JancariusSeiryujinn
just joined
Topic Author
Posts: 13
Joined: Tue Sep 07, 2021 10:42 am

Devices connecting to the wireless are assigned vlan1 instead of intended VLAN

Tue Sep 14, 2021 8:25 am

I am using a hAC2 connected to a CRS326 and an RB4011. Routing is handled entirely on the RB4011.

On the hAC2, I have 4 VLANs - 100 (wired), 101 (trusted network), 102 (Guest network), 103 (zero trust network - printers etc.). There are 4 SSIDs - 1 5ghz and 2.4 for Trusted, and a 2.4 for each of the other 2 vlans.

When I connect a device by cable into the ports, I get a DHCP from the router on VLAN100, and internet functions normally. When I connect to wireless, I get a VID of 1, which doesn't work because it's not configured to. This is my first Mikrotik deployment, and I can't figure out what I have done differently between the hAC2 which isn't working and the hAC Lite meant to be an AP which is.
# sep/13/2021 23:15:21 by RouterOS 6.48.4
# software id = IEWC-ASHD
#
# model = RBD52G-5HacD2HnD
# serial number = CDFC0EE28D33
/interface bridge
add name=bridge1 pvid=100 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan100 vlan-id=100
add interface=bridge1 name=vlan101 vlan-id=101
add interface=bridge1 name=vlan102 vlan-id=102
add interface=bridge1 name=vlan103 vlan-id=103
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk,wpa2-eap eap-methods="" mode=dynamic-keys name=Public supplicant-identity="" wpa2-pre-shared-key=SSIDKEY
add authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys name=Printer supplicant-identity="" wpa2-pre-shared-key=SSIDKEY
add authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys name=Networked supplicant-identity="" wpa2-pre-shared-key=SSIDKEY
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="united states" disabled=no installation=indoor mode=ap-bridge security-profile=Public ssid=TRUSTED-2.4 vlan-mode=use-tag wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no installation=indoor mode=ap-bridge security-profile=Public ssid=TRUSTED5GHZ vlan-mode=use-tag wps-mode=disabled
add comment="No-Internet VLAN103" disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:A7:AF:FF master-interface=wlan1 multicast-buffering=disabled name=wlan3 security-profile=Printer ssid=PRINTERWIRELESS vlan-id=103 vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=push-button-virtual-only
add comment="Internet-allowed security devices" disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:A7:AF:FE master-interface=wlan1 multicast-buffering=disabled name=wlan4 security-profile=Networked ssid=GUESTNETWORK vlan-id=102 vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=push-button-virtual-only
/interface wireless manual-tx-power-table
set wlan3 comment="No-Internet VLAN103"
set wlan4 comment="Internet-allowed security devices"
/interface wireless nstreme
set wlan1 enable-polling=no
set wlan2 enable-polling=no
set *A comment="No-Internet VLAN103"
set *B comment="Internet-allowed security devices"
/ip pool
add name=dhcp ranges=192.168.0.50-192.168.0.99
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge1 interface=wlan2 pvid=101
add bridge=bridge1 interface=wlan1 pvid=101
add bridge=bridge1 interface=ether1 pvid=100 trusted=yes
add bridge=bridge1 interface=ether3 pvid=100
add bridge=bridge1 interface=ether4 pvid=100
add bridge=bridge1 interface=wlan3 pvid=103
add bridge=bridge1 interface=wlan4 pvid=102
add bridge=bridge1 interface=ether2 pvid=100 trusted=yes
add bridge=bridge1 interface=ether5 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 untagged=ether2,ether3,ether4,ether5 vlan-ids=100
add bridge=bridge1 tagged=ether1,bridge1 untagged=wlan1,wlan2 vlan-ids=101
add bridge=bridge1 tagged=ether1,bridge1 untagged=wlan4 vlan-ids=102
add bridge=bridge1 tagged=ether1,bridge1 untagged=wlan3 vlan-ids=103
/interface wireless cap
set interfaces=wlan2,wlan1
/ip address
add address=192.168.100.202/24 interface=vlan100 network=192.168.100.0
add address=192.168.101.202/24 interface=vlan101 network=192.168.101.0
add address=192.168.102.202/24 interface=vlan102 network=192.168.102.0
add address=192.168.103.202/24 interface=vlan103 network=192.168.103.0
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.0 netmask=24
add address=192.168.100.0/24 dns-server=192.168.0.1,8.8.8.8 gateway=192.168.100.1 netmask=24
add address=192.168.101.0/24 dns-server=192.168.0.1,8.8.8.8 gateway=192.168.101.1 netmask=24
add address=192.168.102.0/24 dns-server=192.168.0.1,8.8.8.8 gateway=192.168.102.1 netmask=24
add address=192.168.103.0/24 dns-server=192.168.0.1,8.8.8.8 gateway=192.168.103.1 netmask=24
/ip dns
set servers=192.168.0.1,8.8.8.8
/ip route
add distance=1 gateway=192.168.100.1
add distance=1 gateway=192.168.101.1
add distance=1 gateway=192.168.102.1
add distance=1 gateway=192.168.103.1
/system clock
set time-zone-name=America/Denver
/system identity
set name=MikrotikWirelessMain
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Devices connecting to the wireless are assigned vlan1 instead of intended VLAN

Tue Sep 14, 2021 12:10 pm

A few (minor) problems:
/interface bridge
add name=bridge1 pvid=100 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan100 vlan-id=100
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 untagged=ether2,ether3,ether4,ether5 vlan-ids=100
First configuration (setting PVID on bridge interface ... read more about bridge roles) configures bridge interface as untagged for VLAN ID 100 ... the other two configure bridge interface as tagged member of VLAN ID 100. In short: unset PVID setting on bridge (the first command). Things may seem to work just fine with your current config, but it's not correct anyway.


And to the problem with wireless:
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="united states" disabled=no installation=indoor mode=ap-bridge security-profile=Public ssid=TRUSTED-2.4 vlan-mode=use-tag wps-mode=disabled
/interface bridge port
add bridge=bridge1 interface=wlan1 pvid=101
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 untagged=wlan1,wlan2 vlan-ids=101

Either use use-vlan=yes on wireless interface (but then you have to set vlan-id=101) or use pvid setting on bridge port, not both.

Explanation:
  • historically bridge was not VLAN-aware and the only way of managing VLANs was directly on the underlying hardware. For ethernet ports this meant dealing with VLAN tags through switch chip configuration, for wireless interfaces this meant using vlan-id=XY vlan-mode=use-tag which made the wireless driver deal with VLAN tags. N.b.: implicit default is vlan-id=1 which is not shown in exported config (unless running it with verbose parameter) because export only shows differences from "bare metal" defaults (and VLAN ID set to 1 everywhere is "bare metal" default).
    Setting VLANs on wireless interface this way made wireless interface a tagged-only (trunk) port of bridge. It is possible to keep using configuration this way, but in bridge settings such port has to be configured as tagged member of appropriate VLAN (including configuration under /interface bridge vlan).
  • In modern times, when bridge is VLAN aware, it's possible to set everything related to VLANs on bridge, which includes wireless interfaces (and other interfaces which historically did not allow VLAN settings). Which means that wireless interface has to keep (default) setting vlan-mode=no-tag and configure bridge port with PVID set.

And you have the same error for all wireless interfaces/ports.

BTW, since you're using hAP ac2 as simple AP / ethernet switch combo, you don't need bridge configured as tagged member of all VLANs ... you only need bridge tagged member of VLAN which will be used to manage the device itself. Which means moving DHCP server to central router. The whole exercise is a security measure.
This includes the following configuration items (and the rest of similar ones):
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 untagged=wlan3 vlan-ids=103 # bridge1 doesn't have to be member
/interface vlan
add interface=bridge1 name=vlan103 vlan-id=103 # not needed at all
/ip address
add address=192.168.103.202/24 interface=vlan103 network=192.168.103.0
/ip dhcp-server network
add address=192.168.103.0/24 dns-server=192.168.0.1,8.8.8.8 gateway=192.168.103.1 netmask=24 # move DHCP server to central router
/ip route
add distance=1 gateway=192.168.100.1
# remove all default routes below this line, device itself only needs route belonging to own (management) subnet
add distance=1 gateway=192.168.101.1
add distance=1 gateway=192.168.102.1
add distance=1 gateway=192.168.103.1
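
The conflict described in the reply above can be checked mechanically. The following Python sketch is an added example, not part of the original posts or of MikroTik's tooling; it runs on a constructed, trimmed version of the export from this thread, and the function names are hypothetical. It flags wireless interfaces that set vlan-mode=use-tag without a vlan-id (VLAN 1 by default, per the explanation above) or that are also configured as access ports on the bridge.

```python
import re

# Constructed sample: a trimmed form of the hAP ac2 export posted in this thread.
SAMPLE_EXPORT = r'''
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge ssid=TRUSTED-2.4 vlan-mode=use-tag
add master-interface=wlan1 name=wlan3 ssid=PRINTERWIRELESS vlan-id=103 \
    vlan-mode=use-tag
/interface bridge port
add bridge=bridge1 interface=wlan1 pvid=101
add bridge=bridge1 interface=wlan3 pvid=103
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 untagged=wlan1,wlan2 vlan-ids=101
add bridge=bridge1 tagged=ether1,bridge1 untagged=wlan3 vlan-ids=103
'''

def parse_export(text):
    """Return (menu_path, {key: value}) for each add/set line of an export."""
    text = re.sub(r'\\\n\s*', '', text)  # join backslash-continued lines
    path, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('/'):
            path = line  # menu path applies to the lines that follow
        elif line.startswith(('add ', 'set ')):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S*)', line)
            rows.append((path, {k: v.strip('"') for k, v in pairs}))
    return rows

def audit_wireless_vlans(text):
    """Flag wireless interfaces that tag in the driver and are also bridge access ports."""
    rows = parse_export(text)
    pvid = {r['interface']: r['pvid'] for p, r in rows
            if p == '/interface bridge port' and 'pvid' in r}
    untagged = set()
    for p, r in rows:
        if p == '/interface bridge vlan':
            untagged.update(filter(None, r.get('untagged', '').split(',')))
    findings = []
    for p, r in rows:
        if p != '/interface wireless' or r.get('vlan-mode') != 'use-tag':
            continue
        name = r.get('name') or r.get('default-name')
        if 'vlan-id' not in r:  # export omits vlan-id when it is the default 1
            findings.append((name, 'use-tag without vlan-id: clients land in VLAN 1'))
        if name in pvid or name in untagged:
            findings.append((name, 'use-tag combined with bridge pvid/untagged entry'))
    return findings
```

On the sample, wlan1 is reported twice (default VLAN 1 and the pvid conflict) and wlan3 once; either of the two corrected layouts described above (no-tag plus pvid, or use-tag with vlan-id and tagged bridge membership) returns no findings.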
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Devices connecting to the wireless are assigned vlan1 instead of intended VLAN

Tue Sep 14, 2021 4:29 pm

Before you dive too deep into many changes, please have a read of this reference until it's mostly understood.
Come back here if you have any questions, then slogging through the config and MKX advice will make more sense!!

viewtopic.php?f=23&t=143620
 
JancariusSeiryujinn
just joined
Topic Author
Posts: 13
Joined: Tue Sep 07, 2021 10:42 am

Re: Devices connecting to the wireless are assigned vlan1 instead of intended VLAN

Tue Sep 14, 2021 10:06 pm

Thank you Anav and mkx. I'm brand new to RouterOS so in many cases I feel like I know what I want to accomplish but I'm unsure of the correct format for RouterOS or exactly what I've set.

Per mkx's suggestions, I have removed the PVID=100 from the bridge. I have set wlan1 and wlan2 to use vlan 101.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="united states" disabled=no installation=indoor mode=ap-bridge security-profile=Public ssid=SSIDVLAN101 vlan-id=101 \
    vlan-mode=use-tag wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no installation=indoor mode=ap-bridge security-profile=Public ssid=SSIDVLAN101TEST vlan-id=101 vlan-mode=use-tag wps-mode=\
    disabled
add comment="No-Internet VLAN103" disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:A7:AF:FF master-interface=wlan1 multicast-buffering=disabled name=wlan3 security-profile=\
    Printer ssid=PRINTERNETWORK vlan-id=103 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=push-button-virtual-only
add comment="Internet-allowed security devices" disabled=no keepalive-frames=disabled mac-address=2E:C8:1B:A7:AF:FE master-interface=wlan1 multicast-buffering=disabled name=wlan4 \
    security-profile=Networked ssid=GUESTNETWORK vlan-id=102 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=push-button-virtual-only
I have cleared PVIDs on the bridge ports. I was unsure if I should leave the physical wired ports tagged with a PVID or not, but for the time being I cleared them as this does not seem to have interrupted my connectivity.
/interface bridge port
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1 trusted=yes
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan3
add bridge=bridge1 interface=wlan4
add bridge=bridge1 interface=ether2 trusted=yes
I removed the untagged settings for WLAN1/2 from the VLAN101 config, and changed it to tagged. Based on your explanation section, my understanding currently is that if I am using vlan-id= in my wlan settings, they will be tagged by default.
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 untagged=ether2,ether3,ether4,ether5 vlan-ids=100
add bridge=bridge1 tagged=ether1,wlan1,wlan2 vlan-ids=101
add bridge=bridge1 tagged=ether1,wlan4 vlan-ids=102
add bridge=bridge1 tagged=ether1,wlan3 vlan-ids=103
The DHCP server already resides on the primary router, so no need to change that. I configured the networks but it isn't actually running the server.

After these changes, I observe that my wireless client appears with the correct VID on wlan2. Since I still don't have connectivity for it, I presume there are likely issues with my switch and/or router configuration as well.

Moving to the CRS326, I see my wireless client in the bridge hosts on the port connected to the hAC, but not on the sfp port which trunks to the router.
# sep/14/2021 12:48:05 by RouterOS 6.48.4
# software id = 80CZ-07M7
#
# model = CRS326-24G-2S+
# serial number = CD010ED2525C
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] comment="Guest Bedroom Wireless"
set [ find default-name=ether5 ] comment="Office Wireless"
set [ find default-name=ether6 ] comment="Khellendros desktop PC"
/interface vlan
add interface=bridge1 name=vlan100 vlan-id=100
add interface=bridge1 name=vlan101 vlan-id=101
add interface=bridge1 name=vlan102 vlan-id=102
add interface=bridge1 name=vlan103 vlan-id=103
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1 pvid=100 trusted=yes
add bridge=bridge1 interface=ether5 pvid=100 trusted=yes
add bridge=bridge1 interface=ether6 pvid=100 trusted=yes
add bridge=bridge1 interface=ether3 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1,ether3,ether5,bridge1 untagged=ether6 \
    vlan-ids=100
add bridge=bridge1 tagged=ether3,ether5,sfp-sfpplus1,bridge1 vlan-ids=101
add bridge=bridge1 tagged=ether3,ether5,sfp-sfpplus1,bridge1 vlan-ids=102
add bridge=bridge1 tagged=ether3,ether5,sfp-sfpplus1,bridge1 vlan-ids=103
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/ip address
add address=192.168.100.200/24 interface=vlan100 network=192.168.100.0
add address=192.168.101.200 interface=vlan101 network=192.168.101.200
add address=192.168.102.200 interface=vlan102 network=192.168.102.200
add address=192.168.103.200 interface=vlan103 network=192.168.103.200
/ip arp
add address=192.168.100.2 interface=vlan100 mac-address=2C:56:DC:3A:A4:3A
add address=192.168.100.1 interface=vlan100 mac-address=2C:C8:1B:9B:A1:69
/ip dns
set servers=8.8.8.8
/ip route
add distance=1 gateway=192.168.100.1
/system clock
set time-zone-name=America/Denver
/system identity
set name=MainSwitch
/system routerboard settings
set boot-os=router-os
/tool traffic-monitor
add interface=bridge1 name=tmon1
My desktop connects directly in on ether6 here. Above config is what I had at the start. I removed the PVIDs from ether 5 and 6, and the SFP port and this brought me online on my wireless client. I appreciate the assistance. I'm going to read over the link anav provided, then I may be back with general questions.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Devices connecting to the wireless are assigned vlan1 instead of intended VLAN

Tue Sep 14, 2021 11:02 pm

What I would need to see is all three configs.
/export hide-sensitive file=anynameyouwish

The RB4011 needs to have vlans identified as well as the four required entities.
Vlans are identified by unique name, vlan number and primary interface (usually a bridge but can be a port).
- ip address
- ip pool
- dhcp server
- dhcp server-network

The switch and hapac only need vlans identified and none of the four entities.
On each device you create a bridge for that device to handle the vlans.
The two devices hapac and switch should be on the same vlan (normally the management vlan or if you have a trusted home vlan, use that one)
(by that I mean they should have an IP address of the trusted vlan).

Will wait for a coherent posting of all three configs once you have digested the document and are willing to give it a go,
OR you may want some questions answered before starting , either way..........will be here!!
