gerni1970

Open SSID gets wrong VLAN

Mon Mar 13, 2023 9:42 am

Hi
I run a hAPax2 with basically 4 SSIDs: IoT, Guest and 2 Client WLANs. The AP gets its management IP via DHCP on VLAN1 (untagged); the Client WLANs are also on VLAN1.
Now the strange thing: when the Guest SSID is unencrypted it gets an IP address in VLAN1 and is able to access the AP via Winbox. When it is encrypted it lands on VLAN10 and works as expected.
On my Client SSID I'm not able to access the AP via Winbox or SSH, or even ping it. As soon as I connect to an open SSID I get access to the Client VLAN and the AP.
Here my configuration:

# mar/13/2023 08:41:19 by RouterOS 7.8
# NOTE(review): the software id and serial number below identify this specific unit;
# the reposts later in this thread redact them before public viewing.
# software id = F7Y9-BEGS
#
# model = C52iG-5HaxD2HaxD
# serial number = HE308H06726
# The bridge is created without vlan-filtering=yes (the default is no), so the
# /interface bridge vlan table further down is not enforced on this bridge.
/interface bridge
add admin-mac=48:A9:8A:53:14:11 auto-mac=no name=bridge priority=0xA000
/interface vlan
add interface=bridge name=Guest vlan-id=10
add interface=bridge name=IoT vlan-id=66
# VLAN 1 is also the untagged VLAN the management address is obtained on (see the
# dhcp-client on the bridge below).
add interface=bridge name=vlan1 vlan-id=1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 datapath
add bridge=bridge disabled=no interface-list=all name=VLAN1 vlan-id=1
add bridge=bridge disabled=no name=IoT vlan-id=66
add bridge=bridge disabled=no name=Guest vlan-id=10
/interface wifiwave2
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.country=Austria .mode=ap .ssid=gerniap \
    datapath=VLAN1 datapath.bridge=bridge .vlan-id=1 disabled=no name=gerniap_2GHz security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.country=Austria .mode=ap .ssid=\
    gerniap datapath=VLAN1 datapath.bridge=bridge .vlan-id=1 disabled=no name=gerniap_5GHz security.authentication-types=wpa2-psk,wpa3-psk
# OPEN: no authentication and no encryption, and .vlan-id=1 puts every client of this
# SSID on the same VLAN as the AP's management address (dhcp-client on the bridge,
# untagged VLAN 1). That is why an open-SSID client can reach Winbox, as the first post
# describes. NOTE(review): this is the only virtual interface without disabled=no, so it
# may currently be disabled -- confirm on the device.
add configuration.mode=ap .ssid=OPEN datapath.bridge=bridge .vlan-id=1 mac-address=4A:A9:8A:53:14:19 master-interface=gerniap_5GHz name=OPEN \
    security.authentication-types="" .encryption=""
# The WPA passphrase is stored in the interface comment, so it appears in every export
# (including this one); keep secrets out of comments. No security.* values are set on
# this interface -- what it actually offers to clients is not visible here; confirm.
add comment="WLAN_Password: 1234ABCD" configuration.mode=ap .ssid=WRT-Guest datapath.bridge=bridge .vlan-id=10 disabled=no mac-address=\
    4A:A9:8A:53:14:15 master-interface=gerniap_5GHz name=WRT-Guest
# NOTE(review): wpa2-psk together with an empty .encryption set looks contradictory;
# confirm what this interface actually negotiates.
add configuration.mode=ap .ssid=WRT-IoT datapath=IoT datapath.bridge=bridge .vlan-id=66 disabled=no mac-address=4A:A9:8A:53:14:16 master-interface=\
    gerniap_2GHz name=WRT-IoT-2GHz security.authentication-types=wpa2-psk .encryption=""
add configuration.mode=ap .ssid=WRT-WLAN datapath=VLAN1 disabled=no mac-address=4A:A9:8A:53:14:18 master-interface=gerniap_2GHz name=WRT-WLAN-2Ghz \
    security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=WRT-WLAN datapath=VLAN1 datapath.bridge=bridge .vlan-id=1 disabled=no mac-address=4A:A9:8A:53:14:17 master-interface=\
    gerniap_5GHz name=WRT-WLAN-5GHz security.authentication-types=wpa2-psk,wpa3-psk
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=gerniap_5GHz
add bridge=bridge comment=defconf interface=gerniap_2GHz
# ether1 is the uplink (per a later post) but is bridged like any other port, with no pvid.
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set max-neighbor-entries=15360
# Inert while vlan-filtering is off on the bridge (see /interface bridge above).
/interface bridge vlan
add bridge=bridge tagged=ether1 vlan-ids=66
add bridge=bridge tagged=bridge vlan-ids=10
add bridge=bridge untagged=bridge vlan-ids=1
/interface list member
# LAN contains only the bridge, so every bridge port -- including the OPEN SSID --
# counts as LAN for the input-chain rules and the mac-server settings below.
add comment=defconf interface=bridge list=LAN
# ether1 is the only WAN member and it is disabled, so the WAN list is effectively empty.
add comment=defconf disabled=yes interface=ether1 list=WAN
# Publishes the device's public address to MikroTik's DDNS service every 10 minutes;
# review whether that is wanted on an AP-only device.
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
# The management IP is obtained over the untagged bridge, i.e. VLAN 1 -- the VLAN the
# OPEN SSID lands on.
/ip dhcp-client
add interface=bridge
# A dhcp-server network without any /ip dhcp-server, /ip pool or /ip address in this
# export (point 7 in the reply below).
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
# The AP answers DNS queries from anything the input chain lets through -- here the
# LAN list, i.e. the whole bridge.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# Non-default rule placed first: accepts all input from 10.0.0.0/24 before the state
# checks. No address in that range is configured in this export (the sniffer filter at
# the end references 10.0.0.65, so it may be the upstream subnet); confirm it is needed.
add action=accept chain=input src-address=10.0.0.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# "LAN" is the whole bridge here, so this rule does not keep OPEN clients away from
# the router's services.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Matches nothing while the WAN list has no enabled member (see /interface list member).
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Vienna
/system ntp client
set enabled=yes
/system ntp client servers
add address=3.at.pool.ntp.org
# MAC-level management (MAC-Telnet and MAC-Winbox) is allowed on LAN, which here is
# the whole bridge including the OPEN SSID.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# NOTE(review): RoMON is enabled; it is a layer-2 management path, confirm it is
# intended and protected.
/tool romon
set enabled=yes
# Leftover troubleshooting filter (WRT-WLAN-5GHz, 10.0.0.65 -> 8.8.8.8); harmless,
# but worth clearing once the investigation is over.
/tool sniffer
set filter-dst-ip-address=8.8.8.8/32 filter-interface=WRT-WLAN-5GHz filter-operator-between-entries=and filter-src-ip-address=10.0.0.65/32
 
gerni1970

Re: Open SSID gets wrong VLAN

Mon Mar 20, 2023 9:21 am

Nobody has seen this strange behavior?
Is this such an unusual setup for a Home-AP?
Kind Regards
Gernot
 
anav

Re: Open SSID gets wrong VLAN

Mon Mar 20, 2023 4:24 pm

Strange behaviour is what is absolutely expected due to the admin's STRANGE configuration. The router is just following commands. :-0
Where did you get the config advice from ( which link )?

1. That's because no one in their right mind assigns a vlan1 to the bridge.
2. Why are you using vlans in wifi datapath etc etc............ keep wifi for wifi settings......... way to complicated for no gain.
3. Ether1 is your WAN port but you tag it with your IOT vlan - WTF?
4. You state the AP gets its management IP. ??????????? The AP is on the router, it doesn't get a management IP???? If it was a separate AP okay......
5. You state 4 SSIDs, but do you see the problem ~~ you actually have 7 WLANS, 2 normal and 5 virtual and FIVE SSIDs

vlan1 / wifi2 / name=gerniap_2GHz / ssid=gerniap
vlan1 / wifi1 / name=gerniap_5GHz / ssid=gerniap
vlan1 / WLAN - master wifi1 / name=OPEN / ssid=OPEN
vlan 1 / WLAN - master wifi2 / name=WRT-WLAN-2Ghz / ssid=WRT-WLAN
vlan 1 / WLAN - master wifi1 / name=WRT-WLAN-5GHz / ssid=WRT-WLAN
vlan 10 / WLAN - master wifi1 / name=WRT-Guest / ssid=WRT-Guest
vlan 66 / WLAN - master wifi2 / name=WRT-IoT-2GHz / ssid=WRT-IoT


6. What is really bad is the SECURITY implications of having an OPEN wifi on the main vlan???
7. You HAVE NOT CREATED ANY SUBNETS??? (no IP pools, no DHCP server, no DHCP server networks and NO IP addresses)
8. Why is 10.0.0.0 allowed access on the input chain? Since you have no IPs defined anywhere, it makes no sense.
9. Why is your IP DHCP Client set to the BRIDGE??

FIXED EXCEPT YOU CAN DO THE 4 SUBNETS

# serial number = {REMOVED for public viewing }

# vlan-filtering=yes is the change that makes the /interface bridge vlan table below
# actually enforced; the original export left it at the default (no).
/interface bridge
add admin-mac=48:A9:8A:53:14:11 auto-mac=no name=bridge priority=0xA000 vlan-filtering=yes

/interface vlan
add interface=bridge name=Guest vlan-id=10
add interface=bridge name=IoT vlan-id=66
add interface=bridge name=vlan100 vlan-id=100
# Separate VLAN for the open SSID so its clients no longer share the management VLAN.
add interface=bridge name=Open99 vlan-id=99

/interface wifiwave2 { removed all datapath and vlan entries }

/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=100
add bridge=bridge comment=defconf interface=ether3 pvid=100
add bridge=bridge comment=defconf interface=ether4 pvid=100
add bridge=bridge comment=defconf interface=ether5 pvid=100
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add bridge=bridge comment=defconf interface=gerniap_5GHz pvid=100
add bridge=bridge comment=defconf interface=gerniap_2GHz pvid=100
# NOTE(review): pvid=99 is set here, but there is no vlan-ids=99 entry in the
# /interface bridge vlan table below, so the bridge itself (where Open99 sits) is not
# a member of VLAN 99 and OPEN clients have no path to anything -- presumably an entry
# such as "add bridge=bridge tagged=bridge untagged=OPEN vlan-ids=99" is missing; confirm.
add bridge=bridge interface=OPEN pvid=99
add bridge=bridge interface=WRT-WLAN-2Ghz pvid=100
# NOTE(review): the original export names this interface WRT-WLAN-5GHz (capital H);
# interface names are case-sensitive, so this line and the vlan entry below probably
# do not match the existing interface.
add bridge=bridge interface=WRT-WLAN-5Ghz pvid=100
add bridge=bridge interface=WRT-Guest pvid=10
add bridge=bridge interface=WRT-IoT-2GHz pvid=66


/interface bridge vlan
add bridge=bridge tagged=bridge untagged=WRT-IoT-2GHz vlan-ids=66
add bridge=bridge tagged=bridge untagged=WRT-Guest vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,ether5,gerniap_5GHz,gerniap_2GHz,WRT-WLAN-2Ghz,WRT-WLAN-5Ghz vlan-ids=100
# NOTE(review): ether1 appears in neither the bridge ports nor this VLAN table, so as
# written none of these VLANs leave the device on the uplink.


/interface list member
add interface=Guest list=LAN
add interface=IoT list=LAN
add interface=vlan100 list=LAN
# Open99 is placed in LAN, so the open SSID still passes the default "drop all not
# coming from LAN" input rule and the MAC-Winbox allow list below. Keep it out of LAN
# (or use a separate list) if open clients should not be able to manage the device.
add interface=Open99 list=LAN

add comment=defconf disabled=yes interface=ether1 list=WAN

# MAC-Telnet disabled entirely.
/tool mac-server
set allowed-interface-list=NONE { mac-server by itself is not a secure access method }

/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by anav on Mon Mar 20, 2023 4:48 pm, edited 1 time in total.
 
rextended

Re: Open SSID gets wrong VLAN

Mon Mar 20, 2023 4:31 pm

@anav... vlan VID 1 (also 0 and 4095) is for you (and also for me) like ChatGPT for someone... :lol:

A good habit is to use only VIDs from 10 to 990.
 
gerni1970

Re: Open SSID gets wrong VLAN

Tue Mar 21, 2023 9:51 am

Hey Thank you for your explanations.
I use it as an AP only and therefore I don't need any DHCP pools or IP addresses. Interface Eth1 is the uplink. The other interfaces are not connected.
I want to use the open SSID for guest access. I think I have to use the CLI for configuration more often than WinBox.

Kind Regards
Gernot
 
anav

Re: Open SSID gets wrong VLAN

Tue Mar 21, 2023 2:23 pm

Nice of you to mention that now LOL, but now that I read it you did say homeAP................
It's still a completely hosed setup.

As I said get rid of datapath and vlans in wifi, keep wifi to wifi settings!!, and you only define the management vlan!

FINALLY WHAT IS THE MANAGEMENT VLAN or subnet ??? Where does the router get its IP from??

Another issue: why are you feeding a HYBRID PORT to the MT AP/switch?
Normally any sane person uses all tagged vlans and a trunk port out and a trunk port in, between two smart devices. ????
 
anav

Re: Open SSID gets wrong VLAN

Tue Mar 21, 2023 2:40 pm

NO FIREWALL RULES REQUIRED. Going to assume you get an IP address on 192.168.8.0/24 and will fix it to 192.168.88.2.
It would appear that the above device is not getting fed from a trunk port

# software id = F7Y9-BEGS
#
# model = C52iG-5HaxD2HaxD
# serial number = {removed for security reasons}
/interface bridge
add admin-mac=48:A9:8A:53:14:11 auto-mac=no name=bridge priority=0xA000 vlan-filtering=yes
/interface vlan
# VLAN 99 is the management VLAN: the AP's own address (/ip address below) lives on it.
add interface=bridge name=BaseVLAN vlan-id=99 { we assign a vlan to the incoming untagged data for config purposes }
/interface list
add comment=defconf name=BASE
/interface wifiwave2 (removed datapath and vlan entries)
/interface bridge port
# Uplink: untagged frames from upstream become VLAN 99; VLANs 10 and 66 are expected
# to arrive tagged (see the bridge vlan table below).
add bridge=bridge interface=ether1 pvid=99 {hybrid port}
add bridge=bridge comment=defconf interface=ether2 pvid=99
add bridge=bridge comment=defconf interface=ether3 pvid=99
add bridge=bridge comment=defconf interface=ether4 pvid=99
add bridge=bridge comment=defconf interface=ether5 pvid=99
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add bridge=bridge comment=defconf interface=gerniap_5GHz pvid=99
add bridge=bridge comment=defconf interface=gerniap_2GHz pvid=99
# NOTE(review): unlike the earlier draft (Open99), the open SSID is placed on VLAN 99
# here -- the same VLAN as the AP's management address and the BASE list that neighbor
# discovery and MAC-Winbox are allowed on. Open clients can therefore reach the AP's
# management services, which is the situation the first post describes and point 6
# above objects to. Give OPEN its own VLAN tagged on ether1, as is done for WRT-Guest
# and WRT-IoT-2GHz, and keep that VLAN out of BASE.
add bridge=bridge interface=OPEN pvid=99
add bridge=bridge interface=WRT-WLAN-2Ghz pvid=99
# NOTE(review): the original export names this interface WRT-WLAN-5GHz (capital H);
# interface names are case-sensitive, so this line and the vlan entry below may not
# match the existing interface.
add bridge=bridge interface=WRT-WLAN-5Ghz pvid=99
add bridge=bridge interface=WRT-Guest pvid=10
add bridge=bridge interface=WRT-IoT-2GHz pvid=66
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
# Guest and IoT leave the AP tagged on the uplink; the upstream router/firewall must
# carry those tags and serve DHCP on them (the final post confirms DHCP comes from there).
add bridge=bridge tagged=ether1 untagged=WRT-IoT-2GHz vlan-ids=66
add bridge=bridge tagged=ether1 untagged=WRT-Guest vlan-ids=10
# Management VLAN: the bridge (CPU) is tagged so BaseVLAN receives it; OPEN is an
# untagged member here as well (see the note above).
add bridge=bridge tagged=bridge untagged=ether1,ether2,ether3,ether4,ether5,gerniap_5GHz,gerniap_2GHz,WRT-WLAN-2Ghz,WRT-WLAN-5Ghz,OPEN vlan-ids=99
/interface list member
add comment=defconf interface=BaseVLAN list=BASE
/ip address
# NOTE(review): the /ip address parameter is "address=" and normally carries a prefix
# length (e.g. address=192.168.88.2/24); as written this line will likely be rejected on
# import. The post above says 192.168.8.0/24 while this uses 192.168.88.0 -- confirm the subnet.
add ip-address=192.168.88.2 interface=BaseVLAN network=192.168.88.0
# Still publishes the public address to MikroTik's DDNS service; review whether an
# AP-only device needs it.
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
# With no firewall rules on this device (see the post above), the AP forwards DNS
# queries for anything that can reach 192.168.88.2 on VLAN 99 -- including OPEN
# clients as configured. NOTE(review): no /ip route default gateway appears in this
# listing; cloud DDNS and NTP need one -- confirm it is set elsewhere.
/ip dns
set allow-remote-requests=yes servers=192.168.88.1
/system clock
set time-zone-name=Europe/Vienna
/system ntp client
set enabled=yes
/system ntp client servers
add address=3.at.pool.ntp.org
# MAC-Telnet disabled; MAC-Winbox limited to the BASE list (the management VLAN).
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
 
gerni1970

Re: Open SSID gets wrong VLAN

Thu Mar 23, 2023 6:32 pm

That's exactly what I want.
I will try it this weekend, when I get my private maintenance window 😀.
Many Thanks
 
gerni1970

Re: Open SSID gets wrong VLAN

Wed Mar 29, 2023 11:01 pm

HI,
I finally did clear all the config and did it from scratch like in your description.
Nevertheless, I had to add the vlan-id for the Guest WLAN and IoT WLAN in /interface/wifiwave2 for connectivity; otherwise my clients don't get an address from the DHCP server on my firewall.
Many thanks for bringing me on the way to a clearer configuration. Now I have configured a static IP address and it's reachable via WLAN and LAN.
