Community discussions

MikroTik App
 
AstroPig7
newbie
Topic Author
Posts: 28
Joined: Mon Feb 17, 2020 12:28 am

[Solved] Unexpectedly tricky VLAN setup

Sun Jun 06, 2021 4:09 am

I have a functional LAN that’s segregated into several VLANs, and I want to add a Wi-Fi AP with three SSIDs: two on COMMON_VLAN and one on GUEST_VLAN. The current setup is:
  • Router (MikroTik hEX S)
  • Switch (MikroTik CRS112-8P-4S-1N) <-- VLAN tags are normally added here using ingress-vlan-translation when the client ID is 0.
  • Wi-Fi AP (MikroTik hAP ac^3)
  • Guest SSID is a virtual interface with its master being one of the SSIDs on COMMON_VLAN.
The AP works well if I don’t tell it to tag outbound traffic with a VLAN ID, but if I do so with
/interface wireless set vlan-mode=use-tag vlan-id=30
(where 30 is the ID associated with GUEST_VLAN), then the following happens:
  • Packets from any client on the guest SSID go through the AP to the switch and to the router.
  • The router responds and the packets make it back it to the AP (as verified with Torch).
  • The client never gets the responses.
I assume this is a Layer 2 misconfiguration, but I’m not certain how this should be configured. In the attached configuration files, ether5 on the switch is directly connected to ether1 on the AP.
You do not have the required permissions to view the files attached to this post.
Last edited by AstroPig7 on Sun Jun 06, 2021 4:53 pm, edited 1 time in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Unexpectedly tricky VLAN setup

Sun Jun 06, 2021 3:04 pm

There is no reason to assign vlans on switch, they should be assigned via DHCP from the router. On the switch one needs to solely assign the vlan-ids, that they exist and on which ports they do their magic.

Read this article.
viewtopic.php?f=23&t=143620
 
AstroPig7
newbie
Topic Author
Posts: 28
Joined: Mon Feb 17, 2020 12:28 am

Re: Unexpectedly tricky VLAN setup

Sun Jun 06, 2021 3:20 pm

That article (specifically the configuration viewtopic.php?f=23&t=143620#p706997) was how I built my environment prior to adding the AP.

(I completely misread your post and thought you were telling me to assign VLAN IDs at the router, which I was not doing. If you saw this reply prior to this edit, then I apologize.)

I am only tagging the VLAN IDs at the switch (and trying to tag them at the AP as well). If I tag the guest network with a VLAN ID at the AP, then packets never get back to clients on that network. If I let the switch tag this traffic instead, then packets make it back. However, the switch doesn’t know about the guest network and can’t separately tag it with a different VLAN ID.
 
tdw
Forum Guru
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Unexpectedly tricky VLAN setup

Sun Jun 06, 2021 3:44 pm

As you have
/interface ethernet switch vlan
...
add ports=ether2,ether5,sfp10 vlan-id=30


then you likely want
/interface ethernet switch egress-vlan-tag
...
add tagged-ports=ether2,ether5,sfp10 vlan-id=30


otherwise the VLAN ID 30 tag is stripped on egress from ether2 and ether5 on the CRS
 
AstroPig7
newbie
Topic Author
Posts: 28
Joined: Mon Feb 17, 2020 12:28 am

Re: Unexpectedly tricky VLAN setup

Sun Jun 06, 2021 3:54 pm

As you have
/interface ethernet switch vlan
...
add ports=ether2,ether5,sfp10 vlan-id=30


then you likely want
/interface ethernet switch egress-vlan-tag
...
add tagged-ports=ether2,ether5,sfp10 vlan-id=30


otherwise the VLAN ID 30 tag is stripped on egress from ether2 and ether5 on the CRS
Good idea, and I hoped it was something that simple.

Edit: It worked! I previously said it didn’t work because I had to reset the configuration on the AP and neglected to add the guest interface to the bridge. It’s often the little things…

Who is online

Users browsing this forum: GoogleOther [Bot], karlisi, kivimart, mkx, peterda and 97 guests