Community discussions

MikroTik App
 
vinet7
just joined
Topic Author
Posts: 1
Joined: Sat Jun 25, 2022 10:55 pm

WLAN and VLAN multipli SSIDs

Tue Jun 28, 2022 11:55 pm

I found this config from another Post:
###############################################################################
# Topic:		Using RouterOS to VLAN your network
# Example:		Access Point
# Web:			https://forum.mikrotik.com/viewtopic.php?t=143620
# RouterOS:		6.43.13
# Date:			April 15, 2021
# Notes:		Start with a reset (/system reset-configuration)
# Thanks:		mkx, sindy
###############################################################################

#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="AccessPoint"


#######################################
# VLAN Overview
#######################################

# 10 = BLUE
# 20 = GREEN
# 30 = RED
# 99 = BASE (MGMT) VLAN


#######################################
# WIFI Setup
#
# Example wireless settings only. Do
# NOT use in production!
#######################################

# Blue SSID
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless set [ find default-name=wlan1 ] ssid=BLUE_SSID frequency=auto mode=ap-bridge disabled=no

# Green SSID
/interface wireless security-profiles add name=GREEN_PROFILE authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless add name=wlan2 ssid=GREEN_SSID master-interface=wlan1 security-profile=GREEN_PROFILE disabled=no

# Red SSID
/interface wireless security-profiles add name=RED_PROFILE authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless add name=wlan3 ssid=RED_SSID master-interface=wlan1 security-profile=RED_PROFILE disabled=no


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no


#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Blue, Green, Red VLAN
add bridge=BR1 interface=wlan1 pvid=10
add bridge=BR1 interface=wlan2 pvid=20
add bridge=BR1 interface=wlan3 pvid=30

# egress behavior, handled automatically


#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=ether1

# egress behavior
/interface bridge vlan

# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
set bridge=BR1 tagged=ether1 [find vlan-ids=10]
set bridge=BR1 tagged=ether1 [find vlan-ids=20]
set bridge=BR1 tagged=ether1 [find vlan-ids=30]
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99


#######################################
# IP Addressing & Routing
#######################################

# LAN facing AP's Private IP address on a BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=172.22.11.3/24 interface=BASE_VLAN

# The Router's IP this AP will use
/ip route add distance=1 gateway=172.22.11.1


#######################################
# IP Services
#######################################

# We have a router that will handle this. Nothing to set here.
# Attach this AP to a router configured as shown under the "RoaS" example.


#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan3]

# Only allow ingress packets WITH tags on Trunk Ports
/interface bridge port set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/interface list add name=BASE
/interface list member add interface=BASE_VLAN list=BASE
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes

but its not working. But now i found a solution with my configuration. Maybe you found some mistakes i made?
# jan/02/1970 00:12:17 by RouterOS 6.49.6
# software id = XF1X-2MLJ
#
# model = RBOmniTikG-5HacD
# serial number = E
/interface bridge
add name=bridgeVLAN20 vlan-filtering=yes
add name=bridgeVLAN30 vlan-filtering=yes
/interface vlan
add interface=ether1 name=vlan20 vlan-id=20
add interface=ether1 name=vlan30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=AE-secu supplicant-identity="" wpa2-pre-shared-key=S
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=.v.-secu supplicant-identity="" wpa2-pre-shared-key=K
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=AE-Friends-secu supplicant-identity="" wpa2-pre-shared-key=L
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40mhz-Ce country=germany disabled=no distance=indoors frequency=auto mode=ap-bridge \
    security-profile=.v.-secu ssid=.v. wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled  master-interface=wlan1 multicast-buffering=disabled name=AE-5 \
    security-profile=AE-secu ssid=AE wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled  master-interface=wlan1 multicast-buffering=disabled name=AE-5-Friends \
    security-profile=AE-Friends-secu ssid=AE-friends wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge hw=yes comment=defconf interface=ether2
add bridge=bridge hw=yes comment=defconf interface=ether3
add bridge=bridge hw=yes comment=defconf interface=ether4
add bridge=bridge hw=yes comment=defconf interface=ether5
add bridge=bridge hw=yes comment=defconf interface=wlan1
add bridge=bridge hw=yes interface=ether1
add bridge=bridgeVLAN30 hw=yes interface=AE-5-Friends
add bridge=bridgeVLAN30 hw=yes interface=vlan30
add bridge=bridgeVLAN20 hw=yes interface=AE-5
add bridge=bridgeVLAN20 hw=yes interface=vlan20
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge untagged=ether1,bridge vlan-ids=1
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: WLAN and VLAN multipli SSIDs

Sat Jul 02, 2022 5:21 pm

If you post a network diagram, and complete config (hide any public IPs) I will have a look.
Personally I think your config is way overcooked and can be simplified, in most cases one only needs one bridge.
If you are doing vlans then suggest make the bridge LAN simply another vlan.

WHat you have is very strange and have no clue what is on ether1 or other ends of the router ports.
Then you make the mistake of identifying vlan1 in the mix.................
To me a mess. How it works, is beyond my scope of knowledge......

Either keep it as it is if its working or do a complete make-over.

Who is online

Users browsing this forum: Bing [Bot] and 28 guests