###############################################################################
# Topic: Using RouterOS to VLAN your network
# Example: Access Point
# Web: https://forum.mikrotik.com/viewtopic.php?t=143620
# RouterOS: 6.43.13
# Date: April 15, 2021
# Notes: Start with a reset (/system reset-configuration)
# Thanks: mkx, sindy
###############################################################################
#######################################
# Naming
#######################################
# Name the device being configured. The identity is the name this AP shows
# in management tools and announces through neighbor discovery.
/system identity set name="AccessPoint"
#######################################
# VLAN Overview
#######################################
# 10 = BLUE
# 20 = GREEN
# 30 = RED
# 99 = BASE (MGMT) VLAN
#######################################
# WIFI Setup
#
# Example wireless settings only. Do
# NOT use in production!
#
# All three SSIDs below use WPA2-PSK with the same placeholder passphrase
# ("password"). Each SSID maps to a different VLAN, so a shared or guessable
# key undoes the separation between them: give every SSID its own long,
# random passphrase before deploying.
#######################################
# Blue SSID: edits the default security profile, then enables the physical
# radio wlan1 as an AP. wlan1 names no security-profile here, so presumably
# it keeps using the default profile just modified - confirm.
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless set [ find default-name=wlan1 ] ssid=BLUE_SSID frequency=auto mode=ap-bridge disabled=no
# Green SSID: dedicated security profile plus a virtual AP (wlan2) that
# shares the wlan1 radio through master-interface
/interface wireless security-profiles add name=GREEN_PROFILE authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless add name=wlan2 ssid=GREEN_SSID master-interface=wlan1 security-profile=GREEN_PROFILE disabled=no
# Red SSID: dedicated security profile plus a second virtual AP (wlan3) on
# the same radio
/interface wireless security-profiles add name=RED_PROFILE authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless add name=wlan3 ssid=RED_SSID master-interface=wlan1 security-profile=RED_PROFILE disabled=no
#######################################
# Bridge
#######################################
# Create one bridge with VLAN filtering off while we configure. Filtering is
# switched on by the last command of this script, presumably so the steps in
# between cannot cut off access to the device.
# protocol-mode=none turns off STP/RSTP on this bridge, so the bridge will
# not detect layer-2 loops - TODO confirm that suits your topology.
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no
#######################################
#
# -- Access Ports --
#
#######################################
# ingress behavior: pvid is the VLAN that untagged frames entering the port
# are placed in, so each SSID is tied to exactly one VLAN
/interface bridge port
# Blue, Green, Red VLAN (wlan1 -> 10, wlan2 -> 20, wlan3 -> 30)
add bridge=BR1 interface=wlan1 pvid=10
add bridge=BR1 interface=wlan2 pvid=20
add bridge=BR1 interface=wlan3 pvid=30
# egress behavior, handled automatically: no untagged= entries are written
# for these ports anywhere in this script; the bridge is expected to add
# each port as an untagged member of its pvid VLAN on its own
#######################################
#
# -- Trunk Ports --
#
#######################################
# ingress behavior
/interface bridge port
# Purple Trunk. Leave pvid set to default of 1. Untagged frames would land
# in VLAN 1, but the VLAN Security section later restricts ether1 to tagged
# frames only.
add bridge=BR1 interface=ether1
# egress behavior
/interface bridge vlan
# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
# NOTE(review): the three "set" lines only modify VLAN table entries that
# already exist for VLAN 10/20/30. If [find] matches nothing, nothing is
# changed and ether1 will not carry that VLAN. After applying, check the
# result with "/interface bridge vlan print".
set bridge=BR1 tagged=ether1 [find vlan-ids=10]
set bridge=BR1 tagged=ether1 [find vlan-ids=20]
set bridge=BR1 tagged=ether1 [find vlan-ids=30]
# VLAN 99 is the only VLAN with BR1 itself as a tagged member, because it is
# the only VLAN the AP has its own interface on (BASE_VLAN, created below)
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99
#######################################
# IP Addressing & Routing
#######################################
# LAN facing AP's Private IP address on a BASE_VLAN. This is the only IP
# address the script assigns, so the AP is reachable at layer 3 only through
# VLAN 99.
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=172.22.11.3/24 interface=BASE_VLAN
# The Router's IP this AP will use. No dst-address is given, so this is the
# default route.
# NOTE(review): whether hosts in VLAN 10/20/30 can reach 172.22.11.3 through
# the router depends on the router's firewall, which is not part of this
# script - verify it there.
/ip route add distance=1 gateway=172.22.11.1
#######################################
# IP Services
#######################################
# We have a router that will handle this. Nothing to set here.
# Attach this AP to a router configured as shown under the "RoaS" example.
#######################################
# VLAN Security
#######################################
# Only allow ingress packets without tags on Access Ports.
# ingress-filtering=yes makes the port check each frame's VLAN ID against
# the bridge VLAN table; the frame-types setting drops VLAN-tagged frames, so
# a wireless client cannot put itself into another VLAN by tagging its own
# traffic.
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan3]
# Only allow ingress packets WITH tags on Trunk Ports, so untagged frames on
# ether1 never reach the default pvid of 1
# NOTE(review): BR1 itself (the CPU-facing side of the bridge) is not
# restricted anywhere in this script. If nothing on the AP should use
# untagged traffic, consider setting ingress-filtering and frame-types on
# "/interface bridge" for BR1 as well - confirm on a test device first.
/interface bridge port set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]
#######################################
# MAC Server settings
#######################################
# Ensure only visibility and availability from BASE_VLAN, the MGMT network.
# The interface list BASE holds BASE_VLAN only; neighbor discovery, MAC
# WinBox and the MAC server are then limited to that list.
# NOTE(review): this covers the layer-2 management paths only. The script
# does not touch "/ip service" or user accounts, so those stay as the reset
# left them - disable unused services and set a strong admin password
# separately.
/interface list add name=BASE
/interface list member add interface=BASE_VLAN list=BASE
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE
#######################################
# Turn on VLAN mode
#######################################
# Last step on purpose: from here on the bridge enforces the VLAN table and
# the port rules set above. The AP's only IP address sits on VLAN 99, which
# is tagged on ether1, so management must arrive tagged with VLAN 99 on the
# trunk. When applying this remotely, use Safe Mode so a mistake does not
# lock you out.
/interface bridge set BR1 vlan-filtering=yes
# jan/02/1970 00:12:17 by RouterOS 6.49.6
# software id = XF1X-2MLJ
#
# model = RBOmniTikG-5HacD
# serial number = E
# Two extra bridges, one per VLAN, both with VLAN filtering enabled.
# NOTE(review): later sections reference a bridge named "bridge", but this
# listing never creates it, and it has no "/interface bridge vlan" entries
# for bridgeVLAN20 or bridgeVLAN30 - the export may be partial; confirm
# against the full configuration.
/interface bridge
add name=bridgeVLAN20 vlan-filtering=yes
add name=bridgeVLAN30 vlan-filtering=yes
# VLAN 20 and VLAN 30 interfaces created directly on ether1.
# NOTE(review): ether1 is also added as a port of "bridge" further down.
# A VLAN interface on a port that is itself a bridge member is a known
# layer-2 misconfiguration on RouterOS; tagged traffic may not reach
# vlan20/vlan30 as intended. Confirm which of the two roles ether1 should
# have.
/interface vlan
add interface=ether1 name=vlan20 vlan-id=20
add interface=ether1 name=vlan30 vlan-id=30
# Default-configuration interface lists. No "/interface list member" section
# appears in this listing, so WAN and LAN look empty from here.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# One WPA2-PSK security profile per SSID (AE, .v., AE-friends).
# NOTE(review): each wpa2-pre-shared-key below is a single character,
# presumably shortened by the poster. If these are the real values they are
# not usable passphrases - a WPA2 passphrase is 8 to 63 characters. When
# sharing an export from RouterOS 6, "/export hide-sensitive" leaves the
# keys out.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=AE-secu supplicant-identity="" wpa2-pre-shared-key=S
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=.v.-secu supplicant-identity="" wpa2-pre-shared-key=K
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=AE-Friends-secu supplicant-identity="" wpa2-pre-shared-key=L
# Physical radio wlan1 carries SSID ".v."; AE-5 and AE-5-Friends are virtual
# APs on the same radio (master-interface=wlan1), each with its own security
# profile. WPS is disabled on all three.
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40mhz-Ce country=germany disabled=no distance=indoors frequency=auto mode=ap-bridge \
security-profile=.v.-secu ssid=.v. wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled master-interface=wlan1 multicast-buffering=disabled name=AE-5 \
security-profile=AE-secu ssid=AE wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled master-interface=wlan1 multicast-buffering=disabled name=AE-5-Friends \
security-profile=AE-Friends-secu ssid=AE-friends wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
# Default hotspot profile; only its HTML directory is set here.
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# Address pool and DHCP server from the default configuration, bound to the
# bridge named "bridge".
# NOTE(review): no "/ip address" or "/ip dhcp-server network" section appears
# in this listing, so the gateway and DNS handed to clients cannot be told
# from here. If this device is meant to be a plain AP behind a router that
# already runs DHCP, confirm this server should still be enabled.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
# Bridge membership:
#   bridge        - ether1..ether5 and wlan1 (SSID ".v.")
#   bridgeVLAN30  - AE-5-Friends and vlan30
#   bridgeVLAN20  - AE-5 and vlan20
# hw=yes asks for hardware offloading on each port.
# NOTE(review): ether1 is a port of "bridge" here, while vlan20 and vlan30
# are VLAN interfaces on ether1 - see which role ether1 is meant to have;
# the two do not combine reliably.
/interface bridge port
add bridge=bridge hw=yes comment=defconf interface=ether2
add bridge=bridge hw=yes comment=defconf interface=ether3
add bridge=bridge hw=yes comment=defconf interface=ether4
add bridge=bridge hw=yes comment=defconf interface=ether5
add bridge=bridge hw=yes comment=defconf interface=wlan1
add bridge=bridge hw=yes interface=ether1
add bridge=bridgeVLAN30 hw=yes interface=AE-5-Friends
add bridge=bridgeVLAN30 hw=yes interface=vlan30
add bridge=bridgeVLAN20 hw=yes interface=AE-5
add bridge=bridgeVLAN20 hw=yes interface=vlan20
# Neighbor discovery limited to the LAN interface list (no members of that
# list are shown in this listing).
# NOTE(review): nothing in this listing restricts the MAC server or
# "/ip service", and no firewall section is shown - confirm where management
# access and traffic between the three SSIDs are controlled.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# VLAN 1 untagged on ether1 and on the bridge itself. The bridge VLAN table
# is only enforced when the bridge has vlan-filtering=yes, which this listing
# does not show for "bridge".
/interface bridge vlan
add bridge=bridge untagged=ether1,bridge vlan-ids=1