disqk
just joined
Topic Author
Posts: 2
Joined: Tue Sep 27, 2022 9:46 pm

Separate guest and iot network config, over wireless backhaul, CAPsMAN

Thu Sep 29, 2022 1:50 pm

Hi, recently set up two Audience devices with the following setup:
- Separate SSIDs on 2 and 5ghz
- wlan3 (second 5gig radio) acting as backhaul (I don't know if I set it up correctly... it was a mix of the "wps sync" button/feature and instinct)
- A separate vwlan for iot devices (smart bulbs, etc) currently bridged
- Everything is bridged, single DHCP
- On one (slave) device, physical ports are also bridged into the "LAN"
- On the master device, one physical port is used as WAN input. Other port is connected to an unmanaged switch, used by apple tv and such, so it's in the main LAN network, and not IOT. (Just having two ports is a drag though!)
- WLANs are managed by CAPsMAN (I'll attach the configs below)

What I want to do:
- IOT-only vwlan should have its own network (VLAN? just subnet?) separate ip block (and separate dhcp server) and egress should be limited (both as QoS/speed and as ACLs to destinations)
- Another, separate guest-only vwlan. Just a "copy" of the IOT setup but without the egress limits.

I tried setting up a second bridge on the main AP for the IOT, but couldn't get the second dhcp server running ("Network" tab etc. was all set up, tried multiple times, with and without capsman) it just wasn't giving out IPs. Setting a manual IP to my device worked, but I need the DHCP to work.

Another question is, if I set up VLANs for all these, how is the wlan3 mesh-link going to work? Should I just set everything up (including my main bridge) as separate VLANs, add them to a trunk bridge and route it somehow? Don't have any other RouterOS device to test things before applying them, so I don't want to get locked out or break it more than necessary and take half a day reverting it.

Attaching the configs. Export1 is the main AP, export2 is the follower AP. RouterOS 7.5. Any suggestion appreciated.
 
disqk
just joined
Topic Author
Posts: 2
Joined: Tue Sep 27, 2022 9:46 pm

Re: Separate guest and iot network config, over wireless backhaul, CAPsMAN

Fri Sep 30, 2022 12:11 pm

The solution was basically to set DHCPs on the VLANs, mostly. But use a separate bridge for "Wifi LAN + Ethernet LAN" because we want those together.

Main Audience:
- CAPsMAN, datapaths, set up your VLAN ids
- Interfaces / VLAN, add the vlans, use a single bridge "bridge"
- Set ".1" IPs to each vlan
- Set DHCP servers on the VLAN interfaces
- Add another "bridge_lan" (protocol=none) and add the LAN vlan + single ether port (the other one is for WAN) to it. Move the DHCP server to serve on that bridge instead of the LAN vlan. Move the ".1" IP from "vlan_lan" to "bridge_lan".
- Set another network/ip (89.1 and 89.2) for wlan3 in both interfaces (not sure if needed but doesn't seem to hurt)
- Bridge / VLANs, don't need to use it (I have it in my configs, but disabled)

"Follower" (ooh new term from cloud infra) Audience:
- Add the VLANs to Interfaces / VLAN again, use the correct tag IDs again, single bridge.
- "bridge_lan" setup (again with protocol=none, not sure if it matters) to bridge the LAN vlan + both ethernet ports.
- Use same bridge names so that CAPsMAN can set the wlans correctly. Use the same VLAN names for convenience.
- Set IP on the vlans + bridge_lan to your liking, not every single one has to have one I think. Set IP (89.2) for wlan3

Some resources:
https://wiki.mikrotik.com/wiki/Manual:W ... VLAN_Trunk (it's not very clear what the interfaces represent)
https://www.youtube.com/watch?v=v2_4MXiIapA

Hope this helps someone :)
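The steps in the reply above, written out as a RouterOS 7 CLI script. This is an added example, not the poster's exported config (the attachments are not viewable): VLAN ids 10/20/30, the 192.168.x.0/24 subnets, the pool ranges, ether2 as the LAN port on the main unit and the firewall and queue settings are all assumptions. The backhaul membership of wlan3 in the bridge is left as the poster had it and is not shown. The filter rules add the part the original question asked for but the reply did not spell out: IoT and guest clients get internet only, cannot reach private ranges or each other, and the IoT subnet is rate-limited.

```routeros
# Added example (not the poster's export). VLAN ids, subnets, pool ranges and
# the ether2-as-LAN choice are assumptions; adjust to your own plan.

# --- Main Audience ---------------------------------------------------------
/interface bridge
add name=bridge comment="trunk: tagged frames from the CAPs land here"
add name=bridge_lan protocol-mode=none comment="Wi-Fi LAN + Ethernet LAN"

/interface vlan
add name=vlan_lan vlan-id=10 interface=bridge
add name=vlan_iot vlan-id=20 interface=bridge
add name=vlan_guest vlan-id=30 interface=bridge

# LAN VLAN and the spare ether port share one L2 segment
/interface bridge port
add bridge=bridge_lan interface=vlan_lan
add bridge=bridge_lan interface=ether2

# CAPsMAN datapaths: each SSID is tagged with its VLAN on the trunk bridge;
# IoT and guest clients are also kept from talking to each other at the AP
/caps-man datapath
add name=dp_lan bridge=bridge vlan-mode=use-tag vlan-id=10
add name=dp_iot bridge=bridge vlan-mode=use-tag vlan-id=20 client-to-client-forwarding=no
add name=dp_guest bridge=bridge vlan-mode=use-tag vlan-id=30 client-to-client-forwarding=no

# ".1" gateway per network; the LAN gateway lives on bridge_lan, not vlan_lan
/ip address
add address=192.168.10.1/24 interface=bridge_lan
add address=192.168.20.1/24 interface=vlan_iot
add address=192.168.30.1/24 interface=vlan_guest
add address=192.168.89.1/30 interface=wlan3 comment="backhaul link"

/ip pool
add name=pool_lan ranges=192.168.10.100-192.168.10.199
add name=pool_iot ranges=192.168.20.100-192.168.20.199
add name=pool_guest ranges=192.168.30.100-192.168.30.199

# One DHCP server per segment; the LAN one is bound to bridge_lan
/ip dhcp-server
add name=dhcp_lan interface=bridge_lan address-pool=pool_lan
add name=dhcp_iot interface=vlan_iot address-pool=pool_iot
add name=dhcp_guest interface=vlan_guest address-pool=pool_guest

/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1

# Egress ACL: IoT and guest may reach the internet but no private ranges.
# These must sit above the default "fasttrack / accept established" rules,
# otherwise already-established flows skip them.
/ip firewall address-list
add list=private address=10.0.0.0/8
add list=private address=172.16.0.0/12
add list=private address=192.168.0.0/16

/ip firewall filter
add chain=forward action=drop in-interface=vlan_iot dst-address-list=private \
    comment="IoT: no lateral access to other networks"
add chain=forward action=drop in-interface=vlan_guest dst-address-list=private \
    comment="Guest: no lateral access to other networks"
# Router services reachable from the IoT segment: DHCP and DNS only
add chain=input action=accept in-interface=vlan_iot protocol=udp dst-port=53,67
add chain=input action=accept in-interface=vlan_iot protocol=tcp dst-port=53
add chain=input action=drop in-interface=vlan_iot comment="IoT: nothing else to the router"

# QoS: cap the whole IoT subnet (upload/download)
/queue simple
add name=iot_cap target=192.168.20.0/24 max-limit=5M/5M

# --- Follower Audience -----------------------------------------------------
# Same bridge and VLAN names so the CAPsMAN datapaths resolve on both units.
/interface bridge
add name=bridge
add name=bridge_lan protocol-mode=none
/interface vlan
add name=vlan_lan vlan-id=10 interface=bridge
add name=vlan_iot vlan-id=20 interface=bridge
add name=vlan_guest vlan-id=30 interface=bridge
/interface bridge port
add bridge=bridge_lan interface=vlan_lan
add bridge=bridge_lan interface=ether1
add bridge=bridge_lan interface=ether2
/ip address
add address=192.168.89.2/30 interface=wlan3 comment="backhaul link"
```

After pasting, run `/ip firewall filter print` and, if the default fasttrack and "accept established" rules come first, move the two drop rules above them with `/ip firewall filter move`; a quick check from an IoT client is that it gets a 192.168.20.x lease, resolves names, reaches the internet, and times out against 192.168.10.1. Paste the firewall part last and from a LAN-side session, so a mistake in the VLAN or DHCP part cannot lock you out of the router.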
