bradi
just joined
Topic Author
Posts: 8
Joined: Wed Mar 10, 2021 2:28 am

RB4011 > hAP AC Lite VLAN configuration

Sun Mar 21, 2021 3:23 am

Hi, I have a newly purchased MikroTik RB4011iGS+5HacQ2HnD router which I would like to integrate into my existing home network and utilise VLANs to isolate network traffic. TL;DR below.

My current setup has a pfSense Firewall connected to Fibre Internet. I have 3 physical locations that I need to provide connectivity to; Front House, Cabin and Back House, all connected via CAT5E Ethernet. I have a MikroTik hAP-ac-lite in the Front House, a Netgear WNR3500L in the Cabin and an Asus RT-AC3200 in the Back House all connected through the Firewall to the Internet.

Internet > Firewall > 192.168.1.0/24 = Back House Network devices including Cabin Netgear WNR3500L
Firewall > hAP-ac-lite > 192.168.2.0/24 = Front House devices

There are about 40 devices on this network ranging from end user devices (PCs, Tablets, Laptops, Phones, etc) to smart devices (Chromecasts, Home automation controllers, Game Consoles, etc) to Servers (NAS, Web, Email, etc) to Network devices (Switches, Routers, Firewalls) which all have varying security profiles (Untrusted, Trusted, Insecure, Guest, Secure, etc) and require differing management and access controls.

Below is an image of where I would like to get to in terms of network isolation:
55-Woodford.png
My initial configuration has got the trunk between the Firewall to the RB-4011 configured and serving the Cabin_VLAN200 and another trunk between the Firewall to a NetGear ProSafe switch serving the Server_VLAN50 and Back_VLAN100. Layer 3 Routing and DHCP is being provided by the Firewall and working correctly for these VLANs.

I am having problems understanding the correct (or most correct) way to achieve the above. I have read differing statements on forums, in documentation and in practice things are not really making sense to me. Most of the time I configure anything further on the RB-4011 or hAP AC Lite I lock myself out of the device (although interestingly traffic still flows just fine) and have to reset it to defaults and start over. I have zero problems with either the Firewall or the Netgear Switch. I can even get VLANs running on the Asus RT-AC3200 (I am wanting to discontinue this device), but there is something I am not understanding with the MikroTik configurations.

TL;DR:
Is this configuration possible with this hardware utilising VLANs on a Bridge? Is there a better way to configure this?
Do I need to tag the default Bridge with all the VLANs I will be using, or is the bridge dynamically added? Tagging the Bridge results in loss of access.
How do I assign an IP address to the bridge that exists in VLAN50? Just adding "192.168.5.254/24" to the bridge only ever replies locally and then prevents further access to the device.
How do I remove VLAN1 without removing access to everything on the networks connected via the MikroTik devices? Doing this results in loss of access.
Last edited by bradi on Wed Mar 24, 2021 4:14 pm, edited 1 time in total.
 
bradi
just joined
Topic Author
Posts: 8
Joined: Wed Mar 10, 2021 2:28 am

Re: RB4011 > hAP AC Lite VLAN configuration

Tue Mar 23, 2021 5:18 am

I have included the current configs I forgot to add to my initial post and I have some more questions.

Do I need to set the VLAN ID on the Wireless interface or the bridge port for Wireless VLANs to work?
Do I need to run another network cable to each device to use as the Management port (VLAN50)?
If I am utilising multiple virtual SSIDs (and VLANs) do I need to trunk (tag) the Wifi interfaces?
Should I trunk (tag) the Wifi interfaces in a separate bridge? What is the advantage / disadvantage of this if it works?

Firewall_Interfaces.png
Firewall_VLANs.png
RB4011 Config
# mar/23/2021 16:10:29 by RouterOS 6.48.1
# software id = 0IZ2-R8JF
#
# model = RB4011iGS+5HacQ2HnD

/interface bridge
add name=RB-4011_Bridge vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] name=Eth1_Firewall
set [ find default-name=ether2 ] name=Eth2_Cabin
set [ find default-name=ether3 ] name=Eth3_House

/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0

/interface wireless security-profiles
set [ find default=yes ] authentication-types=\
    wpa-psk,wpa2-psk,wpa-eap,wpa2-eap eap-methods="" group-ciphers=\
    tkip,aes-ccm management-protection=required mschapv2-username=DENIED \
    supplicant-identity=RB-4011 tls-mode=verify-certificate-with-crl \
    unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm \
    management-protection=allowed mode=dynamic-keys name=BACK-PSK \
    supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    required mode=dynamic-keys name=BACK-GUEST-PSK supplicant-identity=\
    MikroTik
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm \
    management-protection=allowed mode=dynamic-keys name=BACK-RADIUS \
    supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm

/interface wireless
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country="new zealand" disabled=no distance=indoors frequency=auto \
    hide-ssid=yes installation=indoor max-station-count=10 mode=ap-bridge \
    name=WLAN-2G radio-name=BACK-WLAN-2G security-profile=BACK-PSK ssid=\
    BACK-2G vlan-id=400 wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country="new zealand" disabled=no distance=indoors \
    frequency=auto hide-ssid=yes installation=indoor max-station-count=10 \
    mode=ap-bridge name=WLAN-5G radio-name=BACK-WLAN-5G security-profile=\
    BACK-PSK ssid=BACK-5G station-roaming=enabled vlan-id=400 \
    wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=00:00:00:00:00:00 \
    master-interface=WLAN-2G max-station-count=5 multicast-buffering=disabled \
    name=BACK-GUEST-2G security-profile=BACK-GUEST-PSK ssid=BACK-GUEST-2G \
    vlan-id=500 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=00:00:00:00:00:00 \
    master-interface=WLAN-5G max-station-count=5 multicast-buffering=disabled \
    name=BACK-GUEST-5G security-profile=BACK-GUEST-PSK ssid=BACK-GUEST-5G \
    vlan-id=500 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled

/interface bridge port
add bridge=RB-4011_Bridge interface=Eth1_Firewall
add bridge=RB-4011_Bridge interface=Eth2_Cabin pvid=200
add bridge=RB-4011_Bridge interface=Eth3_House
add bridge=RB-4011_Bridge interface=ether4
add bridge=RB-4011_Bridge interface=ether5
add bridge=RB-4011_Bridge interface=ether6
add bridge=RB-4011_Bridge interface=ether7
add bridge=RB-4011_Bridge interface=ether8
add bridge=RB-4011_Bridge interface=ether9
add bridge=RB-4011_Bridge interface=ether10
add bridge=RB-4011_Bridge interface=sfp-sfpplus1
add bridge=RB-4011_Bridge interface=WLAN-5G
add bridge=RB-4011_Bridge interface=WLAN-2G pvid=400

/interface bridge vlan
# port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry
add bridge=RB-4011_Bridge tagged=Eth1_Firewall,Eth3_House vlan-ids=\
    1,50,100,200,300,400,500,600

/ip address
add address=192.168.1.254/24 interface=RB-4011_Bridge network=192.168.1.0

/ip dns
set servers=192.168.1.1

/ip route
add distance=1 gateway=192.168.1.1
hAP-AC-Lite Config
# mar/23/2021 16:02:43 by RouterOS 6.48.1
# software id = MJZA-JEPP
#
# model = RouterBOARD 952Ui-5ac2nD

/interface bridge
add admin-mac=CC:2D:E0:DA:21:1A auto-mac=no name=HAP-AC-LITE_Bridge \
    vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] comment="Trunk to RB-4011_Eth3" name=\
    Eth1_RB-4011
set [ find default-name=ether2 ] name=Eth2
set [ find default-name=ether3 ] name=Eth3
set [ find default-name=ether4 ] name=Eth4
set [ find default-name=ether5 ] name=Eth5

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=FRONT_Security_Profile \
    supplicant-identity=""

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country="new zealand" disabled=no distance=indoors frequency=auto \
    installation=indoor max-station-count=10 mode=ap-bridge name=\
    FRONT_2G_WLAN1 radio-name=FRONT-2G security-profile=\
    FRONT_Security_Profile ssid=FRONT-2G vlan-id=400 wireless-protocol=802.11 \
    wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country="new zealand" disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge name=FRONT_5G_WLAN2 \
    radio-name=FRONT-5G security-profile=FRONT_Security_Profile ssid=FRONT-5G \
    vlan-id=400 wireless-protocol=802.11

/interface bridge port
add bridge=HAP-AC-LITE_Bridge interface=Eth1_RB-4011
add bridge=HAP-AC-LITE_Bridge interface=Eth2
add bridge=HAP-AC-LITE_Bridge interface=Eth3
add bridge=HAP-AC-LITE_Bridge interface=Eth4
add bridge=HAP-AC-LITE_Bridge interface=Eth5
add bridge=HAP-AC-LITE_Bridge interface=FRONT_2G_WLAN1 pvid=400
add bridge=HAP-AC-LITE_Bridge interface=FRONT_5G_WLAN2 pvid=400

/interface bridge vlan
# port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry
add bridge=HAP-AC-LITE_Bridge tagged=Eth1_RB-4011 vlan-ids=1,50,300,400,500,600

Appreciate any advice, pointers or assistance.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB4011 > hAP AC Lite VLAN configuration

Tue Mar 23, 2021 12:03 pm

Do I need to tag the default Bridge with all the VLANs I will be using or is the bridge dynamically added? Tagging the Bridge results in loss of access.
What do you mean by "tagging the bridge"? Frames can be tagged and untagged, bridges cannot.

The bridge forwards a frame with any VLAN ID that makes it to it; you can configure which VLANs are allowed on which port and whether frames belonging to these VLANs should be tagged on ingress & untagged on egress through that port or left intact.

Please have a look at this post and tell me whether it has helped.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011 > hAP AC Lite VLAN configuration

Tue Mar 23, 2021 2:31 pm

So the Orange firewall does all the Routing and DHCP service and the RB4011 is just a VLAN bridge type entity (switch)?? Seems like a waste but oh well.

1. Your Bridge port wlan-5G needs a PVID, as devices attached are not vlan smart. (add pvid=500)
2. Remove reference to vlan in wireless settings!! "vlan-id=400", this identification is carried out in bridge port settings and bridge vlan settings.
3. Remove reference to vlan in wireless settings!! "vlan-id=500", this identification is carried out in bridge port settings and bridge vlan settings (once you fix the above)

In general
Trunk ports should get ingress-filtering=yes and admit only tagged frames.
Access ports should get ingress-filtering=yes and admit only priority and untagged frames.
Hybrid ports should get ingress-filtering=yes.
DO NOT USE VLAN 1 in the configuration, it is the default pvid vlan ID on the bridge itself and should remain there.

4. The bridge vlan error:
# port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry
TO
/interface bridge vlan
add bridge=RB-4011_Bridge tagged=RB-4011_Bridge,Eth1_Firewall,Eth3_House untagged=WLAN-5G vlan-ids=500
add bridge=RB-4011_Bridge tagged=RB-4011_Bridge,Eth1_Firewall,Eth3_House untagged=WLAN-2G vlan-ids=400
add bridge=RB-4011_Bridge tagged=RB-4011_Bridge,Eth1_Firewall,Eth3_House untagged=Eth2_Cabin vlan-ids=200
add bridge=RB-4011_Bridge tagged=RB-4011_Bridge,Eth1_Firewall,Eth3_House vlan-ids=\
50,300,600

Note: It's not clear to me why vlan 50 is being sent to the RB4011 and it does not seem to be sent to the house in your diagram??
Note: Technically it's not required to add the untagged entries above like I have done because the router will automatically create them dynamically based on the bridge port rules, but I like to add them because I can visually map everything together.

AS FOR THE HAPACLite
SAME COMMENTS APPLY ref vlan ID in the wireless config - remove!
Fix up the other stuff which you didn't make visible according to the above.

Your best reference is, understanding Sindy's diagram and then reading this
viewtopic.php?f=23&t=143620
Last edited by anav on Tue Mar 23, 2021 2:55 pm, edited 2 times in total.
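Worked example, added by the editor and not part of anav's reply or bradi's export: the RB-4011 bridge ports and VLAN table rewritten to follow the rules above (pvid on every access port, no vlan-id on the wireless interfaces, frame-types and ingress-filtering per port role, one bridge vlan entry per VLAN, VLAN 1 untouched) and sindy's point that tagged/untagged is decided per port, not per bridge. Interface and VLAN names are the ones from bradi's posted config. Two assumptions: both main SSIDs (WLAN-2G, WLAN-5G) belong in VLAN 400 with the guest SSIDs in 500, and the bridge itself only needs to be a member of the management VLAN 50. VLAN filtering is switched on last so the table is complete before the bridge starts enforcing it, which is the usual cause of the lock-outs described in the first post.

```routeros
# Added example (not bradi's export, not anav's text). Names from the thread;
# VLAN membership of the wireless interfaces is an assumption (400 main, 500 guest).

/interface bridge
add name=RB-4011_Bridge vlan-filtering=no

# Trunks toward the firewall and the hAP: tagged frames only.
/interface bridge port
add bridge=RB-4011_Bridge interface=Eth1_Firewall ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged
add bridge=RB-4011_Bridge interface=Eth3_House ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged

# Access ports: pvid places untagged frames into one VLAN. The wireless
# interfaces carry no vlan-id of their own; the bridge does the tagging.
add bridge=RB-4011_Bridge interface=Eth2_Cabin pvid=200 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=RB-4011_Bridge interface=WLAN-2G pvid=400 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=RB-4011_Bridge interface=WLAN-5G pvid=400 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=RB-4011_Bridge interface=BACK-GUEST-2G pvid=500 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=RB-4011_Bridge interface=BACK-GUEST-5G pvid=500 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

# One entry per VLAN, so the untagged members are explicit and the export no
# longer warns about a pvid port sitting in a multi-VLAN untagged group.
# VLAN 1 is left alone. The bridge itself is tagged only in VLAN 50.
/interface bridge vlan
add bridge=RB-4011_Bridge vlan-ids=50 tagged=RB-4011_Bridge,Eth1_Firewall,Eth3_House
add bridge=RB-4011_Bridge vlan-ids=100 tagged=Eth1_Firewall
add bridge=RB-4011_Bridge vlan-ids=200 tagged=Eth1_Firewall untagged=Eth2_Cabin
add bridge=RB-4011_Bridge vlan-ids=300 tagged=Eth1_Firewall,Eth3_House
add bridge=RB-4011_Bridge vlan-ids=400 tagged=Eth1_Firewall,Eth3_House \
    untagged=WLAN-2G,WLAN-5G
add bridge=RB-4011_Bridge vlan-ids=500 tagged=Eth1_Firewall,Eth3_House \
    untagged=BACK-GUEST-2G,BACK-GUEST-5G
add bridge=RB-4011_Bridge vlan-ids=600 tagged=Eth1_Firewall,Eth3_House

# Enforce the table only once it is complete. Run this from a safe-mode
# session (Ctrl+X in the terminal) so a wrong entry rolls back instead of
# locking you out of the device.
/interface bridge set RB-4011_Bridge vlan-filtering=yes
```

With frame-types set this way, an untagged frame arriving on Eth1_Firewall (the firewall's untagged 192.168.1.0/24 side) is dropped rather than landing in VLAN 1, which is the intended outcome once VLAN 1 is no longer used for anything.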
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB4011 > hAP AC Lite VLAN configuration

Tue Mar 23, 2021 2:42 pm

Our on-duty configuration parser @anav missed this question:
How do I assign an IP address to the bridge that exists in VLAN50? as just adding "192.168.5.254/24" to the bridge only ever replies locally and then prevents further access to the device.

For this you'll have to add the bridge (the interface; it should be clear what I'm talking about after you understand the thread about the bridge by @sindy) as a tagged member of VLAN 50. Then construct a vlan interface (in /interface vlan) with the appropriate VLAN ID and attach the management IP address to it.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011 > hAP AC Lite VLAN configuration

Tue Mar 23, 2021 2:52 pm

Our on-duty configuration parser @anav missed this question:
How do I assign an IP address to the bridge that exists in VLAN50? as just adding "192.168.5.254/24" to the bridge only ever replies locally and then prevents further access to the device.

For this you'll have to add the bridge (the interface; it should be clear what I'm talking about after you understand the thread about the bridge by @sindy) as a tagged member of VLAN 50. Then construct a vlan interface (in /interface vlan) with the appropriate VLAN ID and attach the management IP address to it.
Hi MKX, I had actually contemplated answering this question but was baffled by the RB4011 being the non-router in this equation.
So the answer is already noted in that I talked about vlan50 at the RB4011 and in the config sent to the hapac but not showing in any outputs of the hapac.

So the correct answer is add vlan50 to the trunk port of the RB coming from the pfSense orange monster and on the trunk port to the hapac.
Both the RB4011 and HAPAC should get an IP address from the vlan50 subnet. Done!!

SO this is still correct for the RB4011
add bridge=RB-4011_Bridge tagged=RB-4011_Bridge,Eth1_Firewall,Eth3_House vlan-ids=\
50,300,600

This would apply for the Hapac
/interface bridge port
add bridge=HAP-AC-LITE_Bridge interface=Eth1_RB-4011
add bridge=HAP-AC-LITE_Bridge interface=Eth2
add bridge=HAP-AC-LITE_Bridge interface=Eth3 pvid=300??
add bridge=HAP-AC-LITE_Bridge interface=Eth4
add bridge=HAP-AC-LITE_Bridge interface=Eth5
add bridge=HAP-AC-LITE_Bridge interface=FRONT_2G_WLAN1 pvid=400
add bridge=HAP-AC-LITE_Bridge interface=FRONT_5G_WLAN2 pvid=500
add bridge=HAP-AC-LITE_Bridge interface=FRONT_5G_???GUEST pvid=600


/interface bridge vlan
add bridge=HAP-AC-LITE_Bridge tagged=Eth1_RB-4011 untagged=FRONT_5G_WLAN2 vlan-ids=500
add bridge=HAP-AC-LITE_Bridge tagged=Eth1_RB-4011 untagged=FRONT_2G_WLAN1 vlan-ids=400
add bridge=HAP-AC-LITE_Bridge tagged=Eth1_RB-4011 untagged=WLAN????GUEST vlan-ids=600
add bridge=HAP-AC-LITE_Bridge tagged=HAP-AC-LITE_Bridge,Eth1_RB-4011 untagged=Eth3 vlan-ids=300
add bridge=HAP-AC-LITE_Bridge tagged=HAP-AC-LITE_Bridge,Eth1_RB-4011 vlan-ids=50

Note: what I cannot remember is why the Bridge does not have to be tagged for the wlans, and possibly Eth3; need mkx or Sindy intervention to explain!!
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB4011 > hAP AC Lite VLAN configuration

Tue Mar 23, 2021 7:23 pm

The wlan interface is historically capable of dealing with VLANs itself. If a wlan interface has vlan-id=400 vlan-mode=use-tag (set in the /interface wireless section), then from the bridge's point of view this is a tagged port and it should be added as a tagged member to the appropriate VLAN.
If, OTOH, one uses wlan interface as untagged (i.e. with no vlan-related settings on wlan interface), then everything should be set in /interface bridge subtree: it should be added to bridge with PVID setting and should be added as untagged member of corresponding VLAN (which is actually done automagically but can be done explicitly anyway).

hAP ac lite should have PVID set on ether3 as it is (most probably) access port and connected PC is probably unaware of VLANs. This is probably true for all other ether ports (sans ether1 which is trunk towards RB4011).
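Worked example, added by the editor and not taken from the thread's exports: the two ways mkx describes for putting a hAP ac lite wireless interface into VLAN 400, side by side. Interface names are the ones from bradi's config; purely for illustration the 2 GHz radio uses the untagged (pvid) method and the 5 GHz radio the tagged (vlan-mode=use-tag) method. In a real deployment you would normally pick one method for all wlans.

```routeros
# Added example (not from the thread). Which radio uses which method is an
# arbitrary choice made here to show both side by side.

# Method 1: the wlan is an untagged access port. No VLAN settings on the
# wireless interface; the bridge tags on ingress according to pvid.
/interface wireless
set FRONT_2G_WLAN1 vlan-mode=no-tag
/interface bridge port
add bridge=HAP-AC-LITE_Bridge interface=FRONT_2G_WLAN1 pvid=400 \
    ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

# Method 2: the wireless driver tags frames itself. To the bridge this wlan
# is now a tagged port: no pvid for 400, and tagged frames only.
/interface wireless
set FRONT_5G_WLAN2 vlan-mode=use-tag vlan-id=400
/interface bridge port
add bridge=HAP-AC-LITE_Bridge interface=FRONT_5G_WLAN2 \
    ingress-filtering=yes frame-types=admit-only-vlan-tagged

# A single VLAN table entry lists each wlan on the side that matches its
# method. Listing a use-tag wlan as untagged (or a pvid wlan as tagged) is
# the mismatch that silently drops client traffic.
/interface bridge vlan
add bridge=HAP-AC-LITE_Bridge vlan-ids=400 \
    tagged=Eth1_RB-4011,FRONT_5G_WLAN2 untagged=FRONT_2G_WLAN1
```

After applying either method, `/interface bridge vlan print` should show the wlan in exactly one column for VLAN 400; a dynamic (D) entry appearing for the same wlan in the other column means the pvid and the wireless vlan settings disagree.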
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011 > hAP AC Lite VLAN configuration

Tue Mar 23, 2021 11:25 pm

You missed the question entirely LOL.
I was asking to confirm why or why not the Bridge needs to be tagged or just the incoming port on the hapac (ether1) for the vlans that are not management and not trunked elsewhere on the hapac (basic vlan into and untagged out on some port).
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB4011 > hAP AC Lite VLAN configuration

Wed Mar 24, 2021 11:07 am

I still fail to understand your question. Which bridge personality (according to classification by @sindy) are you talking about?
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011 > hAP AC Lite VLAN configuration

Wed Mar 24, 2021 1:04 pm

I'm talking about the bridge personality on the hapac.
Why is it that the wlan ports which are tagged for ether1 and untagged for the wlan port DO NOT NEED the bridge to be also tagged?
In comparison the management VLAN
needs to be tagged with ether1 AND the bridge!!

In other words explain what is needed for ether3, which is tagged with ether1 and untagged for vlanXXX as required, Does the bridge also need to be tagged and if not for the same reason as the WLAN?
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB4011 > hAP AC Lite VLAN configuration

Wed Mar 24, 2021 2:54 pm

@anav, with your mileage in ROS and VLANs I still don't get what exactly is bothering you. I'll try to answer nevertheless (but I'll probably miss the point).

Bridge personality of bridge ... just carries frames between ports ... doesn't care if they're tagged or not.

When you're talking of bridge being tagged, then it's the "the router-facing port of the virtual switch" (nomenclature by @sindy) personality you're probably referring to. And settings to that personality only affects communication between device's L3 (IP stack) and the rest of LAN. If device is not used for routing between different IP subnets and LAN features dedicated VLAN for management, then device's bridge ("the router-facing port of the virtual switch" part) only needs to be member of management VLAN. It can either be tagged or untagged, however I'm all for tagged which means bridge will be tagged member of said VLAN and will feature vlan interface (anchored off bridge) with matching vlan-id set. The rest of VLANs, passing between bridge ports, are (and should be) ignored by bridge "the router-facing port of the virtual switch" and thus this "the router-facing port of the virtual switch" is neither tagged nor untagged member of other VLANs.

One should always think about which port should participate in which VLANs and if it should be tagged or untagged. The same goes for bridge "the router-facing port of the virtual switch".
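Worked example, added by the editor and not taken from the thread: the management-only L3 presence of the hAP ac lite on VLAN 50 that mkx describes in this post and in the earlier answer about the bridge IP address. The bridge (in its "router-facing port" role) is a tagged member of the management VLAN and of nothing else, the address sits on a vlan interface anchored on the bridge, and the user VLANs only pass between real ports. Address 192.168.5.253/24 and gateway 192.168.5.1 are the values bradi posts later in the thread; the /ip service restriction is an added hardening step, not something the thread proposes. Assumed: Eth2 to Eth5 have been added as bridge ports with pvid=300; only VLANs 50 and 300 are shown.

```routeros
# Added example (not from the thread). Assumes Eth2-Eth5 are bridge ports
# with pvid=300; wireless VLANs are omitted here.

# Bridge = tagged member of the management VLAN only. VLAN 300 is forwarded
# between the trunk and the wired ports without the bridge being a member.
/interface bridge vlan
add bridge=HAP-AC-LITE_Bridge vlan-ids=50 tagged=HAP-AC-LITE_Bridge,Eth1_RB-4011
add bridge=HAP-AC-LITE_Bridge vlan-ids=300 tagged=Eth1_RB-4011 \
    untagged=Eth2,Eth3,Eth4,Eth5

# A vlan interface on top of the bridge, with the matching vlan-id, carries
# the management address. It is NOT added as a bridge port itself.
/interface vlan
add name=Server_VLAN50 interface=HAP-AC-LITE_Bridge vlan-id=50
/ip address
add address=192.168.5.253/24 interface=Server_VLAN50
/ip route
add gateway=192.168.5.1

# Added hardening: management services answer only from the management
# subnet, and the plaintext/legacy services are switched off.
/ip service
set winbox address=192.168.5.0/24
set ssh address=192.168.5.0/24
set www address=192.168.5.0/24
disable telnet
disable ftp
disable api
disable api-ssl

# Checks: HAP-AC-LITE_Bridge should appear in the tagged column of VLAN 50
# only, and the address should be bound to Server_VLAN50, not to the bridge.
/interface bridge vlan print
/ip address print
```

Putting the address on the bridge itself (as the first post tried) makes the device answer only to untagged frames on the bridge's own pvid, which is why it replied locally and then vanished once VLAN filtering applied; with the vlan interface the reply path is tagged VLAN 50 across Eth1_RB-4011, the same path management traffic arrives on.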
 
bradi
just joined
Topic Author
Posts: 8
Joined: Wed Mar 10, 2021 2:28 am

Re: RB4011 > hAP AC Lite VLAN configuration

Wed Mar 24, 2021 4:30 pm

Thank you gentlemen for your advice and wisdom. I am definitely further along with your help and can report that I now have things looking much more like my diagram (which I have also updated so the big orange box is a much smaller orange box) ;)

I have moved the House hAP-AC-Lite to Eth10 and configured my old Asus RT-AC3200 in its place for the meantime as there were comments made at dinner time about the amount of downtime... I feel like I am almost there, a bit more testing to be done. I have plans to add firewalling and RADIUS authentication for the Secure_Wifi, but for now I very much appreciate your assistance with my understanding and have put my current configs below:

RB-4011 Configuration:
# mar/25/2021 02:58:35 by RouterOS 6.48.1
# software id = 0IZ2-R8JF
#
# model = RB4011iGS+5HacQ2HnD

/interface bridge
add name=RB-4011_Bridge vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] name=Eth1_SG-2100
set [ find default-name=ether2 ] name=Eth2_Cabin
set [ find default-name=ether3 ] name=Eth3_House
set [ find default-name=ether8 ] name=Eth8_Hue_Bridge
set [ find default-name=ether10 ] name=Eth10_TMP_House

/interface vlan
add interface=RB-4011_Bridge name=Server_VLAN50 vlan-id=50

/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0

/interface wireless security-profiles
set [ find default=yes ] authentication-types=\
    wpa-psk,wpa2-psk,wpa-eap,wpa2-eap eap-methods="" group-ciphers=\
    tkip,aes-ccm management-protection=required mschapv2-username=DENIED \
    supplicant-identity=RB-4011 tls-mode=verify-certificate-with-crl \
    unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm \
    management-protection=allowed mode=dynamic-keys name=BACK-PSK \
    supplicant-identity=RB-4011 unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    required mode=dynamic-keys name=BACK-GUEST-PSK supplicant-identity=\
    RB-4011
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm \
    management-protection=allowed mode=dynamic-keys name=BACK-RADIUS \
    supplicant-identity=RB-4011 unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    required mode=dynamic-keys name=BACK-IOT-PSK supplicant-identity=RB-4011

/interface wireless
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country="new zealand" disabled=no distance=indoors frequency=auto \
    hide-ssid=yes installation=indoor max-station-count=10 mode=ap-bridge \
    name=BACK-2G radio-name=BACK-WLAN-2G security-profile=BACK-PSK ssid=\
    BACK-2G wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country="new zealand" disabled=no distance=indoors \
    frequency=auto hide-ssid=yes installation=indoor max-station-count=10 \
    mode=ap-bridge name=BACK-5G radio-name=BACK-WLAN-5G security-profile=\
    BACK-PSK ssid=BACK-5G station-roaming=enabled wireless-protocol=802.11 \
    wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=0A:55:31:10:C9:5E \
    master-interface=BACK-2G max-station-count=5 multicast-buffering=disabled \
    name=BACK-GUEST-2G security-profile=BACK-GUEST-PSK ssid=BACK-GUEST-2G \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=0A:55:31:90:46:13 \
    master-interface=BACK-5G max-station-count=5 multicast-buffering=disabled \
    name=BACK-GUEST-5G security-profile=BACK-GUEST-PSK ssid=BACK-GUEST-5G \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
    0A:55:31:10:C9:5F master-interface=BACK-2G max-station-count=5 \
    multicast-buffering=disabled name=BACK-IOT-2G security-profile=\
    BACK-IOT-PSK ssid=BACK-IOT-2G wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
    0A:55:31:90:46:14 master-interface=BACK-5G max-station-count=5 \
    multicast-buffering=disabled name=BACK-IOT-5G security-profile=\
    BACK-IOT-PSK ssid=BACK-IOT-5G wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled

/interface bridge port
add bridge=RB-4011_Bridge interface=Eth1_SG-2100
add bridge=RB-4011_Bridge interface=Eth2_Cabin pvid=200
add bridge=RB-4011_Bridge interface=Eth3_House
add bridge=RB-4011_Bridge interface=ether4 pvid=100
add bridge=RB-4011_Bridge interface=ether5 pvid=100
add bridge=RB-4011_Bridge interface=ether6 pvid=100
add bridge=RB-4011_Bridge interface=ether7 pvid=100
add bridge=RB-4011_Bridge interface=Eth8_Hue_Bridge pvid=600
add bridge=RB-4011_Bridge interface=ether9 pvid=100
add bridge=RB-4011_Bridge interface=Eth10_TMP_House
add bridge=RB-4011_Bridge interface=sfp-sfpplus1 pvid=50
add bridge=RB-4011_Bridge interface=BACK-5G pvid=400
add bridge=RB-4011_Bridge interface=BACK-2G pvid=400
add bridge=RB-4011_Bridge interface=Server_VLAN50 pvid=50
add bridge=RB-4011_Bridge interface=BACK-GUEST-2G pvid=500
add bridge=RB-4011_Bridge interface=BACK-GUEST-5G pvid=500
add bridge=RB-4011_Bridge interface=BACK-IOT-2G pvid=600
add bridge=RB-4011_Bridge interface=BACK-IOT-5G pvid=600

/interface bridge vlan
# port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry
add bridge=RB-4011_Bridge tagged=\
    RB-4011_Bridge,Eth1_SG-2100,Eth3_House,Eth10_TMP_House vlan-ids=\
    50,100,200,300,400,500,600

/ip address
add address=192.168.5.254/24 interface=Server_VLAN50 network=192.168.5.0

/ip dns
set servers=192.168.5.1

/ip route
add distance=1 gateway=192.168.5.1
hAP-AC-Lite Configuration:
# mar/25/2021 03:24:11 by RouterOS 6.48.1
# software id = MJZA-JEPP
#
# model = RouterBOARD 952Ui-5ac2nD

/interface bridge
add admin-mac=CC:2D:E0:DA:21:1A auto-mac=no name=HAP-AC-LITE_Bridge \
    vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] comment="Trunk to RB-4011_Eth3" name=\
    Eth1_RB-4011
set [ find default-name=ether2 ] name=Eth2
set [ find default-name=ether3 ] name=Eth3
set [ find default-name=ether4 ] name=Eth4
set [ find default-name=ether5 ] name=Eth5

/interface vlan
add interface=HAP-AC-LITE_Bridge name=Server_VLAN50 vlan-id=50

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=HAP-AC-LITE
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=FRONT-PSK supplicant-identity="HAP-AC-LITE"
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=FRONT-GUEST-PSK supplicant-identity="HAP-AC-LITE"
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=FRONT-IOT-PSK supplicant-identity="HAP-AC-LITE"
add authentication-types=wpa2-eap group-ciphers=tkip,aes-ccm \
    management-protection=allowed mode=dynamic-keys name=FRONT-RADIUS \
    supplicant-identity=HAP-AC-LITE unicast-ciphers=tkip,aes-ccm

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country="new zealand" disabled=no distance=indoors frequency=auto \
    hide-ssid=yes installation=indoor max-station-count=10 mode=ap-bridge \
    name=FRONT-2G radio-name=FRONT-WLAN-2G security-profile=FRONT-PSK ssid=\
    FRONT-2G wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country="new zealand" disabled=no distance=indoors \
    frequency=auto hide-ssid=yes installation=indoor max-station-count=10 \
    mode=ap-bridge name=FRONT-5G radio-name=FRONT-WLAN-5G security-profile=\
    FRONT-PSK ssid=FRONT-5G wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=CE:2D:E0:DA:21:1F \
    master-interface=FRONT-2G max-station-count=10 multicast-buffering=\
    disabled name=FRONT-GUEST-2G security-profile=FRONT-GUEST-PSK ssid=\
    FRONT-GUEST-2G wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=CE:2D:E0:DA:21:1E \
    master-interface=FRONT-5G max-station-count=10 multicast-buffering=\
    disabled name=FRONT-GUEST-5G security-profile=FRONT-GUEST-PSK ssid=\
    FRONT-GUEST-5G wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
    CE:2D:E0:DA:21:20 master-interface=FRONT-2G max-station-count=10 \
    multicast-buffering=disabled name=FRONT-IOT-2G security-profile=\
    FRONT-IOT-PSK ssid=FRONT-IOT-2G wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
    CE:2D:E0:DA:21:21 master-interface=FRONT-5G max-station-count=10 \
    multicast-buffering=disabled name=FRONT-IOT-5G security-profile=\
    FRONT-IOT-PSK ssid=FRONT-IOT-5G wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled

/interface bridge port
add bridge=HAP-AC-LITE_Bridge interface=Eth1_RB-4011
add bridge=HAP-AC-LITE_Bridge interface=Eth2 pvid=300
add bridge=HAP-AC-LITE_Bridge interface=Eth3 pvid=300
add bridge=HAP-AC-LITE_Bridge interface=Eth4 pvid=300
add bridge=HAP-AC-LITE_Bridge interface=Eth5 pvid=300
add bridge=HAP-AC-LITE_Bridge interface=FRONT-2G pvid=400
add bridge=HAP-AC-LITE_Bridge interface=FRONT-5G pvid=400
add bridge=HAP-AC-LITE_Bridge interface=Server_VLAN50 pvid=50
add bridge=HAP-AC-LITE_Bridge interface=FRONT-GUEST-2G pvid=500
add bridge=HAP-AC-LITE_Bridge interface=FRONT-GUEST-5G pvid=500
add bridge=HAP-AC-LITE_Bridge interface=FRONT-IOT-2G pvid=600
add bridge=HAP-AC-LITE_Bridge interface=FRONT-IOT-5G pvid=600

/interface bridge vlan
# port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry
add bridge=HAP-AC-LITE_Bridge tagged=Eth1_RB-4011,HAP-AC-LITE_Bridge \
    vlan-ids=50,300,400,500,600

/ip address
add address=192.168.5.253/24 interface=Server_VLAN50 network=192.168.5.0
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011 > hAP AC Lite VLAN configuration

Wed Mar 24, 2021 4:43 pm

If it's working for you, great!
If not, I would need an updated diagram to match.
 
bradi
just joined
Topic Author
Posts: 8
Joined: Wed Mar 10, 2021 2:28 am

Re: RB4011 > hAP AC Lite VLAN configuration

Wed Mar 24, 2021 4:58 pm

Yes, it is working (as far as I can tell), but I need to test the SSIDs to ensure they are correctly assigning the VLAN IDs. Other than that I will need to enable VLAN filtering (ingress / egress) and confirm that devices connected to the hAP-AC-Lite get the correct VLAN ID (IP configuration), which will have to wait until the morning.
