Community discussions

MikroTik App
 
bcollie
just joined
Topic Author
Posts: 10
Joined: Mon Jun 28, 2021 3:49 pm

ROAS+CRS+AP+VLANs

Fri Mar 04, 2022 12:54 pm

So far I haven't found a YT video that covers the network I am creating - hopefully my missing links in understanding will appear here from the Gurus.

Network structure:
RB4011 as ROAS
CRS328 as central switch
Several hAPacLite as switch + dual WLAN with multiple SSIDs - hAPacLites are connected to the CRS and managed by CAPsMAN on the RB4011
Various direct connected devices to other CRS ports

Aim:
Separation by VLAN/Firewall rules of WiFi traffic and other devices (direct connected to CRS)

Method:
VLANs for 'simple' devices on CRS ports, PC's, cameras, NAS, printers etc. - these should be 'straightforward' from what I have learned so far.
However I am starting with the 'hardest bits' first - assigning VLANs to the SSIDs off the hAPacLite devices.

Progress:
From the YT material, the CRS328 is THE place to set 'VLAN filtering' to 'On'.
Similarly, the VLAN table is needed for the CRS.

For ports with downstream hAPacLite, I see that the CRS only needs 'Tagged' ports.

However the hAPacLites need 'Tagged' on the Uplink to the CRS, and 'Untagged' on the WLAN or Virtual WLAN ports.

Challenge:
Big question is whether 'VLAN filtering' is needed to be "set=Yes" on the hAPacLites - I suspect not.

Grateful for any real world experiences/advice/configuration data.

Thank you.

Edit:
It looks like I did need to set 'VLAN filtering=On' in the hAPacLite.
Also, in CAPsMAN on the RB4011 router, I have to set 'VLAN Mode=use tag' for every 'CAP Interface' i.e. including all the virtual interfaces created for the multiple SSIDs.
I had already set the 'VLAN ID' appropriately for all these CAP Interfaces.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: ROAS+CRS+AP+VLANs  [SOLVED]

Fri Mar 04, 2022 3:55 pm

Configuring VLANs in ROS is pretty well covered in this tutorial. Study it, understand it, and if you still fail to implement things the way you wish, come back with concrete questions.

And my suggestion: as you're going the VLAN way ... have all traffic on links between LAN interface devices (RB4011, CRS328, APs) all tagged ... do the tagging/untagging on border interfaces ...
For WiFi clients these are wireless interfaes on APs ... being bridge members, configure wireless interfaces (both real and virtual) as bridge port members with appropriate PVIDs set. For wired clients that's appropriate switch ports (both on CRS and on APs if they are used as switch/AP combo).
 
Zacharias
Forum Guru
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: ROAS+CRS+AP+VLANs

Sat Mar 05, 2022 11:37 am

Also, helpful articles :
CapsMAN and VLANs: https://wiki.mikrotik.com/wiki/Manual:C ... with_VLANs
Bridge VLAN filtering and Management Access: https://help.mikrotik.com/docs/display/ ... NFiltering
Challenge:
Big question is whether 'VLAN filtering' is needed to be "set=Yes" on the hAPacLites - I suspect not.
No, there is no any real need to do that...

Who is online

Users browsing this forum: diasdm and 18 guests