VLAN for Wireless SSID headache

Dear Community!

I'm currently struggling with VLANs in my lab (I am new to this) and I hope someone can point me in the right direction. I've read several posts on this topic and apparently can't figure out how it should work :(

Here's my current setup:

MT 2011 with ports 5 & 6 bridged, where ports SFP, 1, 2, 3, 4 are slaves to eth5 and 7, 8, 9 are slaves to eth6.
Eth10 (which is my WAN port) is set to "none" and has the internet modem attached to it.

A Win2012R2 DNS/DHCP/domain controller is set up and attached to eth3, which hands out DHCP for network 192.168.2.0/24 (works without problem). I do NOT want to use MikroTik's internal DHCP/DNS in this case.

An access point is attached to eth1 with a single SSID; it also works OK and gets an IP from DHCP.

Now I want to set up a second SSID for guest access, and that's where VLAN comes into play and the trouble starts:
What I'm trying to achieve is the following:

"Internal" clients should get an IP from the 192.168.2.0/24 network, have access to all resources, and be able to surf the net (which is what works).

Clients connected to the "guest" SSID should be directed to the MikroTik hotspot and be able to log in there with username/password.

I took the following steps so far:

I defined a second scope on the Windows DHCP server, 192.168.20.10 - 192.168.20.20, which should be the IP range for VLAN 20 (the guest network VLAN ID).

I defined a second SSID on the AP and set it to VLAN ID 20. Then I set the interface eth1, where the AP is connected, to "none" so that it's not part of the LAN bridge anymore (which of course breaks internet access).

Next, I added a VLAN interface to physical eth1, labelled it VLAN20 and set VLAN ID 20 for it.
Then I set up an address for the VLAN20 interface of 192.168.20.1/24.
I then defined a DHCP relay for the VLAN20 interface and pointed it to 192.168.2.10 (which is my Windows DHCP/DNS).

Now my questions:

*) Are my previous steps correct? How to move on from there?
*) I assume that I have to set up a firewall rule to pass traffic between the 192.168.2.0/24 and 192.168.20.0/24 networks?
*) What about the "untagged" traffic?

I am aware that I am seriously lacking some of the important basics here... could someone please assist?

Thanks and best regards

Andreas

I assume you haven’t set up the hotspot yet.

Have you tried connecting to the VirtualAP? Do stations get their IPs fine?

If so, the next step would be creating the hotspot over the VLAN20 interface. You have to add UDP ports 67 and 68 to the walled garden IP configuration as allowed, to let the DHCP traffic pass between hotspot-restricted connections and your DHCP relay - DHCP server.

Packets coming from VirtualAP registered stations should already come tagged (check that VLAN mode is "use service tag").

Hello pukkita!

Thanks for your reply!

You are right, I haven't set up a hotspot yet. Currently my test client gets a 169... address (it can't reach the DHCP although DHCP proxy is set up on VLAN 20); that's where I am stuck now. I will try your "walled garden" approach and report back!
"Service tag" is currently not checked (I couldn't find out what it should do).

Regards,

Andreas

Have a look at http://wiki.mikrotik.com/wiki/Manual:Interface/Wireless#VLAN_tagging

That will make all virtual AP connected clients' traffic come tagged, and be able to reach VLAN 20.

In case you aren't aware, you have a very helpful tool for troubleshooting already built in to ROS; check

Tools > Torch http://wiki.mikrotik.com/wiki/Manual:Troubleshooting_tools#Torch_.28.2Ftool_torch.29

and

Tools > Packet Sniffer http://wiki.mikrotik.com/wiki/Manual:Tools/Packet_Sniffer
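The configuration the thread circles around, written out as one RouterOS CLI example. This is an added example, not configuration posted by Andreas or pukkita: it covers the VLAN interface, address and DHCP relay from the first post, the hotspot and walled-garden entry from pukkita's first reply, the guest-to-internal firewall question, and the two troubleshooting tools from the last reply. Assumptions: the AP tags the guest SSID with 802.1Q VLAN 20 on ether1 and ether1 has master-port set to none (as in the first post), the Windows DHCP/DNS server is 192.168.2.10 and its guest scope hands out 192.168.20.1 as gateway and 192.168.2.10 as DNS; the names vlan20, guest-pool, guest-profile, guest-hotspot and the guest user are chosen here. What happens to the untagged internal-SSID frames on ether1 is not answered in the thread and is not answered by this example either.

```routeros
# Added example (not from the thread). Assumed: AP tags guest SSID as VLAN 20 on
# ether1, ether1 is master-port=none, Windows DHCP/DNS = 192.168.2.10.

# 1. VLAN interface on the physical port the AP hangs off
/interface vlan add name=vlan20 vlan-id=20 interface=ether1 comment="guest SSID"

# Only if the guest SSID were a virtual AP on the router's own wireless card
# (the "VirtualAP" case in the replies), the tagging would be done here instead;
# wlan1-guest is a hypothetical interface name:
# /interface wireless set wlan1-guest vlan-mode=use-tag vlan-id=20

# 2. Router address on the guest VLAN (gateway of the Windows guest scope)
/ip address add address=192.168.20.1/24 interface=vlan20

# 3. Relay guest DHCP to the Windows server instead of the built-in server.
#    local-address must be the router's address on vlan20: it is sent as giaddr,
#    which is what makes the Windows server answer from the 192.168.20.x scope.
/ip dhcp-relay add name=relay-vlan20 interface=vlan20 dhcp-server=192.168.2.10 \
    local-address=192.168.20.1 disabled=no

# 4. Hotspot bound to the VLAN interface. The pool is only used for the hotspot's
#    address rewriting of misconfigured clients; real leases come via the relay.
/ip pool add name=guest-pool ranges=192.168.20.10-192.168.20.20
/ip hotspot profile add name=guest-profile hotspot-address=192.168.20.1 login-by=http-chap
/ip hotspot add name=guest-hotspot interface=vlan20 address-pool=guest-pool \
    profile=guest-profile disabled=no
/ip hotspot user add name=guest password=ChangeMe server=guest-hotspot

# 5. Walled garden: let not-yet-logged-in clients reach the DHCP server behind the
#    relay (UDP 67/68, as pukkita suggested) and its DNS, so the login redirect works.
/ip hotspot walled-garden ip add action=accept protocol=udp dst-port=67-68 \
    dst-address=192.168.2.10 server=guest-hotspot comment="DHCP via relay"
/ip hotspot walled-garden ip add action=accept protocol=udp dst-port=53 \
    dst-address=192.168.2.10 server=guest-hotspot comment="DNS"

# 6. Guest isolation. The hotspot only gates the login; once logged in a guest can
#    still route into 192.168.2.0/24 unless the forward chain stops it. Allow only
#    DNS and DHCP renewals (clients unicast renewals straight to the server) to the
#    Windows box, drop the rest of guest -> internal. Guest -> WAN is untouched.
/ip firewall filter add chain=forward src-address=192.168.20.0/24 \
    dst-address=192.168.2.10 protocol=udp dst-port=53,67 action=accept \
    comment="guest: DNS + DHCP renew to server only"
/ip firewall filter add chain=forward src-address=192.168.20.0/24 \
    dst-address=192.168.2.10 protocol=tcp dst-port=53 action=accept \
    comment="guest: DNS over TCP to server only"
/ip firewall filter add chain=forward src-address=192.168.20.0/24 \
    dst-address=192.168.2.0/24 action=drop comment="guest: no access to internal LAN"

# 7. Verification with the tools from the last reply. Torch on vlan20 should show
#    the guest's DHCP and DNS flows; the sniffer on ether1 shows whether frames from
#    the guest SSID arrive tagged at all (only untagged frames means the AP side is
#    wrong, not the router side).
/tool torch interface=vlan20
/tool sniffer quick interface=ether1
```

The order of the three forward rules matters: the two accepts must sit above the drop, and all three above any general "accept established/related" rule only if that rule would otherwise let guest connections into the LAN. If the Windows guest scope hands out a different DNS server, the DNS lines in steps 5 and 6 should point at that server instead.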