tomhoover
just joined
Topic Author
Posts: 2
Joined: Tue Jan 07, 2020 4:05 pm

hap ac2: can't get access port based vlans to work

Sat Dec 12, 2020 6:48 pm

I have a pfSense router that serves as my firewall, DHCP server, etc. It is connected to a trunk port on my CRS328-24P-4S+RM. I've been using a regular consumer-grade Netgear Orbi mesh system for wireless access, and have now begun the process of switching over to MikroTik APs. My current system setup is as follows:

CRS328 (port24) <-- pfSense <-- Internet
       (port 1) --> Netgear Orbi wireless AP
       (port 14) --> hAP ac2
       (port 16) --> cAP AC

Once I get the hap/cap APs working the way I want, I'll be removing the Orbi system.

What works:

  • The management IP on the CRS328 is set manually to 10.10.5.2, and the hap/cap both successfully receive their management IPs via DHCP through the CRS328 from the pfSense router (10.10.5.3 and 10.10.5.5, respectively).
  • I am successfully using VLANs on the CRS328. For example, connecting to port 1 on the CRS328 assigns VLAN ID 10, and then obtains an IP address from the pfSense router in the 10.10.10.x range. Connecting to port 2 assigns VLAN ID 20, and obtains an IP address from the pfSense router in the 10.10.20.x range.
  • I set up CAPsMAN to control the wireless radios on the hap/cap. It sets up three SSIDs (home, guest, IoT) and successfully assigns the appropriate VLAN ID to connected devices (10, 40 or 60, respectively). These connected devices receive an appropriate IP address from the pfSense router (10.10.10.x, 10.10.40.x or 10.10.60.x, respectively).

What doesn't work:

I decided to use the "extra" ports on the hap ac2 to hardwire some of my IoT devices. In an attempt to do so, I performed the following on the hap:

/interface vlan add interface=bridge name=5_Mgmt vlan-id=5
/interface vlan add interface=bridge name=10_LAN vlan-id=10
/interface vlan add interface=bridge name=40_Guest vlan-id=40
/interface vlan add interface=bridge name=50_Cameras vlan-id=50
/interface vlan add interface=bridge name=60_IoT vlan-id=60
/interface vlan add interface=bridge name=80_DMZ vlan-id=80
/interface vlan add interface=bridge name=vlan20 vlan-id=20
/interface vlan add interface=bridge name=vlan30 vlan-id=30
/interface vlan add interface=bridge name=vlan70 vlan-id=70

/interface bridge port add bridge=bridge interface=ether2 pvid=10
/interface bridge port add bridge=bridge interface=ether3 pvid=40
/interface bridge port add bridge=bridge interface=ether4 pvid=50
/interface bridge port add bridge=bridge interface=ether5 pvid=60

While the virtual wireless interfaces on the hap assign the appropriate VLAN tag (per the SSID used to connect), and the appropriate IP address is then issued to the device by pfSense, connecting to the wired ether2 through ether5 ports on the hap does not result in the device receiving an IP address.

CRS328 config (everything appears to work):

# dec/12/2020 09:29:44 by RouterOS 6.46.8
# software id = QTAM-F7D4
#
# model = CRS328-24P-4S+
# serial number = A3A40AF81D7A
/caps-man channel add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=Ch1 tx-power=15
/caps-man channel add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=Ch6 tx-power=15
/caps-man channel add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=Ch11 tx-power=15
/caps-man channel add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5180 name=Ch36_20M
/caps-man channel add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5200 name=Ch40_20M
/caps-man channel add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5220 name=Ch44_20M
/caps-man channel add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5240 name=Ch48_20M
/caps-man channel add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5745 name=Ch149_20M
/caps-man channel add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5765 name=Ch153_20M
/caps-man channel add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5785 name=Ch157_20M
/caps-man channel add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5805 name=Ch161_20M
/caps-man channel add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ce frequency=5180 name=Ch38_40M
/caps-man channel add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ce frequency=5220 name=Ch46_40M
/caps-man channel add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ce frequency=5745 name=Ch151_40M
/caps-man channel add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ce frequency=5785 name=Ch159_40M
/caps-man channel add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee frequency=5180 name=Ch42_80M
/caps-man channel add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee frequency=5745 name=Ch155_80M
/interface bridge add admin-mac=74:4D:28:CE:42:BB auto-mac=no comment=defconf name=bridge
/interface bridge add admin-mac=74:4D:28:CE:42:BC auto-mac=no name=bridge_vlan vlan-filtering=yes
/interface vlan add interface=bridge_vlan name=5_Mgmt vlan-id=5
/interface vlan add interface=bridge_vlan name=10_LAN vlan-id=10
/interface vlan add interface=bridge_vlan name=vlan20 vlan-id=20
/interface vlan add interface=bridge_vlan name=vlan30 vlan-id=30
/interface vlan add interface=bridge_vlan name=40_Guest vlan-id=40
/interface vlan add interface=bridge_vlan name=50_Cameras vlan-id=50
/interface vlan add interface=bridge_vlan name=60_IoT vlan-id=60
/interface vlan add interface=bridge_vlan name=80_DMZ vlan-id=80
/interface vlan add interface=bridge_vlan name=vlan70 vlan-id=70
/caps-man datapath add bridge=bridge_vlan client-to-client-forwarding=no local-forwarding=no name=home vlan-id=10 vlan-mode=use-tag
/caps-man datapath add bridge=bridge_vlan client-to-client-forwarding=no local-forwarding=no name=guest vlan-id=40 vlan-mode=use-tag
/caps-man datapath add bridge=bridge_vlan client-to-client-forwarding=yes local-forwarding=no name=IoT vlan-id=60 vlan-mode=use-tag
/caps-man rates add basic=6Mbps name="GN Only - No B rates" supported=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=home
/caps-man security add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=guest
/caps-man security add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=IoT
/caps-man configuration add channel=Ch1 country="united states3" datapath=home mode=ap name=home2-ch1 rates="GN Only - No B rates" security=home ssid=home
/caps-man configuration add channel=Ch36_20M country="united states3" datapath=home mode=ap name=home5-ch36 security=home ssid=home
/caps-man configuration add channel=Ch6 country="united states3" datapath=home mode=ap name=home2-ch6 rates="GN Only - No B rates" security=home ssid=home
/caps-man configuration add channel=Ch40_20M country="united states3" datapath=home mode=ap name=home5-ch40 security=home ssid=home
/caps-man configuration add channel=Ch11 country="united states3" datapath=home mode=ap name=home2-ch11 rates="GN Only - No B rates" security=home ssid=home
/caps-man configuration add channel=Ch38_40M country="united states3" datapath=home mode=ap name=home5-ch38 security=home ssid=home
/caps-man configuration add channel=Ch42_80M country="united states3" datapath=home mode=ap name=home5-ch42 security=home ssid=home
/caps-man configuration add channel=Ch44_20M country="united states3" datapath=home mode=ap name=home5-ch44 security=home ssid=home
/caps-man configuration add channel=Ch46_40M country="united states3" datapath=home mode=ap name=home5-ch46 security=home ssid=home
/caps-man configuration add channel=Ch48_20M country="united states3" datapath=home mode=ap name=home5-ch48 security=home ssid=home
/caps-man configuration add channel=Ch149_20M country="united states3" datapath=home mode=ap name=home5-ch149 security=home ssid=home
/caps-man configuration add channel=Ch151_40M country="united states3" datapath=home mode=ap name=home5-ch151 security=home ssid=home
/caps-man configuration add channel=Ch153_20M country="united states3" datapath=home mode=ap name=home5-ch153 security=home ssid=home
/caps-man configuration add channel=Ch155_80M country="united states3" datapath=home mode=ap name=home5-ch155 security=home ssid=home
/caps-man configuration add channel=Ch157_20M country="united states3" datapath=home mode=ap name=home5-ch157 security=home ssid=home
/caps-man configuration add channel=Ch159_40M country="united states3" datapath=home mode=ap name=home5-ch159 security=home ssid=home
/caps-man configuration add channel=Ch161_20M country="united states3" datapath=home mode=ap name=home5-ch161 security=home ssid=home
/caps-man configuration add datapath=guest name=guest security=guest ssid=guest
/caps-man configuration add datapath=IoT hide-ssid=yes name=IoT security=IoT ssid=IoT
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot
/user group set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/caps-man access-list add action=accept allow-signal-out-of-range=10s disabled=no interface=any signal-range=-85..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
/caps-man access-list add action=reject allow-signal-out-of-range=10s disabled=no interface=any signal-range=-120..-86 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
/caps-man access-list add action=accept allow-signal-out-of-range=10s disabled=yes interface=any signal-range=-85..-10 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=40 vlan-mode=use-tag
/caps-man access-list add action=reject allow-signal-out-of-range=10s disabled=yes interface=any signal-range=-120..-86 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=40 vlan-mode=use-tag
/caps-man manager set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=suggest-same-version
/caps-man manager interface add interface=ether14
/caps-man manager interface add interface=ether16
/caps-man manager interface add interface=bridge_vlan
/caps-man provisioning add action=create-dynamic-enabled comment="2.4GHz 802.11g capable radios" disabled=yes hw-supported-modes=g identity-regexp=cap-1 master-configuration=home2-ch1 name-format=prefix-identity name-prefix=2.4GHz-
/caps-man provisioning add action=create-dynamic-enabled comment="2.4GHz 802.11g capable radios" hw-supported-modes=g identity-regexp="^[c|h]ap[0-9]*-ch1-ch" master-configuration=home2-ch1 name-format=prefix-identity name-prefix=2.4g slave-configurations=guest,IoT
/caps-man provisioning add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" disabled=yes hw-supported-modes=ac identity-regexp=hap-1 master-configuration=home5-ch40 name-format=prefix-identity name-prefix=5GHz-
/caps-man provisioning add action=create-dynamic-enabled comment="2.4GHz 802.11g capable radios" disabled=yes hw-supported-modes=g identity-regexp=hap-1 master-configuration=home2-ch6 name-format=prefix-identity name-prefix=2.4GHz-
/caps-man provisioning add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" disabled=yes hw-supported-modes=ac identity-regexp=cap-1 master-configuration=home5-ch36 name-format=prefix-identity name-prefix=5GHz-
/caps-man provisioning add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" hw-supported-modes=ac identity-regexp="^[c|h]ap[0-9]*-ch[0-9]+-ch36" master-configuration=home5-ch36 name-format=prefix-identity name-prefix=5g slave-configurations=guest,IoT
/caps-man provisioning add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" hw-supported-modes=ac identity-regexp="^[c|h]ap[0-9]*-ch[0-9]+-ch38" master-configuration=home5-ch38 name-format=prefix-identity name-prefix=5g slave-configurations=guest,IoT
/caps-man provisioning add action=create-dynamic-enabled comment="2.4GHz 802.11g capable radios" hw-supported-modes=g identity-regexp="^[c|h]ap[0-9]*-ch6-ch" master-configuration=home2-ch6 name-format=prefix-identity name-prefix=2.4g slave-configurations=guest,IoT
/caps-man provisioning add action=create-dynamic-enabled comment="2.4GHz 802.11g capable radios" hw-supported-modes=g identity-regexp="^[c|h]ap[0-9]*-ch11-ch" master-configuration=home2-ch11 name-format=prefix-identity name-prefix=2.4g slave-configurations=guest,IoT
/caps-man provisioning add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" hw-supported-modes=ac identity-regexp="^[c|h]ap[0-9]*-ch[0-9]+-ch40" master-configuration=home5-ch40 name-format=prefix-identity name-prefix=5g slave-configurations=guest,IoT
/caps-man provisioning add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" hw-supported-modes=ac identity-regexp="^[c|h]ap[0-9]*-ch[0-9]+-ch42" master-configuration=home5-ch42 name-format=prefix-identity name-prefix=5g slave-configurations=guest,IoT
/caps-man provisioning add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" hw-supported-modes=ac identity-regexp="^[c|h]ap[0-9]*-ch[0-9]+-ch161" master-configuration=home5-ch161 name-format=prefix-identity name-prefix=5g slave-configurations=guest,IoT
/caps-man provisioning add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" hw-supported-modes=ac identity-regexp="^[c|h]ap[0-9]*-ch[0-9]+-ch159" master-configuration=home5-ch159 name-format=prefix-identity name-prefix=5g slave-configurations=guest,IoT
/caps-man provisioning add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" hw-supported-modes=ac identity-regexp="^[c|h]ap[0-9]*-ch[0-9]+-ch157" master-configuration=home5-ch157 name-format=prefix-identity name-prefix=5g slave-configurations=guest,IoT
/caps-man provisioning add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" hw-supported-modes=ac identity-regexp="^[c|h]ap[0-9]*-ch[0-9]+-ch155" master-configuration=home5-ch155 name-format=prefix-identity name-prefix=5g slave-configurations=guest,IoT
/caps-man provisioning add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" hw-supported-modes=ac identity-regexp="^[c|h]ap[0-9]*-ch[0-9]+-ch153" master-configuration=home5-ch153 name-format=prefix-identity name-prefix=5g slave-configurations=guest,IoT
/caps-man provisioning add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" hw-supported-modes=ac identity-regexp="^[c|h]ap[0-9]*-ch[0-9]+-ch151" master-configuration=home5-ch151 name-format=prefix-identity name-prefix=5g slave-configurations=guest,IoT
/caps-man provisioning add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" hw-supported-modes=ac identity-regexp="^[c|h]ap[0-9]*-ch[0-9]+-ch149" master-configuration=home5-ch149 name-format=prefix-identity name-prefix=5g slave-configurations=guest,IoT
/caps-man provisioning add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" hw-supported-modes=ac identity-regexp="^[c|h]ap[0-9]*-ch[0-9]+-ch48" master-configuration=home5-ch48 name-format=prefix-identity name-prefix=5g slave-configurations=guest,IoT
/caps-man provisioning add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" hw-supported-modes=ac identity-regexp="^[c|h]ap[0-9]*-ch[0-9]+-ch46" master-configuration=home5-ch46 name-format=prefix-identity name-prefix=5g slave-configurations=guest,IoT
/caps-man provisioning add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" hw-supported-modes=ac identity-regexp="^[c|h]ap[0-9]*-ch[0-9]+-ch44" master-configuration=home5-ch44 name-format=prefix-identity name-prefix=5g slave-configurations=guest,IoT
/interface bridge port add bridge=bridge_vlan comment="Drobo (vlan 10)" frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=10
/interface bridge port add bridge=bridge_vlan comment="FreeNAS (vlan 5)" frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=5
/interface bridge port add bridge=bridge_vlan comment="trunk to pvhost1" interface=ether11
/interface bridge port add bridge=bridge_vlan comment="vlan 5 direct access port" interface=ether12 pvid=5
/interface bridge port add bridge=bridge_vlan comment="trunk to pvhost2" interface=ether13
/interface bridge port add bridge=bridge_vlan comment="trunk to hAP ac2 (hap1)" interface=ether14 pvid=5
/interface bridge port add bridge=bridge_vlan comment="trunk to pvhost3" interface=ether15
/interface bridge port add bridge=bridge_vlan comment="trunk to cAP ac (cap1)" interface=ether16 pvid=5
/interface bridge port add bridge=bridge_vlan comment="BlueIris (vlan 10)" frame-types=admit-only-untagged-and-priority-tagged interface=ether17 pvid=10
/interface bridge port add bridge=bridge_vlan interface=ether18
/interface bridge port add bridge=bridge_vlan interface=ether19
/interface bridge port add bridge=bridge_vlan interface=ether20
/interface bridge port add bridge=bridge comment="LAN to tp-link switch" hw=no interface=ether21
/interface bridge port add bridge=bridge_vlan interface=ether22
/interface bridge port add bridge=bridge comment="LAN port on pfSense" hw=no interface=ether23
/interface bridge port add bridge=bridge_vlan interface=sfp-sfpplus1
/interface bridge port add bridge=bridge_vlan interface=sfp-sfpplus2
/interface bridge port add bridge=bridge_vlan interface=sfp-sfpplus3
/interface bridge port add bridge=bridge_vlan interface=sfp-sfpplus4
/interface bridge port add bridge=bridge_vlan comment="vlan 10 direct access port" interface=ether1 pvid=10
/interface bridge port add bridge=bridge_vlan comment="vlan 20 direct access port" interface=ether2 pvid=20
/interface bridge port add bridge=bridge_vlan comment="vlan 30 direct access port" interface=ether3 pvid=30
/interface bridge port add bridge=bridge_vlan comment="vlan 40 direct access port" interface=ether4 pvid=40
/interface bridge port add bridge=bridge_vlan comment="vlan 50 direct access port" interface=ether5 pvid=50
/interface bridge port add bridge=bridge_vlan comment="vlan 60 direct access port" interface=ether6 pvid=60
/interface bridge port add bridge=bridge_vlan comment="vlan 70 direct access port" interface=ether7 pvid=70
/interface bridge port add bridge=bridge_vlan comment="vlan 80 direct access port" interface=ether8 pvid=80
/interface bridge port add bridge=bridge_vlan comment="trunk to pfSense" interface=ether24
/ip neighbor discovery-settings set discover-interface-list=!dynamic
/interface bridge vlan add bridge=bridge_vlan comment=vlan20 tagged=bridge_vlan,ether11,ether13,ether15,ether24 vlan-ids=20
/interface bridge vlan add bridge=bridge_vlan comment=vlan30 tagged=bridge_vlan,ether11,ether13,ether15,ether24 vlan-ids=30
/interface bridge vlan add bridge=bridge_vlan comment=40_Guest tagged=bridge_vlan,ether11,ether13,ether15,ether24 vlan-ids=40
/interface bridge vlan add bridge=bridge_vlan comment=50_Cameras tagged=bridge_vlan,ether11,ether13,ether15,ether24 vlan-ids=50
/interface bridge vlan add bridge=bridge_vlan comment=60_IoT tagged=bridge_vlan,ether11,ether13,ether15,ether24 vlan-ids=60
/interface bridge vlan add bridge=bridge_vlan comment=vlan70 tagged=bridge_vlan,ether11,ether13,ether15,ether24 vlan-ids=70
/interface bridge vlan add bridge=bridge_vlan comment=80_DMZ tagged=bridge_vlan,ether11,ether13,ether15,ether24 vlan-ids=80
/interface bridge vlan add bridge=bridge_vlan comment="10_LAN -- must tag bridge_vlan for WinBox to work via MAC address thru port 1 (vlan10)" tagged=bridge_vlan,ether11,ether13,ether15,ether24 vlan-ids=10
/interface bridge vlan add bridge=bridge_vlan comment="5_Mgmt -- must tag bridge_vlan for WinBox to work via 10.10.5.2 IP address" tagged=bridge_vlan,ether11,ether13,ether15,ether24 vlan-ids=5
/ip address add address=192.168.5.2/24 interface=bridge network=192.168.5.0
/ip address add address=10.10.5.2/24 interface=5_Mgmt network=10.10.5.0
/ip dns set servers=1.1.1.1
/ip route add distance=1 gateway=192.168.5.1
/system clock set time-zone-name=America/Chicago
/system identity set name=crs328
/system package update set channel=long-term
/system routerboard settings set boot-os=router-os
/tool romon set enabled=yes

cAP AC config (everything appears to work):

# dec/12/2020 09:30:12 by RouterOS 6.46.8
# software id = 7VD1-329F
#
# model = RBcAPGi-5acD2nD
# serial number = B9330B44F2BF
/interface bridge add admin-mac=C4:AD:34:4B:52:BE auto-mac=no name=bridge vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(13dBm), SSID: home, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless
# managed by CAPsMAN
# channel: 5745/20-Ce/ac(27dBm), SSID: home, CAPsMAN forwarding
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot
/user group set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port add bridge=bridge interface=ether1
/interface bridge port add bridge=bridge interface=ether2
/ip neighbor discovery-settings set discover-interface-list=!dynamic
/interface wireless cap
#
set certificate=CAP-C4AD344B52BE discovery-interfaces=bridge enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client add disabled=no interface=bridge
/system clock set time-zone-name=America/Chicago
/system identity set name=cap1-ch1-ch151
/system package update set channel=long-term
/tool romon set enabled=yes

hAP ac2 config (wireless works, wired doesn't):

# dec/12/2020 09:30:04 by RouterOS 6.46.8
# software id = 3BMX-JH4N
#
# model = RBD52G-5HacD2HnD
# serial number = C6140CD2FDDC
/interface bridge add admin-mac=48:8F:5A:67:86:BD auto-mac=no name=bridge vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2437/20/gn(13dBm), SSID: home, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik station-roaming=enabled
/interface wireless
# managed by CAPsMAN
# channel: 5785/20-Ce/ac(28dBm), SSID: home, CAPsMAN forwarding
set [ find default-name=wlan2 ] ssid=MikroTik station-roaming=enabled
/interface vlan add interface=bridge name=5_Mgmt vlan-id=5
/interface vlan add interface=bridge name=10_LAN vlan-id=10
/interface vlan add interface=bridge name=40_Guest vlan-id=40
/interface vlan add interface=bridge name=50_Cameras vlan-id=50
/interface vlan add interface=bridge name=60_IoT vlan-id=60
/interface vlan add interface=bridge name=80_DMZ vlan-id=80
/interface vlan add interface=bridge name=vlan20 vlan-id=20
/interface vlan add interface=bridge name=vlan30 vlan-id=30
/interface vlan add interface=bridge name=vlan70 vlan-id=70
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot
/user group set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port add bridge=bridge interface=ether1
/interface bridge port add bridge=bridge interface=ether2 pvid=10
/interface bridge port add bridge=bridge interface=ether3 pvid=40
/interface bridge port add bridge=bridge interface=ether4 pvid=50
/interface bridge port add bridge=bridge interface=ether5 pvid=60
/ip neighbor discovery-settings set discover-interface-list=!dynamic
/interface wireless cap
#
set certificate=CAP-488F5A6786B8 discovery-interfaces=bridge enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client add disabled=no interface=bridge
/system clock set time-zone-name=America/Chicago
/system identity set name=hap1-ch6-ch159
/system package update set channel=long-term
/tool romon set enabled=yes
 
tdw
Long time Member
Posts: 640
Joined: Sat May 05, 2018 11:55 am

Re: hap ac2: can't get access port based vlans to work

Wed Dec 16, 2020 6:04 am

Your management VLAN (ID=5) is untagged on the interfaces to the cAP and hAP ac2 so can be accessed directly without requiring VLAN interfaces on those devices.

If you look at the bridge VLANs in Winbox connected to the cAP you will see bridge plus ether1 and/or ether2 as Current Untagged members of VLAN 1; this is the default PVID of the bridge and interfaces. Note that the ethernet interfaces only appear if they are connected.

The same happens on the hAP, but as you don't have any /interface bridge vlan definitions, any tagged traffic will be blocked. You don't require any /interface vlan definitions; these are only required if the device itself requires access to the VLANs, so remove
/interface vlan add interface=bridge name=5_Mgmt vlan-id=5
/interface vlan add interface=bridge name=10_LAN vlan-id=10
/interface vlan add interface=bridge name=40_Guest vlan-id=40
/interface vlan add interface=bridge name=50_Cameras vlan-id=50
/interface vlan add interface=bridge name=60_IoT vlan-id=60
/interface vlan add interface=bridge name=80_DMZ vlan-id=80
/interface vlan add interface=bridge name=vlan20 vlan-id=20
/interface vlan add interface=bridge name=vlan30 vlan-id=30
/interface vlan add interface=bridge name=vlan70 vlan-id=70

and add
/interface bridge vlan add bridge=bridge comment="10_LAN" tagged=bridge,ether1 vlan-ids=10
/interface bridge vlan add bridge=bridge comment=vlan20 tagged=bridge,ether1 vlan-ids=20
/interface bridge vlan add bridge=bridge comment=vlan30 tagged=bridge,ether1 vlan-ids=30
/interface bridge vlan add bridge=bridge comment=40_Guest tagged=bridge,ether1 vlan-ids=40
/interface bridge vlan add bridge=bridge comment=50_Cameras tagged=bridge,ether1 vlan-ids=50
/interface bridge vlan add bridge=bridge comment=60_IoT tagged=bridge,ether1 vlan-ids=60
/interface bridge vlan add bridge=bridge comment=vlan70 tagged=bridge,ether1 vlan-ids=70
/interface bridge vlan add bridge=bridge comment=80_DMZ tagged=bridge,ether1 vlan-ids=80


You also need to include ether14 on the CRS (connected to the hAP) as a tagged member of the same VLANs on the CRS
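The two mistakes tdw points out (access ports with a pvid but no /interface bridge vlan entry on the hAP, and the CRS trunk port ether14 missing from the tagged list of the VLANs the hAP needs) can be caught by linting the exports before plugging anything in. The checker below is an added example, not from the thread or from RouterOS; the samples are trimmed from the exports posted above, and the "after" variants apply tdw's fix.

```python
import re

# Constructed samples, trimmed from the exports posted in the thread.
# Downstream AP (hAP ac2) as posted: access ports with a pvid but no bridge VLAN table.
HAP_BEFORE = """
/interface bridge add admin-mac=48:8F:5A:67:86:BD auto-mac=no name=bridge vlan-filtering=yes
/interface bridge port add bridge=bridge interface=ether1
/interface bridge port add bridge=bridge interface=ether2 pvid=10
/interface bridge port add bridge=bridge interface=ether3 pvid=40
/interface bridge port add bridge=bridge interface=ether4 pvid=50
/interface bridge port add bridge=bridge interface=ether5 pvid=60
"""
# Same device after adding the bridge VLAN entries tdw suggested (ether1 is the uplink).
HAP_AFTER = HAP_BEFORE + """
/interface bridge vlan add bridge=bridge comment="10_LAN" tagged=bridge,ether1 vlan-ids=10
/interface bridge vlan add bridge=bridge comment=40_Guest tagged=bridge,ether1 vlan-ids=40
/interface bridge vlan add bridge=bridge comment=50_Cameras tagged=bridge,ether1 vlan-ids=50
/interface bridge vlan add bridge=bridge comment=60_IoT tagged=bridge,ether1 vlan-ids=60
"""
# Upstream switch (CRS328): ether14 feeds the hAP but is not a tagged member of any VLAN.
CRS_BEFORE = """
/interface bridge port add bridge=bridge_vlan comment="trunk to hAP ac2 (hap1)" interface=ether14 pvid=5
/interface bridge vlan add bridge=bridge_vlan comment=40_Guest tagged=bridge_vlan,ether11,ether13,ether15,ether24 vlan-ids=40
/interface bridge vlan add bridge=bridge_vlan comment=50_Cameras tagged=bridge_vlan,ether11,ether13,ether15,ether24 vlan-ids=50
/interface bridge vlan add bridge=bridge_vlan comment=60_IoT tagged=bridge_vlan,ether11,ether13,ether15,ether24 vlan-ids=60
/interface bridge vlan add bridge=bridge_vlan comment=10_LAN tagged=bridge_vlan,ether11,ether13,ether15,ether24 vlan-ids=10
"""
CRS_AFTER = CRS_BEFORE.replace("ether15,ether24", "ether14,ether15,ether24")

KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')  # key=value pairs, quoted values may contain spaces

def expand_ids(spec):
    """'10', '10,20' and '10-12' (RouterOS vlan-ids syntax) all become a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_export(text, bridge):
    """Return (pvid_by_port, tagged_by_vlan) for one bridge of a RouterOS export."""
    pvid_by_port, tagged_by_vlan = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/interface bridge port add"):
            kv = dict(KV.findall(line))
            if kv.get("bridge") == bridge:
                pvid_by_port[kv["interface"]] = int(kv.get("pvid", "1"))  # RouterOS default pvid is 1
        elif line.startswith("/interface bridge vlan add"):
            kv = dict(KV.findall(line))
            if kv.get("bridge") == bridge:
                tagged = set(filter(None, kv.get("tagged", "").split(",")))
                for vid in expand_ids(kv["vlan-ids"]):
                    tagged_by_vlan.setdefault(vid, set()).update(tagged)
    return pvid_by_port, tagged_by_vlan

def audit_access_ports(text, bridge, trunk):
    """Flag access ports whose pvid cannot reach the trunk (the hAP ac2 symptom).
    Returns (port, pvid, reason) tuples; empty means every access VLAN has a bridge
    VLAN entry with the trunk as a tagged member."""
    pvid_by_port, tagged_by_vlan = parse_export(text, bridge)
    findings = []
    for port, pvid in pvid_by_port.items():
        if port == trunk or pvid == 1:
            continue  # the trunk itself, or a port left on the default VLAN
        if pvid not in tagged_by_vlan:
            findings.append((port, pvid, "no-bridge-vlan"))    # tagged frames for it are dropped
        elif trunk not in tagged_by_vlan[pvid]:
            findings.append((port, pvid, "trunk-not-tagged"))  # VLAN never leaves the device
    return findings

def trunk_missing_vlans(text, bridge, trunk, required):
    """Upstream side: which VLANs the AP needs are not tagged on its switch port?"""
    _, tagged_by_vlan = parse_export(text, bridge)
    return {vid for vid in required if trunk not in tagged_by_vlan.get(vid, set())}

if __name__ == "__main__":
    for label, cfg in (("hAP before", HAP_BEFORE), ("hAP after", HAP_AFTER)):
        print(label, audit_access_ports(cfg, "bridge", "ether1"))
    for label, cfg in (("CRS before", CRS_BEFORE), ("CRS after", CRS_AFTER)):
        print(label, trunk_missing_vlans(cfg, "bridge_vlan", "ether14", {10, 40, 50, 60}))
```

Run it against a full `/export` of each device; both checks have to come back empty before an access port on the AP will get an address from pfSense.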
 
tomhoover
just joined
Topic Author
Posts: 2
Joined: Tue Jan 07, 2020 4:05 pm

Re: hap ac2: can't get access port based vlans to work

Mon Dec 28, 2020 10:38 pm

@tdw,

Thank you so much for the detailed reply. Your solution is exactly what I needed, and your explanation as to the "why" was very helpful in my understanding of my configuration mistake. Thanks again for the response!
