nagylzs

Howto use HAP AC2 as switch+AP on vlan(s)

Mon Jun 14, 2021 9:34 pm

I have a network that consists of a WAN router, a switch and another router.

They are connected like this: https://imgur.com/a/F0Le04M

My original network without the access point was discussed here: viewtopic.php?f=2&t=175973

It is now working fine. In the next step, I would like to add the second HAP AC2 device for two things: use it as a switch for vlan10 network, and also use it as a wireless access point later (CAP with multiple SSIDs on different vlans).

Here is my current config on the access point:
/interface bridge
add name=BR1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-trunk
set [ find default-name=ether2 ] name=ether2-blue
set [ find default-name=ether3 ] name=ether3-blue
set [ find default-name=ether4 ] name=ether4-blue
set [ find default-name=ether5 ] name=ether5-blue
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
/interface list
add name=VLAN
add name=BASE
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2-blue pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3-blue pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4-blue pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5-blue pvid=10
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1-trunk
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1-trunk untagged=ether2-blue,ether3-blue,ether4-blue vlan-ids=10
add bridge=BR1 tagged=BR1 vlan-ids=20
add bridge=BR1 tagged=BR1 vlan-ids=30
add bridge=BR1 tagged=BR1 vlan-ids=99
/interface list member
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.19.252/24 interface=BASE_VLAN network=192.168.19.0
/ip dns
set servers=192.168.19.254
/ip route
add distance=1 gateway=192.168.19.254 pref-src=192.168.19.252
/system identity
set name=caps01

I did not turn on vlan filtering on the bridge yet. If I log in to this AP router, then I can ping the other router, and I can also access the internet.

But the access ports do not work. If I connect my laptop into one of the access ports of the switch, then I get an IP address from the DHCP server (running on the wan router). But if I connect to one of the access ports of the AP router (e.g. ether3-blue), then it does not work. Even if I type in an address/gateway/netmask manually, it does not work.

What am I doing wrong?
 
mkx

Re: Howto use HAP AC2 as switch+AP on vlan(s)

Mon Jun 14, 2021 10:55 pm

Access ports won't work until you enable vlan-filtering on the bridge. Without that, the bridge does not add a VLAN tag on ingress as per pvid settings, nor does it strip VLAN tags on egress as per untagged vlan membership.

So: take a deep breath, enable safe mode and enable vlan-filtering on bridge. If your management connection doesn't break, then disable safe mode and check if access ports started to work. If your management connection broke, then wait a few seconds until device rolls back the change and re-connect.

BTW, not sure if this will make anything:

add bridge=BR1 tagged=BR1 vlan-ids=20
add bridge=BR1 tagged=BR1 vlan-ids=30
add bridge=BR1 tagged=BR1 vlan-ids=99

Bridge is the only port member of these VLANs. At least for VLAN 99 you should add ether1 as tagged port or else you'll almost definitely lose management access. OTOH BR1 doesn't have to be member of the rest of VLANs, ROS will not interact with them (not until you have corresponding vlan interface with IP address set).
 
anav

Re: Howto use HAP AC2 as switch+AP on vlan(s)

Mon Jun 14, 2021 11:07 pm

mkx is getting forgetful in his old age bhwahahaha

Read this link it tells all........
viewtopic.php?f=23&t=143620
 
mkx

Re: Howto use HAP AC2 as switch+AP on vlan(s)

Mon Jun 14, 2021 11:16 pm

My dear @anav, as always you're one step ahead of me ... you already forgot you're forgetting things :-P
 
anav

Re: Howto use HAP AC2 as switch+AP on vlan(s)

Mon Jun 14, 2021 11:23 pm

This is true, what I realize I don't know...... GROWS every day!!
 
nagylzs

Re: Howto use HAP AC2 as switch+AP on vlan(s)

Tue Jun 15, 2021 7:33 am

> Access ports won't work until you enable vlan-filtering on the bridge. Without that, the bridge does not add a VLAN tag on ingress as per pvid settings, nor does it strip VLAN tags on egress as per untagged vlan membership.
>
> So: take a deep breath, enable safe mode and enable vlan-filtering on bridge. If your management connection doesn't break, then disable safe mode and check if access ports started to work. If your management connection broke, then wait a few seconds until device rolls back the change and re-connect.

Yes, it rolls back. If I enable vlan filtering, then I cannot connect from access ports, nor through the trunk port.

> BTW, not sure if this will make anything:
> add bridge=BR1 tagged=BR1 vlan-ids=20
> add bridge=BR1 tagged=BR1 vlan-ids=30
> add bridge=BR1 tagged=BR1 vlan-ids=99
> Bridge is the only port member of these VLANs. At least for VLAN 99 you should add ether1 as tagged port or else you'll almost definitely lose management access.

Nope, there is a vlan interface that is added to the bridge, vlan 99, with static IP 192.168.19.252. I was managing the router through the ether1-trunk port.

> OTOH BR1 doesn't have to be member of the rest of VLANs, ROS will not interact with them (not until you have corresponding vlan interface with IP address set).

I'm going to add wireless interfaces to those vlans later because I want this device to function as a CAP too. I just did not do it yet, because I wanted to set up access ports first.

And yes, I have followed the given tutorial to setup this device too. I can go through the tutorial again but I'm not sure if it will help.
 
mkx

Re: Howto use HAP AC2 as switch+AP on vlan(s)

Tue Jun 15, 2021 8:23 am

> > Bridge is the only port member of these VLANs. At least for VLAN 99 you should add ether1 as tagged port or else you'll almost definitely lose management access.
>
> Nope, there is a vlan interface that is added to the bridge, vlan 99, with static IP 192.168.19.252. I was managing the router through the ether1-trunk port.

This is the relevant part of config ... if it's config you posted in your post #1 above:
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1-trunk
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1-trunk untagged=ether2-blue,ether3-blue,ether4-blue vlan-ids=10
add bridge=BR1 tagged=BR1 vlan-ids=99
/ip address
add address=192.168.19.252/24 interface=BASE_VLAN network=192.168.19.0

The first setting (creation of vlan interface) means interface BR1 has to be tagged member of VLAN 99 on bridge BR1. The third setting (bridge vlan configuration) does configure it indeed. But is there any other member interface? No. As long as you don't have vlan-filtering=yes set on bridge, the security setting from configuration #2 above (ingress-filtering=yes) doesn't do anything. As soon as you enable vlan-filtering, this option will consult egress vlan table (egress vlan table is constructed according to settings in /interface bridge vlan) and block frames belonging to VLANs not enabled on ingress. Port ether1-trunk is only tagged member of VLAN ID 10 but not member (neither tagged nor untagged) of VLAN ID 99. As long as vlan-filtering is disabled, frames tagged with VLAN ID 99 are passed through ether1-trunk, bridge BR1 acts as dumb switch and passes tagged frames to any port willing to take them. That includes port BR1, where vlan interface BASE_VLAN gladly accepts them. Similar on the way back.


Do you now see the problem you have?
 
nagylzs

Re: Howto use HAP AC2 as switch+AP on vlan(s)

Tue Jun 15, 2021 11:51 am

> The first setting (creation of vlan interface) means interface BR1 has to be tagged member of VLAN 99 on bridge BR1. The third setting (bridge vlan configuration) does configure it indeed. But is there any other member interface? No. As long as you don't have vlan-filtering=yes set on bridge, the security setting from configuration #2 above (ingress-filtering=yes) doesn't do anything. As soon as you enable vlan-filtering, this option will consult egress vlan table (egress vlan table is constructed according to settings in /interface bridge vlan) and block frames belonging to VLANs not enabled on ingress. Port ether1-trunk is only tagged member of VLAN ID 10 but not member (neither tagged nor untagged) of VLAN ID 99. As long as vlan-filtering is disabled, frames tagged with VLAN ID 99 are passed through ether1-trunk, bridge BR1 acts as dumb switch and passes tagged frames to any port willing to take them. That includes port BR1, where vlan interface BASE_VLAN gladly accepts them. Similar on the way back.
>
> Do you now see the problem you have?

Yes, I do. I was completely blind. I should have seen, but I didn't. I don't have a good explanation, I'm sorry for robbing your time. :-(

Changed vlan config to this:
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1-trunk untagged=ether2-blue,ether3-blue,ether4-blue vlan-ids=10
add bridge=BR1 tagged=BR1,ether1-trunk vlan-ids=20
add bridge=BR1 tagged=BR1,ether1-trunk vlan-ids=30
add bridge=BR1 tagged=BR1,ether1-trunk vlan-ids=99

And now everything works as expected: I can enable vlan filtering on the bridge, connect to the AP router through the trunk port, and I can also use the access ports on it.

In the next step, I'll be adding wireless interfaces (CAP). I have never done that together with vlans, I just hope that I'll be clever enough to do that without asking dumb questions.

Thank you for your help.
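
A pre-flight check for the mistake resolved in this thread, as an added example that is not part of any post above and is not MikroTik tooling: it reads a RouterOS export and reports every VLAN interface on a bridge whose VLAN ID has no member port other than the bridge itself, which is the condition that cut off management once vlan-filtering was enabled. It assumes single-line `add` entries with unquoted values and looks only at static `/interface bridge vlan` rows; the names `BEFORE`, `AFTER`, `parse_export`, `vlan_ids` and `audit` are made up for the example.

```python
from collections import defaultdict

# Constructed sample: the lines from the first post that matter for VLAN 99.
BEFORE = """\
/interface bridge
add name=BR1 protocol-mode=none
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1-trunk
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1-trunk untagged=ether2-blue,ether3-blue,ether4-blue vlan-ids=10
add bridge=BR1 tagged=BR1 vlan-ids=99
"""
# The corrected VLAN 99 entry from the last configuration in the thread.
AFTER = BEFORE.replace("tagged=BR1 vlan-ids=99", "tagged=BR1,ether1-trunk vlan-ids=99")

def parse_export(text):
    """Group the key=value pairs of every 'add' line under its menu path."""
    menus, menu = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            menus[menu].append(dict(t.split("=", 1) for t in line.split()[1:] if "=" in t))
    return menus

def vlan_ids(spec):
    """Expand a vlan-ids value such as '10', '20,30' or '100-102'."""
    ids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit(text):
    """Return (vlan interface, vlan id, problem) for VLAN interfaces that
    vlan-filtering=yes would cut off from every physical port."""
    menus, findings = parse_export(text), []
    bridges = {b["name"] for b in menus["/interface bridge"]}
    for v in menus["/interface vlan"]:
        bridge, vid = v["interface"], int(v["vlan-id"])
        if bridge not in bridges:
            continue  # VLAN interface on a plain port, not on a bridge
        tagged, others = set(), set()
        for row in menus["/interface bridge vlan"]:
            if row.get("bridge") == bridge and vid in vlan_ids(row.get("vlan-ids", "")):
                tagged |= set(filter(None, row.get("tagged", "").split(",")))
                others |= set(filter(None, row.get("untagged", "").split(",")))
        if bridge not in tagged:
            findings.append((v["name"], vid, f"{bridge} is not a tagged member"))
        elif not (tagged | others) - {bridge}:
            findings.append((v["name"], vid, f"{bridge} is the only member"))
    return findings
```

Running `audit` on an export before turning on vlan-filtering (still under safe mode, as advised above) shows which management VLAN would go dark.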
 
anav

Re: Howto use HAP AC2 as switch+AP on vlan(s)

Tue Jun 15, 2021 4:47 pm

Yup all in the article linked...... literacy is the key!!
