EuNTielamr
just joined
Topic Author
Posts: 2
Joined: Mon Nov 29, 2021 2:08 am

Cannot connect to guest wifi (VLAN) on cAP ac

Mon Nov 29, 2021 9:54 pm

Hello all

I am trying to configure a guest wifi on my cAP ac but sadly had no luck with it. I did manage to configure my main private wifi. Both are provided as tagged VLAN over eth1. However, clients are not able to connect to the guest wifi.

I already read quite a few threads in this forum regarding similar issues. I specifically looked into this post viewtopic.php?t=143620#p706999 and the attached config file but I must be missing something.

My cAP ac is currently configured from scratch after resetting without default configuration. I am trying to configure the VLANs the "new way" via the bridge ports. Here is some basic information about my network:
  • Ubiquiti router 10.0.0.1/24
  • Mikrotik cAP ac 10.0.0.30/24
  • VLAN infrastructure 10.0.0.0/24
  • VLAN private 10.10.0.0/24
  • VLAN guest 10.50.0.0/24

Here is the configuration.

# jan/02/1970 08:57:59 by RouterOS 6.48.3
# software id = MES7-EWHA
#
# model = RBcAPGi-5acD2nD
# serial number = <redacted>
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge \
    protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan_infrastructure vlan-id=2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    WIFI-PRIVATE supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    WIFI-GUEST supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=germany disabled=no mode=ap-bridge name=wlan_private_2ghz \
    security-profile=WIFI-PRIVATE ssid=WIFI-PRIVATE
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-XXXX \
    country=germany disabled=no mode=ap-bridge name=wlan_private_5ghz \
    security-profile=WIFI-PRIVATE ssid=WIFI-PRIVATE
add disabled=no keepalive-frames=disabled mac-address=<redacted> \
    master-interface=wlan_private_2ghz multicast-buffering=disabled name=\
    wlan_guest_2ghz security-profile=WIFI-GUEST ssid=WIFI-GUEST \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=<redacted> \
    master-interface=wlan_private_5ghz multicast-buffering=disabled name=\
    wlan_guest_5ghz security-profile=WIFI-GUEST ssid=WIFI-GUEST \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan_private_2ghz pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan_private_5ghz pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan_guest_2ghz pvid=50
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan_guest_5ghz pvid=50
/interface bridge vlan
add bridge=bridge tagged=ether1 vlan-ids=10
add bridge=bridge tagged=bridge,ether1 vlan-ids=2
add bridge=bridge tagged=ether1 vlan-ids=50
/ip address
add address=10.0.0.30/24 interface=vlan_infrastructure network=10.0.0.0
/ip route
add distance=1 gateway=10.0.0.1

Best regards
 
EuNTielamr
just joined
Topic Author
Posts: 2
Joined: Mon Nov 29, 2021 2:08 am

Re: Cannot connect to guest wifi (VLAN) on cAP ac  [SOLVED]

Tue Nov 30, 2021 11:34 am

Well, I solved the issue, it seems. Turns out I did not configure my router properly to have the guest VLAN 50 on the port connected to the AP. I thought I triple checked that but apparently always overlooked it. Silly me :)

Well if anyone finds anything to optimize in my config I will gladly take the advice. Thanks for dropping by.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cannot connect to guest wifi (VLAN) on cAP ac

Wed Dec 01, 2021 10:13 pm

Sure, how many vlans are involved?
I see home wifi and guest wifi; is the trusted vlan or management vlan the same as the home wifi?
Clue: the access point should have an IP address on the subnet of the trusted vlan.
I will assume vlan 2 is the trusted vlan.

(1) Missing vlans. You need to identify all the vlans on the capac, the ones coming from the router over the TRUNK PORT (carry vlans). Ether1 is a trunk port.

/interface vlan
add interface=bridge name=vlan_infrastructure vlan-id=2
add interface=bridge name=vlan_private vlan-id=10
add interface=bridge name=vlan_guest vlan-id=50


(2) Bridge ports look great!

(3) Bridge vlans Also GOOD!
/interface bridge vlan
add bridge=bridge tagged=ether1 vlan-ids=10
add bridge=bridge tagged=bridge,ether1 vlan-ids=2
add bridge=bridge tagged=ether1 vlan-ids=50

I prefer manually inserting the untagging to cross match my bridge ports and they show up when I print the config/export!!
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=2
add bridge=bridge tagged=ether1 untagged=wlan_private_2ghz,wlan_private_5ghz vlan-ids=10
add bridge=bridge tagged=ether1 untagged=wlan_guest_2ghz,wlan_guest_5ghz vlan-ids=50

(4) IP address Good!

(5) IP route Good!

(6) What I would add (to make winbox access the capac more easily from anywhere the admin is allowed to come from and go on the management network).

/interface list
add name=manage
/interface list member
add interface=vlan_infrastructure list=manage
/tool mac-server mac-winbox
set allowed-interface-list=manage

(7) Finally consider using ether2 for emergency access
-rename ether2 to ether2-emerg
-ensure NOT on bridge
-assign ip address 192.168.5.2 network 192.168.5.0

/interface list member
add interface=vlan_infrastructure list=manage
add interface=ether2-emerg list=manage

Now if the bridge connection ever screws up you can plug your laptop into ether2 using an IPv4 address of, let's say, 192.168.5.5 and gain full access to the capac.
If the capac is readily accessible, easy; if not, suggest when installing to run an ethernet wire from ether2 to somewhere more easily accessible.
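
The cross-match between bridge ports and bridge VLAN rows discussed in point (3) can be automated; the following is an added example, not part of any post in this thread. It parses RouterOS export text and reports access-port PVIDs that the trunk does not carry tagged, or that an explicit untagged list disagrees with. The function names, the constructed sample export and the one-VLAN-id-per-row simplification are assumptions.

```python
import re

# Constructed sample in RouterOS export style, reusing the thread's interface
# names; the VLAN 50 row lists the 2 GHz guest port twice on purpose.
SAMPLE_EXPORT = r"""
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan_private_2ghz pvid=10
add bridge=bridge interface=wlan_private_5ghz pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge interface=wlan_guest_2ghz pvid=50
add bridge=bridge interface=wlan_guest_5ghz pvid=50
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=2
add bridge=bridge tagged=ether1 untagged=wlan_private_2ghz,wlan_private_5ghz vlan-ids=10
add bridge=bridge tagged=ether1 untagged=wlan_guest_2ghz,wlan_guest_2ghz vlan-ids=50
"""

def parse_sections(export):
    """Return {menu path: [one {key: value} dict per 'add' line]}."""
    sections, path = {}, None
    text = re.sub(r"\\\r?\n\s*", "", export)  # join backslash-continued lines
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
            sections.setdefault(path, [])
        elif line.startswith("add ") and path:
            sections[path].append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return sections

def check_vlans(export, trunk="ether1"):
    """Cross-match access-port PVIDs with bridge VLAN rows (one id per row assumed)."""
    s = parse_sections(export)
    ports = {p["interface"]: int(p.get("pvid", 1)) for p in s.get("/interface bridge port", [])}
    table = {int(r["vlan-ids"]): r for r in s.get("/interface bridge vlan", [])}
    findings = []
    for port, pvid in sorted(ports.items()):
        if port == trunk:
            continue
        row = table.get(pvid)
        if row is None or trunk not in row.get("tagged", "").split(","):
            findings.append(f"VLAN {pvid} for {port} is not tagged on {trunk}")
        elif "untagged" in row and port not in row["untagged"].split(","):
            findings.append(f"{port} (pvid {pvid}) not in VLAN {pvid} untagged list")
    for vid, row in sorted(table.items()):
        for name in filter(None, row.get("untagged", "").split(",")):
            if ports.get(name) != vid:
                findings.append(f"VLAN {vid} untags {name}, whose pvid is {ports.get(name)}")
    return findings
```

Calling `check_vlans(SAMPLE_EXPORT)` flags the 5 GHz guest port that the duplicated name pushed out of the VLAN 50 untagged list. The check only covers the AP side; the upstream router port still has to carry the same VLAN ids tagged.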
