vlans and wifi with two separate internet routers

Hello,

I’ve dabbled a bit with Mikrotik equipment over the years, but am far from competent with it.

I have been using a system with SXT LTE, RBS260GSP and two wAP AC for several years and it has been working very well.

However, I am now adding Starlink, which will become the primary internet connection.

I wish to keep the Starlink in router mode - so that I can take advantage of the extra wifi coverage that it gives.

Next, I would like to have the wAPs extend the starlink wifi, but also continue to serve a wifi net for the LTE - in case of any issues with starlink I can switch over to it.

Here is a schematic of what I had in mind:
schematic.png
I have spent over a week now trying to understand how to configure it, but am still very uncertain - primarily with the vlan configuration.

Here’s what I’ve come up with for the wAPs (based on the “AccessPoint.rsc” from this VLAN thread http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1):

###############################################################################
# Topic:		Using RouterOS to VLAN your network
# Example:		Access Point
# Web:			http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
# RouterOS:		6.47.10
# Date:			February 17, 2023
# Notes:		Start with a reset (/system reset-configuration)
# Thanks:		mkx, sindy
# Modified for starlink/LTE system - 2023-09-17
###############################################################################

#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="wAP_ac_1"


#######################################
# VLAN Overview
#######################################

# 10 = starlink + mgmt
# 20 = LTE


#######################################
# WIFI Setup
#######################################

# Same wireless security profile for all wifi nets
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="mypassword"

# starlink SSID (starlink 2G) wAP_ac_1 channel 1 (2412) wAP_ac_2 ch 11 (2462) starlink ch 6
/interface wireless set [ find default-name=wlan1 ] country=kenya frequency=2412 ssid=starlink mode=ap-bridge disabled=no name=starlinkWlan wireless-protocol=802.11

# starlink5G SSID (starlink 5G) wAP-ac_1 freq=5540, wAP_ac_2 freq=5500 starlink ch38 80Mhz
/interface wireless set [ find default-name=wlan2 ] country=kenya frequency=5540 channel-width=20/40mhz-Ce ssid=starlink5G mode=ap-bridge disabled=no name=starlink5GWlan wireless-protocol=802.11

# LTE SSID (virtual AP; master-interface must be an existing radio, the 2.4 GHz one is assumed here)
/interface wireless add name=LTEWlan ssid=LTE master-interface=starlinkWlan disabled=no

#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 vlan-filtering=no


#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior
/interface bridge port

# starlink, LTE VLAN
add bridge=BR1 interface=starlinkWlan pvid=10
add bridge=BR1 interface=starlink5GWlan pvid=10
add bridge=BR1 interface=LTEWlan pvid=20

# egress behavior, handled automatically


#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=ether1

# egress behavior
/interface bridge vlan

# TO DO - Confirm bridge tagging needed in order to access management interface?
# Switch Trunk. L2 switching only, Bridge as tagged member on starlink vlan 10
add bridge=BR1 tagged=BR1,ether1 vlan-ids=10
add bridge=BR1 tagged=ether1     vlan-ids=20


#######################################
# IP Addressing & Routing
# Note static IP addresses on starlink/mgmt vlan 10:
# 192.168.1.1 = starlink router/gateway
# 192.168.1.20 = RB260 switch
# 192.168.1.19 = wAP_ac_1
# 192.168.1.18 = wAP_ac_2
#######################################

# LAN facing AP's Private IP address on starlink vlan10
/interface vlan add interface=BR1 name=starlink_vlan vlan-id=10
/ip address add address=192.168.1.19/24 interface=starlink_vlan

# The Router's IP this AP will use
/ip route add distance=1 gateway=192.168.1.1


#######################################
# IP Services
#######################################

# We have a router that will handle this. Nothing to set here.
# Attach this AP to a router configured as shown under the "RoaS" example.


#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=starlinkWlan]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=starlink5GWlan]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=LTEWlan]

# Only allow ingress packets WITH tags on Trunk Ports
/interface bridge port set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from starlink_vlan, the MGMT network
/interface list add name=starlink
/interface list member add interface=starlink_vlan list=starlink
/ip neighbor discovery-settings set discover-interface-list=starlink
/tool mac-server mac-winbox set allowed-interface-list=starlink
/tool mac-server set allowed-interface-list=starlink


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes

And this is how I see the RBS260GSP SwOS configuration:

RBS260GSP

Ports:
1 = starlink, vlan10
2 = mgmt laptop, vlan10
3 = SXT LTE, vlan20
4 = wAP_ac_1, vlan10, vlan20
5 = wAP_ac_2, vlan10, vlan20

SwOS settings:

General tab:

  • Static 192.168.1.20
  • Independent VLAN Lookup = enabled

Link tab:

  • defaults

VLAN tab:

  • Port 1 (starlink)

VLAN mode = strict
VLAN receive = any
default VLAN ID = 10
Force VLAN ID = enabled
VLAN header = leave as is

  • Port 2 (laptop)

VLAN mode = strict
VLAN receive = any
default VLAN ID = 10
Force VLAN ID = enabled
VLAN header = leave as is

  • port 3 (LTE)

VLAN mode = strict
VLAN receive = any
default VLAN ID = 20
Force VLAN ID = enabled
VLAN header = leave as is

  • ports 4,5 (wAPs)

VLAN mode = strict
VLAN receive = only tagged
(default VLAN ID = 10)
Force VLAN ID = disabled
VLAN header = leave as is

VLANs tab:

  • vlan id 10 = IVL enabled; “leave as is” = P1,P2,P4,P5; “not a member” = P3
  • vlan id 20 = IVL enabled; “leave as is” = P3,P4,P5; “not a member” = P1,P2

Would this work? I’d be most grateful for any feedback.

Either way, I would change the RB260GSP for a router.

Thanks erlinden. What would be your concerns about my proposed set up?

With a router you can handle the failover automatically, only challenge is disabling wireless on the Starlink router when its link is down. Any way to replace the starlink router with a Mikrotik? Then you can keep the switch.

Hi erlinden.
ok I see. Automatic failover would be nice, but not essential for me. I’d prefer to avoid investing in another router for now.

(But to answer your question, yes, I understand one can bypass the Starlink router and use eg Mikrotik, though it does mean that starlink’s wifi can’t be used and also - though I’m not very sure - I think the starlink app can’t be used or at least has limited features. I’d need to check on this)

Anyone have any suggestions where I might best hire someone to help me work through this? Upwork?

The RB260 configuration is almost entirely incorrect. From factory reset:
VLAN tab
Set Default VLAN ID Port1 → 10, Port2 → 10, Port3 → 20
VLANs tab
Add VLAN ID 10, set Port1 → always strip, Port2 → always strip, Port4 → add if missing, Port5 → add if missing
Add VLAN ID 20, set Port3 → always strip, Port4 → add if missing, Port4 → add if missing
VLAN tab (again)
Set VLAN Mode Port1-5 → strict
(see https://wiki.mikrotik.com/wiki/SwOS/RB250-RB260-VLAN-Example)

It’s very difficult to see errors in the RouterOS configuration commands which haven’t been applied; an actual /export is much more useful.
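
The port and VLAN table from the reply above, as an added example that is not part of the original thread: a simplified Python model of strict-mode forwarding that checks the Starlink-side and LTE-side access ports stay isolated. The forwarding semantics, the default VLAN ID of 1 on ports 4 and 5, and reading the repeated Port4 on the VLAN 20 line as Port5 are assumptions.

```python
# Added example: simplified model of the RB260 VLAN table from the reply above.
# Assumed semantics: an untagged ingress frame takes the port's Default VLAN ID;
# in strict mode it is dropped unless that VLAN exists and the ingress port is a
# member; on egress "always strip" sends untagged, "add if missing" sends tagged.

DEFAULT_VID = {1: 10, 2: 10, 3: 20, 4: 1, 5: 1}  # 4/5 left at 1 (assumed factory default)

VLANS = {
    10: {1: "strip", 2: "strip", 4: "add", 5: "add"},
    20: {3: "strip", 4: "add", 5: "add"},  # assumption: repeated "Port4" read as Port5
}
# The VLAN 20 line exactly as typed in the reply (Port5 never added).
VLANS_AS_TYPED = {10: VLANS[10], 20: {3: "strip", 4: "add"}}

SIDE = {1: "starlink", 2: "starlink", 3: "lte"}  # access ports; 4 and 5 are trunks


def forward(in_port, tag=None, vlans=VLANS):
    """Flood one frame; return {egress_port: VLAN tag on the wire, or None}."""
    vid = DEFAULT_VID[in_port] if tag is None else tag
    members = vlans.get(vid)
    if members is None or in_port not in members:  # strict-mode ingress check
        return {}
    return {port: (None if action == "strip" else vid)
            for port, action in members.items() if port != in_port}


def isolation_violations(vlans=VLANS):
    """Frames that cross between Starlink-side and LTE-side access ports."""
    bad = []
    for in_port in DEFAULT_VID:
        for tag in (None, 10, 20, 99):  # untagged, both VLANs, an unknown VLAN
            for out_port in forward(in_port, tag, vlans):
                if (in_port in SIDE and out_port in SIDE
                        and SIDE[in_port] != SIDE[out_port]):
                    bad.append((in_port, tag, out_port))
    return bad


if __name__ == "__main__":
    print("laptop (port 2) untagged  ->", forward(2))
    print("LTE (port 3) untagged     ->", forward(3))
    print("port 3 sending tag 10     ->", forward(3, tag=10))
    print("isolation violations      ->", isolation_violations())
    print("as typed, wAP_ac_2 tag 20 ->", forward(5, tag=20, vlans=VLANS_AS_TYPED))
```

With the VLAN 20 line taken exactly as typed, frames tagged 20 from port 5 are dropped, so the LTE SSID on wAP_ac_2 would have no path to the SXT.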

Thanks tdw for having a look. It all seems to be working now, thanks to your corrections.

However, as a side note, I took my config from this here:
https://help.mikrotik.com/docs/display/SWOS/CSS106+%28RB260%29+series+Manual#CSS106(RB260)seriesManual-TrunkandAccessPorts
Which has quite a different approach. Unfortunately, most of the setting explanations baffle me, so I can’t figure out why that one didn’t work and yours did.
It is the story of my Mikrotik experience - it suddenly starts working after trying this and that and I really couldn’t say why! I guess one really needs to have network engineering training, it’s not for enthusiasts.

There may be two methods which work, the example on the new help pages now being suggested over the example in the old wiki. The difference appears to be VLANs port memberships set to ‘leave as is’ and the VLAN ‘VLAN Receive’ set to ‘only tagged’/‘only untagged’. I suspect the issue with your original config may have been enabling ‘Force VLAN ID’ on some ports.

(Hi tdw,
Sorry I didn’t even realise myself when I responded to you, but by the time I came to trying it, I had in fact decided to follow the new help article trunk and access ports example, and not as per the config in my opening post. Quite possible of course that I mis-entered something. In any case, at least it is working now following your advice!)