dashie
just joined
Topic Author
Posts: 8
Joined: Sat Jan 15, 2022 7:59 pm

hAP AC Lite with VLANs/ssid issue

Sat Jan 15, 2022 8:16 pm

I am trying to get one of the initial chains/SSIDs to work with a VLAN (I will have at least two other virtual ones with VLANs too after that), but I can't get it to work.

I have managed to make the admin interface/IP use a VLAN, but over wireless, nothing: no DHCP, and if I set an IP manually I can't even ping the gateway.

Any hints on what to try or change? My config:
# jan/15/2022 19:05:41 by RouterOS 7.1.1
#
# model = RB952Ui-5ac2nD

/interface bridge
add admin-mac=08:55:31:C1:9B:3A auto-mac=no comment=defconf ingress-filtering=no name=bridge vlan-filtering=yes

/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=france distance=indoors frequency=auto installation=indoor mode=ap-bridge name=5GHz ssid=MikroTik-C19B3E station-roaming=enabled wireless-protocol=802.11

/interface vlan
add interface=ether1 name=MGMT vlan-id=140
add interface=ether1 name=lan vlan-id=110

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface lte apn
set [ find default=yes ] ip-type=ipv4

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name="XXX1" supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=XXX2 supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name="XXX3" supplicant-identity=MikroTik

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=france disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name="XXX1 (2.4)" security-profile="XXX1" ssid="XXX1" station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled

/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks

/routing ospf instance
add name=default-v2

/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2

/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp,rest-api

/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface="XXX1 (2.4)" pvid=110
add bridge=bridge comment=defconf ingress-filtering=no interface=5GHz pvid=110

/ip neighbor discovery-settings
set discover-interface-list=all

/ip settings
set accept-redirects=yes max-neighbor-entries=8192

/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192

/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=140
add bridge=bridge tagged=ether1,bridge vlan-ids=110

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

/ip address
add address=192.168.40.4/24 interface=MGMT network=192.168.40.0

/ip dns
set allow-remote-requests=yes servers=192.168.40.1

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.40.1

/snmp
set contact=x@y enabled=yes location=Salon trap-version=2

/system clock
set time-zone-name=Europe/Paris

/system identity
set name=ap-home-01

/system ntp client
set enabled=yes

/system ntp client servers
add address=162.159.200.123
add address=62.210.244.146
 
dashie
just joined
Topic Author
Posts: 8
Joined: Sat Jan 15, 2022 7:59 pm

Re: hAP AC Lite with VLANs/ssid issue

Thu Jan 20, 2022 9:32 am

I had to redo the config from scratch since I didn't use Safe Mode and this hardware doesn't have a console port...
This time I tried to add:
- ether2 trunked (like ether1, which is the uplink)
- a virtual wlan on a guest VLAN
(note: the default/master will be used with a VLAN, but since there is no option for it, I guess the setup for this one should be different from the virtual wlan, which does have a VLAN setting?)

But unfortunately nothing is better.

I have kept some of the default config (default DHCP server and SSID) for now so I can sort of easily get back to it.

Also, from some of my observations: the IP address on the MGMT VLAN works only if the VLAN is associated with ether1 and not the bridge. I tried the virtual wlan with a VLAN tag, a service tag, or none; nothing changed.

Any ideas on what to try?
# jan/02/1970 00:44:31 by RouterOS 7.1.1
#
# model = RB952Ui-5ac2nD
/interface bridge
add admin-mac=08:55:31:C1:9B:3A auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="uplink; trunk"
set [ find default-name=ether2 ] comment="old AP; trunk"
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
    country=france disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge name=5G ssid=MikroTik-C19B3E wireless-protocol=802.11
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=france disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge name="lan (2.4G)" ssid=MikroTik-C19B3F \
    wireless-protocol=802.11
/interface vlan
add interface=ether1 name=MGMT vlan-id=140
add interface=ether1 name=guest vlan-id=120
add interface=ether1 name=iot vlan-id=130
add interface=ether1 name=lan vlan-id=110
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=0A:55:31:C1:9B:3F \
    master-interface="lan (2.4G)" multicast-buffering=disabled name=\
    "guest (2.4G)" ssid=guest vlan-id=120 vlan-mode=use-tag wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface="lan (2.4G)"
add bridge=bridge comment=defconf interface=5G
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge tagged=ether1,ether2 vlan-ids=140
add bridge=bridge tagged=ether2,ether1 vlan-ids=110
add bridge=bridge tagged="ether1,bridge,ether2,guest (2.4G)" vlan-ids=120
add bridge=bridge tagged=ether1,ether2 vlan-ids=130
/interface list member
add comment=defconf disabled=yes interface=bridge list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.40.4/24 interface=MGMT network=192.168.40.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.40.1 routing-table=main \
    suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
erlinden
Forum Guru
Posts: 1953
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: hAP AC Lite with VLANs/ssid issue

Thu Jan 20, 2022 10:03 am

A good start for using VLANs is this tutorial:
viewtopic.php?f=23&t=143620
 
dashie
just joined
Topic Author
Posts: 8
Joined: Sat Jan 15, 2022 7:59 pm

Re: hAP AC Lite with VLANs/ssid issue

Thu Jan 20, 2022 1:32 pm

Thank you, I managed to make it work using one of the tutorials.

Here is my config (main IP through the MGMT VLAN, three SSIDs each with a dedicated VLAN, and two trunked ports: ether1 and ether2):
/interface bridge
add admin-mac=08:55:31:C1:9B:3A auto-mac=no comment=defconf name=bridge protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge name=MGMT vlan-id=140
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=TRUNKS
add name=Management
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=lan supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=iot supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=france disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name="lan (2.4)" security-profile=lan ssid=lan wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=france disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name="lan (5)" security-profile=lan ssid=lan wireless-protocol=802.11
add disabled=no mac-address=0A:55:31:C1:9B:40 master-interface="lan (2.4)" name="guest (2.4)" security-profile=guest ssid=guest
add disabled=no mac-address=0A:55:31:C1:9B:41 master-interface="lan (5)" name="guest (5)" security-profile=guest ssid=guest wds-default-bridge=bridge wps-mode=disabled
add disabled=no mac-address=0A:55:31:C1:9B:3F master-interface="lan (2.4)" name="iot (2.4)" security-profile=iot ssid=iot
add disabled=no mac-address=0A:55:31:C1:9B:3E master-interface="lan (5)" name="iot (5)" security-profile=iot ssid=iot wds-default-bridge=bridge wps-mode=disabled
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface="lan (2.4)" pvid=110
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface="lan (5)" pvid=110
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface="guest (2.4)" pvid=120
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface="iot (2.4)" pvid=130
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface="guest (5)" pvid=120
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface="iot (5)" pvid=130
/ip neighbor discovery-settings
set discover-interface-list=Management
/interface bridge vlan
add bridge=bridge tagged=ether1,ether2 vlan-ids=110
add bridge=bridge tagged=ether1,ether2 vlan-ids=120
add bridge=bridge tagged=ether1,ether2 vlan-ids=130
add bridge=bridge tagged=bridge,ether1,ether2 vlan-ids=140
/interface list member
add interface=ether1 list=TRUNKS
add interface=ether2 list=TRUNKS
add interface=MGMT list=Management
/ip address
add address=192.168.40.4/24 interface=MGMT network=192.168.40.0
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.40.1 routing-table=main suppress-hw-offload=no
/system identity
set name=ap-home-01
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
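Compared with the first two exports, this working one makes ether1 and ether2 bridge ports (earlier the bridge VLAN table referenced ether1 although it was never added to the bridge), puts the MGMT VLAN interface on the bridge instead of ether1, and keeps the bridge tagged in VLAN 140 so the router's own IP stays reachable. As an added example (not from this thread or from MikroTik), here is a small Python lint that parses a RouterOS export and flags exactly those three conditions; the BROKEN and FIXED samples are constructed, cut-down versions of the first and last exports posted above.

```python
import shlex

def parse_export(text):
    """Parse a RouterOS '/export' into (section, {key: value}) records, joining backslash continuations."""
    records, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # value continues on the next line
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):           # menu path, e.g. /interface bridge vlan
            section = line
            continue
        kv = dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)  # keeps "lan (2.4)" whole
        records.append((section, kv))
    return records

def lint_bridge_vlans(text):
    """Findings for the three mistakes the thread turned on (one vlan-id per table entry assumed)."""
    recs = parse_export(text)
    bridges = {kv["name"] for s, kv in recs if s == "/interface bridge" and kv.get("vlan-filtering") == "yes"}
    ports = {kv["interface"] for s, kv in recs if s == "/interface bridge port"}
    findings, tagged_by_vid = [], {}
    for s, kv in recs:
        if s != "/interface bridge vlan":
            continue
        vid = kv.get("vlan-ids")
        tagged_by_vid.setdefault(vid, set()).update(kv.get("tagged", "").split(","))
        members = [m for key in ("tagged", "untagged") for m in kv.get(key, "").split(",") if m]
        for member in members:              # 1. every member must be the bridge or a bridge port
            if member not in bridges and member not in ports:
                findings.append(f"VLAN {vid}: '{member}' is in the VLAN table but is not a bridge port")
    for s, kv in recs:
        if s != "/interface vlan":
            continue
        name, parent, vid = kv.get("name"), kv.get("interface"), kv.get("vlan-id")
        if parent in ports:                 # 2. VLAN interface hangs off a member port
            findings.append(f"VLAN interface '{name}' sits on bridge port '{parent}', not on the bridge")
        elif parent in bridges and parent not in tagged_by_vid.get(vid, set()):
            findings.append(f"VLAN interface '{name}': '{parent}' is not tagged for vlan-ids={vid}")  # 3. no CPU path
    return findings

BROKEN = """/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=ether1 name=MGMT vlan-id=140
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=140"""
FIXED = """/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=MGMT vlan-id=140
/interface bridge port
add bridge=bridge interface="lan (2.4)" pvid=110
add bridge=bridge interface=ether1
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=140"""
```

Run `lint_bridge_vlans(open("export.rsc").read())` against a real `/export` to get the same findings for a live device.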
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP AC Lite with VLANs/ssid issue

Thu Jan 20, 2022 2:26 pm

To be clear, is your MT device a ROUTER, or is there a router upstream and in effect you are using this device as an access point (or AP/switch)?
What is connected to ether1 and ether2?

Assuming it's not a router but a simple AP/switch:

/interface bridge
add admin-mac=08:55:31:C1:9B:3A auto-mac=no comment=defconf name=bridge protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge name=MGMT vlan-id=140
NEED TO DEFINE THE OTHER VLANS HERE
/interface list
add name=Management {ONLY NEED ONE INTERFACE LIST}
/ip neighbor discovery-settings
set discover-interface-list=Management
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether2 vlan-ids=110
add bridge=bridge tagged=bridge,ether1,ether2 vlan-ids=120
add bridge=bridge tagged=bridge,ether1,ether2 vlan-ids=130
add bridge=bridge tagged=bridge,ether1,ether2 vlan-ids=140
/interface list member
add interface=MGMT list=Management {this is the only entry required}
/ip address
add address=192.168.40.4/24 interface=MGMT network=192.168.40.0 {this is the IP address of the device good}
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan {remove this from static settings not required}
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.40.1 routing-table=main suppress-hw-offload=no {required route - good}
/system identity
set name=ap-home-01
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=Management


The only other comment I would add is that on all the bridge ports you can also add ingress-filtering=yes, and for the two trunk ports, frame-types=only-allow-tagged...

What I would also consider doing (since you have two unused ports, 3 and 4):

Take port 4, it's already off the bridge, which is good, and follow this article so that you can always access the device OFF the bridge if something gets screwed up while configuring it normally, as you do.
viewtopic.php?t=181718
