dulasau
just joined
Topic Author
Posts: 7
Joined: Mon Dec 18, 2023 4:18 am

Trying to understand vlan-filtering + datapath.vlan-id in capsman AX

Sat Nov 02, 2024 1:48 am

I've been trying to wrap my head around vlan isolation while using capsman.
My setup:
  • ccr2116 as a capsman and two hap ax2 and one ax3 as CAPs.
  • Two wifi networks: "trusted" (vlan-id 10) and "untrusted" (vlan-id 30)

/interface wifi datapath
add bridge=bridge bridge-horizon=10 client-isolation=yes name=untrusted-datapath vlan-id=30
add bridge=bridge name=trusted-datapath vlan-id=10


It's all working perfectly; on a CAP I can see dynamically added interfaces with correct vlan ids
  • 5 D wifi1 bridgeLocal 10 0x80 none
  • 6 D wifi11 bridgeLocal 30 0x80 none
but... vlan-filtering is set to "no" on the bridge itself, which in my mind defeats the purpose of isolating wifi networks. What am I missing?
BTW bridge horizon from the datapath is not applied as well :(
 
mkx
Forum Guru
Posts: 13062
Joined: Thu Mar 03, 2016 10:23 pm

Re: Trying to understand vlan-filtering + datapath.vlan-id in capsman AX

Sat Nov 02, 2024 10:42 am

Do these interfaces get added as access ports or trunk ports to bridge? Check it using /interface/bridge/vlan/print.

If they are added as untagged, then VLAN settings are ignored and you'll have to set vlan-filtering=yes on bridge on all cAP devices. (Do enable safe mode before enabling vlan-filtering on bridge, you could lose management access if bridge config is not "ready" for vlan-filtering).

If they are added as tagged, then traffic separation based on VLAN IDs works without bridge being aware of it, wifi interfaces make sure of it (bridge is in this case operating as a dumb switch, passing frames between ports only according to dst MAC addresses ... which means that occasionally a frame with wrong VID will be delivered to wifi interface, but wifi interface will drop it as unusable according to its own config).
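
The access-port case described in the reply above, as an added RouterOS sketch for one CAP (not configuration posted by anyone in this thread). It assumes ether1 is the CAP's uplink to the CAPsMAN and carries VLANs 10 and 30 tagged, and that management stays untagged on the default PVID 1; only the bridge name bridgeLocal and the VLAN IDs come from the thread.

```routeros
# Added example; ether1 as uplink is an assumption, adjust to the real trunk port.
# Enter safe mode first (Ctrl+X in the terminal) so a mistake is rolled back
# if the session to the CAP drops.

# 1. Inspect the current state: the wifi ports carry PVID 10/30,
#    but the bridge still has vlan-filtering=no, so the PVIDs are not enforced.
/interface bridge print
/interface bridge port print
/interface bridge vlan print

# 2. Make the uplink a tagged member of both wifi VLANs.
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1 vlan-ids=10
add bridge=bridgeLocal tagged=ether1 vlan-ids=30

# 3. Enable filtering so the bridge starts honouring PVIDs and VLAN membership.
/interface bridge set bridgeLocal vlan-filtering=yes

# 4. Verify: the table should now list ether1 as tagged in VLANs 10 and 30,
#    with the wifi ports appearing as untagged members matching their PVIDs.
/interface bridge vlan print
```

If management of the CAP runs in a tagged VLAN rather than untagged, the bridge itself also has to be a tagged member of that VLAN before step 3, otherwise access is lost when filtering turns on.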
 
dulasau
just joined
Topic Author
Posts: 7
Joined: Mon Dec 18, 2023 4:18 am

Re: Trying to understand vlan-filtering + datapath.vlan-id in capsman AX

Sun Nov 03, 2024 12:20 am

> Do these interfaces get added as access ports or trunk ports to bridge? Check it using /interface/bridge/vlan/print.
>
> If they are added as untagged, then VLAN settings are ignored and you'll have to set vlan-filtering=yes on bridge on all cAP devices. (Do enable safe mode before enabling vlan-filtering on bridge, you could lose management access if bridge config is not "ready" for vlan-filtering).
>
> If they are added as tagged, then traffic separation based on VLAN IDs works without bridge being aware of it, wifi interfaces make sure of it (bridge is in this case operating as a dumb switch, passing frames between ports only according to dst MAC addresses ... which means that occasionally a frame with wrong VID will be delivered to wifi interface, but wifi interface will drop it as unusable according to its own config).

That's the thing: the interfaces were added as access ports (PVIDs were added), but since vlan-filtering is not enabled, the /interface/bridge/vlan table is not populated at all