Hi,
I’m not sure my wording is fully accurate and that I got the concept of VLAN on bridges correctly. Please bear with me. I’ve read multiple pages from the wiki (here, here, and here) and searched the web but I still don’t know the best way to do it.
In this scenario, I am using a hAP lite. On ether2 I connected a Ubiquiti AP with 4 WLANs, each with its own VLAN ID. Additionally, the wlan of the hAP lite is used. The Ubiquiti AP’s LAN is configured as a DHCP client. Each VLAN (1,2,4,6) got its own subnet from hAP lite. The WLAN of the hAP lite should get VLAN-ID 6.
Firewall rules will take care of some restrictions. VLANs are working fine but I had to deactivate VLAN6.
Problem
The LAN connection between ether2 and Ubiquiti is untagged and I cannot figure out how to tell the hAP lite to tag all untagged traffic on ether2 without using VLAN filtering. The Ubiquiti should be in VLAN6.
Workaround
My workaround now is to deactivate VLAN6 and assign its subnet directly to the bridge. This way the untagged traffic on ether2 is assigned to subnet 6. And because I want all hAP lite wlan clients in vlan6, I deactivated the pvid tagging and simply added the wlan port to the bridge. This way local wlan and ether2 are slaves of the bridge and “inherit” the DHCP settings etc.
Question
Is it possible to assign VLAN-ID to the untagged traffic on ether2? I read that the bridge works as master but I could not figure out how to set a “default VLAN-ID” for it.
Although my config seems to work, I’d like to make it more consistent, i.e. use vlanX interfaces for firewall rules etc. It feels like I’m missing a major configuration point here.
I appreciate any help to understand how it should be done or what I got wrong.
Thanks a lot & best
That’s how it’s configured now:
/interface bridge
add admin-mac=6C:3B:6B:62:58:3C auto-mac=no comment=defconf fast-forward=no name=bridge
/interface bridge port
# I guess pvid here is useless
add bridge=bridge comment=defconf interface=ether2 pvid=6
add bridge=bridge comment=defconf interface=wlan
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan2 vlan-id=2
add interface=bridge name=vlan4 vlan-id=4
add disabled=yes interface=bridge name=vlan6 vlan-id=6
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1
add address=192.168.4.0/24 gateway=192.168.4.1
add address=192.168.6.0/24 gateway=192.168.6.1
/ip address
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0
add address=192.168.4.1/24 interface=vlan4 network=192.168.4.0
add address=192.168.6.1/24 interface=bridge network=192.168.6.0
add address=192.168.6.1/24 disabled=yes interface=vlan6 network=192.168.6.0
/ip dhcp-server
add address-pool=pool1 disabled=no interface=vlan1 name=vlan1
add address-pool=pool2 disabled=no interface=vlan2 name=vlan2
add address-pool=pool4 disabled=no interface=vlan4 name=vlan4
add address-pool=pool6 disabled=no interface=bridge name=vlan6
# disabled
add address-pool=pool6 interface=vlan6 name=vlan6
/interface wireless
# vlan-id is set but VLAN mode is "no tag" at the moment
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=germany disabled=no distance=indoors frequency=2462 \
    frequency-mode=regulatory-domain mode=ap-bridge name=wlan rx-chains=0 ssid=VAP tx-chains=0 vlan-id=6 \
    wireless-protocol=802.11 wps-mode=disabled
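
An added example, not part of the original post: a small Python check that reads a RouterOS export and reports, per bridge port, whether untagged ingress receives a VLAN ID and which subnets it reaches untagged. It relies on the RouterOS rule that a bridge port's pvid only takes effect when the bridge has vlan-filtering=yes; the function names and the abridged sample export are constructed for illustration.

```python
import shlex

# Abridged from the export in the post (constructed sample; wireless lines omitted).
EXPORT = """\
/interface bridge
add auto-mac=no comment=defconf fast-forward=no name=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=6
add bridge=bridge comment=defconf interface=wlan
/ip address
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.6.1/24 interface=bridge network=192.168.6.0
add address=192.168.6.1/24 disabled=yes interface=vlan6 network=192.168.6.0
"""

def parse_export(text):
    """Map each menu path to the property dicts of its 'add' lines."""
    menus, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            props = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            menus.setdefault(menu, []).append(props)
    return menus

def audit_untagged(text):
    """Per bridge port: (port, VLAN ID given to untagged ingress, subnets reached untagged)."""
    cfg = parse_export(text)
    filtering = {b["name"]: b.get("vlan-filtering") == "yes"
                 for b in cfg.get("/interface bridge", [])}
    report = []
    for port in cfg.get("/interface bridge port", []):
        bridge = port["bridge"]
        if filtering.get(bridge):
            # vlan-filtering=yes: untagged ingress is classified into the port's pvid.
            # Which interface it then reaches depends on /interface bridge vlan (not modelled).
            report.append((port["interface"], int(port.get("pvid", "1")), None))
        else:
            # vlan-filtering=no: pvid has no effect, the frame stays untagged and is
            # handled by the bridge interface itself, i.e. by the enabled addresses on it.
            nets = [a["network"] for a in cfg.get("/ip address", [])
                    if a["interface"] == bridge and a.get("disabled") != "yes"]
            report.append((port["interface"], None, nets))
    return report

if __name__ == "__main__":
    for row in audit_untagged(EXPORT):
        print(row)
```

For the posted configuration it shows that ether2 and wlan both deliver untagged frames to the address on the bridge interface (192.168.6.0), and that pvid=6 on ether2 plays no part in that.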