medharrak
newbie
Topic Author
Posts: 42
Joined: Tue Feb 13, 2018 7:27 pm

Native VLAN

Tue Jun 25, 2019 2:59 pm

Hi,
I'm trying to connect a WAP to a Mikrotik router using VLANs; the WAP is on VLAN 11 for management and the SSID is configured on VLAN 10.
How can I define VLAN 11 as the native VLAN so the WAP can connect to the controller and take the configuration?
 
mkx
Forum Guru
Forum Guru
Posts: 3195
Joined: Thu Mar 03, 2016 10:23 pm

Re: Native VLAN

Tue Jun 25, 2019 3:06 pm

There are two parts of configuration: tagged trunk ethernet between WAP and the rest of network and VLAN tagging/untagging of traffic travelling over wireless interface.

Please describe in more detail what you aim to achieve, what you already did and what problem you're having. Export the current config using /export hide-sensitive and post it here (in a code block for better readability).
BR,
Metod
 
medharrak
newbie
Topic Author
Posts: 42
Joined: Tue Feb 13, 2018 7:27 pm

Re: Native VLAN

Tue Jun 25, 2019 3:44 pm

My need is to connect the AP directly to the Mikrotik router instead of a switch, with which it worked perfectly. The AP needs to be connected to the controller on VLAN 11 as untagged, to take an IP from the DHCP server, take the SSID (VLAN 10) and be managed.
The WAP was able to contact the controller when I configured the Mikrotik port (connected to the WAP) bridged to vlan11, but the issue is that after adding the SSID VLAN, the WAP is no longer connected to the controller, and in some cases it even takes an IP from the Guest pool (VLAN 10).
Below is my configuration:
/interface bridge
add name=bridge1-VLAN10
add name=bridge2-VLAN11
/interface ethernet
set [ find default-name=ether3 ] comment=Ether3 name=CnMaestro
set [ find default-name=ether4 ] comment=Ether4 name=Ether4
set [ find default-name=ether5 ] comment=Ether5 name=Ether5
set [ find default-name=ether2 ] comment=Ether2 name=WAN
set [ find default-name=ether1 ] comment=Ether1 name=WAP
/interface vlan
add interface=WAP name=vlan10 vlan-id=10
add interface=WAP name=vlan11 vlan-id=11
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add dns-name=hotspot.local hotspot-address=10.192.168.1 name=hsprof1
/ip pool
add name=hs-pool-2 ranges=10.192.0.1-10.192.168.0
/ip dhcp-server
add address-pool=hs-pool-2 disabled=no interface=bridge1-VLAN10 lease-time=1h \
name=dhcp2
/ip hotspot
add address-pool=hs-pool-2 addresses-per-mac=1 interface=bridge1-VLAN10 name=\
hotspot1 profile=hsprof1

/interface bridge port
add bridge=bridge2-VLAN11 interface=CnMaestro
add bridge=bridge1-VLAN10 interface=Ether4
add bridge=bridge2-VLAN11 interface=Ether5
add bridge=bridge1-VLAN10 interface=vlan10
add bridge=bridge2-VLAN11 interface=vlan11

/ip address
add address=192.168.11.1/24 interface=bridge2-VLAN11 network=192.168.11.0
add address=10.192.168.1/16 interface=bridge1-VLAN10 network=10.192.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=WAN
/ip dhcp-server network
add address=10.192.0.0/16 comment="hotspot network" gateway=10.192.168.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/ip firewall address-list
add address=192.168.30.0/24 list=Local
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=WAN
 
mkx
Forum Guru
Forum Guru
Posts: 3195
Joined: Thu Mar 03, 2016 10:23 pm

Re: Native VLAN

Tue Jun 25, 2019 4:07 pm

The configuration assumes that all traffic between this Routerboard and the WAP (off the ether1 port) is tagged with either VID=10 or VID=11. The configuration is a bit awkward (the modern way of doing it is using a single bridge and properly configured VLAN filtering) but should work nevertheless.

What's the configuration on the WAP?
BR,
Metod
 
medharrak
newbie
Topic Author
Posts: 42
Joined: Tue Feb 13, 2018 7:27 pm

Re: Native VLAN

Tue Jun 25, 2019 4:14 pm

I don't see clearly what you mean. Is there no solution to untag VLAN 11 and tag VLAN 10 on the same port?
The WAP is configured to broadcast the SSID on VLAN 10, that's all, and it's managed on a different VLAN (vlan10).
 
mkx
Forum Guru
Forum Guru
Posts: 3195
Joined: Thu Mar 03, 2016 10:23 pm

Re: Native VLAN

Tue Jun 25, 2019 5:01 pm

I'm not sure if I understand your setup right. Is this the way your devices are connected:
  • main router (mikrotik with config you posted)
    Has connections:
    • Internet through ether2 (dynamic IP settings via DHCP client)
    • wireless controller through ether3 - untagged member of VLAN 11?
    • WAP (which device type is it) through ether1 - needs 2 VLANs: 10 and 11 ... which tagged and which untagged?
    • ether4 - untagged member of VLAN 10
    • ether5 - untagged member of VLAN 11
  • wireless controller ... does it need tagged or untagged connectivity to VLAN (with ID=11 I presume?)
  • WAP with SSID (VLAN ID 10 - tagged?) and management (VLAN ID 11 - tagged or untagged?)
  • ...

All of that can be configured on RB using single bridge, which is VLAN-aware. But it will come with performance hit (all traffic between ports belonging to same VLAN, tagged or untagged, will go through CPU). Or, if device has decent switch chip, most of things can be offloaded to hardware.

Which particular Routerboard is it?
BR,
Metod
 
medharrak
newbie
Topic Author
Posts: 42
Joined: Tue Feb 13, 2018 7:27 pm

Re: Native VLAN

Tue Jun 25, 2019 5:18 pm

Yes, this is exactly my setup:
- Internet through Ether2.
- Wireless controller (CnMaestro, Cambium) through Ether3 (untagged member of VLAN 11 only).
- WAP (Cambium) through ether1 - needs 2 VLANs (untagged on VLAN 11 to get to the wireless controller, and tagged on VLAN 10).
- The wireless controller needs to be untagged on VLAN 11 only.
- The WAP, which is connected to ether1, needs to be untagged on VLAN 11 and tagged on VLAN 10.
 
mkx
Forum Guru
Forum Guru
Posts: 3195
Joined: Thu Mar 03, 2016 10:23 pm

Re: Native VLAN

Tue Jun 25, 2019 5:25 pm

Which type of Routerboard is your main router?
BR,
Metod
 
medharrak
newbie
Topic Author
Posts: 42
Joined: Tue Feb 13, 2018 7:27 pm

Re: Native VLAN

Tue Jun 25, 2019 5:26 pm

RB759GL but this one is just for the test, I have CCR 12 ports that will be used later
 
mkx
Forum Guru
Forum Guru
Posts: 3195
Joined: Thu Mar 03, 2016 10:23 pm

Re: Native VLAN

Tue Jun 25, 2019 10:45 pm

Using CCR (most likely) means no switch chip. So here's the config which should be working on both models you mentioned (I'll use generic interface names, you can change them to whatever you'll be using):
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=11
add bridge=bridge interface=ether3 ingress-filtering=yes pvid=11
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether1,ether3 vlan-ids=11
/interface vlan
add name=vlan10 interface=bridge vlan-id=10
add name=vlan11 interface=bridge vlan-id=11

This setup adds L2 connectivity as well as two interfaces available for L3 services on router ... you might want to use vlan11 interface for management access to router, while you'll use vlan10 for routing wireless traffic towards internet (and possibly bind DHCP server for wireless clients).
If you don't need router access to some VLAN (e.g. you'll have some other management access instead of VLAN 11), you can omit creation of vlan interface in /interface vlan section and omit bridge as tagged member interface in /interface bridge vlan section.
BR,
Metod
 
anav
Forum Guru
Forum Guru
Posts: 3122
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Native VLAN

Wed Jun 26, 2019 4:42 pm

I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
medharrak
newbie
Topic Author
Posts: 42
Joined: Tue Feb 13, 2018 7:27 pm

Re: Native VLAN

Fri Jun 28, 2019 9:42 am

Using CCR (most likely) means no switch chip. So here's the config which should be working on both models you mentioned (I'll use generic interface names, you can change them to whatever you'll be using):
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes pvid=11
add bridge=bridge interface=ether3 ingress-filtering=yes pvid=11
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether1,ether3 vlan-ids=11
/interface vlan
add name=vlan10 interface=bridge vlan-id=10
add name=vlan11 interface=bridge vlan-id=11

This setup adds L2 connectivity as well as two interfaces available for L3 services on router ... you might want to use vlan11 interface for management access to router, while you'll use vlan10 for routing wireless traffic towards internet (and possibly bind DHCP server for wireless clients).
If you don't need router access to some VLAN (e.g. you'll have some other management access instead of VLAN 11), you can omit creation of vlan interface in /interface vlan section and omit bridge as tagged member interface in /interface bridge vlan section.
It doesn't work when I enable vlan-filtering.
Also, I tried to add ether4 as a local guest laptop port on VLAN 10 by adding untagged=ether4 to the bridge vlan; when I plug in my laptop I get an IP from the VLAN 11 range, not VLAN 10.
 
medharrak
newbie
Topic Author
Posts: 42
Joined: Tue Feb 13, 2018 7:27 pm

Re: Native VLAN

Fri Jun 28, 2019 9:46 am

Thank you for your response.
@mkx: It doesn't work when I enable vlan-filtering.
Also, I tried to add ether4 as a local guest laptop port on VLAN 10 by adding untagged=ether4 to the bridge vlan; when I plug in my laptop I get an IP from the VLAN 11 range, not VLAN 10.
Last edited by medharrak on Fri Jun 28, 2019 10:07 am, edited 2 times in total.
 
mkx
Forum Guru
Forum Guru
Posts: 3195
Joined: Thu Mar 03, 2016 10:23 pm

Re: Native VLAN

Fri Jun 28, 2019 4:18 pm

Please post your current full config (place it into a [ code ] environment for better readability); you can get it by executing the command "/export hide-sensitive" (without double quotes) ...
BR,
Metod
 
medharrak
newbie
Topic Author
Posts: 42
Joined: Tue Feb 13, 2018 7:27 pm

Re: Native VLAN

Fri Jun 28, 2019 6:32 pm

/interface ethernet
set [ find default-name=ether3 ] comment=Ether3 name=CnMaestro
set [ find default-name=ether4 ] comment=GUEST-Laptop name=Ether4
set [ find default-name=ether5 ] comment=Ether5 name=Ether5
set [ find default-name=ether2 ] comment=Ether2 name=WAN
set [ find default-name=ether1 ] comment=Ether1 name=WAP

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan11 vlan-id=11

/ip pool
add name=hs-pool-2 ranges=10.192.0.1-10.192.168.0
/ip dhcp-server
add address-pool=hs-pool-2 disabled=no interface=vlan10 lease-time=1h name=\
dhcp2

/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=WAP pvid=11
add bridge=bridge1 ingress-filtering=yes interface=CnMaestro pvid=11
add bridge=bridge1 interface=Ether4 pvid=10

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,WAP untagged=Ether4 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=WAP,CnMaestro vlan-ids=11

/ip address
add address=192.168.11.1/24 interface=vlan11 network=192.168.11.0
add address=10.192.168.1/16 interface=vlan10 network=10.192.0.0
 
mkx
Forum Guru
Forum Guru
Posts: 3195
Joined: Thu Mar 03, 2016 10:23 pm

Re: Native VLAN

Fri Jun 28, 2019 10:15 pm

Let's pretend that the above is full config. From that I'd say there's no way to get DHCP lease anything else than from VLAN 10 range:
  1. there's only one DHCP server bound to vlan10
  2. ether4 is untagged member of vlan10
There are many bits of information missing, such as complete configuration export and context of your LAN (any other devices on any of VLAN).

Sometimes I wonder why I even bother helping people which don't want to provide us with necessary information to solve their problem which might be out of their focus and providing only information they consider relevant doesn't help to see the big picture.
BR,
Metod
 
medharrak
newbie
Topic Author
Posts: 42
Joined: Tue Feb 13, 2018 7:27 pm

Re: Native VLAN

Sat Jun 29, 2019 9:47 am

Hi ,
I did send you the complete configuration; I have just removed what is not necessary, the Hotspot config (too much login info...).
Yes, I have only one DHCP server, which is on VLAN 10; VLAN 11 gets its IPs from the CnMaestro host (ether3), not from the Mikrotik, that's why you see just one DHCP pool.
I have just applied your configuration as it is; what I have added is untagged ether4 (my local PC) on vlan10, and I wonder why I don't get the IP from the VLAN 10 DHCP pool and get it from the VLAN 11 pool instead.
 
mkx
Forum Guru
Forum Guru
Posts: 3195
Joined: Thu Mar 03, 2016 10:23 pm

Re: Native VLAN

Sat Jun 29, 2019 2:15 pm

What's missing from your posted config is root section of /interface bridge with definition of bridges themselves.

And that I was talking about: you removed what you thought was unnecessary. If you knew what's necessary to show us, you probably wouldn't need advice in the first place ...
BR,
Metod
 
anav
Forum Guru
Forum Guru
Posts: 3122
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Native VLAN

Sat Jun 29, 2019 4:41 pm

What's missing from your posted config is root section of /interface bridge with definition of bridges themselves.

And that I was talking about: you removed what you thought was unnecessary. If you knew what's necessary to show us, you probably wouldn't need advice in the first place ...
@Young student mkx, it's Master Yoda here. I must say you are starting to be able to use and control 'The Force' of sarcasm as a true Forum Jedi!!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
medharrak
newbie
Topic Author
Posts: 42
Joined: Tue Feb 13, 2018 7:27 pm

Re: Native VLAN

Sat Jun 29, 2019 7:20 pm

You need to re-read the config; nothing is missing from the section /interface bridge: there is only one bridge interface, "bridge1".
So the whole config will be:
# serial number = 3B05024DCBAA
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether3 ] comment=Ether3 name=CnMaestro
set [ find default-name=ether4 ] comment=Ether4 name=Ether4
set [ find default-name=ether5 ] comment=Ether5 name=Ether5
set [ find default-name=ether2 ] comment=Ether2 name=WAN
set [ find default-name=ether1 ] comment=Ether1 name=WAP
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan11 vlan-id=11

/ip pool
add name=hs-pool-2 ranges=10.192.0.1-10.192.168.0
/ip dhcp-server
add address-pool=hs-pool-2 disabled=no interface=vlan10 lease-time=1h name=\
dhcp2
/ip hotspot
add address-pool=hs-pool-2 addresses-per-mac=1 name=hotspot1 profile=hsprof1

/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=WAP pvid=11
add bridge=bridge1 ingress-filtering=yes interface=CnMaestro pvid=11
add bridge=bridge1 interface=Ether4 pvid=10

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,WAP untagged=Ether4 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=WAP,CnMaestro vlan-ids=11

/ip address
add address=192.168.11.1/24 interface=vlan11 network=192.168.11.0
add address=10.192.168.1/16 interface=vlan10 network=10.192.0.0

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=WAN

/ip dhcp-server network
add address=10.192.0.0/16 comment="hotspot network" gateway=10.192.168.1
 
sindy
Forum Guru
Forum Guru
Posts: 3994
Joined: Mon Dec 04, 2017 9:19 pm

Re: Native VLAN

Sat Jun 29, 2019 9:23 pm

If you look at the first posting of your configuration, this part (interface bridge add name=bridge1) is missing there. And it is the key - as the property of that single bridge vlan-filtering=yes is missing there, it means that vlan-filtering on that bridge has a default value of no, which means that frame tagging and untagging on ports of that bridge does not happen, which is why it doesn't work the way you expect it to.

As I don't know how your management PC is connected to the device when you configure it, be sure to activate safe mode before setting vlan-filtering on the bridge to yes, as you may cut yourself off the management.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
medharrak
newbie
Topic Author
Posts: 42
Joined: Tue Feb 13, 2018 7:27 pm

Re: Native VLAN

Sat Jun 29, 2019 9:43 pm

As I mentioned in one of my posts, the issue is that when I enable vlan-filtering nothing works; at least now the WAP is broadcasting the SSID and clients can take an IP from the VLAN 10 range and reach the internet.
As for my management interface, don't bother yourself about it now; I use winbox and I'm connected on port ether5 (no VLAN is assigned to it).
 
sindy
Forum Guru
Forum Guru
Posts: 3994
Joined: Mon Dec 04, 2017 9:19 pm

Re: Native VLAN

Sat Jun 29, 2019 10:03 pm

the issue is when I enable vlan-filtering nothing work
Well, in that case you must dig deeper into the rest of the configuration :) vlan-filtering=yes is a mandatory pre-requisite for tagging/untagging the frames as they ingress/egress the bridge via one of its ports.

What was the idea behind setting ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged? This property of an /interface bridge port row is also only taken into account when vlan-filtering=yes, which explains why it doesn't break things while vlan-filtering=no, and the value you've set prevents tagged frames (i.e. in your case those from the WAP tagged with VID 10) from entering the bridge. The name of the value may be misleading - while untagged really means untagged, priority-tagged actually means "bearing a tag which only carries information about priority but not about VLAN membership", which protocol-wise means tags with VLAN-ID field set to 0 which are treated as tagless (so they get retagged with the PVID of the interface on ingress). So neutralize that setting by setting ingress-filtering to no, set vlan-filtering=yes, and you should be good.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
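
A configuration check for the two settings identified in the last posts, as an added example that is not part of the original thread or of MikroTik's tooling: it parses `/export` text and reports a bridge without vlan-filtering=yes, and a port that is listed as a tagged VLAN member while it admits only untagged frames. Both sample exports are constructed from the configuration posted in the thread; the function names are hypothetical, and the rule that the frame-types restriction only counts together with ingress-filtering=yes is taken from the post above as an assumption.

```python
import shlex

# Constructed sample: bridge-related lines of the export posted in the thread.
THREAD_EXPORT = r"""
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=WAP pvid=11
add bridge=bridge1 ingress-filtering=yes interface=CnMaestro pvid=11
add bridge=bridge1 interface=Ether4 pvid=10
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,WAP untagged=Ether4 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=WAP,CnMaestro vlan-ids=11
"""

# Constructed variant with the two changes suggested at the end of the thread.
FIXED_EXPORT = (THREAD_EXPORT
                .replace("add name=bridge1", "add name=bridge1 vlan-filtering=yes")
                .replace("ingress-filtering=yes interface=WAP",
                         "ingress-filtering=no interface=WAP"))

RESTRICTED = "admit-only-untagged-and-priority-tagged"


def parse_export(text):
    """Return {section: [{key: value}, ...]} for every 'add' command."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):        # export wraps long commands with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):       # section header such as /interface bridge port
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            tokens = shlex.split(line)[1:]
            sections[current].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections


def audit(text):
    """Report the settings the thread identifies as breaking VLAN separation."""
    cfg = parse_export(text)
    findings = []
    for bridge in cfg.get("/interface bridge", []):
        if bridge.get("vlan-filtering", "no") != "yes":
            findings.append(f"{bridge['name']}: vlan-filtering is off, so pvid and "
                            "tagged/untagged membership are not applied")
    ports = {(p["bridge"], p["interface"]): p
             for p in cfg.get("/interface bridge port", [])}
    for row in cfg.get("/interface bridge vlan", []):
        for member in filter(None, row.get("tagged", "").split(",")):
            port = ports.get((row["bridge"], member))
            if port is None:           # the bridge itself (CPU port) has no port row
                continue
            if (port.get("frame-types") == RESTRICTED
                    and port.get("ingress-filtering") == "yes"):
                findings.append(f"{member}: tagged member of VLAN {row['vlan-ids']} "
                                "but the port admits only untagged frames")
    return findings


if __name__ == "__main__":
    for finding in audit(THREAD_EXPORT):
        print(finding)
```

Run against the posted export it reports both problems; on a network where VLAN 11 is management and VLAN 10 is guest traffic, the first finding also means the bridge is not separating the two at layer 2.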