I just bought RB4011+Wifi and have configured VLANs on it the new way.
There is one CAP ac connected to it and generally all is working well. I have 3 VLANs, with all the ethernet ports on VLAN 1 for simplicity.
Basically all is how I wanted - 3 VLANs:
- 30 - IOT - Wifi on 2G - IP 30./24
- 1 - Servers - IP 50./23
- 52 - Clients - Wifi on 5G -IP 52./24
Previously all was working great on hAP ac2 with 3 bridges and no vlans.
I am attaching the export without the firewall section, as in my opinion it has nothing to do with the issue: disabling all the rules did not change a thing.
# 2024-03-06 19:35:02 by RouterOS 7.14
# model = RB4011iGS+5HacQ2HnD
# CAPsMAN channel definitions referenced by the configurations below.
# channel_30: fixed 2.4 GHz channel (2412 MHz), 802.11n only, 20 MHz wide.
/caps-man channel add band=2ghz-onlyn control-channel-width=20mhz frequency=2412 name=channel_30 save-selected=no skip-dfs-channels=yes
# channel_52: fixed 5 GHz channel (5260 MHz), 802.11ac only; extension-channel=Ce
# adds a second 20 MHz channel above the control channel.
# NOTE(review): 5260 MHz is normally a DFS channel under ETSI rules and
# skip-dfs-channels=no here, so the radio may have to leave it on radar
# detection - confirm. tx-power=38 is presumably capped by the country setting - verify.
/caps-man channel add band=5ghz-onlyac control-channel-width=20mhz extension-channel=Ce frequency=5260 name=channel_52 save-selected=no skip-dfs-channels=no tx-power=38
# Single VLAN-aware bridge; with vlan-filtering=yes the /interface bridge vlan
# table decides which VLANs each port may carry.
/interface bridge add name=bridge vlan-filtering=yes
# The ethernet "set" lines carry no properties in this paste, so as shown they
# change nothing (presumably the poster stripped the values). ether5 has no
# line here but is added as a bridge port further down.
/interface ethernet set [ find default-name=ether1 ]
/interface ethernet set [ find default-name=ether2 ]
/interface ethernet set [ find default-name=ether3 ]
/interface ethernet set [ find default-name=ether4 ]
/interface ethernet set [ find default-name=ether6 ]
/interface ethernet set [ find default-name=ether7 ]
/interface ethernet set [ find default-name=ether8 ]
/interface ethernet set [ find default-name=ether9 ]
/interface ethernet set [ find default-name=ether10 ]
# Built-in radios are renamed and left with an empty SSID; they are handed to
# CAPsMAN by the "/interface wireless cap" line later in this export.
/interface wireless set [ find default-name=wlan1 ] band=5ghz-onlyac channel-width=20/40mhz-Ce name=wlan_5 ssid=""
/interface wireless set [ find default-name=wlan2 ] band=2ghz-onlyn country=poland name=wlan_24 ssid=""
# Layer-3 VLAN interfaces on the bridge: these carry the router's IP address
# and DHCP server for VLAN 52 (clients) and VLAN 30 (IoT).
/interface vlan add interface=bridge name=vl_clients vlan-id=52
/interface vlan add interface=bridge name=vl_iot vlan-id=30
# Datapaths: local-forwarding=no means client traffic is forwarded by the
# CAPsMAN (this router), which places it on "bridge" tagged with the given VLAN id.
# NOTE(review): client-to-client-forwarding=yes lets stations on the same AP
# interface talk to each other directly; for the IoT datapath (dp_30) a reviewer
# would usually want to confirm that this is intended rather than isolating devices.
/caps-man datapath add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=dp_52 vlan-id=52 vlan-mode=use-tag
/caps-man datapath add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=dp_30 vlan-id=30 vlan-mode=use-tag
# Security profiles: WPA2-PSK with AES-CCM for unicast and group traffic, group
# key rotated every 5 minutes. disable-pmkid=yes keeps the PMKID out of the
# first EAPOL frame. The two profiles are identical in every visible setting;
# no passphrase appears in this export, so its strength cannot be judged from here.
/caps-man security add authentication-types=wpa2-psk disable-pmkid=yes eap-radius-accounting=no encryption=aes-ccm group-encryption=aes-ccm group-key-update=5m name=security1
/caps-man security add authentication-types=wpa2-psk disable-pmkid=yes eap-radius-accounting=no encryption=aes-ccm group-encryption=aes-ccm group-key-update=5m name=security2
# Configurations tie channel + datapath + security + SSID together:
# cfg_30 = 2.4 GHz / VLAN 30 / security1, cfg_52 = 5 GHz / VLAN 52 / security2.
/caps-man configuration add channel=channel_30 country=poland datapath=dp_30 hw-protection-mode=rts-cts installation=indoor keepalive-frames=enabled mode=ap name=cfg_30 rx-chains=0,1,2,3 security=security1 ssid=SSID1 tx-chains=0,1,2,3
/caps-man configuration add channel=channel_52 country=poland datapath=dp_52 hw-protection-mode=rts-cts hw-retries=3 installation=indoor keepalive-frames=enabled mode=ap name=cfg_52 rx-chains=0,1,2,3 security=security2 ssid=SSID2 tx-chains=0,1,2,3
# Static CAP interfaces, two per configuration. mac-address= and radio-mac= are
# empty in this paste (presumably redacted by the poster); judging by the names,
# cap2g/cap5g look like the CAP ac radios and mt2g/mt5g the RB4011's own - confirm.
/caps-man interface add configuration=cfg_30 disabled=no l2mtu=1600 mac-address= master-interface=none name=cap2g radio-mac= radio-name=""
/caps-man interface add configuration=cfg_52 disabled=no l2mtu=1600 mac-address= master-interface=none name=cap5g radio-mac= radio-name=""
/caps-man interface add configuration=cfg_30 disabled=no l2mtu=1600 mac-address= master-interface=none name=mt2g radio-mac= radio-name=""
/caps-man interface add configuration=cfg_52 disabled=no l2mtu=1600 mac-address= master-interface=none name=mt5g radio-mac= radio-name=""
# Interface lists; membership is assigned further down. These are typically
# referenced by firewall rules, which are not part of this export.
/interface list add name=WAN
/interface list add name=LAN
/interface list add name=neighbords
# Default security profile of the local wireless package.
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
# DHCP address pools, one per subnet (IoT, servers, clients).
/ip pool add name=pool_vl30 ranges=192.168.30.10-192.168.30.90
/ip pool add name=pool_vl50 ranges=192.168.50.1-192.168.50.99
/ip pool add name=pool_vl52 ranges=192.168.52.100-192.168.52.200
# DHCP servers: IoT and clients on their VLAN interfaces, servers on the bridge
# itself (untagged traffic). add-arp=yes creates an ARP entry for every lease.
# NOTE(review): add-arp alone does not stop hosts with self-assigned addresses;
# no reply-only ARP mode is visible on these interfaces - confirm if that matters.
# The IoT lease time is 4w2d, so stale leases stay in the table for a long time.
/ip dhcp-server add add-arp=yes address-pool=pool_vl30 interface=vl_iot lease-time=4w2d name=dhcp_vl30
/ip dhcp-server add add-arp=yes address-pool=pool_vl52 interface=vl_clients lease-time=3d name=dhcp_vl52
/ip dhcp-server add add-arp=yes address-pool=pool_vl50 interface=bridge lease-time=3d name=dhcp_vl50
# CAPsMAN is enabled with auto-generated CA and certificate, and
# require-peer-certificate=yes, so a CAP must present a certificate to join.
/caps-man manager set ca-certificate=auto certificate=auto enabled=yes require-peer-certificate=yes
# Manager interface entries for ether10 and the loopback interface.
# NOTE(review): the default "all" entry is not shown in this export; if it is
# still at its default (forbid=no) the manager also answers on every other
# interface, including WAN - verify, since the firewall is not part of this paste.
/caps-man manager interface add disabled=no interface=ether10
/caps-man manager interface add disabled=no interface=lo
# Provisioning rules: radios matching the hardware mode get a dynamic, enabled
# interface built from the named configuration. No radio-mac restriction is visible.
# NOTE(review): "an" normally denotes 5 GHz 802.11a/n, while cfg_30 uses a
# 2.4 GHz channel ("gn" would be the usual 2.4 GHz match) - confirm that this
# rule selects the intended radios.
/caps-man provisioning add action=create-dynamic-enabled hw-supported-modes=an master-configuration=cfg_30 name-format=prefix name-prefix=CAP2G_
/caps-man provisioning add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=cfg_52 name-format=prefix name-prefix=CAP5G_
# Bridge ports: ether2-ether10 and veth1. ether1 is not bridged (it is the WAN
# member below). No pvid, frame-types or ingress-filtering values are shown, so
# every port is presumably an untagged member of the default VLAN 1 - verify.
/interface bridge port add bridge=bridge interface=ether2
/interface bridge port add bridge=bridge interface=ether3
/interface bridge port add bridge=bridge interface=ether4
/interface bridge port add bridge=bridge interface=ether5
/interface bridge port add bridge=bridge interface=ether6
/interface bridge port add bridge=bridge interface=ether7
/interface bridge port add bridge=bridge interface=ether8
/interface bridge port add bridge=bridge interface=ether9
/interface bridge port add bridge=bridge interface=ether10
# NOTE(review): veth1 (a virtual ethernet interface, typically used for a
# container) shares the untagged server segment with the physical ports;
# confirm that this placement is intended.
/interface bridge port add bridge=bridge interface=veth1
# Shorter timeouts for half-open TCP connections in connection tracking.
/ip firewall connection tracking set tcp-syn-received-timeout=10s tcp-syn-sent-timeout=10s
# VLAN table: only the bridge itself (the CPU port) is a tagged member of
# VLANs 52 and 30; no ethernet port is listed, so as written these VLANs are
# not carried on any wired port.
# NOTE(review): this matches local-forwarding=no on the datapaths; if the CAP
# were switched to local forwarding, its uplink port would presumably need to
# be added as a tagged member - confirm.
/interface bridge vlan add bridge=bridge tagged=bridge vlan-ids=52
/interface bridge vlan add bridge=bridge tagged=bridge vlan-ids=30
# Interface list membership. ether1 is the only WAN member.
/interface list member add interface=ether1 list=WAN
/interface list member add interface=bridge list=neighbords
# NOTE(review): bridge, vl_clients and vl_iot are all members of LAN, so any
# firewall rule that matches on the LAN list treats IoT, servers and clients
# alike. Isolation between the VLANs depends on rules that are not part of this
# export - verify them there.
/interface list member add interface=bridge list=LAN
/interface list member add interface=vl_clients list=LAN
/interface list member add interface=vl_clients list=neighbords
/interface list member add interface=vl_iot list=LAN
# The router's own radios join the CAPsMAN running on the same device over the
# loopback interface, requesting a certificate from it.
/interface wireless cap set caps-man-addresses=127.0.0.1 certificate=request discovery-interfaces=lo enabled=yes interfaces=wlan_24,wlan_5
# Router addresses: servers on the untagged bridge (/23, i.e. 192.168.50.0 -
# 192.168.51.255), IoT on VLAN 30 and clients on VLAN 52 (/24 each).
/ip address add address=192.168.50.250/23 interface=bridge network=192.168.50.0
/ip address add address=192.168.30.250/24 interface=vl_iot network=192.168.30.0
/ip address add address=192.168.52.250/24 interface=vl_clients network=192.168.52.0
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# on every interface. It needs an input-chain rule dropping port 53 (UDP and
# TCP) from the WAN list so the router is not an open resolver; the firewall is
# omitted from this export, so that cannot be confirmed here.
/ip dns set allow-remote-requests=yes cache-size=4096KiB max-concurrent-queries=200