wAP vlan trunk to RB

Hi all

I have following hardware :
1 x MikroTik RB3011UiAS-RM that I use as main router and DHCP server for all the VLANs
1 x MikroTik wAP ac access point for WiFi.
1 x D-Link unmanaged PoE switch 8-port
1 x TP-Link managed switch

VLAN5 : 192.168.5.0/24 Main network
VLAN6 : 192.168.6.0/24 Testing
VLAN168 : 192.168.168.0/24 Videosurveillance
VLAN255 : 192.168.255.0/27 Guest WiFi

With the ‘wAP ac’ I want to have a WiFi guest & main network (2 VLANs). There is a cable between the wAP ac and the D-Link switch which powers the wAP ac and then a cable between the D-Link switch and the RB.

How can I configure the wAP ac guest/main VAP as VLANs with the RB?

DHCP of RB needs to be used.

The main network is wlan1+2
Guest network : wlan1----wlan3-guest & wlan2----wlan4-guest

On the wAP ac :
I configured 2 bridges with each their respective VLAN.
On ether1 I added vlan5 & 255.

RB3011UiAS-RM code:

# feb/12/2018 00:36:33 by RouterOS 6.41.1

# "One bridge per VLAN" layout: each VLAN gets its own bridge and the matching
# tagged vlanN interface (see /interface vlan) is a port of it. The pvid= values
# are only consulted when bridge vlan-filtering is enabled; nothing in this
# export enables it, so they have no effect here.
/interface bridge
# bridge-local holds the untagged side of ether2/sfp1. arp=proxy-arp makes the
# router answer ARP for any routable destination on that segment -- confirm this
# is intended; the per-VLAN bridges below do not use it.
add arp=proxy-arp fast-forward=no name=bridge-local
add fast-forward=no name=bridge-vlan5 pvid=5
add fast-forward=no name=bridge-vlan6 pvid=6
add fast-forward=no name=bridge-vlan168 pvid=168
add fast-forward=no name=bridge-vlan255 pvid=255

/interface ethernet
# WAN port renamed; the fixed mac-address looks like a cloned MAC (ISP binding?) -- confirm.
set [ find default-name=ether1 ] mac-address=6C:3B:6B:1C:77:8C name=ether1-wan1
# ether10 is the uplink towards the PoE switch/wAP according to the thread; PoE-out
# is off, presumably because the D-Link switch supplies power itself.
set [ find default-name=ether10 ] poe-out=off poe-priority=0 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=sfp1 ] disabled=yes

# All four VLANs are only defined as tagged sub-interfaces of ether2. ether2 itself
# is a port of bridge-local, so untagged frames on it land there while tagged ones
# are picked up by the vlanN interface. No other port (e.g. ether10, the link to
# the wAP) has a VLAN interface, so tagged frames arriving elsewhere are dropped.
/interface vlan
add interface=ether2 name=vlan5 vlan-id=5
add interface=ether2 name=vlan6 vlan-id=6
add interface=ether2 name=vlan168 vlan-id=168
add interface=ether2 name=vlan255 vlan-id=255

/interface list
add comment=defconf name=LAN
add comment=defconf name=WAN
# "discover" = every interface that is NOT in LAN (plus explicit members below).
# Because exclude=LAN is the only filter, ether1-wan1 is implicitly part of it.
add exclude=LAN name=discover

# DHCP pools, one per VLAN. The guest pool spans .1-.29 of the /27; the router's
# own guest address (.30) sits just outside it.
/ip pool
add name=pool-vlan5 ranges=192.168.5.101-192.168.5.199
add name=pool-vlan168 ranges=192.168.168.11-192.168.168.99
add name=pool-vlan6 ranges=192.168.6.11-192.168.6.249
add name=pool-vlan255 ranges=192.168.255.1-192.168.255.29

# DHCP servers are bound to the per-VLAN bridges. Note that the gateway addresses
# in /ip address are placed on the vlanN interfaces (which are bridge ports), not
# on these bridges -- the server interface and the addressed interface differ.
/ip dhcp-server
# 17w1d lease on the main LAN means a client keeps its address for ~4 months; the
# other VLANs use ~1 day.
add address-pool=pool-vlan5 disabled=no interface=bridge-vlan5 lease-time=17w1d name=dhcp-vlan5
add address-pool=pool-vlan6 disabled=no interface=bridge-vlan6 lease-time=1d10m name=dhcp-vlan6
add address-pool=pool-vlan255 disabled=no interface=bridge-vlan255 lease-time=1d10m name=dhcp-vlan255
add address-pool=pool-vlan168 disabled=no interface=bridge-vlan168 lease-time=1d10m name=dhcp-vlan168

# hw=no switches hardware offloading off on every copper port, so all bridging is
# done by the CPU (this is what lets use-ip-firewall=yes below see the traffic).
/interface bridge port
add bridge=bridge-local hw=no interface=ether2
# ether3-ether10 are untagged access ports of the main LAN. ether10 is the link to
# the PoE switch / wAP (per the thread): untagged = VLAN5 only; tagged VLAN 255
# frames from the wAP have no VLAN interface on ether10 to land on.
add bridge=bridge-vlan5 hw=no interface=ether3
add bridge=bridge-vlan5 hw=no interface=ether4
add bridge=bridge-vlan5 hw=no interface=ether5
add bridge=bridge-vlan5 hw=no interface=ether6
add bridge=bridge-vlan5 hw=no interface=ether7
add bridge=bridge-vlan5 hw=no interface=ether8
add bridge=bridge-vlan5 hw=no interface=ether9
add bridge=bridge-vlan5 hw=no interface=ether10
add bridge=bridge-local hw=no interface=sfp1
# The tagged sub-interfaces of ether2 join their VLAN's bridge. pvid here is
# irrelevant without vlan-filtering (see /interface bridge).
add bridge=bridge-vlan5 interface=vlan5 pvid=5
add bridge=bridge-vlan6 interface=vlan6 pvid=6
add bridge=bridge-vlan255 interface=vlan255 pvid=255
add bridge=bridge-vlan168 interface=vlan168 pvid=168

# Bridged (same-VLAN) frames are passed through /ip firewall as well, including
# frames that only cross a bridge and are never routed. This is what makes the
# "rogue DHCP" forward rule meaningful, at the cost of CPU on every bridged packet.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

# LAN membership covers the physical ports and bridge-local only. The per-VLAN
# bridges and vlanN interfaces are not in LAN, so they (like ether1-wan1) fall
# into "discover" (exclude=LAN). If /ip neighbor discovery-settings points at
# that list (not shown in this export), MNDP/CDP/LLDP is announced on WAN and
# on the guest VLAN as well. No filter rule in this export references LAN.
/interface list member
add interface=ether1-wan1 list=WAN
add interface=bridge-local list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=bridge-local list=discover

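/ip address
# WAN: a static address alongside the dhcp-client on the same port (see
# /ip dhcp-client). If the lease differs from 192.168.0.253 the port is dual-addressed.
add address=192.168.0.253/24 interface=ether1-wan1 network=192.168.0.0
# Per-VLAN gateway addresses are bound to the bridge interfaces, not to the vlanN
# sub-interfaces: vlanN are ports (slaves) of bridge-vlanN, and the DHCP servers
# are already bound to bridge-vlanN. Keeping L3 on the bridge means hosts on
# ether3-10 (bridge-vlan5) and on the tagged trunk reach the same gateway and the
# DHCP server has an address in its own network. The .254/.30 values are unchanged,
# so /ip dhcp-server network stays valid. Verify the "I"/"S" flags clear after applying.
add address=192.168.255.30/27 comment=VLAN255 interface=bridge-vlan255 network=192.168.255.0
add address=192.168.6.254/24 comment=VLAN6 interface=bridge-vlan6 network=192.168.6.0
add address=192.168.5.254/24 comment=VLAN5 interface=bridge-vlan5 network=192.168.5.0
add address=192.168.168.254/24 comment=VLAN168 interface=bridge-vlan168 network=192.168.168.0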

# WAN dhcp-client on the same port that also carries the static 192.168.0.253/24.
# Defaults not shown in the export (use-peer-dns, add-default-route) are "yes",
# so ISP-provided DNS servers and a second default route may appear dynamically.
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1-wan1

# Every VLAN is handed the router's own address as gateway, DNS and NTP server.
# DNS works because /ip dns has allow-remote-requests=yes; NTP only works if the
# router actually runs an NTP server (ntp package not visible in this export).
/ip dhcp-server network
add address=192.168.5.0/24 comment="Network VLAN5 General" dns-server=192.168.5.254 gateway=192.168.5.254 ntp-server=192.168.5.254
add address=192.168.6.0/24 comment="Network VLAN6 Testing" dns-server=192.168.6.254 gateway=192.168.6.254 ntp-server=192.168.6.254
add address=192.168.168.0/24 comment="Network VLAN168 Camera's" dns-server=192.168.168.254 gateway=192.168.168.254 ntp-server=192.168.168.254
# Guest clients are also pointed at the router for DNS, so any input-chain rule
# restricting VLAN255 must keep UDP/TCP 53 (and UDP 67 for DHCP) open.
add address=192.168.255.0/27 comment="Network VLAN255 Guest WiFi" dns-server=192.168.255.30 gateway=192.168.255.30 ntp-server=192.168.255.30

# The router is a recursive resolver for all VLANs (allow-remote-requests=yes).
# Exposure towards the Internet relies entirely on the input-chain "drop all from
# WAN" rule in /ip firewall filter; without it this would be an open resolver.
# Upstream: Level3 (209.244.0.x), Google, and two 212.224.255.x servers.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=209.244.0.3,8.8.8.8,209.244.0.4,8.8.4.4,212.224.255.252,212.224.255.254

# "router" resolves to the main-LAN gateway address for every VLAN that uses this
# resolver, including guests.
/ip dns static
add address=192.168.5.254 name=router

/ip firewall address-list
# "Internal" = every local VLAN, including the guest /27 (added at the bottom).
# Anything keyed on this list (the rogue-DHCP rule, the blocked-websites mangle
# mark) therefore treats guest clients the same as the main LAN.
add address=192.168.5.0/24 list=Internal
# Bogon list (RFC 3330 has since been replaced by RFC 5735/6890). The RFC 1918
# entries are disabled because the WAN side itself is 192.168.0.0/24; the list is
# only consumed by a rule that is disabled in this export.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA" disabled=yes list=bogons
add address=192.168.255.0/27 list=Internal
add address=192.168.168.0/24 list=Internal
add address=192.168.6.0/24 list=Internal

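# Because /interface bridge settings has use-ip-firewall=yes, frames that are only
# bridged inside a VLAN pass through these chains too, not just routed traffic.
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Deliberately placed before the fasttrack rule: once a connection is fasttracked
# the remaining filter rules no longer see its packets, so the reset must fire first.
add action=reject chain=forward comment="Blocked websites list : Block all" connection-mark=blocked_websites_conn protocol=tcp reject-with=tcp-reset
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# Guest isolation. The original chain has no terminal drop, so a VLAN255 client
# could open connections to the main LAN, the test VLAN and the cameras. New
# guest connections to any Internal address are dropped here; Internet access is
# unaffected because WAN destinations are not in that list. The same pattern can
# be applied to the camera VLAN if the cameras should not reach the main LAN.
add action=drop chain=forward comment="Guest: no access to internal VLANs" connection-state=new dst-address-list=Internal src-address=192.168.255.0/27
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# Guest clients only need DHCP and DNS from the router (/ip dhcp-server network
# hands them 192.168.255.30 as DNS). Everything else from VLAN255 towards the
# router itself (WinBox, SSH, WWW, API, ...) is dropped. Initial DHCP DISCOVER
# comes from 0.0.0.0 and is not matched by the src-address drop, so first leases
# still work; unicast renewals from a leased address hit the UDP 67 accept.
add action=accept chain=input comment="Guest: allow DHCP and DNS to router" dst-port=53,67 protocol=udp src-address=192.168.255.0/27
add action=accept chain=input comment="Guest: allow DNS over TCP" dst-port=53 protocol=tcp src-address=192.168.255.0/27
add action=drop chain=input comment="Guest: drop everything else to router" src-address=192.168.255.0/27
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Only matches DHCP server replies whose source is outside the Internal list. A
# rogue server that already holds an internal address (e.g. a misconfigured device
# on VLAN5) is NOT caught; /ip dhcp-server alert or bridge filters cover that case.
add action=drop chain=forward comment="Block Roque DHCP server" dst-port=68 protocol=udp src-address-list=!Internal src-port=67
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Terminal input drop for WAN. This is also what keeps the DNS resolver
# (allow-remote-requests=yes) from being reachable from the Internet.
add action=drop chain=input comment="defconf: drop all from WAN" connection-state="" in-interface-list=WAN
# --- Everything below is disabled in this export and kept as-is. ---
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=yes src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" disabled=yes protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=yes src-address-list=Port_Scanner
# The ICMP jump targets reference a chain named ICMP that is not in this export.
add action=jump chain=input comment="Jump for icmp input flow" disabled=yes jump-target=ICMP protocol=icmp
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=yes jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" disabled=yes dst-address-list=bogons
add action=add-src-to-address-list address-list=Bittorrent_users address-list-timeout=17w1d chain=forward comment="Identify Bittorrent users" disabled=yes layer7-protocol=bittorrent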

# Marks TCP connections from any Internal address (guest VLAN included) that match
# the "blockedwebsites" layer7 regex; the filter chain then resets them. The
# layer7-protocol definition itself is not part of this export. Layer7 matching
# inspects the first packets of every new TCP connection from Internal, so it
# costs CPU on every connection, not only on blocked ones.
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Blocked websites" layer7-protocol=blockedwebsites new-connection-mark=blocked_websites_conn passthrough=yes protocol=tcp src-address-list=Internal

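# Source NAT per VLAN. All four rules now key on the WAN interface list (ether1-wan1
# is its only member, so behaviour is unchanged for VLAN5); previously the VLAN5
# rule named the port directly and would have stopped matching if the WAN port
# were ever changed in the list alone.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN src-address=192.168.5.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN src-address=192.168.6.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN src-address=192.168.168.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN src-address=192.168.255.0/27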

# Static default route via the upstream 192.168.0.1. The dhcp-client on ether1-wan1
# adds its own default route by default, so two default routes coexist if the
# lease's gateway ever differs from this one.
/ip route
add distance=1 gateway=192.168.0.1

# Requests a single IPv6 address (no prefix) for the WAN port and installs a v6
# default route. No /ipv6 firewall filter appears in this export: if the ISP
# hands out a global address, the router's services are reachable over IPv6
# unless such a filter exists outside this paste -- confirm before relying on it.
/ipv6 dhcp-client
add add-default-route=yes interface=ether1-wan1 request=address

Nobody?

If I understand you right, you’re asking how to configure a VAP as a kind of wireless access port, i.e. a member of one particular VLAN?

Something like this:

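# The security profiles referenced below (profile_main, profile_guest) are not part
# of this snippet: create them first under /interface wireless security-profile
# with WPA2-PSK and distinct passphrases, otherwise these commands are rejected.
# country=slovenia is the answerer's value; set it to where the AP actually runs.
/interface wireless
# Main SSID: the wireless interface tags its own frames with VLAN 5
# (vlan-mode=use-tag), so it can share one bridge with the tagged uplink.
set wlan1 band=2ghz-g/n channel-width=20/40mhz-eC country=slovenia disabled=no \
    frequency=2472 frequency-mode=regulatory-domain mode=ap-bridge \
    security-profile=profile_main ssid=ssid_main vlan-id=5 vlan-mode=use-tag \
    wireless-protocol=802.11 wps-mode=disabled
# Guest VAP on VLAN 255. default-forwarding=no stops guest clients from reaching
# each other through the AP (client isolation); it only affects traffic the AP
# would otherwise relay between its own wireless clients, not the uplink.
add default-forwarding=no disabled=no master-interface=wlan1 ssid=ssid_guest \
    security-profile=profile_guest vlan-id=255 vlan-mode=use-tag wps-mode=disabled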

There are some more settings available for both “real” and virtual AP. The main VLAN related options are vlan-id and vlan-mode.

If all the interfaces between the wireless chip on the wAP and the RB3011 are properly configured as a VLAN trunk (with vlan-mode=use-tag the wireless interfaces emit tagged frames themselves, so they can share one bridge with ether1 on the wAP), then DHCP requests et al. from the wireless clients should transparently arrive at the RB3011’s CPU.

There’s an unmanaged PoE switch powering the wAP that is between the wAP and the RB.
It also powers some IP cameras that will be in the same VLAN5 (untagged) as the wAP, but the wAP needs both VLAN5 and VLAN255.

What would be the best practise to take into consideration or setup on the wAP & RB?

wAP ETH1 — Switch – RB ETH10

In theory an unmanaged switch can be VLAN-transparent: 802.1Q-tagged packets are still valid Ethernet frames. Older switches may have problems with tagged frames because of their slightly larger size (the tag adds 4 bytes, so a frame with a full 1500-byte payload is 1522 bytes instead of 1518). Newer switches mostly don’t have such problems; you’ll have to try and see how your PoE switch behaves. Keep in mind, though, that an unmanaged switch does not restrict which tags a port may send or receive: any device plugged into it can emit frames tagged with VLAN 5 or VLAN 255 and land in either network, so the guest/main separation on that segment is only as strong as physical access to the switch. If that matters, put the wAP on the managed TP-Link switch instead, where the trunk port can be limited to exactly those two VLANs.

As the packets from devices, directly hooked to the PoE switch, will be untagged, you have two possibilities:

  1. Carry VLAN5 untagged between RB3011 and wAP, so only VLAN255 stays tagged on that link. You then have to deal with untagged packets on the RB3011 and on the wAP. With the posted RB config, ether10 is already an untagged member of bridge-vlan5, but the RB only defines vlan255 on ether2, so a VLAN 255 interface on ether10 (or bridge VLAN filtering) is still needed for the guest traffic to be picked up.
  2. If you’re lucky, your surveillance cameras can be configured to use VLAN tagging themselves …

There’s third possibility: have VLAN5 traffic partly tagged (between wAP and RB) and partly untagged (between PoE-hooked devices and RB). Unfortunately this is AFAIK not possible … it is not possible to configure a VLAN to be both tagged and untagged on same ethernet port.
A possible workaround would be to employ a “helper” VLAN on the RB, say VLAN 1005: untagged traffic (originating from the PoE-hooked devices) would be mapped to that helper VLAN. Then you would create two VLAN devices on the RB bridge, one for VLAN5 and one for VLAN1005, and a secondary bridge to bridge these two VLAN devices together.

Probably it’s easier and more straight-forward to go with possibility number 1.