VLAN between Non-wireless router w/ WAP

simsrw73 · November 13, 2021, 12:04am

I’m lacking the correct terminology to find documentation/tutorials that I need. I have a non-wireless router (hEX S) and two wireless APs (Audience & wAP). I’ve played around with them a ton and learned a lot about basic configuration & security. Now I’m trying to learn about VLANs to add guest vlan and a separate vlan for my IOT devices. All the tutorials and documentation that I’m finding on here, YouTube, Udemy, etc. show how to do this when the router is also a wireless AP. Could someone tell me what language I’m missing to find the right documentation? Point me towards docs/tutorials?

Another huge problem I’ve had overall is that a lot of the docs/how-tos/videos I find are great about showing the steps and maybe explaining some of the pieces but horrible about explaining the theory and concepts and big-picture of how all the steps fit together, etc. Is there a good reference, course, that will help me here?

Thanks.

anav · November 13, 2021, 3:39am

YEs, please read carefully this excellent guide on vlans and has examples for your setup as well.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

simsrw73 · November 19, 2021, 8:58pm

Thanks for the pointer, but I’m still not getting it. I’ve worked through training courses on Udemy, watched I-don’t-know-how-many videos on YouTube, poured through the docs and posted on other forums. I cannot figure this out. Or even figure out where it is I’m supposed to go to learn this. I’ve been through dozens of variations and different approaches and still cannot get my head around configuring VLANs. Up until this, I thought I was making great progress on learning MikroTik. Now I just feel stupid.

With all the variations I’ve tried, I’m not sure these are even in a sane state, but I would be grateful if someone would take a look at my configs and tell me where I’m failing.

hEX S (RB760iGS)
https://gist.github.com/simsrw73/0ca645becbe0a2605caa05ab7397153e

Audience (RBD25G-5HPacQD2HPnD)
https://gist.github.com/simsrw73/c719cc1b1e240ac585d88deff4a0e094

Extremely grateful for any pointers here.

Sob · November 19, 2021, 11:02pm

Vlans can be slightly confusing, because it’s both a way to have tagged packets (to carry multiple separate networks over same link) and a way to configure switch (or have switch-like behaviour using software bridge). If should help to understand which is which.

The first one is simple:

/interface vlan
add name=vlan10 vlan-id=10 interface=ether1
add name=vlan11 vlan-id=11 interface=ether1

It will give you two ethernet-like interfaces on top of ether1. You can connect e.g. managed switch and use it to connect devices to these two networks. Router should have IP addreses assigned to vlan10 and vlan11 to be able to communicate with devices in those networks.

Then there’s the ether one, when you want same vlans on multiple physical interfaces. For start, assume that router is going to behave only as L2 switch and won’t be communicating with devices in vlans. There will be uplink on ether1 with two tagged vlans and then one untagged port for each vlan. The config is still relatively simple:

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2 pvid=11
add bridge=bridge1 interface=ether3 pvid=12
/interface bridge vlan
add bridge=bridge1 vlan-ids=11 tagged=ether1 untagged=ether2
add bridge=bridge1 vlan-ids=12 tagged=ether1 untagged=ether3

For this, no “/interface vlan” is needed. Neither is bridge itself (bridge1) listed as tagged or untagged in “/interface bridge vlan”.

Often you want to combine both, and that’s where people get lost. But it’s still not difficult, just remember few things:

when router should participate in given vlan, it needs “/interface vlan” for it (*)
once you have bridge, you no longer work with individual physical interfaces included in bridge, so vlan interface should use interface=bridge1 (and not interface=etherX, as you have in one config)
because bridge itself now serves as switch port (sort of), for each such vlan interface you need tagged=bridge1 in “/interface bridge vlan” for given vlan id

(*) It’s not entirely true, which can cause extra confusion. If you need the router to be part of only one vlan, you can add IP address directly to bridge1 and add untagged=bridge1 in “/interface bridge vlan”. So you have two ways to get same result. Of course you can always add vlan interface anyway (on top of bridge1) and list it as tagged, and just forget about adding address directly to bridge1.

anav · November 20, 2021, 2:42am

Sob has been away for awhile so he is rusty and not usually prone to long complicated stories

The long and short of it is that a configuration will fall out naturally from a well thought out design.
Meaning, you need to articulate your use cases without any discussion of the config.
What singular individuals/devices and what groups of individual/devices will you be managing.
What do they need to do, and what should they not be able to do.
(Includes you as the admin, IOT devices, guest wifi, work PCs, kids are examples of different groups or individuals.)

Once you figure out the requirements, then the design, type how many vlans and their relationships (via firewalls will be clear).
Add to this a network diagram to see the physical components that make up your network will be the last bit of information before a design/config.

simsrw73 · November 20, 2021, 4:09pm

I am utterly confused and don’t know how to learn this stuff. I have worked as a professional programmer, fluent in over half a dozen programming languages. I’ve learned in a few weeks to build IOT devices with microcontrollers and design simple circuits. But I cannot find any solid docs or relevant tutorials to understand this. Well over two weeks trying to wrap my head around one topic: VLANs, and I’m stuck. I am not stupid. I am not unwilling to put in time to learn, but this is a mess. I don’t know where to turn if I can’t get help here. I want to learn this.

I have a router (hEX S). It’s attached to a switch (CRS112, soon to be replaced with at CRS328-24P), that I want to ignore for the moment, and a couple of APs (Audience & hAP AC) on eth4 & eth5. For the moment, while I learn, without bringing down the rest of my network, I want to add VLANs on the two APs, through the router, to give restricted guest access (VLAN101) and access to IoT devices (VLAN107) & Cameras (VLAN459).

I think I understand trunking, that eth4 & eth 5 on the router will be trunk ports to carry the VLANs, and eth2 on the APs, likewise. I think I understand that I should be using Bridge VLAN Filtering to do this. But then there seems to be a ton of ways to create VLANs and they are all mixed up in my head at this point. If I use Bridge VLAN filtering, how do I set up DHCP for each VLAN? Do I create a separate Bridge for each network? And how do I configure the APs to get the tagged virtual interface traffic back to the router?

mkx · November 20, 2021, 4:28pm

Did you read document linked by @anav in post #2 above? That document explains how VLANs are done in RouterOS in depth. Until you understand that document you probably won’t be able to configure whatever you want to have done … or at least you won’t understand why things are done in certain way.

Sob · November 20, 2021, 5:18pm

I’ll repeat myself, just understand that there’s two things, vlans as separate interfaces that create tagged packets, and bridge vlan filtering as a way to configure switch/bridge.

I personally like examples in manual (https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering), as they are short and obvious. First two:

VLAN Example #1 (Trunk and Access Ports)
VLAN Example #2 (Trunk and Hybrid Ports)

are just to configure switch/bridge, router doesn’t do any routing, and it doesn’t otherwise communicate with devices in those vlans. Then the third one:

VLAN Example #3 (InterVLAN Routing by Bridge)

is what you need. Compare it with #1 and #2 and you’ll find extra “/interface vlan” interfaces, which is what allows router to participate in those vlans, that’s where you attach addresses or dhcp server.

simsrw73 · November 20, 2021, 6:04pm

Yeah. Working though that again this morning borked my entire network. I can no longer access any of my equipment. Something similar happened on a previous attempt, but I got through, with RoMON, IIRC, but this time I’ve locked myself out of everything. In process of resetting…

anav · November 20, 2021, 6:54pm

Okay,
When you reset, the defaults should be there, access on ether2, wan defaults to ether1… all ports on the bridge except ether1
Not sure for your device but thats typical.

Before embarking on the bridge and vlans.

take the last port, ether8 for example.
Rename it. ether8-emerg under interface settings
Remove it from the bridge. (remove it from bridge ports)
Go to IP addresses and give ether8-emerg an IP address of 192.168.5.2 with network of 192.168.5.0
Go to interface list members and add
/interface list members
add interface=ether8-emerg list=LAN

NOW whenever you screw up the bridge or vlans, you wont need to reset, just set your latpop/pc with ipv4 ip address of 192.168.5 and attach via ethernet cable via ether8 and you will have access to the router via winbox. Or in fact you can do all your setup from here once done and not be affected by bridge noise…

Also hope you are using safe mode box available at the top of winbox.
It should be selected, after about 5 seconds, if there is no burp you can uncheck it to make an edit permanent, and then CHECK it again so it protects you from the next change if it burps.

anav · November 20, 2021, 6:56pm

Basically.
IF you want help, do the preliminary leg work of providing a nice network diagram
showing the ports and what they are connected too.

If you can differentiate the different groups of devices/users that you require to be on each port even better (you can have multiple users going over a single port as they will be travelling on different vlans)!!

simsrw73 · November 24, 2021, 7:32pm

I’m trying to get the most minimal configuration possible working. I just have PC, hEX S router & CRS113 switch, setting aside the Audience & wAP AC for now.

On the router & switch, I have default configuration (I can do this part manually and at least feel comfortable with basic configuration, but I’ve reset enough times that I’m just sticking with default.)

On the router, I disabled all firewall rules, added a new bridge and moved ether3 to it, made it a trunk port, and connected it to my switch.

# Just the changes; complete export below

/interface bridge
add name=bridge-trunks vlan-filtering=yes

/interface bridge port
add bridge=bridge-trunks interface=ether3

/interface bridge vlan
add bridge=bridge-trunks tagged=bridge-trunks,ether3 vlan-ids=99
add bridge=bridge-trunks tagged=bridge-trunks,ether3 vlan-ids=101
add bridge=bridge-trunks tagged=bridge-trunks,ether3 vlan-ids=107

/interface vlan
add interface=bridge-trunks name=vlan99-base vlan-id=99
add interface=bridge-trunks name=vlan101-guest vlan-id=101
add interface=bridge-trunks name=vlan107-iot vlan-id=107

/ip address
add address=192.168.99.1/24 interface=vlan99-base network=192.168.99.0
add address=192.168.101.1/24 interface=vlan101-guest network=192.168.101.0
add address=192.168.107.1/24 interface=vlan107-iot network=192.168.107.0

/ip pool
add name=pool-base ranges=192.168.99.2-192.168.99.254
add name=pool-guest ranges=192.168.101.2-192.168.101.254
add name=pool-iot ranges=192.168.107.2-192.168.107.254

/ip dhcp-server
add address-pool=pool-base disabled=no interface=vlan99-base name=dhcp-base
add address-pool=pool-guest disabled=no interface=vlan101-guest name=dhcp-guest
add address-pool=pool-iot disabled=no interface=vlan107-iot name=dhcp3-iot

/ip dhcp-server network
add address=192.168.99.0/24 dns-server=8.8.8.8 gateway=192.168.99.1
add address=192.168.101.0/24 dns-server=8.8.8.8 gateway=192.168.101.1
add address=192.168.107.0/24 dns-server=8.8.8.8 gateway=192.168.107.1

/ip neighbor discovery-settings
set discover-interface-list=all

/tool mac-server
set allowed-interface-list=all

On the switch, I added a new bridge and moved ether1 & 2 to it, made them trunk ports, and connected it to my router.

# Just the changes; complete export below

/interface bridge
add name=bridge-trunks vlan-filtering=yes

/interface vlan
add interface=bridge-trunks name=vlan99-base vlan-id=99
add interface=bridge-trunks name=vlan101-guest vlan-id=101
add interface=bridge-trunks name=vlan107-iot vlan-id=107

/interface bridge port
add bridge=bridge-trunks interface=ether1
add bridge=bridge-trunks interface=ether2

/interface bridge vlan
add bridge=bridge-trunks tagged=bridge-trunks,ether1,ether2 vlan-ids=99
add bridge=bridge-trunks tagged=bridge-trunks,ether1,ether2 vlan-ids=101
add bridge=bridge-trunks tagged=bridge-trunks,ether1,ether2 vlan-ids=107

/ip neighbor discovery-settings
set discover-interface-list=all

/tool mac-server
set allowed-interface-list=all

With my PC plugged in to the router, ether2, I can access the router, but loose connection to the switch when I enable bridge filtering. What am I doing wrong?

hEx S Complete
https://gist.github.com/simsrw73/0ca645becbe0a2605caa05ab7397153e
CRS112 Complete
https://gist.github.com/simsrw73/5b397883f831fa5ba690331a85f68a45

simsrw73 · November 24, 2021, 11:57pm

I’m sure it’s the management vlan stuff that’s blowing me up. I’ve read and reread all the posts here and the docs referred, but I’m still not getting my head around it. I very much appreciate all the help and I know it’s pointing me in the right direction, but not enough for me to wrap my head around it. Probably painfully obvious to everyone else, but I really need help. I can get some connection by moving ether2 over to the new bridge-trunks, but then a lot more gets broken. I’m just missing something very basic. I can’t even get a very minimal config working.

Sob · November 25, 2021, 12:25am

I don’t see how there’s connection to switch in the first place. You have three tagged vlans between router’s ether3 and switch’s ether1. Router is configured to access them, has dhcp server for each, that all looks fine. Switch has same tagged vlans on its ether1 and ether2, that’s fine too. But there’s nothing else (with IP address) in those vlans, neither switch or any other device.

Only IP address for switch can come from dhcp client on interface “bridge”, but that’s not connected anywhere. But if you add (as a test) three more dhcp clients to vlan99-base, vlan101-guest, vlan107-iot, they all should get correct IP address. If you’d want some other device connected to switch to get IP address from router’s dhcp server, you’d have to connect it to ether2, but device itself would need to use tagged packets (and regular devices don’t do that).

What you probably want is something like (on switch):

/interface bridge port
add bridge=bridge-trunks interface=ether1
add bridge=bridge-trunks interface=ether2 pvid=99
add bridge=bridge-trunks interface=ether3 pvid=101
add bridge=bridge-trunks interface=ether4 pvid=107
/interface bridge vlan
add bridge=bridge-trunks tagged=bridge-trunks,ether1 untagged=ether2 vlan-ids=99
add bridge=bridge-trunks tagged=bridge-trunks,ether1 untagged=ether3 vlan-ids=101
add bridge=bridge-trunks tagged=bridge-trunks,ether1 untagged=ether4 vlan-ids=107

Then device connected to ether2 will be in base vlan, ether3 in guest vlan, and ether4 in iot vlan.