.xxx. What did I forget in the configuration?

Here is my configuration:

RB5009UG+S+:
/interface vlan
add interface=bridge-LAN name=vlan10 vlan-id=10
add interface=bridge-LAN name=vlan20 vlan-id=20
add interface=bridge-LAN name=vlan30 vlan-id=30

/caps-man datapath
add bridge=bridge-LAN name=datapath10 vlan-id=10 vlan-mode=use-tag
add bridge=bridge-LAN name=datapath20 vlan-id=20 vlan-mode=use-tag

/ip pool
add name=dhcp ranges=192.168.1.110-192.168.1.199
add name=VLAN10 ranges=192.168.10.110-192.168.10.199
add name=VLAN20 ranges=192.168.20.110-192.168.20.199
add name=VLAN30 ranges=192.168.30.110-192.168.30.199

/ip dhcp-server
add address-pool=VLAN10 interface=vlan10 lease-time=1w name=DHCP-10
add address-pool=VLAN20 interface=vlan20 lease-time=1w name=\DHCP-20
add address-pool=VLAN30 interface=vlan30-Device lease-time=1w name=\DHCP-30

/interface bridge port
add bridge=bridge-LAN interface=vlan10 pvid=10
add bridge=bridge-LAN interface=vlan20 pvid=20
add bridge=bridge-LAN interface=vlan30 pvid=30

/interface bridge vlan
add bridge=bridge-LAN tagged=bridge-LAN,ether2 vlan-ids=20
add bridge=bridge-LAN tagged=bridge-LAN,ether2,ether3, ether4 untagged=ether5 vlan-ids=30
add bridge=bridge-LAN tagged=ether4,ether3,bridge-LAN untagged=ether6, ether7 vlan-ids=10

/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge-LAN network=192.168.1.0
add address=10.0.0.100/24 comment=WAN interface=ether1 network=10.0.0.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0

/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.10.0/24 dns-server=192.168.1.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.1.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.1.1 gateway=192.168.30.1

/interface bridge set bridge-LAN vlan-filtering=yes

HAP AC2:
/interface vlan
add interface=ether1 name=vlan10 vlan-id=10
add interface=ether1 name=vlan30 vlan-id=30

/interface ethernet switch port
set 0 default-vlan-id=1
set 1 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=30 vlan-header=always-strip vlan-mode=secure

/interface ethernet switch vlan
add independent-learning=no ports=ether1,ether2,ether3,ether4 switch=switch1 vlan-id=10
add independent-learning=no ports=ether1,ether5 switch=switch1 vlan-id=30
add independent-learning=no ports=ether1 switch=switch1 vlan-id=1

/ip dhcp-client
add disabled=no interface=bridge
add disabled=no interface=vlan10
add disabled=no interface=vlan30
2

Firstly, there is no need of L3 VLAN configuration (no interface vlan, dhcp-client, etc.) on the hAP ac^2 unless one of the VLANs is a management one. Secondly, I don’t see any bridge at all on the hAP (unless it’s not shown in the config). Another problem I notice is that the ports on the RB5009 which are part of the VLAN configuration are also not in a bridge (unless it’s not shown in the config). Instead, the VLANs are bridge members which shouldn’t be the case. Remove them instantaneously. Also, on which of the hAP ac^2s is the config?

In order everything to work, I’ll post an example config:

/interface bridge port
add bridge=bridge-LAN interface=ether2
add bridge=bridge-LAN interface=ether3
add bridge=bridge-LAN interface=ether4
add bridge=bridge-LAN interface=ether5 pvid=30
add bridge=bridge-LAN interface=ether6 pvid=10
add bridge=bridge-LAN interface=ether7 pvid=10

/interface bridge vlan
add bridge=bridge-LAN tagged=bridge-LAN,ether3,ether4 vlan-ids=10
add bridge=bridge-LAN tagged=bridge-LAN,ether2 vlan-ids=20
add bridge=bridge-LAN tagged=bridge-LAN,ether2,ether3,ether4 vlan-ids=30

/interface bridge set bridge-LAN vlan-filtering=yes

#middle hap

/interface bridge add name=bridge

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether5

/interface ethernet switch vlan
add ports=ether1,ether2,ether3 switch=switch1 vlan-id=10
add ports=ether1,ether5 switch=switch1 vlan-id=30

/interface ethernet switch port
set ether1 vlan-header=add-if-missing vlan-mode=secure
set ether2 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set ether3 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set ether5 default-vlan-id=30 vlan-header=always-strip vlan-mode=secure
3

The diagram should now be visible.

4

For me your missing some glue.
All smart devices should get an IP address on a managment vlan, or at least a trusted vlan like home vlan.
Also I would separate out media devices, from home camera device, from guest wifi, from iot devices, from home trusted vlan

5

Yes, this is set.


Yes, this is also set.


So what interface should be set for each VLAN?

6

Please, does anyone else have any other ideas?
I added VLAN88 as management. The middle hap is set up exactly as advised by TheCat12, but now it gives the IP address 192.168.88.xxx. I don’t know what interface to set for the VLAN, when the Bridge-LAN shouldn’t be there.

7

I would look but I dont do capsman sorry.

8

At router 5009
First go to interfaces and create 3 new interfaces with the names vlan10, vlan20 and vlan30 that will belong to the same bridge as the ethernet ports
Create addresses, dhcp pools, networks and dhcp servers for EACH of these new itnerfaces.
Then:
At bridge ports >> ports 2,3,4 are trunk ports so you should assign each port as pvid 1 and admit only vlan tagged and ingress filtering yes.
At bridge ports >> ports 5,6,7 are access ports so you should assign to each port as pvid the corresponding vlan id that you want (port 5 pvid 30 and ports 6 and 7 pvid 10) and admit only untagged and priority tagged and ingress filtering yes.

Now you will assign each vlan id with what you want to do at each interface:
At bridge vlan >> add for each vlan you will create an entry at vlan table as follow:
vlan 10, bridge the bridge that you have at 5009, and tagged the bridge of 5009 and all the trunk ports that vlan 10 will use to pass to other devices so 3,4 while untagged the access ports so 6,7
vlan 20 bridge the same bridge as above, tagged the bridge, and ports 2 while untagged nothing
vlan 30 bridge the same bridge as above, tagged the bridge, and ports 2,3,4 while untagged port 5

Now at hap ac2 no 1
At bridge ports >>
ports 2 and 3 are access ports for vlan 10 so give to each of them pvid 10 and admit only untagged and priority tagged, ingress filtering yes.
Port 5 is an access port for vlan30 so pvid 30 and untagged and priority tagged and ingress filtering yes.
At bridge vlan>>
vlan 10: vlan id 10, tagged the bridge and untagged the ports 2 and 3
vlan 30: vlan id 30, tagged the bridge and untagged the port 5

At hap ac2 number 2
port 2 are access port for vlan 10 so give pvid 10 and admit only untagged and priority tagged, ingress filtering yes.
Port 5 is an access port for vlan30 so pvid 30 and untagged and priority tagged and ingress filtering yes.
At bridge vlan>>
vlan 10: vlan id 10, tagged the bridge and untagged the port 2
vlan 30: vlan id 30, tagged the bridge and untagged the port 5

After you have finished all of that enable vlan filtering to the bridge of the router and haps

9

After I turn on bridge filtering, HAP becomes unavailable. I would rather expect that the VLAN setting takes place in the switch and not in the bridge, in order to use the HW chip.

10

If you want the hap also to acquire an ip address and you to be able to connect through web interface then you should add the bridge of the hap as Untagged interface to the vlan that you want through this to access the hap… if it is vlan 10 then you should go to bridge>vlan on the hap and add the bridge to the untagged interfaces in order to acquire an IP from the DHCP server

11

Sorry for the late response but a better practice would be a management VLAN as you tried to do it the first time. I’ll repost a full and refurbished variant of my config to include a MGMT VLAN where ether8 on the RB5009 and ether2 on the lower hAP would be access ports for it:

/interface bridge port
add bridge=bridge-LAN interface=ether2
add bridge=bridge-LAN interface=ether3
add bridge=bridge-LAN interface=ether4
add bridge=bridge-LAN interface=ether5 pvid=30
add bridge=bridge-LAN interface=ether6 pvid=10
add bridge=bridge-LAN interface=ether7 pvid=10
add bridge=bridge-LAN interface=ether8 pvid=88

/interface vlan
add interface=bridge-LAN name=vlan10 vlan-id=10
add interface=bridge-LAN name=vlan20 vlan-id=20
add interface=bridge-LAN name=vlan30 vlan-id=30
add interface=bridge-LAN name=vlan88-mgmt vlan-id=88

/ip address
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.88.1/24 interface=vlan88-mgmt network=192.168.88.0

/ip pool
add name=VLAN10 ranges=192.168.10.110-192.168.10.199
add name=VLAN20 ranges=192.168.20.110-192.168.20.199 add name=VLAN30 ranges=192.168.30.110-192.168.30.199
add name=VLAN88-MGMT ranges=192.168.88.110-192.168.88.199

/ip dhcp-server network
add network=192.168.10.0/24 gateway=192.168.10.1
add network=192.168.20.0/24 gateway=192.168.20.1
add network=192.168.30.0/24 gateway=192.168.30.1
add network=192.168.88.0/24 gateway=192.168.88.1

/ip dhcp-server
add address-pool=VLAN10 interface=vlan10 lease-time=1w name=DHCP-10
add address-pool=VLAN20 interface=vlan20 lease-time=1w name=DHCP-20
add address-pool=VLAN30 interface=vlan30 lease-time=1w name=DHCP-30
add address-pool=VLAN88-MGMT interface=vlan88-mgmt lease-time=1w name=DHCP-88

/interface bridge vlan
add bridge=bridge-LAN tagged=bridge-LAN,ether3,ether4 vlan-ids=10
add bridge=bridge-LAN tagged=bridge-LAN,ether2 vlan-ids=20
add bridge=bridge-LAN tagged=bridge-LAN,ether2,ether3,ether4 vlan-ids=30
add bridge=bridge-LAN tagged=bridge-LAN,ether3,ether4 vlan-ids=88

/interface bridge set bridge-LAN vlan-filtering=yes

#upper hap

/interface bridge add name=bridge

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether8

/interface vlan add interface=bridge name=vlan88-mgmt vlan-id=88

/ip dhcp-client add interface=vlan88

/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4 switch=switch1 vlan-id=20
add ports=ether1,ether5,ether8 switch=switch1 vlan-id=30
add ports=switch1-cpu,ether1 switch=switch1 vlan-id=88

/interface ethernet switch port
set ether1 vlan-header=add-if-missing vlan-mode=secure
set ether2 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set ether3 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set ether4 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set ether5 default-vlan-id=30 vlan-header=always-strip vlan-mode=secure
set ether8 default-vlan-id=30 vlan-header=always-strip vlan-mode=secure
set switch1-cpu vlan-mode=secure

#middle hap

/interface bridge add name=bridge

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether5

/interface vlan add interface=bridge name=vlan88-mgmt vlan-id=88

/ip dhcp-client add interface=vlan88

/interface ethernet switch vlan
add ports=ether1,ether2,ether3 switch=switch1 vlan-id=10
add ports=ether1,ether5 switch=switch1 vlan-id=30
add ports=switch1-cpu,ether1 switch=switch1 vlan-id=88

/interface ethernet switch port
set ether1 vlan-header=add-if-missing vlan-mode=secure
set ether2 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set ether3 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set ether5 default-vlan-id=30 vlan-header=always-strip vlan-mode=secure
set switch1-cpu vlan-mode=secure

#lower hap

/interface bridge add name=bridge

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether5

/interface vlan add interface=bridge name=vlan88-mgmt vlan-id=88

/ip dhcp-client add interface=vlan88

/interface ethernet switch vlan
add ports=ether1,ether2 switch=switch1 vlan-id=10
add ports=ether1,ether5 switch=switch1 vlan-id=30
add ports=switch1-cpu,ether1 switch=switch1 vlan-id=88

/interface ethernet switch port
set ether1 vlan-header=add-if-missing vlan-mode=secure
set ether2 default-vlan-id=10,88 vlan-header=always-strip vlan-mode=secure
set ether5 default-vlan-id=30 vlan-header=always-strip vlan-mode=secure
set switch1-cpu vlan-mode=secure

The CAPsMAN settings are most probablyalright, so no need to change them

12

Thank you, everyone. My VLANs have already started working.