I’m trying to set up a wireless VLAN trunk using the MikroTik cAP AC. The configuration is as follows:
MikroTik cAP AC (Wireless AP) <— WLAN —> TP-Link CPE210 (Wireless Client) <— LAN —> MikroTik cAP AC
My goal is to have a VLAN trunk between the two MikroTik routers; however, there must be a wireless connection and the receiver of the wireless signal must be the TP-Link CPE 210, forwarding the signal via LAN to the receiving MikroTik router. The CPE210 should be able to handle VLAN transparently (meaning, if the WLAN signal has VLAN tags, they should be forwarded transparently).
I can connect both devices via LAN (tagged VLAN ID3, non-tagged VLAN ID1) and everything works fine. However, using WLAN, it seems to me that the MikroTik is not transmitting the VLAN tag where required.
Is this assumption right and how can I configure the MikroTik to transmit the VLAN ID3 tagged and ID1 non-tagged over WLAN?
Even if the way the VLAN tags are transmitted were compatible between Mikrotik and TP-Link, I’m afraid the 4-address format of the wireless frame, which you need for bridging, is not. 802.11 only specifies a 3-address frame format where the MAC address of the wireless receiver and the MAC address of the Ethernet recipient are assumed to be the same one for AP->STA frames, and the MAC address of the wireless sender is assumed to be the same as the MAC address of the Ethernet sender for the STA->AP frames, so a single protocol field is used for them. So if you cannot replace the TP-Link client with another Mikrotik, you’ll have to set up an EoIP tunnel between the Mikrotiks in order to bridge frames without losing information. Such a setup gets more complicated if you need the LAN between the TP-link and the cAP AC to be part of the bridge, as then the EoIP tunnel will be a port of a bridge it uses to send its transport packets, so you’ll have to set the MTU of the bridge manually and set the MTU of the EoIP interface to the same value, causing large payload frames to be sent using fragmented transport packets.
Because RouterOS uses proprietary extensions to the wireless protocol that allow it to be used for transparent bridging. Some other vendors do that too but there is no vendor that would have a compatibility agreement with Mikrotik, so Mikrotik devices only use air frames in the proprietary format when talking to other Mikrotik devices.
As I never had any use case for using VLAN tags alone, i.e. without MAC-transparent bridging, I never took the effort to find out whether 802.11 requires support of VLAN tagging. So I did a quick Google search now and found this. Executive summary: No.
If your TP-link box is able to link an SSID at wireless client side to a VLAN tag on wired side and supports multiple virtual client interfaces sharing the same physical one (which would surprise me as it is again a very niche application), you can map each VLAN to an SSID if you need to transport just two or three VLANs. But the cAP ac at the left of your diagram will still see everything as coming from the MAC address of the TP-link, and it will be unable to send anything to any other MAC address than the one of the TP-link.
That’s why I wrote that EoIP is your only chance (unless you run RouterOS 7.x and can use VxLAN instead) to transparently interconnect bridges on the two cAP acs if the TP-link (or any other non-Mikrotik wireless client for that matter) has to stay in place. VPLS uses MPLS frames so I doubt a non-Mikrotik wireless gear would forward them, and L2TP-BCP is not compatible with VLAN filtering.
If you describe the use case in more detail, some requirements may turn out to be absent, but for a generic case, that’s how it is.
Okay, thanks for this detailed reply. I just bought a MikroTik wAP ac (or rather bought it two months ago and now it was delivered) to replace the CPE 210 and it worked almost immediately.
I’m kinda surprised (and if it’s true that MikroTik changes the Ethernet frames transmitted depending on the receiver vendor with no configuration possible, I really don’t like that).
Just one or two questions if this setup is just working out of luck:
I use VLAN 1 for regular traffic (untagged), and VLAN 3 for special applications (tagged). The receiving station is configured, but the “VLAN filtering” checkbox is not enabled.
To clarify a little bit:
MikroTik cAP AC (Wireless AP, Device A) <— WLAN —> MikroTik wAP AC (Wireless Station, Device B) <— LAN —> MikroTik cAP AC (Wireless AP, Device C)
Device A:
A special WiFi Interface is configured, with VLAN 1 (no tag) as default configuration. Just under the “Bridge->VLANs” the VLAN 3 is added as tagged network to this wifi interface. VLAN filtering is enabled.
Device B:
The wifi is configured as station, and with VLAN 1 (no tag) as configuration. Just under “Bridge->VLANs” the VLAN 3 is added to the wifi interface and ether-port. VLAN filtering is not enabled.
First of all, vlan-filtering may be a slightly misleading name, but vlan-awareness may be equally misleading so I guess it can’t be helped. The thing is that this setting affects how the bridge handles the VLAN tags. With yes, the bridge respects them and can add/strip them on ingress/egress; with no, it completely ignores them, handling tagged and tagless frames exactly the same. So as long as you don’t want a bridge port to be an access one to a particular VLAN (i.e. adding the VLAN tag to ingress frames and stripping it from the egress ones) or limit the membership of ports in the VLANs, vlan-filtering does not need to be enabled to just allow tagged frames to flow through the bridge. The fact that you have added VLAN 3 as a permitted one to the wireless interface and the Ethernet one in configuration is simply ignored with vlan-filtering set to no.
Second, I never dove into the precise behavior too much, but I’d say that since the Mikrotik APs talk to non-Mikrotik clients in a way the latter ones can understand, and since the proprietary wireless frames are harmless in terms that they don’t affect the operation of non-Mikrotik devices, there is no need to be nervous about extra features to be supported among Mikrotik devices. Other vendors do exactly the same. However, the choice between the 3-MAC-address mode and the 4-MAC-address one is definitely not an autonomous decision of the device - to use the 4-MAC-address mode, you have to set the mode of the client wireless interface to station-bridge rather than mere station. The AP adjusts the frame format to the requirements of each individual client, so both types of clients can happily coexist on the same AP and SSID.
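The 3-address versus 4-address distinction discussed in the replies above can be seen by building the client-to-AP 802.11 data header both ways and checking which Ethernet source the AP can recover. This is an added example, not code from the thread or from MikroTik; the MAC addresses are constructed and the function names are hypothetical.

```python
import struct

# Constructed sample addresses (locally administered), not from the thread.
HOST_BEHIND_STA = "02:00:00:00:00:c1"   # wired device behind the wireless client
STA_RADIO       = "02:00:00:00:00:b1"   # wireless client's own radio MAC
AP_BSSID        = "02:00:00:00:00:a1"   # access point
HOST_BEHIND_AP  = "02:00:00:00:00:a9"   # wired device behind the AP

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def fmt(raw):
    return ":".join(f"{b:02x}" for b in raw)

def sta_to_ap_header(eth_src, eth_dst, sta, bssid, four_addr):
    """Build the 802.11 data-frame header a client sends towards the AP."""
    frame_control = (2 << 2) | (1 << 8)          # type=data, ToDS=1
    if four_addr:
        frame_control |= 1 << 9                  # FromDS=1 as well
    # Addr1 = receiver (AP), Addr2 = transmitter, Addr3 = Ethernet destination.
    # With three addresses, Addr2 doubles as the Ethernet source, so it can
    # only be the client's radio MAC; eth_src has no field of its own.
    hdr = struct.pack("<HH", frame_control, 0)
    hdr += mac(bssid) + mac(sta) + mac(eth_dst)
    hdr += struct.pack("<H", 0)                  # sequence control
    if four_addr:
        hdr += mac(eth_src)                      # Addr4 = Ethernet source
    return hdr

def ap_view(hdr):
    """Return the (source, destination) the AP can hand to its bridge."""
    (frame_control,) = struct.unpack_from("<H", hdr, 0)
    to_ds, from_ds = (frame_control >> 8) & 1, (frame_control >> 9) & 1
    if not to_ds:
        raise ValueError("not a client-to-AP data frame")
    dst = fmt(hdr[16:22])                        # Addr3
    src = fmt(hdr[24:30]) if from_ds else fmt(hdr[10:16])  # Addr4 or Addr2
    return src, dst

def compare():
    args = (HOST_BEHIND_STA, HOST_BEHIND_AP, STA_RADIO, AP_BSSID)
    return {mode: ap_view(sta_to_ap_header(*args, four_addr=(mode == "4-address")))
            for mode in ("3-address", "4-address")}

if __name__ == "__main__":
    for mode, (src, dst) in compare().items():
        print(f"{mode}: bridge sees src={src} dst={dst}")
```

In the 3-address case the AP-side bridge only ever learns the client's radio MAC, which is the behaviour the reply describes for a plain station; the 4-address header carries the wired sender's MAC through unchanged.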