Unable to get VLAN working between RB5009 and AX2

RouterOS Beginner Basics
1

Currently I’m working out howto get everything working in Mikrotik land. Next to my RB5009 (which has a real basic setup for now) I also just bought an AX2. It will do its work as an AP and Switch on all 5 ports.
I created a VLAN (ID 200) on the RB5009 and the same VLAN (ID 200) on the AX2. On the RB5009 a cable is connected from ETH7 to ETH2 on the AX2.
In the bridge hosts table I do see that they somehow see each other (although on the router it is marked with DE and on the AP with D) But creating an address on the RB5009 and on the AX2 and try to ping each other does not work. DHCP also doesn’t seem to work.
Been trying for hours, but I cant seem to figure out the issue.

My RB5009 config:

# 2024-02-11 09:21:09 by RouterOS 7.13.4
# software id = *****
#
# model = RB5009UG+S+
# serial number = *****
/interface bridge
add arp=proxy-arp ingress-filtering=no name=bridge-local vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disabled=yes l2mtu=1568
set [ find default-name=ether2 ] l2mtu=1568
set [ find default-name=ether3 ] disabled=yes l2mtu=1568
set [ find default-name=ether4 ] l2mtu=1568
set [ find default-name=ether5 ] l2mtu=1568
set [ find default-name=ether6 ] l2mtu=1568
set [ find default-name=ether7 ] l2mtu=1568
set [ find default-name=ether8 ] arp=proxy-arp l2mtu=1598 loop-protect=off
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=ether8 loop-protect=off name=vlan1.6 vlan-id=6
add interface=bridge-local name=vlan200 vlan-id=200
/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface=vlan1.6 \
    keepalive-timeout=20 max-mru=1500 max-mtu=1500 name=pppoe-client-kpn \
    user=----REMOVED---
/interface list
add comment="All LAN interfaces" name=all_lan_interfaces
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=local-pool ranges=192.168.0.1-192.168.0.100
add name=extovpn-pool ranges=192.168.10.1-192.168.10.5
add name=wifi_pool ranges=192.168.1.1-192.168.1.100
/ip dhcp-server
add address-pool=local-pool interface=bridge-local name=server1
add address-pool=wifi_pool interface=vlan200 name=wifi_dhcp
/ppp profile
set *0 only-one=yes use-compression=yes use-ipv6=no use-upnp=no
set *FFFFFFFE use-ipv6=no
/routing bgp template
set default disabled=yes routing-table=main
/interface bridge port
add bridge=bridge-local interface=ether1
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=ether7
/interface bridge vlan
add bridge=bridge-local tagged=ether7 vlan-ids=200
/interface list member
add interface=bridge-local list=all_lan_interfaces
add interface=ether1 list=all_lan_interfaces
add interface=ether2 list=all_lan_interfaces
add interface=ether3 list=all_lan_interfaces
add interface=ether4 list=all_lan_interfaces
add interface=ether6 list=all_lan_interfaces
add interface=ether7 list=all_lan_interfaces
add interface=vlan200 list=all_lan_interfaces
/ip address
add address=192.168.0.254/24 interface=bridge-local network=192.168.0.0
add address=192.168.1.254/24 interface=vlan200 network=192.168.1.0
/ip dhcp-server config
set store-leases-disk=15m
/ip dhcp-server lease
--REMOVED--
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.254 domain=intranet gateway=\
    192.168.0.254
add address=192.168.1.0/24 dns-server=192.168.1.254 domain=intranet gateway=\
    192.168.1.254 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=\
    94.247.43.254,94.16.114.254
/ip firewall address-list
add address=192.168.0.0/24 list=allowed_to_router
add address=192.168.1.0/24 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
add action=accept chain=input comment="related and established" \
    connection-state=established,related log=yes log-prefix=aaa
add action=accept chain=input src-address-list=allowed_to_router
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=bridge-local log=yes log-prefix=\
    !public_from_LAN out-interface=!bridge-local
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
    connection-state=new in-interface=pppoe-client-kpn log=yes log-prefix=\
    !NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=\
    pppoe-client-kpn log=yes log-prefix=!public src-address-list=\
    not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge-local \
    log=yes log-prefix=LAN_!LAN src-address=!192.168.0.0/16
add action=drop chain=input comment="Explicit drop all" log=yes log-prefix=\
    IPv4_DropAll
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat comment="Needed for internet" \
    out-interface=pppoe-client-kpn src-address=192.168.0.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.0.0/24
set api-ssl disabled=yes
/ip upnp
set show-dummy-rule=no
/ip upnp interfaces
add interface=bridge-local type=internal
add interface=pppoe-client-kpn type=external
/ipv6 firewall filter
add action=drop chain=input comment="Explicit drop all" in-interface=\
    pppoe-client-kpn log=yes log-prefix=IPv6_DropAll_Input
add action=drop chain=forward comment="Explicit drop all" in-interface=\
    pppoe-client-kpn log=yes log-prefix=IPv6_DropAll_Forward
/ipv6 nd
set [ find default=yes ] disabled=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=all_lan_interfaces
/tool mac-server ping
set enabled=no

My AP config:

# 2024-02-11 09:29:23 by RouterOS 7.13.4
# software id = ***
#
# model = C52iG-5HaxD2HaxD
# serial number = ****
/interface bridge
add arp=proxy-arp ingress-filtering=no name=bridgeap1 port-cost-mode=short \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
/interface vlan
add interface=bridgeap1 name=vlan200 vlan-id=200
/interface bridge port
add bridge=bridgeap1 interface=ether2
/interface bridge vlan
add bridge=bridgeap1 tagged=ether2 vlan-ids=200
/ip address
add address=192.168.1.101/24 interface=vlan200 network=192.168.1.0
/ip dhcp-client
add interface=vlan200
add interface=bridgeap1
/ip firewall filter
add action=accept chain=forward
add action=accept chain=input
add action=accept chain=output
/system clock
set time-zone-name=Europe/Amsterdam
/system note
set show-at-login=no

Router bridge hosts:
ap_bridge_hosts.png
AP bridge hosts:
router_bridge_hosts.png

hap ac2 switch chip vlan and WIFI setup with remote capsman
2

Welcome to the forum :smiley:

So on RB5009 under /interface bridge vlan you need to tag bridge as well as ether7 and set ether7 frame types as: admit only vlan tagged.

On AP you also need to tag bridge as well as ether2 for VLAN200. Also where are your wireless interfaces and other ports on your AP ?

3

Just did add the VLAN ID1 also tagged to Eth7 (router) and Eth2 (ap). Incl the admit only vlan tagged. Didn’t help.
Currently all ports on the AP are disabled. That’s because I want to keep it simple as long as VLANs are note working.

4

Maybe best to first digest this excellent VLAN tutorial.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

5

Forget VLAN1, if you go VLAN then you shouldn’t use VLAN1. Create management VLAN and use that VLAN for configuration. VLAN1 will run in the background. Tag bridge to VLAN200, no VLAN1

6

Yes that was my first idea and that is what VLAN100 is going to be. But than I don’t understand the statement of you tagging the bridge.

UPDATE: Managed to get it to work. What you said/meant was that the bridge also had to have the tagged VLAN200. Now I understand.
Did add VLAN 200 to the bridge on both devices and works great for now. Thanks!

7

Read and understand that tutorial…

8

No problem, but as @holvoetn said, read this tutorial if you are interested in learning VLANs

9

Yes thank you. I did read it, but I did oversee that fact the the bridge must carry the tagged VLAN.
Just managed to trunk the line with tagged VLANs only. Works nice.

10

But remember, if you have multiple VLANs going to the AP/Switch then on AP/Switch you create VLAN interface only for VLAN that you use to manage that device. (And you create DHCP client on that VLAN interface if you want your IP to be assigned by DHCP)

11

The AX is only acting as an AP switch.
Same principals as the router, ONE BRIDGE, ALL vlans, bridge does no DHCP, except

  • one interface list only ( call it MANAGE )
  • only one vlan needs to be identified and it belongs to the bridge as per normal.
  • give this vlan an IP address of your choosing as it will be fixed ( get the ax mac address and enter your desired IP address in the Leases on the 5009 for that subnet and make it static).
    ( i recommend you assign an address outside the normal dhcp pool for that subnet/vlan)
  • only this vlan has the bridge being tagged as well as it is terminated on the router ( as well as can be sent further down the line on any access port or trunk port)
  • all the other vlans come in on ETHER1 (or whatever trunk port comes from the router) and either go out an ether trunk port , an ether access port, or a wlan access port.
    -neighbours discovery set to the single interface list
    -tools winbox macserver set to single interface list.
  • MANAGE list contains the management or trusted vlan you identified above.

You dont necessarily need to create a separate vlan if you already have one that is trusted.

/ip dns
set allow-remote-requests=yes servers=address of vlan (x.x.x.1) { Note: Done so all dns requests use trusted subnet }
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=address of vlan (x.x.x.1) comment="ensures route avail through trusted subnet gateway"

\

Recommend you take one etherport like port 5, OFF the bridge and configure your AX from there and use it as an emergency access if something goes wrong on the bridge.
Just give ether5 an IP address like 192.168.55.1/24 network 192.168.55.0 and your done.
All you need to do is give your PC an IPV4 address of anything lets say 192.168.55.5 and you will have access.

Be sure to include ether5 in the MANAGE interface list for this to work..
And use safe mode all the time in winbox.

VLANS creation and testing-AX2
12

There was a good tutorial for this scenario… Unfortunately it’s taken down…

13

Truth to be told, it was the user himself who decided to take it down.
I only hope he saved the material so it can be brought back (by him or his alter ego …hint hint).
It’s a pity some friction and differences between said user and MT as a company made him decide to take down material which was highly valued by so many other users.

14

Which one ? :laughing: :laughing:

15

The one who continues to experience harassment by other folks not happy with posts and the one who still sees no significant progress on ensuring new posters have the best possible experience. :slight_smile:

16

And yet, he reincarnated as new user and is still helping others. One shouldn’t forget that he also have great respect from many users here on forum.

17

https://web.archive.org/web/20231216022654/https://forum.mikrotik.com/viewtopic.php?t=182373