/interface bridge
add name=Bridge1 vlan-filtering=yes
/interface vlan
add interface=Bridge1 name=VLAN10 vlan-id=10
add interface=Bridge1 name=VLAN20 vlan-id=20
add interface=Bridge1 name=VLAN30 vlan-id=30
/interface bridge port
add bridge=Bridge1 interface=ether2 pvid=10
add bridge=Bridge1 interface=ether3 pvid=10
add bridge=Bridge1 interface=ether4 pvid=10
add bridge=Bridge1 interface=ether7 pvid=20
add bridge=Bridge1 interface=ether8 pvid=20
add bridge=Bridge1 interface=wlan1 pvid=30
/interface bridge vlan
add bridge=Bridge1 tagged=Bridge1 untagged=ether2,ether3,ether4 vlan-ids=10
add bridge=Bridge1 tagged=Bridge1 untagged=ether7,ether8 vlan-ids=20
# wlan1 has pvid=30 above; without an entry for VLAN 30 the filtering bridge drops its traffic
add bridge=Bridge1 tagged=Bridge1 untagged=wlan1 vlan-ids=30
/ip pool
add name=DHCP-vlan10 ranges=192.168.10.100-192.168.10.200
add name=DHCP-vlan20 ranges=192.168.20.100-192.168.20.200
add name=DHCP-vlan30 ranges=192.168.30.100-192.168.30.200
/ip address
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
/ip dhcp-server
add address-pool=DHCP-vlan10 disabled=no interface=VLAN10 lease-time=7d name=DHCP-vlan10
add address-pool=DHCP-vlan20 disabled=no interface=VLAN20 lease-time=7d name=DHCP-vlan20
add address-pool=DHCP-vlan30 disabled=no interface=VLAN30 lease-time=7d name=DHCP-vlan30
/ip dhcp-server network
# each VLAN gets its own gateway address as resolver; pointing VLAN 20/30 clients
# at 192.168.10.1 would require the firewall to accept cross-VLAN traffic to that address
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
Much thanks MKX,

This part by @anav is not as secure as it might seem:

/interface bridge port
add bridge=BridgeAP1-Port5 interface=ether2 (assuming wired from Router)
add bridge=BridgeAP1-Port5 interface=RadioA (will be your personal wifi)
add bridge=BridgeAP1-Port5 interface=RadioB1 (will be for vlan10 -guests)
add bridge=BridgeAP1-Port5 interface=VirtualRadioB2 (will be for vlan20 -untrusted)
/interface bridge vlan
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,ether2,RadioA,RadioB1,VirtualRadioB2 vlan-ids=10,20

The conceptual problem with the highlighted configuration statement (the vlan-ids=10,20 line above) is that all mentioned interfaces will be, from the bridge's point of view, members of both VLANs. Which leaves proper VLAN separation to be done by the individual bridge members, but those AFAIK don't do egress filtering. So the proper configuration would have two lines:

/interface bridge vlan
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,ether2,RadioB1 vlan-ids=10
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,ether2,VirtualRadioB2 vlan-ids=20

And, to be on the safe side, add vlan-mode=no-tag to the rest of the settings for RadioA ... the command is used to change settings and you don't want vlan-mode to keep a different setting from the previous config.

This part on the main router IMHO also needs a change:

/interface bridge vlan
add bridge=Bridgehome tagged=Bridgehome untagged=ether7,ether8 vlan-ids=20
add bridge=Bridgehome tagged=Bridgehome,ether5,ether6 vlan-ids=10,20

Change it to

/interface bridge vlan
add bridge=Bridgehome tagged=Bridgehome,ether5,ether6 vlan-ids=10
add bridge=Bridgehome tagged=Bridgehome,ether5,ether6 untagged=ether7,ether8 vlan-ids=20

In case you won't be able to get it working, create an export of the configuration (open a terminal window from Winbox and run the command /export hide-sensitive) and paste it here in a code environment (the same as my suggestion about the configuration above). Do it on both the main router and on the AP; it's not entirely clear which device is the showstopper.

Awesome, I see where I went wrong here.......... one must be careful on a per-VLAN basis on how to assign bridge tagging and untagging.
From what I have learned here, to not get into any problems, make one line for each VLAN.
I will admit I was a bit unsure on that /interface bridge vlan setting, as I wasn't quite sure how to deal with no untagged members, like a standard switch.
/interface bridge vlan
add bridge=bridgeHallway tagged=bridgeHallway,DevicesHallway,ether1 vlan-ids=45
add bridge=bridgeHallway tagged=bridgeHallway,VisitorWIFI,ether1 vlan-ids=200
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=canada disabled=no \
distance=indoors frequency=2442 mode=ap-bridge name=DevicesHallway \
security-profile=devices_only ssid=Remotedevices vlan-id=45 vlan-mode=use-tag \
wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=\
20/40/80mhz-Ceee country=canada disabled=no mode=ap-bridge name=Hallway5G \
security-profile=Hallway_wifi ssid=HouseSmartPhones wireless-protocol=\
802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=xx:xx:xx:xx:xx:xx \
master-interface=Hallway5G multicast-buffering=disabled name=VisitorWIFI \
security-profile=HouseGuestsSecurity ssid=Guests vlan-id=200 \
vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface bridge
add name=Bridgehome vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=Bridgehome name=VLAN10 vlan-id=10
add interface=Bridgehome name=VLAN20 vlan-id=20
/interface list
add name=Lan
add name=Wan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=DHCP-home ranges=192.168.0.100-192.168.0.200
# a pool must not start at the network address (.0) or include the gateway (.1)
add name=DHCP-vlan10 ranges=192.168.10.100-192.168.10.200
add name=DHCP-vlan20 ranges=192.168.20.100-192.168.20.200
/ip dhcp-server
add address-pool=DHCP-home disabled=no interface=Bridgehome lease-time=1w name=\
Home_Server
add address-pool=DHCP-vlan10 disabled=no interface=VLAN10 lease-time=1w name=\
DHCP-vlan10
add address-pool=DHCP-vlan20 disabled=no interface=VLAN20 lease-time=1w name=\
DHCP-vlan20
/interface bridge port
add bridge=Bridgehome interface=ether2
add bridge=Bridgehome interface=ether3
add bridge=Bridgehome interface=ether4
add bridge=Bridgehome interface=ether5
add bridge=Bridgehome interface=ether6
add bridge=Bridgehome ingress-filtering=yes interface=ether7 pvid=20
add bridge=Bridgehome ingress-filtering=yes interface=ether8 pvid=20
/interface bridge vlan
add bridge=Bridgehome tagged=Bridgehome,ether5,ether6 untagged=ether7,ether8 \
vlan-ids=20
add bridge=Bridgehome tagged=Bridgehome,ether5,ether6 vlan-ids=10
/interface list member
add interface=Bridgehome list=Lan
add interface=VLAN10 list=Lan
add interface=VLAN20 list=Lan
add interface=ether1 list=Wan
/ip address
add address=192.168.0.1/24 interface=Bridgehome network=192.168.0.0
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/system clock
set time-zone-name=Europe/Vienna
/system routerboard settings
set silent-boot=no
/interface bridge
add name=BridgeAP1-Port5 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no frequency=auto \
mode=ap-bridge name=RadioB1 ssid=Guest_Wifi vlan-id=10 vlan-mode=use-tag \
wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=01:00:00:00:00:00 \
master-interface=RadioB1 multicast-buffering=disabled name=VirtualRadioB2 \
ssid=Untrusted-Wifi vlan-id=20 vlan-mode=use-tag wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
/interface vlan
add interface=BridgeAP1-Port5 name=Wifi-VLAN_Guest vlan-id=10
add interface=BridgeAP1-Port5 name=Wifi-VLAN_Untrusted vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
mode=dynamic-keys name=House supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=austria disabled=no \
distance=indoors frequency=auto mode=ap-bridge name=RadioA \
security-profile=House ssid=HouseWifi wireless-protocol=802.11 wps-mode=\
disabled
/interface bridge port
add bridge=BridgeAP1-Port5 interface=RadioA
add bridge=BridgeAP1-Port5 interface=RadioB1
add bridge=BridgeAP1-Port5 interface=VirtualRadioB2
add bridge=BridgeAP1-Port5 interface=ether1
/interface bridge vlan
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,RadioB1 vlan-ids=10
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,VirtualRadioB2 vlan-ids=20
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=BridgeAP1-Port5
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=AP1
/system routerboard settings
set silent-boot=no
Hi Mkx, are you referring specifically to removing this line, because no VLANs run through it (except the default vlan-id=1)?

What I'd experiment with is to remove the bridgeHallway "port" from the list of VLAN members if the RB itself doesn't have any role in it. Rationale: with HW-centric VLAN configuration, switchX-cpu had to be a member of the VLAN group if there was a wifi interface member of the same VLAN (otherwise the RB's CPU did not see the traffic of that VLAN). With the modern bridge implementation, having all ether ports and wlan interfaces members of the same bridge, I guess that adding the bridge itself to the list of member ports is actually adding the "port personality" ... and if there's no VLAN interface on the bridge port, the bridge port doesn't have to be a member of the VLAN port members ...
I have no rules yet, because I want to exclude the firewall from the problems I have, but the firewall questions will come later when the VLAN config works.

1. Your Router config thus far looks great but you don't show your firewall rules!!!

Very nice, now my guest wifi works and gives me a 192.168.10.x address.

3. I would say you are missing ether1 (incoming trunk type port from router)

/interface bridge vlan
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,ether1,RadioB1 vlan-ids=10
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,ether1,VirtualRadioB2 vlan-ids=20
/interface bridge
add name=BridgeAP1-Port5 vlan-filtering=yes
/interface vlan
add interface=BridgeAP1-Port5 name=Wifi-VLAN_Guest vlan-id=10
add interface=BridgeAP1-Port5 name=Wifi-VLAN_Untrusted vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
mode=dynamic-keys name=House supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=austria disabled=no \
distance=indoors frequency=auto mode=ap-bridge name=RadioA \
security-profile=House ssid=HouseWifi wireless-protocol=802.11 wps-mode=\
disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no frequency=auto \
mode=ap-bridge name=RadioB1 security-profile=House ssid=Guest_Wifi vlan-id=\
10 vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=xx:xx:xx:xx:xx:xx \
master-interface=RadioB1 multicast-buffering=disabled name=VirtualRadioB2 \
security-profile=House ssid=UntrustedWifi vlan-id=20 vlan-mode=use-tag \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=BridgeAP1-Port5 interface=RadioA
add bridge=BridgeAP1-Port5 interface=RadioB1
add bridge=BridgeAP1-Port5 interface=ether1
add bridge=BridgeAP1-Port5 frame-types=admit-only-vlan-tagged interface=\
VirtualRadioB2 pvid=20
/interface bridge vlan
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,RadioB1,ether1 vlan-ids=10
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,VirtualRadioB2,ether1 \
vlan-ids=20
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=BridgeAP1-Port5
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=AP1
/system routerboard settings
set silent-boot=no
Hi Mkx, are you referring specifically to removing this line, because no VLANs run through it (except the default vlan-id=1)?

/interface bridge port
add bridge=bridgeHallway comment=defconf interface=Hallway5G (no vlans associated with this WLAN)

OR these entries??

/interface bridge vlan
add bridge=bridgeHallway tagged=bridgeHallway,DevicesHallway,ether1 vlan-ids=45
add bridge=bridgeHallway tagged=bridgeHallway,VisitorWIFI,ether1 vlan-ids=200

The second one. But this change should not affect the way things work, it would just tidy up the setup (in case my thinking about it being unnecessary proves true).
The first one might be an issue but depends on the config of the rest of the wireless interfaces: MAC addresses of the physical and all virtual APs sharing the same radio have to be different.

Here is the config of the AP:

/interface wireless
add disabled=no keepalive-frames=disabled mac-address=6E:3B:6B:7D:55:82 \
master-interface=RadioB1 multicast-buffering=disabled name=VirtualRadioB2 \
security-profile=House ssid=UntrustedWifi vlan-id=20 vlan-mode=use-tag \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface bridge port
add bridge=BridgeAP1-Port5 frame-types=admit-only-vlan-tagged interface=\
VirtualRadioB2 pvid=20
/interface bridge
add name=BridgeAP1-Port5 vlan-filtering=yes
/interface vlan
add interface=BridgeAP1-Port5 name=Wifi-VLAN_Guest vlan-id=10
add interface=BridgeAP1-Port5 name=Wifi-VLAN_Untrusted vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
mode=dynamic-keys name=House supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=austria disabled=no \
distance=indoors frequency=auto mode=ap-bridge name=RadioA \
security-profile=House ssid=HouseWifi wireless-protocol=802.11 wps-mode=\
disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no frequency=auto \
mode=ap-bridge name=RadioB1 security-profile=House ssid=Guest_Wifi vlan-id=\
10 vlan-mode=use-tag wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=7a:xx:xx:xx:xx:xx \
master-interface=RadioB1 multicast-buffering=disabled name=VirtualRadioB2 \
security-profile=House ssid=UntrustedWifi vlan-id=20 vlan-mode=use-tag \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=BridgeAP1-Port5 interface=RadioA
add bridge=BridgeAP1-Port5 interface=RadioB1
add bridge=BridgeAP1-Port5 interface=ether1
add bridge=BridgeAP1-Port5 interface=VirtualRadioB2
/interface bridge vlan
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,RadioB1,ether1 vlan-ids=10
add bridge=BridgeAP1-Port5 tagged=BridgeAP1-Port5,VirtualRadioB2,ether1 \
vlan-ids=20
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=BridgeAP1-Port5
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=AP1
/system routerboard settings
set silent-boot=no
To spare reading: any MAC address whose first two hex digits look like x2, x6, xA or xE is fine to use. In @lmichael's case, address 6E:3B:6B:7D:55:82 is fine with regard to this criterion, but it seems it was not unique in his L2 network.
Some time I'll have to check whether it's fine to use a locally administered MAC address as the admin MAC address on a bridge....
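The two conditions in the post above (first octet locally administered and unicast, address unique on the L2 segment) are cheap to check before handing a hand-picked mac-address to a virtual AP. The script below is an added example written for this page, not RouterOS code and not anything posted in the thread. The interface names and all addresses except 6E:3B:6B:7D:55:82 (the one discussed above) are constructed; the derivation rule in local_unicast_from (flip the U/L bit of the master radio's MAC and offset the last octet) is a convention chosen here, not how RouterOS picks addresses.

```python
"""Check mac-address values set by hand on virtual wireless interfaces.

Added example for this thread, not RouterOS code. Two things matter for a
virtual AP's MAC: the first octet must have the locally administered bit
(0x02) set and the group/multicast bit (0x01) clear, and the address must
be unique on the L2 segment.
"""
import re

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def parse_mac(mac: str) -> bytes:
    """Six octets from aa:bb:cc:dd:ee:ff; raises on anything else."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(mac.replace(":", ""))


def is_local_unicast(mac: str) -> bool:
    """True when bit 1 of the first octet is set (locally administered) and
    bit 0 is clear (unicast), i.e. the first octet ends in 2, 6, A or E."""
    return parse_mac(mac)[0] & 0b11 == 0b10


def local_unicast_from(master_mac: str, index: int) -> str:
    """Derive a locally administered unicast MAC for virtual AP number
    `index` from the master radio's MAC. Convention assumed here: set the
    U/L bit, clear the group bit, add `index` to the last octet."""
    if not 1 <= index <= 255:
        raise ValueError("index must be 1..255")
    b = bytearray(parse_mac(master_mac))
    b[0] = (b[0] | 0x02) & 0xFE
    b[5] = (b[5] + index) & 0xFF
    return ":".join(f"{x:02X}" for x in b)


def check_segment(physical: dict, virtual: dict) -> list:
    """Problems for one L2 segment, given {name: mac} for hardware
    interfaces and for virtual APs whose mac-address was set by hand."""
    problems = []
    for name, mac in virtual.items():
        if not is_local_unicast(mac):
            problems.append(f"{name}: {mac} is not a locally administered unicast address")
    owners = {}
    for name, mac in {**physical, **virtual}.items():
        key = parse_mac(mac).hex()          # case-insensitive comparison
        if key in owners:
            problems.append(f"{name}: {mac} duplicates {owners[key]}")
        else:
            owners[key] = name
    return problems


# Constructed sample segment: two radios and the router's trunk port, plus
# three virtual APs (one on another AP in the same L2 domain).
PHYSICAL = {
    "RadioA": "6C:3B:6B:7D:55:81",
    "RadioB1": "6C:3B:6B:7D:55:82",
    "router-ether5": "6C:3B:6B:7D:55:90",
}
VIRTUAL = {
    "VirtualRadioB2": "01:00:00:00:00:00",        # group bit set: invalid
    "VirtualRadioB3": "6E:3B:6B:7D:55:82",        # valid form
    "other-AP-VirtualRadio": "6E:3B:6B:7D:55:82",  # valid form, but a duplicate
}

if __name__ == "__main__":
    for line in check_segment(PHYSICAL, VIRTUAL):
        print(line)
    print("suggested for VirtualRadioB2:", local_unicast_from(PHYSICAL["RadioB1"], 1))
```

Run it against the MACs from `/interface wireless print` of every AP on the segment, not just one device: the uniqueness check is only meaningful across the whole L2 domain.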
While all of the VLAN logic for ether ports is configured on the bridge, it's not for all other ports. When other ports are made members of a bridge, the bridge only performs ingress and egress filtering but not tagging or untagging; that's up to that port to do (if it can). So, for wifi devices (ports), using vlan-mode=use-tag vlan-id=XY is the same as setting pvid on an ether port (ingress tagging) and making that port an untagged member of the VLAN (egress untagging).

a. All VLANs are automatically considered as PVID on the radio they are on and ingress filtering applied (the key is in the wireless line to have vlan-mode=use-tag).

Can one conclude that vlan-mode=use-tag is equivalent on a router to:
- add bridge=Bridge1 interface=ether2 untagged=eth3 pvid=10 ingress-filtering=yes?? OR just
- add bridge=Bridge1 interface=ether2 untagged=eth3 pvid=10??
(assuming a router ether port attached on eth3 to a computer that you want on VLAN 10).
b. The bridge on a MikroTik AP does not need to be tagged on /interface bridge vlan rules as it is assumed that it already is???
Thus add bridge bridge=bridge1 tagged=eth2,RADIO vlan-id=20 on an AP device is equivalent to
bridge=bridge1 tagged=bridge1, eth2, vlan-id=20 on a router device??

Note that bridge in ROS has twin personality:

If a device/port doesn't know anything about VLANs (e.g. PPPoE or VPN or ...) and should become a member of a VLAN group, one has to play with VLAN interfaces. Example of having a pppoe interface member of VLAN ID=42:

/interface bridge
add name=bridge comment="Common bridge, all VLANs tagged"
add name=bridge42 comment="VLAN42 untagged"
/interface vlan
add interface=bridge name=vlan42 vlan-id=42 comment="VLAN42 on bridge"
/interface bridge port
add bridge=bridge42 interface=vlan42
add bridge=bridge42 interface=pppoe1-out

Would this be the same as VLAN setup against an Ethernet interface on RouterOS<6.41?

Hmmm ... I guess so. I've been using the bridge as a dumb switch in ROS<6.41 and I've configured VLAN specific stuff in the /interface ethernet switch config sub-tree for ethernet interfaces. I've never used more than one bridge on my single-switch-chip devices to span different ether ports that were members of the same VLAN. In that case, the bridge did not have any VLAN filtering functionality, so I had to be extra careful to have all member interfaces properly configured. The switch chip has its own filtering functionality (vlan-mode in /interface ethernet switch port), wireless interfaces as well, VLAN interfaces by definition.