VLANs not behaving as expected?

I have a RB750GL router configured with an access point connected to the ether5 port. The access point has two SSIDs assigned to it, and each one 802.1q VLAN tags the packets with a unique VLAN ID (say 100 and 200). The access point also needs to send management and wireless controller packets that are untagged. Based on the Wikis and informative threads here, I have it configured and working with one exception which I’ll explain shortly. I created ether5 as a Trunk port by taking it off of the default Slave port setting and creating vlan100 and vlan200 entries which are assigned to Interface ether5. I created unique address pools and created DHCP servers on the untagged ether5 interface, one for vlan100, and another DHCP server for vlan200. No Bridge was created as I do not want any VLANs to communicate with each other. I added firewall rules to block the address subnets of the two vlans from forwarding to the untagged address subnet.

Everything works - the AP comes up, gets an untagged IP address, and finds and associates to a remote wireless controller. I connect a laptop to SSID1 and this traffic gets tagged with VLAN100 and it passes through the Mikrotik. A second laptop on SSID2 gets tagged with VLAN200 and it can pass traffic/get to the internet. If I try to ping the other laptop or the AP itself, it fails - just as expected. NOW, if I pull out an Android smartphone or Apple tablet and connect to, say, SSID2 - it connects and gets tagged with VLAN200, just as expected. If I try to ping the laptop on SSID1 (which is in VLAN100) I can’t/it fails, again as it should. BUT if I try to ping the smartphone, which has a different IP address subnet and is on VLAN200, it works!?!?

I just can’t figure out why laptop to laptop and smartphone to laptop VLAN segregation rules work correctly, but a laptop in VLAN X with an IP address in subnet X can ping a smartphone in VLAN Y with a subnet Y IP address??? I gave up and forced them not to see each other by adding an /ip firewall rule to DROP any forwarded packets from VLAN100 to VLAN200 and from VLAN200 to VLAN100, but I shouldn’t have to, correct? Thanks.

It is a bit hard to fully get your config right, but if I read your story correctly you have only blocked forwarding traffic from either VLAN to the untagged management segment. That means that VLAN to VLAN should work.
Probably laptop to laptop traffic is blocked by a firewall running on the laptop locally. Since your Apple / Android does not have a firewall it is pingable.
I suggest you build your firewall by explicitly allowing the desired traffic and end with a generic drop rule:
/ip firewall filter
add chain=forward in-interface= src-address= out-interface=
add chain=forward in-interface= src-address= out-interface=
add chain=forward in-interface=ether5 src-address= out-interface=
add chain=forward action=drop
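
The explicit-allow-then-drop approach from the reply above, written out as a complete added example (not Rudios’s config or anything else from the thread), with assumed names: ether1 as the uplink, 192.168.10.0/24 as the untagged AP management subnet, 192.168.100.0/24 for vlan100 and 192.168.200.0/24 for vlan200. It also shows why no bridge is needed for cross-VLAN traffic to appear: the router holds an address on ether5, vlan100 and vlan200, so it routes between all three unless forward rules say otherwise.

```routeros
# Added example, not the thread's config. Assumed names: ether1 = uplink,
# 192.168.10.0/24 = untagged AP management, 192.168.100.0/24 = vlan100,
# 192.168.200.0/24 = vlan200.
/interface vlan
add name=vlan100 vlan-id=100 interface=ether5
add name=vlan200 vlan-id=200 interface=ether5

/ip address
add address=192.168.10.1/24 interface=ether5 comment="untagged AP management"
add address=192.168.100.1/24 interface=vlan100 comment="SSID1 clients"
add address=192.168.200.1/24 interface=vlan200 comment="SSID2 clients"

/ip firewall filter
# Replies to connections the router has already accepted may come back through.
add chain=forward connection-state=established,related action=accept comment="allow replies"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# Each client VLAN may only reach the uplink. Matching the source subnet as well as
# the interface keeps a client that picks an address from another subnet from
# slipping past the rule.
add chain=forward in-interface=vlan100 src-address=192.168.100.0/24 out-interface=ether1 action=accept comment="SSID1 to WAN"
add chain=forward in-interface=vlan200 src-address=192.168.200.0/24 out-interface=ether1 action=accept comment="SSID2 to WAN"
# Untagged frames on the trunk arrive on ether5 itself; the AP needs the uplink to
# reach its wireless controller.
add chain=forward in-interface=ether5 src-address=192.168.10.0/24 out-interface=ether1 action=accept comment="AP mgmt to WAN"
# Everything else the router would route (vlan100 <-> vlan200, VLAN -> management,
# uplink -> inside) is dropped and logged so blocked attempts show up in /log.
add chain=forward action=drop log=yes log-prefix="fwd-drop" comment="default drop"
```

Nothing here touches the input chain, the DHCP servers or NAT, which the original setup already has; the logged default drop gives a quick way to see which VLAN-to-VLAN attempts are being blocked.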

Hi Rudios,

Thanks for your thoughts and suggestions. Perhaps I misunderstood how ROS implements VLANs, but I was under the impression that defining multiple VLANs on a port without creating a bridge would honor VLAN segregation (i.e., the router would not route the VLAN traffic between them)? When I added a bridge and put the two VLANs in it, then I could see/ping any device from one vlan to the other (as expected). I like your config approach of explicitly forwarding the vlans to the WAN interface, and then dropping all other forwarded traffic. I may try that as it’s a bit cleaner than my set of rules.

Hmm, just thought of something. Do you know of a way to make the vlan ID dynamic? (In other words, instead of specifying vlan 100 forwards and vlan 200 forwards, could it be a variable that it pulls in? This is because my AP can assign VLAN IDs dynamically, which is a useful feature…)

I don’t think so. Also adding the VLAN interfaces to the routers config is not really dynamic.
So each VLAN that could be handled by your AP should also be created on the router’s interface and be used in the firewall rules.