Community discussions

MikroTik App
 
nevolex
Member Candidate
Member Candidate
Topic Author
Posts: 125
Joined: Mon Apr 20, 2020 1:09 pm

Mikrotik Audience vlan filtering and dhcp issues

Sat May 08, 2021 1:44 am

Hi guys,

I have been applying with my vlan filtering on mikrotik audience

Internet is coming from another router on port 1 (trunk), port 2 is an access port

I am not sure what I did wrong but wireless clients on wlan interfaces don't get a dhcp lease

a client connected to port 2 (physical on audience) gets a dhcp lease just fine, the wireless only are the problem


may you please help?

[admin@Mikrotik_Audience] > /export hide-sensitive                              
# may/08/2021 10:43:09 by RouterOS 6.48.2
# software id = M0L0-MR8G
#
# model = RBD25G-5HPacQD2HPnD
# serial number = B6BE0A6C03AF
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-trunk
set [ find default-name=ether2 ] comment=NOT_IN_USE
/interface vlan
add comment=LAN_VLAN_10 interface=bridge name=vlan10_main vlan-id=10
add comment=LAN_VLAN_20 interface=bridge name=vlan20_guest vlan-id=20
/interface list
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=wlan_10_main supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=wlan_20_guest supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-XX comment=Phisical_2.4GHz_VLAN10 country="new zealand" default-authentication=no disabled=no frequency=2447 mode=\
    ap-bridge name=wlan10_main_2.4GHz security-profile=wlan_10_main ssid=wifi vlan-id=10 vlan-mode=use-tag wps-mode=disabled
set [ find default-name=wlan3 ] band=5ghz-n/ac channel-width=20/40/80/160mhz-XXXXXXXX comment=Phisical_5.0GHz+_VLAN10 country="new zealand" disabled=no frequency-mode=superchannel mode=\
    ap-bridge name=wlan10_main_5.0GHz+ security-profile=wlan_10_main ssid=wifi vlan-id=10 vlan-mode=use-tag wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-XXXX comment=Phisical_5.0GHz_VLAN10_Backup country="new zealand" frequency=5260 frequency-mode=superchannel mode=\
    ap-bridge name=wlan10_main_5.0GHz_Backup security-profile=wlan_20_guest ssid=backup_wifi_link vlan-id=20 vlan-mode=use-tag wps-mode=disabled
add comment=Virtual_2.4GHz_VLAN20 disabled=no keepalive-frames=disabled mac-address=76:4D:28:F4:F7:F3 master-interface=wlan10_main_2.4GHz multicast-buffering=disabled name=\
    wlan20_guest_2.4GHz security-profile=wlan_20_guest ssid=wifi_guest vlan-id=20 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add comment=Virtual_5.0GHz+_VLAN20 disabled=no keepalive-frames=disabled mac-address=76:4D:28:F4:F7:F7 master-interface=wlan10_main_5.0GHz+ multicast-buffering=disabled name=\
    wlan20_guest_5.0GHz+ security-profile=wlan_20_guest ssid=wifi_guest vlan-id=20 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan10_main_2.4GHz comment=Phisical_2.4GHz_VLAN10
set wlan10_main_5.0GHz+ comment=Phisical_5.0GHz+_VLAN10
set wlan10_main_5.0GHz_Backup comment=Phisical_5.0GHz_VLAN10_Backup
set wlan20_guest_2.4GHz comment=Virtual_2.4GHz_VLAN20
set wlan20_guest_5.0GHz+ comment=Virtual_5.0GHz+_VLAN20
/interface wireless nstreme
set wlan10_main_2.4GHz comment=Phisical_2.4GHz_VLAN10
set wlan10_main_5.0GHz+ comment=Phisical_5.0GHz+_VLAN10
set wlan10_main_5.0GHz_Backup comment=Phisical_5.0GHz_VLAN10_Backup
set *11 comment=Virtual_2.4GHz_VLAN20
set *1A comment=Virtual_5.0GHz+_VLAN20
/interface bridge port
add bridge=bridge interface=ether1-trunk
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge interface=wlan10_main_2.4GHz pvid=10
add bridge=bridge interface=wlan20_guest_2.4GHz pvid=20
add bridge=bridge interface=wlan10_main_5.0GHz+ pvid=10
add bridge=bridge interface=wlan20_guest_5.0GHz+ pvid=20
add bridge=bridge interface=wlan10_main_5.0GHz_Backup pvid=10
/interface bridge vlan
add bridge=bridge tagged=ether1-trunk,bridge untagged=ether2,wlan10_main_2.4GHz,wlan10_main_5.0GHz+,wlan10_main_5.0GHz_Backup,*1E vlan-ids=10
add bridge=bridge tagged=ether1-trunk,bridge untagged=wlan20_guest_2.4GHz,wlan20_guest_5.0GHz+ vlan-ids=20
/interface detect-internet
set detect-interface-list=all
/interface wireless access-list
add comment=LIFX disabled=yes interface=wlan10_main_2.4GHz mac-address=D0:73:D5:12:25:E9 vlan-id=10 vlan-mode=use-tag
add comment=LIFX disabled=yes interface=wlan10_main_2.4GHz mac-address=D0:73:D5:24:52:2F vlan-id=10 vlan-mode=use-tag
add comment=Kettle disabled=yes interface=wlan10_main_2.4GHz mac-address=BC:DD:C2:A8:06:52 vlan-id=10 vlan-mode=use-tag
add comment=CCTV disabled=yes interface=wlan10_main_2.4GHz mac-address=50:EC:50:3A:F7:C5 vlan-id=10 vlan-mode=use-tag
add comment=Printer disabled=yes interface=wlan10_main_2.4GHz mac-address=C0:B5:D7:5B:D7:4E vlan-id=10 vlan-mode=use-tag
add comment=VOIP_Phone disabled=yes interface=wlan10_main_2.4GHz mac-address=00:0B:82:EA:D2:C4 vlan-id=10 vlan-mode=use-tag
/ip route rule
add action=unreachable dst-address=10.20.0.0/24 src-address=10.10.0.0/24
add action=unreachable dst-address=10.10.0.0/24 src-address=10.20.0.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=Mikrotik_Audience
/system scheduler
add interval=8w4d name=monthly_reboot on-event="/system reboot" policy=reboot start-date=mar/29/2021 start-time=03:15:00
[admin@Mikrotik_Audience] > 

 
mducharme
Trainer
Trainer
Posts: 1340
Joined: Tue Jul 19, 2016 6:45 pm

Re: Mikrotik Audience vlan filtering and dhcp issues

Sat May 08, 2021 2:27 am

a client connected to port 2 (physical on audience) gets a dhcp lease just fine, the wireless only are the problem
Hello,

I think you have unintentionally done Q-in-Q. You have configured your wireless interface to add a VLAN tag for VLAN 10 or 20, which is fine, but then you have bridge VLAN filtering adding a second identical tag to the same packet. Your packets that you probably want to be just plain VLAN 10 are instead VLAN 10 inside VLAN 10, or VLAN 20 inside VLAN 20. I would either use the wireless interface settings to add the VLAN tag or the bridge VLAN filtering, but not both. I think it doesn't make sense to use bridge VLAN filtering on that device in most situations.
 
tdw
Forum Veteran
Forum Veteran
Posts: 856
Joined: Sat May 05, 2018 11:55 am

Re: Mikrotik Audience vlan filtering and dhcp issues

Sat May 08, 2021 2:28 am

As you are setting the pvid= for the wlan interfaces under /interface bridge port you should not also set vlan-mode=use-tag under /interface wireless - either create untagged wireless interfaces and set a PVID for the bridge port, or create a tagged wireless interface and make them a tagged bridge VLAN member.

Also you do not need to specify any untagged= memberships under /interface bridge vlan, these will be dynamically added from the pvid= settings under /interface bridge port - this avoids potentially having a mismatch which can cause unexpected issues.
 
nevolex
Member Candidate
Member Candidate
Topic Author
Posts: 125
Joined: Mon Apr 20, 2020 1:09 pm

Re: Mikrotik Audience vlan filtering and dhcp issues

Sat May 08, 2021 2:32 am

I fixed that by moving WLAN interfaces to Tagged, but why are they tagged, aren't they treated like access interfaces?

wiwi.png
You do not have the required permissions to view the files attached to this post.
 
mducharme
Trainer
Trainer
Posts: 1340
Joined: Tue Jul 19, 2016 6:45 pm

Re: Mikrotik Audience vlan filtering and dhcp issues  [SOLVED]

Sat May 08, 2021 2:40 am

I fixed that by moving WLAN interfaces to Tagged, but why are they tagged, aren't they treated like access interfaces?
When you configure a wireless interface with a VLAN ID in the wireless settings, the tag is added by the wireless interface itself. In other words, by setting vlan-id in a wireless interface settings, you are making that wireless interface a trunk port instead of an access port. So if this is on your main wireless, this would be a VLAN of 10. This packet with a VLAN ID of 10 arrives at the bridge, and if the bridge port has a PVID of 10, this means that the bridge VLAN filtering adds a second VLAN 10 tag to the packet even though it already has one tag (or possibly completely drops the packet because there is no tagged 10 enabled for that port - I haven't tested such a config before, but either way it is wrong).

The solutions are either to make the port a tagged port for that VLAN (as you have done), or make the port untagged (PVID) and then remove the vlan ID setting from the wireless interface settings so that you don't end up with two tags.

EDIT: It would probably actually drop the packet instead of doing Q-in-Q because apparently "tag-stacking" has to be enabled for it to tag packets that already have a tag.
 
nevolex
Member Candidate
Member Candidate
Topic Author
Posts: 125
Joined: Mon Apr 20, 2020 1:09 pm

Re: Mikrotik Audience vlan filtering and dhcp issues

Sat May 08, 2021 9:45 am

thank you I didn't realise it was tagged before, I saw in "advance configuration"
 
mkx
Forum Guru
Forum Guru
Posts: 5981
Joined: Thu Mar 03, 2016 10:23 pm

Re: Mikrotik Audience vlan filtering and dhcp issues

Sat May 08, 2021 10:33 am

When you configure a wireless interface with a VLAN ID in the wireless settings, the tag is added by the wireless interface itself. In other words, by setting vlan-id in a wireless interface settings, you are making that wireless interface a trunk port instead of an access port. So if this is on your main wireless, this would be a VLAN of 10. This packet with a VLAN ID of 10 arrives at the bridge, and if the bridge port has a PVID of 10, this means that the bridge VLAN filtering adds a second VLAN 10 tag to the packet even though it already has one tag (or possibly completely drops the packet because there is no tagged 10 enabled for that port - I haven't tested such a config before, but either way it is wrong).

I don't think this is the case. In OP's original case frames pass unaltered in direction between wlan and bridge (because tags are already there, pvid is only applied to frames without VLAN tag). However, due to configuration (wlan port declared untagged in /interface bridge vlan) frames get untagged in direction between bridge and wlan and wlan driver drops them.

@OP: do yourself a favour and change this part of config to
/interface detect-internet
set detect-interface-list=none
BR,
Metod

Who is online

Users browsing this forum: akakua, bka, DanMos79, David1234, thebabufrik and 152 guests