Commissar
just joined
Topic Author
Posts: 2
Joined: Sat Oct 03, 2020 3:12 pm

need help with VLAN guest wireless on router and ap

Sat Oct 03, 2020 3:29 pm

Hi, I bought 2 hAP ac², one is being used as router and gateway and the other is basically a wireless switch.
Here is my network:
[attached diagram: Untitled Diagram(1).png]

ac2 switch (192.168.1.5) has following config:
# oct/03/2020 13:58:07 by RouterOS 6.47.4
# software id = DKTC-L90I
#

/interface bridge
add fast-forward=no name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=auto \
    mode=ap-bridge ssid=123456789 station-roaming=enabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX frequency=auto installation=indoor mode=ap-bridge ssid=\
    123456789 station-roaming=enabled
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip dhcp-client
add disabled=no interface=bridge1
/system clock
set time-zone-name=HIDDENMANUALLY
/system identity
set name=MikroTik-ap

I used "wisp ap" preset for router (192.168.1.4) and added guest wifi following this guide:
https://www.marthur.com/networking/mikr ... wifi/2582/

Here is its config export:
# oct/03/2020 13:38:07 by RouterOS 6.47.4
# software id = 8HNZ-7IBV
#

/interface bridge
add admin-mac=48:8F:5A:89:06:FD auto-mac=no comment=defconf name=bridge
add fast-forward=no name=bridge-vlan100
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    service-name=HIDDENMANUALLY use-peer-dns=yes user=HIDDENMANUALLY
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=123456789 station-roaming=enabled wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=123456789 station-roaming=enabled wireless-protocol=\
    802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
    supplicant-identity=""
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:89:07:01 \
    master-interface=wlan1 multicast-buffering=disabled name=987654321 \
    security-profile=guest ssid=987654321 vlan-id=100 vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface vlan
add interface=987654321 name=VLAN_987654321 vlan-id=100
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.150-192.168.1.254
add name=dhcp_pool1 ranges=192.168.100.150-192.168.100.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=bridge-vlan100 name=dhcp1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge-vlan100 interface=987654321
add bridge=bridge-vlan100 interface=VLAN_987654321
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.1.4/24 comment=defconf interface=ether2 network=\
    192.168.1.0
add address=192.168.100.1/24 interface=bridge-vlan100 network=192.168.100.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.1.5 client-id=1:48:8f:5a:89:8:9 mac-address=\
    48:8F:5A:89:08:09 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.4 netmask=24
add address=192.168.100.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.4 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward in-interface=bridge-vlan100 out-interface=\
    bridge
add action=drop chain=forward in-interface=bridge out-interface=\
    bridge-vlan100
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=HIDDENMANUALLY
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
What I would like to have at the end is this:
1. all PCs and laptops connected via ethernet and all wireless clients in wireless network 123456789 to see each other and have access to the internet (this already works).
2. all clients in wireless network 987654321 to only see the internet, not the rest of the network, or each other. (also works, but only on the router. I need wireless 987654321 on 192.168.1.5 too)

I created "guest" wireless network 987654321, but I do not know how to add the same network to the AP and connect it to the router's DHCP.

Thanks for help
 
Commissar
just joined
Topic Author
Posts: 2
Joined: Sat Oct 03, 2020 3:12 pm

Re: need help with VLAN guest wireless on router and ap

Sun Oct 11, 2020 11:42 am

Can't believe my friend recommended Mikrotik, "it's the best router" he said, "and if you have a problem they help you on the forum".

What bullshit.
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: need help with VLAN guest wireless on router and ap

Sun Oct 11, 2020 12:52 pm

It's the best router, relatively speaking, because compared to many other routers it's much more flexible. But it can be more demanding and also gives the user more options to mess it up. And yes, there's a helpful forum, where many people get help. Not all, for various reasons. Some questions are too vague, some are about something too complicated and not many people know the answer, some are so clueless that it would require giving the poster a personal week-long course, etc. And some simply get overlooked, because there are many people asking, but not so many people who can answer.

In your case it should help to:

- move interface 987654321 as a port from bridge-vlan100 to bridge
- move vlan interface VLAN_987654321 from 987654321 onto bridge
- move everything (address, dhcp server) from bridge-vlan100 to VLAN_987654321
- delete bridge-vlan100

The router should survive this and it should work as before. Then add the same tagged wireless interface for guests, bridged with everything else, to the AP. Don't add any address or dhcp there. The VLAN should connect it with the main router, and it should work the same, no matter which AP you connect to.

It may be even better to play some more with bridge vlan filtering (see manual or this popular thread), but this should work too.
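Sob's four router steps and the AP side, written out as an added RouterOS 6.x CLI example against the two exports above (not code from the thread); the guest PSK is a placeholder, and the two guest/LAN isolation drop rules are re-pointed before bridge-vlan100 is removed so they do not end up referencing a missing interface.

```routeros
# --- router (192.168.1.4) ---
/interface bridge port
# 1. guest VAP becomes a port of the main bridge (frames tagged 100 by vlan-mode=use-tag)
set [ find interface=987654321 ] bridge=bridge
# VLAN_987654321 will sit on the bridge itself, so it is no longer a bridge port
remove [ find interface=VLAN_987654321 ]
/interface vlan
# 2. VLAN interface now hangs off the bridge instead of the VAP
set [ find name=VLAN_987654321 ] interface=bridge
/ip address
# 3. gateway address and DHCP server move to the VLAN interface
set [ find interface=bridge-vlan100 ] interface=VLAN_987654321
/ip dhcp-server
set [ find name=dhcp1 ] interface=VLAN_987654321
/ip firewall filter
# keep guest<->LAN isolation: both drop rules referenced bridge-vlan100
set [ find in-interface=bridge-vlan100 ] in-interface=VLAN_987654321
set [ find out-interface=bridge-vlan100 ] out-interface=VLAN_987654321
/interface bridge
# 4. the extra bridge has no ports, address or server left; remove it
remove [ find name=bridge-vlan100 ]

# --- AP (192.168.1.5) ---
/interface wireless security-profiles
# placeholder PSK: use the same key as the router's "guest" profile
add name=guest authentication-types=wpa2-psk mode=dynamic-keys \
    wpa2-pre-shared-key=CHANGE-ME-GUEST-PSK
/interface wireless
# same SSID and VLAN tag; no address and no DHCP here, the tag carries guests to the router
add disabled=no master-interface=wlan1 name=987654321 security-profile=guest \
    ssid=987654321 vlan-id=100 vlan-mode=use-tag
/interface bridge port
add bridge=bridge1 interface=987654321
```

After this, a guest associating to the AP sends tagged frames over ether1 into the router's bridge, where only VLAN_987654321 (and the dhcp1 server on it) answers; the two forward drop rules still keep 192.168.100.0/24 away from the 192.168.1.0/24 LAN.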
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: need help with VLAN guest wireless on router and ap

Sun Oct 11, 2020 6:38 pm

Can't believe my friend recommended Mikrotik, "it's the best router" he said, "and if you have a problem they help you on the forum".

What bullshit.

Cry me a river...
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: need help with VLAN guest wireless on router and ap

Sun Oct 11, 2020 10:24 pm

Can't believe my friend recommended Mikrotik, "it's the best router" he said, "and if you have a problem they help you on the forum".

What bullshit.
Did a fly land on your head too?
If it looks like shit,
If it smells like shit,
and a fly lands on it....
It's shit.

Seriously, the forum responses are done without remuneration, so don't expect instant responses for starters.
Second, Sob provided you with excellent advice.
Many here are experienced IT professionals; some like me just like to dabble and pretend they know what they are doing LOL.
Our goals are the same: guidance to help people understand their devices and to help get them up and running a. safely and b. efficiently.

I am not as patient as the professionals, and I am more blunt, but I will give you the benefit of the doubt, as we all have bad days! And I know how frustrating dealing with routers can be!
So just be patient, and you will get to where you are going.

Read through carefully the link that SOB provided, it is what I used and I know relatively little and it helped me get through most of it.
It has examples for switches, for Access Points and for wifi routers.
 
sid5632
Long time Member
Posts: 554
Joined: Fri Feb 17, 2017 6:05 pm

Re: need help with VLAN guest wireless on router and ap

Tue Oct 13, 2020 1:21 am

And move the IP address that's on ether2 onto the bridge (why's it even on ether2 in the first place, which isn't mentioned in the diagram?).
And create a firewall rule on the input chain that allows access from VLAN_987654321 otherwise its DHCP server isn't going to work.
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: need help with VLAN guest wireless on router and ap

Tue Oct 13, 2020 1:39 am

An IP address on ether2 instead of the bridge (which has it as a member port) is a common mistake; maybe it's there after an upgrade from master port in old versions.

DHCP server uses raw sockets, IP firewall doesn't block it.
 
mszru
Frequent Visitor
Posts: 79
Joined: Wed Aug 10, 2016 10:42 am

Re: need help with VLAN guest wireless on router and ap

Wed Oct 14, 2020 10:46 pm

An IP address on ether2 instead of the bridge (which has it as a member port) is a common mistake; maybe it's there after an upgrade from master port in old versions.
In my experience the IP is removed from the bridge and set on ether2 after changing the defaults in the Local Network section of QuickSet. This bug has been here for quite a while already...
