Simple VLAN / AP setup question has me stumped

I do a lot of Cisco. A couple years ago I bought a Mikrotik and loved it, set it up as a router for my telescope gear, multi-path, OSPF… worked great. No VLANs, just subnets.

Needed a new access point for home so bought a hAP ax2. I thought a real simple configuration - two VLANs, a few SSIDs… and I just cannot get the VLANs to work properly, and would appreciate any help.

The desire is ethernet 1 is going to be an uplink port, native (PVID) 1, trunked VLAN 134. Several SSIDs, some on VLAN 1 (those called Reboot-2 and Reboot-5 in the config) and some on VLAN 134 (RebootGuest-2 and RebootGuest-5). The plan is VLAN 134 is just a pass thru; the device is managed from and has an IP on VLAN 1 (192.168.130.213), but for testing I have an address on VLAN 134 also (192.168.134.213). No routing needed, upstream OPNsense handles that.

I have connectivity to the two IP addresses, which are present on their respective VLANs. And the wifi for VLAN 134 is working, but when I associate with (for example) the Reboot-5 SSID, the association and authentication work, but it cannot pull an IP, indicating it has no connectivity through on VLAN 1.

I’ve tried all sorts of combinations of tagging and untagging on the various ports and VLANs, and I am guessing that I am losing a tag or being filtered somewhere, but I just cannot get the right combination. I’ve spent a lot of time on this http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 success.

Here is the current config that doesn’t work:

# nov/03/2023 10:05:03 by RouterOS 7.8
# software id = XVHW-0BBF
#
# model = C52iG-5HaxD2HaxD
# serial number = XXXXXXXXXXXXXXXXXXXXXXXXX
/interface bridge
add admin-mac=48:A9:8A:XX:XX:XX auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan134 vlan-id=134
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=InternalPSK
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=GuestPSK
/interface wifiwave2
set [ find default-name=wifi2 ] channel.band=2ghz-n .skip-dfs-channels=10min-cac .width=20mhz configuration.country="United States" .mode=ap .ssid=Reboot datapath.bridge=bridge .vlan-id=1 disabled=no name=Reboot-2 security=InternalPSK
set [ find default-name=wifi1 ] channel.band=5ghz-ac .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.country="United States" .mode=ap .ssid=Reboot datapath.bridge=bridge .vlan-id=1 disabled=no name=Reboot-5 security=InternalPSK
add configuration.mode=ap .ssid=RebootGuest datapath.vlan-id=134 disabled=no mac-address=4A:A9:8A:CA:C8:45 master-interface=Reboot-2 name=Guest-2 security=GuestPSK
add configuration.mode=ap .ssid=RebootGuest datapath.vlan-id=134 disabled=no mac-address=4A:A9:8A:CA:C8:44 master-interface=Reboot-5 name=Guest-5 security=GuestPSK
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=Reboot-5
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=Reboot-2
add bridge=bridge interface=ether1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=Guest-2 pvid=134
add bridge=bridge frame-types=admit-only-vlan-tagged interface=Guest-5 pvid=134
add bridge=bridge frame-types=admit-only-vlan-tagged interface=vlan134 pvid=134
add bridge=bridge frame-types=admit-only-vlan-tagged interface=vlan1
/interface bridge vlan
add bridge=bridge tagged=bridge,Reboot-2,Reboot-5 untagged=ether1,ether2,ether3,ether4,ether5,vlan1 vlan-ids=1
add bridge=bridge tagged=ether1,bridge,Guest-2,vlan134,Guest-5 vlan-ids=134
/ip address
add address=192.168.130.213/24 interface=vlan1 network=192.168.130.0
add address=192.168.134.213/24 comment="Temporary just to test connectivity" interface=vlan134 network=192.168.134.0
/ip dns
set allow-remote-requests=yes servers=192.168.130.1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.130.1 pref-src="" routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=America/New_York

HAHAHA, friggen NYer… you didn’t read it that well, NO indication to use vlan1 in that excellent article!!!
Okay I will admit the paragraph stating this is so WEAK, that I have suggested improving it.

Native, Base, & MGMT (management) VLAN:
Before designing IP Addressing & Routing, you’ll need to choose a VLAN scheme. To get your VLAN going you have to start somewhere and that’s usually something termed the Native VLAN. This would be the base network that you used to initiate your first connection to a router or switch. The Native VLAN is not a requirement but rather something that continues to exist if you allow it. Think of the Native VLAN as a term used to describe packets without a VLAN tag that move between your equipment and network. Whether or not this is a good thing is up to you. In our examples, we do not allow for this scenario. Instead we implement a Base VLAN (our name for the management VLAN). Over this network will be device to device traffic (routing, etc.). We also default Winbox availability here as well.

Easy fix: change 1 to 11 🙂
Don’t use datapath and VLAN settings in the wifi settings for a non-CAPsMAN setup!!

Also, assuming this is an AP, you don’t need an address for the second VLAN, nor do you need to identify it.
The VLAN and DHCP are identified in the upstream router; this device is merely connecting the 134 VLAN coming in on ether1 to the wlan port like any other switch.
The only VLAN that needs identification and tagging on the bridge is the BASE/TRUSTED/MANAGEMENT VLAN where the device gets its IP address from.
A VLAN by itself is not a bridge port!!

Okay, the challenge here is that ON ether1 incoming is not two VLANs but only one VLAN and basically untagged traffic.
So basically we tag vlan11 when it enters ether1 and untag it on the way out on ether1.
Internally we take vlan 11 and untag it out to the ether ports and appropriate wlans.
Vlan134 comes into ether1 tagged and then we untag it out on the appropriate wlans.


# serial number = XXXXXXXXXXXXXXXXXXXXXXXXX
/interface bridge
add admin-mac=48:A9:8A:XX:XX:XX auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan11 vlan-id=11
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=InternalPSK
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=GuestPSK
/interface wifiwave2
set [ find default-name=wifi2 ] channel.band=2ghz-n .skip-dfs-channels=10min-cac .width=20mhz configuration.country="United States" .mode=ap .ssid=Reboot disabled=no name=Reboot-2 security=InternalPSK
set [ find default-name=wifi1 ] channel.band=5ghz-ac .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.country="United States" .mode=ap .ssid=Reboot  disabled=no name=Reboot-5 security=InternalPSK
add configuration.mode=ap .ssid=RebootGuest disabled=no mac-address=4A:A9:8A:CA:C8:45 master-interface=Reboot-2 name=Guest-2 security=GuestPSK
add configuration.mode=ap .ssid=RebootGuest disabled=no mac-address=4A:A9:8A:CA:C8:44 master-interface=Reboot-5 name=Guest-5 security=GuestPSK
/interface bridge port
add bridge=bridge  interface=ether1 pvid=11  comment="hybrid port"
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2  pvid=11
add bridge=bridge   ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=11
add bridge=bridge   ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=11
add bridge=bridge   ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=11
add bridge=bridge  ingress-filtering=yes  frame-types=admit-only-untagged-and-priority-tagged interface=Reboot-5 pvid=11
add bridge=bridge   ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=Reboot-2 pvid=11
add bridge=bridge  ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged  interface=Guest-2 pvid=134
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged  interface=Guest-5 pvid=134
/interface bridge vlan
add bridge=bridge tagged=bridge  untagged=ether1,ether2,ether3,ether4,ether5,Reboot-5,Reboot-2   vlan-ids=11
add bridge=bridge tagged=ether1  untagged=Guest-2,Guest-5 vlan-ids=134
/ip address
add address=192.168.130.213/24 interface=vlan11 network=192.168.130.0
/ip dns
set allow-remote-requests=yes servers=192.168.130.1
/interface list
add name=BASE
/interface list members
add interface=vlan11 list=BASE
/ip neighbor discovery-settings
set discover-interface-list=BASE
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.130.1 pref-src="" routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=America/New_York
/tool mac-server mac-winbox
set allowed-interface-list=BASE

I will read this more carefully but you have lost me, especially here:

Okay the challenge here is that ON ether1 incoming is not two vlans but only one vlan and basically untagged traffic.

The feed from the uplink switch/router is a trunk port with two VLANs, vlan 1 (untagged) and vlan 134 (tagged).

The only reason I have an IP on the VLAN 134 on the mikrotik is for testing. I want the AP to have an address on VLAN 1 for management.

I am off on a tangent helping a client (with cisco stuff where I actually feel competent)… I’ll delve more deeply into your reply in a bit, unless the above affects it?

Postscript: I just realized maybe your statement “basically untagged traffic” is saying the same thing as I did. I think of it as two VLANs, one untagged. I think you may mean it is one tagged VLAN and the rest traffic untagged (that just happens to originate on VLAN 1). Is that what you meant?

I don’t do any WiFi on Mikrotik, so not much help there, but as a general rule of thumb avoid using VLAN 1 unless absolutely required. Too many devices treat VLAN 1 as “special” and often don’t behave as you might expect.

For enterprise setups with Cisco I follow that advice; unfortunately a lot of my stuff is Netgear, which insists on VLAN 1 for its mediocre implementation of spanning tree. And frankly I could just turn off spanning tree and follow that advice (since only I plug in cables), but I followed the path of least resistance here.

I am aware that it has… issues… in heterogeneous networks in particular.

Correct. DON’T USE VLAN1 as if it’s a data VLAN. It’s the glue in the background just working.

In effect you have untagged and tagged traffic arriving at ether1, the tagged traffic being 134.
That is how I handled the config.
If you decide that vlan1 is actually a data path as well, then assign vlan11 to the main upstream router and tag it to the port going to the AP.
Then you will have two tagged vlans hitting ether1 on the AP and it will be a trunk port vice a hybrid port.

Are you saying RouterOS cannot handle it as a hybrid port? I can send both 1 and 134 as tagged on that port if that is preferred.

But as to re-numbering the VLANs: I have about 25 wired devices all around the house, using VLANs 1, 131, 134, 135, 136. Most traffic is on vlan 1. I really do not want to renumber my whole house’s VLAN structure just for one AP.

Yes, the AP can handle a hybrid port just fine. That is the config I gave you.
No need to change anything on your home devices. I personally don’t have vlan1 assigned anywhere passing data on any config I’ve worked on or helped with here.

Ok, let me review it more carefully when this police department stops bugging me because their network is down, or more precisely when I convince them it’s their upstream provider that is down.

Sounds like you need recursive routing bwahahaha

It’s going to be another hour before I can try this but I have been looking at your config, and may I clarify something. I’m not questioning if it works but trying to test my own understanding as I want to build mental maps of how this works compared to other switches and routers…

This appears to be tagging (by presumption of the pvid=134) data from the guest wifi interfaces, but otherwise the router is not aware of VLAN 134 at all as a VLAN.

I’m used to the Cisco world, where if a VLAN is not explicitly declared, it will not pass through even on a trunk port without (explicit) filtering. At least in the xos switches.

This seems to say that the RouterOS needs to be aware of a VLAN only if it has to have an interface on it with an IP, that otherwise the tagged traffic just flows through as tagged.

Am I understanding that aspect?

Also, is there a layer 2 or 3 reason for the use of BASE, it appears to be more about access control, not switching or routing, am I understanding correctly?

I should have added up front I have done nothing yet about security, tuning wifi, channels, have some more SSID’s to add, etc. I just wanted to get the basic layer 2 stuff working first.

Well, a lot more than an hour…

I merged in your changes one by one to try to understand them, and when all were there (except BASE, which I didn’t ask about, and using 1 vs 11), it all worked. I can associate and get an IP from the right VLAN, and the two switches in between it and my OPNsense are happy.

I need to stare at it a lot longer, but it’s an arcanely different way to specify VLAN connections than I am used to. Or it LOOKS arcane.

I think the key thing I do not understand is why the interface vlan1 (11 in your case) is not attached to bridge=bridge. It’s in /interface bridge vlan as tagged, but under /interface bridge port it’s not present. Yet it works.

PS. Thank you very much for getting me straightened out.

  1. The guest wifi interface tags the incoming traffic from the user (the user never sees VLAN tags). This traffic then goes straight out ether1 to the main router for DHCP assignment, internet etc… Return traffic is untagged when it exits the guest wifi WLAN towards the user.

  2. Not sure what you mean.
    Under /interface bridge vlans you will note that the bridge is tagged when vlan11 (the base vlan) is defined.
    All other vlans do not require the bridge to be tagged as its only switching traffic in this case.

  3. Under /interface bridge ports, ether1 is a hybrid port: we are untagging vlan11 for ether1 and flowing through tagged vlan134.
    In other words, from a user perspective all user traffic coming in ether2,3,4,5 and wlan1,2 is tagged with vlan11; when it hits ether1 outbound to the main router, the VLAN tag is stripped and it’s untagged traffic. The return traffic, untagged when it enters ether1, is VLAN tagged with vlan11 and sent back to the ether ports, where it is untagged upon departure from those ports/wlans.

In other words, when you say vlan1, it really means untagged traffic, so I handled it as such on the MT.

Perhaps this nerdy explanation will help!!
http://forum.mikrotik.com/t/routeros-bridge-mysteries-explained/147832/1
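Added example (not from this thread or from MikroTik): a small Python lint over the /interface vlan, /interface bridge port and /interface bridge vlan sections of a RouterOS export that flags the mistakes discussed above: a VLAN interface added as a bridge port, a VLAN the device holds an IP on without the bridge as a tagged member, frame-types that contradict the membership type, and a port untagged in more than one VLAN. The embedded sample is a constructed excerpt trimmed from the first (non-working) config posted in this thread.

```python
import shlex

def parse_export(text):
    """Collect the 'add ...' rows under each /menu of a RouterOS export as dicts."""
    menus, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            menus.setdefault(menu, []).append(
                dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return menus

def lint_bridge_vlans(text):
    """Return findings for the bridge VLAN table; an empty list means it is consistent."""
    cfg = parse_export(text)
    vlans = cfg.get("/interface vlan", [])
    ports = {p["interface"]: p for p in cfg.get("/interface bridge port", [])}
    out, untagged_in = [], {}
    # a VLAN interface is the router's own L3 leg on the bridge, never a bridge port
    out += [f"{v['name']}: VLAN interface added as a bridge port" for v in vlans if v["name"] in ports]
    for row in cfg.get("/interface bridge vlan", []):
        vid = row["vlan-ids"]
        tagged = set(filter(None, row.get("tagged", "").split(",")))
        untagged = set(filter(None, row.get("untagged", "").split(",")))
        # the bridge itself must be a tagged member of every VLAN it holds an IP on
        if any(v["vlan-id"] == vid for v in vlans) and row["bridge"] not in tagged:
            out.append(f"vlan {vid}: has an /interface vlan but the bridge is not tagged")
        for p in tagged:  # tagged egress towards a port that only admits untagged frames
            if ports.get(p, {}).get("frame-types") == "admit-only-untagged-and-priority-tagged":
                out.append(f"{p}: tagged in vlan {vid} but admits only untagged frames")
        for p in untagged:
            if ports.get(p, {}).get("frame-types") == "admit-only-vlan-tagged":
                out.append(f"{p}: untagged in vlan {vid} but admits only tagged frames")
            untagged_in.setdefault(p, []).append(vid)
    # a port can strip the tag for only one VLAN on egress
    out += [f"{p}: untagged in several VLANs {v}" for p, v in untagged_in.items() if len(v) > 1]
    return out

# Constructed excerpt of the first config posted in this thread (non-VLAN lines dropped).
BROKEN = """/interface vlan
add interface=bridge name=vlan1 vlan-id=1
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=Reboot-5
add bridge=bridge frame-types=admit-only-vlan-tagged interface=vlan1
/interface bridge vlan
add bridge=bridge tagged=bridge,Reboot-5 untagged=ether1,vlan1 vlan-ids=1
"""
```

Running `lint_bridge_vlans(BROKEN)` reports vlan1 as a bridge port and the contradictory memberships of vlan1 and Reboot-5; the same function run over the working config posted above returns no findings.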

Thank you for that. It does help, especially some of the middle comments that parallel mine (i.e. there’s just no reason for a simple, well known concept to be made so obscure). But I think I understand better.

I do have a question though – and maybe this is obvious but a quick search didn’t show it – is there a way to get back into a Mikrotik for configuration if you screw up the configuration without resetting it to default? I’ve practically worn out the reset button, then put back the prior (-1) configuration and experiment again.

Though what I needed is running fine, and I went back to my telescope’s main router and updated it (I had not realized that update and upgrade were separate channels so it was way back in the 6’s somewhere – current, but 6). It updated without issue (there are no explicit vlan’s in it, just lots of subnets and routing – I think "router"OS makes a lot more sense as a router than a switch, at least to me).

Yes, use one port off the bridge.
https://forum.mikrotik.com/viewtopic.php?t=181718

Thank you.