 
shalak

VLANs with hybrid ports, trunks and 2 different WiFi networks

Tue Apr 06, 2021 1:23 am

Hello!

I'm trying to set up two hap ac2 routers to work together:
- "router" - which is connected to the internet uplink and is the main control centre and firewall; connects to the "basement" on ether4
- "basement" - which is connected to the "router" by a trunk-hybrid port; connects to the "router" on ether1

The general idea is to have "router" produce several VLANs: "main" for all my private machines, "service" (for extra-secure hosts), "guest" and one called "not" (Network of things). The "guest" and "not" vlans each have their own 2.4GHz wifi network.

The wifi for the "main" vlan is done by an external access point, which is vlan-unaware and has a switch built in. To that switch I'll connect my home-assistant host, which needs to reach "main", the untagged vlan, and "not", which is tagged (and in consequence hidden from the external access point, albeit still switched by it).

I've managed to set up the "router" and it seems to work properly: when I'm connecting to the trunk port, my native interface obtains a proper "main" IP from DHCP, but when I add a vlan 103 interface to it, it's given a "not" IP, so that part works perfectly. Hosts connected to different vlans on this router can ping each other (i.e. host 10.0.0.53 connected via the external AP can ping 10.3.0.50 connected to the "not" wifi).

However, on the other end, in the "basement", I'm able to ping the "router" via the vlan-100 interface, but I cannot ping anything else. Seems like I messed something up in the trunk configs. The "basement" still has the factory-default IP 192.168.88.1, which I plan to remove and use 10.0.0.10 there, but I cannot use it until the VLANs are working properly (I really wish the hap ac2 had a serial console... Today I spent 15h+ on this and every couple of tries I ended up chopping the branch I was sitting on...)

Attached you'll find my "router" and "basement" configurations. I apologize for the "router" config being messy with multiple things disabled; I'm yet to clean it up once I have everything working together.
router_sensitive_hidden.rsc
basement_vlans_broken.rsc
 
anav

Re: VLANs with hybrid ports, trunks and 2 different WiFi networks

Mon Apr 12, 2021 6:05 pm

Router: (WLAN2) remove wireless entry vlan-mode=use tag and vlan identification. It should be NO tag and the default of vlan1 left there.
Router: VLANs should be associated with the Bridge when making the vlans, and not with the WLANs.
Router: One dhcp pool per subnet; you have overlapping pools and it's not clear why. Use different subnets if you need to separate users.
Router: Bridge port settings are wrong; it's for ports, NOT VLANs (wlans are wifi ports and are okay; you should have two wlans based on wifi settings).
Router: Bridge vlan settings: what is this interface untagged=wlan-not ?? It's not defined in your wireless settings for WLAN2??

AP/Switch: Cannot pvid ether1-uplink with PVID:100 in bridge port and then in bridge vlan settings have it as a tagged port for vlan100. Same with ethertrunk3!
AP/Switch: Cannot have a bridge port for ether2 with no PVID setting and then untag it in bridge vlan settings for vlan xxx.
AP/Switch: Not clear what the intentions are for wlans in this config.
 
shalak

Re: VLANs with hybrid ports, trunks and 2 different WiFi networks

Thu Apr 15, 2021 1:31 am

Thank you very much for involving yourself in my mess! :)

I will take another approach this weekend; however, I do have some questions, just to clear things up. I hope you don't mind:

> Router: (WLAN2) remove wireless entry vlan-mode=use tag and vlan identification. It should be NO tag and the default of vlan1 left there.

The wlan2 is disabled, I don't need 5GHz for those networks. Or did you mean wlan-not (and by vlan1 the vlan-not-103-wifi?) If that's the case, what about the wlan-guest?

> Router: VLANs should be associated with the Bridge when making the vlans, and not with the WLANs.

Ok, so now all the VLANs will have the "Interface" set to bridge, I will do that.

> Router: One dhcp pool per subnet; you have overlapping pools and it's not clear why. Use different subnets if you need to separate users.

The overlapping pools are defined because I wanted to use one pool for DHCP (that should start with host .50) and another pool to use for firewall settings (I'm yet to find how the firewall can use them), or in any other case when I want to refer to the whole IP pool, with non-DHCP, statically assigned hosts as well.

> Router: Bridge port settings are wrong; it's for ports, NOT VLANs (wlans are wifi ports and are okay; you should have two wlans based on wifi settings).

Ok, so I will remove all of the vlan interfaces from Bridge -> Port.

> Router: Bridge vlan settings: what is this interface untagged=wlan-not ?? It's not defined in your wireless settings for WLAN2??

The wlan-not is one of the two WiFi networks that I want to set up. It's the one that should connect only to the vlan with ID 103 (the other one being wlan-guest, which connects to the vlan with ID 101).

> AP/Switch: Cannot pvid ether1-uplink with PVID:100 in bridge port and then in bridge vlan settings have it as a tagged port for vlan100. Same with ethertrunk3!

I'm not sure what you mean. The ether1-uplink is set to PVID:100 in Bridge -> VLANs?? Where? By being "untagged". I want this connection to natively connect to the 10.0.0.0/24 network (i.e. vlan-main-100), in case I need to connect a vlan-unaware host there. What should I do here? Set PVID to 1? Won't this effectively add another VLAN to my home network configuration?

> AP/Switch: Cannot have a bridge port for ether2 with no PVID setting and then untag it in bridge vlan settings for vlan xxx.

Yeah, this is due to the biggest issue I'm having when working with this equipment. I was using ether2 to connect to the machine (via winbox), and when I messed with this, I was cutting myself off from the device itself, so I was unable to "undo" my mistake (I was forced to do too many factory resets to be brave enough :)). I hope that when I configure this whole setup properly, this won't happen. How should I set up this interface? I expect to only have the vlan with id 100 here.

> AP/Switch: Not clear what the intentions are for wlans in this config.

The intention is to produce the same two WiFis as the router. One is the guest one, with SSID "pipkarybenka", connecting to the vlan with ID 101. The other is the network-of-things one, with SSID "not", connecting to the vlan with ID 103. I want my smart devices to be in the same network no matter if they use one or the other access point.
 
anav

Re: VLANs with hybrid ports, trunks and 2 different WiFi networks

Thu Apr 15, 2021 2:25 am

Please use this as great reference!
viewtopic.php?f=23&t=143620

Your intentions are not clear, but what is clear is that you need to read the reference LOL.
Also, do not overlap subnets and pools etc.

Clearly articulate what you need users to be able to do, and there are much cleaner ways to design the config.
Create a VLAN for each segmented group.
For example, you may have three access points with different SSIDs for guests, but it's still ONE vlan (guest_vlan).
Normally this vlan would have internet access only.
In fact most vlans should have only internet access, and the exceptions are the allow rules, like access to a shared printer for example.
 
shalak

Re: VLANs with hybrid ports, trunks and 2 different WiFi networks

Thu Apr 15, 2021 11:41 am

Hi!

I did read it and I did try to follow the reference design there, but my case is quite different from the examples.

Here are the networks I want to have in my home:
- "main" vlan, with ID 100, pool 10.0.0.0/24
- "guest" vlan, with ID 101, pool 192.168.1.0/24, with SSID "pipkarybenka" being spread from both devices
- "not" vlan, with ID 103, pool 10.3.0.0/24, with SSID "not" being spread from both devices
- "service" vlan, with ID 102, pool 10.2.0.0/24

The physical ports should look like so:
- router@ether1 - uplink to the internet
- router@ether2 - untagged "main", all of the other tagged
- router@ether3 - untagged "main", nothing else
- router@ether4 - downlink to the basement, untagged "main", all of the other tagged
- router@ether5 - untagged "main", all of the other tagged
- basement@ether1 - uplink to the router
- basement@ether2 - untagged "main", nothing else
- basement@ether3 - untagged "main", all of the other tagged
- basement@ether4 - untagged "guest", nothing else
- basement@ether5 - untagged "service", nothing else

I think I will be able to make this work, with all the hints you gave me so far, but I'm lost in the WiFi part.

Would you mind checking out my previous post?
 
anav

Re: VLANs with hybrid ports, trunks and 2 different WiFi networks

Thu Apr 15, 2021 2:46 pm

Hi shalak,
I am curious as to the need for all the hybrid ports? It will help figure out the config, as it's not clear to me that you understand MT networking
(case in point: direct link between two MT devices; why is router ether4 different from basement ether1?)

For example, what are these connected to, as hybrid ports are rare and for specific uses?????
router: ether2, ether4, ether5
basement: ether3
 
shalak

Re: VLANs with hybrid ports, trunks and 2 different WiFi networks

Thu Apr 15, 2021 3:04 pm

> Hi shalak,
> I am curious as to the need for all the hybrid ports? It will help figure out the config, as it's not clear to me that you understand MT networking
> (case in point: direct link between two MT devices; why is router ether4 different from basement ether1?)
>
> For example, what are these connected to, as hybrid ports are rare and for specific uses?????
> router: ether2, ether4, ether5
> basement: ether3

Ok, so there are several reasons for the hybrid ports:
- first is basically the fallback: in case something goes bad with the router configuration, I want to be able to reach its configuration panel with a vlan-unaware host by connecting to the ether port, and it should give me access to itself via the "main" vlan
- the router@ether4 currently goes straight to the basement, but in the near future there will be a ROUTERBOARD RB750GR3 HEX in between the "router" and "basement"; the switch will take the router as an uplink, the basement as a downlink, and one of the other ports on it should have the "main" vlan (to connect a PC). I don't have the switch in my hands yet, unfortunately. Until then, I'll be manually reconnecting the cable between the PC and basement (the PC is vlan-unaware)
- the case for router@ether5 is that it's connected to a vlan-unaware access point (WiFi6-capable Asus GT-AX11000) that also has a built-in switch, to which I'll connect my Home Assistant server (which needs access to at least the "main" vlan and the "not" vlan, but more might be needed in future)
- the router@ether2 currently won't be used; it goes to the other floor. I want this to be easily configured for whatever purpose in future.
 
anav

Re: VLANs with hybrid ports, trunks and 2 different WiFi networks

Thu Apr 15, 2021 5:03 pm

Okay your reasoning is flawed.
There is no issue with management of smart devices using vlans and not having to think you need to pass untagged traffic between devices to do so.

I understand the angst if something goes wrong with the configuration.
What I do on my devices is put one port OFF the bridge, and on its own ethernet, if that rare instance occurs.
In that way I take my laptop to the router plug into that ethernet port and access the router easy peasy.
This is applicable to any MT router, and any MT router acting as a switch or any MT access point (aka any device using the bridge format) -
For straight switches and access points from other brands this does not apply.

For this particular case........ The device can only be given one stream of untagged traffic; it is not capable of reading vlans, so not quite sure what you expect???
> The case for router@ether5 is that it's connected to a vlan-unaware access point (WiFi6-capable Asus GT-AX11000), that also has built-in switch, to which I'll connect my Home Assistant server

Now it can be treated as a hybrid port, but you are assuming one thing:
a. that the switch in the Asus will pass along ALL frames fully intact to your server device. This is not guaranteed, as ethernet frames containing vlan tags are not always read and passed on by dummy devices!!!
b. Second important point is that if the switch does indeed pass that on, then you have created a huge security hole, because anyone can tap into that switch and read the vlan traffic. Not even sure there is not some trick for someone to get on the wifi network of the Asus and get into the vlan traffic from there.........

In other words, unless you have VOIP phones or a unifi controller which requires and expects hybrid traffic, you should avoid it at all costs.
For 99% of your reasons above it is not required; for the smart device you wish to attach to the AP, the quick and dirty clean way and smart way is to get a small managed switch and set up a trunk port to the router, a trunk port to the smart device and an untagged port to the access point, aka a 5 port managed smart switch.
 
shalak

Re: VLANs with hybrid ports, trunks and 2 different WiFi networks

Thu Apr 15, 2021 5:44 pm

> Okay your reasoning is flawed.
> There is no issue with management of smart devices using vlans and not having to think you need to pass untagged traffic between devices to do so.

What smart devices are you talking about? The Mikrotiks in my network? Or the actual smart-home appliances I will be connecting to the "not" wifi?

> I understand the angst if something goes wrong with the configuration.
> What I do on my devices is put one port OFF the bridge, and on its own ethernet, if that rare instance occurs.
> In that way I take my laptop to the router, plug into that ethernet port and access the router easy peasy.
> This is applicable to any MT router, and any MT router acting as a switch or any MT access point (aka any device using the bridge format).
> For straight switches and access points from other brands this does not apply.

That would mean that I have to leave one of the ports of the device unused, and they come in short supply in the hap ac2 :(

> For this particular case........ The device can only be given one stream of untagged traffic; it is not capable of reading vlans, so not quite sure what you expect???
> > The case for router@ether5 is that it's connected to a vlan-unaware access point (WiFi6-capable Asus GT-AX11000), that also has built-in switch, to which I'll connect my Home Assistant server
>
> Now it can be treated as a hybrid port, but you are assuming one thing:
> a. that the switch in the Asus will pass along ALL frames fully intact to your server device. This is not guaranteed, as ethernet frames containing vlan tags are not always read and passed on by dummy devices!!!
> b. Second important point is that if the switch does indeed pass that on, then you have created a huge security hole, because anyone can tap into that switch and read the vlan traffic. Not even sure there is not some trick for someone to get on the wifi network of the Asus and get into the vlan traffic from there.........

About "The device can only be given one stream of untagged traffic": well, I want only one vlan per physical port to be untagged; if my configuration shows something different, it's a mistake.

About point "a)": argh... I was hoping that the 802.1q encapsulation is agnostic to vlan-unaware devices, that it's encapsulated inside the "data" portion of the frame :( Well, I guess I won't know until I try this weekend.

About point "b)": tap into the switch? Well, if they have physical access, they could tap into any of the router ports that is beside the Asus, so the risk is the same. When it comes to the trick you mention: the Asus is producing the WiFi for "main", so it's the admin-level-access network of my home anyway, so it's an acceptable increase of the risk.
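An added illustration (my own Python, not code from the thread or from MikroTik) of the two points discussed above: the 802.1Q tag travels in the Ethernet header, in the position where a VLAN-unaware receiver looks for the EtherType, and any host behind a switch that forwards such frames unchanged can see every VLAN the hybrid port carries. The frames and MAC addresses are constructed; only the VLAN IDs 100, 102 and 103 are the thread's.

```python
import struct

TPID_8021Q = 0x8100      # value found in the EtherType slot of an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800  # used as a label here; payloads below are placeholder bytes


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame; with vlan_id set, insert an 802.1Q tag.

    The 4-byte tag (TPID 0x8100 + TCI) sits right after the source MAC, so a
    receiver that does not understand 802.1Q finds 0x8100 where it expects the
    EtherType: the tag is part of the header, not hidden inside the payload.
    """
    frame = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4095:
            raise ValueError("VLAN ID out of range")
        frame += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan_id)
    return frame + struct.pack("!H", ethertype) + payload


def naive_ethertype(frame):
    """What a VLAN-unaware parser reads as the EtherType: bytes 12..13."""
    return struct.unpack("!H", frame[12:14])[0]


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, ethertype, payload), tag-aware."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    ethertype, offset, vlan_id = naive_ethertype(frame), 14, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return dst, src, vlan_id, ethertype, frame[offset:]


def audit_segment(frames, allowed_tagged=frozenset()):
    """Summarise tagged traffic seen on a segment meant to carry one untagged VLAN.

    Returns {vlan_id: set of source MACs} for every tag not in allowed_tagged.
    Run over a capture taken on the far side of a VLAN-unaware switch, it shows
    whether that switch forwards the hybrid port's tagged frames, and therefore
    which VLANs any host on that segment is able to observe.
    """
    leaks = {}
    for frame in frames:
        _, src, vlan_id, _, _ = parse_frame(frame)
        if vlan_id is not None and vlan_id not in allowed_tagged:
            leaks.setdefault(vlan_id, set()).add(src)
    return leaks


# Constructed sample capture: MACs are made up; 100 = "main", 103 = "not", 102 = "service".
SAMPLE = [
    build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", ETHERTYPE_IPV4, b"main-untagged"),
    build_frame("02:00:00:00:00:02", "02:00:00:00:00:03", ETHERTYPE_IPV4, b"not-tagged", vlan_id=103),
    build_frame("02:00:00:00:00:02", "02:00:00:00:00:04", ETHERTYPE_IPV4, b"not-tagged", vlan_id=103),
    build_frame("02:00:00:00:00:02", "02:00:00:00:00:05", ETHERTYPE_IPV4, b"svc-tagged", vlan_id=102),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(parse_frame(f)[:4], "naive EtherType=0x%04x" % naive_ethertype(f))
    # Everything except the untagged "main" frame is readable by any host on the segment.
    print("tagged VLANs visible on the untagged-only segment:", audit_segment(SAMPLE))
```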
 
anav

Re: VLANs with hybrid ports, trunks and 2 different WiFi networks

Thu Apr 15, 2021 6:43 pm

To understand your config would then need a diagram to match it up against.
 
shalak

Re: VLANs with hybrid ports, trunks and 2 different WiFi networks

Thu Apr 15, 2021 7:42 pm

> To understand your config would then need a diagram to match it up against.

Here it is:

Screenshot 2021-04-15 at 18.40.18.png
 
anav

Re: VLANs with hybrid ports, trunks and 2 different WiFi networks

Thu Apr 15, 2021 7:54 pm

Assuming then
wifi-guest users should be on guest-vlan
wifi-not users should be on not-vlan
everything else is home vlan??
are there wired guest or not users??
any other groups you need to segregate??

Home users should be on home-vlan (includes wifi main), home assistant, gaming pc, media centre, one of the ether ports on the HP (there are four but no way to know what for??)
All smart devices should get an IP from the home-vlan, being the management vlan??
ASUS, home assist (assuming it's a smart device), vrrrom, basement hapac, possibly one port on the HP proliant.

The hp proliant is the unknown here in how it functions and its purpose.

Non vlan aware devices include: asus, media centre, gaming pc, hp proliant???
Vlan aware devices include: both hap acs, home assist, vrroom, hp proliant???
 
shalak

Re: VLANs with hybrid ports, trunks and 2 different WiFi networks

Thu Apr 15, 2021 8:19 pm

> Assuming then
> wifi-guest users should be on guest-vlan
> wifi-not users should be on not-vlan
> everything else is home vlan??
> are there wired guest or not users??
>
> Home users should be on home-vlan (includes wifi main), home assistant, gaming pc, media centre, one of the ether ports on the HP (there are four but no way to know what for??)
> All smart devices should get an IP from the home-vlan, being the management vlan??
> ASUS, home assist (assuming it's a smart device), vrrrom, basement hapac, possibly one port on the HP proliant.
>
> The hp proliant is the unknown here in how it functions and its purpose.

- wifi-guest users should be on guest-vlan (101)
- wifi-not users should be on not-vlan (103)
- gaming pc, media center, wifi-main users should be in main-vlan (100); they should get IPs from 10.0.0.0/24
- there are no wired "guest" or "not" users at the moment
- all smarthome devices (like vacuum cleaner, IP cameras, LED bulbs with WiFi support) should connect to "wifi-not", i.e. vlan 103 (this network will have no access to the internet, only to LAN); they should get IPs from 10.3.0.0/24
- my house guests will connect to wifi-guest, i.e. vlan 101 (this network will have only access to the internet, no LAN access), and will be getting IPs from 192.168.1.0/24
- home assistant should have access to two networks: "main" (10.0.0.0/24) and "not" (10.3.0.0/24)
- the HP Proliant server is a homelab, with various features (NAS, media-server, reverse-proxy, some hobby web projects; those on the "main" network. But there are various cases, like setting up a Factorio server for LAN parties: guests will connect to wifi-guest and the server will be able to be hosted in vlan 101). I want this machine to be able to connect to anything, but I wanted to have one "vlan-main"-only connection in case something goes bad with the network configuration. The iLO interface, being the special case, I want to keep separated for security reasons (so I'm able to whitelist in the firewall only certain machines to be able to reach it); it will be connected to the "service" vlan (102) (10.2.0.0/24)
- currently, the "main" network is the management network for all the Mikrotik devices. At this point I'm too afraid of losing access to those by using a dedicated management vlan. Once I'm fully aware and familiar with how Mikrotik devices work and how the network is operating, I will rework the Mikrotik management to be on the "service" vlan, just like the Proliant's iLO interface.

> Non vlan aware devices include: asus, media centre, gaming pc, hp proliant???
> Vlan aware devices include: both hap acs, home assist, vrroom, hp proliant???

vlan aware devices:
- both hap acs, vrroom-routerboard (I hope), home assistant, one of the interfaces of the hp proliant
vlan unaware devices:
- asus, media centre, gaming pc, 3 interfaces of the hp proliant
 
anav

Re: VLANs with hybrid ports, trunks and 2 different WiFi networks

Thu Apr 15, 2021 8:36 pm

Too funny, just figuring out now that "not" means no internet access LOL.
That's interesting; all my smart devices require access to the cloud.

Kewl so the only outlier is a direct line to the hp for vlan102.
This can easily be controlled by firewall rules as that HP connection will be given an IP address in the vlan102 subnet.
Assuming you will have a PC on the main subnet,

Forward filter rule
add action=accept chain=forward comment="admin access to HP" \
in-interface=one-bridge source-address-list=adminaccess out-interface=vlan102

/ip firewall address (assuming statically assigned addresses )
add address=ip of admin desktop list=adminaccess
add address=ip of admin laptop list=adminaccess
add address=ip of admin smartphone list=adminaccess

By the way, I use the same firewall address list in my config to allow admin access to the router on the input chain and in the forward chain to access all other vlans!
 
shalak

Re: VLANs with hybrid ports, trunks and 2 different WiFi networks

Thu Apr 15, 2021 8:57 pm

> Too funny, just figuring out now that "not" means no internet access LOL.
> That's interesting; all my smart devices require access to the cloud.

:D The "not" stands for "Network of Things" (as opposed to "Internet of Things" :P). I want to keep my smart-home completely cloud-free, hence the configuration I want to achieve. Truth be told, most devices require the cloud to fully operate; it's hard to find those offering all their features without the cloud. I was forced to buy a not-the-latest vacuum cleaner, just because the latest version did not allow custom OS modification (the Xiaomi S55 was the last one that can currently be powered by Valetudo).

> Kewl so the only outlier is a direct line to the hp for vlan102.
> This can easily be controlled by firewall rules as that HP connection will be given an IP address in the vlan102 subnet.
> Assuming you will have a PC on the main subnet,
>
> Forward filter rule
> add action=accept chain=forward comment="admin access to HP" \
> in-interface=one-bridge source-address-list=adminaccess out-interface=vlan102
>
> /ip firewall address (assuming statically assigned addresses )
> add address=ip of admin desktop list=adminaccess
> add address=ip of admin laptop list=adminaccess
> add address=ip of admin smartphone list=adminaccess
>
> By the way, I use the same firewall address list in my config to allow admin access to the router on the input chain and in the forward chain to access all other vlans!

Thank you! I will start with the firewall rules after I solve the issues I have currently. If you don't mind, can you point me in the right direction when it comes to the wifi networks? Those should be 2.4GHz-only, so I cannot use wlan2 in any of the hap acs. I assume I'll have to create a virtual wlan interface on wlan1. Then the "original" wlan1 is going to spread the wifi-guest, for vlan-101, and the virtual wlan interface will produce wifi-not, for vlan-103. How should I configure the bridge and interfaces? (I already know that all the vlans should be connected to the same bridge, and I assume I don't need more than one bridge configured in both of my mikrotiks?)
 
anav

Re: VLANs with hybrid ports, trunks and 2 different WiFi networks

Thu Apr 15, 2021 9:10 pm

Correct, one bridge per mt device is the norm.
Read through this reference.....
viewtopic.php?f=23&t=143620
 
shalak

Re: VLANs with hybrid ports, trunks and 2 different WiFi networks

Mon Apr 26, 2021 10:59 pm

> Correct, one bridge per mt device is the norm.
> Read through this reference.....
> viewtopic.php?f=23&t=143620

Hello! I managed to move forward :) Thank you very much for your help! (and for the final nudge to go through the reference post :P)

I got everything configured and almost all ports behave like I need them to. However, there's one port that still doesn't work properly. It's on the hap ac2 that works as a switch: it's ether2, running as an access port for vlan 100. The trunk ports both provide vlan 100 with no issues though (I connected a vlan-aware host and it managed to grab an IP address from DHCP on its eth0.100 interface). The ports ether4 and ether5 connect to the vlans 102 and 103, respectively.

Below is the configuration; I do not get why ether2 doesn't allow accessing vlan 100 (it has pvid 100 and is added to BR1). Here's the config, do you see what's the issue?
# jan/02/1970 01:59:52 by RouterOS 6.48.1
# software id = 6NMY-BUNR
#
# model = RBD52G-5HacD2HnD
# serial number = B4A00CA4CD3D
/interface bridge add admin-mac=48:8F:5A:27:57:EC auto-mac=no name=BR1 vlan-filtering=yes
/interface ethernet set [ find default-name=ether1 ] name=ether1-uplink-trunk
/interface ethernet set [ find default-name=ether2 ] name=ether2-main
/interface ethernet set [ find default-name=ether3 ] name=ether3-trunk
/interface ethernet set [ find default-name=ether4 ] name=ether4-service
/interface ethernet set [ find default-name=ether5 ] name=ether5-not
/interface vlan add interface=BR1 name=vlan-main-100 vlan-id=100
/interface list add name=MAIN
/interface list add name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=guest-security-profile supplicant-identity=MikroTik
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=not-security-profile supplicant-identity=MikroTik
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=main-security-profile supplicant-identity=MikroTik
/interface wireless set [ find default-name=wlan1 ] frequency=auto mode=ap-bridge security-profile=guest-security-profile ssid=guest
/interface wireless add mac-address=4A:8F:5A:27:57:F0 master-interface=wlan1 name=wlan1-not security-profile=not-security-profile ssid=not
/interface wireless set [ find default-name=wlan2 ] frequency=auto mode=ap-bridge security-profile=main-security-profile ssid="main 5GHz"
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2-main pvid=100
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4-service pvid=102
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5-not pvid=103
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=100
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=101
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1-not pvid=103
/interface bridge port add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1-uplink-trunk
/interface bridge port add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3-trunk
/ip neighbor discovery-settings set discover-interface-list=all
/ip settings set ip-forward=no
/interface bridge vlan add bridge=BR1 tagged=BR1,ether1-uplink-trunk,ether3-trunk untagged=wlan2 vlan-ids=100
/interface bridge vlan add bridge=BR1 tagged=ether1-uplink-trunk,ether3-trunk untagged=wlan1 vlan-ids=101
/interface bridge vlan add bridge=BR1 tagged=ether1-uplink-trunk,ether3-trunk vlan-ids=102
/interface bridge vlan add bridge=BR1 tagged=ether1-uplink-trunk,ether3-trunk untagged=wlan1-not vlan-ids=103
/interface list member add interface=vlan-main-100 list=MAIN
/interface list member add interface=ether1-uplink-trunk list=LAN
/interface list member add interface=ether2-main list=LAN
/interface list member add interface=ether3-trunk list=LAN
/interface list member add interface=ether4-service list=LAN
/interface list member add interface=ether5-not list=LAN
/ip address add address=10.0.0.10/24 interface=vlan-main-100 network=10.0.0.0
/ip route add distance=1 gateway=10.0.0.1
/ip service set telnet disabled=yes
/ip service set ftp address=10.0.0.0/8 disabled=yes
/ip service set www address=10.0.0.0/8
/ip service set ssh address=10.0.0.0/8
/ip service set api address=10.0.0.0/8 disabled=yes
/ip service set api-ssl address=10.0.0.0/8 disabled=yes
/system clock set time-zone-name=Europe/Warsaw
/system identity set name=basement
/system ntp client set enabled=yes server-dns-names=europe.pool.ntp.org
 
anav

Re: VLANs with hybrid ports, trunks and 2 different WiFi networks

Tue Apr 27, 2021 12:08 am

Okay I see this......

The question I have is where does vlan100 originate from...........
In other words why are you defining vlan100 here at all. I think this is the issue
/ip address add address=10.0.0.10/24 interface=vlan-main-100 network=10.0.0.0

I noted you defined vlan100 as you should all the vlans on the hapac: as being given a vlan number and with interface BR1.
I am assuming you only showed vlan100 with the proper vlan assignment as its the problem child.
I think if you get rid of that address entry, it should start working.

OTHER SMALL ITEMS.

I would change this from
/interface bridge vlan add bridge=BR1 tagged=BR1,ether1-uplink-trunk,ether3-trunk untagged=wlan2 vlan-ids=100
TO
/interface bridge vlan add bridge=BR1 tagged=BR1,ether1-uplink-trunk,ether3-trunk untagged=wlan2,eth2-main vlan-ids=100

(note: it should not be needed to add wlan2 or eth2 untagged as the bridge should do it automatically but I like to visually map to my bridge ports).


This I would probably modify to simplify
From
/interface list member add interface=vlan-main-100 list=MAIN
/interface list member add interface=ether1-uplink-trunk list=LAN
/interface list member add interface=ether2-main list=LAN
/interface list member add interface=ether3-trunk list=LAN
/interface list member add interface=ether4-service list=LAN
/interface list member add interface=ether5-not list=LAN

TO
/interface list member add interface=BR1 list=LAN
vlan-main-100 list=MAIN
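An added check (my own Python script, not RouterOS functionality and not something either poster wrote) that mechanises the bridge-port versus bridge-VLAN-table consistency points raised in this thread: a port's PVID against its tagged/untagged membership, and the "untagged=wlan2,eth2-main" mapping suggested just above. It reads the "/interface bridge port add" and "/interface bridge vlan add" lines of an export; the first sample is the bridge lines of the basement export posted earlier, the second is a constructed fragment reproducing the two earlier mistakes (a port with pvid=100 listed as tagged for vlan 100, and a port with no PVID listed as untagged).

```python
import shlex


def _kv(line, skip):
    """Turn the key=value tokens after the first `skip` words into a dict (quotes honoured)."""
    return dict(tok.split("=", 1) for tok in shlex.split(line)[skip:] if "=" in tok)


def expand_vlan_ids(spec):
    """'100' -> [100]; '100,102-103' -> [100, 102, 103] (RouterOS vlan-ids syntax)."""
    ids = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_export(text):
    """Collect bridge names, bridge ports and the bridge VLAN table from an export.

    Only '/interface bridge add', '/interface bridge port add' and
    '/interface bridge vlan add' lines are read; everything else is ignored.
    """
    bridges, ports, vlans = set(), {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/interface bridge add "):
            bridges.add(_kv(line, 3)["name"])
        elif line.startswith("/interface bridge port add "):
            kv = _kv(line, 4)
            bridges.add(kv["bridge"])
            ports[kv["interface"]] = {
                "pvid": int(kv.get("pvid", 1)),  # RouterOS default PVID is 1
                "frame_types": kv.get("frame-types", "admit-all"),
            }
        elif line.startswith("/interface bridge vlan add "):
            kv = _kv(line, 4)
            members = {
                "tagged": set(filter(None, kv.get("tagged", "").split(","))),
                "untagged": set(filter(None, kv.get("untagged", "").split(","))),
            }
            for vid in expand_vlan_ids(kv["vlan-ids"]):
                vlans[vid] = members
    return bridges, ports, vlans


def lint(bridges, ports, vlans):
    """Return (severity, interface, message) tuples for PVID / VLAN-table mismatches."""
    empty = {"tagged": set(), "untagged": set()}
    findings = []
    for name, port in sorted(ports.items()):
        pvid, ft = port["pvid"], port["frame_types"]
        access = ft == "admit-only-untagged-and-priority-tagged"
        trunk = ft == "admit-only-vlan-tagged"
        own = vlans.get(pvid, empty)
        if name in own["tagged"]:
            findings.append(("error", name,
                f"pvid={pvid} makes it an untagged member of vlan {pvid}, but it is also listed as tagged there"))
        if access and name not in own["untagged"]:
            findings.append(("info", name,
                f"access port with pvid={pvid} is not listed untagged for vlan {pvid} "
                "(the bridge adds that entry dynamically; listing it keeps the table explicit)"))
        for vid, entry in sorted(vlans.items()):
            if name in entry["untagged"] and vid != pvid:
                findings.append(("warning", name,
                    f"untagged member of vlan {vid} but pvid={pvid}: untagged ingress lands in vlan {pvid}"))
            if trunk and name in entry["untagged"]:
                findings.append(("warning", name,
                    f"admits only tagged frames yet is an untagged member of vlan {vid}"))
    known = set(ports) | bridges
    for vid, entry in sorted(vlans.items()):
        for member in sorted((entry["tagged"] | entry["untagged"]) - known):
            findings.append(("warning", member, f"listed in vlan {vid} but is not a bridge port"))
    return findings


# Bridge-related lines of the "basement" export posted in the thread (other lines dropped).
BASEMENT_EXPORT = """
/interface bridge add name=BR1 vlan-filtering=yes
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2-main pvid=100
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4-service pvid=102
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5-not pvid=103
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=100
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=101
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1-not pvid=103
/interface bridge port add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1-uplink-trunk
/interface bridge port add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3-trunk
/interface bridge vlan add bridge=BR1 tagged=BR1,ether1-uplink-trunk,ether3-trunk untagged=wlan2 vlan-ids=100
/interface bridge vlan add bridge=BR1 tagged=ether1-uplink-trunk,ether3-trunk untagged=wlan1 vlan-ids=101
/interface bridge vlan add bridge=BR1 tagged=ether1-uplink-trunk,ether3-trunk vlan-ids=102
/interface bridge vlan add bridge=BR1 tagged=ether1-uplink-trunk,ether3-trunk untagged=wlan1-not vlan-ids=103
"""

# Constructed fragment reproducing the two mistakes called out in the first basement config.
BROKEN_EXPORT = """
/interface bridge add name=BR1 vlan-filtering=yes
/interface bridge port add bridge=BR1 interface=ether1-uplink pvid=100
/interface bridge port add bridge=BR1 interface=ether2
/interface bridge vlan add bridge=BR1 tagged=BR1,ether1-uplink untagged=ether2 vlan-ids=100
"""

if __name__ == "__main__":
    for label, export in (("basement", BASEMENT_EXPORT), ("broken", BROKEN_EXPORT)):
        print(f"== {label} ==")
        for sev, iface, msg in lint(*parse_export(export)):
            print(f"[{sev}] {iface}: {msg}")
```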
 
shalak

Re: VLANs with hybrid ports, trunks and 2 different WiFi networks

Tue Apr 27, 2021 1:47 am

> Okay I see this......
As it turned out, it started to work by itself! Must've been some caching issue, maybe I was too eager to simply wait for some tables to timeout.

Oh, and I put the IP there, because I need this switch to have an IP for mgmt access.

Thank you for your tips, I really appreciate all your help!
 
anav

Re: VLANs with hybrid ports, trunks and 2 different WiFi networks

Tue Apr 27, 2021 5:00 am

> Okay I see this......
> As it turned out, it started to work by itself! Must've been some caching issue, maybe I was too eager to simply wait for some tables to timeout.
>
> Oh, and I put the IP there, because I need this switch to have an IP for mgmt access.
>
> Thank you for your tips, I really appreciate all your help!
true dat, I forgot LOL. Glad its working!!
