randel
just joined
Topic Author
Posts: 11
Joined: Sat Nov 16, 2019 10:48 pm

Accesspoint only with VLANs

Sun Sep 19, 2021 11:22 am

Hi there,
I am using an hAP ac only as Access-Point. I want to use it only to serve two VLANs as different wifis. My infrastructure should look like this:

                                                                           WIFI1  WIFI2
                                                                           VLAN10 VLAN20
                                                                              ▲    ▲
                                                                              │    │
                                                                              │    │
   ┌─────────────────┐   ┌───────────┐            ┌────────────┐         ┌────┴────┴───┐
   │                 │   │           │    Trunk   │            │  Trunk  │             │
   │ Internet-Router ├───┤ Firewall  ├────────────┤  Switch    ├─────────┤  hAC ap     │
   │                 │   │           │            │            │ VLAN10  │             │
   └─────────────────┘   └───────────┘            └────────────┘ VLAN20  └─────────────┘
                                                                 VLAN90

    VLAN10 = TrustedDevices
    VLAN20 = GuestWLAN
    VLAN90 = Management
- So the webfig should be served on VLAN90.
- WIFI1 should be VLAN1 (Trusted Wifi Devices)
- WIFI2 should be VLAN20 (Guest Wifi)

What I found out:
Bringing VLAN to the Wifi:
I add a new virtual wifi-Interface and give it the corresponding vlan-tag and set vlan-mode to "use tag".
Next I create two new VLAN-interfaces. One having the newly created wifi as parent, the other having the trunk ether-port as parent. Both with the same vlan-tag.
Next I create a new bridge and add only the two created VLAN-Interfaces to the bridge (PVID set to default 1 and admit all).
(VLAN filtering is turned off)
There is no IP added or set. As it should only be a transparent bridge. No IP-service is needed from the MK.

This way I can bring up multiple VLAN-Wifi-bridges. But they all rely on a running physical WIFI-Interface in "ap bridge" mode and having an ssid etc. set.
I also found that I can not bring a VLAN-tag to this physical Wifi-interface, cause there is no setting for wifi in physical interfaces. Including the physical wifi-interface in a bridge (as described above) does not seem to work to serve the vlan.
So for the purpose to have these two wifi-networks attached to the two VLANs I have to add two virtual wifi-interfaces, but then I have this physical-wifi-network hanging around.
Am I doing things right? How to handle the physical wifi? Should I just set some credentials to it and hide it? This doesn't feel like being the right way to me.

Well, and at last I'd like to know if there is something I have to know when setting the management on the vlan90? In my first tries the MK did not respond anymore (might be, as there were two routes).

I don't need routing (this is done by the firewall), I don't need DNS or DHCP (these are served on other machines), I don't need NAT. So really just bringing the VLANs to the Wifis and using the third VLAN as management lan.

Thanks a lot!
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Accesspoint only with VLANs

Sun Sep 19, 2021 1:04 pm

There are multiple ways of dealing with multiple-SSID-per-radio situation. But if we want to stick to VLAN-way, then the most "politically correct" way is to use bridge with vlan-filtering=yes.

In this case you don't set anything regarding VLANs on wireless interfaces (neither master nor slave), everything is done on bridge. When you add wireless interfaces to bridge as ports, simply set pvid property to it. And enable vlan filtering on bridge. At this moment, wireless traffic will be tagged on bridge, so you need to treat it as such. E.g. add ether interface to same bridge, configured as trunk (all-tagged) port for all involved VIDs.

BTW, properties vlan-mode and vlan-id are available for all wireless interfaces, not only for slave ones.

BTW2: your ASCII-art diagram of LAN topology is a bit too wide and doesn't render correctly on my screen. You might want to post a picture of it to make sure we all understand your target topology.

BTW3: your current hAP config sounds very convoluted (and wrong). Either start off from scratch (applying the advice outlined above) or post text export of your current config for review (inside terminal window execute /export hide-sensitive file=anynameyouwish, fetch resulting file, open it with text editor and copy-paste contents here inside [code] [/code] environment).
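An added configuration example (not from this thread or any of its posters) that writes mkx's approach out as RouterOS 6 commands and also covers the management-on-VLAN90 question from the first post. Assumptions: ether2 is the trunk to the switch, VLAN 10 is the trusted SSID, VLAN 20 the guest SSID, VLAN 90 management (10.10.90.0/24, gateway 10.10.90.1), ether5 stays off the bridge as an emergency access port (192.168.66.0/24), and the names wlan1-guest, vlan90-mgmt, manage and prof-* are mine.

```routeros
# hAP ac as a pure VLAN-aware access point: no vlan-* settings on the
# wireless interfaces, all VLAN handling on one bridge with vlan-filtering.
# Assumed names/VIDs/subnets as stated in the lead-in; keys are placeholders.

/interface bridge
add name=bridge vlan-filtering=no comment="vlan-filtering is switched on last"

# Trusted SSID on the physical radio, guest SSID as a virtual AP on the same radio
/interface wireless security-profiles
add name=prof-trusted authentication-types=wpa2-psk mode=dynamic-keys \
    wpa2-pre-shared-key=CHANGE-ME-TRUSTED
add name=prof-guest authentication-types=wpa2-psk mode=dynamic-keys \
    wpa2-pre-shared-key=CHANGE-ME-GUEST
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge ssid=Trusted \
    security-profile=prof-trusted disabled=no
add name=wlan1-guest master-interface=wlan1 ssid=Guest \
    security-profile=prof-guest default-forwarding=no disabled=no

# Bridge ports: wireless ports are access ports (pvid gives untagged client
# frames their VID), the trunk accepts tagged frames only
/interface bridge port
add bridge=bridge interface=ether2 frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes
add bridge=bridge interface=wlan1 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=wlan1-guest pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# Bridge VLAN table: trunk tagged in every VLAN, each SSID untagged in its own
# VLAN, and the bridge itself (the CPU) a member of the management VLAN only,
# so the device is not reachable from the trusted or guest networks at all
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=ether2 untagged=wlan1
add bridge=bridge vlan-ids=20 tagged=ether2 untagged=wlan1-guest
add bridge=bridge vlan-ids=90 tagged=ether2,bridge

# Management IP lives on a VLAN interface on top of the bridge (not on ether2);
# the off-bridge port keeps a way in if the VLAN table is wrong
/interface vlan
add name=vlan90-mgmt interface=bridge vlan-id=90
/ip address
add address=10.10.90.99/24 interface=vlan90-mgmt
add address=192.168.66.2/24 interface=ether5 comment="emergency access, off-bridge"
/ip route
add gateway=10.10.90.1
/ip dns
set servers=10.10.90.1

# Bind services to the management VLAN and the emergency port only:
# address filter on each service, MAC-based access and discovery limited to
# the "manage" list, and an input chain that drops everything else
/interface list
add name=manage
/interface list member
add list=manage interface=vlan90-mgmt
add list=manage interface=ether5
/ip service
set www-ssl disabled=no address=10.10.90.0/24,192.168.66.0/24
set winbox address=10.10.90.0/24,192.168.66.0/24
set ssh address=10.10.90.0/24,192.168.66.0/24
set www disabled=yes
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/tool mac-server
set allowed-interface-list=manage
/tool mac-server mac-winbox
set allowed-interface-list=manage
/ip neighbor discovery-settings
set discover-interface-list=manage
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface-list=manage action=accept
add chain=input action=drop

# Only now, with ports and VLAN table in place, make the bridge VLAN-aware
/interface bridge
set bridge vlan-filtering=yes
```

www-ssl still needs a certificate assigned under /ip service before the browser will connect; until then use winbox or ssh on the management VLAN.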
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Accesspoint only with VLANs

Sun Sep 19, 2021 1:42 pm

Including the physical wifi-interface in a bridge (as described above) does not seem to work to serve the vlan.
Of course you can set a VLAN tag on the Physical interface as well...

It would be easier if i could see an export of the configuration...

You can either use-tag on the physical interface and then create VLAN interfaces on the Bridge interface where that Physical wifi exists with the same VLAN tag of course, set IP address on the VLAN interface, DHCP on the VLAN as well and enable VLAN filtering... In the Bridge VLAN Table the BRIDGE must be tagged for the VID used along with the wifi Interface ( the Bridge must be set as tagged for Layer 3 functionality to work, that must be used on the Router side, but it depends on your whole setup)...

Or you can set the PVID of the BRIDGE to be the same as the tag used on the wifi interface, in that case you don't need to create VLAN interfaces, access to the Bridge is through untagged traffic, IP address is on the Bridge and DHCP on the BRIDGE as well and the PVID on the BRIDGE must be set the same as the use-tag VID... In the Bridge VLAN Table only the wifi interface must be set as tagged for that VLAN...

Also you can take a look here
https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless
 
randel
just joined
Topic Author
Posts: 11
Joined: Sat Nov 16, 2019 10:48 pm

Re: Accesspoint only with VLANs

Sun Sep 19, 2021 2:11 pm

At first: Thanks for your reply!

Here is the output of /export. I also appended a screenshot of the ASCII-Art (added little information to it). With these settings I can bind the two wifis to the vlans. And yes, now I found the vlan-settings for physical interfaces in the webfig. They are hidden behind advanced mode which I did not see at first. :/

So I'll try it the way you told me. I'd really like to start from scratch, but when I wipe the config network-settings are wiped too and I can't reach it in my network (I did not find it - hoped it would get a DHCP lease). So I started from a default-config and removed unwanted content.
All routing in my setup is done by the firewall (opnsense). No routing or firewalling should be done (if possible) in the MK. This makes management easier (I hope)
# sep/19/2021 12:54:14 by RouterOS 6.48.4
# software id = P3XP-NN1L
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 673706DFA5C2
/interface bridge
add name=Bridge50Wandhydrant
add admin-mac=6C:3B:6B:12:03:89 auto-mac=no comment=defconf fast-forward=no \
    name=bridge
add name=bridge60Forrest
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=germany default-authentication=no disabled=no distance=indoors \
    frequency=auto hide-ssid=yes mode=ap-bridge ssid=Traeger station-roaming=\
    enabled wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country=germany default-forwarding=no distance=indoors \
    frequency=auto mode=ap-bridge ssid=Wandhydrant station-roaming=enabled \
    wireless-protocol=802.11
/interface vlan
add interface=ether2-master name=vlan50Ether2 vlan-id=50
add interface=ether2-master name=vlan60Ether2 vlan-id=60
/interface wireless
add disabled=no mac-address=6E:3B:6B:12:03:90 master-interface=wlan1 name=\
    Wandhydrant ssid=Wandhydrant vlan-id=50 vlan-mode=use-tag wps-mode=\
    disabled
/interface vlan
add interface=Wandhydrant name=vlan50Wandhydrant vlan-id=50
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=Profil_Gast supplicant-identity=MikroTik
/interface wireless
add default-forwarding=no disabled=no mac-address=6E:3B:6B:12:03:8E \
    master-interface=wlan1 name=Forrest security-profile=Profil_Gast ssid=\
    Forrest station-roaming=enabled vlan-id=60 vlan-mode=use-tag wps-mode=\
    disabled
/interface vlan
add interface=Forrest name=vlan60Forrest vlan-id=60
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=Bridge50Wandhydrant interface=vlan50Ether2
add bridge=bridge60Forrest interface=vlan60Forrest
add bridge=Bridge50Wandhydrant interface=vlan50Wandhydrant
add bridge=bridge60Forrest interface=vlan60Ether2
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=wlan1 list=discover
add interface=wlan2 list=discover
add interface=bridge list=discover
add interface=Forrest list=discover
add list=discover
add list=discover
add interface=bridge list=mac-winbox
add interface=wlan2 list=mactel
add interface=ether2-master list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=wlan1 list=LAN
add interface=ether1
add interface=bridge list=LAN
/ip address
add address=192.168.2.99/16 comment=defconf interface=ether2-master network=\
    192.168.0.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.2.26
/ip dns static
add address=192.168.2.99 name=router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1 out-interface-list=*2000015
/ip route
add distance=1 gateway=192.168.2.1
/ip service
set www-ssl disabled=no
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Berlin
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=1d name=Sched_WLAN_aus on-event=WLAN_Aus policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/23/2017 start-time=23:00:00
add interval=1d name=Sched_WLAN_an on-event=WLAN_An policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/24/2017 start-time=06:00:00
/system script
add dont-require-permissions=no name=WLAN_Aus owner=admin policy=read,write \
    source="#2,4 GHz\
    \n/interface wireless set wlan1 disabled=yes;\
    \n\
    \n#5GHz\
    \n#/interface wireless set wlan2 disabled=yes;"
add dont-require-permissions=no name=WLAN_An owner=admin policy=read,write \
    source="#2,4 GHz\
    \n/interface wireless set wlan1 disabled=no;\
    \n\
    \n#5GHz\
    \n#/interface wireless set wlan2 disabled=no;"
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
Another problem I have is, I want to bring the webfig-gui on vlan90 with 10.10.90.99/24 but I don't get it. Adding a vlan-interface with an ip gives me the possibility to ping the address, but I don't find where I can bind webfig (www) to this interface/ip?

edit: Sorry it is confusing, as the VLANs I use are 50 and 60 and not 10 and 20 as put in the graphics!
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Accesspoint only with VLANs

Sun Sep 19, 2021 2:34 pm

Example, using Bridge VLAN Filtering without VLAN Interfaces... Notice, in your case HAP is not your Main router, so your trunk port should be added as tagged port as well so that you can communicate with the trunk port of the switch...
/interface bridge
add name=bridge2 pvid=100 vlan-filtering=yes
...
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=station-bridge security-profile=profile1 ssid=zacharias wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=* master-interface=wlan1 multicast-buffering=disabled name=wlan2 security-profile=profile2 ssid=test vlan-id=100 vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
...
/interface bridge port
add bridge=bridge2 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wlan2
...
/interface bridge vlan
add bridge=bridge2 tagged=wlan2 vlan-ids=100
...
/ip address
add address=192.168.100.1/24 interface=bridge2 network=192.168.100.0
Bridge VLAN filtering with VLAN Interfaces
/interface vlan
add interface=bridge2 name=vlan100 vlan-id=100
...

/interface bridge
add name=bridge2 pvid=1 vlan-filtering=yes
...
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=station-bridge security-profile=profile1 ssid=zacharias wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=* master-interface=wlan1 multicast-buffering=disabled name=wlan2 security-profile=profile2 ssid=test vlan-id=100 vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
...
/interface bridge port
add bridge=bridge2 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wlan2
...
/interface bridge vlan
add bridge=bridge2 tagged=wlan2,bridge2 vlan-ids=100
...
/ip address
add address=192.168.100.1/24 interface=vlan100 network=192.168.100.0
Enabling vlan filtering on the Bridge, if not done properly might lock you out of the device...
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Accesspoint only with VLANs

Sun Sep 19, 2021 3:48 pm

No, no, no ... you've got VLANs wrong again. Here's a good tutorial about VLANs in RouterOS.

Regarding starting from scratch: there's winbox (windows binary, but works well under wine in linux and macOS) which can connect to device via MAC (no IP necessary). A great tool for configuring devices when something goes wrong. Since you only need hAP as switch/AP combo, you should start with blank config, any default comes with lots of config which is either useless or even messes with wanted behaviour in your particular case.
 
randel
just joined
Topic Author
Posts: 11
Joined: Sat Nov 16, 2019 10:48 pm

Re: Accesspoint only with VLANs

Sun Sep 19, 2021 6:00 pm

Again thanks a lot... The problem is I don't get how to configure it. This RouterOS is that complicated to me... I understand the concepts of vlan in theory. I can work with Access-Ports and Trunks on other systems. But in RouterOS it is not obvious to me how it should be.

Let's say the easiest way I can figure out is:
- One Trunk between Router and Mikrotik
- This Trunk has one VLAN (vlan10) which should be served as wifi1
- let's say I would use ether2 as Trunkport
- let's say also I would like to use bridge1 to connect them

                         Wifi1
                            ▲
                            │
 ┌──────────┐ Trunk┌────────┴───┐
 │  Router  ├──────┤ MikroTik   │
 └──────────┘      └────────────┘
My caveats I find if I start:
- I can add a VLAN-Interface for Wifi1, ether2, bridge1 .... Which should I use?
- Additionally I can set VLAN-IDs in the following positions: In the wifi-Interface, in the VLAN-Filtering-Option of the bridge (PVID), in the possible VLAN-Interfaces I can create.
- I don't really understand what this VLAN-Filtering is (I thought the device should handle VLANs as expected).
- The options on the VLAN-Filtering option are not really clear to me.
- As wifi can't handle VLAN-Tags I don't know what exactly the VLAN-Mode and VLAN-ID do there. Is this the setting for an access-port?
- Setting a vlan-interface on top of a bridge means this bridge can handle this vlanID as tagged?
- If I should connect a wifi-Interface without setting the VLAN-settings how should the bridge know the packets should go there?
- When connecting a port (let's say wifi1) to the bridge I can set the PVID. PVID means all untagged data will get this vlan-tag set. But I thought only for traffic coming from the port I add going into the bridge. Means I have to set the frame-type to admit all, so tagged frames will be sent to the wifi-interface even if there is no VLAN-port? Ingress-Filtering should be off cause wifi can not send tagged traffic?


I like to compare it with my switch:
In theory I would think the wifi-Interface should be seen as an Access-Port, cause the Wifi-Clients don't handle VLAN-Tags. So Wifi would be an Access-Port with untagged vlan10 set.
Ether2 would be Trunk-Port with PVID1 and Tagged VLAN vlan10.
well.... that's it within my switch... But with RouterOS it's this complex...

I tried to set it up the way you told me... But the wifi-client does not get the dhcp of the opnsense. With my (wrong) setting I get the DHCP leases....

I am that much confused.....


As soon as I disable vlan filtering on the bridge it's working again...
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Accesspoint only with VLANs

Sun Sep 19, 2021 6:10 pm

@randel,

I've provided you a link with a Wireless tagging example along with VLAN filtering, @mkx also posted a link with a nice article about VLANs, that I've read as well, I think that should be your starting points...

You got a lot of theory questions that need some reading first so that you understand some basics at least...

As for your question about VLAN filtering, what it does, is it makes the Bridge VLAN aware and allows it to process VLAN tags...
https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
- As wifi can't handle VLAN-Tags I don't know what exactly does the VLAN-Mode and VLAN-ID there. Is this the setting for an access-port?
Tags the incoming wireless traffic...
- If I should connect a wifi-Interface without setting the VLAN-settings how should the bridge know the packets should go there?
Communication would be with untagged traffic...
All ports with the same PVID, bridge included, can communicate together...
The Bridge, in that case will actually skip the tagging, untagging process since all ports are configured with the same PVID...
I like to compare it with my switch:
In theory I would think the wifi-Interface should be seen as an Access-Port, cause the Wifi-Clients don't handle VLAN-Tags. So Wifi would be an Access-Port with untagged vlan10 set.
The traffic coming to the wireless interface is already tagged, or at least that is how it is considered... If you see my example earlier, the wifi interface is set to accept only VLAN tagged, although the incoming traffic from the wireless clients is not Tagged of course.. I think that has to do with the wireless driver and how it handles the traffic, that's why the wifi interface is set to tagged and is handled as a Trunk port instead of an Access port... @mkx, what do you think about that ? That's what comes to my mind...
When the traffic egresses to the wireless clients it gets the tag removed, so the client receives untagged traffic...
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Accesspoint only with VLANs

Sun Sep 19, 2021 6:44 pm

The traffic coming to the wireless interface is already tagged, or at least that is how it is considered... If you see my example earlier, the wifi interface is set to accept only VLAN tagged, although the incoming traffic from the wireless clients is not Tagged of course.. I think that has to do with the wireless driver and how it handles the traffic, that's why the wifi interface is set to tagged and is handled as a Trunk port instead of an Access port... @mkx, what do you think about that ? That's what comes to my mind...
When the traffic egresses to the wireless clients it gets the tag removed, so the client receives untagged traffic...
If vlan-* properties on wireless interface are set, then wireless driver handles the tagging/untagging. For bridge that means wireless is tagged/trunk port, hence bridge port has to be configured as such. And that means setting VLAN properties in two places (/interface wireless and /interface bridge vlan, the latter needs setting of wireless interface to be tagged member of correct VLAN), while omitting vlan-* settings from wireless interface and setting PVID on bridge port does it all in one place.

If wireless driver does not have vlan-* properties set, then it doesn't deal with VLAN tags at all. If ingress frame has VLAN header (for any reason), then also egress frame will have one. Direction (wireless -> wire or the opposite) doesn't matter.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Accesspoint only with VLANs

Sun Sep 19, 2021 7:02 pm

Right @mkx...
 
randel
just joined
Topic Author
Posts: 11
Joined: Sat Nov 16, 2019 10:48 pm

Re: Accesspoint only with VLANs

Sun Sep 19, 2021 7:13 pm

I really thank you very much... I think now I begin to understand the way RouterOS does VLAN filtering.. I removed all bridges and all I did and started new with vlan10, wifi1 and bridge. But it is still not working. :( I did it as said in the linked tutorial. I compared my /export with the settings from the tutorial, but I don't see the issue.
- one bridge
- vlan filtering activated
- vlan-interface created for ether2
- tagged vlan for wifi1
- added the tagged-vlans to the bridge

Here is my current /export. Can you help me what's going wrong?
# sep/19/2021 18:24:05 by RouterOS 6.48.4
# software id = P3XP-NN1L
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 673706DFA5C2
/interface bridge
add admin-mac=6C:3B:6B:12:03:89 auto-mac=no comment=defconf fast-forward=no \
    name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=germany disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=Wandhydrant station-roaming=enabled vlan-id=10 vlan-mode=\
    use-tag wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country=germany default-forwarding=no distance=indoors \
    frequency=auto mode=ap-bridge ssid=Wandhydrant station-roaming=enabled \
    wireless-protocol=802.11
/interface vlan
add interface=ether2-master name=vlan10 vlan-id=10
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=Profil_Gast supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=*27
add bridge=bridge interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface bridge vlan
add bridge=bridge tagged=ether2-master,wlan1 vlan-ids=10
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=wlan1 list=discover
add interface=wlan2 list=discover
add interface=bridge list=discover
add list=discover
add list=discover
add list=discover
add interface=bridge list=mac-winbox
add interface=wlan2 list=mactel
add interface=ether2-master list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=wlan1 list=LAN
add interface=ether1
add interface=bridge list=LAN
/ip address
add address=192.168.2.99/16 comment=defconf interface=ether2-master network=\
    192.168.0.0
add address=10.10.10.99/24 interface=vlan10 network=10.10.10.0
add address=10.10.10.98/24 interface=wlan1 network=10.10.10.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.2.26
/ip dns static
add address=192.168.2.99 name=router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1 out-interface-list=*2000015
/ip route
add distance=1 gateway=192.168.2.1
/ip service
set www-ssl disabled=no
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Berlin
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=1d name=Sched_WLAN_aus on-event=WLAN_Aus policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/23/2017 start-time=23:00:00
add interval=1d name=Sched_WLAN_an on-event=WLAN_An policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/24/2017 start-time=06:00:00
/system script
add dont-require-permissions=no name=WLAN_Aus owner=admin policy=read,write \
    source="#2,4 GHz\
    \n/interface wireless set wlan1 disabled=yes;\
    \n\
    \n#5GHz\
    \n#/interface wireless set wlan2 disabled=yes;"
add dont-require-permissions=no name=WLAN_An owner=admin policy=read,write \
    source="#2,4 GHz\
    \n/interface wireless set wlan1 disabled=no;\
    \n\
    \n#5GHz\
    \n#/interface wireless set wlan2 disabled=no;"
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

grrr... copied the wrong export
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Accesspoint only with VLANs

Sun Sep 19, 2021 7:32 pm

What would you like to achieve?
  a) learn how to do it properly even if it takes a while
  b) get somebody write a few lines of config so you can copy-paste them and be done

If it's a), then read the tutorial I linked and try to really understand. Play a bit until you understand it, without trying (for now) to solve your particular problem. Because the last config you posted indicates you don't understand the Mikrotik way of doing VLANs. And if you selected this path, here's another good tutorial about different bridge personalities. I suggest you to read this first actually.

If it's b), then somebody might give those lines to you. I'm not going to do it because I'm here to help users learn ROS, not to solve their problems.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Accesspoint only with VLANs

Sun Sep 19, 2021 7:40 pm

@randel,

Under /interface vlan, you must use the Bridge interface, not ether 2...
Address, DHCP etc ( if used ) should use the VLAN interface ...
Also, if HAP provides Layer 3 services, bridge must be set as tagged member too...
 
randel
just joined
Topic Author
Posts: 11
Joined: Sat Nov 16, 2019 10:48 pm

Re: Accesspoint only with VLANs

Sun Sep 19, 2021 9:26 pm

@mkx, to be honest both positions are right. a) sure I want to understand and do it the right way. That's why I have reverted everything I had already working to understand how to do it the right way. On the other hand I have a crying kid wanting to hear her audio-books etc. Also, the wifi issues are just a side effect. I am changing the whole network-design and so the wifi had to be adapted. I use the MikroTik only as wifi access, so I think if it is working I will not have to touch it for the next years. (As the last years showed).

@Zacharias, you made my day!! :) Changing the vlan from ether2 to the bridge did it :) I am very happy! But in the Manual (link) was the ether-interface taken, so I thought it would be the way....
add interface=ether1 name=vlan111 vlan-id=111
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Accesspoint only with VLANs

Sun Sep 19, 2021 9:39 pm

@Zacharias, you made my day!! :) Changing the vlan from ether2 to the bridge did it :) I am very happy! But in the Manual (link) was the ether-interface taken, so I thought it would be the way.... add interface=ether1 name=vlan111 vlan-id=111
Great news... :D
In the example it was the ethernet interface and not on the Bridge, because there was no Bridge in that specific example... There are cases where we use VLANs directly on ethernet interfaces and we don't even need to create a Bridge... But that is another case...
 
randel
just joined
Topic Author
Posts: 11
Joined: Sat Nov 16, 2019 10:48 pm

Re: Accesspoint only with VLANs

Sun Sep 19, 2021 10:22 pm

Thanks a lot. OK, that was not obvious to me. I really would like to understand the way it is handled in RouterOS, but it's not that easy to understand, I fear.
Well, the next thing to figure out is how I get the management services into the vlan90... :)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Accesspoint only with VLANs

Mon Sep 20, 2021 12:40 am

This is pretty close to what I have on my capac (same deal as the hapac, fewer ports).
(1) You will note that I have removed ether5 from the bridge.
I have given it an IP address of 192.168.66.2; what this will allow you to do is access the router EVEN IF THE BRIDGE IS SCREWED DURING CONFIGURATION.
I call it emergency access. All you need to do is give your laptop/PC an IP address of 192.168.66.5 or .10 or .3 etc........... and you will gain access to the router.

(2) Assumed ether2 was the trunk port to the switch; as for the other ports, not clear what the intention is??

(3) The hapac only needs an IP address on the vlan90 subnet; very few other rules apply.
a. interface list called manage to identify the vlan90 and the emergency access (for winmac server).
This helps allow you to access the hapac from anywhere on the network........
b. ip route pointing to the gateway of vlan90
c. IP DNS server pointing to the gateway of vlan 90

(4) No vlan settings within wifi settings!!
/interface bridge
add name=bridge vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=germany disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=Wandhydrant station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country=germany default-forwarding=no distance=indoors \
    frequency=auto mode=ap-bridge ssid=Wandhydrant station-roaming=enabled \
    wireless-protocol=802.11
/interface vlan
add interface=bridge name=housewifi vlan-id=10
add interface=bridge name=guestwifi vlan-id=20
add interface=bridge name=manage-90 vlan-id=90
/interface list
add name=manage
/ip neighbor discovery-settings
set discover-interface-list=manage
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=Profil_Gast supplicant-identity=MikroTik
/interface bridge port
# ether2-master assumed to be the trunk port to the switch
add bridge=bridge comment=defconf interface=ether2-master ingress-filtering=yes frame-types=admit-only-tagged
# purpose of sfp1 unknown; if used with pvid=10 it could go to a house PC
add bridge=bridge comment=defconf hw=no interface=sfp1 ingress-filtering=yes
add bridge=bridge comment=defconf interface=wlan2 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
# purpose of ether4 unknown; if used with pvid=10 it could go to a house PC
add bridge=bridge interface=ether4 ingress-filtering=yes
add bridge=bridge interface=wlan1 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
# if sfp1 and ether4 also go to house PCs, they would be listed as untagged here too
add bridge=bridge tagged=ether2-master untagged=wlan1 vlan-ids=10
add bridge=bridge tagged=ether2-master untagged=wlan2 vlan-ids=20
add bridge=bridge tagged=bridge,ether2-master vlan-ids=90
/interface list member
add interface=eth5-emergaccess list=manage
add interface=manage-90 list=manage
/ip address
# this is the address of the hapac on the manage-90 vlan subnet
add address=192.168.??.xx/24 interface=manage-90 network=192.168.??.0
add address=192.168.66.2/24 interface=eth5-emergaccess network=192.168.66.0
/ip dns
# use gateway of manage-90 vlan subnet
set allow-remote-requests=yes servers=192.168.??.1
/ip route
# Dst. Address: 0.0.0.0/0 - use gateway of manage-90 vlan subnet
add distance=1 gateway=192.168.??.1
/system clock
set time-zone-name=Europe/Berlin
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=1d name=Sched_WLAN_aus on-event=WLAN_Aus policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/23/2017 start-time=23:00:00
add interval=1d name=Sched_WLAN_an on-event=WLAN_An policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/24/2017 start-time=06:00:00
/system script
add dont-require-permissions=no name=WLAN_Aus owner=admin policy=read,write \
    source="#2,4 GHz\
    \n/interface wireless set wlan1 disabled=yes;\
    \n\
    \n#5GHz\
    \n#/interface wireless set wlan2 disabled=yes;"
add dont-require-permissions=no name=WLAN_An owner=admin policy=read,write \
    source="#2,4 GHz\
    \n/interface wireless set wlan1 disabled=no;\
    \n\
    \n#5GHz\
    \n#/interface wireless set wlan2 disabled=no;"
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=manage
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Accesspoint only with VLANs

Mon Sep 20, 2021 7:59 pm

Well, the next thing to figure out is how I get the management services into the vlan90... :)
For the HAP:

Create a vlan interface, name it VLAN90 with vid 90 and set it to the Bridge.
Set an address on that interface, whatever that should be...
Create a Bridge VLAN Table rule with vid 90, tagged interfaces the Bridge and your trunk port (your trunk port eth2).
That's it... Now you have management access using tagged traffic...
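The whole procedure from this thread put together as one RouterOS script, as an added example that is not part of any post above: Zacharias' two points (the /interface vlan sits on the bridge, not on ether2, and the bridge itself is a tagged member of VLAN 90 because the AP needs an IP there) and anav's layout (PVIDs on the wlan bridge ports, no VLAN settings in the wireless interfaces, ether5 out of the bridge for emergency access, management restricted through an interface list). The addresses and names are assumptions for illustration: ether2 is the trunk, wlan1 is VLAN 10 and wlan2 is VLAN 20, the AP is 192.168.90.2/24 on VLAN 90 with the gateway and DNS at 192.168.90.1, and the emergency port uses 192.168.66.2/24. The input firewall rules and the order of the last step are the checks a practitioner would want on a device that is only supposed to be reachable from the management VLAN.

```routeros
# Added worked example, not from the thread. Assumed layout:
#   ether2 = trunk to switch, wlan1 = trusted (VLAN 10), wlan2 = guest (VLAN 20)
#   VLAN 90 = management, AP at 192.168.90.2/24, gateway/DNS 192.168.90.1
#   ether5 kept out of the bridge, emergency access at 192.168.66.2/24

# 1. Bridge created with VLAN filtering still OFF. It is switched on only
#    at the very end, after the VLAN table is complete; enabling it first
#    on a remote AP cuts off management until someone plugs into ether5.
/interface bridge
add name=bridge vlan-filtering=no

# 2. Bridge ports. The trunk accepts tagged frames only; each SSID gets
#    its VLAN through the port PVID, so the wireless interfaces carry no
#    VLAN settings of their own.
/interface bridge port
add bridge=bridge interface=ether2 ingress-filtering=yes \
    frame-types=admit-only-tagged
add bridge=bridge interface=wlan1 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=wlan2 pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

# 3. Bridge VLAN table. VLAN 90 lists the bridge itself as a tagged
#    member so the CPU port (and the /interface vlan on top of it) can
#    receive management frames. VLANs 10 and 20 deliberately do NOT
#    include the bridge: the AP has no IP presence on client VLANs.
/interface bridge vlan
add bridge=bridge tagged=ether2 untagged=wlan1 vlan-ids=10
add bridge=bridge tagged=ether2 untagged=wlan2 vlan-ids=20
add bridge=bridge tagged=bridge,ether2 vlan-ids=90

# 4. Management VLAN interface on the bridge, not on ether2.
/interface vlan
add interface=bridge name=manage-90 vlan-id=90

# 5. Emergency access port outside the bridge, plain untagged.
/interface ethernet
set [ find default-name=ether5 ] name=eth5-emergaccess

/ip address
add address=192.168.90.2/24 interface=manage-90
add address=192.168.66.2/24 interface=eth5-emergaccess

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.90.1
/ip dns
# the AP only needs to resolve names for itself; do not make it a
# resolver for clients
set servers=192.168.90.1 allow-remote-requests=no

# 6. Everything that can answer on the AP is limited to the management
#    interfaces: neighbor discovery, MAC-Winbox and the IP input chain.
/interface list
add name=manage
/interface list member
add interface=manage-90 list=manage
add interface=eth5-emergaccess list=manage
/ip neighbor discovery-settings
set discover-interface-list=manage
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=manage

/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface-list=manage
add chain=input action=drop comment="drop anything not from management"

# 7. Guest SSID: stop guest clients from talking to each other through
#    the AP (same setting anav used on wlan2).
/interface wireless
set [ find default-name=wlan2 ] default-forwarding=no

# 8. Last step: turn VLAN filtering on.
/interface bridge
set bridge vlan-filtering=yes
```

Two things worth checking after applying it: from a trusted or guest client the AP's management address must not answer at all (neither ping nor Winbox), and from a host on VLAN 90 it must; if the second test fails, the usual cause is VLAN 90 missing the bridge as a tagged member or the VLAN interface having been created on ether2, which is exactly the mistake fixed earlier in this thread.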
