vlan public private networks

sb1349 · March 15, 2012, 6:50pm

I am trying to setup a wifi access point that has both a public and private network using vlans. Here is what i have so far.

rb411a
wlan 1 has no ssid
virtual ap on wlan1 with ssid private
virtual ap on wlan1 with ssid public

vlan private on eth1 vlanid1
vlan public on eth1 vlanid2

bridge1 with virtual ap private and vlan private
bridge2 with virtual ap public and vlan public

eth1 is supposed to trunk into a port on a cisco switch which sends the public out to the internet and the private back to the network but i am not able to see either network when connected over wifi to either ssid

this is what i followed to get this setup
http://wiki.mikrotik.com/wiki/802.1q_Trunk_extension_over_Wireless_P2P_Link

cbrown · March 15, 2012, 7:22pm

What is the problem you are having?

sb1349 · March 15, 2012, 7:26pm

no access to either vlan

cbrown · March 15, 2012, 7:29pm

From where? Give me more details. It wouldn’t hurt to see your configuration either.

sb1349 · March 15, 2012, 7:55pm

if I connect to either virtual ap and I can see and communicate with the ap but cannot get to any traffic to pass to the other side of the ap.

interface
Flags: D - dynamic, X - disabled, R - running, S - slave

NAME TYPE MTU L2MTU MAX-L2MTU

0 R ether1 ether 1526 1526 1526
1 wlan1 wlan 1500 2290
2 guest wireless wlan 1500 2290
3 R guest eth vlan vlan 1500 1522
4 R data eth vlan vlan 1500 1522
5 R br1 bridge 1500 1522
6 data wireless wlan 1500 2290
7 R br2 bridge 1500 1522

bridge

0 R name="br1" mtu=1500 l2mtu=1522 arp=enabled mac-address=00:0C:42:90:E2:2E protocol-mode=stp priority=0x8000
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6
ageing-time=5m

1 R name="br2" mtu=1500 l2mtu=1522 arp=enabled mac-address=00:0C:42:90:E2:2E protocol-mode=stp priority=0x8000
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6
ageing-time=5m

bridge port

INTERFACE BRIDGE PRIORITY PATH-COST HORIZON

0 data eth vlan br1 0x80 10 none
1 I data wireless br1 0x80 10 none
2 guest eth vlan br2 0x80 10 none
3 I guest wireless br2 0x80 10 none

vlan

NAME MTU ARP VLAN-ID INTERFACE

0 R guest eth vlan 1500 enabled 99 ether1
1 R data eth vlan 1500 enabled 1 ether1

wireless

0 name="wlan1" mtu=1500 mac-address=00:0C:42:90:E2:2F arp=enabled interface-type=Atheros AR5212
mode=ap-bridge ssid="" frequency=2437 band=2ghz-b/g channel-width=20mhz scan-list=default
wireless-protocol=unspecified antenna-mode=ant-a wds-mode=disabled wds-default-bridge=none
wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes default-forwarding=yes
default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no
security-profile=master wireless interface compression=no

1 name="guest wireless" mtu=1500 mac-address=02:0C:42:90:E2:2F arp=enabled
interface-type=virtual-AP master-interface=wlan1 ssid="guest" wds-mode=disabled
wds-default-bridge=none wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no
security-profile=guest

2 name="data wireless" mtu=1500 mac-address=02:0C:42:90:E2:30 arp=enabled
interface-type=virtual-AP master-interface=wlan1 ssid="network" wds-mode=disabled
wds-default-bridge=none wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no
security-profile=private

sb1349 · March 15, 2012, 8:01pm

this should be a little easier to read

interface 
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                                  TYPE               MTU L2MTU  MAX-L2MTU
 0  R  ether1                                                ether             1526  1526       1526
 1     wlan1                                                 wlan              1500  2290
 2     guest wireless                                        wlan              1500  2290
 3  R  guest eth vlan                                        vlan              1500  1522
 4  R  data eth vlan                                         vlan              1500  1522
 5  R  br1                                                   bridge            1500  1522
 6     data wireless                                         wlan              1500  2290
 7  R  br2                                                   bridge            1500  1522

bridge

 0  R name="br1" mtu=1500 l2mtu=1522 arp=enabled mac-address=00:0C:42:90:E2:2E protocol-mode=stp priority=0x8000 
      auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 
      ageing-time=5m 

 1  R name="br2" mtu=1500 l2mtu=1522 arp=enabled mac-address=00:0C:42:90:E2:2E protocol-mode=none priority=0x8000 
      auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 
      ageing-time=5m 

bridge port
 #    INTERFACE                                  BRIDGE                                 PRIORITY  PATH-COST    HORIZON
 0    data eth vlan                              br1                                        0x80         10       none
 1 I  data wireless                              br1                                        0x80         10       none
 2    guest eth vlan                             br2                                        0x80         10       none
 3 I  guest wireless                             br2                                        0x80         10       none

vlan

 #    NAME                               MTU ARP        VLAN-ID INTERFACE                           
 0 R  guest eth vlan                    1500 enabled         99 ether1                              
 1 R  data eth vlan                     1500 enabled          1 ether1   


wireless

 0    name="wlan1" mtu=1500 mac-address=00:0C:42:90:E2:2F arp=enabled interface-type=Atheros AR5212 
      mode=ap-bridge ssid="" frequency=2437 band=2ghz-b/g channel-width=20mhz scan-list=default 
      wireless-protocol=unspecified antenna-mode=ant-a wds-mode=disabled wds-default-bridge=none 
      wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes default-forwarding=yes 
      default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=master wireless interface compression=no 

 1    name="guest wireless" mtu=1500 mac-address=02:0C:42:90:E2:2F arp=enabled 
      interface-type=virtual-AP master-interface=wlan1 ssid="guest" wds-mode=disabled 
      wds-default-bridge=none wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes 
      default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=guest 

 2    name="data wireless" mtu=1500 mac-address=02:0C:42:90:E2:30 arp=enabled 
      interface-type=virtual-AP master-interface=wlan1 ssid="network" wds-mode=disabled 
      wds-default-bridge=none wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes 
      default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=private

reverged · March 16, 2012, 4:26am

vlan 1 is tagged or untagged on your Cisco? It will egress eth1 tagged.

A simple test would be to put an IP on each bridge in the correct subnet and try to access upstream elements.
Ping from Winbox is an easy test.
Then you can confirm the wired portion is correct.

sb1349 · March 16, 2012, 1:46pm

Vlan1 is tagged on the cisco and the port is trunked

interface Vlan1
 ip address 10.1.8.253 255.255.255.0
!
interface Vlan99
 ip address 10.2.8.254 255.255.255.0
 ip access-group 120 in
 no ip redirects
 no ip proxy-arp

interface FastEthernet0/24
 description AP
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,99
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AutoQoS-Police-CiscoPhone
!

Feklar · March 16, 2012, 5:48pm

Change the PVID of the port on the Cisco to some VLAN that doesn’t exist, or change your private VLAN to something other than 1. The Cisco will return packets untagged for it’s PVID on a port (annoying setting that they do).

As to why VLAN 99 is not working, do you have to assign a static IP or is it supposed to work via DHCP? We would need more information on that part of the setup to help. You can run torch on ether1 of the 411 and choose VLAN as one of the options to see if things are leaving tagged and coming back tagged properly.

sb1349 · June 13, 2012, 8:49pm

I have a static address setup on there and can see the arp request go out with vlan 99 but do not see a reply coming back on vlan 99.

CelticComms · June 13, 2012, 10:18pm

Both bridges are set to auto-mac and have ended up with the same MAC address. I suggest forcing them to be different in case that is part of the problem.

sb1349 · June 14, 2012, 1:40pm

I have taken this down to the most basic config. Right now I have a rb411 with 2 vlans 1 & 99 both attached to eth1. To test this setup to see if I can communicate there is a dhcp client on both. On the cisco switch there are three vlans 1, 20, and 99 and all three run dhcp servers. The port that I am connected to is setup as a trunk port and there are no restrictions on what vlans are able to run on the port. If i run torch I am able to see the packets leave but not any replys to the dhcp request.