Wireless VLAN Bridge No Internet Access

I have an issue, and it is probably something simple, but I need someone else to take a look.

What I am trying to do is set up the RB751U-2HnD with 2 SSIDs, one on VLAN 10 and the other on VLAN 20.

The local network works just fine when wired in.

Take a look and let me know what I am missing.


may/08/2013 15:07:42 by RouterOS 6.0rc14

# Three bridges: bridge-local carries the untagged LAN (ether2 + wlan1),
# and each VLAN bridge joins one virtual AP to its tagged vlan interface
# (membership is defined under /interface bridge port below).
/interface bridge
add l2mtu=1594 name=bridge-VLAN10
add l2mtu=1594 name=bridge-VLAN20
add l2mtu=1598 name=bridge-local

# ether1 is the WAN side (it carries the "Outside IP" and is the NAT
# out-interface below); ether2 is the switch-group master with ether3-5
# as its slave ports, so all four act as one switched LAN segment.
/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-master-local
set 2 master-port=ether2-master-local name=ether3-slave-local
set 3 master-port=ether2-master-local name=ether4-slave-local
set 4 master-port=ether2-master-local name=ether5-slave-local

# Neighbor discovery (MNDP/CDP) is switched off on the WAN port so the
# router does not advertise itself toward the upstream network; keep this.
/ip neighbor discovery
set ether1-gateway discover=no

# NOTE: this is the misconfiguration the thread resolves. The vlan
# interfaces are parented on ether2-master-local, but ether2 is already a
# port of bridge-local, so tagged frames never reach the bridge. The fix
# later in the thread moves interface= to bridge-local for both VLANs.
# (The two statements below were wrapped by the forum paste; each is one line.)
/interface vlan
add interface=ether2-master-local l2mtu=1594 name=vlan10-PrivateWireless
vlan-id=10
add interface=ether2-master-local l2mtu=1594 name=vlan20-GuestWireless
vlan-id=20

# Security profiles for the three SSIDs.
# - The default profile's wpa-pre-shared-key is visible in clear text in
#   this export; treat it as compromised and rotate it. Scrub keys before
#   posting an export (e.g. /export hide-sensitive) rather than by hand.
# - Both added profiles allow only wpa-psk (WPA1) with TKIP for group and
#   unicast ciphers; WPA2 (wpa2-psk) with aes-ccm is the stronger choice
#   if the clients support it.
# - Profile names here (CVACWLAN, CVACGuestWLAN) do not match the names
#   referenced by the wireless interfaces below (WLAN1, GWLAN, PWLAN);
#   presumably renamed for the post, but verify on the live device.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=
dynamic-keys wpa-pre-shared-key=36D402201FF1 wpa2-pre-shared-key=\


add authentication-types=wpa-psk eap-methods=passthrough group-ciphers=tkip
management-protection=allowed mode=dynamic-keys name=CVACWLAN
supplicant-identity="" unicast-ciphers=tkip wpa-pre-shared-key=
****!
add authentication-types=wpa-psk eap-methods=passthrough group-ciphers=tkip
management-protection=allowed mode=dynamic-keys name=CVACGuestWLAN
supplicant-identity="" unicast-ciphers=tkip wpa-pre-shared-key=
****!

# wlan1 is the physical AP (ap-bridge, hidden SSID); GuestWireless and
# PrivateWireless are virtual APs on top of it, each with its own MAC and
# security profile. wlan1 itself is a port of bridge-local, so clients of
# the hidden SSID land on the untagged 10.110.1.0/24 LAN, while the
# virtual APs are bridged to the VLAN bridges.
# (Statements were wrapped by the forum paste; each add/set is one line.)
/interface wireless
set 2 band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=
indoors hide-ssid=yes ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=
ap-bridge security-profile=WLAN1 ssid=WLAN1
add disabled=no l2mtu=2290 mac-address=D6:CA:6D:53:6F:92 master-interface=
wlan1 name=GuestWireless security-profile=GWLAN ssid=Guest
wds-cost-range=0 wds-default-cost=0
add disabled=no l2mtu=2290 mac-address=D6:CA:6D:53:6F:91 master-interface=
wlan1 name=PrivateWireless security-profile=PWLAN ssid=Private
wds-cost-range=0 wds-default-cost=0

# Default hotspot user profile; nothing else in this export enables a
# hotspot, so this setting is unused unless one is configured elsewhere.
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m

# One DHCP lease pool per subnet (local, guest, private); each is
# referenced by the matching server under /ip dhcp-server.
/ip pool
add name=default-dhcp ranges=10.110.1.100-10.110.1.200
add name=GuestWL ranges=172.16.101.100-172.16.101.200
add name=PrivateWL ranges=10.110.11.100-10.110.11.200

# NOTE(review): only the default server shows an interface= here. GuestWL
# and PrivateWL should be bound to bridge-VLAN20 and bridge-VLAN10
# respectively (where their subnets are addressed below); confirm whether
# the value was dropped from the paste or is genuinely unset.
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
add address-pool=GuestWL disabled=no name=GuestWL
add address-pool=PrivateWL disabled=no name=PrivateWL

# Port membership: wlan1 and the ether2 switch group sit untagged on
# bridge-local. Each virtual AP is paired with its vlan interface on a
# dedicated bridge, so client frames leave tagged on the vlan parent.
# This layout is correct; the thread's problem was the vlan parent
# (ether2 instead of bridge-local), not these bridge ports.
/interface bridge port
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-VLAN20 interface=GuestWireless
add bridge=bridge-VLAN20 interface=vlan20-GuestWireless
add bridge=bridge-VLAN10 interface=PrivateWireless
add bridge=bridge-VLAN10 interface=vlan10-PrivateWireless

# Router addresses: .254 on each of the three LAN bridges plus the public
# /28 on ether1 (redacted by the poster as "...").
# (Statements were wrapped by the forum paste; each add is one line.)
/ip address
add address=10.110.1.254/24 comment="default configuration" interface=
bridge-local network=10.110.1.0
add address=.../28 comment="Outside IP" interface=ether1-gateway
network=...
add address=10.110.11.254/24 comment="Private Wireless" interface=
bridge-VLAN10 network=10.110.11.0
add address=172.16.101.254/24 comment="Guest Wireless" interface=
bridge-VLAN20 network=172.16.101.0

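# DHCP options per subnet. The gateway handed out must be this router's
# own address on that subnet (see /ip address above), otherwise clients
# get a default route they cannot reach.
/ip dhcp-server network
add address=10.110.1.0/24 comment="default configuration" dns-server=208.67.222.222 gateway=10.110.1.254
# Fixed: the original export gave Private Wireless clients gateway=10.110.1.254,
# which lies outside 10.110.11.0/24; the router's address on bridge-VLAN10
# is 10.110.11.254.
add address=10.110.11.0/24 comment="Private Wireless" dns-server=208.67.222.222 gateway=10.110.11.254
add address=172.16.101.0/24 comment="Guest Wireless" dns-server=208.67.222.222 gateway=172.16.101.254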

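# Input chain: drop ICMP and all other new traffic arriving on the WAN,
# accept established/related. Forward chain: connection-state tracking
# only, plus (added below) isolation of the guest network.
/ip firewall filter
add action=drop chain=input in-interface=ether1-gateway protocol=icmp
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
# Added: the stated goal is to keep the guest network separate, but the
# forward chain above has no rule after the invalid drop, so guest clients
# could route into the local and private subnets. Drop new connections
# from bridge-VLAN20 toward both; replies to guest-initiated Internet
# traffic are still accepted by the established/related rules.
add action=drop chain=forward comment="Guest isolation" dst-address=10.110.1.0/24 in-interface=bridge-VLAN20
add action=drop chain=forward comment="Guest isolation" dst-address=10.110.11.0/24 in-interface=bridge-VLAN20
# NOTE(review): the input chain still accepts anything from the LAN-side
# bridges, so guest clients can reach the router's own services; restrict
# that separately (while keeping DHCP/DNS reachable) if guests are untrusted.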

# Source NAT for all three LAN subnets behind the single public address
# on ether1. (Statement was wrapped by the forum paste; it is one line.)
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration"
out-interface=ether1-gateway

# Default route toward the ISP; the gateway address was redacted by the
# poster ("..."), and "(Outside Route)" is an annotation, not syntax.
/ip route
add distance=1 gateway=... (Outside Route)

You have your VLANs on ether2, but ether2 is in a bridge. Try setting your VLAN interfaces' parent to the bridge that ether2 is in (bridge-local).

Well, yes, that will work, but it gives out the 10.110.1.* addresses.

I would like to keep the network separate especially the guest network.

So doing that defeats the purpose of my goal, unless I am missing something.

# Attempted change (rejected later in the thread): putting every AP and
# vlan interface on bridge-local collapses all three networks into one
# L2 domain, so guest and private clients receive 10.110.1.x leases and
# the separation the poster wants is lost.
/interface bridge port
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=GuestWireless
add bridge=bridge-local interface=vlan20-GuestWireless
add bridge=bridge-local interface=PrivateWireless
add bridge=bridge-local interface=vlan10-PrivateWireless

You had your bridges correct the first time. Don't put everything in the same bridge. Change your VLANs' interface in /interface vlan to bridge-local.

Okay, I changed it; check the following.
I won't be able to test until morning.

# Corrected configuration (confirmed working later in the thread): the
# vlan interfaces now hang off bridge-local, so tagged frames from the
# VLAN bridges reach the ether2 switch group through the bridge, while
# the bridge-port layout from the original export is kept unchanged.
/interface vlan
add interface=bridge-local l2mtu=1594 name=vlan10-PrivateWireless vlan-id=10
add interface=bridge-local l2mtu=1594 name=vlan20-GuestWireless vlan-id=20

/interface bridge port
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-VLAN20 interface=GuestWireless
add bridge=bridge-VLAN20 interface=vlan20-GuestWireless
add bridge=bridge-VLAN10 interface=PrivateWireless
add bridge=bridge-VLAN10 interface=vlan10-PrivateWireless

That’s what I was talking about.

Let me know if it works.

Thanks “cbrown”

That was the fix appreciate the assistance on this.

No problem. I’m glad you got it working.

Hi cbrown,

It worked for me also. Can you please advise me on this question?

I have Cisco switches on both sides (Ethernet & wireless), which use native VLAN id=1 (untagged) for management.

Is there any way to allow the untagged native VLAN id=1 to pass through bridge-local?

If I create another VLAN with id=1, then it is tagged and there is no communication.
I have been trying for 3 days without a solution. Any help would be greatly appreciated.
Andreas K.

PS: I could change the management VLAN on the switches, but if there is a workaround in ROS, that would be the best solution.