Vlan configuration issue

Good morning,
I am running into a very weird problem. I have set up my MikroTik router with 2 VLANs and I am using port 2 to send the VLANs to another building through an Ethernet cable. In that building there is an unmanaged switch that distributes to 2 levels. On each of these levels I have a TP-Link multi-SSID AP (which handles VLANs)… Please see the picture attached.
When I configure the multi-SSID AP with VLAN 10 and VLAN 100 and connect to VLAN 100 wirelessly, everything works fine except that I don't see the IoT devices connected to the unmanaged switch (NAS). If, in the TP-Link multi-SSID AP, I replace the VLAN number 100 by VLAN 1, I still get the same IP address and then I can see the NAS, printer, etc.
For wired clients plugged into the managed switch, like my PC, everything works fine too, and it can ping the NAS as well.
Here is my config; could you please have a look and tell me what I am doing wrong.
Many thanks
Image link: https://domaineschefchaouni.synology.me:5001/d/s/nnVs746pQeZ0OeLrG1jGpKKHUm7TqvLv/hwoXCx7ePtCAx-PbvAdXkL392ZDB0tIz-cr7gsFX8Wgk




# --- Addressing ---
# One DHCP pool per subnet: BASE_POOL and GUEST_POOL serve the two VLANs,
# dhcp_pool2 is the default-configuration pool for the untagged bridge network.
/ip pool
add name=BASE_POOL ranges=192.168.0.100-192.168.0.254
add name=GUEST_POOL ranges=192.168.10.100-192.168.10.254
add name=dhcp_pool2 ranges=192.168.88.2-192.168.88.254
# DHCP servers bound to the VLAN interfaces (BASE_VLAN, GUEST_VLAN) and to the
# bridge itself (BR1, the untagged/defconf network). The "/interface vlan"
# definitions that create BASE_VLAN and GUEST_VLAN are not part of this export.
/ip dhcp-server
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
add address-pool=dhcp_pool2 disabled=no interface=BR1 name=defconf
# Bandwidth cap for the guest VLAN (max-limit is upload/download, so 2M up,
# 4M down). Note that fasttracked connections bypass simple queues.
/queue simple
add max-limit=2M/4M name=Queue_GUESTVLAN target=GUEST_VLAN

# --- Bridge ports (the "/interface bridge port" header and the bridge's
# vlan-filtering setting are not in the export shown) ---
# ether2, ether3 and ether5 all get pvid=100, so untagged frames arriving on
# them are placed in VLAN 100. ether4 keeps the default pvid (1), i.e. the
# untagged 192.168.88.0/24 defconf network on BR1.
add bridge=BR1 ingress-filtering=yes interface=ether2 pvid=100
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=100
add bridge=BR1 interface=ether4
add bridge=BR1 ingress-filtering=yes interface=ether5 pvid=100
# NOTE(review): "!dynamic" enables neighbor discovery (MNDP/LLDP/CDP) on every
# static interface, which includes the WAN-side PPPoE-IAM, lte1 and ether1.
# The default configuration restricts this to the LAN list; consider
# discover-interface-list=LAN so the router does not announce itself upstream.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# VLAN table. VLAN 100 lists only BR1 as tagged; ether2/3/5 are untagged
# members of it implicitly through their pvid. VLAN 10 is ALSO sent untagged
# on ether5 and ether2, so both VLANs leave ether2 without a tag and an AP
# expecting a tagged VLAN on ether2 cannot tell them apart (this is the
# behaviour described in the replies below). For the AP to map an SSID to
# VLAN 10, ether2 has to be a *tagged* member of VLAN 10.
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=100
add bridge=BR1 tagged=BR1 untagged=ether5,ether2 vlan-ids=10
# Interface lists used by the firewall: LAN = the bridge (untagged network),
# WAN = the PPPoE and LTE uplinks, VLAN = both VLAN interfaces, BASE = the
# base VLAN only. ether1 runs a DHCP client (below) but is in no list, so the
# firewall treats it as neither LAN nor WAN.
/interface list member
add interface=BR1 list=LAN
add interface=PPPoE-IAM list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=GUEST_VLAN list=VLAN
add interface=lte1 list=WAN
# Router addresses: one per VLAN plus the defconf address on the bridge.
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=192.168.10.1/24 interface=GUEST_VLAN network=192.168.10.0
add address=192.168.88.1/24 comment=defconf interface=BR1 network=\
    192.168.88.0
# IP Cloud DDNS; the resulting name is what the MyWANIP address list in the
# firewall section resolves. use-local-address makes the DDNS record use the
# address configured on the router's uplink rather than the one seen from
# outside — presumably intended for the PPPoE address; verify on the LTE path.
/ip cloud
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
# DHCP client on ether1 (not a member of the WAN list, see above).
/ip dhcp-client
add interface=ether1

# DHCP options per subnet. Guest clients are handed 192.168.0.1 (the base-VLAN
# address of the router) as DNS server; that works only because the input
# chain accepts everything from the VLAN interface list regardless of the
# destination address. Handing out 192.168.10.1 instead would keep guest DNS
# on the guest side.
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=192.168.0.1 gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# The router answers DNS for its clients (allow-remote-requests). It is not an
# open resolver only because the input chain drops everything not coming from
# the VLAN/LAN lists.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
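# --- Firewall ---
# The router's own public address, resolved from the IP Cloud DDNS name. Not
# referenced by any rule in this export; it is the usual anchor for
# hairpin-safe port forwards (dst-address-list=MyWANIP on the dst-nat rules).
/ip firewall address-list
add address=e1f10fac4c39.sn.mynetname.net list=MyWANIP
/ip firewall filter
# Input chain: traffic addressed to the router itself.
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
# BASE_VLAN is already in the VLAN list, so this rule never sees a packet the
# "Allow VLAN" rule has not already accepted.
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
# Catch-all drop: WAN, ether1 and anything else not in the VLAN/LAN lists end
# here. This also makes the "defconf" input rules further down unreachable.
add action=drop chain=input comment=Drop
# Forward chain: traffic routed through the router.
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="LAN Internet Access" \
    connection-state=new in-interface-list=LAN out-interface-list=WAN
# Guest isolation: only base -> guest is allowed as a new connection;
# guest -> base falls through to the final drop.
add action=accept chain=forward comment="Base VLAN Access to Guest VLAN" \
    in-interface=BASE_VLAN out-interface=GUEST_VLAN
# Port forwards. The dst-nat rules below match any local address except
# 192.168.0.1, so a GUEST_VLAN client connecting to 192.168.10.1 (or to the
# public address) on a forwarded port is redirected to the NAS at
# 192.168.0.10. An unrestricted "connection-nat-state=dstnat" accept then lets
# that connection through and bypasses the guest isolation above. Accept
# dst-natted connections only when they arrive from the WAN list, plus the
# hairpin case from BASE_VLAN (covered by the srcnat "hairpin nat" rule).
# ether1 is in no interface list; add it to WAN if it is an uplink.
add action=accept chain=forward comment="Allow forwarded ports from WAN" \
    connection-nat-state=dstnat in-interface-list=WAN
add action=accept chain=forward comment="Allow hairpin to forwarded ports" \
    connection-nat-state=dstnat in-interface=BASE_VLAN
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Default-configuration rules left in place. The input rules below sit after
# the catch-all "Drop" above and are never reached; the forward rules are
# reachable only for what the rules above did not already decide.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# fasttrack is placed after the forward "Allow Estab & Related" accept, so
# established traffic is accepted before it can be fasttracked and this rule
# never matches. Moving it up would also let fasttracked guest traffic skip
# the GUEST_VLAN simple queue, so it is deliberately left where it is.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Final default-deny for everything the forward chain did not accept.
add action=drop chain=forward comment=Drop
/ip firewall nat
# Source NAT for both uplinks.
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
# Hairpin: base-VLAN clients reaching the NAS through the public address get
# the router as source so the NAS replies back through the router.
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=\
    !192.168.0.1 src-address=192.168.0.0/24
# Port forwards to the NAS (192.168.0.10; presumably the Synology, given
# 5000/5001). "dst-address-type=local" matches every address the router owns
# on every interface, which is why the forward chain above restricts the
# accepting interfaces; a tighter match here is dst-address-list=MyWANIP.
# Every one of these ports is reachable from the Internet.
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=5000 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=80 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=5006 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=6690 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=5001 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=9025-9040 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=443 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=16881 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=32400 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=1194 protocol=udp to-addresses=192.168.0.10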

You should be using a managed switch in the other building…

Well… thank you for your reply, which is the natural one, but costly, as we have unmanaged switches that do work fine. I would just like to understand why I have to enter VLAN 1 in the AP instead of 100 in order to be able to ping the VLAN 100 devices plugged into the unmanaged switches.

The config you're showing is trimmed… as things are often broken by some unexpected setting, it is fair to the people willing to help to publish the complete setup, not only the part you think is important…


The quoted part says that the router strips VLAN tags on egress for both VLAN ID 10 and 100 (the latter is an implicit untagged member of that VLAN through the port's pvid, even though it is not listed in the VLAN section shown above), and adds a VLAN tag with VID 100 to untagged frames on ingress.

So if you configure the AP to use tagged VLAN 100, it won't accept frames from the router, since they will be untagged. And many vendors (including MikroTik with the default setup) use VLAN ID 1 as a placeholder for untagged…

If you struggle (it seems you do) with VLAN setup, then study this tutorial.

BTW, using dumb switches isn't really breaking your LAN, but it doesn't help either.

Thank you very much for your reply.
Are you basically saying that there is nothing wrong with this configuration and I just have to use VLAN 1 in my AP configuration if I want to tag the VLAN 100 coming from the MikroTik?

Thanks

Hmm, okay, let's ignore the unmanaged switch then and assume it is FULLY capable of passing VLAN tags. I would never assume this, which is why I don't advise using an unmanaged switch.
However, if you are going to send both VLANs to the switch, then don't send them untagged. SEND THEM TAGGED, and hopefully the APs will also receive them and handle them appropriately.
If the unmanaged switch cannot handle VLAN tags, then you are stuck with a single subnet in that other building.

EXAMPLE…
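/interface bridge port
# Trunk towards the other building: accept only tagged frames on ether2.
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether2
# Access ports: untagged frames on ether3/ether5 are placed in VLAN 100.
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=100

/interface bridge vlan
# VLAN 100: tagged towards the CPU (BR1) and the trunk (ether2), untagged on
# the access ports. "tagged=" and "untagged=" are two separate parameters;
# joining them with a comma (tagged=BR1,ether2,untagged=...) is not valid
# RouterOS syntax.
add bridge=BR1 tagged=BR1,ether2 untagged=ether3,ether5 vlan-ids=100
# VLAN 10: tagged only, towards the CPU and the trunk.
add bridge=BR1 tagged=BR1,ether2 vlan-ids=10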

No! The OP has untagged devices attached to the unmanaged switch; the main network should remain untagged on the connection from the MikroTik to the switch.

While piggybacking a tagged network on top of this setup is not ideal, as all the regular attached devices will also receive the VLAN-encapsulated frames, it will usually work, since most unmanaged switches pass all Ethertypes, including 802.1Q VLAN.

The AP should connect its main SSID to untagged traffic and the secondary SSID to the tagged traffic with the appropriate VLAN ID.

Okay understood!

ONLY ONE untagged subnet can be sent from the MikroTik device on a given port.
So what you are saying is that ether2 is a hybrid port and VLAN 100 is the one that the other devices on the switch need access to…

EXAMPLE…
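/interface bridge port
# ether2 is a hybrid port: pvid=100 puts the untagged frames from the other
# building into VLAN 100, while tagged VLAN 10 frames pass through as well.
# The bridge-port parameter is "interface=", not "in-interface=" (that is a
# firewall matcher and is rejected here).
add bridge=BR1 interface=ether2 pvid=100
# Pure access ports for VLAN 100: only untagged/priority-tagged frames in.
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=100

/interface bridge vlan
# VLAN 100 leaves ether2/ether3/ether5 untagged and reaches the CPU tagged.
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether5 vlan-ids=100
# VLAN 10 is tagged on the trunk only; behind ether2 only VLAN-aware devices
# (the AP's second SSID) will see it.
add bridge=BR1 tagged=BR1,ether2 vlan-ids=10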

The last config snippet by @404Network makes sense.

Hi guys,
I have changed the config a bit, as suggested. Every device that connects to one of the SSIDs gets its IP and access to the Internet as it should, but you can only access the NAS if you put VLAN 1 instead of 100 in the AP's VLAN configuration. Any thoughts on why it behaves like that?

Thanks a lot

Two scenarios.
A. The NAS is VLAN-capable, in which case it should be able to read the tagged VLAN traffic.

B. More likely it is not a VLAN-aware device and thus will ONLY be able to see the untagged subnet, which is the one associated with VLAN 100.

C. The only devices that will be able to read VLAN 10 are VLAN-aware devices attached to the unmanaged switch.

D. Where the heck is VLAN 1 coming from???

Hi Anav thank you for your help but:

  1. The NAS gets the correct IP address on VLAN 100 and connects to the Internet, and everything works great. It is the wirelessly connected devices on the AP that do not see it.
  2. Wirelessly connected devices (phones, laptops, etc.) get the correct subnet according to the SSID they connect to, no worries.
  3. VLAN 1 on the MikroTik is normally the one attached to BR1, but bizarrely, when used in the AP it points to VLAN 100. When we use VLAN 100 in the AP config, we get a .0.x address but we don't see the NAS. When we use VLAN 1 in the AP config, we still get a .0.x address but we do see the NAS.
    I am lost
    Thanks

Of course, you are setting up the access point incorrectly.
Once past the MT, there is no VLAN 100; it is a basic flat (untagged) subnet, and hiding in that traffic is also VLAN 10, which only VLAN-aware devices will see and can make use of.
So don't declare VLAN 100 on the access point; it doesn't exist outside the MikroTik.

Start with that untagged subnet for the associated WLAN, and then add VLAN 10 afterwards and attach it to the required WLAN…

Thank you, so I have used 1 as the VLAN for the "MikroTik VLAN 100" in the AP configuration, and it seems to see the rest of the network now.
Regarding the ether2 and ether3 ports, they default to a .0.x address as per the config, but when I attach an AP to one of these ports, it happens that some applications have trouble running (but most work). Is it related to untagged vs. tagged traffic?
Example: if I connect to the AP with my phone on VLAN 1 (.0.x address), everything works except, let's say, one application that communicates with the outside world (like a remote surveillance site). But if I connect to VLAN 10 on that AP, the same application works. As VLAN 10 traffic is tagged, I suspect this is causing the problem, but I am just wondering.

Here is the config:

/interface bridge port
# ether2: hybrid port to the other building — untagged frames land in VLAN 100
# (pvid), VLAN 10 arrives tagged (see the VLAN table below).
add bridge=BR1 ingress-filtering=yes interface=ether2 pvid=100
# ether3: VLAN 100 access port.
add bridge=BR1 ingress-filtering=yes interface=ether3 pvid=100
# ether4: default pvid (1), i.e. the untagged 192.168.88.0/24 defconf network.
add bridge=BR1 interface=ether4
# ether5: pvid=100, but below it is listed as a *tagged* member of VLAN 100.
# Untagged frames from a device on ether5 are accepted into VLAN 100, while
# VLAN 100 frames towards that device leave tagged — asymmetric for any
# non-VLAN-aware device. NOTE(review): confirm whether the device on ether5
# expects tagged 100; otherwise move ether5 to untagged= for VLAN 100.
add bridge=BR1 ingress-filtering=yes interface=ether5 pvid=100
# NOTE(review): "!dynamic" also enables neighbor discovery on the WAN-side
# interfaces (PPPoE-IAM, lte1, ether1); the default configuration uses the LAN
# list here.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
# VLAN 100: tagged to the CPU and ether5, untagged on ether2 and ether3.
add bridge=BR1 tagged=BR1,ether5 untagged=ether2,ether3 vlan-ids=100
# VLAN 10: tagged only, on the trunk ports ether2 and ether5.
add bridge=BR1 tagged=BR1,ether2,ether5 vlan-ids=10
# The "/interface vlan" entries that create BASE_VLAN and GUEST_VLAN on BR1,
# and the bridge's vlan-filtering setting, are not part of this paste.
/interface list member
add interface=BR1 list=LAN
add interface=PPPoE-IAM list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=GUEST_VLAN list=VLAN
add interface=lte1 list=WAN
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=192.168.10.1/24 interface=GUEST_VLAN network=192.168.10.0
add address=192.168.88.1/24 comment=defconf interface=BR1 network=\
    192.168.88.0

Change this
/interface bridge port
add bridge=BR1 ingress-filtering=yes interface=ether2 pvid=100
to this
/interface bridge port
# NOTE(review): dropping ingress-filtering relaxes the VLAN-membership check on
# frames entering via ether2; only VLANs 100 (pvid) and 10 are in the table for
# this port anyway, so confirm it actually changes anything before keeping it.
add bridge=BR1 interface=ether2 pvid=100

It would help if you explained what the “some applications” are that “have trouble running”, and what the symptoms are. We are not mind readers.

My guess is that it is more likely to be an issue with a firewall (possibly on the device you are connecting to) that doesn’t want to talk to a device outside its subnet, or that there is some protocol that expects to be on the same broadcast domain (mDNS) etc.

But you haven’t posted a complete config. I see nowhere that you have /interface vlan add …

If you want help, make it as easy as possible for the people trying to help. That means providing a network diagram, complete export, and an example of the error messages you are getting.

Read these two threads:
NEW USER POSTING FOR ASSISTANCE
Getting the most out of this forum

Thank you very much Anav for your answer. Removing the ingress-filtering option apparently did not help. What I notice is that the issue happens on the ether3 APs (which are only on VLAN 100) and on the ether2 APs on VLAN 100 (on VLAN 10 it works).
Do you have an idea why ? MAny thanks

My guess is the unmanaged switch is not fully capable of transmitting vlan tags in such a way that this all works…
Other than that, please paste the latest config of the router and of the AP.

Unlikely. The OP states it is working with VLAN 10 which is tagged, but not with untagged traffic.

Have to see the configs in any case in their current state.