I’ve a network with 2 VLAN’s (apart from the default VLAN 1). The VLAN 101 is for Guest and 102 is for management. For some reason I cannot get my wAP configured to have 2 WIFI’s, one for the guest and the other one for management. To simplify it, I’ve disconnected the wAP from the main network and I’m now trying to configure the wAP isolated on its own device. Hope anybody can help me with this.
I’ve setup to virual wlan’s, vlan101 has not vlan config and with vlan102 I’m trying to configure the VLAN. I’m doing this so that I can compare what is working and not working.
What am I doing wrong? Is this approach to simulate it on a single device achievable? And finally if I’ve a working setup I want to migrate this to a CAPSMAN configuration. But one step at the time for now.
# oct/28/2021 20:11:23 by RouterOS 6.48.1
# software id = TMGN-VZVM
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = 69A50578307F
/interface bridge
add name=bridge
add name=bridgevlan101 vlan-filtering=yes
add name=bridgevlan102
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=outdoor mode=\
ap-bridge ssid=MikroTik wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX distance=indoors frequency=auto installation=outdoor \
mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:30 \
master-interface=wlan1 multicast-buffering=disabled name=wlan3 ssid=\
TestVLAN101 vlan-id=101 vlan-mode=use-tag wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:31 \
master-interface=wlan1 multicast-buffering=disabled name=wlan4 ssid=\
TestVLAN102 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface vlan
add interface=ether1 name=vlan101 vlan-id=101
add interface=ether1 name=vlan102 vlan-id=102
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool_vlan101 ranges=172.16.0.100-172.16.0.254
add name=dhcp_pool_vlan102 ranges=172.16.1.100-172.16.1.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool_vlan101 disabled=no interface=bridgevlan101 name=\
dhcp1
add address-pool=dhcp_pool_vlan102 disabled=no interface=bridgevlan102 name=\
dhcp2
/interface bridge port
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridgevlan101 interface=wlan3 multicast-router=disabled
add bridge=bridgevlan102 interface=wlan4 multicast-router=disabled
add bridge=bridgevlan101 interface=vlan101 multicast-router=disabled
add bridge=bridgevlan102 interface=vlan102 multicast-router=disabled
/interface bridge vlan
add bridge=bridgevlan101 tagged=wlan3,ether1 vlan-ids=101
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=bridgevlan101 list=LAN
add interface=bridgevlan102 list=LAN
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=172.16.0.0/24 interface=bridgevlan101 network=172.16.0.0
add address=172.16.1.0/24 interface=bridgevlan102 network=172.16.1.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=172.16.0.0/24 gateway=172.16.0.1
add address=172.16.1.0/24 gateway=172.16.1.0
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Europe/Amsterdam
/system logging
add topics=dhcp
add topics=wireless
Looking forward to some suggestions on how to address this.
You want to create a Bridge and assign all Interfaces to it.
You want to create a Bridge and assign all Interfaces to it.
Ok, thanks for the suggestion, testing it right now.
As I can only set one dhcp server on the bridge, I cannot fully simulate this on one wAP. Because now all the virtual wlans are getting an IP address from the same server.
How do I do the VLAN tagging when using one bridge?
On the wlan config I set “use tag” with vlanid 101 or 102 (depending on which wlan interface).
Is this how is should work?
Oh am sorry..
VLAN101, VLAN 102 are not assigned to the bridge.
Hhmm, not working. I don’t get an IP address assigned on either one of the two virtual wlans.
both wlan interface use a vlan tag 101 and 102, no vlans on the bridge and the bridge itself doesn’t do vlan filtering.
This is the config:
oct/28/2021 20:11:23 by RouterOS 6.48.1
software id = TMGN-VZVM
model = RouterBOARD wAP G-5HacT2HnD
serial number = 69A50578307F
/interface bridge
Suggestion on what I’m doing wrong?
I still have a CAPac somewhere…
I will configure it and send you the Export.
Thanks, you support is really appreciated.
Extra info, when I remove the “Use Tag” and put VLAN ID to 1, I do get an IP address on the wlan interface.
bpwl
October 28, 2021, 7:12pm
9
some reading: http://forum.mikrotik.com/t/wlan-ssids-attached-to-vlans/149454/1
Start with the “great tutorial” mentioned there , it’s a must read !
Found a big mistake :
This is wrong172.16.0.0/24 interface=bridgevlan101 network=172.16.0.0172.16.1.0/24 interface=bridgevlan102 network=172.16.1.0
This is right!
This is how i configured the CAPac in the LAB…
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=MikroTik wireless-protocol=\
802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=MikroTik \
wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:30 master-interface=wlan1 multicast-buffering=disabled name=wlan3 ssid=TestVLAN101 vlan-id=101 vlan-mode=use-tag \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:31 master-interface=wlan1 multicast-buffering=disabled name=wlan4 ssid=TestVLAN102 vlan-id=102 vlan-mode=use-tag \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
Step 1: Create Bridge
/interface bridge
add name=bridge1
Step 2: Create VLAN-Interfaces
/interface vlan
add interface=bridge1 name=bridge1_vlan101 vlan-id=101
add interface=bridge1 name=bridge1_vlan102 vlan-id=102
Step 3: Assign IP-Addresses
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=172.16.0.1/24 interface=bridge1_vlan101 network=172.16.0.0
add address=172.16.1.1/24 interface=bridge1_vlan102 network=172.16.1.0
Step 4: Create DHCP-Server
/ip pool
add name=dhcp_pool0 ranges=192.168.88.100-192.168.88.254
add name=dhcp_pool1 ranges=172.16.0.100-172.16.0.254
add name=dhcp_pool2 ranges=172.16.1.100-172.16.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=bridge1_vlan101 name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=bridge1_vlan102 name=dhcp3
Step 5: Assign Interfaces to Bridge
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan3
add bridge=bridge1 interface=wlan4
Found a big mistake :
This is wrong172.16.0.0/24 interface=bridgevlan101 network=172.16.0.0172.16.1.0/24 interface=bridgevlan102 network=172.16.1.0
This is right!
THanks for the catch, good point, That is indeed a mistake. I updated the config, see total overview below, but still the wlan client device doesn’t get an IP address!
oct/28/2021 22:41:53 by RouterOS 6.48.1
software id = TMGN-VZVM
model = RouterBOARD wAP G-5HacT2HnD
serial number = 69A50578307F
/interface bridge172.16.0.1/24 > interface=bridgeVLAN101 network=172.16.0.0172.16.1.1/24 > interface=bridgeVLAN102 network=172.16.1.0
Thanks, started reading already. Always good to do some catch up reading, there is always something new to learn
This seems to be working, I’ve two virtual wlans and I can connect on both of them getting the correct IP address assigned. This is really good. Surprised to see a complete different configuration as what I was trying to do, but happy there is something working.
There is no internet connection at the moment. But this is probably due to the fact that the switch I’m using at the moment is not configured with VLAN’s. So now I need to move the wAP to real setup and see if it is working. If it is working, I need to move this configuration into a CAPSMAN configuration
This is the full config I’m using which is basically a copy of the config provided by ConnyMercier.
oct/29/2021 09:17:50 by RouterOS 6.48.1
software id = TMGN-VZVM
model = RouterBOARD wAP G-5HacT2HnD
serial number = 69A50578307F
/interface bridge
I’m having a working setup right now, this is the config:
# oct/29/2021 12:27:52 by RouterOS 6.48.1
# software id = TMGN-VZVM
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = 69A50578307F
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=outdoor mode=\
ap-bridge ssid=MikroTik wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=outdoor mode=ap-bridge ssid=MikroTik wireless-protocol=\
802.11
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:30 \
master-interface=wlan1 multicast-buffering=disabled name=wlan3 ssid=\
TestVLAN101 vlan-id=101 vlan-mode=use-tag wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:31 \
master-interface=wlan1 multicast-buffering=disabled name=wlan4 ssid=\
TestVLAN102 vlan-id=102 vlan-mode=use-tag wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
/interface vlan
add interface=bridge1 name=bridge1_vlan101 vlan-id=101
add interface=bridge1 name=bridge1_vlan102 vlan-id=102
/interface list
add name=WAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.100-192.168.88.254
add name=dhcp_pool1 ranges=172.16.0.100-172.16.0.200
add name=dhcp_pool2 ranges=172.16.1.100-172.16.1.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=bridge1_vlan101 name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=bridge1_vlan102 name=dhcp3
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan3 pvid=101
add bridge=bridge1 interface=wlan4 pvid=102
/interface bridge vlan
add bridge=bridge1 disabled=yes tagged=bridge1_vlan101,ether1,wlan3 vlan-ids=\
101
add bridge=bridge1 disabled=yes tagged=bridge1_vlan102,ether1,wlan4 vlan-ids=\
102
/interface list member
add interface=ether1 list=WAN
add interface=bridge1_vlan101 list=VLAN
add interface=bridge1_vlan102 list=VLAN
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=172.16.0.1/24 interface=bridge1_vlan101 network=172.16.0.0
add address=172.16.1.1/24 interface=bridge1_vlan102 network=172.16.1.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=172.16.0.0/24 dns-server=192.168.0.254 gateway=172.16.0.1 \
netmask=24
add address=172.16.1.0/24 dns-server=192.168.0.254 gateway=172.16.1.1 \
netmask=24
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface-list=VLAN
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward connection-state=new in-interface-list=VLAN \
out-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=Europe/Amsterdam
anav
October 31, 2021, 4:06pm
17
You want to create a Bridge and assign all Interfaces to it.
Vlans are not bridge ports.
Is the WAPAc acting as a router or simply an access point switch?
Personally I would have three vlans and nothing dhcp related to the bridge, its confusing otherwise.
You want to create a Bridge and assign all Interfaces to it.
Vlans are not bridge ports.
Is the WAPAc acting as a router or simply an access point switch?
Personally I would have three vlans and nothing dhcp related to the bridge, its confusing otherwise.
Thanks for your feedback. Regarding your question of the wAP AC is acting as router or access point switch. To my understanding and that is how I’m using it it is an access point switch.
I agree in my test setup the 192.168.88.1 is not really required. I kept in in the test setup so that I can still make a connected to the wAP in case a make mistakes in the configuration, it happend to often that I could access the device due to a misconfiguration.
The DHCP server on my network is running on the device (Cradlepoint) responsible for the internet connection, that is where all the VLANs come together. THis device is responsible for handing out IP addresses on the network. In my test setup, I don’t have a DHCP server, that is why for now it is configured on the Mikrotik itself, but that should removed once in the final setup.
The final solution that I’m trying to build is that each wifi access points as two wlan’s and each one with its own vlan and this configuration needs to be managed from the CAPSMAN. This is what I’m trying to setup and having challenges.
So which config should be done in the CAPSMAN, this seems to be straight forward, but how does the CAPS client needs to be configured from a VLAN point of view, from a bridge point of view, etc. etc.
mkx
November 1, 2021, 9:50am
19
You have to manually configure the wired part of CAP client before CAPsMAN takes over provisioning the wireless part. CAPsMAN only does what you currently have under /interface wireless …
For testing purposes you can configure wireless part manually and transition it to CAPsMAN later. As to the wired part: did you study (thoroughly) the VLAN bible ?
The wireless config shown in post #1 is almost fine (master wireless interfaces lack vlan-id=XX vlan-mode=use-tag and all wireless interfaces should be tagged member ports of bridge … tagged for corresponding VIDs that is).
It keeps driving me crazy, I don’t know what the issue is, I tried so many things. I’ve read the VLAN bible, understand all the VLANs, tagging, native VLAN, etc. etc. But still, something doesn’t make sense in my config.
I’ve connected the wAP device to a switch, that switch supports VLANs and 101 and 103 are configured with DHCP. When I connect the MacBook and configure VLAN on the MacBook I get the corresponding IP addresses assigned.
When connecting with an iPad/iPhone to the Mikrotik wifi I don’t get an IP address at all. I don’t understand why. Any suggestions on the following config:
# nov/03/2021 22:35:16 by RouterOS 6.48.1
# software id = TMGN-VZVM
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = 69A50578307F
/interface bridge
add name=bridge1
/interface wireless
# managed by CAPsMAN
# channel: 2447/20-eC/gn(28dBm), SSID: CAPsVLAN101, local forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=outdoor mode=\
ap-bridge ssid=MikroTik wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX distance=indoors frequency=auto installation=outdoor \
mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan101 vlan-id=101
add interface=ether1 name=vlan103 vlan-id=103
/caps-man datapath
add arp=enabled bridge=bridge1 local-forwarding=yes name=DataPathVLAN101 \
vlan-id=101 vlan-mode=use-tag
add bridge=bridge1 local-forwarding=yes name=DatapathVLAN103 vlan-id=103 \
vlan-mode=use-tag
/caps-man configuration
add datapath=DataPathVLAN101 name=CAPsVLAN101 ssid=CAPsVLAN101
add datapath=DatapathVLAN103 name=CAPsVLAN103 ssid=CAPsVLAN103
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.100-192.168.88.254
add name=dhcp_pool1_VLAN101 ranges=172.16.0.100-172.16.0.200
add name=dhcp_pool2_VLAN103 ranges=172.16.1.100-172.16.1.200
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled comment="2.4 Ghz CAPS Config" \
hw-supported-modes=gn master-configuration=CAPsVLAN101 name-format=\
prefix-identity name-prefix=CAP- slave-configurations=CAPsVLAN103
add action=create-dynamic-enabled comment="5 Ghz CAPS Config" disabled=yes \
hw-supported-modes=ac master-configuration=CAPsVLAN101 \
slave-configurations=CAPsVLAN103
/interface bridge port
add bridge=bridge1 interface=vlan101 multicast-router=disabled
add bridge=bridge1 interface=vlan103 multicast-router=disabled
add bridge=bridge1 interface=ether1 multicast-router=disabled
add bridge=bridge1 interface=dynamic multicast-router=disabled
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add interface=ether1 list=WAN
add interface=vlan101 list=VLAN
add interface=vlan103 list=VLAN
/interface wireless cap
#
set caps-man-addresses=192.168.0.216 discovery-interfaces=*3E enabled=yes \
interfaces=wlan1
/ip address
add address=192.168.88.1/24 disabled=yes interface=bridge1 network=\
192.168.88.0
add address=172.16.0.1/24 disabled=yes interface=vlan101 network=172.16.0.0
add address=172.16.1.1/24 disabled=yes interface=vlan103 network=172.16.1.0
/ip dhcp-client
add interface=vlan101
add interface=vlan103
add disabled=no interface=bridge1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=WIFI01-Test
