Hitchman
just joined
Topic Author
Posts: 1
Joined: Wed Feb 12, 2020 10:05 pm

Need your help with bridge+multiple ssid per vlan+vlan filtering

Wed Feb 12, 2020 11:09 pm

Hello folks

I kindly ask for your help with the correct configuration. I am very confused. For me it is pretty hard to switch from the Cisco to the MikroTik VLAN concept.

I have a cAP ac as an access point (ap bridge) and want to create two SSIDs fully isolated by VLANs (2, 5), even at the PVID (I mean native VLAN) level.
I am also going to separate the management interface just by assigning an IP address directly on the physical ethernet1 interface.

[Image: target network scheme]

In other words, I need to achieve L2 isolation of all three entities from each other and permit L2/L3 access to the AP only through the management interface (ethernet1). I also want to enable the VLAN filtering feature.

My steps:
1. Create VLAN interface
/interface vlan
add interface=ether1 name=ether1-vlan2 vlan-id=2
add interface=ether1 name=ether1-vlan5 vlan-id=5

2. Create Bridges
/interface bridge
add ingress-filtering=yes name=bridge-camera pvid=5 vlan-filtering=yes
add auto-mac=no frame-types=admit-all name=bridge-main pvid=2 vlan-filtering=yes

3. Add ports to my 2 bridges
/interface bridge port
add bridge=bridge-main frame-types=admit-all ingress-filtering=yes interface=wlan-vlan2-2ghz pvid=2
add bridge=bridge-main frame-types=admit-all ingress-filtering=yes interface=ether1-vlan2 pvid=2
add bridge=bridge-camera frame-types=admit-all ingress-filtering=yes interface=ether1-vlan5 pvid=5
add bridge=bridge-camera frame-types=admit-all ingress-filtering=yes interface=wlan-vlan5-2ghz pvid=5

4. Fill bridge VLAN rules
/interface bridge vlan
add bridge=bridge-main tagged=ether1-vlan2 untagged=wlan-vlan2-2ghz vlan-ids=2
add bridge=bridge-camera tagged=ether1-vlan5 untagged=wlan-vlan5-2ghz vlan-ids=5

5. Specify VLAN ID for wireless
/interface wireless
set [ find default-name=wlan1 ] amsdu-limit=2048 antenna-gain=15 band=2ghz-b/g/n country="united states" default-authentication=no default-forwarding=no disabled=no distance=indoors frequency=2462 hide-ssid=yes hw-protection-mode=rts-cts mode=ap-bridge name=wlan-vlan2-2ghz nv2-security=enabled security-profile=wifi_profile_def ssid=Test vlan-id=2 wireless-protocol=802.11 wps-mode=disabled
add default-authentication=no default-forwarding=no hide-ssid=yes keepalive-frames=disabled master-interface=wlan-vlan2-2ghz multicast-buffering=disabled name=wlan-vlan5-2ghz security-profile=wifi_profile_c ssid=Test_c vlan-id=5 wds-cost-range=0-4294967295 wds-default-bridge=bridge-camera wds-default-cost=0 wps-mode=disabled

6. And finally - set mgmt interface IP address
/ip address
add address=10.10.10.100/24 interface=ether1 network=10.10.10.0

With "vlan filtering", the configuration is absolutely dead. Only the mgmt interface stays alive normally.

But it seems things go well with the "vlan filtering" feature disabled. Of course, I'm not sure the configuration is the best, but it works.

So, after wasting a couple of days, I reached some results. The AP started to work with VLAN filtering, but I can't understand how. Really.

The only change that was made to get it working is the PVIDs on the wireless and VLAN interfaces of a bridge. It works only if the PVIDs are set to some other number than the one the interface belongs to.

Changes I made:
/interface bridge
add ingress-filtering=yes name=bridge-camera pvid=3003 vlan-filtering=yes
add auto-mac=no frame-types=admit-all name=bridge-main pvid=3001 vlan-filtering=yes

/interface bridge port
add bridge=bridge-main frame-types=admit-all ingress-filtering=yes interface=wlan-vlan2-2ghz pvid=3000
add bridge=bridge-main frame-types=admit-all ingress-filtering=yes interface=ether1-vlan2 pvid=3000
add bridge=bridge-camera frame-types=admit-all ingress-filtering=yes interface=ether1-vlan5 pvid=3002
add bridge=bridge-camera frame-types=admit-all ingress-filtering=yes interface=wlan-vlan5-2ghz pvid=3002

/interface bridge vlan
add bridge=bridge-main tagged=ether1-vlan2 untagged=wlan-vlan2-2ghz vlan-ids=2
add bridge=bridge-camera tagged=ether1-vlan5 untagged=wlan-vlan5-2ghz vlan-ids=5

So, I am almost sure this configuration is not acceptable and I'm doing something totally wrong, although it works somehow.

Please help me configure the cAP ac correctly and make it possible to understand how MikroTik works in scenarios like the one above.
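
For comparison with the two-bridge setup in the post, the layout commonly used on RouterOS for this goal is a single VLAN-aware bridge with ether1 as the trunk port and each SSID as an untagged access port. This is an added example, not part of the original post: the bridge name bridge-ap is hypothetical, and it assumes a device without the post's two bridges and ether1-vlanN interfaces, with the management address moved from ether1 to the bridge interface (untagged VLAN 1) because ether1 becomes a bridge port.

```routeros
# Added example: single VLAN-aware bridge. "bridge-ap" is a hypothetical name;
# interface names, VLAN IDs and the management address are taken from the post.

# Create the bridge with filtering off so the management session survives the change.
/interface bridge
add name=bridge-ap vlan-filtering=no

# Wireless interfaces hand untagged frames to the bridge; the bridge does the tagging.
/interface wireless
set wlan-vlan2-2ghz vlan-mode=no-tag
set wlan-vlan5-2ghz vlan-mode=no-tag

# ether1 is the trunk: VLANs 2 and 5 arrive tagged, untagged frames fall into PVID 1.
# Each SSID is an access port: untagged frames only, PVID equal to its VLAN.
/interface bridge port
add bridge=bridge-ap interface=ether1 pvid=1 frame-types=admit-all ingress-filtering=yes
add bridge=bridge-ap interface=wlan-vlan2-2ghz pvid=2 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge-ap interface=wlan-vlan5-2ghz pvid=5 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

# VLAN table: each VLAN leaves ether1 tagged and its own SSID untagged.
# The bridge interface (CPU port) is listed in neither VLAN, so wireless
# clients in VLAN 2 or 5 have no L2/L3 path to the AP itself.
/interface bridge vlan
add bridge=bridge-ap tagged=ether1 untagged=wlan-vlan2-2ghz vlan-ids=2
add bridge=bridge-ap tagged=ether1 untagged=wlan-vlan5-2ghz vlan-ids=5

# Management address on the bridge interface: reachable only through
# untagged (PVID 1) frames on ether1.
/ip address
add address=10.10.10.100/24 interface=bridge-ap network=10.10.10.0

# Enable filtering last, once the ports and the VLAN table are in place.
/interface bridge
set bridge-ap vlan-filtering=yes
```

After enabling filtering, `/interface bridge vlan print` shows the current tagged and untagged members per VLAN, which is the quickest check that neither SSID shares a VLAN with the management path.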
