Savet
just joined
Topic Author
Posts: 7
Joined: Sun Feb 24, 2019 4:53 am
Location: NC

Help configuring admin vlan on cAP ac  [SOLVED]

Mon Aug 16, 2021 6:02 pm

I have a cAP AC on which I have attempted to tag VLAN traffic. It is mostly successful, and I have read all of the guides I can find, but I think I'm missing or glossing over something very basic.

My Requirements:
  • VLAN3 should be able to communicate with the switch on the tagged ether1 trunk and will get its IP from the DHCP server. (Working)
  • VLAN3 should be able to access the cAP AC admin interface through Winbox, Web, or SSH. (Not Working)
  • VLAN6 should be able to communicate with the switch on the tagged ether1 trunk and will get its IP from the DHCP server. (Working)
  • VLAN4 is out of scope for this issue.
Observations:
  • When connected to the CASSA50 virtual wireless interface, the DHCP request is passed to the switch over the VLAN and my DHCP server provides an IP. DNS, internet access, etc. all work as expected.
  • Connection fails to any IP assigned to the cAP AC when connected to CASSA50.
  • Connection fails to any IP assigned to the cAP AC from the switch or any device on the network.
  • As a test, I disabled all firewall rules. The problem persists. This leads me to believe the problem is not related to firewall rules.
I'm assuming that I'm missing something very simple in my bridge configuration. Any help you can provide is appreciated.

My config:
# aug/15/2021 09:50:55 by RouterOS 6.48.3
# software id = I321-0PC8
#
# model = RBcAPGi-5acD2nD
# serial number = E2830EE0106F
/interface bridge
add admin-mac=2C:C8:1B:B4:A6:4B auto-mac=no comment=defconf name=bridge
add fast-forward=no frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    name=bridgev pvid=6 vlan-filtering=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=Family supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name=Admin \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=Guest \
    supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto hide-ssid=yes installation=\
    indoor mode=ap-bridge security-profile=Admin ssid=CASSWAP124 \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto hide-ssid=\
    yes installation=indoor mode=ap-bridge security-profile=Admin ssid=\
    CASSWAP150 wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:B4:A6:4F \
    master-interface=wlan2 multicast-buffering=disabled name=CASSA50 \
    security-profile=Admin ssid=CASSA50 vlan-id=3 vlan-mode=use-tag \
    wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 \
    wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:B4:A6:4D \
    master-interface=wlan1 multicast-buffering=disabled name=CASSF24 \
    security-profile=Family ssid=CASSF24 vlan-id=6 vlan-mode=use-tag \
    wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 \
    wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:B4:A6:4C \
    master-interface=wlan2 multicast-buffering=disabled name=CASSF50 \
    security-profile=Family ssid=CASSF50 vlan-id=6 vlan-mode=use-tag \
    wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 \
    wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:B4:A6:4E \
    master-interface=wlan1 multicast-buffering=disabled name=CASSG24 \
    security-profile=Guest ssid=CASSG24 vlan-id=4 vlan-mode=use-tag \
    wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 \
    wps-mode=disabled
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridgev interface=ether1
add bridge=bridgev frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=CASSF50 pvid=6
add bridge=bridgev frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=CASSF24 pvid=6
add bridge=bridgev frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=CASSG24 pvid=4
add bridge=bridgev frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=CASSA50 pvid=3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridgev tagged=ether1,CASSF50,CASSF24 vlan-ids=6
add bridge=bridgev tagged=ether1,CASSG24 vlan-ids=4
add bridge=bridgev tagged=ether1,CASSA50 vlan-ids=3
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.15/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.6.15 interface=bridgev network=192.168.6.0
add address=192.168.4.15 interface=bridgev network=192.168.4.0
add address=192.168.3.15 interface=bridgev network=192.168.3.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Savet
just joined
Topic Author
Posts: 7
Joined: Sun Feb 24, 2019 4:53 am
Location: NC

Re: Help configuring admin vlan on cAP ac

Thu Aug 19, 2021 1:07 am

As a follow-up question, should I be using the original bridge for the vlan traffic? Or should I create a secondary bridge like I have done with bridgev?

Thanks in advance for any guidance you all can provide.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Help configuring admin vlan on cAP ac

Thu Aug 19, 2021 5:01 am

The capac should have its address from the vlan3 subnet.
viewtopic.php?f=23&t=143620
covers Access point setup.
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: Help configuring admin vlan on cAP ac

Thu Aug 19, 2021 2:39 pm

If you want two DHCP clients on the same device, make sure both are not set to add the default route. Also, if you are tagging traffic outbound for the management interface, this is normally done with vlan interfaces assigned to the bridge that includes ether1 (your uplink). The DHCP clients would then be assigned to the vlan interface(s).

The link anav posted could cover this though.

If this was just a simple cap config managed by an external capsman, the full config is probably around 20-30 lines.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Help configuring admin vlan on cAP ac

Thu Aug 19, 2021 3:57 pm

Here is an example of one of my capac setups.
The salient points are the following:
a. I use ether2 as an emergency access in case something screws up on the bridge and I have to be able to access the router.
Hence why ether2 is part of capwin (management access) and the winbox users list not shown.
b. home vlan is also the management vlan in my case and thus the capac has to have the bridge tagged for the home vlan (even if the home vlan didn't have any wifi outputs).
c. I prefer to show the vlan bridge filter rules for untagged ports but not mandatory.
d. I put in a route to the gateway of the home vlan, this helps ensure I can access the device from anywhere on the home network via winbox and the capac can access all the services it needs.
e. vlans are not used in the wireless part of the config
# model = RBcAPGi-5acD2nD
/interface bridge
add name=bridgegym vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=emergaccess
/interface vlan
add interface=bridgegym name=cerv49 vlan-id=29
add interface=bridgegym name=homeVlan vlan-id=19
add interface=bridgegym name=mediaVlan vlan-id=60
/interface list
add name=WAN
add name=LAN
add name=capwin
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=media_Security \
    supplicant-identity="" wpa2-pre-shared-key=xxxxxx
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=home_Security \
    supplicant-identity="" wpa-pre-shared-key=yyyyyyy wpa2-pre-shared-key=\
    yyyyyyyy
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
    group-key-update=24m mode=dynamic-keys name=Cerv_key supplicant-identity=\
    "" wpa2-pre-shared-key=zzzzzzzzz
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=\
    20/40/80mhz-Ceee country=canada disabled=no frequency=5500 mode=ap-bridge \
    name=homeWLan rate-set=configured security-profile=home_Security \
    skip-dfs-channels=all ssid=Home_Gym wireless-protocol=802.11 wmm-support=\
    enabled wps-mode=disabled
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=canada \
    disabled=no frequency=2437 mode=ap-bridge name=mediaWlan rate-set=\
    configured security-profile=media_Security skip-dfs-channels=all ssid=\
    Entertainment station-roaming=enabled supported-rates-b="" \
    wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled  \
    master-interface=mediaWlan multicast-buffering=disabled name=HVAC_WLAN \
    security-profile=Cerv_key ssid=Cerv2 wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
/interface bridge port
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged \
    interface=homeWLan pvid=19
add bridge=bridgegym interface=ether1
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged \
    interface=mediaWlan pvid=60
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=HVAC_WLAN pvid=29
/ip neighbor discovery-settings
set discover-interface-list=capwin
/interface bridge vlan
add bridge=bridgegym tagged=ether1,bridgegym untagged=homeWLan vlan-ids=19
add bridge=bridgegym tagged=ether1 untagged=mediaWlan vlan-ids=60
add bridge=bridgegym tagged=ether1 untagged=HVAC_WLAN vlan-ids=29
/interface list member
add interface=emergaccess list=LAN
add interface=bridgegym list=LAN
add interface=homeVlan list=capwin
add interface=emergaccess list=capwin
/ip address
add address=192.168.0.xx/24 interface=homeVlan network=192.168.0.0
add address=192.168.10.xx/24 interface=emergaccess network=192.168.10.0
/ip dns
set servers=192.168.0.1
/ip route
add distance=1 gateway=192.168.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=seewinbox
set api disabled=yes
set winbox address=noneofurphuckinbusiness
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Halifax
/system identity
set name=capac-gym
/system ntp client
set enabled=yes primary-ntp=192.168.0.1 secondary-ntp=192.168.0.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=capwin
 
Savet
just joined
Topic Author
Posts: 7
Joined: Sun Feb 24, 2019 4:53 am
Location: NC

Re: Help configuring admin vlan on cAP ac

Sat Aug 21, 2021 6:41 pm

Thank you all for the feedback. I'm reviewing and testing a few configurations and will reply back with follow-up questions.
 
Savet
just joined
Topic Author
Posts: 7
Joined: Sun Feb 24, 2019 4:53 am
Location: NC

Re: Help configuring admin vlan on cAP ac

Mon Aug 23, 2021 6:45 am

I've tried a number of configurations following the suggestions provided, and have made the following observations and related questions:

1. No configuration that I have tried will provide ssh, web, or winbox access to the IP addresses allocated to the AP
2. When moving the interfaces to the default bridge named "bridge" the VLAN traffic still works as expected but both vlan6 and vlan3 have access to the admin tools.
3. There does not seem to be a way to allow two bridges to have access to port ether1.

At this point, I could use the configuration and start looking at firewall rules to control traffic to the admin tools. But I really want to understand the behavior and limitations that I am seeing.

1. What is it specifically that is denying bridgev access to the IPs allocated to the AP?
2. Similarly, what is it specifically that lets bridge access the AP IP addresses?
3. Is there any configuration that I can change which will allow me to refine access to the admin tools without adding firewall settings?
4. The /tool mac-server settings don't seem to control access to the admin tools. What does this setting actually control or restrict?


/interface bridge
add admin-mac=2C:C8:1B:71:BA:A4 auto-mac=no comment=defconf name=bridge
add fast-forward=no frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    name=bridgev pvid=6 vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan3 vlan-id=3
add interface=bridge name=vlan6 vlan-id=6
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Admin
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=Family supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name=Admin \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=Guest \
    supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge security-profile=Admin ssid=CASSWAP224 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto hide-ssid=\
    yes installation=indoor mode=ap-bridge security-profile=Admin ssid=\
    CASSWAP250 wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:71:BA:A6 \
    master-interface=wlan2 multicast-buffering=disabled name=CASSA50 \
    security-profile=Admin ssid=CASSA50t vlan-id=3 vlan-mode=use-tag \
    wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 \
    wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:71:BA:A5 \
    master-interface=wlan1 multicast-buffering=disabled name=CASSF24 \
    security-profile=Family ssid=CASSF24t vlan-id=6 vlan-mode=use-tag \
    wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 \
    wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:71:BA:A7 \
    master-interface=wlan2 multicast-buffering=disabled name=CASSF50 \
    security-profile=Family ssid=CASSF50t vlan-id=6 vlan-mode=use-tag \
    wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 \
    wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:71:BA:A8 \
    master-interface=wlan1 multicast-buffering=disabled name=CASSG24 \
    security-profile=Guest ssid=CASSG24t vlan-id=4 vlan-mode=use-tag \
    wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 \
    wps-mode=disabled
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether1
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=CASSF50 pvid=6
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=CASSF24 pvid=6
add bridge=bridgev frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=CASSG24 pvid=4
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=CASSA50 pvid=3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=ether1,CASSF50,CASSF24 vlan-ids=6
add bridge=bridgev tagged=ether1,CASSG24 vlan-ids=4
add bridge=bridge tagged=ether1,CASSA50 vlan-ids=3
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridgev list=LAN
add interface=vlan3 list=LAN
add interface=vlan3 list=Admin
/ip address
add address=192.168.88.16/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.6.16 interface=bridgev network=192.168.6.0
add address=192.168.4.16 interface=bridgev network=192.168.4.0
add address=192.168.3.16/24 interface=vlan3 network=192.168.3.0
/ip dhcp-client
add comment=defconf disabled=no interface=vlan3
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=Admin
/tool mac-server mac-winbox
set allowed-interface-list=Admin
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Help configuring admin vlan on cAP ac

Mon Aug 23, 2021 1:48 pm

Your problem is at the top
FIRST you only need one bridge!!
SECOND
/interface bridge
add admin-mac=2C:C8:1B:71:BA:A4 auto-mac=no comment=defconf name=bridge {is this your bridge}
add fast-forward=no frame-types=admit-only-vlan-tagged ingress-filtering=yes \ {or is this your bridge?}
name=bridgev pvid=6 vlan-filtering=yes

The only thing one should do on the bridge itself is check the box, vlan filtering YES once the config is complete.
The vlan default pvid of 1 should be left alone (frame type default is admit all and ingress filtering box NOT checked).

You clearly did not read the link provided!!

The only address that should be in IP address is the IP address of the AP on the management vlan.


There is no need for firewall rules

You don't put vlans in the security profile.............

There is no need for dhcp server! or IP pool! or ip dhcp server network

This is also not correct.........
WLANs are like access ports on MT devices and thus require PVID= as a minimum, and for access ports frame-type is priority and untagged only, ingress filtering can be applied.
Therefore WLAN1 and WLAN2 are not complete.
The rest of the WLANS have the wrong frame type selected.

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2

add bridge=bridge interface=ether1
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=CASSF50 pvid=6
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=CASSF24 pvid=6
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=CASSG24 pvid=4
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=CASSA50 pvid=3

What is also amusing is you have three VLANS selected in bridge ports 3,4,6 but VLAN four is not defined ???

Bridge vlan filtering is incorrect.
/interface bridge vlan
add bridge=bridge tagged=ether1,CASSF50,CASSF24 vlan-ids=6
add bridge=bridge tagged=ether1,CASSG24 vlan-ids=4
add bridge=bridge tagged=ether1,CASSA50 vlan-ids=3


This is closer to what it should be could be.....
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=wlan1,wlan2,CASSA50 vlan-ids=3
add bridge=bridge tagged=ether1 untagged=CASSG24 vlan-ids=4
add bridge=bridge tagged=ether1 untagged=CASSF24,CASSF50 vlan-ids=6

The bridge is tagged for vlan3 as that is the management vlan.
 
Savet
just joined
Topic Author
Posts: 7
Joined: Sun Feb 24, 2019 4:53 am
Location: NC

Re: Help configuring admin vlan on cAP ac

Mon Aug 23, 2021 7:01 pm

anav, thank you for your detailed reply. I did read the link provided a few times but networking is not my strongest area and some of the concepts as implemented on Mikrotik devices are beyond my understanding. I'm trying to fix that.

Thank you for the clarification on bridges. If I understand correctly, you are saying that the admin-mac=2C:C8:1B:71:BA:A in "bridge" is what is granting the admin access? Since this bridge was created in the default configuration, and was not specified in the bridge I created, it makes sense why bridgev was missing admin access.

I left the dhcp server on wlan1 and wlan2 as a way to connect to the device while I worked on the vlans. I could not remove it until I got my configuration working as expected, or I would lose access to the device and have to start over.

vlan4 was left out of scope for this discussion and was mentioned in the original post. I should have completely removed it from the configuration. I'm sorry for creating any confusion.

I will continue cleaning up my configuration and will review and test your suggestions for the bridge port and vlan configurations and reply with specific questions. Thank you again for taking the time to break things down for me. I know that I am missing some fundamental understandings and I really appreciate your help.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Help configuring admin vlan on cAP ac

Mon Aug 23, 2021 7:18 pm

Hi Savet, I rarely config the capac in place, normally from my desktop or a smart switch connected to my desktop so I can switch the capac easily from:

access port on management lan while initially configuring it
TO
trunk port on ether1 simulating its deployed state, aka a trunk port on the managed switch next to my desktop.

Alternatively, you can set up the capac using ether2.
Just ensure ether2 is NOT on the bridge.
Assign an IP address such as 192.168.66.2 to ether2,
then give your computer an IP of 192.168.66.5 and you should be able to winbox in.
Also ensure that ether2 is part of the LAN interface list and the management interface list if you have it.
Also, the winbox service address, if you define it, includes 192.168.66.0/24.

EXAMPLE
# model = RBcAPGi-5acD2nD
/interface ethernet
set [ find default-name=ether2 ] name=emergaccess
/interface bridge
add name=bridgegym vlan-filtering=yes

/interface list
add name=WAN
add name=LAN
add name=mgmt

/ip neighbor discovery-settings
set discover-interface-list=mgmt

/interface list member
add interface=bridgegym list=LAN
add interface=emergaccess list=LAN
add interface=homeVlan list=mgmt
add interface=emergaccess list=mgmt
/ip address
add address=192.168.x.yy/24 interface=homeVlan network=192.168.x.0
add address=192.168.66.2/24 interface=emergaccess network=192.168.66.0

/ip route
add distance=1 gateway=192.168.x.1
/ip service
set winbox address=192.168.x.0/24,192.168.66.0/24 port=yyy
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=mgmt
 
Savet
just joined
Topic Author
Posts: 7
Joined: Sun Feb 24, 2019 4:53 am
Location: NC

Re: Help configuring admin vlan on cAP ac

Wed Aug 25, 2021 1:32 am

anav, thanks. I think I finally have an understanding of the behavior that I'm seeing. It seems obvious in hindsight but the ether2 configuration as an emergency access makes a lot of sense and actually helped me work through an issue. I'm attaching a configuration with an intentionally bad configuration to ask a question and hopefully help refine my understanding.

When I started configuring the device, I started with this document: https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless

It was this document that caused me to initially tag the wireless interfaces, and it was those tags that led me to implement the admit-only-vlan-tagged frame type, because it just worked as it was enabled from start to finish. So, with that being said, in the below configuration I have configured CASSF50 and CASSF24 without tagging, and I have implemented CASSA50 with tagging. I've configured each of them in each configuration and the behaviour seems to be the same. From other non-Mikrotik devices that I have configured, the standard is that access points are not tagged, and it would make sense that Mikrotik would follow this pattern. But I am confused why tagging the wireless interfaces actually works. Is there any situation where I would want the wireless interface to be tagged? Is there any performance impact to one configuration vs. the other? I will change the CASSA50 configuration to standardize on the non-tagged wireless interface; I just want to understand why this actually works and if there's a situation where I would want this design.

I have not done much configuration on the physical wlan1 and wlan2 interfaces because I don't actually want people connecting to them.
I've left the dhcp client because it sets route and dns information and I haven't gotten to the point of manually configuring that yet within the device.
/interface bridge
add admin-mac=2C:C8:1B:71:BA:A4 auto-mac=no comment=defconf frame-types=admit-only-vlan-tagged name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=emergaccess
/interface vlan
add interface=bridge name=vlan3 vlan-id=3
add interface=bridge name=vlan6 vlan-id=6
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=Family \
    supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name=Admin supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=Guest supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=\
    auto hide-ssid=yes installation=indoor mode=ap-bridge security-profile=Admin ssid=CASSWAP224 \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors \
    frequency=auto hide-ssid=yes installation=indoor mode=ap-bridge security-profile=Admin ssid=CASSWAP250 \
    wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:71:BA:A6 master-interface=wlan2 \
    multicast-buffering=disabled name=CASSA50 security-profile=Admin ssid=CASSA50t vlan-id=3 vlan-mode=use-tag \
    wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:71:BA:A5 master-interface=wlan1 \
    multicast-buffering=disabled name=CASSF24 security-profile=Family ssid=CASSF24t vlan-id=6 wds-cost-range=\
    0-4294967295 wds-default-bridge=bridge wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:71:BA:A7 master-interface=wlan2 \
    multicast-buffering=disabled name=CASSF50 security-profile=Family ssid=CASSF50t vlan-id=6 wds-cost-range=\
    0-4294967295 wds-default-bridge=bridge wds-default-cost=0 wps-mode=disabled
/interface bridge port
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=CASSF50 \
    pvid=6
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=CASSF24 \
    pvid=6
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=CASSA50 pvid=3
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=CASSF24,CASSF50 vlan-ids=6
add bridge=bridge tagged=ether1,bridge,CASSA50 vlan-ids=3
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan3 list=LAN
add interface=vlan3 list=MGMT
add interface=emergaccess list=LAN
add interface=emergaccess list=MGMT
/ip address
add address=192.168.3.16/24 interface=vlan3 network=192.168.3.0
add address=192.168.66.2 interface=emergaccess network=192.168.66.0
/ip dhcp-client
add comment=defconf disabled=no interface=vlan3
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.3.0/24
set ssh address=192.168.3.0/24
set api disabled=yes
set winbox address=192.168.3.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=America/New_York
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
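The tagged-versus-untagged wireless question above, and the earlier "cannot reach the admin IP from VLAN3" problem, both come down to whether the bridge VLAN table, the bridge port filters and the wireless vlan-mode agree with each other. The script below is an added example (not MikroTik code and not the poster's own) that parses the `add` rows of a RouterOS export and checks exactly those relationships: a `/interface vlan` on the bridge only receives traffic if `bridge` is a tagged member of that VLAN; a virtual AP with `vlan-mode=use-tag` inserts the tag itself, so its bridge port must accept tagged frames and be a tagged member; a virtual AP without `use-tag` delivers untagged frames, so its port's `pvid` has to do the job. The sample export is a trimmed copy of the configuration posted above; `BROKEN_EXPORT` is a constructed variant with `bridge` removed from VLAN 3's tagged list, the shape of the original symptom.

```python
"""Sanity-check the bridge VLAN table of a RouterOS export (added example)."""
import shlex
from collections import defaultdict

# Constructed sample: the relevant sections of the export posted above, trimmed.
SAMPLE_EXPORT = r"""
/interface bridge
add admin-mac=2C:C8:1B:71:BA:A4 auto-mac=no comment=defconf frame-types=admit-only-vlan-tagged name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan3 vlan-id=3
add interface=bridge name=vlan6 vlan-id=6
/interface wireless
add disabled=no master-interface=wlan2 name=CASSA50 security-profile=Admin ssid=CASSA50t vlan-id=3 \
    vlan-mode=use-tag
add disabled=no master-interface=wlan1 name=CASSF24 security-profile=Family ssid=CASSF24t vlan-id=6
add disabled=no master-interface=wlan2 name=CASSF50 security-profile=Family ssid=CASSF50t vlan-id=6
/interface bridge port
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=CASSF50 \
    pvid=6
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=CASSF24 \
    pvid=6
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=CASSA50 pvid=3
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=CASSF24,CASSF50 vlan-ids=6
add bridge=bridge tagged=ether1,bridge,CASSA50 vlan-ids=3
"""

# Constructed variant: the bridge (CPU port) left out of VLAN 3's tagged list,
# which is what makes an address on vlan3 unreachable from that VLAN.
BROKEN_EXPORT = SAMPLE_EXPORT.replace("tagged=ether1,bridge,CASSA50", "tagged=ether1,CASSA50")


def parse_export(text):
    """Return {section: [ {key: value}, ... ]} for every `add` command.

    Export lines ending in a backslash continue on the next (indented) line.
    `set` commands are skipped; the checks only need `add` rows.  VLAN ranges
    such as vlan-ids=10-20 are kept as literal strings.
    """
    sections = defaultdict(list)
    section, pending = None, ""
    for raw in text.splitlines():
        piece = raw.strip()
        if piece.endswith("\\"):
            pending += piece[:-1]          # keep the trailing space before '\'
            continue
        line, pending = pending + piece, ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)         # honours quoted values like comment="a b"
        if tokens[0] != "add":
            continue
        row = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            row[key] = value
        sections[section].append(row)
    return sections


def _members(row, key):
    return {m for m in row.get(key, "").split(",") if m}


def check_bridge_vlans(sections):
    """Return a list of (severity, message) findings; an empty list means consistent."""
    findings = []
    ports = {p["interface"]: p for p in sections["/interface bridge port"]}
    membership = {}
    for row in sections["/interface bridge vlan"]:
        for vid in row["vlan-ids"].split(","):
            m = membership.setdefault(vid, {"tagged": set(), "untagged": set()})
            m["tagged"] |= _members(row, "tagged")
            m["untagged"] |= _members(row, "untagged")
    tagged = lambda vid: membership.get(vid, {}).get("tagged", set())
    untagged = lambda vid: membership.get(vid, {}).get("untagged", set())

    # 1. A VLAN interface on the bridge is the CPU's way into that VLAN; it only
    #    sees frames if "bridge" itself is a tagged member of the VLAN.
    for v in sections["/interface vlan"]:
        if v.get("interface") == "bridge" and "bridge" not in tagged(v["vlan-id"]):
            findings.append(("FAIL", f"{v['name']}: bridge is not a tagged member of vlan-ids="
                                     f"{v['vlan-id']}, so the CPU never receives that VLAN"))

    # 2. Virtual APs: with vlan-mode=use-tag the wireless driver tags frames and
    #    the port must behave like a trunk; without it the port pvid assigns the VLAN.
    for w in sections["/interface wireless"]:
        name, port = w.get("name"), ports.get(w.get("name"))
        if port is None:
            continue                       # not a bridge port, nothing to check
        ftypes = port.get("frame-types", "admit-all")
        if w.get("vlan-mode") == "use-tag":
            vid = w["vlan-id"]
            if name not in tagged(vid):
                findings.append(("FAIL", f"{name}: tags VLAN {vid} itself but is not a tagged member of it"))
            if ftypes == "admit-only-untagged-and-priority-tagged":
                findings.append(("FAIL", f"{name}: sends tagged frames into a port that drops tagged frames"))
        else:
            pvid = port.get("pvid", "1")
            if ftypes == "admit-only-vlan-tagged":
                findings.append(("FAIL", f"{name}: clients send untagged frames but the port admits only tagged ones"))
            elif name not in untagged(pvid):
                findings.append(("WARN", f"{name}: pvid {pvid} has no explicit untagged entry in the VLAN table"))

    # 3. Port ingress filters must agree with the VLAN table for every port.
    for vid, m in membership.items():
        for p in m["untagged"]:
            if ports.get(p, {}).get("frame-types") == "admit-only-vlan-tagged":
                findings.append(("WARN", f"{p}: untagged in VLAN {vid} but admits only tagged frames"))
        for p in m["tagged"] - {"bridge"}:
            if ports.get(p, {}).get("frame-types") == "admit-only-untagged-and-priority-tagged":
                findings.append(("WARN", f"{p}: tagged in VLAN {vid} but admits only untagged frames"))
    return findings


if __name__ == "__main__":
    for label, export in (("posted config", SAMPLE_EXPORT), ("bridge missing from VLAN 3", BROKEN_EXPORT)):
        print(f"== {label}")
        for sev, msg in check_bridge_vlans(parse_export(export)) or [("OK", "no findings")]:
            print(f"  {sev}: {msg}")
```

Run against the posted configuration the only finding is that `vlan6` sits on the bridge without `bridge` being a tagged member of VLAN 6; that is harmless while the router has no address on vlan6, but it is the same mistake that blocked admin access on VLAN 3 earlier in the thread, and the `BROKEN_EXPORT` variant reproduces that case. The tagged CASSA50 port passes because both halves agree (wireless tags, port admits only tagged frames, VLAN 3 lists it as tagged), which is why that layout worked even though it is not the usual access-port pattern.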
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help configuring admin vlan on cAP ac

Wed Aug 25, 2021 3:53 am

Throw that ref out the window and stick to the one that I provided.
No point in discussing a config that's intentionally bad or deviates from the provided reference or my input.

Try a new config that conforms to the above info.
When it's up and running and working and you have aside other questions we can entertain them at that time.
This other approach is just wasting time.
 
Savet
just joined
Topic Author
Posts: 7
Joined: Sun Feb 24, 2019 4:53 am
Location: NC

Re: Help configuring admin vlan on cAP ac

Wed Aug 25, 2021 4:53 am

I can appreciate that you have a preferred way of configuring a network and that you believe it is the correct way. I'm asking questions to help me understand why something is the best way, but I recognize that your help has been free of charge, so if I've reached the end of what you are willing to discuss from a best practices or theoretical perspective, I'll thank you for your help getting me to a working configuration and helping me understand why my prior configurations weren't working in the way that I desired. Thank you for your help!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help configuring admin vlan on cAP ac

Wed Aug 25, 2021 11:16 am

My concern first and foremost is to get you up and running, and after that to help you understand.
Usually my explanations include some learning bits during that process.
If you have specific questions please go ahead and ask them clearly, but since my knowledge is limited I may not be able to answer why things don't work... Others much smarter than me would be able to answer them, so don't hold back on account of me. :-)
