lasjak
just joined
Topic Author
Posts: 12
Joined: Thu Mar 12, 2020 9:05 pm

Problem with obtaining IP while connecting to WiFi set up with VLAN

Sat Mar 21, 2020 12:40 am

Hello,

I am trying to set up wireless networks that will be separated using VLANs. After following a VLAN tutorial I had found on this forum, I thought I would be able to configure a new SSID "clck" on a separate VLAN. The issue is my devices don't obtain an IP while connecting to this network.
My goal for now is to have a default network (and WiFi) without VLAN tags + the new WiFi network ("clck") belonging to a VLAN.
This seems to be a fairly simple configuration, but I am new to networking and not 100% sure what I am doing :)

I have attached configuration of my router and AP (they're separate). What am I missing there?

Thanks for any help!
 
anav
Forum Guru
Posts: 3661
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Problem with obtaining IP while connecting to WiFi set up with VLAN

Sat Mar 21, 2020 2:50 pm

Your router setup is in error.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.1.1/24 interface=clck_vlan network=192.168.1.0

makes no sense as you attached the vlan to the bridge.

Please decide why you have two subnets and the disconnects.
Suggest you create vlan10 and put the 192.168.1.0 network as that vlan and reconfig your network.

Not sure what ref you used but it sure wasn't this one - the gold standard.
viewtopic.php?f=13&t=143620

Once you fixed up the router, then we can move on to the AP..........
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
anav
Forum Guru
Posts: 3661
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Problem with obtaining IP while connecting to WiFi set up with VLAN

Sat Mar 21, 2020 5:37 pm

For the AP, I would use a different bridge name just to keep things distinct in the mind when reviewing configs.

Confused by the purpose of this line??
add mac-address=CE:2D:E0:FB:35:40 master-interface=wlan_2g name=iot ssid=sh-iot vlan-id=10 wds-default-bridge=bridge wps-mode=\
disabled

and by these lines.........
/interface wireless
add disabled=no hide-ssid=yes mac-address=CE:2D:E0:FB:35:3F master-interface=wlan_2g name=clck_2g security-profile=clck_security \
ssid=clck vlan-id=20 wds-default-bridge=bridge wps-mode=disabled
add disabled=no hide-ssid=yes mac-address=CE:2D:E0:FB:35:41 master-interface=wlan_5g name=clck_5g security-profile=clck_security \
ssid=clck vlan-id=20 wds-default-bridge=bridge wps-mode=disabled

Highly suggest you read the ref in my first post for both the router config and the separate AP config.
Then will have a look at a new revamped config.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
lasjak
just joined
Topic Author
Posts: 12
Joined: Thu Mar 12, 2020 9:05 pm

Re: Problem with obtaining IP while connecting to WiFi set up with VLAN

Sun Mar 22, 2020 8:30 pm

anav, thank you for taking time and reviewing my configs. I will reconfigure my devices from scratch with more meaningful interface names.

Before I start though, I need to ask if it makes sense to have the base network without any VLAN tags and have it isolated from VLAN traffic. I assume firewall rules can make this happen.
I am asking, because I have read my devices don't support hardware acceleration for VLAN traffic, and I would like to avoid performance hit connected with it at least for some of the traffic.

After taking a look at router config from the topic you referenced (Switch with a separate router (RoaS) example) I can see there is something similar done with addresses as in my configuration:
/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=10
/ip address add interface=BLUE_VLAN address=10.0.10.1/24

Does it make sense there because all subnets are on VLAN?
 
anav
Forum Guru
Posts: 3661
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Problem with obtaining IP while connecting to WiFi set up with VLAN

Mon Mar 23, 2020 4:34 am

There are many ways to configure things, my base lan is also a vlan (I have many vlans). Yes to your question..... assuming BR1 is the bridge.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
lasjak
just joined
Topic Author
Posts: 12
Joined: Thu Mar 12, 2020 9:05 pm

Re: Problem with obtaining IP while connecting to WiFi set up with VLAN

Tue Mar 24, 2020 1:19 am

I have updated both router's and AP's configuration. There are 3 subnets:
- the default one (base) that is not a VLAN (192.168.0.X)
- guest VLAN (192.168.20.X)
- iot VLAN (192.168.30.X)
VLANs should be completely separated and only connect to the Internet.

After my changes, I cannot connect to any of the VLAN ssids when security profile is set (on the default wlan interfaces for 2g and 5g I have profiles with security mode = none). When I have set security mode to none I was able to connect to VLAN network, but I was also able to ping 192.168.20.1 while being connected to 30.X network. Connection to the Internet works fine.

What should I modify in configuration to fix these issues?
 
anav
Forum Guru
Posts: 3661
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Problem with obtaining IP while connecting to WiFi set up with VLAN

Tue Mar 24, 2020 4:20 am

There are a few issues I see in both configs.
The problem I have is that it is not clear what ports are connected to what, and if your base vlan is supposed to be on the access point at all.
There is no home wifi??

(1) Router config.
Looks like two vlans on the bridge
You assign the bridge the responsibility of handing out DHCP and thus the base LAN is on the bridge.
/ip dhcp-server
add address-pool=default_pool disabled=no interface=bridge_r name=default_dhcp
All ports except ether1 are on the bridge.
ETHER5 is the trunk port to the access point.

Error:
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2 network=192.168.0.0

Need to be changed to bridge_r !!

(2) Firewall forward chain rules............
There is nothing stopping vlan to vlan traffic from being routed at Layer 3 or from LAN to vlans and vice versa!!!!
You need to have probably four rules...........
- vlan a to vlan b drop
- vlan b to vlan a drop
- both vlans to LAN drop
- LAN to both vlans drop

I prefer this way
One rule at the end that states
add chain=forward action=drop comment="Drop all else!"
Any traffic not explicitly allowed above this rule will be dropped cold.

(3) I also note you are missing LAN to WAN traffic firewall rule in the forward chain. You do have the VLANs but you also need LAN.

(4). Need to turn on vlan filtering after making the above changes!!
/interface bridge
add admin-mac=C4:AD:34:44:04:D5 auto-mac=no comment=defconf name=bridge_r ???????????? missing!!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
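
An added example, not part of the post above and not the poster's actual configuration: one way the forward-chain approach from points (2) to (4) could look on the router. The VLAN interface names guest_vlan and iot_vlan, ether1 as the WAN port, and the router acting as DNS server for the VLANs are assumptions; bridge_r and the subnets come from the thread.

```routeros
# Added example. Assumed names: guest_vlan, iot_vlan (VLAN interfaces on bridge_r),
# ether1 = WAN. Replace with the real interface names before use.

/ip firewall filter
# Forward chain: traffic routed THROUGH the router.
add chain=forward action=accept connection-state=established,related comment="allow return traffic"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Each network may reach the internet and nothing else.
add chain=forward action=accept in-interface=bridge_r out-interface=ether1 comment="base LAN to WAN"
add chain=forward action=accept in-interface=guest_vlan out-interface=ether1 comment="guest to WAN"
add chain=forward action=accept in-interface=iot_vlan out-interface=ether1 comment="iot to WAN"
# vlan-to-vlan, vlan-to-LAN and LAN-to-vlan all fall through to this rule.
add chain=forward action=drop comment="Drop all else!"

# Input chain: traffic TO the router's own addresses. A ping to 192.168.20.1
# from a 192.168.30.x client is input traffic, so the forward rules above do
# not affect it. These rules must sit above any broader accept in the input chain.
add chain=input action=accept in-interface=guest_vlan protocol=udp dst-port=53,67 comment="guest: DNS/DHCP to router"
add chain=input action=accept in-interface=guest_vlan protocol=tcp dst-port=53 comment="guest: DNS over TCP"
add chain=input action=drop in-interface=guest_vlan comment="guest: nothing else to router"
add chain=input action=accept in-interface=iot_vlan protocol=udp dst-port=53,67 comment="iot: DNS/DHCP to router"
add chain=input action=accept in-interface=iot_vlan protocol=tcp dst-port=53 comment="iot: DNS over TCP"
add chain=input action=drop in-interface=iot_vlan comment="iot: nothing else to router"

# Enable VLAN filtering last, once bridge ports and the bridge VLAN table are
# complete; an incomplete table can cut off management access.
/interface bridge
set bridge_r vlan-filtering=yes
```

To check the result, connect a client to each VLAN SSID and confirm it gets a lease and internet access but cannot ping hosts in the other subnets or the router's addresses on them.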
 
anav
Forum Guru
Posts: 3661
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Problem with obtaining IP while connecting to WiFi set up with VLAN

Tue Mar 24, 2020 4:42 am

AP - Your wireless setup is confusing.
It seems like the intent is to have a 5G network that is your home wifi??
The other chain 2G is for guest wifi.
The virtual wifi off of the 2G is for iot devices.
Looks like eth1 is the trunk port attached to the router.
Looks like the home lan could be on eth2

(1) Where is the virtual 2g wlan bridgeport setting?
/interface bridge port
add bridge=bridge_ap comment=defconf interface=ether2
add bridge=bridge_ap comment=defconf interface=wlan_2g
add bridge=bridge_ap comment=defconf interface=wlan_5g
add bridge=bridge_ap frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=iot_wlan_2g pvid=30
add bridge=bridge_ap ingress-filtering=yes interface=ether1
add bridge=bridge_ap frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=guest_wlan_2g pvid=20
What it could look like........... (remove ingress filtering from wlans)
/interface bridge port
add bridge=bridge_ap interface=ether1 ingress-filtering=yes {trunk port from router}
add bridge=bridge_ap interface=ether2 comment=defconf
add bridge=bridge_ap interface=guest_wlan_2g frame-types=admit-only-untagged-and-priority-tagged pvid=20
add bridge=bridge_ap interface=iot_wlan_2g frame-types=admit-only-untagged-and-priority-tagged pvid=30
add bridge=bridge_ap comment=defconf interface=wlan_5g


(2) /ip address
add address=192.168.0.5/24 interface=ether2 network=192.168.0.0
I am assuming this is the IP address of the access point, but the interface is ether1 I......... (from your config it's ether1 that is the trunk port)
So replace with ether1

(3) /ip dhcp-client - DISABLE THIS............
# DHCP client can not run on slave interface!
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
lasjak
just joined
Topic Author
Posts: 12
Joined: Thu Mar 12, 2020 9:05 pm

Re: Problem with obtaining IP while connecting to WiFi set up with VLAN

Wed Mar 25, 2020 12:22 am

I have made changes you suggested and additionally removed most /ip entries from AP config, as it seems they are not needed. There are also changes to the wireless - you have pointed out I forgot about my home wifi, which is true. I created all wireless interfaces which I would like to use.

I still have issue with DHCP server visibility (?) from VLAN networks. IP is not being assigned when I try to connect to VLAN wireless. Is this a configuration problem on the router side?