samreiss
just joined
Topic Author
Posts: 24
Joined: Sat Nov 03, 2018 5:32 am

VLAN Access Port on Access Point Issue (Hybrid Access Port)

Sat Jan 30, 2021 5:15 am

I have a MikroTik router and access point. I am connecting ether2 on the router to ether1 on the access point via a MoCA device (coax cable). I want to set up ether2 on the router as a hybrid access port, as I want it to accept tagged traffic and untagged traffic. If it sees untagged traffic, then I want it to tag that traffic with VLAN 10. However, VLAN 10 will also be tagged coming from the access point. I can get this working taking the MoCA devices out of the equation, but I really would like the MoCA devices to receive a VLAN tag of 10. The problem that I seem to be encountering is that a port cannot both be VLAN tagged and untagged at the same time. Any advice / recommendations?
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN Access Port on Access Point Issue (Hybrid Access Port)

Sat Jan 30, 2021 11:55 am

Mikrotiks don't know anything about MoCAs ... if the setup works if AP and router are connected directly by ethernet cable, then the problem is in MoCA devices ... not being transparent enough. The thing is that VLAN tags add 4 bytes of overhead to each ethernet frame so any device in the way must support at least 1504 bytes MTU.

If the setup doesn't work when both devices are directly connected, then post config of both (execute /export hide-sensitive file=anynameyouwish, exported files are plain text files).
 
samreiss
just joined
Topic Author
Posts: 24
Joined: Sat Nov 03, 2018 5:32 am

Re: VLAN Access Port on Access Point Issue (Hybrid Access Port)

Sat Jan 30, 2021 3:41 pm

Below are the Router & AP exports. Note: on the router, by changing ether2 from untagged to tagged, it does change the behavior that I see with MoCA & AP. When ether2 is tagged for VLAN 10 then devices on the AP get an IP assigned (but the MoCA device does not). When it's untagged, then the MoCA device gets an IP assigned, but the access ports on the AP don't work. Everything from the AP should be tagged, but I think the problem is that the MoCA device itself is not tagged and therefore cannot pull an IP.

Router
# jan/30/2021 07:33:35 by RouterOS 6.48
# software id = PU3F-62RK
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D4410D87938B
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=XX \
    frequency="" name=2ghz
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=XXXX \
    frequency="" name=5ghz
/interface bridge
add admin-mac=08:55:31:03:59:CE auto-mac=no name=bridge protocol-mode=none \
    vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 5805/20-eeCe/ac(27dBm)+5210/80(27dBm), SSID: PRIVATE_CAP, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-0359D8 wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(27dBm), SSID: PRIVATE_CAP, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-4AA9C4 wireless-protocol=802.11
/interface vlan
add interface=bridge name=vlan10-private vlan-id=10
add interface=bridge name=vlan20-guest vlan-id=20
add interface=bridge name=vlan30-kids vlan-id=30
add interface=bridge name=vlan99-base vlan-id=99
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=\
    datapath-10-private vlan-id=10 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=no local-forwarding=no name=\
    datapath-20-guest vlan-id=20 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=\
    datapath-30-kids vlan-id=30 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm name=security-cfg-10-private
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm name=security-cfg-20-guest
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm name=security-cfg-30-kids
/caps-man configuration
add channel=2ghz datapath=datapath-10-private mode=ap name=\
    cfg-10-private-2ghz security=security-cfg-10-private ssid=PRIVATE_CAP
add channel=5ghz datapath=datapath-10-private mode=ap name=\
    cfg-10-private-5ghz security=security-cfg-10-private ssid=PRIVATE_CAP
add channel=2ghz datapath=datapath-20-guest mode=ap name=cfg-20-guest-2ghz \
    security=security-cfg-20-guest ssid=GUEST_CAP
add channel=5ghz datapath=datapath-20-guest mode=ap name=cfg-20-guest-5ghz \
    security=security-cfg-20-guest ssid=GUEST_CAP
add channel=2ghz datapath=datapath-30-kids mode=ap name=cfg-30-kids-2ghz \
    security=security-cfg-30-kids ssid=KIDS_CAP
add channel=5ghz datapath=datapath-30-kids mode=ap name=cfg-30-kids-5ghz \
    security=security-cfg-30-kids ssid=KIDS_CAP
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=pool99 ranges=10.0.0.2-10.0.0.254
add name=pool10 ranges=10.0.10.2-10.0.10.254
add name=pool20 ranges=10.0.20.2-10.0.20.254
add name=pool30 ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=pool99 disabled=no interface=vlan99-base name=dhcp-server99
add address-pool=pool10 disabled=no interface=vlan10-private name=\
    dhcp-server10
add address-pool=pool20 disabled=no interface=vlan20-guest name=dhcp-server20
add address-pool=pool30 disabled=no interface=vlan30-kids name=dhcp-server30
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
    cfg-10-private-5ghz name-format=prefix-identity slave-configurations=\
    cfg-20-guest-5ghz,cfg-30-kids-5ghz
add action=create-dynamic-enabled master-configuration=cfg-10-private-2ghz \
    name-format=prefix-identity slave-configurations=\
    cfg-20-guest-2ghz,cfg-30-kids-2ghz
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether6 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether7 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether8 pvid=10
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=VLAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 untagged=\
    ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 vlan-ids=\
    20
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 vlan-ids=\
    30
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 vlan-ids=\
    99
/interface list member
add interface=ether1 list=WAN
add interface=vlan99-base list=BASE
add interface=vlan10-private list=VLAN
add interface=vlan20-guest list=VLAN
add interface=vlan30-kids list=VLAN
add interface=vlan99-base list=VLAN
/interface wireless cap
# 
set discovery-interfaces=vlan99-base enabled=yes interfaces=wlan1,wlan2
/ip address
add address=10.0.0.1/24 interface=vlan99-base network=10.0.0.0
add address=10.0.10.1/24 interface=vlan10-private network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-guest network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-kids network=10.0.30.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=\
    10.0.0.1 netmask=24
add address=10.0.10.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=\
    10.0.10.1 netmask=24
add address=10.0.20.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=\
    10.0.20.1 netmask=24
add address=10.0.30.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=\
    10.0.30.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=vlan99-base
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="VLAN inter-VLAN routing" \
    connection-state=new in-interface-list=VLAN
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Chicago
/system identity
set name=Router
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client
set enabled=yes server-dns-names=\
    0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/tool mac-server
set allowed-interface-list=VLAN
/tool mac-server mac-winbox
set allowed-interface-list=VLAN

AP
# jan/30/2021 07:34:07 by RouterOS 6.48
# software id = JVFK-X1M2
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 8A7D08DEEF06
/interface bridge
add admin-mac=CC:2D:E0:E0:8D:3B auto-mac=no name=bridge protocol-mode=none \
    vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2447/20-eC/gn(28dBm), SSID: PRIVATE_CAP, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-E08D41 wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5805/20-eeeC/ac(27dBm), SSID: PRIVATE_CAP, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-E08D40 wireless-protocol=802.11
/interface vlan
add interface=bridge name=vlan99-base vlan-id=99
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=sfp1 pvid=10
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1 multicast-router=disabled
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=ether2,ether3,ether4,ether5,sfp1 \
    vlan-ids=10
add bridge=bridge tagged=ether1 vlan-ids=20
add bridge=bridge tagged=ether1 vlan-ids=30
add bridge=bridge tagged=bridge,ether1 vlan-ids=99
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/interface wireless cap
# 
set bridge=bridge discovery-interfaces=vlan99-base enabled=yes interfaces=\
    wlan2,wlan1
/ip dhcp-client
add comment=defconf disabled=no interface=vlan99-base
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=10.0.0.1
/system clock
set time-zone-name=America/Chicago
/system identity
set name=AP
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN Access Port on Access Point Issue (Hybrid Access Port)

Sat Jan 30, 2021 5:14 pm

OK, so ether2 on router needs to be a trunk port tagged with VLAN 10, 20, 30, and 99 (because that's what AP expects). At the same time it needs to be untagged (member of any of VLANs for that matter) for MoCA administration. The thing is that single port can either be tagged or untagged member of certain VLAN, not both. What I'd do is to introduce another VLAN which would actually be untagged on port ether2 and tagged on bridge ... and these two would be only member interfaces. Then add additional IP subnet on top of it (together with DHCP server). Then configure firewall accordingly to allow access to those MoCA devices.

Alternative would be to configure AP to use VLAN 10 untagged on ether1, but I'm not a fan of hybrid ports used between LAN infrastructure devices (such as link between router and AP).

BTW, your firewall could benefit from some review. E.g.:
add action=accept chain=forward comment="VLAN inter-VLAN routing" \
connection-state=new in-interface-list=VLAN
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
The first rule overshadows the second one because the first rule allows to pass any connection which ingresses through any of VLAN interfaces ... which certainly includes those which specifically egress through WAN interface.
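
Added example, not part of the original thread: a Python check that reads the `/ip firewall filter` and `/interface list member` sections of an export and reports rules that can never match because an earlier rule in the same chain already decides every packet they describe. It goes slightly beyond the case named in the post by also resolving `in-interface` against interface-list membership; the function names and the set of actions treated as final are assumptions of this example.

```python
import re
import shlex

# Sample input: sections trimmed from the first router export in this thread.
EXPORT = r'''
/interface list member
add interface=ether1 list=WAN
add interface=vlan10-private list=VLAN
add interface=vlan20-guest list=VLAN
add interface=vlan30-kids list=VLAN
add interface=vlan99-base list=VLAN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=vlan99-base
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="VLAN inter-VLAN routing" \
    connection-state=new in-interface-list=VLAN
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
'''

# Assumption of this example: only these actions end rule evaluation; anything
# else (fasttrack-connection, log, passthrough, ...) is treated as non-final.
FINAL = {"accept", "drop", "reject"}
META = {"action", "chain", "comment", "disabled", "log", "log-prefix"}
LIST_OF = {"in-interface": "in-interface-list", "out-interface": "out-interface-list"}

def rows(export, section):
    """'add' lines of one export section as dicts (hypothetical helper)."""
    text = re.sub(r"\\\n\s*", "", export)  # join continuation lines
    body = text.partition(section + "\n")[2].partition("\n/")[0]
    return [dict(t.split("=", 1) for t in shlex.split(l)[1:] if "=" in t)
            for l in body.splitlines() if l.startswith("add ")]

def covers(a, b, lists):
    """True if every packet matching rule b also matches rule a.
    Conservative and syntactic: unknown cases count as 'not covered'."""
    for key, want in a.items():
        if key in META:
            continue
        have = b.get(key)
        if have is None:
            # a matches an interface list; b may name one member of that list
            iface = next((b.get(k) for k, v in LIST_OF.items() if v == key), None)
            if iface is None or iface not in lists.get(want, set()):
                return False
        elif key == "connection-state" and "!" not in want + have:
            if not set(have.split(",")) <= set(want.split(",")):
                return False
        elif have != want:
            return False
    return True

def find_shadowed(export):
    """Return [(shadowed rule comment, shadowing rule comment)] in rule order."""
    lists = {}
    for m in rows(export, "/interface list member"):
        lists.setdefault(m["list"], set()).add(m["interface"])
    rules = [r for r in rows(export, "/ip firewall filter")
             if r.get("disabled") != "yes"]
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier["chain"] == later["chain"]
                    and earlier["action"] in FINAL
                    and covers(earlier, later, lists)):
                findings.append((later.get("comment", ""), earlier.get("comment", "")))
                break
    return findings

if __name__ == "__main__":
    for shadowed, by in find_shadowed(EXPORT):
        print(f'"{shadowed}" never matches: covered by "{by}"')
```

On this export the check reports the forward-chain pair described in the post, and also the input rule for vlan99-base, which the earlier "Allow VLAN" rule already covers because vlan99-base is a member of the VLAN list.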
 
samreiss
just joined
Topic Author
Posts: 24
Joined: Sat Nov 03, 2018 5:32 am

Re: VLAN Access Port on Access Point Issue (Hybrid Access Port)

Sun Jan 31, 2021 6:48 am

Thank you! That worked (e.g. MoCA is now on VLAN11) and I've adjusted my firewall rules per your recommendation. However, I think I am still having issues with visibility of devices across VLANs. I have devices that are on the VLAN11 that can't seem to find devices on VLAN10. For example, I have a set of TIVO TV boxes that are connected to VLAN10 & some on VLAN11, but they can't seem to find each other (but they do have internet access). Are there additional firewall rules that are needed? Below is the latest router export:

# jan/30/2021 22:43:17 by RouterOS 6.48
# software id = PU3F-62RK
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D4410D87938B
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=XX \
    frequency="" name=2ghz
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=XXXX \
    frequency="" name=5ghz
/interface bridge
add admin-mac=08:55:31:03:59:CE auto-mac=no name=bridge protocol-mode=none \
    vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 5805/20-eeCe/ac(27dBm)+5210/80(27dBm), SSID: PRIVATE_CAP, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-0359D8 wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(27dBm), SSID: PRIVATE_CAP, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-4AA9C4 wireless-protocol=802.11
/interface vlan
add interface=bridge name=vlan10-private vlan-id=10
add interface=bridge name=vlan11-MoCA vlan-id=11
add interface=bridge name=vlan20-guest vlan-id=20
add interface=bridge name=vlan30-kids vlan-id=30
add interface=bridge name=vlan99-base vlan-id=99
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=\
    datapath-10-private vlan-id=10 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=no local-forwarding=no name=\
    datapath-20-guest vlan-id=20 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=\
    datapath-30-kids vlan-id=30 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm name=security-cfg-10-private
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm name=security-cfg-20-guest
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm name=security-cfg-30-kids
/caps-man configuration
add channel=2ghz datapath=datapath-10-private mode=ap name=\
    cfg-10-private-2ghz security=security-cfg-10-private ssid=PRIVATE_CAP
add channel=5ghz datapath=datapath-10-private mode=ap name=\
    cfg-10-private-5ghz security=security-cfg-10-private ssid=PRIVATE_CAP
add channel=2ghz datapath=datapath-20-guest mode=ap name=cfg-20-guest-2ghz \
    security=security-cfg-20-guest ssid=GUEST_CAP
add channel=5ghz datapath=datapath-20-guest mode=ap name=cfg-20-guest-5ghz \
    security=security-cfg-20-guest ssid=GUEST_CAP
add channel=2ghz datapath=datapath-30-kids mode=ap name=cfg-30-kids-2ghz \
    security=security-cfg-30-kids ssid=KIDS_CAP
add channel=5ghz datapath=datapath-30-kids mode=ap name=cfg-30-kids-5ghz \
    security=security-cfg-30-kids ssid=KIDS_CAP
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=pool99 ranges=10.0.0.2-10.0.0.254
add name=pool10 ranges=10.0.10.2-10.0.10.254
add name=pool20 ranges=10.0.20.2-10.0.20.254
add name=pool30 ranges=10.0.30.2-10.0.30.254
add name=pool11 ranges=10.0.11.2-10.0.11.254
/ip dhcp-server
add address-pool=pool99 disabled=no interface=vlan99-base name=dhcp-server99
add address-pool=pool10 disabled=no interface=vlan10-private name=\
    dhcp-server10
add address-pool=pool20 disabled=no interface=vlan20-guest name=dhcp-server20
add address-pool=pool30 disabled=no interface=vlan30-kids name=dhcp-server30
add address-pool=pool11 disabled=no interface=vlan11-MoCA name=dhcp-server11
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
    cfg-10-private-5ghz name-format=prefix-identity slave-configurations=\
    cfg-20-guest-5ghz,cfg-30-kids-5ghz
add action=create-dynamic-enabled master-configuration=cfg-10-private-2ghz \
    name-format=prefix-identity slave-configurations=\
    cfg-20-guest-2ghz,cfg-30-kids-2ghz
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether2 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether6 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether7 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether8 pvid=10
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=VLAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 untagged=\
    ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 vlan-ids=\
    20
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 vlan-ids=\
    30
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 vlan-ids=\
    99
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=11
/interface list member
add interface=ether1 list=WAN
add interface=vlan99-base list=BASE
add interface=vlan10-private list=VLAN
add interface=vlan20-guest list=VLAN
add interface=vlan30-kids list=VLAN
add interface=vlan99-base list=VLAN
add interface=vlan11-MoCA list=VLAN
/interface wireless cap
# 
set discovery-interfaces=vlan99-base enabled=yes interfaces=wlan1,wlan2
/ip address
add address=10.0.0.1/24 interface=vlan99-base network=10.0.0.0
add address=10.0.10.1/24 interface=vlan10-private network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-guest network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-kids network=10.0.30.0
add address=10.0.11.1/24 interface=vlan11-MoCA network=10.0.11.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=\
    10.0.0.1 netmask=24
add address=10.0.10.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=\
    10.0.10.1 netmask=24
add address=10.0.11.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=\
    10.0.11.1 netmask=24
add address=10.0.20.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=\
    10.0.20.1 netmask=24
add address=10.0.30.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=\
    10.0.30.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=vlan99-base
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="VLAN inter-VLAN routing" \
    connection-state=new in-interface-list=VLAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Chicago
/system identity
set name=Router
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client
set enabled=yes server-dns-names=\
    0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/tool mac-server
set allowed-interface-list=VLAN
/tool mac-server mac-winbox
set allowed-interface-list=VLAN
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN Access Port on Access Point Issue (Hybrid Access Port)

Sun Jan 31, 2021 8:50 pm

"Visibility" of network devices is many times based on broadcasts ... and that only works inside single L2 domain which most of times is same as IP subnet. So you'll have to rethink your network layout and requirements of individual devices. From your explanations so far your network layout is not clear to me and some sketch would probably help.
 
samreiss
just joined
Topic Author
Posts: 24
Joined: Sat Nov 03, 2018 5:32 am

Re: VLAN Access Port on Access Point Issue (Hybrid Access Port)

Mon Feb 01, 2021 6:17 am

I agree with you! Here's the relevant details:

  • The Main Router ether2 has MoCA Adapter #1 connected (the MoCA adapter allows network to be extended via coax cable).
  • There are 2 locations connected via this coax network:
    • Tivo box #1 (has built-in MoCA adapter)
    • MoCA Adapter #2 which connects to ether1 on the Access Point.
  • On the Access point, Tivo box #2 is connected to ether2.

The problem (I think) is that Tivo box #2 is a part of VLAN 10, but Tivo box #1 is on VLAN 11. Ideally, I wanted these all to be a part of VLAN 10, but was running into the issues in this post, so I created VLAN 11. However, now they can't seem to find each other. Any suggestions? I'm starting to think maybe going untagged VLAN 10 traffic on ether1 of the Access Point might be the best way to go.
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN Access Port on Access Point Issue (Hybrid Access Port)  [SOLVED]

Mon Feb 01, 2021 2:56 pm

OK, so we need to treat MoCAs as kind of a dumb switch. Since you have one Tivo box connected directly to MoCA network, some untagged traffic has to pass MoCA. And if you want to have the other Tivo device member of same subnet, then yes, you have to pass VLAN 10 untagged over MoCA network. Which means your initial (to this thread) setup of RB4011 was almost fine (you have to remove ether2 from the list of tagged ports members of VLAN 10), but your hAP ac needs ether1 untagged for VLAN 10. Mind that while setting pvid=10 on ether1, you should also change frame-types setting to frame-types=admit-all.
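
Added example, not part of the original thread: a Python check for the two bridge VLAN membership mistakes discussed here, a port that is a tagged member of its own pvid VLAN (ether2 in the first router export) and an untagged member whose frame-types still rejects untagged frames (the frame-types caveat in the post above). The sample exports are trimmed or constructed as labelled, and the function and issue names are assumptions of this example.

```python
import re
import shlex

# Trimmed from the first router export in this thread (ether2 is the MoCA/AP link).
ROUTER_BEFORE = r'''
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge interface=ether9
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether9 untagged=ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether9 vlan-ids=20
add bridge=bridge tagged=bridge,ether2,ether9 vlan-ids=99
'''
# Constructed: the same export with ether2 removed from the tagged list of VLAN 10.
ROUTER_AFTER = ROUTER_BEFORE.replace(
    "tagged=bridge,ether2,ether9 untagged=ether3",
    "tagged=bridge,ether9 untagged=ether3")

# Constructed: AP with ether1 made untagged in VLAN 10 but frame-types left as it was.
AP_HALF_DONE = r'''
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=10
/interface bridge vlan
add bridge=bridge untagged=ether1,ether2 vlan-ids=10
add bridge=bridge tagged=ether1 vlan-ids=20,30
add bridge=bridge tagged=bridge,ether1 vlan-ids=99
'''
# Constructed: the same AP export with frame-types=admit-all on ether1.
AP_FIXED = AP_HALF_DONE.replace("admit-only-vlan-tagged", "admit-all")

def rows(export, section):
    """'add' lines of one export section as dicts (hypothetical helper)."""
    text = re.sub(r"\\\n\s*", "", export)  # join continuation lines
    body = text.partition(section + "\n")[2].partition("\n/")[0]
    return [dict(t.split("=", 1) for t in shlex.split(l)[1:] if "=" in t)
            for l in body.splitlines() if l.startswith("add ")]

def vids(spec):
    """Expand a vlan-ids value such as '10', '20,30' or '100-102'."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def members(entry, key):
    return set(filter(None, entry.get(key, "").split(",")))

def lint_bridge(export):
    """Return sorted [(port, vlan_id, issue)]; issue labels are made up here."""
    # RouterOS defaults for a bridge port: pvid=1, frame-types=admit-all.
    ports = {p["interface"]: (int(p.get("pvid", 1)), p.get("frame-types", "admit-all"))
             for p in rows(export, "/interface bridge port")}
    known, issues = set(ports), set()
    for entry in rows(export, "/interface bridge vlan"):
        tagged, untagged = members(entry, "tagged"), members(entry, "untagged")
        for vid in vids(entry["vlan-ids"]):
            for port in tagged & untagged & known:
                issues.add((port, vid, "both-tagged-and-untagged"))
            for port in (tagged - untagged) & known:
                pvid, frames = ports[port]
                # Untagged ingress lands in this VLAN, but replies leave tagged.
                if pvid == vid and frames != "admit-only-vlan-tagged":
                    issues.add((port, vid, "tagged-on-own-pvid"))
            for port in untagged & known:
                pvid, frames = ports[port]
                if frames == "admit-only-vlan-tagged":
                    issues.add((port, vid, "untagged-member-drops-untagged"))
                elif pvid != vid:
                    issues.add((port, vid, "untagged-member-pvid-mismatch"))
    return sorted(issues)

if __name__ == "__main__":
    for name in ("ROUTER_BEFORE", "ROUTER_AFTER", "AP_HALF_DONE", "AP_FIXED"):
        print(name, lint_bridge(globals()[name]))
```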
 
samreiss
just joined
Topic Author
Posts: 24
Joined: Sat Nov 03, 2018 5:32 am

Re: VLAN Access Port on Access Point Issue (Hybrid Access Port)

Tue Feb 02, 2021 5:58 am

I am going to accept your answer because you have definitely resolved my problem. Thank you! But, I'm hoping you can help with one more thing aligned to this - Everything is working in this configuration except for CAPsMAN with local forwarding (CAPsMAN forwarding working as expected but is slower, so would like to use local forwarding). The wireless for VLAN 20 & 30 work in either mode, however VLAN 10 (Private_CAP) does not work in local forwarding mode. Note: I have CAPsMAN running on both the router & ap.

Router
# feb/01/2021 21:50:36 by RouterOS 6.48
# software id = PU3F-62RK
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D4410D87938B
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=XX \
    frequency="" name=2ghz reselect-interval=1m
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=XXXX \
    frequency="" name=5ghz reselect-interval=1m
/interface bridge
add admin-mac=08:55:31:03:59:CE auto-mac=no name=bridge protocol-mode=none \
    vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(27dBm)+5775/80(27dBm), SSID: PRIVATE_CAP, local forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-0359D8 \
    wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2447/20-eC/gn(27dBm), SSID: PRIVATE_CAP, local forwarding
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-4AA9C4 wireless-protocol=802.11
/interface vlan
add interface=bridge name=vlan10-private vlan-id=10
add interface=bridge name=vlan11-MoCA vlan-id=11
add interface=bridge name=vlan20-guest vlan-id=20
add interface=bridge name=vlan30-kids vlan-id=30
add interface=bridge name=vlan99-base vlan-id=99
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=\
    datapath-10-private vlan-id=10 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=no local-forwarding=yes name=\
    datapath-20-guest vlan-id=20 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=\
    datapath-30-kids vlan-id=30 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm name=security-cfg-10-private
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm name=security-cfg-20-guest
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm name=security-cfg-30-kids
/caps-man configuration
add channel=2ghz country="united states3" datapath=datapath-10-private mode=\
    ap name=cfg-10-private-2ghz security=security-cfg-10-private ssid=\
    PRIVATE_CAP
add channel=5ghz country="united states3" datapath=datapath-10-private mode=\
    ap name=cfg-10-private-5ghz security=security-cfg-10-private ssid=\
    PRIVATE_CAP
add channel=2ghz country="united states3" datapath=datapath-20-guest mode=ap \
    name=cfg-20-guest-2ghz security=security-cfg-20-guest ssid=GUEST_CAP
add channel=5ghz country="united states3" datapath=datapath-20-guest mode=ap \
    name=cfg-20-guest-5ghz security=security-cfg-20-guest ssid=GUEST_CAP
add channel=2ghz country="united states3" datapath=datapath-30-kids mode=ap \
    name=cfg-30-kids-2ghz security=security-cfg-30-kids ssid=KIDS_CAP
add channel=5ghz country="united states3" datapath=datapath-30-kids mode=ap \
    name=cfg-30-kids-5ghz security=security-cfg-30-kids ssid=KIDS_CAP
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=pool99 ranges=10.0.0.2-10.0.0.254
add name=pool10 ranges=10.0.10.2-10.0.10.254
add name=pool20 ranges=10.0.20.2-10.0.20.254
add name=pool30 ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=pool99 disabled=no interface=vlan99-base name=dhcp-server99
add address-pool=pool10 disabled=no interface=vlan10-private name=\
    dhcp-server10
add address-pool=pool20 disabled=no interface=vlan20-guest name=dhcp-server20
add address-pool=pool30 disabled=no interface=vlan30-kids name=dhcp-server30
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
    cfg-10-private-5ghz name-format=prefix-identity slave-configurations=\
    cfg-20-guest-5ghz,cfg-30-kids-5ghz
add action=create-dynamic-enabled master-configuration=cfg-10-private-2ghz \
    name-format=prefix-identity slave-configurations=\
    cfg-20-guest-2ghz,cfg-30-kids-2ghz
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether6 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether7 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether8 pvid=10
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=VLAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether9,ether10,sfp-sfpplus1 untagged=\
    ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 vlan-ids=\
    20
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 vlan-ids=\
    30
add bridge=bridge tagged=bridge,ether2,ether9,ether10,sfp-sfpplus1 vlan-ids=\
    99
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=11
/interface list member
add interface=ether1 list=WAN
add interface=vlan99-base list=BASE
add interface=vlan10-private list=VLAN
add interface=vlan20-guest list=VLAN
add interface=vlan30-kids list=VLAN
add interface=vlan99-base list=VLAN
add interface=vlan11-MoCA list=VLAN
/interface wireless cap
# 
set bridge=bridge discovery-interfaces=vlan99-base enabled=yes interfaces=\
    wlan1,wlan2
/ip address
add address=10.0.0.1/24 interface=vlan99-base network=10.0.0.0
add address=10.0.10.1/24 interface=vlan10-private network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-guest network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-kids network=10.0.30.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=\
    10.0.0.1 netmask=24
add address=10.0.10.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=\
    10.0.10.1 netmask=24
add address=10.0.20.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=\
    10.0.20.1 netmask=24
add address=10.0.30.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=\
    10.0.30.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=vlan99-base
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="VLAN inter-VLAN routing" \
    connection-state=new in-interface-list=VLAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Chicago
/system identity
set name=Router
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client
set enabled=yes server-dns-names=\
    0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/tool mac-server
set allowed-interface-list=VLAN
/tool mac-server mac-winbox
set allowed-interface-list=VLAN

AP
# feb/01/2021 21:51:34 by RouterOS 6.48
# software id = JVFK-X1M2
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 8A7D08DEEF06
/interface bridge
add admin-mac=CC:2D:E0:E0:8D:3B auto-mac=no name=bridge protocol-mode=none \
    vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2447/20-eC/gn(28dBm), SSID: PRIVATE_CAP, local forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-E08D41 wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5805/20-eeeC/ac(27dBm), SSID: PRIVATE_CAP, local forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-E08D40 \
    wireless-protocol=802.11
/interface vlan
add interface=bridge name=vlan99-base vlan-id=99
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=sfp1 pvid=10
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge ingress-filtering=yes interface=ether1 multicast-router=\
    disabled pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge untagged=ether1,ether2,ether3,ether4,ether5,sfp1 vlan-ids=\
    10
add bridge=bridge tagged=ether1 vlan-ids=20
add bridge=bridge tagged=ether1 vlan-ids=30
add bridge=bridge tagged=bridge,ether1 vlan-ids=99
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/interface wireless cap
# 
set bridge=bridge discovery-interfaces=vlan99-base enabled=yes interfaces=\
    wlan2,wlan1
/ip dhcp-client
add comment=defconf disabled=no interface=vlan99-base
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=10.0.0.1
/system clock
set time-zone-name=America/Chicago
/system identity
set name=AP
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN Access Port on Access Point Issue (Hybrid Access Port)

Tue Feb 02, 2021 4:57 pm

I'm no expert for CAPsMAN, but from my limited experience ... you should not add wlan interfaces to the bridge explicitly, they get added automatically. Manual settings are probably not overridden, hence the possibility of misbehaviour.
If capsman datapath setting is local-forwarding=yes, then wlan interface gets dynamically added to AP's bridge which is set in
/interface wireless cap
set bridge=bridge discovery-interfaces=vlan99-base enabled=yes interfaces=wlan2,wlan1

After wireless gets provisioned on AP, you can run /interface bridge port print and /interface bridge vlan print to see the running configuration (export doesn't show dynamic entries). My own case is slightly different, because my CAP has VLANs configured on switch-chip and bridge VLAN settings don't matter at all. The wlan interface as a bridge member port has pvid set (to the value configured in capsman datapath), but it is ignored because vlan-filtering is disabled on the bridge. And I don't know what it should look like with bridge VLAN config, could well be that PVID will be set to the appropriate VID anyway.
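The overlap described in the reply above (wlan interfaces handed to CAPsMAN in /interface wireless cap and also added by hand under /interface bridge port) can be spotted offline in an export file, since exports list only static entries. The following is an added example, not part of the original posts: the function names are hypothetical and SAMPLE_EXPORT is constructed from a few lines of the AP export quoted in the thread.

```python
import re

# Constructed sample: a few lines trimmed from the AP export quoted in the thread.
SAMPLE_EXPORT = r"""
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge ingress-filtering=yes interface=ether1 multicast-router=\
    disabled pvid=10
/interface wireless cap
set bridge=bridge discovery-interfaces=vlan99-base enabled=yes interfaces=\
    wlan2,wlan1
"""

def parse_export(text):
    """Return {section: [param dict per add/set line]} for a RouterOS export."""
    # A trailing backslash continues the line; the next line's indent is dropped.
    joined = re.sub(r"\\\n[ \t]*", "", text)
    sections, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current and line.split(" ", 1)[0] in ("add", "set"):
            # key=value pairs; values may be double-quoted and contain spaces.
            pairs = re.findall(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)', line)
            sections[current].append({k: v.strip('"') for k, v in pairs})
    return sections

def static_cap_bridge_ports(text):
    """Interfaces given to CAPsMAN that are also static bridge ports."""
    sections = parse_export(text)
    cap_ifaces = set()
    for entry in sections.get("/interface wireless cap", []):
        if entry.get("enabled") == "yes":
            cap_ifaces.update(filter(None, entry.get("interfaces", "").split(",")))
    static = {e.get("interface") for e in sections.get("/interface bridge port", [])}
    return sorted(cap_ifaces & static)

if __name__ == "__main__":
    for name in static_cap_bridge_ports(SAMPLE_EXPORT):
        print(f"{name}: CAP-managed interface is also a static bridge port")
```

An empty result only means no static overlap; the dynamic ports CAPsMAN creates still have to be checked on the device with the print commands mentioned above.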
 
samreiss
just joined
Topic Author
Posts: 24
Joined: Sat Nov 03, 2018 5:32 am

Re: VLAN Access Port on Access Point Issue (Hybrid Access Port)

Wed Feb 03, 2021 5:55 am

That was exactly it! Thank you! All working now! I really appreciate all the help on this post! Have a fantastic day!
 
allen112
just joined
Posts: 1
Joined: Thu Feb 04, 2021 12:03 pm

Re: VLAN Access Port on Access Point Issue (Hybrid Access Port)

Thu Feb 04, 2021 12:12 pm

great...thanks for the information, really helpful
