I have a working network with VLANs for Guest and Work already - without any Mikrotik components. Our router is DHCP server and separates Guest and Work vlans. Guest wifi is allowed only to access internet. Work wifi has access to our LAN - so far so normal.
Now I want to test and configure MikroTik cAP ac with this constellation. I did the configuration of the cAP access point via webconfig in the wireless section only. The configuration for the wlan1 and wlan2 interfaces (2ghz and 5ghz) is the same, so I write the configuration for one of the interfaces only.
Work wifi - wlan1 wireless interface
Mode: ap bridge
SSID: Work
Security profile: profile-work
WPS Mode: disabled
Country: germany
Frequency Mode: regulatory-domain (this is demanded, because of germany)
VLAN mode: use tag
VLAN ID: 10
Guest wifi - virtual interface
Master Interface: wlan1 wireless interface
Mode: ap bridge
SSID: Guest
Security Profile: profile-guest
WPS Mode: disabled
VLAN Mode: use tag
VLAN ID: 15
The result is that Work wifi works perfectly. The clients receive an IP address and can connect to the LAN and/or the internet, whereas Guest wifi can't connect to the internet. My mobile connects to Guest wifi and receives an IP address from our router, but it can't connect to the internet. My Ubuntu laptop isn't assigned an IP address at all.
The issue is probably not in the wifi setup part. Where is the DHCP server for VLAN ID=15? Where does that VLAN connect to, compared to VLAN ID=10?
VLAN15 and VLAN10 have their DHCP server both from our firewall. The firewall has one network interface which is designated for these VLANs only.
An already existing installation with an AccessPoint from Lancom works without any problems. Which means that the configuration of VLAN and DHCP on the firewall should be correct.
I will now reset the MikroTik cAP ac completely and do my desired configuration again. Possibly I have inserted errors, which I overlook now.
I reset and reconfigured the cAP ac, but still it shows the same result - successful connection with SSID Work, but no connection with SSID Guest.
As I wrote in my first post, I have already configured an Access Point from Lancom which works successfully in the same constellation of VLAN and Wifi Work and Guest. So I don't think the configuration of the DHCP server on our router should be the problem.
/interface bridge port
add bridge=bridge interface=vlan2ghz-gast
add bridge=bridge interface=vlan5ghz-gast
And then you probably need to do something with VLAN setup; currently the cAP is configured as a dumb switch without any idea about VLANs … wlan interfaces themselves deal with VLAN tags, the bridge interface as well (by way of vlan interfaces; BTW, using vlan with VID=1 probably masks some problems away because it's the default setting in many places, but you never know where packets are tagged and where they're not). But the big problem is ether1, currently it's implicitly an all-tagged trunk interface. Good practice is to explicitly configure VLANs on the bridge; have a look at this tutorial to see how that's done in ROS.
The tutorial for Access Points describes nearly exactly my situation, except that I want to configure two VLANs only (work and guest) and want to use ether1 as the trunk port. Ether1 should also have a fixed IP address from the LAN, which I can use to configure the Access Point. From VLAN work and guest it should not be allowed to configure the AP. This differs from the tutorial, where an additional third VLAN is used to allow configuration of the AP.
This is my configuration:
### VLAN Overview
# 10 = BLUE Work
# 15 = GREEN Guest
### 99 = BASIS VLAN I want to leave out
### Wifi setup
# Blue SSID
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="blue password"
/interface wireless set [ find default-name=wlan1 ] ssid=BLUE_SSID frequency=auto mode=ap-bridge disabled=no
# Green SSID
/interface wireless security-profiles add name=GREEN_PROFILE authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="green password"
/interface wireless add name=wlan2 ssid=GREEN_SSID master-interface=wlan1 security-profile=GREEN_PROFILE disabled=no
### Bridge
# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no
### Access Ports
# ingress behavior
/interface bridge port
# Blue, Green VLAN
add bridge=BR1 interface=wlan1 pvid=10
add bridge=BR1 interface=wlan2 pvid=15
# egress behavior
/interface bridge vlan
# Blue, Green VLAN
add bridge=BR1 untagged=wlan1 vlan-ids=10
add bridge=BR1 untagged=wlan2 vlan-ids=15
### Trunk Ports
# ingress behavior
/interface bridge port
# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=ether1
# egress behavior
/interface bridge vlan
# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASIS_VLAN)
set bridge=BR1 tagged=ether1 [find vlan-ids=10]
set bridge=BR1 tagged=ether1 [find vlan-ids=15]
# The following step I left out, because I don't want use the third VLAN 99
# add bridge=BR1 tagged=BR1,ether1 vlan-ids=99
### IP Addressing & Routing
# LAN facing AP's Private IP address on a BASIS_VLAN
# /interface vlan add interface=BR1 name=BASIS_VLAN vlan-id=99
# /ip address add address=192.168.0.3/24 interface=BASIS_VLAN
# Instead of the two previous steps I want a fixed IP address for ether1
/ip address add address=10.10.0.68/24 interface=ether1
# The Router's IP this AP will use
/ip route add distance=1 gateway=10.10.0.254
### VLAN Security
# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2]
# Only allow ingress packets WITH tags on Trunk Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]
### MAC Server settings
# Ensure only visibility and availability from BASIS_VLAN, the MGMT network
/interface list add name=BASIS
# /interface list member add interface=BASIS_VLAN list=BASIS
# Instead of previous step I want to add ether1 to the interface list BASIS
/interface list member add interface=ether1 list=BASIS
/ip neighbor discovery-settings set discover-interface-list=BASIS
/tool mac-server mac-winbox set allowed-interface-list=BASIS
/tool mac-server set allowed-interface-list=BASIS
### Turn on VLAN mode
# Up to this last step, the AP works as desired, i.e. two separate VLANs are published via WiFi.
# As soon as I activate the last step, no more IP addresses are distributed over the VLANs and the AP is also not reachable over the fixed IP address.
/interface bridge set BR1 vlan-filtering=yes
What is wrong with my changes to the original configuration?
Peter
Problems start here. As you can see highlighted, the entries don't belong in wifi settings!!
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=germany disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wlan2ghz-intern security-profile=profile-intern ssid=WIFI@in vlan-id=10 vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=germany disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wlan5ghz-intern security-profile=profile-intern ssid=WIFI@in vlan-id=10 vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:85:FC:6B master-interface=wlan2ghz-intern multicast-buffering=disabled name=vlan2ghz-gast security-profile=profile-Gast ssid=WIFI@gast vlan-id=15 vlan-mode=use-tag wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:85:FC:6C master-interface=wlan5ghz-intern multicast-buffering=disabled name=vlan5ghz-gast security-profile=profile-Gast ssid=WIFI@gast vlan-id=15 vlan-mode=use-tag wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 wps-mode=disabled
… MISSING PVID settings etc. that need to be here, NOT in the wlan definitions!!
Remember this informs the router on INGRESS so that the router knows what to do with incoming packets (like assign or tag them with vlanXX for access ports)
/interface bridge port
add bridge=bridge comment=defconf interface=ether1 (trunk port no tagging/pvid required but good idea to use ingress filtering here)
add bridge=bridge comment=defconf interface=wlan2ghz-intern ??? pvid=XX and the bit about accepting priority and untagged frames
add bridge=bridge comment=defconf interface=wlan5ghz-intern ??? pvid=YY and the bit about accepting priority and untagged frames
Finally, you totally need Bridge VLAN settings to handle the egress part of VLAN
Example from my cAP ac:
/interface bridge vlan
add bridge=bridgeHallway tagged=ether1 untagged=DevicesHallway vlan-ids=45 (my main 2ghz WLan)
add bridge=bridgeHallway tagged=ether1 untagged=VisitorWIFI vlan-ids=200 (my virtual 5ghz WLAN)
add bridge=bridgeHallway tagged=ether1,bridgeHallway untagged=Hallway5G \ (my main 5ghz WLan)
Thanks, anav. Your hint to configure “vlan-mode=no-tag” in wifi settings has almost led me to the goal. Now I can connect to the WiFis successfully. BUT it’s not possible to manage the cAP via the IP address which I have assigned to ether1.
I have changed my config according to the Tutorial for Access Points; see my previous post #8.
Here is my current configuration:
(some comments refer to differences from the tutorial's config)
(for simplicity, the configuration only includes the 2GHz wifi)
# Create WLAN networks
/interface wireless security-profiles
add name=prof_intern authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=pw-intern
add name=prof_gast authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=pw-gast
/interface wireless
# no VLAN set on the radios, leave vlan-mode at no-tag
set [find default-name=wlan1] name=wlan2ghz-intern ssid=MICK@in security-profile=prof_intern frequency=auto mode=ap-bridge disabled=no
add name=vlan2ghz-gast ssid=MICK@gast security-profile=prof_gast master-interface=wlan2ghz-intern mode=ap-bridge disabled=no
/interface bridge
# turn off VLAN mode while config
add name=BR1 protocol-mode=none vlan-filtering=no
# Access Ports
# ingress
/interface bridge port
add bridge=BR1 interface=wlan2ghz-intern pvid=10
add bridge=BR1 interface=vlan2ghz-gast pvid=15
# egress
/interface bridge vlan
add bridge=BR1 untagged=wlan2ghz-intern vlan-ids=10
add bridge=BR1 untagged=vlan2ghz-gast vlan-ids=15
#Trunk Port(s)
# ingress
/interface bridge port
add bridge=BR1 interface=ether1
# egress
/interface bridge vlan
set bridge=BR1 tagged=ether1 [find vlan-ids=10]
set bridge=BR1 tagged=ether1 [find vlan-ids=15]
# add bridge=BR1 tagged=BR1,ether1 vlan-ids=99
# LAN facing AP's Private IP address on a BASIS_VLAN
# /interface vlan
# add interface=BR1 name=BASIS_VLAN vlan-id=99
# /ip address
# add address=192.168.0.3/24 interface=BASIS_VLAN
# I want to access via ether1 with fixed IP
/ip address
add address=10.10.0.68/24 interface=ether1
/ip route
add distance=1 gateway=10.10.0.254
# VLAN Security
# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2ghz-intern]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=vlan2ghz-gast]
# Only allow ingress packets WITH tags on Trunk Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]
# MAC Server Security
/interface list
add name=BASIS
/interface list member
# available from BASIS_VLAN only
# add interface=BASIS_VLAN list=BASIS
# I want this from ether1 only
add interface=ether1 list=BASIS
/ip neighbor discovery-settings
set discover-interface-list=BASIS
/tool mac-server mac-winbox
set allowed-interface-list=BASIS
/tool mac-server
set allowed-interface-list=BASIS
# Turn on VLAN mode
/interface bridge
set BR1 vlan-filtering=yes
As soon as I turn on vlan-filtering I can't access the cAP ac anymore via its fixed IP address. BUT wlan1 and wlan2 are working successfully the way I wished for.
What is the final step of the configuration which allows managing the cAP via the IP address I have assigned to ether1?
In other words I didn't create an extra vlan 99, the capac is on my homevlan
/ip address
add address=192.168.0.xxx/24 interface=homevlan network=192.168.0.0
/tool mac-server mac-winbox
set allowed-interface-list=capwin
winbox is also enabled..... allowed access is the homevlan.
Reviewing your setup, you should be able to access the capac
if the IP address of the capac is a legit IP on the VLAN99 network.
If so, the capac seems fine; do you have vlan99 configured on the main router??
After another look, I think the problem is here....... You are missing interface member assignment.
/interface list member
# available from BASIS_VLAN only
# add interface=BASIS_VLAN list=BASIS
# I want this from ether1 only
add interface=ether1 list=BASIS
I am not sure if it's necessary to associate ether1 to the Basis list, BUT you should associate the vlan99 with the basis list.
add interface=BASIS_VLAN list=BASIS
If this doesn't work, then change ether1 to LAN or WAN list as well, but I don't think that matters; it's the missing association that I believe is key.
@anav
Sorry for not getting back to you on your last reply. I put the cAPac aside for over a year now. However, now I want to try again.
/interface wireless security-profiles
add name=prof_intern authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=pw-intern
add name=prof_gast authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=pw-gast
/interface wireless
set [find default-name=wlan1] name=wlan2ghz-intern ssid=MICK@in security-profile=prof_intern frequency=auto mode=ap-bridge disabled=no
add name=vlan2ghz-gast ssid=MICK@gast security-profile=prof_gast master-interface=wlan2ghz-intern mode=ap-bridge disabled=no
/interface bridge
# turn off VLAN mode while config
add name=BR1 protocol-mode=none vlan-filtering=no
# Access Ports
# ingress
/interface bridge port
add bridge=BR1 interface=wlan2ghz-intern pvid=10
add bridge=BR1 interface=vlan2ghz-gast pvid=15
# egress
/interface bridge vlan
add bridge=BR1 untagged=wlan2ghz-intern vlan-ids=10
add bridge=BR1 untagged=vlan2ghz-gast vlan-ids=15
#Trunk Port(s)
# ingress
/interface bridge port
add bridge=BR1 interface=ether1
# egress
/interface bridge vlan
set bridge=BR1 tagged=ether1 [find vlan-ids=10]
set bridge=BR1 tagged=ether1 [find vlan-ids=15]
/ip address
add address=10.10.0.68/24 interface=ether1
/ip route
add distance=1 gateway=10.10.0.254
# VLAN Security
# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2ghz-intern]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=vlan2ghz-gast]
# Only allow ingress packets WITH tags on Trunk Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]
# MAC Server Security
/interface list
add name=BASIS
/interface list member
add interface=ether1 list=BASIS
/ip neighbor discovery-settings
set discover-interface-list=BASIS
/tool mac-server mac-winbox
set allowed-interface-list=BASIS
/tool mac-server
set allowed-interface-list=BASIS
# Turn on VLAN mode
/interface bridge
set BR1 vlan-filtering=yes
As I wrote already, as soon as I activate vlan-filtering=yes in the last step I can't access the cAP ac anymore, but wifi for intern and gast with VLAN works as wished.
Our company's LAN on ether1 has no VLAN ID, or rather it has the default VLAN ID=1 because no VLAN is configured. Do I have to create pvid=vlan-id=1 as bridge port or bridge vlan?
I thought at first your answer was my enlightenment, but the cAP ac tells me there is no difference whether I configure ether1 or bridge BR1 for the IP address and as member of this interface list. The result is the same: as soon as vlan filtering is activated on bridge BR1 I can't access the cAP ac anymore, but Wifi intern and Wifi gast are working as wished.
OK, so ether1 is supposed to allow only tagged frames on ingress. Which VLAN (10 or 15) is supposed to allow management access? As it is now, the RB can be accessed over ether1 using untagged access.
None of the vlans should allow management access. I want to access the cAP ac by the IP address assigned to ether1, which is a member of our Ethernet LAN without vlan (or the default vlan=1).
Post your current config just to be sure we see what the device is running. Execute /export hide-sensitive file=anynameyouwish, fetch the resulting file, open it with a text editor and copy-paste the contents here inside a [code] [/code] environment. What you posted so far is a series of commands you are supposed to execute, but it doesn't show the exact result (because the end result depends on the previous state of the configuration).
However:
interfaces which are made ports of a bridge should not be directly used for anything else. While ROS doesn't barf on that, it's incorrect nevertheless. If a port is bridged, then whatever L3 config is made on it isn't exclusive to that port any more, because on L2 it becomes a member of the bridged/switched network.
So you really should move your IP address to BR1, and all other references to ether1 (e.g. interface list membership) should be moved to BR1.
You also have to allow untagged frames on ingress for ether1. So your config should look something like:
# Allow ingress packets WITH and WITHOUT tags on Trunk Ports, or else untagged management via ether1 won't work.
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-all [find interface=ether1]
Note that in this case, both BR1 interface and ether1 will use (implicit default) value of PVID=1.
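For reference, here is the 2GHz part of the thread's configuration with the corrections from this reply applied (IP address and interface-list membership on BR1, ether1 admitting untagged frames). This is an added example, not a configuration posted in the thread; names, VLAN IDs and addresses are the ones used above, and it assumes a freshly reset cAP ac.

```routeros
# Added example: cAP ac as a VLAN-aware access point, management on the untagged LAN.
/interface wireless security-profiles
add name=prof_intern authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=pw-intern
add name=prof_gast authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=pw-gast
/interface wireless
# vlan-mode stays at its default (no-tag): the bridge, not the radio, handles the tags
set [find default-name=wlan1] name=wlan2ghz-intern ssid=MICK@in security-profile=prof_intern frequency=auto mode=ap-bridge disabled=no
add name=vlan2ghz-gast ssid=MICK@gast security-profile=prof_gast master-interface=wlan2ghz-intern mode=ap-bridge disabled=no
/interface bridge
# filtering stays off until ports, VLAN table and IP address are in place
add name=BR1 protocol-mode=none vlan-filtering=no
# Access ports (ingress): untagged wifi frames are assigned the PVID of their port
/interface bridge port
add bridge=BR1 interface=wlan2ghz-intern pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=vlan2ghz-gast pvid=15 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
# Trunk port (ingress): tagged 10/15 from the firewall plus untagged management traffic,
# which lands in the implicit PVID 1 shared with the bridge interface itself
add bridge=BR1 interface=ether1 ingress-filtering=yes frame-types=admit-all
# VLAN table (egress): 10/15 leave ether1 tagged and the wifi ports untagged.
# BR1 is deliberately not a member of 10 or 15, so wifi clients have no L2 path to the CPU.
# VLAN 1 needs no entry; it is created dynamically from the PVIDs of ether1 and BR1.
/interface bridge vlan
add bridge=BR1 tagged=ether1 untagged=wlan2ghz-intern vlan-ids=10
add bridge=BR1 tagged=ether1 untagged=vlan2ghz-gast vlan-ids=15
# Management IP on the bridge, not on ether1 (ether1 is a bridge port and carries no L3 config)
/ip address
add address=10.10.0.68/24 interface=BR1
/ip route
add distance=1 gateway=10.10.0.254
# Neighbor discovery and MAC server only via the bridge, i.e. the untagged LAN side
/interface list
add name=BASIS
/interface list member
add interface=BR1 list=BASIS
/ip neighbor discovery-settings
set discover-interface-list=BASIS
/tool mac-server mac-winbox
set allowed-interface-list=BASIS
/tool mac-server
set allowed-interface-list=BASIS
# Last step: enable VLAN filtering only now, while connected from the untagged LAN
/interface bridge
set BR1 vlan-filtering=yes
```

With ingress-filtering=yes on ether1, a tagged frame whose VLAN has no entry for ether1 in the VLAN table is dropped, so only VLAN 10, VLAN 15 and untagged traffic enter the bridge.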
Thanks mkx, finally, finally it works! Now I use the IP for the bridge BR1, and allowing ingress-filtering with frame-types=admit-all on ether1 did the trick.
This is my final configuration:
I edited the configuration starting from the default config for 192.168.88.1, so I could remove a few config lines which were obsolete and without any effect. But can I delete the firewall rules as well without any effect?
Since the device is not a border gateway, and assuming management access via untagged is trusted, you can safely disable/remove all firewall rules. Or to be on the safe side leave the rules for chain=input …
I'm wondering if this setting is needed:
/ip dns
set allow-remote-requests=yes servers=10.10.10.254
If this device is nowhere mentioned as DNS resolver for your untagged network, then you should set allow-remote-requests=no just to be on the safe side.
The device isn't a border gateway, so I disabled allow-remote-requests and removed the firewall rules with chain=forward only.
Unfortunately I notice that I still can access the device's webconfig by its IP address, and this is allowed from each network segment. That means I can access the webconfig from Wifi@gast, from Wifi@intern and from the LAN. The LAN should be allowed to, but Wifi@gast especially shouldn't be. From Wifi@gast pinging the IP address isn't allowed, but when a gast user enters the right IP address he will reach the cAP ac's webcfg.
Is it possible to prohibit access to the device from Wifi@gast?
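One way to confine the management plane to the untagged LAN, in the spirit of mkx's advice to keep the chain=input rules. This is an added example, not something posted in the thread; it assumes 10.10.0.0/24 is the management LAN (taken from the AP address 10.10.0.68/24 above) and that, as in the final configuration, the AP's only IP address sits on BR1. Guest and Work clients reach 10.10.0.68 only through the firewall's routing, so their packets arrive with a source address outside 10.10.0.0/24 and can be told apart on the AP itself.

```routeros
# Added example: restrict cAP ac management services to the untagged LAN (10.10.0.0/24 assumed).
# 1) Bind each management service to the management subnet; disable the ones not in use.
#    The address filter is applied by the service itself, independent of the firewall.
/ip service
set www address=10.10.0.0/24
set winbox address=10.10.0.0/24
set ssh address=10.10.0.0/24
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set www-ssl disabled=yes
# 2) Input chain as a second layer: replies to the AP's own traffic (DNS, NTP) pass,
#    management is accepted only from the LAN arriving via BR1, everything else to the AP is dropped.
#    Order matters: the accept for 10.10.0.0/24 must precede the final drop, and the rules
#    should be entered from the LAN side so the session used to add them stays allowed.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="replies to AP-originated traffic"
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=BR1 src-address=10.10.0.0/24 comment="management and ping from untagged LAN"
add chain=input action=drop comment="routed Guest/Work clients and anything else addressed to the AP"
```

MAC-based Winbox access is already limited to the BASIS interface list in the thread's configuration; the rules above cover the IP-based services that routed guest clients were still reaching.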