The tutorial for Acess Points describes nearly exact my situation. Except for I want to configure two VLANs only (work and guest) and want to use ether1 as the trunk port. Ether1 should also have a fixed IP address from LAN, which I can use to configure the Access Point. From VLAN work and guest it should not be allowed to configure the AP. In difference to the tutorial where an additional and third VLAN is used to allow configuration of the AP.
This my configuration:
### VLAN Overview
# 10 = BLUE Work
# 15 = GREEN Guest
### 99 = BASIS VLAN i want to leave out
### Wifi setup
# Blue SSID
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="blue password"
/interface wireless set [ find default-name=wlan1 ] ssid=BLUE_SSID frequency=auto mode=ap-bridge disabled=no
# Green SSID
/interface wireless security-profiles add name=GREEN_PROFILE authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="green password"
/interface wireless add name=wlan2 ssid=GREEN_SSID master-interface=wlan1 security-profile=GREEN_PROFILE disabled=no
### Bridge
# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no
### Access Ports
# ingress behavior
/interface bridge port
# Blue, Green VLAN
add bridge=BR1 interface=wlan1 pvid=10
add bridge=BR1 interface=wlan2 pvid=15
# egress behavior
/interface bridge vlan
# Blue, Green VLAN
add bridge=BR1 untagged=wlan1 vlan-ids=10
add bridge=BR1 untagged=wlan2 vlan-ids=15
### Trunk Ports
# ingress behavior
/interface bridge port
# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=ether1
# egress behavior
/interface bridge vlan
# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASIS_VLAN)
set bridge=BR1 tagged=ether1 [find vlan-ids=10]
set bridge=BR1 tagged=ether1 [find vlan-ids=15]
# The following step I left out, because I don't want use the third VLAN 99
# add bridge=BR1 tagged=BR1,ether1 vlan-ids=99
### IP Addressing & Routing
# LAN facing AP's Private IP address on a BASIS_VLAN
# /interface vlan add interface=BR1 name=BASIS_VLAN vlan-id=99
# /ip address add address=192.168.0.3/24 interface=BASIS_VLAN
# Instead of the two previous steps I want a fixed IP address for ether1
/ip address add address=10.10.0.68/24 interface=ether1
# The Router's IP this AP will use
/ip route add distance=1 gateway=10.10.0.254
### VLAN Security
# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2]
# Only allow ingress packets WITH tags on Trunk Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]
### MAC Server settings
# Ensure only visibility and availability from BASIS_VLAN, the MGMT network
/interface list add name=BASIS
# /interface list member add interface=BASIS_VLAN list=BASIS
# Instead of previous step I want to add ether1 to the interface list BASIS
/interface list member add interface=ether1 list=BASIS
/ip neighbor discovery-settings set discover-interface-list=BASIS
/tool mac-server mac-winbox set allowed-interface-list=BASIS
/tool mac-server set allowed-interface-list=BASIS
### Turn on VLAN mode
# Up to this last step, the AP works as desired, i.e. two separate VLANs are published via WiFi.
# As soon as I activate the last step, no more IP addresses are distributed over the VLANs and the AP is also not reachable over the fixed IP address.
/interface bridge set BR1 vlan-filtering=yes
What is wrong with my changes to the original configuration?
Peter