Wireless Dual SSID with VLAN on RB2011 and RB951

I already have a bridged wireless network with 7 x RB951/RB751 hooked to a central RB2011. It has only one SSID right now, everything is bridged by the RB2011 and the users are able to roam. The RB2011 has the DHCP server and route to the rest of the network. This network is for private use.

Now I want to add a new SSID for public purpose. So I think the best way would be to use a second bridged SSID network and use an 802.1Q trunk between the wireless routers and the RB2011 (we have only one Ethernet cable for each wireless router).

I read many things on the web and this forum but didn't manage to make it work until now. I saw people using configs that use the hardware switch chip features.
http://dl.faraznetwork.ir/Files/Mikrotik--Part6.pdf
See P.31

I saw others using only VLANs + software bridge.
http://forum.mikrotik.com/t/vlan-trunking-between-rb2011-and-netgear-gs724t/63632/4

I saw configs on the MikroTik Wiki, but there seem to be missing pieces and I can't get it to work.
http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Example_-_802.1Q_Trunking_with_Atheros_switch_chip_in_RouterOS_v6


For starters, RB951Ui-2HnD uses the Atheros8227 while RB2011 uses Atheros8327 (ether1-5+SFP1) AND Atheros8227 (ether6-10).
http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features



Has anybody come up with a working setup for this?

Ok, here is the hardware based version of the config

Taken from (P.31):
http://dl.faraznetwork.ir/Files/Mikrotik--Part6.pdf

RB951 ports:




For RB951 (trunk on port 5):

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2
set [ find default-name=ether3 ] name=ether3 master-port=ether2
set [ find default-name=ether4 ] name=ether4 master-port=ether2
set [ find default-name=ether5 ] name=ether5 master-port=ether2

/interface ethernet switch port
set 1 default-vlan-id=200 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=300 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=400 vlan-header=always-strip vlan-mode=secure
set 4 vlan-header=add-if-missing vlan-mode=secure
set 5 vlan-mode=secure

/interface ethernet switch vlan
add ports=ether2,ether5 switch=switch1 vlan-id=200
add ports=ether3,ether5 switch=switch1 vlan-id=300
add ports=ether4,ether5 switch=switch1 vlan-id=400
add ports=ether5,switch1-cpu switch=switch1 vlan-id=99

/interface vlan
add interface=ether2 l2mtu=1594 name=vlan99 vlan-id=99

/ip address
add address=192.168.89.2/24 interface=ether1-gateway network=192.168.89.0
add address=192.168.88.1/24 interface=vlan99 network=192.168.88.0

In the "/interface ethernet switch port" section of the code, you see "set 1 default-vlan-id=200 vlan-header=always-strip vlan-mode=secure". The "set 1" corresponds to the # of the switch port seen below (so "set 1" sets "ether2"):

/interface ethernet switch port> print
Flags: I - invalid
 #  NAME            SWITCH   VLAN-MODE  VLAN-HEADER     DEFAULT-VLAN-ID
 0  ether1-gateway  switch1  disabled   leave-as-is     0
 1  ether2          switch1  secure     always-strip    200
 2  ether3          switch1  secure     always-strip    300
 3  ether4          switch1  secure     always-strip    400
 4  ether5          switch1  secure     add-if-missing  0
 5  switch1-cpu     switch1  secure     leave-as-is     0


For RB2011 (trunk on port 9):

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether6 ] name=ether6
set [ find default-name=ether7 ] name=ether7 master-port=ether6
set [ find default-name=ether8 ] name=ether8 master-port=ether6
set [ find default-name=ether9 ] name=ether9 master-port=ether6
set [ find default-name=ether10 ] name=ether10 master-port=ether6

/interface ethernet switch port
set 6 default-vlan-id=200 vlan-header=always-strip vlan-mode=secure
set 7 default-vlan-id=300 vlan-header=always-strip vlan-mode=secure
set 8 default-vlan-id=400 vlan-header=always-strip vlan-mode=secure
set 9 vlan-header=add-if-missing vlan-mode=secure
set 12 vlan-mode=secure

/interface ethernet switch vlan
add ports=ether6,ether9 switch=switch2 vlan-id=200
add ports=ether7,ether9 switch=switch2 vlan-id=300
add ports=ether8,ether9 switch=switch2 vlan-id=400

/interface vlan
add interface=ether9 l2mtu=1594 name=vlan99 vlan-id=99
add interface=ether9 l2mtu=1594 name=vlan200 vlan-id=200
add interface=ether9 l2mtu=1594 name=vlan300 vlan-id=300
add interface=ether9 l2mtu=1594 name=vlan400 vlan-id=400

/ip address
add address=192.168.88.2/24 interface=vlan99 network=192.168.88.0

[admin@RB2011_2] > /ping 192.168.88.1
SEQ HOST SIZE TTL TIME STATUS
0 192.168.88.1 timeout
1 192.168.88.1 timeout

You see, pinging from RB2011 to RB951 times out. What's wrong?
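
With vlan-mode=secure, the switch chip drops tagged frames whose VLAN ID has no entry in the switch VLAN table, or whose ingress port is not listed in that entry, so every VLAN the router itself terminates needs a table entry that includes the switch CPU port. The following consistency check is an added example, not part of the original post: it reads the RB2011 lines quoted above and flags each "/interface vlan" ID that the table does not cover. It assumes CPU port names end in "-cpu" (as switch1-cpu does in the print output), and it tests only this one rule, not every possible cause of the timeout.

```python
import re

# Config lines copied from the RB2011 section of the post above.
RB2011_EXPORT = """\
/interface ethernet switch vlan
add ports=ether6,ether9 switch=switch2 vlan-id=200
add ports=ether7,ether9 switch=switch2 vlan-id=300
add ports=ether8,ether9 switch=switch2 vlan-id=400
/interface vlan
add interface=ether9 l2mtu=1594 name=vlan99 vlan-id=99
add interface=ether9 l2mtu=1594 name=vlan200 vlan-id=200
add interface=ether9 l2mtu=1594 name=vlan300 vlan-id=300
add interface=ether9 l2mtu=1594 name=vlan400 vlan-id=400
"""

def parse_export(text):
    """Group 'add key=value ...' lines under their RouterOS menu path."""
    sections, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
            sections.setdefault(menu, [])
        elif line.startswith("add ") and menu:
            sections[menu].append(dict(re.findall(r"(\S+?)=(\S+)", line)))
    return sections

def audit_cpu_vlans(text):
    """Return {vlan_id: problem} for CPU VLAN interfaces the switch table does not cover."""
    sections = parse_export(text)
    table = {}
    for row in sections.get("/interface ethernet switch vlan", []):
        table.setdefault(int(row["vlan-id"]), set()).update(row["ports"].split(","))
    findings = {}
    for row in sections.get("/interface vlan", []):
        vid = int(row["vlan-id"])
        if vid not in table:
            findings[vid] = "no switch VLAN table entry"
        elif not any(p.endswith("-cpu") for p in table[vid]):  # assumed naming
            findings[vid] = "entry lacks the switch CPU port"
    return findings

if __name__ == "__main__":
    for vid, problem in sorted(audit_cpu_vlans(RB2011_EXPORT).items()):
        print(f"vlan-id={vid}: {problem}")
```

Run against the RB951 lines from the same post, the check reports nothing for VLAN 99, because that table entry lists switch1-cpu.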