Community discussions

sogware
just joined
Topic Author
Posts: 3
Joined: Thu Dec 22, 2022 10:53 pm

Chained VLAN

Fri Dec 23, 2022 12:03 am

Hello all,

I've done some simple RouterOS configurations until now, but the following is a little above my head.
[Image: network diagram of the setup described below]

I need to provide internet access to a third person who has his own hardware (Generic AP in the picture). I have an hAP AC2 connected to the internet via a bridged modem.
Because of physical limitations I need to connect the third person's AP via a wAP AC2.

My (limited) knowledge tells me this should be possible, but VLANs always make me confused.
I couldn't find a setup like this in the forum or on the internet, so any help on how to tackle this problem is really appreciated!

Thanks in advance!

Paul
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Chained VLAN

Fri Dec 23, 2022 4:41 pm

Post your hAP ac2 and wAP ac2 settings:
/export file=anynameyouwish ( minus MT serial numbers and any public WAN IP information )
 
sogware
just joined
Topic Author
Posts: 3
Joined: Thu Dec 22, 2022 10:53 pm

Re: Chained VLAN

Tue Dec 27, 2022 11:39 am

Hi Anav,

Sorry for the late reply (something to do with Christmas and stuff).

This is my config for the hAP AC2:
# dec/27/2022 10:16:33 by RouterOS 7.6
# software id = CZPL-D6U6
#
# model = RBD52G-5HacD2HnD
# serial number = BEEB0B3D88E9
/interface bridge
add admin-mac=C4:AD:34:20:DF:9B auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=SSID-10 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=SSID-10 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.100-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.3 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=HTTPS dst-address=204.168.X.X \
    dst-port=443 protocol=tcp to-addresses=192.168.88.2
add action=dst-nat chain=dstnat comment=SSH dst-address=204.168.X.X \
    dst-port=22 protocol=tcp to-addresses=192.168.88.2 to-ports=22
add action=masquerade chain=srcnat comment=Hairpin dst-address=192.168.88.2 \
    out-interface=bridge protocol=tcp src-address=192.168.88.0/24
/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=*9 pref-src="" \
    routing-table="VPN Indica" scope=30 suppress-hw-offload=no target-scope=\
    10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/system clock
set time-zone-name=Europe/Amsterdam
It is pretty default stuff with some port forwarding.
The wAP AC2 is in factory reset state at the moment.

I think I need to create VLAN 10 & 20, make port 5 on the hAP ac2 and port 1 on the wAP ac2 a trunk for [10,20], and make port 2 on the wAP ac2 an access port for VLAN 20. Then add a DHCP server and pool on VLAN 20... Please guide me in the right direction! ;-)

Thanks in advance!
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Chained VLAN

Tue Dec 27, 2022 8:54 pm

# model = RBD52G-5HacD2HnD
/interface bridge
add admin-mac=C4:AD:34:20:DF:9B auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=SSID-10 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=SSID-10 wireless-protocol=802.11
/interface vlan
add interface=bridge name=VLAN10 vlan-id=10
add interface=bridge name=VLAN20 vlan-id=20

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.100-192.168.88.254
add name=guest-dhcp ranges=192.168.28.100-192.168.28.254
/ip dhcp-server
add address-pool=default-dhcp interface=VLAN10 name=home
add address-pool=guest-dhcp interface=VLAN20 name=guest
/interface bridge port
# access ports: untagged ingress gets pvid 10; ether5 is the trunk to the wAP ac2 and only accepts tagged frames
# (frame-types takes admit-all, admit-only-untagged-and-priority-tagged or admit-only-vlan-tagged)
add bridge=bridge comment=defconf interface=ether2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10
add bridge=bridge comment=defconf interface=ether3 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10
add bridge=bridge comment=defconf interface=ether4 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10
add bridge=bridge comment=defconf interface=ether5 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge comment=defconf interface=wlan1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10
add bridge=bridge comment=defconf interface=wlan2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 vlan-ids=20
# every port with pvid=10 is listed as an untagged member (ether4 included)
add bridge=bridge tagged=bridge,ether5 untagged=ether2,ether3,ether4,wlan1,wlan2 vlan-ids=10

/interface list member
add interface=VLAN10 list=LAN
add interface=VLAN20 list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=VLAN10 network=\
192.168.88.0
add address=192.168.28.1/24 comment=defconf interface=VLAN20 network=\
192.168.28.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.3 gateway=\
192.168.88.1
add address=192.168.28.0/24 comment=defconf dns-server=192.168.28.1 gateway=\
192.168.28.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="accept all LAN traffic" in-interface-list=LAN
add action=drop chain=input comment="drop all else"

add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="internet traffic"
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=HTTPS dst-address=204.168.X.X \
dst-port=443 protocol=tcp to-addresses=192.168.88.2
add action=dst-nat chain=dstnat comment=SSH dst-address=204.168.X.X \
dst-port=22 protocol=tcp to-addresses=192.168.88.2 to-ports=22
# hairpin: the 192.168.88.1 address now lives on VLAN10, so routed traffic to 192.168.88.2 leaves via VLAN10, not the bare bridge
add action=masquerade chain=srcnat comment=Hairpin dst-address=192.168.88.2 \
out-interface=VLAN10 protocol=tcp src-address=192.168.88.0/24


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

WAPAC2

/interface bridge
add ingress-filtering=no name=bridge-wap
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Incoming
set [ find default-name=ether2 ] name=ether2-Toguest
/interface vlan
add interface=bridge-wap name=HOME vlan-id=10

/interface list
add name=management
/interface wireless
# assuming wlan1 and wlan2 on the wAP ac2 also serve VLAN 10 (home SSID)
/interface bridge port
add bridge=bridge-wap interface=ether1-Incoming ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge-wap interface=ether2-Toguest ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge-wap interface=wlan1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10
add bridge=bridge-wap interface=wlan2 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged pvid=10
/interface bridge vlan
add bridge=bridge-wap tagged=bridge-wap,ether1-Incoming,ether2-Toguest vlan-ids=20
add bridge=bridge-wap tagged=bridge-wap,ether1-Incoming untagged=wlan1,wlan2 vlan-ids=10

/ip neighbor discovery-settings
set discover-interface-list=management
/interface list member
add interface=HOME list=management
/ip address
# IP of the wAP ac2 on the home subnet
add address=192.168.88.XX/24 interface=HOME network=192.168.88.0
/ip dns
# DNS through the trusted subnet's DNS server
set allow-remote-requests=yes servers=192.168.88.3
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.88.1 comment="ensures route avail through trusted subnet gateway"
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management
++++++++++++++++++++++++++++++++++++++++

After each config is entered, go back to the bridge entry and set vlan-filtering=yes.
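Added example, not part of anav's post or of either device's export: the configuration above puts VLAN20 in the LAN list, and the "accept all LAN traffic" input rule then lets guest clients reach the router's own services (Winbox, SSH, www), while the "port forwarding" accept lets a guest reach 192.168.88.2 through the public-IP dst-nat rules. The snippet below tightens both, and changes the wAP's ether2 into an untagged access port for an AP that cannot handle 802.1Q tags. Names assumed from the posts: bridge "bridge", VLAN10, VLAN20, the WAN/LAN lists and rule comments on the hAP ac2; "bridge-wap", ether1-Incoming and ether2-Toguest on the wAP ac2. The interface list "GUEST" is a name chosen here.

```routeros
# Added example: guest-VLAN hardening layered on the posted configuration.
# Assumed names: bridge, VLAN10, VLAN20, WAN, LAN and the rule comments on the
# hAP ac2; bridge-wap, ether1-Incoming, ether2-Toguest on the wAP ac2.
# "GUEST" is a list name chosen for this example. The guest AP is assumed
# to neither send nor accept 802.1Q-tagged frames.

# ---- hAP ac2 ----
# Move VLAN20 out of the LAN list so "accept all LAN traffic" no longer
# applies to guests.
/interface list
add name=GUEST
/interface list member
remove [ find interface=VLAN20 list=LAN ]
add interface=VLAN20 list=GUEST

# Guests may use the router only for DHCP and DNS; anything else aimed at
# the router is dropped. Each rule is placed ahead of the LAN accept rule.
/ip firewall filter
add chain=input action=accept in-interface-list=GUEST protocol=udp dst-port=67 \
    comment="guest: DHCP" place-before=[ find chain=input comment="accept all LAN traffic" ]
add chain=input action=accept in-interface-list=GUEST protocol=udp dst-port=53 \
    comment="guest: DNS udp" place-before=[ find chain=input comment="accept all LAN traffic" ]
add chain=input action=accept in-interface-list=GUEST protocol=tcp dst-port=53 \
    comment="guest: DNS tcp" place-before=[ find chain=input comment="accept all LAN traffic" ]
add chain=input action=drop in-interface-list=GUEST \
    comment="guest: drop all else to router" place-before=[ find chain=input comment="accept all LAN traffic" ]

# Forward: guests get the internet and nothing else. The drop rule sits
# ahead of "port forwarding", so a guest connecting to the public IP is not
# dst-natted through to 192.168.88.2.
add chain=forward action=accept in-interface-list=GUEST out-interface-list=WAN \
    comment="guest: internet" place-before=[ find chain=forward comment="port forwarding" ]
add chain=forward action=drop in-interface-list=GUEST out-interface-list=!WAN \
    comment="guest: no other subnets" place-before=[ find chain=forward comment="port forwarding" ]

# ---- wAP ac2 ----
# Present VLAN 20 untagged on the guest port; the bridge itself has no
# address in VLAN 20, so it need not be a tagged member.
/interface bridge port
set [ find interface=ether2-Toguest ] ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged pvid=20
/interface bridge vlan
set [ find vlan-ids=20 ] tagged=ether1-Incoming untagged=ether2-Toguest

# ---- checks on both devices after vlan-filtering=yes ----
/interface bridge vlan print
/interface bridge port print
/ip firewall filter print where chain=input
```

In the checks, every access port should appear as an untagged member of exactly its pvid VLAN and each trunk as a tagged member of every VLAN it carries; on the hAP ac2 the four "guest:" input rules must print above "accept all LAN traffic", otherwise the broader rule wins and the guest restriction does nothing.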
 
sogware
just joined
Topic Author
Posts: 3
Joined: Thu Dec 22, 2022 10:53 pm

Re: Chained VLAN

Wed Dec 28, 2022 12:29 pm

Thank you so much!
I will try it this evening...