msivak
just joined
Topic Author
Posts: 1
Joined: Thu May 16, 2019 3:52 pm

CRS - AP with multiple VLANs

Fri May 17, 2019 11:04 pm

Hi everybody. I know this is a common theme, but I just can't find any answer to what I am doing wrong.

I am using CRS328 as a router connected to a remote cAPac access point. The idea is to have two VLANs: 10 - trusted network (wifi, all ethernet ports, access to internet and management) and 66 - untrusted (wifi, just internet, but no access to home network or management). CRS328 should be the router, dhcp and DNS server for all networks and vlans.

The setup is pretty simple:

- CRS328 uses one SFP port as uplink, ether1-23 are trusted network ports (pvid=10) and ether24 is trunked port leading to wifi (both vlans - 10 and 66)
- cAPac uses ether1 as uplink in bridge mode and has couple of physical and virtual SSIDs defined with use-tag and the proper vlan-id.
Inet -- sfp1plus -- CRS328's bridge1 -- ether24 [tagged 10, 66] ---- cAPac's ether1 -- bridge1 -- virtual APs [vlans 10 and 66]
                                     -- ether1..23 [untagged 10, pvid=10] -- home network

Now my issues:

- The configuration I have has one dhcp server too many (I would prefer just two - home for ether vlan 10 and guest for vlan 66). But devices on home wifi won't get IP unless I keep it like this
- Devices on guest wifi (vlan 66) do not get any IP and are not able to talk to the CRS328 even when static ip is used (I did not see anything using Torch either)

I haven't yet enabled vlan-filtering or disabled inter-vlan routing, because I want to solve this basic issue first.

I did try to follow the following howtos:
https://wiki.mikrotik.com/wiki/Manual:C ... ed_VLANs_2
https://wiki.mikrotik.com/wiki/Manual:I ... s_Ports.29

Thanks anybody who has any idea how to configure this properly as I am rather new to Mikrotik.
 
sindy
Forum Guru
Posts: 3473
Joined: Mon Dec 04, 2017 9:19 pm

Re: CRS - AP with multiple VLANs

Sun May 19, 2019 9:44 pm

The name vlan-filtering is a bit confusing. Actually, with the default setting vlan-filtering=no on the bridge, not only is the whole section /interface bridge vlan ignored, but also the pvid settings in /interface bridge port are ignored, because the VLAN tag processing in the bridge software is off. So tagless ingress frames stay tagless, and tagged ones stay tagged (unless you'd set up some VLAN ID manipulation on the switch chip, using the /interface ethernet switch configuration sub-tree). Which means that currently the hosts connected to ether1-ether23 get address assignment from the dhcp server attached to interface=bridge rather than from the dhcp server attached to interface=vlanhome.

To debug the config, start by setting hw=no in all rows in /interface bridge port on the CRS, to make sure that the switch chip doesn't interfere in any way.

Then, run /tool sniffer quick interface=ether24 at the CRS, and /tool sniffer quick interface=ether1 on the cAP AC, to see whether tagged frames with VLAN ID 1000 (or 66, I don't know which one is correct given the difference between the configuration exports and the OP text) carrying the DHCPDISCOVER packets from the guest WLAN clients are being sent out the ether1 of the cAP ac and whether they arrive at ether24 of the CRS still tagged.

Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
sindy
Forum Guru
Posts: 3473
Joined: Mon Dec 04, 2017 9:19 pm

Re: CRS - AP with multiple VLANs

Sun May 19, 2019 10:13 pm

Also, what is the idea behind the following settings on the cAP ac?
/interface bridge filter
add action=drop chain=forward in-interface=wlan-guest-5
add action=drop chain=forward out-interface=wlan-guest-5
add action=drop chain=forward in-interface=wlan-guest-24
add action=drop chain=forward out-interface=wlan-guest-24


I would understand if it looked as follows:
/interface bridge filter
add action=drop chain=forward in-interface=wlan-guest-5 out-interface=wlan-home-5
add action=drop chain=forward in-interface=wlan-guest-5 out-interface=wlan-home-24
add action=drop chain=forward in-interface=wlan-guest-24 out-interface=wlan-home-5
add action=drop chain=forward in-interface=wlan-guest-24 out-interface=wlan-home-24
add action=drop chain=forward in-interface=wlan-home-5 out-interface=wlan-guest-5
add action=drop chain=forward in-interface=wlan-home-5 out-interface=wlan-guest-24
add action=drop chain=forward in-interface=wlan-home-24 out-interface=wlan-guest-5
add action=drop chain=forward in-interface=wlan-home-24 out-interface=wlan-guest-24

I.e. where the purpose would be to prevent L2 forwarding between home and guest wlans (which wouldn't happen anyway as the /interface vlan is configured to use VLAN so it only forwards to the air frames tagged with the appropriate VLAN ID and untags them prior to transmitting them over the air).

So the way you've set it up, you've completely blocked the traffic of the guest WLAN interfaces, so no wonder the clients cannot communicate.
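The two pitfalls sindy points out in the replies above (pvid and /interface bridge vlan rows being silently ignored while vlan-filtering=no, and a forward drop rule that names only in-interface or only out-interface cutting an interface off completely) are easy to miss by eye in a long /export. The following Python script is an added example, not code from the thread or from MikroTik: it parses the plain-text shape of a RouterOS export (section headers starting with "/", "add ..." lines, backslash line continuations) and flags both conditions. The export it runs on is a constructed sample modelled on the OP's description, not the OP's real configuration.

```python
"""Lint a RouterOS /export for two bridge/VLAN pitfalls discussed in this thread."""
import shlex

# Constructed sample export (assumption: mirrors the OP's description, not their real config).
SAMPLE_EXPORT = r"""
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=10
add bridge=bridge1 interface=ether24 \
    hw=yes
/interface bridge vlan
add bridge=bridge1 tagged=ether24 untagged=ether1 vlan-ids=10
add bridge=bridge1 tagged=ether24 vlan-ids=66
/interface bridge filter
add action=drop chain=forward in-interface=wlan-guest-5
add action=drop chain=forward out-interface=wlan-guest-5
add action=drop chain=forward in-interface=wlan-guest-24 out-interface=wlan-home-24
"""


def parse_export(text):
    """Return {section_path: [ {key: value, ...}, ... ]} for every add/set line."""
    sections = {}
    current = None
    pending = ""  # accumulates a line that ends with a backslash continuation
    for raw in text.splitlines():
        line = (pending + raw).strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        tokens = shlex.split(line)  # handles quoted values such as comment="guest AP"
        if tokens[0] not in ("add", "set"):
            continue
        entry = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[current].append(entry)
    return sections


def check_vlan_filtering(sections):
    """With vlan-filtering=no (the default), pvid on bridge ports and the whole
    /interface bridge vlan table have no effect on the software bridge."""
    findings = []
    for bridge in sections.get("/interface bridge", []):
        name = bridge.get("name")
        if bridge.get("vlan-filtering", "no") == "yes":
            continue
        ports = [p for p in sections.get("/interface bridge port", [])
                 if p.get("bridge") == name and "pvid" in p]
        vlans = [v for v in sections.get("/interface bridge vlan", [])
                 if v.get("bridge") == name]
        if ports or vlans:
            findings.append(
                f"{name}: vlan-filtering=no, so pvid on {len(ports)} port(s) and "
                f"{len(vlans)} bridge vlan row(s) are ignored")
    return findings


def check_bridge_filter(sections):
    """A forward drop rule with only in-interface (or only out-interface) matches every
    frame forwarded from (or to) that interface, not just traffic to one neighbour."""
    findings = []
    for rule in sections.get("/interface bridge filter", []):
        if rule.get("chain") != "forward" or rule.get("action") != "drop":
            continue
        has_in, has_out = "in-interface" in rule, "out-interface" in rule
        if has_in != has_out:
            iface = rule.get("in-interface") or rule.get("out-interface")
            direction = "from" if has_in else "to"
            findings.append(f"bridge filter drops ALL forwarded frames {direction} {iface}")
    return findings


def lint(text):
    """Run both checks over an export and return the list of findings."""
    sections = parse_export(text)
    return check_vlan_filtering(sections) + check_bridge_filter(sections)


if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print(finding)
```

Run it against the output of /export hide-sensitive saved to a file by passing the file contents to lint(). On the sample it reports one finding for bridge1 and two for the guest WLAN filter rules; the third filter rule, which names both interfaces, is the shape sindy says he would have understood and is not flagged.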