VLAN filtering method with CAPsMAN

john4669 · October 29, 2021, 7:07pm

I have read this wonderful tutorial on Vlans http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

I have a MIkroTik Audience which out of the box manages it’s own WiFi radios locally with CAPsMAN. I would like to implement Vlans similar to the “Router-Switch-AP (all in one)” example. As the Audience only has one Ethernet port for the LAN side, I will make that a trunk port which will connect to a Cisco switch. Implementing the trunk port is easy enough but I don’t know for sure how to add the CAPsMAN managed wireless interfaces using this method. I saw some CAPsMAN discussion in that post but am still lost.

I know I could just eliminate CAPsMAN but I want to keep it in case I buy a second Audience to link. Any ideas would be appreciated.

edited

mkx · October 29, 2021, 8:18pm

First you have to configure VLANs properly on bridge. After that configure capsman datapath with vlan-id=XY vlan-mode=use-tag, you’ll need one datapath per SSID. In /capsman configuration then merge SSID with corresponding datapath.

The remaining thing is to match /capsman manager interface setting on capsman with /interface wireless cap discovery-interfaces on CAP devices (they have to use VLAN interfaces belonging to same VID).

john4669 · November 3, 2021, 8:09pm

For some reason I didn’t get the email notification that you replied to my question. Must have went to spam. Sorry about that!

Will definitely try your suggestions. In the meantime decided to try baby steps and have a “lab” setup with an old RB951G-2HnD from work since I really ticked off the family by constantly breaking the internet

I’m tryign to make sure I have the fundamentals correct before I tackle Capsman and am having a basic problem with wlans as access ports. It was discussed here http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 as to whether wlan interfaces should be set using:
1.) “vlan-mode=use-tag”, “vlan-id=something” or
2.) It should be handled by the bridge by setting “ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged”.

The consensus is that number 2 is correct but it doesn’t work for me, only method 1 does. The symptom is that no dhcp address is obtained. Here are the pertinent sections exported:

/interface bridge
add name=vlan_bridge protocol-mode=none 

/interface bridge vlan
add bridge=vlan_bridge tagged=vlan_bridge vlan-ids=10
add bridge=vlan_bridge tagged=vlan_bridge vlan-ids=20

/interface wireless
set [ find default-name=wlan1 ] antenna-gain=5 arp=reply-only band=2ghz-g/n \
    country="united states" default-forwarding=no disabled=no distance=\
    indoors frequency=2462 mode=ap-bridge ssid=EE_Dept station-roaming=\
    enabled wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=CE:2D:E0:5E:CF:A5 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan2 ssid=\
    EE_Guest wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
  
 /interface vlan
add comment=Trusted interface=vlan_bridge name=VLAN10 vlan-id=10
add comment=Guest interface=vlan_bridge name=VLAN20 vlan-id=20

/ip address
add address=172.16.1.99/16 interface=ether1 network=172.16.0.0
add address=10.40.10.1/24 comment=Trusted interface=VLAN10 network=10.40.10.0
add address=10.40.20.1/24 comment=Guest interface=VLAN20 network=10.40.20.0

/ip pool
add name=pool_vlan10 ranges=10.40.10.2-10.40.10.254
add name=pool_vlan20 ranges=10.40.20.2-10.40.20.254

/ip dhcp-server
add address-pool=pool_vlan10 disabled=no interface=VLAN10 name=dhcp_vlan10
add address-pool=pool_vlan20 disabled=no interface=VLAN20 name=dhcp_vlan20

/ip dhcp-server network
add address=10.40.10.0/24 gateway=10.40.10.1
add address=10.40.20.0/24 gateway=10.40.20.1

/interface bridge port
add bridge=vlan_bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether2 pvid=10
add bridge=vlan_bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether3 pvid=10
add bridge=vlan_bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether4 pvid=20
add bridge=vlan_bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=10
add bridge=vlan_bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2 pvid=20

mkx · November 3, 2021, 8:37pm

Bridge doesn’t do any VLAN related stuff (e.g. tagging/untagging) if vlan-filtering=yes is not set on vlan-bridge.

john4669 · November 3, 2021, 8:51pm

Wow… I had intentionally not yet set

vlan-filtering=yes

because I hadn’t set up the appropriate firewall rules. I didn’t fully understand the consequences. It works now. Thanks!

mkx · November 3, 2021, 9:02pm

vlan-filtering has nothing to do with firewall. vlan-filtering is L2 (ethernet/VLAN) while firewall is mostly L3 (IP).

john4669 · November 3, 2021, 9:20pm

Fair enough. I guess more precisely I didn’t have Vlan aware firewall rules in place

edited