Hi,
I´m trying to add a new HAPax3 to my network. In the network I have a WAPac-R, which serves as the Internet LTE uplink, router, firewall, dns and everything else. There is a switch connected over a trunk and a few CAPacs. This part works well, but the WAPac comes to it´s limits, as it acts as a router and firewall between a few VLANS. So I will keep that as my Internet gateway, but I will move it´s router/firewall/DHCP/DNS functionality to the new HAPax3.
I have simplified a bit and currently I just configured VLAN 9 (management) and VLAN2 (internal lan for my wired connections) on the future trunk to the HAPax3.
This trunk exists in a small 19" rack in a very narrow space, so I´m trying to set up my new device at my table, where I only have an access port in VLAN 2, as my switch is also located in the rack.
I have created a simplified diagram:
HAPax3 has no VLAN capable switch chip and of course no HW VLAN filtering.
I´m trying to configure the e1 port on the device as the future trunk port. I also tried to configure (just for the setup phase) my e2 and e3 ports as access ports in VLAN2 and I added all three to bridge br0.
There is not much else configured on this device, except p5, which is my “rescue” port, which has 192.168.88.1/24 configured in case I lock myself out.
My idea was to connect my HAPax3 to the access port via e2, then connect my PC to e3 into the same VLAN 2, where it usually stays, and the bridge forwards the frames between e2 and e3.
The HAPax3 has a VLAN 2 interface attached to the bridge, with a dhcp client, so it should get an IP from my WAP-R. At the same time it has a VLAN9 interface also attached to the bridge, so that I can connect to it via the management VLAN after I put it into the 19" rack and connect it to the trunk.
In the future, it should get a fixed IP on all VLANs and it should act as the default GW and the DHCP server for all VLANs. Until then I should be just able to connect to it from my PC, while simulataneously enable a connection from my PC to the LAN as well.
I´m stuck at the VLAN config. Whatever I try, I can´t connect to my HAPax3 and to my LAN simultaneously and I don´t get how to do the proper VLAN config for this router on a stick config, without a VLAN capable switch chip. I´m trying to have a VLAN filtering setup without HW offloading.
I can only find examples for attaching a single management VLAN to the bridge, but how can I attach multiple VLAN interfaces to the bridge?
Here is my very basic config, just the 2 VLANs and things like romon enabled, DHCP client on VLAN2=vl2lan enabled, to make the setup easier.
Nothing works, the router and my PC gets no IP. I can´t even access the router via e3.
# 2024-03-30 18:36:50 by RouterOS 7.14.2
# software id = xxxxabc123
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = xxxxabc123
/disk
add parent=usb1 partition-number=1 partition-offset="122 880" partition-size=\
"15 728 517 120" type=partition
/interface bridge
add frame-types=admit-only-vlan-tagged name=br0 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=e1
set [ find default-name=ether2 ] name=e2
set [ find default-name=ether3 ] name=e3
set [ find default-name=ether4 ] name=e4
set [ find default-name=ether5 ] name=e5rescue
/interface vlan
add interface=br0 name=vl2lan vlan-id=2
add interface=br0 name=vl9mgt vlan-id=1
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
disabled=yes disabled=yes name=zt1 port=9993
/interface bridge port
add bridge=br0 frame-types=admit-only-untagged-and-priority-tagged interface=\
e2 pvid=2
add bridge=br0 frame-types=admit-only-untagged-and-priority-tagged interface=\
e3 pvid=2
add bridge=br0 frame-types=admit-only-vlan-tagged interface=e1
/interface bridge vlan
add bridge=br0 tagged=br0,e1 untagged=e2,e3 vlan-ids=2
add bridge=br0 tagged=e1,br0 vlan-ids=9
/ip address
add address=192.168.88.1/24 interface=e5rescue network=192.168.88.0
add address=10.6.9.2/24 interface=vl9mgt network=10.6.9.0
/ip dhcp-client
add interface=vl2lan
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/tool romon
set enabled=yes
Are you saying that the LTE output is colocated with the wapac and thats convenient for you?
It would make some sense simply to swap the two units??
Assuming the LTE device provides your current router the hapac with a private IP address for the WAN connection,
then for me the simplest thing to do is:
a. One trunk to hapax3
b. One trunk from ax3 to the switch.
The vlans on the trunk between the two MT devices depends upon how many subnets/vlans the wapac need for wifi.
minimally one needs
a. the subnet the wapac will get its ip address from and that should be a trusted subnet or management subnet like vlan99
( note: this is the only vlan defined on the wapac )
b. one vlan does nothing but transfer the LTE output to the hapax3
c. any other vlans over the trunk are dependent on if the wapac is providing wifi for any other lan subnets/vlans
In effect the wapac is setup as AP/switch with the added functionality of moving along LTE flow to terminate at the HAPAX3.
Sadly you provided no wapac config for me to work from…
For hapax3 Dont get cute with bridge!!! (dont add anything extra)
Also your use of vlans is strange, no guest wifi, no iot wifi, just one flat subnet???
Will work with the intention of at a least guest wifi from both devices. DONT USE VLAN-ID=1
Thanks for your answer!
No I´m not saying it was convenient to configure LTE+everything on the WAPac, but it was working well for over 3 years. In fact I don´t know how many hours I spent until I figured out everything and I definitely got desperate many times as this was my first MT setup.(I sincerely belive that some of my hair got gray while configuring.)
The performance was sufficient, as I don´t get more than around 50Mbps on the LTE and this is the newer quad core ARM version of WAPac-LTE.
Swapping is not possible, as the WAP is mounted on the outer wall of the house and it has the LTE module from MT integrated inside. It has to stay my uplink, but my goal is to move all functionality to the HAPax3. The HAPax3 goes into the rack as that is not weather proof. I don´t even need the WLAN from it, but it has decent performance an USB port and an RB5009 would have been an overkill.
For WLAN I´m using multiple CAPac units and an additional WAPac, but those are connected to the switch with trunks, but thats not really relevant for this question, so I did not put them on the drawing.
The most important question for me on this is currently: how in the heck can I achieve the config with multiple VLAN interfaces connected over a bridge with vlan filtering enabled and now VLAN capable switch chip? In all the examples I found, there is only a single managament VLAN with an IP configured directly on the bridge.
I have currently 5 VLANs on the WAPac, but I only configured VLAN9 and VLAN2 on the HAPax3 to test if both of those can coexist:
VLAN2 connected to the CPU and a trunk port (e1) and two access ports (e2 & e3)
VLAN9 connected to the CPU and the trunk (e1) only
My goals:
being able to connect my PC to my LAN over the HAPax3 if the e2 and e3 access ports of the HAPax3 are in between the PC and the switch sw1<>HAPax3<>PC instead of sw1<>PC
while being able to get an IP per DHCP on the vl2lan interface on the HAPax3 (I understand, this makes not much sense, but if that´s working, that´s an indicator, that my config is working)
having the trunk configured with at least vlan9 and an IP , so that when I go to my very small and inconveniently placed rack and connect the trunk, I can manage my HAPax3 at once.
Then I move all fuctionality (firewall, routing, nat, vpn, dhcp, dns, ntp …) from WAPac to HAPax3, so that WAPacs sole purpose will be to serve as an LTE modem (maybe also as an access point for the garden, but that´s not absolutely necessary). But that would be another topic and I believe I can manage that part, but VLANs on MT are still a bit of mistery to me…
I almost thought I´ve understood it, but no, not really.
Wow, @anav, that was fast! Many thanks!
I did not provide WAPac config as that´s not what I´m concerned about, that part works.
I first want to resolve my problem as above.
But now I got a nice portion of configs I will try to understand. It´ll take a bit longer for me to understand as it was taking for you to create!
I will be back as soon as I figured out.
Thanks! It still doesn´t work, and I tried to check everything. I believe there are no principal differences between my config and your example.
I have upgraded my HAPax3 from 7.14.2 to 7.15.2 now, but it did not help either.
Still only e2 and e3 are connected, and packets are not bridged in between. If I replace the HAPax3 by a patch cable, it works.
Comments inside my actual export:
/disk
set usb1 media-interface=none media-sharing=no
add media-interface=none media-sharing=no parent=usb1 partition-number=1 partition-offset="122 880" partition-size="15 728 517 120" type=partition
/interface bridge
add ingress-filtering=no name=br0 pvid=9 vlan-filtering=yes ##in your config you mention that I should not use vlan 1, I replaced by pvid=9, but it shouldn´t matter? I don´t have anything fancy here as I see? ingress-filtering=no is not in your config, but I can´t unset it, it´s either no or yes
/interface ethernet ## the whole thing is the same as yours
set [ find default-name=ether1 ] name=e1
set [ find default-name=ether2 ] name=e2
set [ find default-name=ether3 ] name=e3
set [ find default-name=ether4 ] name=e4
set [ find default-name=ether5 ] name=e5rescue
/interface vlan ##mostly the same, but only 2 vlans here so it "fits" into my brain
add interface=br0 name=vl2lan vlan-id=2
add interface=br0 name=vl9mgt vlan-id=9
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" disabled=yes disabled=yes name=zt1 port=9993
/interface bridge port ## I don´t see much difference
add bridge=br0 frame-types=admit-only-untagged-and-priority-tagged interface=e2 pvid=2 ##access port 1, mark with vlan2 on bridge ingress, remove tag on egress
add bridge=br0 frame-types=admit-only-untagged-and-priority-tagged interface=e3 pvid=2 ##access port 2, mark with vlan2 on bridge ingress, remove tag on egress
add bridge=br0 frame-types=admit-only-vlan-tagged interface=e1 ## that´s the only trunk, vlans remain untouched
/interface bridge vlan ## I don´t see much difference
add bridge=br0 tagged=br0,e1 untagged=e2,e3 vlan-ids=2 ##put tagged vlan2 packets on br0,e1, untaged on e2,e3
add bridge=br0 tagged=e1,br0 vlan-ids=9 ##put tagged vlan 9 on trunk and on bridge
/ip address
add address=192.168.88.1/24 interface=e5rescue network=192.168.88.0
add address=10.6.9.2/24 interface=vl9mgt network=10.6.9.0 ##ip on vlan9 interface
/ip dhcp-client
add interface=vl2lan ## dhcp client on vlan 2 interface
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/tool romon
Many thanks!