Hi All,

I'm probably doing something a bit stupid, but I have been banging my head against this for a week or so and still can't sort it out.

I have a home network with a CRS125 set up and working well with vlans 100, 200 and 300 just using the switch chip (just a L2 switch). I don't need to route through the CRS as it's hooked back to a Ubuntu server as a router with WAN connectivity and 3 further NIC's for each of the vlans. I'm also in the process of looking to replace the wireless points and so picked up a Hap lite AC to have a play with. The main internal vlan is 100, 200 is going to be a management vlan and 300 is guest. the only ones I'm playing with is 100 and 300 at the moment.

So I tried to use CAPsMAN with management forwarding and couldn't bridge the vlan 100 successfully onto the switch chip on the CRS (which is also using vlan 100). I gave up with the management forwarding and used local forwarding on the Hap and again if the switch chip is set up on the Hap (all on vlan 100), I can't bridge vlan 100 from the virtual AP onto the switch.

The only way I can get it working is with no switch chip running and bridging all of the local ports.

It seems like there is a limitation in that if I use vlan 100 on the switch chip then I can't bridge the same vlan id (100) from one of the virtual AP's on either the Hap or the CRS. Does that sound right?

All of the examples I have found using the switch chip and bridging at the same time seem to use a different vlan id for wireless.

Thanks in advance for your help.

To rephrase the question in case it makes it easier for people to digest -

Is it possible to do both switching and bridging at the same time for the same vlan?

I am afraid that one port cannot be enslaved twice.

For anyone else struggling with anything similar, I did eventually solve this today on the HAP lite itself.

In the end it's a relatively simple configuration, but with one key point.

All ports are slaved to ether1, vlans 100, 200 & 300 are set up on the switch chip with all ports set as secure/always strip except for ether 1 and the switch chip which are set as secure and leave as is.

AP's and virtual AP's are set to use tags and with the appropriate vlan number

ether1 and all of the AP's and virtual AP's are combined in a single bridge. The key though was to add the vlan interfaces to the bridge instead of the physical interface and to assign the management address against the vlan on the bridge. If I put the vlan interfaces onto ether1 they seemed to consume any traffic coming through with that vlan, rendering the switch chip inoperable.

I now have 4 AP's (2 for each radio) marked with the correct vlans and working alongside the switch chip for the physical ports. All gain IP addresses from the network DHCP server and all are isolated as required through the firewall in the main router (Ubuntu server) separating the network segments.

I have got it all working with CAPsMAN too, although I haven't got management forwarding working and so am using local forwarding. I also couldn't get the CAPS client adding the interfaces to the bridge automatically to work as the CAPsMAN lost connection for some strange reason when it dynamically added the interface to the bridge. I went with static interfaces though and added them manually and everything is now working.

Drop me a message if anyone needs config.

Thanks