EASY SWITCH or AP/SWITCH SETUP ( ANY RoS Device)

anav · Sat Jan 15, 2022 8:29 pm

{ linked from New User Pathway To Success Config Success - viewtopic.php?t=182373 }

USING ROS DEVICE AS AN AP/SWITCH
Having seen enough requests lately for this requirement its clear there is a need for an article, or at least a common place to look for links for useful stuff.
See the example DEVICE setup below.

PRACTICAL APPROACH
For WIFI capable devices, as BPWL has noted, one could elect to choose - WISP AP- mode in quickset to start and then clean it up as per the posts/links below. (Use of quickset other than selecting a mode is generally a bad idea)

RECOMMENDED
To avoid getting into too many lockouts and issues during configuring I always recommend use of SAFE MODE, and also when entering any MT device for the first time with all its default settings, I recommend to create an independent entry point to the router for config purposes. OFF BRIDGE access - viewtopic.php?t=181718

AP SWITCH
For those looking for a bare bones AP - Switch Setup this is it (courtesy of pukkita).
viewtopic.php?p=905562#p905562

Another Similar post from Jotne
viewtopic.php?p=893722&hilit=ap+switch#p693337

One from Vecernik87 My favourite unicorn pony.
viewtopic.php?p=893722&hilit=ap+switch#p693336

This is an internet link provided by Richard....
https://tehnoblog.org/mikrotik-router-h ... nt-bridge/

NEED VLANS?
VLANS ON THE SWITCH (hex etc.) - viewtopic.php?t=143620#p706997
VLANS ON THE AP - (capac etc.) - viewtopic.php?t=143620#p706999
VLANS on the AP/SWITCH - (hapac etc.) - viewtopic.php?t=143620#p706998

EXAMPLE (ANY RoS) DEVICE SETUP

Note1: homeVLAN is the trusted subnet (where the admin works or accesses devices for config purposes)
Note2: Ingress filtering and frame-types-allowed are applied on BRIDGE PORTS!
Note3: If you dont have WLANS, then just ignore them in the example.
Note4: ONLY the managment vlan needs to be identified (with interface=bridge) as the other vlans are simply acting as conduits for traffic and not going through the cpu-bridge.

Finally, you will see two extra IP ADDRESS entries, besides the one required for the MT device itself (from the trusted subnet), one is designed for a wired "off bridge access" to the device (emergaccess) which involves assigning an etherport for this purpose.
The other IP Address, (testaccess) is designed to be an "off bridge" wifi access to the device. Both are made to be able to config the device in case the bridge configuration causes any issues.
[ "Off Bridge" access explained: viewtopic.php?t=181718 ]

.....

/interface bridge
add ingress-filtering=no name=bridgegym vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=emergaccess
/interface vlan
add interface=bridgegym name=cerv49 vlan-id=49  { optional, I put this here as a communication piece to myself and any reader }
add interface=bridgegym name=homeVlan vlan-id=12  { mandatory, management vlan must be identified in /interface vlan }
add interface=bridgegym name=mediaVlan vlan-id=40   { optional, I put this here as a communication piece to myself and any reader }
/interface list
add name=management
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-Ce country=canada disabled=no frequency=5500 \
    mode=ap-bridge name=homeWLan security-profile=home_Security skip-dfs-channels=all ssid=NoPain-NoGain wireless-protocol=\
    802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=canada disabled=no frequency=2437 mode=ap-bridge \
    name=mediaWlan rate-set=configured security-profile=media_Security skip-dfs-channels=all ssid=Media \
    supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add keepalive-frames=disabled mac-address=xx.xx.xx.xx  master-interface=mediaWlan multicast-buffering=disabled \
    name=testaccess security-profile=testprofile ssid=capacbackdoor wds-cost-range=0 wds-default-cost=0 wmm-support=\
    enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=yy.yy.yy.yy  master-interface=mediaWlan multicast-buffering=\
    disabled name=HVAC_WLAN security-profile=Cerv_key ssid=machine wds-cost-range=0 wds-default-cost=0 wmm-support=\
    enabled wps-mode=disabled
/interface bridge port
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=homeWLan pvid=12
add bridge=bridgegym ingress-filtering=yes interface=ether1
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=HVAC_WLAN pvid=49
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=mediaWlan pvid=40
/ip neighbor discovery-settings
set discover-interface-list=management
/interface bridge vlan
add bridge=bridgegym tagged=ether1,bridgegym untagged=homeWLan vlan-ids=12
add bridge=bridgegym tagged=ether1 untagged=mediaWlan vlan-ids=40
add bridge=bridgegym tagged=ether1 untagged=HVAC_WLAN vlan-ids=49
/interface list member
add interface=homeVlan list=management
add interface=emergaccess list=management
add interface=testaccess list=management
/ip address
add address=192.168.10.84/24 interface=homeVlan network=192.168.10.0  comment="IP of capac on trusted subnet"
add address=192.168.36.1/24 interface=emergaccess network=192.168.36.0 comment="ether2 access off bridge"
add address=192.168.24.1/24 interface=testaccess network=192.168.24.0  comment="vWLAN access off bridge"
/ip dns
set allow-remote-requests=yes servers=192.168.10.1 comment="dns through trusted subnet gateway"
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.10.1 comment="ensures route avail through trusted subnet gateway"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=x.x.x.x
set api disabled=yes
set winbox address=y.y.y.y/24,z.z.z.z/24,s.s.s.s/24
set api-ssl disabled=yes
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.10.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management

bpwl · Thu Jan 27, 2022 12:20 pm

We both know the problems with the mysterious "Quickset" and avoid using it.
But some prefer it, even if it works like dark (undocumented) magic.

This requirement for a simple network-connected AP is so common here that I tried to find the Quickset equivalent setup.

And yes, the ("WISP AP" mode=bridge ) comes very close to this setup.
All interfaces to bridge, no DHCP server, IP address and optional DHCP client, WLAN setup.
Only a second WLAN interface will have to be done manually.

(It is not perfect, one remaining DHCP Lease was still there, but other things have been cleaned up).

anav · Thu Jan 27, 2022 2:17 pm

concur bpwl, wisp mode is what I haved used on capacs successfully.

shurik3 · Wed Feb 02, 2022 9:34 pm

concur bpwl, wisp mode is what I haved used on capacs successfully.

Hi guys!

thank you for the "collection".

/interface bridge
add ingress-filtering=no name=bridgegym vlan-filtering=yes

since clean newer ROS ingress-filtering=yes by default, also VLANs and Ports... does it matter?

anav · Wed Feb 02, 2022 10:20 pm

concur bpwl, wisp mode is what I haved used on capacs successfully.
Hi guys!

thank you for the "collection".

/interface bridge
add ingress-filtering=no name=bridgegym vlan-filtering=yes

since clean newer ROS ingress-filtering=yes by default, also VLANs and Ports... does it matter?

I am not sure what you are referring to but NO, I do not apply any other filtering on the bridge other then selecting vlan-fitering=yes.
I apply ingress filtering and frame-types-allowed= ON BRIDGE PORT SETTINGS.

shurik3 · Thu Feb 03, 2022 12:15 am

Hi guys!

thank you for the "collection".

/interface bridge
add ingress-filtering=no name=bridgegym vlan-filtering=yes

since clean newer ROS ingress-filtering=yes by default, also VLANs and Ports... does it matter?
I am not sure what you are referring to but NO, I do not apply any other filtering on the bridge other then selecting vlan-fitering=yes.
I apply ingress filtering and frame-types-allowed= ON BRIDGE PORT SETTINGS.

Hmm, is there a reason not to enable ingress filtering on the bridge itself?

anav · Thu Feb 03, 2022 12:30 am

I am not sure what you are referring to but NO, I do not apply any other filtering on the bridge other then selecting vlan-fitering=yes.
I apply ingress filtering and frame-types-allowed= ON BRIDGE PORT SETTINGS.
Hmm, is there a reason not to enable ingress filtering on the bridge itself?

I am not knowledgeable enough to comment, and thus since I dont know its effects, I avoid it.

anav · Thu Mar 17, 2022 11:59 pm

@bpwl For a wireless wire type connection between two switches, I am presuming there is not much different on the
mechanics of the configuration in terms of passing VLANS and trusted subnet etc................ but I wonder what mode and submodes.......

Its not one flat network being passed but lets say X number of vlans and possiby VOIP traffic to make it interesting.
MODE QUICKSET:
---> ptp CPE at one device (connected to main router) and ptp AP at the other switch
OR
---> Wisp AP at both.

Since i have no clue on the difference between Station Mode and AP mode, its not clear how to proceed.

Bridge Mode = Access Point Wifi that will only associate with one client.
Station Mode = Client Wifi that will only associate with any acceptable AP

WDS Slave Mode = Access Point Wifi like AP bridge, scans for same SSID on clients and uses WDS link.
Station WDS = Same as Station but creates proprietary WDS link to AP

WIFI WIRELESS MODES:
1. bridge at switch1 & station at switch 2 (limits connectivity to one client for the AP - hopefully via SSID?)
OR
2. WDS Slave at switch 1 & Station WDS at switch2

++++++++++++++++++++++++++++++++++++

ignoring Station Bridge (mode) as its not understood and hopefully not needed.

bpwl · Fri Mar 18, 2022 1:24 am

@anav .... it remains confusing , and it (Quickset) is not documented. And the naming doesn't help either: Is WISP AP the AP used by a Wireless ISP provider for distribution to WISP CPE devices? No it's not. It's a Home AP with more options. And actually the "WISP AP -bridge mode" is the 'dumb AP' implementation so many need in their local network (just a ethernet-wireless transparant bridge).
So I do not reverse engineer all those Quicksets to find out what is really in there. And I don't grasp the naming convention anyway.

As RouterOS is like a Lego set of blocks, I prefer to play with the blocks, not with some pre-assembled glued sets (Quickset).

For me there are 2 worlds in MT for multi AP networks with wifi links. The WDS setup (like with other brands), and the MT proprietary bridge extension (which I do find superior to WDS, in ease of use and performance, actually my main reason to stick with MT.) I do transfer a multivlan network over multiple wifi links with just "AP bridge" , "ROS bridge" and "Station bridge" as building blocks.

I do avoid WDS as it does not support aggregation (confirmed in a MUM presentation by MT) and the WDS MAC table seems to be a separate setup with unclear master/slave nodes (only used it on others brands with the master eventually ending up on the weakest link). It does have it's value in a WDS/mesh setup. But I hate the "ptp link" and "local wifi" combination in the same radio.

So my focus is on "AP bridge" , and "station bridge" wifi settings, with "Bridge" mode the licence-3 level limited AP-bridge. Using nv2 or 802.11 SSID as connection is an extra option for the wifi link that is transparent to the bridge network design. Some radio's are setup as ptp (ptmp) links, other radio's (even on other MT devices) serve the wifi to local clients. The requirements for ptp and local are very different.

"AP-bridge"/"Bridge" , "Station bridge" and "ROS bridge" just form a L2 network that transports VLANs as needed even in VLAN unaware modus. Broadcast/multicast and inter-wifi-device chatty conversations can be mitigated. Using "station", or setting the bridge function to disabled at the AP, is breaking this L2 transparent network. (Maybe on purpose towards end-user devices)

Quickset is using mode "station" and routing even masquerading and firewalling too often to be a great pool of interesting starting points for this setup.

So combining 2 switches with a wifi link: use "AP bridge" (or "bridge" for a licence level 3) mode on one side , and use "Station bridge" on the other side of the wifi link.
The chain is : 'switch' - ether - ROS bridge -WLAN "AP bridge" - WLAN "station bridge" - ROS bridge - ether - 'switch2'.

More options are possible with "repeater setup" or WDS settings but will cost in performance.

EASY SWITCH or AP/SWITCH SETUP ( ANY RoS Device)

EASY SWITCH or AP/SWITCH SETUP ( ANY RoS Device)

Re: EASY SWITCH or AP/SWITCH SETUP ( NOT ROUTER) )

Re: EASY SWITCH or AP/SWITCH SETUP ( NOT ROUTER) )

Re: EASY SWITCH or AP/SWITCH SETUP ( NOT ROUTER) )

Re: EASY SWITCH or AP/SWITCH SETUP ( NOT ROUTER) )

Re: EASY SWITCH or AP/SWITCH SETUP ( NOT ROUTER) )

Re: EASY SWITCH or AP/SWITCH SETUP ( NOT ROUTER) )

Re: EASY SWITCH or AP/SWITCH SETUP ( NOT ROUTER) )

Re: EASY SWITCH or AP/SWITCH SETUP ( ANY RoS Device)

Who is online