ROS 7.15 problems with slave guest wireless interface

Hello!
I'm trying to create a guest WLAN in ROS7 (I did that before in ROS6 with/without CAPsMAN, all good).

# 2024-06-12 18:37:07 by RouterOS 7.15.1

/interface bridge
add name=lan-bridge vlan-filtering=yes
/interface vlan
add interface=lan-bridge name=guest vlan-id=10
add interface=lan-bridge name=lan vlan-id=100
/interface list
add name=Gateway
/interface wifi channel
add band=5ghz-ax disabled=no frequency=5220,5180-5320,5660-5845 name=5ghz \
    skip-dfs-channels=10min-cac width=20/40/80mhz
/interface wifi configuration
add antenna-gain=0 country="United States" disabled=no name=home-private-cfg \
    security.ft=yes .ft-over-ds=yes ssid=MikroTik-Home tx-power=30
add antenna-gain=0 disabled=no name=guest-cfg ssid=MikroTik-Home-Guest \
    tx-power=30
/interface wifi datapath
add bridge=lan-bridge disabled=no name=home-private-datapath vlan-id=100
add bridge=lan-bridge client-isolation=no disabled=no name=\
    home-guest-datapath vlan-id=10
/interface wifi security
add authentication-types=wpa2-psk disabled=no management-protection=disabled \
    name=home-private
add authentication-types=wpa2-psk disabled=no management-protection=disabled \
    name=guest
/interface wifi
set [ find default-name=wifi2 ] configuration=home-private-cfg \
    configuration.mode=ap name=wifi-2.4ghz security=home-private \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi1 ] channel=5ghz configuration=home-private-cfg \
    configuration.mode=ap disabled=no name=wifi-5ghz security=home-private
add configuration=guest-cfg configuration.mode=ap disabled=no mac-address=\
    D6:01:C3:9D:86:32 master-interface=wifi-5ghz name=wifi-5ghz-guest \
    security=guest
/ip pool
add name=lan ranges=192.168.100.2-192.168.100.254
add name=guest ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add add-arp=yes address-pool=lan interface=lan-bridge name=lan
add add-arp=yes address-pool=guest interface=guest name=guest
/interface pppoe-client
add disabled=no interface=ether5 name=ISP profile=default-encryption user=\
    v41012953
/interface bridge port
add bridge=lan-bridge interface=ether1
add bridge=lan-bridge interface=ether2
add bridge=lan-bridge interface=ether3
add bridge=lan-bridge interface=ether4
add bridge=lan-bridge interface=wifi-5ghz
add bridge=lan-bridge interface=wifi-2.4ghz
add bridge=lan-bridge interface=wifi-5ghz-guest pvid=10
/ip address
add address=192.168.100.1/24 interface=lan-bridge network=192.168.100.0
add address=192.168.10.1/24 interface=guest network=192.168.10.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes doh-max-concurrent-queries=150 use-doh-server=\
    https://8.8.8.8/dns-query verify-doh-cert=yes
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface=lan-bridge
add action=drop chain=input
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward in-interface=lan-bridge out-interface=ISP
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat

I've tried both setting the VLAN through the datapath and (as in the config posted) adding the interface manually to the bridge. The problem is I can't connect to the secondary SSID from Android (it shows "connect failed") or from a PC (it connects but can't get an address). Where did I fail in the config?

You have to make the guest interfaces static, manually add them to the bridge, and filter them in VLAN filtering.

As such:

/interface wifi cap
set discovery-interfaces=vlan241_mgmt enabled=yes slaves-static=yes

New ax devices are able to grab the datapath from CAPsMAN and use the VLAN settings from CAPsMAN. Older qcom devices have to use a local datapath on the CAP.

/interface wifi datapath
add bridge=bridge1 disabled=no name=bridge1
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1 internal-path-cost=10 multicast-router=disabled path-cost=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 internal-path-cost=10 path-cost=10 pvid=242
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=240
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=240
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi15 pvid=247
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi16 pvid=247

Thanks for the reply. The device is a hAP ax3 without CAPsMAN. With the datapath specified, when I try to connect, I see a dynamic wireless interface with pvid 10 in /interface/bridge/port and a dynamic "current tagged" VLAN 10 in /interface/bridge/vlan.

Like I said, dynamic bridging with VLAN filtering isn't working great with CAPsMAN2 currently. If you're using VLAN filtering, use static interfaces for the WLAN and bridge/filter them yourself.

Yes, I've added them statically. Here's the current relevant configuration:

/interface bridge
add name=lan-bridge vlan-filtering=yes
/interface vlan
add interface=lan-bridge name=guest vlan-id=10
add interface=lan-bridge name=lan vlan-id=100
/interface wifi configuration
add antenna-gain=0 country="United States" disabled=no name=home-private-cfg security.ft=yes .ft-over-ds=yes ssid=MikroTik-Home tx-power=30
add antenna-gain=0 disabled=no name=guest-cfg ssid=MikroTik-Home-Guest tx-power=30
/interface wifi
set [ find default-name=wifi1 ] channel=5ghz configuration=home-private-cfg configuration.mode=ap disabled=no name=wifi-5ghz security=home-private
add configuration=guest-cfg configuration.mode=ap disabled=no mac-address=D6:01:C3:9D:86:32 master-interface=wifi-5ghz name=wifi-5ghz-guest security=guest
/interface bridge port
add bridge=lan-bridge interface=wifi-5ghz
add bridge=lan-bridge interface=wifi-2.4ghz
add bridge=lan-bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi-5ghz-guest pvid=10
/interface bridge vlan
add bridge=lan-bridge untagged=wifi-5ghz-guest vlan-ids=10

So all interfaces (WLAN and VLAN) are bridged, the guest VLAN has a DHCP server and an IP address on it, and still no success.

/interface bridge vlan
add bridge=lan-bridge untagged=wifi-5ghz-guest vlan-ids=10

Is that all you have in the VLAN filtering settings? And where should your AP send tagged traffic then?

There's an interface in /interface/vlan; it should go there, no?
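The point behind the last question, as an added example that is not part of the thread: with bridge VLAN filtering on, a `/interface vlan` sitting on the bridge only receives a VLAN's frames if the bridge interface itself is listed as a *tagged* member of that VLAN in `/interface bridge vlan`. The posted table has only `untagged=wifi-5ghz-guest`, so frames from the guest SSID never reach the `guest` VLAN interface that carries 192.168.10.1 and the DHCP server. The configuration below reuses the names from the posted config (`lan-bridge`, `guest`, `wifi-5ghz-guest`, `ISP`); the firewall section is a full replacement of the posted filter rules, because those only accept forward traffic with `in-interface=lan-bridge`, so guest clients would get an address and then have their internet traffic dropped.

```routeros
# Added example, not from the thread. Interface names are those of the
# posted config; replace the posted VLAN 10 entry with this one.

/interface bridge vlan
# Untagged toward the guest SSID, tagged toward the bridge itself so the
# CPU-side /interface vlan "guest" (192.168.10.1, DHCP server "guest") sees VLAN 10.
add bridge=lan-bridge tagged=lan-bridge untagged=wifi-5ghz-guest vlan-ids=10

# Full filter set, in order. Guest packets enter on in-interface=guest
# (the VLAN interface), not on lan-bridge, so they need their own rules.
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface=lan-bridge
add chain=input action=accept in-interface=guest protocol=udp dst-port=67 \
    comment="guest DHCP requests to the router"
add chain=input action=drop
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface=lan-bridge out-interface=ISP
add chain=forward action=drop in-interface=guest out-interface=lan-bridge \
    comment="guests cannot reach the private LAN"
add chain=forward action=accept in-interface=guest out-interface=ISP \
    comment="guests to the internet only"
add chain=forward action=drop

# Checks: lan-bridge must appear under "current-tagged" for VLAN 10, and
# guest clients should then show up as leases of the "guest" server.
/interface bridge vlan print where vlan-ids=10
/ip dhcp-server lease print where server=guest
```

The explicit guest-to-LAN drop is redundant with the final drop rule; it is there so the isolation intent survives if someone later appends a broader accept. The input accept for UDP/67 makes the guest DHCP path independent of how the server listens, which is the safer assumption when the input chain ends in a drop.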