VLAN Configuration !HELP!

lmichael · Thu Nov 29, 2018 1:52 pm

Hi Guys,

i got a CCR1009-8G-1S-1S+ and two RBwAPG for free, so i decided to build a homenetwork. I have to say im not the specialist of networks and now im on a spot where i get stuck.

Maybe i start what i have already done, what works..
Update to 6.43.4
On eth1 is the WANport, it gets a IP from the Internet-Router
I created one bridge, in this bridge are the ports eth2 - eth8 with a DHCP Server 192.168.0.1/24
On eth5 and eth 6 the two AP are connected and controlled by CAPsMAN
Firewall has the default configuration
Firewall NAT

Now i want to seperate the ports in different VLANs, the two APs should work with all 3 VLANs and it would be best if it would work with CAPsMAN
VLAN10 "trusted" 192.168.10.1/24 Port:2-4 and APs
VLAN20 "untrusted" 192.168.20.1/24 Port:7-8 and APs
VLAN30 "Guest-WLAN" 192.168.20.1/24 APs

Where do i start to configure? The interfaces, the vlans in the bridge? Im lost

I looked a few videos and read some forum articles, i think i have to config the bridge and not the switch?
Do i need still the one bridge and the dhcp with 192.168.0.1?

Im very thxful for all informations you can give me and maybe someone can guide me through this, i dont want just a how to, i also want to understand this

Greetings
Michael

Jotne · Thu Nov 29, 2018 4:23 pm

On what parts do you like this nett? 192.168.0.1/24

Make a drawing, it makes it easier to understand what to do,

lmichael · Thu Nov 29, 2018 6:36 pm

I thought, i need a "default Network 192.168.0.1 / VLAN1"

In my case i dont need this "default VLAN"

Here is a drawing where you can see how the configuration should look like at the end. https://ibb.co/v42nVG5

In the meanwhile i configured the ports: wan ether 1, vlan10 ether 2-4 and vlan20 ether7-8. But i have no idea how i should configure the W-Lan and the two ports ether 5 and 6 to get it to work with CAPsMAN

One other question, when i connect my computer now to one of the VLAN ports 10 or 20, i get per DHCP the correct adress and winbox also show me now the 10.1 or 20.1 as the adress for the router, but i cant connect with ip, just with the mac.
Maybe a missconfiguration?

WeWiNet · Thu Nov 29, 2018 7:24 pm

Be aware lot (if not all) videos still show the way of doing VLANs before the 6.xx change when it was migrated
to bridge.
Look at the Wiki page to use the right method (not the Videos

.

You mention 3 IP address ranges/DHCP servers on your CCR but only one bridge? So DHCP are sitting where?
Normally you put on DHCP on the bridge.

Can you ping the IP of the router?

Jotne · Thu Nov 29, 2018 8:27 pm

Some like this using 6.41+ RouterOS

/interface bridge
add name=Bridge1 vlan-filtering=yes

/interface vlan
add  interface=Bridge1 name=VLAN10 vlan-id=10
add  interface=Bridge1 name=VLAN20 vlan-id=20
add  interface=Bridge1 name=VLAN30 vlan-id=30

/interface bridge port
add bridge=Bridge1 interface=ether2 pvid=10
add bridge=Bridge1 interface=ether3 pvid=10
add bridge=Bridge1 interface=ether4 pvid=10
add bridge=Bridge1 interface=ether7 pvid=20
add bridge=Bridge1 interface=ether8 pvid=20
add bridge=Bridge1 interface=wlan1 pvid=30

/interface bridge vlan
add bridge=Bridge1 tagged=Bridge1 untagged=ether2,ether3,ether4 vlan-ids=10
add bridge=Bridge1 tagged=Bridge1 untagged=ether7,ether8 vlan-ids=20

/ip pool
add name=DHCP-vlan10 ranges=192.168.10.100-192.168.10.200
add name=DHCP-vlan20 ranges=192.168.20.100-192.168.20.200
add name=DHCP-vlan30 ranges=192.168.30.100-192.168.30.200

/ip address
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0

/ip dhcp-server
add address-pool=DHCP-vlan10 disabled=no interface=VLAN10 lease-time=7d  name=DHCP-vlan10
add address-pool=DHCP-vlan20 disabled=no interface=VLAN20 lease-time=7d  name=DHCP-vlan20
add address-pool=DHCP-vlan30 disabled=no interface=VLAN30 lease-time=7d  name=DHCP-vlan30

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.10.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.10.1 gateway=192.168.30.1

anav · Thu Nov 29, 2018 9:54 pm

Hi Jotne, a few possible typos

/ip pool
add name=DHCP-vlan10 ranges=192.168.10.100-192.168.10.200
add name=DHCP-vlan20 ranges=192.168.20.100-192.168.20.200
add name=DHCP-vlan10 ranges=192.168.30.100-192.168.30.200

/ip address
add address=192.168.10.1/24 interface=VLAN20 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN20 network=192.168.20.0

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.10.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.10.1 gateway=192.168.30.1

anav · Thu Nov 29, 2018 10:00 pm

You only need 2 vlans, the trusted vlan is your bridge lan, and runs on the default pvid of 1. It is much easier to let this one work under the default.
I recently had a managed switch that reset to defaults during a power outage (I had forgotten to save the config to flash). The end result is all my vlans didnt work but all the traffic on all non vlan networks (which means all vlanid=1) and connected computers still worked. Not that you will run into that issue but for trusted members you dont need to create a vlan...... the Vlans are for the untrusted LOL.

In addition it simplifies the rest of your rules........

anav · Thu Nov 29, 2018 11:11 pm

Here is how I would set it up.
Assumptions 2 radios in your APs (using one radio for normal personal use, the second radio will run two VLAN, one on the main radio and the other on a virtual radio.
Not using APs for any wired connections to other devices but that could be added easily.

The Main Router config:

/Interface list
Lan
Wan

/Interface list members
Lan=Bridgehome
Lan=vlan10 (guest wifi)
Lan=vlan20 (untrusted users)
Wan=eth1

/interface bridge
add name=Bridgehome vlan-filtering=yes

/interface vlan
add interface=Bridgehome name=VLAN10 vlan-id=10
add interface=Bridgehome name=VLAN20 vlan-id=20

/interface bridge port
add bridge=Bridgehome interface=ether2
add bridge=Bridgehome interface=ether3
add bridge=Bridgehome interface=ether4
add bridge=Bridgehome interface=ether5 (trunk type port to AP1)
add bridge=Bridgehome interface=ether6 (trunk type port to AP2)
add bridge=Bridgehome interface=ether7 pvid=20 ingress filtering=yes (untrusted users)
add bridge=Bridgehome interface=ether8 pvid=20 ingress filtering=yes (untrusted users)

/interface bridge vlan
add bridge=Bridgehome tagged=Bridgehome untagged=ether7,ether8, vlan-ids=20
add bridge=Bridgehome tagged=Bridgehome,eth5,eth6 vlan-ids=10,20

/ip pool
add name=DHCP-home ranges=192.168.0.100-192.168.0.200
add name=DHCP-vlan10 ranges=192.168.10.100-192.168.10.200
add name=DHCP-vlan20 ranges=192.168.20.100-192.168.20.200

/ip address
add address=192.168.0.1/24 interface=Bridgehome network=192.168.0.0
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.10.1 gateway=192.168.20.1

/ip dhcp-server
add address-pool=DHCP-home disabled=no interface=Bridgehome lease-time=7d name=Home_Server
add address-pool=DHCP-vlan10 disabled=no interface=VLAN10 lease-time=7d name=DHCP-vlan10
add address-pool=DHCP-vlan20 disabled=no interface=VLAN20 lease-time=7d name=DHCP-vlan20

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
For WIFI, I am going to use one RADIO for the trusted house_users
I am going to use the second Radio for Guest WIFI (vlan10)
I am going to create a virtual AP from the second radio for Untrusted Wifi. (vlan20)
(repeat for second AP but use different naming conventions so you dont get confused)

Access Point Config:

/interface bridge
add name=BridgeAP1-Port5 vlan-filtering=yes

/interface vlan
add interface=BridgeAP1-Port5 name=Wifi-VLAN_Guests vlan-id=10
add interface=BridgeAP1-Port5 name=Wifi-VLAN_Untrusted vlan-id=20

/interface bridge port
add bridge=BridgeAP1-Port5 interface=ether2 (assuming wired from Router)
add bridge=BridgeAP1-Port5 interface=RadioA (will be your personal wifi)
add bridge=BridgeAP1-Port5 interface=RadioB1 (will be for vlan10 -guests)
add bridge=BridgeAP1-Port5 interface=VirtualRadioB2 (will be for vlan20 -untrusted)

/interface bridge vlan
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,eth2,RadioA,RadioB1,VirtualRadioB2 vlan-ids=10,20

/interface wireless (assuming 2 radio device)
set [ find default-name=wlan1 ] band=Xghz-b/gn/ac? country=? disabled=no \
distance=indoors frequency=? mode=ap-bridge name=RadioA\
security-profile=family_profile ssid=HouseWifi \
wireless-protocol=802.11 wps-mode=disabled

set [ find default-name=wlan2 ] band=xghz-? country=? disabled=no \
distance=indoors frequency=? mode=ap-bridge name=RadioB1 \
security-profile=guest_profile ssid=Guest_Wifi vlan-id=10 \
vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled

add disabled=no keepalive-frames=disabled mac-address=xx:xx:xx:xx.xx:xx \
master-interface=RadioB1 multicast-buffering=disabled name=VirtualRadioB2 \
security-profile=untrusted_profile ssid=Untrusted-wifi vlan-id=20 \
vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled

Jotne · Thu Nov 29, 2018 11:16 pm

@anav
Fixed my typos.
No problem using same DNS server IP for all nett.

lmichael · Fri Nov 30, 2018 10:19 am

Thx to all for your help, i will try the config from anav today, specially the wifi part looks very interesting and i hope i can make it to run.

mkx · Fri Nov 30, 2018 3:29 pm

This part by @anav is not as secure as it might seem:

/interface bridge port
add bridge=BridgeAP1-Port5 interface=ether2 (assuming wired from Router)
add bridge=BridgeAP1-Port5 interface=RadioA (will be your personal wifi)
add bridge=BridgeAP1-Port5 interface=RadioB1 (will be for vlan10 -guests)
add bridge=BridgeAP1-Port5 interface=VirtualRadioB2 (will be for vlan20 -untrusted)

/interface bridge vlan
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,eth2,RadioA,RadioB1,VirtualRadioB2 vlan-ids=10,20

Conceptual problem with highlited configuration statement is that all mentioned interfaces will be, from bridge's point of view, members of both VLANs. Which leaves proper VLAN separation to be done by individual bridge members, but those AFAIK don't do egress filtering. So proper configuration would have two lines:

/interface bridge vlan
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,eth2,RadioB1 vlan-ids=10
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,eth2,VirtualRadioB2 vlan-ids=20

And, to be on the safe side, add vlan-mode=no-tag to the rest of settings for RadioA ... the command is used to change settings and you don't want vlan-mode to keep different setting from previous config.

lmichael · Fri Nov 30, 2018 4:16 pm

So i tested the configuration..A big thx to anav, but i have some question and i have problems to geht the wlan run

The vlan configuration for the ports of the router works, the trusted ports get now a 192.168.0.x ip, untrusted a 192.168.20.0 and the ports 5 and 6 "where the Aps are connected" get the 192.168.0.x

The AP get also a 192.168.0.x
When i connect to the HouseWifi i get a 192.168.0.x This works
But when i connect the Guest i get no IP.
The Untrusted wifi connects shortly and then kick me.

Here are the Configs in the GUI
https://ibb.co/FzgCtMh
https://ibb.co/jbgFxYb
https://ibb.co/CstHQFs

If you need other information just ask, i will do my best.

lmichael · Fri Nov 30, 2018 4:34 pm

I changed the /interface bridge vlan like in the commend from mkx, but it makes no difference, i get no ip in the guestwifi and it disconnects me immediatly from the untrusted wifi

mkx · Fri Nov 30, 2018 8:47 pm

This part on main router IMHO also needs a change:

/interface bridge vlan
add bridge=Bridgehome tagged=Bridgehome untagged=ether7,ether8, vlan-ids=20
add bridge=Bridgehome tagged=Bridgehome,eth5,eth6 vlan-ids=10,20

.
Change it to

/interface bridge vlan
add bridge=Bridgehome tagged=Bridgehome,eth5,eth6 vlan-ids=10
add bridge=Bridgehome tagged=Bridgehome,eth5,eth6 untagged=eth7,eth8 vlan-ids=20

In case you wont be able to get it working, create export of configuration (open a terminal window from Winbox and run command /export hide-sensitive) and paste it here in code environment (the same as my suggestion about configuration above). Do it on both main router and on AP, it's not entirely clear which device is showstopper.

anav · Fri Nov 30, 2018 11:26 pm

This part by @anav is not as secure as it might seem:

/interface bridge port
add bridge=BridgeAP1-Port5 interface=ether2 (assuming wired from Router)
add bridge=BridgeAP1-Port5 interface=RadioA (will be your personal wifi)
add bridge=BridgeAP1-Port5 interface=RadioB1 (will be for vlan10 -guests)
add bridge=BridgeAP1-Port5 interface=VirtualRadioB2 (will be for vlan20 -untrusted)

/interface bridge vlan
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,eth2,RadioA,RadioB1,VirtualRadioB2 vlan-ids=10,20
Conceptual problem with highlited configuration statement is that all mentioned interfaces will be, from bridge's point of view, members of both VLANs. Which leaves proper VLAN separation to be done by individual bridge members, but those AFAIK don't do egress filtering. So proper configuration would have two lines:
Code: Select all
/interface bridge vlan
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,eth2,RadioB1 vlan-ids=10
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,eth2,VirtualRadioB2 vlan-ids=20
And, to be on the safe side, add vlan-mode=no-tag to the rest of settings for RadioA ... the command is used to change settings and you don't want vlan-mode to keep different setting from previous config.

Much thanks MKX,
I will admit I was a bit unsure on that /interface bridge vlan setting as, I wasnt quite sure on how to deal with no untagged members, like a standard switch.
In other words not sure how the mikrotik APs handle the equivalent to (bridge port pvid=10, ingress-filtering = yes).
I thought it was correct to set AP radio to Vlan=tag due to this ref:
https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless

I also now see the blunder of putting both vlans 10,20 on same bridge rule.........
To me what you have is a more accurate approximation of what we do for untagging on switches and keeps the vlans apart in the mind of the bridge (yes its alive

)

anav · Fri Nov 30, 2018 11:30 pm

This part on main router IMHO also needs a change:
/interface bridge vlan
add bridge=Bridgehome tagged=Bridgehome untagged=ether7,ether8, vlan-ids=20
add bridge=Bridgehome tagged=Bridgehome,eth5,eth6 vlan-ids=10,20
.
Change it to
Code: Select all
/interface bridge vlan
add bridge=Bridgehome tagged=Bridgehome,eth5,eth6 vlan-ids=10
add bridge=Bridgehome tagged=Bridgehome,eth5,eth6 untagged=eth7,eth8 vlan-ids=20
In case you wont be able to get it working, create export of configuration (open a terminal window from Winbox and run command /export hide-sensitive) and paste it here in code environment (the same as my suggestion about configuration above). Do it on both main router and on AP, it's not entirely clear which device is showstopper.

Awesome, I see where I went wrong here.......... one must be careful on a per VLAN basis on how to assign bridge tagging and untagging.
I am trying to combine in the wrong way.

Jotne · Fri Nov 30, 2018 11:43 pm

I will admit I was a bit unsure on that /interface bridge vlan setting as, I wasnt quite sure on how to deal with no untagged members, like a standard switch.

From what I have learned here to not get into any problem, make one line for each VLAN.
Even if you can add more VLAN to one Bridge VLAN, its better to avoid it to not get into problems.

anav · Fri Nov 30, 2018 11:44 pm

So my setup on my capAC is as follows
/interface vlan
add interface=bridgeHallway name=Guests_WIFI-v200 vlan-id=200
add interface=bridgeHallway name=Wifi_SDevices_cap2 vlan-id=45

RadioA - is my Devices Radio (uses vlan45)
RadioB - is my House Wifi
VirtualRadioB - is my guest-wif (uses vlan200)

/interface bridge port
add bridge=bridgeHallway comment=defconf interface=ether1
add bridge=bridgeHallway comment=defconf interface=ether2
add bridge=bridgeHallway comment=defconf interface=DevicesHallway
add bridge=bridgeHallway comment=defconf interface=Hallway5G
add bridge=bridgeHallway interface=VisitorWIFI trusted=yes
/interface bridge vlan
add bridge=bridgeHallway tagged=bridgeHallway,DevicesHallway,VisitorWIFI,ether1 vlan-ids=\
45,200

Are you saying my capAC bridge rule should be........
/

interface bridge vlan
add bridge=bridgeHallway tagged=bridgeHallway,DevicesHallway,ether1 vlan-ids=45
add bridge=bridgeHallway tagged=bridgeHallway,VisitorWIFI,ether1 vlan-ids=200

????????????????????

NEXT QUESTION = no tag
How else do we tell the capAC to apply vlan tags to the incoming packets from devices using that radio? How else do we tell the capAC to do ingress-filtering and strip the packets when egressing the radio back to the device???

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=canada disabled=no \
    distance=indoors frequency=2442 mode=ap-bridge name=DevicesHallway \
    security-profile=devices_only ssid=Remotedevices vlan-id=45[b] vlan-mode=use-tag[/b] \
    wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=\
    20/40/80mhz-Ceee country=canada disabled=no mode=ap-bridge name=Hallway5G \
    security-profile=Hallway_wifi ssid=HouseSmartPhones wireless-protocol=\
    802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=xx:xx:xx:xx:xx:xx \
    master-interface=Hallway5G multicast-buffering=disabled name=VisitorWIFI \
    security-profile=HouseGuestsSecurity ssid=Guests  vlan-id=200 \
   [b] vlan-mode=use-tag [/b]wds-cost-range=0 wds-default-cost=0 wps-mode=disabled

mkx · Sat Dec 01, 2018 5:41 pm

What I'd experiment with is to remove bridgeHallway "port" from the list of vlan members if RB itself doesn't have any role in it. Rationale: with HW-centric VLAN configuration, switchX-cpu had to be member of vlan group if there was wifi interface member of same VLAN (otherwise RBs CPU did not see the traffic of that VLAN). With modern bridge implementation, having all ether ports and wlan interfaces member of same bridge, I guess that adding bridge itself to the list of member ports is actually adding the "port personnality" ... and if there's no vlan interface on bridge port, bridge port doesn't have to be member of vlan port members ...

VLANs on wireless are different than on ethernet. Wireless per standard does not say much (or even anything) about VLANs, hence wlan ports can only be access ports (not trunk nor hybrid). So settings on wifi interface, the way @anav has it, are the way to go. It's the same as setting pvid on ether port and setting same ether port as untagged member of vlan on bridge. Just make sure vlan settings on corresponding bridge match settings on wifi ... and wifi shoukd be tagged member of vlan on bridge.

Well, the above is not "whole truth and nothing but the truth" (and God doesn't help me here). If wifi is used as a PtP or PtMP, then it can be configured to carry VLAN-tagged frames. In this case it behaves as a dumb switch and both sides have to be configured for proper ingress filtering.

lmichael · Sat Dec 01, 2018 7:38 pm

Hello MKX, i changed the bridge vlan, but i have still the same problems with the AP

Im very happy to see that someone cares about to make my config run, if we really get it to work i will make a own how-do thread with the config and a graphik, to help others who are also not so good in networks like i am and wants a homelan like this..

Here the config of the Router:

/interface bridge
add name=Bridgehome vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=Bridgehome name=VLAN10 vlan-id=10
add interface=Bridgehome name=VLAN20 vlan-id=20
/interface list
add name=Lan
add name=Wan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=DHCP-home ranges=192.168.0.100-192.168.0.200
add name=DHCP-vlan10 ranges=192.168.10.0-192.168.10.200
add name=DHCP-vlan20 ranges=192.168.20.0-192.168.20.200
/ip dhcp-server
add address-pool=DHCP-home disabled=no interface=Bridgehome lease-time=1w name=\
    Home_Server
add address-pool=DHCP-vlan10 disabled=no interface=VLAN10 lease-time=1w name=\
    DHCP-vlan10
add address-pool=DHCP-vlan20 disabled=no interface=VLAN20 lease-time=1w name=\
    DHCP-vlan20
/interface bridge port
add bridge=Bridgehome interface=ether2
add bridge=Bridgehome interface=ether3
add bridge=Bridgehome interface=ether4
add bridge=Bridgehome interface=ether5
add bridge=Bridgehome interface=ether6
add bridge=Bridgehome ingress-filtering=yes interface=ether7 pvid=20
add bridge=Bridgehome ingress-filtering=yes interface=ether8 pvid=20
/interface bridge vlan
add bridge=Bridgehome tagged=Bridgehome,ether5,ether6 untagged=ether7,ether8 \
    vlan-ids=20
add bridge=Bridgehome tagged=Bridgehome,ether5,ether6 vlan-ids=10
/interface list member
add interface=Bridgehome list=Lan
add interface=VLAN10 list=Lan
add interface=VLAN20 list=Lan
add interface=ether1 list=Wan
/ip address
add address=192.168.0.1/24 interface=Bridgehome network=192.168.0.0
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/system clock
set time-zone-name=Europe/Vienna
/system routerboard settings
set silent-boot=no

lmichael · Sat Dec 01, 2018 7:50 pm

And here the AP config

/interface bridge
add name=BridgeAP1-Port5 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no frequency=auto \
    mode=ap-bridge name=RadioB1 ssid=Guest_Wifi vlan-id=10 vlan-mode=use-tag \
    wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=01:00:00:00:00:00 \
    master-interface=RadioB1 multicast-buffering=disabled name=VirtualRadioB2 \
    ssid=Untrusted-Wifi vlan-id=20 vlan-mode=use-tag wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/interface vlan
add interface=BridgeAP1-Port5 name=Wifi-VLAN_Guest vlan-id=10
add interface=BridgeAP1-Port5 name=Wifi-VLAN_Untrusted vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=House supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=austria disabled=no \
    distance=indoors frequency=auto mode=ap-bridge name=RadioA \
    security-profile=House ssid=HouseWifi wireless-protocol=802.11 wps-mode=\
    disabled
/interface bridge port
add bridge=BridgeAP1-Port5 interface=RadioA
add bridge=BridgeAP1-Port5 interface=RadioB1
add bridge=BridgeAP1-Port5 interface=VirtualRadioB2
add bridge=BridgeAP1-Port5 interface=ether1
/interface bridge vlan
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,RadioB1 vlan-ids=10
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,VirtualRadioB2 vlan-ids=20
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=BridgeAP1-Port5
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=AP1
/system routerboard settings
set silent-boot=no

anav · Sat Dec 01, 2018 8:01 pm

What I'd experiment with is to remove bridgeHallway "port" from the list of vlan members if RB itself doesn't have any role in it. Rationale: with HW-centric VLAN configuration, switchX-cpu had to be member of vlan group if there was wifi interface member of same VLAN (otherwise RBs CPU did not see the traffic of that VLAN). With modern bridge implementation, having all ether ports and wlan interfaces member of same bridge, I guess that adding bridge itself to the list of member ports is actually adding the "port personnality" ... and if there's no vlan interface on bridge port, bridge port doesn't have to be member of vlan port members ...

Hi Mkx are you referring specifically to remove this this line because no vlans run through (except default vlanid=1)
/interface bridge port
add bridge=bridgeHallway comment=defconf interface=Hallway5G (no vlans associated with this WLAN)

OR these entries in blue??
/interface bridge vlan
add bridge=bridgeHallway tagged=bridgeHallway,DevicesHallway,ether1 vlan-ids=45
add bridge=bridgeHallway tagged=bridgeHallway,VisitorWIFI,ether1 vlan-ids=200

anav · Sat Dec 01, 2018 8:04 pm

1. Your Router config thus far looks great but you dont show your firewall rules!!!

2. AP config, as per my question to MKX, it may be that this line is not required??
/interface bridge port
add bridge=BridgeAP1-Port5 interface=RadioA (as there is no VLAN running on it).

3. I would say you are missing ether1 (incoming trunk type port from router)
/interface bridge vlan
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,eth1,RadioB1 vlan-ids=10
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,eth1,VirtualRadioB2 vlan-ids=20

lmichael · Sat Dec 01, 2018 9:15 pm

1. Your Router config thus far looks great but you dont show your firewall rules!!!

I have no rules yet, because i want to exclude the firewall of the problems i have, but the firewall questions will come later when the vlanconfig works

3. I would say you are missing ether1 (incoming trunk type port from router)
/interface bridge vlan
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,eth1,RadioB1 vlan-ids=10
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,eth1,VirtualRadioB2 vlan-ids=20

Very nice, now my guestwifi works and give me a 192.168.10.x address

But the problems with the untrusted network still exists, i see the ssid but i cant connect to it

anav · Sat Dec 01, 2018 9:50 pm

Hmmm, nothing I can spot that would prevent that?? Hopefully fresh eyes from another will help out.!

lmichael · Sat Dec 01, 2018 10:38 pm

I got it, the vlan 20 on Untrusted_Wifi runs now.

What i have done.. i deleted the virtual Radio from Wifi-Interfaces and from the Bridge Ports.
Then i make a new Virtual Radio, make a new port on the bridge and there i change the PVID from 1 to 20 and the Frame Types to admit only VLAN tagged.

The only question i have is, why the RadioB1 works in the vlan 10 with PVID on default 1 and frametype all and the virtual just runs with PVID 20 and frame type admit only VLAN tagged???

anav · Sat Dec 01, 2018 11:26 pm

Please post your AP config, so I can study it!!
Have to go for a swim now but can look at it later.
I want to compare to what I have to see what is going on!

PS, what versions of firmware are you running on the router and the AP??

lmichael · Sat Dec 01, 2018 11:49 pm

Here the config of the AP

/interface bridge
add name=BridgeAP1-Port5 vlan-filtering=yes
/interface vlan
add interface=BridgeAP1-Port5 name=Wifi-VLAN_Guest vlan-id=10
add interface=BridgeAP1-Port5 name=Wifi-VLAN_Untrusted vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=House supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=austria disabled=no \
    distance=indoors frequency=auto mode=ap-bridge name=RadioA \
    security-profile=House ssid=HouseWifi wireless-protocol=802.11 wps-mode=\
    disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no frequency=auto \
    mode=ap-bridge name=RadioB1 security-profile=House ssid=Guest_Wifi vlan-id=\
    10 vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=xx:xx:xx:xx:xx:xx \
    master-interface=RadioB1 multicast-buffering=disabled name=VirtualRadioB2 \
    security-profile=House ssid=UntrustedWifi vlan-id=20 vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=BridgeAP1-Port5 interface=RadioA
add bridge=BridgeAP1-Port5 interface=RadioB1
add bridge=BridgeAP1-Port5 interface=ether1
add bridge=BridgeAP1-Port5 frame-types=admit-only-vlan-tagged interface=\
    VirtualRadioB2 pvid=20
/interface bridge vlan
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,RadioB1,ether1 vlan-ids=10
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,VirtualRadioB2,ether1 \
    vlan-ids=20
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=BridgeAP1-Port5
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=AP1
/system routerboard settings
set silent-boot=no

The firmware on the router and ap are 6.43.4

anav · Sun Dec 02, 2018 2:03 am

I see what you have done to get it to work on the /interface bridge port settings!!

BUT, can you see the inconsistency??
Why didnt you have to do that for RadioB as well which is also is a WLAN running in a VLAN???

Could it be something different about Virtual WLANs?
Funny thing is my setup is two capACs and all I have is the following and it works just fine.

/interface bridge port
add bridge=bridgeHallway comment=defconf interface=ether1
add bridge=bridgeHallway comment=defconf interface=ether2
add bridge=bridgeHallway comment=defconf interface=DevicesHallway
add bridge=bridgeHallway comment=defconf interface=Hallway5G (mkx I think is saying delete this line because there are no vlans running on it (pvid=1 works by default).
add bridge=bridgeHallway interface=VisitorWIFI trusted=yes

In your case possibly this line is redundant but lets wait for mkx feedback (ps you should go in to your post and delete that mac address assuming its for real)
add bridge=BridgeAP1-Port5 interface=RadioA

+++++++++++++++++++++++++++++

As you can see I do nothing special for my Devices hallway (2.4G) Radio on vlan xxx, nor do I do anything for the Virtual WLAN 5Ghz (running off Hallway5G) in terms of its vlan yy.
I IS CONFUSED!

mkx · Sun Dec 02, 2018 10:54 am

What I'd experiment with is to remove bridgeHallway "port" from the list of vlan members if RB itself doesn't have any role in it. Rationale: with HW-centric VLAN configuration, switchX-cpu had to be member of vlan group if there was wifi interface member of same VLAN (otherwise RBs CPU did not see the traffic of that VLAN). With modern bridge implementation, having all ether ports and wlan interfaces member of same bridge, I guess that adding bridge itself to the list of member ports is actually adding the "port personnality" ... and if there's no vlan interface on bridge port, bridge port doesn't have to be member of vlan port members ...
Hi Mkx are you referring specifically to remove this this line because no vlans run through (except default vlanid=1)
/interface bridge port
add bridge=bridgeHallway comment=defconf interface=Hallway5G (no vlans associated with this WLAN)

OR these entries in blue??
/interface bridge vlan
add bridge=bridgeHallway tagged=bridgeHallway,DevicesHallway,ether1 vlan-ids=45
add bridge=bridgeHallway tagged=bridgeHallway,VisitorWIFI,ether1 vlan-ids=200

The second one. But this change should not affect the way things work, it would just tidy-up the setup (in case my thinking about it being unnecessary prooves true).

The first one is needed to give Hallway5G L2 connectivity, regardless if it's native or VLAN. If it was removed from bridgeHallway, the wifi interface would need L3 configueation .

mkx · Sun Dec 02, 2018 11:05 am

Two things hurt my eyes:

Here the config of the AP

/interface wireless
add disabled=no keepalive-frames=disabled mac-address=6E:3B:6B:7D:55:82 \
    master-interface=RadioB1 multicast-buffering=disabled name=VirtualRadioB2 \
    security-profile=House ssid=UntrustedWifi vlan-id=20 vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface bridge port
add bridge=BridgeAP1-Port5 frame-types=admit-only-vlan-tagged interface=\
    VirtualRadioB2 pvid=20

The first one might be an issue but depends on config of the rest of wireless interfaces: MAC addresses of physical and all virtual APs sharing same radio have to be different.

Second one: interface VirtualRadioB2 is tagged (due to vlan-mode=use-tag) and it should be configured as bridge member port as such - i.e. remove "pvid=20" from the config oine show above.

Short explanation: pvid setting on port member of a bridge takes care of tagging frames on ingress if the ingress frame is not tagged. If the ingress frame is already tagged, it won't change it. Similar reasoning is about frame-types setting: if pvid was not set, then your setting would drop untagged frames (i.e. if wifi interface didn't have vlan-mode=use-tags set).

lmichael · Sun Dec 02, 2018 12:04 pm

I changed the mac address and i put the pvid back to 1, also frame type to admit all.. and it works

so at the end it was the same mac address what was one of the problems i had.

Here is maybe the final config of the ap, pls have a look on it if i have to change something else, if everything is ok i will close this post as solved.. thx a lot

/interface bridge
add name=BridgeAP1-Port5 vlan-filtering=yes
/interface vlan
add interface=BridgeAP1-Port5 name=Wifi-VLAN_Guest vlan-id=10
add interface=BridgeAP1-Port5 name=Wifi-VLAN_Untrusted vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=House supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=austria disabled=no \
    distance=indoors frequency=auto mode=ap-bridge name=RadioA \
    security-profile=House ssid=HouseWifi wireless-protocol=802.11 wps-mode=\
    disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no frequency=auto \
    mode=ap-bridge name=RadioB1 security-profile=House ssid=Guest_Wifi vlan-id=\
    10 vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=7a:xx:xx:xx:xx:xx \
    master-interface=RadioB1 multicast-buffering=disabled name=VirtualRadioB2 \
    security-profile=House ssid=UntrustedWifi vlan-id=20 vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=BridgeAP1-Port5 interface=RadioA
add bridge=BridgeAP1-Port5 interface=RadioB1
add bridge=BridgeAP1-Port5 interface=ether1
add bridge=BridgeAP1-Port5 interface=VirtualRadioB2
/interface bridge vlan
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,RadioB1,ether1 vlan-ids=10
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,VirtualRadioB2,ether1 \
    vlan-ids=20
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=BridgeAP1-Port5
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=AP1
/system routerboard settings
set silent-boot=no

mkx · Sun Dec 02, 2018 2:01 pm

To spare reading: any MAC address, whose first two digits are similar to x2, x6, xA or xE, is fine to use. In @lmichael's case, address 6E:3B:6B:7D:55:82 is fine with regard to this criteria, but it seems it was not unique in his L2 network.
Once I'll have to check if it's fine to use locally administered MAC address as administrative MAC address on a bridge....

.
I checked today and bridge seems to happily accept a locally administered MAC address as administrative MAC. Some parts of RB might need a kick after the change ... PPPoE client, for example, had to be disabled and enabled again, or else it could not authenticate with PPPoE server.

anav · Sun Dec 02, 2018 5:59 pm

Thanks MKX for clearing it all up and to the OP for being patient with newbie me also trying to help.

As to not requiring the bridge to be tagged on the AP devices, I do admit that it works just fine without them in the rules as you pointed out.
Are we to assume that by ipso facto default (by design). Mikrotik AP Devices have the following logic

a. All vlans are automatically considered as PVID on the radio they are on and ingress filtering applied (key is in wireless line to have vlan-mode=use-tag).
Can one conclude that vlan-mode=use-tag is equivalent on a router to:
- add bridge=Bridge1 interface=ether2 untagged=eth3 pvid=10 ingress filtering=yes?? OR just
- add bridge=Bridge1 interface=ether2 untagged=eth3 pvid=10??
(assuming a router ethport attached on eth3 to a computer that you want on vlan10).

b. The bridge on a mickrotik AP does not required to be tagged on /interface bridge vlan rules as it is assumed that it already is???
Thus add bridge bridge=bridge1 tagged=eth2,RADIO vlan-id=20 on an AP device is equivalent to
bridge=bridge1 tagged=bridge1, eth2, vlan-id=20 on a router device??

Or am I wrong to think of this as AP specific and its RADIO specific.
In other words for every /Interface bridge vlan rule that contains a tagged radio, does not require a tagged bridge???

mkx · Sun Dec 02, 2018 7:41 pm

a. All vlans are automatically considered as PVID on the radio they are on and ingress filtering applied (key is in wireless line to have vlan-mode=use-tag).
Can one conclude that vlan-mode=use-tag is equivalent on a router to:
- add bridge=Bridge1 interface=ether2 untagged=eth3 pvid=10 ingress filtering=yes?? OR just
- add bridge=Bridge1 interface=ether2 untagged=eth3 pvid=10??
(assuming a router ethport attached on eth3 to a computer that you want on vlan10).

While all of VLAN logics for ether ports is configured on bridge, it's not for all other ports. When other ports are made members of a bridge, bridge only performs ingress and egress filtering but not tagging or untagging, that's up to that port to do (if it can). So, for wifi devices (ports), using vlan-mode=use-tags vlan-id=XY is same as setting pvid on ether port (ingress tagging) and making that port untagged member of vlan (egress untagging).
A side note: for ether ports, on ingress, first port tags untagged frames if it has pvid set. Only after that bridge performs ingress filtering if configured for it, and it sees only tagged frames when port has pvid set. On egress bridge performs filtering and untagging (if port is configured as untagged member of that VLAN). pvid setting doesn't matter here.

Syntactically one could configure ingress-filtering on interfaces that can only carry untagged frames and are configured to do tagging on ingress, but that wouldn't bring any additional security (but could break things if whole configuration wouldn't match). It does make sense to perform ingress filtering on interface/port that can act as trunk ... so that remote side can not inject frames with VLAN tags that are not supposed to ingress through that particular interface/port. wifi interface can carry VLAN-tagged frames, so it does make sense to enable ingress filtering on it.

If a device/port doesn't know anything about VLANs (e.g. PPPoE or VPN or ...) and should become member of a vlan group, one has to play with vlan interfaces. Example of having pppoe interface member of VLAN ID=42:

/interface bridge
add name=bridge comment="Common bridge, all VLANs tagged"
add name=bridge42 comment="VLAN42 untagged"
/interface vlan
add interface=bridge name=vlan42 vlan-id=42 comment="VLAN42 on bridge"
/interface bridge port
add bridge=bridge42 interface=vlan42
add bridge=bridge42 interface=pppoe1-out

In this case vlan interface does tagging/untagging when packet traverses this kind of interface.
.

b. The bridge on a mickrotik AP does not required to be tagged on /interface bridge vlan rules as it is assumed that it already is???
Thus add bridge bridge=bridge1 tagged=eth2,RADIO vlan-id=20 on an AP device is equivalent to
bridge=bridge1 tagged=bridge1, eth2, vlan-id=20 on a router device??

Note that bridge in ROS has twin personallity:

bridge in a sense of ethernet switch, but unlike ethernet switch it's capable of grouping interfaces of different L1 technologies
L2 interface that can act as any other L2 interface, just like e.g. ether port

So when you configure bridge ports, bridge vlan-filtering, etc. you're configuring first personnality ... except when it's mentioned on the right side of equal sign of tagged= or untagged=, in that case you're configuring the second personnality. You're also configuring the second personnality when you're configuring vlan interfaces on top of it (e.g. with /interface vlan add interface=bridge name=vlanX vlan-id=X) or when you're configuring L3 stuff on it (including DHCP which is somewhere between L2 and L3).

Jotne · Mon Dec 03, 2018 8:29 am

If a device/port doesn't know anything about VLANs (e.g. PPPoE or VPN or ...) and should become member of a vlan group, one has to play with vlan interfaces. Example of having pppoe interface member of VLAN ID=42:

Would this be the same as VLAN setup against Ethernet interface on RouterOS<6.41?

mkx · Mon Dec 03, 2018 9:12 am

If a device/port doesn't know anything about VLANs (e.g. PPPoE or VPN or ...) and should become member of a vlan group, one has to play with vlan interfaces. Example of having pppoe interface member of VLAN ID=42:
Would this be the same as VLAN setup against Ethernet interface on RouterOS<6.41?

Hmmm ... I guess so. I've been using bridge as dumb switch in ROS<6.41 and I've configured VLAN speciffic stuff in /interface ethernet switch config sub-tree for ethernet interfaces. I've never used more than one bridge on my single switch-chip devices to span different ether ports that were members of same vlan. In that case, bridge did not have any vlan filtering functionality so I had to be extra careful to have all member interfaces properly configured. Switch chip has its own filtering functionality (vlan-mode in /interface ethernet switch port), wireless interfaces as well, vlan interfaces by definition.
But then, if I was using some device with less capable (read: shitty) switch chip, I might have ended up using multiple bridges, one per VLAN. In that case configuration probably would have looked a lot like the one referred above.

anav · Tue Dec 04, 2018 7:53 pm

Good reminder to keep in mind, that there is layer3, the router and layer2, vlans and the bridge and that vlan interfaces have strange powers.
Just have to figure out how to bottle mkx vlan knowledge into an APP.

lmichael · Wed Dec 05, 2018 11:05 am

Thx again to all for the help, you helped me a lot to understand how vlans and ap´s work on a bridge.

Who is online