Stril
Member Candidate
Topic Author
Posts: 200
Joined: Fri Nov 12, 2010 7:18 pm

Best way to configure multi-SSID-AP with VLAN-breakout

Mon Oct 05, 2020 12:43 pm

Hi!

I am just configuring some access points, with 2 SSIDs that have to break out to different VLANs on ether1.
I found multiple possibilities and hope you can help me to use the "easiest" one for the future:

Background:
SSID1 to vlan 10
SSID2 to vlan 20
Management on default VLAN 1 (untagged)

Multiple bridges:
# one bridge per VLAN: each bridge joins the SSID interfaces of one VLAN to a VLAN sub-interface on ether1
/interface bridge
add fast-forward=no name=Bridge_vlan10
add fast-forward=no name=Bridge_vlan20

# 802.1Q sub-interfaces on the trunk port
/interface vlan
add interface=ether1 name=vlan10 vlan-id=10
add interface=ether1 name=vlan20 vlan-id=20

# SSID1 on both radios + vlan10 in one bridge, SSID2 on both radios + vlan20 in the other
/interface bridge port
add bridge=Bridge_vlan10 interface=wlan1-ssid1
add bridge=Bridge_vlan10 interface=wlan2-ssid1
add bridge=Bridge_vlan10 interface=vlan10
add bridge=Bridge_vlan20 interface=wlan1-ssid2
add bridge=Bridge_vlan20 interface=wlan2-ssid2
add bridge=Bridge_vlan20 interface=vlan20

Only one bridge:
/interface bridge
add name=bridge1

# ether1 is the trunk; the SSID ports get a pvid so the bridge places their frames in the right VLAN
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wlan1-ssid1 pvid=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wlan2-ssid1 pvid=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wlan1-ssid2 pvid=20
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wlan2-ssid2 pvid=20

# VLANs 10 and 20 leave ether1 tagged
/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=10
add bridge=bridge1 tagged=ether1 vlan-ids=20

# and for the wireless interfaces (the SSID interface tags the frames itself):
/interface wireless
set wlan1-ssid1,wlan2-ssid1 vlan-id=10 vlan-mode=use-tag
set wlan1-ssid2,wlan2-ssid2 vlan-id=20 vlan-mode=use-tag

I am not sure if some of my configuration is "redundant". Can you give me a hint on how to solve this according to "best practice"?

Thank you and best wishes
Stril
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Best way to configure multi-SSID-AP with VLAN-breakout

Mon Oct 05, 2020 2:03 pm

Before you go any further, you should read this thread as the best reference on the topic.........
viewtopic.php?t=143620
 
Stril
Member Candidate
Topic Author
Posts: 200
Joined: Fri Nov 12, 2010 7:18 pm

Re: Best way to configure multi-SSID-AP with VLAN-breakout

Mon Oct 05, 2020 2:22 pm

Hi!

@anav
Thank you! This is a great post!

The "default AP-rsc" seems to be working like my "single-bridge-setup".
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: Best way to configure multi-SSID-AP with VLAN-breakout

Mon Oct 05, 2020 10:16 pm

Almost ... except that your Only one bridge doesn't really work because it lacks

/interface bridge
set [ find name=bridge1 ] vlan-filtering=yes

And you don't configure vlan-mode=use-tag vlan-id=xxx on wireless interfaces since you have pvid set on the corresponding bridge port.
 
bpwl
Forum Guru
Posts: 2994
Joined: Mon Apr 08, 2019 1:16 am

Re: Best way to configure multi-SSID-AP with VLAN-breakout

Mon Oct 05, 2020 11:19 pm

Almost ... except that your Only one bridge doesn't really work because it lacks

/interface bridge
set [ find name=bridge1 ] vlan-filtering=yes

And you don't configure vlan-mode=use-tag vlan-id=xxx on wireless interfaces since you have pvid set on the corresponding bridge port.
Confusing world for me. But I have recently been doing some experiments.
- with vlan-filtering=no, the WLAN connection works when tagged is used. (The bridge/switch did not consider the VLAN tag, and the WLAN is extracting the correct VLAN and untags.)
- with vlan-filtering=yes the WLAN interface must be a tagged interface, and the port pvid not set to the VLAN number of the WLAN, but left on default. The WLAN is used as tagged.
- with vlan-filtering=yes the WLAN interface can be untagged, but then the VLAN table must define the WLAN as an untagged interface for that specific VLAN, port pvid set to the same number.

Interesting reading was: https://wiki.mikrotik.com/wiki/Manual:W ... VLAN_Trunk.
(Not exactly this case, but at least a "bridge method" example.)
"Since RouterOS v6.41 this can be done using bridge VLAN filtering and should be used instead of any other methods (including bridging VLAN interfaces)"

@mkx: On the hAP ac2 I could not use the management link from a tagged VLAN. (Not WLAN related). Delivering untagged traffic to an ether port with pvid equal to the bridge pvid did work.
Looks similar to the "switch method" struggle for mgmt link on the hAP ac2. (viewtopic.php?f=2&t=166966#p820131)
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: Best way to configure multi-SSID-AP with VLAN-breakout

Mon Oct 05, 2020 11:39 pm

@bpwl, VLANs are indeed one of the moot points in ROS. I've managed to get around it by going strictly tagged inside the device, which means management is on a VLAN interface as well.

E.g. instead of having this
# management VLAN 99 untagged on etherX and on the bridge itself (bridge pvid=99)
/interface bridge
add name=bridge vlan-filtering=yes pvid=99
/interface bridge port
add bridge=bridge interface=etherX pvid=99
add bridge=bridge interface=etherY
/interface bridge vlan
add bridge=bridge tagged=etherY vlan-ids=42
add bridge=bridge tagged=etherY untagged=bridge,etherX vlan-ids=99
/ip address
add interface=bridge address=192.168.88.1/24

I'd rather have this:
# management VLAN 99 tagged towards the CPU: the bridge is a tagged member of VLAN 99
# and the management address sits on a VLAN interface on top of the bridge
/interface bridge
add name=bridge vlan-filtering=yes # pvid not set, inherits default value of pvid=1
/interface bridge port
add bridge=bridge interface=etherX pvid=99
add bridge=bridge interface=etherY
/interface bridge vlan
add bridge=bridge tagged=etherY vlan-ids=42
add bridge=bridge tagged=bridge,etherY untagged=etherX vlan-ids=99
/interface vlan
add interface=bridge name=MGMT vlan-id=99
/ip address
add interface=MGMT address=192.168.88.1/24

The latter config works for me just fine (in RBD52G as well). Plus this makes the bridge config more uniform: all L3 setup is done on top of VLAN interfaces, management being no exception.
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: Best way to configure multi-SSID-AP with VLAN-breakout

Mon Oct 05, 2020 11:54 pm

Confusing world for me.

Things are not that confusing. It's simple: packet, coming untagged from wireless, has to be tagged and only once.

It can either be tagged by wireless interface (by having vlan-mode=use-tag vlan-id=XX) or by bridge (having pvid=XX set on member port wlan).

If one decides to get it tagged by the wireless interface, then the bridge has to leave the tag alone. Either the bridge has to be dumb (with vlan-filtering=no) or the wireless port has to be a tagged port of the same VLAN.

Of course decision stream can go in another direction: is bridge VLAN aware or not? If not, then the only solution is to get wireless interface tagging packets. If yes, then do we want to spread VLAN-related config in multiple places or do we want to keep it under /interface bridge?


And we didn't even start to talk about CAPsMAN datapath settings ;-)
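
What the thread is arguing about (Stril's "only one bridge" config, mkx's point that it needs vlan-filtering=yes and should not also use-tag, bpwl's three observations, and the "tagged once" rule) is easier to see by walking a single frame through the bridge. The script below is an added example, not code from this thread or from RouterOS: a small Python model of the software bridge VLAN rules exactly as the posts use them (pvid applied to untagged ingress, frame-types, the ingress-filtering membership check, tag stripped on untagged egress, dumb flooding when vlan-filtering=no, and wireless vlan-mode=use-tag as "tag before the bridge"). Port names and VLAN IDs are Stril's; the scenario names, the client frames, and the assumption that a pvid makes the port a dynamic untagged member of that VLAN are mine, and a hardware-offloaded switch chip may behave differently from this model.

```python
"""Toy model of RouterOS bridge VLAN filtering (software path). Added example, not RouterOS code.
Rules modelled, and nothing else:
  vlan-filtering=no  : bridge floods every frame unchanged, tagged or not
  frame-types        : admit or drop by whether the frame carries a tag
  pvid               : untagged ingress gets that VID; port becomes an untagged member (assumption: dynamic entry)
  ingress-filtering  : drop if the ingress port is not a member of the VID
  egress             : tag kept on tagged members, stripped on untagged members
  wireless use-tag   : the wlan tags the frame before the bridge sees it
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ADMIT_ALL = "admit-all"
ADMIT_TAGGED = "admit-only-vlan-tagged"
ADMIT_UNTAGGED = "admit-only-untagged-and-priority-tagged"


@dataclass
class Port:
    name: str
    pvid: int = 1
    frame_types: str = ADMIT_ALL
    ingress_filtering: bool = False
    use_tag: Optional[int] = None  # wireless vlan-mode=use-tag vlan-id=N


@dataclass
class Bridge:
    vlan_filtering: bool
    ports: Dict[str, Port]
    tagged: Dict[int, Set[str]] = field(default_factory=dict)    # /interface bridge vlan tagged=
    untagged: Dict[int, Set[str]] = field(default_factory=dict)  # /interface bridge vlan untagged=

    def members(self, vid: int) -> Set[str]:
        dynamic = {p.name for p in self.ports.values() if p.pvid == vid}
        return self.tagged.get(vid, set()) | self.untagged.get(vid, set()) | dynamic

    def forward(self, in_port: str, vid: Optional[int]) -> Dict[str, Optional[int]]:
        """Walk one frame. vid = tag the client sent (None = untagged).
        Returns {egress port: VID on the wire, None if sent untagged}; {} means dropped."""
        src = self.ports[in_port]
        if src.use_tag is not None and vid is None:
            vid = src.use_tag                      # tagged once, by the wlan
        if not self.vlan_filtering:
            return {p: vid for p in self.ports if p != in_port}
        if vid is None and src.frame_types == ADMIT_TAGGED:
            return {}
        if vid is not None and src.frame_types == ADMIT_UNTAGGED:
            return {}
        if vid is None:
            vid = src.pvid                         # tagged once, by the bridge
        if src.ingress_filtering and in_port not in self.members(vid):
            return {}
        out: Dict[str, Optional[int]] = {}
        for p in self.members(vid) - {in_port}:
            strip = p in self.untagged.get(vid, set()) or (
                self.ports[p].pvid == vid and p not in self.tagged.get(vid, set()))
            out[p] = None if strip else vid
        return out


SSIDS = {"wlan1-ssid1": 10, "wlan2-ssid1": 10, "wlan1-ssid2": 20, "wlan2-ssid2": 20}


def single_bridge_ap(vlan_filtering: bool, use_tag: bool, frame_types: str,
                     ingress_filtering: bool = True) -> Bridge:
    """Stril's 'only one bridge' AP: four SSID ports with pvid, VLANs 10/20 tagged on ether1."""
    ports = {"ether1": Port("ether1")}
    for wlan, vid in SSIDS.items():
        ports[wlan] = Port(wlan, pvid=vid, frame_types=frame_types,
                           ingress_filtering=ingress_filtering, use_tag=vid if use_tag else None)
    return Bridge(vlan_filtering, ports, tagged={10: {"ether1"}, 20: {"ether1"}})


def wlan_tags_itself() -> Bridge:
    """bpwl's second case: filtering on, the wlan tags, and it is a tagged member with default pvid."""
    ports = {"ether1": Port("ether1"),
             "wlan1-ssid1": Port("wlan1-ssid1", frame_types=ADMIT_TAGGED, ingress_filtering=True, use_tag=10)}
    return Bridge(True, ports, tagged={10: {"ether1", "wlan1-ssid1"}})


def scenarios() -> Dict[str, Dict[str, Optional[int]]]:
    client = ("wlan1-ssid1", None)  # ordinary untagged frame from an SSID1 client
    return {
        # as posted (no vlan-filtering=yes): the wlan's own tag does all the work, ether1 sees VID 10
        "as_posted_no_filtering": single_bridge_ap(False, True, ADMIT_TAGGED).forward(*client),
        # no filtering and no use-tag: leaves ether1 untagged (management) and reaches the SSID2 radios
        "dumb_bridge_no_tag": single_bridge_ap(False, False, ADMIT_ALL).forward(*client),
        # filtering on, use-tag removed, frame-types still admit-only-vlan-tagged: every client frame dropped
        "filtering_but_admit_tagged_only": single_bridge_ap(True, False, ADMIT_TAGGED).forward(*client),
        # mkx's way: the bridge tags via pvid; ether1 tagged, the other SSID1 radio untagged, SSID2 untouched
        "pvid_tags": single_bridge_ap(True, False, ADMIT_UNTAGGED).forward(*client),
        "wlan_tags_itself": wlan_tags_itself().forward("wlan1-ssid1", None),
        # an SSID1 client sends its own 802.1Q tag for VID 20 (VLAN hopping attempt)
        "client_tag_hop_blocked": single_bridge_ap(True, False, ADMIT_UNTAGGED).forward("wlan1-ssid1", 20),
        "client_tag_hop_admitted": single_bridge_ap(True, False, ADMIT_ALL, ingress_filtering=False)
        .forward("wlan1-ssid1", 20),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32} -> {result if result else 'DROPPED'}")
```

Run it and read the last two scenarios first: on an SSID port, frame-types=admit-only-untagged-and-priority-tagged (or ingress-filtering=yes) is what stops a wireless client from hopping into VLAN 20 by putting its own 802.1Q tag on a frame; admit-all with ingress-filtering=no lets it through. The third scenario is the trap in the posted single-bridge config: drop vlan-mode=use-tag as mkx suggests but leave frame-types=admit-only-vlan-tagged on the wlan ports, and the bridge drops every untagged client frame. The second one is why a dumb bridge without use-tag is not merely "not working" but unsafe: both SSIDs and the untagged management side become one broadcast domain.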
 
bpwl
Forum Guru
Posts: 2994
Joined: Mon Apr 08, 2019 1:16 am

Re: Best way to configure multi-SSID-AP with VLAN-breakout

Tue Oct 06, 2020 2:05 am

Thanks MKX. I do have the second config. The problem was another brand device (Draytek router) that did not connect VLAN-tagged and same-VLAN-untagged on the same interface properly.
My setup WAS complex ... WAN and LAN both basically untagged streams ... with a hAP ac2 on the WAN side cabling, that had to have an SSID of the LAN side as well.

And I started configuring with an Omnitik ac(for its switch chip only, using that HW), a RB260 switch, and a hAP ac2 on the WAN side, and a wAP ac on the LAN side.
WAN and LAN defined by the Draytek (RoaS). There are multiple LAN side VLAN's (guest, iot, domotics, ....)

Well, starting the Omnitik in switch method, learning the RB260 SwOS, and using the hAP ac2 in bridge method, all at the same time, was quite a challenging learning experience.
I do understand the "pvid" / "Default VLAN id" now, I think. The SwOS has a nice interface to test those switch VLAN properties fast. The untagged WAN and LAN, and the mix of WAN VLANs and LAN VLANs added on top, could all be handled by the RB260 alone. And as the switch method is almost identical, the QCA8337 in the Omnitik could do it as well.
I enjoyed the 141 posts in viewtopic.php?f=13&t=143620
 
bpwl
Forum Guru
Posts: 2994
Joined: Mon Apr 08, 2019 1:16 am

Re: Best way to configure multi-SSID-AP with VLAN-breakout

Thu Oct 22, 2020 1:36 am

Just weird. After cleaning up my experiment (removing all VLAN settings in the Omnitik, as I could eliminate that node from my VLAN network), my home network failed every two or three days. The Draytek router crashed and reported "fraggle attack". Just by accident, while looking in the Omnitik sitting idle, just connected with ether1, I saw its DHCP lease go from offered to bound to error. Never seen that error before. Nothing in the log. The config was cleaned back to default (except for ether1 on the bridge, DHCP server removed and DHCP client on the bridge). Reboot, 10 min power off, nothing helped. Ultimately I had to reset the configuration and make the same simple changes again. All clear, network stable, DHCP lease bound for 5 days.

This VLAN stuff seems not to be cleaning up everything if just removed manually. Is it? I have no explanation for the "fraggle attack" nor for the error of the DHCP leases. Don't like hidden persistent parameters or configurations. ROS 6.47.4 related???
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Best way to configure multi-SSID-AP with VLAN-breakout

Thu Oct 22, 2020 6:40 pm

My understanding is that a "fraggle attack" (UDP broadcast) is a variant of a "smurf attack" (ICMP).

Did you not maybe have a loop somewhere, and the Draytek possibly interpreted this as a "fraggle attack"?
 
bpwl
Forum Guru
Posts: 2994
Joined: Mon Apr 08, 2019 1:16 am

Re: Best way to configure multi-SSID-AP with VLAN-breakout

Thu Oct 22, 2020 7:05 pm

My understanding is that a "fraggle attack" (UDP broadcast) is a variant of a "smurf attack" (ICMP).

Did you not maybe have a loop somewhere, and the Draytek possibly interpreted this as a "fraggle attack"?
Yes, lots of ICMP, but the cleaned-up Omnitik, with only one connection, must have caused that loop. It only stopped after the configuration reset of the Omnitik.
There was only all ethernet ports on bridge, no config in interface VLAN, bridge VLAN or switch, but I made quite some switch VLAN and bridge VLAN tests before, even combined bridge+switch VLAN.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Best way to configure multi-SSID-AP with VLAN-breakout

Fri Oct 23, 2020 3:31 pm

@bpwl,

I suspect you might be onto something here, i.e. configs not cleaning up properly. I suspect it is more a "Winbox" issue.

Was playing around with various configs re an EoIP tunnel in GNS3 on CHR 6.45.9: had the tunnel up, then made changes, tunnel down, then reverted the changes, tunnel stayed down.

Did an export of the config, copied to clipboard, reset chr in terminal, after restart pasted the exported config and tunnel came up immediately!!!!

EDIT: This can be an extremely dangerous bug!!!!!

EDIT2: I might have jumped to conclusion too quickly, my issue might have been FW connections have not timed out yet and restart of chr might have resolved the problem also, so ignore above
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Best way to configure multi-SSID-AP with VLAN-breakout

Fri Oct 23, 2020 7:14 pm


EDIT2: I might have jumped to conclusion too quickly, my issue might have been FW connections have not timed out yet and restart of chr might have resolved the problem also, so ignore above
I usually do !! ;-PP
 
charifch
newbie
Posts: 36
Joined: Sat Dec 11, 2021 4:27 pm

Re: Best way to configure multi-SSID-AP with VLAN-breakout

Wed Mar 09, 2022 11:23 am

Good morning,
I am running into a very weird problem. I have set up my MikroTik router with 2 VLANs and I am using port 2 to send the VLANs to another building through an Ethernet cable. In that building there is an unmanaged switch that distributes to 2 levels. On each of these levels, I have a TP-Link multi-SSID AP (that deals with VLANs)... Please see picture attached.
When I configure the multi-SSID AP with VLAN 10 and VLAN 100 and connect to VLAN 100 wirelessly, everything works fine except I don't see the IoT devices connected to the unmanaged switch (NAS). If I replace the VLAN 100 number in the TP-Link multi-SSID AP by VLAN 1, I still get the same IP address and then I can see the NAS, printer, etc.
For wired clients plugged into the managed switch like my PC, everything works fine also, and it can ping the NAS also.
Here is my config if you can please have a look and tell me what I am doing wrong.
Many thanks

/ip pool
add name=BASE_POOL ranges=192.168.0.100-192.168.0.254
add name=GUEST_POOL ranges=192.168.10.100-192.168.10.254
add name=dhcp_pool2 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
add address-pool=dhcp_pool2 disabled=no interface=BR1 name=defconf
/queue simple
add max-limit=2M/4M name=Queue_GUESTVLAN target=GUEST_VLAN

# bridge ports (the /interface bridge and /interface vlan sections are not in the export above)
/interface bridge port
add bridge=BR1 ingress-filtering=yes interface=ether2 pvid=100
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=100
add bridge=BR1 interface=ether4
add bridge=BR1 ingress-filtering=yes interface=ether5 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# VLAN table: ether2 and ether5 carry pvid=100 above (untagged VLAN 100) but are listed
# here as untagged members of VLAN 10 as well; BR1 is the only tagged member of VLAN 100
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=100
add bridge=BR1 tagged=BR1 untagged=ether5,ether2 vlan-ids=10
/interface list member
add interface=BR1 list=LAN
add interface=PPPoE-IAM list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=GUEST_VLAN list=VLAN
add interface=lte1 list=WAN
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=192.168.10.1/24 interface=GUEST_VLAN network=192.168.10.0
add address=192.168.88.1/24 comment=defconf interface=BR1 network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add interface=ether1

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=192.168.0.1 gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=e1f10fac4c39.sn.mynetname.net list=MyWANIP
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
# accepts everything to the router from both VLANs, GUEST_VLAN included (it is in list VLAN)
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
# final input drop: the "defconf:" input rules further down are never reached
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="LAN Internet Access" \
    connection-state=new in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Base VLAN Access to Guest VLAN" \
    in-interface=BASE_VLAN out-interface=GUEST_VLAN
add action=accept chain=forward comment="Allow forwarded ports" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
# the hairpin rule has no dst-address=192.168.0.0/24 limit, so it also masquerades
# every routed packet from 192.168.0.0/24 to other subnets (e.g. GUEST_VLAN)
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=\
    !192.168.0.1 src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=5000 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=80 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=5006 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=6690 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=5001 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=9025-9040 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=443 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=16881 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=32400 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=1194 protocol=udp to-addresses=192.168.0.10


ACC
 
404Network
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: Best way to configure multi-SSID-AP with VLAN-breakout

Wed Mar 09, 2022 2:05 pm

?????????????

This is a thread by Stril; if you have a separate issue start a new thread........
Also the image didn't come through for some reason.
