Hello

I have set up a Guest Network on a hap ac lite, running 7.17.2. I have done this using the VLAN approach. It works fine and picks up Guest Network IP addresses from a dhcp relay from another router. Anything on the Guest Network via Wireless can access the internet via the other router.

However. if I add an ethernet interface and connect a Raspberry Pi, although it gets an IP address and DNS servers, the RasPi is not possible to ping anything else on the Guest Network. If I switch the Raspberry Pi from Wired to Wireless I am able to ping other machines on the Guest Network and out to the Internet.

I have tried to set up the ethernet interface in the same way as the Guest Network wireless interfaces. But obviously, I am missing something. Can anyone give me any ideas for what to look at?

[Just for clarity, I am not trying to put the virtual LAN out through the ethernet port, it is just the native Guest Network as a vanilla LAN]

Sure, if i was a fiction writer.......... but I am not. Need facts.
/export file=anynameyouwish ( minus mT device serial number, any public WANIP information, keys )

...
/export file=anynameyouwish ( minus mT device serial number, any public WANIP information, keys )

Will this do?

Firstly, 7.17.2 does not exist, only 7.17.1 and of course betas for 7.18.

just to be clear you are using this device ONLY as a switch/AP.
You wish to pass the guest network (vlan) to the wifi on the device and to at least one ethernet port.

Which port is connected to the router.
Is the guest vlan coming from the router onto that port?
What is the main trusted or base or management subnet on the main router.
That needs to be added to the trunk port to the MT device.
The MT device should get an IP address from that trusted subnet.

Any PI device put on the guest network should be able to be seen and vice versa on the guest network. Being in the same subnet/vlan at layer 2.

Firstly, 7.17.2 does not exist, only 7.17.1 and of course betas for 7.18.

7.16.2, yes. My bad.

just to be clear you are using this device ONLY as a switch/AP.

Correct

You wish to pass the guest network (vlan) to the wifi on the device and to at least one ethernet port.

Yes, except the guest network vlan only exists on the device as a vlan and any device on ethernet 5 is required to be on the guest network on equal terms with any wireless device on GN.wlan1 and GN.wlan2. The vlan itself is not required to pass outside the router

Which port is connected to the router.

I take it that you mean to the router with the WAN path to the 0.0.0.0/0 That is ethernet 1

Is the guest vlan coming from the router onto that port?

No. [That is above my pay grade at this point]. The vlan is contained entirely within the router in question

What is the main trusted or base or management subnet on the main router.
That needs to be added to the trunk port to the MT device.
The MT device should get an IP address from that trusted subnet.

The main trusted, base or management subnet from the main router is 10.*. The Guest Network is 172.*
The device in question has a fixed bridge address on the 10.* subnet. The Guest network is working fine and giving internet access to wireless devices.

My mental model is that wireless devices authenticate to the SSID and attach to the wireless much like plugging a wired device into an RJ45. Wireless devices are not aware that their connection is into a vlan and wireless presents them with an ordinary lan. I want to replicate this for (a) wired device(s) connected to ethernet 5, minus, of course, the bit about authenticating to an SSID

Any PI device put on the guest network should be able to be seen and vice versa on the guest network. Being in the same subnet/vlan at layer 2.

That is expected behaviour for the RasPi. It has enough Layer 2 connectivity wired via ether 5 to gain a 172.* address via a dhcp relay from the WAN router. Devices connected to the house [non guest] network have rather more layer 2 connectivity such that they get a 10* address from another dhcp server on the WAN router. But once the device gets a 172.* address, it can neither see nor be seen by other 172.* devices on the Guest Network. Devices connected by wireless behave as expected, as does this RasPi when connected by wireless.

Then send subnet 10 and subnet 172 on whatever port on the router to the MT device on its trunk port.
Or are you saying the upstream router is not capable of vlans.

There is no problem with subnets 10.* and 172.* between the 2 routers. The setup is working fine for both House and Guest Networks for devices connected by Wireless. The problem is solely one of making ethernet 5 into a port on the Guest Network.

The upstream router is another Mikrotik and therefore assumed to be capable of vlans. It is just the case that I have effectively only the Wireless part of the Guest Network on a vlan in order to achieve a Guest Network. At this stage I do not want to get involved in mixing vlans and ordinary lan on the single ethernet cable between the 2 routers. Not when the main router is in service.

As it happens, I have now made this work, but don't understand why. See next post.

OK, I have made this work after seeing a more or less random post on a video. But I don't count this solved until I understand why.

What I did was [in WebFig] I went to [Bridge -> VLANs -> <Local.Bridge> - <GN.vlan.ID>] and moved ether5 from the tagged list to the untagged list. Now everything works. I can connect a device to ethernet 5 and ping other devices connected to the Guest Network by wireless and I can ping out to the internet. Unfortunately the RasPi I am using is CLI only, so I can't easily test web access, but I got a refusal back for an ssh access to my internet mail server. so I think everything is working fine.

So any ideas on why going from tagged to untagged worked? My Virtual Wireless interfaces are tagged, but my ethernet interface is untagged. I would be grateful for help in understanding this.

So any ideas on why going from tagged to untagged worked? My Virtual Wireless interfaces are tagged, but my ethernet interface is untagged. I would be grateful for help in understanding this.

The tagged/untagged setting is about how frames are seen on the cable side of ethernet port. Unless device, connected to such port, is specially configured to work with 802.1Q headers (VLAN tags + QoS), port has to be configured as untagged. Which means tgat VLAN tags will be added on ingress and stripped on egress.If port is configured as tagged, then no VLAN header manipulation is done (connected device has to do it). Your wireless interfaces are doing it, so bridge doesn't have to.

So any ideas on why going from tagged to untagged worked? My Virtual Wireless interfaces are tagged, but my ethernet interface is untagged. I would be grateful for help in understanding this.

The tagged/untagged setting is about how frames are seen on the cable side of ethernet port. Unless device, connected to such port, is specially configured to work with 802.1Q headers (VLAN tags + QoS), port has to be configured as untagged. Which means tgat VLAN tags will be added on ingress and stripped on egress.If port is configured as tagged, then no VLAN header manipulation is done (connected device has to do it). Your wireless interfaces are doing it, so bridge doesn't have to.

Thanks for this. I think I am beginning to understand.

The Wireless interfaces in this case are virtual Wireless, which are on vlan 88. So they know that they communicate with the bridge on vlan 88 and they know that they communicate with wireless devices on plain ordinary lan. So they do the stripping of vlan tags for the wireless devices and apply tags for incoming from wireless

But the ethernet port does not have the depth to work this out. It puts out what comes and takes in what comes without regard to vlan tags, unless it is told to apply tags for incoming and disapply them for outgoing.

Excuse the anthropomorphism, but please tell me if I have this wrong!

You've got this right (as far the scope of this topic).