mtbdrew
just joined
Topic Author
Posts: 24
Joined: Fri Aug 18, 2023 6:42 pm

I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Wed Apr 24, 2024 12:25 am

Hello,

I have an RB5009UG as my main Router/Firewall/NAT etc. From this I have a Hap AX2 and a Hap AX3. Both of these are used mainly as APs for 2.4GHz and 5GHz wifi, each having their own SSIDs for the separate bands (i.e. 4 SSIDs total between the two boxes). Each is also being used as a switch to provide internet access for LAN devices too. Both 2.4GHz wifi networks are used solely to provide access to a weather station, Feit security cams, a doorbell, and power switches that rely on manufacturer apps for access/control. I would really like to be able to separate these devices onto their own VLAN that has no access to the rest of my LAN/5GHz wifi network, just the required internet access path.

Questions:
1) Can this even be done with my equipment?

2) If so, what's the best way to approach it? The RB5009 is obviously the more powerful unit; should it be used to handle the VLAN setup by putting the Haps into CAPsMAN mode, and would this allow the RB5009 to be the only DHCP server? Right now each Hap is operating with its own DHCP address list.


Thanks
Andrew
 
anav
Forum Guru
Posts: 19747
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Wed Apr 24, 2024 3:00 am

Yes, use all vlans
vlan10 home
vlan20 IOT devices 2ghz
vlan25 IOT devices 5ghz
vlan30 guest wifi
let your imagination run wild...

Vlan guide --> viewtopic.php?t=143620

To set up vlan bridge filtering with minimal fuss,
take one port off the bridge and give it its own IP address like 192.168.55.1/24
and then plug your laptop/desktop into this port for configuring the router (simply change your ipv4 settings on the PC to something like 192.168.55.5).
 
mtbdrew
just joined
Topic Author
Posts: 24
Joined: Fri Aug 18, 2023 6:42 pm

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Thu Apr 25, 2024 1:40 am

I'm really hoping to keep the setup as simple as possible.

1) Can I have just one VLAN only for the wifi 2.4GHz devices?

2) Should I be using the CAPsMAN controller on the RB5009? Do I have to put the Hap AX3 and Hap AX2 into CAPsMAN mode? If so, what happens to the physical connections on these Haps, do they still work but get IP address assignments from the DHCP server on the RB5009?
 
anav
Forum Guru
Posts: 19747
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Thu Apr 25, 2024 2:41 am

If just starting out, I personally would stay away from CAPsMAN; it adds a layer of additional complexity that should only be tackled when more comfortable with RoS.
Yes, you can use only one vlan for 2.4, but then all users on that vlan will have access to each other.
The idea is to create virtual wlans if required and separate them via vlans.
 
mtbdrew
just joined
Topic Author
Posts: 24
Joined: Fri Aug 18, 2023 6:42 pm

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Fri Apr 26, 2024 8:59 pm

If just starting out, I personally would stay away from CAPsMAN; it adds a layer of additional complexity that should only be tackled when more comfortable with RoS.
Yes, you can use only one VLAN for 2.4, but then all users on that VLAN will have access to each other.
The idea is to create virtual wlans if required and separate them via vlans.
Interaction between devices on the 2.4GHz WIFI is not an issue as they are pretty much all Feit or similar type devices, similar to IOT (but not actually using the IOT protocols); nothing else will be using this WLAN. I just need them isolated from the rest of my LAN/WLAN networks.

So if I don't use CAPsMAN, I then need to set up separate VLANs, one for the Hap AX3 and one for the Hap AX2? These will each need trunk VLANs back to the RB5009, which will also need a VLAN to route these to the internet interface? Each VLAN will need IP ranges assigned separately?

Or is there a way (besides CAPsMAN) for the RB5009 to control all the VLANs and issue IP addresses?

Regards
Andrew
 
anav
Forum Guru
Posts: 19747
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Fri Apr 26, 2024 9:10 pm

All the control setup is done on the main router.
The second device, acting solely as a switch/AP, has a minimal setup.
 
mtbdrew
just joined
Topic Author
Posts: 24
Joined: Fri Aug 18, 2023 6:42 pm

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Fri May 10, 2024 4:01 am

All the control setup is done on the main router.
The second device, acting solely as a switch/AP, has a minimal setup.
Currently both Haps are set up with the default configuration, operating as their own router/bridge and AP. So would I have to reset the systems to bring them up as switches/APs?
 
anav
Forum Guru
Posts: 19747
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Fri May 10, 2024 4:06 am

Just one of them. One would be the main router, the other would solely be an AP switch.
 
mtbdrew
just joined
Topic Author
Posts: 24
Joined: Fri Aug 18, 2023 6:42 pm

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Fri May 10, 2024 4:44 am

Just one of them. One would be the main router, the other would solely be an AP switch.
The RB5009 is the router, with each Hap being used as an AP providing coverage in different parts of the property. So in order to get the wifi vlan traffic to travel out the ether1 port, the Hap has to be configured in switch/AP mode? There is no way for this to work if the Hap is in router mode?
 
anav
Forum Guru
Posts: 19747
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Sat May 11, 2024 6:10 pm

Why do you need the hap to act as a router? All you need is for it to provide wifi locally and perhaps some of its ports as local ethernet connections to another switch in the area or to other devices.
The way to do this is to send to the haps all the vlans required that it will handle (vlanX for wlan1, vlanY for wlan2, possibly more wlans, and required vlans for port-attached devices).
One vlan is used as either a trusted vlan or management vlan to give the hapac its own IP address and for you as admin to reach it for configuration purposes.
I would also take one port on each hapac off the bridge so you can access it locally just in case.
 
mtbdrew
just joined
Topic Author
Posts: 24
Joined: Fri Aug 18, 2023 6:42 pm

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Mon May 13, 2024 1:57 am

I don't need them in router mode; they came that way and that is how they were originally installed into the network. For simplicity I was wanting to know if it was possible, but it doesn't matter now as I have reset the HAP AX3 with no default configuration and now have it running as a plain switch/AP. The only issue I'm having now is that when trying to check if there is a software update for the HAP AX3 via winbox, I get an error message stating "ERROR: could not resolve dns name". -- Never mind, found a video that showed how to fix this issue https://www.youtube.com/watch?v=y2XvhtojInk
 
anav
Forum Guru
Posts: 19747
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Mon May 13, 2024 1:54 pm

To recap, you have one main router, the RB5009, doing the firewall rules, DHCP and setting up the required vlans.
vlan for home traffic
vlan for wifi iot traffic
vlan for other
vlan for other etc.....

The two other devices, both hapac? Set up as AP switches.
Post the config of these two if you want them reviewed.

Note: There is no such concept as one hap needs a different vlan from another hap etc.
It depends on what your users need in the location being served. So you send the required vlans, including the one the hap gets its IP address from, to the hap.
The only VLAN that needs to be identified on the hap is the one it gets its IP address from.
 
mtbdrew
just joined
Topic Author
Posts: 24
Joined: Fri Aug 18, 2023 6:42 pm

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Tue May 14, 2024 10:36 pm

Okay, so far I have set up the RB5009 with three VLANs:

VL10 Management 192.168.90.0/24
VL100 Wifi 2GHz for AX2 10.0.0.0/24 ether8
VL101 Wifi 2GHz for AX3 10.0.10.0/24 ether7

Ether8 has a direct connection to the Hap AX2. However, Ether7 is connected via two dumb switches to ether1 of the Hap AX3.

As of right now I have only been working on the Hap AX3; it's been reset to switch/AP and the VLANs for management and 2GHz WiFi created. Devices attached to the 2GHz WiFi are not being given IP addresses in the 10.0.10.0/24 range, but there appears to be zero isolation between VL101 and default VL1 items, even those connected directly to ether ports on the RB5009.
RB5009.rsc
hapax3.rsc
 
anav
Forum Guru
Posts: 19747
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Wed May 15, 2024 2:46 am

The problem is putting dumb switches between the router and the ax3. You should only put managed switches, even cheap ones from netgear or tplink work fine for this.
 
mtbdrew
just joined
Topic Author
Posts: 24
Joined: Fri Aug 18, 2023 6:42 pm

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Wed May 15, 2024 7:08 pm

The problem is putting dumb switches between the router and the ax3. You should only put managed switches, even cheap ones from netgear or tplink work fine for this.

Okay thanks, I can test this by swapping the AX3 with the first dumb switch in the line so nothing is between the RB5009 and AX3. Fortunately the Hap AX2 already has a direct connection to the RB5009.
 
anav
Forum Guru
Posts: 19747
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Wed May 15, 2024 8:20 pm

Okay, a bit confused, why do you have a LAN on this ax3? There should be no address associated with the bridge.
Other than vlans (for management of the router and potentially also associated with a trusted WIFI LAN),
vlans for data (trusted or non-trusted, each associated with its own SSID and WIFI LAN).

What are the rest of the ports being used for?

Why do you put datapath vlan-id in wifi settings?
 
mtbdrew
just joined
Topic Author
Posts: 24
Joined: Fri Aug 18, 2023 6:42 pm

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Wed May 15, 2024 8:51 pm

Okay, a bit confused, why do you have a LAN on this ax3? There should be no address associated with the bridge.
Other than vlans (for management of the router and potentially also associated with a trusted WIFI LAN),
vlans for data (trusted or non-trusted, each associated with its own SSID and WIFI LAN).

What are the rest of the ports being used for?

Why do you put datapath vlan-id in wifi settings?
Using both Haps as a switch/AP, not just as a wireless AP.
LAN ether2 is to be set up as the management interface on VL10.
LAN ether3-5 are used by other local hardware (printer, laptop docking station etc).

I put the VLAN-ID in the datapath setting because the 2.4G WiFi is only used for IOT devices, so I wanted the whole WiFi link to be VL101. No data device should ever attach to 2.4GHz.

BTW got the isolation working by adding an address list and two simple firewall rules on the RB5009:
Local-Networks address list containing all VLAN IP addresses.
Accept rule for management IP to VL1 IP, New. This is placed directly below the fasttrack rule.
Drop rule for Local-Networks to Local-Networks, New. Placed at the end of the filter table.

Now all inter-VLAN traffic is dropped except for the Management IP to VL1.
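The address list and two rules described in this post, written out as an added example in RouterOS CLI syntax; this is not the poster's RB5009.rsc. The VL10/VL100/VL101 subnets are the ones given earlier in the thread, while the VL1 subnet (192.168.88.0/24), the admin host (192.168.90.10) and the vlan interface names (vlan100, vlan101) are assumptions. It goes one step beyond the post by adding input-chain rules, because a forward-chain drop isolates the VLANs from each other but does not stop IoT devices from reaching Winbox/SSH on the router's own VLAN addresses.

```routeros
# Added example for the RB5009, not the poster's own export.
# Assumed: VL1 = 192.168.88.0/24, admin host = 192.168.90.10,
# IoT vlan interfaces on the RB5009 = vlan100 and vlan101.
/ip firewall address-list
add list=Local-Networks address=192.168.88.0/24 comment="VL1 default LAN (assumed subnet)"
add list=Local-Networks address=192.168.90.0/24 comment="VL10 management"
add list=Local-Networks address=10.0.0.0/24 comment="VL100 2.4GHz IoT via Hap AX2"
add list=Local-Networks address=10.0.10.0/24 comment="VL101 2.4GHz IoT via Hap AX3"

/ip firewall filter
# forward chain: the default rules (fasttrack, accept established/related,
# drop invalid) stay above these two. Order matters, so check with
# /ip firewall filter print after adding them.
# Directly below the fasttrack rule, as in the post: only the admin host may
# open NEW sessions from the management VLAN into the default LAN.
add chain=forward action=accept connection-state=new \
    src-address=192.168.90.10 dst-address=192.168.88.0/24 \
    comment="admin host (assumed) -> VL1, new connections"
# Last rule of the forward chain: every other new inter-VLAN connection is
# dropped. Internet-bound traffic does not match because public addresses
# are not in the list, so the IoT VLANs keep their cloud access.
add chain=forward action=drop connection-state=new \
    src-address-list=Local-Networks dst-address-list=Local-Networks \
    comment="drop all other inter-VLAN traffic"

# input chain: forward rules never see traffic addressed TO the router, so
# without these an IoT device could still reach Winbox/SSH/API on the
# RB5009's vlan100/vlan101 addresses. Place them after the default
# "accept established,related" input rule.
add chain=input action=accept in-interface=vlan100 protocol=udp dst-port=53,67 \
    comment="IoT needs only DNS and DHCP from the router"
add chain=input action=accept in-interface=vlan101 protocol=udp dst-port=53,67
add chain=input action=drop in-interface=vlan100 \
    comment="IoT may not reach router services"
add chain=input action=drop in-interface=vlan101
```

If the RB5009 is not the DNS server for the IoT VLANs, drop port 53 from the accept rules so only DHCP remains.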
 
anav
Forum Guru
Posts: 19747
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Wed May 15, 2024 9:39 pm

Which vlan(s) are the other devices connected to on the hapax3? There is no such thing as local devices, as the hapax3 is not acting as a router.
Also, why do you need a management access port, a physical port, on vlan10 on the device itself?
For the reason that it's on the management vlan, you can reach it from your admin location, assuming you're on the same vlan, or even on a different vlan via forward chain firewall rules.
All to say, what is 10x more useful is a separate OFF-bridge access where, if the bridge vlan filtering gets screwed, you can access the router separate from the bridge.
Trust me, it's also a clean location to implement the original working config as well.

You don't need datapath or vlan settings in wifi settings.
Control over which vlans have access to which vlans is done in firewall rules on the RB5009.

However, if you're happy with your config I will move on.
 
mtbdrew
just joined
Topic Author
Posts: 24
Joined: Fri Aug 18, 2023 6:42 pm

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Thu May 16, 2024 5:55 pm

Which vlan(s) are the other devices connected to on the hapax3? There is no such thing as local devices, as the hapax3 is not acting as a router.
Also, why do you need a management access port, a physical port, on vlan10 on the device itself?
For the reason that it's on the management vlan, you can reach it from your admin location, assuming you're on the same vlan, or even on a different vlan via forward chain firewall rules.
All to say, what is 10x more useful is a separate OFF-bridge access where, if the bridge vlan filtering gets screwed, you can access the router separate from the bridge.
Trust me, it's also a clean location to implement the original working config as well.

You don't need datapath or vlan settings in wifi settings.
Control over which vlans have access to which vlans is done in firewall rules on the RB5009.

However, if you're happy with your config I will move on.
I'm pretty much winging it here; it's been about 20 years since I took any Cisco class or even worked on VLANs. Mikrotik obviously has their own way of implementing things, so I've been reading and watching a lot of videos trying to adjust to the new ways. The Network Berg has some basic entry level videos for VLAN setup using Winbox, and he recommended the physical management port just in case something you try locks you out. If I understand what he's doing, it is basically what you are saying: assign a physical management interface, but he also links it to the management VLAN. Still trying to figure out how to do that on a switch/AP device; it was pretty straightforward on the router config but not so much on the switch.
Thanks for all the advice,
Regards
Andrew
 
anav
Forum Guru
Posts: 19747
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Thu May 16, 2024 6:55 pm

No problem, his videos are decent no doubt, but he misses the point, and that is a separate connection to the router config, not associated with the bridge vlan filtering, as that tends to be where people screw up most and lock themselves out of the router. Thus accessing the bridge from a port on the device would be no different from accessing the bridge from another device, and hence why we use the off-bridge method.
 
mtbdrew
just joined
Topic Author
Posts: 24
Joined: Fri Aug 18, 2023 6:42 pm

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Fri May 17, 2024 7:12 am

No problem, his videos are decent no doubt, but he misses the point, and that is a separate connection to the router config, not associated with the bridge vlan filtering, as that tends to be where people screw up most and lock themselves out of the router. Thus accessing the bridge from a port on the device would be no different from accessing the bridge from another device, and hence why we use the off-bridge method.
I had to modify his methods to get the VLAN filtering to work on the AX2 and AX3, so I'm not surprised there are better ways to implement things. Can you point me to directions on how to do this?

Thanks
Andrew
 
anav
Forum Guru
Posts: 19747
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Fri May 17, 2024 1:26 pm

Sure, when I get time.
 
anav
Forum Guru
Posts: 19747
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Sat May 18, 2024 3:13 am

Okay, you need to let me know the purpose of each port on the hapax3: what it leads to, and what vlan the connected device belongs to.
Remember, access between vlans and to their devices is controlled by the firewall rules on the 5009.
 
mtbdrew
just joined
Topic Author
Posts: 24
Joined: Fri Aug 18, 2023 6:42 pm

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Sat May 18, 2024 5:11 pm

Sure, when I get time.
Great, thanks again.
Andrew
 
anav
Forum Guru
Posts: 19747
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Sat May 18, 2024 5:22 pm

But first, as stated above:
Okay, you need to let me know the purpose of each port on the hapax3: what it leads to, and what vlan the connected device belongs to.
Remember, access between vlans and to their devices is controlled by the firewall rules on the 5009.
 
mtbdrew
just joined
Topic Author
Posts: 24
Joined: Fri Aug 18, 2023 6:42 pm

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Mon May 20, 2024 10:23 pm

But first, as stated above:
Okay, you need to let me know the purpose of each port on the hapax3: what it leads to, and what vlan the connected device belongs to.
Remember, access between vlans and to their devices is controlled by the firewall rules on the 5009.
ether1 connects to the RB5009.
ether2 I want as a dedicated management port (this is what I don't know how to do when in switch/AP mode).
ether3-5 connect to PCs and printers.
 
anav
Forum Guru
Posts: 19747
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I need some advice on VLANs for devices connecting only via 2.4GHz wifi:

Tue May 21, 2024 12:33 am

But first, as stated above:
Okay, you need to let me know the purpose of each port on the hapax3: what it leads to, and what vlan the connected device belongs to.
Remember, access between vlans and to their devices is controlled by the firewall rules on the 5009.
ether1 connects to the RB5009.
ether2 I want as a dedicated management port (this is what I don't know how to do when in switch/AP mode).
ether3-5 connect to PCs and printers.
Ether3, which subnet?
Ether4, which subnet?
Ether4, which subnet?
Ether5: will add an off-bridge subnet for your local access; the AP/switch MT will also be accessible from the management or trusted subnet it gets its IP from.
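One way to lay out the Hap AX3 as anav describes here (ether1 trunk, ether2 on the management VLAN, ether3-4 access ports, ether5 off the bridge) and as the off-bridge access port recommended earlier in the thread, written as an added example in RouterOS CLI syntax; it is not the poster's hapax3.rsc. Assumptions: the home LAN is the thread's untagged VL1, management is VLAN 10 with the Hap at 192.168.90.2 and the RB5009 at 192.168.90.1, 2.4GHz IoT is VLAN 101, wifi1 is the 5GHz and wifi2 the 2.4GHz radio, and 192.168.55.0/24 is the off-bridge subnet.

```routeros
# Added example for a Hap AX3 as AP/switch, not the poster's own export.
# Assumptions are listed in the lead-in. Apply to a device reset with no
# default configuration, ideally while connected through ether5.
/interface bridge
add name=bridge vlan-filtering=no comment="turn vlan-filtering on as the LAST step"

# ether5 stays OFF the bridge: local access keeps working even if the VLAN
# table below is wrong and the management VLAN becomes unreachable.
/ip address
add address=192.168.55.1/24 interface=ether5 comment="off-bridge admin access (assumed subnet)"

/interface bridge port
# ingress-filtering drops frames tagged with a VLAN the port is not a member of;
# access ports additionally refuse any tagged frame from the attached device.
add bridge=bridge interface=ether1 ingress-filtering=yes comment="trunk to RB5009"
add bridge=bridge interface=ether2 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged comment="management port, VLAN 10"
add bridge=bridge interface=ether3 pvid=1 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged comment="PC/printer, home LAN"
add bridge=bridge interface=ether4 pvid=1 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged comment="PC/printer, home LAN"
add bridge=bridge interface=wifi1 pvid=1 comment="5GHz SSID, home LAN"
add bridge=bridge interface=wifi2 pvid=101 \
    comment="2.4GHz IoT SSID: the pvid does the tagging, no wifi datapath vlan-id needed"

# One VLAN table entry per VLAN: which ports carry it tagged, which untagged.
/interface bridge vlan
add bridge=bridge vlan-ids=1 untagged=ether1,ether3,ether4,wifi1 comment="home LAN, untagged on the trunk"
add bridge=bridge vlan-ids=10 tagged=bridge,ether1 untagged=ether2 \
    comment="management; 'bridge' is tagged so the Hap itself can join this VLAN"
add bridge=bridge vlan-ids=101 tagged=ether1 untagged=wifi2 comment="2.4GHz IoT, only leaves via the trunk"

# The only VLAN the Hap needs an interface on is the one it takes its own address from.
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
/ip address
add address=192.168.90.2/24 interface=vlan10 comment="Hap management address (assumed)"
/ip route
add gateway=192.168.90.1
/ip dns
set servers=192.168.90.1

# Management services answer only on the management VLAN and the off-bridge port.
/ip service
set winbox address=192.168.90.0/24,192.168.55.0/24
set ssh address=192.168.90.0/24,192.168.55.0/24

# Last step, done from ether5: enable filtering.
/interface bridge
set bridge vlan-filtering=yes
```

Carrying the home LAN untagged on the trunk mirrors the thread's VL1 layout; giving it a tagged VLAN id of its own on both ends is the cleaner long-term option, since then nothing rides the trunk untagged.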
