Setting virtual wireless interface onto VLAN

Hi all,

Tell me if I’m being thick, but I can’t for the life of me get traffic from a virtual wireless interface to go to a VLAN. Here’s my situation:

Ether2 runs my default VLAN (192.168.88.0/24), and VLAN20 (10.20.20.0/24)

I’ve got 2 SSID’s: Main (on wlan1) and Guest (on wlan_VLAN slave to wlan1)

Very simply I want anyone connecting to Guest to go to VLAN20 but nothing that I do makes that happen. The only way I’ve been getting it to work, is by assigning the VLAN to the wireless interface, which I don’t want to do because I want multiple access points to be able to use it. Essentially I think I need the AP to be able to tag its own traffic, and send that traffic over a bridge that acts as the trunk in order to reach VLAN20, so to achieve this I’ve ste the virtual wlan to use tag VLAN ID 20. I’ve then added wlan_VLAN to the LAN bridge which has Ether2 in it. I first tried doing it over the bridge without VLAN tagging, and then with. I’ve tried the dynamic bridge VLAN interface tagging, and tried statically assigning the tagged and untagged ports. Please help!

Its not exactly the same topology but I’ve tried appropriating this wiki page - https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless no no avail.

Can you please share your config? /export file=anynameyoulike Make sure that it doesn’t contain any personal information…
Have you seen this great topic?
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Hi Erlinden, I've not seen that, thanks will take a read. Herewith my config - Bare in mind that I've tried so many different configs, this is just the last one I've tried.

 model = RBD52G-5HacD2HnD
# serial number = D7160D9E7B13

/interface bridge
add name="LAN Local" vlan-filtering=yes

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 password= user=

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country="south africa" disabled=no mode=ap-bridge ssid=Main
set [ find default-name=wlan2 ] country="south africa" disabled=no mode=ap-bridge ssid=Main_5G
add disabled=no keepalive-frames=disabled mac-address=0A:55:31:11:7D:0B master-interface=wlan1 multicast-buffering=disabled name=wlan_VLAN20 ssid=VLAN_Test vlan-id=20 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled

/interface vlan
add interface=ether2 name=VLAN_20 vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=wpa2-pre-shared-key=

/ip pool
add name=dhcp ranges=192.168.88.50-192.168.88.254
add name=dhcp_pool5 ranges=10.20.20.20-10.20.20.254

/ip dhcp-server
add address-pool=dhcp_pool4 disabled=no interface="LAN Local" name=dhcp1
add address-pool=dhcp_pool5 disabled=no interface=VLAN_20 name=dhcp2

/interface bridge port
add bridge="LAN Local" interface=ether2
add bridge="LAN Local" interface=ether4
add bridge="LAN Local" interface=wlan2
add bridge="LAN Local" interface=wlan1
add bridge="LAN Local" interface=wlan_VLAN20 pvid=20

/interface bridge vlan
add bridge="LAN Local" tagged=wlan_VLAN20,VLAN_20 vlan-ids=20

/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=10.20.20.1/24 interface=VLAN_20 network=10.20.20.0

/ip firewall filter
add action=accept chain=input comment="Allow good connection state input" connection-state=established,related in-interface="LAN Local"
add action=accept chain=input comment="Allow input from LAN" in-interface="LAN Local"
add action=accept chain=input comment="Allow winbox access from LAN" dst-port=8291 in-interface="LAN Local" protocol=tcp
add action=drop chain=input comment="Drop invalid input" connection-state=invalid
add action=drop chain=forward comment="Drop invalid forward" connection-state=invalid
add action=accept chain=input protocol=icmp src-address=*
add action=accept chain=input in-interface=pppoe-out1 protocol=icmp
add action=accept chain=input comment="Vrising server" disabled=yes dst-address=*
add action=drop chain=input comment="Drop all connections" in-interface=pppoe-out1 log=yes

/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

You may want to remove the serial number from that export.
What ROS version are you using ?

IMHO VLAN interface should be connected to bridge, not ether2.
And the rest follows accordingly.