Hi All,
I want to share my experiences.
It seems I managed to successfully configure the VLANs according to suggestions.
There was some modification, and first I used a "test" router (hAP) as R3. This is because R3 is far away from me and I did not want to walk from one building to another and back every time I screw up the config.
(Yes, I know the "Safe Mode", but sometimes I forget to use it.)
Currently I use this config on R2:
Interface Config:
/interface vlan
add interface=bridge1 name=vlan100 vlan-id=100
add interface=bridge1 name=vlan200 vlan-id=200
(VLAN 100 - R1 Network, VLAN 200 - Isolated Network For IP Cameras)
Ethernet:
/interface ethernet
set [ find default-name=ether1 ] name=ether1-pppoe <- This interface is connected to R1 (pppoe)
set [ find default-name=ether2 ] name=ether2-switch <- dummy switch (R2->SW->R3)
set [ find default-name=ether4 ] name=ether4-telekom <- This interface is connected to R1 (separate eth cable for VLAN)
Bridge Config:
/interface bridge
add name=bridge1 port-cost-mode=short vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2-switch internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=wifi1-2ghz internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=wifi2-5ghz
add bridge=bridge1 interface=ether5
add bridge=bridge1 ingress-filtering=no interface=ether4-telekom pvid=100 trusted=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2-switch untagged=ether4-telekom vlan-ids=100
add bridge=bridge1 tagged=ether2-switch,bridge1 vlan-ids=200
Please note that I have my original network untouched (VLAN ID 1, by default). This is the next in the todo list.
Additionally I've set a DHCP client for the vlan100 interface, instead of adding an IP address manually.
[admin@MikroTikAc3] > /ip/dhcp-client/print
Columns: INTERFACE, USE-PEER-DNS, ADD-DEFAULT-ROUTE, STATUS, ADDRESS
# INTERFACE USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS ADDRESS
0 vlan100 no no bound 192.168.1.246/24
[admin@MikroTikAc3] > /ip/dhcp-client/export
/ip dhcp-client
add add-default-route=no interface=vlan100 use-peer-dns=no use-peer-ntp=no
And also I set up a DHCP server for the camera VLAN:
[admin@MikroTikAc3] > /ip/dhcp-server/print
Columns: NAME, INTERFACE, ADDRESS-POOL, LEASE-TIME
# NAME INTERFACE ADDRESS-POOL LEASE-TIME
0 dhcp1 bridge1 dynamic dhcp 30m
1 dhcp2 vlan200 dhcp_pool4 30m
R3 Configuration:
/interface vlan
add interface=bridge1 name=vlan100 vlan-id=100
add interface=bridge1 name=vlan200 vlan-id=200
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2 pvid=100
add bridge=bridge1 interface=wlan1 pvid=100
add bridge=bridge1 interface=ether3 pvid=200
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=100
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=200
DHCP Clients:
[admin@MikroTik] > /ip/dhcp-client/print
Columns: INTERFACE, USE-PEER-DNS, ADD-DEFAULT-ROUTE, STATUS, ADDRESS
# INTERFACE USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS ADDRESS
0 bridge1 no no bound 172.16.3.198/22
1 vlan100 no no bound 192.168.1.227/24
2 vlan200 no no bound 10.200.0.2/24
But there are some parts of the suggested configuration I don't really understand. (Or I don't understand how VLANs work....)
This part of the suggested configuration did not work:
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,wlan1 vlan-ids=10
add bridge=bridge tagged=ether1,wlan3 vlan-ids=20
What is the point behind adding WLAN* interface as tagged? If I understand well, tagging interface means that the interface is a "trunk" interface not an "access" one.
Instead of this I configured wlan1 PVID to 100.
The situation is similar in R2 configuration.
I had to configure PVID for the ISP's (ether4) interface:
/interface bridge port
.....
add bridge=bridge1 ingress-filtering=no interface=ether4-telekom pvid=100 trusted=yes
In the suggested configuration ether4 is added as a tagged interface:
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,wifi1-2ghz,ether4,wifi2-5ghz vlan-ids=10
add bridge=bridge1 tagged=bridge1,wifi1-2ghz,ether4,wifi2-5ghz vlan-ids=20
R1 is not aware of VLANs, so I don't see the meaning of adding it as tagged.
Can you see anything bad in my configuration? I'm not so familiar with VLANs (yet), so there may be some configuration parts which could be anti-patterns.
Interesting thing: my first thought is also working: creating an EoIP tunnel between R2 and R3 and separate bridges on both sides. (R2: EoIP and ether4, R3: EoIP and WIFI+ETH2)
Thanks for the help!
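As an added example (not part of the post above and not MikroTik's code), here is a small Python model of RouterOS bridge VLAN filtering that traces the posted R3 configuration and the suggested "wlan1 as tagged member" alternative, to show why an access port needs a PVID: an untagged client frame is classified by the ingress port's PVID, and a port that is only a tagged member of a VLAN never sees untagged client traffic in that VLAN. The Bridge class and the trace logic are my own simplifications (ingress-filtering assumed yes, frame-types ignored).

```python
# Added example, not from the forum post: a simplified model of RouterOS
# bridge VLAN filtering, used to trace where a frame from a wireless client
# or a camera ends up. Port names follow the R3 config in the post; the
# Bridge class is my own and ignores frame-types, ingress-filtering=no
# and tag stacking.
from dataclasses import dataclass, field


@dataclass
class Bridge:
    pvid: dict                                    # port -> PVID for untagged ingress
    tagged: dict = field(default_factory=dict)    # vlan-id -> tagged member ports
    untagged: dict = field(default_factory=dict)  # vlan-id -> untagged member ports

    def members(self, vid):
        """Static members plus the dynamic untagged membership RouterOS adds
        for every port whose PVID equals vid (the 'D' entries in vlan print)."""
        tagged = set(self.tagged.get(vid, ()))
        untagged = set(self.untagged.get(vid, ()))
        untagged |= {p for p, v in self.pvid.items() if v == vid}
        return tagged, untagged

    def forward(self, in_port, vlan_tag=None):
        """Return {egress_port: 'tagged'|'untagged'} for a frame arriving on
        in_port, either untagged (vlan_tag=None) or with an 802.1Q tag."""
        vid = vlan_tag if vlan_tag is not None else self.pvid[in_port]
        tagged, untagged = self.members(vid)
        if in_port not in tagged | untagged:      # ingress-filtering=yes drops it
            return {}
        out = {p: "tagged" for p in tagged if p != in_port}
        out.update({p: "untagged" for p in untagged if p != in_port})
        return out


# R3 as posted: wlan1/ether2 are access ports via PVID 100, ether3 is PVID 200,
# ether1 is the trunk to R2 and "bridge1" is the CPU side where the vlan100 /
# vlan200 interfaces live. A port's PVID defaults to 1 when not set.
R3 = Bridge(
    pvid={"bridge1": 1, "ether1": 1, "ether2": 100, "wlan1": 100, "ether3": 200},
    tagged={100: {"ether1", "bridge1"}, 200: {"bridge1", "ether1"}},
)

# The suggested alternative: wlan1 listed only as a tagged member of VLAN 10
# and left at the default PVID 1, so an untagged client frame lands in VLAN 1.
SUGGESTED = Bridge(
    pvid={"bridge": 1, "ether1": 1, "wlan1": 1, "wlan3": 1},
    tagged={10: {"bridge", "ether1", "wlan1"}, 20: {"ether1", "wlan3"}},
)

if __name__ == "__main__":
    print("R3 wifi client ->", R3.forward("wlan1"))         # trunk + CPU tagged
    print("suggested wifi ->", SUGGESTED.forward("wlan1"))  # stuck in VLAN 1
```

Running it shows that on R3 the camera port (ether3) only ever egresses tagged on the trunk and the CPU side, never towards wlan1, while in the suggested layout an untagged frame from a wireless client is classified into VLAN 1 rather than VLAN 10.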