VLAN Issue

Hello all,

I am planning to move from an AVM Internet router to a MikroTik system. I have to ensure that the telephone function of the two AVM DECT stations will still work and is integrated into the MikroTik system. The DECT station cannot be integrated into the MikroTik DHCP addresses. It needs to get the IP address from the Internet router directly. Separate cabling would be an extreme effort, as the cabling already exists.

The plan is described in the attachment.

I do not understand how I can use a VLAN on ether2 of the main router as a separate input, which I can carry through the two other MikroTik CAP clients, so that at the last CAP client I get the connection and IP address at ether3.

I would be very happy for any helpful comment / hint.

Best regards Michael

So you are saying you have two cables coming into the Internet router and they will be used to insert into the MikroTik router?
OR
Are you saying that you will keep the Internet router and will have two cables coming from it to the MikroTik router?
OR
Are you saying that there will only be one cable coming from some modem that is just upstream of the Internet router, which will be coming into the MikroTik on one cable?
If it's the latter, do you know if the signals are coming over in VLANs (Internet VLAN XXX and telephone VLAN YYY) or perhaps just the telephone in VLAN YYY?

Yes, there will be two cables from the Internet router (which I will keep) to the MikroTik Main. One is for the "normal" Internet connection and the other one will use a separate address space, which should be tunnelled by a VLAN to MikroTik1 and MikroTik2 to the DECT telephone station.

So VLAN 20 is for the "normal" Internet, I assume? And the DHCP server for it would be the MikroTik?

Yes, VLAN 20 is for the normal communication and the DHCP server is the MikroTik. For the other, special subject I will use another VLAN ID and the DHCP server will be the Internet router.

Ok then, first you’ll create a bridge with all ethernet ports except ether1 in it (for the config I’ll assume all ports are ether1-5), then create a VLAN interface for VLAN 20 and configure IP addresses and DHCP settings for it. After that you’ll fill in the Bridge VLAN table and enable vlan-filtering. Overall, the config should look something like this:

/interface bridge add name=bridge1

/interface bridge port
add bridge=bridge1 interface=ether2 pvid=200
add bridge=bridge1 interface=ether3 pvid=20
add bridge=bridge1 interface=ether4 pvid=20
add bridge=bridge1 interface=ether5

/interface vlan add interface=bridge1 name=VLAN20 vlan-id=20

/ip address add address=170.205.42.1/24 interface=VLAN20 network=170.205.42.0

/ip pool add name=dhcp_pool ranges=170.205.42.2-170.205.42.254

/ip dhcp-server network add address=170.205.42.0/24 dns-server=170.205.42.1 gateway=170.205.42.1

/ip dhcp-server add name=dhcp_VLAN20 address-pool=dhcp_pool interface=VLAN20

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=20
add bridge=bridge1 tagged=ether5 vlan-ids=200

/interface bridge set bridge1 vlan-filtering=yes

A side question - why do you use a public IP (170.x.x.x) for LAN?

I would like to access some IPs from outside of my home network via certificates.

Cat is on the right track for sure (except he mixes up 175 with 170 on several lines of the config), and I agree: stick to private IPs within the router; there are ways to ensure external access to your LAN etc. without such drastic ideas.
That requirement is secondary and can be dealt with afterwards with an appropriate VPN selection and config.
I am a bit confused on the setup though.

Can we assume the Internet is coming in to the MK as a plain subnet on ether1 with no VLAN tags?
Can we assume the telephone is coming into the MK as a plain subnet on ether5 with no VLAN tags?

If the latter case (telephone) is correct, then it is a good idea to assign it a VLAN, move it through the various devices as a VLAN and then untag it when it needs to hit the DECT.
If the latter case is incorrect and it comes already tagged, then we simply carry it directly to the DECT etc.

So Option 1 - Both basic subnets, no tags.

/interface bridge add name=bridge1 vlan-filtering=yes
# set vlan-filtering=yes only after the rest of the config is done

/interface vlan add interface=bridge1 name=VLAN20 vlan-id=20
/interface vlan add interface=bridge1 name=VLAN200 vlan-id=200
# VLAN200 is created here as it does not exist yet

/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=200
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether5

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5 untagged=ether3,ether4 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether5 untagged=ether2 vlan-ids=200

/ip address add address=10.205.42.1/24 interface=VLAN20 network=10.205.42.0
/ip pool add name=dhcp_pool ranges=10.205.42.2-10.205.42.254
/ip dhcp-server add name=dhcp_VLAN20 address-pool=dhcp_pool interface=VLAN20
/ip dhcp-server network add address=10.205.42.0/24 dns-server=10.205.42.1 gateway=10.205.42.1

So Option 2 - Telephone already comes into the MT tagged.

/interface bridge add name=bridge1 vlan-filtering=yes
# set vlan-filtering=yes only after the rest of the config is done

/interface vlan add interface=bridge1 name=VLAN20 vlan-id=20

/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether5

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5 untagged=ether3,ether4 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether5,ether2 vlan-ids=200

/ip address add address=10.205.42.1/24 interface=VLAN20 network=10.205.42.0
/ip pool add name=dhcp_pool ranges=10.205.42.2-10.205.42.254
/ip dhcp-server add name=dhcp_VLAN20 address-pool=dhcp_pool interface=VLAN20
/ip dhcp-server network add address=10.205.42.0/24 dns-server=10.205.42.1 gateway=10.205.42.1

For option 1 I disagree that there is a need for a VLAN200 interface, because the VLAN should operate only on L2; no L3 is needed. That's why I omitted it from my config.

Understood; however, since the VLAN didn't exist yet (from source), I thought it was necessary??
Perhaps I am wrong, as your logic is also valid; will ask a friend…

Although it "doesn't exist from source", as you refer to it, it does get introduced by being set as vlan-id in /interface bridge vlan and/or as pvid in /interface bridge port, depending on the role of the port, and the VLAN tag begins being added/stripped after enabling vlan-filtering.

Yes, and if one thinks about a trunk port coming in with VLAN 20, it can then be untagged to a port, and no definition is required for the transfer of such traffic through the bridge.
What is being done here is the reverse, and thus your setup would seem to be the correct one; not required to define.

Cat is 100% correct: no need for a VLAN interface definition and no need to involve the bridge in tagging thusly.

/interface vlan add interface=bridge1 name=VLAN20 vlan-id=20

/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=200
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether5

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5 untagged=ether3,ether4 vlan-ids=20
add bridge=bridge1 tagged=ether5 untagged=ether2 vlan-ids=200
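The post above only configures the Main router. The matching configuration for the two CAPs in the original question (Mikrotik1 passes VLAN 20 and VLAN 200 through, Mikrotik2 strips the VLAN 200 tag towards the DECT station) is given below as an added example; it is not from the thread. Port roles are assumptions: on Mikrotik1, ether1 is the uplink to Main ether5 and ether2 the downlink to Mikrotik2; on Mikrotik2, ether1 is the uplink and ether3 faces the DECT station (as the question states); remaining Ethernet ports and wlan1/wlan2 are treated as access ports in VLAN 20. The defconf LAN interface list is assumed to exist. If the devices are managed by CAPsMAN, the wireless datapath is set there instead of the wlan bridge-port lines here. The security-relevant detail is that VLAN 200 has no VLAN interface and does not list the bridge itself as a member on any MikroTik, so none of the routers obtains an address from the Internet router's subnet and nothing is routed between that subnet and VLAN 20.

```routeros
# --- Mikrotik1: first CAP, passes VLAN 20 and VLAN 200 through ---
# assumed ports: ether1 uplink to Main ether5, ether2 downlink to Mikrotik2 ether1,
# ether3/ether4 and wlan1/wlan2 are access ports in VLAN 20
/interface bridge add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether3 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
add bridge=bridge1 interface=ether4 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
add bridge=bridge1 interface=wlan1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
add bridge=bridge1 interface=wlan2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1,ether2 untagged=ether3,ether4,wlan1,wlan2 vlan-ids=20
# VLAN 200 is trunk-to-trunk only: bridge1 is not a member, so this CAP never sees the DECT subnet at L3
add bridge=bridge1 tagged=ether1,ether2 vlan-ids=200
# management address comes from the Main router's VLAN 20 DHCP server; LAN list is the defconf one
/interface vlan add interface=bridge1 name=VLAN20 vlan-id=20
/ip dhcp-client add interface=VLAN20 disabled=no
/interface list member add interface=VLAN20 list=LAN
# last step, from Safe Mode, so a mistake in the tables above cannot lock you out
/interface bridge set bridge1 vlan-filtering=yes

# --- Mikrotik2: last CAP, DECT station on ether3 ---
# assumed ports: ether1 uplink to Mikrotik1 ether2, ether3 to the DECT station,
# ether4 and wlan1/wlan2 are access ports in VLAN 20
/interface bridge add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether3 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=200
add bridge=bridge1 interface=ether4 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
add bridge=bridge1 interface=wlan1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
add bridge=bridge1 interface=wlan2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=20
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether4,wlan1,wlan2 vlan-ids=20
# the tag is stripped on ether3: the DECT station sees the Internet router's subnet as if cabled directly
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=200
/interface vlan add interface=bridge1 name=VLAN20 vlan-id=20
/ip dhcp-client add interface=VLAN20 disabled=no
/interface list member add interface=VLAN20 list=LAN
/interface bridge set bridge1 vlan-filtering=yes
# checks on Mikrotik2 once the DECT station has booted:
#   /interface bridge host print where vid=200   -> the DECT station's MAC learned on ether3
#   /ip dhcp-client print                        -> VLAN20 bound to an address from the Main router
```

On every trunk port the frame-types=admit-only-vlan-tagged setting rejects untagged frames, so there is no native VLAN on the links between the routers; a device plugged into a trunk port by mistake gets no connectivity instead of landing in VLAN 20.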

Thank you very much for your support. Unfortunately I actually cannot access my MikroTik hAP ac2. I reset the router, but I cannot log in, neither with admin and no password nor with admin and my old password.

I tried the following things without success:

Using Reset Button
RouterBOARD devices are fitted with a reset button which has several functions:
• Loading the backup RouterBOOT loader
Hold this button before applying power, and release it after three seconds since powering, to load the backup boot loader. This might be necessary if the device is not operating because of a failed RouterBOOT upgrade. When you have started the device with the backup loader, you can either set RouterOS to force backup loader in the RouterBOARD settings or have a chance to reinstall the failed RouterBOOT from a “.fwf” file (total of 3 seconds)
• Resetting the RouterOS configuration
Hold this button until the LED light starts flashing, and release the button to reset RouterOS configuration to default.
• Enabling CAPs mode
To connect this device to a wireless network managed by CAPsMAN, keep holding the button for 5 more seconds, LED turns solid, release now to turn on CAPs mode. It is also possible to enable CAPs mode via the command line, to do so run the command “/system reset-configuration caps-mode=yes”;
• Starting the RouterBOARD in Netinstall mode
Or keep holding the button for 5 more seconds until the LED turns off, then release it to make the RouterBOARD look for Netinstall servers. You can also simply keep the button pressed until the device shows up in the Netinstall program on Windows.

Until I have solved this issue, I cannot test your suggestions.

Best regards

Michael

Newer models like the hAP ac² should have a random password by default, which is on the sticker that is on the box, hidden on the router.

Thank you very much. Your post solved an issue on which I had already spent 3 hours.

I still have issues and maybe I did not explain everything clearly enough.
MikroTik Main shall provide the Internet access via ether1 from the Internet router.
Therefore ether1 is a DHCP client of the Internet router. After this a firewall and NAT is put at the bridge (192.168.88.1/22).
From this pool all other MikroTik routers (CAP clients) shall get their IP addresses.
For the internal configuration/administration, VLAN20 with the address pool 170.205.42.254/24 should be used. All CAP clients (the following MikroTik routers) should receive their addresses via VLAN20.

Following your suggestions, the following happened:
I did a factory reset on all routers.
With the installation of VLAN200 via ether2 of the MikroTik Main, all clients receive their DHCP addresses from the Internet router. No cable client gets an address from the pool 192.168.88.0/22. I would like all clients of the network to get their addresses from the pool 192.168.88.0/22. Only the DECT station should receive its address from the address pool of the Internet router via VLAN200 (192.168.178.0/24). This address range shall only be used by MikroTik Main and the DECT station.

The VLAN20 function shall only be used to reach the other routers via an Ethernet port from the MikroTik Main.

When I enter "/ip dhcp-server add name=dhcp_VLAN20 address-pool=dhcp_pool1 interface=VLAN20"
I get the error message: "can not run on slave interface"

What is my mistake and the solution?

No ideas unless you post your config, and the config of one CAP as well.

Thank you for your help.

Meanwhile we could narrow the problem down to a smaller issue.

The DHCP address distribution to 192.168.88.0/22 is working, as well as the forwarding of VLAN20. All routers get their IP address via VLAN20 and can be connected to.

I also get the VLAN200 connection between the main router and the other MikroTik router.

The remaining issue is that I cannot put the input from ether2 into VLAN200 on the main router. I just want to tunnel ether2 from the Internet router, without any address change or anything else, through VLAN200 to the other router. In fact it should simulate an additional "software" cable between ether2 of the Internet router and ether1 of the DECT station.

Our last findings are that we do not get a DHCP client address on ether3 of MikroTik 2 from the Internet router.

The config of the main router looks like this:

# 2024-07-13 10:04:02 by RouterOS 7.15.1
# software id = 4NJK-U7CA
# model = RBD52G-5HacD2HnD
# serial number = xxxxxx
/interface bridge
add admin-mac=D4:01:C3:09:B1:E0 auto-mac=no comment=defconf name=bridge
add comment=VLANTEST frame-types=admit-only-vlan-tagged name=bridge_vlan pvid=200 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-09B1E4 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-09B1E4 wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment=Internet
set [ find default-name=ether2 ] comment="DHCP Client DECT"
set [ find default-name=ether5 ] comment="Output for everything"
/interface vlan
add comment="VLAN administration" interface=ether5 name=vlan20 use-service-tag=yes vlan-id=20
add interface=ether5 name=vlan_200_out vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=VLAN name=VLAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk comment=defconf disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add comment="Home network" name=dhcp_pool_Network ranges=192.168.88.2-192.168.91.254
add comment=Administration name=dhcp_pool_router ranges=170.205.42.1-170.205.42.253
/ip dhcp-server
add address-pool=dhcp_pool_Network interface=bridge name=dhcp1
add address-pool=dhcp_pool_router interface=vlan20 name=dhcp2
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment="Standard Output" frame-types=admit-only-vlan-tagged interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# ether2,vlan_200_out not a bridge port
add bridge=bridge_vlan tagged=ether2 untagged=vlan_200_out vlan-ids=200
/interface detect-internet
set internet-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=VLAN
/ip address
add address=192.168.88.1/22 comment=defconf interface=bridge network=192.168.88.0
add address=170.205.42.254/24 comment="Administration pool" interface=vlan20 network=170.205.42.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=170.205.42.0/24 gateway=170.205.42.254
add address=192.168.88.0/22 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MikroTik-Main-Heber
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
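The export above shows three faults that together explain both the "can not run on slave interface" error and the missing DHCP lease on the DECT side: vlan20 and vlan_200_out are created on ether5, which is a bridge port and therefore a slave interface, so nothing (DHCP server, IP address) can be bound to them reliably; vlan20 has use-service-tag=yes, which makes it an 802.1ad S-tag (EtherType 0x88a8) that the CAPs' plain 802.1Q configuration will not match; and the VLAN 200 entry lives on a second bridge, bridge_vlan, that has no ports at all, with ether2 and vlan_200_out referenced even though neither is a port of that bridge (the export prints that warning itself). The configuration below is an added, corrected version of the Main router's bridge and VLAN part, written for this page and not taken from the thread. It follows the requirements stated in the later posts: the home LAN stays untagged on the bridge (192.168.88.0/22), VLAN 20 is administration only, and VLAN 200 is purely L2 between ether2 and the trunk. Assumptions: a private range 10.205.42.0/24 replaces 170.205.42.0/24 for administration, as suggested earlier in the thread; wlan1 and wlan2 are members of the bridge; the home LAN rides as the untagged (native) VLAN 1 on the ether5 trunk, so the CAP uplinks must be configured with pvid=1 and frame-types=admit-all to match. The wireless, firewall, NAT, DNS and IPv6 lines from the export are unchanged and omitted here.

```routeros
# Main router (RBD52G-5HacD2HnD), corrected target shape. Apply from Safe Mode over
# ether3 or Wi-Fi, never over ether5, and enable vlan-filtering as the last step.
/interface bridge
add name=bridge comment=defconf
# VLAN interfaces sit on the bridge, not on ether5 (a bridge port is a slave interface).
# Plain 802.1Q: no use-service-tag.
/interface vlan
add interface=bridge name=vlan20 vlan-id=20 comment="VLAN administration"
/interface bridge port
add bridge=bridge interface=ether2 pvid=200 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="DECT feed from Internet router, untagged in"
add bridge=bridge interface=ether3 pvid=1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="home LAN"
add bridge=bridge interface=wlan1 pvid=1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=wlan2 pvid=1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether5 pvid=1 ingress-filtering=yes frame-types=admit-all comment="trunk to CAPs: home LAN untagged, 20 and 200 tagged"
/interface bridge vlan
add bridge=bridge untagged=bridge,ether3,ether5,wlan1,wlan2 vlan-ids=1 comment="home LAN 192.168.88.0/22"
add bridge=bridge tagged=bridge,ether5 vlan-ids=20 comment="administration, L3 on the router"
# the bridge is not a member of VLAN 200, so the router never gets an address from
# 192.168.178.0/24 and cannot route between that subnet and the home LAN
add bridge=bridge tagged=ether5 untagged=ether2 vlan-ids=200 comment="DECT, L2 only"
/ip address
add address=192.168.88.1/22 interface=bridge network=192.168.88.0 comment=defconf
add address=10.205.42.254/24 interface=vlan20 network=10.205.42.0 comment="administration (private range assumed)"
/ip pool
add name=dhcp_pool_Network ranges=192.168.88.2-192.168.91.254
add name=dhcp_pool_router ranges=10.205.42.1-10.205.42.253
/ip dhcp-server
add address-pool=dhcp_pool_Network interface=bridge name=dhcp1
add address-pool=dhcp_pool_router interface=vlan20 name=dhcp2
/ip dhcp-server network
add address=192.168.88.0/22 gateway=192.168.88.1 dns-server=192.168.88.1
add address=10.205.42.0/24 gateway=10.205.42.254 dns-server=10.205.42.254
# vlan20 must be in the LAN list, otherwise the defconf input chain drops DHCP and Winbox on it
/interface list member
add interface=vlan20 list=LAN
# management services answer only from the administration VLAN; unused plaintext services off
/ip service
set winbox address=10.205.42.0/24
set ssh address=10.205.42.0/24
set www address=10.205.42.0/24
set telnet disabled=yes
set ftp disabled=yes
# last step; afterwards verify:
#   /interface bridge vlan print   -> no "not a bridge port" warning, 200 tagged on ether5 only
#   /interface bridge host print   -> the DECT feed's MAC learned on ether2 with vid 200
/interface bridge set bridge vlan-filtering=yes
```

The ether5 comment in the export, "Output for everything", matches this layout: ether5 is the single trunk towards the CAPs and carries the home LAN untagged plus VLANs 20 and 200 tagged. If the home LAN should also be carried as a tagged VLAN instead, give it its own ID, list it as tagged on ether5 and set ether5 to frame-types=admit-only-vlan-tagged; the VLAN 200 handling does not change.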