VLAN and AP

Hello Mikrotik lovers,

I have been managing a few interconnected Mikrotik devices in my company for a few years now (I have routers, switches, APs, etc…)
But one issue I have never really been able to solve is VLANs. Indeed, I need to be able to have guest users on my network using both ethernet and wifi.
I have been able to successfully do that using VLANs, but I never really managed to have it really stable when it comes to wifi (latencies during handshake, impossibility to see other computers in the subnet).
To fix that once and for all, I have decided to create a simple setup to understand what is going on, but I am still stuck.

My test setup is as follows:
Router > Switch > AP

The router has a specific DHCP server for VLAN-tagged (40) packets.
The switch bridges a specific port through VLAN 40
The AP is a really dumb AP (all ports are bridged together, no firewall, nothing else than the interfaces and the bridge)

Today, the situation is as follows:

  • If I connect the AP to a non-vlan-tagged port of the switch, it works as it should. (IP from main DHCP + access to internet)

  • If I connect the AP to a vlan-tagged port of the switch, then when I try connecting to it over wifi, I do get an IP address in the guest subnet, but it takes time to connect and I end up having no internet access.

  • If instead I connect my computer directly over ethernet on the same port, it works as it should (IP from guest DHCP + access to internet).

  • If I connect the AP directly on the main router on a port that is in the guest bridge, it works as it should (IP from guest DHCP + access to internet).

If you have any guesses on what could be the source of my problem, don’t hesitate to tell me. Maybe the MTU?

Thank you for your help!

Here is the configuration of the router:

[admin@Main-Router] /interface/vlan> print terse
0 R name=vlan40 mtu=1500 l2mtu=1576 mac-address=C4:AD:34:91:28:D3 arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m vlan-id=40 interface=sfp-sfpplus1 use-service-tag=no

[admin@Main-Router] /interface/bridge> print terse
1 R name="main-bridge" mtu=1500 actual-mtu=1500 l2mtu=1580 arp=enabled arp-timeout=auto mac-address=C4:AD:34:91:28:D3 protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m  priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no 
2 R name="guest-bridge" mtu=auto actual-mtu=1500 l2mtu=1576 arp=enabled arp-timeout=auto mac-address=C4:AD:34:91:28:D3 protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no

[admin@Main-Router] /ip/dhcp-server> print terse
0 name=main-dhcp interface=main-bridge lease-time=10m address-pool=main-dhcp authoritative=yes use-radius=no lease-script=
1 name=guest-dhcp interface=guest-bridge lease-time=10m address-pool=guest-dhcp authoritative=yes use-radius=no lease-script=

[admin@Main-Router] /interface/bridge/port> print terse
0 interface=sfp-sfpplus1 bridge=main-bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no
1   interface=ether1 bridge=main-bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no
2   interface=vlan40 bridge=guest-bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=disabled fast-leave=no

Here is the configuration of the switch:

[admin@Sub-switch] /interface/vlan> print terse      
0 R name=vlan40 mtu=1500 l2mtu=1588 mac-address=C4:AD:34:8A:55:2B arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m vlan-id=40 interface=sfp-sfpplus1 use-service-tag=no

[admin@Sub-switch] /interface/bridge> print terse
0 R comment=defconf name=main-bridge mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=C4:AD:34:8A:55:13 protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=C4:AD:34:8A:55:13 ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no
1 R name=guest-bridge mtu=auto actual-mtu=1500 l2mtu=1588 arp=enabled arp-timeout=auto mac-address=C4:AD:34:8A:55:2A protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no
	 
[admin@Sub-switch] /interface/bridge/port> print
0 interface=sfp-sfpplus1 bridge=main-bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no
1 H interface=ether1 bridge=main-bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no
2 H interface=ether2 bridge=guest-bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no

And the configuration of the AP:

[admin@AP] /interface/bridge> print terse
0 R name=bridge1 mtu=auto actual-mtu=1500 l2mtu=1560 arp=enabled arp-timeout=auto mac-address=48:A9:8A:E3:3C:26 protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no

[admin@AP] /interface/bridge/port> print terse
0   interface=ether1 bridge=bridge1 priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no
1 I interface=ether2 bridge=bridge1 priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no
2   interface=wifi1 bridge=bridge1 priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no
3 I interface=wifi2 bridge=bridge1 priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no

Much more readable configuration is shown using command “export” … only rarely some things are missing (such as dynamic addresses, etc.). Please provide those exports.

Hi mkx,

Thank you for your swift reply.
I did not do an export as I did not want to extract my whole complex configuration.
So I took an old hAP ac lite and an hEX on which I recreated my configuration… and this time it works!
I am really confused there… So here is the configuration I have running on the reproduced setup:

Router configuration

[admin@main-router] > export
# 2023-11-30 17:23:21 by RouterOS 7.12.1
# software id = BE9P-L0P1
#
# model = RB750Gr3
# serial number = 8AFF081C7CCF
/interface bridge
add name=guest-bridge
add name=main-bridge
/interface vlan
add interface=ether2 name=vlan60 vlan-id=60
/ip pool
add name=main-dhcp-pool ranges=192.168.50.2-192.168.50.200
add name=guest-dhcp-pool ranges=192.168.60.2-192.168.60.200
/ip dhcp-server
add address-pool=main-dhcp-pool interface=main-bridge name=main-dhcp-server
add address-pool=guest-dhcp-pool interface=guest-bridge name=guest-dhcp-server
/port
set 0 name=serial0
/interface bridge port
add bridge=main-bridge interface=ether2
add bridge=main-bridge interface=ether3
add bridge=main-bridge interface=ether4
add bridge=main-bridge interface=ether5
add bridge=guest-bridge interface=vlan60
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.50.1/24 interface=main-bridge network=192.168.50.0
add address=192.168.60.1/24 interface=guest-bridge network=192.168.60.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.50.0/24 gateway=192.168.50.1 netmask=24
add address=192.168.60.0/24 gateway=192.168.60.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

Switch configuration

[admin@switch] > export
# 2023-11-30 17:22:10 by RouterOS 7.12.1
# software id = H28J-T3ZN
#
# model = RB952Ui-5ac2nD
# serial number = 924D0947E307
/interface bridge
add name=guest-bridge
add name=main-bridge
/interface vlan
add interface=ether1 name=vlan60 vlan-id=60
/interface bridge port
add bridge=main-bridge interface=ether1
add bridge=main-bridge interface=ether2
add bridge=main-bridge interface=ether3
add bridge=main-bridge interface=ether4
add bridge=guest-bridge interface=ether5
add bridge=guest-bridge interface=vlan60
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip dhcp-client
add interface=main-bridge

If you see anything funky there, just tell me, but I will keep on digging to spot the differences on my production environment…

More information on the issue:

When I connect to the AP, I get an IP address and everything looks OK, but I have to wait around 10 minutes to have the internet. Any idea?

DFS, a.k.a radar detection. On certain channels AP is required to listen full 10 minutes before it can start to transmit.

The VLAN setup is funky. You really should be using a single bridge, have a look at this tutorial. In particular, the use of ether1 (interconnect interface) is not fine.

Ok, thank you very much for that, I will do tests on my lab setup to reproduce that and get back to you with my updated setup.
I really thought that using multiple bridges allowed for more security/clearly separating the two networks.
(Nothing to do with DFS, I have actually disabled it to be sure; the network is visible and I can connect to it, it’s just that it takes time to get functional routing for some reason.)

About ether1, to me an interface is an interface, is there anything special about it or is it a convention?

When mentioning ether1 I meant config you have. Having it as bridge port of main-bridge in principle includes tagged traffic as well, even though you have the vlan interface attached to ether1 port. If you had vlan filtering enabled, then you could filter tagged frames from entering main-bridge, but you don’t.

Bridge with vlan-filtering enabled is at least as good at separating L2 networks as are separate bridges.

Another reason for getting delayed connectivity (but should be in order of seconds) is xSTP. When no stations are connected to wireless AP, its interface is idle and bridge port is “not running”. When first station connects to AP, interface transitions to “running” and bridge port to active. At this moment xSTP checks for possible loops, during detection phase no traffic can pass. The best way to avoid this nuisance is to set disable-running-check=yes on each wireless interface.

Great, thank you for all these details and interesting insights!
I have tested the suggested config on my lab and ended up applying it on my production environment this evening, and it was tedious! (I have 1 router and 7 switches.)
Everything seems to be running smoothly and I don’t seem to have the issue I described anymore, it connects quickly and no more lag to get internet access.

Also, my network is now way more secure! I used to have my main network available by default (no vlan) and the guest with vlan. Now I have one vlan for my main network, one vlan for my guest network and one vlan for my network administration. Also, it makes firewalling simpler, so again, thank you.

I still have one side effect from this new configuration: My IPBX cannot communicate with my IP phones anymore.
The IPBX and the phones are all running static IP addresses. I know it is not ideal, my whole network is DHCP-based with reservations, but it is proprietary hardware from Alcatel and it does not properly handle DHCP.
The IPBX is plugged directly on the router (on a VLAN 30 port), the phones are plugged to edge switches on VLAN 30 ports.
It used to work when my main network was vlan-free, but now that it is under VLAN 30 it does not.

The DHCP network behind VLAN 30 is 10.1.0.1/16 with the following pool: 10.1.0.1-10.1.3.250
The IPBX IP address is 10.1.4.1, the phones are all set on subsequent IPs (10.1.4.2-10.1.4.60)
The phones are plugged to non-manageable switches, these switches are plugged to VLAN 30 ports of an edge manageable switch.

I will play around with it on Monday, but any idea would help :)

As long as ports on edge managed switches are set as access ports[*], it should work fine.

[*] In Mikrotik parlance. This means they are set to be untagged on the wire side and PVID (default VLAN ID) set to 30. Exactly the same as if one of the phones is connected to the very same port on the edge managed switch.

And make sure the IP PBX box is properly working with VLAN 30 as well. Either leave IP PBX box set in VLAN-unaware manner and configure port on switch the same way as for phones. Or configure IP PBX box to work on VLAN 30 and set switch port as trunk (tagged only) with VID 30 allowed in both directions (ingress and egress).
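An added worked example (not from the thread, nor from the tutorial mkx refers to) of the single-bridge layout recommended above: one bridge per device with vlan-filtering enabled, the uplinks as tagged-only trunks, the phone and wifi ports as access ports (untagged on the wire, PVID set), and disable-running-check on the wireless interface as mkx suggests. VLAN IDs 30 (main, phones) and 40 (guest) come from the thread; the management VLAN ID 99, the port assignments (sfp-sfpplus1 uplink, ether2 phone, ether3 to the AP, ether5 guest) and the interface names are assumptions for illustration. Unlike the posted config, no VLAN interface is attached to a physical port that is also a bridge port, so tagged frames cannot leak into the untagged network.

```routeros
# ---- Edge switch: one bridge, VLAN filtering on, no per-VLAN bridges ----
/interface bridge
add name=bridge1 vlan-filtering=no
# (filtering is switched on last, see the end of the block)

/interface bridge port
# Uplink to the router: trunk, tagged frames only, unknown VLANs dropped on ingress
add bridge=bridge1 interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Link to the AP: also a trunk (main, guest and management ride tagged)
add bridge=bridge1 interface=ether3 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Access port for the IP phones (and their unmanaged switch): untagged on the wire, PVID 30
add bridge=bridge1 interface=ether2 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Access port for a wired guest: untagged on the wire, PVID 40
add bridge=bridge1 interface=ether5 pvid=40 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# Which ports carry which VLAN, tagged vs untagged (egress side)
add bridge=bridge1 vlan-ids=30 tagged=sfp-sfpplus1,ether3 untagged=ether2
add bridge=bridge1 vlan-ids=40 tagged=sfp-sfpplus1,ether3 untagged=ether5
# Management VLAN (ID 99 assumed): the bridge itself is a tagged member so the
# switch's own IP is reachable only from that VLAN, never from guest or main
add bridge=bridge1 vlan-ids=99 tagged=bridge1,sfp-sfpplus1,ether3

/interface vlan
# Management address lives on a VLAN interface on the bridge, not on ether1
add interface=bridge1 name=vlan99-mgmt vlan-id=99
/ip dhcp-client
add interface=vlan99-mgmt

/interface bridge
# Enable filtering only once the trunk and management VLAN are in place
# (use Safe Mode on a remote device so a mistake does not lock you out)
set bridge1 vlan-filtering=yes

# ---- "Dumb" AP: same pattern, wifi is an access port of the guest VLAN ----
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge1 interface=wifi1 pvid=40 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=bridge1 vlan-ids=40 tagged=ether1 untagged=wifi1
add bridge=bridge1 vlan-ids=99 tagged=bridge1,ether1
/interface vlan
add interface=bridge1 name=vlan99-mgmt vlan-id=99
/ip dhcp-client
add interface=vlan99-mgmt
/interface wifi
# Keep the bridge port "running" with no stations, so RSTP does not re-run
# loop detection (and block traffic) when the first client associates
set wifi1 disable-running-check=yes
/interface bridge
set bridge1 vlan-filtering=yes
```

The phone port (ether2, PVID 30) is exactly the access-port arrangement described above: a VLAN-unaware phone or IP PBX plugs in untagged and the switch tags its frames with 30 on ingress and strips the tag on egress. If the IP PBX is instead configured to tag VLAN 30 itself, its port would be declared like the uplink (frame-types=admit-only-vlan-tagged, listed under tagged= for VLAN 30). Apply the same structure on the router, with its /interface vlan entries on the bridge and the DHCP servers bound to those VLAN interfaces rather than to separate bridges.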

All good, my setup is now 100% up and running and all my users are happy.

Thank you again @mkx for your help and advice