Pepcac
just joined
Topic Author
Posts: 4
Joined: Sat Aug 06, 2022 7:03 pm

hAP lite two wireless and VLAN

Sun Aug 07, 2022 9:18 pm

Hello world,

I've read multiple docs and YT tutorials but nothing works out for me. Latest thing I've tried was viewtopic.php?f=23&t=143620.
Reading the documentation makes me feel a little like every bit and piece of the puzzle is documented but nothing about how to put things together.

What I want to achieve: Distribute wireless and guest wireless in the house with two hAP lite (6.47. long term), one for the basement, one for the attic.
On the ground floor the router is a AVM FritzBox connected to a manageable TP-Link switch on two access ports.
I've configured two trunk ports with VLAN ID 10 for LAN and VLAN ID 20 for guest wireless.
Config was checked with tcpdump and I was able to see the traffic from both networks. So far so good.
Then I've configured eth4 as my management port so that I won't lose connection when playing around.

On eth2 I've connected to the trunk port of the switch.
Now I've added two VLAN interfaces on ether2: if-vlan10 and if-vlan20.
For testing purposes, I've enabled DHCP client on both and got an IP from the matching subnets.
So I assume VLAN config on switch side is okay.

Now I've created the wireless and the virtual AP interface.
Both are in ap-bridge mode with different security profiles and VLAN mode is set to "no tag".
The VLAN id is set to 10 on the main wireless and 20 on the virtual ap interface.

After that, I've created two bridges, one for each VLAN: br10 and br20
I've added if-vlan10 and main wireless to br10 and if-vlan20 and the virtual ap interface to br20.
Clients associate with wireless but even if bridges were tested with and without VLAN filtering, no traffic passes the bridges.

If I understand correctly, packets leaving the switch contain VLAN tags, on the wireless side these shouldn't be present since the WLAN clients are not aware of the VLANs and will be separated via SSIDs. So at which point shall the bridge (or shall not) be aware of VLANs?
From my understanding, when using VLAN interfaces, VLAN tags should no longer be present "inside" the router?
Maybe someone can shed some light on that?

BR
Pepcac
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP lite two wireless and VLAN

Mon Aug 08, 2022 2:26 am

Easy Peasy,
Ensure you are consistent with which is the management or trusted or base vlan. All your smart devices should get an IP address (usually manually set in the device) and set as static lease on the main router.

As for the mikrotik devices that you want as basic smart AP/Switches.

This will do the job nicely for you.
viewtopic.php?t=182276

However if not familiar with MT devices, I recommend putting this on the config and then switching to the off bridge port to do further configuring to avoid getting locked out.
viewtopic.php?t=181718
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: hAP lite two wireless and VLAN

Mon Aug 08, 2022 10:20 am

> Both are in ap-bridge mode with different security profiles and VLAN mode is set to "no tag".
> The VLAN id is set to 10 on the main wireless and 20 on the virtual ap interface.

If vlan-mode is set to no-tag, the vlan-id value is not used. But that's not the source of your problem, just to know for the future.

> After that, I've created two bridges, one for each VLAN: br10 and br20
> I've added if-vlan10 and main wireless to br10 and if-vlan20 and the virtual ap interface to br20.
> Clients associate with wireless but even if bridges were tested with and without VLAN filtering, no traffic passes the bridges.

The thing is that in order that the wireless clients could get an address from the DHCP server on the same Mikrotik, the DHCP server must be attached to the bridge interface, not to the VLAN interface. With your setup, the DHCP server only listens at the VLAN interface - frames from the wireless one can go through the VLAN interface towards ether2 but not "bounce back" to the DHCP server.

But I assume that in the target configuration, the DHCP servers for both networks will be on the Fritz anyway, so it should not be an issue as you will remove the ones on the Mikrotik anyway?

> If I understand correctly, packets leaving the switch contain VLAN tags, on the wireless side these shouldn't be present since the WLAN clients are not aware of the VLANs and will be separated via SSIDs. So at which point shall the bridge (or shall not) be aware of VLANs?
> From my understanding, when using VLAN interfaces, VLAN tags should no longer be present "inside" the router?
> Maybe someone can shed some light on that?

With this setup, a tagged frame ingresses via ether2, the vlan interface removes the tag, and the frame is tagless on the bridge and, subsequently, the wireless interface. But as explained above, the fact that wireless clients do not get IP addresses from the internal DHCP server is not related to tagging/untagging. And "inside the router" is not a single "place", the configuration can be really complex.


One-bridge-per-vlan is an obsolete approach; you can use a single common bridge for both VLANs. If you set vlan-filtering to no on the bridge, and make both wireless interfaces its member ports together with ether2, each wireless interface can be configured with vlan-mode=use-tag and a corresponding vlan-id. That's what these fields are intended for. The VLAN interfaces have to be attached to the bridge in this case, not to ether2, and the DHCP servers must be attached to the VLAN interfaces in this case.


Yet another approach is to set vlan-filtering=yes on the bridge and make the two wireless interfaces access ports for their respective VLANs - in this case, you configure vlan-mode=no-tag on the wireless interfaces themselves, but set the pvid on the corresponding /interface bridge port rows.
 
Pepcac
just joined
Topic Author
Posts: 4
Joined: Sat Aug 06, 2022 7:03 pm

Re: hAP lite two wireless and VLAN

Mon Aug 08, 2022 6:53 pm

Thanks for the replies but I don't get it all, yet. I don't want to copy&paste a config without understanding what's happening, so a few more lines and questions.

First of all, sorry for not being precise about DHCP. DHCP and DNS should be done by the AVM router.
hAP should only serve as an access point for two WLANs and these shall drop out to ether2 with the appropriate VLAN tags.

sindy, you wrote:
> One-bridge-per-vlan is an obsolete approach; you can use a single common bridge for both VLANs. If you set vlan-filtering to no on the bridge, and make both wireless interfaces its member ports together with ether2, each wireless interface can be configured with vlan-mode=use-tag and a corresponding vlan-id. That's what these fields are intended for. The VLAN interfaces have to be attached to the bridge in this case, not to ether2, and the DHCP servers must be attached to the VLAN interfaces in this case.

If I follow your proposal, setting up only one bridge and set wireless interfaces to "VLAN use-tag" then the VLAN tag would be present on the wireless side as well, won't it?
And you want me to create if-vlan10 on the bridge and not on eth2 but make eth2 a port member of br10?

As far as I understand a bridge interface, everything you put into one port will drop out of all other ports. So I am not telling you, that you're wrong, but for my understanding, let's play ethernet frame tagged VLAN10, leaving the switch in my current setup:

- incoming to ether2 with VLAN tag
- from ether2 to if-vlan10 interface ingress still with VLAN tag 10
- egress from if-vlan10 as br10 member port without VLAN tag into br10
- leaving br10 to wireless main without VLAN tag
- leaving wireless main

But apparently, this doesn't work. I don't see traffic "from the other side" of the bridge. Why's that?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP lite two wireless and VLAN

Mon Aug 08, 2022 8:22 pm

Sorry, I don't take an OP's word for anything (as assumptions are made and needed facts are often missing), the evidence is in the config.
Please post
/export and use fake numbers for any actual WANIP or wan gateway IP info etc.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: hAP lite two wireless and VLAN

Mon Aug 08, 2022 9:21 pm

> If I follow your proposal, setting up only one bridge and set wireless interfaces to "VLAN use-tag" then the VLAN tag would be present on the wireless side as well, won't it?

No, it won't. The tag is added as the tagless frame is received from the air and sent to the wired (well, silicon) side, and removed as the tagged frame received from the wired side is transmitted to the air. That's the role of the vlan-mode and vlan-id items.

> for my understanding, let's play ethernet frame tagged VLAN10, leaving the switch in my current setup:
>
> - incoming to ether2 with VLAN tag
> - from ether2 to if-vlan10 interface ingress still with VLAN tag 10
> - egress from if-vlan10 as br10 member port without VLAN tag into br10
> - leaving br10 to wireless main without VLAN tag
> - leaving wireless main

This is correct. The frame arrives tagged to ether2, which is the carrier port (tagged end) of the vlan interface; as the frame passes through the vlan interface, it gets untagged, so it reaches the br10 tagless, and it gets broadcast to all the other member ports of br10, which in your particular case means just the main wireless interface with vlan-mode=no-tag. What may be an issue here is STP - when no STA (wireless client) is connected to a wireless AP, the bridge port to which this AP is "connected" is considered down; once the first STA associates, the bridge port goes up, but unless it is forced to edge mode (which is not the default), STP delays forwarding through that port until a timeout for eventual reception of a BPDU frame (from another bridge) expires. And the STA may give up sending DHCPDISCOVER in the meantime, and subsequently disassociate, so the port goes down again. Hence try setting edge=yes on the /interface bridge port row representing the wireless interface.
 
Pepcac
just joined
Topic Author
Posts: 4
Joined: Sat Aug 06, 2022 7:03 pm

Re: hAP lite two wireless and VLAN

Tue Aug 09, 2022 12:33 pm

Okay... I've got it. My assumption that VLAN tags will always be visible on the wireless side was caused by this documentation I came across:
https://wiki.mikrotik.com/wiki/Manual:W ... VLAN_Trunk
But I think the difference is the wireless interface setting ap-bridge, bridge and station bridge.

Now the setup is working. Thanks for your support. :)

Unfortunately I've discovered that the hAP lite cannot be updated due to lack of disk space.
So I will return the devices even if there are workarounds and look for other models.
But these will be MikroTik again.
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: hAP lite two wireless and VLAN

Tue Aug 09, 2022 1:01 pm

> But I think the difference is the wireless interface setting ap-bridge, bridge and station bridge.

No, it's not there that you should look.


The difference is in the wireless setting VLAN mode "no tag" as is in the mentioned "Wireless VLAN trunk" documentation (then the tagged VLAN will be forwarded untouched), or in @sindy's example with VLAN mode "use tag" and VLAN id, where that VLAN id tag is filtered and stripped for wireless and is added when received over wireless.
Same thing (filtering, stripping and adding) could be done in the one and only bridge, with bridge VLAN settings. Then the wireless remains on "no tag" as all is done already in the bridge.
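
The two single-bridge variants described in this thread (vlan-mode=use-tag on a bridge with vlan-filtering=no, and access ports with pvid on a bridge with vlan-filtering=yes), written out as RouterOS v6 commands. This is an added example, not a config posted by any participant; the names wlan1 (main AP), wlan2 (virtual AP) and bridge1 are assumptions, while ether2, ether4 and the VLAN IDs come from the thread.

```routeros
# Added example. Assumed names: wlan1 = main AP, wlan2 = virtual AP, bridge1.
# ether2 is the trunk to the switch; VLAN 10 = LAN, VLAN 20 = guest (from the thread).
# Management stays on ether4, outside the bridge. DHCP/DNS come from the upstream router.
# Remove the per-VLAN bridges and the VLAN interfaces on ether2 before applying either variant.

# --- Variant A: bridge is VLAN-unaware, the wireless interfaces tag and untag ---
/interface bridge
add name=bridge1 vlan-filtering=no
/interface wireless
# use-tag: frames from the air get the tag added, frames to the air get it stripped
set wlan1 vlan-mode=use-tag vlan-id=10
set wlan2 vlan-mode=use-tag vlan-id=20
/interface bridge port
add bridge=bridge1 interface=ether2
# edge=yes: start forwarding as soon as the first client associates (no STP wait)
add bridge=bridge1 interface=wlan1 edge=yes
add bridge=bridge1 interface=wlan2 edge=yes

# --- Variant B (use INSTEAD of A): bridge does the tagging, wireless stays no-tag ---
/interface bridge
add name=bridge1 vlan-filtering=no
/interface wireless
set wlan1 vlan-mode=no-tag
set wlan2 vlan-mode=no-tag
/interface bridge port
# trunk port: accept only tagged frames that belong to a configured VLAN
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes
# access ports: untagged frames from clients are assigned to the port's pvid
add bridge=bridge1 interface=wlan1 pvid=10 edge=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=wlan2 pvid=20 edge=yes \
    frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=ether2 untagged=wlan1
add bridge=bridge1 vlan-ids=20 tagged=ether2 untagged=wlan2
# Turn filtering on last, once the VLAN table is complete
/interface bridge
set bridge1 vlan-filtering=yes
```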
 
Pepcac
just joined
Topic Author
Posts: 4
Joined: Sat Aug 06, 2022 7:03 pm

Re: hAP lite two wireless and VLAN

Tue Aug 09, 2022 2:50 pm

Okay... thanks for clarifying that.
Great support and explanations in this forum.
Many thanks to all of you... thumbs up!
