gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Virtual WLAN and VLAN's

Wed Mar 16, 2022 3:08 pm

So, after successfully creating a proper home wireless network with help from this forum and its great members, I was thinking about creating one virtual wireless network for my CCTV cameras.

Right now I have a hAP ac lite as an access point for my cameras because my ISP1 router was unable to handle such load (constant reboots and so on).

Now I have two ISPs, and the second one is a lot faster than the first one, and all my devices are connected to ISP2 except CCTV. (ISP1 is only for IPTV right now, and for failover.)

I would like to create a virtual AP on the 2.4 GHz WiFi interface on my cAP ac so I can remove the hAP ac lite. I have a hAP ac3 as main router, and the cAP ac as AP working in WISP AP mode (bridge).

I tried to add a VLAN and Virtual AP to the cAP ac and it was working: devices connect, get an IP, but internet was unavailable. (I created the DHCP server on the cAP ac.)
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Wed Mar 16, 2022 6:41 pm

post configs on hapac3 and capac.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Wed Mar 16, 2022 8:31 pm

I tried that on some equipment that I have at the office and it's not used at the moment, so if anything goes wrong no big deal :lol: , same AP, only the router is a hEX S.

I will post config tomorrow.
 
gotsprings
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: Virtual WLAN and VLAN's

Wed Mar 16, 2022 11:04 pm

Still using the same airtime.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Thu Mar 17, 2022 6:57 am

Ok, so I only changed settings in the cAP ac and here is the config for that AP (Note: it's working in WISP AP mode (bridge) so no Firewall rules etc.) I followed this youtube tutorial
# mar/17/2022 05:47:05 by RouterOS 7.1.3
# software id = 
#
# model = RBcAPGi-5acD2nD
# serial number = 
/interface bridge
add name=bridge1
add name=bridge2
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
    name= supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
    name= supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n comment="2.4 GHz" country=\
    croatia disabled=no installation=indoor mode=ap-bridge security-profile=\
     ssid="" wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac comment="5 GHz" country=\
    croatia disabled=no installation=indoor mode=ap-bridge security-profile=\
     ssid="" wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address= \
    master-interface=wlan1 multicast-buffering=disabled name=wlan3 \
    security-profile= ssid=Gosti vlan-id=10 vlan-mode=use-tag \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan1 comment="2.4 GHz"
set wlan2 comment="5 GHz"
/interface wireless nstreme
set wlan1 comment="2.4 GHz"
set wlan2 comment="5 GHz"
/interface vlan
add interface=wlan3 name=VLAN10_GOSTI vlan-id=10
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge2 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
add bridge=bridge2 interface=VLAN10_GOSTI
add bridge=bridge2 interface=wlan3
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/ip address
add address=192.168.10.1/24 interface=bridge2 network=192.168.10.0
/ip dhcp-client
add interface=bridge1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
/system clock
set time-zone-name=Europe/Zagreb
/system routerboard settings
set cpu-frequency=auto
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Thu Mar 17, 2022 10:23 pm

Is it necessary to create a VLAN on the main router? Because the AP is like a wifi antenna for the main router. So one VLAN (can be VLAN1) is used for the real wifi interface, and another VLAN for the virtual interface.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Thu Mar 17, 2022 11:01 pm

Without the config of the other router there is lacking context.
This is the example I use:
viewtopic.php?t=182276

As to the linked video, it's okay but old.
-Using two bridges is the first thing I would drop like a lead weight.
-No need for WAN and LAN; this is simply acting as an AP/switch.
-Don't use wifi settings for vlan tagging etc. Remove.
-Assigning of vlans to wlans is done at /interface bridge port settings.
-The device address is associated with the trusted subnet (aka vlan), NOT the bridge.
-If you only have GUEST vlans on this device, you still need to send a trusted vlan to the device for ADMIN config purposes.
-The only vlan that needs to be identified on this device under /interface vlan (with interface=bridge) is the trusted vlan.
-The only interface list needed is Management.
-The only interface list member of that is the trusted vlan.
-Also the trusted vlan is the IP route.
-Also the trusted vlan is the IP neighbour discovery --> interface list entry.
-Also the trusted vlan is the tools macserver / Winbox mac server --> interface list entry.

All smart devices should have their IP on the trusted subnet and thus be accessible to the admin for config purposes.
For a home setup it could be the main LAN, and on a business setup a separate management vlan. Do not use vlan1; that is a default vlan that bridges have in the background.
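As an added example (not the original poster's export and not the config from the linked thread), here is what the list above looks like as a single cAP ac configuration in RouterOS 7 syntax. It assumes a device reset without default configuration, VLAN 20 as the trusted/home VLAN and VLAN 10 for the cameras, ether1 as the trunk to the router, 172.16.20.0/24 as the trusted subnet with the router at .1 and the AP at .2, wlan1/wlan2 keeping whatever home SSID and security profile they already have, and a new virtual wlan3 for the cameras; every one of those names and numbers is an assumption for illustration.

```routeros
# Added example (not the original poster's export): cAP ac as a VLAN-aware
# AP/switch in RouterOS 7 syntax, assuming a device reset without defaults.
# Assumed: VLAN 20 = trusted/home, VLAN 10 = CCTV, ether1 = trunk to the
# router, AP address 172.16.20.2/24, router 172.16.20.1, wlan1/wlan2 = home
# radios, wlan3 = virtual 2.4 GHz AP for the cameras.

/interface bridge
add name=bridge vlan-filtering=no comment="one bridge; filtering enabled last"

# WPA2/AES only for the cameras (no WPA1/TKIP). Replace the placeholder key.
/interface wireless security-profiles
add name=cctv mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key=CHANGE-ME-long-random-passphrase

# Virtual AP. No vlan-id / vlan-mode here: the VLAN is set by the bridge
# port's pvid below, not by the wireless settings.
/interface wireless
add master-interface=wlan1 name=wlan3 ssid=CCTV security-profile=cctv \
    wps-mode=disabled disabled=no

/interface bridge port
# trunk to the router: tagged frames only
add bridge=bridge interface=ether1 frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes
# access ports: untagged client frames are placed into the pvid VLAN
add bridge=bridge interface=wlan1 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=wlan2 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=wlan3 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# ether2 is deliberately left off the bridge for "off bridge" recovery access

/interface bridge vlan
# "bridge" is tagged only on the trusted VLAN, so only that VLAN can reach
# the AP's own CPU; camera traffic on VLAN 10 is switched to ether1 only.
add bridge=bridge vlan-ids=20 tagged=bridge,ether1 untagged=wlan1,wlan2
add bridge=bridge vlan-ids=10 tagged=ether1 untagged=wlan3

# The only /interface vlan on the AP is the trusted one; the device address,
# default route and DNS all sit on it, not on the bridge.
/interface vlan
add interface=bridge name=vlan20_trusted vlan-id=20
/ip address
add address=172.16.20.2/24 interface=vlan20_trusted
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.20.1
/ip dns
set servers=172.16.20.1

# Management plane reachable via the trusted VLAN only
/interface list
add name=Management
/interface list member
add interface=vlan20_trusted list=Management
/ip neighbor discovery-settings
set discover-interface-list=Management
/tool mac-server
set allowed-interface-list=Management
/tool mac-server mac-winbox
set allowed-interface-list=Management

# Last step: turn filtering on from the off-bridge port or in Safe Mode so a
# mistake above cannot lock you out of the AP.
/interface bridge
set bridge vlan-filtering=yes
```

After enabling filtering, `/interface bridge vlan print` should show VLAN 20 with bridge and ether1 tagged and VLAN 10 with ether1 tagged only; if a camera client appears under `/interface bridge host print` with vid 10 but has no internet, the missing piece is on the router side of the trunk, not on the AP.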
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Fri Mar 18, 2022 6:42 am

So here is the config of the main router:
# mar/18/2022 05:27:12 by RouterOS 7.1.3
# software id = 
#
# model = RB760iGS
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=   interface=ether1 network=
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.88.229 client-id=1:a4:d7:3c:3:3e:ad comment=Printer \
    mac-address=A4:D7:3C:03:3E:AD server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
I also removed the changes that I made by following that tutorial so I can start from the beginning. I will also study the information from the link you provided.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Fri Mar 18, 2022 11:36 am

I've read the posts and configurations from the links you provided, so in the "main" router the default VLAN1 is replaced by VLAN99 (base) and then 3 more VLANs are added to the config.

I would need only one, and in my case only ether5 would need to be a trunk port (Home WiFi on, for e.g., VLAN99 (base VLAN instead of the default 1, or it can stay as 1 as this is for home use), and CCTV on VLAN10 or something).

At home I have a spare hAP ac lite and hEX S so I will try some of these configurations during the weekend. (Using spare equipment, so if I mess something up there is no problem :lol: )
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Fri Mar 18, 2022 1:34 pm

No, nothing replaces the default vlan1 for the bridge. It stays there in the background.
You create a management vlan IF YOU NEED ONE, otherwise use a trusted subnet.
I don't mix apples and oranges, so as soon as I have vlans, if there are any subnets not in vlan format, like people typically use on the bridge (DHCP by the bridge), I get rid of them and put them in a vlan.
Typically, if that is where the admin resides, that becomes the trusted subnet.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Fri Mar 18, 2022 3:39 pm

Since this is just for home use and just for simplicity, can the trusted subnet be the default one? And by default that is VLAN 1?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Fri Mar 18, 2022 5:45 pm

No no and NO.
If you want the current home subnet as the trusted subnet then make it a vlan like 20 or something.
Leave vlan1 alone please. It should not carry data.

So
/interface vlan
add interface=bridge name=default-subnet vlan-id=20
add interface=bridge name=cctv-subnet vlan-id=10
any others???
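The two vlan interfaces above are only the layer-3 end of it. As an added example (not anav's config and not the poster's export), here is the rest of the router side in RouterOS 7 syntax, applied on top of the hEX S default configuration posted earlier: a VLAN-filtering bridge, DHCP per VLAN instead of on the bridge, and firewall rules so that the camera VLAN gets internet but cannot open connections to the trusted VLAN or to the router's management services. Assumed for illustration: ether1 stays WAN, ether2-ether4 are home access ports, ether5 (the PoE-out port) is the trunk to the AP, VLAN 20 is trusted/home on 172.16.20.0/24 and VLAN 10 is CCTV on 172.16.10.0/24 (third octet equal to the VLAN id is only a naming convention).

```routeros
# Added example: hEX S as the router, starting from the MikroTik default
# configuration (RouterOS 7 syntax). All names and numbers are assumptions:
# ether1 = WAN, ether2-ether4 = home access ports, ether5 = trunk to the AP,
# VLAN 20 = trusted/home 172.16.20.0/24, VLAN 10 = CCTV 172.16.10.0/24.

# 1. Stop using the bridge itself as a subnet: DHCP, address and LAN
#    membership all move to VLAN interfaces.
/ip dhcp-server remove [find interface=bridge]
/ip dhcp-server network remove [find comment=defconf]
/ip address remove [find interface=bridge]
/interface list member remove [find interface=bridge]

# 2. Bridge ports (already members from defconf): access ports get a pvid,
#    the trunk accepts tagged frames only.
/interface bridge port
set [find interface=ether2] pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether3] pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether4] pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether5] ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged

# 3. Bridge VLAN table. The router terminates both VLANs, so "bridge" is
#    tagged on both; the AP trunk carries both; only VLAN 20 has access ports.
/interface bridge vlan
add bridge=bridge vlan-ids=20 tagged=bridge,ether5 untagged=ether2,ether3,ether4
add bridge=bridge vlan-ids=10 tagged=bridge,ether5

# 4. Layer 3 lives on the VLAN interfaces, one subnet per VLAN.
/interface vlan
add interface=bridge name=vlan20_home vlan-id=20
add interface=bridge name=vlan10_cctv vlan-id=10
/ip address
add address=172.16.20.1/24 interface=vlan20_home
add address=172.16.10.1/24 interface=vlan10_cctv
/ip pool
add name=pool_home ranges=172.16.20.10-172.16.20.250
add name=pool_cctv ranges=172.16.10.10-172.16.10.250
/ip dhcp-server
add name=dhcp_home interface=vlan20_home address-pool=pool_home
add name=dhcp_cctv interface=vlan10_cctv address-pool=pool_cctv
/ip dhcp-server network
add address=172.16.20.0/24 gateway=172.16.20.1 dns-server=172.16.20.1
add address=172.16.10.0/24 gateway=172.16.10.1 dns-server=172.16.10.1

# 5. Only the trusted VLAN is "LAN". The defconf input chain drops everything
#    not from LAN, so the cameras cannot reach Winbox/SSH/www on the router.
/interface list member
add interface=vlan20_home list=LAN

# 6. Untrusted VLAN policy. The accept must sit before the defconf
#    "drop all not coming from LAN" rule, hence place-before. The forward drop
#    is appended at the end, where it still catches new CCTV->home connections
#    because the defconf forward chain has no final drop for LAN traffic.
/ip firewall filter
add chain=input action=accept in-interface=vlan10_cctv protocol=udp \
    dst-port=53,67 comment="cctv: DNS and DHCP to the router only" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]
add chain=forward action=drop connection-state=new in-interface=vlan10_cctv \
    out-interface-list=LAN comment="cctv: no new connections into trusted VLANs"

# 7. Turn filtering on last (Safe Mode or off-bridge access recommended).
/interface bridge
set bridge vlan-filtering=yes
```

With these rules a PC on the home VLAN can still open connections to a camera (the replies come back as established/related); only camera-initiated connections into the home VLAN are refused. If a recorder on the home VLAN needs the cameras to push to it, add a narrow accept for that host and port in front of the drop rule rather than removing the rule.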
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Fri Mar 18, 2022 11:36 pm

@anav

His latest export doesn't have vlan-filtering on, so he isn't going to be able to use any tagged vlans with standard non-vlan-aware devices.

You should be pointing him to your new user success thread, or the one on setting up a vlan-aware bridge.

But I think he needs to be pointed to some vlan background info.

I understand that you like "cookie cutter" general solutions, and that is good in general, but you provide no "reasons" as to why he shouldn't use vlan 1. I am not as averse to using vlan 1 as you are. In a home situation, I don't think it makes any difference. Is it best practice? NO. But many things in a home environment are not best practice (usually no physical security for example), the router is just exposed to anyone in the home. Anyone with physical access can reset the router, or move cables. The point is, what is the reason that you feel so protective of vlan 1? Yes, there may be some control plane traffic there, but so what? How exactly does that affect a home user?

@gigabyte091 if you want to know why @anav doesn't want to use vlan 1, search google for "should I use vlan 1"

And if you want to understand what vlans are, this is a gentle but good introduction: Virtual Local Area Networks (VLANs)
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Sat Mar 19, 2022 1:58 pm

He wants to use the capac, presumably with at least two vlans and possibly a third (as it comes with a 2 GHz and 5 GHz chain) and it's typical to run a few virtual WLANs.

Like 2.4 GHz iot, 2.4 GHz media, 5 GHz home, 5 GHz guests etc. That's four vlans, FIVE if there is a separate management vlan.
Moving to an all-vlan structure allows the OP max flex in adding networks, both wired and wireless, to the home setup.

All we are doing with the vlan setup is mimicking a managed switch for the most part, and there are just some unique setups (cookie cutter) that ensure this happens smoothly.
For the beginner, if vlans are needed, it's better to NOT use the bridge for any dhcp, ip pool etc, and keep it apples to apples and do it all on vlans, far less confusing!!
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Sat Mar 19, 2022 3:13 pm

Yes, my config is default for now, it's spare equipment that I managed to rescue from being thrown into e-waste (brand new equipment... I see no reason for throwing that...)

Right now I've created a management port on the router, I'm following @anav's tutorial from this topic, and that is working.

I've read why not to use VLAN1 and now I can see why @anav is so against it. I will follow your advice and I will not use VLAN1 for anything. I would like to learn the right way.

So if you say it's easier for the beginner to go all VLAN then ok, I mean, you are right, maybe I add a guest network or something in the future (but for now, guests connect to the other ISP router, so they are not even connected to the "main" network).

For the management port I have the 192.168.10.0/24 network; can I add a DHCP server with, for e.g., 2 or 3 available IPs? So I don't have to manually change NIC settings every time I want to connect?

@buckeye

Thank you for the article about VLANs.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Sat Mar 19, 2022 5:01 pm

Well it's not necessarily the RIGHT way, there are many successful ways to configure these devices. I am just fond of a clear and easy path for the beginner.
Once one gets more familiar with MT functionality, then exploring is up to the user. :-)

As for now, it's a good time to get a diagram published so your network is better appreciated.
What I see now is three devices: hapac3 router (wired and wireless), haplite wifi (2.4) plus 3 ethernet ports (but only 10/100), capac wifi (2.4/5) + 1 extra ether port (good for off bridge access IMHO).

Plan your setup.
What do you need for wifi (iot, guest, media, video, HOMEwifi)?
What do you need for wired lans: home, guest, iot, nas, other?
Now you have an idea of how many vlans you want to have (note the home VLAN works for both home wifi and home wired, so only one vlan is required; same for any other duplication).
Setup all vlans to the bridge on the hapac3.
Use the hap lite as a viable 2.4 GHz device (probably two WLANs).
Use the hapac as a viable 2.4 and 5 GHz WIFI device.
Use the hapac3 for 2.4 and 5 GHz wifi.

Plan location of wifi devices for coverage required.
Plan frequency/channels for wifi to ensure separation (non-interference) from the internal APs, and look at external wifi interference as well.

The hap lite and capac ether1 will be trunk ports to the hapac3; use ether2 on both units for OFF BRIDGE ACCESS.
To config both use this link and example: viewtopic.php?t=182276

***** As to your question, NO need to do anything fancy with off bridge, you can plug in any device with any IP within the address scope you assign to a particular device (.2 to .254), no need for any dhcp etc.

Note: If your home lan is trusted you don't necessarily need a management vlan. Up to you.

++++++++++++++++++++++++++++++++++

Seeing as you are port limited more than anything else, and you do not want to continue to use the haplite, then
hapac3
ether1 - fast ISP (primary), ether2 - slow ISP (secondary for failover),
ether3 - capac, ether4 - HOMELAN, ether5 - off bridge.

If you want to have a management vlan separately then get a managed switch such that
ether1 - fast ISP (primary), ether2 - slow ISP (secondary for failover),
ether3 - HOMELAN, ether4 - off bridge, ether5 - switch

Switch (if an RoS device) - ether1 from hapac3 (located next to hapac3)
ether2 - capac, ether3 - management vlan (if required), ether4 - off bridge
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Sat Mar 19, 2022 8:12 pm

So right now, I have two routers, for learning purposes:
-> hEX S is the "main router", it's without WiFi interfaces, it has the internet connection on ether1 (right now it's connected to ISP2 or, as you said, the slow ISP) and it's running MikroTik's default configuration.
-> hAP ac lite, configured as WISP AP bridge mode, not router, connected to the hEX S on ether5 (because I'm using PoE out on the hEX S)

This setup is for learning purposes because if I mess things up it doesn't matter. When I learn more then I will configure my home network.

So here is the network diagram, I will update it when I change something.
Drawing2.jpg
For wifi, for now I plan to create:
- Home WiFi, so my wife's phone, laptop, my phone, laptop, PS4, Chromecast, Xiaomi TV stick 4K and central heating thermostat. (2.4 and 5 GHz)
- Security WiFi, cameras and alarm system (2.4 GHz)
- Guest WiFi, all other devices, and it will be limited to 20/20 Mbps

For wired LAN:

- Home network where I will connect my desktop PC and my wife's work PC for now.

My home network can be trusted, but for learning purposes I can create separate VLANs.
My routers are locked in a network cabinet in some kind of utility room that is also locked and under CCTV, so I think that it is more secure than average; ports that are not used are disabled and ether2 on my AP is also disabled.

I also have an HP Aruba 8 port managed switch, and I'm waiting for MikroTik's switch (have to wait until May due to chip shortages).

I would like to go through all possible scenarios that I might need in the future.

But yes, you are right, for my home network I'm quite port limited; I think that on the hAP ac3 I have only one port available.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Sat Mar 19, 2022 10:44 pm

The hapac3 is not a problem, since you won't be using that in your office, there is no need for a home ethernet wired port there.
Thus you need
WAN, ether1 - fast ISP, ether2 - slow ISP, ether3 - capac, ether4 to managed switch, ether5 OFF BRIDGE.

The managed switch could also then connect to another managed switch as required. Assuming keeping the hex as a backup router.

Although the hapac3 wifi is wasted if that's the router you are using in some hole in the closed off space LOL.
You should get a better WIRED only router, RB5009 ;-)

At the managed switch you can hook up to the rest of the house as required.
Having a second managed switch at your desk gives you flexibility to try things, such as having both a home vlan and management vlan available just by switching the ethernet cable (if you decide to have a management vlan).
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Sat Mar 19, 2022 11:40 pm

Well its not necessarily the RIGHT way, there are many successful ways to configure these devices. I am just fond of a clear and easy path for the beginner.
Once one gets more familiar with MT functionality, then exploring is up to the user. :-)
@anav I agree with you that having a set of rules and standard configs can make it easier to manage, or to provide a working setup for someone that doesn't want to take the considerable time to understand well enough to "build a configuration from scratch".

Andreas Spiess had a 2022 New Years video on his youtube channel How To Use Rules to Increase Your Efficiency that is worth watching.

One problem I see frequently (I am not referring to this thread) are Frankenstein chimera configurations, where someone has copy/pasted parts of totally unrelated configurations but they don't understand enough to know how the pieces should fit together or how they are interdependent. Then they come with a mess, and want help with a part that they think will solve the problem, i.e. a case of the The X/Y Problem. This is one reason I dislike "recipes" with no explanations.

I see the "don't use vlan 1" as a generally good rule, just like "don't use 192.168.0.0/24, 192.168.1.0/24 or 192.168.88.0/24 for your home network". Not because they won't work, but because they are default values, and can lead to unintended problems. If you don't intend to ever use a vpn, which rfc1918 subnet you choose makes little difference, but it is easier to recommend avoiding common subnets than to have problems later when you decide you want to connect to home with a vpn, but find that you can't connect from your favorite coffee shop because they happened to choose the same default subnet that you did. In fact, you may want to make a note of the ip address you get on your mobile phone from the networks you are most likely to be connecting from, and be sure to choose something different for your home networks.

No matter what subnet you choose, it is possible that someone else will have chosen the same value, but you can greatly reduce the chance of a collision by avoiding the subnets that are the default values used by the major vendors.
Last edited by Buckeye on Sun Mar 20, 2022 9:24 am, edited 1 time in total.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Sun Mar 20, 2022 12:53 am

So right now, I have two routers, for learning purposes:
-> hEXs is "main router", it's without WiFi interfaces, it has internet connection on ether1 (right now it's connected to ISP2 or as you said, slow ISP) and it's running Mikrotik's default configuration.
-> hAP ac lite, configured as WISP AP bridge mode, not router, connected to hEXs on ether5 (because im using poe out on hEXs)

This setup is for learning purposes because if i mess things up it doesn't matter. When I learn more then i will configure my home network.
---snip---
I also have HP aruba 8 port managed switch, and im waiting for mikrotik's switch (have to wait until may due to chip shortages)
It is good you have extra routers to learn with. It makes experimenting possible without having to worry about breaking internet access for everyone in the house.

You mentioned that you have multiple ISPs. Do you plan to keep both? If so, you may want to learn about connecting to both ISPs through a single router as suggested by @anav, although depending on the speeds involved, neither the hEX S nor the hapac3 may be able to deal with the load. The RB5009 recommended by @anav should be a good choice, although it's new enough that not everything is optimized at this time, but that should get better in the future as the software support for the new processor and switch chip gets more attention. You could redeploy the hEX as a vlan-aware switch or as a "lab" router for testing.

The only MikroTik devices I currently have are an RB760iGS (hEX S) and two CSS106-5G-1S SwOS switches. I have a mutt network, with TP-Link (TL-SG108E) and Netgear (GS908E) "smart" vlan-aware switches, several Ubiquiti ER-X routers (similar to the hEX), and multiple "dumb" switches. I find vlans to be very useful, and on my hEX S and my ER-X routers, I have the switch chips in vlan-aware (vlan-filtering) mode, so I can have multiple ports on the routers be members of the same vlan. You should be able to add your HP switch without any problems, hopefully it is a 2530-8G Gb not a 2530-8 (100M). However, you will need to learn how vlans are configured on the Aruba switch, since there is no "standard" way to do that, every vendor has their own method, but the underlying vlans are all IEEE 802.1Q based at this time and will work on the wire with each other.

On the hEX S I am using v7.2rc4 because there are bug fixes related to the bridge features I am using. Since your network is for learning, you may want to consider using the testing release tree, but it is less tested than stable releases, but it does have fixes that the stable release tree does not have.

Configuring your hapac3 and hEX S with vlan-filtering bridge may take a bit more time to setup initially, but it makes future changes easier, especially if you want to add an access port for one of the vlans, directly on the router. It puts a layer of abstraction between the vlan interfaces and the ports they exist on.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Sun Mar 20, 2022 6:53 am

@anav

The hapac3 right now is in the bedroom on the second floor because the antenna for the wifi link is mounted on the roof.

I'm waiting for warmer weather so I can run the cable from the antenna to the network cabinet. In the network cabinet at the moment there is the ISP1 router (I know, not good for wifi but hey, for guests it's good for now hehe), and a 24V DC UPS power supply for all equipment, routers, APs and a cooling fan for the cabinet.

When I learn enough then I will redo the whole network.

For now, any changes I make will be on the hEX S and hAP ac lite.

@buckeye

Yes, the plan is to keep both ISPs until fiber internet becomes available (in about 2-3 years hopefully). The "Slow" ISP is here just as a redundancy for my wife. If the "Fast" ISP goes down she can connect to the "Slow" ISP. As for the speeds, the "Fast" ISP is about 165/130 Mbps DL/UL, and the "Slow" ISP is 23/1.25 Mbps DL/UL. I could order the RB5009 if needed. It would be nice to have automatic failover. I already searched a little for information about that topic.

As for the switches, I ordered the CSS106-1G-4P-1S (RB260GSP) but as I said, I have to wait until May for it to arrive. The Aruba I have is a 1930 Instant On JL680A, 8×1Gig RJ45 and 2×SFP.

As for configuring the hEX S with vlan-filtering, I would like that for sure. I will update the FW on the routers with this testing FW.

In the future, probably the hEX S or RB5009 would be the main router, and the capac would be the downstairs AP and the hapac3 would be the upstairs AP.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Sun Mar 20, 2022 9:16 am

Little update, I changed the subnets from default to something else so there are no "default" subnets. I hope that later today I will manage to find some time to start with @anav's tutorial.
Drawing3.jpg
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Sun Mar 20, 2022 9:19 am

Yes, the plan is to keep both ISPs until fiber internet becomes available (in about 2-3 years, hopefully). The "Slow" ISP is here just as redundancy for my wife: if the "Fast" ISP goes down she can connect to the "Slow" ISP. As for the speeds, the "Fast" ISP is about 165/130 Mbps DL/UL, and the "Slow" ISP is 23/1.25 Mbps DL/UL. I could order the RB5009 if needed. It would be nice to have automatic failover; I already searched a little for information about that topic.

As for the switches, I ordered the CSS106-1G-4P-1S (RB260GSP) but, as I said, I have to wait until May for it to arrive. The Aruba I have is the 1930 Instant On JL680A, 8×1Gig RJ45 and 2×SFP.

As for configuring the hEX S with vlan-filtering, I would like that for sure. I will update the FW on the routers with this testing FW.

In the future, probably the hEX S or RB5009 would be the main router, the cAP ac would be the downstairs AP and the hAP ac3 the upstairs AP.

I just looked and it seems that RB5009 are in short supply, so you will probably be using your hEX S for your main router for at least the next 6 months, unless you want to pay dearly. When you get fiber internet in the future, you will probably want to upgrade to a more powerful router than the hEX S, but the hEX S will probably be able to deal with your current internet. But if you are expecting to do a lot of inter-vlan routing, then the hEX may be a bottleneck, and will probably be a problem. So it will probably be best to try to keep hosts that will be transferring a lot of data between them on the same vlan and subnet (it is best practice to have only a single subnet per (v)lan, then dhcp will work). Within a subnet the CPU won't be involved; it will all be handled at layer 2 by the switch ASIC. So if you have a NAS, and your main consumer is your PC, it would put the least load on your hEX if the PC and the NAS are on the same subnet, because then no routing is needed, and things will be switched at L2 by the switch ASICs in the hEX S, hapac2 and JL680A. No CPU involvement from the hEX will be needed (as long as your bridge is configured correctly, and it is allowing the switch ASIC to do the heavy lifting).

If you haven't seen it, @anav has a good starting point with links to other useful info in this NEW USER PATHWAY TO CONFIG SUCCESS, but maybe you are not a new user, since you have quite a bit of MikroTik kit already.

But the first thing you need to do is decide what vlans you want to use, and make a plan so you will have a blueprint to work off of. And update your diagram with the switch, vlans and ip addresses you plan to use. I prefer to have the third octet of the ip address match the vlan id, but that is just a naming convention that makes it a bit easier to keep things straight. Maybe even create a google spreadsheet with a row for each vlan (including 1, even if you don't plan to use it, since it will be the default vlan). Then create a column for every port on every device you have and put T(agged), U(ntagged) or E(xcluded), or just leave it blank if a port isn't a member of that vlan. Having a document makes finding configuration mistakes easier (at least it does for me).

I would suggest creating an "off bridge" port to work from as @anav suggests, then from a PC connected to that "off bridge" port, configure the vlans on the bridge. And back up frequently... I lost some work because I didn't, and I should have known better. Then create a vlan trunk port on the hEX and the JL680A and connect them with a patch cable. Create some access ports on the JL680A, and at least one access port on the hEX. Then you should be able to put a PC on the access port on the hEX and a PC on the access port in the same vlan on the JL680A, and the two PCs should be able to ping each other. This should be true even if there is no "connection to the hEX CPU/routing engine" and even if the PCs can't get an ip address via dhcp; they should configure themselves APIPA link-local ip addresses "randomly" chosen from the 169.254.0.0/16 address block. You could open a cmd prompt on each PC, and use ipconfig to get the ip address each PC has assigned itself, and you should be able to ping the other PC if you know its address. Then you can configure a dhcp server on the hEX, and if you ipconfig /release and ipconfig /renew, the PCs should get an IP address from the hEX dhcp server. Then the PCs should be able to ping the hEX (at least if it is configured correctly and the firewall allows it). And each PC should be able to ping the other PC with the ip address the hEX leased it.

This post has some links to other things I found helpful when learning about the ROS way of dealing with vlans. But I would recommend loading v7.2rc4 if you are going to use vlans with the vlan-filtering single bridge method (at least on the hEX S).

You may want to search for the pdf manual for the JL680A. There are also some youtube videos on setting it up. I know I would use the local management myself (instead of cloud), since it appears that has a lot more features.

But then you could start playing with vlans between your MikroTik and the HP switch. (Note Well: HP means something different than most vendors when they use the term trunk. They mean "Link Aggregation" or what MikroTik calls Bonding. So don't get confused by the term trunk when you are working with your HP switch.)

Good luck, and happy learning.
Last edited by Buckeye on Sun Mar 20, 2022 10:39 pm, edited 1 time in total.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Sun Mar 20, 2022 9:31 am

Little update: I changed the subnets from the defaults to something else so there are no "default" subnets. I hope that later today I will manage to find some time to start with @anav's tutorial.
This may seem like nitpicking, but 172.0.0.0/24 is in the public address space. The RFC 1918 172 block is 172.16.0.0/12 (or 172.16.0.0 - 172.31.255.255).
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Sun Mar 20, 2022 2:43 pm

@buckeye

Yes, I tried to buy the RB5009 online and it's unavailable... and it's unknown when it will arrive... So hEX S it is :)

For now I just want to learn how to do VLANs and everything that is required to make it work properly.

So this is the VLAN table I made as you suggested. (This is for the test setup, but the same will be configured later on the real network.)
[attachment: hEXs test.png]
VLAN 1 is present but not used; none of the ports are members of that VLAN.
VLAN 10 is the "general" home network where the PC, home WiFi and other equipment connect, and maybe it should be the management network also? I mean, it's a trusted network.
VLAN 15 will be the guest WiFi network (ports not needed, this will be WiFi only).
VLAN 20 will be the CCTV network (maybe one port on the router, not sure for now).

I tagged ether5 for all VLANs as that port will be the trunk port for the AP (the access ports are the WiFi interfaces on the hAP ac lite, so I will untag VLANs as needed on those interfaces, if I understood correctly).
I untagged ether3 and ether4 as they will be access ports on the router so I can connect devices to that VLAN.

I also changed the management network subnet to 172.16.0.0/24 so it's not in public address space, and I assigned ether2 earlier to be the management port; it's off the bridge, I followed anav's tutorial for that.

Here is the test setup network diagram; I will update it as I progress or make any changes.
[attachment: Drawing4.jpg]
Also, the hEX S and hAP ac lite are updated to 7.2rc4.

Also, the link for the anav tutorial that you provided is not working, error 404.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Sun Mar 20, 2022 4:34 pm

So I tried to configure the router using the config from @anav's tutorial.

I added the VLANs that I need, added my addresses, and now this is the configuration from the hEX S:
# mar/20/2022 15:24:28 by RouterOS 7.2rc4
# software id =
#
# model = RB760iGS
# serial number = 
/interface bridge
add ingress-filtering=no name=Test_network vlan-filtering=yes
add admin-mac=DC:2C:6E:0D:34:53 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] comment="Managment port" name=ether2-mgmt
/interface vlan
add interface=Test_network name=CCTV_network vlan-id=20
add interface=Test_network name=Guest_network vlan-id=15
add interface=Test_network name=Home_network vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Home
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=172.16.0.2-172.16.0.5
add name=dhcp_pool3 ranges=172.16.5.2-172.16.5.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=ether2-mgmt name=dhcp1
add address-pool=dhcp_pool3 interface=bridge name=dhcp2
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=Test_network frame-types=admit-only-untagged-and-priority-tagged \
    interface=Home_network pvid=10
add bridge=Test_network frame-types=admit-only-untagged-and-priority-tagged \
    interface=Guest_network pvid=15
add bridge=Test_network frame-types=admit-only-untagged-and-priority-tagged \
    interface=CCTV_network pvid=20
add bridge=Test_network interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=Home
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=Test_network tagged=ether1,Test_network untagged=\
    Home_network,ether4 vlan-ids=10
add bridge=Test_network tagged=ether1,Test_network untagged=Guest_network \
    vlan-ids=15
add bridge=Test_network tagged=ether1,Test_network untagged=CCTV_network \
    vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2-mgmt list=LAN
add interface=Home_network list=Home
add interface=Guest_network list=Home
add interface=CCTV_network list=Home
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=172.16.5.1/24 comment=defconf interface=bridge network=172.16.5.0
add address=172.16.0.1/24 comment=Managment interface=ether2-mgmt network=\
    172.16.0.0
add address=172.16.10.1/24 interface=Home_network network=172.16.10.0
add address=172.16.15.1/24 interface=Guest_network network=172.16.15.0
add address=172.16.20.1/24 interface=CCTV_network network=172.16.20.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf interface=ether1
/ip dhcp-server network
add address=172.16.0.0/24 dns-server=172.16.0.1 gateway=172.16.0.1
add address=172.16.5.0/24 dns-server=172.16.5.1 gateway=172.16.5.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=172.16.10.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.10.1
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=MikroTik_eth_router
/system package update
set channel=testing
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Home
Windows reports internet access but can't access the internet. Right now there are no ports added to the new bridge; is that correct? Do the ports stay in the old bridge, or do I need to reassign them to the new bridge?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Sun Mar 20, 2022 5:21 pm

Buckeye is well meaning but he isn't giving you correct information in terms of requirements.
Specifically, the hEX S is not really a good choice for future fiber.
The hAP ac2 at the same price is far better and will meet expectations of 1Gig.
The hAP ac3 will as well, just with slightly less throughput.

My recommendation is the RB4011 or the RB5009 for wired only, but a hAP ac2 will do nicely for the same price as the hEX S (just don't turn the wifi on ;-) ).
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Sun Mar 20, 2022 5:38 pm

As for the config.

Not sure what you are doing, but it appears you are mixing apples and oranges.
The management port is NOT an off-bridge port.........

hence the hEX S should look like
ether1 - WAN
ether2 - off bridge completely different IP structure all you need is to set IP address --> 192.168.77.1/24 interface=ether2-offbridge network=192.168.77.0 { only used when required }
ether3 - Trunk port carrying three vlans
ether4 - wired to your laptop on vlan 10 home network.

Trusted network = vlan10 = home

Interface list + members
wan = ether1 (or name of interface if done through pppoe or vlan etc.......)
lan = vlan 10 name, vlan 15 name, vlan 20 name
home = vlan 10 name, ether2

Ip neighbours discovery interface list = home
Tool mac-server mac-winbox interface list= home

+++++++++++++++++++++++++++++++++++++++++++
not sure why you have a fetish for bridges, and your vlans are ALL wrong.........
ONE BRIDGE, no other work.

Identify the 3 vlans, all with interface= name of bridge
vlan 10 , vlan 20, vlan 30 all get IP pool, IP address, Dhcp server, dhcp server network.

Why is ether 1 on any bridge ????????
Keep ether2 off the bridge,
Use ether4 to the laptop pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
ether3 is the trunk port ingress-filtering=yes frame-types=admit-only-vlan-tagged

/interface bridge vlan
add bridge=bridgename tagged=bridgename,ether3 untagged=ether4 vlan-ids=10
add bridge=bridgename tagged=bridgename,ether3 vlan-ids=15
add bridge=bridgename tagged=bridgename,ether3 vlan-ids=20
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Sun Mar 20, 2022 5:52 pm

I followed the configuration from this topic: viewtopic.php?t=182276

So I presume there is no default configuration present? I have the default configuration, so that's why I have two bridges. I will redo the configuration.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Sun Mar 20, 2022 6:41 pm

New configuration done:
# mar/20/2022 17:24:19 by RouterOS 7.2rc4
# software id = 
#
# model = RB760iGS
# serial number =
/interface bridge
add admin- auto-mac=no comment=defconf \
    ingress-filtering=no name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=CCTV_network vlan-id=20
add interface=bridge name=Guest_network vlan-id=15
add interface=bridge name=Home_network vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=172.16.10.2-172.16.10.254
add name=dhcp_pool2 ranges=172.16.15.2-172.16.15.254
add name=dhcp_pool3 ranges=172.16.20.2-172.16.20.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=Home_network name=dhcp1
add address-pool=dhcp_pool2 interface=Guest_network name=dhcp2
add address-pool=dhcp_pool3 interface=CCTV_network name=dhcp3
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether4 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 vlan-ids=15
add bridge=bridge tagged=bridge,ether5 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Home_network list=Home
add interface=ether2 list=Home
add interface=Home_network list=LAN
add interface=Guest_network list=LAN
add interface=CCTV_network list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=172.16.0.1/24 interface=ether2 network=172.16.0.0
add address=172.16.10.1/24 interface=Home_network network=172.16.10.0
add address=172.16.15.1/24 interface=Guest_network network=172.16.15.0
add address=172.16.20.1/24 interface=CCTV_network network=172.16.20.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.15.0/24 gateway=172.16.15.1
add address=172.16.20.0/24 gateway=172.16.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Zagreb
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Home
Internet is present on ether4; I also get a 172.16.10.X address and can connect to winbox.
On the management port on ether2 I have internet but can't connect if I choose the IP address in winbox (the router is visible in winbox), but if I choose the MAC address I can connect.
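The single-bridge rules anav spells out above (one bridge, VLAN interfaces on the bridge rather than in it, WAN off the bridge, access ports with a matching pvid, trunk ports admitting only tagged frames, the bridge itself tagged in every VLAN) can be checked mechanically against an export. The linter below is an added example, not RouterOS code and not anything the posters in this thread wrote; the two sample exports at the bottom are trimmed excerpts of the two hEX S configs posted above, and it also flags the two points Buckeye raises (addresses outside RFC 1918 space, DHCP networks with no dns-server):

```python
"""Lint a RouterOS export against the single-bridge VLAN rules anav gives in this thread.
Added example, not RouterOS code or the posters' own; the two sample exports at the
bottom are trimmed excerpts of the hEX S configs posted above."""
import ipaddress
import re
import shlex
from collections import defaultdict


def parse_export(text):
    """Map each '/section' to its 'add' entries as key -> value dicts (continuation
    lines are joined first; 'set' lines and comments are skipped)."""
    sections, section = defaultdict(list), None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line[1:]
        elif line.startswith("add ") and section:
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            sections[section].append(dict(pairs))
    return sections


def lint(text):
    """Return a list of findings; an empty list means the VLAN layout looks sane."""
    cfg, out = parse_export(text), []
    bridges = [b["name"] for b in cfg["interface bridge"]]
    if len(bridges) != 1:  # anav: ONE bridge, nothing else
        out.append(f"expected exactly one bridge, found {bridges}")
    vlan_ifaces = {v["name"] for v in cfg["interface vlan"]}
    ports = {p["interface"]: p for p in cfg["interface bridge port"]}
    wan = {m["interface"] for m in cfg["interface list member"] if m["list"] == "WAN"}
    for name in ports:
        if name in wan:  # ether1 must never be a bridge port
            out.append(f"WAN interface {name} is a bridge port")
        if name in vlan_ifaces:  # VLAN interfaces sit on the bridge, not in it
            out.append(f"VLAN interface {name} is added as a bridge port")
    members = set()
    for row in cfg["interface bridge vlan"]:
        vid, bridge = row["vlan-ids"], row["bridge"]
        tagged = row["tagged"].split(",") if row.get("tagged") else []
        untagged = row["untagged"].split(",") if row.get("untagged") else []
        if bridge not in tagged:  # needed for the router itself to reach the VLAN
            out.append(f"vlan {vid}: bridge {bridge} is not tagged")
        for p in tagged + untagged:
            members.add(p)
            if p == bridge:
                continue
            if p not in ports or ports[p]["bridge"] != bridge:
                out.append(f"vlan {vid}: {p} is not a port of bridge {bridge}")
            elif p in untagged and ports[p].get("pvid", "1") != vid:
                out.append(f"vlan {vid}: access port {p} has pvid {ports[p].get('pvid', '1')}")
            elif p in tagged and ports[p].get("frame-types") != "admit-only-vlan-tagged":
                out.append(f"vlan {vid}: trunk port {p} should admit only VLAN-tagged frames")
    for name in ports:
        if name not in members and name not in vlan_ifaces:
            out.append(f"{name} is in no VLAN, so it falls into the implicit pvid 1")
    for a in cfg["ip address"]:  # Buckeye's 172.0.0.0 point: stay inside RFC 1918
        if not ipaddress.ip_interface(a["address"]).ip.is_private:
            out.append(f"{a['address']} on {a['interface']} is not RFC 1918 space")
    for n in cfg["ip dhcp-server network"]:
        if "dns-server" not in n:
            out.append(f"dhcp network {n['address']} hands out no dns-server")
    return out


# Trimmed excerpts of the two exports posted above: the two-bridge attempt, then the
# corrected single-bridge one (which still has a dhcp network without a DNS server).
CONFIG_FIRST = r"""
/interface bridge
add ingress-filtering=no name=Test_network vlan-filtering=yes
add auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=Test_network name=Home_network vlan-id=10
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=Test_network frame-types=admit-only-untagged-and-priority-tagged \
    interface=Home_network pvid=10
add bridge=Test_network interface=ether1
/interface bridge vlan
add bridge=Test_network tagged=ether1,Test_network untagged=\
    Home_network,ether4 vlan-ids=10
/interface list member
add comment=defconf interface=ether1 list=WAN
"""
CONFIG_SECOND = r"""
/interface bridge
add auto-mac=no comment=defconf ingress-filtering=no name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=Home_network vlan-id=10
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether5
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether4 vlan-ids=10
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
"""
```

Run `lint(CONFIG_FIRST)` and it reports the second bridge, ether1 sitting on a bridge, Home_network used as a bridge port, ether4 belonging to the other bridge and the trunk port admitting untagged frames; `lint(CONFIG_SECOND)` is down to ether3 having no VLAN membership (Buckeye's pvid 1 observation) and the VLAN 10 DHCP network handing out no DNS server.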
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Sun Mar 20, 2022 7:45 pm

I followed configuration from this topic viewtopic.php?t=182276
WHY ???
That is for an access point or switch; you are using the hEX as a ROUTER??? Not the same thing!!!
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Sun Mar 20, 2022 9:00 pm

Yeah, I realized that later... my mistake... I've made a new configuration. Now I have to configure the hAP ac lite using instructions from that topic, I presume? Just modify it to suit my needs.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Sun Mar 20, 2022 10:49 pm

Also link for anav tutorial that you provided is not working, error 404
Thanks for letting me know. I forgot to add the link, now fixed in the original post (edited).
 
Changed
[url]NEW USER PATHWAY TO CONFIG SUCCESS[/url]
to
[url=https://forum.mikrotik.com/viewtopic.php?p=906567]NEW USER PATHWAY TO CONFIG SUCCESS[/url]
Which displays like this: NEW USER PATHWAY TO CONFIG SUCCESS
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Mon Mar 21, 2022 12:30 am

Yeah, I realized that later... my mistake... I've made a new configuration. Now I have to configure the hAP ac lite using instructions from that topic, I presume? Just modify it to suit my needs.
Yup!!
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Mon Mar 21, 2022 12:41 am

Everything remaining in black is good!
Seems fine, you have off-bridge access on ether2; the only thing I don't understand is the parts of the original default config hanging around like a bad smell. :-)

/interface bridge
add admin- auto-mac=no comment=defconf \
ingress-filtering=no name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=CCTV_network vlan-id=20
add interface=bridge name=Guest_network vlan-id=15
add interface=bridge name=Home_network vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254 What is this for ???
add name=dhcp_pool1 ranges=172.16.10.2-172.16.10.254
add name=dhcp_pool2 ranges=172.16.15.2-172.16.15.254
add name=dhcp_pool3 ranges=172.16.20.2-172.16.20.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf What is this for ???
add address-pool=dhcp_pool1 interface=Home_network name=dhcp1
add address-pool=dhcp_pool2 interface=Guest_network name=dhcp2
add address-pool=dhcp_pool3 interface=CCTV_network name=dhcp3
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether3 ( what is ether 3 connected to??? )
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4 pvid=10 (assuming attached to your PC )
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \ ( assuming attached to switch or other smart device )
interface=ether5
add bridge=bridge comment=defconf interface=sfp1 (what is sfp1 connected to ???)
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether4 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 vlan-ids=15
add bridge=bridge tagged=bridge,ether5 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN what is this for...........
add comment=defconf interface=ether1 list=WAN
add interface=Home_network list=Home
add interface=ether2 list=Home
add interface=Home_network list=LAN
add interface=Guest_network list=LAN
add interface=CCTV_network list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\ ( what is this for? )
192.168.88.0

add address=172.16.0.1/24 interface=ether2 network=172.16.0.0
add address=172.16.10.1/24 interface=Home_network network=172.16.10.0
add address=172.16.15.1/24 interface=Guest_network network=172.16.15.0
add address=172.16.20.1/24 interface=CCTV_network network=172.16.20.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.15.0/24 gateway=172.16.15.1
add address=172.16.20.0/24 gateway=172.16.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
( what is this for )
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan ( what is this for?)
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Mon Mar 21, 2022 12:56 am

Internet is present on ether4; I also get a 172.16.10.X address and can connect to winbox.
On the management port on ether2 I have internet but can't connect if I choose the IP address in winbox (the router is visible in winbox), but if I choose the MAC address I can connect.
Think about it.
What is the input firewall rule that says something like "everything not from the LAN interface list is blocked."
Is ether2 part of the LAN interface list.......... NO.

So you could, just prior to the LAN rule, put this:
add chain=input action=accept in-interface=ether2

Not sure if you do this, but if you want to access winbox by IP you need to put the IP and PORT together: XX.YY.ZZ.BB:port#
I normally just use mac address.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

However, the fix above is cheap and not the better path! Let's improve the overall security of your router and access to the config.
This default rule, which says in a back-handed way: drop everything not coming from the LAN.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN


Means that all LAN users can access the router for required services such as DNS and possibly NTP, but ALSO can access the winbox port.
This is fine as default setting but once you know a bit more you want to ensure that only the admin has access to winbox.

So replace the rule above with this; now at least only users on the trusted subnet and your eth2 have access.
add chain=input action=accept in-interface-list=Home

But we can do better still: we should only allow the admin, not the entire trusted subnet, to have potential access to the config.
So we create an address list of IPs that are allowed (set admin devices as static fixed leases in DHCP server etc.........)
Thus our rule would look like

add chain=input action=accept in-interface-list=Home protocol=tcp dst-port=winboxport src-address-list=authorized

where src-address list is a firewall address list like so.
add address=IP of admin desktop list=authorized
add address=IP of admin laptop list=authorized
add address=IP of admin ipad list=authorized
add address=IP of admin smart phone list=authorized
add address=IP of OFF bridge (use something you will remember like 172.16.0.69) list=authorized

++++++++++++++++++++++++++++++++++++++

Okay, so now only the admin has access to the input chain, and ONLY to the winbox port.
But we need to give back the services for all LAN users.
Thus
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=udp
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=tcp

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Good so far, but there is something we are missing.............
Going back to the original rule, which was weirdly stated using the ! question mark symbol.........which is to be avoided in general by the new user for any other parts of the config.
It said block all not coming from LAN...........which means block all from WAN as well, which we DO VERY MUCH WANT.

The best way to accomplish this is to use a DROP rule at the end of the input chain. This blocks all WAN-to-router traffic and any other LAN-to-router traffic....
add chain=input action=drop comment="drop all else"

CAUTION: you will lock yourself out of the router if you put this in first.
Ensure this is the LAST firewall rule you put in, and ensure before doing so that you as admin can log in to winbox from the home LAN and from eth2 with the new rules in place.
Last edited by anav on Mon Aug 08, 2022 5:43 pm, edited 1 time in total.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Mon Mar 21, 2022 5:55 am

This is how I interpret the config in viewtopic.php?t=184164#p920254 Edited with corrected link to the correct latest config.

[attached image: gigabyte091_20200320_1724.png]
In other words, the way the config was in the post, if you plugged a PC into ether3, my guess is that your PC (if configured to obtain its ip address via dhcp) would have gotten an address from the 192.168.88.0/24 default-dhcp pool associated with the implicit PVID 1. The one that @anav hates and avoids.

That isn't consistent with what your "table" in viewtopic.php?t=184164#p920231 specifies for ether3, which I understood you wanted in vlan10, like ether4. If you plugged into ether4, I would have expected the PC to get an address from the 172.16.10.0/24 dhcp_pool1 pool (but probably not get a DNS server from the router, because the /ip dhcp-server network entries you added don't have dns-server=<ip address>; compare to the one from the defconf):
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.15.0/24 gateway=172.16.15.1
add address=172.16.20.0/24 gateway=172.16.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
Last edited by Buckeye on Mon Mar 21, 2022 9:17 am, edited 2 times in total.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Virtual WLAN and VLAN's

Mon Mar 21, 2022 8:28 am

This is how I interpret the config in viewtopic.php?t=184164#p920240
The config, posted in that post, is garbage:
  1. the user has two bridges: the default bridge without VLAN filtering and Test_network with vlan-filtering enabled.
  2. ports ether3, ether4, ether5 and sfp1 are members of bridge, so no VLANs there
  3. a few VLAN interfaces anchored to the Test_network interface
  4. bridge Test_network connects the untagged ends of the very same VLAN interfaces, and also connects ether1
  5. /interface bridge vlan is an attempt to make port membership correct ... but this section is mainly (only!) for egress ... without proper L2 (bridge port membership) this (L2.5) config can't make things work

Which means your analysis posted in image of a table is not valid.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Mon Mar 21, 2022 8:52 am

I copied the wrong link... I edited the post with the correct "latest" config, that had many of those errors corrected.

@mkx Sorry for wasting your time by posting the wrong link. I scrolled back but somehow scrolled over the latest.

It should have been this viewtopic.php?t=184164#p920254
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Mon Mar 21, 2022 5:23 pm

In brief: too many cooks spoil the broth, gig and I are on the same wavelength! :-)
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Mon Mar 21, 2022 7:49 pm

Ufff, so much new information, hehe; sorry for not posting, busy day at work...

Soooo, I updated the configuration (after reading the posts, of course, so I can see what is happening).

I forgot to assign ether3 to VLAN10, my mistake; that is corrected now, tested and working.
I deleted the default configuration (all of it, hopefully), so here is the updated configuration again:
# mar/21/2022 18:31:11 by RouterOS 7.2rc4
# software id = 2NZF-BKUH
#
# model = RB760iGS
# serial number = D4500FA09027
/interface bridge
add admin-mac=DC:2C:6E:0D:34:53 auto-mac=no comment=defconf \
    ingress-filtering=no name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=CCTV_network vlan-id=20
add interface=bridge name=Guest_network vlan-id=15
add interface=bridge name=Home_network vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=172.16.10.2-172.16.10.254
add name=dhcp_pool2 ranges=172.16.15.2-172.16.15.254
add name=dhcp_pool3 ranges=172.16.20.2-172.16.20.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=Home_network name=dhcp1
add address-pool=dhcp_pool2 interface=Guest_network name=dhcp2
add address-pool=dhcp_pool3 interface=CCTV_network name=dhcp3
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether4,ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 vlan-ids=15
add bridge=bridge tagged=bridge,ether5 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Home_network list=Home
add interface=ether2 list=Home
add interface=Home_network list=LAN
add interface=Guest_network list=LAN
add interface=CCTV_network list=LAN
/ip address
add address=172.16.0.1/24 interface=ether2 network=172.16.0.0
add address=172.16.10.1/24 interface=Home_network network=172.16.10.0
add address=172.16.15.1/24 interface=Guest_network network=172.16.15.0
add address=172.16.20.1/24 interface=CCTV_network network=172.16.20.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=172.16.10.254 client-id=1:f4:30:b9:d7:5:5a comment="Admin laptop" \
    mac-address=F4:30:B9:D7:05:5A server=dhcp1
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.15.0/24 gateway=172.16.15.1
add address=172.16.20.0/24 gateway=172.16.20.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=172.16.10.254 list=authorized
add address=172.16.0.2 list=authorized
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Winbox access" dst-port=8291 \
    in-interface-list=Home protocol=tcp src-address-list=authorized
add action=accept chain=input comment="Service (DNS)" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Service (DNS)" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Zagreb
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Home
@mkx
Yea, I know that was shit, I was using the wrong tutorial.

All of this is going into a PDF and I store it for later use (the wireguard tutorial is in a PDF now too, and the wifi config). I also read the other links and topics provided before attempting any configuration so I can understand what I am doing here, as there is no point in me blindly entering commands into the terminal without knowing what they are doing.

Also, I think that just copying commands without understanding would be highly disrespectful to anybody who is trying to help me here. I know this is a piece of cake for all of you.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Mon Mar 21, 2022 8:06 pm

Not a piece of cake, for sure...

The only overall suggestion I highly recommend is to ORGANIZE your firewall rules.
PUT ALL THE INPUT CHAIN RULES TOGETHER, FOLLOWED BY THE FORWARD CHAIN RULES.

(1) /interface list member
add comment=defconf interface=bridge list=LAN


You can remove bridge from the membership list of LAN;
it's fully covered by the vlans being members...

(2) /ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
INSERT--> add action=drop chain=input connection-state=invalid <-- INSERT
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp


In other words move the RULE at the end up into the correct order.

(3) I would simply put the letters winboxport# here, not the actual winbox port number you use. I would not publish it.
IF it is indeed 8291, CHANGE IT FROM DEFAULT!

add action=accept chain=input comment="Winbox access" dst-port=8291 \

(4) This rule should go after the forward chain IPSEC default rules and BEFORE the forward chain ALLOWED/ ESTABLISHED RULE

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes


(5) Lets make your forward chain, cleaner and safer........

We are going to dismantle this very ugly default rule (but it works well for the new beginner). What it basically says is: drop all traffic from WAN to LAN (good!!) but allow port forwarding to occur (good!).
However, it misses any LAN to LAN/WAN traffic we don't want to allow, or stated differently, it allows ALL LAN to LAN traffic and ALL LAN to WAN traffic (not good).
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


Thus we are going to make the port forwarding part of the rule very clear and easy to understand:
add chain=forward action=accept connection-nat-state=dstnat

Since we eliminate all LAN to LAN and LAN to WAN traffic, NORMALLY we add this rule......
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN { to permit internet traffic from the lan }

Finally, we want to drop all else (all LAN to LAN and all LAN to WAN) we have not expressly permitted above, and most importantly of all, DROP ALL WAN to LAN traffic!!!
add chain=forward action=drop comment="drop all else"

NOTE: if you wanted to allow VLANX to VLANY then make the appropriate rule prior to the drop all else rule.
If you wanted all to access a shared device then make an appropriate rule for that.
Last edited by anav on Mon Mar 21, 2022 11:25 pm, edited 1 time in total.
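The input chain anav builds up earlier in the thread and the forward chain he dismantles above, as an added Python model (not RouterOS code and not from any poster) that applies the rules first-match and shows why "drop all else" has to be the last rule. Interface lists, the authorized address list and port 8291 are taken from the configs in this thread; connection and NAT states are simplified stand-ins for conntrack.

```python
"""First-match model of the input/forward chain rules anav describes.
Added example, not RouterOS code: interface/address lists come from the thread's
configs; connection and NAT states are simplified stand-ins for conntrack."""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed from the thread's /interface list member and /ip firewall address-list.
INTERFACE_LISTS = {
    "Home": {"Home_network", "ether2"},
    "LAN": {"Home_network", "Guest_network", "CCTV_network"},
    "WAN": {"ether1"},
}
ADDRESS_LISTS = {"authorized": {"172.16.10.254", "172.16.0.2"}}
WINBOX_PORT = 8291  # the default; anav's advice is to change it and not publish the value


@dataclass
class Packet:
    chain: str                       # "input" (to the router) or "forward" (through it)
    in_iface: str
    src: str
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    out_iface: Optional[str] = None  # forward chain only
    conn_state: str = "new"          # new | established | related | untracked | invalid
    nat_state: Optional[str] = None  # "dstnat" once a port-forward matched the connection


@dataclass
class Rule:
    chain: str
    action: str
    comment: str = ""
    in_list: Optional[str] = None
    out_list: Optional[str] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    src_list: Optional[str] = None
    conn_state: Optional[Set[str]] = None
    nat_state: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """Every matcher that is set must hold; an unset matcher is a wildcard."""
        if self.in_list and p.in_iface not in INTERFACE_LISTS[self.in_list]:
            return False
        if self.out_list and p.out_iface not in INTERFACE_LISTS[self.out_list]:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.protocol and p.protocol != self.protocol:
            return False
        if self.src_list and p.src not in ADDRESS_LISTS[self.src_list]:
            return False
        if self.conn_state and p.conn_state not in self.conn_state:
            return False
        if self.nat_state and p.nat_state != self.nat_state:
            return False
        return True


TRACKED = {"established", "related", "untracked"}

# Input chain in the order anav recommends: tracked, invalid, explicit allows, final drop.
INPUT_RULES: List[Rule] = [
    Rule("input", "accept", "accept established,related,untracked", conn_state=TRACKED),
    Rule("input", "drop", "drop invalid", conn_state={"invalid"}),
    Rule("input", "accept", "accept ICMP", protocol="icmp"),
    Rule("input", "accept", "Winbox access", in_list="Home", dst_port=WINBOX_PORT,
         protocol="tcp", src_list="authorized"),
    Rule("input", "accept", "Service (DNS)", in_list="LAN", dst_port=53, protocol="udp"),
    Rule("input", "accept", "Service (DNS)", in_list="LAN", dst_port=53, protocol="tcp"),
    Rule("input", "drop", "drop all else"),
]

# Forward chain with the default WAN rule split into explicit allows plus a final drop.
FORWARD_RULES: List[Rule] = [
    Rule("forward", "accept", "accept established,related,untracked", conn_state=TRACKED),
    Rule("forward", "drop", "drop invalid", conn_state={"invalid"}),
    Rule("forward", "accept", "port forwarding", nat_state="dstnat"),
    Rule("forward", "accept", "LAN to internet", in_list="LAN", out_list="WAN"),
    Rule("forward", "drop", "drop all else"),
]


def evaluate(rules: List[Rule], packet: Packet) -> str:
    """First matching rule in the packet's chain decides; no match means accept."""
    for rule in rules:
        if rule.chain == packet.chain and rule.matches(packet):
            return rule.action
    return "accept"


def drop_all_else_first(rules: List[Rule], packet: Packet) -> str:
    """The lockout anav warns about: the same rules with 'drop all else' moved to the top."""
    last = [r for r in rules if r.comment == "drop all else"]
    rest = [r for r in rules if r.comment != "drop all else"]
    return evaluate(last + rest, packet)
```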
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Mon Mar 21, 2022 10:47 pm

Unfortunately, I can't make any changes until Wednesday because tomorrow I'm going on a business trip, but when I return I will continue with the changes.

As for the port, I tried to enter exactly what you wrote but the terminal was giving me an error, so I input the port number.

This configuration is for learning purposes only, and in the real configuration the port will be changed, of course.

It's a good thing that you explained a little bit of the firewall rules. I always put the default config here; I saw on a couple of sites and here on the forum that it's good enough.

I don't think that I will need vlans to communicate with each other, because the guest network will be internet access only, and the home network has all other devices excluding cctv and security. I could try to create a rule just for learning and testing.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Mon Mar 21, 2022 11:26 pm

Yup, no rush.
If you change the default winbox port you may have to log in again.
I use the MAC address and rarely if ever use IPaddress:port# at the winbox login.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Tue Mar 22, 2022 9:29 am

One question, which router should i buy, RB5009 or RB4011 ?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Virtual WLAN and VLAN's

Tue Mar 22, 2022 10:30 am

One question, which router should i buy, RB5009 or RB4011 ?

If you need a rock-solid solution now, then get the RB4011 and make sure its factory-installed software is 6.4x.y ... then keep ROS at v6.

If you can play a bit and wait for v7 and the RB5009 to become stable (as in behaviour, not as a marketing name), then get the RB5009 ... but don't complain if you experience any type of glitches in the next full year.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Tue Mar 22, 2022 11:04 am

I would rather have a rock-solid solution right now. And the RB5009 is not available... So the RB4011 is the better solution right now.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Tue Mar 22, 2022 12:53 pm

I ordered the RB4011 as there is no RB5009 available, and its delivery time is unknown.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Tue Mar 22, 2022 1:00 pm

Nice, the RB4011 on the latest long-term 6 firmware is your best bet. I went to ver7 on the one I have, to use wireguard.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Tue Mar 22, 2022 5:42 pm

Yea, and it has 10 ports plus SFP (I have an SFP to RJ45 adapter), so every room is connected directly to the router, no need for a switch. I also bought an RB260GSP so I can connect the AP (it's PoE out).

Tomorrow when I return I will continue with the configuration on the AP.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Virtual WLAN and VLAN's

Tue Mar 22, 2022 6:21 pm

Yea, and it has 10 ports plus sfp (i have sfp to rj45 adapter) ...

I'm sure you're aware that the device has two switch chips built in, each connecting half of the RJ45 ports. Each of the switch chips is in turn connected to the CPU, and the SFP+ port as well. So any traffic between any pair of these 3 entities (switch1, switch2, sfpplus1) has to pass through the CPU. So plan physical connections wisely to minimize the burden on the CPU.

In this regard, RB5009 is much better (single switch chip connecting all ports).
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Tue Mar 22, 2022 6:25 pm

Mkx, do you mean that inter-VLAN traffic between ports should drive one to ensure the maximum traffic is hosted within the same port half...
Aka if the maximum traffic is House Users accessing a NAS, then both the users' vlan and the NAS port, or the VLAN that the NAS is on, should be on one side..
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Virtual WLAN and VLAN's

Tue Mar 22, 2022 6:35 pm

With v6, the RB4011 doesn't do any VLAN in hardware, so with VLANs in the picture, one doesn't have to plan physical connections :wink:
But without VLANs (i.e. one single LAN) in v6 (or with VLANs in v7, where VLANs are offloaded to HW), one should take care to connect devices which communicate with each other most to the same group of ports (either ether1-ether5 or ether6-ether10) so that the switch chip does most of the work. So yes, by all means connect heavy users of the domestic SAN to the same group of ports as the SAN itself. Or connect multicast source and sinks (IP TV on my mind here) to the same group of ports ... although this is not so gross, IP TV streams are relatively modest at around 10Mbps give or take.
It's been said numerous times: the SFP+ port is ideal to be used as an all-routed port ... either to connect towards the ISP or to connect to a larger switch (as trunk port). But it is not as useful as "yet another switched port".
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Virtual WLAN and VLAN's

Tue Mar 22, 2022 8:29 pm

RB4011 is indeed a good choice...
If it is a home router, I would suggest you try v7 and Bridge Hardware Offloading...
If something does not work as expected you can always downgrade...
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Tue Mar 22, 2022 10:28 pm

The RB5009 is unavailable right now, and it's unknown when it will be available. The RB4011 was available but in small quantities (about 5 were available), so I took a chance and bought it.

I do have IPTV but it's connected to the other ISP's router (it's their service), so that won't be an issue.

So I have 6 ports in my rooms in total (2 in each room).

One port is for IPTV and one port is for my wife's work PC, so I could use, for example:

Ether6 to 9 as the home network, ether10 as the trunk port for APs, so the majority of traffic would be on one switch chip.

Ether5 could be the vlan for my wife's work PC.

Ether4 for the network video recorder. That would be the only link between the two switch chips because VLAN20 would go through ether10 and ether4. I have 7 cameras, 2 Mbps bandwidth, and it's recording on motion, so I presume that shouldn't be a problem for the router?
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Thu Mar 24, 2022 6:35 pm

So I managed to continue configuring the AP. I tried to use @anav's AP/switch config (I used the vlan id's and everything from my main router) and I get 3 separate WiFi networks, but can't get an IP... (At least the mgmt port is working...)

Here is my sad attempt at configuring the AP:
# jan/02/1970 01:12:40 by RouterOS 7.2rc4
# software id = 
#
# model = RB952Ui-5ac2nD
# serial number = 
/interface bridge
add ingress-filtering=no name=bridgeAP vlan-filtering=yes
/interface vlan
add interface=bridgeAP name=CCTV_network vlan-id=20
add interface=bridgeAP name=Guest_network vlan-id=15
add interface=bridgeAP name=Home_network vlan-id=10
/interface list
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Home \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Guest \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=CCTV \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=\
    croatia disabled=no frequency=2437 mode=ap-bridge name=GostiWiFi \
    rate-set=configured security-profile=Guest skip-dfs-channels=all ssid=\
    GostiWiFi supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=\
    enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-Ce \
    country=croatia disabled=no mode=ap-bridge name=KucniWifi \
    security-profile=Home skip-dfs-channels=all ssid=Kucni_WiFi \
    wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=XX:XX:XX:XX:XX:XX \
    master-interface=GostiWiFi multicast-buffering=disabled name=\
    Mreza_za_Goste_15 security-profile=Guest ssid=Gosti vlan-id=15 vlan-mode=\
    use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=\
    disabled
add disabled=no keepalive-frames=disabled mac-address=XX:XX:XX:XX:XX:XX \
    master-interface=GostiWiFi multicast-buffering=disabled name=\
    CCTV_mreza_20 security-profile=CCTV ssid=CCTV vlan-id=20 vlan-mode=\
    use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=\
    disabled
add disabled=no keepalive-frames=disabled mac-address=XX:XX:XX:XX:XX:XX \
    master-interface=KucniWifi multicast-buffering=disabled name=\
    Kucna_mreza_10 security-profile=Home ssid="Kucni wifi" vlan-id=10 \
    vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled \
    wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=Kucna_mreza_10 pvid=10
add bridge=bridgeAP interface=ether1
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=Mreza_za_Goste_15 pvid=15
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=CCTV_mreza_20 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Kucna_mreza_10 vlan-ids=\
    10
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Mreza_za_Goste_15 \
    vlan-ids=15
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=CCTV_mreza_20 vlan-ids=20
/interface list member
add interface=Kucna_mreza_10 list=Home
add interface=Mreza_za_Goste_15 list=Home
add interface=CCTV_mreza_20 list=Home
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.254/24 interface=ether1 network=172.16.10.0
/ip dns
set allow-remote-requests=yes servers=172.16.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.10.1
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Thu Mar 24, 2022 7:54 pm

A few things.......

(1) Only the trusted subnet has to be defined under vlans. I prefer to do all of them, if nothing else to communicate to yourself or the reader what is traveling through the device. (No change required.)
/interface vlan
add interface=bridgeAP name=CCTV_network vlan-id=20
add interface=bridgeAP name=Guest_network vlan-id=15
add interface=bridgeAP name=Home_network vlan-id=10

(2) The only items that need to be added to the HOME interface list are
a. the trusted subnet
b. any port you designated as an OFF bridge access.

Should look like ( MODIFY your setup!! )
/interface list member
add interface=Kucna_mreza_10 list=Home
add interface=ether2 list=Home


(3) THE MAIN PROBLEM - Your IP address is incorrectly assigned to ether1. FIX ASAP!!
Corrected
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.254/24 interface=Home_network network=172.16.10.0

EDIT: Fixed due to Bucks keen eye!!!


(4) MISSING TWO ITEMS....... ADD!!

A. /ip neighbor discovery-settings
set discover-interface-list=Home

B. /tool mac-server mac-winbox
set allowed-interface-list=Home
Last edited by anav on Thu Mar 24, 2022 9:28 pm, edited 3 times in total.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Thu Mar 24, 2022 8:41 pm

(3) THE MAIN PROBLEM - Your IP address is incorrectly assigned to ether1. FIX ASAP!!
Corrected
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.254/24 interface=bridgeAP network=172.16.10.0
@anav, I realize you know more about this than me, but can you explain why the address should be added to bridgeAP instead of Home_network? Since this is for vlan 10 (not the base PVID 1).

e.g. like this: add address=172.16.10.254/24 interface=Home_network network=172.16.10.0

From config:

/interface vlan
add interface=bridgeAP name=CCTV_network vlan-id=20
add interface=bridgeAP name=Guest_network vlan-id=15
add interface=bridgeAP name=Home_network vlan-id=10
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Thu Mar 24, 2022 9:24 pm

Because I screwed up, Buckeye! (My apologies there, giga...)
Good eye (pun intended) and thanks!... Note to self: don't try to address multiple problems in the same time frame.
As per the User article it should be an IP address on the Trusted subnet. Not sure what I was thinking!!!

This is indeed still wrong
add address=172.16.10.254/24 interface=ether1 network=172.16.10.0
and the correction, as you pointed out, should be...
add address=172.16.10.254/24 interface=Home_network network=172.16.10.0
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Thu Mar 24, 2022 9:39 pm

So I made the changes and my devices still can't get an IP address. I also changed 172.16.10.254 to .253 because my laptop is on .254.

Here is the config:
# jan/02/1970 01:12:40 by RouterOS 7.2rc4
# software id = 
#
# model = RB952Ui-5ac2nD
# serial number = 
/interface bridge
add ingress-filtering=no name=bridgeAP vlan-filtering=yes
/interface vlan
add interface=bridgeAP name=CCTV_network vlan-id=20
add interface=bridgeAP name=Guest_network vlan-id=15
add interface=bridgeAP name=Home_network vlan-id=10
/interface list
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Home \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Guest \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=CCTV \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=\
    croatia disabled=no frequency=2437 mode=ap-bridge name=GostiWiFi \
    rate-set=configured security-profile=Guest skip-dfs-channels=all ssid=\
    GostiWiFi supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=\
    enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-Ce \
    country=croatia disabled=no mode=ap-bridge name=KucniWifi \
    security-profile=Home skip-dfs-channels=all ssid=Kucni_WiFi \
    wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=XX:XX:XX:XX:XX:XX \
    master-interface=GostiWiFi multicast-buffering=disabled name=\
    Mreza_za_Goste_15 security-profile=Guest ssid=Gosti vlan-id=15 vlan-mode=\
    use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=\
    disabled
add disabled=no keepalive-frames=disabled mac-address=XX:XX:XX:XX:XX:XX \
    master-interface=GostiWiFi multicast-buffering=disabled name=\
    CCTV_mreza_20 security-profile=CCTV ssid=CCTV vlan-id=20 vlan-mode=\
    use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=\
    disabled
add disabled=no keepalive-frames=disabled mac-address=XX:XX:XX:XX:XX:XX \
    master-interface=KucniWifi multicast-buffering=disabled name=\
    Kucna_mreza_10 security-profile=Home ssid="Kucni wifi" vlan-id=10 \
    vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled \
    wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=Kucna_mreza_10 pvid=10
add bridge=bridgeAP interface=ether1
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=Mreza_za_Goste_15 pvid=15
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=CCTV_mreza_20 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Kucna_mreza_10 vlan-ids=\
    10
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Mreza_za_Goste_15 \
    vlan-ids=15
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=CCTV_mreza_20 vlan-ids=20
/interface list member
add interface=Kucna_mreza_10 list=Home
add interface=Mreza_za_Goste_15 list=Home
add interface=CCTV_mreza_20 list=Home
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.253/24 interface=Home_network network=172.16.10.0
/ip dns
set allow-remote-requests=yes servers=172.16.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.10.1
Regarding adding VLANs 15 and 20 instead of only 10, is it okay if I do it that way in the future? As you said, it may be easier to know what is happening.
 
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Thu Mar 24, 2022 10:13 pm

.................... good just one more step.........

/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.253/24 interface=Home_network network=172.16.10.0

Did you assign the address .253 manually on the AP? (It's what I would do.)

Next step is to go to the Router and DHCP leases, with the mac address of the AP and add your AP to the vlan manually, as a fixed static IP.
 
Buckeye
Forum Veteran
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Fri Mar 25, 2022 12:53 am

Regarding adding VLANs 15 and 20 instead of only 10, is it okay if I do it that way in the future? As you said, it may be easier to know what is happening.
If you do that, the hap ac lite will try to route within the hap ac lite, because it will have "connected" routes to all subnets.

In my opinion, if you want to have a single place to control inter-vlan routing, it would be better to do all intervlan routing from the same device where the firewall is defined.

I didn't think you wanted to allow guest to log into the hap ac lite anyway.

Edit: I don't even think you need the vlan interfaces for 15 and 20 on the hap ac lite, since it is essentially just acting as an L2 bridge with one interface to manage it from.

In other words, I think these lines are NOT needed:
/interface vlan
add interface=bridgeAP name=CCTV_network vlan-id=20
add interface=bridgeAP name=Guest_network vlan-id=15
add interface=bridgeAP name=Home_network vlan-id=10

as they represent the hap ac lite routing block's connection to the bridge, and we won't be doing routing on the hap ac lite, just bridging (switching) at the ethernet MAC layer. Inter-vlan routing and firewalling will be delegated to the hEX (or RB4011 when it is configured).
 
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Fri Mar 25, 2022 4:26 am

Interesting discussion, I concur they are not required, but thought it was not harmful in at least having them there as explanation.
Seems like that might not be the case. Good tip, I will look into it and modify my useful article if necessary.
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Fri Mar 25, 2022 8:49 am

.................... good just one more step.........

/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.253/24 interface=Home_network network=172.16.10.0

Did you assign the address .253 manually on the AP, (its what I would do).

Next step is to go to the Router and DHCP leases, with the mac address of the AP and add your AP to the vlan manually, as a fixed static IP.

Yes, I manually assigned 172.16.10.253/24 on the AP but... I didn't assign a static IP on the router... I forgot about that... Will do that when I'm back from work.

@Buckeye

So I just need to add the trusted subnet, in my case Home_network @ 172.16.10.0/24, and then I add the newly configured virtual wifi interfaces into the hAP's bridge and untag them with the correct ID? And the hEX will send all VLANs from its ether5, which is tagged for all VLANs (10, 15, 20), to ether1 on the hAP lite, where ether1 and bridgeAP are tagged so they accept all VLANs. And then the virtual wifi interfaces are access ports; I untag them with the VLANs I want on that interface. I hope I understand correctly.
 
Buckeye
Forum Veteran
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Fri Mar 25, 2022 10:17 am

So I just need to add the trusted subnet, in my case Home_network @ 172.16.10.0/24, and then I add the newly configured virtual wifi interfaces into the hAP's bridge and untag them with the correct ID? And the hEX will send all VLANs from its ether5, which is tagged for all VLANs (10, 15, 20), to ether1 on the hAP lite, where ether1 and bridgeAP are tagged so they accept all VLANs. And then the virtual wifi interfaces are access ports; I untag them with the VLANs I want on that interface. I hope I understand correctly.
To be honest, I haven't looked at how this works, my assumption was that there would still be a single bridge, but that part of it would be software based but with an "internal" trunk to the switch chip.

I drew this up, before I really read your post closely.
gigabyte091_hAP_ac_lite.png
Then I found this @pcunite Access Point setup and after skimming it, I think it is reasonably close to your config, with the exception that they have a more proper Management-only vlan, where yours is using the "home" vlan as the management access vlan.

But I will defer to others on this, because I have no way to test, since all I have is the hEX S with no wifi.

Note that you could enable other ports on the hAP ac lite to be access ports for vlans of your choosing, but if in a work environment, you would probably want the other ports disabled, or limited to being access ports for the guest vlan. In a home, I don't think that is a requirement, but how it is configured is up to your discretion.
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Fri Mar 25, 2022 10:31 am

Damn, that is a really detailed schematic :shock: :shock:

I can test whatever is needed, no problem at all.

Regarding other ports, I can configure it for the sake of learning but in reality, when I set up the proper network, I will use cAP ac; they have 2 ports, one trunk and one will be management so... Right now I have only one cAP ac, but when all the equipment arrives and I have some spare time, I will make a proper network.

I will draw network diagram later
 
Buckeye
Forum Veteran
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Fri Mar 25, 2022 10:45 am

Damn, that is a really detailed schematic :shock: :shock:
I stole most of that from the hap ac lite block diagram. These block diagrams exist for all MikroTik routers that I have been interested in.
Look in the product page https://mikrotik.com/product/RB952Ui-5a ... -downloads
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Fri Mar 25, 2022 5:37 pm

So in HexS under Leases I added the IP address I reserved for the AP = 172.16.10.253. I added the MAC address and chose dhcp server dhcp1 but there is no connection. Status is waiting.

Here is new HexS config:
# mar/25/2022 16:27:35 by RouterOS 7.2rc4
# software id = 2NZF-BKUH
#
# model = RB760iGS
# serial number = D4500FA09027
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf \
    ingress-filtering=no name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=CCTV_network vlan-id=20
add interface=bridge name=Guest_network vlan-id=15
add interface=bridge name=Home_network vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=172.16.10.2-172.16.10.254
add name=dhcp_pool2 ranges=172.16.15.2-172.16.15.254
add name=dhcp_pool3 ranges=172.16.20.2-172.16.20.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=Home_network name=dhcp1
add address-pool=dhcp_pool2 interface=Guest_network name=dhcp2
add address-pool=dhcp_pool3 interface=CCTV_network name=dhcp3
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether4,ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 vlan-ids=15
add bridge=bridge tagged=bridge,ether5 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Home_network list=Home
add interface=ether2 list=Home
add interface=Home_network list=LAN
add interface=Guest_network list=LAN
add interface=CCTV_network list=LAN
/ip address
add address=172.16.0.1/24 interface=ether2 network=172.16.0.0
add address=172.16.10.1/24 interface=Home_network network=172.16.10.0
add address=172.16.15.1/24 interface=Guest_network network=172.16.15.0
add address=172.16.20.1/24 interface=CCTV_network network=172.16.20.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=172.16.10.254 client-id=1:zz:zz:zz:zz:zz:zz comment="Admin laptop" \
    mac-address=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ server=dhcp1
add address=172.16.10.253 mac-address=YY:YY:YY:YY:YY:YY \
    server=dhcp1
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.15.0/24 gateway=172.16.15.1
add address=172.16.20.0/24 gateway=172.16.20.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=172.16.10.254 list=authorized
add address=172.16.0.2 list=authorized
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Winbox access" dst-port=8291 \
    in-interface-list=Home protocol=tcp src-address-list=authorized
add action=accept chain=input comment="Service (DNS)" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Service (DNS)" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Zagreb
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Home
 
Buckeye
Forum Veteran
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Sun Mar 27, 2022 12:15 am

So in HexS under Leases I added the IP address I reserved for the AP = 172.16.10.253. I added the MAC address and chose dhcp server dhcp1 but there is no connection. Status is waiting.
Given your situation, I would partition the problem.
  • Wired access to each vlan on RB760iGS
  • Wired access to each vlan via trunk link to hEX ac Lite ethernet ports
  • Wireless access to each vlan via trunk link and bridge to SSIDs
First make sure dhcp is working on every vlan when connected through the RB760iGS. If it doesn't work there, it won't work from the other side of a trunk port and wifi bridge. You should be able to connect a PC into RB760iGS port 4 and get an address from dhcp1 server in the 172.16.10.0/24 network. But if you plan to use the laptop across multiple vlans, the following section may cause a problem, but I don't know for sure what the following does

/ip dhcp-server lease
add address=172.16.10.254 client-id=1:zz:zz:zz:zz:zz:zz comment="Admin laptop" \
mac-address=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ server=dhcp1
add address=172.16.10.253 mac-address=YY:YY:YY:YY:YY:YY \
server=dhcp1

so I looked in DHCP Server documentation and I don't see any answer.

I am not understanding the documentation and how it relates to actual behavior on v7.2rc5 on an RB760iGS

DHCP Documentation from help.mikrotik.com

There seems to be only a small intersection between what /ip dhcp-server lease add [tab] shows and what the documentation shows here ROS/DHCP#DHCP-Parameters
[demo@MikroTik] /ip/dhcp-server/lease> add 
address                 client-id        disabled             queue-type 
address-lists           comment          insert-queue-before  rate-limit 
allow-dual-stack-queue  copy-from        lease-time           routes     
always-broadcast        dhcp-option      mac-address          server     
block-access            dhcp-option-set  parent-queue         use-src-mac
I assume it is assigning a static mapping between a MAC address and what address the dhcp-server will return to a client with that MAC address, but the documentation needs to be updated, and the dhcp-server in v7.2rc5 needs some additional work if many of the options in the documentation work in v6 (I have never used ROS v6, so I am only assuming that the documentation was copied from v6, and that it isn't all working yet in v7).

/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.15.0/24 gateway=172.16.15.1
add address=172.16.20.0/24 gateway=172.16.20.1

Shouldn't you be specifying a dns-server with each dhcp-server?

If a PC plugged into ether4 works, and can get to the internet, the next step will be to test the other vlans by reconfiguring bridge port ether3 to use a different pvid (and probably you will need to change the bridge vlan setting for the vlan specified by the pvid applied to ether3). Then verify that the PC connected to ether3 can get an ip address from the Guest and CCTV pools (when set to the appropriate pvid / vlan) After you have that working, then we will move to the hAP ac Lite (and start with adding access ports for each vlan using the available ethernet ports). Then when that's working we can move to the wifi.
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Sun Mar 27, 2022 8:36 am

So I tried to assign every VLAN to ether4 and I get an IP with the correct format (172.16.15.x for VLAN_15, 172.16.20.x for VLAN_20), and I get internet access (I'm writing this while on VLAN20), so I can presume that there is no problem with the wired connection on the hexs. (I untagged every VLAN on the desired port and I changed the PVID in port settings.)
VLAN_10.jpg
VLAN_15.jpg
VLAN_20.jpg
Regarding specifying dns-server in dhcp server, i don't know, but it's working without it.
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Sun Mar 27, 2022 9:12 am

Ok, I tried to untag ether3 on the switch/AP and nothing, can't get an IP, so something is wrong with the switch settings? I have an Aruba smart switch so I can test if I can get all vlans on it.
 
Buckeye
Forum Veteran
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Sun Mar 27, 2022 10:01 am

So I tried to assign every VLAN to ether4 and I get an IP with the correct format (172.16.15.x for VLAN_15, 172.16.20.x for VLAN_20), and I get internet access (I'm writing this while on VLAN20), so I can presume that there is no problem with the wired connection on the hexs. (I untagged every VLAN on the desired port and I changed the PVID in port settings.)

Regarding specifying dns-server in dhcp server, i don't know, but it's working without it.
I wouldn't untag multiple vlans on the same port; maybe that's not what you did, but what you said makes it sound like there were multiple vlans on the port. PVID only tells the switch what to do with incoming untagged ethernet frames. Having multiple vlans defined for the bridge port but untagging them all can lead to interesting results. I've seen it done on TP-Link SG108E switches to have asymmetric vlans for "port isolation", but that's not the way port isolation is usually implemented.

If you use ipconfig /all it will display more info, like this:
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
   Physical Address. . . . . . . . . : 
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : 
   IPv4 Address. . . . . . . . . . . : 192.168.101.196(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, March 07, 2022 11:40:33 PM
   Lease Expires . . . . . . . . . . : Sunday, March 27, 2022 5:35:26 PM
   Default Gateway . . . . . . . . . : 192.168.101.1
   DHCP Server . . . . . . . . . . . : 192.168.101.1
   DHCPv6 IAID . . . . . . . . . . . : 247214171
   DHCPv6 Client DUID. . . . . . . . : 
   DNS Servers . . . . . . . . . . . : 192.168.101.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
Can you tell us what is not working? Is it that you are not getting an IP address from the dhcp server when you connect to the wifi on the hap ac lite?

If that's the case, we need to add some access ports on the switch on the hap ac lite, and connect wired connections there to see if dhcp works. That will tell us if the problem is the trunk link or something with the wifi setup or link to the bridge. And I won't be of much help there.

First, can you connect to the hap ac lite from a PC connected to vlan 10? Can you ping 172.16.10.253 (the management interface on the hap ac lite) from a PC connected to the HEX vlan 10?

I just saw this:
Ok, I tried to untag ether3 on the switch/AP and nothing, can't get an IP, so something is wrong with the switch settings? I have an Aruba smart switch so I can test if I can get all vlans on it.
Can you post the updated hap ac lite config? Before and after, if you make the change below.

Try the following on the hap ac lite

/interface bridge port
add interface=ether2 pvid=10
add interface=ether3 pvid=15
add interface=ether4 pvid=20

/interface bridge vlan
set bridge=bridgeAP tagged=ether1,bridgeAP untagged=Kucna_mreza_10,ether2 vlan-ids=10
set bridge=bridgeAP tagged=ether1,bridgeAP untagged=Mreza_za_Goste_15,ether3 vlan-ids=15
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=CCTV_mreza_20,ether4 vlan-ids=20
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Sun Mar 27, 2022 11:04 am

Okay, so to clarify what I did:

First I untagged ether4 for VLAN15, then I changed the PVID to 15, plugged the laptop into ether4, and I get an IP address and internet access.
Then I untagged ether4 for VLAN20, then I changed the PVID to 20, plugged the laptop into ether4, and I get an IP address and internet access.

I didn't untag all vlans at the same time as I presume that won't work.

When I tried to ping 172.16.10.253 I get destination host unreachable.

When I tried to untag ports on the switch/AP I can't get an IP address.
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Sun Mar 27, 2022 11:32 am

Here is config before changes (just my test)
# jan/02/1970 07:34:35 by RouterOS 7.2rc5
# software id = 
#
# model = RB952Ui-5ac2nD
# serial number = 
/interface bridge
add ingress-filtering=no name=bridgeAP vlan-filtering=yes
/interface vlan
add interface=bridgeAP name=CCTV_network vlan-id=20
add interface=bridgeAP name=Guest_network vlan-id=15
add interface=bridgeAP name=Home_network vlan-id=10
/interface list
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Home \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Guest \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=CCTV \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=\
    croatia disabled=no frequency=2437 mode=ap-bridge name=GostiWiFi \
    rate-set=configured security-profile=Guest skip-dfs-channels=all ssid=\
    GostiWiFi supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=\
    enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-Ce \
    country=croatia disabled=no mode=ap-bridge name=KucniWifi \
    security-profile=Home skip-dfs-channels=all ssid=Kucni_WiFi \
    wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address= \
    master-interface=GostiWiFi multicast-buffering=disabled name=\
    Mreza_za_Goste_15 security-profile=Guest ssid=Gosti vlan-id=15 vlan-mode=\
    use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=\
    disabled
add disabled=no keepalive-frames=disabled mac-address= \
    master-interface=GostiWiFi multicast-buffering=disabled name=\
    CCTV_mreza_20 security-profile=CCTV ssid=CCTV vlan-id=20 vlan-mode=\
    use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=\
    disabled
add disabled=no keepalive-frames=disabled mac-address= \
    master-interface=KucniWifi multicast-buffering=disabled name=\
    Kucna_mreza_10 security-profile=Home ssid="Kucni wifi" vlan-id=10 \
    vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled \
    wps-mode=disabled
/interface bridge port
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=Kucna_mreza_10 pvid=10
add bridge=bridgeAP frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=Mreza_za_Goste_15 pvid=15
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=CCTV_mreza_20 pvid=20
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Kucna_mreza_10,ether3 \
    vlan-ids=10
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Mreza_za_Goste_15 \
    vlan-ids=15
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=CCTV_mreza_20 vlan-ids=20
/interface list member
add interface=Kucna_mreza_10 list=Home
add interface=ether2 list=Home
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.253/24 interface=Home_network network=172.16.10.0
/ip dns
set allow-remote-requests=yes servers=172.16.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.10.1
/system package update
set channel=testing
/tool mac-server mac-winbox
set allowed-interface-list=Home
And here is after @anav's config changes (Note: when I tried to input e.g. add interface=ether3 pvid=10, when I hit enter it asked me to provide the bridge so I put bridgeAP. When I tried to input the other command it asked me for a number at the end; I just hit enter and then I saw that none of the interfaces were untagged, so I untagged them manually.)
# jan/02/1970 07:42:53 by RouterOS 7.2rc5
# software id = 
#
# model = RB952Ui-5ac2nD
# serial number = 
/interface bridge
add ingress-filtering=no name=bridgeAP vlan-filtering=yes
/interface vlan
add interface=bridgeAP name=CCTV_network vlan-id=20
add interface=bridgeAP name=Guest_network vlan-id=15
add interface=bridgeAP name=Home_network vlan-id=10
/interface list
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Home \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Guest \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=CCTV \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=\
    croatia disabled=no frequency=2437 mode=ap-bridge name=GostiWiFi \
    rate-set=configured security-profile=Guest skip-dfs-channels=all ssid=\
    GostiWiFi supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=\
    enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-Ce \
    country=croatia disabled=no mode=ap-bridge name=KucniWifi \
    security-profile=Home skip-dfs-channels=all ssid=Kucni_WiFi \
    wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address= \
    master-interface=GostiWiFi multicast-buffering=disabled name=\
    Mreza_za_Goste_15 security-profile=Guest ssid=Gosti vlan-id=15 vlan-mode=\
    use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=\
    disabled
add disabled=no keepalive-frames=disabled mac-address= \
    master-interface=GostiWiFi multicast-buffering=disabled name=\
    CCTV_mreza_20 security-profile=CCTV ssid=CCTV vlan-id=20 vlan-mode=\
    use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=\
    disabled
add disabled=no keepalive-frames=disabled mac-address= \
    master-interface=KucniWifi multicast-buffering=disabled name=\
    Kucna_mreza_10 security-profile=Home ssid="Kucni wifi" vlan-id=10 \
    vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wmm-support=enabled \
    wps-mode=disabled
/interface bridge port
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=Kucna_mreza_10 pvid=10
add bridge=bridgeAP frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=Mreza_za_Goste_15 pvid=15
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=CCTV_mreza_20 pvid=20
add bridge=bridgeAP interface=ether3 pvid=10
add bridge=bridgeAP interface=ether4 pvid=15
add bridge=bridgeAP interface=ether5 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Kucna_mreza_10,ether3 \
    vlan-ids=10
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Mreza_za_Goste_15,ether4 \
    vlan-ids=15
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=CCTV_mreza_20,ether5 \
    vlan-ids=20
/interface list member
add interface=Kucna_mreza_10 list=Home
add interface=ether2 list=Home
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.253/24 interface=Home_network network=172.16.10.0
/ip dns
set allow-remote-requests=yes servers=172.16.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.10.1
/system package update
set channel=testing
/tool mac-server mac-winbox
set allowed-interface-list=Home
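As an added check (not from the thread, nor a MikroTik tool), this Python script parses RouterOS `/export` text and cross-checks the `/interface bridge port` table against the static `/interface bridge vlan` table: an access port whose pvid is not listed as untagged (what had to be fixed by hand above), a port untagged in several VLANs (the case Buckeye warns about), a trunk missing a VLAN, and an `add` without `bridge=` (the value the CLI prompted for). The export embedded in it is constructed to contain those mistakes and is not the hAP ac lite's real config.

```python
import re
from collections import defaultdict

# Constructed sample export: mirrors the hAP ac lite layout (bridgeAP, ether1
# trunk, ether3-5 access ports) but is NOT the thread's config. It contains
# five deliberate mistakes for the checker to find.
SAMPLE_EXPORT = r"""
/interface bridge port
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=Kucna_mreza_10 pvid=10
add bridge=bridgeAP frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgeAP interface=ether3 pvid=10
add bridge=bridgeAP interface=ether4 pvid=15
add bridge=bridgeAP interface=ether5 pvid=20
add interface=ether2 pvid=10
/interface bridge vlan
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Kucna_mreza_10,ether3 \
    vlan-ids=10
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=ether4 vlan-ids=15
add bridge=bridgeAP tagged=bridgeAP untagged=CCTV_mreza_20,ether4 vlan-ids=20
"""

# key=value tokens; values may be quoted (comment="Admin laptop") or bare
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_export(text):
    """Return {section: [ {key: value}, ... ]} for every 'add' line.

    A trailing backslash continues the line on the next one, exactly as in a
    RouterOS '/export' listing, so those are joined before tokenising.
    """
    sections = defaultdict(list)
    section = None
    joined = re.sub(r'\\\n\s*', ' ', text)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):
            section = line
        elif line.startswith('add ') and section:
            sections[section].append(
                {k: v.strip('"') for k, v in KV_RE.findall(line)})
    return sections


def split_list(value):
    return [x for x in value.split(',') if x] if value else []


def parse_vids(value):
    """Expand a vlan-ids value such as '10,15,20-22' into a set of ints."""
    vids = set()
    for part in split_list(value):
        lo, _, hi = part.partition('-')
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids


def check_bridge_vlans(text):
    """Cross-check bridge ports against the static bridge VLAN table.

    Returns a list of human-readable findings; empty means the tables agree.
    """
    cfg = parse_export(text)
    ports = cfg.get('/interface bridge port', [])
    vlans = cfg.get('/interface bridge vlan', [])
    bridges = {e['bridge'] for e in ports + vlans if 'bridge' in e}

    untagged_in = defaultdict(set)   # interface -> VLANs it egresses untagged
    tagged_in = defaultdict(set)     # interface -> VLANs it egresses tagged
    for v in vlans:
        vids = parse_vids(v.get('vlan-ids', ''))
        for iface in split_list(v.get('untagged', '')):
            untagged_in[iface] |= vids
        for iface in split_list(v.get('tagged', '')):
            tagged_in[iface] |= vids
    all_vids = set().union(*(parse_vids(v.get('vlan-ids', '')) for v in vlans))

    findings = []
    for p in ports:
        iface = p.get('interface', '?')
        if 'bridge' not in p:
            # RouterOS will not accept the 'add' without bridge=; the CLI
            # prompts for it instead of applying the command
            findings.append(f"{iface}: bridge port entry has no bridge=")
            continue
        if p.get('frame-types') == 'admit-only-vlan-tagged':
            # a trunk must carry every VLAN tagged or that VLAN ends here
            missing = sorted(all_vids - tagged_in[iface])
            if missing:
                findings.append(f"{iface}: trunk port not tagged for VLAN(s) {missing}")
            continue
        pvid = int(p.get('pvid', '1'))   # RouterOS default pvid is 1
        if pvid not in untagged_in[iface]:
            findings.append(f"{iface}: pvid={pvid} but not listed untagged in VLAN {pvid}")
        if len(untagged_in[iface]) > 1:
            findings.append(f"{iface}: untagged in several VLANs {sorted(untagged_in[iface])}")
    # the VLAN table may name the bridge itself (bridgeAP) or a real port only
    known = {p.get('interface') for p in ports} | bridges
    for iface in sorted(set(untagged_in) | set(tagged_in)):
        if iface not in known:
            findings.append(f"{iface}: in bridge vlan table but is not a bridge port")
    return findings


if __name__ == "__main__":
    for finding in check_bridge_vlans(SAMPLE_EXPORT):
        print(finding)
```

Paste a real `/export` into `SAMPLE_EXPORT` (or read it from a file) to run the same checks on your own AP; an empty result means every access port, trunk and VLAN entry agrees.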
 
Buckeye
Forum Veteran
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Sun Mar 27, 2022 12:19 pm

How are you getting connected to the hAP ac lite?

Is link status up on the trunk between the hEX and the hAP?

/interface ethernet print detail

If you issue /interface bridge host print on the hAP and the hEX, can you see more than one Ethernet MAC address for each VID?

https://jcutrer.com/howto/networking/mi ... ress-table

What about /ip arp print?
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Sun Mar 27, 2022 12:42 pm

Here is config before changes (just my test)
---snip---

And here is after @anav config changes (Note: when I tried to input e.g. add interface=ether3 pvid=10, when I hit enter it asked me to provide a bridge, so I put bridgeAP. When I tried to input the other command it asked me for a number at the end; I just hit enter and then I saw that none of the interfaces were untagged, so I untagged them manually)
Yes, I had several errors there... sorry.

As for the number, I think you have to use [ find ... ] but I haven't quite figured out the syntax in every case.

Using WinBox makes modifying existing things easier than the command line, at least in a one-off situation.

For example from another post I made today.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Sun Mar 27, 2022 1:46 pm

So on the hAP ac lite I have ether2 as a management port with a different address (172.16.50.1), and that is how I connect to the AP and make any changes.

Here you can see what i get when i list interfaces:
Ether_list_1.jpg
Ether_list_2.jpg
For ether5 (trunk port on the hex) I see one MAC address for each VID and they are the same.

For ether1 on the hAP ac lite I only see one MAC address, and that is only for VID 10.

For arp print on the hAP ac lite I get:

0 DC 172.16.10.1 mac address Home_network
1 DC 172.16.50.2 mac address ether1

On hexs:

# ADDRESS MAC-ADDRESS INTERFACE
0 D 172.16.20.254 Same MAC CCTV_network
1 D 172.16.15.254 Same MAC Guest_network
2 DC 172.16.10.253 Different MAC Home_network
3 DC 172.16.10.254 Same MAC Home_network
4 DC 172.16.10.254 Same MAC Guest_network
5 D 192.168.1.106 No MAC ether1
6 DC 192.168.1.1 Different MAC ether1
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Sun Mar 27, 2022 5:20 pm

Why are you putting vlans inside wifi settings?
They only need to be connected to the WLAN at the bridge port setting.............

Further why do you have FIVE WLANS?
What are the other two for??

Here is a fixed up config.... You don't need to identify the other vlans as they are simply going through the ap/switch from ether1 to their respective bridge port.
Also, they do not need to be tagged to the bridge either! Added refinements to bridge ports.......
The five wlans have been reduced to THREE: set wlan1, set wlan2, add virtual wlan.
/interface bridge
add ingress-filtering=no name=bridgeAP vlan-filtering=yes
/interface vlan
add interface=bridgeAP name=Home_network vlan-id=10
/interface list
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Home \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Guest \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=CCTV \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=\
    croatia disabled=no frequency=2437 mode=ap-bridge name=Mreza_za_Goste_15 \
    rate-set=configured security-profile=Guest skip-dfs-channels=all ssid=\
    GostiWiFi supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=\
    enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-Ce \
    country=croatia disabled=no mode=ap-bridge name=Kucna_mreza_10 \
    security-profile=Home skip-dfs-channels=all ssid=Kucni_WiFi \
    wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
# virtual AP on the 2.4 GHz radio; master-interface must use wlan1's current name
add disabled=no keepalive-frames=disabled mac-address= \
    master-interface=Mreza_za_Goste_15 multicast-buffering=disabled name=\
    CCTV_mreza_20 security-profile=CCTV ssid=CCTV wds-cost-range=0 \
    wds-default-cost=0 wmm-support=enabled wps-mode=disabled
/interface bridge port
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=Kucna_mreza_10 pvid=10
add bridge=bridgeAP frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=Mreza_za_Goste_15 pvid=15
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=CCTV_mreza_20 pvid=20
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=15
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Kucna_mreza_10,ether3 \
    vlan-ids=10
add bridge=bridgeAP tagged=ether1 untagged=Mreza_za_Goste_15,ether4 \
    vlan-ids=15
add bridge=bridgeAP tagged=ether1 untagged=CCTV_mreza_20,ether5 \
    vlan-ids=20
/interface list member
add interface=Home_network list=Home
add interface=ether2 list=Home
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.253/24 interface=Home_network network=172.16.10.0
/ip dns
set allow-remote-requests=yes servers=172.16.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.10.1
/system package update
set channel=testing
/tool mac-server mac-winbox
set allowed-interface-list=Home
Last edited by anav on Mon Mar 28, 2022 2:04 am, edited 3 times in total.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Sun Mar 27, 2022 8:03 pm

Because I'm an idiot... I added three virtual wireless interfaces... and I didn't use the real interfaces at all... So I assign vlans at the bridge port settings only, I don't touch anything else.

Tomorrow I will change the configuration (I will leave ether3, 4 and 5 for now just for testing; later I will disable them as they are not needed).
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Sun Mar 27, 2022 11:58 pm

Correct................ it all depends if your fingers obey the brain when making the changes. :-)
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Mon Mar 28, 2022 1:50 am

And here is after @anav config changes
Since it doesn't seem that the firewall is enabled, I don't know if this makes any difference or not. But it probably is affecting the ability of mac-winbox to work with vlan 10.

So this is more of a question, than a suggestion.

Shouldn't Kucna_mreza_10 be replaced with Home_network as the home interface list member?

And since you currently have vlan interfaces for 15 and 20, at least while debugging perhaps add the lines shown below.
This should send out L2 LLDP (CDP-like) discovery. Then it is possible it may be visible with /ip neighbor print, although my RB760iGS doesn't display my CSS106-5G-1S switch or ER-X (but I may have sending discovery turned off on it).

Here's a new modifier I discovered that will make seeing "interesting" MAC table entries easier. But if the MAC addresses have aged out, they may not still be loaded, so you should have something sending broadcasts (even pinging a non-existent IP in each vlan from the RB760iGS should trigger it to send ARP broadcasts to attempt to find the device with that IP address, and that should be sufficient to get the MAC address of the RB760iGS loaded into the bridge/switch of the hAP ac lite; then you should be able to see the hEX S MAC address from the hAP on all three VIDs).

/interface bridge host print where external
to see only MAC addresses that are not local to the device you are issuing the command from.

/ip arp print
to see any IP address associated with the MAC addresses.

----------

/interface vlan
add interface=bridgeAP name=CCTV_network vlan-id=20
add interface=bridgeAP name=Guest_network vlan-id=15
add interface=bridgeAP name=Home_network vlan-id=10

---------------

/ip neighbor discovery-settings
set discover-interface-list=Home

/interface list member
add interface=Home_network list=Home
add interface=Guest_network list=Home
add interface=CCTV_network list=Home
add interface=ether2 list=Home
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.253/24 interface=Home_network network=172.16.10.0
---snip---
/tool mac-server mac-winbox
set allowed-interface-list=Home
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Mon Mar 28, 2022 1:55 am


Since it doesn't seem that firewall is enabled, I don't know if this makes any difference or not. But it probably is affecting the ability of mac-winbox to work with vlan-10

So this is more of a question, than a suggestion.
Shouldn't Kucna_mreza_10 be replaced with Home_network as the home interface list member?
(1) CORRECT, good catch!!
The trusted subnet is the VLAN not the WLAN LOL..............

This is what it should be!
/interface list member
add interface=Home_network list=Home
Last edited by anav on Mon Mar 28, 2022 1:58 am, edited 2 times in total.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Mon Mar 28, 2022 1:56 am

/interface list member
add interface=Home_network list=Home
add interface=Guest_network list=Home
add interface=CCTV_network list=Home
add interface=ether2 list=Home
(2) No, the only required member of the interface list is the trusted subnet.
It will show up properly in winbox and is accessible from the trusted subnet only for configuration purposes.
There is no security reason to let all vlans see mac address of managed devices.
Same goes why ether2 is there as well.
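The checks the two posters walked through above (each access port's pvid against the bridge VLAN table, the trunk tagged in every VLAN, the virtual AP's master-interface after wlan1 was renamed, and the management interface list pointing at the VLAN interface rather than the WLAN bridge port) can be run mechanically against an export. The following is an added example, not code from either poster or from MikroTik: a Python script that parses the text of a RouterOS `/export` and reports the inconsistencies. The sample export is constructed from the configs posted in this thread with those mistakes left in; the assumption that the board has ether1 to ether5 (the hAP ac lite) is a parameter.

```python
"""Consistency checker for a RouterOS bridge/VLAN export (added example, not RouterOS code)."""
import re
from collections import defaultdict

# Constructed sample modelled on the configs posted in this thread, with three mistakes kept
# in: a virtual AP whose master-interface still uses the old wlan1 name, a WLAN that tags
# VLAN 10 itself while its bridge port admits only untagged frames, and the WLAN (not the
# VLAN interface) as the management interface-list member.
SAMPLE_EXPORT = r"""
/interface bridge
add name=bridgeAP vlan-filtering=yes
/interface vlan
add interface=bridgeAP name=Home_network vlan-id=10
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge name=Mreza_za_Goste_15 ssid=GostiWiFi
set [ find default-name=wlan2 ] mode=ap-bridge name=Kucna_mreza_10 ssid=Kucni_WiFi \
    vlan-id=10 vlan-mode=use-tag
add master-interface=GostiWiFi name=CCTV_mreza_20 ssid=CCTV
/interface bridge port
add bridge=bridgeAP frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=Kucna_mreza_10 pvid=10
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=Mreza_za_Goste_15 pvid=15
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=CCTV_mreza_20 pvid=20
add bridge=bridgeAP interface=ether3 pvid=10
/interface bridge vlan
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Kucna_mreza_10,ether3 vlan-ids=10
add bridge=bridgeAP tagged=ether1 untagged=Mreza_za_Goste_15 vlan-ids=15
add bridge=bridgeAP tagged=ether1 untagged=CCTV_mreza_20 vlan-ids=20
/interface list member
add interface=Kucna_mreza_10 list=Home
add interface=ether2 list=Home
/tool mac-server mac-winbox
set allowed-interface-list=Home
"""

KV = re.compile(r'([\w-]+)=("[^"]*"|\S*)')
UNTAGGED_ONLY = "admit-only-untagged-and-priority-tagged"


def parse_export(text):
    """Return {menu path: [entry dict, ...]}, joining backslash-continued lines."""
    sections, section, buf = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            section = line
            continue
        # 'set [ find default-name=wlan1 ] k=v' -> 'set default-name=wlan1 k=v'
        body = re.sub(r"\[\s*find\s+(.*?)\s*\]", r"\1", line)
        verb, _, rest = body.partition(" ")
        entry = {k: v.strip('"') for k, v in KV.findall(rest)}
        entry["_verb"] = verb
        sections[section].append(entry)
    return sections


def check_export(text, ether_ports=5):
    """Return human-readable problems; an empty list means the tables agree."""
    cfg, problems = parse_export(text), []
    ethers = {f"ether{n}" for n in range(1, ether_ports + 1)}  # assumption: 5-port board
    wlans = {e["name"] for e in cfg["/interface wireless"] if "name" in e}
    known = ethers | wlans | {e["name"] for e in cfg["/interface vlan"] + cfg["/interface bridge"]}
    ports = {e["interface"]: e for e in cfg["/interface bridge port"]}
    vlan_rows = cfg["/interface bridge vlan"]

    for w in cfg["/interface wireless"]:
        master = w.get("master-interface")
        if master and master not in wlans:
            problems.append(f"wireless {w.get('name', '?')}: master-interface {master} does not exist")
        port = ports.get(w.get("name"))
        if w.get("vlan-mode") == "use-tag" and port and port.get("frame-types") == UNTAGGED_ONLY:
            problems.append(f"wireless {w['name']}: vlan-mode=use-tag but its bridge port admits "
                            "only untagged frames, so every client frame is dropped")

    for name, p in ports.items():
        if name not in known:
            problems.append(f"bridge port {name}: unknown interface")
        pvid = p.get("pvid", "1")
        if p.get("frame-types") == "admit-only-vlan-tagged":
            missing = [r["vlan-ids"] for r in vlan_rows if name not in r.get("tagged", "").split(",")]
            if missing:
                problems.append(f"trunk {name}: not tagged in vlan(s) {','.join(missing)}")
        elif pvid != "1" and not any(r["vlan-ids"] == pvid and name in r.get("untagged", "").split(",")
                                     for r in vlan_rows):
            problems.append(f"access port {name}: pvid {pvid} has no untagged entry in /interface bridge vlan")

    # Management belongs on the VLAN interface (or an off-bridge port), never on a bridge slave.
    mac_winbox = cfg["/tool mac-server mac-winbox"]
    mgmt_list = mac_winbox[0].get("allowed-interface-list") if mac_winbox else None
    for m in cfg["/interface list member"]:
        if m["list"] == mgmt_list and m["interface"] in ports:
            problems.append(f"interface list {mgmt_list}: {m['interface']} is a bridge port, "
                            "use the VLAN interface that carries the management address instead")
    return problems


if __name__ == "__main__":
    for problem in check_export(SAMPLE_EXPORT):
        print("PROBLEM:", problem)
```

Run against the sample it prints three problems; applying the fixes the thread arrived at (master-interface on the renamed wlan1, no wireless-side tagging, Home_network instead of Kucna_mreza_10 in the list) brings it to zero. Paste a real `/export` into `SAMPLE_EXPORT` to check your own AP.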
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Mon Mar 28, 2022 2:54 am

(2) No, the only required member of the interface list is the trusted subnet.
It will show up properly in winbox and is accessible from the trusted subnet only for configuration purposes.
There is no security reason to let all vlans see mac address of managed devices.
Same goes why ether2 is there as well.

ether2 is how he has been configuring the hAP; the other isn't working... it's his "off bridge" connection at this time. At least that was what I understood from this post.
So on hAP ac lite i have ether2 as managment port with different address (172.16.50.1) and that is how i connect to AP and make any changes.

I agree with you, once the problem has been discovered and fixed, then the vlan interfaces should be removed.

This was only a suggestion for when troubleshooting, since there is still an apparent L2 issue, at least if I understand what gigabyte091 said his testing procedure was.

My understanding was that he added on the hap ac lite, an access port for vlan 10 on ether3, an access port for vlan 15 on ether4, and an access port for vlan 20 on ether5. But when he connected a PC to those ports, the PC did not get an ip address via dhcp. But when he plugged the same device into an access port on the hex, it did get an ip address. I am not understanding why that is, and if that doesn't work, the root cause needs to be fixed before adding wifi setup to the mix. At least that would be my troubleshooting plan.

The following is from the second config he posted in this post. And my eyes don't see any reason it shouldn't work for wired connections on hap ports 3-5.

This is as it was posted; the relevant parts are the bridge port and bridge vlan sections. ether1 is the trunk to the hex, 3-5 are access ports, one for each vlan.

/interface bridge port
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=Kucna_mreza_10 pvid=10
add bridge=bridgeAP frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=Mreza_za_Goste_15 pvid=15
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
interface=CCTV_mreza_20 pvid=20
add bridge=bridgeAP interface=ether3 pvid=10
add bridge=bridgeAP interface=ether4 pvid=15
add bridge=bridgeAP interface=ether5 pvid=20

/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Kucna_mreza_10,ether3 \
vlan-ids=10
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=Mreza_za_Goste_15,ether4 \
vlan-ids=15
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=CCTV_mreza_20,ether5 \
vlan-ids=20

Since the dhcp server is on the hex, this should all be L2 on the hap when a PC is plugged into a hap access port.

On the ER-X I would use tcpdump. I am sure there is a way to capture traffic with ROS, but since gigabyte091 has an Aruba switch, my next test would be connecting a switch on the trunk link as a tap and using Wireshark to see what is really going across the wire. But that adds another unknown to the equation (the Aruba switch), so if we can use ROS, and someone that's done it wants to chime in, please do. Doing it at the switch with a mirror port would be the most likely way to see the traffic, but I don't know if that is compatible with the bridge setup or not (and that is why in general I use external taps when troubleshooting; I am not changing the device under test).
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Mon Mar 28, 2022 8:00 pm

So I think I made all the changes but no luck... still not working... I'm tempted to delete all config and start over line by line...
# jan/02/1970 17:00:03 by RouterOS 7.2rc5
# software id = 
#
# model = RB952Ui-5ac2nD
# serial number = 
/interface bridge
add ingress-filtering=no name=bridgeAP vlan-filtering=yes
/interface vlan
add interface=bridgeAP name=Home_network vlan-id=10
/interface list
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Home \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Guest \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=CCTV \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=\
    croatia disabled=no frequency=2437 mode=ap-bridge name=GostiWiFi \
    rate-set=configured security-profile=Guest skip-dfs-channels=all ssid=\
    GostiWiFi supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=\
    enabled wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-Ce \
    country=croatia disabled=no mode=ap-bridge name=KucniWifi \
    security-profile=Home skip-dfs-channels=all ssid=KucniWiFi \
    wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:63:DC:11 \
    master-interface=GostiWiFi multicast-buffering=disabled name=\
    CCTV_mreza_20 security-profile=CCTV ssid=CCTV wds-cost-range=0 \
    wds-default-cost=0 wmm-support=enabled wps-mode=disabled
/interface bridge port
add bridge=bridgeAP frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=10
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=15
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=20
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=KucniWifi pvid=10
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=GostiWiFi pvid=15
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged \
    interface=CCTV_mreza_20 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=KucniWifi,ether3 \
    vlan-ids=10
add bridge=bridgeAP tagged=ether1 untagged=GostiWiFi,ether4 vlan-ids=15
add bridge=bridgeAP tagged=ether1 untagged=ether5,CCTV_mreza_20 vlan-ids=20
/interface list member
add interface=Home_network list=Home
add interface=ether2 list=Home
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.253/24 interface=Home_network network=172.16.10.0
/ip dns
set allow-remote-requests=yes servers=172.16.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.10.1
/system package update
set channel=testing
/tool mac-server mac-winbox
set allowed-interface-list=Home
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Virtual WLAN and VLAN's

Mon Mar 28, 2022 9:14 pm

Hi giga,
That looks 100% correct!!

The only difference compared to my cAP ac is that I define all three vlans (they could be any name):
/interface vlan
add interface=bridgeAP name=Home_network vlan-id=10
add interface=bridgeAP name=guest vlan-id=15
add interface=bridgeAP name=cctv vlan-id=20

Don't think it would make a difference in your case but worth a shot.
Perhaps the right approach is a fresh re-install of the latest firmware and just copy what you have back........... :-(
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Tue Mar 29, 2022 12:10 am

I feel reluctant to ask this, but are you sure the cable is connected from ether5 of the RB760iGS to port ether1 of the RB952Ui-5ac2nD?

I have done my share of troubleshooting something when I had a cable plugged into the wrong port.

Are the hex and the hap next to each other on a bench, or at opposite ends of the house?

What we know from this post is unfortunately not much, because I assumed that /interface ethernet print detail was similar to the output of ethtool, but it is not. There is no link status info or current speed info, just what the defaults are. The correct command would have been

/interface ethernet monitor ether5 once

and

/interface ethernet print stats-detail from=ether5

This is the problem with previous knowledge about other vendors equipment, it leads to invalid assumptions about the way that things will work on the new equipment, and confirmation bias makes you see the things that match, and ignore the things that don't.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Tue Mar 29, 2022 9:44 am

I'm sure because I'm supplying power to the hAP ac lite (ether1 poe in) from HexS poe out port (ether5) and they are on top of each other connected with a 50cm (or about 1.64 feet) cat6 eth cable.

I will buy new cable just to be sure... and test cable so i'm sure it's not hardware problem (i once had one wire broken inside cable... poe was working but data not...)
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Tue Mar 29, 2022 10:31 am

I'm sure because I'm supplying power to the hAP ac lite (ether1 poe in) from HexS poe out port (ether5) and they are on top of each other connected with a 50cm (or about 1.64 feet) cat6 eth cable.

I will buy new cable just to be sure... and test cable so i'm sure it's not hardware problem (i once had one wire broken inside cable... poe was working but data not...)
What do the previous commands display when issued from the hex, and from the hap (except using ether1 instead of ether5)? It seems unlikely (but possible) that the cable is bad, but the output from

On hex
/interface ethernet monitor ether5 once
/interface ethernet print stats-detail from=ether5

On hap
/interface ethernet monitor ether1 once
/interface ethernet print stats-detail from=ether1

should tell us for sure.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Tue Mar 29, 2022 7:04 pm

So here are the results from the hex:
[admin@MikroTik] > /interface ethernet monitor ether5 once
                      name: ether5
                    status: link-ok
          auto-negotiation: done
                      rate: 100Mbps
               full-duplex: yes
           tx-flow-control: no
           rx-flow-control: no
               advertising: 10M-half,10M-full,100M-half,100M-full,1000M-half,
                            1000M-full
  link-partner-advertising: 10M-half,10M-full,100M-half,100M-full

[admin@MikroTik] > /interface ethernet print stats-detail from=ether5
Flags: X - disabled, R - running; S - slave 
 0 RS name="ether5" driver-rx-byte=46 228 driver-rx-packet=182 
      driver-tx-byte=3 372 846 driver-tx-packet=47 440 rx-bytes=5 434 448 
      rx-packet=34 rx-too-short=0 rx-64=84 174 rx-65-127=84 rx-128-255=55 
      rx-256-511=4 rx-512-1023=0 rx-1024-1518=24 rx-too-long=0 rx-broadcast=11 
      rx-pause=0 rx-multicast=84 296 rx-fcs-error=0 rx-align-error=0 
      rx-fragment=0 rx-jabber=0 rx-drop=0 tx-bytes=4 465 300 tx-packet=67 
      tx-64=42 811 tx-65-127=2 325 tx-128-255=6 409 tx-256-511=37 
      tx-512-1023=323 tx-1024-1518=124 tx-broadcast=3 412 tx-pause=0 
      tx-multicast=48 550 tx-collision=0 tx-excessive-collision=0 
      tx-multiple-collision=0 tx-single-collision=0 tx-deferred=2 
      tx-late-collision=0 tx-drop=0 tx-fcs-error=0
  
And from hap ac lite:
[admin@MikroTik] > /interface ethernet monitor ether1 once
                      name: ether1
                    status: link-ok
          auto-negotiation: done
                      rate: 100Mbps
               full-duplex: yes
           tx-flow-control: no
           rx-flow-control: no
               advertising: 10M-half,10M-full,100M-half,100M-full
  link-partner-advertising: 10M-half,10M-full,100M-half,100M-full

[admin@MikroTik] > /interface ethernet print stats-detail from=ether1
Flags: X - disabled, R - running; S - slave 
 0 RS name="ether1" driver-rx-byte=50 055 driver-rx-packet=536 
      driver-tx-byte=33 968 driver-tx-packet=555 rx-bytes=52 199 rx-too-short=0 
      rx-64=293 rx-65-127=167 rx-128-255=66 rx-256-511=2 rx-512-1023=8 
      rx-1024-1518=0 rx-1519-max=0 rx-too-long=0 rx-broadcast=126 rx-pause=0 
      rx-multicast=392 rx-fcs-error=0 rx-align-error=0 rx-fragment=0 
      rx-overflow=0 tx-bytes=36 188 tx-64=547 tx-65-127=2 tx-128-255=6 
      tx-256-511=0 tx-512-1023=0 tx-1024-1518=0 tx-1519-max=0 tx-too-long=0 
      tx-broadcast=1 tx-pause=0 tx-multicast=554 tx-underrun=0 tx-collision=0 
      tx-excessive-collision=0 tx-multiple-collision=0 tx-single-collision=0 
      tx-excessive-deferred=0 tx-deferred=0 tx-late-collision=0  
That's with old cable
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Wed Mar 30, 2022 1:05 am

I see no indication of problems with the cable. The hap ac lite is limited to 100Mbps, so the link speed is being negotiated correctly and there appears to be traffic, although not a lot.

If you manually set the ip address of a PC to 172.16.10.250/24 with gateway of 172.16.10.1 and plug it into the hap ac lite ether3 port, can the PC (172.16.10.250) ping either 172.16.10.1 or 172.16.10.253 ?

While the PC is still plugged into the hap ac lite ether3 port, can you ping the PC (172.16.10.250) from either the hex or a device plugged into the hex vlan 10 access port?

If you issue

/interface ethernet print stats

And then do the pings, then press "D" for dump new stats, do you notice any changes?

Also to see the traffic from the switch ASIC to the CPU use the following command:

/interface ethernet switch print stats

More info in this post.

I am pretty sure when we discover what the issue is, we will feel stupid, because it is probably something simple that is preventing it from working.

For reference on my hex
[demo@MikroTik] > /interface ethernet print stats
                      name:  eth4-BR-SW_U10_T241  ether1-WAN ether2-BR-SW-Base-U1 ether3-BR-SW-U241 ether5-off_bridge_wrk sfp1
            driver-rx-byte:                    0 109 881 491            1 625 786           376 915                     0    0
          driver-rx-packet:                    0     986 952               14 602             4 490                     0    0
            driver-tx-byte:                    0     315 839            9 381 017        12 888 470                     0    0
          driver-tx-packet:                    0       3 534              130 783           155 598                     0    0
                  rx-bytes:                    0 113 829 299            1 684 540           394 811                     0    0
                 rx-packet:                    0       2 673               14 599             4 346                     0    0
              rx-too-short:                    0           0                    0                 0                     0    0
                     rx-64:                    0     421 522                1 932               443                     0
                 rx-65-127:                    0     184 699               10 406             4 020                     0
                rx-128-255:                    0     368 311                  194                11                     0
                rx-256-511:                    0      11 981                2 031                13                     0
               rx-512-1023:                    0         350                    0                 0                     0
              rx-1024-1518:                    0          89                   40                 3                     0
               rx-too-long:                    0           0                    0                 0                     0    0
              rx-broadcast:                    0     357 798                    4                15                     0
                  rx-pause:                    0           0                    0                 0                     0    0
              rx-multicast:                    0     626 481                    0               129                     0
              rx-fcs-error:                    0           0                    0                 0                     0    0
            rx-align-error:                    0           0                    0                 0                     0
               rx-fragment:                    0           0                    0                 0                     0
               rx-overflow:                                                                                                  0
                 rx-jabber:                    0           0                    0                 0                     0
                   rx-drop:                    0           0                    0                 0                     0
                  tx-bytes:                    0     329 975            9 897 657        13 398 530                     0    0
                 tx-packet:                    0       3 522                3 555            12 934                     0    0
                     tx-64:                    0       1 315              117 586           116 058                     0
                 tx-65-127:                    0       2 164                  429            10 062                     0
                tx-128-255:                    0           4               11 840            28 072                     0
                tx-256-511:                    0          11                  928             1 304                     0
               tx-512-1023:                    0           0                    0                91                     0
              tx-1024-1518:                    0          40                    0                 9                     0
              tx-broadcast:                    0           5                3 858             7 718                     0
                  tx-pause:                    0           0                    0                 0                     0
              tx-multicast:                    0           7              123 370           134 944                     0
              tx-collision:                    0           0                    0                 0                     0
    tx-excessive-collision:                    0           0                    0                 0                     0
     tx-multiple-collision:                    0           0                    0                 0                     0
       tx-single-collision:                    0           0                    0                 0                     0
               tx-deferred:                    0           0                    0                 0                     0
         tx-late-collision:                    0           0                    0                 0                     0
        tx-total-collision:                                                                                                  0
                   tx-drop:                    0           0                    0                 0                     0
              tx-fcs-error:                    0           0                    0                 0                     0
[demo@MikroTik] > /interface ethernet monitor ether1-WAN once
                      name: ether1-WAN
                    status: link-ok
          auto-negotiation: done
                      rate: 1Gbps
               full-duplex: yes
           tx-flow-control: no
           rx-flow-control: no
               advertising: 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
  link-partner-advertising: 10M-half,10M-full,100M-half,100M-full,1000M-full
[demo@MikroTik] > /interface ethernet monitor ether2-BR-SW-Base-U1  once
                      name: ether2-BR-SW-Base-U1
                    status: link-ok
          auto-negotiation: done
                      rate: 1Gbps
               full-duplex: yes
           tx-flow-control: no
           rx-flow-control: no
               advertising: 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
  link-partner-advertising: 10M-half,10M-full,100M-half,100M-full,1000M-full
[demo@MikroTik] > /interface ethernet monitor ether3-BR-SW-U241  once
                      name: ether3-BR-SW-U241
                    status: link-ok
          auto-negotiation: done
                      rate: 1Gbps
               full-duplex: yes
           tx-flow-control: no
           rx-flow-control: no
               advertising: 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
  link-partner-advertising: 10M-half,10M-full,100M-half,100M-full,1000M-full
[demo@MikroTik] > /interface ethernet monitor eth4-BR-SW_U10_T241   once
                      name: eth4-BR-SW_U10_T241
                    status: no-link
          auto-negotiation: done
               advertising: 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
  link-partner-advertising:
[demo@MikroTik] > /interface ethernet monitor ether5-off_bridge_wrk  once
                      name: ether5-off_bridge_wrk
                    status: no-link
          auto-negotiation: done
               advertising: 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
  link-partner-advertising:
[demo@MikroTik] >
Last edited by Buckeye on Wed Mar 30, 2022 7:13 am, edited 2 times in total.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Wed Mar 30, 2022 6:32 am

I will try that when I return from work.

My RB4011 is arriving today so i will have another router to use in test if needed.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Wed Mar 30, 2022 5:02 pm

So when I tried to ping, I get 2 "request timed out" and 2 "destination host unreachable". If I input these commands I can see some traffic, but that is, I don't know, like a few bytes only...

Update, I have a few new toys if needed for testing
WhatsApp Image 2022-03-30 at 16.00.37.jpeg
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Wed Mar 30, 2022 9:28 pm

So I did one experiment, I wanted to see if this new switch would work with the ether5 trunk port, and it's working, all VLANs are working.

Laptop gets IP address by DHCP and I have internet access.
Switch VLAN settings 1.jpg
Switch VLAN settings 2.jpg
Switch VLAN settings 3.jpg
Switch VLAN settings 4.jpg
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Wed Mar 30, 2022 10:51 pm

So it seems the issue is on the hap ac lite end?

What I don't understand is why you can't ping 172.16.10.253 from a pc with ip address 172.16.10.250/24 connected to hap ac lite ether3 given the following:

Only relevant parts listed:

# model = RB952Ui-5ac2nD
/interface bridge
add ingress-filtering=no name=bridgeAP vlan-filtering=yes
/interface vlan
add interface=bridgeAP name=Home_network vlan-id=10
/interface list
add name=Home
/interface bridge port
add bridge=bridgeAP frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridgeAP tagged=ether1,bridgeAP untagged=KucniWifi,ether3 vlan-ids=10
/interface list member
add interface=Home_network list=Home
/ip address
add address=172.16.10.253/24 interface=Home_network network=172.16.10.0
/tool mac-server mac-winbox
set allowed-interface-list=Home
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Wed Mar 30, 2022 10:58 pm

I think that the problem could be on the hAP side... Is there any chance that there is some kind of firmware problem?

I mean, it's working with this switch. Then again, this is SwitchOS, not RouterOS.

I'm running 7.2rc5, I will try to repeat the test again.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Wed Mar 30, 2022 11:44 pm

I think that the problem could be on the hAP side... Is there any chance that there is some kind of firmware problem?

I mean, it's working with this switch. Then again, this is SwitchOS, not RouterOS.

I'm running 7.2rc5, I will try to repeat the test again.
When you say it is working with the switch, I assume you mean the RB760iGS trunk port ether5.

Or did you mean that the hap ac lite is working with the switch too? That would be odd.

As far as firmware on the hap ac lite, I can't say, since I don't have one. I suppose you could downgrade to 6.latest on the hap ac lite, just to see if it makes any difference. I don't know if vlans would be hardware assisted or not.

I just updated my RB760iGS to 7.2rc6 although there weren't any changes that affected the bridge/vlans/switch for the RB760iGS or hap in the release notes.

I suppose you could try a simple trunk/bridge setup on the RB4011 to see if that behaves differently.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Thu Mar 31, 2022 5:35 am

Yes, I wanted to see if the hEX S trunk port is working like it should, and it's working.

I will try with the RB4011 today. And maybe reset the hAP ac and configure it again? Maybe there is some small error in the config that we missed.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Thu Mar 31, 2022 8:21 pm

The only difference between the switch and the hAP ac lite that I can think of is that I needed to set the IP on the hAP ac lite manually, and on the hEX S.

On the switch I only had to assign VLANs, tag the trunk port, and untag the access ports.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Thu Mar 31, 2022 11:12 pm

The only difference between the switch and the hAP ac lite that I can think of is that I needed to set the IP on the hAP ac lite manually, and on the hEX S.

On the switch I only had to assign VLANs, tag the trunk port, and untag the access ports.
I am not going to be much help with the hap ac lite, as I don't have one; in fact the only MikroTik router I have ever touched is the hEX S that I have had for less than 2 months.

But what I find odd is that even without the trunk port involved on the hap ac lite, you can't ping the Home_network vlan interface from a pc connected to ether3 with static ip set.

What is the output of
/ip address print detail
/interface print detail
/interface bridge print detail
/interface bridge port print detail
/interface bridge vlan print detail

Have you tried running /tool sniffer packet print ?
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Fri Apr 01, 2022 9:00 am

I will do that today, I didn't have much free time yesterday, but today I will try this, and maybe I'll manage to configure the RB4011 for VLANs.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Fri Apr 01, 2022 3:40 pm

So here is the output from the hAP ac lite (using the commands from the post above)
[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=172.16.50.1/24 network=172.16.50.0 interface=ether2 
     actual-interface=ether2 

 1   address=172.16.10.253/24 network=172.16.10.0 interface=Home_network 
     actual-interface=Home_network 
     
[admin@MikroTik] > /interface print detail
Flags: D - dynamic; X - disabled, R - running; S - slave 
 0  RS name="ether1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1598 max-l2mtu=2028 mac-address=48:8F:5A:63:DC:0A ifname="eth0" 
       ifindex=10 id=1 last-link-up-time=jan/03/1970 16:33:04 link-downs=0 

 1     name="ether2" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1598 max-l2mtu=2028 mac-address=48:8F:5A:63:DC:0B ifname="eth1" 
       ifindex=11 id=2 link-downs=0 

 2  RS name="ether3" default-name="ether3" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1598 max-l2mtu=2028 mac-address=48:8F:5A:63:DC:0C ifname="eth2" 
       ifindex=12 id=3 last-link-up-time=jan/03/1970 16:38:31 link-downs=0 

 3   S name="ether4" default-name="ether4" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1598 max-l2mtu=2028 mac-address=48:8F:5A:63:DC:0D ifname="eth3" 
       ifindex=13 id=4 link-downs=0 

 4   S name="ether5" default-name="ether5" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1598 max-l2mtu=2028 mac-address=48:8F:5A:63:DC:0E ifname="eth4" 
       ifindex=14 id=5 link-downs=0 

 5   S name="CCTV_mreza_20" type="wlan" mtu=1500 actual-mtu=1500 l2mtu=1600 
       max-l2mtu=2290 mac-address=4A:8F:5A:63:DC:11 ifname="ath0-0" ifindex=15 
 8  R  name="Home_network" type="vlan" mtu=1500 actual-mtu=1500 l2mtu=1594 
       mac-address=48:8F:5A:63:DC:0A ifname="vlan9" ifindex=18 id=9 
       last-link-down-time=jan/03/1970 16:41:40 last-link-up-time=jan/03/1970 16:41:40 
       link-downs=2 

 9  R  name="bridgeAP" type="bridge" mtu=auto actual-mtu=1500 l2mtu=1598 
       mac-address=48:8F:5A:63:DC:0A ifname="br0" ifindex=6 id=8 
       last-link-up-time=jan/03/1970 16:33:00 link-downs=0
       
[admin@MikroTik] > /interface bridge print detail
Flags: X - disabled, R - running 
 0 R name="bridgeAP" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto 
     mac-address=48:8F:5A:63:DC:0A protocol-mode=rstp fast-forward=yes igmp-snooping=no 
     auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s 
     transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1 
     frame-types=admit-all ingress-filtering=no dhcp-snooping=no 
     
[admin@MikroTik] > /interface bridge port print detail
Flags: X - disabled, I - inactive; D - dynamic; H - hw-offload 
 0     interface=ether1 bridge=bridgeAP priority=0x80 path-cost=10 internal-path-cost=10 
       edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no 
       restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-only-vlan-tagged 
       ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes 
       broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no 
       multicast-router=temporary-query fast-leave=no 

 1     interface=ether3 bridge=bridgeAP priority=0x80 path-cost=10 internal-path-cost=10 
       edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no 
       restricted-role=no restricted-tcn=no pvid=10 
       frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes 
       unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes 
       tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query 
       fast-leave=no 

 2 I   interface=ether4 bridge=bridgeAP priority=0x80 path-cost=10 internal-path-cost=10 
       edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no 
       restricted-role=no restricted-tcn=no pvid=15 
       frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes 
       unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes 
       tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query 
       fast-leave=no 

 3 I   interface=ether5 bridge=bridgeAP priority=0x80 path-cost=10 internal-path-cost=10 
       edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no 
       restricted-role=no restricted-tcn=no pvid=20 
       frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes 
       unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes 
       tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query 
       fast-leave=no 

 4 I   interface=KucniWifi bridge=bridgeAP priority=0x80 path-cost=10 
       internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none 
       restricted-role=no restricted-tcn=no pvid=15 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes unknown-unicast-flood=yes 
       unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no 

 6 I   interface=CCTV_mreza_20 bridge=bridgeAP priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none auto-isolate=no 
       restricted-role=no restricted-tcn=no pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes unknown-unicast-flood=yes 
       unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no
       
[admin@MikroTik] > /interface bridge vlan print detail
Flags: X - disabled, D - dynamic 
 0   bridge=bridgeAP vlan-ids=10 tagged=ether1,bridgeAP untagged=KucniWifi,ether3 current-tagged=bridgeAP,ether1 current-untagged=ether3 

 1   bridge=bridgeAP vlan-ids=15 tagged=ether1 untagged=GostiWiFi,ether4 current-tagged=ether1 current-untagged="" 

 2   bridge=bridgeAP vlan-ids=20 tagged=ether1 untagged=ether5,CCTV_mreza_20 current-tagged=ether1 current-untagged="" 

 3 D bridge=bridgeAP vlan-ids=1 tagged="" untagged="" current-tagged="" current-untagged=bridgeAP  
And the output from the hEX:
[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=172.16.0.1/24 network=172.16.0.0 interface=ether2 
     actual-interface=ether2 

 1   address=172.16.10.1/24 network=172.16.10.0 interface=Home_network 
     actual-interface=Home_network 

 2   address=172.16.15.1/24 network=172.16.15.0 interface=Guest_network 
     actual-interface=Guest_network 

 3   address=172.16.20.1/24 network=172.16.20.0 interface=CCTV_network 
     actual-interface=CCTV_network 

 4 D address=192.168.1.107/24 network=192.168.1.0 interface=ether1 
     actual-interface=ether1 

[admin@MikroTik] > /interface print detail
Flags: D - dynamic; X - disabled, R - running; S - slave 
 0  R  name="ether1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:0D:34:52 ifname="eth0" 
       ifindex=7 id=1 last-link-up-time=apr/01/2022 14:09:37 link-downs=0 

 1     name="ether2" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:0D:34:53 ifname="eth1" 
       ifindex=8 id=2 link-downs=0 

 2  RS name="ether3" default-name="ether3" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:0D:34:54 ifname="eth2" 
       ifindex=9 id=3 last-link-down-time=apr/01/2022 14:20:10 
       last-link-up-time=apr/01/2022 14:20:12 link-downs=2 

 3   S name="ether4" default-name="ether4" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:0D:34:55 ifname="eth3" 
       ifindex=10 id=4 link-downs=0 

 4  RS name="ether5" default-name="ether5" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:0D:34:56 ifname="eth4" 
       ifindex=11 id=5 last-link-down-time=apr/01/2022 14:09:57 
       last-link-up-time=apr/01/2022 14:09:59 link-downs=1 

[admin@MikroTik] > /interface bridge print detail
Flags: X - disabled, R - running 
 0 R name="bridgeAP" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto mac-address=48:8F:5A:63:DC:0A protocol-mode=rstp fast-forward=yes igmp-snooping=no 
     auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1 
     frame-types=admit-all ingress-filtering=no dhcp-snooping=no 
     
[admin@MikroTik] > /interface bridge port print detail
Flags: X - disabled, I - inactive; D - dynamic; H - hw-offload 
 0   H ;;; defconf
       interface=ether3 bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no 
       restricted-role=no restricted-tcn=no pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes unknown-unicast-flood=yes 
       unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no 

 1 I H ;;; defconf
       interface=ether4 bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no 
       restricted-role=no restricted-tcn=no pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes unknown-unicast-flood=yes 
       unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no 

 2   H ;;; defconf
       interface=ether5 bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no 
       restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-only-vlan-tagged ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes 
       broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no 

 3 I   ;;; defconf
       interface=sfp1 bridge=bridge priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no 
       restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes 
       tag-stacking=no bpdu-guard=no trusted=no multicast-router=temporary-query fast-leave=no  
       
[admin@MikroTik] > /interface bridge vlan print detail
Flags: X - disabled, D - dynamic 
 0   bridge=bridge vlan-ids=10 tagged=bridge,ether5 untagged=ether3 current-tagged=bridge,ether5 current-untagged=ether3 

 1   bridge=bridge vlan-ids=15 tagged=bridge,ether5 untagged="" current-tagged=bridge,ether5 current-untagged="" 

 2   bridge=bridge vlan-ids=20 tagged=bridge,ether5 untagged=ether4 current-tagged=bridge,ether5 current-untagged="" 

 3 D bridge=bridge vlan-ids=1 tagged="" untagged="" current-tagged="" current-untagged=bridge 
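The two bridge tables posted for the hAP ac lite can be cross-checked mechanically. The script below is an added example, not code from the thread or from MikroTik: it parses the "print detail" text of the bridge-port and bridge-VLAN output above (embedded, with unrelated fields trimmed) and flags the combinations that make a VLAN-filtering bridge drop frames silently: an access port whose pvid is not an untagged member of that VLAN, a VLAN member that is not a bridge port, and members that are configured but not currently active. On the posted data it reports KucniWifi (pvid 15, but untagged only in VLAN 10) and GostiWiFi (listed in VLAN 15 but not a bridge port); neither finding involves ether3, the port the ping test is run on.

```python
"""Cross-check a RouterOS VLAN-filtering bridge: ports versus VLAN table.

Added example, not code from the thread or from MikroTik. It parses the text
of `/interface bridge port print detail` and `/interface bridge vlan print
detail` (the hAP ac lite output posted above, trimmed to the fields used) and
reports what makes such a bridge drop frames silently: an access port whose
pvid VLAN does not list it as untagged, a VLAN member that is not a bridge
port at all, and members configured but not currently active.
"""
import re

BRIDGE_PORTS = """\
Flags: X - disabled, I - inactive; D - dynamic; H - hw-offload
 0     interface=ether1 bridge=bridgeAP priority=0x80 path-cost=10 hw=yes
       pvid=1 frame-types=admit-only-vlan-tagged ingress-filtering=yes

 1     interface=ether3 bridge=bridgeAP priority=0x80 path-cost=10 hw=yes
       pvid=10 frame-types=admit-only-untagged-and-priority-tagged

 2 I   interface=ether4 bridge=bridgeAP pvid=15
       frame-types=admit-only-untagged-and-priority-tagged

 3 I   interface=ether5 bridge=bridgeAP pvid=20
       frame-types=admit-only-untagged-and-priority-tagged

 4 I   interface=KucniWifi bridge=bridgeAP pvid=15
       frame-types=admit-only-untagged-and-priority-tagged

 6 I   interface=CCTV_mreza_20 bridge=bridgeAP pvid=20
       frame-types=admit-only-untagged-and-priority-tagged
"""

BRIDGE_VLANS = """\
Flags: X - disabled, D - dynamic
 0   bridge=bridgeAP vlan-ids=10 tagged=ether1,bridgeAP untagged=KucniWifi,ether3 current-tagged=bridgeAP,ether1 current-untagged=ether3

 1   bridge=bridgeAP vlan-ids=15 tagged=ether1 untagged=GostiWiFi,ether4 current-tagged=ether1 current-untagged=""

 2   bridge=bridgeAP vlan-ids=20 tagged=ether1 untagged=ether5,CCTV_mreza_20 current-tagged=ether1 current-untagged=""

 3 D bridge=bridgeAP vlan-ids=1 tagged="" untagged="" current-tagged="" current-untagged=bridgeAP
"""

# A record starts with its index and optional one-letter flags; indented lines
# continue the previous record. Values are key=value, quoted when empty.
_RECORD = re.compile(r"^\s*(\d+)((?:\s[A-Z])*)\s+(.*)$")
_KV = re.compile(r'([\w-]+)=("[^"]*"|\S*)')

def parse_print_detail(text):
    """Return one dict per record, plus a '_flags' list such as ['I']."""
    records = []
    for line in text.splitlines():
        m = _RECORD.match(line)
        if m:
            records.append({"_flags": m.group(2).split(), "_body": m.group(3)})
        elif records and line.strip():
            records[-1]["_body"] += " " + line.strip()
    for rec in records:
        for key, val in _KV.findall(rec.pop("_body")):
            rec[key] = val.strip('"')
    return records

def _members(rec, key):
    return [x for x in rec.get(key, "").split(",") if x]

def check(ports_text, vlans_text):
    """Return (severity, message) findings; 'error' means frames get dropped."""
    ports = {r["interface"]: r for r in parse_print_detail(ports_text) if "interface" in r}
    vlans = [r for r in parse_print_detail(vlans_text) if "vlan-ids" in r]
    bridges = {r["bridge"] for r in ports.values()}  # the bridge itself is a valid member
    untagged_in = {}  # port -> VLAN ids it is an untagged member of
    findings = []
    for v in vlans:
        for name in _members(v, "tagged") + _members(v, "untagged"):
            if name not in ports and name not in bridges:
                findings.append(("error", f"VLAN {v['vlan-ids']}: member {name} is not a port of the bridge"))
        for name in _members(v, "untagged"):
            untagged_in.setdefault(name, set()).update(v["vlan-ids"].split(","))
        for kind in ("tagged", "untagged"):
            for name in sorted(set(_members(v, kind)) - set(_members(v, "current-" + kind))):
                findings.append(("info", f"VLAN {v['vlan-ids']}: {name} is configured {kind} but not active"))
    for name, p in ports.items():
        if p.get("frame-types") == "admit-only-vlan-tagged":
            continue  # pure trunk: untagged frames are refused, so pvid never applies
        pvid = p.get("pvid", "1")
        if pvid not in untagged_in.get(name, set()):
            have = sorted(untagged_in.get(name, set())) or "none"
            findings.append(("error", f"{name}: pvid={pvid} but not an untagged member of VLAN {pvid} (untagged in: {have})"))
    return findings

if __name__ == "__main__":
    for severity, message in check(BRIDGE_PORTS, BRIDGE_VLANS):
        print(f"{severity:5}  {message}")
```

The "info" findings only say that a port has no link (current-untagged is empty), which is expected for the unplugged ports and the disabled wireless interfaces; the "error" findings are the ones that would bite once those interfaces come up, because frames arriving on KucniWifi would be put into VLAN 15, where that port is not a member, and be dropped.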
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Sat Apr 02, 2022 6:12 am

And the output from the hEX:
[admin@MikroTik] > /interface print detail
Flags: D - dynamic; X - disabled, R - running; S - slave 
 0  R  name="ether1" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:0D:34:52 ifname="eth0" 
       ifindex=7 id=1 last-link-up-time=apr/01/2022 14:09:37 link-downs=0 

 1     name="ether2" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:0D:34:53 ifname="eth1" 
       ifindex=8 id=2 link-downs=0 

 2  RS name="ether3" default-name="ether3" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:0D:34:54 ifname="eth2" 
       ifindex=9 id=3 last-link-down-time=apr/01/2022 14:20:10 
       last-link-up-time=apr/01/2022 14:20:12 link-downs=2 

 3   S name="ether4" default-name="ether4" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:0D:34:55 ifname="eth3" 
       ifindex=10 id=4 link-downs=0 

 4  RS name="ether5" default-name="ether5" type="ether" mtu=1500 actual-mtu=1500 
       l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:0D:34:56 ifname="eth4" 
       ifindex=11 id=5 last-link-down-time=apr/01/2022 14:09:57 
       last-link-up-time=apr/01/2022 14:09:59 link-downs=1
       
I don't understand why your hex isn't showing the bridge and vlans under /interfaces. There is also some inconsistency in the bridge naming, some places the name is "bridge" others it is "bridgeAP".

Did you rename the bridge on the RB760iGS? Or paste something from the wrong device (the hAP ac lite) into the hEX S section?

For comparison here is my RB760iGS
[demo@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; defconf
     address=192.168.88.1/24 network=192.168.88.0 interface=BR-SW actual-interface=BR-SW

 1   address=192.168.89.1/24 network=192.168.89.0 interface=ether5-off_bridge_wrk actual-interface=ether5-off_bridge_wrk

 2 D address=192.168.101.87/24 network=192.168.101.0 interface=ether1-WAN actual-interface=ether1-WAN

 3 D address=192.168.241.94/24 network=192.168.241.0 interface=vlan241 actual-interface=vlan241
[demo@MikroTik] > /interface print detail
Flags: D - dynamic; X - disabled, R - running; S - slave
 0   S name="eth4-BR-SW_U10_T241" default-name="ether4" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 max-l2mtu=2026
       mac-address=DC:2C:6E:7B:10:F4 ifname="eth3" ifindex=10 id=4 link-downs=0

 1  R  name="ether1-WAN" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:7B:10:F1
       ifname="eth0" ifindex=7 id=1 last-link-up-time=mar/31/2022 04:59:49 link-downs=0

 2  RS name="ether2-BR-SW-Base-U1" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 max-l2mtu=2026
       mac-address=DC:2C:6E:7B:10:F2 ifname="eth1" ifindex=8 id=2 last-link-up-time=mar/31/2022 04:59:52 link-downs=0

 3  RS name="ether3-BR-SW-U241" default-name="ether3" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 max-l2mtu=2026
       mac-address=DC:2C:6E:7B:10:F3 ifname="eth2" ifindex=9 id=3 last-link-up-time=mar/31/2022 04:59:49 link-downs=0

 4     name="ether5-off_bridge_wrk" default-name="ether5" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 max-l2mtu=2026
       mac-address=DC:2C:6E:7B:10:F5 ifname="eth4" ifindex=11 id=5 last-link-down-time=mar/31/2022 18:44:26
       last-link-up-time=mar/31/2022 04:59:51 link-downs=1

 5   S name="sfp1" default-name="sfp1" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1596 max-l2mtu=2026 mac-address=DC:2C:6E:7B:10:F6
       ifname="eth5" ifindex=12 id=6 link-downs=0

 6  R  ;;; defconf
       name="BR-SW" type="bridge" mtu=auto actual-mtu=1500 l2mtu=1596 mac-address=DC:2C:6E:7B:10:F2 ifname="br0" ifindex=13 id=7
       last-link-up-time=mar/31/2022 04:59:37 link-downs=0

 7  R  name="vlan10" type="vlan" mtu=1500 actual-mtu=1500 l2mtu=1592 mac-address=DC:2C:6E:7B:10:F2 ifname="vlan9" ifindex=15 id=9
       last-link-up-time=mar/31/2022 04:59:37 link-downs=0

 8  R  name="vlan241" type="vlan" mtu=1500 actual-mtu=1500 l2mtu=1592 mac-address=DC:2C:6E:7B:10:F2 ifname="vlan8" ifindex=14 id=8
       last-link-up-time=mar/31/2022 04:59:37 link-downs=0
[demo@MikroTik] > /interface bridge print detail
Flags: X - disabled, R - running
 0 R ;;; defconf
     name="BR-SW" mtu=auto actual-mtu=1500 l2mtu=1596 arp=enabled arp-timeout=auto mac-address=DC:2C:6E:7B:10:F2 protocol-mode=rstp
     fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=DC:2C:6E:7B:10:F2 ageing-time=5m priority=0x8000 max-message-age=20s
     forward-delay=15s transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-all ingress-filtering=yes
     dhcp-snooping=no
[demo@MikroTik] > /interface bridge port print detail
Flags: X - disabled, I - inactive; D - dynamic; H - hw-offload
 0   H ;;; defconf
       interface=ether2-BR-SW-Base-U1 bridge=BR-SW priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto
       horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes
       unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no
       multicast-router=temporary-query fast-leave=no

 1   H ;;; defconf
       interface=ether3-BR-SW-U241 bridge=BR-SW priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto
       horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=241 frame-types=admit-only-untagged-and-priority-tagged
       ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no
       trusted=no multicast-router=temporary-query fast-leave=no

 2 I H ;;; defconf
       interface=eth4-BR-SW_U10_T241 bridge=BR-SW priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto
       horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=10 frame-types=admit-all ingress-filtering=yes
       unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no
       multicast-router=temporary-query fast-leave=no

 3 I   ;;; defconf
       interface=sfp1 bridge=BR-SW priority=0x80 path-cost=10 internal-path-cost=10 edge=auto point-to-point=auto learn=auto horizon=none
       hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes
       unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no
       multicast-router=temporary-query fast-leave=no
[demo@MikroTik] > /interface bridge vlan print detail
Flags: X - disabled, D - dynamic
 0   bridge=BR-SW vlan-ids=241 tagged=BR-SW,eth4-BR-SW_U10_T241 untagged=ether3-BR-SW-U241 current-tagged=BR-SW
     current-untagged=ether3-BR-SW-U241

 1   bridge=BR-SW vlan-ids=10 tagged=BR-SW untagged=eth4-BR-SW_U10_T241 current-tagged=BR-SW current-untagged=""

 2 D bridge=BR-SW vlan-ids=1 tagged="" untagged="" current-tagged="" current-untagged=BR-SW,ether2-BR-SW-Base-U1
[demo@MikroTik] >
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Sat Apr 02, 2022 8:28 am

So here is the hEX config, it's on the default configuration with changes for VLANs.
# apr/02/2022 07:26:12 by RouterOS 7.2rc5
# software id = 2NZF-BKUH
#
# model = RB760iGS
# serial number = D4500FA09027
/interface bridge
add admin-mac=DC:2C:6E:0D:34:53 auto-mac=no comment=defconf \
    ingress-filtering=no name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=CCTV_network vlan-id=20
add interface=bridge name=Guest_network vlan-id=15
add interface=bridge name=Home_network vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=172.16.10.2-172.16.10.254
add name=dhcp_pool2 ranges=172.16.15.2-172.16.15.254
add name=dhcp_pool3 ranges=172.16.20.2-172.16.20.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=Home_network name=dhcp1
add address-pool=dhcp_pool2 interface=Guest_network name=dhcp2
add address-pool=dhcp_pool3 interface=CCTV_network name=dhcp3
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 vlan-ids=15
add bridge=bridge tagged=bridge,ether5 untagged=ether4 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Home_network list=Home
add interface=ether2 list=Home
add interface=Home_network list=LAN
add interface=Guest_network list=LAN
add interface=CCTV_network list=LAN
/ip address
add address=172.16.0.1/24 interface=ether2 network=172.16.0.0
add address=172.16.10.1/24 interface=Home_network network=172.16.10.0
add address=172.16.15.1/24 interface=Guest_network network=172.16.15.0
add address=172.16.20.1/24 interface=CCTV_network network=172.16.20.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=172.16.10.253 mac-address=48:8F:5A:63:DC:0A server=dhcp1
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.15.0/24 gateway=172.16.15.1
add address=172.16.20.0/24 gateway=172.16.20.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=172.16.10.254 list=authorized
add address=172.16.0.2 list=authorized
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Winbox access" dst-port=8291 \
    in-interface-list=Home protocol=tcp src-address-list=authorized
add action=accept chain=input comment="Service (DNS)" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Service (DNS)" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Zagreb
/system package update
set channel=testing
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Home
 
Buckeye
Forum Veteran
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Sat Apr 02, 2022 8:48 am

From your previous post. I am trying to determine why the hEX S works but the hap ac lite does not.
Gigabyte questions 2022-04-22.png
 
Buckeye
Forum Veteran
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Sat Apr 02, 2022 9:41 am

Are hardware offloaded vlans supported on the hap ac lite?

The output of gigabyte091's /interface bridge port detail has no ports with H at all.

I wonder if the order in which devices are added to the bridge makes any difference. I think the connection to the radio in the hap ac lite has to be done with a software bridge device, but for the connection between switch ports, and the switch-cpu connection, I would hope that the vlan bridging would be "H" capable, but perhaps it is not on the hap ac lite.

I only have hEX S, and that does now support hardware assist with v7.2rc7 that I have loaded (and also with v7.2rc3, I think those were the first firmwares I used on my hEX S)
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Sat Apr 02, 2022 11:10 am

So here is the screenshot from the hex interface page and I don't see bridgeAP here nor anywhere else...
hex interface list.jpg
Maybe it's time to start over? I will update both devices to the latest firmware.
 
Buckeye
Forum Veteran
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Sat Apr 02, 2022 11:15 am

My guess is that you accidentally pasted something from the hap under the part that claimed to be from the hex. The mac addresses are exactly the same, but perhaps you replaced those.

As far as reloading, I would try the hap ac lite first, because that is the one that seems to have the issues.

It seems that the hex is working correctly (both locally and via the trunk through the switch).
Last edited by Buckeye on Mon Apr 04, 2022 1:02 am, edited 1 time in total.
 
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Virtual WLAN and VLAN's

Sat Apr 02, 2022 11:19 am

Are hardware offloaded vlans supported on the hap ac lite?

No, they are not. hAP ac lite is built around the QCA9531 SoC which integrates an AR8227-like switch chip. None of the ROS versions so far offload L2 to any of the AR switch chips. Sadly.

Which means that lack of "H" flag on vlan-filtered bridge is expected.

hEX S with its MT7261A is different, since some 7.1rc it has support for bridge offloading to hardware with vlan-filtering enabled.
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Sat Apr 02, 2022 1:16 pm

I didn't touch mac addresses at all. I will reset hap ac lite and try again, maybe first without wlan
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Sat Apr 02, 2022 4:57 pm

So I tried to configure the hap ac lite from the beginning, without wifi for now, but no luck... still not working...
# jan/02/1970 00:15:33 by RouterOS 7.2rc7
# software id = 
#
# model = RB952Ui-5ac2nD
# serial number = 
/interface bridge
add ingress-filtering=no name=bridge vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=bridge name=Home_network vlan-id=10
/interface list
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=15
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge untagged=ether3 vlan-ids=10
add bridge=bridge tagged=ether1,bridge untagged=ether4 vlan-ids=15
add bridge=bridge tagged=ether1,bridge untagged=ether5 vlan-ids=20
/interface list member
add interface=Home_network list=Home
add interface=ether2 list=Home
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.253/24 interface=Home_network network=172.16.10.0
/ip dns
set allow-remote-requests=yes servers=172.16.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.10.1
/tool mac-server mac-winbox
set allowed-interface-list=Home
 
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Virtual WLAN and VLAN's

Sat Apr 02, 2022 7:25 pm

yeah looks fine to me, small change
add bridge=bridge tagged=ether1,bridge untagged=ether4 vlan-ids=15
add bridge=bridge tagged=ether1,bridge untagged=ether5 vlan-ids=20

bridge not tagged for vlans 15,20
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Sat Apr 02, 2022 9:39 pm

So... I decided to take my new RB4011 out of the box and try the configuration with that router... And? You may ask... It f******* works... right now I'm connected to hap ac lite, VLAN20...

Here is the RB4011 config... a mix of default config and added vlan settings... I need to clean things up a little, I know, this was only a proof of concept hehe
# jan/02/1970 00:30:52 by RouterOS 6.47.10
# software id = 
#
# model = RB4011iGS+
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=CCTV_network vlan-id=20
add interface=bridge name=Guest_network vlan-id=15
add interface=bridge name=Home_network vlan-id=10
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_home ranges=172.16.10.2-172.16.10.254
add name=dhcp_guest ranges=172.16.15.2-172.16.15.254
add name=dhcp_cctv ranges=172.16.20.2-172.16.20.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_home disabled=no interface=Home_network name=\
    dhcp-srv-home
add address-pool=dhcp_guest disabled=no interface=Guest_network name=\
    dhcp-srv-guest
add address-pool=dhcp_cctv disabled=no interface=CCTV_network name=\
    dhcp-srv-cctv
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=15
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=20
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether10 untagged=ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether10 untagged=ether4 vlan-ids=15
add bridge=bridge tagged=bridge,ether10 untagged=ether5 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Home_network list=Home
add interface=Home_network list=LAN
add interface=Guest_network list=LAN
add interface=CCTV_network list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=172.16.10.1/24 interface=Home_network network=172.16.10.0
add address=172.16.15.1/24 interface=Guest_network network=172.16.15.0
add address=172.16.20.1/24 interface=CCTV_network network=172.16.20.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=172.16.10.253 mac-address=48:8F:5A:63:DC:0A server=dhcp-srv-home
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.15.0/24 gateway=172.16.15.1
add address=172.16.20.0/24 gateway=172.16.20.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
This is without wifi, I will add that tomorrow.
 
Buckeye
Forum Veteran
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Sun Apr 03, 2022 12:54 am

So i tried to config hap ac lite from the beginning, without wifi for now but no luck... still not working...
I don't see any issue, but maybe there is an issue with v7 on the hap ac lite. Who knows?

This youtube video Configure VLAN on built-in switch chip in MikroTik by Inquirinity shows him using a hap ac lite with v6.47.1 using the "old" non vlan-filtering method. I actually think this is a pretty good video, he explains what he is doing, shows troubleshooting steps, etc. If you follow it, it makes sense.

In the video, he configures the bridge to be vlan-transparent (carrying tags as is to the switch chip) then configures the switch chip separately to make it vlan-aware so access ports can be configured. That's probably the only way to get "wire speed" intra-vlan between ethernet ports on the hap ac lite (and without cpu intervention).

There is another video Configuring VLAN's on MikroTik RouterBoard using the Switch Chip by MAICT Consult that shows setting up a hap lite as a switch only (and not using the wifi, he doesn't include any connection to the hap lite cpu from the vlans, so I don't think it would work with wifi as it is set up). But it does show dhcp access through the vlan access ports to the upstream dhcp server on the "internet router", and shows it being verified to work. This is using v6.46.2 on the "switch" ac lite and v6.46.4 on the "router" ac lite. I am not sure exactly what he means by what he says at 10:06 in the video. I would have expected him to use the switch1 cpu port, but he just mentions that the wlan is not connected to the switch, but does not explain what should be done.

But if you are not going to be using the extra ethernet ports on the hap ac lite (i.e. if just using it as an AP), you probably don't need to enable vlan-filtering on the hap ac lite bridge, but I am not sure how the vlans from the cpu to the radios really work in the hap (or any MikroTik router, as I don't have a router with built in wifi). These have to be kept separate, but I don't know if the different SSIDs' BSSIDs are just being time division multiplexed to the radios (my guess is that only a single BSSID will be active at a single moment in time, just like a trunk link will be transmitting a frame for only a single vlan at a single point in time).

Even if vlan-filtering is off, it will still be able to receive tagged vlans as long as the vlan interfaces are configured. But unless you go into the switch, I don't think you will be able to block the "untagged" frames arriving on ether0 from making it to the device, so if you added an ip address to the bridge, it would probably be accessible over the trunk link, i.e. if you plugged a device into any switch port that was not disabled, you could probably access the device at least with winbox (unless it was blocked with firewall or allow list).

The point of this "novel" is that perhaps if you want the hap ac lite to work in the configuration you originally had, to have the best performance, you may need to use the "old fashioned" way of configuring vlans. And in that case, you may as well use a more stable version of RouterOS, e.g. v6.48.6
Last edited by Buckeye on Mon Apr 04, 2022 6:07 am, edited 2 times in total.
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Sun Apr 03, 2022 2:29 pm

It's working on RB4011, it worked right away, as soon as I plugged in the hap ac lite.

RB4011 is on ROS 6.47.10 so I'm thinking about updating to 6.48.6 long term and leaving it until ROS7 gets to long term.

I'm thinking about downgrading hex to 6.48.6 just to see if the problem goes away.

Next step is to add WLAN :)

So my plan is to add one or two more cap ac around the house and add 3 vlans, so my home network, guest network and CCTV are separated.
 
Buckeye
Forum Veteran
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Sun Apr 03, 2022 9:25 pm

It's working on RB4011, it worked right away, as soon as i plugged in the hap ac lite.
Somehow I missed the part about the hap ac lite working via the trunk to the RB4011. I read the comment as the RB4011 was working, and without reading the config, assumed that you had configured the RB4011 as the access point instead of the hap ac lite, but still connected to the hEX S. I realize that jumping to conclusions and making assumptions is a bad troubleshooting practice.

But now you have me even more confused. Just to make sure I understand correctly, here's a summary of this long thread:

You configured the hEX S with tagged only trunk port on ether5 with vlans 10, 15, and 20, each with a dhcp server. config in this post #68

You configured the hap ac lite with a tagged only trunk port on ether1 with vlans 10, 15, and 20 with no dhcp server. vlan 10 connected to the CPU on vlan 10, and in addition an access port for each of the three vlans. Config in post #85

A pc connected to the hap ac lite's access ports was not able to get a response from the dhcp server on the hEX S. And even when connected to the hap ac lite vlan 10 access port with the PC's ip configuration set statically to a 172.16.10.250 address, it was not able to connect to the L3 interface on the hap ac lite CPU 172.16.10.253 or the hEX S at 172.16.10.254

At this point, to partition the problem, you connected the new CSS326-24G-2S+ with a trunk link on port 25? (isn't that an SFP+ port? Do you have an SFP to RJ45 adapter you put in port 25?) and connected this to the hEX (I have to assume to ether5, since you didn't mention modifying the hEX config). And this connection worked, and you were able to connect to the internet through the hEX S through each of the vlan access ports (vlan 10 on port 1, vlan 15 on port 2, and vlan 20 on port 3). Config in post #94

This showed (if the above assumptions are correct) that the trunk port was configured correctly on the hEX S port 5. And seemed to indicate there was a problem with the hap ac lite.

Then you configured the RB4011 (config in post #113) and connected the hap ac lite port 1 to RB4011 port 10 and you claim that the hap ac lite worked when connected to the RB4011 (I assume the same config that did not work when connected to port 5 of the hEX S), in your words "It's working on RB4011, it worked right away, as soon as i plugged in the hap ac lite" in post #115.

Assuming that the hap ac lite config is still as it was in post #85

Can anyone explain this?
Last edited by Buckeye on Mon Apr 04, 2022 6:00 am, edited 2 times in total.
 
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Virtual WLAN and VLAN's

Sun Apr 03, 2022 9:38 pm

Nope. Gremlins. A flaky OP LOL.
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Mon Apr 04, 2022 7:46 am

Yes, you got it right, the topic became so long that I have to read a few posts back in order to know what to write :lol: :lol: :lol:

So, yes, I do have several SFP to RJ45 adapters and I used one to make port 25 the trunk port on the switch.

And yes, it worked as soon as I connected the hap ac lite to the RB4011. For now without wifi, only 3 access ports.

Why is it working? I really don't know. My plan now is to back up the hex config, downgrade it to 6.48.6 and restore the configuration. If it works, that would indicate some strange firmware problem I presume?

If not, then I will add the rest of the configuration from hex to RB4011 line by line (I didn't make all the changes yet so the config on RB4011 and HEX is NOT the same) and then I will see if any config change breaks anything.

Because I want to know WHY it's not working with hex->hapac but it's working rb4011->hapac.

And if it's a firmware bug then maybe someone more skilled than me can report that to Mikrotik so they can correct it in future updates
 
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Virtual WLAN and VLAN's

Mon Apr 04, 2022 8:26 am

Why is it working ? I really don't know. My plan now is to backup hex config, downgrade it to 6.48.6 and restore configuration. If it works, that would indicate some strange firmware problem I presume ?

There were gremlin-type problems discussed in the past on this forum. In such cases the cure was to reset the configuration (change in SW version was not necessary) and then re-do the config ... either manual configuration or import the exported config. Restoring from (binary) backup did not help. Which might indicate that there's some configuration lingering which doesn't show in UI but affects how device operates.

So my advice: reset configuration, install whichever ROS version you want to have (7.2rc or 6.48.6 or anything in between; if you decide to install the device, you might as well netinstall it to be 100% sure any lingering configuration gets removed) and then configure device from scratch. You know what kind of config it needs because you've got it on your RB4011, no sidesteps are needed now.
 
Buckeye
Forum Veteran
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Mon Apr 04, 2022 11:10 am

Why is it working ? I really don't know. My plan now is to backup hex config, downgrade it to 6.48.6 and restore configuration. If it works, that would indicate some strange firmware problem I presume ?

There were gremlin-type problems discussed in the past on this forum. In such cases the cure was to reset the configuration (change in SW version was not necessary) and then re-do the config ... either manual configuration or import the exported config. Restoring from (binary) backup did not help. Which might indicate that there's some configuration lingering which doesn't show in UI but affects how device operates.

So my advice: reset configuration, install whichever ROS version you want to have (7.2rc or 6.48.6 or anything in between; if you decide to install the device, you might as well netinstall it to be 100% sure any lingering configuration gets removed) and then configure device from scratch. You know what kind of config it needs because you've got it on your RB4011, no sidesteps are needed now.
I am aware of problems that doing a factory reset and restoring seem to fix, and in a lab/home situation it may make the most sense. But then we won't learn the root cause.

What has me baffled is
Hex <trunk> hap does not work.
Hex <trunk> switch does work.
RB4011 <trunk> hap does work.

About the only "variable" is that the hap was being powered by the hEX over the trunk link, but output from commands in post #100 and (suspect) output in post #102 (I say suspect because it appears to me that not everything was included, and also appears to me that some output that was really from the hap was pasted into the section that claimed to be from the hex). My objections were noted in post #105 (and I am not claiming this was done on purpose, I have accidentally pasted the contents of a clipboard that I thought I had copied from somewhere else into a command prompt, and that's always a pucker moment when the wrong text gets pasted into a production machine).

I just don't like reloading as standard operating procedure, because then if it does "fix" the problem, you never discover the root cause. And I am a firm believer that when something happens once, it will happen again. And I also believe that often the reload/reboot etc. may not be the real reason that the problem was fixed, it may be a coincidence (example: someone changes the ip address of the router's LAN address, and reboots the router, but some dhcp client PC can't connect. Often the reason for this is because there is an ethernet switch between the router and the dhcp clients, and the dhcp clients don't see the link status change, so they have no clue they should do a dhcp renew because their dhcp lease is still valid (the ubiquiti edgerouters default to 86400 seconds (24 hours), so that problem is more likely than with the 600 second leases that MikroTik defaults to). If the clients do see the link drop, they will do a dhcp request and get a NACK due to wrong network, then start over with a complete DORA sequence). Things like this lead to computer folklore like "I guess my router was tired, because I shut it off and turned it on in the morning, and things started to work. So if your router doesn't work, try turning it off overnight." I am not saying that this is a case like that, but I don't like solutions that can't be explained, because there is a good explanation, it just isn't always obvious (until you discover it).

From a practical point of view, doing a factory reset, and loading from the export is probably the expedient thing to do. And if that doesn't work, then a netinstall.

But before doing that, I would at least be interested if the cable connected to port 10 of the RB2011 could be plugged into the hex port 5, and then trying to plug a PC into the hap one more time, just to verify that it still does not work (and making sure the PC connection is disconnected/reconnected) so dhcp will be triggered. If that doesn't work, reboot the hap, to see if that makes a difference.

Then reset/reload.

And keep good notes.
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Mon Apr 04, 2022 8:18 pm

Of course, I will try to figure out what happened. I will first try to plug the RB4011 into ether5 on the hap ac lite, but I first have to make ether5 tagged for all VLANs, and reconfigure other ports because right now, ether5 is the access port for VLAN20.

I will make a backup of all current configurations on all devices. Also I will write down all differences between the current hex and rb4011 config.

After that I would like to netinstall ROS 7 on hex and then put the same config that I have in rb4011 (modified for hex of course) so I can see if it's working. Then if it's working I will add the rest of the configuration to see if something goes wrong. I know that there was a member list modification, firewall modifications as well.

In case things don't work on ROS7 then I will netinstall 6.48.6 or 6.47.10 which is currently on RB4011.

So I will take both pieces of advice. When this is figured out I will move to wireless.
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Tue Apr 05, 2022 6:51 pm

So I connected RB4011 ether10 to hap ether5 (after the necessary changes of course) and it's working.

I netinstalled ROS 7.2 on hex s and made the same config changes I made on rb4011 aaaand nothing...

I get an IP address on hex s for VLANs (but no internet access...) and still nothing if I connect the hapac lite to hex...

EDIT: I updated some settings that I forgot, so now I have internet access on all vlans, but hap ac lite is not working...

Here is new hex config:
# apr/05/2022 18:05:21 by RouterOS 7.2
# software id = 2NZF-BKUH
#
# model = RB760iGS
# serial number = D4500FA09027
/interface bridge
add admin-mac=DC:2C:6E:0D:34:53 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=CCTV_network vlan-id=20
add interface=bridge name=Guest_network vlan-id=15
add interface=bridge name=Home_network vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_home ranges=172.16.10.2-172.16.10.254
add name=dhcp_guest ranges=172.16.15.2-172.16.15.254
add name=dhcp_cctv ranges=172.16.20.2-172.16.20.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=dhcp_home interface=Home_network name=dhcp-srv-home
add address-pool=dhcp_guest interface=Guest_network name=dhcp-srv-guest
add address-pool=dhcp_cctv interface=CCTV_network name=dhcp-srv-cctv
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=15
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 untagged=ether4 vlan-ids=15
add bridge=bridge tagged=bridge,ether5 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Home_network list=Home
add interface=Home_network list=LAN
add interface=Guest_network list=LAN
add interface=CCTV_network list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=172.16.10.1/24 interface=Home_network network=172.16.10.0
add address=172.16.15.1/24 interface=Guest_network network=172.16.15.0
add address=172.16.20.1/24 interface=CCTV_network network=172.16.20.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=172.16.10.253 mac-address=48:8F:5A:63:DC:0A server=dhcp-srv-home
/ip dhcp-server network
add address=172.16.10.0/24 dns-server=172.16.10.1 gateway=172.16.10.1
add address=172.16.15.0/24 dns-server=172.16.15.1 gateway=172.16.15.1
add address=172.16.20.0/24 dns-server=172.16.20.1 gateway=172.16.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Zagreb
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Wed Apr 06, 2022 6:38 am

Next step would be installing ROS 7.2 on hAP ac lite, and if that doesn't work, then I will downgrade to ROS 6.48.6.

I don't see any other option... because now the only difference is the ROS version... and hardware of course... (default configuration + VLANs on both hEX and RB4011)
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Wed Apr 06, 2022 8:43 pm

So... ROS 7.2 on both hEX and hAP ac lite... not working as expected :lol: :lol: :lol:

Then I netinstalled ROS 6.48.6 on both hEX and hAP ac lite, copied the config line by line for both devices and everything is working :D :D :D hAP ac lite is getting VLANs on ether3, 4, 5 as expected.

So now I have to make all the modifications that @anav suggested earlier and then I have to enable WiFi.

But still one big question remains unanswered... Why doesn't this config work on ROS 7?? I mean, this is something that is used quite often, I presume?

Here is the current config for hEX and hAP ac lite

hAP ac lite:
# jan/02/1970 00:31:38 by RouterOS 6.48.6
# software id = 
#
# model = RB952Ui-5ac2nD
# serial number = 
/interface bridge
add name=bridge vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=bridge name=Home_network use-service-tag=yes vlan-id=10
/interface list
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=15
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge untagged=ether3 vlan-ids=10
add bridge=bridge tagged=ether1 untagged=ether4 vlan-ids=15
add bridge=bridge tagged=ether1 untagged=ether5 vlan-ids=20
/interface list member
add interface=Home_network list=Home
add interface=ether2 list=Home
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.253/24 interface=Home_network network=172.16.10.0
/ip dns
set allow-remote-requests=yes servers=172.16.10.1
/ip route
add distance=1 gateway=172.16.10.1
/system identity
set name=RouterOS
hEX:
# apr/06/2022 19:42:21 by RouterOS 6.48.6
# software id = 
#
# model = RB760iGS
# serial number = 
/interface bridge
add admin-mac=DC:2C:6E:0D:34:53 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=CCTV_network vlan-id=20
add interface=bridge name=Guest_network vlan-id=15
add interface=bridge name=Home_network vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Home
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_home ranges=172.16.10.2-172.16.10.254
add name=dhcp_guest ranges=172.16.15.2-172.16.15.254
add name=dhcp_cctv ranges=172.16.20.2-172.16.20.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_home disabled=no interface=Home_network name=\
    dhcp_srv_home
add address-pool=dhcp_guest disabled=no interface=Guest_network name=\
    dhcp_srv_guest
add address-pool=dhcp_cctv disabled=no interface=CCTV_network name=\
    dhcp_srv_cctv
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=Home
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 untagged=ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether5 vlan-ids=15
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Home_network list=Home
add interface=Home_network list=LAN
add interface=Guest_network list=LAN
add interface=CCTV_network list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=172.16.10.1/24 interface=Home_network network=172.16.10.0
add address=172.16.15.1/24 interface=Guest_network network=172.16.15.0
add address=172.16.20.1/24 interface=CCTV_network network=172.16.20.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.15.0/24 gateway=172.16.15.1
add address=172.16.20.0/24 gateway=172.16.20.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Virtual WLAN and VLAN's

Wed Apr 06, 2022 9:07 pm

Did you try on 7.2 stable or 7.2rc7 testing??
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Wed Apr 06, 2022 10:48 pm

Both... 7.2 stable and 7.2rc7 on both devices...

But just one note: when I was testing with RB4011, hAP ac was on 7.2rc7 and RB4011 was on 6.47.10.

So I tried all possible solutions, and when hEX is not on ROS 7 then it works like it should...

Every version of ROS was netinstalled.

I'm curious, if I update RB4011 to ROS 7 will it work...
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Thu Apr 07, 2022 5:07 am

The longer this thread gets the less I understand.

In post #94 I thought you had connected the hEX S to the switch. At least that's how I interpreted
So i did one experiment, i wanted to see if this new switch will work with ether5 trunk port and it's working, all VLANs are working.

Laptop gets IP address by DHCP and I have internet access.
Wasn't that ether5 trunk port on the hEX S? Running 7.2rc5?

It is much easier to troubleshoot something you can see and touch than relying on someone else's descriptions with latencies due to different schedules.

My guess is that the performance of the hEX S with vlans on 6.48.6 will be slower, but slow and working is better than fast and not working.

My hEX S is running v7.2 stable now, and as far as I could tell the vlans have been working since I first configured them (I think with v7.2rc3). I am connecting to an ER-X running EdgeOS v2.0.9-hotfix.2 with the vlan-aware switch0 configured. I have multiple connections between the hEX S and the ER-X, each providing the other with ip configs via dhcp. But both of my routers in the lab are MT7621A based. But I do have one of the hEX ports connected to a TL-SG108E (cheap vlan-aware "smart switch"). I just swapped the "uplink" ports so the ER-X is now connected to the TL-SG108E and the hEX is connected to my MikroTik CSS106-5G-1S (but that connection is my "WAN" connection and has no vlans configured, so it only sees the untagged (native) vlan 101, and does not see the tagged vlan 107). The only issue I had was at the start, with the firewall: a device connected to the hEX would get an ip address via dhcp, but couldn't do anything else. I was a bit surprised that the dhcp worked, but perhaps the dhcp somehow gets past the default firewall. That problem was described in this post in the "2 ways to associate bridge and VLAN" thread.

But no issues that I could detect with vlans under the bridge, once I wrapped my head around how the vlan-filtered bridge is configured in MikroTik's RouterOS (which is quite different than the way the vlan-aware switch0 is configured in vyatta/EdgeOS).
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Thu Apr 07, 2022 8:09 am

Yeah, I know... it's getting a little bit confusing... But I had 7.2rc5 installed, and yes, it was working with a switch... but not with hAP ac lite. I also had 7.2rc7 and 7.2 stable on both devices...

As far as I know, when hAP ac lite was on ROS 7 (7.2rc5 or rc7 or stable) it was working as long as hEX was on ROS 6. So something on the router side was wrong...

I will update RB4011 to ROS 7 just to see if the same thing happens. Also I'm planning to buy another cAP ac for my garage/workshop so I will have one more device for testing.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Thu Apr 07, 2022 12:02 pm

So, new test results:

RB4011 upgraded from 6.47.10 to 7.2 stable (no netinstall, just regular upgrade): all VLANs are working on hAP ac lite (hAP ac lite was on 6.48.6)
hAP ac lite upgraded from 6.48.6 to 7.2 stable (no netinstall, just regular upgrade): all VLANs are working as they should...
hEX S on 6.48.6, hAP ac lite on 7.2 stable: all VLANs are working as they should...

hEX S on 7.2 stable (no netinstall, just regular upgrade), hAP ac lite on 7.2 stable: VLANs working on hEX S ports, on hAP ac lite not working...

My head is hurting right now :lol: :lol: :lol:

Why is it working on RB4011 with ROS 7 but not with hEX S??
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Fri Apr 08, 2022 12:15 pm

hEX S on 7.2 stable (no netinstall, just regular upgrade), hAP ac lite on 7.2 stable: VLANs working on hEX S ports, on hAP ac lite not working...
What does "VLANs working on hEX S ports" mean? Be specific.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Fri Apr 08, 2022 12:16 pm

How to Report Bugs Effectively From the Introduction: Anybody who has written software for public use will probably have received at least one bad bug report. Reports that say nothing ("It doesn't work!"); reports that make no sense; reports that don't give enough information; reports that give wrong information. Reports of problems that turn out to be user error; reports of problems that turn out to be the fault of somebody else's program; reports of problems that turn out to be network failures. ...

In a nutshell, the aim of a bug report is to enable the programmer to see the program failing in front of them. You can either show them in person, or give them careful and detailed instructions on how to make it fail. If they can make it fail, they will try to gather extra information until they know the cause. If they can't make it fail, they will have to ask you to gather that information for them.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Fri Apr 08, 2022 2:37 pm

So, when I say that VLANs are working on hEX ports, I mean that when I untag VLANs 10, 15 and 20 on hEX ports 2, 3 and 4 I get an IP address and internet access.

But when I connect hAP ac lite to ether5, which is the trunk port, then I get nothing.

So you think that this bug should be reported? I think that it should be reported, you never know who might run into the same problem.

Today I will add WLAN to the hAP ac lite so I can complete the test configuration.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Fri Apr 08, 2022 4:40 pm

So, when I say that VLANs are working on hEX ports, I mean that when I untag VLANs 10, 15 and 20 on hEX ports 2, 3 and 4 I get an IP address and internet access.

But when I connect hAP ac lite to ether5, which is the trunk port, then I get nothing.
But didn't you say the trunk port worked when connected to the switch? But I never understood the reason for using the SFP port on the switch when you configured the switch (post #94). How did you connect ether5 to the SFP port? Did you use an SFP to RJ45 copper 1Gbps module?
 
gigabyte091
Forum Guru
Topic Author
Posts: 1153
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Virtual WLAN and VLAN's

Fri Apr 08, 2022 6:43 pm

Yes, as I said, I have several SFP to RJ45 1Gbps adapters. Reason to use it? I just wanted to test them to see if they are working.

And yes, when I connected ether5 from hEX S (trunk port) to the MikroTik switch (with SwOS 2.13 on it) it was working (I configured it before connecting, I posted screenshots of the configuration).

But when I connected hEX S to hAP ac lite it wasn't working. (NOTE: It wasn't working when ROS 7 was installed on hEX S, it was working with ROS 6)

Little update on the WLAN part: I created 3 WLANs, each on a different VLAN, and it's working without a problem. Here is the configuration that I'm using right now, I just need to add @anav's suggestions to RB4011 (firewall settings, etc.)
# apr/07/2022 11:45:09 by RouterOS 7.2
# software id = 
#
# model = RB952Ui-5ac2nD
# serial number = 
/interface bridge
add ingress-filtering=no name=bridge vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=croatia disabled=no \
    mode=ap-bridge ssid=CCTV
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40mhz-Ce \
    country=croatia disabled=no mode=ap-bridge ssid=Gazda wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:63:DC:10 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan3 ssid=Gosti \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface vlan
add interface=bridge name=Home_network use-service-tag=yes vlan-id=10
/interface list
add name=Home
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys supplicant-identity=MikroTik
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=no \
    interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether4 pvid=15
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether5 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=wlan1 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=wlan3 pvid=15
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=wlan2 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=Home
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge untagged=ether3,wlan2 vlan-ids=10
add bridge=bridge tagged=ether1 untagged=ether4,wlan3 vlan-ids=15
add bridge=bridge tagged=ether1 untagged=ether5,wlan1 vlan-ids=20
/interface list member
add interface=Home_network list=Home
add interface=ether2 list=Home
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=172.16.50.1/24 interface=ether2 network=172.16.50.0
add address=172.16.10.253/24 interface=Home_network network=172.16.10.0
/ip dns
set allow-remote-requests=yes servers=172.16.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.16.10.1
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=RouterOS
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Virtual WLAN and VLAN's

Sun Aug 07, 2022 10:34 am

I just noticed this

/interface vlan
add interface=bridge name=Home_network use-service-tag=yes vlan-id=10

Is that really what you want?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Virtual WLAN and VLAN's

Mon Aug 08, 2022 5:55 pm

I have never used that setting, so I cannot comment on what its purpose is... maybe for switch-based VLANs vice bridge VLAN filtering??
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Virtual WLAN and VLAN's

Mon Aug 08, 2022 6:34 pm

use-service-tag=yes
Service Tag is used when we need management access in cases where double VLAN tagging is used...
https://wiki.mikrotik.com/wiki/Manual:B ... ling_setup
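An added checker for the two things the last posts circle around: a trunk port that carries nothing, and the use-service-tag=yes line Buckeye spotted. This is example code written for this page, not from the thread or from MikroTik. It parses the /interface bridge, /interface bridge port, /interface bridge vlan and /interface vlan sections of a RouterOS export and reports the mismatches that commonly explain a silent trunk or an unreachable management VLAN interface. The sample export is the hAP ac lite config posted above, trimmed to five ports. The ether-type values it relies on (bridge ether-type defaults to 0x8100; use-service-tag=yes makes the VLAN interface tag with 0x88a8) are my reading of the RouterOS bridge documentation; the finding codes and function names are my own.

```python
"""Consistency checks for a RouterOS VLAN-filtered bridge export (added example)."""
import re
import shlex

# Constructed sample: the bridge/VLAN sections of the hAP ac lite export posted
# in this thread (RouterOS 7.2), trimmed to five ports so it stays short.
SAMPLE_EXPORT = r"""
/interface bridge
add ingress-filtering=no name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=Home_network use-service-tag=yes vlan-id=10
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=no \
    interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether4 pvid=15
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether5 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=wlan1 pvid=20
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge untagged=ether3 vlan-ids=10
add bridge=bridge tagged=ether1 untagged=ether4 vlan-ids=15
add bridge=bridge tagged=ether1 untagged=ether5,wlan1 vlan-ids=20
"""


def parse_export(text):
    """Parse a RouterOS export into {section: [entry, ...]}, one dict of
    key=value pairs per 'add'/'set' line. Backslash continuations are joined
    first; '#' lines and bare tokens (e.g. '[ find ... ]') are ignored."""
    joined = re.sub(r"\\\n\s*", " ", text)
    sections, current = {}, None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        verb, _, rest = line.partition(" ")
        entry = {"_verb": verb}
        for tok in shlex.split(rest):
            key, eq, val = tok.partition("=")
            if eq:
                entry[key] = val
        sections[current].append(entry)
    return sections


def expand_vlan_ids(spec):
    """'10,15,20-22' -> {10, 15, 20, 21, 22}."""
    ids = set()
    for part in spec.split(","):
        if part:
            lo, _, hi = part.partition("-")
            ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def check_bridge_vlans(sections):
    """Return a list of (code, message) findings for the parsed export."""
    findings = []
    ports = sections.get("/interface bridge port", [])
    bridges = {b["name"]: b for b in sections.get("/interface bridge", []) if "name" in b}
    members = {p["interface"] for p in ports}
    tagged, untagged = {}, {}  # vlan-id -> set of interface names
    for v in sections.get("/interface bridge vlan", []):
        for vid in expand_vlan_ids(v.get("vlan-ids", "")):
            tagged.setdefault(vid, set()).update(filter(None, v.get("tagged", "").split(",")))
            untagged.setdefault(vid, set()).update(filter(None, v.get("untagged", "").split(",")))

    # 1. Names in the VLAN table must be bridge ports or the bridge itself (typo check).
    for vid in sorted(set(tagged) | set(untagged)):
        for name in tagged.get(vid, set()) | untagged.get(vid, set()):
            if name not in members and name not in bridges:
                findings.append(("unknown-member", f"vlan {vid}: '{name}' is not a bridge port"))

    # 2. Trunk vs access consistency, plus ingress filtering on trunks.
    for p in ports:
        name, pvid = p["interface"], int(p.get("pvid", "1"))
        if p.get("frame-types") == "admit-only-vlan-tagged":  # trunk
            for vid, names in untagged.items():
                if name in names:
                    findings.append(("trunk-untagged", f"trunk {name} is untagged in vlan {vid}"))
            if p.get("ingress-filtering") == "no":
                findings.append(("no-ingress-filter",
                                 f"trunk {name}: ingress-filtering=no accepts tagged frames for VLANs it is not a member of"))
        else:  # access port: its pvid VLAN must be carried by some tagged member
            if not tagged.get(pvid):
                findings.append(("isolated-pvid", f"{name}: pvid {pvid} has no tagged member in the VLAN table"))
            for vid, names in tagged.items():
                if name in names:
                    findings.append(("access-tagged", f"access port {name} is also tagged in vlan {vid}"))

    # 3. VLAN interfaces on the bridge: the bridge must be a tagged member of that VLAN,
    #    and the interface's tag ether-type must match what the bridge filters on
    #    (bridge default 0x8100; use-service-tag=yes makes the interface use 0x88a8).
    for vif in sections.get("/interface vlan", []):
        parent, vid = vif.get("interface"), int(vif.get("vlan-id", "1"))
        if parent not in bridges:
            continue
        if parent not in tagged.get(vid, set()):
            findings.append(("bridge-not-tagged", f"{vif['name']}: bridge '{parent}' is not a tagged member of vlan {vid}"))
        etype = bridges[parent].get("ether-type", "0x8100")
        if vif.get("use-service-tag") == "yes" and etype != "0x88a8":
            findings.append(("service-tag-mismatch",
                             f"{vif['name']}: use-service-tag=yes (0x88a8) but bridge '{parent}' filters ether-type {etype}"))
    return findings


if __name__ == "__main__":
    for code, msg in check_bridge_vlans(parse_export(SAMPLE_EXPORT)):
        print(f"[{code}] {msg}")
```

To use it on a real device, save the output of /export to a file and pass its contents to parse_export. On the sample it reports two things: the trunk ether1 with ingress-filtering=no (a trunk that accepts tags for VLANs it is not a member of is the classic VLAN-hopping foothold, so the safe setting is yes), and the Home_network interface whose 0x88a8 service tag will never match the 0x8100 frames the bridge hands to it. With those two lines changed the checker reports nothing, which is the state to aim for before chasing a RouterOS version difference.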
