Community discussions

MikroTik App
 
JancariusSeiryujinn
just joined
Topic Author
Posts: 13
Joined: Tue Sep 07, 2021 10:42 am

Devices cannot connect to both APs

Tue Sep 21, 2021 1:27 am

I am using a hAC2 and a hAC Lite connected to a CRS326 and an RB4011. Routing is handled entirely on the RB4011.

On the hAC2, I have 4 VLANs - 100 (wired), 101 (trusted network), 102 (Guest network) 103 (zero trust network - printers etc). There are 4 SSIDs - 1 5ghz and 2.4 for Trusted, and a 2.4 for each of the other 2 vlans.

From my wired connections, all access works. Devices are assigned DHCP on VLAN100, and can reach the internet regardless of which port I attach to. From the wireless, however, there seems to be a problem. Previously, the hACLite was working - devices could get out to the internet, get DHCP, etc, just fine. However, once I resolved some configuration issues on the hAC2, devices only seem to work when connected to it.
# sep/20/2021 16:20:38 by RouterOS 6.48.4
# software id = 40YP-NNZA
#
# model = RB4011iGS+
# serial number = F03A0EA13426
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Ethernet to Centurylink"
set [ find default-name=sfp-sfpplus1 ] comment="Main fiber trunk"
/interface vlan
add interface=bridge1 name=vlan100 vlan-id=100
add interface=bridge1 name=vlan101 vlan-id=101
add interface=bridge1 name=vlan102 vlan-id=102
add interface=bridge1 name=vlan103 vlan-id=103
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.100.10-192.168.100.199
add name=dhcp_pool1 ranges=192.168.101.10-192.168.101.199
add name=dhcp_pool2 ranges=192.168.102.10-192.168.102.199
add name=dhcp_pool3 ranges=192.168.103.10-192.168.103.199
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan100 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan101 name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=vlan102 name=dhcp3
add address-pool=dhcp_pool3 disabled=no interface=vlan103 name=dhcp4
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1 pvid=100 trusted=yes
add bridge=bridge1 interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether1 vlan-ids=100
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether1 vlan-ids=101
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether1 vlan-ids=102
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether1 vlan-ids=103
/interface list member
add interface=ether1 list=WAN
add list=LAN
/ip address
add address=192.168.100.1/24 interface=vlan100 network=192.168.100.0
add address=192.168.101.1/24 interface=vlan101 network=192.168.101.0
add address=192.168.102.1/24 interface=vlan102 network=192.168.102.0
add address=192.168.103.1/24 interface=vlan103 network=192.168.103.0
add address=192.168.0.2/24 interface=ether1 network=192.168.0.0
/ip arp
add address=192.168.100.2 interface=vlan100 mac-address=2C:56:DC:3A:A4:3A
/ip dhcp-client
# DHCP client can not run on slave interface!
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.100.5 client-id=PS5 mac-address=00:E4:21:55:17:A1 server=\
    dhcp1
add address=192.168.100.4 client-id=1:80:fa:5b:25:76:6a mac-address=\
    80:FA:5B:25:76:6A server=dhcp1
add address=192.168.101.4 client-id=Imperius mac-address=A4:34:D9:28:48:8A \
    server=dhcp2
add address=192.168.100.8 client-id=1:0:d8:61:88:4d:40 mac-address=\
    00:D8:61:88:4D:40 server=dhcp1
add address=192.168.101.11 client-id=WorkLaptop mac-address=1C:4D:70:C2:9F:5C \
    server=dhcp2
add address=192.168.103.65 client-id=BrotherPrinter mac-address=\
    28:56:5A:66:4B:E8 server=dhcp4
add address=192.168.101.88 client-id=Nest mac-address=18:B4:30:BF:99:BA \
    server=dhcp3
add address=192.168.101.8 client-id=SarahLaptop mac-address=7C:B2:7D:E6:11:85 \
    server=dhcp2
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=8.8.8.8,192.168.0.1 gateway=\
    192.168.100.1
add address=192.168.101.0/24 dns-server=8.8.8.8,192.168.0.1 gateway=\
    192.168.101.1
add address=192.168.102.0/24 dns-server=8.8.8.8,192.168.0.1 gateway=\
    192.168.102.1
add address=192.168.103.0/24 dns-server=8.8.8.8,192.168.0.1 gateway=\
    192.168.103.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=\
    1935,3478-3480,3659,10000-10099,42127 in-interface=bridge1 protocol=tcp \
    to-addresses=192.168.100.5
add action=dst-nat chain=dstnat dst-address-type="" dst-port=\
    3074,3478-3480,3659,6000 in-interface=bridge1 protocol=udp to-addresses=\
    192.168.100.5
/ip route
add distance=1 gateway=192.168.0.1
/system clock
set time-zone-name=America/Denver
/system identity
set name=MainRouter
/tool sniffer
set filter-ip-address=192.168.100.201/32
Switch configCRS326
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] comment="Guest Bedroom Wireless"
set [ find default-name=ether5 ] comment="Office Wireless"
set [ find default-name=ether6 ] comment="Khellendros desktop PC"
/interface vlan
add interface=bridge1 name=vlan100 vlan-id=100
add interface=bridge1 name=vlan101 vlan-id=101
add interface=bridge1 name=vlan102 vlan-id=102
add interface=bridge1 name=vlan103 vlan-id=103
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1 trusted=yes
add bridge=bridge1 interface=ether5 trusted=yes
add bridge=bridge1 interface=ether6 pvid=100 trusted=yes
add bridge=bridge1 interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1,ether3,ether5,bridge1 untagged=ether6 \
    vlan-ids=100
add bridge=bridge1 tagged=ether3,ether5,sfp-sfpplus1,bridge1 vlan-ids=101
add bridge=bridge1 tagged=ether3,ether5,sfp-sfpplus1,bridge1 vlan-ids=102
add bridge=bridge1 tagged=ether3,ether5,sfp-sfpplus1,bridge1 vlan-ids=103
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/ip address
add address=192.168.100.200/24 interface=vlan100 network=192.168.100.0
add address=192.168.101.200 interface=vlan101 network=192.168.101.200
add address=192.168.102.200 interface=vlan102 network=192.168.102.200
add address=192.168.103.200 interface=vlan103 network=192.168.103.200
/ip arp
add address=192.168.100.2 interface=vlan100 mac-address=2C:56:DC:3A:A4:3A
add address=192.168.100.1 interface=vlan100 mac-address=2C:C8:1B:9B:A1:69
/ip dns
set servers=8.8.8.8
/ip route
add distance=1 gateway=192.168.100.1
/system clock
set time-zone-name=America/Denver
/system identity
set name=MainSwitch
/system routerboard settings
set boot-os=router-os
/tool traffic-monitor
add interface=bridge1 name=tmon1

hAC2 (Main Wireless - currently working)
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan100 vlan-id=100
add interface=bridge1 name=vlan101 vlan-id=101
add interface=bridge1 name=vlan102 vlan-id=102
add interface=bridge1 name=vlan103 vlan-id=103
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk,wpa2-eap eap-methods="" mode=dynamic-keys \
    name=Public supplicant-identity=""
add authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys name=Printer \
    supplicant-identity=""
add authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys name=Networked \
    supplicant-identity=""
add authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys name=Guest \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country="united states" \
    disabled=no installation=indoor mode=ap-bridge security-profile=Public \
    ssid=OuterHeaven-2.4 vlan-id=101 vlan-mode=use-tag wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no installation=\
    indoor mode=ap-bridge security-profile=Public ssid=OuterHeaven vlan-id=\
    101 vlan-mode=use-tag wps-mode=disabled
add comment="No-Internet VLAN103" disabled=no keepalive-frames=disabled \
    mac-address=2E:C8:1B:A7:AF:FF master-interface=wlan1 multicast-buffering=\
    disabled name=wlan3 security-profile=Printer ssid=OuterPrinter vlan-id=\
    103 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=\
    push-button-virtual-only
add comment="Internet-allowed security devices" disabled=no keepalive-frames=\
    disabled mac-address=2E:C8:1B:A7:AF:FE master-interface=wlan1 \
    multicast-buffering=disabled name=wlan4 security-profile=Guest ssid=\
    Foxhound vlan-id=102 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=\
    0 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan3 comment="No-Internet VLAN103"
set wlan4 comment="Internet-allowed security devices"
/interface wireless nstreme
set wlan1 enable-polling=no
set wlan2 enable-polling=no
set *A comment="No-Internet VLAN103"
set *B comment="Internet-allowed security devices"
/ip pool
add name=dhcp ranges=192.168.0.50-192.168.0.99
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1 trusted=yes
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan3
add bridge=bridge1 interface=wlan4
add bridge=bridge1 interface=ether2 trusted=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 untagged=ether2,ether3,ether4,ether5 \
    vlan-ids=100
add bridge=bridge1 tagged=ether1,wlan1,wlan2 vlan-ids=101
add bridge=bridge1 tagged=ether1,wlan4 vlan-ids=102
add bridge=bridge1 tagged=ether1,wlan3 vlan-ids=103
/interface wireless cap
set interfaces=wlan2,wlan1
/ip address
add address=192.168.100.202/24 interface=vlan100 network=192.168.100.0
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.0 netmask=24
add address=192.168.100.0/24 dns-server=192.168.0.1,8.8.8.8 gateway=\
    192.168.100.1 netmask=24
add address=192.168.101.0/24 dns-server=192.168.0.1,8.8.8.8 gateway=\
    192.168.101.1 netmask=24
add address=192.168.102.0/24 dns-server=192.168.0.1,8.8.8.8 gateway=\
    192.168.102.1 netmask=24
add address=192.168.103.0/24 dns-server=192.168.0.1,8.8.8.8 gateway=\
    192.168.103.1 netmask=24
/ip dns
set servers=192.168.0.1,8.8.8.8
/ip route
add distance=1 gateway=192.168.100.1
/system clock
set time-zone-name=America/Denver
/system identity
set name=MikrotikWirelessMain
hAC Lite (Currently not working)
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country="united states" \
    disabled=no installation=indoor mode=ap-bridge ssid=OuterHeaven-2.4 \
    vlan-id=101 vlan-mode=use-tag wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no mode=ap-bridge \
    ssid=OuterHeaven vlan-id=101 vlan-mode=use-tag wps-mode=disabled
/interface vlan
add interface=bridge1 name=vlan100 vlan-id=100
add interface=bridge1 name=vlan101 vlan-id=101
add interface=bridge1 name=vlan102 vlan-id=102
add interface=bridge1 name=vlan103 vlan-id=103
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys name=Printer \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Guest \
    supplicant-identity=""
/interface wireless
add comment="No-Internet VLAN103" disabled=no keepalive-frames=disabled \
    mac-address=0A:55:31:F9:EF:A7 master-interface=wlan1 multicast-buffering=\
    disabled name=wlan3 security-profile=Printer ssid=OuterPrinter vlan-id=\
    103 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=\
    push-button-5s
add comment="Secured network devices" disabled=no keepalive-frames=disabled \
    mac-address=0A:55:31:F9:EF:A8 master-interface=wlan1 multicast-buffering=\
    disabled name=wlan4 security-profile=Guest ssid=Foxhound vlan-id=102 \
    vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan3 comment="No-Internet VLAN103"
set wlan4 comment="Secured network devices"
/interface wireless nstreme
set *B comment="No-Internet VLAN103"
set *C comment="Secured network devices"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=ether3 pvid=100
add bridge=bridge1 interface=ether4 pvid=100
add bridge=bridge1 interface=ether2 pvid=100 trusted=yes
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan3
add bridge=bridge1 interface=wlan4
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 untagged=ether2,ether3,ether4,ether5 \
    vlan-ids=100
add bridge=bridge1 tagged=ether1,wlan3 vlan-ids=101
add bridge=bridge1 tagged=ether1 untagged=wlan4 vlan-ids=102
add bridge=bridge1 tagged=ether1 untagged=wlan3 vlan-ids=103
/ip address
add address=192.168.100.201/24 interface=vlan100 network=192.168.100.0
/ip route
add distance=1 gateway=192.168.100.1
add distance=1 gateway=192.168.101.1
/system clock
set time-zone-autodetect=no time-zone-name=America/Denver
/system identity
set name=Cuddle-Access
The logs on the hAC Lite show a mix of:
 
AE:58:32:6A:0A:C7@wlan2: connected, signal strength -53
AE:58:32:6A:0A:C7@wlan2: disconnected, received deauth: sending station leaving (3)

and
AC:67:84:AD:5B:B7@wlan2: connected, signal strength -24
AC:67:84:AD:5B:B7@wlan2: disconnected, received disassoc: sending station leaving (8)
I saw this topic regarding the message, but resolution was unclear. Average time from connection to disconnection is about 18-20 seconds.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Devices cannot connect to both APs

Tue Sep 21, 2021 11:02 am

/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 untagged=ether2,ether3,ether4,ether5 \
vlan-ids=100
add bridge=bridge1 tagged=ether1,wlan3wlan1,wlan2 vlan-ids=101
add bridge=bridge1 tagged=ether1 untagged=wlan4 vlan-ids=102
add bridge=bridge1 tagged=ether1 untagged=wlan3 vlan-ids=103

You have incorrect setup of bridge port VLAN membership on hAP ac lite.

BTW, on APs you don't need bridge1 to be member of anything but VLAN 100 (I assume that's your management VLAN) ... and hence you don't need VLAN interfaces vlan101, vlan102 and vlan103. hAP ac2 is set up correctly, so compare both configurations and make them as similar as it gets.
 
gotsprings
Forum Guru
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: Devices cannot connect to both APs

Tue Sep 21, 2021 6:18 pm

Caps_man would have made that a lot simpler.

Set your SSIDs and VLAN tags in configuration. Set the WAPs to caps-mode and the VLANs are handled.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Devices cannot connect to both APs

Wed Sep 22, 2021 8:25 pm

Okay late to the game but I will play.

First 4011
(1) why is ether1 part of the bridge remove it.

(2) Bridge Port:
a. why is the sfp port named a trunk port but you have a pVID on it. That makes it either an access port or a hybrid port (not trunk).
Remove the pvid is my suggestion
b. bridge ports , ether1 is not on the bridge remove the second line,
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1 trusted=yes ingress-filtering=yes frame-types=admit-only-tagged

(3) bridge vlans, remove any untagged setting and ether1
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=100,101,102,103

(4) Interface list members incomplete
/interface list
add name=WAN
add name=LAN
add name=Manage

/interface list members
add interface=ether1 list=WAN
add interface=vlan100 list=LAN
add interface=vlan101 list=LAN
add interface=vlan102 list=LAN
add interface=vlan103 list=LAN
add interface=vlan100 list=Manage

(5) WHERE ARE YOUR FIREWALL RULES, without them you should not connect to the internet.
(6) DST NAT rules wont work unless you have some firewall rules plus the in-interface is ether1 or in-interface-list=WAN to work.

(7) Modify
/ip neighbor discovery-settings
set discover-interface-list=Manage

(8) /tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Manage
Last edited by anav on Wed Sep 22, 2021 8:46 pm, edited 4 times in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Devices cannot connect to both APs

Wed Sep 22, 2021 8:40 pm

Switch next
Are we to assume that the ether3 and ether5 connections to wireless devices are to SMART devices (able to read vlan tags - I will assume yes)
Also assuming that vlan100 is the trusted vlan that the admin uses to configure devices!!!

(1) Vlan settings - minor tweaking)
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1 trusted=yes ingress-filtering=yes frame-types=admit-only-tagged
add bridge=bridge1 interface=ether5 trusted=yes ingress-filtering=yes frame-types=admit-only-tagged
add bridge=bridge1 interface=ether6 pvid=100 trusted=yes ingress-filtering=yes frame-types=admin-only-priority-and-untagged
add bridge=bridge1 interface=ether3 ingress-filtering=yes frame-types=admit-only-tagged

/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1,ether3,ether5,bridge1 untagged=ether6 vlan-ids=100
add bridge=bridge1 tagged=ether3,ether5,sfp-sfpplus1,bridge1 vlan-ids=101,102,103

(2) get rid of this.
/ip address
add address=192.168.100.200/24 interface=vlan100 network=192.168.100.0
add address=192.168.101.200 interface=vlan101 network=192.168.101.200
add address=192.168.102.200 interface=vlan102 network=192.168.102.200
add address=192.168.103.200 interface=vlan103 network=192.168.103.200
/ip arp
add address=192.168.100.2 interface=vlan100 mac-address=2C:56:DC:3A:A4:3A
add address=192.168.100.1 interface=vlan100 mac-address=2C:C8:1B:9B:A1:69

THE ONLY ADDRESS YOU NEED IS THE ADDRESS OF THE SWITCH ITSELF WHICH SHOULD EITHER BE ON A MANAGMENT VLAN/SUBNET or the TRUSTED SUBNET that the admin uses to configure the devices.!!!
add address=192.168.100.???/24 interface=vlan100 network=192.168.100.0

(3) Change this from
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
TO
/ip neighbor discovery-settings
set discover-interface-list=Manage

(4) Add
/interface list
add list=Manage

/interface list members
add interface=vlan100 list=Manage

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Manage
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Devices cannot connect to both APs

Wed Sep 22, 2021 8:48 pm

Phuck capsman. this is for non caps twit setups........

HA AC2 and LITE should mirror the switch in design
the ONLY difference is that the WLAN are added as access bridge ports.

What you need to do is REMOVE VLAN settings in wifi settings, no mode, no vlans etc.
USE BRIDGE PORT settings
ex
./interface bridge port
add bridge=bridge1 interface=wlan2 pvid=101 ingress-filtering=yes frame-types=admin-only-priority-and-untagged
add bridge=bridge1 interface=wlan1 pvid=101 ingress-filtering=yes frame-types=admin-only-priority-and-untagged
add bridge=bridge1 interface=ether1 trusted=yes ingress-filtering=yes frame-types=admin-only-tagged
add bridge=bridge1 interface=ether3 pvid=100 ingress-filtering=yes frame-types=admin-only-priority-and-untagged
add bridge=bridge1 interface=ether4 pvid=100 ingress-filtering=yes frame-types=admin-only-priority-and-untagged
add bridge=bridge1 interface=ether5 pvid=100 ingress-filtering=yes frame-types=admin-only-priority-and-untagged
add bridge=bridge1 interface=wlan3 pvid=103 ingress-filtering=yes frame-types=admin-only-priority-and-untagged
add bridge=bridge1 interface=wlan4 pvid=102 ingress-filtering=yes frame-types=admin-only-priority-and-untagged
add bridge=bridge1 interface=ether2 trusted=yes pvid=100 ingress-filtering=yes frame-types=admin-only-priority-and-untagged

/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 untagged=ether2,ether3,ether4,ether5 \
vlan-ids=100
add bridge=bridge1 tagged=ether1 untagged=wlan1,wlan2 vlan-ids=101
add bridge=bridge1 tagged=ether1, untagged=wlan4 vlan-ids=102
add bridge=bridge1 tagged=ether1, untagged=wlan3 vlan-ids=103

done!
Note: in your config you were missing bridge port setting for ether5 ??
 
Zacharias
Forum Guru
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Devices cannot connect to both APs

Wed Sep 22, 2021 9:20 pm

@JancariusSeiryujinn,

What @mkx is saying, is set the PVID of the Bridge Port to 100. Also you don't need all those VLAN interfaces ()...
After assigning the PVID 100 to the Bridge port ( CPU ), set the IP address to your Bridge and access to the HAP will be by using untagged traffic on the VID 100 .... ( management access using untagged traffic)
Also any access port with PVID 100 will be able to access the HAP as well, this is because all ports with the same PVID can reach each other... More specifically, the Bridge will even skip that tag/untag process for ports with the same PVID...
* Bridge is not needed as tagged member for the VID 100 anymore...

Otherwise, VLAN interface only for VID 100 on the Bridge interface must be created, Bridge must be tagged member for that VID, IP address must be set for the VLAN created on the Bridge...
Last edited by Zacharias on Wed Sep 22, 2021 9:29 pm, edited 2 times in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Devices cannot connect to both APs

Wed Sep 22, 2021 9:22 pm

This should be up and running in 5 minutes once you have changed the configs.
 
JancariusSeiryujinn
just joined
Topic Author
Posts: 13
Joined: Tue Sep 07, 2021 10:42 am

Re: Devices cannot connect to both APs

Thu Sep 23, 2021 12:49 am

/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 untagged=ether2,ether3,ether4,ether5 \
vlan-ids=100
add bridge=bridge1 tagged=ether1,wlan3wlan1,wlan2 vlan-ids=101
add bridge=bridge1 tagged=ether1 untagged=wlan4 vlan-ids=102
add bridge=bridge1 tagged=ether1 untagged=wlan3 vlan-ids=103

You have incorrect setup of bridge port VLAN membership on hAP ac lite.

BTW, on APs you don't need bridge1 to be member of anything but VLAN 100 (I assume that's your management VLAN) ... and hence you don't need VLAN interfaces vlan101, vlan102 and vlan103. hAP ac2 is set up correctly, so compare both configurations and make them as similar as it gets.
Damn it, that seemed to be it. I must have screwed that up after my initial setup since it worked at first. I cleared the extra 3 VLAN interfaces since as you said, they aren't needed. Adjusting the tagging fixed those.

In another topic I was told to use either the vlan assignment from the wireless or the pvid, but not both, which is why the PVID is set at 1. I'm not sure of the functional difference between doing it one way or the other.

Okay, going down through this
First 4011
(1) why is ether1 part of the bridge remove it.
The entire Mikrotik bridge system confused me and when I was setting it up, I thought I had to have every interface passing traffic in the bridge. On the router though, honestly, I think I could just set the bridge to All ports and it wouldn't make a difference.
(2) Bridge Port:
a. why is the sfp port named a trunk port but you have a pVID on it. That makes it either an access port or a hybrid port (not trunk).
Remove the pvid is my suggestion
b. bridge ports , ether1 is not on the bridge remove the second line,
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1 trusted=yes ingress-filtering=yes frame-types=admit-only-tagged
K done.
(3) bridge vlans, remove any untagged setting and ether1
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=100,101,102,103
Okay, this is I guess a good opportunity to ask - What does untagged as a setting actually do? I thought I needed to define ether1 as untagged here so that the tags would be stripped on their way out to the ISP router.
(4) Interface list members incomplete
/interface list
add name=WAN
add name=LAN
add name=Manage

/interface list members
add interface=ether1 list=WAN
add interface=vlan100 list=LAN
add interface=vlan101 list=LAN
add interface=vlan102 list=LAN
add interface=vlan103 list=LAN
add interface=vlan100 list=Manage
(5) WHERE ARE YOUR FIREWALL RULES, without them you should not connect to the internet.
My original design included a firewall appliance sitting in front of the RB4011, but my purchase fell through. The ISP modem is providing basic firewall atm, but yes, I need to set this up.
(6) DST NAT rules wont work unless you have some firewall rules plus the in-interface is ether1 or in-interface-list=WAN to work.
Hmm. As in NAT won't function without access control?
(7) Modify
/ip neighbor discovery-settings
set discover-interface-list=Manage
Done.
(8) /tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Manage
Done. What exactly did this do?

Switch next
Are we to assume that the ether3 and ether5 connections to wireless devices are to SMART devices (able to read vlan tags - I will assume yes)
Also assuming that vlan100 is the trusted vlan that the admin uses to configure devices!!!
Ether 3/5 are the hAC2 and hAClite respectively. Correct on VLAN100.
(1) Vlan settings - minor tweaking)
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1 trusted=yes ingress-filtering=yes frame-types=admit-only-tagged
add bridge=bridge1 interface=ether5 trusted=yes ingress-filtering=yes frame-types=admit-only-tagged
add bridge=bridge1 interface=ether6 pvid=100 trusted=yes ingress-filtering=yes frame-types=admin-only-priority-and-untagged
add bridge=bridge1 interface=ether3 ingress-filtering=yes frame-types=admit-only-tagged

/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1,ether3,ether5,bridge1 untagged=ether6 vlan-ids=100
add bridge=bridge1 tagged=ether3,ether5,sfp-sfpplus1,bridge1 vlan-ids=101,102,103
Done.
(2) get rid of this.
/ip address
add address=192.168.100.200/24 interface=vlan100 network=192.168.100.0
add address=192.168.101.200 interface=vlan101 network=192.168.101.200
add address=192.168.102.200 interface=vlan102 network=192.168.102.200
add address=192.168.103.200 interface=vlan103 network=192.168.103.200
/ip arp
add address=192.168.100.2 interface=vlan100 mac-address=2C:56:DC:3A:A4:3A
add address=192.168.100.1 interface=vlan100 mac-address=2C:C8:1B:9B:A1:69

THE ONLY ADDRESS YOU NEED IS THE ADDRESS OF THE SWITCH ITSELF WHICH SHOULD EITHER BE ON A MANAGMENT VLAN/SUBNET or the TRUSTED SUBNET that the admin uses to configure the devices.!!!
add address=192.168.100.???/24 interface=vlan100 network=192.168.100.0
Removed VLAN101-103 interfaces and associated addresses. They were left over from when I was making sure every device could reach every other device on each VLAN .
[(3) Change this from
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
TO
/ip neighbor discovery-settings
set discover-interface-list=Manage

(4) Add
/interface list
add list=Manage

/interface list members
add interface=vlan100 list=Manage

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Manage
Done.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Devices cannot connect to both APs

Thu Sep 23, 2021 3:27 am

Noted that my text was not perfect on the bridge port lines for the devices.........
for a trunk port its ingress-filtering=yes frame-types=admit-only-VLAN-tagged {i forgot the word vlan}

Repost the three configs so we can see what state they are in for a final tweaking...........

In general:
Bridge port settings describe the behaviour on ingress.
Untagging ports in the bridge vlan settings describes behaviour on egress.

What I am doing with Management interface is ensuring all configurable devices are reachable wherever the admin is located on vlan100.
If you want to reduce access to just the admin (not all users on vlan100) then we massage the RB4011 firewall rules.............depends what you want!

By the way if you have spare ports on RB4011 and other devices, I like to have an emergency access port in case the bridge configuration goes down for whatever reason and you need to config.access the device still!!

Take ether4 on each device as an example.
Remove ether4 from bridge and rename it ether4-emerg

Add
/ip address
add address=192.168.100.???/24 interface=vlan100 network=192.168.100.0
add address=192.168.66.2 interface=ether4-emerg network=192.168.66.0

Add
/interface list members
add interface=vlan100 list=Manage
add interface=ether4-emerg list=Manage

Now you can plug in a laptop to ethernet 4 of any of the devices set the laptop IP address to 192.168.66.3 or .5 etc. and gain access to the config of the router via winbox.
 
JancariusSeiryujinn
just joined
Topic Author
Posts: 13
Joined: Tue Sep 07, 2021 10:42 am

Re: Devices cannot connect to both APs

Wed Oct 06, 2021 9:45 am

Sorry for the delayed response, I had a bunch of things come at work. The only issue I'm still having is that my static DHCP assignments don't seem to work. I can set a static IP on the device of course and that works fine, but the DHCP assignment is ignored in favor of dynamic IPs.

Also question: I know what my IPs for the devices are, but how do I save them in Managed devices in Winbox?
# oct/06/2021 00:34:51 by RouterOS 6.48.4
# software id = 40YP-NNZA
#
# model = RB4011iGS+
# serial number = F03A0EA13426
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Ethernet to Centurylink"
set [ find default-name=sfp-sfpplus1 ] comment="Main fiber trunk"
/interface vlan
add interface=bridge1 name=vlan100 vlan-id=100
add interface=bridge1 name=vlan101 vlan-id=101
add interface=bridge1 name=vlan102 vlan-id=102
add interface=bridge1 name=vlan103 vlan-id=103
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
add name=Manage
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.100.10-192.168.100.199
add name=dhcp_pool1 ranges=192.168.101.10-192.168.101.199
add name=dhcp_pool2 ranges=192.168.102.10-192.168.102.199
add name=dhcp_pool3 ranges=192.168.103.10-192.168.103.199
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan100 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan101 name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=vlan102 name=dhcp3
add address-pool=dhcp_pool3 disabled=no interface=vlan103 name=dhcp4
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1 \
    trusted=yes
add bridge=bridge1 interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!Manage
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether1 vlan-ids=100
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether1 vlan-ids=101
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether1 vlan-ids=102
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether1 vlan-ids=103
/interface list member
add interface=ether1 list=WAN
add interface=vlan100 list=LAN
add interface=vlan101 list=LAN
add interface=vlan102 list=LAN
add interface=vlan103 list=LAN
add interface=vlan100 list=Manage
/ip address
add address=192.168.100.1/24 interface=vlan100 network=192.168.100.0
add address=192.168.101.1/24 interface=vlan101 network=192.168.101.0
add address=192.168.102.1/24 interface=vlan102 network=192.168.102.0
add address=192.168.103.1/24 interface=vlan103 network=192.168.103.0
add address=192.168.0.2/24 interface=ether1 network=192.168.0.0
/ip arp
add address=192.168.100.2 interface=vlan100 mac-address=2C:56:DC:3A:A4:3A
/ip dhcp-client
# DHCP client can not run on slave interface!
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.100.5 client-id=PS5 mac-address=00:E4:21:55:17:A1 server=\
    dhcp1
add address=192.168.100.4 client-id=1:80:fa:5b:25:76:6a mac-address=\
    80:FA:5B:25:76:6A server=dhcp1
add address=192.168.101.4 client-id=Imperius mac-address=A4:34:D9:28:48:8A \
    server=dhcp2
add address=192.168.100.8 client-id=1:0:d8:61:88:4d:40 mac-address=\
    00:D8:61:88:4D:40 server=dhcp1
add address=192.168.101.11 client-id=WorkLaptop mac-address=1C:4D:70:C2:9F:5C \
    server=dhcp2
add address=192.168.101.88 client-id=Nest mac-address=18:B4:30:BF:99:BA \
    server=dhcp3
add address=192.168.101.8 client-id=SarahLaptop mac-address=7C:B2:7D:E6:11:85 \
    server=dhcp2
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=8.8.8.8,192.168.0.1 gateway=\
    192.168.100.1
add address=192.168.101.0/24 dns-server=8.8.8.8,192.168.0.1 gateway=\
    192.168.101.1
add address=192.168.102.0/24 dns-server=8.8.8.8,192.168.0.1 gateway=\
    192.168.102.1
add address=192.168.103.0/24 dns-server=8.8.8.8,192.168.0.1 gateway=\
    192.168.103.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=\
    1935,3478-3480,3659,10000-10099,42127 in-interface=bridge1 protocol=tcp \
    to-addresses=192.168.100.5
add action=dst-nat chain=dstnat dst-address-type="" dst-port=\
    3074,3478-3480,3659,6000 in-interface=bridge1 protocol=udp to-addresses=\
    192.168.100.5
/ip route
add distance=1 gateway=192.168.0.1
/system clock
set time-zone-name=America/Denver
/system identity
set name=MainRouter
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Manage
/tool sniffer
set filter-ip-address=192.168.100.201/32

Switch configCRS326
# oct/06/2021 00:34:32 by RouterOS 6.48.4
# software id = 80CZ-07M7
#
# model = CRS326-24G-2S+
# serial number = CD010ED2525C
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] comment="Guest Bedroom Wireless"
set [ find default-name=ether5 ] comment="Office Wireless"
set [ find default-name=ether6 ] comment="Khellendros desktop PC"
/interface vlan
add interface=bridge1 name=vlan100 vlan-id=100
/interface list
add name=Manage
add name=Wireless
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=sfp-sfpplus1 trusted=yes
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether5 trusted=yes
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether6 pvid=100 trusted=yes
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=!Manage
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1,ether3,ether5,bridge1 untagged=ether6 \
    vlan-ids=100
add bridge=bridge1 tagged=ether3,ether5,sfp-sfpplus1,bridge1 vlan-ids=101
add bridge=bridge1 tagged=ether3,ether5,sfp-sfpplus1,bridge1 vlan-ids=102
add bridge=bridge1 tagged=ether3,ether5,sfp-sfpplus1,bridge1 vlan-ids=103
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/interface list member
add interface=ether6 list=Manage
add interface=vlan100 list=Manage
add interface=ether3 list=Wireless
add interface=ether5 list=Wireless
/ip address
add address=192.168.100.200/24 interface=vlan100 network=192.168.100.0
/ip arp
add address=192.168.100.2 interface=vlan100 mac-address=2C:56:DC:3A:A4:3A
add address=192.168.100.1 interface=vlan100 mac-address=2C:C8:1B:9B:A1:69
/ip dns
set servers=8.8.8.8
/ip route
add distance=1 gateway=192.168.100.1
/system clock
set time-zone-name=America/Denver
/system identity
set name=MainSwitch
/system routerboard settings
set boot-os=router-os
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Manage
/tool traffic-monitor
add interface=bridge1 name=tmon1

hAC2 (Main Wireless - currently working)
# oct/06/2021 00:34:30 by RouterOS 6.48.4
# software id = IEWC-ASHD
#
# model = RBD52G-5HacD2HnD
# serial number = CDFC0EE28D33
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan100 vlan-id=100
add interface=bridge1 name=vlan101 vlan-id=101
add interface=bridge1 name=vlan102 vlan-id=102
add interface=bridge1 name=vlan103 vlan-id=103
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk,wpa2-eap eap-methods="" mode=dynamic-keys \
    name=Public supplicant-identity=""
add authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys name=Printer \
    supplicant-identity=""
add authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys name=Networked \
    supplicant-identity=""
add authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys name=Guest \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country="united states" \
    disabled=no installation=indoor mode=ap-bridge security-profile=Public \
    ssid=OuterHeaven-2.4 vlan-id=101 vlan-mode=use-tag wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no installation=\
    indoor mode=ap-bridge security-profile=Public ssid=OuterHeaven vlan-id=\
    101 vlan-mode=use-tag wps-mode=disabled
add comment="No-Internet VLAN103" disabled=no keepalive-frames=disabled \
    mac-address=2E:C8:1B:A7:AF:FF master-interface=wlan1 multicast-buffering=\
    disabled name=wlan3 security-profile=Printer ssid=OuterPrinter vlan-id=\
    103 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=\
    push-button-virtual-only
add comment="Internet-allowed security devices" disabled=no keepalive-frames=\
    disabled mac-address=2E:C8:1B:A7:AF:FE master-interface=wlan1 \
    multicast-buffering=disabled name=wlan4 security-profile=Guest ssid=\
    Foxhound vlan-id=102 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=\
    0 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan3 comment="No-Internet VLAN103"
set wlan4 comment="Internet-allowed security devices"
/interface wireless nstreme
set wlan1 enable-polling=no
set wlan2 enable-polling=no
set *A comment="No-Internet VLAN103"
set *B comment="Internet-allowed security devices"
/ip pool
add name=dhcp ranges=192.168.0.50-192.168.0.99
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1 trusted=yes
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan3
add bridge=bridge1 interface=wlan4
add bridge=bridge1 interface=ether2 trusted=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 untagged=ether2,ether3,ether4,ether5 \
    vlan-ids=100
add bridge=bridge1 tagged=ether1,wlan1,wlan2 vlan-ids=101
add bridge=bridge1 tagged=ether1,wlan4 vlan-ids=102
add bridge=bridge1 tagged=ether1,wlan3 vlan-ids=103
/interface wireless cap
set interfaces=wlan2,wlan1
/ip address
add address=192.168.100.202/24 interface=vlan100 network=192.168.100.0
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.0 netmask=24
add address=192.168.100.0/24 dns-server=192.168.0.1,8.8.8.8 gateway=\
    192.168.100.1 netmask=24
add address=192.168.101.0/24 dns-server=192.168.0.1,8.8.8.8 gateway=\
    192.168.101.1 netmask=24
add address=192.168.102.0/24 dns-server=192.168.0.1,8.8.8.8 gateway=\
    192.168.102.1 netmask=24
add address=192.168.103.0/24 dns-server=192.168.0.1,8.8.8.8 gateway=\
    192.168.103.1 netmask=24
/ip dns
set servers=192.168.0.1,8.8.8.8
/ip route
add distance=1 gateway=192.168.100.1
/system clock
set time-zone-name=America/Denver
/system identity
set name=MikrotikWirelessMain
hAC Lite
# oct/05/2021 11:07:40 by RouterOS 6.47.9
# software id = 08KQ-8HG3
#
# model = RB952Ui-5ac2nD
# serial number = C5600D9E46A4
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=ether5-emergency
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country="united states" \
    disabled=no installation=indoor mode=ap-bridge ssid=OuterHeaven-2.4 \
    vlan-id=101 vlan-mode=use-tag wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no mode=ap-bridge \
    ssid=OuterHeaven vlan-id=101 vlan-mode=use-tag wps-mode=disabled
/interface vlan
add interface=bridge1 name=vlan100 vlan-id=100
/interface list
add name=Manage
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys name=Printer \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Guest \
    supplicant-identity=""
/interface wireless
add comment="No-Internet VLAN103" disabled=no keepalive-frames=disabled \
    mac-address=0A:55:31:F9:EF:A7 master-interface=wlan1 multicast-buffering=\
    disabled name=wlan3 security-profile=Printer ssid=OuterPrinter vlan-id=\
    103 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=\
    push-button-5s
add comment="Secured network devices" disabled=no keepalive-frames=disabled \
    mac-address=0A:55:31:F9:EF:A8 master-interface=wlan1 multicast-buffering=\
    disabled name=wlan4 security-profile=Guest ssid=Foxhound vlan-id=102 \
    vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan3 comment="No-Internet VLAN103"
set wlan4 comment="Secured network devices"
/interface wireless nstreme
set *B comment="No-Internet VLAN103"
set *C comment="Secured network devices"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=ether3 pvid=100
add bridge=bridge1 interface=ether4 pvid=100
add bridge=bridge1 interface=ether2 pvid=100 trusted=yes
add bridge=bridge1 interface=wlan3
add bridge=bridge1 interface=wlan4
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 untagged=\
    ether2,ether3,ether4,ether5-emergency vlan-ids=100
add bridge=bridge1 tagged=ether1,wlan1,wlan2 vlan-ids=101
add bridge=bridge1 tagged=ether1 untagged=wlan4 vlan-ids=102
add bridge=bridge1 tagged=ether1 untagged=wlan3 vlan-ids=103
/interface list member
add interface=ether5-emergency list=Manage
add interface=ether1 list=Manage
add interface=ether2 list=LAN
add interface=vlan100 list=LAN
add interface=wlan2 list=WAN
add interface=wlan1 list=WAN
add interface=wlan3 list=WAN
add interface=wlan4 list=WAN
/ip address
add address=192.168.100.201/24 interface=vlan100 network=192.168.100.0
/ip route
add distance=1 gateway=192.168.100.1
add distance=1 gateway=192.168.101.1
/system clock
set time-zone-autodetect=no time-zone-name=America/Denver
/system identity
set name=Cuddle-Access

Who is online

Users browsing this forum: Amazon [Bot] and 29 guests