phitx
just joined
Topic Author
Posts: 7
Joined: Sun Mar 22, 2015 2:40 pm

Find hostname between vlan

Sat Jul 10, 2021 6:26 am

Hi everyone
I want to set up a home network with several VLANs.
My targets are:
Create VLANs
Trunk (VLAN ID 1): for router, AP, switch, and all networking devices
Server (VLAN ID 2): for server (NAS)
LAN (VLAN ID 3): for users
Guest (VLAN ID 4): for guests
Allow traffic between Trunk - Server - LAN
Restrict guest traffic to the internet only
I use 2 internet connections and make failover
Bandwidth management for each VLAN
CAPsMAN (with 2 APs for now) with multiple SSIDs

And if possible I also want to make:
I hope to make a different channel for each SSID (right now all SSIDs still use the master wlan)
DNS with DoH
Limit time and access for kids' devices
Split traffic for YouTube

I have searched and tried to configure the settings but still have some issues.
And please give me corrections if my settings are not correct.

My config is:
# jul/10/2021 09:45:06 by RouterOS 6.48.3
# software id = 6SEY-DDPH
#
# model = RB450Gx4
# serial number = B8D00B104484
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412 name=ch1
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2417 name=ch2
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2422 name=ch3
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2427 name=ch4
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2432 name=ch5
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2437 name=ch6
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2442 name=ch7
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2447 name=ch8
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2452 name=ch9
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2457 name=ch10
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2462 name=ch11
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2467 name=ch12
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2472 name=ch13
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2477 name=ch14
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5320 name=ch64
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5180 name=ch36
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5500 name=ch100
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5200 name=ch40
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5520 name=ch104
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5220 name=ch44
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5540 name=ch108
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5240 name=ch48
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5560 name=ch112
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5260 name=ch52
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5580 name=ch116
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5280 name=ch56
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    frequency=5300 name=ch60
/interface bridge
add mtu=1500 name=bGuest
add mtu=1500 name=bLAN
add mtu=1500 name=bServer
add mtu=1500 name=bTrunk
/interface ethernet
set [ find default-name=ether1 ] name=eth1_Trunk
set [ find default-name=ether4 ] name=eth4_BackInt
set [ find default-name=ether5 ] name=eth5_MainInt
/caps-man interface
add channel=ch36 disabled=no l2mtu=1600 mac-address=48:8F:5A:16:20:63 \
    master-interface=none name=AP1_5 radio-mac=48:8F:5A:16:20:63 radio-name=\
    488F5A162063
add channel=ch52 disabled=no l2mtu=1600 mac-address=48:8F:5A:09:2B:83 \
    master-interface=none name=AP2_5 radio-mac=48:8F:5A:09:2B:83 radio-name=\
    488F5A092B83
/interface vlan
add arp=reply-only interface=eth1_Trunk loop-protect=on \
    loop-protect-disable-time=1m name=vGuest vlan-id=4
add interface=eth1_Trunk loop-protect=on loop-protect-disable-time=1m name=\
    vLAN vlan-id=3
add interface=eth1_Trunk loop-protect=on loop-protect-disable-time=1m name=\
    vServer vlan-id=2
/caps-man datapath
add bridge=bTrunk client-to-client-forwarding=yes local-forwarding=no name=\
    dpTrunk
add bridge=bLAN client-to-client-forwarding=yes local-forwarding=no name=\
    dpLAN vlan-id=3
add bridge=bGuest client-to-client-forwarding=yes local-forwarding=no name=\
    dpGuest vlan-id=4
add bridge=bServer client-to-client-forwarding=yes name=dpServer vlan-id=2
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm name=sAUse passphrase=Amao@123
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm name=sAGue passphrase=wifi1234
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm name=sSer passphrase=Serv@123
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm name=sTrunk passphrase=Trunk@123
/caps-man configuration
add channel=ch1 channel.tx-power=20 country=indonesia datapath=dpLAN mode=ap \
    name=LANa security=sAUse ssid=Amao
add channel=ch3 channel.tx-power=12 country=indonesia datapath=dpGuest mode=\
    ap name=Guesta security=sAGue ssid=Wifi
add channel=ch6 channel.tx-power=14 country=indonesia datapath=dpLAN mode=ap \
    name=LANb security=sAUse ssid=Amao
add channel=ch8 channel.tx-power=12 country=indonesia datapath=dpGuest mode=\
    ap name=Guestb security=sAGue ssid=Wifi
add channel=ch1 channel.tx-power=20 country=indonesia datapath=dpTrunk name=\
    Trunka security=sSer ssid=Trunk tx-chains=0,1,2,3
add channel=ch6 channel.tx-power=20 country=indonesia datapath=dpTrunk name=\
    Trunkb security=sSer ssid=Trunk
add channel=ch3 channel.tx-power=12 country=indonesia datapath=dpServer mode=\
    ap name=Server security=sSer ssid=Server
/caps-man interface
add channel=ch1 channel.frequency=2412 channel.tx-power=20 configuration=\
    Trunka disabled=no l2mtu=1600 mac-address=48:8F:5A:16:20:62 \
    master-interface=none name=AP1_2 radio-mac=48:8F:5A:16:20:62 radio-name=\
    488F5A162062
add channel=ch6 channel.frequency=2437 channel.tx-power=20 configuration=\
    Trunkb disabled=no l2mtu=1600 mac-address=48:8F:5A:09:2B:82 \
    master-interface=none name=AP2_2 radio-mac=48:8F:5A:09:2B:82 radio-name=\
    488F5A092B82
add configuration=Guestb disabled=no l2mtu=1600 mac-address=4A:8F:5A:09:2B:83 \
    master-interface=AP2_2 name=Guestb radio-mac=00:00:00:00:00:00 \
    radio-name=""
add configuration=LANa disabled=no mac-address=4A:8F:5A:16:20:62 \
    master-interface=AP1_2 name=LANa radio-mac=00:00:00:00:00:00 radio-name=\
    ""
add configuration=LANb disabled=no l2mtu=1600 mac-address=4A:8F:5A:09:2B:82 \
    master-interface=AP2_2 name=LANb radio-mac=00:00:00:00:00:00 radio-name=\
    ""
add channel=ch3 configuration=Server disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:16:20:63 master-interface=AP1_2 name=Server radio-mac=\
    00:00:00:00:00:00 radio-name=""
/interface list
add name=WAN
add name=LAN
add name=WLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=Facebook regexp="^.+(facebook.com).*\$"
add name=Instagram regexp="^.+(instagram.com).*\$"
add name=Torrent regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane\
    |demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity\
    |bittoxic|thunderbytes|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|\
    flixflux|seedpeer|fenopy|gpirate|commonbits|x13bittorrent protocol|azver p\
    rotocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|\
    get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add name=Twitter regexp="^.+(twitter.com).*\$"
add name=Youtube regexp="^.+(.youtube.|ytmig.|googlevideo.com|youtu.be|youtube\
    .com|www.youtube.com|m.youtube.com|ytimg.c\\\r\
    \n    om|s.ytimg.com|ytimg.l.google.com|youtube.lyoutu.be|youtube.l.google\
    .com).*\$"
add name=iTunes regexp=\
    "http-itunes\r\
    \nhttp/(0\\.9|1\\.0|1\\.1).*(user-agent: itunes)"
/ip pool
add name=dTrunk ranges=192.168.100.1-192.168.100.61
add name=dLAN ranges=192.168.10.1-192.168.10.61
add name=dGuest ranges=192.168.20.1-192.168.20.13
add name=dCAP ranges=192.168.99.1-192.168.99.61
/ip dhcp-server
add address-pool=dLAN disabled=no interface=bLAN lease-time=4h name=dhcpLAN
add address-pool=dTrunk disabled=no interface=bTrunk lease-time=1m name=\
    dhcpTrunk
add address-pool=dGuest disabled=no interface=bGuest lease-time=2h name=\
    dhcpGuest
# DHCP server can not run on slave interface!
add address-pool=dCAP disabled=no interface=vServer name=dhxpCAP
/queue simple
add max-limit=5M/20M name=Total-bw priority=1/1
add max-limit=5M/10M name=bw-LAN parent=Total-bw priority=2/1 queue=\
    pcq-upload-default/pcq-download-default target=192.168.10.0/26
add limit-at=4M/8M max-limit=4M/8M name=bw-LAN-others packet-marks=no-mark \
    parent=bw-LAN priority=3/2 queue=pcq-upload-default/pcq-download-default \
    target=192.168.10.0/26
add limit-at=1M/2M max-limit=1M/2M name=bw-LAN-youtube packet-marks=\
    Youtube-packet parent=bw-LAN priority=4/3 queue=\
    pcq-upload-default/pcq-download-default target=192.168.10.0/26
add max-limit=3M/5M name=bw-guest parent=Total-bw priority=5/4 queue=\
    pcq-download-default/pcq-upload-default target=192.168.20.0/28
add limit-at=2M/3M max-limit=2M/3M name=bw-guest-others packet-marks=no-mark \
    parent=bw-guest priority=6/5 queue=\
    pcq-upload-default/pcq-download-default target=192.168.20.0/28
add limit-at=1M/2M max-limit=1M/2M name=bw-guest-youtube packet-marks=\
    Youtube-packet parent=bw-guest priority=7/6 queue=\
    pcq-upload-default/pcq-download-default target=192.168.20.0/28
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no interface=all \
    signal-range=-78..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=all \
    signal-range=-120..-79 ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bTrunk
add forbid=yes interface=eth5_MainInt
add forbid=yes interface=eth4_BackInt
/caps-man provisioning
add action=create-dynamic-enabled comment=AP1 master-configuration=Trunka \
    name-format=prefix name-prefix=AP radio-mac=48:8F:5A:16:20:61 \
    slave-configurations=LANa,Guesta
add action=create-dynamic-enabled comment=AP2 master-configuration=Trunkb \
    name-format=prefix name-prefix=AP radio-mac=48:8F:5A:09:2B:80 \
    slave-configurations=LANb,Guestb
/certificate settings
set crl-download=yes crl-use=yes
/interface bridge port
add bridge=bTrunk interface=eth1_Trunk
add bridge=bTrunk interface=ether2
add bridge=bTrunk interface=ether3
add bridge=bLAN interface=vLAN
add bridge=bGuest interface=vGuest
add bridge=bServer interface=vServer multicast-router=disabled
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=eth5_MainInt list=WAN
add interface=eth4_BackInt list=WAN
add interface=vLAN list=LAN
add interface=vServer list=LAN
add interface=AP1_2 list=WLAN
add interface=AP2_2 list=WLAN
/ip address
add address=192.168.100.62/26 interface=bTrunk network=192.168.100.0
add address=192.168.99.62/26 interface=vServer network=192.168.99.0
add address=192.168.10.62/26 interface=vLAN network=192.168.10.0
add address=172.16.20.14/28 interface=vGuest network=172.16.20.0
add address=192.168.1.2/28 interface=eth5_MainInt network=192.168.1.0
add address=192.168.2.15/24 interface=eth4_BackInt network=192.168.2.0
/ip dhcp-client
add interface=eth5_MainInt
add interface=eth4_BackInt
/ip dhcp-server lease
add address=192.168.100.59 client-id=1:48:8f:5a:16:20:61 mac-address=\
    48:8F:5A:16:20:61 server=dhcpTrunk
add address=192.168.100.58 client-id=1:48:8f:5a:9:2b:80 mac-address=\
    48:8F:5A:09:2B:80 server=dhcpTrunk
add address=192.168.10.4 client-id=1:4c:66:41:3c:65:5f mac-address=\
    4C:66:41:3C:65:5F server=dhcpLAN
add address=192.168.10.5 client-id=1:68:bf:c4:f1:92:10 mac-address=\
    68:BF:C4:F1:92:10 server=dhcpLAN
add address=192.168.10.3 client-id=1:4:d6:aa:55:1a:d2 mac-address=\
    04:D6:AA:55:1A:D2 server=dhcpLAN
add address=192.168.10.2 client-id=1:24:18:1d:16:8a:24 mac-address=\
    24:18:1D:16:8A:24 server=dhcpLAN
add address=192.168.10.6 client-id=1:10:dd:b1:a7:f2:4b mac-address=\
    10:DD:B1:A7:F2:4B server=dhcpLAN
add address=192.168.100.1 client-id=1:0:11:32:30:57:15 mac-address=\
    00:11:32:30:57:15 server=dhcpTrunk
add address=192.168.10.1 client-id=1:0:11:32:30:57:15 mac-address=\
    00:11:32:30:57:15 server=dhcpLAN
/ip dhcp-server network
add address=192.168.10.0/26 comment="Range for LAN" dns-server=\
    8.8.8.8,192.168.100.62,176.103.130.130,176.103.130.131 gateway=\
    192.168.10.62
add address=192.168.20.0/28 comment="Range for Guest" dns-server=\
    8.8.8.8,192.168.100.62,176.103.130.130,176.103.130.131 gateway=\
    192.168.20.14
add address=192.168.99.0/26 comment="Range for CAP" dns-server=\
    8.8.8.8,192.168.100.62,176.103.130.130,176.103.130.131 gateway=\
    192.168.99.62
add address=192.168.100.0/26 comment="Range for Trunk" dns-server=\
    8.8.8.8,192.168.100.62,176.103.130.130,176.103.130.131 gateway=\
    192.168.100.62
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,192.168.100.62
/ip dns static
add address=176.103.130.131 name=dns.adguard.com
add address=176.103.130.130 name=dns.adguard.com
add address=127.0.0.1 name=ads.pubmatic.com
add address=127.0.0.1 name=adservice.google.com
add address=127.0.0.1 name=pagead46.l.doubleclick.net
add address=127.0.0.1 name=wzrkt.com
add address=127.0.0.1 name=ad.doubleclick.net
add address=127.0.0.1 regexp=googlesyndication*
add address=127.0.0.1 name=cxp.emogi.com
add address=127.0.0.1 name=shavar.prod.mozaws.net
add address=127.0.0.1 name=cdn.branch.io
add address=127.0.0.1 name=server.cpmstar.com
add address=127.0.0.1 name=analytics.rayjump.com
add address=127.0.0.1 name=stats.g.doubleclick.net
add address=127.0.0.1 name=pagead.l.doubleclick.net
add address=127.0.0.1 name=ads.mopub.com
add address=127.0.0.1 name=googleads.g.doubleclick.net
add address=127.0.0.1 name=211.152.129.21
add address=127.0.0.1 name=partnerad.l.doubleclick.net
add address=127.0.0.1 name=ads.yahoo.com
add address=127.0.0.1 name=www.googleadservices.com
/ip firewall filter
add action=add-src-to-address-list address-list=ICMP address-list-timeout=2m \
    chain=input comment=Knock disabled=yes protocol=icmp
add action=add-src-to-address-list address-list=Knock address-list-timeout=1m \
    chain=input disabled=yes dst-port=80 protocol=tcp
add action=drop chain=input disabled=yes dst-port=80,8291 protocol=tcp
add action=drop chain=input disabled=yes dst-port=21 protocol=tcp \
    src-address=!192.168.10.0/26
/ip firewall mangle
add action=mark-connection chain=forward dst-port=443 in-interface=bTrunk \
    layer7-protocol=Youtube new-connection-mark=Youtube-Conn passthrough=yes \
    protocol=tcp
add action=mark-connection chain=forward dst-port=443 in-interface=bTrunk \
    layer7-protocol=Youtube new-connection-mark=Youtube-Conn passthrough=yes \
    protocol=udp
add action=mark-packet chain=forward connection-mark=Youtube-Conn \
    new-packet-mark=Youtube-packet passthrough=no
add action=mark-connection chain=forward dst-port=443 in-interface=bTrunk \
    layer7-protocol=Torrent new-connection-mark=Torrent-Conn passthrough=yes \
    protocol=tcp
add action=mark-connection chain=forward dst-port=443 in-interface=bTrunk \
    layer7-protocol=Torrent new-connection-mark=Torrent-Conn passthrough=yes \
    protocol=udp
add action=mark-packet chain=forward connection-mark=Torrent-Conn \
    new-packet-mark=Torrent-packet passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=eth4_BackInt
add action=masquerade chain=srcnat out-interface=eth5_MainInt
/ip route
add check-gateway=ping distance=1 gateway=8.8.8.8 target-scope=30
add distance=1 gateway=192.168.1.1
add distance=2 gateway=192.168.2.1
add distance=1 dst-address=192.168.100.62/32 gateway=bLAN
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=RAmao
/system ntp client
set enabled=yes primary-ntp=162.159.200.1 secondary-ntp=36.86.63.182
/system watchdog
set watch-address=8.8.8.8
/tool romon
set enabled=yes secrets=Ph1nk13Ro
/tool user-manager database
set db-path=user-manager
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Find hostname between vlan

Sat Jul 10, 2021 4:06 pm

Use this to configure.
viewtopic.php?f=23&t=143620
 
tangent
Forum Guru
Posts: 1329
Joined: Thu Jul 01, 2021 3:15 pm

Re: Find hostname between vlan

Sat Jul 10, 2021 4:58 pm

First, a tip: you can export only the relevant part of your configuration by changing to that section of the CLI before giving the "export" command:

/interface vlan
export

You are more likely to get help by asking specific questions about narrowly-focused areas of your configuration. As your question stands, it looks like "Please redesign my network configuration for me." I doubt you're going to have much luck with that short of engaging someone here as a paid consultant, and even then, they're still going to be asking you to provide specific answers to focused questions.

Once you have your basic setup working according to the CAPsMAN with VLANs guide, I believe all you need is to add IP firewall rules to the central router, the one the two APs forward their traffic to.

I don't see any particular advantage to using the CAPsMAN forwarding mode for a configuration like yours. You don't need a remote channel to another CAPsMAN based site, so the local forwarding mode should suffice. It has the advantage of letting you use non-MikroTik equipment on the inside of that network, since the traffic exiting the MT equipment can be VLAN-tagged, giving this other equipment enough information to do their own processing on the traffic.

Even within the central MikroTik router, VLAN tags should suffice to apply the desired network features you speak of.

Allow traffic between Trunk - Server - LAN
Restrict guest traffic to the internet only

What problem are you having with this, exactly? I don't see any "/ip firewall filter" commands in your configuration mentioning the configured VLANs. Are you asking us to write these rules for you?

I use 2 internet connection and make failover

A good configuration for that is documented here. I see only one "check-gateway" rule in your configuration. What problem are you having with this, exactly?

different channel for each SSID

Why would it matter that multiple clients are sharing the same channel under different SSIDs?

If you're trying to get more total bandwidth, realize that your neighbors are also trying to use those other channels. If you try to use all of the wifi channels yourself, you're likely to get worse performance as your WAPs continually fight over channel assignments with your neighbors.

There's only so much spectrum to be shared.

still have some issues

Yes? What issue, specifically? This is what I meant above about asking specific questions, to yield specific answers.
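The inter-VLAN policy from the first post (Trunk, Server and LAN may talk to each other; Guest only to the internet) written as RouterOS filter rules, as an added example that is not from the thread. It reuses the WAN list from the export and adds two lists with assumed names, TRUSTED and GUEST, whose members must be the interfaces that actually carry each VLAN's IP address; it also assumes the bridge setting use-ip-firewall is at its default of no, whereas the export sets it to yes, which would push frames bridged between ports of the same bridge through these rules as well.

```routeros
# Added example, not from the thread. Interface lists (assumed names):
#   WAN     - both ISP ports, as already defined in the export
#   TRUSTED - the L3 interfaces of the Trunk, Server and LAN networks
#   GUEST   - the L3 interface of the Guest network
# Member names below are taken from the export; adjust them to whichever
# interface holds each VLAN's IP address.
/interface list
add name=TRUSTED
add name=GUEST
/interface list member
add list=TRUSTED interface=bTrunk
add list=TRUSTED interface=vServer
add list=TRUSTED interface=vLAN
add list=GUEST interface=vGuest

/ip firewall filter
# --- input: who may talk to the router itself ---
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=TRUSTED
# guests only get DHCP and DNS from the router; no Winbox, SSH or web UI
add chain=input action=accept in-interface-list=GUEST protocol=udp dst-port=67,53
add chain=input action=accept in-interface-list=GUEST protocol=tcp dst-port=53
add chain=input action=drop comment="default deny, includes everything from WAN"

# --- forward: traffic between networks ---
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# Trunk, Server and LAN may reach each other and the internet
add chain=forward action=accept in-interface-list=TRUSTED out-interface-list=TRUSTED
add chain=forward action=accept in-interface-list=TRUSTED out-interface-list=WAN
# Guest may only go out to the internet; NAS, LAN and Trunk stay unreachable
add chain=forward action=accept in-interface-list=GUEST out-interface-list=WAN
add chain=forward action=drop in-interface-list=GUEST comment="guest: internet only"
# anything not explicitly allowed above (including new connections from WAN)
add chain=forward action=drop comment="default deny"
```

The rules are order-sensitive: the export's own filter entries are all disabled, so these can simply be added, but any future "accept" must be placed above the two default-deny lines.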
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Find hostname between vlan

Sat Jul 10, 2021 5:50 pm

Concur, but I like to see the whole config as it shows where the OP's lack of knowledge is located and any obvious errors etc.
Also, drop the idea of using CAPsMAN, as that is an added layer of complexity for an advanced user, not for someone just doing their first major config.
Once you have mastered the basic config with VLANs and wifi, then decide if you really want to tackle CAPsMAN.
 
phitx
just joined
Topic Author
Posts: 7
Joined: Sun Mar 22, 2015 2:40 pm

Re: Find hostname between vlan

Mon Jul 12, 2021 8:52 am

Use this to configure.
viewtopic.php?f=23&t=143620

Thanks for the info, I will try it.
 
phitx
just joined
Topic Author
Posts: 7
Joined: Sun Mar 22, 2015 2:40 pm

Re: Find hostname between vlan

Mon Jul 12, 2021 10:40 am

First, a tip: you can export only the relevant part of your configuration by changing to that section of the CLI before giving the "export" command:
/interface vlan
export

Ok, thanks for the tip.

You are more likely to get help by asking specific questions about narrowly-focused areas of your configuration. As your question stands, it looks like "Please redesign my network configuration for me." I doubt you're going to have much luck with that short of engaging someone here as a paid consultant, and even then, they're still going to be asking you to provide specific answers to focused questions.

Even within the central MikroTik router, VLAN tags should suffice to apply the desired network features you speak of.

Allow traffic between Trunk - Server - LAN
Restrict guest traffic to the internet only

What problem are you having with this, exactly? I don't see any "/ip firewall filter" commands in your configuration mentioning the configured VLANs. Are you asking us to write these rules for you?


Sorry if my question is not clear.
For this part my questions are:
1. I connected the NAS to VLAN Server, and when I ping its hostname from VLAN user it fails. But if I ping the NAS's IP it replies.
2. Yes, I have not yet put in any IP firewall filter. I don't understand this part.

Once you have your basic setup working according to the CAPsMAN with VLANs guide, I believe all you need is to add IP firewall rules to the central router, the one the two APs forward their traffic to.

I don't see any particular advantage to using the CAPsMAN forwarding mode for a configuration like yours. You don't need a remote channel to another CAPsMAN based site, so the local forwarding mode should suffice. It has the advantage of letting you use non-MikroTik equipment on the inside of that network, since the traffic exiting the MT equipment can be VLAN-tagged, giving this other equipment enough information to do their own processing on the traffic.

I don't know whether using CAPsMAN is the right choice or not. I thought it was good for keeping things standard, since I use several APs with the same SSID and key.
That's also a question for me: whether to use CAPsMAN or not. That's why I need advice on my config.

I use 2 internet connection and make failover

A good configuration for that is documented here. I see only one "check-gateway" rule in your configuration. What problem are you having with this, exactly?
Last time I tried disconnecting the main link, I could not browse, but I could still ping 8.8.8.8 (or others).
Do I need other config to make sure my failover works well?

different channel for each SSID
Why would it matter that multiple clients are sharing the same channel under different SSIDs?

If you're trying to get more total bandwidth, realize that your neighbors are also trying to use those other channels. If you try to use all of the wifi channels yourself, you're likely to get worse performance as your WAPs continually fight over channel assignments with your neighbors.

There's only so much spectrum to be shared.

As I read, it says it is better to have different channels to minimize interference between SSIDs.
My situation: I put AP 2 on the lower floor and AP 1 on the upper floor.
And from some locations I can get the same signal from both APs. I think it causes interference.
Is it OK if I put them on the same channel, or is it better on different channels?



Other things I am still searching for references on are config for:
limiting time and access for kids' devices
splitting YouTube traffic to use a specific internet link
 
phitx
just joined
Topic Author
Posts: 7
Joined: Sun Mar 22, 2015 2:40 pm

Re: Find hostname between vlan

Mon Jul 12, 2021 10:42 am

Concur, but I like to see the whole config as it shows where the OP's lack of knowledge is located and any obvious errors etc.
Also, drop the idea of using CAPsMAN, as that is an added layer of complexity for an advanced user, not for someone just doing their first major config.
Once you have mastered the basic config with VLANs and wifi, then decide if you really want to tackle CAPsMAN.

Thanks for the advice, I will try not using CAPsMAN
and configure each AP manually.
But do you have tips to make a smooth connection while a user moves from AP1 to the area of AP2?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Find hostname between vlan

Mon Jul 12, 2021 1:01 pm

But do you have tips to make a smooth connection while a user moves from AP1 to the area of AP2?

Using CAPsMAN does not enhance the roaming experience. The only real benefit of using CAPsMAN is easier deployment of multiple CAPs with identical (or almost identical) configuration. There's a feature of CAPsMAN that affects performance (datapath property local-forwarding), but it mostly affects throughput (and mostly negatively); it doesn't affect mobility.

The essence is to have exactly the same wireless security configuration on all APs with the same SSID and to have all APs in the same L2 network segment (e.g. same VLAN) so that the same DHCP server services them all. In this case the service interruption will be the shortest possible when a client roams from one AP to another. Optimizing the roaming points (so that it happens in places not many users pass frequently) is a pretty complex task though and involves mostly micro-managing the radio parameters.

I guess the advice by @anav not to use CAPsMAN was due to the fact that CAPsMAN is not easy to get right initially (and causes its share of problems as well), and while you're having connectivity issues it's easier to troubleshoot a simpler setup. When you get your settings right with a simple setup (router, single AP, NAS, no CAPsMAN), you can go for CAPsMAN (for the second AP) and verify proper operation while keeping the first AP in stand-alone configuration for comparison. When you get CAPsMAN right, you can deploy the rest of the APs (including the first one) with CAPsMAN.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Find hostname between vlan

Mon Jul 12, 2021 4:46 pm

<------ what he said, more succinctly than I did :-)
 
tangent
Forum Guru
Posts: 1329
Joined: Thu Jul 01, 2021 3:15 pm

Re: Find hostname between vlan

Mon Jul 12, 2021 8:59 pm

when I ping its hostname from VLAN user it fails. But if I ping the NAS's IP it replies.

I don't see any static DNS entries for servers on your LAN, only "blackhole" type entries for ad servers and such.

If you're expecting dynamic DHCP leases to register their host names in the MikroTik DNS, that doesn't happen by default according to what I'm reading, but there's a script to provide that functionality.

I have not yet put in any IP firewall filter. I don't understand this part.

You're going to have to learn if you want your network to behave as described in your first post. Simply setting up VLANs doesn't tell the routers and APs how traffic moves (or does not) between VLANs. You have to tell it. Firewall rules are one way to accomplish that. Other things play into this as well, such as inter-VLAN static routing rules.

Last time I tried disconnecting the main link, I could not browse, but I could still ping 8.8.8.8 (or others).
Do I need other config to make sure my failover works well?

I gave you a link to a guide that shows one way to do this. Your existing configuration has failover half-configured, so of course it doesn't work.

As I read, it says it is better to have different channels to minimize interference between SSIDs.

In the ideal case where all channels are available to you, sure. If you have neighbors in WiFi range, though, you'll be contending for channels no matter what you do.

You tell us: are you lucky enough to have enough physical space around your WiFi installation that everything else is out of radio range? If so, then go wild and use as many channels as you want. If not, I doubt fiddling with this will make any appreciable difference.

I put AP 2 on the lower floor and AP 1 on the upper floor.

To a radio, a floor is just another type of obstacle, little different from a wall.

Don't get caught up in human notions like "floors" when placing your APs. Putting them in opposite corners of the ground floor might be better than putting them atop each other one floor apart, for example.
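The hostname question in the thread title, handled with a DHCP lease script that publishes each bound lease as a static DNS record and withdraws it when the lease ends: an added example, not the script tangent refers to and not from the thread. Paste it into the lease-script field of the dhcpLAN server (and of any other server whose clients should be resolvable); the zone home.lan and the comment tag are assumed. Because the hostname comes from the client, the script accepts only plain label characters and never touches a record it did not create, so a client cannot claim the NAS's name and redirect other users to itself.

```routeros
# Added example, not from the thread: DHCP lease-script that keeps
# /ip dns static in step with bound leases. RouterOS supplies leaseBound,
# leaseActIP, leaseActMAC and lease-hostname to every lease script.
:local zone "home.lan"
:local tag "dhcp-lease"
:local host $"lease-hostname"

# The hostname is client-supplied: accept only a plain DNS label
# (letters, digits, hyphen, 1-63 characters) before using it in a record.
:local allowed "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-"
:local ok true
:if ([:len $host] = 0 || [:len $host] > 63) do={ :set ok false }
:if ($ok) do={
    :for i from=0 to=([:len $host] - 1) do={
        :local c [:pick $host $i ($i + 1)]
        :if ([:typeof [:find $allowed $c]] = "nil") do={ :set ok false }
    }
}

:if ($ok) do={
    :local fqdn "$host.$zone"
    # Withdraw whatever this script previously published for this address
    # (handles a client that changed its hostname between leases).
    /ip dns static remove [find comment=$tag address=$leaseActIP]
    :if ($leaseBound = 1) do={
        # Any record still holding the name was made by hand or belongs to
        # another client: refuse rather than let this client take it over.
        :if ([:len [/ip dns static find name=$fqdn]] > 0) do={
            :log warning ("dhcp-dns: not registering " . $fqdn . " for " . $leaseActIP . " (" . $leaseActMAC . "): name already in use")
        } else={
            /ip dns static add name=$fqdn address=$leaseActIP comment=$tag ttl=1h
        }
    }
} else={
    :log info ("dhcp-dns: ignoring lease " . $leaseActIP . " with unusable hostname")
}
```

Clients only benefit if they query the router: the export's DHCP networks hand out 8.8.8.8 ahead of 192.168.100.62, so a client that asks Google first will never see these records.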
 
phitx
just joined
Topic Author
Posts: 7
Joined: Sun Mar 22, 2015 2:40 pm

Re: Find hostname between vlan

Wed Jul 28, 2021 10:39 am



Using CAPsMAN does not enhance the roaming experience. The only real benefit of using CAPsMAN is easier deployment of multiple CAPs with identical (or almost identical) configuration. There's a feature of CAPsMAN that affects performance (datapath property local-forwarding), but it mostly affects throughput (and mostly negatively); it doesn't affect mobility.

The essence is to have exactly the same wireless security configuration on all APs with the same SSID and to have all APs in the same L2 network segment (e.g. same VLAN) so that the same DHCP server services them all. In this case the service interruption will be the shortest possible when a client roams from one AP to another. Optimizing the roaming points (so that it happens in places not many users pass frequently) is a pretty complex task though and involves mostly micro-managing the radio parameters.

I guess the advice by @anav not to use CAPsMAN was due to the fact that CAPsMAN is not easy to get right initially (and causes its share of problems as well), and while you're having connectivity issues it's easier to troubleshoot a simpler setup. When you get your settings right with a simple setup (router, single AP, NAS, no CAPsMAN), you can go for CAPsMAN (for the second AP) and verify proper operation while keeping the first AP in stand-alone configuration for comparison. When you get CAPsMAN right, you can deploy the rest of the APs (including the first one) with CAPsMAN.

<------ what he said, more succinctly than I did :-)

Ok, thanks for the suggestion.




I don't see any static DNS entries for servers on your LAN, only "blackhole" type entries for ad servers and such.

If you're expecting dynamic DHCP leases to register their host names in the MikroTik DNS, that doesn't happen by default according to what I'm reading, but there's a script to provide that functionality.

Thanks, I have tested it and it is working.

I gave you a link to a guide that shows one way to do this. Your existing configuration has failover half-configured, so of course it doesn't work.

Can you give me the failover link that you mentioned above?

In the ideal case where all channels are available to you, sure. If you have neighbors in WiFi range, though, you'll be contending for channels no matter what you do.

You tell us: are you lucky enough to have enough physical space around your WiFi installation that everything else is out of radio range? If so, then go wild and use as many channels as you want. If not, I doubt fiddling with this will make any appreciable difference.

Ok, I get your point.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Find hostname between vlan

Wed Jul 28, 2021 3:00 pm

I hope to make a different channel for each SSID (right now all SSIDs still use the master wlan)

This cannot be done (on the same AP, same wlan).

/ip route
add check-gateway=ping distance=1 gateway=8.8.8.8 target-scope=30
add distance=1 gateway=192.168.1.1
add distance=2 gateway=192.168.2.1
add distance=1 dst-address=192.168.100.62/32 gateway=bLAN

If the routes are the same as in your previous export....

Fixed failover; paste this in the terminal without omitting the { }:
{
# set right DNSs
/ip dns set servers=1.1.1.1,8.8.8.8
/ip route
remove [find]
# previous present rule
add distance=1 dst-address=192.168.100.62/32 gateway=bLAN
# routing with failover
add comment="A - 1.1.1.1 must be reachable only from ISP1" distance=1 dst-address=1.1.1.1/32 gateway=192.168.1.1 scope=10
add comment="B - Recursive Routing, check ping 1.1.1.1 instead of ISP IP" distance=10 gateway=1.1.1.1 check-gateway=ping
add comment="C - ISP2 is alternative Gateway" distance=20 gateway=192.168.2.1
}
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Find hostname between vlan

Wed Jul 28, 2021 3:17 pm

A good configuration for that is documented here.

But... just do "my" A-B-C three-route failover, instead of filling the RouterBoard with useless rules.
For what?
If it's just failover (as written in the guide) what does everything else have to do with it?
