wifiwave2 vAPs and vlan

Hi,

I’m running my home network with a few APs managed via CAPsMAN so far. I have my main network connected to my primary wifi but also two other vAP wifi networks which should be separated from my internal network (guest and iot).
For that I’ve been using CAPsMAN forwarding to manage filtering and routing on my central router.

Now I’ve got my first AX device using wifiwave2, and since mixed operation is currently not supported and CAPsMAN forwarding is gone, I want to separate those additional wifi networks using VLANs, and I’m always confused about VLAN in general.

I mainly looked at those two documents
https://help.mikrotik.com/docs/display/ROS/WifiWave2
https://help.mikrotik.com/docs/display/ROS/CAPsMAN+with+VLANs
to get an idea of how that should be done.

So what I currently have is:

 1 name="eg-2g-guest" mac-address=4A:A9:8A:EA:C9:D9 arp-timeout=auto master-interface=eg-2g 
   configuration.mode=ap .ssid="MikroTik-EAC9D9's Guests" .country=Germany 
   security.authentication-types=wpa2-psk,wpa3-psk .encryption="" .passphrase="*******" 
   datapath.bridge=bridge .client-isolation=yes .vlan-id=20 
   channel.width=20mhz

Where the bridge is just the default bridge on the ax3 and vlan-filtering for it is “off” as described in the manual “A bridge vlan-filtering can be disabled if additional VLAN managing and controlling is not needed.”
So the bridge is

0 I ether2       bridge  yes     1  0x80             10                  10  none   
1 I ether3       bridge  yes     1  0x80             10                  10  none   
2 I ether4       bridge  yes     1  0x80             10                  10  none   
3 I ether5       bridge  yes     1  0x80             10                  10  none   
4 I eg-5g        bridge          1  0x80             10                  10  none   
5 I eg-2g        bridge          1  0x80             10                  10  none   
6 I eg-2g-guest  bridge         20  0x80             10                  10  none   
7   ether1       bridge  yes     1  0x80             10                  10  none

From that setup I would assume that the vlan tags are persisted everywhere within the bridge and the associated interfaces (ether1 is where the central router is connected, via another simple switch).

On the central router side I tried to apply the same logic as I’m already using for another vlan connection:

[admin@MikroTik] > /interface/vlan/print
Flags: R - RUNNING
Columns: NAME, MTU, ARP, VLAN-ID, INTERFACE
#   NAME            MTU  ARP      VLAN-ID  INTERFACE    
0 R vlan-ffgw      1500  enabled       11  ether3-Office
1 R vlan-freifunk  1500  enabled       10  ether3-Office
2 R vlan-guest     1500  enabled       20  ether3-Office

Where ether3 is the interface the AP is connected to.
vlan-guest is then assigned as a port to bridge-guest (which is what I already used for the CAPsMAN forwarded traffic):

20     vlan-guest        bridge-guest         20  0x80             10                  10  none

Now the thing is: it does not work. When I connect a client to eg-2g-guest, the connection is not established. My assumption is that it does not receive any DHCP answer from bridge-guest, but it could also be something else; I’m not exactly sure how to find out. I’m pretty sure it’s related to the setup above, which is probably wrong, but I’m running out of ideas what it might be.

Any pointers?

Disclaimer: I’m running wifiwave2 on an AC device (Audience) and I’m restricting VLAN config to the (vlan-enabled) bridge on that device, and it has worked well ever since I installed the wifiwave2 driver (back in 7.1 times). So I don’t follow VLAN features of wifiwave2 closely.

From forum posts I’ve got the impression that VLAN handling “native to the wifiwave2 driver” is currently somehow broken. People reported issues with capsman2 provisioned interfaces. Since capsman2 is tightly coupled with the wifiwave2 driver, it could well be that the wifiwave2 driver is broken in this aspect. So you may want to dive into the abyss of the vlan-enabled bridge on your AX device to make things work.

wifiwave2 using VLAN: no problem. I have AX3 and AX2 setup with all this in place.

Wifiwave2 on capsman using VLAN: might become tricky… the key point being that (for now) one has to disable VLAN filtering on the AP bridge.
For devices purely used as AP, it will work from capsman.

But once you also want to add some ether-ports to that VLAN setup, that’s where the complexity starts.
I have been toying with it quite a bit on 7.8 and raised a support ticket for it. Disabling VLAN filtering on the bridge was the answer then (as well as a message that it’s being worked on).
Tried it again using 7.10, same status.
It could be there is a proper way to do it, but I haven’t found it yet (and it certainly is not yet documented from what I could see).

Is this only when you plan to use other ports in the VLAN? Because I didn’t disable VLAN filtering on the caps bridge and I’m using VLANs on virtual wifi interfaces.

Quick follow-up.
I think I solved my problem and apparently my setup was about right.

But $SOMETHING created bridge firewall rules and dropped forwarding for the eg-2g-guest interface within the bridge. Actually, I’m sure I didn’t do this. So something automatic within ROS thought it might be a good idea based on something I did before.

    [admin@hap-ax-eg] > /interface/bridge/filter/pr
    Flags: X - disabled, I - invalid, D - dynamic
    0 chain=forward action=drop in-interface=eg-2g-guest
    1 chain=forward action=drop out-interface=eg-2g-guest

In case anyone knows where that was coming from, please let me know.
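As an added example, not posted by anyone in this thread, here is the setup the original question describes assembled as RouterOS 7 CLI commands, together with the bridge filter check that the follow-up turned out to need. It covers both the AP side (guest vAP with datapath.vlan-id=20 on a bridge with vlan-filtering left off, as the WifiWave2 manual allows) and the central router side (VLAN 20 terminated on ether3-Office and bridged into bridge-guest). Interface and bridge names are the thread's own; the SSID, passphrase and DHCP server name are placeholders. The `/interface/wifiwave2` path is the one of the wifiwave2 package used in this thread (7.8 to 7.10); in later releases the package was merged into RouterOS and the path became `/interface/wifi`.

```routeros
# Added example: the thread's setup as RouterOS 7 CLI commands (wifiwave2 package).
# Placeholders (assumptions): GUEST-SSID-PLACEHOLDER, PASSPHRASE-PLACEHOLDER, dhcp-guest-PLACEHOLDER.

# --- AP side (hAP ax3 with the wifiwave2 package) ---

# Keep VLAN filtering off on the default bridge; the manual allows this when no
# further VLAN control on the bridge is needed. Tagged frames from the vAP then
# pass through the bridge unchanged towards ether1 and the central router.
/interface/bridge set [find name=bridge] vlan-filtering=no

# Guest virtual AP on top of the 2.4 GHz radio. datapath.vlan-id=20 makes the
# driver tag client traffic with VLAN 20; datapath.bridge=bridge adds the vAP
# to the bridge automatically (it appears with pvid 20 in the bridge port list).
/interface/wifiwave2 add name=eg-2g-guest master-interface=eg-2g \
    configuration.mode=ap configuration.ssid="GUEST-SSID-PLACEHOLDER" \
    configuration.country=Germany \
    security.authentication-types=wpa2-psk,wpa3-psk \
    security.passphrase="PASSPHRASE-PLACEHOLDER" \
    datapath.bridge=bridge datapath.client-isolation=yes datapath.vlan-id=20 \
    channel.width=20mhz

# Check for bridge filter rules that drop the guest vAP's traffic inside the
# bridge (the cause found in the follow-up). Expect no rules naming eg-2g-guest.
/interface/bridge/filter print

# Remove such rules only if you did not create them on purpose.
/interface/bridge/filter remove [find chain=forward action=drop in-interface=eg-2g-guest]
/interface/bridge/filter remove [find chain=forward action=drop out-interface=eg-2g-guest]

# --- Central router side ---

# Terminate VLAN 20 on the port the AP is behind and make it a port of the
# guest bridge, so guest clients reach the DHCP server on bridge-guest the same
# way they did with CAPsMAN forwarding. Skip the bridge add if it already exists.
/interface/vlan add name=vlan-guest vlan-id=20 interface=ether3-Office
/interface/bridge add name=bridge-guest
/interface/bridge/port add bridge=bridge-guest interface=vlan-guest

# --- Verification ---

# On the AP: the client should show up as associated on the guest vAP.
/interface/wifiwave2/registration-table print where interface=eg-2g-guest

# On the router: the client should obtain a lease from the guest DHCP server.
/ip/dhcp-server/lease print where server=dhcp-guest-PLACEHOLDER
```

If the client associates but never gets a lease, check the AP's bridge filter list first, as in the follow-up, and then the router's `/interface/vlan` list to confirm vlan-guest is running on the port that actually faces the AP; an intermediate unmanaged switch must simply pass tagged frames, which the thread's setup relies on.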