
Bridged vlan on physical interfaces to the new (vlan bridge filtering)

Posted: Thu Aug 29, 2019 11:51 am
by ZiadZone
Hello Guys

In my past (legacy) configuration of VLANs with a bridge setup, my primary goal was to do L2 isolation between the connected APs (Nanostation M2) with VLANs.
Now I want to move my configuration to the new approach (6.41+ bridge VLAN with vlan-filtering).

I've been searching for a topic discussing a scenario similar to the one I'm looking at, but I couldn't find one. If there is one, please point me there.

My basic configuration is as follows:

1- Create vlan1, vlan2, vlan3 ... and assign them to the ether5 physical interface on my CCR router
/interface vlan add name=vlan1 vlan-id=11 interface=ether5
/interface vlan add name=vlan2 vlan-id=12 interface=ether5
...

2- Create bridge1 interface

3- Create bridge1 ports and do L2 isolation with (horizon: 1) for all vlans.
/interface bridge port add interface=vlan1 bridge=bridge1 horizon=1
/interface bridge port add interface=vlan2 bridge=bridge1 horizon=1
...

and finally I create a /24 subnet IP address, a DHCP server and a hotspot server for the bridge1 interface.
So basically it's a one-subnet LAN with one bridge interface and one DHCP server for the whole network.

Such a configuration is not considered the right way of doing bridge VLANs, as noted in this wiki:
https://wiki.mikrotik.com/wiki/Manual:L ... interfaces

as it may cause low throughput as well as inaccessibility, which seems to happen from time to time but not so often.

The problem is that the solution explained there cannot be applied in my case.
I don't think I will create 40 hotspot servers with 40 DHCP servers for the 40 VLAN interfaces :? (I do have 40 APs at the moment.)

Can anyone guide me in moving my setup to the new way of bridge VLAN with vlan-filtering?

Thank you

Re: Bridged vlan on physical interfaces to the new (vlan bridge filtering)

Posted: Thu Aug 29, 2019 1:00 pm
by ZiadZone
What I did, following the solution provided in the wiki URL mentioned above, was the following:

/interface bridge
add name=bridge1 protocol-mode=none

/interface bridge port
add bridge=bridge1 interface=ether5

/interface bridge vlan
add bridge=bridge1 tagged=ether5,bridge1 vlan-ids=11,12,13,14

/interface vlan
add name=vlan1 interface=bridge1 vlan-id=11
add name=vlan2 interface=bridge1 vlan-id=12
add name=vlan3 interface=bridge1 vlan-id=13
add name=vlan4 interface=bridge1 vlan-id=14

/interface bridge set bridge1 vlan-filtering=yes

/ip address add address=10.101.0.1/24 interface=bridge1 network=10.101.0.0
/ip dhcp-server add address-pool=dhcp-pool interface=bridge1 name=dhcp1
/ip dhcp-server network ...

Now if I try to connect to the access point, I can't get an IP address from the DHCP server.
But if I assign the subnet address (10.101.0.1/24) and the DHCP server to, say, the vlan1 interface, it works.

So how can I make it work on the bridge1 interface?

Re: Bridged vlan on physical interfaces to the new (vlan bridge filtering)

Posted: Thu Aug 29, 2019 2:12 pm
by anav
I don't recall seeing VLANs being assigned subnets by the bridge vice having their own specific DHCP settings?
Which example in the VLAN thread/reference shows that??

Re: Bridged vlan on physical interfaces to the new (vlan bridge filtering)

Posted: Thu Aug 29, 2019 2:50 pm
by ZiadZone
Hi anav, yes, that's the point. I want to do it the right way.

If I have 40 or 50 VLANs,
well, I have to stick to the way of creating DHCP, hotspot and NAT for each VLAN interface, and maybe doing QoS?
Like I said, the main point is to do L2 isolation between APs (a VLAN for each AP).

Re: Bridged vlan on physical interfaces to the new (vlan bridge filtering)

Posted: Thu Aug 29, 2019 3:29 pm
by mkx
Conceptually, VLANs are almost like separate LANs. They separate devices on the L2 (Ethernet) level.
If, on the other hand, you want to have those devices in the same L2 domain (because you want to use a single DHCP server, which is an L2/L3 service and serves IP addresses from a single L3 domain (IP subnet)), then you have to join those L2 domains into a single domain ... where you lose all the separation offered by deploying VLANs.

What you can do is some abuse (I've never tested it, so it might or might not work): create another bridge and make all VLAN interfaces members of that bridge. Then set the horizon property on these bridge ports. Bind the IP address and DHCP server to this abused bridge. Which is more or less the same as what you have now, but with an additional bridge ;-)

Having this kind of setup (all APs members of the same "top-most" L2 domain) helps with client mobility (if adjacent APs emit the same SSID and clients are allowed/supposed to roam between APs).

Re: Bridged vlan on physical interfaces to the new (vlan bridge filtering)

Posted: Thu Aug 29, 2019 11:31 pm
by sindy
I think the first thing is to understand why the APs should be isolated from each other, as it is an unusual requirement.

What @mkx says is important - by having all APs (or the same SSIDs on all APs) in the same VLAN, you let the clients roam from AP to AP without losing their IP addresses, which is how most admins configure their networks.

One thing which comes to my mind - whilst two clients associated to the same AP cannot send frames to each other if the AP is set to prevent this, two clients associated to different APs which are interconnected transparently at L2 can send frames to each other regardless of the APs being set to block client-to-client forwarding. But this is easily resolved using bridge horizon, where all bridge ports can forward traffic to one "uplink" port but not to any other one.

Re: Bridged vlan on physical interfaces to the new (vlan bridge filtering)

Posted: Thu Aug 29, 2019 11:51 pm
by mkx
... two clients associated to different APs which are interconnected transparently at L2 can send frames to each other regardless of the APs being set to block client-to-client forwarding. But this is easily resolved using bridge horizon, where all bridge ports can forward traffic to one "uplink" port but not to any other one.

My guess (I'm feeling adventurous tonight) is that the OP wants to connect his 40 to 50 APs to an RB with slightly fewer physical ports, which makes using bridge horizon on physical ports impractical. So the OP will use some switch(es) without any advanced features (might even be simple dumb switches) and is looking for some other way to block inter-AP connections.

Re: Bridged vlan on physical interfaces to the new (vlan bridge filtering)

Posted: Fri Aug 30, 2019 10:49 am
by ZiadZone
What you can do is some abuse (I've never tested it, so it might or might not work): create another bridge and make all VLAN interfaces members of that bridge. Then set the horizon property on these bridge ports. Bind the IP address and DHCP server to this abused bridge. Which is more or less the same as what you have now, but with an additional bridge ;-)
Hi mkx, thanks for your input. This is exactly what I did: isolating VLAN ports by horizon value. But again, doing what I did is not what MikroTik support suggests for dealing with bridge VLANs, as noted in the wiki URL in my post, and I want to do it with bridge VLAN and vlan-filtering (6.41+), as this is how it should be done now.
What @mkx says is important - by having all APs (or the same SSIDs on all APs) in the same VLAN, you let the clients roam from AP to AP without losing their IP addresses, which is how most admins configure their networks.
Thanks sindy, glad for your input. By AP isolation I mean L2 isolation (a horizon value on all VLAN ports in the bridge, which acts as the DHCP server), hence all clients will stay within the same IP address range.

whilst two clients associated to the same AP cannot send frames to each other if the AP is set to prevent this
Sure, the AP comes with a built-in isolation feature that will prevent all connected hosts from talking to each other within that AP, but with the horizon feature MikroTik will block talking between all connected APs.


What I can say is that I totally agree with you all, guys: doing L2 isolation with bridge VLAN in such a way is not how VLANs are supposed to be configured,
and while doing further research I came to a solution where I will get another MikroTik that will be dedicated to port isolation, either with bridge VLAN or at the switch chip hardware level.

Just like in this topology

(internet) ---------- (CCR1009 as Hotspot server) ---------- (RB2011 for port isolation and dhcp server) ----------- (switch) ------------ (APs)

I did a complete test yesterday and it worked, so in this way I will keep the CCR1009 as the hotspot server with one physical interface, and the RB2011 will contain all VLANs with all subnets, and with static routes between the two MikroTiks everything worked as it should :)

Re: Bridged vlan on physical interfaces to the new (vlan bridge filtering)

Posted: Fri Aug 30, 2019 11:08 am
by sindy
Well, to my understanding vlan-filtering and bridge port isolation are more or less orthogonal features, so there is no reason why you could not use both at the same time if that makes sense. So, e.g., each AP is connected to its own port on the switch, with three SSIDs, each of them on all APs and in its own VLAN network-wide. Then you can still use three /interface vlan on the CRS to attach the IP configurations for the SSIDs to, and still use port isolation to prevent frames from leaking from one AP to another. In this case, vlan-filtering may be used to have one of the VLANs on each AP-facing port tagless, or even have one of them tagless on the bridge itself.

Of course you need to know what you are doing if you combine these features. There are many other situations when you can create mysterious malfunctions by combining features - e.g. if you use MSTP and the VLANs permitted on trunk ports are not aligned with the VLANs permitted in MSTP instances using these trunk ports.
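The combination sindy describes, written out as an added RouterOS example (not from any post in this thread): one bridge with vlan-filtering for three SSID VLANs plus horizon=1 on every AP-facing port so the bridge never forwards frames from one AP to another, only to the CPU. The port names (ether2-ether4), VLAN IDs, subnets and pool names are assumptions for illustration.

```routeros
# Added example, not the thread's own config. Port names, VLAN IDs, subnets
# and pool names are assumed. Filtering is enabled last, once the VLAN table
# is complete, so management access is not cut off half-way.
/interface bridge
add name=bridge1 vlan-filtering=no protocol-mode=none

# ether2..ether4 each face one AP. horizon=1 on all AP ports means the bridge
# will not forward frames between them; frames still reach the CPU (bridge1).
# pvid=10 makes VLAN 10 the tagless (untagged) VLAN on each AP port.
/interface bridge port
add bridge=bridge1 interface=ether2 horizon=1 pvid=10
add bridge=bridge1 interface=ether3 horizon=1 pvid=10
add bridge=bridge1 interface=ether4 horizon=1 pvid=10

# VLAN table: SSID-A (10) untagged on the AP ports, SSID-B (20) and SSID-C (30)
# tagged. bridge1 is tagged on all three so /interface vlan can terminate them.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether2,ether3,ether4
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether2,ether3,ether4
add bridge=bridge1 vlan-ids=30 tagged=bridge1,ether2,ether3,ether4

# One L3 interface per SSID VLAN, each with its own subnet, pool and DHCP server.
/interface vlan
add name=vlan10-ssidA interface=bridge1 vlan-id=10
add name=vlan20-ssidB interface=bridge1 vlan-id=20
add name=vlan30-ssidC interface=bridge1 vlan-id=30

/ip address
add address=10.10.0.1/24 interface=vlan10-ssidA
add address=10.20.0.1/24 interface=vlan20-ssidB
add address=10.30.0.1/24 interface=vlan30-ssidC

/ip pool
add name=pool10 ranges=10.10.0.10-10.10.0.254
add name=pool20 ranges=10.20.0.10-10.20.0.254
add name=pool30 ranges=10.30.0.10-10.30.0.254

/ip dhcp-server
add name=dhcp10 interface=vlan10-ssidA address-pool=pool10 disabled=no
add name=dhcp20 interface=vlan20-ssidB address-pool=pool20 disabled=no
add name=dhcp30 interface=vlan30-ssidC address-pool=pool30 disabled=no
/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.1
add address=10.20.0.0/24 gateway=10.20.0.1
add address=10.30.0.0/24 gateway=10.30.0.1

# Enable filtering only after the VLAN table above is in place.
/interface bridge set bridge1 vlan-filtering=yes
```

Clients on different APs in the same VLAN still get addresses from the same subnet (so roaming keeps the IP), but the horizon setting stops the bridge from switching frames between AP ports; traffic between them can only happen via the router's L3 path, where firewall rules apply.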

Re: Bridged vlan on physical interfaces to the new (vlan bridge filtering)

Posted: Fri Aug 30, 2019 11:48 am
by ZiadZone
Well, to my understanding vlan-filtering and bridge port isolation are more or less orthogonal features, so there is no reason why you could not use both at the same time if that makes sense. So, e.g., each AP is connected to its own port on the switch, with three SSIDs, each of them on all APs and in its own VLAN network-wide. Then you can still use three /interface vlan on the CRS to attach the IP configurations for the SSIDs to, and still use port isolation to prevent frames from leaking from one AP to another. In this case, vlan-filtering may be used to have one of the VLANs on each AP-facing port tagless, or even have one of them tagless on the bridge itself.
No doubt what you said is 100% correct. I like to keep my router configs following the standards of VLAN concepts rather than doing a misconfiguration like the one described by MikroTik support, so with vlan-filtering and with assigning an SSID with an IP subnet and DHCP for every VLAN, everything will work as it should.

The main issue is that having so many hotspot servers (50 hotspot servers), one for every VLAN interface, is not practical in my case, so I found the solution of adding another router (R2) that will do port isolation and DHCP server for all VLANs and works behind the hotspot server (R1).

In this way I need only one physical interface for the hotspot server (R1), and with static routes between R1 and R2 traffic will flow smoothly, and I will keep the configuration as clean and precise as possible (better than building that whole complex setup in one box).

Re: Bridged vlan on physical interfaces to the new (vlan bridge filtering)

Posted: Sun Oct 18, 2020 6:39 am
by dpsguard
@ZiadZone, can you please elaborate a bit more on your final solution? I am trying to achieve the same results. Please see my post viewtopic.php?f=2&t=167456&p=823272#p823272; I would love to know how you achieved isolation by using two routers. Thanks