timchi
just joined
Topic Author
Posts: 6
Joined: Tue Jul 05, 2022 1:06 pm
Location: Sweden

VLAN with Access Point

Tue Nov 22, 2022 8:02 pm

Hi, I have a PFSense Router with 3 Mikrotik network switches (CRS112-8P, CRS326-24G-2S+RM both connected via Fibre to a CRS328-24P-4S+RM), 3 Unifi Access Points, one for each switch, and I am trying to set up 3 VLANs with a combination of the Access Points doing the tagging based upon which WIFI network a client joins and port based tagging. I am testing on the CRS112-8P-4S.

My problem is that when I turn on egress tagging the VLAN traffic from the Access Point is filtered out (but untagged works - which I want), but my Interface port 3 traffic gets tagged correctly. But when I turn off egress tagging my Access Point has all traffic (both tagged and untagged) but my interface port tagging does not work.

On this switch, Trunk port is SFP9, I want port 3 tagged with VLAN ID 20, and I want the access point to transmit and receive VLAN ID 20 & 30, as well as untagged.

Any help would be greatly appreciated.

You can see below that /interface ethernet switch egress-vlan-tag has the rule "add disabled=yes tagged-ports=sfp9 vlan-id=20" - which causes the above problem.
# nov/22/2022 18:45:11 by RouterOS 6.49.6
# software id = DXMK-IZJY
#
# model = CRS112-8P-4S
# serial number = HCB*******
/interface bridge
add admin-mac=DC:2C:6E:E6:47:9E auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full poe-out=forced-on speed=100Mbps
set [ find default-name=ether3 ] poe-out=off
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp9 ] advertise=1000M-full auto-negotiation=no
set [ find default-name=sfp10 ] auto-negotiation=no rx-flow-control=auto tx-flow-control=auto
set [ find default-name=sfp11 ] disabled=yes
set [ find default-name=sfp12 ] disabled=yes
/interface vlan
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name="vlan30 Guest" vlan-id=30
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp9
add bridge=bridge comment=defconf interface=sfp10
add bridge=bridge comment=defconf interface=sfp11
add bridge=bridge comment=defconf interface=sfp12
/interface bridge vlan
add bridge=bridge disabled=yes vlan-ids=1-4094
/interface ethernet switch egress-vlan-tag
add disabled=yes tagged-ports=sfp9 vlan-id=20
add disabled=yes tagged-ports=sfp9 vlan-id=30
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=20 ports=ether3,ether4
/interface ethernet switch mac-based-vlan
add new-customer-vid=20 src-mac-address=00:40:AD:BD:43:63
/interface ethernet switch port
set 1 egress-vlan-tag-table-lookup-key=according-to-bridge-type
set 2 allow-fdb-based-vlan-translate=yes
/interface ethernet switch vlan
add disabled=yes ports=ether3 vlan-id=20
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=sfp9 list=LAN
add interface=sfp10 list=LAN
add interface=sfp11 list=LAN
add interface=sfp12 list=LAN
 
timchi
just joined
Topic Author
Posts: 6
Joined: Tue Jul 05, 2022 1:06 pm
Location: Sweden

Re: VLAN with Access Point

Tue Jan 17, 2023 2:03 pm

I presume what I am trying to do is actually possible with Router OS?
 
t4thfavor
just joined
Posts: 18
Joined: Tue Apr 13, 2021 4:40 pm

Re: VLAN with Access Point

Thu Jan 19, 2023 2:35 pm

It’s possible, I have a hex poe doing something similar right now, and I have a regular hex in the lab with a very basic bridge vlan config that is working with filtering enabled that I can share in a little bit today. I’ll post this so I can find my way back here when I have the config handy.
Here are the most relevant parts of my config, the hex poe has two tagged trunk ports, and several untagged access ports, the two trunks are redundant links to my house, so one will always be disabled.
I set the PVID on the trunk ports so that it becomes the native vlan, and the device plugged into it is a Cisco router, so I don't have the other side to show you. That said, I've done vlans without bridging on devices that have one port, and it worked in a similar manner.
/interface bridge
add admin-mac=64:D1:54:8C:7D:2F auto-mac=no name=bridge pvid=55 \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Chance Radio"
set [ find default-name=ether2 ] comment="Backup Link to house" poe-out=\
    forced-on rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether5 ] poe-out=forced-on
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-full comment="Trunk to House"
/interface vlan
add interface=bridge name=AUXLAN vlan-id=56
add interface=bridge name=LAN1 vlan-id=55
add interface=bridge name=WAN1 vlan-id=1076
add interface=bridge name=WAN2 vlan-id=1075
add interface=bridge name=WLAN vlan-id=3
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface bridge port
add auto-isolate=yes bridge=bridge interface=ether2 internal-path-cost=11 \
    path-cost=11 priority=0x90 pvid=55
add bridge=bridge interface=ether3 pvid=55
add bridge=bridge interface=ether4 pvid=3
add bridge=bridge interface=ether5 pvid=3
add bridge=bridge interface=ether1 pvid=1076
add auto-isolate=yes bridge=bridge interface=sfp1 pvid=55
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp1,ether2 vlan-ids=3
add bridge=bridge tagged=bridge,sfp1,ether2 vlan-ids=55
add bridge=bridge tagged=bridge,sfp1,ether2 vlan-ids=56
add bridge=bridge tagged=bridge,sfp1,ether2 vlan-ids=1075
add bridge=bridge tagged=bridge,sfp1,ether2 vlan-ids=1076
/interface list member
add interface=bridge list=LAN
add interface=LAN1 list=LAN
add interface=WLAN list=LAN
add interface=AUXLAN list=LAN
 
timchi
just joined
Topic Author
Posts: 6
Joined: Tue Jul 05, 2022 1:06 pm
Location: Sweden

Re: VLAN with Access Point

Thu Jan 19, 2023 5:51 pm

Thanks for the information. Is it always necessary to have the traffic tagged on the trunk?
 
t4thfavor
just joined
Posts: 18
Joined: Tue Apr 13, 2021 4:40 pm

Re: VLAN with Access Point

Fri Jan 20, 2023 4:08 pm

If you want to have the vlan traverse the trunk to an upstream device, then yes, you need to tag it. If the port is an access port with no vlan aware device on it, then it should be untagged.
 
timchi
just joined
Topic Author
Posts: 6
Joined: Tue Jul 05, 2022 1:06 pm
Location: Sweden

Re: VLAN with Access Point

Sat Jan 21, 2023 12:14 pm

Why do you quote whole preceding post? Does it help you to answer? Do you repeat what your interlocutor says when you discuss face to face? Just use "Post Reply" button.
Yes I want both tagged and untagged both ways on the trunk. This is I think where I get stuck with some of the configuration, I have made a config which allows just tagged or just un-tagged - both hasn't been working. But I am going to compare your setup to mine.

Thanks!
Last edited by BartoszP on Sun Jan 22, 2023 9:27 pm, edited 1 time in total.
Reason: removed excessive quoting of preceding post; be wise, quote smart, save network traffic
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN with Access Point

Sat Jan 21, 2023 1:53 pm

You're confusing terms, a trunk port is vlan tagged only, an access port is untagged only and hybrid contains both tagged and untagged vlans.
The other caveat is that access and hybrid can only contain ONE untagged vlan.
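
The port types described in the post above can be checked mechanically against a bridge VLAN table. The following is an added example, not code from any poster in this thread: it parses a constructed `/interface bridge vlan` export (the port names and VLAN assignments in `SAMPLE_EXPORT` are assumptions), classifies each port as access, trunk or hybrid, and flags a port that is untagged in more than one VLAN. It reads only the explicit `tagged=` and `untagged=` lists and does not model membership that RouterOS adds dynamically from a port's `pvid`.

```python
import re
from collections import defaultdict

# Constructed sample in RouterOS export style; port roles are assumptions.
SAMPLE_EXPORT = """\
/interface bridge vlan
add bridge=bridge untagged=ether2 vlan-ids=1
add bridge=bridge tagged=sfp9,ether2 untagged=ether3,ether4 vlan-ids=20
add bridge=bridge tagged=sfp9,ether2 untagged=ether4 vlan-ids=30
add bridge=bridge disabled=yes tagged=ether3 vlan-ids=1-4094
"""

def expand_vlan_ids(spec):
    """Turn '20', '20,30' or '1-4094' into a set of VLAN IDs."""
    ids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def classify_ports(export):
    """Return {port: (kind, tagged_vlans, untagged_vlans)} from an export."""
    tagged, untagged = defaultdict(set), defaultdict(set)
    section = None
    # Exports wrap long lines with a trailing backslash; rejoin them first.
    for line in re.sub(r"\\\n\s*", "", export).splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
            continue
        if section != "/interface bridge vlan" or not line.startswith("add "):
            continue
        kv = dict(re.findall(r"([\w-]+)=(\S+)", line))
        if kv.get("disabled") == "yes":  # disabled entries carry no traffic
            continue
        vids = expand_vlan_ids(kv.get("vlan-ids", ""))
        for port in filter(None, kv.get("tagged", "").split(",")):
            tagged[port] |= vids
        for port in filter(None, kv.get("untagged", "").split(",")):
            untagged[port] |= vids
    report = {}
    for port in sorted(set(tagged) | set(untagged)):
        t, u = tagged[port], untagged[port]
        if len(u) > 1:
            kind = "invalid"  # more than one untagged VLAN on a port
        elif t and u:
            kind = "hybrid"
        else:
            kind = "trunk" if t else "access"
        report[port] = (kind, sorted(t), sorted(u))
    return report
```
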
 
timchi
just joined
Topic Author
Posts: 6
Joined: Tue Jul 05, 2022 1:06 pm
Location: Sweden

Re: VLAN with Access Point

Sun Jan 22, 2023 10:47 am

Why do you quote whole preceding post? Does it help you to answer? Do you repeat what your interlocutor says when you discuss face to face? Just use "Post Reply" button.
Thanks for the clarification! As I was writing it I was a bit unsure. So yeah, I want a hybrid port. Basically the same setup I have on one of my switches that I moved over to SWOS and is working perfectly.
Last edited by BartoszP on Sun Jan 22, 2023 9:28 pm, edited 1 time in total.
Reason: removed excessive quoting of preceding post; be wise, quote smart, save network traffic
