VLAN considerations along with CapsMan

RouterOS General
1

Folks,
In case there are 3 devices:
1.) Main router
2.) CAP
3.) HAP (with wifi)

Both CAP and HAP are setup as CAP, and managed by CAPSMAN on Main router.
Moreover, HAP’s all eth ports are put into its local bridge.

In capsman, I have created multiple configurations, so now both CAP and HAP are broadcasting with 2 SSIDs on their 5GHz interface:
1.) Home
2.) Guest

In the main router, capsman added all wifi interfaces dynamically, but they don’t attached to the main router’s bridge directly (however as both CAP and HAP are connected onto the eth2 and eth3 ports of the main router respectively, their wifi interfaces become part of main router’s lan indirectly).

So now, I wished to segregate “Guest” wifi with separate VLAN:

  1. I added a “guest vlan” interface to the bridge in the main router (Is this good, or I should have created a virtual bridge with CAP’s and HAP’s eth ports?)
  2. In bridge’s properties “vlan filtering” is turned off, and no vlan associations has been made (although I could have selected caps-wifi interfaces it felt like a bad idea as they sometimes got provisioned and changes their names). (Am I right here?)
  3. In capsman I added a datapath with the bridge and the VLAN ID

I wish to emphasize, that my configuration works, and I have watched and read many videos and articles, manuals.

With VLANs, there are usually dozens of use-cases, so it’s rather hard to navigate yourself especially if you have a little bit more specific situation.

Questions:
1.) guest vlan interface to main bridge, OR create a new virtual bridge with only eth ports that contains caps? Isn’t it a general bad practice to add a vlan to the bridge if we know exactly that only 2 ports can be in that particular vlan?
2.) shall/can I avoid manual interface to bridge tagging (in bridge’s “VLANs” properties) in case I use datapath with capsman because it is doing that for me behind the curtains?
3.) Shall I use bridge’s “vlan filtering”?


Thank you!

2

Hi!

I would always go for VLANs in terms of network segmentation, as it is well-known, as safe as seperate bridges if configured properly and also quite faster in the most setups (hardware offloading is only available on one bridge at a time).

Not sure if I got this question right, but unless you are using MVRP you are required to configure the trunk-ports for switch up-/downlinks, because egress/ingress filtering can not work otherwise.

However when using new CAPsMAN with “old” Wi-Fi 5 ac devices (and the “new” wifi-qcom-ac" driver package), you have to make the VLAN configuration on the WiFi APs directly since configuration by CAPsMAN is not supported. In my opinion, this is absolutely disappointing if you want to use the new CAPsMAN with existing hardware. See: https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-Lostfeatures

Yes. There are some nasty sources of error when it comes to RouterOS and VLANs, but once you understand the principle, it’s actually quite simple.


If you run into problem during setup a config dump would be helpful…

3

What I wanted to ask here, if you would add a new "caps-bridge" bridge with only eth2 and eth3 (where my cap and hap are attached to) .. or just use the default bridge (that contains all ports) to add the VLAN?


That's not affecting me here, all devices are new AX devices (CAP AX and HAP AX2).

Thank you

4

Folks,

I’m trying to (correctly) setup VLANs with CapsMan.

L009 - Main router
Cap AX - Wifi AP

There is a Wifi config of “test”, for which I have added a new datapath and set to the configuration in capsman (VLAN of 20).
Also, I added a VLAN interface with id of 20, for bridge (in L009).
I have also added VLAN in bridge section: bridge=bridge, vlan-ids=20, tagged=bridge. (No untagged as of now - only wifi)
Obviously I have created a DHCP server too, and I assigned an IP for the VLAN.

Now, when I connect to wifi with my computer:
1.) it CAN connect
2.) it GOT IP from DHCP with correct values
3.) it can not ping anything from wan (result: general failure).

What should I do to allow WAN access for the newly created VLAN clients?

5

Can you share your configs? Both sides…

6

Sure:

This is for the main router (without Wifi, but managing Caps):

# 2024-08-19 22:23:00 by RouterOS 7.15.1
# software id = 3WEH-9T0S
#
# model = L009UiGS
# serial number = HG309G954BR
/interface bridge
add admin-mac=DD:EE:FF:AA:BB:CC auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface ethernet
set [ find default-name=ether7 ] comment="Mgmt port"
set [ find default-name=ether8 ] name=ether8_cap poe-out=forced-on
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=ether1_wan use-peer-dns=yes user=XXX
/interface vlan
add interface=bridge name="guest - vlan20" vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="contains wireless ap interfaces" name=WIFI
/interface wifi datapath
add bridge=bridge comment="VLAN20 - Guest" disabled=no name=default-guest vlan-id=20
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=default1
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=default2
/interface wifi configuration
add channel.band=2ghz-n disabled=no hide-ssid=no mode=ap name=default1-2.4 security=default1 ssid=MikroTik1
add channel.band=5ghz-ax disabled=no hide-ssid=no mode=ap name=default1-5 security=default1 ssid=MikroTik1
add channel.band=5ghz-ax datapath=default2 disabled=no hide-ssid=no mode=ap name=default2-5 security=default2 ssid=MikroTik2
/ip pool
add name=default1 ranges=192.168.1.100-192.168.1.199
add comment="Pool for Guests" name=default2 ranges=192.168.20.100-192.168.20.199
/ip dhcp-server
add address-pool=default1 interface=bridge lease-time=10m name=defconf
add address-pool=default2 interface="guest - vlan20" name=default2
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether8_cap internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=14336
/ipv6 settings
set max-neighbor-entries=7168
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_wan list=WAN
add interface=ether4 list=WIFI
add interface=ether8_cap list=WIFI
add interface="guest - vlan20" list=LAN
/interface wifi capsman
set enabled=yes package-path=/packages require-peer-certificate=no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=default1-5 slave-configurations=default2-5 supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=default1-2.4
/ip address
add address=192.168.1.1/24 comment="trusted devices" interface=bridge network=192.168.1.0
add address=192.168.20.1/24 comment="guest devices" interface="guest - vlan20" network=192.168.20.0
add address=10.0.0.1/24 comment="Mgmt access" interface=bridge network=10.0.0.0
add address=10.0.0.1 comment="Mgmt access" interface=ether7 network=10.0.0.1
/ip dhcp-client
add comment=defconf interface=ether1_wan
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow IPSEC/IKE2 connections" protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSEC/IKE2 connections" dst-port=500,4500 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system identity
set name=MikroTik-Main
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

This is one of the CAPs:

# 2024-08-19 22:19:40 by RouterOS 7.15.1
# software id = 7D73-3HZX
#
# model = cAPGi-5HaxD2HaxD
# serial number = HGA09QP3V9J
/interface bridge
add admin-mac=AA:BB:CC:DD:EE:FF auto-mac=no comment=defconf name=bridge
/interface wifi datapath
add bridge=bridge comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: MikroTik-1, channel: 5500/ax/Ceee
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp disabled=no
# managed by CAPsMAN
# mode: AP, SSID: MikroTik-1, channel: 2412/n/Ce
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp disabled=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
/interface wifi cap
set discovery-interfaces=bridge enabled=yes slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=bridge
/system identity
set name=MikroTik-CAP
/system note
set show-at-login=no

I really hope you’ll see some misconfiguration(s), because this thing starts driving me crazy. Users connected to MikroTik1 wlan can see:
-MikroTik (main) router’s admin via winbox
-LAN clients
-Web

User on MikroTik2 (guest) got VLAN20, and can see:
-MikroTik (main) router’s admin via winbox
-NO LAN clients (OK)
-NO WAN!! (PROBLEM)

Thank you!

7

So you are not using VLANs at all, you just created VLAN interface and that’s it. For VLANs to work properly, you need to use them for all traffic or not use them.

For the naming, don’t be too “creative”. Right now, you have 3 different things named same, just because you “couldn’t” stay with default names
default2
default2
default2
now guess what is what…

To the topic.. You will need two or three VLANs, it depends if you want to have network devices on different VLAN then users.

Let’s say that you will crete 3 VLANs, 10 for network infrastructure, 20 for users and 30 for guests.

On main router you need to create VLAN interfaces
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30

Then you need the pools
add name=pool10 ranges=192.168.10.100-192.168.10.199 (not needed if you will use static IP for CAPs and other network devices)
add name=pool20 ranges=192.168.20.100-192.168.20.199
add name=pool30 ranges=192.168.30.100-192.168.30.199

Then you need DHCP server binded to VLANs
add address-pool=pool10 interface=vlan10 lease-time=1d name=dhcp10 (..again, not need if static IPs are used)
add address-pool=pool20 interface=vlan20 lease-time=1d name=dhcp20
add address-pool=pool30 interface=vlan30 lease-time=8h name=dhcp30

Then bridge ports, you need to decide what ports will be used as trunk and what ports will be used as access. End devices like PCs need access ports, switches and CAPs need trunks.
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
(ether2 is used as trunk and ehter3 as access port for VLAN10)
(It’s wise to omit one port, f.e. ether7 so you will be able to connect over MAC if you fck up…)

Then bridge vlans, here you need to tag or untag the VLANs.
add bridge=bridge tagged=bridge,ether2 untagged=ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 vlan-ids=20
add bridge=bridge tagged=bridge,ether2 vlan-ids=30
(again ether2 is trunk, so it’s tagged on all VLANs, ether3 is access port for vlan10 so it’s untagged for VLAN 10)

Do not forget about IPs
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0

…and interface list members
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan30 list=LAN


and then for CAPs you need to create VLAN interface so you can bind the IP of the device to it
add interface=bridge name=vlan10 vlan-id=10

enable DHCP client (if you have DHCP server for VLAN 10)
add interface=vlan10

and again bridge ports
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
(ether1 is trunk and connects to main router, ehter2 access port)

and bridge vlans
add bridge=bridge tagged=bridge,ether1 untagged=ether2 vlan-ids=10
add bridge=bridge tagged=ether1 vlan-ids=20
add bridge=bridge tagged=ether1 vlan-ids=30


…and after all this, you need to enable vlan-filtering on the bridges, otherwise it wont be used

8

Thanks a ton!

Will definitely try these later today.
I kindof like to idea to have a dedicated subnet and VLAN for CAPs and other network devices. But in this case I’m gonna lose the ability to manage it from my computer (which will be communicating via a different VLAN)?

How are these network devices usually managed?
1.) Via a separated PC running in the same VLAN10? Or
2.) Temporary PC plugged into a non-VLAN port?
3.) Temporary firewall rule allowing it to be managed from other VLANs?

Thank you!

9

You will not lose anything… So don’t worry about it… By default traffic is forwarded between VLANs and you have to deny it if you want with firewall rules…

10

One disadvantage of this config, @neki, is that you have to manually adjust the CAPs (as they expect to be able to reach the CAPsMAN untagged by default).
As far as I know, you can’t enable bridge VLAN filtering on ax devices. Only on ac devices, using the wifi-qcom-ac driver, this is supported.

11

I run network with AX cAPs and vlan filtering works flawlessly, but yes, you have to adjust settings of the CAPs…

Anyway, what would you suggest?

12

By using hybrid ports to the CAPs, one can leave them in defaults CAPS Mode. Only identity can be adjusted (if wanted).

13

Folks, I really appreciate your help.

As I’m rather beginner in VLANs, I first wish to dedicate an interface (ether7) for management (in case anything bad happens):

I used this link: https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-UntaggedaccesswithVLANfiltering

Management access configuration / Untagged access with VLAN filtering:

/interface vlan
add interface=bridge name=MGMT vlan-id=10
/ip address
add address=10.0.0.1/24 interface=MGMT
/interface bridge port
set [find interface=ether7] pvid=10
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether7 vlan-ids=10
/interface bridge set bridge vlan-filtering=yes

Now, I plug my computer to ether7, and it acquires IP from the default DHCP server (as ether7 is actually part of the bridge and I still have DHCP on the bridge).

Q1: Is it desired to use my “main” bridge here with MGMT vlan config? Or shall I create a completely separated bridge for ether7 to be used as mgmt port?
Q2: My desire is to set my computer manually an IP of 10.0.0.X, and let it login with winbox via 10.0.0.1 (on ether7 as vlan10), how can I achieve this? I tried to allow input access for ether7 (fails, as it’s a slave interface of the bridge), also tried to allow input for MGMT (vlan interface), but it’s not working, I can’t login with winbox.

How am I supposed to use this mgmt interface in case I won’t get IP from the DHCP when some problem arises in my config?

Thank you!

14

One bridge per device…

Did you add MGMT to LAN interface list? If not, you are probably blocked by firewall…

add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
15

My “accept” rule was preceeding this drop rule on input chain. But now I got rid of bridged eth7, so now eth7 is not part of the bridge. MAC telnet and even MAC Winbox works perfectly on eth7 (without any IP assignment).

16

Folks, there was a tiny but important step here which we all missed, and which caused my computer not reaching the WAN:

It didn’t acquired default gateway from the TIK! In DHCP I forgot to add networks for the DHCP servers. That’s an important detail, without that, networking won’t work.

17

One more question: when I turn on “bridge vlan filtering”, shall I set PVID to 10, or I can leave it on 1, and shall I set “Frame types” to “admit only VLAN tagged”?

My bet:
“admit only VLAN tagged” on CAPs, and “admit all” on Main router (as it has access ports with end-devices).

Can you please confirm?

18

Base article to truly understand my answer that follows: http://forum.mikrotik.com/t/routeros-bridge-mysteries-explained/147832/1

Setting of properties pvid and frame-types are settings for the router-facing port of the switch.

19

I validated this one, and agree with it 100%. Once I change "admit all" to "only tagged" on the trunk port of CAP AX, it drops all wifi interfaces, and marks with red that it's not accessing the CapsMan.

20

Literally, 1min after writing this question, I found the article you’ve linked, but wished to keep it here as this might be useful for others.

Thank you!