an0o0nym
just joined
Topic Author
Posts: 2
Joined: Sat Feb 20, 2021 1:00 am

hAP ac2 setup with VLAN

Sun Feb 21, 2021 3:44 am

Hello there,
I have received my hAP ac2 recently. I spent most of my time since then reading through MT wiki pages and browsing through this forum in order to learn more about VLAN configuration. I've read the must-read topics on this forum such as viewtopic.php?t=143620. However, I still need some explanation on a few matters, as most of the configurations I've found on the MT wiki are for multi-device setups.

What I am trying to achieve is to set up a very simple home network using VLAN for isolation purposes:
  • eth1 connected to ISP modem
  • eth2 for management
  • wlan-home (5GHz) with VID=10
  • wlan-guests (5GHz) with VID=30
  • wlan-iot (2.4GHz) with VID=20

mkx wrote at viewtopic.php?t=145402 that hAP ac2 has a powerful CPU thus one should go for vlan-filtering (bridge) approach and that there may be some instabilities when using VLANs with a switch-chip configuration. On the other hand hAP ac2 is marked as a device on MT wiki that supports switch-chip VLAN filtering.

So if I understood correctly what mkx wrote - here come my first questions:
1. Are those 'instabilities' still the case? Some time has passed since Feb 2019 (when that answer was posted).
2. In terms of throughput, should there be a big difference if I resign from switch-chip for the sake of vlan-filtering (bridge)? Or for a home user (video streaming, web surfing, email, NO gaming capabilities needed) should the difference not be noticeable at all?

Another thing is that I am trying to set up WLANs, which according to the MT wiki page do not support switch-chip functionality either way:
Warning: Some devices have a built-in switch chip that can switch packets between Ethernet ports with wire-speed performance. Bridge VLAN filtering disables hardware offloading (except on CRS3xx series switches), which will prevent packets from being switched, this does not affect Wireless interfaces as traffic through them cannot be offloaded to the switch chip either way.
Source: https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless

3. Is there a way to work around that limitation (other than buying a separate AP and connecting it to one of the hAP ac2 physical ports)? Can I still somehow use switch-chip functionality with the built-in WLAN interfaces of the hAP ac2, or am I "doomed" to Bridge VLAN filtering without switch-chip capabilities?

I am most probably missing some general knowledge about how WLAN interfaces and the switch chip [don't] work together. But there are no stupid questions, ey? :)

Looking through the forum as well as through the MT wiki I found a few examples where eth1 is part of a bridge together with all other ports.
4a. Should the eth1 be part of a bridge for simple VLAN setup scenario as outlined at the beginning of this post?
4b. When would I want/don't want eth1 to be part of a bridge with all other ports?

A few closing questions:
5a. Do I need a bridge for each and every VLAN? Some people tend to suggest a single-bridge setup?
5b. When and why would I want to use single-bridge vs multi-bridge (1 bridge per VLAN) setup?

By inspecting RouterSwitchAP.rsc from viewtopic.php?t=143620 I can see the main CPU port (BR1) being added to the VLAN table:
/interface bridge vlan
# L3 switching so Bridge must be a tagged member
set bridge=BR1 tagged=BR1 [find vlan-ids=10]
set bridge=BR1 tagged=BR1 [find vlan-ids=20]
set bridge=BR1 tagged=BR1 [find vlan-ids=99]

6. Is it required to add the CPU port for vlan-filtering to work? I believe I also saw somewhere configuration examples which do not add the CPU port to the VLAN table. Is it mainly for management purposes here? OR is it for allowing DHCP servers etc. to be accessible from those individual VLANs? Does it expose access to the device from those VLANs?
7. Some of the configuration examples use eth1 as a tagged port for all VLANs. If eth1 in my case is the link to the ISP modem, should I also use that eth1 as a tagged port for all my VLANs, or should I rather use the CPU port to allow for Bridge VLAN filtering?

Thank you.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP ac2 setup with VLAN

Sun Feb 21, 2021 2:14 pm

For a simple home network, I wouldn't bother about the switch chip method, far too complicated.
You could have been up and running using pcunite's examples yesterday!
Give it a try and see your results.

Then use this guide for switch chip and see the results, and which you like better.........
https://www.youtube.com/watch?v=Rj9aPoyZOPo
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: hAP ac2 setup with VLAN

Sun Feb 21, 2021 2:53 pm

2. In terms of throughput, should there be a big difference if I resign from switch-chip for the sake of vlan-filtering (bridge)? Or for a home user (video streaming, web surfing, email, NO gaming capabilities needed) should the difference not be noticeable at all?

Another thing is that I am trying to set up WLANs, which according to the MT wiki page do not support switch-chip functionality either way:

3. Is there a way to work around that limitation (other than buying a separate AP and connecting it to one of the hAP ac2 physical ports)? Can I still somehow use switch-chip functionality with the built-in WLAN interfaces of the hAP ac2, or am I "doomed" to Bridge VLAN filtering without switch-chip capabilities?

I am most probably missing some general knowledge about how WLAN interfaces and the switch chip [don't] work together. But there are no stupid questions, ey? :)
Using the switch chip to reduce CPU load only applies to traffic between ethernet ports attached to the switch chip, the block diagram https://i.mt.lv/cdn/product_files/RBD52 ... 180323.png shows the arrangement. Any interfaces with a software driver (WLAN, encapsulations such as GRE, IPIP, L2TP, etc.) always use the CPU, as does any traffic which is routed (LAN to WAN, or between VLANs).

Looking through the forum as well as through the MT wiki I found a few examples where eth1 is part of a bridge together with all other ports.
4a. Should the eth1 be part of a bridge for simple VLAN setup scenario as outlined at the beginning of this post?
4b. When would I want/don't want eth1 to be part of a bridge with all other ports?
It depends if the Mikrotik is acting as a bridge with the ISP device providing all of the routing, NAT, DHCP, etc. or if the Mikrotik itself is providing this functionality.

5a. Do I need a bridge for each and every VLAN? Some people tend to suggest a single-bridge setup?
5b. When and why would I want to use single-bridge vs multi-bridge (1 bridge per VLAN) setup?
Using a single bridge, and using the VLAN-aware functionality to support multiple VLANs, is the preferred option. You can use one bridge per VLAN, it was the only way before the VLAN-aware functionality was introduced, but there are many potential pitfalls https://wiki.mikrotik.com/wiki/Manual:L ... figuration.

6. Is it required to add the CPU port for vlan-filtering to work? I believe I also saw somewhere configuration examples which do not add the CPU port to the VLAN table. Is it mainly for management purposes here? OR is it for allowing DHCP servers etc. to be accessible from those individual VLANs? Does it expose access to the device from those VLANs?
No. VLAN filtering between ports will work without the bridge itself added to the bridge VLAN statements, it is only required if traffic to/from a particular VLAN has to interact with services on the Mikrotik - routing, DHCP, DNS, etc.

7. Some of the configuration examples use eth1 as a tagged port for all VLANs. If eth1 in my case is the link to the ISP modem, should I also use that eth1 as a tagged port for all my VLANs, or should I rather use the CPU port to allow for Bridge VLAN filtering?
See earlier comments regarding point 4.
 
an0o0nym
just joined
Topic Author
Posts: 2
Joined: Sat Feb 20, 2021 1:00 am

Re: hAP ac2 setup with VLAN

Mon Feb 22, 2021 9:40 pm

First of all thank you for your responses.

I took @anav's advice and set up the VLANs according to pcunite's examples. Obviously it took me several attempts to make it all work. The biggest problem I had, though, was that I did set vlan-mode=use-tag AND vlan-id=<some_vlan_id> (I believe this is because I had been sweating over this manual for quite some time: https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless). This was driving me crazy as I was getting
received deauth: sending station leaving (3)
errors in the Logs.

I read other topics about the deauth error on the Mikrotik forum and how to fix it. It was a pretty depressing experience finding topics with a similar problem that seem to have existed for quite a few years now, and where people claim that this problem is "not fixed". At that point I was almost ready to think that I might have to find some other device.

However, I did try a step-by-step approach where I started from scratch using the default configuration. At first it turned out that I was able to connect to WLAN! Now it could only get better. So I started to change the settings according to pcunite's RouterSwitchAP.rsc example configuration. And hey, guess what... at 3 A.M. I was ready to toss the Mikrotik out of my window. I was not able to spot the difference.

In the morning, totally hopeless, I gave it one last attempt. I found out that after enabling vlan-mode=use-tag I started to see received deauth: sending station leaving (3) in the Logs again! SUCCESS! Now after 87934651083012094 attempts I knew RouterSwitchAP.rsc already by heart...so I finished the configuration accordingly, at the end it still kept working!

So thank you @anav for [somehow] convincing me to take one more go at pcunite's examples (I won't try the switch chip video tutorial any time soon though! :-D ). AND thank you @tdw for explaining to me the substantive part, which helped me to go through the configuration with enough knowledge to understand what I am doing!

I have one more question though:

It depends if the Mikrotik is acting as a bridge with the ISP device providing all of the routing, NAT, DHCP, etc. or if the Mikrotik itself is providing this functionality.

I want the Mikrotik itself to provide all the functionality. I set the ISP device into modem mode. In the VLAN table I set tagged=bg_main (CPU port of the bridge) for all VLANs. I also set up a DHCP client on that eth1 port AND did NOT add eth1 to the bridge. Does this sound alright, more or less?
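The layout tdw describes for points 4, 6 and 7, and the one the poster summarises above (eth1 outside the bridge with a DHCP client, the bridge itself as tagged member of every VLAN the router serves), as an added example that is not pcunite's RouterSwitchAP.rsc nor any export posted in this thread. Interface names, the choice of VLAN 99 on ether2 for management, the "guests" security profile and all addresses are assumptions; IoT on wlan1 with VID 20 would follow the same pattern as VLAN 10.

```routeros
# Added example, not pcunite's RouterSwitchAP.rsc or any export from this thread. Assumed: bridge BR1,
# wlan2 = 5GHz radio, ether2 = management on VLAN 99, security profile "guests" exists, addresses made up.
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no comment="filtering is enabled last"

# WAN: eth1 stays OUT of the bridge and takes its address from the ISP modem
/interface list add name=WAN
/interface list add name=VLAN
/interface list member add interface=ether1 list=WAN
/ip dhcp-client add interface=ether1 disabled=no
# Guest SSID as a virtual AP on the 5GHz radio; wireless vlan-mode stays at its default, the bridge port tags via pvid
/interface wireless add master-interface=wlan2 name=wlan-guests ssid=Guests security-profile=guests disabled=no
/interface bridge port
add bridge=BR1 interface=ether2 pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=BR1 interface=wlan2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=BR1 interface=wlan-guests pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# VLAN table: BR1 itself (the CPU port) is a tagged member because the router serves DHCP and routes
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=wlan2 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=wlan-guests vlan-ids=30
add bridge=BR1 tagged=BR1 untagged=ether2 vlan-ids=99
# One L3 interface per VLAN on the bridge; management gets an address but no DHCP server
/interface vlan
add interface=BR1 name=VLAN10_HOME vlan-id=10
add interface=BR1 name=VLAN30_GUEST vlan-id=30
add interface=BR1 name=VLAN99_MGMT vlan-id=99
/interface list member add interface=VLAN10_HOME list=VLAN
/interface list member add interface=VLAN30_GUEST list=VLAN
/ip address add address=192.168.10.1/24 interface=VLAN10_HOME
/ip address add address=192.168.30.1/24 interface=VLAN30_GUEST
/ip address add address=192.168.99.1/24 interface=VLAN99_MGMT
/ip pool add name=POOL10 ranges=192.168.10.100-192.168.10.200
/ip pool add name=POOL30 ranges=192.168.30.100-192.168.30.200
/ip dhcp-server add address-pool=POOL10 interface=VLAN10_HOME name=DHCP10 disabled=no
/ip dhcp-server add address-pool=POOL30 interface=VLAN30_GUEST name=DHCP30 disabled=no
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
/ip dhcp-server network add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1
/ip dns set allow-remote-requests=yes

# Isolation: VLANs reach the internet but not each other; only VLAN 99 may manage the router
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN
/ip firewall filter add chain=forward action=drop in-interface-list=VLAN out-interface-list=VLAN
/ip firewall filter add chain=input action=accept connection-state=established,related
/ip firewall filter add chain=input action=accept in-interface-list=VLAN protocol=udp dst-port=53,67
/ip firewall filter add chain=input action=accept in-interface=VLAN99_MGMT
/ip firewall filter add chain=input action=drop
# Last step: turn filtering on, from a host on ether2 (VLAN 99), otherwise you lock yourself out
/interface bridge set BR1 vlan-filtering=yes
```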
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP ac2 setup with VLAN

Mon Feb 22, 2021 9:44 pm

To answer small or large questions, I need to see the config LOL

/export hide-sensitive file=anynameyouwish
 
SisiMtikEnth
just joined
Posts: 1
Joined: Thu Sep 02, 2021 12:37 am

Re: hAP ac2 setup with VLAN

Fri Sep 10, 2021 1:08 am

First of all, thanks for each and everyone in the community helping each other in some form or another to get through their difficulties.

I'm very new to MT and have gone through many pages and videos to get a VLAN setup done on my ac2. But, with many lost hours, I mean weeks, I'm still at point zero not knowing what to do. I tried pcunite's example RouterSwitchAP as is, without changing anything except the ISP settings. This is to get the thing working so I could tweak it to suit my situation. However, every time I hit the last command, the router gets disconnected from winbox and there is no way of getting back, regardless of wlans or what ether port I'm using. None of the connections give me an IP. Really frustrating. This is one last try before throwing the hAP in the bin.

All what I'm trying to achieve is;
Office - ether 2 - vlan20
Home - ether 3 - vlan30
IOT - ether 4 - vlan40 [this would go through GS108E switch to separate connections to CCTV (to be on vlan40) and xbox,tv (to be on vlan30)]
wlan for IOT - vlan40
wlan for Guest - vlan50

If above is not practical, value your opinion.

I wanted to use MT mainly to separate the Office setup, CCTV and other devices from each other. Also, working from home under lock-downs, I would like to use another router with more/easier parental control (eg. Asus AC86U) to distribute Wifi to the Home network. This router would be connected to ether 3, giving vlan30 to separate that network from the others (vlan20 & vlan40). Again, much appreciate your opinion.

Questions;
1. What could I have been doing wrong when testing RouterSwitchAP setup? [at the moment hAP is plugged to PC ether 5 and ether 1 is plugged to another router giving internet on 192.168.0.10. Once I get things working, I will connect ether1 directly to ISP modem (modem function only).]
2. What modifications should I be doing to customise the RouterSwitchAP to match with my scenario?
 
KeV
just joined
Posts: 1
Joined: Fri Mar 18, 2022 5:05 pm

Re: hAP ac2 setup with VLAN

Sat Mar 19, 2022 11:42 pm

Oh man, feel your pain. Instead of using the cpu for forwarding I configured my hap ac2 for hardware based switching using the Atheros8327 and did finally manage to make it work. The key is a tiny footnote on this wiki page:

Note: QCA8337 and Atheros8327 switch chips ignore the vlan-header property and use the default-vlan-id property to determine which ports are access ports. The vlan-header is set to leave-as-is and cannot be changed, while the default-vlan-id property should only be used on access ports to tag all ingress traffic.

I use this thing mainly as a satellite switch that is trunked to my main CRS3X switch on eth1 because the wireless performance is incredibly awful. Lack of wave 2 support, I guess. In fact I have an old 802.11ac router in bridge mode plugged into one of the ports assigned to vlan 3 to support all my IOT over wireless on their own vlan. Works much better than the built in wireless.

Anyway, this is my switch and bridge config for the next person (or my future self) that undertakes this journey. Again, this is what a config looks like that takes advantage of the switch chip on the hap ac2. This switch supports two vlans for me and is trunked to my main switch over the eth1 port. I also have some vlans defined on the software bridge. One is to support an ip on my admin lan. I believe the wireless bridging to vlans is via the switch chip as well. To confirm this, I just ran torch on the bridge interface(vlan1) and trunk interfaces while pushing some wireless traffic through the hap ac2 and I don't see anything in torch other than broadcast traffic coming from the wireless client. When you have hw switching enabled, torch doesn't work because the cpu doesn't see the directly forwarded traffic, so I conclude that wireless is forwarded by the hardware and not the cpu.

SWITCH PORT DETAILS
[admin@sw3] /interface ethernet switch port> print detail 
Flags: I - invalid 
 0   name="ether1" switch=switch1 vlan-mode=fallback vlan-header=add-if-missing default-vlan-id=auto 

 1   name="ether2" switch=switch1 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=3 

 2   name="ether3" switch=switch1 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=1 

 3   name="ether4" switch=switch1 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=1 

 4   name="ether5" switch=switch1 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=3 

 5   name="switch1-cpu" switch=switch1 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=
BRIDGE VLAN DETAILS

/interface bridge> print
Flags: X - disabled, R - running 
 0 R ;;; defconf
     name="bridgeLocal" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto mac-address=---------------- protocol-mode=rstp fast-forward=no 
     igmp-snooping=no auto-mac=no admin-mac=--------------- ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 
     vlan-filtering=no dhcp-snooping=no 
========================================
[admin@sw3] /interface bridge vlan> print detail
Flags: X - disabled, D - dynamic 
 0   bridge=bridgeLocal vlan-ids=1 tagged="" untagged="" current-tagged="" current-untagged="" 

 1   bridge=bridgeLocal vlan-ids=3 tagged="" untagged="" current-tagged="" current-untagged="" 

 2   bridge=bridgeLocal vlan-ids=88 tagged="" untagged="" current-tagged="" current-untagged="" 

 3   bridge=bridgeLocal vlan-ids=30 tagged="" untagged="" current-tagged="" current-untagged="" 
 
 =======================================
[admin@sw3] /interface vlan> print detail 
Flags: X - disabled, R - running 
 0 R name="vlan3 - guest" mtu=1500 l2mtu=1594  arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off 
     loop-protect-send-interval=5s loop-protect-disable-time=5m vlan-id=3 interface=bridgeLocal use-service-tag=no 

 1 R name="vlan88 - admin" mtu=1500 l2mtu=1594  arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off 
     loop-protect-send-interval=5s loop-protect-disable-time=5m vlan-id=88 interface=bridgeLocal use-service-tag=no

