rgroothuis
Member Candidate
Topic Author
Posts: 126
Joined: Tue Sep 06, 2016 12:11 am

Virtual WIFI and VLAN's - driving me crazy

Thu Oct 28, 2021 9:18 pm

I've a network with 2 VLAN's (apart from the default VLAN 1). The VLAN 101 is for Guest and 102 is for management. For some reason I cannot get my wAP configured to have 2 WIFI's, one for the guest and the other one for management. To simplify it, I've disconnected the wAP from the main network and I'm now trying to configure the wAP isolated on its own device. Hope anybody can help me with this.

I've set up two virtual wlans; vlan101 has no vlan config, and with vlan102 I'm trying to configure the VLAN. I'm doing this so that I can compare what is working and not working.
On the vlan102 wlan interface I don't get an IP address from the DHCP server that I've configured on the wAP itself. In the final setup the DHCP server is located somewhere else in the network.
Connecting on the vlan101 interface, I do get an IP address from the correct pool, but getting the IP takes a long time, too long in my view.

What am I doing wrong? Is this approach to simulate it on a single device achievable? And finally, if I have a working setup, I want to migrate this to a CAPSMAN configuration. But one step at a time for now.
# oct/28/2021 20:11:23 by RouterOS 6.48.1
# software id = TMGN-VZVM
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = 69A50578307F
/interface bridge
add name=bridge
add name=bridgevlan101 vlan-filtering=yes
add name=bridgevlan102
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=outdoor mode=\
    ap-bridge ssid=MikroTik wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=outdoor \
    mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:30 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan3 ssid=\
    TestVLAN101 vlan-id=101 vlan-mode=use-tag wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:31 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan4 ssid=\
    TestVLAN102 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface vlan
add interface=ether1 name=vlan101 vlan-id=101
add interface=ether1 name=vlan102 vlan-id=102
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool_vlan101 ranges=172.16.0.100-172.16.0.254
add name=dhcp_pool_vlan102 ranges=172.16.1.100-172.16.1.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool_vlan101 disabled=no interface=bridgevlan101 name=\
    dhcp1
add address-pool=dhcp_pool_vlan102 disabled=no interface=bridgevlan102 name=\
    dhcp2
/interface bridge port
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridgevlan101 interface=wlan3 multicast-router=disabled
add bridge=bridgevlan102 interface=wlan4 multicast-router=disabled
add bridge=bridgevlan101 interface=vlan101 multicast-router=disabled
add bridge=bridgevlan102 interface=vlan102 multicast-router=disabled
/interface bridge vlan
add bridge=bridgevlan101 tagged=wlan3,ether1 vlan-ids=101
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=bridgevlan101 list=LAN
add interface=bridgevlan102 list=LAN
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=172.16.0.0/24 interface=bridgevlan101 network=172.16.0.0
add address=172.16.1.0/24 interface=bridgevlan102 network=172.16.1.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=172.16.0.0/24 gateway=172.16.0.1
add address=172.16.1.0/24 gateway=172.16.1.0
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Europe/Amsterdam
/system logging
add topics=dhcp
add topics=wireless
Looking forward to some suggestions on how to address this.
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Virtual WIFI and VLAN's - driving me crazy

Thu Oct 28, 2021 9:28 pm

You want to create a Bridge and assign all Interfaces to it.
Ether1, WLAN1, WLAN2, WLAN3, WLAN4, VLAN101, VLAN 102


Then everything should work, like you expect !
 
rgroothuis
Member Candidate
Topic Author
Posts: 126
Joined: Tue Sep 06, 2016 12:11 am

Re: Virtual WIFI and VLAN's - driving me crazy

Thu Oct 28, 2021 9:41 pm

You want to create a Bridge and assign all Interfaces to it.
Ether1, WLAN1, WLAN2, WLAN3, WLAN4, VLAN101, VLAN 102


Then everything should work, like you expect !
Ok, thanks for the suggestion, testing it right now.
 
rgroothuis
Member Candidate
Topic Author
Posts: 126
Joined: Tue Sep 06, 2016 12:11 am

Re: Virtual WIFI and VLAN's - driving me crazy

Thu Oct 28, 2021 9:50 pm

As I can only set one dhcp server on the bridge, I cannot fully simulate this on one wAP. Because now all the virtual wlans are getting an IP address from the same server.

How do I do the VLAN tagging when using one bridge?

On the wlan config I set "use tag" with vlanid 101 or 102 (depending on which wlan interface).
On the bridge I do not configure any vlan filtering whatsoever?
And under the ether1 port I put two VLANs, 101 and 102.

Is this how it should work?
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Virtual WIFI and VLAN's - driving me crazy

Thu Oct 28, 2021 9:52 pm

Oh, I am sorry..

VLAN101, VLAN 102 are not assigned to the bridge.
Then you can assign the DHCP-Server to the VLAN101, VLAN 102-Interfaces
 
rgroothuis
Member Candidate
Topic Author
Posts: 126
Joined: Tue Sep 06, 2016 12:11 am

Re: Virtual WIFI and VLAN's - driving me crazy

Thu Oct 28, 2021 10:04 pm

Hhmm, not working. I don't get an IP address assigned on either one of the two virtual wlans.

Both wlan interfaces use a vlan tag, 101 and 102, no vlans on the bridge and the bridge itself doesn't do vlan filtering.

This is the config:
# oct/28/2021 20:11:23 by RouterOS 6.48.1
# software id = TMGN-VZVM
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = 69A50578307F
/interface bridge
add name=bridge
add name=bridgevlan101 vlan-filtering=yes
add name=bridgevlan102
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=outdoor mode=\
ap-bridge ssid=MikroTik wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX distance=indoors frequency=auto installation=outdoor \
mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:30 \
master-interface=wlan1 multicast-buffering=disabled name=wlan3 ssid=\
TestVLAN101 vlan-id=101 vlan-mode=use-tag wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:31 \
master-interface=wlan1 multicast-buffering=disabled name=wlan4 ssid=\
TestVLAN102 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface vlan
add interface=ether1 name=vlan101 vlan-id=101
add interface=ether1 name=vlan102 vlan-id=102
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool_vlan101 ranges=172.16.0.100-172.16.0.254
add name=dhcp_pool_vlan102 ranges=172.16.1.100-172.16.1.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool_vlan101 disabled=no interface=bridgevlan101 name=\
dhcp1
add address-pool=dhcp_pool_vlan102 disabled=no interface=bridgevlan102 name=\
dhcp2
/interface bridge port
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridgevlan101 interface=wlan3 multicast-router=disabled
add bridge=bridgevlan102 interface=wlan4 multicast-router=disabled
add bridge=bridgevlan101 interface=vlan101 multicast-router=disabled
add bridge=bridgevlan102 interface=vlan102 multicast-router=disabled
/interface bridge vlan
add bridge=bridgevlan101 tagged=wlan3,ether1 vlan-ids=101
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=bridgevlan101 list=LAN
add interface=bridgevlan102 list=LAN
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=172.16.0.0/24 interface=bridgevlan101 network=172.16.0.0
add address=172.16.1.0/24 interface=bridgevlan102 network=172.16.1.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=172.16.0.0/24 gateway=172.16.0.1
add address=172.16.1.0/24 gateway=172.16.1.0
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Europe/Amsterdam
/system logging
add topics=dhcp
add topics=wireless
Suggestion on what I'm doing wrong?
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Virtual WIFI and VLAN's - driving me crazy

Thu Oct 28, 2021 10:08 pm

I still have a CAPac somewhere...

I will configure it and send you the Export.
Give me 20 minutes
 
rgroothuis
Member Candidate
Topic Author
Posts: 126
Joined: Tue Sep 06, 2016 12:11 am

Re: Virtual WIFI and VLAN's - driving me crazy

Thu Oct 28, 2021 10:09 pm

I still have a CAPac somewhere...

I will configure it and send you the Export.
Give me 20 minutes
Thanks, your support is really appreciated.

Extra info, when I remove the "Use Tag" and put VLAN ID to 1, I do get an IP address on the wlan interface.
This has something to do with the VLAN configuration on the bridge somehow.
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: Virtual WIFI and VLAN's - driving me crazy

Thu Oct 28, 2021 10:12 pm

some reading: viewtopic.php?t=175678&hilit=vlan#p860112

Start with the "great tutorial" mentioned there, it's a must read!
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Virtual WIFI and VLAN's - driving me crazy

Thu Oct 28, 2021 10:44 pm

Found a big mistake :

This is wrong
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=172.16.0.0/24 interface=bridgevlan101 network=172.16.0.0
add address=172.16.1.0/24 interface=bridgevlan102 network=172.16.1.0

This is right!
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=172.16.0.1/24 interface=bridgevlan101 network=172.16.0.0
add address=172.16.1.1/24 interface=bridgevlan102 network=172.16.1.0
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Virtual WIFI and VLAN's - driving me crazy

Thu Oct 28, 2021 10:57 pm

This is how I configured the CAPac in the LAB...


Step 0: Configure WLAN's
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=MikroTik wireless-protocol=\
    802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=MikroTik \
    wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:30 master-interface=wlan1 multicast-buffering=disabled name=wlan3 ssid=TestVLAN101 vlan-id=101 vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:31 master-interface=wlan1 multicast-buffering=disabled name=wlan4 ssid=TestVLAN102 vlan-id=102 vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

Step 1: Create Bridge
/interface bridge
add name=bridge1
Step 2: Create VLAN-Interfaces
/interface vlan
add interface=bridge1 name=bridge1_vlan101 vlan-id=101
add interface=bridge1 name=bridge1_vlan102 vlan-id=102
Step 3: Assign IP-Addresses
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=172.16.0.1/24 interface=bridge1_vlan101 network=172.16.0.0
add address=172.16.1.1/24 interface=bridge1_vlan102 network=172.16.1.0
Step 4: Create DHCP-Server
/ip pool
add name=dhcp_pool0 ranges=192.168.88.100-192.168.88.254
add name=dhcp_pool1 ranges=172.16.0.100-172.16.0.254
add name=dhcp_pool2 ranges=172.16.1.100-172.16.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=bridge1_vlan101 name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=bridge1_vlan102 name=dhcp3
Step 5: Assign Interfaces to Bridge
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan3
add bridge=bridge1 interface=wlan4
 
rgroothuis
Member Candidate
Topic Author
Posts: 126
Joined: Tue Sep 06, 2016 12:11 am

Re: Virtual WIFI and VLAN's - driving me crazy

Thu Oct 28, 2021 11:45 pm

Found a big mistake :

This is wrong
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=172.16.0.0/24 interface=bridgevlan101 network=172.16.0.0
add address=172.16.1.0/24 interface=bridgevlan102 network=172.16.1.0

This is right!
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=172.16.0.1/24 interface=bridgevlan101 network=172.16.0.0
add address=172.16.1.1/24 interface=bridgevlan102 network=172.16.1.0
Thanks for the catch, good point, that is indeed a mistake. I updated the config, see total overview below, but still the wlan client device doesn't get an IP address!
# oct/28/2021 22:41:53 by RouterOS 6.48.1
# software id = TMGN-VZVM
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = 69A50578307F
/interface bridge
add name=bridge
add name=bridgeVLAN101 vlan-filtering=yes
add name=bridgeVLAN102 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:30 master-interface=wlan1 multicast-buffering=disabled name=wlan3 ssid=TestVLAN101 vlan-id=101 vlan-mode=use-tag \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:31 master-interface=wlan1 multicast-buffering=disabled name=wlan4 ssid=TestVLAN102 vlan-id=102 vlan-mode=use-tag \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface vlan
add interface=ether1 name=vlan101 vlan-id=101
add interface=ether1 name=vlan102 vlan-id=102
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool7 ranges=172.16.0.100-172.16.0.254
add name=dhcp_pool8 ranges=172.16.1.100-172.16.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool7 disabled=no interface=bridgeVLAN101 name=dhcp1
add address-pool=dhcp_pool8 disabled=no interface=bridgeVLAN102 name=dhcp2
/interface bridge port
add bridge=bridge interface=wlan1
add bridge=bridge disabled=yes interface=wlan2
add bridge=bridgeVLAN101 interface=wlan3 multicast-router=disabled
add bridge=bridgeVLAN102 interface=wlan4 multicast-router=disabled
/interface bridge vlan
add bridge=bridgeVLAN101 tagged=wlan3,ether1 vlan-ids=101
add bridge=bridgeVLAN102 tagged=wlan3 untagged=ether1 vlan-ids=102
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=172.16.0.1/24 interface=bridgeVLAN101 network=172.16.0.0
add address=172.16.1.1/24 interface=bridgeVLAN102 network=172.16.1.0
/ip dhcp-client
add disabled=no interface=ether1
add disabled=no interface=bridgeVLAN101
/ip dhcp-server network
add address=172.16.0.0/24 gateway=172.16.0.1
add address=172.16.1.0/24 gateway=172.16.1.0
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Europe/Amsterdam
/system logging
add topics=dhcp
add topics=wireless
 
rgroothuis
Member Candidate
Topic Author
Posts: 126
Joined: Tue Sep 06, 2016 12:11 am

Re: Virtual WIFI and VLAN's - driving me crazy

Thu Oct 28, 2021 11:46 pm

This is how I configured the CAPac in the LAB...
.....................
Thanks, will give this a try tomorrow. Thanks for your support so far.
 
rgroothuis
Member Candidate
Topic Author
Posts: 126
Joined: Tue Sep 06, 2016 12:11 am

Re: Virtual WIFI and VLAN's - driving me crazy

Thu Oct 28, 2021 11:46 pm

some reading: viewtopic.php?t=175678&hilit=vlan#p860112

Start with the "great tutorial" mentioned there, it's a must read!
Thanks, started reading already. Always good to do some catch up reading, there is always something new to learn :-)
 
rgroothuis
Member Candidate
Topic Author
Posts: 126
Joined: Tue Sep 06, 2016 12:11 am

Re: Virtual WIFI and VLAN's - driving me crazy

Fri Oct 29, 2021 10:16 am

This is how I configured the CAPac in the LAB...
.....................
Thanks, will give this a try tomorrow. Thanks for your support so far.
This seems to be working, I've two virtual wlans and I can connect on both of them getting the correct IP address assigned. This is really good. Surprised to see a completely different configuration from what I was trying to do, but happy there is something working.

There is no internet connection at the moment. But this is probably due to the fact that the switch I'm using at the moment is not configured with VLANs. So now I need to move the wAP to the real setup and see if it is working. If it is working, I need to move this configuration into a CAPSMAN configuration :-) Thanks for the support at this moment in time.

This is the full config I'm using which is basically a copy of the config provided by ConnyMercier.
# oct/29/2021 09:17:50 by RouterOS 6.48.1
# software id = TMGN-VZVM
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = 69A50578307F
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:30 master-interface=wlan1 multicast-buffering=disabled name=wlan3 ssid=TestVLAN101 vlan-id=101 vlan-mode=use-tag wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:31 master-interface=wlan1 multicast-buffering=disabled name=wlan4 ssid=TestVLAN102 vlan-id=102 vlan-mode=use-tag wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
/interface vlan
add interface=bridge1 name=bridge1_vlan101 vlan-id=101
add interface=bridge1 name=bridge1_vlan102 vlan-id=102
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.88.100-192.168.88.254
add name=dhcp_pool1 ranges=172.16.0.100-172.16.0.254
add name=dhcp_pool2 ranges=172.16.1.100-172.16.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=bridge1_vlan101 name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=bridge1_vlan102 name=dhcp3
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan3
add bridge=bridge1 interface=wlan4
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=172.16.0.1/24 interface=bridge1_vlan101 network=172.16.0.0
add address=172.16.1.1/24 interface=bridge1_vlan102 network=172.16.1.0
/ip dhcp-client
add disabled=no interface=ether1
/system clock
set time-zone-name=Europe/Amsterdam
 
rgroothuis
Member Candidate
Topic Author
Posts: 126
Joined: Tue Sep 06, 2016 12:11 am

Re: Virtual WIFI and VLAN's - driving me crazy

Fri Oct 29, 2021 2:31 pm

I'm having a working setup right now, this is the config:
# oct/29/2021 12:27:52 by RouterOS 6.48.1
# software id = TMGN-VZVM
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = 69A50578307F
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=outdoor mode=\
    ap-bridge ssid=MikroTik wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=outdoor mode=ap-bridge ssid=MikroTik wireless-protocol=\
    802.11
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:30 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan3 ssid=\
    TestVLAN101 vlan-id=101 vlan-mode=use-tag wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:31 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan4 ssid=\
    TestVLAN102 vlan-id=102 vlan-mode=use-tag wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/interface vlan
add interface=bridge1 name=bridge1_vlan101 vlan-id=101
add interface=bridge1 name=bridge1_vlan102 vlan-id=102
/interface list
add name=WAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.100-192.168.88.254
add name=dhcp_pool1 ranges=172.16.0.100-172.16.0.200
add name=dhcp_pool2 ranges=172.16.1.100-172.16.1.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=bridge1_vlan101 name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=bridge1_vlan102 name=dhcp3
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan3 pvid=101
add bridge=bridge1 interface=wlan4 pvid=102
/interface bridge vlan
add bridge=bridge1 disabled=yes tagged=bridge1_vlan101,ether1,wlan3 vlan-ids=\
    101
add bridge=bridge1 disabled=yes tagged=bridge1_vlan102,ether1,wlan4 vlan-ids=\
    102
/interface list member
add interface=ether1 list=WAN
add interface=bridge1_vlan101 list=VLAN
add interface=bridge1_vlan102 list=VLAN
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=172.16.0.1/24 interface=bridge1_vlan101 network=172.16.0.0
add address=172.16.1.1/24 interface=bridge1_vlan102 network=172.16.1.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=172.16.0.0/24 dns-server=192.168.0.254 gateway=172.16.0.1 \
    netmask=24
add address=172.16.1.0/24 dns-server=192.168.0.254 gateway=172.16.1.1 \
    netmask=24
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface-list=VLAN
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward connection-state=new in-interface-list=VLAN \
    out-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=Europe/Amsterdam
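
The address mistake pointed out earlier in the thread, and the bridge settings in the export above, can be checked mechanically. The following is an added example, not part of any post and not MikroTik code: a small Python linter for RouterOS `/export` text. The finding names and the embedded sample (lines assembled from the exports in this thread) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: lines assembled from the exports posted in this thread.
SAMPLE_EXPORT = r"""
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=wlan3 pvid=101
add bridge=bridge1 interface=wlan4 pvid=102
/interface bridge vlan
add bridge=bridge1 disabled=yes tagged=bridge1_vlan101,ether1,wlan3 vlan-ids=\
    101
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=172.16.0.0/24 interface=bridgevlan101 network=172.16.0.0
/ip dhcp-server network
add address=172.16.0.0/24 gateway=172.16.0.1
add address=172.16.1.0/24 gateway=172.16.1.0
"""

# key=value pairs; a value is either a quoted string or a run of non-blanks.
PARAM = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_export(text):
    """Return (menu, params) for every add/set line of an export."""
    joined = re.sub(r"\\\r?\n\s*", "", text)  # undo "\" line continuations
    menu, items = None, []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
        elif line.startswith(("add ", "set ")):
            params = {k: v.strip('"') for k, v in PARAM.findall(line)}
            items.append((menu, params))
    return items


def _is_host(addr, net):
    """True if addr is a usable host address inside net."""
    if addr not in net:
        return False
    if net.num_addresses <= 2:  # /31 and /32 have no reserved addresses
        return True
    return addr not in (net.network_address, net.broadcast_address)


def lint(text):
    """Return a list of (finding, value) tuples in export order."""
    items = parse_export(text)
    # Which bridges actually enforce VLAN membership.
    filtering = {p["name"]: p.get("vlan-filtering") == "yes"
                 for menu, p in items
                 if menu == "/interface bridge" and "name" in p}
    findings = []
    for menu, p in items:
        if menu == "/ip address" and "address" in p:
            iface = ipaddress.ip_interface(p["address"])
            if not _is_host(iface.ip, iface.network):
                findings.append(("address-not-host", p["address"]))
        elif menu == "/ip dhcp-server network" and "gateway" in p:
            net = ipaddress.ip_network(p["address"], strict=False)
            for gw in p["gateway"].split(","):
                if not _is_host(ipaddress.ip_address(gw), net):
                    findings.append(("gateway-not-host", gw))
        elif menu == "/interface bridge port" and p.get("pvid", "1") != "1":
            # pvid only takes effect when vlan-filtering=yes on the bridge.
            if not filtering.get(p.get("bridge"), False):
                findings.append(("pvid-without-vlan-filtering",
                                 p.get("interface")))
        elif menu == "/interface bridge vlan" and p.get("disabled") == "yes":
            findings.append(("bridge-vlan-entry-disabled", p.get("vlan-ids")))
    return findings


if __name__ == "__main__":
    for finding, value in lint(SAMPLE_EXPORT):
        print(f"{finding}: {value}")
```

A bridge without `vlan-filtering=yes` forwards frames without consulting its VLAN table, so on such a bridge the separation between the guest and management SSIDs rests on the wireless `vlan-mode=use-tag` settings alone.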
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WIFI and VLAN's - driving me crazy

Sun Oct 31, 2021 6:06 pm

You want to create a Bridge and assign all Interfaces to it.
Ether1, WLAN1, WLAN2, WLAN3, WLAN4, VLAN101, VLAN 102


Then everything should work, like you expect !
VLANs are not bridge ports.
Ether ports and WLAN ports are bridge interfaces...........

Is the WAPAc acting as a router or simply an access point switch?

Personally I would have three VLANs and nothing DHCP related to the bridge, it's confusing otherwise.
However, if this is an access point, what is the purpose of the 192.168.88.1 network???? If it's nowhere else in your network then you don't need a third subnet on this device.
Furthermore, the WAPAC should have an IP address on the management VLAN.
 
rgroothuis
Member Candidate
Topic Author
Posts: 126
Joined: Tue Sep 06, 2016 12:11 am

Re: Virtual WIFI and VLAN's - driving me crazy

Mon Nov 01, 2021 10:09 am

You want to create a Bridge and assign all Interfaces to it.
Ether1, WLAN1, WLAN2, WLAN3, WLAN4, VLAN101, VLAN 102


Then everything should work, like you expect !
VLANs are not bridge ports.
Ether ports and WLAN ports are bridge interfaces...........

Is the WAPAc acting as a router or simply an access point switch?

Personally I would have three VLANs and nothing DHCP related to the bridge, it's confusing otherwise.
However, if this is an access point, what is the purpose of the 192.168.88.1 network???? If it's nowhere else in your network then you don't need a third subnet on this device.
Furthermore, the WAPAC should have an IP address on the management VLAN.
Thanks for your feedback. Regarding your question whether the wAP AC is acting as a router or an access point switch: to my understanding, and that is how I'm using it, it is an access point switch.

I agree in my test setup the 192.168.88.1 is not really required. I kept it in the test setup so that I can still make a connection to the wAP in case I make mistakes in the configuration; it happened too often that I could access the device due to a misconfiguration.

The DHCP server on my network is running on the device (Cradlepoint) responsible for the internet connection, that is where all the VLANs come together. This device is responsible for handing out IP addresses on the network. In my test setup, I don't have a DHCP server, that is why for now it is configured on the Mikrotik itself, but that should be removed once in the final setup.

The final solution that I'm trying to build is that each wifi access point has two wlans, each one with its own vlan, and this configuration needs to be managed from the CAPSMAN. This is what I'm trying to set up and having challenges with.

So which config should be done in the CAPSMAN? This seems to be straightforward, but how does the CAPS client need to be configured from a VLAN point of view, from a bridge point of view, etc. etc.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Virtual WIFI and VLAN's - driving me crazy

Mon Nov 01, 2021 11:50 am

You have to manually configure the wired part of CAP client before CAPsMAN takes over provisioning the wireless part. CAPsMAN only does what you currently have under /interface wireless ...

For testing purposes you can configure wireless part manually and transition it to CAPsMAN later. As to the wired part: did you study (thoroughly) the VLAN bible?

The wireless config shown in post #1 is almost fine (master wireless interfaces lack vlan-id=XX vlan-mode=use-tag and all wireless interfaces should be tagged member ports of bridge ... tagged for corresponding VIDs that is).
 
rgroothuis
Member Candidate
Topic Author
Posts: 126
Joined: Tue Sep 06, 2016 12:11 am

Re: Virtual WIFI and VLAN's - driving me crazy

Wed Nov 03, 2021 11:39 pm

It keeps driving me crazy, I don't know what the issue is, I tried so many things. I've read the VLAN bible, understand all the VLANs, tagging, native VLAN, etc. etc. But still, something doesn't make sense in my config.

I've connected the wAP device to a switch, that switch supports VLANs and 101 and 103 are configured with DHCP. When I connect the MacBook and configure VLAN on the MacBook I get the corresponding IP addresses assigned.

When connecting with an iPad/iPhone to the Mikrotik wifi I don't get an IP address at all. I don't understand why. Any suggestions on the following config:
# nov/03/2021 22:35:16 by RouterOS 6.48.1
# software id = TMGN-VZVM
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = 69A50578307F
/interface bridge
add name=bridge1
/interface wireless
# managed by CAPsMAN
# channel: 2447/20-eC/gn(28dBm), SSID: CAPsVLAN101, local forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=outdoor mode=\
    ap-bridge ssid=MikroTik wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=outdoor \
    mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan101 vlan-id=101
add interface=ether1 name=vlan103 vlan-id=103
/caps-man datapath
add arp=enabled bridge=bridge1 local-forwarding=yes name=DataPathVLAN101 \
    vlan-id=101 vlan-mode=use-tag
add bridge=bridge1 local-forwarding=yes name=DatapathVLAN103 vlan-id=103 \
    vlan-mode=use-tag
/caps-man configuration
add datapath=DataPathVLAN101 name=CAPsVLAN101 ssid=CAPsVLAN101
add datapath=DatapathVLAN103 name=CAPsVLAN103 ssid=CAPsVLAN103
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.100-192.168.88.254
add name=dhcp_pool1_VLAN101 ranges=172.16.0.100-172.16.0.200
add name=dhcp_pool2_VLAN103 ranges=172.16.1.100-172.16.1.200
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled comment="2.4 Ghz CAPS Config" \
    hw-supported-modes=gn master-configuration=CAPsVLAN101 name-format=\
    prefix-identity name-prefix=CAP- slave-configurations=CAPsVLAN103
add action=create-dynamic-enabled comment="5 Ghz CAPS Config" disabled=yes \
    hw-supported-modes=ac master-configuration=CAPsVLAN101 \
    slave-configurations=CAPsVLAN103
/interface bridge port
add bridge=bridge1 interface=vlan101 multicast-router=disabled
add bridge=bridge1 interface=vlan103 multicast-router=disabled
add bridge=bridge1 interface=ether1 multicast-router=disabled
add bridge=bridge1 interface=dynamic multicast-router=disabled
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add interface=ether1 list=WAN
add interface=vlan101 list=VLAN
add interface=vlan103 list=VLAN
/interface wireless cap
# 
set caps-man-addresses=192.168.0.216 discovery-interfaces=*3E enabled=yes \
    interfaces=wlan1
/ip address
add address=192.168.88.1/24 disabled=yes interface=bridge1 network=\
    192.168.88.0
add address=172.16.0.1/24 disabled=yes interface=vlan101 network=172.16.0.0
add address=172.16.1.1/24 disabled=yes interface=vlan103 network=172.16.1.0
/ip dhcp-client
add interface=vlan101
add interface=vlan103
add disabled=no interface=bridge1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=WIFI01-Test
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WIFI and VLAN's - driving me crazy

Thu Nov 04, 2021 3:15 am

If you are using the WAPAC as an accesspoint/switch then stop configuring it like a router and use the bridge vlan method and it will work very easily.

a. use bridge
b. assign all vlans to the bridge
c. configure bridge port settings etherports and wlans
d. configure bridge vlan settings
e. set IP address of the wapac to be on the management vlan
f. ensure ip discovery is the management vlan
g. ensure winbox macserver is set to the management vlan
h. ensure one ip route exists to the management vlan gateway IP of the device
Done!

Use this guide for access point........ (see access point example)
viewtopic.php?t=143620
 
rgroothuis
Member Candidate
Topic Author
Posts: 126
Joined: Tue Sep 06, 2016 12:11 am

Re: Virtual WIFI and VLAN's - driving me crazy

Thu Nov 04, 2021 11:17 pm

Finally got something working :-) Below is the current config. Comments if this is the right and/or best config are always welcome.
Next step is to move this config into, under CAPSMAN :-)
# nov/04/2021 19:57:03 by RouterOS 6.48.1
# software id = TMGN-VZVM
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = 69A50578307F
/interface bridge
add fast-forward=no name=bridge101 protocol-mode=none
add name=bridge103
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=outdoor mode=\
    ap-bridge ssid=mikrotik-off wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=outdoor \
    mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan5 vlan-id=5
add interface=ether1 name=vlan101 vlan-id=101
add interface=ether1 name=vlan103 vlan-id=103
/caps-man datapath
add arp=enabled bridge=bridge101 local-forwarding=yes name=DataPathVLAN101 \
    vlan-id=101 vlan-mode=use-tag
add bridge=bridge101 local-forwarding=yes name=DatapathVLAN103 vlan-id=103 \
    vlan-mode=use-tag
/caps-man configuration
add datapath=DataPathVLAN101 name=CAPsVLAN101 ssid=CAPsVLAN101
add datapath=DatapathVLAN103 name=CAPsVLAN103 ssid=CAPsVLAN103
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:30 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan-101 ssid=\
    vlan101 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:31 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan-103 ssid=\
    vlan103 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.100-192.168.88.254
add name=dhcp_pool1_VLAN101 ranges=172.16.0.100-172.16.0.200
add name=dhcp_pool2_VLAN103 ranges=172.16.1.100-172.16.1.200
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled comment="2.4 Ghz CAPS Config" \
    hw-supported-modes=gn master-configuration=CAPsVLAN101 name-format=\
    prefix-identity name-prefix=CAP- slave-configurations=CAPsVLAN103
add action=create-dynamic-enabled comment="5 Ghz CAPS Config" disabled=yes \
    hw-supported-modes=ac master-configuration=CAPsVLAN101 \
    slave-configurations=CAPsVLAN103
/interface bridge port
add bridge=bridge101 ingress-filtering=yes interface=wlan-101 pvid=101
add bridge=bridge101 interface=vlan101
add bridge=bridge103 interface=wlan-103
add bridge=bridge103 interface=vlan103
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add interface=ether1 list=WAN
add interface=vlan101 list=VLAN
add interface=vlan103 list=VLAN
/interface wireless cap
set caps-man-addresses=192.168.0.216 discovery-interfaces=wlan1 interfaces=\
    wlan1
/ip dhcp-client
add interface=vlan101
add interface=vlan103
add interface=bridge101
add disabled=no interface=vlan5
/ip firewall filter
add action=accept chain=input connection-state=established,related disabled=\
    yes
add action=accept chain=input disabled=yes in-interface-list=VLAN
add action=accept chain=forward connection-state=established,related \
    disabled=yes
add action=accept chain=forward connection-state=new disabled=yes \
    in-interface-list=VLAN out-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=WIFI01-Test
/tool sniffer
set file-name=capture filter-interface=all memory-limit=1000KiB
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Virtual WIFI and VLAN's - driving me crazy

Fri Nov 05, 2021 8:49 am

Using multiple bridges is not the way to go. You should use a single VLAN-aware bridge.
 
rgroothuis
Member Candidate
Topic Author
Posts: 126
Joined: Tue Sep 06, 2016 12:11 am

Re: Virtual WIFI and VLAN's - driving me crazy

Fri Nov 05, 2021 10:47 am

"Using multiple bridges is not the way to go. You should use a single VLAN-aware bridge."
Thanks for the feedback. I've now a working CAPSMAN solution using one bridge, but:
1) VLAN filtering on the CAPS client bridge is not enabled.
2) In the CAPSMAN config I've 2 datapaths for VLAN 101 and 103, but both have no tagging and vlan id 1; this is strange to me but it is working.

If I add VLAN filtering on the CAPS client bridge, it is not working anymore; the WIFI client device doesn't get an IP address.

This is the config of the CAPS client:
# nov/05/2021 09:46:22 by RouterOS 6.48.3
# software id = WPUN-FGW8
#
# model = RBD23UGS-5HPacD2HnD
# serial number = CD4F0E12686E
/interface bridge
add admin-mac=2C:C8:1B:5B:6F:E0 auto-mac=no name=bridge1
/interface wireless
# managed by CAPsMAN
# channel: 2447/20-eC/gn(30dBm), SSID: CAPsVLAN101, local forwarding
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-XX disabled=no frequency=auto installation=outdoor mode=ap-bridge ssid=MikroTik-5B6FE2
set [ find default-name=wlan2 ] band=5ghz-onlyac frequency=auto installation=outdoor mode=ap-bridge ssid=MikroTik-5B6FE3
/interface vlan
add interface=ether1 name=vlan5 vlan-id=5
add interface=ether1 name=vlan101 vlan-id=101
add interface=ether1 name=vlan103 vlan-id=103
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge1 interface=vlan101 multicast-router=disabled
add bridge=bridge1 interface=vlan103 multicast-router=disabled
/interface bridge vlan
add bridge=bridge1 disabled=yes tagged=vlan101 vlan-ids=101
add bridge=bridge1 disabled=yes tagged=vlan103 vlan-ids=103
/interface list member
add interface=ether1 list=WAN
/interface wireless cap
# 
set bridge=bridge1 caps-man-addresses=192.168.5.6 discovery-interfaces=bridge1 enabled=yes interfaces=wlan1
/ip dhcp-client
add disabled=no interface=vlan5
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=NetMetal-WF01
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Virtual WIFI and VLAN's - driving me crazy

Fri Nov 05, 2021 11:59 am

We'd have to see also the CAPsMAN config (/caps-man export), without it we can't correlate local configuration of wired part from CAP device and remote configuration of wireless from CAPsMAN.
 
rgroothuis
Member Candidate
Topic Author
Posts: 126
Joined: Tue Sep 06, 2016 12:11 am

Re: Virtual WIFI and VLAN's - driving me crazy

Fri Nov 05, 2021 12:06 pm

"We'd have to see also the CAPsMAN config (/caps-man export), without it we can't correlate local configuration of wired part from CAP device and remote configuration of wireless from CAPsMAN."


This is the CAPSMAN config:

# nov/05/2021 11:06:07 by RouterOS 6.48.1
# software id = TMGN-VZVM
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = 69A50578307F
/caps-man configuration
add datapath=DataPathVLAN101 name=CAPsVLAN101 ssid=CAPsVLAN101
add datapath=DatapathVLAN103 name=CAPsVLAN103 ssid=CAPsVLAN103
/caps-man datapath
add arp=enabled bridge=bridge1 local-forwarding=yes name=DataPathVLAN101 vlan-id=1 vlan-mode=no-tag
add bridge=bridge1 local-forwarding=yes name=DatapathVLAN103 vlan-id=1 vlan-mode=no-tag
/caps-man interface
add configuration=CAPsVLAN101 disabled=no l2mtu=1600 mac-address=2C:C8:1B:5B:6F:E2 master-interface=none name=CAP--NetMetal-WF01-1 radio-mac=2C:C8:1B:5B:6F:E2 radio-name=\
    2CC81B5B6FE2
add configuration=CAPsVLAN103 disabled=no l2mtu=1600 mac-address=2E:C8:1B:5B:6F:E2 master-interface=CAP--NetMetal-WF01-1 name=CAP--NetMetal-WF01-1-1 radio-mac=\
    00:00:00:00:00:00 radio-name=2EC81B5B6FE2
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-disabled comment="2.4 Ghz CAPS Config" hw-supported-modes=gn master-configuration=CAPsVLAN101 name-format=prefix-identity name-prefix=CAP- \
    slave-configurations=CAPsVLAN103
add action=create-dynamic-enabled comment="5 Ghz CAPS Config" disabled=yes hw-supported-modes=ac master-configuration=CAPsVLAN101 slave-configurations=CAPsVLAN103
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Virtual WIFI and VLAN's - driving me crazy

Fri Nov 05, 2021 4:29 pm

CAPsMAN datapath settings are completely VLAN-unaware.

It should have been something like this:
/caps-man datapath
add local-forwarding=yes name=DataPathVLAN101 vlan-id=101 vlan-mode=use-tag
add local-forwarding=yes name=DataPathVLAN103 vlan-id=103 vlan-mode=use-tag

(n.b. setting property bridge doesn't make any difference with local-forwarding, it's for CAPsMAN forwarding). If VLAN stuff is not done properly on CAPsMAN device, then nothing's gonna work actually ...


L2 settings (for VLAN) on CAP device are all off. Did you read through VLAN on ROS bible to see how it's done properly?
 
rgroothuis
Member Candidate
Topic Author
Posts: 126
Joined: Tue Sep 06, 2016 12:11 am

Re: Virtual WIFI and VLAN's - driving me crazy

Fri Nov 05, 2021 8:06 pm

Based on the comments about a single bridge to be used, I was trying to configure this differently but without any luck. Yes, I've read the VLAN bible. In my current configuration I've copied the AccessPoint example from the VLAN bible.

I see the registration of the two clients in the registration tab page, but the clients are NOT getting any IP address. I absolutely don't understand why not. I would love to understand what I'm doing wrong. Who can help me with the magic trick??
Screenshot 2021-11-05 at 19.10.23.png
I have even moved the external DHCP server now to the same mikrotik device to prevent any issues on that interface.

Why does the client device not get an IP address? Has this something to do with masquerading? I've added a config for this, is this the correct config?
# nov/05/2021 18:58:14 by RouterOS 6.48.1
# software id = TMGN-VZVM
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = 69A50578307F
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge1 \
    protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=outdoor mode=\
    ap-bridge ssid=vlan101 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=outdoor \
    mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:30 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan3 ssid=\
    vlan103 vlan-id=101 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface vlan
add interface=ether1 name=vlan5 vlan-id=5
add interface=ether1 name=vlan101 vlan-id=101
add interface=ether1 name=vlan103 vlan-id=103
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.100-192.168.88.254
add name=dhcp_pool3 ranges=192.168.201.2-192.168.201.254
/ip dhcp-server
add address-pool=dhcp_pool3 disabled=no interface=vlan101 name=dhcp1
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=101
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan3 pvid=103
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=101
add bridge=bridge1 tagged=ether1 vlan-ids=103
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=5
/interface list member
add interface=ether1 list=WAN
add interface=vlan101 list=VLAN
add interface=vlan103 list=VLAN
add interface=vlan5 list=BASE
/interface wireless cap
set bridge=bridge1 caps-man-addresses=192.168.5.6 discovery-interfaces=vlan5 \
    interfaces=wlan1
/ip address
add address=192.168.201.1/24 interface=vlan101 network=192.168.201.0
/ip dhcp-client
add disabled=no interface=vlan5
/ip dhcp-server network
add address=192.168.201.0/24 dns-server=8.8.8.8 gateway=192.168.201.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=all-vlan
/ip route
add distance=1 dst-address=192.168.101.0/24 gateway=vlan101
add distance=1 dst-address=192.168.103.0/24 gateway=vlan103
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=WIFI01-Test
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool sniffer
set file-name=capture filter-interface=all memory-limit=1000KiB
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WIFI and VLAN's - driving me crazy

Fri Nov 05, 2021 8:44 pm

My advice regarding any wifi pertains to a non capsman setup.
For the life of me I don't understand why you keep trying to add capsman as it adds needless complexity.
Just get the vlan to work first, as per the linked reference. If you need capsman after that, then add it..........at your own risk LOL.

(1) For now remove the ingress and other changes you have made to the top level Bridge identification.
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge1 \
protocol-mode=none vlan-filtering=yes

The only change to the default bridge line should be setting vlan-filtering to yes, at the end.
identified, configured the vlans to ether1 and not the bridge for the interface setting.

(3) You have two IP pools but 3 vlans...............???? (okay I see later vlan5 is Internet??)

(4) You have 3 vlans and only one DHCP server (still missing one)

(5) You have 3 vlans and only one DHCP server network. (still missing one)

(6) In your Bridge vlan settings you are missing tagging the bridge as well.
/interface bridge vlan
add bridge=bridge1 tagged=ether1.????? vlan-ids=101
add bridge=bridge1 tagged=ether1,?????? vlan-ids=103
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=5

(7) Interface list members......... (note changed since realized vlan5 is actually a WANVLAN...
disregard next
VLAN5 should be also be listed as a VLAN member
/interface list member
add interface=ether1 list=WAN
add interface=vlan101 list=VLAN
add interface=vlan103 list=VLAN
add interface=vlan5 list=VLAN
add interface=vlan5 list=BASE


NEW Improved version............
/interface list member
add interface=ether1 list=WAN
add interface=vlan5 list=WAN
add interface=vlan101 list=VLAN
add interface=vlan103 list=VLAN
add interface=vlan103 list=BASE (assuming 103 is the management vlan)

(8) You have three vlans but only one IP address (in this case you may be missing two)

(9) Finally at DHCP client , it is noted that vlan5 is actually a vlan for your WAN connection ????

(10) You have routes for your LAN subnets that I have no clue why they are there.

(11) The final straw that seems wrong. should be out-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=all-vlan


(12) Is this device attached to an ISP modem? If so where are the firewall rules??


IN SUMMARY
Please provide a detailed network diagram to show connectivity between devices........
and the Subnets/vlans expected.

I don't understand your ISP connection at all......
 
rgroothuis
Member Candidate
Topic Author
Posts: 126
Joined: Tue Sep 06, 2016 12:11 am

Re: Virtual WIFI and VLAN's - driving me crazy

Fri Nov 05, 2021 9:23 pm

I made the suggested changes, see config below, but still the wifi client doesn't get an IP address.

Explanation on the network config:
- VLAN101 and VLAN103 are for the wifi, one guest and one office wifi network.
- VLAN5 is for the devices/management network
- The ethernet/WAN interface has tagged data for VLAN5, VLAN101 and VLAN103.
- There are multiple DHCP servers on the network behind the ethernet1/WAN interface. The IP addresses for the various VLANs should come from that DHCP server.
- As this is not working, I've added for VLAN101 a DHCP server on the Mikrotik device, to see if that makes a difference (which it does not).
- So for VLAN101 there are now two DHCP servers, one on the main network and one on the Mikrotik device.
- That is the reason why you only see one DHCP server, I can add more but that doesn't change the situation as it is not working for WIFI VLAN101
- I agree with you that CAPSMAN makes it more complex, hence in the previous config it was already disabled. I'm already not using it anymore.

Below also a screenshot from the Winbox config.
Screenshot 2021-11-05 at 20.12.40.png
Again, what is strange is that the WIFI client is connected as I can see it in the registration tab page. But there is Leases record in the DHCP server tab page. My conclusion is therefore that somehow the WIFI client reach the DHCP server, or the reply from the DHCP server is not reaching the WIFI client.
# nov/05/2021 20:12:48 by RouterOS 6.48.1
# software id = TMGN-VZVM
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = 69A50578307F
/interface bridge
add ingress-filtering=yes name=bridge1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=outdoor mode=\
    ap-bridge ssid=vlan101 wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:30 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan3 ssid=\
    vlan103 vlan-id=101 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface vlan
add interface=ether1 name=vlan5 vlan-id=5
add interface=ether1 name=vlan101 vlan-id=101
add interface=ether1 name=vlan103 vlan-id=103
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.100-192.168.88.254
add name=dhcp_pool3 ranges=192.168.201.2-192.168.201.254
/ip dhcp-server
add address-pool=dhcp_pool3 disabled=no interface=vlan101 name=dhcp1
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=101
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan3 pvid=103
/ip neighbor discovery-settings
set discover-interface-list=WAN
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=101
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=103
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=5
/interface list member
add interface=ether1 list=WAN
add interface=vlan101 list=VLAN
add interface=vlan103 list=VLAN
add interface=vlan5 list=WAN
add interface=vlan5 list=VLAN
/interface wireless cap
set bridge=bridge1 caps-man-addresses=192.168.5.6 discovery-interfaces=vlan5 \
    interfaces=wlan1
/ip address
add address=192.168.201.1/24 interface=vlan101 network=192.168.201.0
/ip dhcp-client
add disabled=no interface=vlan5
/ip dhcp-server network
add address=192.168.201.0/24 dns-server=8.8.8.8 gateway=192.168.201.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add disabled=yes distance=1 dst-address=192.168.101.0/24 gateway=vlan101
add distance=1 dst-address=192.168.103.0/24 gateway=vlan103
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=WIFI01-Test
/system logging
add topics=dhcp
add topics=firewall
/tool mac-server
set allowed-interface-list=WAN
/tool mac-server mac-winbox
set allowed-interface-list=WAN
/tool sniffer
set file-name=capture filter-interface=all memory-limit=1000KiB
 
rgroothuis
Member Candidate
Topic Author
Posts: 126
Joined: Tue Sep 06, 2016 12:11 am

Re: Virtual WIFI and VLAN's - driving me crazy

Fri Nov 05, 2021 9:28 pm

When I check (Torch) the wlan1 interface, I see the DHCP request coming, see screenshot.
But the DHCP request is not on VLAN101, which I expect it should be. I believe that that is the reason why the WIFI client cannot reach the DHCP server.
Screenshot 2021-11-05 at 20.25.07.png
But I don't know how to fix this. The wlan1 interface is configured as "no tag" and VLAN ID = 1. So how and when is the VLAN101 tag being added to the wlan1 traffic so that it can reach the DHCP server on VLAN101?

Maybe this is where we should focus on fixing the problem?
 
rgroothuis
Member Candidate
Topic Author
Posts: 126
Joined: Tue Sep 06, 2016 12:11 am

Re: Virtual WIFI and VLAN's - driving me crazy

Fri Nov 05, 2021 10:56 pm

I've added the two VLANs created on the ethernet interface to the same bridge and now it seems to be working :-)

Despite the fact it is working, would this be the correct config?

This is the config:
# nov/05/2021 21:53:42 by RouterOS 6.48.1
# software id = TMGN-VZVM
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = 69A50578307F
/interface bridge
add ingress-filtering=yes name=bridge1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=outdoor mode=\
    ap-bridge ssid=vlan101 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=outdoor \
    mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:30 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan3 ssid=\
    vlan103 vlan-id=101 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface vlan
add interface=ether1 name=vlan5 vlan-id=5
add interface=ether1 name=vlan101 vlan-id=101
add interface=ether1 name=vlan103 vlan-id=103
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.100-192.168.88.254
add name=dhcp_pool3 ranges=192.168.201.2-192.168.201.254
/ip dhcp-server
add address-pool=dhcp_pool3 interface=vlan101 name=dhcp1
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=101
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan3 pvid=103
add bridge=bridge1 interface=vlan101 pvid=101
add bridge=bridge1 interface=vlan103 pvid=103
/ip neighbor discovery-settings
set discover-interface-list=WAN
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 untagged=wlan1 vlan-ids=101
add bridge=bridge1 tagged=ether1,bridge1 untagged=wlan3 vlan-ids=103
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=5
/interface list member
add interface=ether1 list=WAN
add interface=vlan101 list=VLAN
add interface=vlan103 list=VLAN
add interface=vlan5 list=WAN
add interface=vlan5 list=VLAN
/interface wireless cap
set bridge=bridge1 caps-man-addresses=192.168.5.6 discovery-interfaces=vlan5 \
    interfaces=wlan1
/ip address
add address=192.168.201.1/24 interface=vlan101 network=192.168.201.0
/ip dhcp-client
add disabled=no interface=vlan5
/ip dhcp-server network
add address=192.168.201.0/24 dns-server=8.8.8.8 gateway=192.168.201.1
/ip route
add distance=1 dst-address=192.168.101.0/24 gateway=vlan101
add distance=1 dst-address=192.168.103.0/24 gateway=vlan103
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=WIFI01-Test
/system logging
add topics=dhcp
add topics=firewall
/tool mac-server
set allowed-interface-list=WAN
/tool mac-server mac-winbox
set allowed-interface-list=WAN
/tool sniffer
set file-name=capture filter-interface=all memory-limit=1000KiB
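
A static check of the export above against the points raised earlier in the thread: mkx's single VLAN-aware bridge, and anav's bridge-VLAN checklist and config review. This is an added example, not part of the thread or any MikroTik tool; the rule names, the `mgmt_if` parameter and the `FIXED` export are constructed here, `AS_POSTED` is abbreviated from the config above, and VLAN 5 is taken as the management VLAN as the topic author describes.

```python
import re
import shlex

def parse_export(text):
    """Parse a RouterOS /export into (menu, verb, properties) tuples."""
    text = re.sub(r"\\\n\s*", "", text)  # join lines continued with a trailing "\"
    menu, items = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # menu path such as "/interface bridge port"
            menu = line
            continue
        verb, *rest = shlex.split(line)
        items.append((menu, verb, dict(t.split("=", 1) for t in rest if "=" in t)))
    return items

def audit(text, mgmt_if):
    """Return sorted (rule, subject) findings; mgmt_if is the management VLAN interface."""
    items = parse_export(text)
    def rows(menu, verb="add"):
        return [p for m, v, p in items if m == menu and v == verb]
    bridges = {p["name"]: p for p in rows("/interface bridge")}
    ports = {p["interface"] for p in rows("/interface bridge port")}
    members = {}
    for p in rows("/interface list member"):
        members.setdefault(p["list"], set()).add(p["interface"])
    findings = []
    if len(bridges) > 1:  # mkx: use a single VLAN-aware bridge
        findings.append(("multiple-bridges", ",".join(sorted(bridges))))
    for name, p in bridges.items():
        if p.get("vlan-filtering") != "yes":
            findings.append(("bridge-not-vlan-aware", name))
    for p in rows("/interface vlan"):
        if p["interface"] in ports:  # VLAN interface on ether1 instead of the bridge
            findings.append(("vlan-on-bridge-port", p["name"]))
        if p["name"] in ports:  # VLAN interface itself added as a bridge port
            findings.append(("vlan-interface-bridged", p["name"]))
    surfaces = {"/ip neighbor discovery-settings": "discover-interface-list",
                "/tool mac-server": "allowed-interface-list",
                "/tool mac-server mac-winbox": "allowed-interface-list"}
    for menu, key in surfaces.items():
        lists = [p[key] for p in rows(menu, "set") if key in p]
        chosen = lists[-1] if lists else "all"  # assumption: unset means unrestricted
        if members.get(chosen) != {mgmt_if}:
            findings.append(("mgmt-not-restricted", menu))
    return sorted(findings)

# Abbreviated from the export posted above (wireless, DHCP and routes omitted).
AS_POSTED = r"""
/interface bridge
add ingress-filtering=yes name=bridge1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=ether1 name=vlan5 vlan-id=5
add interface=ether1 name=vlan101 vlan-id=101
add interface=ether1 name=vlan103 vlan-id=103
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=101
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan3 pvid=103
add bridge=bridge1 interface=vlan101 pvid=101
add bridge=bridge1 interface=vlan103 pvid=103
/ip neighbor discovery-settings
set discover-interface-list=WAN
/interface list member
add interface=ether1 list=WAN
add interface=vlan5 list=WAN
/tool mac-server
set allowed-interface-list=WAN
/tool mac-server mac-winbox
set allowed-interface-list=WAN
"""

# Constructed: the same device laid out per the bridge-VLAN checklist (abbreviated).
FIXED = r"""
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan5 vlan-id=5
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=101
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan3 pvid=103
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=wlan1 vlan-ids=101
add bridge=bridge1 tagged=ether1 untagged=wlan3 vlan-ids=103
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=5
/interface list member
add interface=vlan5 list=BASE
/ip neighbor discovery-settings
set discover-interface-list=BASE
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
"""

if __name__ == "__main__":
    for label, export in (("as posted", AS_POSTED), ("corrected", FIXED)):
        print(label, audit(export, "vlan5"))
```

In the corrected layout only the management VLAN has a VLAN interface, and it sits on the bridge; the guest and office VLANs exist purely as bridge VLAN table entries, so neighbor discovery and MAC Winbox are reachable from VLAN 5 only.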
 
rgroothuis
Member Candidate
Topic Author
Posts: 126
Joined: Tue Sep 06, 2016 12:11 am

Re: Virtual WIFI and VLAN's - driving me crazy

Mon Nov 08, 2021 9:31 am

On one access point I've a working and stable solution using one bridge as recommended above (see config below). Next problem happens. When connecting a second access point to the switch, I add vlan5, vlan101 and vlan103 to the ether1 and vlan101 and vlan103 to the bridge (on the 2nd device) and I get the following error message:

vlan103: bridge port received packet with own address as source address (e4:8d:8c:72:d5:2e), probably loop

I've been reading on STP, RSTP and MSTP but I'm not sure if this is the solution to the problem. Any suggestions from somebody?

The VLAN's, ether1 and the bridge on the 1st AP all have the same MAC address. The VLAN's, ether1 and bridge on the 2nd AP have all the same but different MAC address compared to the 1st AP. Is this the correct configuration? Should all VLAN's etc not have their own MAC address?
# nov/08/2021 07:30:15 by RouterOS 6.48.1
# software id = TMGN-VZVM
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = 69A50578307F
/interface bridge
add ingress-filtering=yes name=bridge1 protocol-mode=mstp region-name=Test \
    vlan-filtering=yes
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=outdoor \
    mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan5 vlan-id=5
add interface=ether1 name=vlan101 vlan-id=101
add interface=ether1 name=vlan103 vlan-id=103
/interface list
add name=WAN
add name=VLAN
add name=BASE
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    profile1 supplicant-identity="" wpa2-pre-shared-key=geenwachtwoord
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=outdoor mode=\
    ap-bridge security-profile=profile1 ssid=vlan101 wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:72:D5:30 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan3 \
    security-profile=profile1 ssid=vlan103 vlan-id=101 wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=101
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan3 pvid=103
add bridge=bridge1 interface=vlan101 pvid=101
add bridge=bridge1 interface=vlan103 pvid=103
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 untagged=wlan1 vlan-ids=101
add bridge=bridge1 tagged=ether1,bridge1 untagged=wlan3 vlan-ids=103
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=5
/interface list member
add interface=ether1 list=WAN
add interface=vlan101 list=VLAN
add interface=vlan103 list=VLAN
add interface=vlan5 list=WAN
add interface=vlan5 list=VLAN
add interface=bridge1 list=LAN
/ip dhcp-client
add disabled=no interface=vlan5
/ip route
add distance=1 dst-address=192.168.101.0/24 gateway=vlan101
add distance=1 dst-address=192.168.103.0/24 gateway=vlan103
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=WIFI01-Test
/system logging
add topics=dhcp
add topics=firewall
/tool mac-server
set allowed-interface-list=WAN
/tool mac-server mac-winbox
set allowed-interface-list=WAN
/tool sniffer
set file-name=capture filter-interface=all memory-limit=1000KiB
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Virtual WIFI and VLAN's - driving me crazy

Mon Nov 08, 2021 7:19 pm

That's because your VLAN config is still a huge mess. It seems you managed to misunderstand all the suggestions by @anav and myself.

I suggest you reset the gear to defaults and start doing the VLAN stuff from scratch. First do the bridge stuff and show us the result for review. Forget about wireless (both CAPsMAN and local config) until you get ether ports, bridge and VLANs right.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WIFI and VLAN's - driving me crazy

Mon Nov 08, 2021 7:23 pm

Use this as a guide:
viewtopic.php?t=143620

Again, please provide a network diagram. I have no idea why you are trying to use DHCP with VLANs on this device and then pass them up through the WAN connection to god knows what?

If I were to guess, this WAPC is strictly supposed to be an access point/switch and thus should have very little setup other than wifi and bridge/VLANs.
What is before the WAP? Another MT router? An ISP router?
 
rgroothuis
Member Candidate
Topic Author
Posts: 126
Joined: Tue Sep 06, 2016 12:11 am

Re: Virtual WIFI and VLAN's - driving me crazy

Wed Nov 10, 2021 9:58 am

Looking back, I was making things more complicated than they should be. Indeed the VLAN config was not done correctly. Putting VLANs into a bridge on both APs caused looping problems as well. I reviewed the whole situation again, after a good night's sleep, started from scratch again and now I have a good and stable working solution. A solution with and without CAPsMAN.

Below is the current working config for the CAPsMAN and the CAPs client.

CAPSMAN:
# nov/10/2021 08:55:08 by RouterOS 6.48.1
# software id = TMGN-VZVM
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = 69A50578307F
/caps-man channel
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=Ce \
    frequency=5180,5200,5220,5240 name=5Ghz-Channels-40Mhz skip-dfs-channels=\
    yes
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412,2437,2462 name=2.4Ghz-Channels skip-dfs-channels=yes \
    tx-power=7
/caps-man datapath
add local-forwarding=yes name=datapath101 vlan-id=101 vlan-mode=use-tag
add local-forwarding=yes name=datapath103 vlan-id=103 vlan-mode=use-tag
/caps-man configuration
add channel=2.4Ghz-Channels datapath=datapath101 name=Test-2.4Ghz-Gast \
    ssid=Test
add channel=2.4Ghz-Channels datapath=datapath103 name=Test-2.4Ghz-Beheer \
    ssid=Test-Beheer
add channel=5Ghz-Channels-40Mhz datapath=datapath101 name=Test-5Ghz-Gast \
    ssid=Test
add channel=5Ghz-Channels-40Mhz datapath=datapath103 name=\
    Test-5Ghz-Beheer ssid=Test-Beheer
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=outdoor mode=ap-bridge ssid=MikroTik wireless-protocol=\
    802.11
/caps-man interface
add configuration=Test-2.4Ghz-Gast disabled=no l2mtu=1600 mac-address=\
    2C:C8:1B:5B:6F:B6 master-interface=none name=MikroTik-1 radio-mac=\
    2C:C8:1B:5B:6F:B6 radio-name=2CC81B5B6FB6
add configuration=Test-2.4Ghz-Beheer disabled=no l2mtu=1600 mac-address=\
    2E:C8:1B:5B:6F:B6 master-interface=MikroTik-1 name=MikroTik-1-1 \
    radio-mac=00:00:00:00:00:00 radio-name=2EC81B5B6FB6
/interface list
add name=WAN
add name=VLAN
add name=BASE
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    profile1 supplicant-identity="" wpa2-pre-shared-key=geenwachtwoord
/interface wireless
# managed by CAPsMAN
# channel: 2437/20/gn(5dBm), SSID: Test, local forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=outdoor mode=\
    ap-bridge security-profile=profile1 ssid=vlan101 wireless-protocol=802.11
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled comment="==>> 2.4Ghz WIFI Config" \
    hw-supported-modes=gn master-configuration=Test-2.4Ghz-Gast \
    name-format=identity name-prefix=cap- slave-configurations=\
    Test-2.4Ghz-Beheer
add action=create-dynamic-enabled comment="==>> 5Ghz WIFI Config" \
    hw-supported-modes=ac master-configuration=Test-5Ghz-Gast \
    name-format=identity name-prefix=cap- slave-configurations=\
    Test-5Ghz-Beheer
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge1 disabled=yes tagged=ether1,bridge1 untagged=wlan1 \
    vlan-ids=101
add bridge=bridge1 disabled=yes tagged=ether1,bridge1 untagged=*A vlan-ids=\
    103
add bridge=bridge1 disabled=yes tagged=bridge1,ether1 vlan-ids=5
/interface list member
add interface=ether1 list=WAN
add list=VLAN
add list=VLAN
add list=WAN
add list=VLAN
add interface=bridge1 list=LAN
/interface wireless cap
# 
set bridge=bridge1 caps-man-addresses=192.168.0.216 discovery-interfaces=\
    wlan1 enabled=yes interfaces=wlan1
/ip dhcp-client
add disabled=no interface=bridge1
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=WIFI01-Test
/system logging
add topics=dhcp
add topics=firewall
/tool mac-server
set allowed-interface-list=WAN
/tool mac-server mac-winbox
set allowed-interface-list=WAN
/tool sniffer
set file-name=capture filter-interface=all memory-limit=1000KiB

CAPs client:
# nov/10/2021 08:30:02 by RouterOS 6.47.9
# software id = WJ7F-ZQU9
#
# model = RBD23UGS-5HPacD2HnD
# serial number = CD4F0E556CB9
/interface bridge
add admin-mac=2C:C8:1B:5B:6F:B4 auto-mac=no name=bridge1
/interface wireless
# managed by CAPsMAN
# channel: 2462/20/gn(7dBm), SSID: WsvHelius, local forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no frequency=auto installation=\
    outdoor mode=ap-bridge ssid=vlan101-2
# managed by CAPsMAN
# channel: 5220/20-Ce/ac(17dBm), SSID: WsvHelius, local forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no frequency=auto \
    installation=outdoor mode=ap-bridge ssid=MikroTik-5B6FB7
add mac-address=2E:C8:1B:5B:6F:B6 master-interface=wlan1 mode=station name=wlan26
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge1 interface=ether1
/interface wireless cap
# 
set bridge=bridge1 caps-man-addresses=192.168.5.6 discovery-interfaces=bridge1 enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
add disabled=no interface=bridge1
/system clock
set time-zone-name=Europe/Amsterdam
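
Added example, not part of any poster's message and not MikroTik tooling: a small audit of a RouterOS export for the pattern in the earlier config, where vlan101 and vlan103 sit on ether1 and are also ports of bridge1, which already contains ether1. The function names are hypothetical and the sample is constructed from the relevant lines of that export.

```python
import shlex

# Constructed sample: the relevant lines of the earlier (looping) export in this thread.
SAMPLE_EXPORT = r"""
/interface bridge
add ingress-filtering=yes name=bridge1 protocol-mode=mstp region-name=Test \
    vlan-filtering=yes
/interface vlan
add interface=ether1 name=vlan5 vlan-id=5
add interface=ether1 name=vlan101 vlan-id=101
add interface=ether1 name=vlan103 vlan-id=103
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1
add bridge=bridge1 interface=vlan101 pvid=101
add bridge=bridge1 interface=vlan103 pvid=103
"""

def parse_export(text):
    """Return {menu path: [dict of key=value for each 'add' line]}."""
    menus, path, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # export wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):         # a menu path opens a new section
            path = line
        elif path and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            menus.setdefault(path, []).append(dict(pairs))
    return menus

def find_bridged_vlan_loops(text):
    """List (vlan, parent, bridge) where a VLAN interface and its parent port share a bridge."""
    menus = parse_export(text)
    port_bridge = {p["interface"]: p["bridge"] for p in menus.get("/interface bridge port", [])}
    findings = []
    for vlan in menus.get("/interface vlan", []):
        name, parent = vlan["name"], vlan["interface"]
        bridge = port_bridge.get(name)
        # The VLAN reaches the bridge twice: via the parent port and via the VLAN interface on it.
        if bridge and port_bridge.get(parent) == bridge:
            findings.append((name, parent, bridge))
    return findings

if __name__ == "__main__":
    print(find_bridged_vlan_loops(SAMPLE_EXPORT))
```

vlan5 is not reported because it is never added as a bridge port; removing the two `interface=vlan10x` bridge-port lines clears the findings.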
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Virtual WIFI and VLAN's - driving me crazy

Wed Nov 10, 2021 4:14 pm

CAP config is more or less fine with a couple of remarks:
  • /interface wireless cap
    set bridge=bridge1 caps-man-addresses=192.168.5.6 discovery-interfaces=bridge1 enabled=yes interfaces=wlan1,wlan2
    No need to configure the IP address of CAPsMAN, as it is located in the same L2 network and the CAPsMAN client can find it using broadcasts. This property has to be set if CAPsMAN is located in a different IP subnet and thus the CAP cannot find it automatically.
  • Currently the bridge acts as a dumb switch between the ether1, wlan1 and wlan2 ports, which in this case is more or less fine. However, if your CAP had multiple wired ports connecting different (untrusted) devices, it would be much better to configure VLANs on the CAP properly. The missing setup is pretty simple:
    /interface bridge vlan
    add bridge=bridge tagged=ether1 vlan-ids=101,103
    /interface bridge
    set [ find name=bridge] vlan-filtering=yes
    
    CAPsMAN provisioning takes care of setting VLAN properties for the wlan1 and wlan2 interfaces (and others, as each virtual AP gets its own interface). The code snippet above just makes sure the bridge interface never sees any tagged frames.

How are CAP and CAPsMAN connected? ether1 of the CAP connected to ether1 of the CAPsMAN? How does management work? The CAPsMAN only allows tagged frames on ether1 ingress (VLANs 101, 103 and 5, which is disabled) while the CAP requires untagged on ether1 for management (its IP address is set directly on the bridge interface). Actually the CAPsMAN device lacks all "logical" VLAN config (i.e. interfaces under /interface vlan) and IP config ... or is it only missing from the export?
