gandlz
just joined
Topic Author
Posts: 18
Joined: Thu Dec 15, 2016 11:37 pm

RSTP not working with Switch-VLANs

Fri Nov 10, 2023 4:32 pm

Hello, I have two hAP ac². One is internet router, switch and AP, the other is switch and AP.
There are two VLANs (private/guest). All VLAN settings are made in the Switch menu, as these devices are capable of hardware VLAN switching.
There is one trunk between the two units and the rest are access ports.

Recently I added a mAP lite to one private access port. It was blank with no config. I only created a bridge and added ether1 to that bridge, resulting in the mAP lite not being reachable anymore. This was the same on all ports on both units.
I noticed that I can disable RSTP (change to none) either on the mAP lite or on the unit it's connected to, to have it reachable again.
What also worked was to change the port it's connected to from "secure/always strip" to "secure/add-if-missing", which does not make sense to me.

Going on with RSTP, I found out that both hAP ac² set themselves as root bridge. As soon as I change the priority on one of the units, the connection gets lost. So I think the main problem is that RSTP is not working correctly.

To my knowledge, in such a simple setup it is just fine to turn RSTP off on all devices. But is the problem that these units can't do this when using hardware-VLAN-switching?

I have quite the same settings at another place:
hEX PoE as internet router, trunks to 2x RB951Ui-2HnD and 1x RB260GS.
The RB260GS sets itself as root bridge and the hEX PoE hangs on this. But the 2x RB951Ui-2HnD also set themselves as root bridge.
Changing the priority on the RB260GS higher or on the hEX PoE lower loses the connection.
Connecting the same mAP lite from above to the RB260GS or hEX PoE does work, but not when connecting to one of the RB951Ui-2HnD.
 
accarda
Member Candidate
Posts: 218
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: RSTP not working with Switch-VLANs

Fri Nov 10, 2023 7:34 pm

In my SOHO network I have similar devices (hAP ac², hAP ac3), I'm running ROS v7.x and I don't have problems having VLANs and RSTP active at the same time.
I have a single CRS switch as root bridge and all other APs/switches are acting as non root bridges.
So such config works properly.
 
gandlz
just joined
Topic Author
Posts: 18
Joined: Thu Dec 15, 2016 11:37 pm

Re: RSTP not working with Switch-VLANs

Mon Nov 13, 2023 1:21 am

OK. So a few more thoughts:
Can the firewall somehow block RSTP with an input rule?
I see RSTP disabled under service ports by default, but I think this is only used when going through NAT.
On the second unit I started with no default config, so the special dummy rules for fasttrack counters are missing there.

I created both private and guest VLANs on the bridge interface. All ports (except the WAN port), WLAN interfaces and dynamic guest WLAN clients are part of this bridge.
I saw tutorials creating the VLANs on ether2, for example. Or creating only one VLAN for guests and no VLAN for private.
I also read about the need for two separate bridges for private and guest. But then I would need to add the trunk ports to both bridges, I think.
And I also read somewhere that two bridges will deactivate hardware offload, so that it's no hardware switching anymore.

Could CAPsMAN create an issue with RSTP?
I also have a problem with the CAPsMAN config at the place with the two hAP ac², but the same config is working at the other place:
When enabling the guest CAP interface on the second unit, a private connection to this unit is not working anymore. My mobile shows the best signal sitting next to it and tries to connect multiple times, then states the wifi as "deactivated". As soon as I disable the guest wifi on that unit, it connects successfully to the private wifi again. No problem with this on the first unit, which is the internet router and CAPsMAN.

Should I post my whole configs?

Any comment is welcome!
Thanks!
 
tdw
Forum Guru
Posts: 2121
Joined: Sat May 05, 2018 11:55 am

Re: RSTP not working with Switch-VLANs

Wed Nov 15, 2023 2:30 am

> Can the firewall somehow block RSTP with an input rule?
No.
> I see RSTP disabled under service ports by default, but I think this is only used when going through NAT.
That is RTSP, not RSTP.
> I created both private and guest VLANs on the bridge interface. All ports (except the WAN port), WLAN interfaces and dynamic guest WLAN clients are part of this bridge.
> I saw tutorials creating the VLANs on ether2, for example. Or creating only one VLAN for guests and no VLAN for private.
> I also read about the need for two separate bridges for private and guest. But then I would need to add the trunk ports to both bridges, I think.
Likely outdated or incorrect third-party examples.
> And I also read somewhere that two bridges will deactivate hardware offload, so that it's no hardware switching anymore.
On most MikroTiks that is correct.
> Could CAPsMAN create an issue with RSTP?
Unlikely.
> Should I post my whole configs?
Yes, with any sensitive/personal information redacted, and in code blocks (the [] icon in the toolbar when posting).
 
gandlz
just joined
Topic Author
Posts: 18
Joined: Thu Dec 15, 2016 11:37 pm

Re: RSTP not working with Switch-VLANs

Wed Nov 15, 2023 3:29 am

Hey, thanks for your comments!

I just updated to v7.12 and both units stay as root bridge, but the connection does not break anymore when changing priorities on either unit. So a small step forward.

I also reset both units to factory default and started from there. Same issue. So here are the two configs... Firewall stuff is default on both units but disabled on the second one. Basically I just created the VLANs, did the switch setup and adjusted basic IP stuff.

Unit 1:
# 1970-01-02 01:34:12 by RouterOS 7.12
# software id = 
#
# model = RBD52G-5HacD2HnD
# serial number = 
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:01 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
set [ find default-name=wlan2 ] distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
/interface vlan
add interface=bridge name=vlan11 vlan-id=11
add interface=bridge name=vlan12 vlan-id=12
/interface ethernet switch port
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=11 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=11 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=11 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.11.201-192.168.11.250
/ip dhcp-server
add address-pool=default-dhcp interface=vlan11 lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=wlan1
add bridge=bridge comment=defconf disabled=yes interface=wlan2

/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface ethernet switch vlan
add independent-learning=yes ports=ether2,ether3,ether4,ether5,switch1-cpu \
    switch=switch1 vlan-id=11
add independent-learning=yes ports=ether2,switch1-cpu switch=switch1 vlan-id=\
    12
/interface list member
add comment=defconf disabled=yes interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan11 list=LAN
/ip address
add address=192.168.11.1/24 comment=defconf interface=vlan11 network=\
    192.168.11.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.11.0/24 comment=defconf dns-server=192.168.11.1 gateway=\
    192.168.11.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf disabled=yes name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN


/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN





/system identity
set name=Unit1
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Unit 2:
# 1970-01-02 01:07:37 by RouterOS 7.12
# software id = 
#
# model = RBD52G-5HacD2HnD
# serial number = 
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:02 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
set [ find default-name=wlan2 ] distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
/interface vlan
add interface=bridge name=vlan11 vlan-id=11
add interface=bridge name=vlan12 vlan-id=12
/interface ethernet switch port
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 default-vlan-id=11 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=11 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=12 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=12 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot




/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=wlan1
add bridge=bridge comment=defconf disabled=yes interface=wlan2
add bridge=bridge comment="no WAN" interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2,ether3,switch1-cpu switch=\
    switch1 vlan-id=11
add independent-learning=yes ports=ether1,ether4,ether5,switch1-cpu switch=\
    switch1 vlan-id=12
/interface list member
add comment=defconf disabled=yes interface=bridge list=LAN
add interface=vlan11 list=LAN

/ip address
add address=192.168.11.2/24 comment=defconf interface=vlan11 network=\
    192.168.11.0





/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf disabled=yes name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMPv6" disabled=yes \
    protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    disabled=yes port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." disabled=yes dst-port=\
    546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" disabled=yes \
    dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" disabled=yes \
    protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" disabled=\
    yes protocol=ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" disabled=yes \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" disabled=yes src-address-list=\
    bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" disabled=yes dst-address-list=\
    bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    disabled=yes hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" disabled=yes \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" disabled=yes \
    protocol=139
add action=accept chain=forward comment="defconf: accept IKE" disabled=yes \
    dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" disabled=\
    yes protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" disabled=\
    yes protocol=ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" disabled=yes \
    in-interface-list=!LAN
/system identity
set name=Unit2
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The blank lines are just there to make it easier to view both configs side by side.
Kind regards!
 
tdw
Forum Guru
Posts: 2121
Joined: Sat May 05, 2018 11:55 am

Re: RSTP not working with Switch-VLANs

Wed Nov 15, 2023 9:39 pm

Nothing obvious, other than that the Qualcomm/Atheros gigabit switch chips ignore the vlan-header property and use the default-vlan-id property to determine which ports are access ports. According to the documentation, vlan-header should always be set to leave-as-is for these chips.

The other possibility is that your configuration is blocking the untagged BPDUs from the switch chip to the CPU. You could try setting the switch1-cpu port VLAN mode to fallback, or adding
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu switch=switch1 vlan-id=1

(or possibly vlan-id=0)
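As an added example (not code from the thread or from MikroTik), a small Python lint that joins a RouterOS export's continuation lines, parses the switch port and switch VLAN sections, and flags the pitfalls raised in this reply: a vlan-header other than leave-as-is on the Atheros chip, an access port whose default-vlan-id has no matching switch VLAN membership, and a VLAN that does not include switch1-cpu. The port index to interface mapping (0..4 = ether1..ether5, 5 = switch1-cpu) is an assumption read off the two exports posted above, and the sample export is constructed.

```python
"""Lint a RouterOS export for the hAP ac2 switch-VLAN pitfalls in this thread.
Port index -> interface mapping (0..4 = ether1..ether5, 5 = switch1-cpu) is
an assumption read off the two exports posted above."""
import re

# Constructed sample modelled on "Unit 1": trunk ether2 with add-if-missing,
# access ports with always-strip (settings tdw says the Atheros chip ignores),
# plus ether5 set to VLAN 12 but left out of the VLAN 12 port list.
SAMPLE_EXPORT = """\
/interface ethernet switch port
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=11 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=11 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=12 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=yes ports=ether2,ether3,ether4,switch1-cpu \\
    switch=switch1 vlan-id=11
add independent-learning=yes ports=ether2,switch1-cpu switch=switch1 vlan-id=\\
    12
"""
PORT_NAMES = {0: "ether1", 1: "ether2", 2: "ether3", 3: "ether4",
              4: "ether5", 5: "switch1-cpu"}            # assumption, see above
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')             # key=value / key="a b"

def logical_lines(text):
    """Join backslash-continued lines; drop blanks and # comments."""
    lines, buf = [], ""
    for raw in text.splitlines():
        piece = raw.strip()
        cont = piece.endswith("\\")
        buf += piece[:-1] if cont else piece
        if not cont:
            lines.append(buf)
            buf = ""
    return [ln for ln in lines if ln and not ln.startswith("#")]

def parse_export(text):
    """Return {section: [(verb, target, {key: value}), ...]}.
    "[ find ... ]" targets are not needed here and are not handled."""
    sections, section = {}, None
    for line in logical_lines(text):
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
        elif section is not None:
            verb, _, rest = line.partition(" ")
            target = None
            if verb == "set":                    # "set 1 key=value ..."
                target, _, rest = rest.partition(" ")
            kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
            sections[section].append((verb, target, kv))
    return sections

def lint_switch_vlans(text):
    """Return findings for the pitfalls raised in tdw's reply."""
    cfg = parse_export(text)
    findings, members = [], {}                   # members: vlan-id -> ports
    for _, _, kv in cfg.get("/interface ethernet switch vlan", []):
        members.setdefault(kv.get("vlan-id", "?"), set()).update(
            kv.get("ports", "").split(","))
    for _, idx, kv in cfg.get("/interface ethernet switch port", []):
        if not (idx or "").isdigit():
            continue
        name = PORT_NAMES.get(int(idx), f"port{idx}")
        hdr = kv.get("vlan-header", "leave-as-is")   # export omits defaults
        if hdr != "leave-as-is":
            findings.append(f"{name}: vlan-header={hdr} is ignored by the "
                            "Atheros switch chip; the docs want leave-as-is")
        dvid = kv.get("default-vlan-id")         # only access ports set this
        if dvid and name not in members.get(dvid, set()):
            findings.append(f"{name}: access port for VLAN {dvid} but not in "
                            "that VLAN's switch port list")
    for vid, names in sorted(members.items()):
        if "switch1-cpu" not in names:           # bridge/CPU would not see it
            findings.append(f"VLAN {vid}: switch1-cpu is not a member")
    return findings
```

Run `lint_switch_vlans(SAMPLE_EXPORT)` to list the findings; replacing the vlan-header values with leave-as-is leaves only the ether5 membership finding.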
 
gandlz
just joined
Topic Author
Posts: 18
Joined: Thu Dec 15, 2016 11:37 pm

Re: RSTP not working with Switch-VLANs

Fri Nov 17, 2023 1:25 am

Oh my god! I didn't see this note about these chipsets. Changing everything to "leave-as-is" solved the RSTP issue.

I tried your other suggestion first (fallback with any combination of default VLAN ID), but that did not work.
What did work was to just add VLAN 1 to the switch VLAN table on the trunk port.
However, I decided to go the way described in the documentation.

But: when adding my mAP lite to an access port, it will still not be reachable by default.
Default means every bridge has the default priority 8000. As the mAP lite has the lowest MAC address, it must be trying to become root bridge, but the other devices ignore that and block it. I have to make sure that the mAP lite has a lower priority to make it reachable. My solution is to just turn RSTP off on the mAP lite. If I set a lower priority, it successfully "hangs on" the existing root bridge.

So my guess is that BPDUs are only successfully transmitted in one direction in this scenario. Not sure if the mAP lite sends its BPDUs either tagged with vlan-id=1 or untagged. In case of untagged, the switch tags ingress on that port to vlan-id=10 according to the default VLAN ID setting on that access port. In case of vlan-id=1, the switch may just drop these packets. It also didn't work when adding VLAN 1 to the switch VLAN table on the trunk and on the access port the mAP lite is connected to. So I think the BPDUs are untagged and become VLAN 10 tagged, but the other bridges communicate on VLAN 1.

As I now know how to correctly set up the switch on these devices and how to avoid or work around the issue when adding bridges on access ports, I don't need a solution to have RSTP working correctly in this scenario. I just wanted to share my test results and thoughts in case someone would like to investigate this further.

Thanks for helping out so far!

I'm still left with the CAPsMAN issue mentioned in my second post. I will also try this starting from factory defaults when I find the time.
Any input on this? Or should I start a new thread with the correct topic?
> I also have a problem with the CAPsMAN config at the place with the two hAP ac², but the same config is working at the other place:
> When enabling the guest CAP interface on the second unit, a private connection to this unit is not working anymore. My mobile shows the best signal sitting next to it and tries to connect multiple times, then states the wifi as "deactivated". As soon as I disable the guest wifi on that unit, it connects successfully to the private wifi again. No problem with this on the first unit, which is the internet router and CAPsMAN.
 
tdw
Forum Guru
Posts: 2121
Joined: Sat May 05, 2018 11:55 am

Re: RSTP not working with Switch-VLANs

Fri Nov 17, 2023 2:03 am

I'd suggest a new thread with an appropriate title to attract people with CAPsMAN experience. There is also https://help.mikrotik.com/docs/display/ ... with+VLANs if you haven't found it already.
 
gandlz
just joined
Topic Author
Posts: 18
Joined: Thu Dec 15, 2016 11:37 pm

Re: RSTP not working with Switch-VLANs

Fri Nov 17, 2023 2:06 am

Ah, thanks! Another document I didn't read until now!
I will go through it and, if needed, create a new thread.

Thank you so much!