Hi there,
I have a RB4011 with several cAP acs and I am using those devices to separate my network into different VLANs. All ports used of the RB4011 are configured as trunk ports connected to a managed switch. I built one bridge in the RB4011 containing all used physical ether-ports (except the WAN-port) and the cAP interfaces managed by CAPsMAN. The traffic between the different networks is filtered by the firewall.
Is it okay and best practice to use one big bridge for all networks or is there a better solution regarding performance, speed or security?
In the bridge configuration is the "Settings" button which leads to the parameters "Use IP Firewall" and "Use IP Firewall for VLAN". The wiki says "Send bridged VLAN traffic to also be processed by IP/Firewall." - I don't really understand that. Both parameters are inactive (default), but nevertheless traffic is filtered by the IP firewall. What are these additional parameters for?
Best regards,
cyb
Re: One bridge for VLANs or multiple?
Since you will use VLANs only one Bridge must be used...
Finally, IP Firewall filters Layer 3 Traffic...
The Bridge Firewall will filter Layer 2 Traffic... So all depends on what you want to achieve...
Finally, IP Firewall filters Layer 3 Traffic...
The Bridge Firewall will filter Layer 2 Traffic... So all depends on what you want to achieve...
Re: One bridge for VLANs or multiple?
But I could have used smaller bridges and could have bridged them to one bridge. So I made it right intuitively?
What would be an advantage of filtering Layer 2 traffic? Would it be better (performance) to filter traffic from VLAN A to VLAN B already on L2?
Best regards,
cyb
What would be an advantage of filtering Layer 2 traffic? Would it be better (performance) to filter traffic from VLAN A to VLAN B already on L2?
Best regards,
cyb
Re: One bridge for VLANs or multiple?
No. An interface can only be a member of one bridge, bridges can not be members of other bridges.
An old way of bridging VLANs was to create VLAN interfaces on ethernet ports, create a bridge per VLAN ID and attach the respective VLANs to bridges. This has various pitfalls, see https://wiki.mikrotik.com/wiki/Manual:L ... figuration
VLAN A to VLAN B traffic is inherently layer 3. You would use layer 2 filtering on traffic in the same VLAN between interfaces, port isolation or split horizon may be better - it depends what you are attempting to achieve.
An old way of bridging VLANs was to create VLAN interfaces on ethernet ports, create a bridge per VLAN ID and attach the respective VLANs to bridges. This has various pitfalls, see https://wiki.mikrotik.com/wiki/Manual:L ... figuration
VLAN A to VLAN B traffic is inherently layer 3. You would use layer 2 filtering on traffic in the same VLAN between interfaces, port isolation or split horizon may be better - it depends what you are attempting to achieve.
Re: One bridge for VLANs or multiple?
That sounds a bit confusing to me........No. An interface can only be a member of one bridge, bridges can not be members of other bridges.
An old way of bridging VLANs was to create VLAN interfaces on ethernet ports, create a bridge per VLAN ID and attach the respective VLANs to bridges. This has various pitfalls, see https://wiki.mikrotik.com/wiki/Manual:L ... figuration
VLAN A to VLAN B traffic is inherently layer 3. You would use layer 2 filtering on traffic in the same VLAN between interfaces, port isolation or split horizon may be better - it depends what you are attempting to achieve.
VLAN traffic inherently is already filtered at layer 2 from other vlans or subnets, (even if on the same bridge). However the router will still route between them at layer 3 and thus firewall rules are needed to stop unwanted traffic between the vlans (at layer 3).
The easiest and cleanest way to do this is simply put a drop all else rule at the end of the forward firewall filter chain.
Re: One bridge for VLANs or multiple?
That sounds a bit confusing to me........
VLAN traffic inherently is already filtered at layer 2 from other vlans or subnets, (even if on the same bridge). However the router will still route between them at layer 3 and thus firewall rules are needed to stop unwanted traffic between the vlans (at layer 3).
The easiest and cleanest way to do this is simply put a drop all else rule at the end of the forward firewall filter chain.
That's what I said
VLAN A to VLAN B traffic is inherently layer 3.
And I went on to clarify that if you wished to firewall / isolate traffic in the same VLAN e.g. between VLAN10 on ether2 and VLAN10 on ether3 there are various options depending on what the requirement is
You would use layer 2 filtering on traffic in the same VLAN between interfaces, port isolation or split horizon may be better - it depends what you are attempting to achieve.
Re: One bridge for VLANs or multiple?
Perhaps LOL, You speak like a MT nerd trainer (MTCNA certified) , while I speak like a layperson (MTUNA self-certified). There is no inherent layer 3 traffic from vlans, any traffic from vlans is due to the inherent nature of routers to try to route traffic as requested. In other words, vlan traffic on a switch doesnt inherently talk to other vlans, so its independent of vlans.That sounds a bit confusing to me........
VLAN traffic inherently is already filtered at layer 2 from other vlans or subnets, (even if on the same bridge). However the router will still route between them at layer 3 and thus firewall rules are needed to stop unwanted traffic between the vlans (at layer 3).
The easiest and cleanest way to do this is simply put a drop all else rule at the end of the forward firewall filter chain.
That's what I saidVLAN A to VLAN B traffic is inherently layer 3.
And I went on to clarify that if you wished to firewall / isolate traffic in the same VLAN e.g. between VLAN10 on ether2 and VLAN10 on ether3 there are various options depending on what the requirement isYou would use layer 2 filtering on traffic in the same VLAN between interfaces, port isolation or split horizon may be better - it depends what you are attempting to achieve.
If it aint clear to me, (the litimus test of noobs) then its probably not clear for folks just starting out.
Re: One bridge for VLANs or multiple?
Ah okay. That was the way I saw in several tutorials and that's why I was quite a little confused that my configuration seemed to be so "simple". But it seems it does not have any negative effects (performance, security), so I am gladAn old way of bridging VLANs was to create VLAN interfaces on ethernet ports, create a bridge per VLAN ID and attach the respective VLANs to bridges. This has various pitfalls, see https://wiki.mikrotik.com/wiki/Manual:L ... figuration
Ok, that's not relevant for me, so I can leave the bridge as it is.You would use layer 2 filtering on traffic in the same VLAN between interfaces
That made it even clearer to me, thank you. I have that "drop all else" rule at the end of input and forward chains, so it seems to be clean.VLAN traffic inherently is already filtered at layer 2 from other vlans or subnets, (even if on the same bridge). However the router will still route between them at layer 3 and thus firewall rules are needed to stop unwanted traffic between the vlans (at layer 3).
The easiest and cleanest way to do this is simply put a drop all else rule at the end of the forward firewall filter chain.
Best regards,
cyb
Re: One bridge for VLANs or multiple?
@cyb, May I ask if you hook up your cAP ac to the managed switch and have CAPsMAN on the router (RB4011) ? The reason I ask is that I tried to configure the similar setup in the past few days but failed. I have CCR1009+CRS328P+ 7 cAP ac. I want to have 2 SSID for Work and Guest respectively with vlan ID 10 and VLAN ID20. But some how, The WiFI doesn't work well, either it is not stable ( lost internet connection from time to time) or it is extremely slow. Do you mind post your configuration on the RB4011 regarding Vlan and CAPsMAN, as well as your configuration on the AP ? I just want to see what I missed in the configuration. BTW, I set up the network according to the wiki (https://wiki.mikrotik.com/wiki/Manual:C ... with_VLANs) and guideline by pcunite in the forum.
Many thanks in advance !
Many thanks in advance !
Re: One bridge for VLANs or multiple?
That's how they are configured, yes.May I ask if you hook up your cAP ac to the managed switch and have CAPsMAN on the router (RB4011) ?
I can do that for sure. I just connected cAP ac and CAPsMAN with the vlan100-mgmt.Do you mind post your configuration on the RB4011 regarding Vlan and CAPsMAN, as well as your configuration on the AP ?
Here is the cAP ac config
Code: Select all
/interface bridge
add name=br protocol-mode=none pvid=100 vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(12dBm), SSID: w1, CAPsMAN forwarding
set [ find default-name=wlan1 ] antenna-gain=8 country=germany ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(20dBm), SSID: w1, CAPsMAN forwarding
set [ find default-name=wlan2 ] country=germany ssid=MikroTik
/interface vlan
add interface=br name=vlan100-mgmt vlan-id=100
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=br frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether1 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=br tagged=br,ether1 vlan-ids=100
/interface wireless cap
#
set bridge=br caps-man-addresses=192.168.100.254 discovery-interfaces=\
vlan100-mgmt enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.100.251/24 interface=vlan100-mgmt network=192.168.100.0
/ip cloud
set update-time=no
/ip dns
set servers=192.168.100.254
/ip route
add distance=1 gateway=192.168.100.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=10022
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=cap01
/system leds settings
set all-leds-off=immediate
/system ntp client
set enabled=yes primary-ntp=192.168.100.254
/tool bandwidth-server
set enabled=no...and most of the router config:
Code: Select all
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2412 name=ch1
add band=2ghz-g/n control-channel-width=20mhz frequency=2437 name=ch6
add band=2ghz-g/n control-channel-width=20mhz frequency=2462 name=ch11
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5180 name=ch36
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5200 name=ch40
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5220 name=ch44
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5240 name=ch48
/interface bridge
add dhcp-snooping=yes name=br-lan-wlan protocol-mode=none pvid=50 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
/interface vlan
add interface=br-lan-wlan name=vlan10-intern-srv vlan-id=10
add interface=br-lan-wlan name=vlan20-intern-clt vlan-id=20
add interface=br-lan-wlan name=vlan30-kino vlan-id=30
add interface=br-lan-wlan name=vlan40-iot vlan-id=40
add interface=br-lan-wlan name=vlan50-gast vlan-id=50
add interface=ether10 name=vlan77-wan vlan-id=77
add interface=br-lan-wlan name=vlan100-mgmt vlan-id=100
/caps-man datapath
add bridge=br-lan-wlan name=dp-w1 vlan-id=30 vlan-mode=use-tag
add bridge=br-lan-wlan name=dp-w2 vlan-id=40 vlan-mode=use-tag
add bridge=br-lan-wlan name=dp-w3 vlan-id=50 vlan-mode=use-tag
/caps-man rates
add basic=12Mbps name="GN only - no B rates" supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=sec-w1
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=sec-w2
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=sec-w3
/caps-man configuration
add country=germany datapath=dp-w1 installation=indoor mode=ap name=cfg-w1 rates="GN only - no B rates" security=sec-w1 ssid=w1
add country=germany datapath=dp-w2 installation=indoor mode=ap name=cfg-w2 rates="GN only - no B rates" security=sec-w2 ssid=w2
add country=germany datapath=dp-w3 installation=indoor mode=ap name=cfg-w3 rates="GN only - no B rates" security=sec-w3 ssid=w3
/caps-man interface
add channel=ch1 configuration=cfg-w1 disabled=no l2mtu=1600 mac-address=C4:AD:34:98:62:1F master-interface=none name=cap01-2,4-w1 radio-mac=\
C4:AD:34:98:62:1F radio-name=C4AD3498621F
add channel=ch1 configuration=cfg-w2 disabled=no l2mtu=1600 mac-address=C6:AD:34:98:62:1F master-interface=cap01-2,4-w1 name=cap01-2,4-w2 \
radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch1 configuration=cfg-w3 disabled=no l2mtu=1600 mac-address=C6:AD:34:98:62:20 master-interface=cap01-2,4-w1 name=cap01-2,4-w3 \
radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch36 configuration=cfg-w1 disabled=no l2mtu=1600 mac-address=C4:AD:34:98:62:20 master-interface=none name=cap01-5-w1 radio-mac=\
C4:AD:34:98:62:20 radio-name=C4AD34986220
add channel=ch36 configuration=cfg-w2 disabled=no l2mtu=1600 mac-address=C6:AD:34:98:62:21 master-interface=cap01-5-w1 name=cap01-5-w2 \
radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch36 configuration=cfg-w3 disabled=no l2mtu=1600 mac-address=C6:AD:34:98:62:22 master-interface=cap01-5-w1 name=cap01-5-w3 \
radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch6 configuration=cfg-w1 disabled=no l2mtu=1600 mac-address=C4:AD:34:98:65:7B master-interface=none name=cap02-2,4-w1 radio-mac=\
C4:AD:34:98:65:7B radio-name=C4AD3498657B
add channel=ch6 configuration=cfg-w2 disabled=no l2mtu=1600 mac-address=C6:AD:34:98:65:7B master-interface=cap02-2,4-w1 name=cap02-2,4-w2 \
radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch6 configuration=cfg-w3 disabled=no l2mtu=1600 mac-address=C6:AD:34:98:65:7C master-interface=cap02-2,4-w1 name=cap02-2,4-w3 \
radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch40 configuration=cfg-w1 disabled=no l2mtu=1600 mac-address=C4:AD:34:98:65:7C master-interface=none name=cap02-5-w1 radio-mac=\
C4:AD:34:98:65:7C radio-name=C4AD3498657C
add channel=ch40 configuration=cfg-w2 disabled=no l2mtu=1600 mac-address=C6:AD:34:98:65:7D master-interface=cap02-5-w1 name=cap02-5-w2 \
radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch40 configuration=cfg-w3 disabled=no l2mtu=1600 mac-address=C6:AD:34:98:65:7E master-interface=cap02-5-w1 name=cap02-5-w3 \
radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch11 configuration=cfg-w1 disabled=no l2mtu=1600 mac-address=C4:AD:34:98:66:42 master-interface=none name=cap03-2,4-w1 radio-mac=\
C4:AD:34:98:66:42 radio-name=C4AD34986642
add channel=ch11 configuration=cfg-w2 disabled=no l2mtu=1600 mac-address=C6:AD:34:98:66:42 master-interface=cap03-2,4-w1 name=cap03-2,4-w2 \
radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch11 configuration=cfg-w3 disabled=no l2mtu=1600 mac-address=C6:AD:34:98:66:43 master-interface=cap03-2,4-w1 name=cap03-2,4-w3 \
radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch44 configuration=cfg-w1 disabled=no l2mtu=1600 mac-address=C4:AD:34:98:66:43 master-interface=none name=cap03-5-w1 radio-mac=\
C4:AD:34:98:66:43 radio-name=C4AD34986643
add channel=ch44 configuration=cfg-w2 disabled=no l2mtu=1600 mac-address=C6:AD:34:98:66:44 master-interface=cap03-5-w1 name=cap03-5-w2 \
radio-mac=00:00:00:00:00:00 radio-name=""
add channel=ch44 configuration=cfg-w3 disabled=no l2mtu=1600 mac-address=C6:AD:34:98:66:45 master-interface=cap03-5-w1 name=cap03-5-w3 \
radio-mac=00:00:00:00:00:00 radio-name=""
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=LAN
add name=WAN
add name=vlans-dhcp
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool_dhcp30-kino ranges=192.168.30.101-192.168.30.120
add name=pool_dhcp40-iot ranges=192.168.40.101-192.168.40.120
add name=pool_dhcp50-gast ranges=192.168.50.101-192.168.50.120
/ip dhcp-server
add address-pool=pool_dhcp30-kino disabled=no interface=vlan30-kino name=dhcp30-kino
add address-pool=pool_dhcp40-iot disabled=no interface=vlan40-iot name=dhcp40-iot
add address-pool=pool_dhcp50-gast disabled=no interface=vlan50-gast name=dhcp50-gast
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=vlan100-mgmt
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg-w1 slave-configurations=cfg-w2,cfg-w3
/interface bridge port
add bridge=br-lan-wlan frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1 pvid=10
add bridge=br-lan-wlan frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2 pvid=20
add bridge=br-lan-wlan frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3 pvid=30
add bridge=br-lan-wlan frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4 pvid=50
add bridge=br-lan-wlan frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=strict
/interface bridge vlan
add bridge=br-lan-wlan tagged=br-lan-wlan,ether1 vlan-ids=10
add bridge=br-lan-wlan tagged=br-lan-wlan,ether2 vlan-ids=20
add bridge=br-lan-wlan tagged=br-lan-wlan,ether3 vlan-ids=30
add bridge=br-lan-wlan tagged=br-lan-wlan,ether4 vlan-ids=40
add bridge=br-lan-wlan tagged=br-lan-wlan,ether4 vlan-ids=50
add bridge=br-lan-wlan tagged=br-lan-wlan,ether5 vlan-ids=100
/interface list member
add interface=br-lan-wlan list=LAN
add interface=vlan77-wan list=WAN
add interface=vlan30-kino list=vlans-dhcp
add interface=vlan40-iot list=vlans-dhcp
add interface=vlan50-gast list=vlans-dhcp
/ip address
add address=192.168.10.254/24 interface=vlan10-intern-srv network=192.168.10.0
add address=192.168.20.254/24 interface=vlan20-intern-clt network=192.168.20.0
add address=192.168.30.254/24 interface=vlan30-kino network=192.168.30.0
add address=192.168.40.254/24 interface=vlan40-iot network=192.168.40.0
add address=192.168.50.254/24 interface=vlan50-gast network=192.168.50.0
add address=192.168.77.254/24 interface=vlan77-wan network=192.168.77.0
add address=192.168.100.254/24 interface=vlan100-mgmt network=192.168.100.0
/ip cloud
set update-time=no
/ip dhcp-server network
add address=192.168.30.0/24 dns-server=192.168.30.254 gateway=192.168.30.254
add address=192.168.40.0/24 dns-server=192.168.40.254 gateway=192.168.40.254
add address=192.168.50.0/24 dns-server=192.168.50.254 gateway=192.168.50.254
/ip dns
set allow-remote-requests=yes servers=192.168.77.1
/ip route
add distance=1 gateway=192.168.77.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=10022
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=router02
/system ntp client
set enabled=yes primary-ntp=192.168.77.1
/system ntp server
set enabled=yes manycast=no
/tool bandwidth-server
set enabled=no
Re: One bridge for VLANs or multiple?
Thank you, @cyb ! It is of great help. I am now comparing mine and yours to see what I missed.
Re: One bridge for VLANs or multiple?
@cyb, I have a question on your config of cAP ac :
I guess you connect your cAP ac to switch via eth1. so eth1 is a trunk port for W1, W2, W3 and Vlan100-mgmt, then why you assign PVID100 to eth1 and the bridge ?
Thank you !
____________
/interface bridge
add name=br protocol-mode=none pvid=100 vlan-filtering=yes
/interface vlan
add interface=br name=vlan100-mgmt vlan-id=100
/interface bridge port
add bridge=br frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether1 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=br tagged=br,ether1 vlan-ids=100
/interface wireless cap
#
set bridge=br caps-man-addresses=192.168.100.254 discovery-interfaces=\
vlan100-mgmt enabled=yes interfaces=wlan1,wlan2
___________________________________________
Here below is my config on the cAP ac, but somehow it doesn't work well if I turn on vlan filtering feature. (vlan99 is the management vlan in my setup).
/interface bridge
add name=bridge1
/interface vlan
add interface=bridge1 name=vlan99 vlan-id=99
/interface bridge port
add bridge=bridge1 interface=ether1
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=99
/interface wireless cap
set bridge=bridge1 discovery-interfaces=bridge1 interfaces=wlan1,wlan2 \
static-virtual=yes
I guess you connect your cAP ac to switch via eth1. so eth1 is a trunk port for W1, W2, W3 and Vlan100-mgmt, then why you assign PVID100 to eth1 and the bridge ?
Thank you !
____________
/interface bridge
add name=br protocol-mode=none pvid=100 vlan-filtering=yes
/interface vlan
add interface=br name=vlan100-mgmt vlan-id=100
/interface bridge port
add bridge=br frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether1 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=br tagged=br,ether1 vlan-ids=100
/interface wireless cap
#
set bridge=br caps-man-addresses=192.168.100.254 discovery-interfaces=\
vlan100-mgmt enabled=yes interfaces=wlan1,wlan2
___________________________________________
Here below is my config on the cAP ac, but somehow it doesn't work well if I turn on vlan filtering feature. (vlan99 is the management vlan in my setup).
/interface bridge
add name=bridge1
/interface vlan
add interface=bridge1 name=vlan99 vlan-id=99
/interface bridge port
add bridge=bridge1 interface=ether1
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=99
/interface wireless cap
set bridge=bridge1 discovery-interfaces=bridge1 interfaces=wlan1,wlan2 \
static-virtual=yes
Re: One bridge for VLANs or multiple?
The problem is setting discovery-interface=bridge1 ... I'm guessing that you don't have any IP config on interface bridge1, only on vlan interface? The thing is that cap needs L2 communication with capsman over discovery-interface ... and likely your current setup doesn't offer such communication.
Re: One bridge for VLANs or multiple?
@mkx. I did find that if I use discovery-interface=bridge1, and turn on vlan filtering, the AP is not stable from time to time, sometimes the AP lost connection to the CAPsMAN, So in your opinion, it is better to use discovery-interface=vlan99 or to use ether1 ? ( BTW, I set a dhcp client on vlan99, so it will get IP address from router). It puzzled me for quite a while, and the wiki didn't mention it. I set up the CAP according to the wiki: https://wiki.mikrotik.com/wiki/Manual:C ... with_VLANs
Re: One bridge for VLANs or multiple?
The guide you linked doesn't show full config of capsman device, could be it does support connections over untagged.
AFAIK cap devices talk with capsman through discovery-interface (cap devices) and /caps-man manager interface interface (capsman) ... I'm not sure they can in your case ...
AFAIK cap devices talk with capsman through discovery-interface (cap devices) and /caps-man manager interface interface (capsman) ... I'm not sure they can in your case ...
Re: One bridge for VLANs or multiple?
As far as I understand the traffic is sent from cAP to CAPsMAN encapsulated with a special CAPsMAN header using in my case VLAN 100 for all traffic (w1/w2/w3 each in a different VLAN). So it is a trunk port, yes, but only for VLAN100. CAPsMAN "unwraps" the packets and routes the VLAN30/40/50 packages to their destination.I guess you connect your cAP ac to switch via eth1. so eth1 is a trunk port for W1, W2, W3 and Vlan100-mgmt, then why you assign PVID100 to eth1 and the bridge ?
Who is online
Users browsing this forum: Google [Bot] and 71 guests