We have a new CRS328-24P-4S+ in our office with a few APs. We need to setup several segregated wireless networks. I followed the guide on https://wiki.mikrotik.com/wiki/Manual:C ... Forwarding

We had an initial (non-VLAN) configuration, but I believe I successfully adopted the config in a way that it could coexists with the new VLANs / wireless networks - although it doesn't.

The current reality is that wireless networks can be discovered, clients can attach to them, but no traffic is getting through.

DHCP server definitely doesn't answer, but even if I assign a static IP on the client, the gateway cannot be seen.

I can ping the VLAN interfaces on the router from a client connected over untagged LAN.

Any hints where this could have gone wrong?

Attached an export hide-sensitive.

You are missing the Bridge-VLAN and the Bridge-Port PVID

Step 0: Untagged-Traffic
In your current Configuration, Untagged-Traffic will be assigned a default VLAN-ID of 1
This can be changed in the Bridge-Configuration or your can assign a Tag for each Port
individually via "/interface bridge port"

Exemple :




Step 1: Assign Bridge vlan
You also need to add VLAN-Filtering rules
Basic-Exemple :

Additional Information about VLAN`s

viewtopic.php?t=143620
https://help.mikrotik.com/docs/display/ ... NFiltering
https://help.mikrotik.com/docs/display/ROS/VLAN
https://help.mikrotik.com/docs/display/ ... VLAN+Table

FYI -> ether4_ap_pince isn´t assigned to the Bridge

Thank for the replies! I had the assumption that Capsman related ports doesn't have to be tagged.

So, basically, if I want to enable all wireless LANs on all AP's then I have to tag all VLANs on all ports where an AP is attached?

this one clearly breaks the configuration:

> add vlan-ids=1,10,20,30 tagged=bridge,ether2_ap_iroda_lelkeszi,ether3_ap_iroda_titkarsag,ether14_ap_out,ether18_sw_church untagged=ether9_ws_imsi,ether13_printer

... I'll experiment tonight a bit more

Tipp / Trick :
If you decide to segregate your Network with VLAN's,
I recommend you also have a Network / VLAN dedicated for a Administration-Network.
It's usually considered "Best-Practice" and add another Layer of security* to your Network.

You can then use this "Administration-Network" to Manage the CAP's / Wireless network via Capsman.
Depending on the extent or size of your Network, you may even want to create an own Network/VLAN for Capmans!

So, basically, if I want to enable all wireless LANs on all AP's then I have to tag all VLANs on all ports where an AP is attached?

Answer: If you want to access differnet VLAN via the Wireless, you will indeed have to configure the Switch-Port for all VLAN's (aka.Hybrid)

I'm a bit lost..

I'm fine with interfaces handling untagged traffic as before, so assigning VLAN 1 for untagged traffic is ok so far. Hence I suppose this below is not relevant for now.
For /interface bridge vlan there is no configuration now, I have a dynamic entry:



If I do
1. the good side: my untagged ports remain ok and wireless networks are there
2. the bad side: I cannot connect to any of the wireless netoeks

I need to tune this a bit I guess

You need to include the "bridge" in the Tagged-List...
If you don't , the "Device" can't communicate with the VLAN

Exemple:
add vlan-ids=10 tagged=bridge,ether2_ap_iroda_lelkeszi,ether3_ap_iroda_titkarsag,ether14_ap_out,ether18_sw_church bridge=bridge

Exemple:
add vlan-ids=10 tagged=bridge,ether2_ap_iroda_lelkeszi,ether3_ap_iroda_titkarsag,ether14_ap_out,ether18_sw_church bridge=bridge

I realized this approximately at the same time as you wrote it, hence the update of my previous post... but still no fun.

The Question is what is Working ?

Do the Devices in the Network get an IP-Address on any of the VLAN ?

Grrrrr, it is a client issue too... I'm connected remotely (over ZeroTier) to a Linux workstation, that has both wired and wireless interface. So basically when i configure something (connected over untagged ether port), I can check in an other terminal if wireless is working. And it was not... and I was super confused after a while, because the old wlan (untagged, to be deprecated) didn't work too. At that moment I got a bit scared, that would have meant, that nobody had wifi anymore, so looked at DHCP leases.. and I saw that a mobile was just offered with an IP... so it seemed to be ok. Then I reloaded the wireless cards kernel module on the workstation and tada the machine got an IP on the brand new `office` network! (`media` works too)

Nevetheless `hotspot` still fails, I guess there is something here with the security -- on the other hand this is something that needs to be looked that in connection with the /ip hotspot extension, since I would like to have there a captivity portal.

What I don't like at the moment that I can 'cross' ping the gateway of the various VLANs, eg. from office to media -- I'll need to look at how to put here some restrictions.

Many thanks for the help so far!

I'm glad it finally worked !


You will need some Foward Firewall-Rules to restric trafic between VLAN's
Be carefull not to Lock yourself out ! (maybe use Safe-Mode)

Be carefull not to Lock yourself out ! (maybe use Safe-Mode)

Yes definitely, Safe-Mode was/is my best friend in this whole activity It's really flaky to configure the router 1200km away, over a ZeroTier link to a workstation.