wAP vlan bridge issue

Hello,

I am using the new VLAN method when configuring a wAP ac. The setup is essentially the same as on the MikroTik router (which is working). I have a MikroTik router with interface ports acting as trunk ports (vlan10 is untagged) going to downstream switches. Those switches are working. I also have older Ubiquiti UniFi APs attached to those downstream switches with the same SSIDs and VLANs tagged, and those are working… but the MikroTik wAP ac is NOT. :(

The issue I’m having with the wAP: ether1 is untagged for vlan 10 (data), and all-vlan-bridge is tagged. The primary vlan 10 (data) is working fine, and clients connecting to this SSID are receiving an IP address.

However, on the other SSID’s I have - no DHCP address is coming through to the WAP. I have the PVID set on the wlan interface that is within /bridge ports

I will post config when I’m back onsite.. forgot to pull it down locally. But perhaps someone can make a suggestion as to why the tagged SSID interfaces are not being untagged within the bridge interface for DHCP to work?

Here is example of the config.. this is 100% off my memory of what I can remember:
/bridge name=all-vlan-bridge

/bridge ports
add port=ether1 pvid=10
add=wlan1 pvid=10
add=wlan2 pvid=20
add=wlan3 pvid=40

/bridge ports vlan
add=ether1 untagged tagged=all-vlan-bridge
add wlan1 untagged tagged=all-vlan-bridge
add wlan2 untagged tagged=all-vlan-bridge
add wlan3 untagged tagged=all-vlan-bridge

/bridge
interface=all-vlan-bridge vlan-filtering=yes

/interface vlan
add vlan=10 name=vlan10-data
add vlan=20 name=vlan20-guestwifi
add vlan=40 name=vlan40-control4

/ip dhcp client
interface=vlan10-data

Read through the appropriate examples in this excellent reference.
Then adjust your config accordingly.
If you are still having issue then post your config for review
/export hide-sensitive file=yourconfig

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

@anav. - help me before like you did before with suggestions? I’m 100% baffled here…

The MikroTik core router is working fine with bridge VLAN filtering and the tagged/untagged setup. The UniFi APs with SSID VLAN tag assignment are working fine as well for the various SSIDs. But the MikroTik wAP ac is NOT. The only SSID that is working is the private SSID on the primary untagged VLAN (vlan10-data).

below is config. I changed the clients name in SSID to “Private SSID”

# mar/25/2019 18:43:08 by RouterOS 6.43.13
# software id = THGH-I82S
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = 824E089BD0FB
#
# Export of the wAP ac acting as a VLAN-aware access point: the SSIDs are
# bridge ports on all-vlan-bridge and ether1 is the uplink.
# NOTE(review): no wireless pre-shared keys appear below (presumably removed
# by hide-sensitive), but the header above still carries the software id and
# serial number, and the virtual AP MAC addresses are listed; redact those as
# well before posting an export publicly.
#
# Two bridges: all-vlan-bridge does the VLAN filtering; "bridge" only carries
# wlan7 and the 192.168.88.0/24 defconf addressing further down.
/interface bridge
add fast-forward=no name=all-vlan-bridge vlan-filtering=yes
add name=bridge
# Uplink port, renamed after the switch port it is meant to be plugged into.
/interface ethernet
set [ find default-name=ether1 ] name=ether1_sw2.p15 speed=100Mbps
# VLAN interfaces on the filtering bridge. In this export only vlan10-data is
# referenced by an IP service (the DHCP client below).
/interface vlan
add interface=all-vlan-bridge name=vlan10-data vlan-id=10
add interface=all-vlan-bridge name=vlan20-GuestWifi vlan-id=20
add interface=all-vlan-bridge name=vlan40-Control4 vlan-id=40
# Interface lists; only LAN gets a member (see /interface list member).
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Both custom profiles allow WPA-PSK as well as WPA2-PSK.
# NOTE(review): restrict authentication-types to wpa2-psk if every client
# supports it.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=WPA2-privatessid \
    supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=Control4 \
    supplicant-identity=""
# wlan1 (2ghz band) and wlan2 (5ghz band) are the physical radios; the "add"
# entries are virtual APs attached to them via master-interface.
# NOTE(review): security-profile=WPA2-oceanside is not defined in this export
# (the profile above is named WPA2-privatessid) -- presumably an artifact of
# the manual renaming before posting; the same goes for the space in
# master-interface=wlan2-Private SSID-5G. Verify against the live config.
# NOTE(review): wlan3-GuestWifi and wlan6-GuestWifi-5g carry neither
# disabled=no nor a security-profile, so they appear to be disabled and, once
# enabled, would use the default profile -- confirm that an open guest SSID
# is intended.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge name=\
    wlan1-PrivateSSID security-profile=WPA2-oceanside ssid="Private SSID" \
    wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=\
    ap-bridge name=wlan2-PrivateSSID-5G security-profile=WPA2-oceanside ssid=\
    "Private SSID" wireless-protocol=802.11 wps-mode=disabled
add keepalive-frames=disabled mac-address=CE:2D:E0:E0:4B:85 master-interface=\
    wlan1-PrivateSSID multicast-buffering=disabled name=wlan3-GuestWifi ssid=\
    "GUEST FREE" wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=CE:2D:E0:E0:4B:86 \
    master-interface=wlan1-PrivateSSID multicast-buffering=disabled name=\
    wlan4-Control4 security-profile=Control4 ssid=OSGC4 wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=CE:2D:E0:E0:4B:84 \
    master-interface=wlan2-PrivateSSID-5G multicast-buffering=disabled name=\
    wlan5-Control4-5g security-profile=Control4 ssid=OSGC4 wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add keepalive-frames=disabled mac-address=CE:2D:E0:E0:4B:87 master-interface=\
    wlan2-Private SSID-5G multicast-buffering=disabled name=wlan6-GuestWifi-5g \
    ssid="GUEST FREE" wds-cost-range=0 wds-default-cost=0 wps-mode=\
    disabled
add disabled=no keepalive-frames=disabled mac-address=CE:2D:E0:E0:4B:88 \
    master-interface=wlan1-PrivateSSID multicast-buffering=disabled name=wlan7 \
    security-profile=Control4 ssid=MikroTik wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# defconf address pool and DHCP server; they serve the second bridge
# ("bridge"), whose only port is wlan7.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
# Port-to-VLAN mapping: each SSID gets the pvid of its VLAN (10 private,
# 20 guest, 40 Control4); ether1 has pvid=10, i.e. VLAN 10 is native on the
# uplink. ingress-filtering and frame-types are not set on any port, so their
# defaults apply.
/interface bridge port
add bridge=all-vlan-bridge interface=wlan1-PrivateSSID pvid=10
add bridge=all-vlan-bridge interface=wlan2-PrivateSSID-5G pvid=10
add bridge=all-vlan-bridge interface=ether1_sw2.p15 pvid=10
add bridge=all-vlan-bridge interface=wlan3-GuestWifi pvid=20
add bridge=all-vlan-bridge interface=wlan4-Control4 pvid=40
add bridge=all-vlan-bridge interface=wlan6-GuestWifi-5g pvid=20
add bridge=bridge interface=wlan7
add bridge=all-vlan-bridge interface=wlan5-Control4-5g pvid=40
# Neighbor discovery is limited to the LAN list.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# VLAN table: 20 and 40 are tagged on ether1 and untagged on their SSIDs;
# 10 is untagged on ether1 and on the private SSIDs. The bridge itself is a
# tagged member of all three VLANs.
/interface bridge vlan
add bridge=all-vlan-bridge tagged=all-vlan-bridge,ether1_sw2.p15 untagged=\
    wlan3-GuestWifi,wlan6-GuestWifi-5g vlan-ids=20
add bridge=all-vlan-bridge tagged=all-vlan-bridge,ether1_sw2.p15 untagged=\
    wlan4-Control4,wlan5-Control4-5g vlan-ids=40
add bridge=all-vlan-bridge tagged=all-vlan-bridge untagged=\
    ether1_sw2.p15,wlan2-PrivateSSID-5G,wlan1-PrivateSSID vlan-ids=10
# The LAN list contains only the second bridge, not all-vlan-bridge or any
# VLAN interface.
/interface list member
add interface=bridge list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
# The AP obtains its own address on VLAN 10 through vlan10-data.
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=vlan10-data
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# The AP answers DNS queries sent to it.
# NOTE(review): nothing in the input chain below restricts who may query it.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
# Default-configuration firewall rules. The input chain accepts
# established/related/untracked and ICMP and drops invalid, but no rule here
# drops other new connections to the AP itself.
# NOTE(review): access to the AP's own services is therefore not limited by
# this ruleset; confirm that upstream filtering covers it, or add an allow
# rule for the management subnet followed by a final input drop.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# All listed connection-tracking helpers are switched off.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
# telnet, ftp, ssh, api and api-ssl are disabled. www and winbox are not
# listed, so they are presumably left at their defaults -- TODO confirm, and
# consider limiting them to the management subnet.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=OutdoorAP-Bar
/system ntp client
set enabled=yes primary-ntp=192.168.3.254
/system package update
set channel=long-term
# Bandwidth test server is off.
/tool bandwidth-server
set authenticate=no enabled=no
# MAC telnet and MAC winbox are limited to the LAN list, which in this export
# contains only the second bridge.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

haha.. wow - smh!

I was exhausted the other night when I connected this wAP. The switch port it was connected to was WRONG. The config on the wAP was correct and the port configured on the switch was also correct, but I had plugged the wAP into the wrong port, as the switch numbering was not (1up, 2up) etc. Normally 1-24 are top, 25-48 below.

all good! phew

The only thing I didnt understand in your config was this line…
add bridge=all-vlan-bridge tagged=all-vlan-bridge untagged=ether1_sw2.p15,wlan2-PrivateSSID-5G,wlan1-PrivateSSID vlan-ids=10

why is ether1 untagged here??
I’m assuming, of course, that ether1 is the trunk port from the router or managed switch to the wAP AND IS CARRYING the VLANs (vlan 10 should not be untagged on the router side either if it is on a trunk port!)
(10 being home vlan, 20 being guest vlan, 40 being control vlan).

Here is what I think your bridge ports and interface vlans should look like…
/interface bridge port
add bridge=all-vlan-bridge interface=wlan1-PrivateSSID pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=all-vlan-bridge interface=wlan2-PrivateSSID-5G pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=all-vlan-bridge interface=ether1_sw2.p15 pvid=1 (keep this default setting and as well the bridge itself keeps its default pvid=1)
add bridge=all-vlan-bridge interface=wlan3-GuestWifi pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=all-vlan-bridge interface=wlan4-Control4 pvid=40 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=all-vlan-bridge interface=wlan6-GuestWifi-5g pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=all-vlan-bridge interface=wlan5-Control4-5g pvid=40 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
add bridge=all-vlan-bridge tagged=ether1_sw2.p15 untagged=wlan3-GuestWifi,wlan6-GuestWifi-5g vlan-ids=20
add bridge=all-vlan-bridge tagged=ether1_sw2.p15 untagged=wlan4-Control4,wlan5-Control4-5g vlan-ids=40
add bridge=all-vlan-bridge tagged=all-vlan-bridge,ether1_sw2.p15 untagged=wlan2-PrivateSSID-5G,wlan1-PrivateSSID vlan-ids=10

This also assumes all your devices are on VLAN10 (vlan10IPs assigned to wanip, managed switches etc… core LAN).

vlan10 on trunk port is set as native. switchport trunk native, rest are tagged.

yes, switches, core are all on vlan10 subnet - no mgmt (yet). Its relatively small network here in contrast. Didnt feel need to further complicate it by adding mgmt vlan

Thats fine, I have the same with my vlan 11…
Look at my rules…
I don’t untag my core vlan, because none of the etherports on my router are access ports!
If I had one etherport that served a PC on the core LAN, then that bridge port would be untagged in an /interface bridge vlan rule.
The only thing that is untagged by default is the bridge which retains its default pvid=1

/interface vlan
add interface=HomeBridge name=GuestWifi_T&B_V100 vlan-id=100
add interface=HomeBridge name=Guests_WIFI-v200 vlan-id=200
add interface=HomeBridge name=MediaStreaming_V40 vlan-id=40
add interface=HomeBridge name=NAS_V33 vlan-id=33
add interface=HomeBridge name=SOLAR-36 vlan-id=36
add interface=HomeBridge name=TheoVLAN vlan-id=666
add interface=HomeBridge name=VOIP_77 vlan-id=77
add interface=HomeBridge name=VideoCamVLAN vlan-id=99
add interface=HomeBridge name=Wifi-SDevices_cap1 vlan-id=30
add interface=HomeBridge name=Wifi_SDevices_cap2 vlan-id=45
add interface=HomeBridge name=vlan11-home vlan-id=11

/interface bridge port
add bridge=HomeBridge comment=defconf ingress-filtering=yes interface=ether2
add bridge=HomeBridge comment=defconf ingress-filtering=yes interface=ether3

/interface bridge vlan
add bridge=HomeBridge tagged=HomeBridge,ether2 vlan-ids=30,36,40,45,100,200,666
add bridge=HomeBridge tagged=HomeBridge,ether3 vlan-ids=99,77,33
add bridge=HomeBridge tagged=HomeBridge,ether2,ether3 vlan-ids=11

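In addition to these, there is the dynamic rule added by the router itself, which you won’t see in a config download (which bugs the heck out of me). It shows where untagged frames on the bridge and on both trunk ports end up: VLAN 1, the default pvid.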
add bridge=Homebridge vlan-ids=1 {current untagged=Homebridge,eth2,eth3}