mantouboji
newbie
Topic Author
Posts: 40
Joined: Mon Aug 01, 2022 2:21 pm
Location: Shanghai

AX3 wifiwave2 VLAN

Fri May 19, 2023 10:07 am

A new hAP-AX3, RouterOS 7.9.

I want to build a guest WLAN with a VLAN to separate it from the main home network.

Because Apple AirPort uses 1003 as the guest VLAN, I chose it too.

According to the RouterOS documents, in RouterOS 7, are bridge vlan-filtering and bridge port tags enough?

But I found that I must set both datapath vlan-id and the bridge?

Here is my configuration; any suggestions are welcome.
/interface bridge
add admin-mac=48:A9:8A:0F:05:23 auto-mac=no comment=defconf \
    ingress-filtering=no name=bridge vlan-filtering=yes
/interface wifiwave2
/interface vlan
add comment=Guest interface=bridge name=vlan1_iot vlan-id=1003
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 security
add authentication-types=wpa-psk,wpa2-psk name=Guest
/interface wifiwave2
add comment="Guest wifi 5G" configuration.mode=ap .ssid=YFWIFI2_IOT \
    datapath.vlan-id=1003 disabled=no mac-address=4A:A9:8A:0F:05:27 \
    master-interface=wifi1 name=wifi3 security=Guest
add comment="Guest wifi 2.4G" configuration.mode=ap .ssid=YFWIFI2_IOT \
    datapath.vlan-id=1003 disabled=no mac-address=4A:A9:8A:0F:05:28 \
    master-interface=wifi2 name=wifi4 security=Guest
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.199
add name=pool_iot ranges=192.168.90.100-192.168.90.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1w name=defconf
add address-pool=pool_iot comment=Guest interface=vlan1_iot lease-time=1d \
    name=dhcp-iot
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge ingress-filtering=no interface=wifi3 pvid=1003
add bridge=bridge ingress-filtering=no interface=wifi4 pvid=1003
/interface bridge vlan
add bridge=bridge comment=Guest tagged=wifi3,wifi4,bridge vlan-ids=1003
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wg2 list=LAN
add interface=wg1 list=WAN
add interface=vlan1_iot list=LAN
/ip address
add address=192.168.90.1/24 comment=Guest interface=vlan1_iot network=\
    192.168.90.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
add address=192.168.90.0/24 comment=Guest dns-server=192.168.90.1 gateway=\
    192.168.90.1


 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: AX3 wifiwave2 VLAN

Fri May 19, 2023 10:18 am

Datapath is only to be used when you use capsman, a controller for managing multiple access points (MT proprietary).

Just like for ether-ports, add wifi ports to bridge with required VLAN settings. And that's enough.
 
mantouboji

Re: AX3 wifiwave2 VLAN

Fri May 19, 2023 10:24 am

> Datapath is only to be used when you use capsman, a controller for managing multiple access points (MT proprietary).
>
> Just like for ether-ports, add wifi ports to bridge with required VLAN settings. And that's enough.

Are you sure?

I added them:
add bridge=bridge ingress-filtering=no interface=wifi3 pvid=1003
add bridge=bridge ingress-filtering=no interface=wifi4 pvid=1003
But without datapath.vlan-id, the clients can connect to the WLAN and get a DHCP address but can't ping anyone.
 
holvoetn

Re: AX3 wifiwave2 VLAN

Fri May 19, 2023 10:30 am

I'm sure, yes.
That's how I have it setup already quite a while since I use VLANs on Wifi with AX3 and AX2 (and before AC3).
Never touched that datapath setting except for capsman experiments (it's only when capsman config for wifiwave2 came available, that datapath setting came available too).

For me it is like this (AX3, only wifi itf shown):
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=10
add bridge=bridge interface=wifi3 pvid=20
wifi3 is a slave of wifi2 for IoT purposes.

You also need to set the VLAN part of the bridge settings (my config):
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge untagged=ether2,ether3,ether4 vlan-ids=2
add bridge=bridge tagged=bridge,ether1 vlan-ids=1
add bridge=bridge tagged=ether1 untagged=wifi2,wifi1 vlan-ids=10
add bridge=bridge tagged=ether1 untagged=wifi3 vlan-ids=20
ether1 is trunk to RB5009.

Please post full config between code quotes [ ], leave out serial number and public WAN IP so we can have a look.
 
mantouboji

Re: AX3 wifiwave2 VLAN

Fri May 19, 2023 11:08 am

> I'm sure, yes.
> That's how I have it setup already quite a while since I use VLANs on Wifi with AX3 and AX2 (and before AC3).
> Never touched that datapath setting except for capsman experiments (it's only when capsman config for wifiwave2 came available, that datapath setting came available too).
>
> For me it is like this (AX3, only wifi itf shown):
> add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=10
> add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=10
> add bridge=bridge interface=wifi3 pvid=20

You use 3 VLANs? I only use two: the default 1 and guest 1003.

Without any datapath.vlan-id, the client will get a DHCP offer such as 192.168.90.199, but can't ping 192.168.90.1.

> wifi3 is a slave of wifi2 for IoT purposes.
>
> You also need to set the VLAN part of the bridge settings (my config):
> /interface bridge vlan
> add bridge=bridge tagged=ether1,bridge untagged=ether2,ether3,ether4 vlan-ids=2
> add bridge=bridge tagged=bridge,ether1 vlan-ids=1
> add bridge=bridge tagged=ether1 untagged=wifi2,wifi1 vlan-ids=10
> add bridge=bridge tagged=ether1 untagged=wifi3 vlan-ids=20
> ether1 is trunk to RB5009.
>
> Please post full config between code quotes [ ], leave out serial number and public WAN IP so we can have a look.
 
mantouboji

Re: AX3 wifiwave2 VLAN

Fri May 19, 2023 11:16 am

See my config.
 
holvoetn

Re: AX3 wifiwave2 VLAN

Fri May 19, 2023 12:24 pm

Looks like you have a mix of VLAN and no-VLAN.
Your bridge is not set to only accept VLAN-tags but your non-IoT wifi interfaces are not VLAN aware.

My guess is that if you change this
/interface bridge
add admin-mac=48:A9:8A:0F:05:23 auto-mac=no comment=defconf \
ingress-filtering=no name=bridge vlan-filtering=yes

To this
/interface bridge
add admin-mac=48:A9:8A:0F:05:23 auto-mac=no ingress-filtering=no name=bridge vlan-filtering=yes frame-types=admit-all

That it should work for IoT channels.
But it's not a clean config.

Either go VLAN all the way, or don't use it at all.

Now, for only 1 AP and only 1 (or 2) Guest networks, you do not need VLAN (it can be used but it is not required).
Simple DHCP server on interface and proper firewall rules will accomplish the same.

PS since you do not have any firewall right now on your device (unless your config is incomplete ?), it doesn't make any sense either to use VLAN.
Everything can reach everything as it is now (from what you show as config ...).
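
An added example, not part of any post in this thread: one way to write the "proper firewall rules" mentioned above for the guest network, using the `vlan1_iot` interface, the `WAN` list and the 192.168.90.0/24 subnet from the posted configuration. It assumes the filter table is otherwise empty; the rule comments are made up here.

```routeros
# Added example (not from the thread). Assumes the posted config:
# guest interface vlan1_iot (192.168.90.1/24), interface list WAN,
# and an otherwise empty /ip firewall filter table.

# The posted config puts vlan1_iot in list LAN; take it out so anything
# keyed on the LAN list does not treat guests as trusted.
/interface list member
remove [find interface=vlan1_iot list=LAN]

/ip firewall filter
# Return traffic for connections that were allowed to start.
add chain=forward action=accept connection-state=established,related \
    comment="guest example: allow replies"
add chain=forward action=drop connection-state=invalid \
    comment="guest example: drop invalid"
# Guests may only leave through WAN: this blocks guest -> main LAN
# (bridge, 192.168.88.0/24) and guest -> wg2.
add chain=forward action=drop in-interface=vlan1_iot \
    out-interface-list=!WAN comment="guest example: internet only"

# Traffic addressed to the router itself from the guest VLAN:
# allow DNS and DHCP, drop everything else.
add chain=input action=accept connection-state=established,related \
    comment="guest example: allow replies to router"
add chain=input action=accept in-interface=vlan1_iot protocol=udp \
    dst-port=53,67 comment="guest example: DNS and DHCP"
add chain=input action=accept in-interface=vlan1_iot protocol=tcp \
    dst-port=53 comment="guest example: DNS over TCP"
add chain=input action=drop in-interface=vlan1_iot \
    comment="guest example: no router management from guests"
```

Main-LAN devices can still open connections to guest devices with these rules; add a drop with `in-interface=bridge out-interface=vlan1_iot` if that direction should be closed too.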
 
mantouboji

Re: AX3 wifiwave2 VLAN

Fri May 19, 2023 3:28 pm


> Either go VLAN all the way, or don't use it at all.

OK.

It looks like wifiwave2 is so different.

I change to use 2 bridges to run 2 networks.
 
holvoetn

Re: AX3 wifiwave2 VLAN

Fri May 19, 2023 3:58 pm

Errm ... unless you REALLY know what you're doing, don't use 2 bridges.
If you do not know why it should or should not be done, you definitely don't need it.

> It looks like wifiwave2 is so different.

THAT I can fully agree with.
But if one has ever used capsman in the past (with legacy wifi), it's not that different from what was used there.
So depending on your previous experience, wifiwave2 can be a real shock :lol:
 
mantouboji

Re: AX3 wifiwave2 VLAN

Fri May 19, 2023 7:02 pm

> Errm ... unless you REALLY know what you're doing, don't use 2 bridges.
> If you do not know why it should or should not be done, you definitely don't need it.
>
> > It looks like wifiwave2 is so different.
>
> THAT I can fully agree with.
> But if one has ever used capsman in the past (with legacy wifi), it's not that different from what was used there.
> So depending on your previous experience, wifiwave2 can be a real shock :lol:

Maybe you are right, two bridges are very ugly, I don't like them at all.

In fact I have an RB4011 running ROS 7.9, no wifiwave2, two other VLANs (one for guest and one for IoT), just use bridge VLAN filtering, works very well.
