I’ve recently switched to Mikrotik. I was under the impression that I was quite capable, but setting up VLANs (which I’ve never done before) on my Mikrotik Chateau has rid me of that notion.
The situation:
-Two devices (Chateau AX and cAP AX)
-3 SSIDs (2.4 and 5 GHz trusted, 2.4 GHz untrusted)
-2 networks/VLANs (one for trusted devices, one for untrusted devices)
Adding the cAP made it necessary to use VLANs. Because of my failure to properly set up my device I'm running a simple setup (not shown below) without VLANs and the untrusted SSID disabled/not provisioned to the cAP.
My main issue with the config is that DHCP isn't working. After this is fixed my next challenge will be to create a trunk interface.
Could someone check my config and tell me what I’m doing wrong with regards to DHCP and what other settings I’ve butchered/made less safe in my quite lengthy diagnostic process?
A really broken config was here. Removed it in order to prevent someone using it. Nothing to be learned from this, except to reboot more often
I’m using ether3 as a standalone with DHCP until the config is complete
You should not set PVID in wifi bridge ports since you've configured them to handle VLAN tags by wifi driver.
Also you should add wifi interfaces as tagged members of respective VLANs.
Bridge_Trusted interface doesn't have to be member of LAN interface list … rather all the VLAN interfaces have to be (interface list membership isn't "inherited" … and interfaces seen by ROS are the ones with IP address assigned or DHCP client bound).
Hmmm. I just restored the above config and almost nothing is working. Perhaps there's a lesson there for me to reboot the device more often. I'll start over and report back. Thanks for your advice. The PVID in the wifi bridge ports is mandatory btw. I hope that doesn't cause any problems.
PVID might be mandatory but it’s customary not to set it explicitly on trunk (tagged-only) bridge ports … and to set frame-types=allow-only-vlan-tagged on those ports. The end result is that PVID is set to default value of 1 and that setting is completely ignored by bridge as no untagged frames are allowed on ingress.
So I’ve been at it (getting the cAP to work) again for hours, with zero effect. I’ve reverted back to the working config below with CAPsMAN (and in effect the cAP AX) disabled.
What should I config with regards to ether5 and the WiFi settings to achieve the following situation:
3 SSIDs provisioned at the cAP AX, 2 trusted, 1 untrusted (this should be done).
The trusted networks at the cAP AX in vlan10, untrusted in vlan20 (just like the local SSIDs)
The rest of the config is working for my needs and I would rather not change it up if I don't have to at this point.
Why are you using the capax as a router?
All the router stuff should be done on the chateau and the capax as an ap/switch??
If this is the Chateau then… concur the simple approach works and should be the starting point…
Will stick to one trusted vlan and one untrusted vlan. Note all smart devices should get their IP address on the trusted vlan.
Don't need LAN and VLAN so got rid of VLAN but added TRUSTED to interface lists. Used to ensure only the admin can access devices for config purposes.
To that note we need a firewall address list to identify which devices on the trusted vlan, are the admins for better security.
Made it clear your OffBridge access, damn good idea as the best place to do the config!!
The main issue is your CONFIG is CONFUSED. You call vlan10 trusted but then assign it:
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=TrustedNetwork5 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=UnTrustedNetwork2.4 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=TrustedNetwork2.4 pvid=20
NOTE: This is a perfect example where experienced users have no clue in terms of what new users need. Sure the router dynamically creates untagging on bridge ports with a PVID, but it's far better when learning to manually insert the full set of /interface bridge vlan rules. A. it tells the reader the admin understands the process and B. it enables a cross-check between /interface bridge ports and /interface bridge vlans telling a consistent and coherent story.
In this case if the admin had manually inserted the full /interface bridge vlan config, the issues noted in /interface bridge ports would perhaps have been clearer!!
Disable IPv6 services if not required and if so then remove all noise of ipv6 address lists and firewall rules save:
/ipv6 filter
add chain=input action=drop
add chain=forward action=drop
++++++++++++++++++++++++++++++++++++++++++++++++
/interface ethernet
set [ find default-name=ether3 ] name=OffBridge3
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=TRUSTED
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10 disabled=yes comment="being used as off bridge configuring"
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=TrustedNetwork5 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=UnTrustedNetwork2.4 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=TrustedNetwork2.4 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
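Two points made in this thread lend themselves to an automated check: a tagged-only trunk port should carry frame-types=admit-only-vlan-tagged with its PVID ignored, and every untagged port's PVID should agree with a manually written /interface bridge vlan table. The script below is an added example, not from this thread or from MikroTik: it parses those two sections of a RouterOS export and reports the disagreements, using a constructed sample built from the PVIDs quoted above with ether5 assumed to be the trunk.

```python
import re
from collections import defaultdict

# Constructed sample export (not the thread's real config): the PVIDs quoted
# above plus a hand-written /interface bridge vlan table with ether5 as trunk.
SAMPLE_EXPORT = """/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=TrustedNetwork5 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=UnTrustedNetwork2.4 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=TrustedNetwork2.4 pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether2,TrustedNetwork5,TrustedNetwork2.4 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 untagged=UnTrustedNetwork2.4 vlan-ids=20
"""

def parse_export(text):
    """Return ({port-name: {key: value}}, [vlan-row dicts]) for the two sections."""
    ports, vlans, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line))
            if section == "/interface bridge port":
                ports[kv["interface"]] = kv
            elif section == "/interface bridge vlan":
                vlans.append(kv)
    return ports, vlans

def cross_check(text):
    """List every bridge port whose pvid/frame-types disagree with the vlan table."""
    ports, vlans = parse_export(text)
    untagged_in, tagged_in = defaultdict(set), defaultdict(set)
    for row in vlans:
        for vid in row["vlan-ids"].split(","):
            for key, index in (("untagged", untagged_in), ("tagged", tagged_in)):
                for p in filter(None, row.get(key, "").split(",")):
                    index[p].add(vid)
    findings = []
    for name, kv in ports.items():
        pvid = kv.get("pvid", "1")  # RouterOS default when PVID is not set
        if kv.get("frame-types") == "admit-only-vlan-tagged":  # trunk: PVID ignored
            if not tagged_in[name]:
                findings.append(f"{name}: tagged-only port is a tagged member of no VLAN")
        elif untagged_in[name] != {pvid}:
            findings.append(f"{name}: pvid={pvid} but untagged in {sorted(untagged_in[name]) or 'no VLAN'}")
    return findings
```

Run cross_check() over the output of /export on the router; on the sample it reports the two 2.4 GHz ports whose PVID contradicts the vlan table.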
Thanks for getting back to me again. All routing is done on the Chateau; the config is the Chateau config. I haven't done anything with the cAP except resetting it to CAP mode (which works in the VLAN-less backup config I have).
Edit: Thanks for your additional reply. You correctly identified a new mess I created by switching the master and slave WiFi SSIDs on 2.4 GHz. I fixed the config on that part; the rest will unfortunately have to wait till tomorrow.
Edit2:
I unexpectedly did have some time for this. Based on your feedback I
Removed the empty interface list LAN and renamed VLAN to LAN while I was there. I didn't add the TRUSTED interface list because I don't have any ethernet ports left and I want to keep this config as simple as possible. I understand that I'm taking a risk with this on multiple levels (e.g. less secure, higher chance to lock myself out).
[I didn't understand this feedback]
I fixed the issue before dinner (thanks, my wife was just complaining that the Sonos stopped working) and have also just added the full set of rules.
Might do so in the future. Thanks for pointing this out.
CAPAC, same concept using offbridge on etherport 2.
Also I always wire the capac on ether2 to a spot where I can at least plug in a laptop, could be a closet etc… emerg config when the capac is very hard to reach etc.
Where you set the cap address statically to 192.168.1.xx
…
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=OffBridge2
/interface wifi
{ AS REQUIRED }
/interface vlan
add comment="Management VLAN10" interface=bridge name=vlan-trusted vlan-id=10
/interface list
add name=TRUSTED
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 comment="trunk from chateau"
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=10 { example only }
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=20 { example only }
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=wifi1 vlan-ids=10
add bridge=bridge tagged=ether1 untagged=wifi2 vlan-ids=20
/interface list member
add interface=vlan-trusted list=TRUSTED
add interface=OffBridge2 list=TRUSTED
/ip address
add address=192.168.33.1/30 interface=OffBridge2 network=192.168.33.0
add address=192.168.1.XX interface=vlan-trusted network=192.168.1.0
/ip dns
set server=192.168.1.2
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
Do I understand correctly that your suggestion is to manually change the config of the CAP? I thought the whole point of CAPSMAN was not to do this. I guess I misunderstood? Will be back tomorrow to give this a more thorough read.
I don't use capsman because it's too difficult and a headache for me. I use what works.
Capsman is better if you do it successfully as it allows for better handoff between APs, I could care less in my own house.
This will get you setup and working, and then you can implement capsman and whatever else at your own leisure…
Thanks for your assistance! I have successfully implemented a 2 VLAN network with 3 SSIDs (2 trusted, 1 untrusted). I couldn't help myself and also tried to get CAPsMAN working, but that/I destroyed my config again. Like you said: this is working great. Thanks again!