an0o0nym
just joined
Topic Author
Posts: 2
Joined: Sat Feb 20, 2021 1:00 am

hAP ac2 setup with VLAN

Sun Feb 21, 2021 3:44 am

Hello there,
I have received my hAP ac2 recently. I spent most of my time since then reading through MT wiki pages and browsing through this forum in order to learn more about VLAN configuration. I've read the must-read topics on this forum such as viewtopic.php?t=143620. However, I still need some explanation on a few matters, as most of the configurations I've found on the MT wiki are for multi-device setups.

What I am trying to achieve is to set up a very simple home network using VLAN for isolation purposes:
  • eth1 connected to ISP modem
  • eth2 for management
  • wlan-home (5GHz) with VID=10
  • wlan-guests (5GHz) with VID=30
  • wlan-iot (2.4GHz) with VID=20

mkx wrote at viewtopic.php?t=145402 that hAP ac2 has a powerful CPU thus one should go for vlan-filtering (bridge) approach and that there may be some instabilities when using VLANs with a switch-chip configuration. On the other hand hAP ac2 is marked as a device on MT wiki that supports switch-chip VLAN filtering.

So if I understood correctly what mkx wrote - here come my first questions:
1. Are those 'instabilities' still the case? As some time has passed by since Feb 2019 (when that answer was posted).
2. In terms of throughput, should there be big difference if I resign from switch-chip for sake of vlan-filtering (bridge)? Or for a home user (video streaming, web surfing, email, NO gaming capabilities needed) the difference should not be noticeable at all?

Another thing is that I am trying to set-up WLANs which according to the MT wiki page do not support switch-chip functionality either way:
> Warning: Some devices have a built-in switch chip that can switch packets between Ethernet ports with wire-speed performance. Bridge VLAN filtering disables hardware offloading (except on CRS3xx series switches), which will prevent packets from being switched, this does not affect Wireless interfaces as traffic through them cannot be offloaded to the switch chip either way.
Source: https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless

3. Is there a way to walk around that limitation (other than buying a separate AP and connecting it to one of hAP ac2 physical ports)? Can I still use somehow switch-chip functionality with built-in WLANs interfaces of hAP ac2 or I am "doomed" for Bridge VLAN filtering without switch-chip capabilities?

I am most probably missing some general knowledge about how WLANs interfaces and switch-chip [don't] work together. But there are no stupid questions, ey? :)

Looking through the forum as well as through MT wiki I found few examples where eth1 is part of a bridge together with all other ports.
4a. Should the eth1 be part of a bridge for simple VLAN setup scenario as outlined at the beginning of this post?
4b. When would I want/don't want eth1 to be part of a bridge with all other ports?

Few closing questions:
5a. Do I need a bridge for each and every VLAN ? Some people tend to suggest single-bridge setup?
5b. When and why would I want to use single-bridge vs multi-bridge (1 bridge per VLAN) setup?

By inspecting RouterSwitchAP.rsc from viewtopic.php?t=143620 I can see the main CPU port (BR1) being added to the VLAN table.
# L3 switching so Bridge must be a tagged member
set bridge=BR1 tagged=BR1 [find vlan-ids=10]
set bridge=BR1 tagged=BR1 [find vlan-ids=20]
set bridge=BR1 tagged=BR1 [find vlan-ids=99]

6. Is it required to add CPU port for vlan-filtering to work? I believe I also saw somewhere configuration examples which do not add CPU port to the VLAN table. Is it mainly for management purposes here? OR is it for allowing DHCP servers etc. to be accessible from those individual VLANs ? Does it expose access to the device from those VLANs?
7. Some of configuration examples use eth1 as a tagged port for all VLANs. IF eth1 in my case is link to ISP modem. Should I also use that eth1 as tagged port for all my VLANs or I should rather use CPU port to allow for Bridge VLAN filtering?

Thank you.
 
anav
Forum Guru
Posts: 6136
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP ac2 setup with VLAN

Sun Feb 21, 2021 2:14 pm

For a simple home network, I wouldn't bother about switch chip method, far too complicated.
You could have been up and running using pcunite's examples yesterday!
Give it a try and see your results.

Then use this guide for switch chip and see the results, and which you like better.........
https://www.youtube.com/watch?v=Rj9aPoyZOPo
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
tdw
Forum Veteran
Posts: 706
Joined: Sat May 05, 2018 11:55 am

Re: hAP ac2 setup with VLAN

Sun Feb 21, 2021 2:53 pm

> 2. In terms of throughput, should there be big difference if I resign from switch-chip for sake of vlan-filtering (bridge)? Or for a home user (video streaming, web surfing, email, NO gaming capabilities needed) the difference should not be noticeable at all?
>
> Another thing is that I am trying to set-up WLANs which according to the MT wiki page do not support switch-chip functionality either way:
>
> 3. Is there a way to walk around that limitation (other than buying a separate AP and connecting it to one of hAP ac2 physical ports)? Can I still use somehow switch-chip functionality with built-in WLANs interfaces of hAP ac2 or I am "doomed" for Bridge VLAN filtering without switch-chip capabilities?
>
> I am most probably missing some general knowledge about how WLANs interfaces and switch-chip [don't] work together. But there are no stupid questions, ey? :)

Using the switch chip to reduce CPU load only applies to traffic between ethernet ports attached to the switch chip, the block diagram https://i.mt.lv/cdn/product_files/RBD52 ... 180323.png shows the arrangement. Any interfaces with a software driver (WLAN, encapsulations such as GRE, IPIP, L2TP, etc.) always use the CPU, as does any traffic which is routed (LAN to WAN, or between VLANs).

> Looking through the forum as well as through MT wiki I found few examples where eth1 is part of a bridge together with all other ports.
> 4a. Should the eth1 be part of a bridge for simple VLAN setup scenario as outlined at the beginning of this post?
> 4b. When would I want/don't want eth1 to be part of a bridge with all other ports?

It depends if the Mikrotik is acting as a bridge with the ISP device providing all of the routing, NAT, DHCP, etc. or if the Mikrotik itself is providing this functionality.

> 5a. Do I need a bridge for each and every VLAN ? Some people tend to suggest single-bridge setup?
> 5b. When and why would I want to use single-bridge vs multi-bridge (1 bridge per VLAN) setup?

Using a single bridge, and using the VLAN-aware functionality to support multiple VLANs, is the preferred option. You can use one bridge per VLAN, it was the only way before the VLAN-aware functionality was introduced, but there are many potential pitfalls https://wiki.mikrotik.com/wiki/Manual:L ... figuration.

> 6. Is it required to add CPU port for vlan-filtering to work? I believe I also saw somewhere configuration examples which do not add CPU port to the VLAN table. Is it mainly for management purposes here? OR is it for allowing DHCP servers etc. to be accessible from those individual VLANs ? Does it expose access to the device from those VLANs?

No. VLAN filtering between ports will work without the bridge itself added to the bridge VLAN statements, it is only required if traffic to/from a particular VLAN has to interact with services on the Mikrotik - routing, DHCP, DNS, etc.

> 7. Some of configuration examples use eth1 as a tagged port for all VLANs. IF eth1 in my case is link to ISP modem. Should I also use that eth1 as tagged port for all my VLANs or I should rather use CPU port to allow for Bridge VLAN filtering?

See earlier comments regarding point 4.
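
A single-bridge layout of the kind discussed in this thread, as an added example that is not from any poster and is not pcunite's RouterSwitchAP.rsc. The bridge name, interface names, subnets, the use of VLAN 99 on ether2 for management and the firewall policy are all assumptions; DHCP servers for the VLANs are left out. It shows the bridge as a tagged member so the router can serve each VLAN, ether1 kept outside the bridge, and the input/forward rules that decide what that membership exposes.

```routeros
# Constructed example: BR1, the interface names and the 10.0.x.0/24 subnets are assumptions.
# wlan-home, wlan-iot and wlan-guests are assumed to exist with the default vlan-mode=no-tag.

# One VLAN-aware bridge. Filtering is enabled on the last line to avoid a lock-out.
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=no

# Access ports: pvid tags untagged ingress frames. ether1 (WAN) is not a bridge port.
/interface bridge port
add bridge=BR1 interface=wlan-home pvid=10 frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=wlan-iot pvid=20 frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=wlan-guests pvid=30 frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=ether2 pvid=99 frame-types=admit-only-untagged-and-priority-tagged

# The bridge (CPU port) is a tagged member because the router serves these VLANs.
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=10,20,30,99

# L3 interfaces on the bridge, one per VLAN.
/interface vlan
add interface=BR1 name=vlan10-home vlan-id=10
add interface=BR1 name=vlan20-iot vlan-id=20
add interface=BR1 name=vlan30-guests vlan-id=30
add interface=BR1 name=vlan99-mgmt vlan-id=99
/ip address
add interface=vlan10-home address=10.0.10.1/24
add interface=vlan20-iot address=10.0.20.1/24
add interface=vlan30-guests address=10.0.30.1/24
add interface=vlan99-mgmt address=10.0.99.1/24

# WAN: ISP device in modem mode, address obtained on ether1.
/ip dhcp-client
add interface=ether1 disabled=no

# Input: full router access from the management VLAN only; other VLANs get DNS only.
# Forward: VLANs may go out to the WAN, routing between VLANs is dropped.
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=vlan99-mgmt
add chain=input action=accept protocol=udp dst-port=53 in-interface=!ether1
add chain=input action=drop
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept out-interface=ether1
add chain=forward action=drop
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1

/interface bridge set BR1 vlan-filtering=yes
```

Once the router holds an address in every VLAN it will route between them, so the isolation in this layout comes from the final forward drop rule and not from the VLAN tags alone.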
 
an0o0nym
just joined
Topic Author
Posts: 2
Joined: Sat Feb 20, 2021 1:00 am

Re: hAP ac2 setup with VLAN

Mon Feb 22, 2021 9:40 pm

First of all thank you for your responses.

I took the advice of @anav and set up the VLANs according to pcunite's examples. Obviously it took me several attempts to make it all working. The biggest problem though that I had was that I did set vlan-mode=use-tag AND vlan-id=<some_vlan_id> (I believe this is because I was sweating this manual for quite some time: https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless). This was driving me crazy as I was getting
received deauth: sending station leaving (3)
errors in the Logs.

I read other topics about deauth error on Mikrotik forum and how to fix it. It was pretty depressing experience finding out topics with similar problem that seem to exist for quite a few years now and where people claim that this problem is "not fixed". At that point I was almost ready to think that I may have to find some other device.

However I did try step-by-step approach where I started off from scratch using default configuration. At first it turned out that I am able to connect to WLAN! Now it only could get better. So I started to change the settings according to pcunite's RouterSwitchAP.rsc example configuration. And hey, guess what... at 3 A.M. I was ready to toss Mikrotik out of my window. I was not able to spot the difference.

In the morning, totally hopeless, I gave it one last attempt. I found out that after enabling vlan-mode=use-tag I started to see received deauth: sending station leaving (3) in the Logs again! SUCCESS! Now after 87934651083012094 attempts I knew RouterSwitchAP.rsc already by heart...so I finished the configuration accordingly, at the end it still kept working!

So thank you @anav for [somehow] convincing me to take one more go at pcunite's examples (I won't try the switch chip video tutorial any time soon though! :-D ). AND thank you @tdw for explaining to me the substantive part which helped me to go through the configuration with enough knowledge to understand what I am doing!

I have one more question though:

> It depends if the Mikrotik is acting as a bridge with the ISP device providing all of the routing, NAT, DHCP, etc. or if the Mikrotik itself is providing this functionality.

I want Mikrotik itself to provide all the functionality. I set the ISP device into the modem mode. In the VLAN table I set tagged=bg_main (CPU port of a bridge) for all VLANs. I also set up DHCP client on that eth1 port AND did NOT add eth1 to the bridge. Does this sound alright more or less?
 
anav
Forum Guru
Posts: 6136
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP ac2 setup with VLAN

Mon Feb 22, 2021 9:44 pm

To answer small or large questions, I need to see the config LOL

/export hide-sensitive file=anynameyouwish
