shtrom
just joined
Topic Author
Posts: 12
Joined: Wed Aug 18, 2021 4:16 pm

VLANs on hAP ac^3 + managed switch

Wed Aug 25, 2021 7:47 am

Hi all,

First-time MikroTik user here, trying to set up a few VLANs between a (RouterOS) hAP ac^3 (wired and wireless), and a (non-MT) managed switch.

I have got the switch configured OK, and some traffic is exchanged with the hAP, but I am seeing two problems:
* the switch on the hAP doesn't seem to honour the PVIDs I gave it;
* when I set the switch mode to secure (or enable VLAN filtering on the bridge), all connections from the switch drop.

I've tried Bridge VLAN Filtering, with and without hardware offloading, then realised that I should use the switch chip, but still had no success, and pretty much the same outcome.

The hAP ac^3 has an Atheros 8327, which should support hardware VLAN switching [0].

# Objective

I want a few VLANs (management, trusted, untrusted, work, ...) distributed over the router's ethernet interfaces and wireless networks (all as access), and a separate switch (connected via a trunk to the router, and all other ports as access).
```
             ┌────────────────────── trunk, vlan 1, 2, 3, 10, 20
             │
       isp   │    ┌───┬───────────── access, vlan 10
             │    │   │
        │    │    │   │    ┌──────── access, vlan 1 (management)
        │    │    │   │    │
        │    │    │   │    │
    ┌───┼────▼────▼───▼────▼──────┐
    │   │  ether2 3   4    5      │ vlan 3 and 20 also on dedicated
    │ ┌─┼──┬────┬────┬────┬────┐  │ Wi-Fi networks served by the hAP,
    │ │ │  │    │    │    │    │  │ say, wl-3 and wl-20
    │ │    │  │ │  │ │    │    │  │
    │ └────┴──┼─┴──┼─┴────┴────┘  │
    │ ether1  │    │              │
    └─────────┼────┼──────────────┘
              │    │
              │    │          ┌────────────────────────── vlan 20
              │    │          │
              │  ┌─┴─┐        │    ┌───────────────────── vlan 10
              │  │ A │        │    │
              │  └───┘        │    │    ┌──────────────── vlan 3
              │               │    │    │
              │               │    │    │
              │               │    │    │         ┌────── vlan 2
              │               │    │    │         │
              │               │    │    │         │
         ┌────┼───────────────▼────▼────▼─────────▼────┐
         │    │    if2  if3  if4  if5  if6  if7  if8   │
         │  ┌─┼──┬────┬────┬────┬────┬────┬────┬────┐  │
         │  │ │  │    │    │    │    │    │    │    │  │
         │  │ │  │    │    │  │ │  │ │  │ │    │    │  │
         │  │    │    │    │  │ │  │ │  │ │    │    │  │
         │  └────┴────┴────┴──┼─┴──┼─┴──┼─┴────┴────┘  │
         │   if1              │    │    │              │
         └────────────────────┼────┼────┼──────────────┘
                              │    │    │
                              │    │    │
              ┌───┐           │    │    │             ┌───┐
              │ B ├───────────┘    │    └─────────────┤ D │
              └───┘                │                  └───┘
                                   │
                                   │
                                   │
                                   │
                                 ┌─┴─┐
                                 │ C │
                                 └───┘
```

# Current state

* VLANs are created on the router, each with one DHCP server and a dedicated IP range
* The original `dhcp` server for 192.168.88.0/24 is still on on the `bridge1` interface, for management access and not to lock myself out just yet, but will eventually need to go
* I haven't gotten to dealing with Wi-Fi yet, so Wi-Fi is (mercifully) still served by the `bridge1` DHCP server

* Good: The trunk and access ports on the switch seem to work, and devices connected there (B, C, D) get IP addresses from the DHCP server on their dedicated VLAN
* Bad: The device connected directly to ether3 on the router (A) gets an IP address from the default DHCP server (192.168.88.0/24), rather than from VLAN 10 as expected
* Bad: setting the switch port to any `vlan-mode` but `disabled` ends up dropping all traffic, including from the switch, regardless of the `vlan-header` (be it `leave-as-is`, as recommended for the Ath8327 [3], or any other value)

# Already read

* viewtopic.php?t=143620
* viewtopic.php?t=172178
* https://www.youtube.com/watch?v=Rj9aPoyZOPo
* https://www.reddit.com/r/mikrotik/comme ... &context=3
* https://wiki.mikrotik.com/wiki/Manual:B ... _switching

# Already tried

1. I first went with the Bridge VLAN filtering [1], and all seems to work with tagged traffic from the switch. Device A on ether3 was however not getting an IP address from the expected DHCP server for that VLAN. I then turned on `vlan-filtering=yes`. Oddly enough, on doing this, the VLAN table started showing `current-tagged` and `current-untagged` with the VLANs served by the switch, as expected. But a few minutes later, all traffic had died, devices behind the switch did not have internet access, and the “current” entries in the VLAN table were empty.
2. I tried disabling hardware off-loading on the bridge, to no avail (same outcome)
3. I realised I should use the switch chip rather than the bridge VLAN filtering, so I disabled the bridge entries, and followed the example for trunk/access with a switch chip instead [3]. The outcome was identical: traffic tagged from the switch as expected, but something fishy for ether3, and as soon as I set `vlan-mode` to `secure` on the `ether` interfaces, traffic stops flowing, even from the switch.

# What now?

I'm at wits' end, so here I am. I'm not sure what might be amiss, nor how to debug this further. I have tried to use the packet sniffer in the tools, to look at the traffic, but while it can show some packets, most of the metadata is empty apart from protocol, which is most often 4 or “2048 (ip)” (so, 802.1q EtherType for ipv4).

A couple of thoughts, but not sure if that might be linked:
* The original `dhcp` server on `bridge1` might have been racing with the one on the vlan serving ether3 and 4. I disabled it, but device A then did not get any IP address.
* `bridge1` includes the Wi-Fi networks, too, could this be messing up the switch filtering?
* `/export hide-sensitive file=2021-08-25.rsc`:

```
# aug/25/2021 14:35:26 by RouterOS 6.48.3
# software id = V30H-QYIG
#
# model = RBD53iG-5HacD2HnD
/interface bridge
add admin-mac=2C:C8:1B:BB:2D:8F auto-mac=no comment="CPU port" name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge name=wl-3-2g ssid=MikroTik-BB2D93 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=australia disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge name=wl-3-5g ssid=\
    MikroTik-BB2D94 wireless-protocol=802.11 wps-mode=disabled
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=XXX
/interface vlan
add interface=bridge1 name=vl-dmz vlan-id=2
add interface=bridge1 name=vl-management vlan-id=1
add interface=bridge1 name=vl-trusted vlan-id=3
add interface=bridge1 name=vl-untrusted vlan-id=10
add interface=bridge1 name=vl-work vlan-id=20
/interface wireless
add disabled=no hide-ssid=yes mac-address=2E:C8:1B:BB:2D:96 master-interface=\
    wl-3-5g name=wl-iot-5g ssid=wl-10 vlan-id=10 wps-mode=disabled
/interface ethernet switch port
set 2 default-vlan-id=10
set 3 default-vlan-id=10
set 4 default-vlan-id=1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=iot supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=2E:C8:1B:BB:2D:93 master-interface=wl-3-2g \
    name=wl-guest-2g security-profile=guest ssid=guest vlan-id=10 \
    wps-mode=disabled
add disabled=no mac-address=2E:C8:1B:BB:2D:94 master-interface=wl-3-5g \
    name=wl-guest-5g security-profile=guest ssid=guest vlan-id=10 \
    wps-mode=disabled
add disabled=no hide-ssid=yes mac-address=2E:C8:1B:BB:2D:95 master-interface=\
    wl-3-2g name=wl-iot-2g security-profile=iot ssid=10 vlan-id=10 \
    wps-mode=disabled
/ip pool
add comment=defconf name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dp-management ranges=192.168.1.10-192.168.1.254
add name=dp-dmz ranges=192.168.2.10-192.168.2.254
add name=dp-trusted ranges=192.168.3.10-192.168.3.254
add name=dp-untrusted ranges=192.168.10.10-192.168.10.254
add name=dp-work ranges=192.168.20.10-192.168.20.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp
add address-pool=dp-dmz disabled=no interface=vl-dmz  name=dh-dmz
add address-pool=dp-trusted disabled=no interface=vl-trusted  name=dh-trusted
add address-pool=dp-untrusted disabled=no interface=vl-untrusted name=dh-untrusted
add address-pool=dp-work disabled=no interface=vl-work  name=dh-work
add address-pool=dp-management disabled=no interface=vl-management name=dh-management
/user group
add name=admin policy="local,ssh,reboot,read,write,policy,password,web,sniff,s\
    ensitive,api,!telnet,!ftp,!test,!winbox,!romon,!dude,!tikapp"
/interface bridge port
add bridge=bridge1 comment=defconf interface=wl-3-2g
add bridge=bridge1 comment=defconf interface=wl-3-5g
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set accept-router-advertisements=yes
/interface bridge vlan
add bridge=bridge1 comment="1 tagged ether2 untagged ether5" disabled=yes \
    tagged=ether2 untagged=ether5 vlan-ids=1
add bridge=bridge1 comment="2 tagged ether2" disabled=yes tagged=ether2 \
    vlan-ids=2
add bridge=bridge1 comment="3 tagged ether2 untag 3-2g" disabled=yes \
    tagged=ether2 untagged=wl-3-2g vlan-ids=3
add bridge=bridge1 comment="10 tagged ether2 untagged 3,4" disabled=yes \
    tagged=ether2 untagged=ether3,ether4 vlan-ids=10
add bridge=bridge1 comment="20 tagged ether2" disabled=yes tagged=ether2 \
    vlan-ids=20
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,ether2,ether5 switch=switch1 \
    vlan-id=1
add independent-learning=yes ports=ether2 switch=switch1 vlan-id=2
add independent-learning=yes ports=ether2 switch=switch1 vlan-id=3
add independent-learning=yes ports=ether2,ether3,ether4 switch=switch1 \
    vlan-id=10
add independent-learning=yes ports=ether2 switch=switch1 vlan-id=20
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge1 network=\
    192.168.88.0
add address=192.168.2.1/24 interface=vl-dmz network=192.168.2.0
add address=192.168.1.1/24 interface=vl-management network=192.168.1.0
add address=192.168.3.1/24 interface=vl-trusted network=192.168.3.0
add address=192.168.10.1/24 interface=vl-untrusted network=192.168.10.0
add address=192.168.20.1/24 interface=vl-work network=192.168.20.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 next-server=\
    192.168.88.1 ntp-server=192.168.88.1
add address=192.168.1.0/24 gateway=192.168.1.1 next-server=192.168.1.1 \
    ntp-server=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1 next-server=192.168.2.1 \
    ntp-server=192.168.2.1
add address=192.168.3.0/24 gateway=192.168.3.1 next-server=192.168.3.1 \
    ntp-server=192.168.3.1
add address=192.168.10.0/24 gateway=192.168.10.1 next-server=192.168.10.1 \
    ntp-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 next-server=192.168.20.1 \
    ntp-server=192.168.20.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set winbox disabled=yes
/ipv6 address
add address=::1 comment="change to vl-management" from-pool=isp interface=\
    bridge1
add address=::1 from-pool=isp interface=vl-management
add from-pool=isp interface=vl-dmz
add from-pool=isp interface=vl-trusted
add from-pool=isp interface=vl-untrusted
add from-pool=isp interface=vl-work
/ipv6 dhcp-client
add interface=pppoe-out1 pool-name=isp request=prefix
/ipv6 firewall filter
add action=accept chain=forward comment="forward related,established in" \
    connection-state=established,related in-interface-list=WAN \
    out-interface-list=LAN
add action=drop chain=forward comment="forward nothing else in" \
    in-interface-list=WAN
/system identity
set name=hapac3
/system leds
set 0 interface=ether1 leds=led1 type=interface-activity
set 1 leds=poe-led type=poe-fault
set 2 interface=vl-management leds=led2
set 3 interface=vl-dmz leds=led3
set 4 interface=vl-trusted leds=led4
add interface=vl-untrusted leds=led5 type=interface-activity
/system ntp client
set enabled=yes mode=broadcast
/system ntp server
set enabled=yes
/tool graphing interface
add
/tool graphing resource
add allow-address=127.0.0.1/32
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether3
```

What am I doing wrong?

# References

[0] https://help.mikrotik.com/docs/display/ ... troduction
[1] https://help.mikrotik.com/docs/display/ ... ccessPorts
[2] https://help.mikrotik.com/docs/display/ ... sportsetup
[3] https://help.mikrotik.com/docs/display/ ... cessPorts)
Last edited by shtrom on Wed Aug 25, 2021 4:34 pm, edited 1 time in total.

anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANs on hAP ac^3 + managed switch

Wed Aug 25, 2021 4:10 pm

Use this reference it works, regardless of switch chips.......
viewtopic.php?f=23&t=143620

The following is relevant for the document above!
One issue is your use of vlan1, DONT.
if you need a management vlan use 99 or 66 for example.
Vlan1 is reserved as a default vlan for the bridge itself.
Also we dont assign vlans within wifi settings, WLANs are related to bridge ports settings and bridge vlan settings and thusly associated with specific vlans.

IF you want to use switch chip settings this is the reference I provide..........
https://www.youtube.com/watch?v=Rj9aPoyZOPo
 
shtrom
just joined
Topic Author
Posts: 12
Joined: Wed Aug 18, 2021 4:16 pm

Re: VLANs on hAP ac^3 + managed switch

Wed Aug 25, 2021 4:43 pm

I've already seen those two references. My last attempt was, as far as I can tell, matching pretty much exactly the description in the video.

I'll give a second go to the first link, now that I'm more familiar with some of the concepts.

All this said, I'm hopeful using VLAN1 is the issue. I had seen a few mentions of this before, but also some conflicting information that it was just fine, so wasn't sure what to trust.

Thanks!

anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANs on hAP ac^3 + managed switch

Wed Aug 25, 2021 5:00 pm

No worries, I can get you up and running on the non-switch method with little fuss.
 
shtrom
just joined
Topic Author
Posts: 12
Joined: Wed Aug 18, 2021 4:16 pm

Re: VLANs on hAP ac^3 + managed switch  [SOLVED]

Thu Aug 26, 2021 4:05 pm

Ok, so I did a bit of deleting, and went back to viewtopic.php?t=143620. I did a combination of the RoaS and Router-Switch-AP, but they are all pretty similar. Unfortunately, I'm still seeing the same issue as before: the device on ether3 is not in the right VLAN, and everything drops when I enable `vlan-filtering` on the bridge. [spoiler alert: things changed before I finished writing this post]

Switch config is empty, and bridge config should match my requirements.
```
[admin@hapac3] > /interface ethernet switch export
# aug/26/2021 22:08:57 by RouterOS 6.48.3
# software id = XXX
#
# model = RBD53iG-5HacD2HnD
# serial number = XXX
[admin@hapac3] > /interface bridge export
# aug/26/2021 22:09:01 by RouterOS 6.48.3
# software id = XXX
#
# model = RBD53iG-5HacD2HnD
# serial number = XXX
/interface bridge
add admin-mac=XXX auto-mac=no comment="CPU port" name=bridge1 protocol-mode=none
/interface bridge port
add bridge=bridge1 comment=defconf interface=wl-3-2g
add bridge=bridge1 comment=defconf interface=wl-3-5g
add bridge=bridge1 interface=ether5
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge1 interface=wl-guest-2g
add bridge=bridge1 interface=wl-guest-5g
```
The management VLAN is now 99.
```
[admin@hapac3] > /interface vlan export
# aug/26/2021 22:11:39 by RouterOS 6.48.3
# software id = XXX
#
# model = RBD53iG-5HacD2HnD
# serial number = XXX
/interface vlan
add interface=bridge1 name=vl-dmz vlan-id=2
add interface=bridge1 name=vl-management vlan-id=99
add interface=bridge1 name=vl-trusted vlan-id=3
add interface=bridge1 name=vl-untrusted vlan-id=10
add interface=bridge1 name=vl-work vlan-id=20
```
For reference, I have multiple DHCP servers running, and the default one still on the bridge itself.
```
[admin@hapac3] > /ip address export
# aug/26/2021 22:14:20 by RouterOS 6.48.3
# software id = XXX
#
# model = RBD53iG-5HacD2HnD
# serial number = XXX
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge1 network=192.168.88.0
add address=192.168.2.1/24 interface=vl-dmz network=192.168.2.0
add address=192.168.1.1/24 interface=vl-management network=192.168.1.0
add address=192.168.13.1/24 interface=vl-trusted network=192.168.13.0
add address=192.168.10.1/24 interface=vl-untrusted network=192.168.10.0
add address=192.168.20.1/24 interface=vl-work network=192.168.20.0
add address=192.168.99.1 interface=vl-management network=192.168.99.1
[admin@hapac3] > /ip dhcp-server export
# aug/26/2021 22:14:27 by RouterOS 6.48.3
# software id = XXX
#
# model = RBD53iG-5HacD2HnD
# serial number = XXX
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-script="/system script run dhcpDnsUpdate" name=dhcp
add address-pool=dp-dmz disabled=no interface=vl-dmz lease-script="/system script run dhcp-dns-update" name=dh-dmz
add address-pool=dp-trusted disabled=no interface=vl-trusted lease-script="/system script run dhcp-dns-update" name=dh-trusted
add address-pool=dp-untrusted disabled=no interface=vl-untrusted lease-script="/system script run dhcp-dns-update" name=dh-untrusted
add address-pool=dp-work disabled=no interface=vl-work lease-script="/system script run dhcp-dns-update" name=dh-work
add address-pool=dp-management disabled=no interface=vl-management lease-script="/system script run dhcpDnsUpdate" name=dh-management
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 next-server=192.168.88.1 ntp-server=192.168.88.1
add address=192.168.1.0/24 gateway=192.168.1.1 next-server=192.168.1.1 ntp-server=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1 next-server=192.168.2.1 ntp-server=192.168.2.1
add address=192.168.3.0/24 gateway=192.168.3.1 next-server=192.168.3.1 ntp-server=192.168.3.1
add address=192.168.10.0/24 gateway=192.168.10.1 next-server=192.168.10.1 ntp-server=192.168.10.1
add address=192.168.13.0/24 gateway=192.168.13.1 ntp-server=192.168.13.1
add address=192.168.20.0/24 gateway=192.168.20.1 next-server=192.168.20.1 ntp-server=192.168.20.1
```
Clients get IPs alright.
```
[admin@hapac3] > /ip dhcp-server lease print
Flags: X - disabled, R - radius, D - dynamic, B - blocked
 #   ADDRESS         MAC-ADDRESS        HOST-NAME     SERVER        RATE-LIMIT  STATUS  LAST-SEEN
 0 D 192.168.88.237  XX:XX:XX:XX:XX:XX  other-device  dhcp                      bound   1m54s
 1 D 192.168.88.254  XX:XX:XX:XX:XX:XX  laptop        dhcp                      bound   1m38s
 2 D 192.168.88.242  XX:XX:XX:XX:XX:XX  A             dhcp                      bound   58s
 3 D 192.168.13.10   XX:XX:XX:XX:XX:XX  C             dh-trusted                bound   26s
 4 D 192.168.2.254   XX:XX:XX:XX:XX:XX  D             dh-dmz                    bound   23s
 5 D 192.168.10.253  XX:XX:XX:XX:XX:XX  B             dh-untrusted              bound   3m11s
```
* My laptop accesses the router on Wi-Fi, and gets onto the default DHCP via the bridge, which is expected, and so does the other device.
* Devices B, C, and D are connected to the switch as per my original diagram so the trunk seems to be working ok.
* BUT device A is connected to ether3, which is configured as an untagged port with PVID 10, but it somehow gets an IP address from the default DHCP server, rather than the one on VLAN 10

If I then enable `vlan-filtering` on the bridge,
```
[admin@hapac3] > /interface bridge set bridge1 vlan-filtering=yes
```
...all leases but from the Wi-Fi stop getting renewed.

HOWEVER, I realised I forgot to add the bridge-level VLAN options when reviewing the draft of this post. The following was missing.
```
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=2
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=3
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=99
```
And all seems to have started working as expected!
```
[admin@hapac3] > /ip dhcp-server lease print
Flags: X - disabled, R - radius, D - dynamic, B - blocked
 #   ADDRESS         MAC-ADDRESS        HOST-NAME     SERVER        RATE-LIMIT  STATUS  LAST-SEEN
 0 D 192.168.88.237  XX:XX:XX:XX:XX:XX  other-device  dhcp                      bound   2m12s
 1 D 192.168.88.254  XX:XX:XX:XX:XX:XX  laptop        dhcp                      bound   1m56s
 2 D 192.168.10.252  XX:XX:XX:XX:XX:XX  A             dh-untrusted              bound   1m30s
 3 D 192.168.2.254   XX:XX:XX:XX:XX:XX  D             dh-dmz                    bound   27s
 4 D 192.168.10.253  XX:XX:XX:XX:XX:XX  B             dh-untrusted              bound   4m18s
 5 D 192.168.13.10   XX:XX:XX:XX:XX:XX  C             dh-trusted                bound   17s
[admin@hapac3] > /interface bridge vlan print
Flags: X - disabled, D - dynamic
 #   BRIDGE   VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
 0 D bridge1  1                         bridge1
                                        wl-3-5g
                                        wl-guest-2g
 1   bridge1  2         bridge1
                        ether2
 2   bridge1  3         bridge1
                        ether2
 3   bridge1  10        bridge1         ether3
                        ether2
 4   bridge1  20        bridge1
                        ether2
 5   bridge1  99        bridge1
                        ether2
```
For what it's worth, the most noticeable difference to what I did before was that the `bridge1` interface itself is explicitly tagged on the VLANs.
```
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=XXX
```
So my problems look like they were:
  • having some stuff hanging on VLAN1 (though I still do, so maybe that's a red herring),
  • forgetting to mark the bridge itself as a tagged interface for all VLAN traffic (that is probably the key thing),
  • trying to do VLAN switching with the switch chip (while the Ath8327 supports it, it doesn't seem to be needed).
This is looking pretty good. I'll keep an eye on it, and start adding the WLANs to the VLANs, but my problem might just have been solved. I'll also have to do some performance testing and see how this goes.

PS: For my understanding, why should VLAN1 not be used for management (or at all)? One compelling reason I've read is that other unconfigured devices might be sending tagged traffic to this VLAN by default, thereby making it trivial to get onto the management VLAN. However, it seems VLAN1 might have a more specific role in the case of MikroTik bridges (which @anav seemed to imply, too), what is this role? (I wasn't able to find any authoritative information about this).
Last edited by shtrom on Sun Nov 14, 2021 2:17 pm, edited 2 times in total.

mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLANs on hAP ac^3 + managed switch

Thu Aug 26, 2021 4:47 pm

PS: For my understanding, why should VLAN1 not be used for management (or at all)?

Actually VLAN ID 1 is no different than others. If everything is configured correctly, also VLAN 1 should work just fine. But there's a gotcha: VLAN ID 1 is used as default all over the place, it is not shown in output of export (since it's default) - unless export is run with verbose option. So it's really easy to miss some VLAN ID 1 setting somewhere where it should not be and sometimes it's hard to get rid of that setting as well. Hence the easiest way of not getting into trouble is to stay away from using VLAN ID 1.
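As an added example (not code from this thread, from MikroTik, or from RouterOS), the script below is a small Python lint for a RouterOS bridge VLAN export that flags the things the solved post above tripped over and the VLAN 1 gotcha mkx describes: `vlan-filtering` left off on the bridge (so pvids and the VLAN table are not enforced and untagged frames land on `bridge1` itself, which is how an access port ends up with a lease from the bridge's default DHCP server), an access port whose pvid has no configured entry in the bridge VLAN table, a `/interface vlan` sitting on the bridge whose VLAN does not list `bridge1` as a tagged member, and anything on VLAN 1, including the implicit default pvid that a plain `export` never prints. The two exports are constructed for the example and modelled on the thread; the parser assumes the export format shown in the thread (one-line `add` entries, backslash continuations), and the RouterOS defaults `pvid=1` and `vlan-filtering=no` when those keys are absent.

```python
"""Lint a RouterOS bridge-VLAN export for the gotchas from this thread (added example)."""
import re
from collections import defaultdict

# Constructed export modelled on the thread's second attempt: vlan-filtering off,
# bridge1 never tagged, ether5 and vl-management left on VLAN 1.
BROKEN_EXPORT = """\
/interface bridge
add name=bridge1 protocol-mode=none
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge1 interface=ether3 pvid=10
add bridge=bridge1 interface=ether5
/interface vlan
add interface=bridge1 name=vl-management vlan-id=1
add interface=bridge1 name=vl-untrusted vlan-id=10
add interface=bridge1 name=vl-work vlan-id=20
/interface bridge vlan
add bridge=bridge1 tagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=ether2 \\
    vlan-ids=20
"""
# Constructed export modelled on the working config from the solved post.
FIXED_EXPORT = """\
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge1 interface=ether3 pvid=10
add bridge=bridge1 interface=ether5 pvid=99
/interface vlan
add interface=bridge1 name=vl-management vlan-id=99
add interface=bridge1 name=vl-untrusted vlan-id=10
add interface=bridge1 name=vl-work vlan-id=20
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether2 untagged=ether5 vlan-ids=99
"""
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_export(text):
    """Map each menu path to its 'add' entries as {key: value} dicts (continuations joined)."""
    sections = defaultdict(list)
    menu = None
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            sections[menu].append({k: v.strip('"') for k, v in KV_RE.findall(line[4:])})
    return sections

def expand_ids(spec):
    """Expand a RouterOS id list such as '10,20-22' into a set of ints."""
    ids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def lint_bridge_vlans(text, bridge="bridge1"):
    """Return sorted (object, problem) pairs for the named bridge."""
    cfg = parse_export(text)
    findings = set()
    # Without vlan-filtering the VLAN table and pvids are not enforced at all, so
    # untagged frames from every access port reach bridge1 and its DHCP server.
    for b in cfg["/interface bridge"]:
        if b.get("name") == bridge and b.get("vlan-filtering", "no") != "yes":
            findings.add((bridge, "VLAN_FILTERING_OFF"))
    tagged, configured = defaultdict(set), set()
    for row in cfg["/interface bridge vlan"]:
        if row.get("bridge") != bridge or row.get("disabled") == "yes":
            continue
        for vid in expand_ids(row.get("vlan-ids", "")):
            configured.add(vid)
            tagged[vid].update(filter(None, row.get("tagged", "").split(",")))
    for p in cfg["/interface bridge port"]:
        if p.get("bridge") != bridge or p.get("frame-types") == "admit-only-vlan-tagged":
            continue  # a tagged-only trunk never uses its pvid
        pvid = int(p.get("pvid", "1"))  # RouterOS default; a plain export omits it
        if pvid not in configured:
            findings.add((p["interface"], "PVID_NOT_IN_VLAN_TABLE"))
        if pvid == 1:
            findings.add((p["interface"], "VLAN1_IN_USE"))
    for v in cfg["/interface vlan"]:
        if v.get("interface") != bridge:
            continue
        vid = int(v["vlan-id"])
        if bridge not in tagged[vid]:  # the CPU port must be a tagged member
            findings.add((v["name"], "BRIDGE_NOT_TAGGED"))
        if vid == 1:
            findings.add((v["name"], "VLAN1_IN_USE"))
    return sorted(findings)
```

Run `lint_bridge_vlans(BROKEN_EXPORT)` and it reports seven findings (filtering off, `ether5` on the hidden default pvid 1, and all three VLAN interfaces without `bridge1` tagged); `lint_bridge_vlans(FIXED_EXPORT)` returns an empty list. The `VLAN1_IN_USE` check deliberately fires on ports that carry no `pvid` at all, because that is exactly the setting a plain `export` hides; on a live box `/export verbose` shows it.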

anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANs on hAP ac^3 + managed switch

Thu Aug 26, 2021 5:37 pm

Practical reasons.
I have attached my Mikrotik products to
a. other MT products (switches and access points)
b. D link devices (switches)
c. netgear devices
d. TP link devices

They all work with no issues on multiple vlan subnets using the referenced document which supports NOT using vlan1 for anything other than the default settings on the bridge.
