VLAN wifi network - no internet access

Hello, I have a Mikrotik RB3011 router and 2 UniFi access points.
In the Mikrotik config, via Winbox, I've created 2 bridges (one for each AP) with different IP pools. On ether1 I have the connection to the main router from my ISP. Ether2-5 are bound to bridge1 and ether6-10 to bridge2. I have a simple switch on ether2 and on ether6, and an AP is connected to each switch. Up to this point everything is working fine: no problems with the wifi broadcast by the APs, full speed, good range and full internet access.
BUT I also created two VLANs on bridge1, and both are broadcast by AP1, which is connected to the switch on ether2 and broadcasts the network from bridge1. I can connect any device to both VLANs, but every time I get a "No internet access" message. Also, the IP given to devices connected to the VLAN wifi is outside any pool I created (e.g. the pool for bridge1 is 192.168.88.2-254, for vlan1 it is 10.0.2.2-254).
I tried reconfiguring, changing things, and nothing works. I have run out of ideas. Here's my config:

# apr/09/2020 13:07:19 by RouterOS 6.42.12
# software id = B95V-SKA9
#
# model = RouterBOARD 3011UiAS
# serial number = B88D0AC2AA20
/interface bridge
add admin-mac=xxxx auto-mac=no comment=defconf name=\
    "bridge - biuro"
add name="bridge - mieszkanie"
/interface vlan
add interface="bridge - biuro" name="vlan-mieszkanie 1" vlan-id=10
add interface="bridge - biuro" name="vlan-mieszkanie 2" vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name="pool mieszkanie" ranges=10.0.1.2-10.0.2.254
add name="pool mieszkanie 1" ranges=10.0.2.2-10.0.2.254
add name="pool mieszkanie 2" ranges=10.0.3.2-10.0.3.254
add name=dhcp ranges=192.168.88.2-192.168.88.254
add name=vpn ranges=10.0.10.2-10.0.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface="bridge - biuro" name=defconf
add address-pool="pool mieszkanie 1" disabled=no interface="vlan-mieszkanie 1" \
    name=dhcp-mieszkanie1
add address-pool="pool mieszkanie 2" disabled=no interface="vlan-mieszkanie 2" \
    name=dhcp-mieszkanie2
add address-pool="pool mieszkanie" disabled=no interface="bridge - mieszkanie" \
    name=dhcp1
/ppp profile
add local-address=10.0.1.1 name=vpn remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge="bridge - biuro" comment=defconf interface=ether2
add bridge="bridge - biuro" comment=defconf interface=ether3
add bridge="bridge - biuro" comment=defconf interface=ether4
add bridge="bridge - biuro" comment=defconf interface=ether5
add bridge="bridge - mieszkanie" comment=defconf interface=ether6
add bridge="bridge - mieszkanie" comment=defconf interface=ether7
add bridge="bridge - mieszkanie" comment=defconf interface=ether8
add bridge="bridge - mieszkanie" comment=defconf interface=ether9
add bridge="bridge - mieszkanie" comment=defconf interface=ether10
add bridge="bridge - biuro" comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes ipsec-secret=* use-ipsec=yes
/interface list member
add comment=defconf interface="bridge - biuro" list=LAN
add comment=defconf interface=ether1 list=WAN
add interface="bridge - mieszkanie" list=LAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
add address=10.0.2.1/24 interface="vlan-mieszkanie 1" network=10.0.2.0
add address=10.0.3.1/24 interface="vlan-mieszkanie 2" network=10.0.3.0
add address=10.0.1.1/24 interface="bridge - mieszkanie" network=10.0.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.1.0/24 gateway=10.0.1.1
add address=10.0.2.0/24 gateway=10.0.2.1
add address=10.0.3.0/24 gateway=10.0.3.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
    udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface=ether1 in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=vpn src-address=10.0.10.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/lcd
set time-interval=hour
/ppp secret
add name=vpn-kurpiowska password=* profile=vpn service=pptp
add name=vpn password=*
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

What I see in your config does not really look like a correct implementation of VLANs in any way :open_mouth:
Here you will find a really nice example of "Router-Switch-AP (all in one)": http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

To simplify, I don't see the need for two bridges when one will do.
When you say an ether port is connected to a simple switch, what do you mean... an unmanaged switch?
Why hook a managed device (the access point) to an unmanaged switch and not to the router directly?
Are there any other devices off this switch, like PCs or printers (not VLAN smart)?

No point in discussing config until the requirements/use cases are understood, as well as the physical equipment at play.

Thank you all for answers.

The thing that I want to achieve is:

  • one bridge for the owner's home, for the private network, with an access point in the home and a switch for local devices,
  • one bridge for the office, where there is one AP broadcasting the office wifi, plus some printers and PCs plugged into a switch,
  • two VLANs, broadcast by the AP in the office, for access in two separate flats for rent.

The most important thing is to separate the devices in the owner's home, the office and both flats.

Did you take a look at the VLAN article I posted earlier?
I am sure there you will find all the answers you need...

Thanks jB, that's a good start...
Can you draw a network diagram to show how things are physically connected?
Also, you didn't indicate if the switch was managed or unmanaged.
The details are important to help you get to a working config.

Those are the connections.
I just did a reset to default settings on the Cisco switch and it's working fine, except for that VLAN. I haven't managed anything on that switch.

Maybe should I try to connect AP from the office directly to Mikrotik router? Does it matter in any way?

Maybe you should study up on VLANs...

Hi jB, yes, in general one should always go from trunk port to trunk port if possible (managed device to managed device).
It not only simplifies things but is better security.
For example, in the office or guest scenario, anybody can plug a device (that is VLAN aware) into an unmanaged switch and read the VLAN traffic.
Normally that's a big no-no in a corporate setting. However, if this is a home or home-office scenario, that is extremely unlikely to occur and thus the risk is not considered high.
I would say that getting managed switches is the best solution, unless it's really easy for you to wire those APs directly to the router.

To assist with the config, one needs to know more about the use cases.

How many groups of users are there?
Home users? (assume the admin spends most time here)
Guest users? (people coming over to your house who want to use wifi - seems likely everybody these days)
Office users?
Which of the above groups need wifi access?
Which of the above groups need internet access?
You have two APs, for example; who do they serve?
How do you want to use the WLANs: 2.4 GHz, 5 GHz?
Do you have smart devices that need wifi?
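As an added example, not the config of any poster in this thread: a single-bridge RouterOS layout that meets the separation requirement listed earlier (owner's home, office, and two rental flats served as tagged SSIDs by the office AP) and applies the trunk-port caveat from the last reply, by admitting tagged frames only on the port that feeds the office AP and only for the two flat VLANs, while every other port is a pure access port that refuses tagged frames. VLAN IDs, subnets, which ether port feeds which switch, and all interface names are assumptions to adjust to the real cabling; the VPN servers from the posted export and their input rules are left out and would have to be added back.

```routeros
# Added example (not from the thread). Assumed layout:
#   VID 10  home    10.0.1.0/24      ether6-10 untagged (home switch + AP2)
#   VID 20  office  192.168.88.0/24  ether2-5 untagged (office switch + AP1)
#   VID 30  flat 1  10.0.2.0/24      tagged on ether2 only (SSID on AP1)
#   VID 40  flat 2  10.0.3.0/24      tagged on ether2 only (SSID on AP1)
# Apply from Winbox Safe Mode while connected to a port that ends up in
# VID 10; vlan-filtering is switched on last because it cuts untagged access.

/interface bridge
add name=bridge1 vlan-filtering=no comment="enable vlan-filtering last"

/interface bridge port
# ether2 is the office trunk: untagged frames (office SSID, PCs, the AP's own
# management) land in VID 20; the flat SSIDs arrive tagged 30 and 40.
add bridge=bridge1 interface=ether2 pvid=20 frame-types=admit-all ingress-filtering=yes
# Pure access ports: a VLAN-aware NIC plugged in here cannot inject tagged
# frames and hop into another VLAN.
add bridge=bridge1 interface=ether3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether4 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether5 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether6 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether7 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether8 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether9 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether10 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# tagged=bridge1 hands each VLAN to the router CPU for the sub-interfaces
# below; only VID 30/40 are sent tagged towards the office trunk.
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether6,ether7,ether8,ether9,ether10
add bridge=bridge1 vlan-ids=20 tagged=bridge1 untagged=ether2,ether3,ether4,ether5
add bridge=bridge1 vlan-ids=30 tagged=bridge1,ether2
add bridge=bridge1 vlan-ids=40 tagged=bridge1,ether2

/interface vlan
add interface=bridge1 name=vlan10-home vlan-id=10
add interface=bridge1 name=vlan20-office vlan-id=20
add interface=bridge1 name=vlan30-flat1 vlan-id=30
add interface=bridge1 name=vlan40-flat2 vlan-id=40

/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface list member
add interface=ether1 list=WAN
add interface=vlan10-home list=LAN
add interface=vlan20-office list=LAN
add interface=vlan30-flat1 list=LAN
add interface=vlan40-flat2 list=LAN
add interface=vlan10-home list=MGMT

/ip address
add address=10.0.1.1/24 interface=vlan10-home
add address=192.168.88.1/24 interface=vlan20-office
add address=10.0.2.1/24 interface=vlan30-flat1
add address=10.0.3.1/24 interface=vlan40-flat2

/ip pool
add name=pool-home ranges=10.0.1.2-10.0.1.254
add name=pool-office ranges=192.168.88.2-192.168.88.254
add name=pool-flat1 ranges=10.0.2.2-10.0.2.254
add name=pool-flat2 ranges=10.0.3.2-10.0.3.254
/ip dhcp-server
add name=dhcp-home interface=vlan10-home address-pool=pool-home disabled=no
add name=dhcp-office interface=vlan20-office address-pool=pool-office disabled=no
add name=dhcp-flat1 interface=vlan30-flat1 address-pool=pool-flat1 disabled=no
add name=dhcp-flat2 interface=vlan40-flat2 address-pool=pool-flat2 disabled=no
/ip dhcp-server network
add address=10.0.1.0/24 gateway=10.0.1.1 dns-server=10.0.1.1
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
add address=10.0.2.0/24 gateway=10.0.2.1 dns-server=10.0.2.1
add address=10.0.3.0/24 gateway=10.0.3.1 dns-server=10.0.3.1
/ip dns set allow-remote-requests=yes

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=MGMT comment="Winbox/SSH only from the home VLAN"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS for all VLANs"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=67 comment="DHCP"
add chain=input action=drop comment="everything else, including all of WAN"
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="every VLAN may reach the internet"
add chain=forward action=drop comment="no VLAN-to-VLAN traffic, nothing new from WAN"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# Last step, still inside Safe Mode:
/interface bridge set bridge1 vlan-filtering=yes
```

The forward chain ends in a drop, so the four networks reach only the internet and never each other, which is the separation the requirements ask for; the input chain accepts router management only from the home VLAN, so a tenant on a flat SSID can get DHCP and DNS from the router but cannot reach Winbox. Because the office AP sits behind an unmanaged switch, everything plugged into that switch shares VID 20 with the AP's management interface and can see the tagged VID 30/40 frames the AP exchanges with ether2; that is the exposure described in the last reply, and only a managed switch or a direct cable from the AP to the router removes it.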