I have a functional LAN that’s segregated into several VLANs, and I want to add a Wi-Fi AP with three SSIDs: two on COMMON_VLAN and one on GUEST_VLAN. The current setup is:
- Router (MikroTik hEX S)
- Switch (MikroTik CRS112-8P-4S-1N) <-- VLAN tags are normally added here using ingress-vlan-translation when the client ID is 0.
- Wi-Fi AP (MikroTik hAP ac^3)
- Guest SSID is a virtual interface with its master being one of the SSIDs on COMMON_VLAN.
The AP works well if I don’t tell it to tag outbound traffic with a VLAN ID, but if I do so with
/interface wireless set vlan-mode=use-tag vlan-id=30
(where 30 is the ID associated with GUEST_VLAN), then the following happens:
- Packets from any client on the guest SSID go through the AP to the switch and to the router.
- The router responds and the packets make it back to the AP (as verified with Torch).
- The client never gets the responses.
I assume this is a Layer 2 misconfiguration, but I’m not certain how this should be configured. In the attached configuration files, ether5 on the switch is directly connected to ether1 on the AP.