adibo
just joined
Topic Author
Posts: 10
Joined: Sun Dec 30, 2018 4:12 pm

VLAN setup - help needed

Sun Dec 30, 2018 4:42 pm

Hi All,
I've just purchased a cAP ac and am trying to configure it to my needs.

What I'm hoping to achieve is to have an AP with two distinct WiFi networks, one in each band (wlan1 in 2.4GHz, wlan2 in 5.0GHz), each having different security profiles (done) and connected to a different VLAN. The AP is behind a switch. The switch is connected to a router, which is also serving as a DHCP server for each VLAN.
The problem is that when I manage to have the wifi working as I expect, I don't have access to the AP. If I do have access to the AP, I don't have both wlans working (only one assigns a correct DHCP address, while the other does not).

So far, I tried using /interfaces configuration such that VLAN Mode is enabled (for both wlans) and VLAN ID is set to an appropriate value (e.g. for the sake of completeness: wlan1 is to be on VLAN ID 10, while wlan2 - VLAN ID 20).
I can have the wifi working (on both interfaces!) when I set PVID to the respective VLAN ID for each of the ports in the bridge port settings (i.e. wlan1 - PVID = 10, wlan2 - PVID=20). However, this seems to work only if both VLANs are marked as "tagged" on the switch port connected to the AP (that is, the switch between the AP and the router). However, if both wlans work, I lose access to the AP itself (via ether1) - the AP itself should get an IP from the DHCP server from the VLAN ID 10, but is not reachable.

Alternatively, I am able to access the AP (via ether1), but then I don't seem to have any IP assigned for a client on wlan1 (this happens when I set VLAN 10 as untagged on the switch - the switch between the AP and the router). In this case wlan2 works (it has the switch port for VLAN 20 set as `tagged`), but wlan1 - does not.

What am I missing?
I don't consider myself an expert in networking, but I hope to learn something along the way.
Any help would be much appreciated.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup - help needed

Mon Dec 31, 2018 5:27 am

I have something similar.............. Hex Router, attached to one un-managed switch to a Cap AC#1 and through a managed switch to another Cap AC#2
On each cap, wlan1 is 2ghz on vlan
On each cap wlan2 is 5ghz Not on VLAN (house users)
On each cap I have a virtual WLAN running off WLAN2, these are on VLANS for guests.

ether2 is my trunk port on the hex
ether1 is my trunk port on both capACs

If you post your router config and your cap ac config I may be able to help you get there.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN setup - help needed

Mon Dec 31, 2018 9:22 am

What am I missing?
Probably most of VLAN config on both cAP and router (which type of device is it?).

As @anav suggested, post config (of both units) and give us some information about the managed switch (how you configured it).
 
adibo
just joined
Topic Author
Posts: 10
Joined: Sun Dec 30, 2018 4:12 pm

Re: VLAN setup - help needed

Mon Dec 31, 2018 2:59 pm

@all: thanks for your interest in helping me out!

The setup is:
router (ASUS RT-N66U with Tomato firmware) <===> switch (TP-Link TL-SG108E) <===> AP (MikroTik cAP ac)
Note: in my initial description I used VLAN ID 10 and 20, while in the actual (current) setup I use 10 and 11 (will probably change it when things settle - the IDs in themselves are not that relevant for the problem at hand). But, to stay on the same page, for now let's use 10 and 11 (as you will see, there are also: 1 and 12).

@router
A screenshot of the VLAN config is included in the attachment. The config has not been changed. I don't intend to change that unless necessary.
router_vlan_setup.png
@switch
While working on the setup, I play around with the 802.1Q VLAN Configuration section, so this may have changed from my initial description (i.e. tagged/untagged ports for VLAN 1, 10 and 11).
Port 8 of the switch is the port connected to the AP, while the router is on Port 1. The rest of the ports are used by other equipment in my network, but I guess this is not relevant for this setup. A screenshot (of the current config) is included.
switch_vlan_setup.png
LAN PVID settings:
Port 1: 1, Port 8: 10

@AP
Here things get changed most often, as I am playing around with the settings.
Since my initial post, I found and tried to follow the Basic_VLAN_switching guide.
So far, no success in getting the setup to work, though.
Here are the settings that are, I hope, relevant for the case.

/interface wireless (only VLAN-relevant settings)
0	name="wlan1" vlan-mode=use-tag vlan-id=11
1	name="wlan2" vlan-mode=use-tag vlan-id=10
/interface bridge port print
 #     INTERFACE                       BRIDGE                      HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H ;;; defconf
       ether1                          bridge                      yes    1     0x80         10                 10       none
 1 I H ;;; defconf
       ether2                          bridge                      yes    1     0x80         10                 10       none
 2 I   ;;; defconf
       wlan1                           bridge                            11     0x80         10                 10       none
 3 I   ;;; defconf
       wlan2                           bridge                            10     0x80         10                 10       none

/interface vlan print
 #   NAME                                         MTU ARP             VLAN-ID INTERFACE                                      
 0 R vlan1                                       1500 enabled               1 bridge                                         
 1 R vlan10                                      1500 enabled              10 bridge                                         
 2 R vlan11                                      1500 enabled              11 bridge                                         
/interface ethernet switch vlan print
 #   SWITCH                                                   VLAN-ID PORTS                                                  
 0   switch1                                                       10 ether1                                                 
 1   switch1                                                       11 ether1                                                 
 2   switch1                                                        1 ether1                                                 
                                                                      switch1-cpu                                            
/ip address print
 #   ADDRESS            NETWORK         INTERFACE                                                                            
 0 D 192.168.198.20/24  192.168.198.0   bridge                                                                               
 1   192.168.198.21/24  192.168.198.0   vlan1                                                                                
/interface ethernet switch port
 #   NAME                                   SWITCH                                   VLAN-MODE VLAN-HEADER    DEFAULT-VLAN-ID
 0   ether1                                 switch1                                  secure    add-if-missing            auto
 1   ether2                                 switch1                                  disabled  leave-as-is               auto
 2   switch1-cpu                            switch1                                  secure    leave-as-is               auto
That's about it. Currently not able to obtain an IP from either wlan0 or wlan1. I am able to connect to the AP via ether1 on 192.168.198.21 (or on 20).

Hope the above helps. Let me know if more is needed. Thanks in advance!
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN setup - help needed

Mon Dec 31, 2018 4:53 pm

A few things:
  • Don't use VLAN 1 in Mikrotik. Mostly it is synonymous with untagged, but you really don't want to mix tagged VLAN 1 and untagged, it makes a mess of the configuration.
  • Stay away from settings in /interface ether switch ... while it is still legitimate to configure VLANs there, the new way (/interface bridge vlan) is the recommended way to go. Remove any configuration you have in /interface ethernet switch ...
  • If you're going to have management access via some VLAN, you'll have to configure it properly.
Something like this (I'll just ignore VLAN ID 1 altogether):
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1 #connected to switch port 8
add bridge=bridge interface=ether2 #add VLAN settings as required, i.e. pvid=10 for  access port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wlan1
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wlan2
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,wlan1 vlan-ids=10 # add untagged=ether2 if ether2 is access port for this VLAN
add bridge=bridge tagged=ether1,wlan2 vlan-ids=11
/interface vlan
add interface=bridge name=vlan-10 vlan-id=10
The example above assumes management access to mikrotik will be on vlan-10, so you have to add L3 setup (either static IP address or DHCP client) to the vlan-10 interface. If you actually want management access via some other VLAN, then adjust the configuration accordingly. It is possible to throw untagged LAN on the bridge into the mix, but I don't like it and will not provide an example.
N.B.: only add the bridge as a tagged member for particular VLAN(s) where the bridge will run L3 traffic. For only forwarding traffic between ether ports and wlans, the bridge doesn't have to be a member of that VLAN.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup - help needed

Mon Dec 31, 2018 5:15 pm

Well, whatever you set up on the TP-Link switch, it should be a trunk port to the capAC.
I cannot help with the tp switch or router in any detail.
When programming the capAC, I use winbox, use the safe mode near the top left when making any changes.

I will post my capAC setting so you can get a flavour.
Note that the default setup of the capAC is a great starting place and I had to adjust very few items. Checking quickset, the capAC is in AP WISP mode.
I use a bridge approach!

/interface bridge
add admin-mac=xx.xx.xx.xx.xx auto-mac=no comment=defconf name=\
yourbridgename vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] disabled=yes speed=100Mbps
/interface vlan
# this vlan is for my AC guest wifi on vlan200 using a virtual WLAN off the main WLAN2
add interface=yourbridgename name=Guests_WIFI-v200 vlan-id=200
# this vlan is for my 2.4Ghz main WLAN1 for smart devices
add interface=yourbridgename name=Wifi_SDevices_cap2 vlan-id=45
# not required
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=\
dynamic-keys name=Hallway_wifi supplicant-identity="" wpa-pre-shared-key=\
....... wpa2-pre-shared-key=.........
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=\
dynamic-keys name=devices_only supplicant-identity="" \
wpa2-pre-shared-key=.........
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=\
dynamic-keys name=HouseGuestsSecurity supplicant-identity="" \
wpa2-pre-shared-key=...............
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=canada disabled=no \
distance=indoors frequency=2442 mode=ap-bridge name=SmartDevices \
security-profile=devices_only ssid=Devices2 vlan-id=45 vlan-mode=use-tag \
wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-Ceee\
country=canada disabled=no mode=ap-bridge name=House5G \
security-profile=Hallway_wifi ssid=SmartPhones wireless-protocol=\
802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=xx:xx:xx:xx:xx \
master-interface=House5G multicast-buffering=disabled name=VisitorWIFI \
security-profile=HouseGuestsSecurity ssid=Guest_Wifi vlan-id=200 \
vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
# ether2 is not connected so not used
add bridge=yourbridgename comment=defconf interface=ether1
add bridge=yourbridgename comment=defconf interface=SmartDevices
add bridge=yourbridgename comment=defconf interface=House5G
add bridge=yourbridgename interface=VisitorWIFI trusted=yes
/interface bridge vlan
add bridge=yourbridgename tagged=SmartDevices,ether1 vlan-ids=45
add bridge=yourbridgename tagged=ether1,VisitorWIFI vlan-ids=200
# not required but I put it anyway
/interface list member
add interface=ether1 list=WAN
add interface=yourbridgename list=LAN
add interface=Wifi_SDevices_cap2 list=LAN
add interface=Guests_WIFI-v200 list=LAN
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
yourbridgename
/system clock
set time-zone-name=America/Halifax
/system leds settings
set all-leds-off=immediate
/system logging
add topics=wireless,debug
/system routerboard settings
set silent-boot=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
 
adibo
just joined
Topic Author
Posts: 10
Joined: Sun Dec 30, 2018 4:12 pm

Re: VLAN setup - help needed

Fri Jan 04, 2019 10:17 am

Hi @mkx, @anav!

Thank you! Your hints seem to solve my case. :)
I reset the AP to factory settings, then followed your guidance (@mkx).
I still had to set "VLAN mode" and "VLAN ID" for both wlans. With this small adjustment it worked like a charm!
I also set the IP for one of the VLANs for management access.
Again, thank you for your efforts and your very helpful hints!

I am still planning to cleanup my VLANs a bit, so that no VLAN ID = 1 will be used. Need to find a time slot for that, though :)
 
adibo
just joined
Topic Author
Posts: 10
Joined: Sun Dec 30, 2018 4:12 pm

Re: VLAN setup - help needed

Fri Mar 08, 2019 2:53 pm

IMPORTANT UPDATE
After update to RouterOS 6.44 the config does not work anymore!
In an attempt to resolve the issue myself, I tried to reset the cAP and reconfigured following the guidance as given in the posts above.
So far, no luck... (not able to get IP from DHCP server)

So, here it is, again, the setup:
drawio__kielczow_network_diagram.png
The configuration of R1 and SW1 are exactly as described before (see there, no changes).
So far, my approach was:
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=home ssid=home wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=office ssid=office wireless-protocol=802.11

/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wlan1
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wlan2

/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,wlan1 vlan-ids=10
add bridge=bridge tagged=ether1,wlan2 vlan-ids=12

/interface vlan
add interface=bridge name=vlan10 vlan-id=10
Questions:
For /interface wireless should I also set VLAN Mode and VLAN ID accordingly?
Should I add vlan-filtering=yes in /interface bridge (as indicated in https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless)?
Anything else I am missing?
What should be the correct cAP configuration for RouterOS version 6.44 and this setup?

I'll continue to experiment, but any suggestions to point me in the right direction would be most welcomed!
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN setup - help needed

Fri Mar 08, 2019 3:35 pm

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=home ssid=home wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=office ssid=office wireless-protocol=802.11

/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wlan1
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wlan2

You either have to set vlan-mode and vlan-id on wireless interfaces in /interface wireless (let's say that's old school)

or

configure wireless interfaces as untagged access ports in /interface bridge config tree something like this:
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=10 interface=wlan1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=12 interface=wlan2
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=wlan1 vlan-ids=10
add bridge=bridge tagged=ether1 untagged=wlan2 vlan-ids=12
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup - help needed

Fri Mar 08, 2019 4:19 pm

Almost there.
USE AP-WISP Mode.
Statically assign an IP on the vlan10 network.

Use bridge ports for ingress
Use interface bridge vlan for egress
Such that:
(1) from
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wlan1
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wlan2
to
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=12

(2) from
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,wlan1 vlan-ids=10
add bridge=bridge tagged=ether1,wlan2 vlan-ids=12
to
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=wlan1 vlan-ids=10
add bridge=bridge tagged=ether1 untagged=wlan2 vlan-ids=12

(3) from
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
to
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan12 vlan-id=12

(4) Missing Bridge definition
/interface bridge
add name=bridge vlan-filtering=yes

(5) in winbox settings ensure you have ip services winbox list setup appropriately
(6) in tools ensure you have mac winbox server setup appropriately

@MKX two questions:
a. why are you tagging the bridge on the CapAC (for VLAN1)??? (okay I see, for the unit to be manageable from the base vlan the basevlan has to be tagged on bridge.)
b. why are you not tagging the bridge for both vlans on capac?? (nevermind)
 
adibo
just joined
Topic Author
Posts: 10
Joined: Sun Dec 30, 2018 4:12 pm

Re: VLAN setup - help needed

Fri Mar 08, 2019 5:41 pm

Thanks guys for the swift reply!

@mkx
If I go for any of the proposed approaches, I am able to obtain IP on both wlan1/wlan2 but the IP I get is always from the same pool (supposedly to be associated only with vlan10).
Of course the goal would be to have one IP pool dedicated for vlan10 and the other for vlan12.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup - help needed

Fri Mar 08, 2019 8:10 pm

Adibo post your latest config
/export hide-sensitive file=yourlatestconfig
 
adibo
just joined
Topic Author
Posts: 10
Joined: Sun Dec 30, 2018 4:12 pm

Re: VLAN setup - help needed

Fri Mar 08, 2019 8:38 pm

@anav:
Thanks! :)

I reset the cAP and followed your guidance.
Below the most recent config (small change: VLAN10 on wlan2, VLAN12 on wlan1 - should be irrelevant):
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=home ssid=home wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=office ssid=office wireless-protocol=802.11

/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=12
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=10

/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=wlan2 vlan-ids=10
add bridge=bridge tagged=ether1 untagged=wlan1 vlan-ids=12

/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan12 vlan-id=12
Still the same effect - I got the same IP, no matter if on wlan1 or wlan2.
...and since no solution seems to work, I'm wondering if this is a cAP related or rather router/switch issue...?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN setup - help needed

Fri Mar 08, 2019 9:00 pm

On cAP ac wlans are properly separated. What happens outside cAP ac is a matter of switch and R1 configs ...

If the screenshot of switch config is current, then you have a mess there. Example: port 8 is set as untagged member of multiple VLANs. That just can't work right ... if port 8 is indeed used to connect cAP ac, then it has to be tagged for VIDs 10 and 12.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup - help needed

Fri Mar 08, 2019 10:52 pm

MKX is usually correct! I see nothing wrong with your capac config.
Post your switch settings if you can.........
 
adibo
just joined
Topic Author
Posts: 10
Joined: Sun Dec 30, 2018 4:12 pm

Re: VLAN setup - help needed

Sat Mar 09, 2019 1:29 pm

OK, so let's have a look at other network elements.

@router:
2019-03-09__router__vlan__config.png
@switch:
2019-03-09__switch__vlan_config.png
2019-03-09__switch__pvid_config.png

Note: VLAN ID 12 is now replaced by VLAN 11, also at cAP;
(so we now have VLAN 10 and VLAN 11, instead of VLAN10 and VLAN12)

Observations:
  • I'm able to access cAP via its ether1 (so I get access to WebFig via wire)
  • I'm able to connect to cAP via wifi (wlan1 or wlan2) and obtain IP address (always from VLAN 10 DHCP pool), no Internet access though
  • If I change Port8@SW1 to "untagged" for VLAN 10, I get the Internet access when connected to cAP via wlan1 or wlan2 (but IP remains from VLAN10 DHCP pool, no matter if connected via wlan1 or wlan2)

Does it make any sense...?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup - help needed

Sat Mar 09, 2019 5:08 pm

My guess is that your TPLINK switch is not set up correctly.
Clearly
port8 is a trunk port that requires tagged 10,11
Port1 is a trunk port that requires tagged 10,11

The only other ports that require tagging of vlans 10,11 would be other trunk ports on the switch.
The only other ports that require untagging of vlans 10,11 would be access ports (to devices on the vlans that cannot assign vlans themselves like pcs or printers)

I would suggest deleting vlan=1 but if you cannot, DON'T TAG OR UNTAG any ports. You may just have to leave the setting of member of ports 1-8.
Port 8 GET RID OF PVID setting. There should be none, it's a trunk port.
Port 1 GET RID OF PVID setting. There should be none, it's a trunk port.

I gather ports 2-4 go to devices on vlan10 that are described above, pcs or printers on vlan10 right??
I gather ports 5-7 go to devices on vlan11 that are described above, pcs or printers on vlan11 right??
 
adibo
just joined
Topic Author
Posts: 10
Joined: Sun Dec 30, 2018 4:12 pm

Re: VLAN setup - help needed

Sat Mar 09, 2019 7:32 pm

Thanks for all the explanations! :)
What I've tried to do/clean in the meantime:
  • make "tagged" ports for trunk ports only
  • make "untagged" ports used for vlan-unaware equipment (no trunk ports)
Here is the updated setup (which seems to work!)

@switch
  • changed port tagging: tagged only trunk ports (1,8), rest is left untagged (@anav: yes, they're used for other devices in both vlan10 and vlan11, respectively)
  • could not delete vlan1 (delete is disabled for vlan1)
  • set port8 as "non member" for vlan1 (the options are: untagged / tagged / not member), tagged member of vlan10 and vlan11
  • it's not possible not to assign any PVID to a port (no such option), so I assigned PVID 1 to Port8
Screenshot from 2019-03-09 17-59-24.png
Screenshot from 2019-03-09 18-00-25.png

@cAP

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=home ssid=home wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=office ssid=office wireless-protocol=802.11

/interface bridge
add admin-mac=xxxxxxx auto-mac=no comment=defconf fast-forward=no name=bridge vlan-filtering=yes

/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=11
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=10

/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=wlan2 vlan-ids=10
add bridge=bridge tagged=ether1 untagged=wlan1 vlan-ids=11

/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan11 vlan-id=11

The above seems to work fine, meaning: an IP from correct DHCP pool is being assigned for both wlan1 and wlan2.
Can you confirm that the setup as above actually makes sense?

One more thing, just to be certain:
how to assign IP to cAP, so that I have access to it (e.g. via WebFig)?
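
Added example (not part of the thread and not MikroTik code): a small Python audit that checks a RouterOS export against the bridge VLAN rules mkx explains above, run on two exports constructed from the configs posted in this thread. The finding codes and the "add name=bridge" line in the first sample are assumptions of the example.

```python
import shlex
from collections import defaultdict

def parse_export(text):
    """Parse RouterOS export text into {menu: [property dict per add/set line]}."""
    menus, menu = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        menus[menu].append(dict(t.split("=", 1) for t in shlex.split(line) if "=" in t))
    return menus

def members(value):
    """Split a comma list such as tagged=bridge,ether1 (ID ranges are not handled)."""
    return set(filter(None, (value or "").split(",")))

def audit(text):
    """Return (code, subject) findings for the bridge VLAN rules discussed in the thread."""
    m = parse_export(text)
    wifi = {w.get("name") or w.get("default-name"): w for w in m["/interface wireless"]}
    ports = {p["interface"]: p for p in m["/interface bridge port"]}
    vlans = m["/interface bridge vlan"]
    bridges = {p["bridge"] for p in ports.values()}
    filtering = {b.get("name") for b in m["/interface bridge"]
                 if b.get("vlan-filtering") == "yes"}
    findings = []
    # 1. pvid, frame-types and the VLAN table only take effect with vlan-filtering=yes.
    for br in sorted(bridges - filtering):
        findings.append(("NO_VLAN_FILTERING", br))
    # 2. Access port: the VLAN it egresses untagged must be its ingress VLAN (pvid).
    for v in vlans:
        for port in sorted(members(v.get("untagged"))):
            if ports.get(port, {}).get("pvid", "1") not in members(v.get("vlan-ids")):
                findings.append(("PVID_MISMATCH", port))
    # 3. Clients send untagged frames, so a tagged-only wlan port drops them unless
    #    the wireless interface adds the tag itself (vlan-mode=use-tag).
    for name, p in sorted(ports.items()):
        tags_itself = wifi.get(name, {}).get("vlan-mode") == "use-tag"
        if name in wifi and not tags_itself and p.get("frame-types") == "admit-only-vlan-tagged":
            findings.append(("TAGGED_ONLY_WLAN", name))
    # 4. A VLAN interface on a filtering bridge is reachable only if the bridge
    #    itself (the CPU port) is a tagged member of that VLAN.
    cpu_vlans = {(v.get("bridge"), vid) for v in vlans
                 if v.get("bridge") in members(v.get("tagged"))
                 for vid in members(v.get("vlan-ids"))}
    for vif in m["/interface vlan"]:
        key = (vif.get("interface"), vif.get("vlan-id"))
        if key[0] in filtering and key not in cpu_vlans:
            findings.append(("VLAN_IF_UNREACHABLE", vif.get("name")))
    return findings

# Constructed sample modelled on the first attempt after the 6.44 upgrade
# (the bridge line without vlan-filtering is an assumption; the post shows none).
BROKEN = """
/interface bridge
add name=bridge
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge ssid=home
set [ find default-name=wlan2 ] mode=ap-bridge ssid=office
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wlan1
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wlan2
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,wlan1 vlan-ids=10
add bridge=bridge tagged=ether1,wlan2 vlan-ids=12
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
"""

# Constructed sample modelled on the final working config (VLAN 10 and 11).
FIXED = """
/interface bridge
add name=bridge vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge ssid=home
set [ find default-name=wlan2 ] mode=ap-bridge ssid=office
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=10
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=wlan2 vlan-ids=10
add bridge=bridge tagged=ether1 untagged=wlan1 vlan-ids=11
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan11 vlan-id=11
"""

if __name__ == "__main__":
    for label, cfg in (("first attempt", BROKEN), ("final config", FIXED)):
        print(label, audit(cfg))
```

On the final config the only finding is vlan11: the bridge is not a tagged member of VLAN 11, so that interface carries no traffic and the AP is managed from VLAN 10 only.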
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup - help needed

Sat Mar 09, 2019 7:52 pm

Well, if it works, it works; don't touch it LOL.
Check the quickset settings.
It should show the capac has a lanip on the vlan10 subnet.
To ensure access, you would most likely have to be at a computer on the vlan10 subnet.

In capac settings......
(1) Go to IP Services
Ensure WINBOX allows connectivity to at least vlan10 subnet

(2) Go to TOOL - MAC SERVER
Allow the appropriate interface called capwinaccess which we will create below!

Since only the basic list is provided, I suggest going to the interface list and creating a new one.
When you go to the capac INTERFACE menu selection, select the second tab "interface lists"
There you will see the PLUS sign**** to add a new interface list member and the current lists are accessed by a box that says "Lists" to the right of the plus symbol.
Click on the Lists Box and from its PLUS sign create a new one - call it capwinaccess (do not include or exclude anything, keep them blank and hit apply)

Then after hitting apply and okay you will see the choice capwinaccess, it should be available/visible.
Then go back one step to the interface Lists TOP Menu tab choice (second from the left)
Hit the plus sign**** to add new interface list members to available list choices!!

Select capwinaccess as the List choice
Select vlan10 as the Interface choice.
 
adibo
just joined
Topic Author
Posts: 10
Joined: Sun Dec 30, 2018 4:12 pm

Re: VLAN setup - help needed

Sun Mar 10, 2019 1:21 pm

Great and thanks!
So, when it works, it works :)
(I still intend to touch it and add another vlan for guest access, though)

I tried to follow your instructions for ensuring connectivity:
(1) Winbox connectivity seems there (winbox port accessible from external host when on vlan10, of course)
(2) I created capwinaccess, so the setup now includes:
/interface list
add name=capwinaccess
/interface list member
add interface=vlan10 list=capwinaccess
but when I then go to QuickSet IP address is still empty.
Could the problem be that I also have defined for vlan10 in /ip addresses?

Another issue (related?) which I just found out about is that while attempting to check if there are any updates available (system package), I get
ERROR: could not resolve dns name
I tried to add google DNS in ip dns, but so far no effect.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN setup - help needed

Sun Mar 10, 2019 1:52 pm

Don't ever go back to QuickSet. It's not meant to deal with advanced setups such as yours (which includes VLANs).

Re updates: it has to do with DNS service, default route and/or firewall. Closely inspect all related settings (on your main router as well) and if you're not entirely sure they are right come back with a question.
 
mozerd
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: VLAN setup - help needed

Sun Mar 10, 2019 2:32 pm

Don't ever go back to QuickSet. It's not meant to deal with advanced setups such as yours (which includes VLANs).
AMEN ! amen and another AMEN. IMO QuickSet should NOT exist for Routers branded MikroTik .... for dummyTik yes or if QuickSet is used with a CAVEAT that ALL advanced functionality is now disabled :-) ... You cannot have your CAKE and Eat IT --- not in the MikroTik world of RouterOS :-)
 
adibo
just joined
Topic Author
Posts: 10
Joined: Sun Dec 30, 2018 4:12 pm

Re: VLAN setup - help needed

Sun Mar 10, 2019 2:46 pm

Guys, easy ;)
I only checked QuickSet (as suggested above), but I did not and do not have any intention to do any changes there!
All the changes were and are going to be made ONLY via WebFig or Terminal.
We are on the same page here! :)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup - help needed

Sun Mar 10, 2019 3:33 pm

Guys, easy ;)
I only checked QuickSet (as suggested above), but I did not and do not have any intention to do any changes there!
All the changes were and are going to be made ONLY via WebFig or Terminal.
We are on the same page here! :)
Right on adibo!
So the question is what IP address does the capAC get?
It needs one!!
So I checked quickset, hahahaha
and it has under BRIDGE settings...... my lanip for the capac.
Set to get dhcp automatically, address source any,
I checked my IP address setting and it has a dynamic setting of my capac lanip and associated network associated to my bridge.
I think it was defaulted to ether2 for some strange reason in the past and it looks like I disabled that....

As far as DNS.
I have allow in-interface-list=LAN access to port 53 udp and tcp on input chain
I have allow remote dns in IP DNS with several standard dns servers noted google, opendns etc........
I have each dhcp-server network set to having both the gateway and dns server the same.
Thus each user should get sent to the router to get DNS which is getting it from your list.........
Not sure why you are not getting any??
Oh right you are not using MT router, my bad............. NO friggen idea LOL.
