charifch

Vlan configuration issue

Wed Mar 09, 2022 5:16 pm

Good morning,
I am running into a very weird problem. I have set up my MikroTik router with 2 VLANs and I am using port 2 to send the VLANs to another building through an Ethernet cable. In that building there is an unmanaged switch that distributes to 2 levels. On each of these levels I have a TP-Link multi-SSID AP (that deals with VLANs)... Please see the picture attached.
When I configure the multi-SSID AP with VLAN 10 and VLAN 100 and connect to VLAN 100 wirelessly, everything works fine except that I don't see the IoT devices connected to the unmanaged switch (NAS). If I replace the VLAN 100 number in the TP-Link multi-SSID AP with VLAN 1, I still get the same IP address and then I can see the NAS, printer, etc.
For wired clients plugged into the managed switch, like my PC, everything works fine also, and they can ping the NAS too.
Here is my config; please have a look and tell me what I am doing wrong.
Many thanks
Image link: https://domaineschefchaouni.synology.me ... r7gsFX8Wgk


# Address pools and DHCP servers: one per VLAN, plus the factory-default
# (defconf) 192.168.88.0/24 network that is served on the bridge itself.
/ip pool
add name=BASE_POOL ranges=192.168.0.100-192.168.0.254
add name=GUEST_POOL ranges=192.168.10.100-192.168.10.254
add name=dhcp_pool2 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
# NOTE(review): this server listens on BR1 (untagged bridge traffic); the
# thread never says whether a third, untagged network is intended.
add address-pool=dhcp_pool2 disabled=no interface=BR1 name=defconf
/queue simple
# Rate cap (upload/download) applied to the whole guest VLAN.
add max-limit=2M/4M name=Queue_GUESTVLAN target=GUEST_VLAN

# NOTE(review): the "/interface bridge port" section header is missing above
# this line (the export was trimmed); these are bridge port entries.
# ether2 (trunk to the other building), ether3 and ether5 carry the base
# network untagged (pvid=100); ether4 has no pvid set.
add bridge=BR1 ingress-filtering=yes interface=ether2 pvid=100
# Only ether3 restricts frame types; ether2 and ether5 have no frame-types
# setting, so tagged frames are admitted there.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=100
add bridge=BR1 interface=ether4
add bridge=BR1 ingress-filtering=yes interface=ether5 pvid=100
/ip neighbor discovery-settings
# Neighbor discovery answers on every interface not in the "dynamic" list,
# which can include WAN-facing ports; anav later in the thread suggests
# restricting this to the management (BASE) list.
set discover-interface-list=!dynamic
/interface bridge vlan
# VLAN 100 has no explicit untagged members here; ether2/3/5 are untagged
# members through their pvid=100 (mkx explains this further down).
add bridge=BR1 tagged=BR1 vlan-ids=100
# NOTE(review): ether2 and ether5 are untagged members of VLAN 10 while their
# pvid already makes them untagged in VLAN 100, so VLAN 10 leaves ether2
# without a tag and a tagged-VLAN-10 SSID on the AP cannot receive it. The
# later configs in this thread move ether2/ether5 to the tagged list here.
add bridge=BR1 tagged=BR1 untagged=ether5,ether2 vlan-ids=10
/interface list member
# BR1 itself is the only LAN member: firewall rules matching
# in-interface-list=LAN see the untagged defconf network, not the VLANs.
add interface=BR1 list=LAN
add interface=PPPoE-IAM list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=GUEST_VLAN list=VLAN
add interface=lte1 list=WAN
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=192.168.10.1/24 interface=GUEST_VLAN network=192.168.10.0
add address=192.168.88.1/24 comment=defconf interface=BR1 network=\
    192.168.88.0
/ip cloud
# Publishes the WAN address under a MikroTik DDNS name (the MyWANIP address
# list below resolves that name).
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
# NOTE(review): a DHCP client on untagged ether1 next to the PPPoE uplink;
# its purpose is not stated in the thread.
add interface=ether1

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
# Guest clients are handed the base-VLAN router address as DNS server; those
# queries reach the router's input chain via GUEST_VLAN and are accepted by
# the "Allow VLAN" rule.
add address=192.168.10.0/24 dns-server=192.168.0.1 gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# The router resolves for its clients. With allow-remote-requests=yes it
# answers on any interface the input chain admits, so the input-chain drop
# ahead of WAN traffic is what keeps this from being an open resolver.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# Resolves the router's own DDNS name to its WAN address; no rule in this
# export references the MyWANIP list.
add address=e1f10fac4c39.sn.mynetname.net list=MyWANIP
/ip firewall filter
# --- input chain (traffic to the router itself); rules match top-down ------
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
# Both VLANs get unrestricted access to every router service.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
# LAN contains only BR1 (the untagged defconf network), not the VLANs.
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
# Redundant: BASE_VLAN is already accepted by the "Allow VLAN" rule above.
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
# Terminal drop: everything from WAN ends here, and every defconf input rule
# further down (drop invalid, accept ICMP, loopback, drop !LAN) is unreachable.
add action=drop chain=input comment=Drop
# --- forward chain (traffic through the router) -----------------------------
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="LAN Internet Access" \
    connection-state=new in-interface-list=LAN out-interface-list=WAN
# One-way: base may reach guest; guest->base is never accepted and falls
# through to the final Drop below (intended isolation).
add action=accept chain=forward comment="Base VLAN Access to Guest VLAN" \
    in-interface=BASE_VLAN out-interface=GUEST_VLAN
# Admits the dst-nat'ed NAS ports from /ip firewall nat regardless of source.
add action=accept chain=forward comment="Allow forwarded ports" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# --- defconf rules, left in place after the custom ones --------------------
# Input: all five below sit behind the unconditional "Drop" and never match.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Ineffective here: established/related is already accepted by the first
# forward rule, so no packet ever reaches fasttrack.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# Reached only by invalid-state packets; earlier rules match new/established/
# related only.
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Final catch-all; anything not explicitly accepted (e.g. guest->base) drops.
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
# NOTE(review): as written this masquerades every base-VLAN connection whose
# destination is not the router itself (inter-VLAN traffic included), not
# only the hairpinned flows to the NAS; anav calls this format improper later
# in the thread.
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=\
    !192.168.0.1 src-address=192.168.0.0/24
# Port forwards to the NAS at 192.168.0.10. dst-address-type=local matches any
# address the router holds, the WAN side included, so each port below is
# reachable from the Internet and admitted by the forward chain's
# "Allow forwarded ports" rule. Keep this list to what is actually needed.
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=5000 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=80 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=5006 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=6690 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=5001 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=9025-9040 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=443 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=16881 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=32400 protocol=tcp to-addresses=192.168.0.10
# The only UDP forward; the others are all TCP.
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=1194 protocol=udp to-addresses=192.168.0.10
 
404Network

Re: Vlan configuration issue

Wed Mar 09, 2022 5:35 pm

You should be using a managed switch in the other building.
 
charifch

Re: Vlan configuration issue

Wed Mar 09, 2022 5:54 pm

Well... thank you for your reply, which is a natural one, but costly, as we have unmanaged switches that do work fine. I would just like to understand why I have to input VLAN 1 in the AP instead of 100 in order to be able to ping the VLAN 100 devices plugged into the unmanaged switches.
 
mkx

Re: Vlan configuration issue

Wed Mar 09, 2022 6:09 pm

The config you're showing is trimmed ... as things are often broken due to some unexpected setting, it is fair to the people willing to help to publish the complete setup, not only the part you think is important ...

/interface bridge port
add bridge=BR1 ingress-filtering=yes interface=ether2 pvid=100

/interface bridge vlan
# Quoted from the OP's export with ether2 written out as an untagged member of
# VLAN 100, which is what pvid=100 on the port above makes it implicitly.
add bridge=BR1 tagged=BR1 untagged=ether2 vlan-ids=100
add bridge=BR1 tagged=BR1 untagged=ether5,ether2 vlan-ids=10

The quoted part says that the router strips VLAN tags on egress for both VLAN ID 10 and 100 (the latter is an implicit untagged member of said VLAN in the vlan section shown above), and adds a VLAN tag with VID 100 to untagged frames on ingress.

So if you configure AP to use tagged VLAN 100, it won't accept packets from router since they will be untagged. And many vendors (including MT with default setup) use VLAN ID 1 as a placeholder for untagged ...

If you struggle (it seems you do) with VLAN setup, then study this tutorial.

BTW, using dumb switches isn't really breaking your LAN, but doesn't help either.
 
charifch

Re: Vlan configuration issue

Thu Mar 10, 2022 5:46 pm

Thank you very much for your reply.
Are you basically saying that there is nothing wrong with this configuration and I just have to use VLAN 1 in my AP configuration if I want to tag the VLAN 100 coming from the MikroTik?

Thanks
 
404Network

Re: Vlan configuration issue

Thu Mar 10, 2022 6:39 pm

Hmm, okay, let's ignore the unmanaged switch then and assume it is FULLY capable of passing VLAN tags. I would never assume this, which is why I don't advise using an unmanaged switch.
However, if you are going to send both VLANs to the switch then don't send them untagged. SEND THEM TAGGED, and hopefully the APs will also get them and handle them appropriately.
If the unmanaged switch cannot handle VLAN tags, then you are stuck with using a single subnet in that other building.

EXAMPLE...........
/interface bridge port
# Proposal: ether2 as a tagged-only trunk, ether3/ether5 as untagged VLAN 100
# access ports (frame-types plus ingress-filtering reject anything else).
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether2
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=100

/interface bridge vlan
# NOTE(review): "tagged=BR1,ether2,untagged=ether3,ether5" runs two parameters
# together with a comma; the form used elsewhere in this thread is
# "tagged=BR1,ether2 untagged=ether3,ether5".
add bridge=BR1 tagged=BR1,ether2,untagged=ether3,ether5 vlan-ids=100
add bridge=BR1 tagged=BR1,ether2 vlan-ids=10
 
tdw

Re: Vlan configuration issue

Thu Mar 10, 2022 7:19 pm

No! The OP has untagged devices attached to the unmanaged switch, the main network should remain untagged on the connection from the Mikrotik to the switch.

Whilst piggybacking a tagged network on top of this setup is not ideal, as all the regular attached devices will receive the VLAN-encapsulated packets, it will usually work as most unmanaged switches will pass all ethertypes, including 802.1Q VLAN.

The AP should connect its main SSID to untagged traffic and the secondary SSID to the tagged traffic with the appropriate VLAN ID.
 
404Network

Re: Vlan configuration issue

Thu Mar 10, 2022 8:40 pm

Okay understood!

ONLY ONE untagged subnet can be sent from the MikroTik device.
SO what you are saying is that ether2 is a hybrid port and VLAN 100 is the one that the other devices on the switch need access to.

EXAMPLE...........
/interface bridge port
# NOTE(review): bridge port entries take "interface=", as on the two lines
# below and in every other bridge port line in this thread; "in-interface="
# is a firewall matcher, not a bridge-port property.
add bridge=BR1 in-interface=ether2 pvid=100
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=100

/interface bridge vlan
# ether2 becomes a hybrid port: VLAN 100 untagged (native), VLAN 10 tagged.
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether5 vlan-ids=100
add bridge=BR1 tagged=BR1,ether2 vlan-ids=10
 
mkx

Re: Vlan configuration issue

Thu Mar 10, 2022 9:49 pm

The last config snippet by @404Network makes sense.
 
charifch

Re: Vlan configuration issue

Mon Mar 14, 2022 6:37 pm

Hi guys,
I have changed the config a bit as suggested. Every item which connects to one of the SSIDs gets its IP and access to the internet like it should, but you can access the NAS only if you put VLAN 1 instead of 100 in the AP's VLAN configuration. Any thought why it is behaving like that?

Thanks a lot
 
anav

Re: Vlan configuration issue

Mon Mar 14, 2022 6:42 pm

Two scenarios.
A. the NAS is vlan capable in which case it should be able to read the vlan traffic.

B. More likely it's not a smart device and thus will ONLY be able to see the untagged subnet, which is the one associated with VLAN 100.

C. The only device that will be able to read vlan10 is any smart device attached to the unmanaged switch,

E. Where the heck is vlan1 coming from ????
 
charifch

Re: Vlan configuration issue

Tue Mar 15, 2022 5:12 pm

Hi Anav thank you for your help but:
1) The NAS gets the correct IP address on VLAN 100 and connects to the internet, and everything works great. It is the wirelessly connected devices on the AP that do not see it.
2) Wirelessly connected devices (phones / laptops, etc.) get the correct subnet according to the SSID they connect to, with no worries.
3) VLAN 1 in the MikroTik is normally the one attached to BR1 but, bizarrely, when used in the AP it points to VLAN 100. When we use VLAN 100 in the AP config, we get a .0.x address but we don't see the NAS. When we use VLAN 1 in the AP config, we still get a .0.x address but we do see the NAS.
I am lost
Thanks
 
anav

Re: Vlan configuration issue

Tue Mar 15, 2022 6:42 pm

Of course, you are setting up the access point incorrectly.
Once past the MT, there is no VLAN 100; it's a basic flat subnet, and hiding in that traffic is also VLAN 10, which only VLAN-aware devices will see and can make use of.
So don't declare VLAN 100 on the access point; it doesn't exist external to it.

Start with that subnet for the associated WLAN, and then add VLAN 10 afterwards and attach it to the required WLAN.
 
charifch

Re: Vlan configuration issue

Wed Mar 16, 2022 7:57 pm

Thank you, so I have used 1 as the VLAN for the "MikroTik VLAN 100" in the AP configuration, and it seems to see the rest of the network now.
Regarding the ether2 or ether3 ports, they are defaulted to a 0.x address as per the config, but when I attach an AP to one of these ports, it happens that some applications have trouble running (but most work). Is it related to the untagged vs tagged traffic?
Example: if I connect to the AP with my phone on VLAN 1 (0.x address) everything works except, let's say, one application that communicates with the outside world (like a remote surveillance site). But if I connect to VLAN 10 on that AP, this same application works. As VLAN 10 traffic is tagged, I suspect this is causing the problem, but I'm just wondering.

Here is the config:
/interface bridge port
add bridge=BR1 ingress-filtering=yes interface=ether2 pvid=100
add bridge=BR1 ingress-filtering=yes interface=ether3 pvid=100
add bridge=BR1 interface=ether4
add bridge=BR1 ingress-filtering=yes interface=ether5 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
# NOTE(review): ether5 is listed as a *tagged* member of VLAN 100 while its
# pvid=100 above makes VLAN 100 the untagged/native VLAN of that port; the
# final config later in the thread moves ether5 to the untagged list.
add bridge=BR1 tagged=BR1,ether5 untagged=ether2,ether3 vlan-ids=100
add bridge=BR1 tagged=BR1,ether2,ether5 vlan-ids=10
/interface list member
# BR1 itself is the only LAN member; the VLAN interfaces are in VLAN/BASE.
add interface=BR1 list=LAN
add interface=PPPoE-IAM list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=GUEST_VLAN list=VLAN
add interface=lte1 list=WAN
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=192.168.10.1/24 interface=GUEST_VLAN network=192.168.10.0
add address=192.168.88.1/24 comment=defconf interface=BR1 network=\
    192.168.88.0
 
anav

Re: Vlan configuration issue

Wed Mar 16, 2022 8:56 pm

Change this
/interface bridge port
# Current line from the OP's config (ether2 trunk with ingress-filtering).
add bridge=BR1 ingress-filtering=yes interface=ether2 pvid=100
to this
/interface bridge port
# Only difference from the OP's line: ingress-filtering=yes is removed.
add bridge=BR1 interface=ether2 pvid=100
 
Buckeye

Re: Vlan configuration issue

Wed Mar 16, 2022 9:36 pm

Regarding the ether2 or ether3 ports, they are defaulted to a 0.x address as per the config, but when I attach an AP to one of these ports, it happens that some applications have trouble running (but most work). Is it related to the untagged vs tagged traffic?
Example: if I connect to the AP with my phone on VLAN 1 (0.x address) everything works except, let's say, one application that communicates with the outside world (like a remote surveillance site). But if I connect to VLAN 10 on that AP, this same application works. As VLAN 10 traffic is tagged, I suspect this is causing the problem, but I'm just wondering.
It would help if you explained what the "some applications" are that "have trouble running", and what the symptoms are. We are not mind readers.

My guess is that it is more likely to be an issue with a firewall (possibly on the device you are connecting to) that doesn't want to talk to a device outside its subnet, or that there is some protocol that expects to be on the same broadcast domain (mDNS) etc.

But you haven't posted a complete config. I see nowhere that you have /interface vlan add ...

If you want help, make it as easy as possible for the people trying to help. That means providing a network diagram, complete export, and an example of the error messages you are getting.

Read these two threads:
NEW USER POSTING FOR ASSISTANCE
Getting the most out of this forum
 
charifch

Re: Vlan configuration issue

Fri Mar 18, 2022 12:14 pm

Thank you very much Anav for your answer. Removing the ingress option apparently did not help. What I notice is that the issue happens on ether3 APs (which are only on VLAN 100) and on ether2 VLAN 100 APs (on VLAN 10 it works).
Do you have an idea why? Many thanks
 
anav

Re: Vlan configuration issue

Fri Mar 18, 2022 1:21 pm

My guess is the unmanaged switch is not fully capable of transmitting vlan tags in such a way that this all works..................
Other than that, paste the latest config of the router and the AP please.
 
tdw

Re: Vlan configuration issue

Fri Mar 18, 2022 1:39 pm

Unlikely. The OP states it is working with VLAN 10 which is tagged, but not with untagged traffic.
 
anav

Re: Vlan configuration issue

Fri Mar 18, 2022 3:23 pm

Have to see the configs in any case in their current state.
 
mkx

Re: Vlan configuration issue

Fri Mar 18, 2022 4:03 pm

My guess is the unmanaged switch is not fully capable of transmitting vlan tags in such a way that this all works..................

Usually switches that don't know anything about VLANs don't interfere with VLAN tags.
The only big problem that dumb switches might cause with VLAN-tagged frames is to drop them or truncate them ... remember, 802.1Q adds a 4-byte header and the usual full-size Ethernet frame grows from 1500 to 1504 bytes. If the L2 MTU of a switch isn't at least 1504 bytes, such a switch will experience a buffer overrun and will drop the frame, or it will simply strip the tail, which contains the 4-byte CRC/FCS, and the final receiver of such a truncated frame will not be able to check the CRC.

Other than that, the 802.1Q header doesn't interfere with a dumb switch, as it comes after the usual Ethernet header (which contains the source and destination MAC addresses) ... which is basically the only part of the Ethernet frame a dumb switch cares about.
 
Buckeye

Re: Vlan configuration issue

Fri Mar 18, 2022 10:21 pm

From OP
I am running into a very weird problem. I have setup my mikrotik router with 2 vlans and I am using Port 2 to send the vlans to another building throug ethernet cable. In that building there is an unmanaged switch that distributes to 2 levell. In each of these levels, I have a TPlink multi ssip AP (that deals with vlans)... Please see picture attached.
When I configure the multi ssid AP with vlan 10 and vlan 100 and connect to vlan100 wirelessly everything works fine except I dont see Iot devices connected to the unmanaged switch (NAS).
From later post
My guess is the unmanaged switch is not fully capable of transmitting vlan tags in such a way that this all works..................
Usually switches that don't know anything about VLANs don't interfere with VLAN tags.
This is a case where details matter. A VLAN-aware switch with all ports configured as access ports in the same VLAN (usually VLAN 1, but it really makes no difference) will not pass tagged frames, but as @mkx stated, a "dumb" non-VLAN-aware switch will.

My experience is that every "consumer plug and play, port expanding ethernet switch" made in the last 15 years will pass at least one Ethernet tag transparently (every consumer switch is pretty simple inside, if you have ever opened one: there's a dedicated switch ASIC and some transformers). And most have L2 MTU > 2000 (baby jumbo/giant), so they don't truncate L3 MTU packets even when multiple stacked VLAN tags are present.

On the other hand, I had an ASUS RT-N16 with Shibby Tomato firmware, and even though it didn't have VLANs "configured" it was not VLAN-transparent, because by default it had all 4 LAN ports configured as access ports in VLAN 1, and any Ethernet frame with 0x8100 in the ethertype field was filtered out (dropped).

The mention of "I dont see Iot devices connected to the unmanaged switch (NAS)", and the fact that many NAS devices do have vlan-aware switches makes anav's hypothesis worth considering.

At the switch ASIC level, most have the ability to be set to vlan-transparent mode, just like (I assume) the switches in MikroTik routers are probably vlan-transparent when vlan-filtering is not turned on (but I haven't specifically tested my hEX S).

@charifch, is it only the vlan-aware devices that are connected to other "switch" ports on the NAS that don't work with tagged vlan 10? (and note that if the packets are tagged, only vlan-aware devices will be able to use the tagged vlans directly).

What type of NAS device is it that has a built in switch?
 
charifch

Re: Vlan configuration issue

Sun Mar 20, 2022 12:22 am

Thank you guys for your insights. I cannot connect remotely to this office, so I will be passing on all the requested information on Monday morning. Have a very good weekend.
 
charifch

Re: Vlan configuration issue

Sun Mar 20, 2022 8:29 pm

Hi Guys,
Sorry for the late reply; so indeed on VLAN 10 everything seems to work just fine. The problem happens on the VLAN 100 untagged AP (ether3) and also on ether2 and ether5. Don't forget that on the ether2 port, which is configured as a trunk port, I had to configure the AP with VLAN 1 in order to see VLAN 100 items (Synology NAS, printers, etc.) wirelessly. I could not see these network elements if I used 100 as the VLAN ID in the TP-Link AP.

So regarding the AP configuration, it is quite simple: I am using 2 SSIDs (one with VLAN 1 that connects to VLAN 100, and another one with VLAN 10 that connects to VLAN 10 of the MikroTik).

Regarding the mikrotik configuration, here it is:
/interface lte
set [ find ] name=lte1
/interface bridge
# vlan-filtering=yes makes the bridge VLAN table authoritative for tagging;
# protocol-mode=none runs the bridge without (R)STP, so a loop through the
# unmanaged switches downstream would not be detected.
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
# Router-side L3 interfaces for the two VLANs (addresses and DHCP attach here).
add interface=BR1 name=BASE_VLAN vlan-id=100
add interface=BR1 name=GUEST_VLAN vlan-id=10
# ISP VLAN on ether1 that carries the PPPoE session below.
add interface=ether1 mtu=1492 name=vlan-IAM vlan-id=881
/interface pppoe-client
# Username apparently redacted by the poster.
add add-default-route=yes disabled=no interface=vlan-IAM name=PPPoE-IAM user=\
    xxxxxxxxxx
/interface list
add name=WAN
add name=LAN
add name=VLAN
add name=BASE
/interface lte apn
# APN apparently redacted by the poster.
add apn=xxxxxxxxx name="yyyyyyyyy"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=BASE_POOL ranges=192.168.0.100-192.168.0.254
add name=GUEST_POOL ranges=192.168.10.100-192.168.10.254
add name=dhcp_pool2 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
# Factory-default DHCP server, still active on untagged bridge traffic.
add address-pool=dhcp_pool2 disabled=no interface=BR1 name=defconf
/queue simple
# Rate cap (upload/download) applied to the whole guest VLAN.
add max-limit=2M/4M name=Queue_GUESTVLAN target=GUEST_VLAN
/system logging action
# Placeholder e-mail target; no logging rule in this export uses it.
add email-to=w@w name=email target=email
/interface bridge port
# ether2 and ether5 are hybrid ports (VLAN 100 untagged via pvid, VLAN 10
# tagged per the vlan table below); ether3 is VLAN 100 access only.
add bridge=BR1 ingress-filtering=yes interface=ether2 pvid=100
# anav's follow-up: add frame-types=admit-only-untagged-and-priority-tagged
# here so a tagged frame arriving from the ether3 AP is rejected.
add bridge=BR1 ingress-filtering=yes interface=ether3 pvid=100
# No pvid: untagged frames on ether4 presumably land in the bridge's default
# VLAN, i.e. the defconf 192.168.88.0/24 network on BR1.
add bridge=BR1 interface=ether4
# NOTE(review): unlike ether2/ether3, ingress-filtering is not enabled here.
add bridge=BR1 interface=ether5 pvid=100
/ip neighbor discovery-settings
# Discovery answers on every non-dynamic interface; anav suggests BASE only.
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether5 vlan-ids=100
add bridge=BR1 tagged=BR1,ether2,ether5 vlan-ids=10
/interface list member
# BR1 itself is the only LAN member (anav suggests removing this line): the
# firewall's in-interface-list=LAN rules match untagged bridge traffic only.
add interface=BR1 list=LAN
add interface=PPPoE-IAM list=WAN
add interface=BASE_VLAN list=VLAN
# BASE is the admin list anav's proposed input rules key on.
add interface=BASE_VLAN list=BASE
add interface=GUEST_VLAN list=VLAN
add interface=lte1 list=WAN
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=192.168.10.1/24 interface=GUEST_VLAN network=192.168.10.0
add address=192.168.88.1/24 comment=defconf interface=BR1 network=\
    192.168.88.0
/ip cloud
# Publishes the WAN address under a MikroTik DDNS name.
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
# NOTE(review): DHCP client on untagged ether1 next to the PPPoE uplink;
# purpose not stated in the thread.
add interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
# Guest clients use the base-VLAN router address for DNS; those queries hit
# the input chain via GUEST_VLAN and are accepted by the "Allow VLAN" rule.
add address=192.168.10.0/24 dns-server=192.168.0.1 gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# allow-remote-requests=yes turns the router into a resolver for anything the
# input chain admits; the input-chain drop ahead of WAN keeps it closed.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# DDNS name redacted by the poster; no rule in this export uses MyWANIP.
add address=.mynetname.net list=MyWANIP
/ip firewall filter
# --- input chain (traffic to the router); rules match top-down ------------
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
# Both VLANs get unrestricted access to every router service.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
# LAN holds only BR1 (untagged bridge traffic), so this does not cover VLANs.
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
# Redundant: BASE_VLAN is already accepted by "Allow VLAN" above.
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
# Terminal drop for the input chain: WAN traffic stops here, and the defconf
# input rules further down (drop invalid, accept ICMP, ...) never match.
add action=drop chain=input comment=Drop
# --- forward chain -----------------------------------------------------------
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="LAN Internet Access" \
    connection-state=new in-interface-list=LAN out-interface-list=WAN
# One-way: base may reach guest; guest->base falls to the final Drop.
add action=accept chain=forward comment="Base VLAN Access to Guest VLAN" \
    in-interface=BASE_VLAN out-interface=GUEST_VLAN
# Admits the dst-nat'ed NAS ports from /ip firewall nat regardless of source.
add action=accept chain=forward comment="Allow forwarded ports" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# --- defconf rules left after the custom ones; anav's reply reorders these --
# Input: all five below are behind the unconditional "Drop" and unreachable.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Ineffective here: established/related was already accepted by the first
# forward rule, so nothing reaches fasttrack.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# Reached only by invalid-state packets; earlier rules match new/established/
# related only.
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Final catch-all; anything not explicitly accepted (e.g. guest->base) drops.
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
# NOTE(review): this masquerades every base-VLAN connection whose destination
# is not the router itself (inter-VLAN traffic included), not only hairpinned
# flows to the NAS; anav calls this format improper in the next reply.
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=\
    !192.168.0.1 src-address=192.168.0.0/24
# Port forwards to the NAS at 192.168.0.10. dst-address-type=local matches any
# router address, the WAN side included, so every port listed here is reachable
# from the Internet and admitted by the forward chain's "Allow forwarded ports"
# rule. Keep this list to what is actually needed.
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=80,5000,443,5001,5006,6690,16881,32400 protocol=tcp \
    to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=9025-9040 protocol=tcp to-addresses=192.168.0.10
# The only UDP forward; all others are TCP.
add action=dst-nat chain=dstnat dst-address=!192.168.0.1 dst-address-type=\
    local dst-port=1194 protocol=udp to-addresses=192.168.0.10
/ip route
# Primary default route over PPPoE with gateway health check; the distance=2
# route is the fallback (presumably via the LTE side -- not stated here).
add check-gateway=ping distance=1 gateway=PPPoE-IAM
add distance=2 gateway=192.168.8.1

Thank you very much for your help
 
anav

Re: Vlan configuration issue

Sun Mar 20, 2022 11:41 pm

/ip neighbor discovery-settings
# Quoted from the OP; anav: set the list to BASE (management VLAN only).
set discover-interface-list=!dynamic
set to BASE

Nothing wrong with the bridge ports; the only thing I would do for ether3 is add ingress-filtering=yes and frame-types=admit-only-untagged-and-priority-tagged.
It looks like both ether2 and ether5 are hybrid ports?
/interface bridge vlan
# Quoted: ether2 and ether5 are untagged in VLAN 100 and tagged in VLAN 10,
# i.e. hybrid ports.
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether5 vlan-ids=100
add bridge=BR1 tagged=BR1,ether2,ether5 vlan-ids=10

Fix this
/interface list member
# Quoted from the OP with anav's inline note in braces (not RouterOS syntax):
# the bridge itself should not be a LAN member.
add interface=BR1 list=LAN {remove this line not required}
add interface=PPPoE-IAM list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=GUEST_VLAN list=VLAN
add interface=lte1 list=WAN

Not sure why you insist on repeating mistakes and not following directions.
Be it duplicates in firewall rules, improper hairpin NAT format, etc.
/ip firewall filter
# Quoted input chain from the OP's export; the critique that follows covers
# the missing drop-invalid/accept-ICMP rules and the redundant accepts.
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
What does this accomplish? First, you are missing the two default rules after the allow established:
- drop invalid
- accept ICMP
+++++++++++++++++++++++
Then you allow both the home and guest VLANs full access to the router; okay for initial setup, but you can do better.
Then you allow LAN full access, but THERE ARE NO MEMBERS OF the interface list LAN, so it's really not all that useful, is it.
Then you
Then you allow BASE VLAN to the router, but you already did, and thus this is redundant.
If you don't understand basic firewall rules and the order of matching, you really need to slow down.


What you want to do is ONLY allow the admin to the router, probably for configuration through WinBox.
SO after the first 3 default rules. THESE ONES:
# Default (defconf) input rules that should come first, in this order.
# 1. Accept replies to connections the router already tracks; "untracked" covers packets
#    exempted from connection tracking (e.g. by a raw-chain notrack rule).
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# 2. Drop packets that belong to no known connection BEFORE any broad accept rule;
#    otherwise the per-interface accepts that follow would let them through.
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# 3. Accept ICMP. Note this matches on any interface, WAN included (the RouterOS default);
#    add in-interface-list if that is not wanted.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp


Then add admin access to the router........
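# Admin access only: Winbox from the BASE (admin) VLAN, and only from listed admin devices.
# dst-port needs a protocol and a numeric port; 8291 is the RouterOS default for Winbox
# (check /ip service if it was changed). Place this after drop-invalid and before the final drop.
add chain=input action=accept in-interface-list=BASE protocol=tcp dst-port=8291 src-address-list=authorized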
*** authorized is an /ip firewall address-list of admin devices on vlan100: admin desktop, laptop, iPad, iPhone etc. Give those devices static DHCP leases, otherwise the list entries stop matching as soon as a lease changes.

Then add user access for ONLY the services all users need.
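# Services every client needs from the router itself: DNS over UDP and TCP, from the VLANs only.
# Anything else (Winbox, SSH, www, API) falls through to the final input drop, guest VLAN included.
add chain=input action=accept in-interface-list=VLAN protocol=udp dst-port=53
add chain=input action=accept in-interface-list=VLAN protocol=tcp dst-port=53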

Now on the authorized list if you have an off bridge access on ether4, then add ether4 to the base interface list (and remove from bridge).


+++++++++++++++++++++++++++++++++++++++

As for the forward chain clean that up and this is what should be left.
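# Forward chain, cleaned up. The two IPsec rules stay: DISABLE them if IPsec is not in use,
# do not remove them (defconf places them before fasttrack so IPsec-policy traffic is not fasttracked).
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Fasttrack established/related. NOTE(review): fasttracked packets bypass the remaining filter
# rules, mangle and simple queues, so the 2M/4M Queue_GUESTVLAN will not shape most guest
# traffic while this rule is active - exclude GUEST_VLAN from it if the queue matters.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# Drop invalid before any of the broad accept rules that follow.
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid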

# Forward policy after the defconf rules: everything not accepted here is dropped at the end,
# so GUEST -> BASE is blocked simply by having no accept rule for it.
add action=accept chain=forward comment="VLAN Internet Access" in-interface-list=VLAN out-interface-list=WAN
# One-way: BASE may reach GUEST; the reverse direction relies on the final drop.
add action=accept chain=forward comment="Base VLAN Access to Guest VLAN" \
in-interface=BASE_VLAN out-interface=GUEST_VLAN
# Accepts any connection that was dst-nat'ed (port forwards). NOTE(review): no in-interface-list=WAN
# match here, so a guest client reaching a forwarded BASE service via the public address would also
# be accepted if a dstnat rule matches it; add in-interface-list=WAN if that must not be possible.
add action=accept chain=forward comment="Allow forwarded ports" \
connection-nat-state=dstnat
add action=drop chain=forward comment=Drop


The sourcnat rule
# NOTE(review): as written (dst-address negated) this matches BASE traffic leaving its own subnet,
# e.g. toward GUEST_VLAN or WAN, and NOT BASE-to-BASE traffic. A hairpin-NAT rule normally matches
# src-address=192.168.0.0/24 AND dst-address=192.168.0.0/24, so that a LAN client reaching a
# port-forwarded LAN server via the public address gets its source rewritten. Confirm the "!" is
# intended; masquerading BASE->GUEST also hides the real source address from guest-side logs.
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=\
!192.168.0.0/24 src-address=192.168.0.0/24
 
Buckeye

Re: Vlan configuration issue

Mon Mar 21, 2022 8:16 am

Photo from OP so it is easier to reference.
charifch_photo_2022-03-09_12-29-07.jpg
And how I interpret your config from this post
charifch_20220320_bridge_config.png

How do you know you have your TP-Link set up correctly?

It still isn't clear what isn't working. You say that things connected to vlan 10 via wireless work correctly, but for vlan 100 (the "native" vlan on your hybrid trunk connected to the dumb switch) something (what exactly?) is not working. Does the TP-Link wireless have a "client isolation" or "guest" mode that limits what it can access? UniFi access points do have such a feature, and if you want things on the SSID to be able to communicate with each other, you must turn that feature off.

Some troubleshooting steps:

Plug two PC into the dumb switch. Verify that each PC can ping the other one connected to the same dumb switch. This is to confirm that windows is able to respond to ping from the same subnet. Note the TTL reported by ping.

Move one of the PCs to ether3 of the router. The PC should get the same address it had before. Verify that each PC can ping the other. The TTL should be the same (it shouldn't be going through the router, it is a layer 2 connection).

From a device connected to the SSID associated with the BASE vlan, verify you get an ip address in the 192.168.0.0/24 network, and that you can ping the a PC connected to either ether3 or the dumb switch. If you can connect with a wireless connection from one of the same PC's that would be the best test, as fewer variables. The ping TTL should be the same (if pinging the same device).

If that does not work, then it is most likely you have a configuration problem in the wifi setup.

If you configure bridge port 4 as an access port for vlan 10 instead of vlan 1 as it currently is, then you should be able to connect a PC to ether4, and then see if you can access the things you expect to be able to access from the "guest" vlan. If it works there correctly, but not when you connect to the TP-Link guest SSID, then there is a configuration error in the TP-Link wireless access point setup. You are essentially using the bridge to untag vlan 10 for your PC so it can access vlan 10 with a wired connection. You have to connect directly to the Router (not the dumb switch) because you are using vlan 100 as the native vlan on the switch, and the PC doesn't know how to deal with IEEE 802.3 tagged ethernet frames (which vlan 10 are on the switch, and since it is a dumb switch, it can't change anything related to vlans, it isn't even aware of them, it is just passing ethertype 0x8100 protocol frames straight though just like it does with other enthertypes like 0x0800 (IP) or 0x0806 for ARP, etc.).

To change ether4 from vlan 1 access port to vlan 10 access port:

First backup your config and save off your router to your PC. Also save latest full export

Then assuming the config you posted is still the same from a connection not on ether4 make the following changes:
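# ether4 becomes an access port for VLAN 10. "set" needs the item selected (by number or [find ...]);
# adding frame-types=admit-only-untagged-and-priority-tagged as well makes it a pure access port.
/interface bridge port set [find interface=ether4] ingress-filtering=yes pvid=10
/interface bridge vlan
# Add ether4 as an untagged member of VLAN 10; the tagged members are unchanged.
set [find bridge=BR1 vlan-ids=10] tagged=BR1,ether2,ether5 untagged=ether4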
Then when you plug a PC into ether4, it should get an address from vlan 10 (192.168.10.0/24) and will be "connected to vlan 10".
 
charifch

Re: Vlan configuration issue

Mon Mar 21, 2022 9:12 pm

Hi guys,
I will take time tomorrow to implement the advised changes from Anav and get back to you.
I have been able to do the requested tests from buckeye. Here are the answers:

How do you know you have your TP-Link set up correctly? (Every device that connects to any of SSids of the TPLINK gets the correct subnet, only issue was when using vlan 100 on tplink NAS , printer,,,etc was not visible, though when using vlan1, everything is visible)

It still isn't clear what isn't working. You say that things connected to vlan 10 via wireless work correctly, but for vlan 100 (the "native" vlan on your hybrid trunk connected to the dumb switch) something (what exactly?) is not working. Does the TP-Link wireless have a "client isolation" or "guest" mode that limits what it can access? UniFi access points do have such a feature, and if you want things on the SSID to be able to communicate with each other, you must turn that feature off.

Only checked option is wmm and short GI o TPlink. What does not work actually is an application that controls a door in another site.

Some troubleshooting steps:

Plug two PC into the dumb switch. Verify that each PC can ping the other one connected to the same dumb switch. This is to confirm that windows is able to respond to ping from the same subnet. Note the TTL reported by ping.

Move one of the PCs to ether3 of the router. The PC should get the same address it had before. Verify that each PC can ping the other. The TTL should be the same (it shouldn't be going through the router, it is a layer 2 connection).

For ether 2 3 and 5 each of the phones sees each other and TTLs are similar. They do not get the same address when you move from one access point to another though because the lease is being blocked by the router for 10 minutes. I have done a wireless test on a AP plugged on the dumb switch.

From a device connected to the SSID associated with the BASE vlan, verify you get an ip address in the 192.168.0.0/24 network, and that you can ping the a PC connected to either ether3 or the dumb switch. If you can connect with a wireless connection from one of the same PC's that would be the best test, as fewer variables. The ping TTL should be the same (if pinging the same device).

This works

If that does not work, then it is most likely you have a configuration problem in the wifi setup.
Regarding anav question, the ether 2 is an hybrid port connected to a switch that widens the network to other APs. The ether 5 is directly connected to a multi ssid AP (with vlan 10 and vlan 100), maybe there is a more elegant way to implement it.
 
Buckeye

Re: Vlan configuration issue

Mon Mar 21, 2022 10:09 pm

What does not work actually is an application that controls a door in another site.
Does the application work correctly from a PC with wired connection to the dumb switch (and its wifi if any turned off)?

A: application does work from wired connection, but not from wireless connection to "vlan 100"
B: application does not work from either wired connection or wireless connection to "vlan 100"
C: neither of the above (specify where application does work and where it does not)

Choose one of A, B or C. If C more explanation is needed.
 
anav

Re: Vlan configuration issue

Mon Mar 21, 2022 11:22 pm

Can you tell me what model of TP LINK and also provide a network diagram to show what the TPLink is connected to physically and vlans.........
 
chechito

Re: Vlan configuration issue

Tue Mar 22, 2022 4:25 pm

Thank you very much for your reply.
Are you basically saying that there is nothing wrong with this configuration and I just have to use VLAN 1 in my AP configuration if I want to tag the VLAN 100 coming from the MikroTik?

Thanks

i think using vlans without manageable equipment does not make too much sense
 
charifch

Re: Vlan configuration issue

Tue Mar 22, 2022 9:09 pm

Can you tell me what model of TP LINK and also provide a network diagram to show what the TPLink is connected to physically and vlans.........
HI Anav,
TPlink model is TL-WA901ND

Image

Image link: https://domaineschefchaouni.synology.me ... LBgJpGOYwk
 
charifch

Re: Vlan configuration issue

Tue Mar 22, 2022 9:22 pm

What does not work actually is an application that controls a door in another site.
Does the application work correctly from a PC with wired connection to the dumb switch (and its wifi if any turned off)?

A: application does work from wired connection, but not from wireless connection to "vlan 100"
B: application does not work from either wired connection or wireless connection to "vlan 100"
C: neither of the above (specify where application does work and where it does not)

Choose one of A, B or C. If C more explanation is needed.
HI Buckeye, application is android or iphone app. It works on tablets and phone and i am still wondering how to install it on a pc in order to do the test in a wired way. I will check how to do this and let you know.
Thanks
 
Buckeye

Re: Vlan configuration issue

Wed Mar 23, 2022 2:18 am

HI Buckeye, application is android or iphone app. It works on tablets and phone and i am still wondering how to install it on a pc in order to do the test in a wired way. I will check how to do this and let you know.
Does the application work from the Android when connected to either SSID? (the one on vlan 10 (guest) or vlan 100 (untagged) vlan?

Does it work when connected to your mobile data plan?
 
Buckeye

Re: Vlan configuration issue

Wed Mar 23, 2022 2:25 am

i think using vlans without manageable equipment does not make too much sense
While I agree that using vlans "because you can" is not a good reason, my understanding is that the TP-Link access point requires multiple vlans to support multiple SSIDs.
 
Buckeye

Re: Vlan configuration issue

Wed Mar 23, 2022 5:22 am

TPlink model is TL-WA901ND
For some reason, your images don't display for me. So reproduced here.
charifch_20220322_5_AP_2_SSID_dumb_switch.png
See page 28 of TL-WA901ND/TL-WA801ND User Guide

If I am reading that correctly, the ethernet of the access point is expecting the vlans associated with SSIDs to all be tagged. But evidently the management interface itself is untagged and it isn't obvious how it is done internally, because you can evidently configure any vlan between 1-4095 to be associated with each SSID.

But if that is a requirement, I don't think you are going to be able to use the dumb switch as your connection to the access point. You will need to use a link from the MikroTik router to the TL-WA901ND and configure both vlan10 and vlan100 as tagged on that port, and you also want vlan100 to be usable by your non-vlan aware devices. If you had vlan aware switches it would work easily.

To see if this would work, you can reconfig the ether4 port (I don't think it is currently being used)

Idea here is to set ether4 with tagged 10 and 100 and untagged PVID1

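# Make ether4 a tagged member of both VLANs (test trunk toward the TP-Link). "set" needs the item
# selected, by number or [find ...]; untagged frames on ether4 keep falling into its PVID (1).
/interface bridge vlan set [find bridge=BR1 vlan-ids=100] tagged=BR1,ether4 untagged=ether2,ether3,ether5
/interface bridge vlan set [find bridge=BR1 vlan-ids=10] tagged=BR1,ether2,ether4,ether5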

after changing your vlan config portion would look like this

/interface bridge port
# Assumes BR1 has vlan-filtering=yes (not shown in this excerpt); without it the VLAN table below is ignored.
add bridge=BR1 ingress-filtering=yes interface=ether2 pvid=100
add bridge=BR1 ingress-filtering=yes interface=ether3 pvid=100
# ether4: no pvid given, so untagged frames fall into the default VLAN 1; both VLANs arrive tagged here.
add bridge=BR1 interface=ether4
# NOTE(review): ether4 and ether5 lack ingress-filtering=yes (unlike ether2/ether3); set it for
# consistency so tagged frames for a VLAN the port is not a member of are rejected at ingress.
add bridge=BR1 interface=ether5 pvid=100
/interface bridge vlan
# VLAN 100 tagged toward the TP-Link on ether4, untagged on the ports serving vlan-unaware devices.
add bridge=BR1 tagged=BR1,ether4 untagged=ether2,ether3,ether5 vlan-ids=100
add bridge=BR1 tagged=BR1,ether2,ether4,ether5 vlan-ids=10

Then move the cable in ether5 to ether4 and unplug your other access points, and see if it works "correctly" when connected through the access point connected to ether4.

If so, you at least know it is "possible" to get your access points to work, but you will need to either get "smart" switches, or run extra cables so you can connect the TP-Link access points to ports where both vlan10 and vlan100 are tagged.
 
Buckeye

Re: Vlan configuration issue

Wed Mar 23, 2022 5:51 am

i think using vlans without manageable equipment does not make too much sense
After seeing the documentation for the TP-Link access points that apparently can't be configured with a single SSID connected with a untagged vlan (at least when in Multi-SSID mode), I agree that trying to do this with dumb switches is probably not going to be successful (at least if other ports on the switch are supposed to have vlan-unaware devices on them). So what @chechito said makes sense here.

And what is being done in the OP is not good practice (essentially every port on every switch is a clone of the hybrid port). The security consequence: an unmanaged switch floods VLAN 10's tagged broadcast and unknown-unicast frames to all of its ports, so any host plugged into it can see that traffic and can join VLAN 10 simply by tagging its own frames, while every untagged port is automatically on VLAN 100 - the VLAN the admin devices live on. The VLAN boundary is not enforced anywhere past the router.

From the OP
Well... thank you for your reply, which is a natural one, but costly, as we have unmanaged switches that do work fine. I would just like to understand why I have to enter VLAN 1 in the AP instead of 100 in order to be able to ping the VLAN 100 devices plugged into the unmanaged switches.
I think this is a case where you thought they worked fine, but now there is a case where they don't because the TP-Link access points are expecting tagged frames for every SSID, but the PCs are expecting untagged for the same vlan (100), and that's not possible with dumb switches (and you can't connect a tagged port and untagged port for the same vlan to the dumb switch, as it will create a L2 loop, and your network would stop working until you removed the loop).
 
mkx

Re: Vlan configuration issue

Wed Mar 23, 2022 8:10 am

... (and you can't connect a tagged port and untagged port for the same vlan to the dumb switch, as it will create a L2 loop, and your network would stop working until you removed the loop).

That's not the case here, it has nothing to do with dumb switches. The problem with such setup is that the VLAN-aware device can transmit frame, belonging to some VLAN, either tagged or untagged but not both. In OP's case MT will either transmit frame tagged with VID 100 (making TPlink AP happy) or untagged (making other devices happy). But ... things might work if the rest of devices are Windows PCs with brain-dead drivers which tend to strip off 802.1q headers first and then decide what to do while transmitting frames untagged ... in this case configuring MT with port as tagged for VID 100 on egress and setting PVID 100 on ingress might even allow things to work ... until one innocent victim of this half-broken setup tries to use device which properly expects untagged frames on ingress (e.g. some linux PC or Mac or linux-based NAS or something similar). Because the whole setup looks like somebody trying to unscrew a screw using pliers ...

So yes, using dumb switches and hoping hybrid LAN will just work is hazardous, so ... kids, don't do this at home.
 
charifch

Re: Vlan configuration issue

Wed Mar 23, 2022 9:07 am

HI Buckeye, application is android or iphone app. It works on tablets and phone and i am still wondering how to install it on a pc in order to do the test in a wired way. I will check how to do this and let you know.
Does the application work from the Android when connected to either SSID? (the one on vlan 10 (guest) or vlan 100 (untagged) vlan?

Does it work when connected to your mobile data plan?
Hi.
It works on vlan10 ssid but not on vlan100 ssid when using my mobile.
It does work also with my data plan
 
Buckeye

Re: Vlan configuration issue

Wed Mar 23, 2022 10:26 am

It works on vlan10 ssid but not on vlan100 ssid when using my mobile.
It does work also with my data plan
What are the "simple access points" in the diagram?

What if you disconnect the TP-Link access points, do the "simple access point" 5Ghz work with the application? I.e. if you don't want to disconnect the TP-link access points, if you change the SSID on the "simple" to a "TESTVLAN100" SSID and then connect to that SSID, does that work with the Application? I don't think the TP-Link Multi-SSID access points will work with vlans

Two "options" I see, depending (I would choose opt 2). Get two 5 port vlan-aware Gb switches, and configure the MikroTik router with a trunk port to them. Then configure two switches with 3 (2 for second switch) trunk ports, and one access port for vlan 100, and connect the vlan 100 access port to the existing switch (assuming the existing dumb switches have many ports, like 16-24, since you claimed that cost was an issue). Then you use your existing switches as they were, with all "vlan 100 access" in a much more secure setup: the unmanaged switches only ever carry untagged VLAN 100 frames, so nothing plugged into them can tag its way into VLAN 10. The smart switches would then connect to the TP-Link Multi-SSID access points. For the smart switches you could use CSS106-5G-1S, or some small MikroTik router with a switch chip, or even a TP-Link SG105E or SG108E (to have a few more vlan-aware ports).
charifch_20220323_opt1.png
charifch_20220323_opt2.png
 
Buckeye

Re: Vlan configuration issue

Wed Mar 23, 2022 10:28 am

But ... things might work if the rest of devices are Windows PCs with brain-dead drivers which tend to strip off 802.1q headers first and then decide what to do while transmitting frames untagged ... in this case configuring MT with port as tagged for VID 100 on egress and setting PVID 100 on ingress might even allow things to work ... until one innocent victim of this half-broken setup tries to use device which properly expects untagged frames on ingress (e.g. some linux PC or Mac or linux-based NAS or something similar). Because the whole setup looks like somebody trying to unscrew a screw using pliers ...
I won't claim that brain-dead Windows drivers don't exist, only that I have never seen one that behaves like what you claim in the standard out of the box configuration. If you are saying that if someone goes into the Windows driver properties and tries to config vlans, that it may do odd things, that's another thing. That wouldn't surprise me. But I have never seen a windows PC that with "standard" setup, would see anything but the untagged frames when plugged into a hybrid link. What I have seen is that the tagged frames are just ignored, just like frames with Decnet Phase IV ethertype 0x6003 are ignored, unless there is something registered to deal with them.
 
mkx

Re: Vlan configuration issue

Wed Mar 23, 2022 10:31 am

I won't claim that brain-dead Windows drivers don't exist, ...

... and I'm not saying that all Windows drivers are brain-dead.
 
Buckeye

Re: Vlan configuration issue

Wed Mar 23, 2022 10:32 am

... (and you can't connect a tagged port and untagged port for the same vlan to the dumb switch, as it will create a L2 loop, and your network would stop working until you removed the loop).
That's not the case here, it has nothing to do with dumb switches.
I may not have been as clear as I could have been. Here is what I was trying to say I don't think would work.
Trying to get both tagged and untagged frames on same dumb switch.png
 
mkx

Re: Vlan configuration issue

Wed Mar 23, 2022 10:43 am

I may not have been as clear as I could have been. Here is what I was trying to say I don't think would work.

Doh ... it never ocurred to me that one might want to do such a "hybrid" setup. Yup, MT might barf on the "own MAC address received" error or something like that. Or, with xSTP enabled, it would simply shut off one of ports.
With proper frame-types set on MT ports I don't think there would be endless loop though. ROS doesn't do Q-in-Q just like that, one has to make it work. But with sloppy config it's likely that things would just break flat.
 
charifch

Re: Vlan configuration issue

Wed Mar 23, 2022 11:21 am

To isolate the problem and set the dumb-switch question aside: this problem also happens with the TP-Link WA901ND plugged directly into the ether5 port of the MikroTik, i.e. with no dumb switch in between. VLAN 100 does not let you use the app, whereas VLAN 10 does. This is what makes me think it is not a matter of the dumb switch...
 
mkx

Re: Vlan configuration issue

Wed Mar 23, 2022 11:47 am

The thread is getting long so it's not entirely clear to me what exactly you tested before posting the last post. But: dumb switch or not, having some VLAN both tagged and untagged doesn't fly. If AP needs VLAN 100 tagged for proper selection of SSID, then MT has to be taged for that VLAN as well ... on the port that connects towards AP that is. If you need untagged at the same time for any othe reason (e.g. AP management), then it has to be different VLAN on MT side (AP doesn't know anything about how those packets are treted by other devices in LAN) and port connecting AP needs to be hybrid ... tagged for VID 10 and 100 and untagged for the third VLAN (egress) and PVID set to the value of the third VLAN ID (ingress).

So I suggest you to try to create simplest possible lab setup, consisting of MT and single TPlink AP. Then draw the setup you want to have (physical layout will be trivial, single cable connecting MT and TPlink), logical layout will be a bit more complex: which VLAN ID need to be tagged (plural) and which VLAN untagged. Then configure both devices (MT and TPlink) appropriately.
 
Buckeye

Re: Vlan configuration issue

Wed Mar 23, 2022 12:04 pm

To isolate the problem and forget the dumb switch issue, this problem happens also on the TPlink WA901ND plugged directly in the Eth5 port of the mikrotik so without dumb switch. Vlan100 does not let you use the app whether vlan10 does. This is what makes me wonder it is not a matter of dumb switch...
What is the Simple AP using the untagged vlan 100? What ip address does the Android get when connected to Simple AP?
charifch_simple_AP_on_untagged_lan.png
Does the app work there?

What is different about vlan 10 on the TP-link AP is that it is tagged on ether5 (unless you have changed something), where vlan 100 is the PVID (what untagged frames will be associated with when received on ether5). And ether5 is also set as untagged on egress for vlan 100

This is from the latest (I believe) post #24 viewtopic.php?t=183962#p920271 of your export posted on 2022-03-20 (Sunday)

/interface bridge port
# Assumes BR1 has vlan-filtering=yes (not shown in this excerpt); without it the VLAN table below is ignored.
add bridge=BR1 ingress-filtering=yes interface=ether2 pvid=100
add bridge=BR1 ingress-filtering=yes interface=ether3 pvid=100
# ether4: no pvid given, so untagged frames fall into the default VLAN 1.
add bridge=BR1 interface=ether4
# NOTE(review): ether5 is a hybrid port but has no ingress-filtering=yes, unlike ether2; set it so
# tagged frames for a VLAN this port is not a member of are rejected at ingress.
add bridge=BR1 interface=ether5 pvid=100
/ip neighbor discovery-settings
# "!dynamic" = every non-dynamic interface, so MNDP/LLDP neighbor discovery also answers on GUEST_VLAN
# and advertises the router's identity there. Restrict it to the admin list (discover-interface-list=BASE),
# as recommended earlier in the thread.
set discover-interface-list=!dynamic
/interface bridge vlan
# VLAN 100 untagged on ether2, ether3, ether5; VLAN 10 tagged on ether2 and ether5 (hybrid ports).
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether5 vlan-ids=100
add bridge=BR1 tagged=BR1,ether2,ether5 vlan-ids=10
.

What ip address does the Android get when connected to guest SSID (on vlan 10) ?

What ip address does the Android get when connected to BASE SSID (on vlan 100) ?
 
charifch

Re: Vlan configuration issue

Wed Mar 23, 2022 6:58 pm

To isolate the problem and forget the dumb switch issue, this problem happens also on the TPlink WA901ND plugged directly in the Eth5 port of the mikrotik so without dumb switch. Vlan100 does not let you use the app whether vlan10 does. This is what makes me wonder it is not a matter of dumb switch...
What is the Simple AP using the untagged vlan 100? What ip address does the Android get when connected to Simple AP? 192.168.0.X

charifch_simple_AP_on_untagged_lan.png

Does the app work there? No it does not

What is different about vlan 10 on the TP-link AP is that it is tagged on ether5 (unless you have changed something), where vlan 100 is the PVID (what untagged frames will be associated with when received on ether5). And ether5 is also set as untagged on egress for vlan 100

This is from the latest (I believe) post #24 viewtopic.php?t=183962#p920271 of your export posted on 2022-03-20 (Sunday)

/interface bridge port
# (Quoted export from the previous post.) ether2/ether5: hybrid ports, VLAN 100 untagged (pvid) and
# VLAN 10 tagged; ether3: VLAN 100 only; ether4: no pvid, so untagged frames go to the default VLAN 1.
add bridge=BR1 ingress-filtering=yes interface=ether2 pvid=100
add bridge=BR1 ingress-filtering=yes interface=ether3 pvid=100
add bridge=BR1 interface=ether4
# NOTE(review): ether5 lacks ingress-filtering=yes here, unlike ether2.
add bridge=BR1 interface=ether5 pvid=100
/ip neighbor discovery-settings
# Discovery answers on every non-dynamic interface, guest VLAN included; BASE would be the safer list.
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether5 vlan-ids=100
add bridge=BR1 tagged=BR1,ether2,ether5 vlan-ids=10
.

What ip address does the Android get when connected to guest SSID (on vlan 10) ? 192.168.10.X

What ip address does the Android get when connected to BASE SSID (on vlan 100) ? 192.168.0.X
Hi Buckeye, please see my answers above
 
Buckeye

Re: Vlan configuration issue

Thu Mar 24, 2022 2:31 am

100% agree with @mkx's advice to try to reproduce the problem with the "simplest possible lab setup". That makes troubleshooting much easier because there are fewer possible causes.

@charifch What firmware is running on the TP-Link TL-WA901ND access points? Were they flashed with OpenWRT? Because the documentation (as I read it) makes it sound like the TP-Link expects all vlans specified to be linked to SSID to be tagged, but the results you are reporting seem to indicate that it is using untagged for vlan 100.
What is the Simple AP using the untagged vlan 100? What ip address does the Android get when connected to Simple AP? 192.168.0.X
Does the app work there? No it does not
What ip address does the Android get when connected to guest SSID (on vlan 10) ? 192.168.10.X
What ip address does the Android get when connected to BASE SSID (on vlan 100) ? 192.168.0.X

Netgate forum thread Interface and VLAN config for TP-LINK TL-WA801ND

So at this point, given what you have reported, it seems it is more likely to be a firewall issue than ethernet framing, but it's only guess made based on very incomplete information.

There are so many things that you have not specified, that it makes remote troubleshooting nearly impossible. Do you have the ability to tap the link between the TL-WA901ND and capture packets with wireshark from a machine that can capture raw frames (even a Raspberry Pi 4 and a switch with a mirror/span port would allow this), but I don't know if you have any testing tools. I don't know ROS well enough to know what can be done with /tools/Packet Sniffer, so I would trust results from tapping the external link with higher confidence than anything done on the (still unspecified) Mikrotik router. Having a pcap trace file with the connection to the remote door via vlan10 and comparing to the trace with vlan 100 would probably show you where to focus your attention.

I also don't know enough about the ROS firewall to know how to troubleshoot that either. One cheap way to check the firewall hypothesis: temporarily add an action=log rule (same matchers, no drop) directly above the final "Drop" rule in both the forward and input chains, reproduce the failure from the VLAN 100 SSID, and look in /log for the flow being dropped; remove the log rules afterwards.

Things you have not ever specified, or if you have, I didn't see.

What MikroTik router you have, and what Firmware is loaded.

What firmware is loaded on TL-WA901ND and show how vlan 100 is configured on it.

What model the dumb switches are.

What the "simple AP" is.
 
charifch

Re: Vlan configuration issue

Thu Mar 24, 2022 8:13 pm

100% agree with @mkx's advice to try to reproduce the problem with the "simplest possible lab setup". That makes troubleshooting much easier because there are fewer possible causes.

@charifch What firmware is running on the TP-Link TL-WA901ND access points? Were they flashed with OpenWRT? Because the documentation (as I read it) makes it sound like the TP-Link expects all vlans specified to be linked to SSID to be tagged, but the results you are reporting seem to indicate that it is using untagged for vlan 100.

It is using the stock firmware, not OpenWRT. I believe it is working with an untagged vlan because the pvid is 100 on the hybrid port, so the multi-SSID AP sees it as its own pvid 1.
What is the Simple AP using the untagged vlan 100? What ip address does the Android get when connected to Simple AP? 192.168.0.X it gets a .0.x address, which is the one from vlan100
Does the app work there? No it does not
What ip address does the Android get when connected to guest SSID (on vlan 10) ? 192.168.10.X
What ip address does the Android get when connected to BASE SSID (on vlan 100) ? 192.168.0.X

Netgate forum thread Interface and VLAN config for TP-LINK TL-WA801ND

So at this point, given what you have reported, it seems more likely to be a firewall issue than an ethernet framing issue, but that is only a guess based on very incomplete information.

There are so many things that you have not specified, that it makes remote troubleshooting nearly impossible. Do you have the ability to tap the link between the TL-WA901ND and capture packets with wireshark from a machine that can capture raw frames (even a Raspberry Pi 4 and a switch with a mirror/span port would allow this), but I don't know if you have any testing tools. I don't know ROS well enough to know what can be done with /tools/Packet Sniffer, so I would trust results from tapping the external link with higher confidence than anything done on the (still unspecified) Mikrotik router. Having a pcap trace file with the connection to the remote door via vlan10 and comparing to the trace with vlan 100 would probably show you where to focus your attention.

I also don't know enough about the ROS firewall to know how to troubleshoot that either.

Things you have not ever specified, or if you have, I didn't see.

What MikroTik router you have, and what Firmware is loaded. I use a hex-S running v6.49.2

What firmware is loaded on TL-WA901ND and show how vlan 100 is configured on it. (whether you use vlan id 1 or 100 on the main ssid, you get the same subnet .0.X

What model the dumb switches are. hp switch 1405-5g

What the "simple AP" is.
Hi there,
It is a bit tough for me to undertake the requested testing, but what is very weird is that it works on vlan10 (guests) but not on vlan100.
How can I know whether it is a firewall issue?
 
Buckeye
Forum Veteran

Re: Vlan configuration issue

Thu Mar 24, 2022 10:17 pm

@charifch What firmware is running on the TP-Link TL-WA901ND access points? Were they flashed with OpenWRT? Because the documentation (as I read it) makes it sound like the TP-Link expects all vlans specified to be linked to SSID to be tagged, but the results you are reporting seem to indicate that it is using untagged for vlan 100.

It is using the stock firmware, not OpenWRT. I believe it is working with an untagged vlan because the pvid is 100 on the hybrid port, so the multi-SSID AP sees it as its own pvid 1.

Netgate forum thread Interface and VLAN config for TP-LINK TL-WA801ND

So at this point, given what you have reported, it seems more likely to be a firewall issue than an ethernet framing issue, but that is only a guess based on very incomplete information.
Hi there,
It is a bit tough for me to undertake the requested testing, but what is very weird is that it works on vlan10 (guests) but not on vlan100.
How can I know whether it is a firewall issue?
I "roller brush painted" your response so it is in red. When you answer in a quote, and don't make your response stand out, it makes it very hard to follow what was the question and what was the answer.

TP-Link's documentation is not very clear in my opinion, but the FAQ and what is on page 28 of the manual I linked seem to say that the connection to the access point should have things tagged, and they don't say anything about vlan 1 being special. But the example in the FAQ shows vlan 2 being configured, and the example configuration for the connection to the router does not look correct to me (it has all vlans to the router being sent untagged, but has PVID set to 1, which would make any returning untagged traffic be associated with pvid 1).

The Netgate forum comments about TP-Link were not very complimentary, and the Netgate forum should be relatively AP vendor neutral, since they don't sell access points.

I really don't have much experience with debugging RouterOS firewall rules, but I would start with looking at the output of the following command from the command line

/ip firewall filter print stats

Or using winbox, open ip firewall and click the Filter Rules tab and pay attention to the rules that have the red X

You can zero the counters to see what is incrementing.

Probably someone else has a better idea.

But the only reason I think it is the firewall is because you claim that the only place it happens is from your main network (vlan 100), you said you couldn't try with a PC, and you claimed that the still unspecified "simple AP" behaved the same as the TP-Link. But I really don't have any more time to spend on this thread, because we aren't making any headway, and you either don't understand what troubleshooting I am suggesting you do, or you don't want to make any changes because you don't have a lab situation and things are "mostly working". Debugging a remote production network is not an easy task, especially when you are getting multiple people's suggestions and there is a high latency for communications. If this is a business need, you may want to consider hiring someone who knows what they are doing and can work with you in real time.
 
charifch
newbie
Topic Author

Re: Vlan configuration issue

Sat Mar 26, 2022 7:23 pm

Thank you for your help guys,
I have ended up cleaning the firewall rules with no luck, but it is tidier like this.
It allowed me to understand that the issue was coming from the tagged vs untagged status of vlan 100 on the hybrid port.
And I also understood that the replication of the hybrid port through the dumb switch can cause issues, so I have ordered a few managed switches to replace the dumb ones.
Thank you very much and sorry for the time you spent on this.

Have a good week end
 
charifch
newbie
Topic Author

Re: Vlan configuration issue

Fri Apr 15, 2022 4:03 pm

Hello guys, thanks to your advice I finally ended up buying smart switches to replace the dumb ones. Now I think pretty much everything is in order, meaning the whole network is visible from any device connected to vlan 100.
The only problem that I really cannot understand is this android application called Door Entry by biticino, which works only on vlan10 (the tagged one - guest) and not on the management vlan (untagged). It has a lot of trouble connecting to the internet.
Here is the network diagram: (link: https://domaineschefchaouni.synology.me ... L8gMA_Wcgk )
scan0002.pdf
Image

For information, if I try to modify Et5 and tag vlan 100 it works, but I then lose connectivity to the printers that are connected to vlan 100 and do not handle vlan tags.

Here is my configuration:
# RouterOS export pasted by the OP (a hex-S on v6.49.2 according to an earlier
# post). Review notes are added as "#" comments so the export still imports;
# every configuration line is left exactly as posted.
/interface bridge
# Single bridge with VLAN filtering on and STP disabled (protocol-mode=none).
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
# L3 VLAN interfaces on the bridge: 100 = BASE (main LAN), 10 = GUEST.
add interface=BR1 name=BASE_VLAN vlan-id=100
add interface=BR1 name=GUEST_VLAN vlan-id=10
# ISP-side VLAN on ether1; mtu 1492 presumably leaves room for the PPPoE
# header — confirm against the ISP's requirements.
add interface=ether1 mtu=1492 name=vlan-IAM vlan-id=881

/interface list
add name=WAN
add name=LAN
add name=VLAN
add name=BASE
/interface lte apn
add apn=www.iamgprs1.ma name="apn iam"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Four pools for two VLANs: DefConf_POOL and HOME_POOL are leftovers from an
# earlier attempt (the OP confirms this later in the thread).
add name=BASE_POOL ranges=192.168.0.100-192.168.0.254
add name=GUEST_POOL ranges=192.168.10.100-192.168.10.254
add name=DefConf_POOL ranges=192.168.88.2-192.168.88.254
add name=HOME_POOL ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
# The third server still serves 192.168.88.x on the bare bridge, i.e. on
# whatever arrives untagged on the bridge's own pvid — stale default config.
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
add address-pool=DefConf_POOL disabled=no interface=BR1 name=defconf
/queue simple
# Guest VLAN capped at 2M up / 4M down.
add max-limit=2M/4M name=Queue_GUESTVLAN target=GUEST_VLAN
/system logging action
# email-to is empty, so this logging action cannot deliver anything.
add email-to= name=email target=email
/interface bridge port
# ether2 and ether5: pvid=100 with default frame-types (admit all) and no
# ingress-filtering, so together with the VLAN table below they are hybrid
# ports (VLAN 100 untagged, VLAN 10 tagged). ether3 is a pure access port for
# VLAN 100. ether4 is in the bridge but appears in no VLAN table entry.
add bridge=BR1 interface=ether2 pvid=100
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=100
add bridge=BR1 interface=ether4
add bridge=BR1 interface=ether5 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
# Bridge VLAN table: 100 untagged on ether2/3/5, 10 tagged on ether2/5. BR1 is
# tagged in both so the BASE_VLAN/GUEST_VLAN interfaces above can terminate them.
add bridge=BR1 tagged=BR1 untagged=ether3,ether5,ether2 vlan-ids=100
add bridge=BR1 tagged=BR1,ether2,ether5 vlan-ids=10
/interface list member
# NOTE(review): the only LAN member is disabled, so the LAN list is empty —
# every rule below matching in-interface-list=LAN is a no-op, and
# in-interface-list=!LAN effectively matches everything.
# PPPoE-IAM is referenced here but its /interface pppoe-client entry is not in
# this paste. The two entries without interface= are empty list members.
add disabled=yes interface=BR1 list=LAN
add interface=PPPoE-IAM list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=GUEST_VLAN list=VLAN
add interface=lte1 list=WAN
add list=BASE
add list=VLAN
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=192.168.10.1/24 interface=GUEST_VLAN network=192.168.10.0
# Default-config address on the untagged bridge; pairs with the defconf DHCP
# server above.
add address=192.168.88.1/24 comment=defconf interface=BR1 network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
# Guests are handed 192.168.0.1 (the BASE address) as DNS server, so guest
# clients must be able to reach the router's input chain on that address.
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=192.168.0.1 gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# The router acts as a resolver; only the input chain below keeps the WAN side
# from using it.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# Resolved from the cloud DDNS name enabled above; used by the dst-nat rules.
add address=e1f10fac4c39.sn.mynetname.net list=MyWANIP
/ip firewall filter
# Rules are evaluated top-down, first match wins.
#
# Input chain. NOTE(review): "Allow VLAN" accepts everything from the VLAN
# list, which contains GUEST_VLAN as well as BASE_VLAN, so guests get
# unrestricted access to every router service (DNS, winbox, ssh, ...). Limiting
# guests to the services they actually need (udp/53, udp/67) would preserve
# the guest isolation the OP wants. "Allow LAN" matches nothing (empty list).
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related,untracked
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
# Redundant with "Allow VLAN" above (BASE_VLAN is already in the VLAN list).
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# With LAN empty this drops everything that reached it (WAN included), which
# makes the following "Drop" rule unreachable.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment=Drop
# Forward chain. The first rule is disabled; the defconf one right after it
# does the same job plus untracked.
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# Both VLANs (via the VLAN list) get new connections to the WAN; the LAN rule
# is a no-op for the same reason as in the input chain.
add action=accept chain=forward comment="VLAN Internet Access" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="LAN Internet Access" \
    connection-state=new in-interface-list=LAN out-interface-list=WAN
# Only BASE -> GUEST is permitted between the VLANs; GUEST -> BASE falls
# through to the final Drop, which is the isolation discussed later in the
# thread.
add action=accept chain=forward comment="Base VLAN Access to Guest VLAN" \
    in-interface=BASE_VLAN out-interface=GUEST_VLAN
# Lets the dst-nat'd connections from the NAT section reach 192.168.0.10.
add action=accept chain=forward comment="Allow forwarded ports" \
    connection-nat-state=dstnat
# NOTE(review): established/related traffic was already accepted a few rules
# up, so this fasttrack rule never sees it and fasttrack has no effect. In
# the default configuration the fasttrack rule precedes the accept rule.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# The next two input rules are disabled duplicates of rules above — dead config.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Default deny for everything not accepted above.
add action=drop chain=forward comment=Drop
/ip firewall nat
# Hairpin NAT so BASE clients can use the public address for the forwarded
# ports.
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
# NOTE(review): these three rules expose 192.168.0.10 to the Internet on
# TCP 80,443,5000,5001,5006,6690,16881,32400, TCP 9025-9040 and UDP 1194.
# Each open port should correspond to a service that is intended to be public
# and kept patched; anything no longer needed should be removed.
add action=dst-nat chain=dstnat dst-address-list=MyWANIP dst-address-type=\
    local dst-port=80,5000,443,5001,5006,6690,16881,32400 protocol=tcp \
    to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address-list=MyWANIP dst-address-type=\
    local dst-port=9025-9040 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address-list=MyWANIP dst-address-type=\
    local dst-port=1194 protocol=udp to-addresses=192.168.0.10
/ip route
# Primary default route via PPPoE with gateway ping check; distance-2 fallback
# via 192.168.8.1 (presumably the LTE modem — its interface config is not in
# this paste).
add check-gateway=ping distance=1 gateway=PPPoE-IAM
add distance=2 gateway=192.168.8.1
Thanks for your help and the energy you spent on this thread.
 
anav
Forum Guru

Re: Vlan configuration issue

Fri Apr 15, 2022 6:25 pm

Now just imagine on March 09, you had followed my advice and got the switch and the next day March 10th were up running!
Its too bad I cannot get paid for all the grief I saved you from, had you followed my advice LOL.

=====================================================================

Since I have a short memory i will pretend I am seeing this config for the first time.

(1) two vlans but FOUR POOLS, you are missing two vlans!!
(2) Three dhcps servers............... but two vlans and four pools. configs like this drive me crazy......

(3)FROM /interface bridge ports......
ether2 is an access port going to a dumb device (base vlan)
ether3 is an access port going to a dumb device (also base vlan)
ether4 is a trunk port
ether5 is an access port going to a dumb device (also base vlan)

(4) FROM /interface bridge vlans.......
dumb devices all access ports on base vlan for ether ports 2,3,5
ether2 is in reality a hybrid port with vlan10 being tagged
ether5 in reality is a hybrid port with vlan10 being tagged
ether 4 nothing assigned???

So the question remains why is ether2 or ether5 a hybrid port......
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

If the switches are managed you ONLY NEED TO BREAK OUT ACCESS PORTS on a port going directly to a dumb device.
Hence ether2,ether5 should carry both vlans TAGGED to the managed switch or smart AP

Furthermore your diagram is hard to read but it looks to me like
ETHER2 is going to a smart switch thus a trunk port
ETHER5 is going to a smart AP and thus a trunk port
ETHER3 is unclear and it looks like its only carrying vlan100 so an access port.

Where is ether4 in your diagram??
 
charifch
newbie
Topic Author

Re: Vlan configuration issue

Fri Apr 15, 2022 7:16 pm

Sorry Anav, and thank you again but it took me one month to order the switch and get them shipped to my location. Thus the delay...
Regarding your questions
Now just imagine on March 09, you had followed my advice and got the switch and the next day March 10th were up running!
Its too bad I cannot get paid for all the grief I saved you from, had you followed my advice LOL.

=====================================================================

Since I have a short memory i will pretend I am seeing this config for the first time.

(1) two vlans but FOUR POOLS, you are missing two vlans!! ---> 2 pools are not used; they were part of a previous config I tried and abandoned
(2) Three dhcps servers............... but two vlans and four pools. configs like this drive me crazy...... -> same for the extra dhcp server. I will get this trimmed right now

(3)FROM /interface bridge ports......
ether2 is an access port going to a dumb device (base vlan)
ether3 is an access port going to a dumb device (also base vlan)
ether4 is a trunk port
ether5 is an access port going to a dumb device (also base vlan)

(4) FROM /interface bridge vlans.......
dumb devices all access ports on base vlan for ether ports 2,3,5
ether2 is in reality a hybrid port with vlan10 being tagged ------> correct
ether5 in reality is a hybrid port with vlan10 being tagged ------> correct
ether 4 nothing assigned??? ------------> not used

So the question remains why is ether2 or ether5 a hybrid port......------> because they are connected to access points that broadcast 2 different ssid (one for each of the vlans)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

If the switches are managed you ONLY NEED TO BREAK OUT ACCESS PORTS on a port going directly to a dumb device.
Hence ether2,ether5 should carry both vlans TAGGED to the managed switch or smart AP -----> ok, but then how do non-vlan-aware devices connect wirelessly to the vlan100 SSID, which is untagged?

Furthermore your diagram is hard to read but it looks to me like
ETHER2 is going to a smart switch thus a trunk port ------> correct
ETHER5 is going to a smart AP and thus a trunk port ------> correct
ETHER3 is unclear and it looks like its only carrying vlan100 so an access port ----> correct

Where is ether4 in your diagram?? ----> not used
 
anav
Forum Guru

Re: Vlan configuration issue

Fri Apr 15, 2022 7:42 pm

You are missing the point................ ROUTER TO SMART DEVICE - use trunk port ONLY. ( smart device = smart switch or smart AP)

SMART SWITCH TO SMART DEVICE - use trunk port only (another smart switch or smart AP).


SMART SWITCH TO DUMB DEVICES - use access type port settings from smart switch
SMART AP To DUMB DEVICES - use vlans to direct traffic the appropriate WLAN
 
charifch
newbie
Topic Author

Re: Vlan configuration issue

Sat Apr 16, 2022 2:29 am

Perfectly understood Anav, and thank you for clarifying it, because it is what I did the first time, but when I set up ether 5 with vlan100 and vlan10 both tagged I noticed the following scenario:
When I connected a PC directly on ether 3 I was able to see and ping the printers connected to the vlan100 SSID on AP2 (the smart AP connected to ether5). But when I connected with my phone to AP1, which is a simple AP connected to ether 3, I was not able to see the printers connected wirelessly to ether 5. Same behaviour when I connected to AP3 or AP4. This is what made me untag vlan100.
Do you know what can be the cause of that?

Thanks
 
anav
Forum Guru

Re: Vlan configuration issue

Sat Apr 16, 2022 4:33 am

Well, it's probably due to a messy firewall situation; if it were organized the reason would be clearer.
The only reason two different vlans can see each other is that the router routes between them.

If devices are on the same vlan they will be able to see each other.

In your rules you allow base vlan access to guest vlan.
Thus
Vlan100 users should have access to Vlan10 users by virtue of L3 routing in firewall rules.
Vlan100 users have access to all Vlan100 users by virtue of L2 being in same vlan
Vlan10 users have access to all Vlan10 users by virtue of L2 being in the same vlan


What I dont see is any rule that would allow vlan10 users to access vlan100 users.
 
charifch
newbie
Topic Author

Re: Vlan configuration issue

Sat Apr 16, 2022 12:41 pm

Vlan 10 users cannot see vlan100 users because it is a guest network and thus have to be isolated.
But the issue happens only between mobile phones on vlan100 connected to APs on ether 3 or 2 that cannot reach printers also members of vlan100 and connected to ap of ether 5.
On wired devices no problem
 
anav
Forum Guru

Re: Vlan configuration issue

Sat Apr 16, 2022 1:32 pm

Vlan 10 users cannot see vlan100 users because it is a guest network and thus have to be isolated.
But the issue happens only between mobile phones on vlan100 connected to APs on ether 3 or 2 that cannot reach printers also members of vlan100 and connected to ap of ether 5.
On wired devices no problem
Sometimes other vendor APs have settings that can block wifi users from accessing wired users, so it may be something there....
Model number and vendor?
 
charifch
newbie
Topic Author

Re: Vlan configuration issue

Sun Apr 17, 2022 1:22 am

They are Tplink . For the ether 2 connected ones which are smart APs they are tlwa901nd.
But I really think the issue is not related to the APs, because when I untag vlan100 on ether2 and ether5 the network problem disappears but the android app problem arises. When I tag both vlan100 and vlan10, the network problem arises (vlan100 wireless devices connected to ether5 are not visible to vlan100 wireless devices on ether 2 or 3, and vice versa) and the android app problem is resolved. So there is a configuration parameter that I am missing when I tag vlan100 and vlan10, and I don't know what it is...
 
charifch
newbie
Topic Author

Re: Vlan configuration issue

Tue Apr 19, 2022 1:13 pm

Hello Guys,
I tried changing the whole configuration over the weekend to make it work. The good news is that now everything works (the android app and visibility of the whole network).
What I did is remove vlan100 and use only the bridge for the LAN, with the guest network on vlan 10.
Please see the new config below. The only thing that I still do not understand is that I need to set ether 2 and ether 5 (the trunk ports connected to the smart switches or smart AP) to admit all, and not admit only tagged as per Anav's advice. If I use the tagged-only option on these trunk ports I lose connectivity to the smart device.
Thank you for pointing out anything I am doing wrong.
# Final RouterOS export from the OP (single untagged LAN on the bridge plus a
# tagged guest VLAN 10). Review notes are added as "#" comments so the export
# still imports; every configuration line is left exactly as posted.
/interface bridge
# admin-mac was redacted ("xxx") before posting; as pasted this line would not
# import unchanged.
add admin-mac=xxx auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
# Only the guest VLAN is tagged now; the main LAN rides the bridge untagged.
add interface=bridge name=GUEST_VLAN vlan-id=10
add interface=ether1 mtu=1492 name=vlan-IAM vlan-id=881
/interface pppoe-client
# user= (and presumably password=) were stripped before posting, which leaves
# this line ending in a bare continuation; the next line is a new section.
add add-default-route=yes disabled=no interface=vlan-IAM name=PPPoE-IAM user=\
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
# BASE list is declared but has no members in this export.
add name=BASE
/interface lte apn
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.0.100-192.168.0.254
add name=GUEST_POOL ranges=192.168.10.100-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
/queue simple
# Guest VLAN capped at 2M up / 4M down.
add max-limit=2M/4M name=Queue_GUESTVLAN target=GUEST_VLAN
/system logging action
add email-to=h@gmail.com name=email target=email
/interface bridge port
# ether2/ether5 carry the LAN untagged (default pvid 1) and VLAN 10 tagged —
# hybrid ports, which is why "admit only tagged" breaks them (see tdw's reply).
# ether3 is untagged-only (access port); ether4 and sfp1 are plain bridge
# ports with no VLAN table membership beyond the default pvid.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
# VLAN 10 tagged towards ether2, ether5 and the bridge itself (so GUEST_VLAN
# above can terminate it).
add bridge=bridge tagged=ether2,ether5,bridge vlan-ids=10
/interface list member
# LAN = the whole untagged bridge; VLAN = guest only; WAN = ether1, the PPPoE
# session and lte1 (no lte1 route appears in this export).
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=PPPoE-IAM list=WAN
add interface=GUEST_VLAN list=VLAN
add interface=lte1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.10.1/24 interface=GUEST_VLAN network=192.168.10.0
/ip cloud
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1

/ip dhcp-server network
# Guests are handed 192.168.0.1 (the LAN address) as DNS server, so guest
# clients must be able to reach the router's input chain on that address.
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=\
    192.168.0.1
add address=192.168.10.0/24 dns-server=192.168.0.1 gateway=192.168.10.1
/ip dns
# The router acts as a resolver; only the input chain below keeps the WAN side
# from using it.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
# Stale: router.lan still points at 192.168.88.1, but no 192.168.88.x address
# exists in this export (the bridge is 192.168.0.1).
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=e1f10eca5397.sn.mynetname.net list=MyWANIP
/ip firewall filter
# Rules are evaluated top-down, first match wins.
#
# Input chain. NOTE(review): "Allow VLAN" is the very first rule and accepts
# everything from GUEST_VLAN, so guests get unrestricted access to every
# router service (DNS, ssh on 2500, www-ssl, winbox, ...). Limiting guests to
# udp/53 and udp/67 and dropping the rest would keep the guest network isolated
# from router management.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Everything else (i.e. anything arriving from the WAN list) is dropped here.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain. Uncommented rule: the wired LAN may open connections into
# the guest VLAN (return traffic is covered by the established/related rule
# below); the reverse direction is deliberately absent.
add action=accept chain=forward in-interface-list=LAN out-interface-list=VLAN
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="LAN Internet Access" \
    connection-state=new in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="VLAN Internet Access Only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
# Lets the dst-nat'd connections from the NAT section reach 192.168.0.10.
add action=accept chain=forward comment="Allow forwarded ports" \
    connection-nat-state=dstnat
# NOTE(review): this catch-all Drop sits in the middle of the chain, so every
# forward rule after it (ipsec accepts, fasttrack, the defconf accept/drop
# rules and "drop all from WAN not DSTNATed") can never match. In particular
# fasttrack is never applied. Moving this Drop to the end of the chain and
# placing fasttrack before the established/related accept would restore them.
add action=drop chain=forward comment=Drop
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# Hairpin NAT so LAN clients can use the public address for the forwarded
# ports.
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): these three rules expose 192.168.0.10 to the Internet on
# TCP 80,443,5000,5001,5006,6690,16881,32400, TCP 9025-9040 and UDP 1194.
# Each open port should correspond to a service that is intended to be public
# and kept patched; anything no longer needed should be removed.
add action=dst-nat chain=dstnat dst-address-list=MyWANIP dst-address-type=\
    local dst-port=80,5000,443,5001,5006,6690,16881,32400 protocol=tcp \
    to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address-list=MyWANIP dst-address-type=\
    local dst-port=9025-9040 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address-list=MyWANIP dst-address-type=\
    local dst-port=1194 protocol=udp to-addresses=192.168.0.10
/ip route
# Single default route via PPPoE with gateway ping check; the earlier LTE
# fallback route is gone from this export.
add check-gateway=ping distance=1 gateway=PPPoE-IAM
/ip service
# telnet, ftp and plain http are off and ssh is on a non-default port — good.
# api, api-ssl and winbox do not appear here, so they are presumably still at
# their defaults (enabled, reachable from any address) — confirm with
# "/ip service print". Setting address= on every enabled service to the
# management subnet would keep them unreachable from the guest VLAN and WAN.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2500
set www-ssl certificate=https-cert disabled=no
/system clock
set time-zone-name=Africa/Casablanca
/system logging
add action=email prefix="ccc" topics=interface,info
/system scheduler
# Runs pppoe-reconnect daily at 05:30. NOTE(review): the policy grants ftp,
# reboot, password, sniff, sensitive and romon, none of which the script body
# below uses; trimming the policy to what the script needs (read,write) limits
# the damage if the scheduler or script is ever tampered with.
add comment="Reconnexion IAM" interval=1d name="Reconnexion Internet" \
    on-event=pppoe-reconnect policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=nov/29/2021 start-time=05:30:00
/system script
# Bounces the PPPoE session and then removes every tracked connection, so all
# active sessions through the router (VPN, downloads, the door-entry app) are
# cut once a day at 05:30 — keep that in mind when debugging "random" drops.
# Same over-broad policy as the scheduler entry above.
add comment=Reconnexion-Internet dont-require-permissions=no name=\
    pppoe-reconnect owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    log info message=\"pppoe-reconnect-script start\"\r\
    \n/interface pppoe-client disable PPPoE-IAM\r\
    \n:delay 3s\r\
    \n/ip firewall connection remove [find]\r\
    \n/interface pppoe-client enable PPPoE-IAM\r\
    \n/log info message=\"pppoe-reconnect-script done\""
/tool e-mail
# SMTP server is given as a hard-coded IP literal rather than a hostname; if
# the provider changes addresses, notifications stop silently — confirm this
# is still the intended server. Password is (correctly) not in the export.
set address=74.125.141.108 from=hhhhh@gmail.com port=587 \
    start-tls=yes user=domaineschefchaouni@gmail.com
/tool mac-server
# MAC-level access (mac-telnet / mac-winbox) limited to the LAN list, so it is
# not reachable from the guest VLAN or WAN.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
tdw
Forum Guru

Re: Vlan configuration issue

Tue Apr 19, 2022 7:38 pm

The only problem that I still do not understand is that, I need to make Ether 2 and ether 5 (the trunk ports connected to smart switches or smart AP) in admit all mode, and not admit only tagged as per Anav's advice. If i use only tagged vlan option on these trunk ports I loose connectivity to the smart device.
Because they are hybrid with the "main" network untagged and guest network tagged. Whilst some purists want everything to be tagged there is nothing inherently wrong using hybrid rather than tagged if it makes sense for your use case. The TP-Link APs appear to not make it obvious that in multi-SSID mode VLAN 1 is always untagged and any other VLAN IDs are tagged.
 
anav
Forum Guru

Re: Vlan configuration issue

Tue Apr 19, 2022 7:40 pm

I use TPLINK APS (smart ones) without issue. I do not send them any untagged vlans, only tagged vlans as they are smart APs.
 
mkx
Forum Guru

Re: Vlan configuration issue

Tue Apr 19, 2022 7:44 pm

The TP-Link APs appear to not make it obvious that in multi-SSID mode VLAN 1 is always untagged and any other VLAN IDs are tagged.

Many vendors use something which is often referred to as "native VLAN" ... and quite a few fix VLAN ID 1 to that use. And those who fix the VLAN ID don't talk about it loudly ... which is one of the reasons to stay away from VLAN ID 1 whenever explicitly setting a VLAN ID. So essentially VLAN ID 1 is often synonymous with untagged ...

Speaking of the devil, default configuration on ROS uses VLAN ID 1 as native VLAN as well ... and it's hidden as well, one has to try a bit harder to see it in configuration.
 
anav
Forum Guru

Re: Vlan configuration issue

Tue Apr 19, 2022 7:52 pm

Most consumer smart switches use vlan1 as native idea, that is not a reason for screwed up MT hybrid configuration.
Either a smart device can handle incoming tagged vlans or it cant.
 
anav
Forum Guru

Re: Vlan configuration issue

Tue Apr 19, 2022 7:55 pm

Most consumer smart switches use vlan1 as native idea, that is not a reason for screwed up MT hybrid configuration.
Either a smart device can handle incoming tagged vlans or it cant.

The only reasons I have seen for a hybrid port are twofold.
1. Some VOIP phones that come with two ethernet connections, one from the switch or router and the second to a PC.
a. the VOIP can read tagged vlans and consumes this vlan.
b. the untagged vlan gets passed through to the PC.

2. Ubiquiti shitty products that come default expecting the management VLAN to be untagged and the rest of the traffic as vlans, instead of all of them tagged from the source (smart switch or router).
 
Buckeye
Forum Veteran

Re: Vlan configuration issue

Wed Apr 20, 2022 7:31 am

2. Ubiquiti (UniFi) products that come default expecting the management VLAN to be untagged and the rest of the traffic as vlans, instead of all of them tagged from source (smart switch or router).

I don't have any TP-Link access points, but your comment about how UniFi access points, when in factory default state, use "standard ethernet frames" to allow configuration makes me wonder how the initial configuration of TP-Link "smart" Access Points is done. "standard ethernet frames" is exactly what untagged frames are.

So how do TP-Link access points allow configuration, if they don't support untagged access? I am not trying to get into a heated argument, I am just trying to understand.

I understand the advantages of using tagged-only trunk ports between switches, as it can prevent accidentally mixing vlans via mismatched "native" vlans, but I can understand why UniFi does use untagged frames for the initial configuration. And yes, they can be configured to use a tagged vlan for management, but I think they "expect" that vlan 1 will always be untagged, so if you want a tagged vlan, you must choose a vlan other than 1. But doesn't Omada behave very similarly to UniFi? From what I have heard, it's nearly a "clone" of UniFi, so I wouldn't be surprised if it does allow connections from untagged networks.
 
charifch
newbie
Topic Author
Posts: 36
Joined: Sat Dec 11, 2021 4:27 pm

Re: Vlan configuration issue

Wed Apr 20, 2022 5:01 pm

Thank you but is there a way to tag also the pvid 1 of the bridge in order to have the trunks set correctly as per Anav's advice with accepting only tagged traffic?
And another question: If the answer is no and I were to add a second vlan, and I wanted to make ether 2 and 5 pure trunk ports by selecting the only-tagged-traffic option in the port configuration, what address would the smart device connected to the port (AP or switch) get? Would it keep a 192.168.0.x address if I keep pvid=1 (which does not happen when I remove the admit-all option), or will it get a 192.168.10.x address if I use pvid=10 on the port? It seems like there is no more connectivity at all when I allow only tagged traffic.

Thanks
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlan configuration issue

Wed Apr 20, 2022 5:16 pm

On TP LINK APS, switches just like on MT, the native untagged vlan IS ALWAYS 1 and is maintained throughout unless a port is designated as an access port or hybrid port or WLAN port..........
Once you assign pvid to a port on a switch, it replaces the one, which is what happens on an access port or hybrid port.
For the TP LINK access points, one assigns the vlans to the WLANs and it automatically tags and untags the WLAN port.

The trunk ports with tagged vlans retain their transparent native vlan1, all the data vlans going over this port need to be tagged.
For the access port, the port going over this port needs to be untagged.

I use many vendors' switches and APs and they work this way.
RoS is consistent with this as well, The bridge retains the native vlan1... '

Charifch, WE NEVER TAG VLAN1, we dont touch it............ not on RoS not switch not on AP.
What we do is only replace vlan1 WHEN we assign a pvid to a port.
If you need help with a specific vendor switch or AP, except ubiquiti shit,......... let me know.

That is why when you look at switch port details, you will always see vlan1 staying untagged on trunk ports and not used at all for access or hybrid ports.
Its never seen tagged.
 
charifch
newbie
Topic Author
Posts: 36
Joined: Sat Dec 11, 2021 4:27 pm

Re: Vlan configuration issue

Wed Apr 20, 2022 5:34 pm

I am in agreement with your words Anav, but my question is:
I have my bridge with PVID=1.
I have a Guest VLAN with PVID=10.
I have the tplink AP connected to ether 5 (with pvid=1) getting its address from the MT router.
If I configure ether 5 to admit tagged traffic only, I lose connectivity to the tplink and it does not get any address.
If i configure it with admit all, it gets the bridge subnet as expected.
=> I understand from what you are saying is that this is normal behaviour because vlan 1 is untagged by default.
If I were to add another vlan, would I need to tag it in the ether 5 port too, and still leave the "admit all" option? So we never use the admit only tagged traffic option ?
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlan configuration issue

Wed Apr 20, 2022 7:23 pm

I am in agreement with your words Anav, but my question is:
I have my bridge with PVID=1.
I have a Guest VLAN with PVID=10.
I have the tplink AP connected to ether 5 (with pvid=1) getting its address from the MT router.
If I configure ether 5 to admit tagged traffic only, I lose connectivity to the tplink and it does not get any address.
If i configure it with admit all, it gets the bridge subnet as expected.
=> I understand from what you are saying is that this is normal behaviour because vlan 1 is untagged by default.
If I were to add another vlan, would I need to tag it in the ether 5 port too, and still leave the "admit all" option? So we never use the admit only tagged traffic option ?
I give the TPLINK the IP address ON the trusted subnet. I attach the TP LINK to the trunk port carrying lets say 2 vlans (home which is also trusted, and guest). I dont set vlan1 on the TPLINK, but I will quickly look to see if there were any other funny settings.
The tplink assigns access ports to the WLANS when you assign the vlan to the WLAN.
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlan configuration issue

Wed Apr 20, 2022 7:28 pm

Okay I do set the management vlan on the TPLINK to the trusted subnet, on this example to vlan11
>>>>>>>>>>>>>
tplinkMVlan.JPG
 
charifch
newbie
Topic Author
Posts: 36
Joined: Sat Dec 11, 2021 4:27 pm

Re: Vlan configuration issue

Fri Apr 22, 2022 1:13 pm

Hi Anav,
I have applied exactly your instructions but it looks like the TPlink AP WA901-ND is unable to get the IP address from the MT when I tag vlan 100 and vlan 10 on ether5. It does get the IP address it is supposed to get when I set ether 5 to admit all traffic, but not when I choose only tagged traffic. Any idea why? For the netgear switch plugged into ether2 in trunk mode, it gets its programmed address (192.168.0.2 static), but the AP, which is supposed to get 192.168.0.3, never gets it.
Here is the config:
# RouterOS export as posted. Identity values (MACs, APN, country, e-mail, WAN IP)
# were replaced with C/x placeholders by the poster; they are not real values.
/interface lte
set [ find ] mac-address=CCCCCCCCCCCCCC name=lte1
# vlan-filtering is on, but nothing here restricts the bridge's own (CPU-facing)
# port, so it keeps its default untagged pvid 1: the 192.168.88.0/24 network below
# is reachable untagged on every bridge port that has no explicit pvid.
/interface bridge
add admin-mac=CCCCCCCCCCCCCCCC auto-mac=no comment=defconf name=bridge \
    protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n bridge-mode=disabled \
    channel-width=20/40mhz-XX country=xxxxxxxx disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid=CCCCCC \
    vlan-id=100 wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=CCCCCCCCCCC disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=CCCC \
    wireless-protocol=802.11 wps-mode=disabled
# L3 interfaces for the two VLANs; both are carried tagged to the bridge (see
# /interface bridge vlan below).
/interface vlan
add interface=bridge name=BASE_VLAN vlan-id=100
add interface=bridge name=GUEST_VLAN vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
/interface lte apn
set [ find default=yes ] apn=CCCCCCCC
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=ccccccccccccccc master-interface=wlan1 name=\
    wlan3 security-profile=guest ssid=GUEST
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.100-192.168.88.254
add name=BASE_POOL ranges=192.168.0.100-192.168.0.254
add name=GUEST_POOL ranges=192.168.10.100-192.168.10.254
# Three DHCP servers: the defconf one still serves the bridge itself (VLAN 1),
# alongside the two VLAN servers.
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
/queue simple
add max-limit=2M/4M name=Queue_GUESTVLAN target=GUEST_VLAN
/system logging action
add email-to=CCCCCCCCCCC name=email target=email
/interface bridge port
# ether2/ether5: admit-only-vlan-tagged makes these tagged-only trunks, so the
# pvid=100 on them has no effect (pvid only applies to untagged ingress). A device
# on these ports that needs an untagged management path gets nothing.
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes interface=ether2 pvid=100
# ether3: access port for VLAN 100 (untagged only).
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether3 pvid=100
# ether4: no explicit ingress-filtering/frame-types, so it relies on the
# defaults and is the only VLAN-100 port that may also accept tagged frames.
add bridge=bridge comment=defconf interface=ether4 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes interface=ether5 pvid=100
# sfp1: no pvid, so untagged frames fall into VLAN 1 = the 192.168.88.0/24
# bridge network, with its DHCP server and the router's management services.
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1 pvid=100
add bridge=bridge comment=defconf interface=wlan2 pvid=100
add bridge=bridge interface=wlan3 pvid=10
# VLAN table: "bridge" is listed as tagged on both VLANs so the VLAN interfaces
# above receive tagged frames; VLAN 1 is not listed and stays implicit.
/interface bridge vlan
add bridge=bridge tagged=ether2,bridge,ether5 untagged=wlan3 vlan-ids=10
add bridge=bridge tagged=ether2,bridge,ether5 untagged=wlan1,ether3,wlan2 \
    vlan-ids=100
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=lte1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
# 192.168.88.1/24 remains on the bridge (VLAN 1) alongside the two VLAN subnets.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.10.1/24 interface=GUEST_VLAN network=192.168.10.0
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
/ip cloud
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server lease
add address=192.168.0.2 comment="Netgear Switch RDC Tadla" mac-address=\
    C8:9E:43:9C:43:B3 server=BASE_DHCP
add address=192.168.0.3 client-id=1:d8:d:17:b7:73:2 comment="PA RDC Tadla" \
    mac-address=D8:0D:17:B7:73:02 server=BASE_DHCP
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
# Guest clients are handed the BASE_VLAN address as resolver; that works only
# because the input chain below accepts everything from the VLAN list.
add address=192.168.10.0/24 dns-server=192.168.0.1 gateway=192.168.10.1
# NOTE(review): domain=8.8.4.4 looks like a typo for a second dns-server entry;
# an IP address is not a DNS search domain.
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8 domain=8.8.4.4 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=cccccccccccccc list=MyWANIP
# Rules with disabled=yes are the original defconf set, kept but inert.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
# Input: "Allow VLAN" accepts ALL traffic from GUEST_VLAN (member of list VLAN)
# to the router itself, so guests can reach every management service. Limiting
# this rule to the services guests need (DHCP/DNS) would fit a guest network.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# This drop is what keeps WAN off the router's DNS (allow-remote-requests=yes
# above) and other services.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward: BASE -> GUEST is allowed one way; replies come back via
# established,related, and new GUEST -> BASE connections fall through to "Drop".
add action=accept chain=forward in-interface=BASE_VLAN out-interface=\
    GUEST_VLAN
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="LAN Internet Access" \
    connection-state=new in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="VLAN Internet Access Only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow forwarded ports" \
    connection-nat-state=dstnat
# "Drop" has no match conditions: every forward rule after it (fasttrack, the
# defconf accepts/drops) is unreachable, so fasttrack never applies.
add action=drop chain=forward comment=Drop
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# dst-nat exposes 192.168.0.8 on the listed TCP/UDP ports to the WAN address;
# the "Allow forwarded ports" forward rule admits the resulting connections.
add action=dst-nat chain=dstnat dst-address-list=MyWANIP dst-address-type=\
    local dst-port=80,5000,443,5001,5006,6690,16881,32400 protocol=tcp \
    to-addresses=192.168.0.8
add action=dst-nat chain=dstnat dst-address-list=MyWANIP dst-address-type=\
    local dst-port=9025-9040 protocol=tcp to-addresses=192.168.0.8
add action=dst-nat chain=dstnat dst-address-list=MyWANIP dst-address-type=\
    local dst-port=1194 protocol=udp to-addresses=192.168.0.8
/system clock
set time-zone-name=xxxxxxxxxxxxxx
# MAC-server and MAC-WinBox are allowed on list LAN, i.e. the whole bridge,
# including any port that lands in untagged VLAN 1.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlan configuration issue

Fri Apr 22, 2022 4:17 pm

Not sure what you are doing but this is a really old 300N access point.
Whichever is your trusted LAN aka vlan100, find an unused IP address on the router check dhcp leases.
Then add the mac address of the AP to the router and manually enter the IP address with the mac address in DHCP leases for the vlan subnet.

Then go to the AP and switch its lan settings to the IP address above........... should work.
............
tpl.JPG
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlan configuration issue

Fri Apr 22, 2022 4:23 pm

I dont think you understand what you're doing; take this line......

/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
ingress-filtering=yes interface=ether2 pvid=100

On one hand you are saying this is a Trunk port by only allowing vlan tagged traffic.
In other words it is talking to another smart device and passing traffic both in and out of the port with vlan tags.

Then you state oh this port is an Access port with pvid of 100.
Meaning, that any traffic originating from the dumb device attached to the port should have its traffic tagged with 100 upon entry to the port and untagged upon exit of the port going back to the dumb device.

You cant have both here............

SAME issue with etherport 5!!!

You really need to read this article over again......
viewtopic.php?t=143620

++++++++++++++++++++++++++++++++++++++++
 
charifch
newbie
Topic Author
Posts: 36
Joined: Sat Dec 11, 2021 4:27 pm

Re: Vlan configuration issue

Fri Apr 22, 2022 4:39 pm

Ok so I shall then keep PVID=1 for Ether 2 and 5?
When I do so, the switch on ether 2 gets an IP address from the GUEST_VLAN (192.168.10.X) and I have no understanding why, even when assigning a static IP address on the base vlan to the switch.
And is it possible that this approach works with the netgear switch only and not with this old AP? Because, it looks like the AP definitely does not want to take any address when connected to ether 5 or ether 2 (tried permutating them)
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlan configuration issue

Fri Apr 22, 2022 6:54 pm

What do you mean keep vlan=1 for ports, we dont even think about vlan1 for ports,
Its the default vlan for the bridge and is left alone.


Once you have setup your AP as suggested do the people on the vlans 10 and 100 get internet traffic.
In other words do not ask the AP to get any address; give it its address manually on vlan100 as explained.

If push comes to shove I can do a skype session to have a look at your desktop etc.....

The only other thing I can think of that may be interfering is the fact that you have the bridge giving out DCHP on all ports as well.
The next step would be to change that to a VLAN so its only goes on ports you want it to go out on.
 
charifch
newbie
Topic Author
Posts: 36
Joined: Sat Dec 11, 2021 4:27 pm

Re: Vlan configuration issue

Fri Apr 22, 2022 7:52 pm

Well to be honest I got lost and made you lose so much time ...sorry.
If you feel you can do a skype session just let me know I would be very grateful. My email if you want to reach direct: charifch@yahoo.fr
I will look into your last 2 posts though just to make sure I cannot handle it alone

Thanks
 
tdw
Forum Guru
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: Vlan configuration issue

Fri Apr 22, 2022 9:25 pm

You are both going around in circles, in no particular order:

The TL-WA901ND does not have an option to explicitly set a management VLAN ID, which the EAPxxx models do, so it is likely that management access is always untagged. It is not clear if using an SSID with an associated VLAN ID 1 leads to tagged or untagged packets, however https://www.tp-link.com/us/support/faq/418/ implies that TP-Link have conflated 'VLAN ID 1' with 'untagged'.

Untagged VLANs have no ID on the wire, they are regular ethernet packets with no VLAN header between the ethernet addresses and payload data. Having a PVID usually means 'insert a VLAN header with the specified ID to packets with no VLAN header on ingress' and 'remove the VLAN header containing the specified ID from the packet' on egress. The VLAN ID at each end can be completely different as each end has no knowledge of what ID the other is using.

There is a "feature" in many devices in that they will often accept tagged packets with the same VLAN ID which is applied to untagged packets on ingress. For example if a device has a port with a PVID of 42 it will not only add a VLAN header with the ID 42 to untagged packets on ingress, it will also accept already tagged packets where the ID is 42. However on egress any VLAN headers with the ID 42 are removed from the packets, so it is possible for packets in one direction to be tagged and in the other direction untagged which works for devices which can handle both cases but breaks those which expect untagged only. This can lead to some devices communicating, and others not, despite them all appearing to be part of the same network.

Mikrotiks will exhibit this performance with ingress-filtering=no or ingress-filtering=yes frame-types=admit-all. The OpenWRT UI fibs for devices with Atheros fast (100Mbit) switch chips as they are incapable of hybrid operation, a port with a PVID set actually leaves packets with that ID tagged on egress but will accept both untagged and tagged with that ID on ingress.

A Mikrotik bridge-to-CPU port is no different from any ports added under /interface bridge port, it has pvid=, ingress-filtering= and frame-types= the only difference being the are specified as part of the bridge itself under /bridge. So by default when creating a bridge the bridge-to-CPU port is untagged with VLAN ID 1, untagged packets from-CPU-to-bridge have a VLAN header with ID 1 inserted, and any packets from-bridge-to-CPU have VLAN headers with ID 1 removed. If you want to make the bridge-to-CPU port truly tagged-only it must have ingress-filtering=yes frame-types=admit-only-vlan-tagged which causes pvid= to be ignored.
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlan configuration issue

Fri Apr 22, 2022 10:22 pm

In that case, we set both vlans tagged to ether5 and if you recall the oP has the bridge giving out dhcp on all ports as well.
Thus we give the AP a static fixed address on the MT for 192.168.88 network and put that into the LAN settings for the AP.
That should do it............
 
tdw
Forum Guru
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: Vlan configuration issue

Fri Apr 22, 2022 11:47 pm

Per my previous post the TL-WA901ND likely only has untagged management access, and as the OP has a combined base/trusted/management VLAN it should be untagged on the Mikrotik port (so the AP management works), and the AP multi-SSID settings should use VLAN 1 (as on this particular TP-Link AP this means untagged).

The guest VLAN should be tagged on the Mikrotik port and the AP multi SSID settings use the same VLAN ID as the Mikrotik. As the Mikrotik bridge port is hybrid it should have ingress-filtering=yes frame-types=admit-all
 
Buckeye
Forum Veteran
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Vlan configuration issue

Sat Apr 23, 2022 12:50 am

Untagged VLANs have no ID on the wire, they are regular ethernet packets with no VLAN header between the ethernet addresses and payload data. Having a PVID usually means 'insert a VLAN header with the specified ID to packets with no VLAN header on ingress' and 'remove the VLAN header containing the specified ID from the packet' on egress. The VLAN ID at each end can be completely different as each end has no knowledge of what ID the other is using.
My reading of the IEEE 802.1Q spec is that the internal workings of the "bridge" (they never use the word switch) are treated as a black box, i.e. the spec says nothing about the internal implementation, only the required external behavior for given inputs. So I never like assuming that the frames exist as they do on the wire while they are inside the bridge device, only that the bridge device classifies every received frame into a single vlan, and guarantees that the frame is only allowed to exit on a port that is a member of the specified vlan. I am reasonably sure implementations exist where that isn't the case, instead having queue heads for each vlan/mac address. And I find that users being introduced to vlans get confused when someone uses the terminology "the frame gets tagged" when arriving at an untagged port. So I usually use the term "classified as" or "assigned to" a vlan when describing an access port. There may be implementations that do store the frame as a complete "bitstream" with an ethernet header and vlan tag, but the spec doesn't require that, only that when exiting an interface that is supposed to tag the vlan, the bridge will insert that tag (and re-compute the FCS).
There is a "feature" in many devices in that they will often accept tagged packets with the same VLAN ID which is applied to untagged packets on ingress. For example if a device has a port with a PVID of 42 it will not only add a VLAN header with the ID 42 to untagged packets on ingress, it will also accept already tagged packets where the ID is 42. However on egress any VLAN headers with the ID 42 are removed from the packets, so it is possible for packets in one direction to be tagged and in the other direction untagged which works for devices which can handle both cases but breaks those which expect untagged only. This can lead to some devices communicating, and others not, despite them all appearing to be part of the same network.
This and vlan 0 (priority only) tags are another confusing (and in my experience, infrequently used) feature as well.

In SwOS (from my CSS106-5G-1S switches), you can specify "leave as-is" for egress tagging. Without actually using wireshark and something like scapy, I am not sure what happens when a tagged frame is received on a port with pvid set to the same value, and the action is set to "leave as-is". Literally I would expect it to pass the frame "as-is", but that could cause problems on a hybrid port where multiple vlans exist, and one is connected to a device that expects the vlan corresponding to the specified pvid to have the tag removed. Especially if the frame was received on a port where that vlan was expected to be tagged. Likewise with priority only tags. I don't know if windows can deal with those correctly or not.
Mikrotiks will exhibit this performance with ingress-filtering=no or ingress-filtering=yes frame-types=admit-all. The OpenWRT UI fibs for devices with Atheros fast (100Mbit) switch chips as they are incapable of hybrid operation, a port with a PVID set actually leaves packets with that ID tagged on egress but will accept both untagged and tagged with that ID on ingress.
It sounds like this is a case like I discussed above, if I am understanding your words correctly.
A Mikrotik bridge-to-CPU port is no different from any ports added under /interface bridge port, it has pvid=, ingress-filtering= and frame-types= the only difference being they are specified as part of the bridge itself under /bridge. So by default when creating a bridge the bridge-to-CPU port is untagged with VLAN ID 1, untagged packets from-CPU-to-bridge have a VLAN header with ID 1 inserted, and any packets from-bridge-to-CPU have VLAN headers with ID 1 removed. If you want to make the bridge-to-CPU port truly tagged-only it must have ingress-filtering=yes frame-types=admit-only-vlan-tagged which causes pvid= to be ignored.
Does ROS use vlan 1 to communicate with the switch chip (to program the registers)? If so, what mac address is used when communicating with the switch chip itself? Is this different from the admin-mac=xxx auto-mac=no? Or does the CPU discover the mac from the switch chip when the switch chip initializes and may send a broadcast announcing itself?
 
tdw
Forum Guru
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: Vlan configuration issue

Sat Apr 23, 2022 4:24 pm

My reading of the IEEE 802.1Q spec is that the internal workings of the "bridge" (they never use the word switch) is that the spec treats the bridge device as a black box, i.e. the spec says nothing about the internal implementation, only the required external behavior for given inputs. So I never like assuming that the frames exists as they do on the wire while they are inside the bridge device
Yes, hence my description of what happens on the wire. Offhand I don't know if Linux moves data around within a packet buffer, if any VLAN information is stored separately in the buffer header or chained in a linked list, or some other mechanism. Perusing the /net/bridge source code would provide a definitive answer.

In SwOS (from my CSS106-5G-1S switches), you can specify "leave as-is" for egress tagging. Without actually using wireshark and something like scapy, I am not sure what happens when a tagged frame is received on a port with pvid set to the same value, and the action is set to "leave as-is". [stuff cut] It sounds like this is a case like I discussed above, if I am understanding your words correctly.
For hardware switch chips it depends on the implementation. The gigabit Qualcomm/Atheros chips treat "leave as-is" on egress to be "remove the VLAN header if the VLAN ID matches the configured PVID". The fast ethernet chips have a fundamental design flaw as "leave as-is" does just that, tagged packets within the switch fabric always leave tagged.

Does ROS use vlan 1 to commuicate to the switch chip (to program the registers)? If so, what mac address is used when communicating with the switch chip itself? Is this different than the admin-mac=xxx auto-mac=no? Or does the CPU discover the mac from the switch chip when the switch chip initializes and may send a broadcast announcing itself.
No. The configuration registers have a separate data path, usually SPI/I2C for standalone switch chips or memory/IO-mapped if part of a SoC, the switch-to-CPU packet data is passed over a GMII/RGMII/MII interface.
To muddy the waters Mikrotik actually hide the physical setup. Whilst the ether1-5 interfaces in the UI correspond to the physical ports there is only a single(#) ethernet link between the switch chip and CPU interface; vendor proprietary headers are included in the packet to provide additional information such as which port a packet arrived on or should be sent from. If you install OpenWRT on a Mikrotik board you typically have a single(#) ethernet interface shown in the UI and you have no choice but to configure the switch and VLANs to segregate ports, even for a basic 1xWAN + 4xLAN setup.
(#) some models do have more than one
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlan configuration issue

Sat Apr 23, 2022 4:59 pm

If there is no management vlan on this older AP, then will assume that it has to be on a hybrid port as stated.
It should simply work then if one sets the IP address manually on the LAN settings of the TPLINK AP, to that of the bridge network, DHCP 192.168.88.x or whatever it is manually via mac address and DHCP leases. Still tag the vlans over the port.

Suggesting the following
/interface bridge ports
add bridge=bridge interface=ether5
 
tdw
Forum Guru
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: Vlan configuration issue

Sat Apr 23, 2022 5:26 pm

Or if the OP only requires a single base/management/trusted network plus a guest network in a VLAN the configuration in post 61 viewtopic.php?t=183962#p927539 was fine, it just needed ingress-filtering=yes on all bridge ports, frame-types=admit-all on ether2 & ether5 plus frame-types=admit-only-untagged-and-priority-tagged on ether3 & ether4 for completeness.
 
charifch
newbie
Topic Author
Posts: 36
Joined: Sat Dec 11, 2021 4:27 pm

Re: Vlan configuration issue

Sat Apr 23, 2022 5:40 pm

Hello guys,
So after reading all this I realised that everyone was right. The main problem comes from the AP, which is outdated.
So the first solution, from tdw, definitely works by simplifying the problem: use LAN for vlan100 and tag vlan10 on the 2 hybrid ports. That works with the AP and with the switch, no problem.
Second one from Anav is under test now, by removing dhcp from bridge and untagging vlan100 on ether5. Will let you knwo as soon as it is tested.
 
Buckeye

Re: Vlan configuration issue

Sun Apr 24, 2022 5:21 am

No. The configuration registers have a separate data path, usually SPI/I2C for standalone switch chips or memory/IO-mapped if part of a SoC, the switch-to-CPU packet data is passed over a GMII/RGMII/MII interface.
Of course you are correct. I guess my "mental" image of a separate switch connected with a single trunk was too literal.
To muddy the waters, MikroTik actually hides the physical setup. Whilst the ether1-5 interfaces in the UI correspond to the physical ports, there is only a single(#) Ethernet link between the switch chip and the CPU interface; vendor-proprietary headers are added to each packet to carry additional information such as which port a packet arrived on or should be sent from. If you install OpenWrt on a MikroTik board you typically see a single(#) Ethernet interface in the UI and have no choice but to configure the switch and VLANs to segregate ports, even for a basic 1xWAN + 4xLAN setup.
(#) some models do have more than one
Yes, the MT7621A has two and it isn't clear when not using the SFP port how those two are used.
 
mkx

Re: Vlan configuration issue

Sun Apr 24, 2022 12:24 pm

Yes, the MT7621A has two and it isn't clear when not using the SFP port how those two are used.

The same way as in hEX (RB750Gr3) ... depending on RJ45 port configuration (member of bridge vs. stand alone). It seems that with ROS v7 (latest versions) actual behaviour corresponds to documentation, at least in hEX.
 
charifch

Re: Vlan configuration issue

Sun Apr 24, 2022 7:16 pm

Hello guys,
I wanted to give you a final heads up on this matter that is solved now thanks to Anav and tdw.
First, as tdw suggested, the AP plugged into ether5 and the one behind the managed switch on ether2 have to be treated as unmanaged/untagged access devices. That is why tdw proposed moving the AP's LAN address into the base network and keeping only a single tagged GUEST_VLAN, which worked perfectly with no problem.

anav found a way to keep the two-VLAN design. The solution was to move the DHCP server from the bridge to BASE_VLAN, configure ether5 (connected to the AP) as a hybrid port (pvid=100, so vlan 100 is untagged and vlan 10 is tagged), and configure ether2 (connected to the managed switch) as a trunk where both VLANs are tagged.

Here is the config:
# Final working RouterOS export posted by the OP. MAC addresses, the PPPoE
# user, the ISP VLAN id and the e-mail address were blanked before posting.
/interface bridge
# One bridge with VLAN filtering enabled; every bit of VLAN segregation below
# depends on vlan-filtering=yes together with the /interface bridge vlan table.
add admin-mac= auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] mac-address=
set [ find default-name=ether2 ] mac-address=
set [ find default-name=ether3 ] mac-address=
# ether4 is renamed and used as a stand-alone routed port (192.168.5.0/24
# below), not as a bridge member.
set [ find default-name=ether4 ] mac-address= name=\
    ether4-access
set [ find default-name=ether5 ] mac-address=
set [ find default-name=sfp1 ] mac-address=
/interface vlan
# Layer-3 VLAN interfaces on the bridge: 100 = BASE (trusted), 10 = GUEST.
add interface=bridge name=BASE_VLAN vlan-id=100
add interface=bridge name=GUEST_VLAN vlan-id=10
# WAN-side VLAN on ether1 that carries the ISP PPPoE session.
add interface=ether1 mtu=XXXX name=vlan-IAM vlan-id=XXX
/interface pppoe-client
add add-default-route=yes disabled=no interface=XXX name=PPPoE-IAM user=\
    
/interface list
# Interface lists drive the firewall: WAN = untrusted uplinks, BASE = full
# management access, VLAN = networks that only get DNS and internet.
# LAN is the defconf list but has no members here.
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
/interface lte apn
add apn=XXXXXX name="apn iam"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.0.100-192.168.0.254
add name=GUEST_POOL ranges=192.168.10.100-192.168.10.254
/ip dhcp-server
# DHCP is bound to BASE_VLAN, not to the bridge itself, so untagged clients on
# the pvid=100 ports (ether3, ether5) get 192.168.0.x addresses.
add address-pool=default-dhcp disabled=no interface=BASE_VLAN name=defconf
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
/queue simple
# Guest network rate limit (2M up / 4M down).
add max-limit=2M/4M name=Queue_GUESTVLAN target=GUEST_VLAN
/system logging action
add email-to=XXXXXXXX name=email target=email
/interface bridge port
# ether2: trunk to the managed switch - tagged frames only, ingress filtering on.
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes interface=ether2
# ether3: BASE access port - untagged only, pvid 100, ingress filtering on.
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether3 pvid=100
# ether5: hybrid port to the AP - untagged 100 plus tagged 10.
# NOTE(review): unlike ether2/ether3 this port has no ingress-filtering=yes, so
# the "is this port a member of the received VID" check is not applied here.
# With only VLANs 10 and 100 in the table (both on ether5) the practical impact
# is small, but it stops being small as soon as another VLAN is added on
# ether2; adding ingress-filtering=yes is the conservative choice.
add bridge=bridge comment=defconf interface=ether5 pvid=100
# sfp1: bridge member with no pvid given (default pvid 1, which has no entry in
# the VLAN table) - presumably unused; verify before connecting anything to it.
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) only on the trusted BASE interfaces.
set discover-interface-list=BASE
/interface bridge vlan
# VLAN table: 10 is tagged on the trunk (ether2), the AP port (ether5) and the
# CPU (bridge); 100 is tagged on ether2 and the CPU, untagged to ether3/ether5.
add bridge=bridge tagged=ether2,ether5,bridge vlan-ids=10
add bridge=bridge tagged=ether2,bridge untagged=ether5,ether3 vlan-ids=100
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=PPPoE-IAM list=WAN
add interface=GUEST_VLAN list=VLAN
add interface=ether4-access list=BASE
# BASE_VLAN is in both lists: it gets the VLAN internet rule and full
# management access.
add interface=BASE_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.0.1/24 comment=defconf interface=BASE_VLAN network=\
    192.168.0.0
add address=192.168.10.1/24 interface=GUEST_VLAN network=192.168.10.0
add address=192.168.5.1/24 interface=ether4-access network=192.168.5.0
/ip cloud
# MikroTik cloud DDNS is on: the router publishes its public address to
# MikroTik's cloud service.
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dns
# allow-remote-requests=yes makes the router a resolver. Who can reach it is
# decided by the input chain (VLAN lists on port 53, everything else dropped),
# so it is not an open resolver towards WAN as long as that chain stays intact.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
# NOTE(review): defconf leftover - router.lan still resolves to 192.168.88.1,
# but the router's address is now 192.168.0.1 (see /ip address above).
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# Public IP used by the dst-nat rules. NOTE(review): this is a static entry;
# if the PPPoE address ever changes, the port forwards silently stop matching.
add address=XXXXXXX list=MyWANIP
/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# ICMP is accepted from every interface, WAN included (defconf behaviour).
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Full management access (WinBox, SSH, HTTPS, DHCP, ...) only from BASE.
add action=accept chain=input comment="Allow BASE" in-interface-list=BASE
# GUEST/BASE VLAN clients may use the router only as a DNS server.
add action=accept chain=input comment="Allow VLAN Port 53 tcp" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN Port 53 UDP" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Catch-all: everything else to the router (including management from WAN and
# from GUEST) is dropped.
add action=drop chain=input comment="Drop Input"
# ---- forward chain: traffic routed through the router ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# BASE may open connections into GUEST; replies ride the established/related
# rule above. GUEST cannot initiate connections into BASE through this rule.
add action=accept chain=forward in-interface=BASE_VLAN out-interface=\
    GUEST_VLAN
# New connections from the VLAN networks (BASE and GUEST) to WAN only.
add action=accept chain=forward comment="VLAN Internet Access Only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
# Anything that was dst-NATed (the port forwards below) is accepted regardless
# of where it came from. NOTE(review): the dstnat rules match
# dst-address-type=local, so a GUEST client that connects to the public IP is
# translated to 192.168.0.10 and then passes this rule - guest isolation does
# not cover the forwarded NAS ports. Adding in-interface-list=WAN to this rule
# (or to the dstnat rules) would close that path; verify before relying on it.
add action=accept chain=forward comment="Allow forwarded ports" \
    connection-nat-state=dstnat
# Default deny for everything else routed through the box.
add action=drop chain=forward comment=Drop
/ip firewall nat
# Hairpin NAT so BASE clients can reach the forwarded services via the public
# IP. Only BASE is covered; other sources reach the NAS un-masqueraded.
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Port forwards to the NAS at 192.168.0.10, open to the whole internet.
# NOTE(review): 80/443 and 5000/5001 are exposed alongside the application
# ports; if any of these serve the NAS's admin UI, restrict them with a
# src-address-list or reach them only through the VPN forwarded on 1194/udp.
add action=dst-nat chain=dstnat dst-address-list=MyWANIP dst-address-type=\
    local dst-port=80,5000,443,5001,5006,6690,16881,32400 protocol=tcp \
    to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address-list=MyWANIP dst-address-type=\
    local dst-port=9025-9040 protocol=tcp to-addresses=192.168.0.10
add action=dst-nat chain=dstnat dst-address-list=MyWANIP dst-address-type=\
    local dst-port=1194 protocol=udp to-addresses=192.168.0.10
/ip route
add check-gateway=ping distance=1 gateway=PPPoE-IAM
/ip service
# Cleartext management (telnet, ftp, http) is disabled. SSH is moved to 2500 -
# obscurity only; it is the input chain, not the port number, that keeps WAN
# and GUEST off it. HTTPS stays on with a named certificate.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2500
set www-ssl certificate=https-cert disabled=no
/tool mac-server
# Layer-2 (MAC-based) telnet and WinBox access only from BASE interfaces.
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
