efaden
August 19, 2014, 12:39am
1
I have a fairly straightforward question that I seem to be fumbling with. I cannot currently post exports because I am still trying to get it working in a lab, but basically what I have is a RB951 running as my “main” router and 3 RB912s running as wireless access points. I have three VLANs:
Untagged - Main Traffic
Tagged 1 - Management Network
Tagged 1003 - Public Network
My RB951 is configured as follows:
Ether2,3,4,5 all slave to Ether1. VLAN1 and VLAN1003 are on Ether1. Addresses on Ether1 (10.1.0.1/24), VLAN1 (10.1.1.1/24), and VLAN1003 (10.1.103.1/24). DHCP servers set up in appropriate places. Currently there is NO other configuration on the 951 (e.g. reset without defaults).
The RB912s are blanked without defaults as well. They are configured to have Ether1 with VLAN1 and VLAN1003 on it as well as wlan1 (as main) and vap1 (public). I have ether1 bridged to wlan1, VLAN1 by itself, and vap1 and VLAN1003 bridged. There is only a single IP assigned to the box on the VLAN1 (10.1.0.10/11/12). Other than that they were reset without defaults.
If I plug my laptop into ether5, I get a correct IP (e.g. 10.1.0.2) and can ping everything (e.g. all three ips on the router, and 10.1.0.10/11/12 (the RB912s)).
If, however, I connect to the wlan1 I get an IP from the proper DHCP server (e.g. 10.1.0.3), but I cannot ping anything other than 10.1.0.1. The gateway is set up as 10.1.0.1 on the laptop.
Does anyone see anything obviously wrong or where I could have possibly gone wrong? I am going to poke at it a bit longer and grab some exports tomorrow. But I figured I’d see if anyone had any good ideas.
My overall goal would be to have the three networks set up and isolated… (I realize that the untagged tagged thing is a mess, but they have an existing network I am trying to build into and that's what is already there).
-Eric
RouterOS doesn’t always make life easy if trying to bridge the interface that a VLAN is declared on.
On the 912s try placing the VLANs on the bridge that has Ether1 as a port (rather than on Ether1 itself) and see if the behavior is any different.
levak
August 19, 2014, 5:51am
3
I think you have to add vlans to bridge. If you add interface to bridge, you will get tagged traffic on wlan1.
efaden
August 19, 2014, 10:22am
4
CelticComms:
RouterOS doesn’t always make life easy if trying to bridge the interface that a VLAN is declared on.
On the 912s try placing the VLANs on the bridge that has Ether1 as a port (rather than on Ether1 itself) and see if the behavior is any different.
Thanks for the idea… I’ll give that a try tonight and grab some exports. What is strange though is that the router can ping through the VLANs and get responses, so they seem to work…
-Eric
efaden
August 19, 2014, 10:57am
5
All running 6.18.
Current Exports:
Router
/interface wireless
set [ find default-name=wlan1 ] l2mtu=1600
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master-local
set [ find default-name=ether2 ] master-port=ether1-master-local name=ether2-slave-local
set [ find default-name=ether3 ] master-port=ether1-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether1-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether1-master-local name=ether5-slave-local
/interface vlan
add interface=ether1-master-local l2mtu=1594 name=vlan-management vlan-id=1
add interface=ether1-master-local l2mtu=1594 name=vlan-public vlan-id=1003
/ip pool
add name=main ranges=10.1.0.200-10.1.0.205
add name=management ranges=10.1.1.200-10.1.1.205
add name=public ranges=10.1.103.200-10.1.103.205
/ip dhcp-server
add address-pool=management disabled=no interface=vlan-management name=management
add address-pool=main disabled=no interface=ether1-master-local name=main
add address-pool=public disabled=no interface=vlan-public name=public
/ip address
add address=10.1.0.1/24 interface=ether1-master-local network=10.1.0.0
add address=10.1.1.1/24 interface=vlan-management network=10.1.1.0
add address=10.1.103.1/24 interface=vlan-public network=10.1.103.0
/ip dhcp-server network
add address=10.1.0.0/24 gateway=10.1.0.1
add address=10.1.1.0/24 gateway=10.1.1.1
add address=10.1.103.0/24 gateway=10.1.103.1
/ip upnp
set allow-disable-external-interface=no
/system leds
set 0 interface=wlan1
/tool sniffer
set filter-ip-protocol=icmp
Wireless AP #2
/interface bridge
add l2mtu=1600 name=bridge-main
add l2mtu=1596 name=bridge-management
add l2mtu=1596 name=bridge-public
/interface ethernet
set [ find default-name=ether1 ] name=ether01
/interface vlan
add interface=ether01 l2mtu=1596 name=ether01-vlan-management vlan-id=1
add interface=ether01 l2mtu=1596 name=ether01-vlan-public vlan-id=1003
/interface wireless security-profiles
add eap-methods="" management-protection=allowed name=guest-profile supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=main-profile supplicant-identity="" wpa2-pre-shared-key=123456
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC disabled=no frequency=2412 l2mtu=1600 mode=ap-bridge name=wlan-main security-profile=main-profile ssid=Wireless tdma-period-size=auto wireless-protocol=802.11
add disabled=no l2mtu=1600 mac-address=4E:5E:0C:40:EE:19 master-interface=wlan-main name=wlan-public security-profile=guest-profile ssid=WirelessGuest wds-cost-range=0 wds-default-cost=0
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes require-peer-certificate=yes
/interface bridge port
add bridge=bridge-main interface=ether01
add bridge=bridge-main interface=wlan-main
add bridge=bridge-management interface=ether01-vlan-management
add bridge=bridge-public interface=ether01-vlan-public
add bridge=bridge-public interface=wlan-public
/ip address
add address=10.1.1.12/24 interface=ether01-vlan-management network=10.1.1.0
/ip route
add distance=1 gateway=10.1.1.1
/ip service
set api disabled=yes
/ip upnp
set allow-disable-external-interface=no
/system leds
set 0 interface=wlan-main
/system routerboard settings
set cpu-frequency=600MHz
-Eric
efaden
August 19, 2014, 10:40pm
6
Switching the VLANs to the Bridge fixed it. Thanks
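
The change that resolved the thread, as an added example that is not part of any post: the final configuration was never posted, so this assumes the interface names from the AP #2 export above and simply re-parents the two VLAN interfaces from ether01 to bridge-main. The firewall rules at the end are a further assumption, sketched for the RB951 (which routes between all three subnets and has no filter rules in its export), toward the stated goal of keeping the networks isolated.

```routeros
# Added example; interface names come from the AP #2 export in the thread.
# Before: ether01-vlan-management and ether01-vlan-public were declared on
# ether01, which is itself a port of bridge-main.
# After: declare both VLANs on the bridge that has ether01 as a port.
/interface vlan
set [ find name=ether01-vlan-management ] interface=bridge-main
set [ find name=ether01-vlan-public ] interface=bridge-main

# Check that both VLANs now list bridge-main as their parent and that the
# bridge port membership is unchanged.
/interface vlan print
/interface bridge port print

# From the AP, confirm the management VLAN still reaches the router.
/ping 10.1.1.1 count=3

# Assumption (run on the RB951, not the AP): drop routed traffic from the
# public subnet to the main and management subnets. Subnets are the ones
# given in the router export; rule order and any further policy are site-specific.
/ip firewall filter
add chain=forward src-address=10.1.103.0/24 dst-address=10.1.0.0/24 action=drop comment="public to main"
add chain=forward src-address=10.1.103.0/24 dst-address=10.1.1.0/24 action=drop comment="public to management"
```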