DL7JP
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Oct 19, 2013 4:14 pm

WLAN SSIDs attached to VLANs

Mon May 31, 2021 8:36 pm

Dear all,

Here's a challenge for the VLAN / Wifi experts :-) : I have a bridge with the main interface of a WLAN Access Point (cAP) and eth1; on eth1 is the main LAN (untagged) and additionally two VLANs tagged 2 and 3. There are no VLANs explicitly configured in the Access Point, the VLANs 2 and 3 have endpoints in another router (serving dhcp to all VLANs). I guess this is a pretty simple scenario, there is little configured in the Access Point besides security profiles and the AP is largely concerned with layer 2 business.

Now I want to set up two additional SSIDs W2 and W3 on two virtual wlan interfaces for the VLANs 2 and 3. I spent nearly the whole afternoon trying to figure out how to do this, finally, I came across https://www.youtube.com/watch?v=i-qQo06ow7Y. The suggested way is as follows: Create two VLAN-Interfaces for VLAN 2 and 3 under eth1, then put these on two separate bridges. Finally add the virtual wlan-interfaces for the SSIDs W2 and W3 to the corresponding bridge.

This works, but if I understand this correctly it is outdated, since WLAN handling in RouterOS has recently changed. Is anyone aware of good documentation on how to configure this scenario with a single bridge and WLAN filtering?

The problem for me is that there are roughly 4 places where VLAN-relevant configurations are located: under the bridge interface, in the bridge instance itself, in the virtual wlan interfaces, and in the VLANs "below" the physical interface eth1... I could not figure out how to combine all this to a working configuration. I managed to set up these VLANs with bridge-internal VLAN filtering in my main router (which runs the above mentioned dhcp-server), but virtual wlan interfaces seem to behave somehow differently when it comes to VLANs...

Thanks, Joachim.
Last edited by DL7JP on Tue Jun 01, 2021 12:54 pm, edited 1 time in total.
 
erlinden
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: WLAN SSIDs attached to VLANs

Mon May 31, 2021 9:02 pm

Please use this great tutorial on how to configure VLAN's with MikroTik:
viewtopic.php?t=143620
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: WLAN SSIDs attached to VLANs

Mon May 31, 2021 9:24 pm

There is a first must-read, if you want to understand the current way of handling VLAN in RouterOS (aka "bridge method"). See link above.

However, to take a shortcut, I use 2 ways to handle this in the AP.

1. Also old style (when VLAN's were handled via Switch, or just handled with a non-smart bridge (this is one where the VLAN's are not configured))

For this method add all WLAN to the one bridge with also ether1, and fill in the VLAN id to tag in the Wireless setup of the WLAN where needed. Set VLAN mode to "use tag".
All done, this works immediately, until you want to have 2 WLAN (eg one 2.4GHz and one 5 GHz) connected to the same VLAN. In that case this setup failed (the WLAN started to use the untagged connection). EDIT ! -> the setup failed because there was an Access List rule setting the second WLAN to untagged <- EDIT !

2. Just happened to have set up and documented the second method because of the above failure.
This is just about one VLAN 10, to be distributed by two WLAN, WLAN11 and WLAN21 (2.4 and 5 GHz). The original WLAN1 and WLAN2, and other ether ports use the untagged.

Not the finest and purest setup (Frame type, Ingress Filtering, and other settings not considered), but at least this combination works. The VLAN traffic is delivered untagged to the WLAN.
Be aware that enabling "VLAN filtering" on the bridge can lock you out of the MT router! Always use "Safe mode" or have some ether port not connected to the bridge, as backdoor.

The VLAN ID =1 line in the bridge is created automatically by RouterOS, but that automatic line included WLAN11 and WLAN21 as untagged. So I added it myself.
Klembord-2.jpg
Klembord-3.jpg
Klembord-4.jpg
Last edited by bpwl on Mon Jun 21, 2021 1:56 am, edited 1 time in total.
 
DL7JP
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Oct 19, 2013 4:14 pm

Re: WLAN SSIDs attached to VLANs

Mon May 31, 2021 11:53 pm

Thanks a bunch, I will work myself through the tutorial in the next days.

Meanwhile, I tried bpwl's suggestion:

> 1. Also old style (when VLAN's were handled via Switch, or just handled with a non-smart bridge (this is one where the VLAN's are not configured))
>
> For this method add all WLAN to the one bridge with also ether1, and fill in the VLAN id to tag in the Wireless setup of the WLAN where needed. Set VLAN mode to "use tag".
> All done, this works immediately, until you want to have 2 WLAN (eg one 2.4GHz and one 5 GHz) connected to the same VLAN. In that case this setup failed (the WLAN started to use the untagged connection).

Here's what I gathered (VLAN tags are actually 15 and 25):

/interface bridge add name=bridge-WLAN

/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge ssid=WLAN-1
add master-interface=wlan1 name=wlan15 ssid=WLAN-15 vlan-id=15 vlan-mode=use-tag
add master-interface=wlan1 name=wlan25 ssid=WLAN-25 vlan-id=25 vlan-mode=use-tag

/interface bridge port
add bridge=bridge-WLAN interface=ether1
add bridge=bridge-WLAN interface=wlan1
add bridge=bridge-WLAN interface=wlan15
add bridge=bridge-WLAN interface=wlan25

I can connect to WLAN-1, all perfect, WLAN-Client gets an IP, etc. But WLAN-15 and WLAN-25 seem not connected to the corresponding VLANs: I verified that VLAN traffic of 15 and 25 is present on the bridge, and I also see dhcp requests of the client connected to WLAN-15 or 25 on the bridge, but these requests do not show up on ether1. What am I missing?
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: WLAN SSIDs attached to VLANs

Tue Jun 01, 2021 12:26 am

> these requests do not show up on ether1

How do you check? If it is tagged on the bridge, it should be tagged on ether1. (Unless STP/RSTP is blocking the transfer)
We have not defined a VLAN interface here that can read/write in the VLAN 15 or 25. Should not be needed for normal traffic.

You did not show everything ... for solution 1 ... "VLAN filtering" must be "no", and all PVID on value 1.
viewtopic.php?f=2&t=167155#p820741
 
DL7JP
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Oct 19, 2013 4:14 pm

Re: WLAN SSIDs attached to VLANs

Tue Jun 01, 2021 1:36 am

>> these requests do not show up on ether1
>
> How do you check? If it is tagged on the bridge, it should be tagged on ether1. (Unless STP/RSTP is blocking the transfer)
> We have not defined a VLAN interface here that can read/write in the VLAN 15 or 25. Should not be needed for normal traffic.
>
> You did not show everything ... for solution 1 ... "VLAN filtering" must be "no", and all PVID on value 1.
> viewtopic.php?f=2&t=167155#p820741

I use torch, when I connect to the SSID attached to a VLAN then I see the dhcp request on the bridge but not on ether1.
Here's the complete config of the test router, thanks a lot for your time!

[admin@MikroTik] > export 
# jun/01/2021 00:30:53 by RouterOS 6.48.3
# software id = E1I6-5EUR
#
# model = RBcAPL-2nD
# serial number = BB270B038551
/interface bridge
add name=bridge-WLAN
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=WLAN-1
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:1D:18:02 master-interface=wlan1 multicast-buffering=disabled name=wlan15 \
    ssid=WLAN-15 vlan-id=15 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:1D:18:03 master-interface=wlan1 multicast-buffering=disabled name=wlan25 \
    ssid=WLAN-25 vlan-id=25 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge-WLAN interface=ether1
add bridge=bridge-WLAN interface=wlan1
add bridge=bridge-WLAN interface=wlan15
add bridge=bridge-WLAN interface=wlan25
/ip dhcp-client
add disabled=no interface=bridge-WLAN
/system clock
set time-zone-name=Europe/Berlin
/system routerboard settings
set auto-upgrade=yes
/tool romon
set enabled=yes
[admin@MikroTik] > 
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: WLAN SSIDs attached to VLANs

Tue Jun 01, 2021 10:49 am

Should work. But disable STP on bridge and potentially on other end of cable as well. (Have run into cases where HP Procurve switches saw a loop when VLAN's were used, as it counted each VLAN as a direct path)
 
DL7JP
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Oct 19, 2013 4:14 pm

Re: WLAN SSIDs attached to VLANs

Tue Jun 01, 2021 12:39 pm

> Should work. But disable STP on bridge and potentially on other end of cable as well. (Have run into cases where HP Procurve switches saw a loop when VLAN's were used, as it counted each VLAN as a direct path)

It was not STP (was at default "RSTP" on both sides), but I rebooted the router on the other side and, guess what: It works!
When I have time I will try other solutions with bridge filtering and open another thread.

Thanks a lot!
 
DL7JP
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Oct 19, 2013 4:14 pm

Re: WLAN SSIDs attached to VLANs

Tue Jun 01, 2021 3:19 pm

Just for the records, here's the other solution I mentioned in my original post at the beginning - I guess it is less efficient:

/interface bridge
add name=bridge-vlan1 vlan-filtering=yes
add frame-types=admit-only-untagged-and-priority-tagged name=bridge-vlan15 vlan-filtering=yes
add frame-types=admit-only-untagged-and-priority-tagged name=bridge-vlan25 vlan-filtering=yes

/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge ssid=WLAN-1
add master-interface=wlan1 name=wlan15 ssid=WLAN-15 
add master-interface=wlan1 name=wlan25 ssid=WLAN-25 

/interface vlan
add interface=ether1 name=vlan15 vlan-id=15
add interface=ether1 name=vlan25 vlan-id=25

/interface bridge port
add bridge=bridge-vlan1 interface=ether1
add bridge=bridge-vlan1 interface=wlan1
add bridge=bridge-vlan15 interface=vlan15
add bridge=bridge-vlan15 interface=wlan15
add bridge=bridge-vlan25 interface=wlan25
add bridge=bridge-vlan25 interface=vlan25

/ip dhcp-client
add disabled=no interface=bridge-vlan1
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WLAN SSIDs attached to VLANs

Tue Jun 01, 2021 6:47 pm

The reference link works great, feel free to pursue other methods.
It's dirt simple and it makes no sense to me to do anything different.
all lans/subnets get vlans
assign vlans to bridge
assign vlans dhcp, pool, server-network and address

Configure bridge ports settings appropriately
Configure bridge vlan settings appropriately

Configure wifi as per wifi normally done, without any need to mention anything but wifi parameters.
The tie in between vlans and wifi is done at the Bridge Port settings where each WLAN is considered a bridge port and should have a PVID associated.
 
DL7JP
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Oct 19, 2013 4:14 pm

Re: WLAN SSIDs attached to VLANs

Tue Jun 01, 2021 10:40 pm

Btw, the config in post #4 might not isolate vlans properly: I just had a client on wlan25/vlan25 that got an IP from the dhcp-server on wlan1/vlan1. I guess there is something missing.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WLAN SSIDs attached to VLANs

Tue Jun 01, 2021 11:18 pm

Yeah well, that's the stupid method of mixing vlans in wifi settings. I don't like it, can't help you...
 
DL7JP
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Oct 19, 2013 4:14 pm

Re: WLAN SSIDs attached to VLANs

Tue Jun 01, 2021 11:32 pm

> Please use this great tutorial on how to configure VLAN's with MikroTik:
> viewtopic.php?t=143620

OK, I read it and tried to adapt the Access Point scenario (#4). Here's my configuration with bridge VLAN filtering for what I explained in post #1:

/interface bridge
add name=bridge-vlan vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge ssid=WLAN-1
add master-interface=wlan1 name=wlan15 ssid=WLAN-15 
add master-interface=wlan1 name=wlan25 ssid=WLAN-25 
/interface vlan
add interface=bridge-vlan name=vlan1 vlan-id=1
/interface bridge port
add bridge=bridge-vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1
add bridge=bridge-vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan15 pvid=15
add bridge=bridge-vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan25 pvid=25
add bridge=bridge-vlan interface=ether1
/interface bridge vlan
add bridge=bridge-vlan tagged=ether1,bridge-vlan,vlan1 vlan-ids=1
add bridge=bridge-vlan tagged=ether1 vlan-ids=15
add bridge=bridge-vlan tagged=ether1 vlan-ids=25
/ip dhcp-client
add disabled=no interface=vlan1

I did not test it a lot, but it seems to do the trick. A slight hurdle is that you need to "admit all" VLANs on the ether1 port, I guess since incoming packets are a mixture of untagged and tagged ones.

I do not understand yet where/why the vlan tags are removed for the interfaces wlan15 and wlan25. Is this the result of the configuration "frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes" on the respective bridge ports?
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: WLAN SSIDs attached to VLANs

Wed Jun 02, 2021 1:09 am

WLAN15 and WLAN25 are untagged interfaces. By putting pvid=15 and pvid=25 on the ports, for tagging the traffic from the WLAN interfaces, you implicitly added WLAN15 and WLAN25 to the corresponding VLAN to send untagged traffic to the interfaces (see comment: "# egress behavior, handled automatically"). In my example they were named explicitly as untagged interfaces in the bridge-vlan-table.

Using VLAN1, and setting port ether1 to pvid=1, and adding ether1 and VLAN1 as tagged to bridge-vlan vlan-id=1 is a bit confusing.

Ether1 is "untagged" for vlan-ids=1, so is WLAN1. I see no need for the extra VLAN1 interface as intermediate tagged/untagged conversion.
PVID=1 is the default pvid, and is used by default in MT for the untagged traffic. (That line is even added automatically (D dynamic))

Just to confuse you ... you could still set the wireless interfaces to tagged, and deliver the traffic as tagged, but that's a 3rd way of doing it, and is just confusing it all.
(I played with this ... just to learn ... see my not-to-be-copied config below)
Klembord-2.jpg
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: WLAN SSIDs attached to VLANs

Wed Jun 02, 2021 1:23 am

> A slight hurdle is that you need to "admit all" VLANs on the ether1 port, I guess since incoming packets are a mixture of untagged and tagged ones.

Yes.

> I do not understand yet where/why the vlan tags are removed for the interfaces wlan15 and wlan25. Is this the result of the configuration "frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes" on the respective bridge ports?

No. Setting the pvid= for the entries under /interface bridge port adds dynamic untagged VLAN membership.

You should only include real interfaces as members under /interface bridge vlan, not those interfaces created under /interface vlan.

Also you are attempting to use VLAN 1 both untagged with pvid=1 for bridge, wlan1 and ether1 /interface bridge port, and as tagged members with vlan-ids=1 under /interface bridge vlan - this sometimes works and sometimes doesn't depending if the device will accept that VLAN both tagged and untagged:

/interface bridge
add name=bridge-vlan vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge ssid=WLAN-1
add master-interface=wlan1 name=wlan15 ssid=WLAN-15
add master-interface=wlan1 name=wlan25 ssid=WLAN-25
# vlan1 interface not needed: the DHCP client runs on the bridge itself
# /interface vlan
# add interface=bridge-vlan name=vlan1 vlan-id=1

/interface bridge port
add bridge=bridge-vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1
add bridge=bridge-vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan15 pvid=15
add bridge=bridge-vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan25 pvid=25
add bridge=bridge-vlan ingress-filtering=yes interface=ether1
/interface bridge vlan
# no tagged entry for VLAN 1: it stays untagged via pvid=1, and vlan1 is not a real interface
# add bridge=bridge-vlan tagged=ether1,bridge-vlan,vlan1 vlan-ids=1
add bridge=bridge-vlan tagged=ether1 vlan-ids=15
add bridge=bridge-vlan tagged=ether1 vlan-ids=25
/ip dhcp-client
add disabled=no interface=bridge-vlan


You can use /interface bridge vlan print detail to show the actual VLAN membership, by way of the current-tagged= and current-untagged= entries. Note that inactive interfaces do not appear.
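
The three pitfalls raised in this thread (tagging in the wireless settings on a bridge without VLAN filtering, `/interface vlan` entries listed as bridge VLAN members, and a VLAN that is tagged in the bridge VLAN table while also being the port's PVID) can be checked mechanically against an export. The following is an added example, not code from the thread or from MikroTik; the function names and the trimmed sample exports are constructed for illustration, and `vlan-ids` ranges are not handled.

```python
import re

# Constructed samples, trimmed from the two configs posted in the thread.
LEGACY_EXPORT = """\
/interface bridge
add name=bridge-WLAN
/interface wireless
add master-interface=wlan1 name=wlan15 ssid=WLAN-15 vlan-id=15 vlan-mode=use-tag
/interface bridge port
add bridge=bridge-WLAN interface=wlan15
"""
FILTERED_EXPORT = """\
/interface bridge
add name=bridge-vlan vlan-filtering=yes
/interface vlan
add interface=bridge-vlan name=vlan1 vlan-id=1
/interface bridge port
add bridge=bridge-vlan frame-types=admit-only-untagged-and-priority-tagged \\
    ingress-filtering=yes interface=wlan15 pvid=15
add bridge=bridge-vlan interface=ether1
/interface bridge vlan
add bridge=bridge-vlan tagged=ether1,bridge-vlan,vlan1 vlan-ids=1
add bridge=bridge-vlan tagged=ether1 vlan-ids=15
"""

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for the add/set lines of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join lines continued with a backslash
    menus, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
        elif path and line.startswith(("add ", "set ")):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            menus.setdefault(path, []).append(dict(pairs))
    return menus

def audit(text):
    """List the VLAN pitfalls discussed in the thread that appear in an export."""
    m, findings = parse_export(text), []
    bridges, ports = m.get("/interface bridge", []), m.get("/interface bridge port", [])
    filtering = {b["name"]: b.get("vlan-filtering") == "yes" for b in bridges}
    bridge_of = {p["interface"]: p["bridge"] for p in ports}
    # PVID defaults to 1 for the bridge itself and for every bridge port.
    pvid = {x.get("interface", x.get("name")): x.get("pvid", "1")
            for x in bridges + ports}
    vlan_ifaces = {v["name"] for v in m.get("/interface vlan", [])}
    for w in m.get("/interface wireless", []):
        br = bridge_of.get(w.get("name"))
        if w.get("vlan-mode") == "use-tag" and br and not filtering.get(br):
            findings.append(f"{w['name']}: use-tag on VLAN-unaware bridge {br}")
    for row in m.get("/interface bridge vlan", []):
        for vid in row["vlan-ids"].split(","):
            for name in sorted(filter(None, row.get("tagged", "").split(","))):
                if name in vlan_ifaces:      # only real ports belong in this table
                    findings.append(f"vlan {vid}: member {name} is an /interface vlan")
                elif pvid.get(name) == vid:  # tagged here, untagged via PVID
                    findings.append(f"vlan {vid}: {name} is tagged but has pvid={vid}")
    return findings
```

Calling `audit()` on the text of an `/export` returns one line per finding; an empty list means none of the three patterns was found, not that the configuration is otherwise correct.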
 
DL7JP
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Oct 19, 2013 4:14 pm

Re: WLAN SSIDs attached to VLANs

Wed Jun 02, 2021 9:21 pm

Thanks to bpwl and tdw for potently explaining things! I am slowly gaining an understanding of VLAN handling in RouterOS.

I configured a VLAN-Interface vlan1 and put the dhcp-client on it, because a German tutorial https://administrator.de/tutorial/mikro ... 67186.html states that the bridge filtering VLANs should not have an IP address. It seems this is wrong, resp. does not apply here.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: WLAN SSIDs attached to VLANs

Wed Jun 02, 2021 10:31 pm

As you have found extra care should be taken when using VLAN 1 tagged - any ports added to a vlan-aware bridge, plus the implicit bridge-to-CPU port, are by default made untagged members of VLAN 1 unless additional configuration options are specified.

It is frequently suggested that VLAN 1 be avoided due to this potential trap for the unwary, and that some other manufacturers' equipment does not permit VLAN 1 to be used tagged at all. Once aware of the defaults, and any limitations of various manufacturers' equipment, using it is fine.
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: WLAN SSIDs attached to VLANs

Mon Jun 21, 2021 1:44 am

> For this method add all WLAN to the one bridge with also ether1, and fill in the VLAN id to tag in the Wireless setup of the WLAN where needed. Set VLAN mode to "use tag".
> All done, this works immediately, until you want to have 2 WLAN (eg one 2.4GHz and one 5 GHz) connected to the same VLAN. In that case this setup failed (the WLAN started to use the untagged connection).

My statement on not working "you want to have 2 WLAN (eg one 2.4GHz and one 5 GHz) connected to the same VLAN" seems not correct. As I found RX signal strength access list rules for one of the two WLAN interfaces, leaving the VLAN as untagged, in contrast to the wireless interface setting itself (setting that acts as default only if there are no access list rules specified)! No wonder that one WLAN started using the untagged connection.
