johnsilver
newbie
Topic Author
Posts: 37
Joined: Tue Aug 23, 2011 12:53 pm

How to enable Bridge VLAN Filtering on a wireless access-list rule?

Mon Apr 05, 2021 8:19 pm

Hello,

I'm trying to understand how the VLAN tag override mechanism (described here - https://wiki.mikrotik.com/wiki/Manual:I ... g_override) works on a default wireless interface with VLAN id 1 and wireless access lists. The idea here is to have one single SSID, but manage access seamlessly using access-lists at the wireless interface level.

I'm experimenting with the default wireless interface (wlan1), which was added into the bridge (bridge-local) together with the other LAN interfaces (ether1, ether2, etc.), so I did not create any additional virtual wireless interfaces here. I created a wireless access list item on the wlan1 interface, changed the access-list's VLAN id to 10, and then wired it to a newly created VLAN interface (vlan10) and added basic IP configuration for DHCP, routing, firewall, etc.; everything works fine.

The question is how Bridge VLAN filtering works in such a configuration, and how can I enable it if needed?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to enable Bridge VLAN Filtering on a wireless access-list rule?

Mon Apr 05, 2021 9:27 pm

Please don't use VLAN ID 1 for anything other than the default pvid setting on the bridge.
The best source for vlan documentation is viewtopic.php?f=23&t=143620
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: How to enable Bridge VLAN Filtering on a wireless access-list rule?

Mon Apr 05, 2021 9:41 pm

The question is how Bridge VLAN filtering works in such configuration, how can I enable it if needed?
Same as in any other situation.
In the scenario you describe, you should treat your wlan interface as just another trunk port: tagged for all the needed vlans.
 
johnsilver
newbie
Topic Author
Posts: 37
Joined: Tue Aug 23, 2011 12:53 pm

Re: How to enable Bridge VLAN Filtering on a wireless access-list rule?

Mon Apr 05, 2021 11:22 pm

@anav, all those cases have a dedicated wlan-per-vlan interface created.

@xvo, most probably I'm doing something wrong with the VLAN bridge configuration here; as soon as I enable the VLAN filtering option on the bridge interface, my test wireless client is no longer able to acquire a DHCP lease.

Here is my script:
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless set [ find default-name=wlan1 ] ssid=WIFI frequency=auto mode=ap-bridge disabled=no
/interface bridge
add name=bridge-local protocol-mode=none vlan-filtering=no
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface bridge port
add bridge=bridge-local interface=wlan1
/interface wireless access-list
add allow-signal-out-of-range=20s interface=wlan1 mac-address=xx:xx:xx:xx:xx:xx vlan-id=10 vlan-mode=use-tag
/interface vlan
add interface=bridge-local name=vlan10 vlan-id=10
/ip pool
add name=vlan10-pool ranges=192.168.10.10-192.168.10.100
/ip dhcp-server
add address-pool=vlan10-pool disabled=no interface=vlan10
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 netmask=24
/ip dns set allow-remote-requests=yes servers="1.1.1.1"
/ip address
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
/interface bridge vlan
add bridge=bridge-local untagged=wlan1 vlan-ids=10
set bridge=bridge-local tagged=bridge-local [find vlan-ids=10]
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether5-gateway src-address=192.168.10.0/24
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=vlan10
add chain=input action=drop
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept connection-state=new in-interface=vlan10 out-interface=ether5-gateway
add chain=forward action=drop
/interface bridge port
set bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
All works up until the next step:
/interface bridge set bridge-local vlan-filtering=yes
The wireless client now cannot acquire a DHCP lease; however, it works if I disable this last rule.

This part of the documentation is a little bit confusing:
Vlan tag override

Per-interface VLAN tag can be overridden on per-client basis by means of access-list and RADIUS attributes (for both - regular wireless and wireless controller).

This way traffic can be separated between wireless clients even on the same interface, but must be used with care - only "interface VLAN" broadcast/multicast traffic will be sent out. If working broadcast/multicast is necessary for other (overridden) VLANs as well, multicast-helper can be used for now (this changes every multicast packet to unicast and then it is only sent to clients with matching VLAN ids).
Last edited by johnsilver on Mon Apr 05, 2021 11:41 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: How to enable Bridge VLAN Filtering on a wireless access-list rule?

Mon Apr 05, 2021 11:39 pm

/interface bridge vlan
add bridge=bridge-local untagged=wlan1 vlan-ids=10

doesn't go together with

/interface wireless access-list
add allow-signal-out-of-range=20s interface=wlan1 mac-address=xx:xx:xx:xx:xx:xx vlan-id=10 vlan-mode=use-tag

And setting vlan-filtering actually enables the former setting, which causes the bridge to untag VLAN 10 frames when travelling in the direction bridge->wifi ... which breaks wireless, which is configured to be tagged for said VID.

In short: the wlan1 interface should be configured as a trunk port (tagged for all VLANs) for the bridge; the default VID (for unknown clients) should be set in the default config of the wlan1 interface.
 
johnsilver
newbie
Topic Author
Posts: 37
Joined: Tue Aug 23, 2011 12:53 pm

Re: How to enable Bridge VLAN Filtering on a wireless access-list rule?

Tue Apr 06, 2021 12:00 am

@mkx nice catch; by default wlan1 has "no tag" VLAN mode and VID "1". If I set something here, then the respective VID must also be set on the client side, am I correct? I'm approaching the conclusion that there is no way to set one SSID to manage default VID 1 and VID 10 (with VLAN filtering enabled).
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: How to enable Bridge VLAN Filtering on a wireless access-list rule?

Tue Apr 06, 2021 12:10 am

/interface bridge vlan
add bridge=bridge-local untagged=wlan1 vlan-ids=10
set bridge=bridge-local tagged=bridge-local [find vlan-ids=10]

/interface bridge port
set bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
These two parts are wrong.
As @mkx already stated, it should be:
/interface bridge vlan add bridge=bridge-local tagged=bridge-local,wlan1 vlan-ids=10

/interface bridge port set bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=wlan1]
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to enable Bridge VLAN Filtering on a wireless access-list rule?

Tue Apr 06, 2021 12:14 am

(1) What you should conclude is that you either didn't read the reference URL or didn't understand it.........

(2) Also, very few people use the firewall on the bridge; it's very tricky and causes issues. Why do you need to use this setting vice the normal firewall rules??
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

(3) VlanID1 is not to be used for specific vlans or traffic, it should remain the default pvid for the bridge in the majority of cases.
If you need follow-on smart devices attached to the router, such as access points or switches, just ensure that they get a LAN IP in the management subnet.
The management subnet is the same thing as the home subnet if you only have one subnet.

Assuming you don't have any wired ports (attached PCs, or smart devices etc.....)?????
/interface bridge port
set bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10 [find interface=wlan1]
/interface bridge vlan
add bridge=bridge-local untagged=wlan1 vlan-ids=10

(4) The last thing to do is change vlan filtering from no to yes.
Often the router will burp and kick you out, but just re-enter and check if it's now enabled.
/interface bridge
add name=bridge-local protocol-mode=none vlan-filtering=no

(5) If your WANIP is dynamic .............
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether5-gateway src-address=192.168.10.0/24

THEN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether5-gateway
OR if static/fixed
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether5-gateway to-addresses=fixed_WANIP
 
johnsilver
newbie
Topic Author
Posts: 37
Joined: Tue Aug 23, 2011 12:53 pm

Re: How to enable Bridge VLAN Filtering on a wireless access-list rule?

Tue Apr 06, 2021 10:34 am

Thank you all for your support. I was able to configure what I wanted, and here is the recipe in case someone has the same idea: no wireless client is allowed to connect to the wifi without the appropriate access-list entry on one single SSID, and all listed clients must have either vlan-id=1 or vlan-id=10. To sum up:
- no access-list entry - no wireless connection
- access-list entry with no tag - no wireless connection
- access-list entry with VID 1 and vlan mode - connects to default vlan1
- access-list entry with VID 10 and vlan mode - connects to vlan10
/interface wireless set vlan-mode=no-tag vlan-id=1 [ find default-name=wlan1 ]
/interface wireless access-list add interface=wlan1 mac-address=xx:xx:xx:xx:xx:xx vlan-mode=use-tag vlan-id=1 authentication=yes forwarding=yes comment="device A"
/interface wireless access-list add interface=wlan1 mac-address=yy:yy:yy:yy:yy:yy vlan-mode=use-tag vlan-id=10 authentication=yes forwarding=yes comment="device B"

/interface bridge port set bridge=bridge-local frame-types=admit-only-vlan-tagged ingress-filtering=yes [ find interface=wlan1 ]

/interface bridge vlan
add bridge=bridge-local tagged=wlan1,bridge-local vlan-ids=10
add bridge=bridge-local tagged=wlan1 untagged=bridge-local vlan-ids=1

/interface bridge set bridge-local protocol-mode=none vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-all ingress-filtering=yes
Reference: https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table
 
Kentzo
Long time Member
Posts: 512
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: How to enable Bridge VLAN Filtering on a wireless access-list rule?

Mon Jan 10, 2022 12:07 am

/interface bridge vlan add bridge=bridge-local tagged=bridge-local,wlan1 vlan-ids=10

/interface bridge port set bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=wlan1]
What pvid would you recommend to set on the bridge port for the wlan interface? Would you suggest choosing the value among VLAN of the interface and its clients or leave at 1 (default)?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to enable Bridge VLAN Filtering on a wireless access-list rule?

Mon Jan 10, 2022 5:14 pm

First of all one should understand what one is actually configuring .....
/interface bridge vlan add bridge=bridge-local tagged=bridge-local,wlan1 vlan-ids=10
/interface bridge port set bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=wlan1]

(1) A wireless LAN (WLAN) is 99.9% an access port and not a trunk port, and thus would be untagged.
Unless your intent was for all receiving devices on that WLAN to be able to read vlan tags???

(2) Same issue, !!! whereas in fact the opposite is normally true, frame-types=priority-and-untagged

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Just avoid anything Johnsilver has posted above and try to learn the config line by line.
Start here with this article; it's really good.
viewtopic.php?t=143620
 
Kentzo
Long time Member
Posts: 512
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: How to enable Bridge VLAN Filtering on a wireless access-list rule?

Mon Jan 10, 2022 10:20 pm

My understanding of the configuration that johnsilver wanted [1] is the following:
The wlan interface is itself configured as tagged (/interface wireless set vlan-id=... vlan-mode=... ...). Thus configured, it will tag/untag before roaming. But that also means that the packets that enter the wlan interface from the bridge must be tagged. In other words: bridge <-- tagged --> wlan ((( untagged ))) clients.

You suggest [2] to disregard (disable) vlan configuration on the wlan interface and configure only the bridge: bridge <-- untagged --> wlan ((( untagged ))) clients.

[2] lacks flexibility of [1] to have multiple VLANs over a single SSID (e.g. via access lists of wireless interfaces). I have no idea whether it is the only difference, whether one should prefer [2] over [1] unless necessary or whether the behavior differs chip-to-chip.

Yet my question remains: if I'm going the [1] route and expect multiple VLANs on a single wireless interface, what pvid should I assign to it via /interface bridge port? Should I leave it unchanged since its value is going to be irrelevant with the `admit-only-vlan-tagged` filtering?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to enable Bridge VLAN Filtering on a wireless access-list rule?

Tue Jan 11, 2022 1:35 am

Far too sophisticated for me!
A smart AP can handle one vlan per WLAN (or vWLAN) as far as I knew. If you have a way of running multiple vlans on a single radio, then have at.
My limited experience is that for each bridge (wifi) port, the pvid is set to the vlan number.
This makes sense to me, as traffic coming from a multitude of wireless users comes from devices that know nothing about vlans, and thus their traffic is tagged incoming to the WLAN port (ingress) and upon egress back to the users the tag is stripped. This is the purpose of the pvid setting.
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: How to enable Bridge VLAN Filtering on a wireless access-list rule?

Tue Jan 11, 2022 2:26 am

What pvid would you recommend to set on the bridge port for the wlan interface? Would you suggest choosing the value among VLAN of the interface and its clients or leave at 1 (default)?
From what I understand so far ...

I would leave it on PVID=1. (The bridge would untag everything that is for the PVID. If you would use one of those among the used VLAN of the interface, that one would get untagged.)

As @XVO said: "In scenario you describe you should treat your wlan-interface as just another trunk port: tagged for all the needed vlans." Keep it a trunk interface, only tagged traffic. Don't make it hybrid, it would complicate things. Hard enough to understand right now already.

In my simplification, I see the WLAN interface as a VLAN-aware and capable device (like you usually have with a switch or server serving multiple VLANs).
The bridge VLAN filtering must be set to forward ALL VLAN IDs used in the Access List (and even the WLAN wireless default VLAN id, if used as tagged).
The Access List does allow to specify the VLAN mode as tagged, and set a specific VLAN id per rule. This rule selection can be MAC address specific, or be more general.
That same Access List allows also for a Private PSK. (PPSK)

@Kentzo's search for VLAN assignment based only on the PPSK (without specifying a MAC address in the rule) is not solvable here yet, because not all rules are tried. So no DPSK or ePSK yet, which would allow selecting a different VLAN based on the PPSK used, even for one and the same device.
 
Kentzo
Long time Member
Posts: 512
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: How to enable Bridge VLAN Filtering on a wireless access-list rule?

Tue Jan 11, 2022 2:50 am

After reading https://help.mikrotik.com/docs/display/ ... VLAN+Table my understanding is that pvid is ignored on trunk ports.

I wonder what config is required to mark a port as exclusively trunk (i.e. drop untagged regardless on the ingress side, and preferably only allow very specific tagged VLANs).
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: How to enable Bridge VLAN Filtering on a wireless access-list rule?

Tue Jan 11, 2022 9:26 am

I wonder what config is required to mark a port as exclusively trunk (i.e. drop untagged regardless on ingress side, preferably only allow very specific tagged)

A true trunk port would be something like this (in the example I'm using VLAN IDs 10, 20 and 30 and port etherX):
/interface bridge port
add bridge=bridge interface=etherX frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=bridge tagged=etherX vlan-ids=10,20,30

Keep in mind that in ROS the bridge VLAN setup is mostly separated for ingress and egress. The bridge port section mostly deals with ingress and bridge vlan mostly deals with egress. The key here are the frame-types=admit-only-vlan-tagged ingress-filtering=yes properties. The former property instructs the bridge to drop all untagged frames and ensures the port is truly a trunk on ingress. The latter property connects the configuration of the ingress and egress parts, instructing the bridge to drop tagged frames which would not be allowed to egress through this port (it works both for tagged and untagged frames) and is more of a port security setting.
For egress it's enough that the port is not enumerated as an untagged port member for any of the VLANs ... that then makes the port a true trunk port on egress.

So the net result is this: even if the port is (implicitly) set with pvid=1, it'll drop all untagged frames on ingress due to the explicit setting. It'll also drop frames tagged with VIDs not listed as allowed on egress (either 10, 20 or 30). At the same time, the port will not transmit any untagged frames (as it's not listed as an untagged member of any VLAN under /interface bridge vlan) and will only allow transmitting frames tagged with certain VLAN IDs.
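As an added illustration (not MikroTik's code and not posted by anyone in this thread), here is a small Python model of the ingress/egress decisions mkx describes above, applied to johnsilver's first bridge vlan config and to the trunk-port fix from mkx and xvo. It assumes simplified RouterOS behaviour: an untagged frame takes the port's pvid, the pvid makes the port a dynamic untagged member of that VLAN, and an explicit tagged entry wins over that dynamic one; port and VLAN names are taken from the thread.

```python
# Added example (not MikroTik code): a simplified model of RouterOS bridge VLAN
# filtering, with the pvid/tagged assumptions stated in the lead-in above.
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    pvid: int = 1                    # RouterOS default pvid
    frame_types: str = "admit-all"   # or admit-only-vlan-tagged / admit-only-untagged-and-priority-tagged
    ingress_filtering: bool = False

@dataclass
class Bridge:
    ports: dict                                    # name -> Port
    tagged: dict = field(default_factory=dict)     # vid -> {port names}
    untagged: dict = field(default_factory=dict)   # vid -> {port names}

    def members(self, vid):
        # Ports allowed to carry vid: static entries plus pvid-derived ones.
        return (self.tagged.get(vid, set()) | self.untagged.get(vid, set())
                | {p.name for p in self.ports.values() if p.pvid == vid})

    def ingress(self, port_name, vid):
        """vid=None is an untagged frame. Returns the assigned VID, or None if dropped."""
        p = self.ports[port_name]
        if vid is None:
            if p.frame_types == "admit-only-vlan-tagged":
                return None          # untagged frame on a true trunk port
            vid = p.pvid
        elif p.frame_types == "admit-only-untagged-and-priority-tagged":
            return None              # tagged frame on an access port
        if p.ingress_filtering and port_name not in self.members(vid):
            return None              # VID not allowed on this port
        return vid

    def egress(self, port_name, vid):
        """Returns 'tagged', 'untagged', or None if the port may not send vid."""
        if port_name in self.tagged.get(vid, set()):
            return "tagged"
        if port_name in self.untagged.get(vid, set()) or self.ports[port_name].pvid == vid:
            return "untagged"
        return None

def broken_config():
    """johnsilver's first attempt: wlan1 is an untagged member of VLAN 10."""
    ports = {"wlan1": Port("wlan1", 1, "admit-only-untagged-and-priority-tagged", True),
             "bridge-local": Port("bridge-local")}
    return Bridge(ports, tagged={10: {"bridge-local"}}, untagged={10: {"wlan1"}})

def trunk_config():
    """The fix from mkx and xvo: wlan1 is a tagged (trunk) member of VLANs 1 and 10."""
    ports = {"wlan1": Port("wlan1", 1, "admit-only-vlan-tagged", True),
             "bridge-local": Port("bridge-local")}
    return Bridge(ports, tagged={10: {"wlan1", "bridge-local"}, 1: {"wlan1"}},
                  untagged={1: {"bridge-local"}})
```

With the broken config a DHCP reply for VLAN 10 leaves the bridge towards wlan1 untagged (which the tagged access-list client never sees) and the client's tagged frames are dropped on ingress; with the trunk config VLAN 10 stays tagged in both directions while untagged and unknown-VID frames from wlan1 are dropped.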
