Cisco AP Autonomout Mode VLAN issue on one VLAN

chribonn · Wed Feb 03, 2021 1:51 pm

Hello,

I've configured my Mikrotik with 2 active VLANS. The main VLAN, ID=10 and the guest VLAN (ID=20)

Ether1 is connected to the WAN and Ether2 is connected to a CISCO-AP in autonomous mode.

On the Mikrotik everything is working perfectly.

The Cisco-AP has a static IP (within the main VLAN range) and the gateway points to the of the main VLAN. The Cisco replicates the SSIDs of the Mikrotik with identical VLAN IDs.

My problem is that I am able to connect when I connect to the internet via the main VLAN (id=10), but not with the Guest VLAN (id=20). The device connects but is not able to exit to the internet?

I am posting my configs below:Thank you for any guidance in resolving the problem.

Cisco


!
! Last configuration change at 22:11:53 +0100 Mon Jan 25 2021 by admin
! NVRAM config last updated at 22:11:53 +0100 Mon Jan 25 2021 by admin
! NVRAM config last updated at 22:11:53 +0100 Mon Jan 25 2021 by admin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CISCO-AP
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
!
!
!
!
!
aaa session-id common
clock timezone +0100 1 0
no ip source-route
no ip cef
ip name-server 192.168.0.1
!
!
!
!
dot11 pause-time 100
dot11 syslog
dot11 vlan-name GUEST_VLAN vlan 20
dot11 vlan-name SOHO_VLAN vlan 10
!
dot11 ssid SOHO-AP
   vlan 10
   authentication open 
   authentication key-management wpa version 2
   wpa-psk ascii 7 ********************************8
!
dot11 ssid GUEST-AP
   vlan 20
   authentication open 
   authentication key-management wpa version 2
   wpa-psk ascii 7 ******************************
!
!
!
no ipv6 cef
!
!
username admin privilege 15 secret 5 *********************
username administrator privilege 15 password 7 ******************************8
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers aes-ccm 
 !
 encryption vlan 10 mode ciphers aes-ccm 
 !
 encryption vlan 20 mode ciphers aes-ccm 
 !
 ssid SOHO-AP
 !
 ssid GUEST-AP
 !
 antenna gain 0
 stbc
 beamform ofdm
 mbssid
 speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 station-role root
 no dot11 extension aironet
!
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption mode ciphers aes-ccm 
 !
 encryption vlan 10 mode ciphers aes-ccm 
 !
 encryption vlan 20 mode ciphers aes-ccm 
 !
 ssid SOHO-AP
 !
 ssid GUEST-AP
 !
 antenna gain 0
 peakdetect
 no dfs band block
 stbc
 beamform ofdm
 mbssid
 speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 packet retries 128 drop-packet
 channel dfs
 station-role root
 no dot11 extension aironet
!
interface Dot11Radio1.10
 encapsulation dot1Q 10 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.20
 encapsulation dot1Q 20
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10 native
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
 bridge-group 20 spanning-disabled
 no bridge-group 20 source-learning
!
interface BVI1
 mac-address xxxx.yyyy.zzzz
 ip address 192.168.16.252 255.255.255.0
 ipv6 address dhcp
 ipv6 address autoconfig
!
ip default-gateway 192.168.16.1
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http timeout-policy idle 120 life 300 requests 200
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
no cdp run
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
!
sntp server pool.ntp.org
sntp broadcast client
end

Mikrotik

# feb/03/2021 12:31:39 by RouterOS 6.48
# software id = 0E9A-7W1F
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 665805B580DC
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Connected to ISP"
set [ find default-name=ether2 ] comment="Connected to Cisco AP"
set [ find default-name=ether3 ] comment="Connected to LAN Switch"
set [ find default-name=ether4 ] comment="Connected to SRV-TOR"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=malta disabled=no frequency=2442 mode=ap-bridge ssid=SOHO-AP
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-eCee country=malta disabled=no frequency=5260 mode=ap-bridge \
    ssid=SOHO-AP
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=GUEST_VLAN vlan-id=20
add arp=proxy-arp interface=BR1 name=SOHO_VLAN vlan-id=10
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Base \
    supplicant-identity=MikroTik
/interface wireless
add mac-address=E6:8D:8C:D6:E4:5F master-interface=wlan1 name=wlan1-admin \
    security-profile=Base ssid=BASE
add disabled=no mac-address=E6:8D:8C:D6:E4:5E master-interface=wlan1 name=\
    wlan1-guest security-profile=guest ssid=GUEST-AP
add mac-address=E6:8D:8C:D6:E4:60 master-interface=wlan2 name=wlan2-admin \
    security-profile=Base ssid=BASE
add disabled=no mac-address=E6:8D:8C:D6:E4:5D master-interface=wlan2 name=\
    wlan2-guest security-profile=guest ssid=GUEST-AP
/ip pool
add name=SOHO_POOL ranges=192.168.16.20-192.168.16.99
add name=GUEST_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
add address-pool=SOHO_POOL disabled=no interface=SOHO_VLAN name=SOHO_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN lease-time=7h \
    name=GUEST_DHCP
/ppp profile
set *0 use-upnp=no
set *FFFFFFFE use-upnp=no
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1-guest pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2-guest pvid=20
add bridge=BR1 interface=wlan1-admin pvid=99
add bridge=BR1 interface=wlan2-admin pvid=99
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2 untagged=ether3,ether4,wlan1,wlan2 vlan-ids=\
    10
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-guest,wlan2-guest vlan-ids=20
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-admin,wlan2-admin vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=SOHO_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes \
    require-client-certificate=yes
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=xxx.yyy.zzz.180/27 comment="Fixed IP provided by ISP" interface=\
    ether1 network=xxx.yyy.zzz.160
add address=192.168.16.1/24 interface=SOHO_VLAN network=192.168.16.0
add address=10.0.20.1/24 interface=GUEST_VLAN network=10.0.20.0
/ip dhcp-server network
add address=10.0.20.0/24 comment="Guest Subnet" dns-server=192.168.0.1 \
    gateway=10.0.20.1
add address=192.168.16.0/24 comment="SOHO Subnet" dns-server=192.168.0.1 \
    gateway=192.168.16.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9,8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN from WAN" dst-port=1194 \
    protocol=tcp
add chain=input comment="Allow all ICMP" protocol=icmp
add action=accept chain=input comment=\
    "Allow Establised and Related Connections" connection-state=\
    established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward comment=\
    "Source: https://forum.mikrotik.com/viewtopic.php\?f=2&t=171682" \
    in-interface=all-ppp out-interface=SOHO_VLAN
add action=accept chain=forward comment=\
    "Source: https://forum.mikrotik.com/viewtopic.php\?f=2&t=171682" \
    in-interface=SOHO_VLAN out-interface=all-ppp
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.16.0/24 src-address=192.168.16.0/24
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment=HTTP dst-address=xxx.yyy.zzz.180 \
    dst-port=80 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=HTTPS dst-address=xxx.yyy.zzz.180 \
    dst-port=443 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=SFTP dst-address=xxx.yyy.zzz.180 \
    dst-port=5552 protocol=tcp to-addresses=192.168.16.5 to-ports=22
add action=dst-nat chain=dstnat comment=Plex dst-address=xxx.yyy.zzz.180 \
    dst-port=52400 protocol=tcp to-addresses=192.168.16.8 to-ports=32400
add action=dst-nat chain=dstnat comment=BlueIris dst-address=xxx.yyy.zzz.180 \
    dst-port=8080 protocol=tcp to-addresses=192.168.16.5 to-ports=8080
/ip route
add comment="ISP gateway" distance=1 gateway=xxx.yyy.zzz.161
/ip service
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add comment="IP Address Assigned to user" local-address=192.168.16.1 name=\
    chri remote-address=192.168.16.240 service=ovpn
add local-address=192.168.16.1 name=conn remote-address=192.168.16.241 \
    service=ovpn
/system clock
set time-zone-name=Europe/Malta
/system identity
set name=RouterSwitchAP
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

tdw · Wed Feb 03, 2021 2:35 pm

Having frame-types=admit-only-untagged-and-priority-tagged for ether2 isn't appropriate for a hybrid port

anav · Wed Feb 03, 2021 5:19 pm

why are you using this proxy setting thingy......... ????
add arp=proxy-arp interface=BR1 name=SOHO_VLAN vlan-id=10

Incomplete setup - I see vlan interface and address for base but thats it!!
Dont see pool for vlan99
Dont see dhcp server,
Dont see dhcp server network

so you have three WLANs per radio ON THe Mikrotik router.
a SOHO (main wlan), and two virtual WLANs, base and Guest-AP
assuming 3 vlans are applicable.

Without an active base vlan the cisco has no valid managment IP address??

Your bridge port setup is strange.
All WIFI connections are access ports and thus we should see this for wlan1 and wlan2 as well.
In addition it appears etherports 3 and 4 are both SOHO to PCs or other not smart devices (cannot read vlan tags). Correct??
Finally ether 2 is also setup as an access port by your definition here and really you want a trunk port to pass vlan 10 and vlan 20 to the CISCO for wifi and 99 for management.

add bridge=BR1 interface=ether2 frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=wlan1-admin pvid=99 ??? needs ---> frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=wlan2-admin pvid=99 ??? needs ---> frame-types=admit-only-untagged-and-priority-tagged

As for Bridge vlan setup.......it seems correct.

tdw · Wed Feb 03, 2021 7:02 pm

@anav The Cisco AP on ether2 is configured with VLAN10 untagged & VLAN20 tagged so frame-types=admit-only-vlan-tagged isn't appropriate either

chribonn · Wed Feb 03, 2021 8:55 pm

Hello Everyone,

Thank you for your inputs. Sadly I did not take a backup of my config while doing changes (apologies) and I ended messing up.

I restored from my backup and the config I am inserting has the following behaviour:

From Mikrotik, both SOHO-AP and GUEST-AP work without problems
From the Cisco-AP, the SOHO-AP works, GUEST-AP does not work.

Let me try my best to answer some questions raised.

The script originated from the reference listing for VLANS in the WIKI. I made a modification to allow OpenVPN access from two clients (who inherit an IP from the SOHO range). The ARP entry was to address the inability of these OpenVPN clients to access the resources. OpenVPN is working well.

I would like clients that connect to the GUEST-AP from the Cisco to be able to access the internet limiting to that VLAN.

Sorry for the trouble. I will backup before making changes.

# feb/03/2021 19:37:22 by RouterOS 6.48
# software id = 0E9A-7W1F
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 665805B580DC
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Connected to ISP"
set [ find default-name=ether2 ] comment="Connected to Cisco AP"
set [ find default-name=ether3 ] comment="Connected to LAN Switch"
set [ find default-name=ether4 ] comment="Connected to SRV-TOR"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=malta disabled=no frequency=2442 mode=ap-bridge ssid=SOHO-AP
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-eCee country=malta disabled=no frequency=5260 mode=ap-bridge \
    ssid=SOHO-AP
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=GUEST_VLAN vlan-id=20
add arp=proxy-arp interface=BR1 name=SOHO_VLAN vlan-id=10
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Base \
    supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=E6:8D:8C:D6:E4:5E master-interface=wlan1 name=\
    wlan1-guest security-profile=guest ssid=GUEST-AP
add disabled=no mac-address=E6:8D:8C:D6:E4:5D master-interface=wlan2 name=\
    wlan2-guest security-profile=guest ssid=GUEST-AP
/ip pool
add name=SOHO_POOL ranges=192.168.16.20-192.168.16.99
add name=GUEST_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
add address-pool=SOHO_POOL disabled=no interface=SOHO_VLAN name=SOHO_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
/ppp profile
set *0 use-upnp=no
set *FFFFFFFE use-upnp=no
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1-guest pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2-guest pvid=20
add bridge=BR1 interface=*A pvid=99
add bridge=BR1 interface=*B pvid=99
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether4,wlan1,wlan2 vlan-ids=\
    10
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-guest,wlan2-guest vlan-ids=20
add bridge=BR1 tagged=BR1,ether2 untagged=*A,*B vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=SOHO_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes \
    require-client-certificate=yes
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=xxx.yyy.zzz.180/27 comment="Fixed IP provided by ISP" interface=\
    ether1 network=xxx.yyy.zzz.160
add address=192.168.16.1/24 interface=SOHO_VLAN network=192.168.16.0
add address=10.0.20.1/24 interface=GUEST_VLAN network=10.0.20.0
/ip dhcp-server network
add address=10.0.20.0/24 comment="Guest Subnet" dns-server=192.168.0.1 \
    gateway=10.0.20.1
add address=192.168.16.0/24 comment="SOHO Subnet" dns-server=192.168.0.1 \
    gateway=192.168.16.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9,8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN from WAN" dst-port=1194 \
    protocol=tcp
add chain=input comment="Allow all ICMP" protocol=icmp
add action=accept chain=input comment=\
    "Allow Establised and Related Connections" connection-state=\
    established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward comment=\
    "Source: https://forum.mikrotik.com/viewtopic.php\?f=2&t=171682" \
    in-interface=all-ppp out-interface=SOHO_VLAN
add action=accept chain=forward comment=\
    "Source: https://forum.mikrotik.com/viewtopic.php\?f=2&t=171682" \
    in-interface=SOHO_VLAN out-interface=all-ppp
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.16.0/24 src-address=192.168.16.0/24
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment=HTTP dst-address=xxx.yyy.zzz.180 \
    dst-port=80 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=HTTPS dst-address=xxx.yyy.zzz.180 \
    dst-port=443 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=SFTP dst-address=xxx.yyy.zzz.180 \
    dst-port=5552 protocol=tcp to-addresses=192.168.16.5 to-ports=22
add action=dst-nat chain=dstnat comment=Plex dst-address=xxx.yyy.zzz.180 \
    dst-port=52400 protocol=tcp to-addresses=192.168.16.8 to-ports=32400
add action=dst-nat chain=dstnat comment=BlueIris dst-address=xxx.yyy.zzz.180 \
    dst-port=8080 protocol=tcp to-addresses=192.168.16.5 to-ports=8080
/ip route
add comment="ISP gateway" distance=1 gateway=xxx.yyy.zzz.161
/ip service
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add comment="IP Address Assigned to user" local-address=192.168.16.1 name=\
    chribonn remote-address=192.168.16.240 service=ovpn
add local-address=192.168.16.1 name=connie remote-address=192.168.16.241 \
    service=ovpn
/system clock
set time-zone-name=Europe/Malta
/system identity
set name=RouterSwitchAP
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

chribonn · Thu Feb 04, 2021 10:26 am

@anav The Cisco AP on ether2 is configured with VLAN10 untagged & VLAN20 tagged so frame-types=admit-only-vlan-tagged isn't appropriate either

Hi,

My observations seem to agree with your observation. What I would like to achieve is the following:

Miktorik router stays behaving as it is while the Cisco allows VLAN'ed traffic depending on which SSID one connects to. On the Mikrotik there is defined VLAN ID=99 (BASE_VLAN). From my understanding of the script this is a backbone VLAN and I can observe traffic on it. Should it be defined on the Cisco?

Responding to some observations/question:

ether3 and ether4 will not be serving devices on any VLAN other than ID=10

I've removed the Wireless interfaces associated with ID=99. They were disabled.

I will try to sort it and will share the BACKEDUP incremental changes either way :-).

Regards

chribonn · Thu Feb 04, 2021 12:03 pm

Hello,

These are some changes I made from within Winbox and how each change altered the configuration.

Changed ether2 from 'admit-only-untagged-and-priority-tagged' to 'admit-only-vlan-tagged'

(001)

add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=10

Changed to:

(002)

add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether2 pvid=10

SOHO-AP from Cisco : KO
GUEST-AP from Cisco: OK

-------------------------

Moved ether2 from untagged to tagged on all VLANS

(002)

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=\
    *************
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik wpa2-pre-shared-key=*************
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Base \
    supplicant-identity=MikroTik wpa2-pre-shared-key=**************

/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether4,wlan1,wlan2 vlan-ids=\
    10

/ppp secret
add comment="IP Address Assigned to user" local-address=192.168.16.1 name=\
    chribonn password=*************** \
    remote-address=192.168.16.240 service=ovpn
add local-address=192.168.16.1 name=connie password=\
    ************** remote-address=192.168.16.241 \
    service=ovpn

Changed to:

(003)

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
				   
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Base \
    supplicant-identity=MikroTik

/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2 untagged=ether3,ether4,wlan1,wlan2 vlan-ids=\
    10

/ppp secret
add comment="IP Address Assigned to user" local-address=192.168.16.1 name=\
																   
    chribonn remote-address=192.168.16.240 service=ovpn
add local-address=192.168.16.1 name=connie remote-address=192.168.16.241 \
																			  
    service=ovpn

SOHO-AP from Cisco : KO (Device was reporting that it could not obtain IP address)
GUEST-AP from Cisco: OK

I am able to go back to the configurations 001, 002 and 003.

chribonn · Mon Feb 08, 2021 4:04 pm

Hi @tdw, @anav

Sorry for not getting back on this topic. I tried assimilating what was being stated and have modified the configuration to eliminate VLAN ID=99. My problem is that I don't have a Mikrotik to experiment with (have one ordered but with Covid no one knows when it will arrive) which means that when I screw up I bring down my network!

Since my last posting I've:

Removed VLAN 99. I prefer to have administrative function merged into VLAN 10.

Each VLAN has it's own DNS rather than sharing a common one.

The setup is working although the original topic of not being able to access VLAN 20 through the Cisco AP still remains as I did not change anything.

@tdw pointed out that frame-types=admit-only-vlan-tagged could not work because ether2 is configured with VLAN10 untagged & VLAN20 tagged.

My needs are that a device connecting on the Cisco would, depending on the SSID (SOHO or GUEST) be restricted to the particular VLAN. Stressing that my understanding on this topic is basic, I think that modifying ether2 so that only tagged VLAN traffic is the right way. I'm assuming that in this scenario the VLAN ID to devices connected to the Cisco would automatically initiate from the Cisco itself.

I would greatly appreciate any guidance to modify the included script to do that.

Thanks

# feb/08/2021 14:38:18 by RouterOS 6.48
# software id = 0E9A-7W1F
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 665805B580DC
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Connected to ISP"
set [ find default-name=ether2 ] comment="Connected to Cisco AP"
set [ find default-name=ether3 ] comment="Connected to LAN Switch"
set [ find default-name=ether4 ] comment="Connected to SRV-TOR"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=malta disabled=no frequency=2442 mode=ap-bridge ssid=SOHO-AP
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-eCee country=malta disabled=no frequency=5260 mode=ap-bridge \
    ssid=SOHO-AP
/interface vlan
add interface=BR1 name=GUEST_VLAN vlan-id=20
add arp=proxy-arp interface=BR1 name=SOHO_VLAN vlan-id=10
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Base \
    supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=E6:8D:8C:D6:E4:5E master-interface=wlan1 name=\
    wlan1-guest security-profile=guest ssid=GUEST-AP
add disabled=no mac-address=E6:8D:8C:D6:E4:5D master-interface=wlan2 name=\
    wlan2-guest security-profile=guest ssid=GUEST-AP
/ip pool
add name=SOHO_POOL ranges=192.168.16.20-192.168.16.99
add name=GUEST_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
add address-pool=SOHO_POOL disabled=no interface=SOHO_VLAN name=SOHO_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
/ppp profile
set *0 use-upnp=no
set *FFFFFFFE use-upnp=no
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1-guest pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2-guest pvid=20
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether4,wlan1,wlan2 vlan-ids=\
    10
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-guest,wlan2-guest vlan-ids=20
/interface list member
add interface=ether1 list=WAN
add interface=SOHO_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=SOHO_VLAN list=BASE
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes \
    require-client-certificate=yes
/ip address
add address=xxx.yyy.zzz.180/27 comment="Fixed IP provided by ISP" interface=\
    ether1 network=xxx.yyy.zzz.160
add address=192.168.16.1/24 interface=SOHO_VLAN network=192.168.16.0
add address=10.0.20.1/24 interface=GUEST_VLAN network=10.0.20.0
/ip dhcp-server network
add address=10.0.20.0/24 comment="Guest Subnet" dns-server=10.0.20.1 gateway=\
    10.0.20.1
add address=192.168.16.0/24 comment="SOHO Subnet" dns-server=192.168.16.1 \
    gateway=192.168.16.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9,8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN from WAN" dst-port=1194 \
    protocol=tcp
add chain=input comment="Allow all ICMP" protocol=icmp
add action=accept chain=input comment=\
    "Allow Establised and Related Connections" connection-state=\
    established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward comment=\
    "Source: https://forum.mikrotik.com/viewtopic.php\?f=2&t=171682" \
    in-interface=all-ppp out-interface=SOHO_VLAN
add action=accept chain=forward comment=\
    "Source: https://forum.mikrotik.com/viewtopic.php\?f=2&t=171682" \
    in-interface=SOHO_VLAN out-interface=all-ppp
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.16.0/24 src-address=192.168.16.0/24
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment=HTTP dst-address=xxx.yyy.zzz.180 \
    dst-port=80 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=HTTPS dst-address=xxx.yyy.zzz.180 \
    dst-port=443 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=SFTP dst-address=xxx.yyy.zzz.180 \
    dst-port=5552 protocol=tcp to-addresses=192.168.16.5 to-ports=22
add action=dst-nat chain=dstnat comment=Plex dst-address=xxx.yyy.zzz.180 \
    dst-port=52400 protocol=tcp to-addresses=192.168.16.8 to-ports=32400
add action=dst-nat chain=dstnat comment=BlueIris dst-address=xxx.yyy.zzz.180 \
    dst-port=8080 protocol=tcp to-addresses=192.168.16.5 to-ports=8080
/ip route
add comment="ISP gateway" distance=1 gateway=xxx.yyy.zzz.161
/ip service
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add comment="IP Address Assigned to user" local-address=192.168.16.1 name=\
    chri remote-address=192.168.16.240 service=ovpn
add local-address=192.168.16.1 name=conn remote-address=192.168.16.241 \
    service=ovpn
/system clock
set time-zone-name=Europe/Malta
/system identity
set name=RouterSwitchAP
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

mkx · Mon Feb 08, 2021 4:35 pm

@tdw pointed out that frame-types=admit-only-vlan-tagged could not work because ether2 is configured with VLAN10 untagged & VLAN20 tagged.

My needs are that a device connecting on the Cisco would, depending on the SSID (SOHO or GUEST) be restricted to the particular VLAN. Stressing that my understanding on this topic is basic, I think that modifying ether2 so that only tagged VLAN traffic is the right way. I'm assuming that in this scenario the VLAN ID to devices connected to the Cisco would automatically initiate from the Cisco itself.

Nothing will be done automatically by neither Cisco nor Mikrotik, they will do exactly what they are configured with and to make whole thing work, both configurations have to match. IMHO having both VLANs tagged between Cisco and MT is the right way to go. However if you want to go with least amount of changes, you should make ether2 access port for VLAN 10 while keeping it tagged for VLAN 20 (current setup, as @TDW noted, blocks tagged frames from ingressing ether2):

/interface bridge port
set [ find interface=ether2 ] frame-types=any

If you'd go with tagged only via ether2, you'd have to change a few things on Cisco as well ...

chribonn · Mon Feb 08, 2021 4:44 pm

@tdw pointed out that frame-types=admit-only-vlan-tagged could not work because ether2 is configured with VLAN10 untagged & VLAN20 tagged.

My needs are that a device connecting on the Cisco would, depending on the SSID (SOHO or GUEST) be restricted to the particular VLAN. Stressing that my understanding on this topic is basic, I think that modifying ether2 so that only tagged VLAN traffic is the right way. I'm assuming that in this scenario the VLAN ID to devices connected to the Cisco would automatically initiate from the Cisco itself.
Nothing will be done automatically by neither Cisco nor Mikrotik, they will do exactly what they are configured with and to make whole thing work, both configurations have to match. IMHO having both VLANs tagged between Cisco and MT is the right way to go. However if you want to go with least amount of changes, you should make ether2 access port for VLAN 10 while keeping it tagged for VLAN 20 (current setup, as @TDW noted, blocks tagged frames from ingressing ether2):
Code: Select all
/interface bridge port
set [ find interface=ether2 ] frame-types=any

Hello @mkx,

I prefer to go with the opinion of an expert :-)

Can you please help me in that direction?

Thank you

mkx · Mon Feb 08, 2021 4:46 pm

Can you please help me in that direction?

I already did ... either copy-paste the code to terminal window or change setting through GUI. I'm not fluent in ciscogibberish, so I couldn't guide you towards all-tagged setup.

chribonn · Mon Feb 08, 2021 4:51 pm

Can you please help me in that direction?

I already did ... either copy-paste the code to terminal window or change setting through GUI. I'm not fluent in ciscogibberish, so I couldn't guide you towards all-tagged setup.

Thank you @mkx - I misunderstood that the solution you shared was the one you would not have done :-).

I will try it later and report back.

Regards

mkx · Mon Feb 08, 2021 5:05 pm

I did not write that the solution shared was a no-go (I wouldn't post it at all, I'd let somebody else do it), I just wrote my opinion about the right (best) solution. But that's only my opinion and surely not everybody agrees.

tdw · Mon Feb 08, 2021 6:21 pm

My experiences with Cisco APs, albeit some years ago on 1230 series, was that they didn't particularly like a fully tagged setup so I used managment to the BVI interface untagged. Their newer APs may be better.

chribonn · Mon Feb 08, 2021 7:10 pm

Hi,

I got a syntax error. Should it be "admit all" in the GUI?

[admin@RouterSwitchAP] /interface bridge port> set [ find interface=ether2 ] frame-types=any
syntax error (line 1 column 43)                                                                                              ^

For my own education, with the admit all change above and the following:

/interface bridge port
add bridge=BR1 ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1-guest pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2-guest pvid=20
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether4,wlan1,wlan2 vlan-ids=\
    10
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-guest,wlan2-guest vlan-ids=20
/interface list member
add interface=ether1 list=WAN
add interface=SOHO_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=SOHO_VLAN list=BASE

Thanks for the help.

I tried with this modification. On the Cisco SOHO-AP SSID appears and is functional. GUEST-AP does not. On the Mikrotik I have no issues.

Thanks

mkx · Mon Feb 08, 2021 7:23 pm

Right you are, it should be admit-all ... which is default and thus is not shown in your configuration export.

Regarding GUEST-AP: I don't see anything wrong in hAP lite configuration, tagged frames with VID=20 should pass it. If GUEST-AP on hAP lite works fine, then I would suspect configuration on Cisco. As I already mentioned I don't know cisco so I don't know if the configuration is fine or not (and if not, what is wrong).

chribonn · Mon Feb 08, 2021 10:02 pm

Right you are, it should be admit-all ... which is default and thus is not shown in your configuration export.

Regarding GUEST-AP: I don't see anything wrong in hAP lite configuration, tagged frames with VID=20 should pass it. If GUEST-AP on hAP lite works fine, then I would suspect configuration on Cisco. As I already mentioned I don't know cisco so I don't know if the configuration is fine or not (and if not, what is wrong).

Dear @mkx,

A decided to power cycle everything and I think everything is working as expected. Tomorrow I will be trying everything and will report back. I am hopeful that the matter is resolved.

Thanks

chribonn · Tue Feb 09, 2021 4:44 pm

Dear All,

I confirm that it works. Thank you. I marked the topic as solved.

I must admit that my lack of network knowledge, prevents me from appreciating how traffic flows on Ether2 and why there isn't a complete mess on this port. My reasoning was that like BR1 this is a multi-VLAN channel and therefore all traffic should have been forced into this mode.

I also want to thank @mkx for your comments: an unintended consequence of your comment is that you helped me clean up the settings. I had been thinking of trimming out ID=99 but your observations made me bite the bullet :-)

Cisco AP Autonomout Mode VLAN issue on one VLAN [SOLVED]

Cisco AP Autonomout Mode VLAN issue on one VLAN

Re: Cisco AP Autonomout Mode VLAN issue on one VLAN

Re: Cisco AP Autonomout Mode VLAN issue on one VLAN

Re: Cisco AP Autonomout Mode VLAN issue on one VLAN

Re: Cisco AP Autonomout Mode VLAN issue on one VLAN

Re: Cisco AP Autonomout Mode VLAN issue on one VLAN

Re: Cisco AP Autonomout Mode VLAN issue on one VLAN

Re: Cisco AP Autonomout Mode VLAN issue on one VLAN

Re: Cisco AP Autonomout Mode VLAN issue on one VLAN

Re: Cisco AP Autonomout Mode VLAN issue on one VLAN

Re: Cisco AP Autonomout Mode VLAN issue on one VLAN

Re: Cisco AP Autonomout Mode VLAN issue on one VLAN

Re: Cisco AP Autonomout Mode VLAN issue on one VLAN

Re: Cisco AP Autonomout Mode VLAN issue on one VLAN

Re: Cisco AP Autonomout Mode VLAN issue on one VLAN

Re: Cisco AP Autonomout Mode VLAN issue on one VLAN [SOLVED]

Re: Cisco AP Autonomout Mode VLAN issue on one VLAN

[SOLVED] Re: Cisco AP Autonomout Mode VLAN issue on one VLAN

Who is online