Winbox - I see all VLANs

Hello,

I see every access point in all VLANs in the Winbox. Why?
Here is the configuration of an access point

/interface bridge
add name=BRIDGE protocol-mode=none
/interface wireless
# managed by CAPsMAN
# channel: 2437/20/gn(17dBm), SSID: DM, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ce/ac/P(21dBm), SSID: DM, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface vlan
add comment=MGT interface=BRIDGE name=VLAN_99 vlan-id=99
add comment=COMPANY interface=BRIDGE name=VLAN_100 vlan-id=100
add comment=GAST interface=BRIDGE name=VLAN_200 vlan-id=200
add comment=DMZ interface=BRIDGE name=VLAN_300 vlan-id=300
add comment=HOTSPOT interface=BRIDGE name=VLAN_400 vlan-id=400
add comment=PRIVATE interface=BRIDGE name=VLAN_500 vlan-id=500
add comment=LTE interface=BRIDGE name=VLAN_600 vlan-id=600
add comment=BACKUP01 interface=BRIDGE name=VLAN_700 vlan-id=700
add comment=BACKUP02 interface=BRIDGE name=VLAN_800 vlan-id=800
add comment=PHONE interface=BRIDGE name=VLAN_900 vlan-id=900
add comment=IOT interface=BRIDGE name=VLAN_1000 vlan-id=1000
/interface ethernet switch port
set 0 vlan-mode=secure
set 1 default-vlan-id=100 vlan-mode=secure
set 2 default-vlan-id=100 vlan-mode=secure
set 3 default-vlan-id=100 vlan-mode=secure
set 4 default-vlan-id=99 vlan-mode=secure
set 5 vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=BRIDGE interface=ether1
add bridge=BRIDGE interface=ether2
add bridge=BRIDGE interface=ether3
add bridge=BRIDGE interface=ether4
add bridge=BRIDGE interface=ether5
add bridge=BRIDGE interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=500
add independent-learning=yes ports=ether1,ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=200
add independent-learning=yes ports=ether1,ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=300
add independent-learning=yes ports=ether1,ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=400
add independent-learning=yes ports=ether1,ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=1000
add independent-learning=yes ports=ether1,ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=900
add independent-learning=yes ports=ether1,ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=800
add independent-learning=yes ports=ether1,ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=700
add independent-learning=yes ports=ether1,ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=600
add independent-learning=yes ports=switch1-cpu,ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=99
add independent-learning=yes ports=switch1-cpu,ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=100
/interface wireless cap
# 
set bridge=BRIDGE discovery-interfaces=VLAN_99,VLAN_100 enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
add interface=VLAN_99
add interface=VLAN_100
/ip dns
set allow-remote-requests=yes

/ip neighbor discovery-settings
set discover-interface-list=!dynamic

This says that neighbour discovery works over any interface which is not dynamic … VLAN interfaces are not dynamic as you statically created them. So ND is allowed from (almost) anywhere.

I would like to continue using the Neighbors. Just per vlan. How can you configure it then?

add name=BRIDGE protocol-mode=none

Your VLAN config is incomplete; add vlan-filtering=yes to your bridge config and, depending on your setup, also frame-types=admit-only-vlan-tagged.

VLAN filtering is only available with CRS3XXX, but I have a Mikrotik 962 HAP AC

Here is the table:
https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Hardware_Offloading

or am I not understanding something here?

What do you mean “per vlan”? If you want discovery only for certain VLANs, then create an interface list and add only the VLAN interfaces you want to enable ND on … then change the setting I pointed out to use the new interface list.
If something else is on your mind, then explain what troubles you more concisely.

When I start Winbox, I see the same access point 5 times because it has 5 VLANs.
If I am in the company VLAN, I only want to see the IP addresses or MAC addresses of the access point from the company network.
What does Winbox actually have to do with neighbors?
Under /ip/neighbours, it’s OK if I see the access point 5 times, but not in Winbox.

If your PC is connected to a trunk port, then you’ll see neighbour advertisements on all VLANs because most Windows NIC drivers strip off VLAN tags on ingress, and you see ND also on VLANs that your PC should ignore … you won’t be able to (MAC) connect to devices via most (if not all) MAC addresses because the switch expects frames tagged with the correct VID but NIC drivers don’t add tags (connectivity via IP is a completely different beast; it might or might not work, depending on routing and firewall rules).

You also see devices on multiple VLANs because MT devices are configured to be discoverable on all devices. I already explained how to limit discovery to only a subset of interfaces (VLANs); ideally you should limit discovery to only the management interface (VLAN).

BTW, Winbox uses the same neighbour discovery to list MT devices …
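
The interface-list approach described in the replies above, written out as RouterOS commands. This is an added example, not part of any post in the thread; the list name MGMT is an assumption, and VLAN_99 / VLAN_100 are the interface names from the posted configuration.

```routeros
# Added example: restrict neighbour discovery to the management VLAN.
# "MGMT" is an assumed list name; VLAN_99 is the MGT interface from the posted export.

# Before (from the posted export): every non-dynamic interface announces the
# device, so each statically created VLAN interface yields its own neighbour
# entry and the access point is listed once per VLAN in Winbox.
#   /ip neighbor discovery-settings set discover-interface-list=!dynamic

# 1. Create an interface list containing only the management VLAN interface.
/interface list
add name=MGMT comment="interfaces allowed to run neighbour discovery"
/interface list member
add list=MGMT interface=VLAN_99
# To stay discoverable from the company VLAN as well, add a second member:
#   add list=MGMT interface=VLAN_100

# 2. Point neighbour discovery at that list instead of !dynamic.
/ip neighbor discovery-settings
set discover-interface-list=MGMT

# 3. Related setting, not discussed in the thread: limit MAC-Telnet and
#    MAC-Winbox access to the same list so they match what is discoverable.
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

# 4. Verify the result.
/interface list member print where list=MGMT
/ip neighbor discovery-settings print
```

After the change, the device should appear in the Winbox neighbour list only once per interface that is a member of the list.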