WLAN AP, different VLANs for different SSIDs, hAP ax3

Dear all,

starting a new topic.
TL;DR

Setup:
Local network connected to ISP via a firewall
Firewall is capable of VLAN tagging
Configured two additional VLANs on firewall
VLAN 198: untrusted WLAN clients, no access to LAN, only Internet access
VLAN 70: semi-trusted WLAN clients, access from LAN and access to the Internet

LAN is not tagged, management via ether5

ether1 is connected to a trunk port on the network switch with VLANs 70 and 198 configured for the trunk

Target:
Have one SSID for VLAN 198 on both radios
Have another SSID for VLAN 70 on both radios

Firewall has a DHCP server configured on both VLAN interfaces (192.168.70.253 and 192.168.198.254)
Initially tried to configure DHCP servers on the hap, but didn’t succeed.
Configured DHCP-relays, but still not working.


Current Status:
I can connect to the untrusted WLAN, but only if I configure a static IP. DHCP is not working.

Semi-trusted AP (SSID=IOT, VLAN=70) doesn’t seem to be able to connect to the Internet.

ARP table on the hAP doesn’t show the gateways connected, although I have Internet access:

/ip/arp> print detail
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published; C - complete
 0 DC address=192.168.98.40 mac-address=38:D5:47:B0:39:46 interface=ether5 published=no status="reachable"
 1 D  address=192.168.98.11 interface=ether5 published=no status="failed"
 2 DC address=192.168.98.201 mac-address=00:25:90:A1:CD:0F interface=ether5 published=no status="stale"
 3 D  address=192.168.70.254 interface=bridge1 published=no status="failed"
 4 D  address=192.168.198.254 interface=bridge1 published=no status="failed"
 5 DC address=192.168.98.2 mac-address=00:86:9C:55:AD:13 interface=ether5 published=no status="stale"

ARP table on the firewall for VLAN 198:

show arp ethernet1/4.198

maximum of entries supported :      3000
default timeout:                    1800 seconds
total ARP entries in table :        3
total ARP entries shown :           3
status: s - static, c - complete, e - expiring, i - incomplete

interface         ip address      hw address        port              status   ttl
--------------------------------------------------------------------------------
ethernet1/4.198   192.168.198.10  ba:e9:ef:11:91:c2 ethernet1/4         c      154
ethernet1/4.198   192.168.198.20  5e:43:55:d7:fc:72 ethernet1/4         c      1796
ethernet1/4.198   192.168.198.90  b8:27:eb:d1:32:6d ethernet1/4         c      1076

.10 and .20 are WLAN clients that have access to the Internet.
.90 is a different device not related to the current setup questions.

Open questions after a lot of RTFM:

  • Why is DHCP not working?
  • If I understood the manual correctly, a bridge needs to have an IP for VLAN switching to work. But in which VLAN do I assign this IP?
  • Is my thinking correct about setting up different SSIDs for different VLANs?
  • I saw some statements about the hAP being in AP mode or router mode. Am I in AP mode and how do I switch to router mode if that is needed?

Current config:

# 2024-05-15 01:58:28 by RouterOS 7.14.3
# software id = 016R-KMTY
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = 
/interface bridge
add ingress-filtering=no name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
set [ find default-name=ether5 ] comment=mgmt
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Switzerland .mode=ap .ssid=MikroTik-328170 \
    datapath.vlan-id=198 disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .connect-priority=0 .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Switzerland .mode=ap .ssid=MikroTik-328170 \
    datapath.vlan-id=198 disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .connect-priority=0 .ft=yes .ft-over-ds=yes
/interface vlan
add interface=ether1 name=trusted vlan-id=70
add interface=ether1 name=untrusted vlan-id=198
/interface wifi
add configuration.mode=ap .ssid=IOT datapath.bridge=bridge1 .vlan-id=70 \
    disabled=no mac-address=7A:9A:18:32:81:70 master-interface=wifi1 name=\
    IOTWLAN1 security.authentication-types=wpa2-psk,wpa3-psk \
    .connect-priority=0
add configuration.mode=ap .ssid=IOT datapath.bridge=bridge1 .vlan-id=70 \
    disabled=no mac-address=7A:9A:18:32:81:71 master-interface=wifi2 name=\
    IOTWLAN2 security.authentication-types=wpa2-psk,wpa3-psk \
    .connect-priority=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=trusted pvid=\
    70 trusted=yes
add bridge=bridge1 interface=untrusted pvid=198
add bridge=bridge1 interface=wifi1 pvid=198
add bridge=bridge1 interface=wifi2 pvid=198
/ipv6 settings
set disable-ipv6=yes forward=no
/interface bridge vlan
add bridge=bridge1 tagged=trusted,*10,*11,bridge1 vlan-ids=70
add bridge=bridge1 tagged=untrusted,wifi1,wifi2,bridge1 vlan-ids=198
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/interface list member
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.198.253/24 interface=untrusted network=192.168.198.0
add address=192.168.98.91/24 interface=ether5 network=192.168.98.0
add address=192.168.198.1/24 interface=wifi1 network=192.168.198.0
add address=192.168.198.2/24 interface=wifi2 network=192.168.198.0
add address=192.168.70.253/24 interface=trusted network=192.168.70.0
add address=192.168.70.1/24 interface=IOTWLAN1 network=192.168.70.0
add address=192.168.70.2/24 interface=IOTWLAN2 network=192.168.70.0
/ip dhcp-relay
add dhcp-server=192.168.70.254 disabled=no interface=*C local-address=\
    192.168.70.3 name=DHCPRelaytrust1
add dhcp-server=192.168.70.254 disabled=no interface=*D local-address=\
    192.168.70.4 name=DHCPtrust2
add dhcp-server=192.168.198.254 disabled=no interface=wifi1 local-address=\
    192.168.198.3 name=DHCPuntrust1
add dhcp-server=192.168.198.254 disabled=no interface=wifi2 local-address=\
    192.168.198.4 name=DHCPuntrust2
/ip dhcp-server network
add address=192.168.198.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=\
    192.168.198.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.70.254 pref-src=192.168.70.253 routing-table=main \
    suppress-hw-offload=no vrf-interface=ether1
/ip service
set ssh address=192.168.98.0/24


/routing rule
add action=lookup disabled=no dst-address=0.0.0.0/0 interface=untrusted \
    routing-mark=main src-address=192.168.198.0/24 table=main
add action=lookup disabled=no dst-address=0.0.0.0/0 interface=trusted \
    routing-mark=main src-address=192.168.70.0/24 table=main
/system clock
set time-zone-name=Europe/Zurich
/system note
set show-at-login=no

Thanks and Regards,
Andreas

One more open question:

The two different SSIDs and corresponding VLANs need different default routes:

network 192.168.70.0/24 needs default route via gateway 192.168.70.254
network 192.168.198.0/24 needs default route via gateway 192.168.198.254

How do I configure this correctly?

Thanks and Regards,
Andreas
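For comparison with the setup described in the thread, here is an added example of the usual bridge-VLAN-filtering layout for a hAP ax3 serving one SSID per VLAN on both radios; it is not the poster's configuration. It assumes the hAP acts as a pure Layer-2 access point with the firewall as the only router and DHCP server for VLANs 70 and 198, so the AP keeps no address or route in either client VLAN and the firewall remains the single point where traffic between the untrusted and semi-trusted networks is controlled. The SSID name "Guest" and the placeholder MGMT_GATEWAY_IP are assumptions; everything else reuses names and values from the thread.

```routeros
# Added example, not the poster's config: hAP ax3 as a pure Layer-2 AP.
# Assumptions: ether1 is the trunk to the switch (VLANs 70 and 198 tagged),
# ether5 is an untagged management port outside the bridge, and the
# firewall is the only router and DHCP server for both VLANs, so the AP
# holds no address in 70/198 and needs no dhcp-relay or per-VLAN routes.
/interface bridge
add name=bridge1 vlan-filtering=no
# Both radios carry the untrusted SSID; the wifi interfaces are added to
# the bridge manually below, so datapath.bridge is left unset.
/interface wifi
set [ find default-name=wifi1 ] configuration.mode=ap .ssid=Guest \
    .country=Switzerland disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] configuration.mode=ap .ssid=Guest \
    .country=Switzerland disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
# One virtual AP per radio carries the semi-trusted SSID.
add master-interface=wifi1 name=IOTWLAN1 configuration.mode=ap .ssid=IOT \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
add master-interface=wifi2 name=IOTWLAN2 configuration.mode=ap .ssid=IOT \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
# Bridge ports: the physical ether1 is the trunk (tagged only); each
# wireless interface is an access port whose PVID selects its VLAN.
/interface bridge port
add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=wifi1 pvid=198 \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=wifi2 pvid=198 \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=IOTWLAN1 pvid=70 \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=IOTWLAN2 pvid=70 \
    frame-types=admit-only-untagged-and-priority-tagged
# VLAN table: tagged towards the switch, untagged towards the clients.
# bridge1 itself is not a member, so the AP has no L3 foothold in either VLAN.
/interface bridge vlan
add bridge=bridge1 vlan-ids=198 tagged=ether1 untagged=wifi1,wifi2
add bridge=bridge1 vlan-ids=70 tagged=ether1 untagged=IOTWLAN1,IOTWLAN2
# Turn filtering on only after the table is complete.
/interface bridge
set bridge1 vlan-filtering=yes
# Management stays on ether5 outside the bridge; this is the AP's only
# address and only route (MGMT_GATEWAY_IP is a placeholder for the
# 192.168.98.0/24 gateway, which the thread does not state).
/ip address
add address=192.168.98.91/24 interface=ether5
/ip route
add dst-address=0.0.0.0/0 gateway=MGMT_GATEWAY_IP
```

After applying it, `/interface/bridge/host print` should list each wireless client's MAC with the VLAN its SSID maps to, and the firewall's ARP table should show those clients learned via the trunk.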