Multiple Isolated Wifi networks on a wired AP bridge

deadwalker · Thu Dec 28, 2023 2:18 pm

Hi all,

First of all sorry for my basic question but I´m really a noob when it comes to networking, not limited but also especially with Mikrotiks.

Situation is as follows:

I have a HAP ax3 acting as my main router. It provides 3 Wifi networks which are isolated from each other (private, guest and IOT).
It took me hours and reading through a lot of tutorials to get this going and there is for sure room for improvement but it works.
I bought a HAP ax lite as a wired AP bridge. Using a simple bridge setup I´m able to extend my main Wifi (private) just fine.
I fail to extend my other 2 Wifi networks as I´m not sure how to get this done. I guess I need additional bridges, similiar to the main router setup and configuration of additional DHCP clients getting IPs from the main router....unfortunately I can´t get this to work at all.

Here the configuration from my HAP ax lite (ap bridge). As said the main Wifi (private) is working ok, problems exists with other Wifi networks (e.g. tried guest so far).
I guess it´s related to VLAN tagging, do I need that if I have different bridges?

# 2023-12-28 13:15:46 by RouterOS 7.13
# software id = 3638-CNQF
#
# model = L41G-2axD
# serial number = XXXX
/interface bridge
add name=bridge_Guest
add name=bridge_LAN port-cost-mode=short
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.country=Germany .mode=ap .ssid=\
    wired disabled=no name=2GHz_wired security.authentication-types=\
    wpa2-psk,wpa3-psk .wps=disable
add configuration.mode=ap .ssid=wired_guest disabled=no mac-address=\
    7A:9A:18:15:D3:16 master-interface=2GHz_wired mtu=1500 name=2GHz_guest \
    security.authentication-types=wpa2-psk,wpa3-psk
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge_LAN interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge_LAN interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge_LAN interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge_LAN interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge_LAN interface=2GHz_wired
add bridge=bridge_LAN interface=2GHz_guest pvid=10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.66.3/24 interface=bridge_LAN network=192.168.66.0
add address=192.168.71.99/24 interface=bridge_Guest network=192.168.71.0
/ip dhcp-client
add add-default-route=no interface=bridge_Guest
add add-default-route=no interface=bridge_LAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.66.1 routing-table=main \
    suppress-hw-offload=no
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=wired_AP
/system note
set show-at-login=no

Thanks for your patience and diligence.

Thu Dec 28, 2023 3:04 pm

There is no need to use multiple bridges when using vlan.
Not on main router nor on wired AP.
One is enough.

See this excellent guide how to setup VLANs properly.
viewtopic.php?t=143620

Read it, digest it, read it again.
Then apply.
You need setups for router/AP combo and AP.

Basically you need a trunk port between router and AP, AP will then be able to use all VLAN tags presented via trunk.

anav · Thu Dec 28, 2023 3:25 pm

For the secondary device acting as an AP/switch follow this advice.
viewtopic.php?t=182276

deadwalker · Tue Jul 16, 2024 2:21 am

Hi all,
Sorry for reactivating such a old thread and thanks holvoetn and anav. The posted guide is in fact a very good starting point.
I have setup my main router accordingly to the Router/Switch setup and all is now properly separated using VLANs on a single bridge. This is working like a charm.

When it comes to connecting the AP (hap ax lite) I´m still a bit confused I have to say.
I followed the AP instructions in the same referred thread with the small difference that I also added in the physical ports besides the Wifi networks.
Currently I fail to really have the networks forwarded on the AP (no internet access).
Secondly I would like to reach the AP under 192.168.66.3 which I made static for the AP on the main router. This doesn´t work and when I apply the config I´m unable to connect to the AP again causing me to need to perform a reset.

I think it´s not much going wrong here but having a hard time finding the solution.
For you guys this is for sure quite obvious. Any help would therefore be greatly appreciated.

My dummy config based on the provided example looks like this.

# name the device being configured
/system identity set name="wired_AP"
#######################################
# VLAN Overview
#######################################
# 10 = BLUE
# 20 = GREEN
# 30 = RED
# 99 = BASE (MGMT) VLAN


#######################################
# WIFI Setup
#
# Example wireless settings only. Do
# NOT use in production!
#######################################

# Blue SSID
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless set [ find default-name=1-wifi-2GHz ] ssid=wired frequency=auto mode=ap-bridge disabled=no

# Green SSID
/interface wireless security-profiles add name=GREEN_PROFILE authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless add name=2-wifi-2GHz_guest ssid=wired_guest master-interface=wlan1 security-profile=GREEN_PROFILE disabled=no

# Red SSID
/interface wireless security-profiles add name=RED_PROFILE authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless add name=3-wifi-2GHz_IOT ssid=wiot master-interface=wlan1 security-profile=RED_PROFILE disabled=no


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=bridge_LAN protocol-mode=none vlan-filtering=no


#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Blue, Green, Red VLAN
add bridge=bridge_LAN interface=1-wifi-2GHz pvid=10
add bridge=bridge_LAN interface=2-wifi-2GHz_guest pvid=20
add bridge=bridge_LAN interface=3-wifi-2GHz_IOT pvid=30
add bridge=bridge_LAN interface=ether2 pvid=10
add bridge=bridge_LAN interface=ether3 pvid=10
add bridge=bridge_LAN interface=ether4 pvid=10

# egress behavior, handled automatically


#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1
add bridge=bridge_LAN interface=ether1

# egress behavior
/interface bridge vlan

# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
add bridge=bridge_LAN tagged=ether1 vlan-ids=10
add bridge=bridge_LAN tagged=ether1 vlan-ids=20
add bridge=bridge_LAN tagged=ether1 vlan-ids=30
add bridge=bridge_LAN tagged=bridge_LAN,ether1 vlan-ids=99


#######################################
# IP Addressing & Routing
#######################################

# LAN facing AP's Private IP address on a BASE_VLAN
/interface vlan add interface=bridge_LAN name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.3/24 interface=BASE_VLAN

/ip address add address=192.168.66.3/24 interface=bridge_LAN network=192.168.66.0

# The Router's IP this AP will use
/ip route add distance=1 gateway=192.168.66.1


#######################################
# IP Services
#######################################

# As in the example nothing configured but is this really the way to go? 


#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=1-wifi-2GHz]
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=2-wifi-2GHz_guest]
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=3-wifi-2GHz_IOT]
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]

# Only allow ingress packets WITH tags on Trunk Ports
/interface bridge port set bridge=bridge_LAN ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/interface list add name=BASE
/interface list member add interface=BASE_VLAN list=BASE
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set bridge_LAN vlan-filtering=yes

anav · Tue Jul 16, 2024 4:49 am

You have a godawful way of showing a config LOL............ I tell that to pcunite all the time

Bridge does not get an address.................. the IP address of the device is the address given via the management base vlan.
I recommend making one port access to config the device OFF the bridge...... works well.

/interface bridge
add ingress-filtering=no name=bridge_LAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=trunk
set [ find default-name=ether4 ] name=emergaccess
/interface vlan
add interface=bridge_LAN  name=BASE_VLAN vlan-id=99
/interface list
add name=BASE
/interface wireless
{ as required }
/interface bridge port
add bridge=bridge_LAN ingress-filtering=yes  frame-types=admit-only-vlan-tagged interface=trunk
add bridge=bridge_LAN ingress-filtering=yes  frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge_LAN ingress-filtering=yes  frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge_LAN ingress-filtering=yes  frame-types=admit-only-untagged-and-priority-tagged interface=1-wifi-2GHz pvid=10
add bridge=bridge_LAN ingress-filtering=yes  frame-types=admit-only-untagged-and-priority-tagged interface=2-wifi-2GHz_guest pvid=20
add bridge=bridge_LAN ingress-filtering=yes  frame-types=admit-only-untagged-and-priority-tagged interface=3-wifi-2GHz_IOT pvid=30
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge_LAN tagged=ether1  untagged=ether2,ether3,1-wifi-2GHz  vlan-ids=10
add bridge=bridge_LAN tagged=ether1  untagged=2-wifi-2GHz_guest  vlan-ids=20
add bridge=bridge_LAN tagged=ether1  untagged=3-wifi-2GHz_IOT  vlan-ids=30
add bridge=bridge_LAN tagged=ether1,bridge_LAN  vlan-ids=99
/interface list member
add interface=BASE_VLAN list=BASE
add interface=emergaccess list=BASE
/ip address
add address=192.168.0.3/24 interface=BASE_VLAN network=192.168.0.0
add address=192.168.36.1/24 interface=emergaccess network=192.168.36.0 comment="ether4 access off bridge"
/ip dns
set allow-remote-requests=yes servers=192.168.0.1  { Note: Done so all dns requests use trusted subnet } 
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.0.1 comment="ensures route avail through trusted subnet gateway"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=x.x.x.x
set api disabled=yes
set api-ssl disabled=yes
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.0.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE

deadwalker · Tue Jul 16, 2024 11:52 pm

Hi anav,
You are so damn fast in answering! Very much appreciated!
This helped a lot, I got the AP to work and all 3 Wifi networks are working fine now.
One thing which I´m having a hard time to understand is the emergency access and generally the AP access via Winbox.

Please correct me if I´m wrong but with this setup the idea is that you only can connect via Winbox on the emergency access port (ether4) via MAC, correct?
I cannot manage to connect to the AP from .... lets say the private VLAN (pvid 10). Also the AP itself doesn´t seem to have any internet access. I cannot ping the outside world nor can I check for RouterOS updates. Not quite sure if that is intended. Not quite sure I got the vlan tagging correct or maybe the ip adressing part is missing something.

Thanks for your continious help!

anav · Tue Jul 16, 2024 11:57 pm

Sounds like you may have some errors. but not sure.
Post your latest config for review.......

In terms of access to the AP, you should be able to from any PC on the main router, on the 99 network, access the AP via winbox.
If you had a port on the AP (access port) for vlan99 that would also work, however, its better to use an off bridge port.

Most of the pain in the butt happens when you screw something during bridge vlan configuration and its easy to get locked out and start from scratch. Then you would not be able to access from the main router management subnet, nor a local port assigned to vlan99.
Much safer to config from or have an emerg access via an off bridge port.

So you only set the address, take the port off the bridge and then plug in your laptop to that port.
Change your IPV4 settings appropriately and bobs your uncle.

deadwalker · Wed Jul 17, 2024 12:48 am

Ahh while looking just found that there is indeed still a bigger problem. I forgot to turn vlan filtering on the bridge on (typically I do that at the end to be not cut off during configuration). Now after I did that the internet access on the WIfi networks is gone again

So yes quite sure something is not as it should be. Potentially also a problem on my main router as that config is a bit clunky as it has been grown over time.

MainRouter:

mainrouter.rsc

AP Config (really based on your correction) - without the unneccesary commenting

AP.rsc

Thanks for your time!

anav · Wed Jul 17, 2024 12:54 am

1. I see nothing wrong with the AP..............

2. Oops you have main router errors showing, the question here is why do you have bridge filters at all? Remove for now please.
/interface bridge filter
# no interface
add action=drop chain=forward in-interface=*9
# no interface
add action=drop chain=forward out-interface=*9
# no interface
add action=drop chain=forward in-interface=*A
# no interface
add action=drop chain=forward out-interface=*A

3. Should be set to BASE
/ip neighbor discovery-settings
set discover-interface-list=VLAN

4. There appears to be no trunk port to the AP??? as evidenced by the /interface bridge port settings ?????
5. The /interface bridge vlan settings provide no clues as to what is going on.
6. Set detect internet interface=NONE

7. Simplify (when using all vlans, bridge is not a list member )

/interface list
add name=WAN
add name=LAN
add name=BASE

/interface list member
add interface=ether1 list=WAN
add interface=private_VLAN list=LAN
add interface=BASE_VLAN list=LAN
add interface=guest_VLAN list=LAN
add interface=iot_VLAN list=LAN
add interface=wireguardVPN list=LAN

add interface=BASE_VLAN list=BASE
add interface=wireguardVPN list=BASE { to allow admin remote access to config router if necessary )

8. If you manually added netmask to this address line, remove it!
add address=192.168.66.0/24 comment=defconf dns-server=192.168.0.1 gateway=\
192.168.66.1 netmask=24

9. Remove this static DNS setting!!!
/ip dns static
add address=192.168.66.1 comment=defconf disabled=yes name=router.lan

10. Firewall rules adjusted

/ip firewall address-list ( using static dhcp leases for local addresses }
add address=192.168.0.A/32 list=Authorized comment="admin local desktop wired"
add address=192.168.0.B/32 list=Authorized comment="admin local laptop wired"
add address=192.168.70.X/32 list=Authorized comment="admin remote wg laptop"
add address=192.168.70.Y/32 list=Authorized comment="admin remote wg smartphone/ipad"
add address=192.168.36.2/32 list=Authorized comment="admin on AP"

/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related, Untracked" \
connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="wireguard handshake pderDfels" dst-port=13231 protocol=udp
add action=accept chain=input comment="wireguard handshake VPN" dst-port=51820 protocol=udp
add action=accept chain=input comment="Admin Access" in-interface-list=BASE src-address-list=Authorized
add action=accept chain=input comment="user access to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="user access to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop all else" { add this very last or you may lock yourself out}
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="Admin to subnets" in-interface-list=BASE src-address-list=Authorized out-interface-list=LAN
add action=drop chain=forward comment="drop all else"

Note1: If you want to be able to access router and AP from private subnet,
- add private subnet vlan10? to the BASE interface list
- add ip addresses for admin to the source address list Authorized

Note2: It is not clear what the role of the other wireguard VPN is.........so left it out of firewall rules
Once detailed, it will be easy to make adjustments.

11. Add route for admin on AP....
add dst-address=192.168.36.2 gateway=192.168.0.3 routing-table=main

12. MISSING wireguard allowed IP setttings??? or am I blind?

deadwalker · Thu Jul 18, 2024 12:58 am

Hi anav,

Thanks for the detailed response. I just recognized yesterday, actually before your reply that I haven´t configured a trunk (dumb).
A lot of the other garbage still in is from refactoring the main router from the initial multiple bridge based setup to VLAN. Maybe I should have started from scratch instead.

Let me try to go through one by one:

Thanks to you the AP is so far ok.
Bridge filters are removed. Indeed a leftover.
Done
Trunk port (ether2) was indeed missing as was added now. I hope I did that in the correct manner.
Ok does this look better now in the new export?
Ok deactivated. This actually comes from using the Mikrotik Android app to access the device config. Seems I activated it there by accident.
Simplification completed. Makes sense to remove the bridge
Hey good catch, removed netmask from address.
Mhh I´m honestly not sure where this is coming from. I use Cisco OpenDNS to block down access to certain internet categories. In order to not allow users to simply change their DNS manually I tried something, maybe this is it. I cannot remember. I anyway do that via NAT.
Firewall rules cleaned. Are all the other rules I have not of value anymore (I refer to the currently disabled ones)?
Note1: Ok I added private_VLAN (10) to the BASE interface list. I also added one IP address to the Authorized list. In order to make sure this address stays the same I just went to DHCP Server and made the lease address static.
Note2: The first wireguard is for a roadwarrior setup. The other wireguard is a site2site setup which should be up and running permanently. This was working fine in the past. I think to get this enabled I just add the wireguard to the LAN interface list, correct?
Ok will add that on the AP.
Indeed I removed that from the config with some other scripts and schedules on the router but its there in the new export.

mainrouter.rsc

anav · Thu Jul 18, 2024 5:09 am

Looks much better!

1. Set to NONE mac-server by itself is not a secure protocol
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

2. Modify router to remote router subnet TO:
/ip route
add dst-address=192.168.178.0/24 gateway=wireguard_perDfels routing-table=main

3. Now lets look at bridge ports and bridge vlans

Ports looks okay, modify /interface bridge vlans to: { i prefer manual entry of untagged both are valid, but this way I can cross check with bridge ports to see if both line up )

/interface bridge vlan
add bridge=bridge_LAN tagged=bridge_LAN,ether2 untagged=ether3,ether4,1-wifi5Ghz,2-wifi2GHz vlan-ids=10
add bridge=bridge_LAN tagged=bridge_LAN,ether2 untagged=4-wifi2GHz_Guest vlan-ids=20
add bridge=bridge_LAN tagged=bridge_LAN,ether2 untagged=5k-wifi2GHz_IOT vlan-ids=30
add bridge=bridge_LAN tagged=bridge_LAN,ether2 untagged=ether5 vlan-ids=99

4. Since you are proving NTP from the router adjust this rule!!
add action=accept chain=input comment="user access to services" dst-port=53,123 \
in-interface-list=LAN protocol=udp

jmpaiva · Thu Jul 18, 2024 4:43 pm

For the secondary device acting as an AP/switch follow this advice.
viewtopic.php?t=182276

Thread is no longer available.

Got to this forum as I have a co-worker who is a fan of mikrotik and keeps recommening it.

I'm also considering a router and an aditional AP for the second floor, but want to configure a vlan for IOT devices and I want the adiciotnal AP to replicagte the riginal SSID/Vlans

Btw if someone cares to recommend hw for this, that would be great. If possible something with wifi6 to make a bit more future proof.

Thanks

anav · Thu Jul 18, 2024 6:43 pm

All you require is included in this thread, unless using capsman and thus its slightly different.
So have at it. When you have a working config or close to working config and need help just ask.

deadwalker · Thu Jul 18, 2024 9:13 pm

@jmpaiva: I guess you can just have a look at my latest config to get a good understanding on how it would like in your setup. There are a few small issues still but it´s a good start.
For devices it really depends on what you need, there are quite a lot of devices from Mikrotik. I decided on a HAP ax3 as my main router and a HAP ax lite as Access Point. Especially for the ax lite there are certainly better devices when it comes to WiFi coverage but it´s sufficient for me. Can´t expect much more for such a cheap device.

@anav: I implemented the latest proposed changes and understand that it´s better to add the untagged interfaces manually for clearness. NTP started working now as well.

One major problem is still around. I don´t have internet access on the AP wifi networks. The AP itself has internet access when accessed via the off bridge port.
If connecting to the wifi networks it seems like I don´t get a proper IP from the DHCP server pools but I can´t identify any problems there. Maybe I also srewed some of the tagging up. Really unsure. There are no changes to the config I uploaded yesterday, except the latest ones you posted. Pretty sure it´s a small and stupid problem.

anav · Thu Jul 18, 2024 10:54 pm

HI dead, you know the drill, post both latest configs for main router and AP, we will find the issue!

deadwalker · Thu Jul 18, 2024 11:24 pm

Hi anav,
Really stuck currently, likely very easy.
Here are the mainrouter and ap configs.

mainrouter.rsc

ap.rsc

Thanks a lot! I owe you multiple drinks.

anav · Fri Jul 19, 2024 12:11 am

AP

You added an extra route here, but it should not cause any failures.....should be removed.
/ip route
add comment="ensures route avail through trusted subnet gateway" disabled=no \
dst-address=0.0.0.0/0 gateway=192.168.0.1
add disabled=no dst-address=192.168.36.2/32 gateway=192.168.0.3 \
routing-table=main suppress-hw-offload=no

Other than that I cannot spot anything on the AP.

ROUTER

Could not spot anything on the main router either!

anav · Fri Jul 19, 2024 12:22 am

TRY rebooting both routers.

deadwalker · Fri Jul 19, 2024 1:46 am

Hi anav,
Ok removed the route and rebooted both units. Nothing changed. Still no correct DHCP assignment on any Wifi network from the AP.
I´ll try to have another close look tomorrow.

Thanks,
Nils

jmpaiva · Fri Jul 19, 2024 11:07 am

@jmpaiva: I guess you can just have a look at my latest config to get a good understanding on how it would like in your setup. There are a few small issues still but it´s a good start.
For devices it really depends on what you need, there are quite a lot of devices from Mikrotik. I decided on a HAP ax3 as my main router and a HAP ax lite as Access Point. Especially for the ax lite there are certainly better devices when it comes to WiFi coverage but it´s sufficient for me. Can´t expect much more for such a cheap device.

@anav: I implemented the latest proposed changes and understand that it´s better to add the untagged interfaces manually for clearness. NTP started working now as well.
One major problem is still around. I don´t have internet access on the AP wifi networks. The AP itself has internet access when accessed via the off bridge port.
If connecting to the wifi networks it seems like I don´t get a proper IP from the DHCP server pools but I can´t identify any problems there. Maybe I also srewed some of the tagging up. Really unsure. There are no changes to the config I uploaded yesterday, except the latest ones you posted. Pretty sure it´s a small and stupid problem.

Are you hapoy with the ax3? I hear some People compaining about the wifi

anav · Fri Jul 19, 2024 4:57 pm

jmpaiva, please do not interrupt a thread with an off topic useless question.
If you have a wifi question ask it in the WIFI forum, you are likely to get better responses.

deadwalker · Sat Jul 20, 2024 12:55 am

Hi anav,

I found the problem after having a look at the bridge VLAN settings.
I only added in the trunk port as tagged but need to also tag the bridge_LAN.
Since that I finally have internet on the AP Wifi networks.

Thanks for your continued help. I know that the Mikrotik support is great but this is in fact outstanding.

anav · Sat Jul 20, 2024 2:13 am

PHEW, I thought I was losing my marbles LOL.
A. on the ap /switch device only the vlan99 or managment vlan needs to be tagged to the bridge.
B. on the main router, normally all vlans are tagged on the bridge.

SWITCH
A. This was correct so not sure if the problem was here ??? For the switch we are simply moving vlan traffic from an input trunk port to an an access ether or wifi port and vice versa.
/interface bridge vlan
add bridge=bridge_LAN tagged=trunk untagged=ether2,ether3,1-wifi-2GHz \
vlan-ids=10
add bridge=bridge_LAN tagged=trunk untagged=2-wifi-2GHz_guest vlan-ids=20
add bridge=bridge_LAN tagged=trunk untagged=3-wifi-2GHz_IOT vlan-ids=30
add bridge=bridge_LAN tagged=trunk,bridge_LAN vlan-ids=99

ROUTER
B. Cannot see any issues here either??
/interface bridge vlan
add bridge=bridge_LAN tagged=bridge_LAN,ether2 untagged=\
ether3,ether4,1-wifi5Ghz,2-wifi2GHz vlan-ids=10
add bridge=bridge_LAN tagged=bridge_LAN,ether2 untagged=4-wifi2GHz_Guest \
vlan-ids=20
add bridge=bridge_LAN tagged=bridge_LAN,ether2 untagged=5-wifi2GHz_IOT \
vlan-ids=30

deadwalker · Sat Jul 20, 2024 8:39 am

Hi anav,

Yes the configuration was like shown in your example before.
It´s reproducible that IP assignment doesn´t work anymore as soon as I remove the bride_LAN from the tagged list of a bridge VLAN.
Not sure if there are other issues which might cause this but I don´t think its a problem to have bridge_LAN tagged as well. Or would you disagree with that statement?

anav · Sat Jul 20, 2024 3:37 pm

Not clear
The configuration I just posted was what I gave previously, which you stated did not work.
So the question is what changes did you make to that config for you to get the traffic going??

switch changes?
Router changes?

deadwalker · Sat Jul 20, 2024 4:17 pm

Hi anav,

Here the latest config for completeness. This works and I´m currently unsure how to get rid of the bridge_LAN ond the AP bridge VLANs.

router.rsc

ap.rsc

anav · Sat Jul 20, 2024 4:56 pm

That is wrong, should not work that way as the only vlan requiring tagging on bridge on the AP is the management vlan.

FOUND THE ISSUE on the AP causing this...............

AP
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=no name=bridge_LAN \
protocol-mode=none vlan-filtering=yes

Remove this from the bridge settings and then you can remove the tagging for the vlans on the AP that are not the management vlan.

deadwalker · Sat Jul 20, 2024 5:13 pm

Hi anav,
I actually tried that as well and if I do that and remove the bridge_LAN keeping only trunk port as a tagged member I´m back to the initial situation where I cannot get an IP.
I currently just tried it in the guest VLAN.

anav · Sat Jul 20, 2024 6:52 pm

Makes no sense to me. Limiting frames on the main Bridge setting itself is NOT required ( on both main router and AP). On AP, only vlan needing tagging to bridge is management VLAN.

I would say what you need to do is setup as above describes, reboot both routers, then it should work. If not then the AP should be floating in air because its defying all logic and physics!!

deadwalker · Sun Jul 21, 2024 12:09 pm

Hi anav,
I´m kind of lost here. I really think my latest config reflects what we discussed in this thread. Still it doesn´t work with only a tagged trunk port on the VLANs.
There is for sure a problem somewhere but I think tagging the bridge_LAN as well is not a huge problem so I´ll stick to this config for the time being.
I´ll continue trying to learn so potentially I might find the problem soon. Once I do I´ll post it here.
Thanks for your massive help on this, very much appreciated.
Cheers,
dead

Multiple Isolated Wifi networks on a wired AP bridge

Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge

Re: Multiple Isolated Wifi networks on a wired AP bridge