coliflower
newbie
Topic Author
Posts: 31
Joined: Mon Aug 21, 2017 1:10 pm

wAP-ac | new bridge solution | 6.41.x

Mon Feb 12, 2018 12:59 pm

Dear all,

I updated my wAP's to 6.41.2 and would like to configure them as best as possible to avoid mistakes, security leaks, bandwidth loss, etc ... to be honest, I was not successful to do it nor to find a perfect red-line-story / tutorial :-(

My target is to distribute some radios as vAP to connect un-tagged clients, eg: NAS, Notebooks, Smartphones, Tablets, IoT, etc...

On the (only one) ether1, there is a trunk with vlan1-un-tagged and some additional tagged-vlans (10,20,30,40,50,60,70,80,90).
All vlans are external (L3/Firewall) managed by GW, Routing, DHCP-Server, NTP, etc ... that works fine with 6.40.3.
vlan1 (un-tagged) is the administrative vlan only with network 10.0.100.0/24. In this network there are the L3/Firewall, some Switch and some wAP-ac.
vlan10 = 10.0.10.0/24
vlan20 = 10.0.20.0/24
etc.

Now, I would like to set-up a well working configuration :-)

I created a bridge with following setup:
  • ARP, enabled
  • IGMP Snooping, unchecked
  • Fast Forward, unchecked
  • Protocol mode, none
  • PVID = 1
  • VLAN Filtering, unchecked
  • DHCP-Client (on DHCP-Server as static / MAC "connected")
  • Bridge IP = 10.0.100.4

Now I added ether1 to the bridge via Port ...
Ether settings are:
  • PVID = 1
  • Frame Types = admit all
  • Ingress Filtering, unchecked
  • HW Offload, unchecked

Then I added wlan1 (2.4GHz) and wlan2 (5GHz) via bridge port with following configuration (these bridge ports are usually inactive to avoid to put my administrative vlan1 on the air):
  • Mode = ap bridge
  • WMM Support, enabled
  • Bridge Mode, enabled
  • VLAN Mode = no tag
  • VLAN ID = 1
  • Frame Types = admit all
  • Ingress Filtering, unchecked
  • HW Offload, unchecked

Now, if I connect with my MBP to the wlan2, then it sees some big bandwidth loss from (on average) approximately 700 Mbps (1,000) to 60 Mbps which makes me not that happy :-(

Is there any misconfiguration in my first step with only vlan1 on the air ?
Here some examples of OK and NOK:
OK.png
NOK.png

The second step, my main step, is to add vAP according to my VLANs ... but this, I maybe will describe after my bandwidth topic with vlan1 is solved ...

Any help is really very appreciated :-)

Have a nice day !!
 
sindy
Forum Guru
Posts: 5514
Joined: Mon Dec 04, 2017 9:19 pm

Re: wAP-ac | new bridge solution | 6.41.x

Wed Feb 21, 2018 11:30 pm

I cannot see how wireless speed could be related to bridge/switch configuration method. Do your printouts come from a tool which really measures the speed or it just analyses the negotiated modulation schemes and translates that into speed information? As it only shows Tx speed, and as the MCS (modulation coding scheme) index is also displayed there and differs between the two situations (software releases), I'd assume it is the second case. Mikrotik also constantly changes the wireless drivers between software releases. These changes usually lead to better speeds but it may not always be the case. I mean, it seems more likely to me that some other difference between 6.41.2 and your previous version than the bridge implementation is responsible for the wireless speed decrease between the versions. On the other hand, if the new bridge implementation is responsible, I'm afraid it does not depend on bridge configuration.

Check your wireless interface settings to see whether MCS index 7 is permitted at all.

As for the configuration, the VLAN ID related settings on the "/interface wireless" itself and the "/interface bridge port" binding are in a way duplicate to each other - when you set vlan-mode=no-tag on the wireless interface, the binding rule will ensure that tagless packets from the wireless interface will be tagged when getting to the bridge with that rule's pvid value; when you set vlan-mode=use-tag, the packets will get tagged already at the wireless interface so the pvid value of the binding rule becomes irrelevant for them on the way from wireless to bridge. I can imagine, however, that such setting may lead to frames from bridge binding's pvid being sent tagless from the bridge to the wireless interface along with those tagged with wireless interface's pvid (but I guess that a wireless interface with vlan-mode=use-tag ignores tagless packets coming from wired side so if this guess is correct, setting identical pvids at the binding and at the interface and setting vlan-mode=use-tag at the interface should break the bridge->wireless path).

For this part of configuration it doesn't matter whether the wireless interface is the physical one or a vAP, and you have to make each vAP a member port of the bridge individually - the fact that you've made the "physical" AP a member port of a bridge does not mean that vAPs running atop that physical AP will be connected to the same bridge.

As for the ingress filtering etc. settings, my guess is that they are only relevant for physical ports so it is not important how you set them for wireless interfaces.

You've written somewhere that you have created an /interface vlan with vlan-id=1; I believe it is not necessary because you can use directly the /interface bridge with pvid=1. I was even not sure whether the existence of /interface vlan doesn't cause some issue as it has the same MAC address as the bridge itself, so I've tested and it did make my router inaccessible.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
marrold
Member
Posts: 417
Joined: Wed Sep 04, 2013 10:45 am

Re: wAP-ac | new bridge solution | 6.41.x

Thu Feb 22, 2018 12:44 pm

Exports are easier to read than verbose text, please include them.
I'm a SIP / VoIP engineer. Feel free to ask questions...
 
coliflower
newbie
Topic Author
Posts: 31
Joined: Mon Aug 21, 2017 1:10 pm

Re: wAP-ac | new bridge solution | 6.41.x

Thu Feb 22, 2018 9:15 pm

Thank you very much you all to help me to understand and to find the red-line how to setup a wAP-ac correctly :-) !

What I did before I exported the settings, I deleted all /Interface VLAN ...
[91@MikroTik2] > /export hide-sensitive 
# feb/22/2018 20:02:21 by RouterOS 6.41.2
# software id = 738V-JEJW
#
# model = RouterBOARD wAP G-5HacT2HnD

/interface bridge
add admin-mac=64:D1:54:16:66:2D auto-mac=no fast-forward=no name=bridge.wAP2 protocol-mode=none

/interface ethernet
set [ find default-name=ether1 ] advertise=100M-half,100M-full,1000M-half,1000M-full name=ether-uplink.wAP2

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=WPA2-PSK-AES-CCM supplicant-identity=MikroTik

/interface wireless
set [ find default-name=wlan1 ] antenna-gain=2 band=2ghz-g/n country=austria disabled=no distance=indoors frequency=2472 mode=ap-bridge name=wAP2-2GHz security-profile=\
    WPA2-PSK-AES-CCM ssid=MikroTik2-2GHz wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled

set [ find default-name=wlan2 ] antenna-gain=2 area=Area-wAP2-5GHz band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country=austria disabled=no distance=indoors frequency=auto \
    mode=ap-bridge name=wAP2-5GHz scan-list=5150-5250 security-profile=WPA2-PSK-AES-CCM ssid=MikroTik2-5GHz wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled

add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=66:D1:54:16:66:12 master-interface=wAP2-2GHz multicast-buffering=disabled name=vAP2-10-KNX2 ssid=WBC-KNX2 \
    vlan-id=10 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled

add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=66:D1:54:16:66:15 master-interface=wAP2-5GHz multicast-buffering=disabled name=vAP2-10-KNX5 ssid=WBC-KNX5 \
    vlan-id=10 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled

add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=66:D1:54:16:66:22 master-interface=wAP2-2GHz multicast-buffering=disabled name=vAP2-20-HIFI2 ssid=WBC-HiFi2 \
    vlan-id=20 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled

add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=66:D1:54:16:66:25 master-interface=wAP2-5GHz multicast-buffering=disabled name=vAP2-20-HIFI5 ssid=WBC-HiFi5 \
    vlan-id=20 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled

add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=66:D1:54:16:66:32 master-interface=wAP2-2GHz multicast-buffering=disabled name=vAP2-30-DOM2 ssid=WBC-DOM2 \
    vlan-id=30 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled

add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=66:D1:54:16:66:35 master-interface=wAP2-5GHz multicast-buffering=disabled name=vAP2-30-DOM5 ssid=WBC-DOM5 \
    vlan-id=30 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled

add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=66:D1:54:16:66:42 master-interface=wAP2-2GHz multicast-buffering=disabled name=vAP2-40-NAS2 ssid=WBC-NAS2 \
    vlan-id=40 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled

add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=66:D1:54:16:66:45 master-interface=wAP2-5GHz multicast-buffering=disabled name=vAP2-40-NAS5 ssid=WBC-NAS5 \
    vlan-id=40 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled

add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=66:D1:54:16:66:52 master-interface=wAP2-2GHz multicast-buffering=disabled name=vAP2-50-MBP2 \
    security-profile=WPA2-PSK-AES-CCM ssid=WBC-MBP2 vlan-id=50 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled

add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=66:D1:54:16:66:55 master-interface=wAP2-5GHz multicast-buffering=disabled name=vAP2-50-MBP5 ssid=WBC-MBP5 \
    vlan-id=50 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled

add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=66:D1:54:16:66:62 master-interface=wAP2-2GHz multicast-buffering=disabled name=vAP2-60-CAM2 ssid=WBC-CAM2 \
    vlan-id=60 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled

add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=66:D1:54:16:66:65 master-interface=wAP2-5GHz multicast-buffering=disabled name=vAP2-60-CAM5 ssid=WBC-CAM5 \
    vlan-id=60 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled

add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=66:D1:54:16:66:72 master-interface=wAP2-2GHz multicast-buffering=disabled name=vAP2-70-KIND2 ssid=WBC-KIND2 \
    vlan-id=70 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled

add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=66:D1:54:16:66:75 master-interface=wAP2-5GHz multicast-buffering=disabled name=vAP2-70-KIND5 ssid=WBC-KIND5 \
    vlan-id=70 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled

add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=66:D1:54:16:66:82 master-interface=wAP2-2GHz multicast-buffering=disabled name=vAP2-80-GAST2 ssid=WBC-GAST2 \
    vlan-id=80 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled

add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=66:D1:54:16:66:85 master-interface=wAP2-5GHz multicast-buffering=disabled name=vAP2-80-GAST5 ssid=WBC-GAST5 \
    vlan-id=80 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled

add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=66:D1:54:16:66:92 master-interface=wAP2-2GHz multicast-buffering=disabled name=vAP2-90-EXT2 ssid=WBC-EXT2 \
    vlan-id=90 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled

add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=66:D1:54:16:66:95 master-interface=wAP2-5GHz multicast-buffering=disabled name=vAP2-90-EXT5 ssid=WBC-EXT5 \
    vlan-id=90 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 pfs-group=modp2048

/queue interface
set wAP2-2GHz queue=only-hardware-queue
set wAP2-5GHz queue=only-hardware-queue

/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
add addresses=0.0.0.0/0 encryption-protocol=AES name=name security=security

/interface bridge port
add bridge=bridge.wAP2 hw=no interface=ether-uplink.wAP2
add bridge=bridge.wAP2 disabled=yes interface=wAP2-2GHz
add bridge=bridge.wAP2 disabled=yes interface=wAP2-5GHz
add bridge=bridge.wAP2 disabled=yes frame-types=admit-only-vlan-tagged interface=vAP2-10-KNX2 pvid=10
add bridge=bridge.wAP2 disabled=yes frame-types=admit-only-vlan-tagged interface=vAP2-10-KNX5 pvid=10
add bridge=bridge.wAP2 disabled=yes frame-types=admit-only-vlan-tagged interface=vAP2-20-HIFI2 pvid=20
add bridge=bridge.wAP2 disabled=yes frame-types=admit-only-vlan-tagged interface=vAP2-20-HIFI5 pvid=20
add bridge=bridge.wAP2 disabled=yes frame-types=admit-only-vlan-tagged interface=vAP2-30-DOM2 pvid=30
add bridge=bridge.wAP2 disabled=yes frame-types=admit-only-vlan-tagged interface=vAP2-30-DOM5 pvid=30
add bridge=bridge.wAP2 disabled=yes frame-types=admit-only-vlan-tagged interface=vAP2-40-NAS2 pvid=40
add bridge=bridge.wAP2 disabled=yes frame-types=admit-only-vlan-tagged interface=vAP2-40-NAS5 pvid=40
add bridge=bridge.wAP2 disabled=yes frame-types=admit-only-vlan-tagged interface=vAP2-50-MBP2 pvid=50
add bridge=bridge.wAP2 disabled=yes frame-types=admit-only-vlan-tagged interface=vAP2-50-MBP5 pvid=50
add bridge=bridge.wAP2 disabled=yes frame-types=admit-only-vlan-tagged interface=vAP2-60-CAM2 pvid=60
add bridge=bridge.wAP2 disabled=yes frame-types=admit-only-vlan-tagged interface=vAP2-60-CAM5 pvid=60
add bridge=bridge.wAP2 disabled=yes frame-types=admit-only-vlan-tagged interface=vAP2-70-KIND2 pvid=70
add bridge=bridge.wAP2 disabled=yes frame-types=admit-only-vlan-tagged interface=vAP2-70-KIND5 pvid=70
add bridge=bridge.wAP2 disabled=yes frame-types=admit-only-vlan-tagged interface=vAP2-80-GAST2 pvid=80
add bridge=bridge.wAP2 disabled=yes frame-types=admit-only-vlan-tagged interface=vAP2-80-GAST5 pvid=80
add bridge=bridge.wAP2 disabled=yes frame-types=admit-only-vlan-tagged interface=vAP2-90-EXT2 pvid=90
add bridge=bridge.wAP2 disabled=yes frame-types=admit-only-vlan-tagged interface=vAP2-90-EXT5 pvid=90

/interface bridge vlan
add bridge=bridge.wAP2 untagged=bridge.wAP2,wAP2-2GHz,wAP2-5GHz vlan-ids=1
add bridge=bridge.wAP2 tagged=bridge.wAP2 untagged=vAP2-10-KNX2,vAP2-10-KNX5 vlan-ids=10
add bridge=bridge.wAP2 tagged=bridge.wAP2 untagged=vAP2-20-HIFI2,vAP2-20-HIFI5 vlan-ids=20
add bridge=bridge.wAP2 tagged=bridge.wAP2 untagged=vAP2-30-DOM2,vAP2-30-DOM5 vlan-ids=30
add bridge=bridge.wAP2 tagged=bridge.wAP2 untagged=vAP2-40-NAS2,vAP2-40-NAS5 vlan-ids=40
add bridge=bridge.wAP2 tagged=bridge.wAP2 untagged=vAP2-50-MBP2,vAP2-50-MBP5 vlan-ids=50
add bridge=bridge.wAP2 tagged=bridge.wAP2 untagged=vAP2-60-CAM2,vAP2-60-CAM5 vlan-ids=60
add bridge=bridge.wAP2 tagged=bridge.wAP2 untagged=vAP2-70-KIND2,vAP2-70-KIND5 vlan-ids=70
add bridge=bridge.wAP2 tagged=bridge.wAP2 untagged=vAP2-80-GAST2,vAP2-80-GAST5 vlan-ids=80
add bridge=bridge.wAP2 tagged=bridge.wAP2 untagged=vAP2-90-EXT2,vAP2-90-EXT5 vlan-ids=90

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge.wAP2

/ip service
set www disabled=yes
set www-ssl certificate=MikroTik2 disabled=no
set api disabled=yes
set api-ssl certificate=MikroTik2

/ip smb
set domain=localdomain

/system clock
set time-zone-name=Europe/Vienna

/system clock manual
set time-zone=+01:00

/system identity
set name=MikroTik2

/system leds
set 0 interface=wAP2-2GHz
set 1 interface=wAP2-5GHz

/system ntp client
set enabled=yes primary-ntp=10.0.100.1 secondary-ntp=10.0.100.1
 
sindy
Forum Guru
Posts: 5514
Joined: Mon Dec 04, 2017 9:19 pm

Re: wAP-ac | new bridge solution | 6.41.x

Thu Feb 22, 2018 10:00 pm

> ... to find the red-line how to setup a wAP-ac correctly :-) !
Off topic, what is the etymology and meaning of red line in this context? Is it an English idiom, a German one, or Wienerisch?
 
coliflower
newbie
Topic Author
Posts: 31
Joined: Mon Aug 21, 2017 1:10 pm

Re: wAP-ac | new bridge solution | 6.41.x

Thu Feb 22, 2018 10:09 pm

red-line is "der rote Faden" a tutorial / how-to ... the way to achieve the goal :-)
In English I think "story-line" ...
 
coliflower
newbie
Topic Author
Posts: 31
Joined: Mon Aug 21, 2017 1:10 pm

Re: wAP-ac | new bridge solution | 6.41.x

Sat Feb 24, 2018 4:45 pm

Hello Sindy,

> Check your wireless interface settings to see whether MCS index 7 is permitted at all.
HT Supported MCS are all checked from 0 to 23.
HT Basic MCS are checked from 0 to 7

> ... when you set vlan-mode=no-tag on the wireless interface, the binding rule will ensure that tagless packets from the wireless interface will be tagged when getting to the bridge with that rule's pvid value;
With "no-tag" I am able to connect with my MacBook to the vAP by wireless (with "use-tag" I am not ...).
To be sure, your explanation means: data-packets un-tagged sent out from my MacBook (wireless-client) through the radio to the vAP50-interface (as a kind of "access-port") where tagless data-packets get their tags with e.g. VLAN ID 50 because of, the PVID is set to 50 ... These now tagged data-packets are forwarded from this port, through the bridge to the ether-port on which a trunk-cable is connected to ... And vice-versa ?



Bridge-Port Settings of vAP ...
> As for the ingress filtering etc. settings, my guess is that they are only relevant for physical ports so it is not important how you set them for wireless interfaces.
If I look to the "Bridge VLAN Filtering" here:
https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
/interface bridge port
pvid means "Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to"
Doesn't that mean, if the pvid is set to 50 on this port, that, if the untagged ingress traffic comes from my MacBook to the vAP50-interface (port) where pvid=50 is set to tag data-packets is not relevant ... ONLY in case of wired connections ?
PVID requires a value ... If I set 1 instead of 50 what does that causes or is that also irrelevant because not linked in case of wireless ports ?
Is there someone who is able to answer it by 100% ?

> You've written somewhere that you have created an /interface vlan with vlan-id=1; I believe it is not necessary because you can use directly the /interface bridge with pvid=1. I was even not sure whether the existence of /interface vlan doesn't cause some issue as it has the same MAC address as the bridge itself, so I've tested and it did make my router inaccessible.
You are right with the same MAC ...
The vlan1 is dynamically created after Bridge Filtering is activated ...
 
sindy
Forum Guru
Posts: 5514
Joined: Mon Dec 04, 2017 9:19 pm

Re: wAP-ac | new bridge solution | 6.41.x

Sat Feb 24, 2018 7:11 pm

> Hello Sindy,
>> Check your wireless interface settings to see whether MCS index 7 is permitted at all.
> HT Supported MCS are all checked from 0 to 23.
> HT Basic MCS are checked from 0 to 7
In this case, if you still systematically cannot get higher than MCS#1/79 Mbit/s on Tx, the issue is not that the MCS would not be permitted but rather that there is some issue in MCS negotiation between the Mikrotik and the particular device.

>> ... when you set vlan-mode=no-tag on the wireless interface, the binding rule will ensure that tagless packets from the wireless interface will be tagged when getting to the bridge with that rule's pvid value;
> With "no-tag" I am able to connect with my MacBook to the vAP by wireless (with "use-tag" I am not ...).
> To be sure, your explanation means: data-packets un-tagged sent out from my MacBook (wireless-client) through the radio to the vAP50-interface (as a kind of "access-port") where tagless data-packets get their tags with e.g. VLAN ID 50 because of, the PVID is set to 50 ... These now tagged data-packets are forwarded from this port, through the bridge to the ether-port on which a trunk-cable is connected to ... And vice-versa ?
I believe so. But what surprises me is that if you set vlan-mode=use-tag and vlan-id=N already at the wireless interface, it does not work. I admit that I use this in cAPsMAN wireless access list (where certain clients on the same AP with the same SSID get individual WPA passphrases and are placed into a "VIP" VLAN), so maybe it behaves properly in this case and weird if you set it up on a "directly controlled" wireless interface (i.e. without cAPsMAN).

The 802.11 protocol family does not support VLANs so yes, all frames coming from the air are tagless and only get tagged at the "wired side of the wireless chip", while tagged frames coming from the wire are untagged before being forwarded to the "wireless side".

> Bridge-Port Settings of vAP ...
>> As for the ingress filtering etc. settings, my guess is that they are only relevant for physical ports so it is not important how you set them for wireless interfaces.
> If I look to the "Bridge VLAN Filtering" here:
> https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
> /interface bridge port
> pvid means "Port VLAN ID (pvid) specifies which VLAN the untagged ingress traffic is assigned to"
> Doesn't that mean, if the pvid is set to 50 on this port, that, if the untagged ingress traffic comes from my MacBook to the vAP50-interface (port) where pvid=50 is set to tag data-packets is not relevant ... ONLY in case of wired connections ?
> PVID requires a value ... If I set 1 instead of 50 what does that causes or is that also irrelevant because not linked in case of wireless ports ?
> Is there someone who is able to answer it by 100% ?
I think that that guy's name is Herr Experiment :-)

My understanding is that if you configure "/interface bridge port"'s pvid to N, then tagless packets coming from the wireless chip are getting tagged with VLAN ID N when entering the bridge, and packets tagged with VLAN ID N are getting untagged on egress from the bridge towards the wireless chip.

The problem is that when using cAPsMAN, you choose the bridge to which the wireless chip should be connected in the cAPsMAN's configuration for that wireless interface, so the "/interface bridge port" rule is created "autodynamically" from that configuration. When you configure wireless/virtual interfaces directly, you can choose a bridge for the WDS mode in the interface configuration, but you have to create manually the rule in "/interface bridge port" to bind the "basic" part of the interface (in your case, the AP) to a bridge.

So at least when using cAPsMAN, it is irrelevant where you set the VLAN ID you want your wireless packets to be tagged with at the ethernet trunk:
  1. you can set the correct ID already in the "/interface wireless" or "/interface virtual" configuration together with "vlan-mode=use-tag", and in that case, the rule in "/interface bridge port" should have a different pvid value and the frames will be tagged/untagged by the software handling the wired side of the wireless chip (this is the way "VIP" clients are treated),
  2. or you can configure the "/interface wireless" or "/interface virtual" with "vlan-mode=no-tag", and in that case, the pvid value of the rule in "/interface bridge port" decides which VLAN ID the frames coming from the wireless chip will be tagged with while entering the bridge (which is the way my "ordinary" wireless clients are treated except that the rule is created autodynamically).
But I also assume that if vlan-mode in the "/interface wireless(virtual)" configuration is set to use-tag, tagless packets coming from the bridge are ignored. So if you use vlan-mode=use-tag in the wireless configuration and set the same VLAN ID both as vlan-id in the wireless configuration and as pvid in the "/interface bridge port" rule, the frame coming from the bridge gets untagged by the binding rule and then ignored by the wired side of the wireless chip.

>> You've written somewhere that you have created an /interface vlan with vlan-id=1; I believe it is not necessary because you can use directly the /interface bridge with pvid=1. I was even not sure whether the existence of /interface vlan doesn't cause some issue as it has the same MAC address as the bridge itself, so I've tested and it did make my router inaccessible.
> You are right with the same MAC ...
> The vlan1 is dynamically created after Bridge Filtering is activated ...
Wait, that's another thing. There is a certain type of virtual interface called "vlan", whose parameters are the bridge to which its tagged side is connected and the VLAN ID which it interfaces to its tagless side. And such interface is never created dynamically AFAIK. What does get created dynamically is a row in the "/interface bridge vlan" table if vlan-filtering is set to yes on the bridge and
  • some "/interface bridge port" rule, static or dynamic, exists with pvid set to that VLAN ID
  • or some /interface vlan exists and its configuration refers to the bridge and its vlan-id is set to that VLAN ID,
  • or the bridge itself's pvid is set to that VLAN ID
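
Added example (not part of any post in this thread, and not MikroTik tooling): a Python audit that parses `/export`-style text and classifies each wireless bridge port by where its VLAN tag is applied, flagging the combination sindy describes above (vlan-mode=use-tag with vlan-id equal to the bridge port's pvid). The export excerpt is constructed and shortened from the style of the one posted in the thread, the function names are hypothetical, and the defaults used for omitted parameters (vlan-mode=no-tag, vlan-id=1, pvid=1) are assumptions; the script only detects the combination, it does not prove sindy's assumption that it breaks the bridge-to-wireless path.

```python
import re
import shlex

# Constructed, shortened excerpt in the style of the export posted above.
SAMPLE_EXPORT = r"""
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge name=wAP2-2GHz ssid=MikroTik2-2GHz
add master-interface=wAP2-2GHz name=vAP2-10-KNX2 ssid=WBC-KNX2 \
    vlan-id=10 vlan-mode=use-tag
add master-interface=wAP2-2GHz name=vAP2-50-MBP2 ssid=WBC-MBP2 \
    vlan-id=50 vlan-mode=no-tag
add master-interface=wAP2-2GHz name=vAP2-80-GAST2 ssid=WBC-GAST2 \
    vlan-id=80 vlan-mode=use-tag
/interface bridge port
add bridge=bridge.wAP2 interface=ether-uplink.wAP2
add bridge=bridge.wAP2 interface=wAP2-2GHz
add bridge=bridge.wAP2 interface=vAP2-10-KNX2 pvid=10
add bridge=bridge.wAP2 interface=vAP2-50-MBP2 pvid=50
add bridge=bridge.wAP2 interface=vAP2-80-GAST2 pvid=1
"""


def parse_export(text):
    """Return {section: [{param: value}, ...]} for the add/set lines of an export."""
    # Exports wrap long lines with a trailing backslash, sometimes mid-token.
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        tokens = shlex.split(line)
        if tokens[0] not in ("add", "set"):
            continue
        params, depth = {}, 0
        for tok in tokens[1:]:
            if tok == "[":            # start of a "[ find ... ]" selector
                depth += 1
            elif tok == "]":
                depth -= 1
            elif depth == 0 and "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
        sections[current].append(params)
    return sections


def classify_ports(sections):
    """Map each wireless bridge port to (where the tag is applied, VLAN ID)."""
    wireless = {w["name"]: w
                for w in sections.get("/interface wireless", []) if "name" in w}
    result = {}
    for port in sections.get("/interface bridge port", []):
        name = port.get("interface")
        w = wireless.get(name)
        if w is None:
            continue                  # not a wireless port, e.g. the uplink
        mode = w.get("vlan-mode", "no-tag")      # assumed default
        vlan_id = int(w.get("vlan-id", 1))       # assumed default
        pvid = int(port.get("pvid", 1))          # assumed default
        if mode != "use-tag":
            result[name] = ("bridge-pvid", pvid)         # sindy's option 2
        elif vlan_id != pvid:
            result[name] = ("wireless-vlan-id", vlan_id)  # sindy's option 1
        else:
            result[name] = ("conflict", vlan_id)  # same ID set in both places
    return result


def find_tag_conflicts(sections):
    """Ports where use-tag and an identical pvid are both configured."""
    return sorted(n for n, (kind, _) in classify_ports(sections).items()
                  if kind == "conflict")


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    for name, (kind, vlan) in classify_ports(parsed).items():
        print(f"{name:16} {kind:18} vlan {vlan}")
    print("conflicts:", find_tag_conflicts(parsed))
```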
