BPDU problem

Neferith · Thu Jun 28, 2018 2:54 pm

Hi,

I'm trying to set up quite simple topology:

Netgear GS728 switch [Gi 25] -----trunk----- [SFP1] Mikrotik [SFP2] -----trunk----- [Gi 25] Netgear GS728 switch

Mikrotik is the root for all vlans (10,20,30,100 and 192) with Priority 4096, I use RSTP.

But Netgear switches somehow doesn't respect MT as the root bridge. It looks like MT is not sending BPDU packets. Can you suggest what I'm doing wrong?

Mikrotik config

# jun/28/2018 13:16:06 by RouterOS 6.42.4
# software id = 5HWC-UFX8
#
# model = CRS328-24P-4S+
# serial number = 822308F79C2A
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2412 name=\
    "name=ch_01_2400_20_bgn"
add band=2ghz-g/n control-channel-width=20mhz frequency=2437 name=\
    "name=ch_06_2400_20_bgn"
add band=2ghz-g/n control-channel-width=20mhz frequency=2462 name=\
    "name=ch_11_2400_20_bgn"
/interface bridge
add fast-forward=no name=bridge-vlan10 priority=0x4096
add fast-forward=no name=bridge-vlan20 priority=0x4096
add fast-forward=no name=bridge-vlan30 priority=0x4096
add fast-forward=no name=bridge-vlan100 priority=0x4096
add fast-forward=no name=bridge-vlan130 priority=0x4096
add fast-forward=no name=bridge-vlan192 priority=0x4096
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether3 ] comment="ESX i ETH1 Trunk"
set [ find default-name=ether4 ] comment="ESXi ETH2 Trunk"
/interface vlan
add interface=ether3 name=trunk-eth3-vlan10 vlan-id=10
add interface=ether3 name=trunk-eth3-vlan100 vlan-id=100
add interface=ether4 name=trunk-eth4-vlan10 vlan-id=10
add interface=ether4 name=trunk-eth4-vlan100 vlan-id=100
add interface=sfp-sfpplus1 name=trunk-sfp1-vlan10 vlan-id=10
add interface=sfp-sfpplus1 name=trunk-sfp1-vlan100 vlan-id=100
add interface=sfp-sfpplus1 name=trunk-sfp1-vlan130 vlan-id=130
add interface=sfp-sfpplus1 name=trunk-sfp1-vlan192 vlan-id=192
add interface=sfp-sfpplus1 name=trunk-sfp1-vlan20 vlan-id=20
add interface=sfp-sfpplus1 name=trunk-sfp1-vlan30 vlan-id=30
add interface=sfp-sfpplus2 name=trunk-sfp2-vlan10 vlan-id=10
add interface=sfp-sfpplus2 name=trunk-sfp2-vlan100 vlan-id=100
add interface=sfp-sfpplus2 name=trunk-sfp2-vlan130 vlan-id=130
add interface=sfp-sfpplus2 name=trunk-sfp2-vlan192 vlan-id=192
add interface=sfp-sfpplus2 name=trunk-sfp2-vlan20 vlan-id=20
add interface=sfp-sfpplus2 name=trunk-sfp2-vlan30 vlan-id=30
add interface=sfp-sfpplus3 name=trunk-sfp3-vlan10 vlan-id=10
add interface=sfp-sfpplus3 name=trunk-sfp3-vlan100 vlan-id=100
add interface=sfp-sfpplus3 name=trunk-sfp3-vlan130 vlan-id=130
add interface=sfp-sfpplus3 name=trunk-sfp3-vlan192 vlan-id=192
add interface=sfp-sfpplus3 name=trunk-sfp3-vlan20 vlan-id=20
add interface=sfp-sfpplus3 name=trunk-sfp3-vlan30 vlan-id=30
add interface=sfp-sfpplus4 name=trunk-sfp4-vlan10 vlan-id=10
add interface=sfp-sfpplus4 name=trunk-sfp4-vlan100 vlan-id=100
add interface=sfp-sfpplus4 name=trunk-sfp4-vlan130 vlan-id=130
add interface=sfp-sfpplus4 name=trunk-sfp4-vlan192 vlan-id=192
add interface=sfp-sfpplus4 name=trunk-sfp4-vlan20 vlan-id=20
add interface=sfp-sfpplus4 name=trunk-sfp4-vlan30 vlan-id=30
/caps-man datapath
add bridge=bridge-vlan20 name=datapath-OFFICE
add bridge=bridge-vlan30 name=datapath-VISITORS
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=security-OFFICE
add name=security-VISITORS
/caps-man configuration
add channel.band=2ghz-g/n channel.control-channel-width=20mhz country=poland \
    datapath=datapath-OFFICE distance=indoors guard-interval=any mode=ap \
    name=config-OFFICE rates.basic="" rx-chains=0,1 security=security-OFFICE \
    ssid=OFFICE tx-chains=0,1
add channel.band=2ghz-g/n channel.control-channel-width=20mhz country=poland \
    datapath=datapath-VISITORS guard-interval=any mode=ap name=\
    config-VISITORS security=security-VISITORS ssid=VISITORS
/interface list
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] dns-name=hotspot.firma.pl hotspot-address=10.1.30.1 \
    html-directory=flash/hotspot login-by=http-chap name=HSPRO1
/ip pool
add name=pool-vlan10 ranges=10.1.10.100-10.1.10.250
add name=pool-vlan20 ranges=10.1.20.100-10.1.20.250
add name=pool-vlan30 ranges=10.1.30.100-10.1.30.250
add name=pool-vlan192 ranges=192.168.0.150-192.168.0.180
add name=pool-vpn-ppt ranges=10.1.99.100-10.1.99.250
/ip dhcp-server
add address-pool=pool-vlan10 disabled=no interface=bridge-vlan10 lease-time=\
    8h name=server-vlan10
add address-pool=pool-vlan192 disabled=no interface=bridge-vlan192 \
    lease-time=8h name=server-vlan192
add address-pool=pool-vlan20 disabled=no interface=bridge-vlan20 lease-time=\
    8h name=server-vlan20
add address-pool=pool-vlan30 disabled=no interface=bridge-vlan30 lease-time=\
    8h name=server-vlan30
/ip hotspot
add address-pool=pool-vlan30 disabled=no idle-timeout=none interface=\
    bridge-vlan30 name=server1
/ip hotspot user profile
set [ find default=yes ] address-pool=pool-vlan30 keepalive-timeout=4h \
    mac-cookie-timeout=1d shared-users=100
/ppp profile
add dns-server=10.1.10.10 local-address=pool-vpn-ppt name=vpn-pptp only-one=\
    no remote-address=pool-vpn-ppt use-encryption=yes
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no interface=any \
    signal-range=-80..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=any \
    signal-range=-120..-81 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=config-OFFICE \
    name-format=identity slave-configurations=config-VISITORS
/interface bridge port
add bridge=bridge-vlan10 interface=trunk-sfp1-vlan10
add bridge=bridge-vlan100 interface=trunk-sfp1-vlan100
add bridge=bridge-vlan20 interface=trunk-sfp1-vlan20
add bridge=bridge-vlan30 interface=trunk-sfp1-vlan30
add bridge=bridge-vlan192 interface=trunk-sfp1-vlan192
add bridge=bridge-vlan192 interface=trunk-sfp2-vlan192
add bridge=bridge-vlan10 interface=trunk-sfp2-vlan10
add bridge=bridge-vlan100 interface=trunk-sfp2-vlan100
add bridge=bridge-vlan20 interface=trunk-sfp2-vlan20
add bridge=bridge-vlan30 interface=trunk-sfp2-vlan30
add bridge=bridge-vlan192 interface=trunk-sfp3-vlan192
add bridge=bridge-vlan10 interface=trunk-sfp3-vlan10
add bridge=bridge-vlan100 interface=trunk-sfp3-vlan100
add bridge=bridge-vlan20 interface=trunk-sfp3-vlan20
add bridge=bridge-vlan30 interface=trunk-sfp3-vlan30
add bridge=bridge-vlan192 interface=trunk-sfp4-vlan192
add bridge=bridge-vlan10 interface=trunk-sfp4-vlan10
add bridge=bridge-vlan100 interface=trunk-sfp4-vlan100
add bridge=bridge-vlan20 interface=trunk-sfp4-vlan20
add bridge=bridge-vlan30 interface=trunk-sfp4-vlan30
add bridge=bridge-vlan100 comment=ILO interface=ether5
add bridge=bridge-vlan100 comment=UPS interface=ether6
add bridge=bridge-vlan100 comment=QNAP interface=ether7
add bridge=bridge-vlan100 comment=QNAP interface=ether8
add bridge=bridge-vlan192 interface=ether17
add bridge=bridge-vlan192 interface=ether10
add bridge=bridge-vlan10 comment=Server interface=trunk-eth3-vlan10
add bridge=bridge-vlan100 comment=Server interface=trunk-eth3-vlan100
add bridge=bridge-vlan10 comment=Server interface=trunk-eth4-vlan10
add bridge=bridge-vlan100 comment=Server interface=trunk-eth4-vlan100
add bridge=bridge-vlan192 interface=ether9
add bridge=bridge-vlan192 interface=ether11
add bridge=bridge-vlan192 interface=ether12
add bridge=bridge-vlan192 interface=ether13
add bridge=bridge-vlan192 interface=ether14
add bridge=bridge-vlan192 interface=ether15
add bridge=bridge-vlan192 interface=ether16
add bridge=bridge-vlan130 interface=trunk-sfp1-vlan130
add bridge=bridge-vlan130 interface=trunk-sfp2-vlan130
add bridge=bridge-vlan130 interface=trunk-sfp3-vlan130
add bridge=bridge-vlan130 interface=trunk-sfp4-vlan130
add bridge=bridge-vlan192 interface=ether18
add bridge=bridge-vlan192 interface=ether19
add bridge=bridge-vlan192 interface=ether20
add bridge=bridge-vlan192 interface=ether21
add bridge=bridge-vlan192 interface=ether22
/interface pptp-server server
set authentication=chap,mschap2 default-profile=vpn-pptp enabled=yes
/ip address
add address=XX.YY.ZZ.II/30 interface=ether1-WAN network=XX.YY.ZZ.128
add address=10.1.10.1/24 interface=bridge-vlan10 network=10.1.10.0
add address=10.1.20.1/24 interface=bridge-vlan20 network=10.1.20.0
add address=10.1.30.1/24 interface=bridge-vlan30 network=10.1.30.0
add address=192.168.0.1/24 interface=bridge-vlan192 network=192.168.0.0
add address=10.1.100.1/24 interface=bridge-vlan100 network=10.1.100.0
add address=10.1.130.1/24 interface=bridge-vlan130 network=10.1.130.0
/ip dhcp-server network
add address=10.1.10.0/24 dns-server=10.1.10.10,208.67.222.222,208.67.220.220 \
    domain=domain.internal gateway=10.1.10.1 netmask=24
add address=10.1.20.0/24 dns-server=10.1.10.10,208.67.222.222,208.67.220.220 \
    domain=domain.internal gateway=10.1.20.1 netmask=24
add address=10.1.30.0/24 dns-server=208.67.222.222,208.67.220.220 domain=\
    domain.internal gateway=10.1.30.1 netmask=24
add address=10.1.99.0/24 dns-server=10.1.10.10,208.67.222.222,208.67.220.220 \
    domain=domain.internal gateway=10.1.99.1 netmask=24
add address=10.1.100.0/24 dns-server=10.1.10.10,208.67.222.222,208.67.220.220 \
    domain=domain.internal gateway=10.1.100.1 netmask=24
add address=192.168.0.0/24 dns-server=\
    10.1.10.10,208.67.220.220,208.67.222.222 domain=domain.internal \
    gateway=192.168.0.1 netmask=24
/ip dns
set servers=10.1.10.10,208.67.220.220
/ip firewall address-list
add address=10.0.0.0/8 list=LAN
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
add address=192.168.0.0/24 list=LAN
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here"
add action=drop chain=input dst-address-list=LAN in-interface=bridge-vlan30
add action=drop chain=forward dst-address-list=LAN in-interface=bridge-vlan30
add action=accept chain=input comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=accept chain=input comment=\
    "Accept all connections from local network" src-address-list=LAN
add action=accept chain=forward comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=drop chain=input comment="Drop invalid packets" connection-state=\
    invalid
add action=drop chain=forward comment="Drop invalid packets" \
    connection-state=invalid
add action=drop chain=input comment=\
    "Drop all packets which does not have unicast source IP address" \
    src-address-type=!unicast
add action=accept chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add action=accept chain=input comment="Access to Winbox" dst-port=42323 \
    protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.II dst-port=5445 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.II dst-port=5415 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.II dst-port=5443 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.II dst-port=5435 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.II dst-port=5000 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.II dst-port=5002 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.II dst-port=5001 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.II dst-port=234234 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
    icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=input comment="Echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=drop chain=forward comment=\
    "Drop new connections from internet which are not dst-natted" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1-WAN
add action=drop chain=forward comment="Drop all packets from public internet w\
    hich should not exist in public network" in-interface=ether1-WAN \
    src-address-list=NotPublic
add action=drop chain=input comment="Drop all packets from public internet whi\
    ch should not exist in public network" in-interface=ether1-WAN \
    src-address-list=NotPublic
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=drop chain=input comment=\
    "!!Drop any other traffic INPUT - put at the end"
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here"
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=\
    10.0.0.0/8
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=\
    192.168.0.0/24
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.II dst-port=5445 \
    protocol=tcp to-addresses=192.168.0.15 to-ports=5445
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.II dst-port=5415 \
    protocol=tcp to-addresses=192.168.0.56 to-ports=5415
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.II dst-port=5443 \
    protocol=tcp to-addresses=192.168.0.100 to-ports=5443
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.II dst-port=5435 \
    protocol=tcp to-addresses=192.168.0.10 to-ports=5435
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.II dst-port=5000 \
    protocol=tcp to-addresses=192.168.0.220 to-ports=5000
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.II dst-port=5001 \
    protocol=tcp to-addresses=192.168.0.220 to-ports=5001
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.II dst-port=5002 \
    protocol=tcp to-addresses=192.168.0.220 to-ports=5002
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.II dst-port=51991 \
    protocol=tcp to-addresses=10.1.10.10 to-ports=3389
/ip hotspot user
add name=visitor
/ip route
add distance=1 gateway=XX.YY.ZZ.129
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set winbox port=52341
/ppp aaa
set use-radius=yes
/ppp secret
add name=xadmin profile=vpn-pptp
/radius
add address=10.1.10.10 src-address=10.1.10.1 timeout=100ms
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=NTO-R01
/system routerboard settings
set boot-os=router-os silent-boot=no

Netgear switches should see the root on ort G25 but it assumes itself as root. I attached Netgear screen from RSTP config and port.
Trunk work well between devices, only RSTP doesn't work as expected. Can you help me ?

Thanks for any input or hint!
/BR Eliash

artz · Fri Jun 29, 2018 10:12 am

Most likely the Netgear is dropping tagged BPDUs, which are being sent out of your device because of misconfiguration.
You should read more about this case here:
https://wiki.mikrotik.com/wiki/Manual:L ... _interface

Fri Jun 29, 2018 11:24 am

have you checked timings on RSTP settings on all devices??

check RSTP bridge priority on netgear devices

Neferith · Fri Jun 29, 2018 11:35 am

Hi,

Thanks for your reply.

Netgears have the same, default priority: 32768

Can you verify if my trunk configuration is correct? I'm new to Mikrotik.

/BR Eliash

sindy · Fri Jun 29, 2018 11:49 am

Follow the suggestion of @artz.

The way you have configured it, each VLAN has its own bridge running its own instance of RSTP inside the Mikrotik, so the BPDU frames from these bridges are sent out to the Netgear with VLAN tags. This is not how STP works normally. In normal switches which are not so flexible as the Mikrotik ones, the BPDU frames are tagless and the spanning tree is a single common one for all VLANs (for RSTP) or there is one spanning tree for each group of VLANs (for MSTP), but even in the latter case the BPDU frames must be tagless.

The priority has nothing to do with that, the Netgear doesn't recognize the tagged BPDUs as you have initially suspected.

Neferith · Fri Jun 29, 2018 11:58 am

Thank you very much for your help - I will try reconfiguration and let you know about the result.

best regards,
Eliash

Neferith · Fri Jun 29, 2018 12:35 pm

I have some more questions:
I have couple of VLANs: 10,20,30, 100 and 192
I created bridges for each vlan:
bridge-vlan10,bridge-vlan20,bridge-vlan30,bridge-vlan100 and bridge-vlan192
My trunks are on physical ports SFP1, SPF2, SFP3 and SFP4

According to proposed solution (example):

/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether1 pvid=99
add bridge=bridge interface=ether2
/interface bridge vlan
add bridge=bridge tagged=ether2 untagged=ether1 vlan-ids=99

I should set (for vlan10):

/interface bridge
add name=bridge-vlan10 vlan-filtering=yes

then add access ports and for trunk port (SFP1) set pvid

/interface bridge port
add bridge=bridge-vlan10 interface=SFP1 pvid=10
add bridge=bridge-vlan10 interface=ether2
add bridge=bridge-vlan10 interface=ether3
add bridge=bridge-vlan10 interface=ether4

and at the end set vlans on ports

/interface bridge vlan
add bridge=bridge-vlan10 tagged=ether2, ether3, ether4 untagged=SFP1 vlan-ids=10

How about another vlans? I can add SFP1 only to 1 bridge. I will get error when trying to add SFP1 to bridge-vlan20, bridge-vlan30...

BR/Eliash

sindy · Fri Jun 29, 2018 1:03 pm

The whole idea of RSTP requires that all VLANs share the same bridge which has trunk and access member ports, and that there are no loops via the access ports as all the VLANs in the same STP instance (and there is only one in case of RSTP) must have the same topology. The wiki explains how to do that.

Fri Jun 29, 2018 1:06 pm

Follow the suggestion of @artz.

The way you have configured it, each VLAN has its own bridge running its own instance of RSTP inside the Mikrotik, so the BPDU frames from these bridges are sent out to the Netgear with VLAN tags. This is not how STP works normally. In normal switches which are not so flexible as the Mikrotik ones, the BPDU frames are tagless and the spanning tree is a single common one for all VLANs (for RSTP) or there is one spanning tree for each group of VLANs (for MSTP), but even in the latter case the BPDU frames must be tagless.

The priority has nothing to do with that, the Netgear doesn't recognize the tagged BPDUs as you have initially suspected.

i think is a good idea

making only one bridge with "normal" vlan configuration like a switch can help

artz · Fri Jun 29, 2018 2:49 pm

I have some more questions:
I have couple of VLANs: 10,20,30, 100 and 192
I created bridges for each vlan:
bridge-vlan10,bridge-vlan20,bridge-vlan30,bridge-vlan100 and bridge-vlan192
My trunks are on physical ports SFP1, SPF2, SFP3 and SFP4

According to proposed solution (example):
Code: Select all
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether1 pvid=99
add bridge=bridge interface=ether2
/interface bridge vlan
add bridge=bridge tagged=ether2 untagged=ether1 vlan-ids=99
I should set (for vlan10):
Code: Select all
/interface bridge
add name=bridge-vlan10 vlan-filtering=yes
then add access ports and for trunk port (SFP1) set pvid
Code: Select all
/interface bridge port
add bridge=bridge-vlan10 interface=SFP1 pvid=10
add bridge=bridge-vlan10 interface=ether2
add bridge=bridge-vlan10 interface=ether3
add bridge=bridge-vlan10 interface=ether4
and at the end set vlans on ports
Code: Select all
/interface bridge vlan
add bridge=bridge-vlan10 tagged=ether2, ether3, ether4 untagged=SFP1 vlan-ids=10
How about another vlans? I can add SFP1 only to 1 bridge. I will get error when trying to add SFP1 to bridge-vlan20, bridge-vlan30...

BR/Eliash

You can specify multiple VLANs in "vlan-ids=10,20,30,40".

The problem with the previous setup is that a packet is always sent out through a physical interface. In your case, you had a VLAN interface that was running a separate RSTP instance. The problem arises when a BPDU needs to be sent out, it will be sent out through all interfaces that are added to the bridge. The bridge takes each bridge slave and sends out a BPDU out of this interface, but since the VLAN interface is created on top of a physical interface, then traffic leaving the VLAN interface is tagged with a VLAN tag, regardless of the type of the packet. This can cause issues on other devices and it depends on the RSTP implementation. If the device is not running a VLAN aware bridge, then in case of a tagged BPDU the bridge might look at the DSAP field and find 0x8100XX (802.1Q VLAN EtherType), which does not correspond to STP BPDU and might get dropped since the packet does not comply with IEEE 802.1W.

Neferith · Fri Jun 29, 2018 3:07 pm

Hi, to summarize, my current scenario

for vlans:
10 - wired office
20 -WLAN office
30 - Internet only vlan (captive portal)
100 - mgmt
192 - old 192.168.0.0/24 legacy network

I should create 1 common bridge

/interface bridge
add name=bridge vlan-filtering=yes

add ports to the bridge and for SFP which are trunks set pvid

/interface bridge port
add bridge=bridge interface=SFP1 pvid=10
add bridge=bridge interface=SFP1 pvid=20
add bridge=bridge interface=SFP1 pvid=30
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
...

assign vlans to particular ports

/interface bridge vlan
add bridge=bridge tagged=ether2 untagged=SFP1 vlan-ids=10
add bridge=bridge tagged=ether3 untagged=SFP1 vlan-ids=20
add bridge=bridge tagged=ether4 untagged=SFP1 vlan-ids=30

Is it OK?

Now I'm using different bridges for different dhcp pools. How to run different DHCP pools when I have only 1 bridge as you suggest?
Now I run captive portal for WLAN network on bridge-vlan30. How can I set it up with only 1 bridge?

sindy · Fri Jun 29, 2018 3:17 pm

It is not OK - you define the SFP as a tagless (untagged) port of more than one VLAN which is impossible. If a tagless packet comes in, there cannot be more than one VLAN ID with which it should be tagged. So you seem to have mixed the category names - tagged is for trunk ports, untagged is for access ports. Also the pvid must be specified for access ports, not for trunk ports in the /interface bridge port configuration.

Also, as you need the packets to be processed on L3 by the Mikrotik, you must make the bridge itself a tagged member port of itself. It's a weird approach but that's how it is currently done.

As for DHCP, each /ip dhcp-server must be attached to the corresponding /interface vlan, not to the common bridge. Each /interface vlan has a tagged side which is a member port of the bridge common to all VLANs (the bridge is chosen by the interface parameter of /interface vlan), and the tagless side to which the IP configuration (including /ip dhcp-server) is attached.

So the DHCP request arrives tagless to an access port, gets tagged as it is forwarded to the bridge, and the bridge forwards it to the /interface vlan with matching vlan-id which untags it again and sends it to the /ip dhcp-server attached to its tagless side.

Neferith · Sun Jul 01, 2018 7:38 pm

Hello All,

Thank you for all your comments and hints. They are all very valuable for me.

I set up a lab at home with such scenario:
vlan 10 (10.1.10.0/24) - port ether2 (access)
vlan 20 (10.1.20.0/24) - port ether3 (access)
vlan 30 (10.1.30.0/24) - port ether4 (access)
vlan 100 (10.1.100.0/24) - port ether5 (access)
trunk - Ether 7 (tagged)

I created 1 bridge and tried to adjust to your suggestions, but I didn't succeed. I can't get vlan 10 (10.1.10.0) IP from DHCP on port Ether2 or vlan 20 (10.1.20.0) IP from DHCP on port Ether3. It looks like DHCP doesn't work. I tried to set up static IP but still could't ping my default GW 10.1.10.1 (port eth2 for vlan10) or 10.1.20.1 (port eth3 for vlan20). This is what I'm gonna start with. When it works, I'll proceed to fix the trunk and BPDU related issues. Please review my lab config and tell me if I'm going into right direction.

This is my config:

# jan/02/1970 00:57:48 by RouterOS 6.42.1
# software id = 9VYH-4F3W
#
# model = 2011UiAS
# serial number = 771E069D0D75
/interface bridge
add admin-mac=6C:3B:6B:28:77:95 auto-mac=no name=bridge priority=0x4096 \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
add interface=bridge name=vlan100 vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool192 ranges=192.168.88.10-192.168.88.254
add name=pool10 ranges=10.1.10.100-10.1.10.200
add name=pool20 ranges=10.1.20.100-10.1.20.200
add name=pool30 ranges=10.1.30.100-10.1.30.200
add name=pool100 ranges=10.1.100.100-10.1.100.200
/ip dhcp-server
add address-pool=pool192 disabled=no interface=vlan1 name=server192
add address-pool=pool20 disabled=no interface=vlan20 name=server20
add address-pool=pool30 disabled=no interface=vlan30 name=server30
add address-pool=pool100 disabled=no interface=vlan100 name=server100
add address-pool=pool10 disabled=no interface=vlan10 name=server10
/interface bridge port
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge edge=yes interface=ether3 pvid=20
add bridge=bridge edge=yes interface=ether4 pvid=30
add bridge=bridge edge=yes interface=ether5 pvid=100
add bridge=bridge edge=yes interface=ether6 pvid=192
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=ether7 untagged=ether2,ether3,ether4,ether5,ether6 \
    vlan-ids=1,10,20,30,100,192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=10.1.10.1/24 interface=vlan10 network=10.1.10.0
add address=10.1.20.1/24 interface=vlan20 network=10.1.20.0
add address=10.1.30.1/24 interface=vlan30 network=10.1.30.0
add address=10.1.100.1/24 interface=vlan100 network=10.1.100.0
add address=192.168.0.1/24 interface=vlan1 network=192.168.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1-WAN
/ip dhcp-server network
add address=10.1.10.0/24 gateway=10.1.10.1 netmask=24
add address=10.1.20.0/24 gateway=10.1.20.1 netmask=24
add address=10.1.30.0/24 gateway=10.1.30.1 netmask=24
add address=10.1.100.0/24 gateway=10.1.100.1 netmask=24
add address=192.168.0.0/24 gateway=192.168.0.1 netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/lcd
set time-interval=hour
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Many thanks for all comments!
BR/Eliash

sindy · Sun Jul 01, 2018 8:02 pm

The purpose of /interface bridge vlan is to set up the vlan filtering rules. So for each item of this list which contains at least one item in the untagged parameter must have just a single VLAN ID.
And all VLANs which are processed locally at the CPU (because IP configuration is attached to them or because a wireless interface should be a member of that VLAN) must have the bridge itself as a tagged port.
Plus avoid vlan ID 1 as it never works the way you expect.

So change your

/interface bridge vlan
add bridge=bridge tagged=ether7 untagged=ether2,ether3,ether4,ether5,ether6 \
    vlan-ids=1,10,20,30,100,192

to

/interface bridge vlan
add bridge=bridge tagged=bridge,ether7 untagged=ether2 vlan-ids=10
add bridge=bridge tagged=bridge,ether7 untagged=ether3 vlan-ids=20
add bridge=bridge tagged=bridge,ether7 untagged=ether4 vlan-ids=30
add bridge=bridge tagged=bridge,ether7 untagged=ether5 vlan-ids=100
add bridge=bridge tagged=bridge,ether7 untagged=ether6 vlan-ids=192

and you should be good.

Neferith · Sun Jul 01, 2018 8:56 pm

Hi Sindy,

I tried your suggestion, but still with no success. See my current code:

# jan/02/1970 00:10:24 by RouterOS 6.42.1
# software id = 9VYH-4F3W
#
# model = 2011UiAS
# serial number = 771E069D0D75
/interface bridge
add admin-mac=6C:3B:6B:28:77:95 auto-mac=no name=bridge priority=0x4096 \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
add interface=bridge name=vlan100 vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool192 ranges=192.168.88.10-192.168.88.254
add name=pool10 ranges=10.1.10.100-10.1.10.200
add name=pool20 ranges=10.1.20.100-10.1.20.200
add name=pool30 ranges=10.1.30.100-10.1.30.200
add name=pool100 ranges=10.1.100.100-10.1.100.200
/ip dhcp-server
add address-pool=pool192 disabled=no interface=vlan1 name=server192
add address-pool=pool20 disabled=no interface=vlan20 name=server20
add address-pool=pool30 disabled=no interface=vlan30 name=server30
add address-pool=pool100 disabled=no interface=vlan100 name=server100
add address-pool=pool10 disabled=no interface=vlan10 name=server10
/interface bridge port
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge edge=yes interface=ether3 pvid=20
add bridge=bridge edge=yes interface=ether4 pvid=30
add bridge=bridge edge=yes interface=ether5 pvid=100
add bridge=bridge edge=yes interface=ether6 pvid=192
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=ether7,bridge untagged=ether2 vlan-ids=10
add bridge=bridge tagged=ether7,bridge untagged=ether3 vlan-ids=20
add bridge=bridge tagged=ether7,bridge untagged=ether4 vlan-ids=30
add bridge=bridge tagged=ether7,bridge untagged=ether5 vlan-ids=100
add bridge=bridge tagged=ether7,bridge untagged=ether6 vlan-ids=192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=10.1.10.1/24 interface=vlan10 network=10.1.10.0
add address=10.1.20.1/24 interface=vlan20 network=10.1.20.0
add address=10.1.30.1/24 interface=vlan30 network=10.1.30.0
add address=10.1.100.1/24 interface=vlan100 network=10.1.100.0
add address=192.168.0.1/24 interface=vlan1 network=192.168.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1-WAN
/ip dhcp-server network
add address=10.1.10.0/24 gateway=10.1.10.1 netmask=24
add address=10.1.20.0/24 gateway=10.1.20.1 netmask=24
add address=10.1.30.0/24 gateway=10.1.30.1 netmask=24
add address=10.1.100.0/24 gateway=10.1.100.1 netmask=24
add address=192.168.0.0/24 gateway=192.168.0.1 netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/lcd
set time-interval=hour
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

It does not provide IP address from DHCP and static IP address on my PC doesn't allow me to ping default GW (10.1.10.1 on access port eth2 in vlan10).
I'm not sure if vlan interfaces should be attached to physical bridge.

Thanks in advance!
BR/Eliash

sindy · Sun Jul 01, 2018 9:43 pm

To me this whole configuration seems correct. The fact that the tagged side of the /interface vlan (the interface parameter) is the bridge is also correct, that's the purpose of the setup. I hazily remember there were recently some issues with dhcp server on bridge, but if you cannot ping the Mikrotik's address in the VLAN even if you set an IP address from the same subnet on the PC manually, there must be something else wrong. Except that I cannot see it.

The firewall could interfere but ICMP is permitted so pinging should work and the firewall has no effect on DHCP.

CZFan · Mon Jul 02, 2018 1:18 am

IIRC, I had issues with this config, change the following:

/ip dhcp-server network
add address=10.1.10.0/24 gateway=10.1.10.1 netmask=24

To

/ip dhcp-server network
add address=10.1.10.0/24 gateway=10.1.10.1 netmask=255.255.255.0

And report back

Neferith · Mon Jul 02, 2018 3:18 pm

Hi,

Thank you for all your comments. I have a progess

In my lab I managed to implement settings you suggested with vlan-filtering and 1 commong bridge. DHCP and intervlan routing works well except BPDU's for each VLAN (works only for vlan1)

This is my lab config:

/interface bridge
add admin-mac=4C:5E:0C:C0:AB:32 auto-mac=no name=bridge priority=0x4096 \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
add interface=bridge name=vlan100 vlan-id=100
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool1 ranges=192.168.0.100-192.168.0.200
add name=pool10 ranges=10.1.10.100-10.1.10.200
add name=pool20 ranges=10.1.20.100-10.1.20.200
add name=pool30 ranges=10.1.30.100-10.1.30.200
add name=pool100 ranges=10.1.100.100-10.1.100.200
/ip dhcp-server
add address-pool=pool10 disabled=no interface=vlan10 name=server10
add address-pool=pool20 disabled=no interface=vlan20 name=server20
add address-pool=pool30 disabled=no interface=vlan30 name=server30
add address-pool=pool1 disabled=no interface=vlan1 name=server1
/interface bridge port
add bridge=bridge edge=yes interface=ether1 pvid=10
add bridge=bridge edge=yes interface=ether2 pvid=20
add bridge=bridge edge=yes interface=ether3 pvid=30
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=sfp1
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether1 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 untagged=ether2 vlan-ids=20
add bridge=bridge tagged=bridge,ether5 untagged=ether3 vlan-ids=30
/ip address
add address=10.1.10.1/24 interface=vlan10 network=10.1.10.0
add address=10.1.20.1/24 interface=vlan20 network=10.1.20.0
add address=10.1.30.1/24 interface=vlan30 network=10.1.30.0
add address=192.168.0.1/24 interface=vlan1 network=192.168.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    bridge
/ip dhcp-server network
add address=10.1.10.0/24 gateway=10.1.10.1 netmask=24
add address=10.1.20.0/24 gateway=10.1.20.1 netmask=24
add address=10.1.30.0/24 gateway=10.1.30.1 netmask=24
/system routerboard settings
set silent-boot=no

Mikrotik is sending BPDU's on it's trunk (port eth5) and the other side (Cisco switch) receives BPDU's.
Cisco switch sees that Mikrotik is the root, but only for VLAN1:

Cisco is attached via trunk from port te 3/0/12 ---- eth5 on Mikrotik

Switch#sh spanning-tree root

                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
[b]VLAN0001         16534 4c5e.0cc0.ab32         4    2   20  15  Te3/0/12[/b]
VLAN0010         32778 247e.12c1.e600         0    2   20  15
VLAN0020         32788 247e.12c1.e600         0    2   20  15
VLAN0030         32798 247e.12c1.e600         0    2   20  15
VLAN0100         32868 247e.12c1.e600         0    2   20  15
Switch#

As you can see, for vlans 10, 20 and 30, Cisco treats itself as ROOT. Only for VLAN1 everything works as expected. Additionally, priority of Mikrotik is incorrect, as it shows 16534, but MT configuration specifies 4096 as priority.

Thanks again for any hints.
BR/Eliash

sindy · Mon Jul 02, 2018 3:41 pm

That takes us a bit away from this forum scope as it is not a Cisco forum, but what STP flavor have you chosen on that Cisco? Because having the BPDU only respected on a single VLAN suggests that Cisco is running PVST or PVST+ which do work with tagged BPDUs. But don't expect the Netgear gear to support the same, please.

STP and RSTP expect a common topology for all VLANs; PVST expects individual topology for every single VLAN so there is a lot of BPDU traffic and is Cisco-proprietary; MSTP expects individual topology for each "instance" which handles a group of VLANs and it is the only STP flavor you can expect to be fully interoperable between different vendors' devices.

Neferith · Mon Jul 02, 2018 3:49 pm

Hi Sindy,

Cisco is running rapid-pvst. It's only LAB envorinment, on production I will use Netgear. If current Mikrotik config works with Netgear then I'm fine with that

BR/Eliash

sindy · Mon Jul 02, 2018 4:04 pm

Okay. As for the priority, 0x4096 is not the same as 4096, it does translate to 16534 as the Cisco shows

So if you want to set the priority to 4096, configure 0x1000.

Neferith · Mon Jul 02, 2018 4:11 pm

Great!
It seems to work. For a test I set MST on both MT and Cisco side, and works well.

Thanks you very much for your time and effort!
Best regards,
Eliash

Neferith · Tue Jul 10, 2018 8:45 pm

Hello All,

Many thanks for help from all you - I implemented changes in VLANs and trunks/RSTP/DHCP for LAN work as expected.

I need to ask for some more support one more time.
After vlan-related changes my CAPsMAN stopped working. SSID's are visibile but I cannot connect - I don't get IP address (I expect some DHCP/VLAN related issues).

Short description:
10.1.100.0/24 - VLAN100 - management for AP's
10.1.20.0/24- vlan20 for OFFICE SSID
10.1.30.0/23 - vlan30 for VISITORS SSID

Can you take a look at config?

AP config:

# jul/10/2018 19:33:15 by RouterOS 6.42.2
# software id = ERPW-WF49
#
# model = RouterBOARD cAP 2nD
# serial number = 720D06B58AAE
/interface bridge
add name=CAPsMAN protocol-mode=none
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] rx-chains=0 ssid=MikroTik tx-chains=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=CAPsMAN hw=no interface=ether1
add bridge=CAPsMAN interface=wlan1
/interface wireless cap
# 
set bridge=CAPsMAN caps-man-addresses=10.1.100.1 certificate=request \
    discovery-interfaces=ether1 enabled=yes interfaces=wlan1
/ip address
add address=10.1.100.11/24 interface=CAPsMAN network=10.1.100.0
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip route
add distance=1 gateway=10.1.100.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=NTO-AP01
/system routerboard settings
set silent-boot=no

This AP also disconnects from router with the following errors:
CAP joined to OGR-R01
CAP sent max keepalives without response
CAP disconnected from OGR-R01
CAP selected CAPsMAN OGR-R01.....failed:timeout
CAP failed to join OGR-R01...
CAP selected CAPsMAN OGR-R01.....failed:timeout

It only happens with this 1 AP which is connected via power injector. Can it be the reason?

Router config


# jul/10/2018 19:31:14 by RouterOS 6.42.4
# software id = 5HWC-UFX8
#
# model = CRS328-24P-4S+
# serial number = 822308F79C2A
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2412 name=\
    "name=ch_01_2400_20_bgn"
add band=2ghz-g/n control-channel-width=20mhz frequency=2437 name=\
    "name=ch_06_2400_20_bgn"
add band=2ghz-g/n control-channel-width=20mhz frequency=2462 name=\
    "name=ch_11_2400_20_bgn"
/interface bridge
add fast-forward=no name=bridge priority=0x4096 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether3 ] comment="ESX i ETH1 Trunk"
set [ find default-name=ether4 ] comment="ESXi ETH2 Trunk"
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan130 vlan-id=130
add interface=bridge name=vlan192 vlan-id=192
/caps-man datapath
add bridge=bridge name=datapath-OFFICE vlan-id=20 vlan-mode=use-tag
add bridge=bridge name=datapath-VISITORS vlan-id=30 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=security-OFFICE passphrase="XXXXXXXXXXX"
add name=security-VISITORS
/caps-man configuration
add channel.band=2ghz-g/n channel.control-channel-width=20mhz country=poland \
    datapath=datapath-OFFICE datapath.bridge=bridge distance=indoors \
    guard-interval=any mode=ap name=config-OFFICE rates.basic="" rx-chains=\
    0,1 security=security-OFFICE ssid=OFFICE tx-chains=0,1
add channel.band=2ghz-g/n channel.control-channel-width=20mhz country=poland \
    datapath=datapath-VISITORS datapath.bridge=bridge guard-interval=any \
    mode=ap name=config-VISITORS security=security-VISITORS ssid=VISITORS
/interface list
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] dns-name=hotspot.firma.pl hotspot-address=10.1.30.1 \
    html-directory=flash/hotspot login-by=http-chap name=HSPRO1
/ip pool
add name=pool-vlan10 ranges=10.1.10.100-10.1.10.250
add name=pool-vlan20 ranges=10.1.20.100-10.1.20.250
add name=pool-vlan30 ranges=10.1.30.100-10.1.30.250
add name=pool-vlan192 ranges=192.168.0.150-192.168.0.180
add name=pool-vpn-ppt ranges=10.1.99.100-10.1.99.250
add name=pool-vlan100 ranges=10.1.100.150-10.1.100.180
/ip dhcp-server
add address-pool=pool-vlan10 disabled=no interface=vlan10 lease-time=8h name=\
    server-vlan10
add address-pool=pool-vlan192 disabled=no interface=vlan192 lease-time=8h \
    name=server-vlan192
add address-pool=pool-vlan20 disabled=no interface=vlan20 lease-time=8h name=\
    server-vlan20
add address-pool=pool-vlan30 disabled=no interface=vlan30 lease-time=8h name=\
    server-vlan30
add address-pool=pool-vlan100 disabled=no interface=vlan100 name=\
    server-vlan100
/ip hotspot
add address-pool=pool-vlan30 disabled=no idle-timeout=none interface=vlan30 \
    name=server1
/ip hotspot user profile
set [ find default=yes ] address-pool=pool-vlan30 keepalive-timeout=4h \
    mac-cookie-timeout=1d shared-users=100
/ppp profile
add dns-server=10.1.10.10 local-address=pool-vpn-ppt name=vpn-pptp only-one=\
    no remote-address=pool-vpn-ppt use-encryption=yes
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=yes interface=any \
    signal-range=-80..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=yes interface=any \
    signal-range=-120..-81 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=config-OFFICE \
    name-format=identity slave-configurations=config-VISITORS
/interface bridge port
add bridge=bridge comment=ILO interface=ether5 pvid=100
add bridge=bridge comment=UPS interface=ether6 pvid=100
add bridge=bridge comment=QNAP interface=ether7 pvid=100
add bridge=bridge comment=QNAP interface=ether8 pvid=100
add bridge=bridge edge=yes interface=ether17 pvid=192
add bridge=bridge interface=ether10 pvid=192
add bridge=bridge interface=ether9 pvid=192
add bridge=bridge interface=ether11 pvid=192
add bridge=bridge interface=ether12 pvid=192
add bridge=bridge interface=ether13 pvid=192
add bridge=bridge interface=ether14 pvid=192
add bridge=bridge interface=ether15 pvid=192
add bridge=bridge interface=ether16 pvid=192
add bridge=bridge interface=ether18 pvid=192
add bridge=bridge edge=yes interface=ether19 pvid=192
add bridge=bridge edge=yes interface=ether20 pvid=192
add bridge=bridge edge=yes interface=ether21 pvid=192
add bridge=bridge edge=yes interface=ether22 pvid=192
add bridge=bridge interface=ether23 pvid=100
add bridge=bridge interface=ether24 pvid=100
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=sfp-sfpplus2
add bridge=bridge interface=sfp-sfpplus3
add bridge=bridge interface=sfp-sfpplus4
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2 vlan-ids=1
add bridge=bridge tagged=bridge,ether3,ether4,sfp-sfpplus1,sfp-sfpplus2 \
    vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2 vlan-ids=20
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2 vlan-ids=30
add bridge=bridge tagged=bridge,ether3,ether4,sfp-sfpplus1,sfp-sfpplus2 \
    untagged=ether23,ether24,ether7,ether8 vlan-ids=100
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2 untagged="ether9,eth\
    er10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether\
    19,ether20,ether21,ether22" vlan-ids=192
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2 vlan-ids=130
/interface pptp-server server
set authentication=chap,mschap2 default-profile=vpn-pptp enabled=yes
/ip address
add address=XX.YY.ZZ.WWW/30 interface=ether1-WAN network=XX.YY.ZZ.WWW
add address=10.1.10.1/24 interface=vlan10 network=10.1.10.0
add address=10.1.20.1/24 interface=vlan20 network=10.1.20.0
add address=10.1.30.1/24 interface=vlan30 network=10.1.30.0
add address=192.168.0.1/24 interface=vlan192 network=192.168.0.0
add address=10.1.100.1/24 interface=vlan100 network=10.1.100.0
add address=10.1.130.1/24 interface=vlan130 network=10.1.130.0
/ip dhcp-server network
add address=10.1.10.0/24 dns-server=10.1.10.10,208.67.222.222,208.67.220.220 \
    domain=domain.internal gateway=10.1.10.1 netmask=24
add address=10.1.20.0/24 dns-server=10.1.10.10,208.67.222.222,208.67.220.220 \
    domain=domain.internal gateway=10.1.20.1 netmask=24
add address=10.1.30.0/24 dns-server=208.67.222.222,208.67.220.220 domain=\
    domain.internal gateway=10.1.30.1 netmask=24
add address=10.1.99.0/24 dns-server=10.1.10.10,208.67.222.222,208.67.220.220 \
    domain=domain.internal gateway=10.1.99.1 netmask=24
add address=10.1.100.0/24 dns-server=10.1.10.10,208.67.222.222,208.67.220.220 \
    domain=domain.internal gateway=10.1.100.1 netmask=24
add address=192.168.0.0/24 dns-server=\
    10.1.10.10,208.67.220.220,208.67.222.222 domain=domain.internal \
    gateway=192.168.0.1 netmask=24
/ip dns
set servers=10.1.10.10,208.67.220.220
/ip firewall address-list
add address=10.0.0.0/8 list=LAN
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
add address=192.168.0.0/24 list=LAN
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here"
add action=drop chain=input dst-address-list=LAN in-interface=vlan30
add action=drop chain=forward dst-address-list=LAN in-interface=vlan30
add action=accept chain=input comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=accept chain=input comment=\
    "Accept all connections from local network" src-address-list=LAN
add action=accept chain=forward comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=drop chain=input comment="Drop invalid packets" connection-state=\
    invalid
add action=drop chain=forward comment="Drop invalid packets" \
    connection-state=invalid
add action=drop chain=input comment=\
    "Drop all packets which does not have unicast source IP address" \
    src-address-type=!unicast
add action=accept chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add action=accept chain=input comment="Access to Winbox" dst-port=58291 \
    protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.WW dst-port=5445 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.WW dst-port=5415 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.WW dst-port=5443 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.WW dst-port=5435 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.WW dst-port=5000 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.WW dst-port=5002 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.WW dst-port=5001 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=XX.YY.ZZ.WW dst-port=51991 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
    icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=input comment="Echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=drop chain=forward comment=\
    "Drop new connections from internet which are not dst-natted" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1-WAN
add action=drop chain=forward comment="Drop all packets from public internet w\
    hich should not exist in public network" in-interface=ether1-WAN \
    src-address-list=NotPublic
add action=drop chain=input comment="Drop all packets from public internet whi\
    ch should not exist in public network" in-interface=ether1-WAN \
    src-address-list=NotPublic
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=drop chain=input comment=\
    "!!Drop any other traffic INPUT - put at the end"
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here"
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=\
    10.0.0.0/8
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=\
    192.168.0.0/24
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.WW dst-port=5445 \
    protocol=tcp to-addresses=192.168.0.15 to-ports=5445
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.WW dst-port=5415 \
    protocol=tcp to-addresses=192.168.0.56 to-ports=5415
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.WW dst-port=5443 \
    protocol=tcp to-addresses=192.168.0.100 to-ports=5443
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.WW dst-port=5435 \
    protocol=tcp to-addresses=192.168.0.10 to-ports=5435
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.WW dst-port=5000 \
    protocol=tcp to-addresses=192.168.0.220 to-ports=5000
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.WW dst-port=5001 \
    protocol=tcp to-addresses=192.168.0.220 to-ports=5001
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.WW dst-port=5002 \
    protocol=tcp to-addresses=192.168.0.220 to-ports=5002
add action=dst-nat chain=dstnat dst-address=XX.YY.ZZ.WW dst-port=51991 \
    protocol=tcp to-addresses=10.1.10.10 to-ports=3389
/ip hotspot user
add name=visitor password=XXXXXXXXXXXXXXXXXX
/ip route
add distance=1 gateway=XX.YY.ZZ.WWW
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set winbox port=58291
/ppp aaa
set use-radius=yes
/ppp secret
add name=xadmin password=XXXXXXXXXXXXXXXX profile=vpn-pptp
/radius
add address=10.1.10.10 secret=XXXXXXXXXXXXXXXX src-address=10.1.10.1 \
    timeout=100ms
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=OGR-R01
/system routerboard settings
set boot-os=router-os silent-boot=no

AP is connected to port ETH24 (vlan100) in access mode. Should it be trunk? Should I use now VLAN-filtering on AP's bridges as well?
I'm playing with datapath settings and VLANs/use-tag but without success.

Thanks for any help!

BR/Eliash

sindy · Tue Jul 10, 2018 11:57 pm

To me everything seems fine, except maybe that you have made wlan1 a member interface of the bridge named CAPsMAN on the AP (but I'm not sure it is wrong, it is just unusual).

Unless you use local forwarding, which you don't, the frames from AP's wireless interfaces are encapsulated into UDP and delivered to the CAPsMAN device, and there they are de-encapsulated and placed on the bridge indicated in the datapath, eventually tagged with the Vlan ID indicated in the datapath. So the fact that ether24 is an access port to vlan 100 is fine as well.

Neferith · Wed Jul 11, 2018 10:39 am

Hi Sindy,

Previously, I configured CAPsMAN with datapath settings: bridge-vlan20 for OFFICE (vlan20) and bridge-vlan30 for VISITORS (vlan30), so CAPsMAN knows, to which VLAN traffic belongs. Now, with vlan-filter configuration, I have 1 common bridge within router and I don't specify in datapath any bridge-vlanX. I think it's difficult to find to which VLAN belongs traffic from particular SSID.

I'm trying to find out what else should be reconfigured in CPAsMAN to adjust to current 1-bridge scenario.

I used central data forwarding, so AP was in VLAN100 in access mode and was passing 2 SSIDs traffic encapsulated in UDP to CAPsMAN (2 VLANs for configured bridge-vlan20 and bridge-vlan30 in router). Should I configure CAPsAMN to use any vlans and tags? Should AP be connected to access or trunk port?

kind regards,
Eliash

sindy · Wed Jul 11, 2018 11:31 am

I think it's difficult to find to which VLAN belongs traffic from particular SSID.

Nie zrozumiałem... what is difficult? The capsman datapath and capsman configuration clearly define that. The frames received from air get a vlan tag with the ID configured in the datapath configuration before being sent to the bridge also configured in the datapath configuration. Each capsman configuration, which defines the SSID, refers to a capsman datapath, so the mapping between the SSID and the vlan ID is clear.

Should I configure CAPsMAN to use any vlans and tags?

If you have in mind the /capsman manager configuration item, then no. If you have in mind the router which acts as a cAP's manager, as some people tend to call the device fulfilling that role a CAPsMAN then yes, but you've done it already.

Should AP be connected to access or trunk port?

Whether the cAP talks with the device running the cAP manager via tagged or tagless port has nothing to do with mapping between SSIDs and VLANs. As said, as the frame gets received from the air, no VLAN tag is assigned to it. The cAP encapsulates it into a UDP packet and delivers that UDP packet to the device running the cAP manager using normal L3 routing, so it doesn't matter whether the L3 path between cAP and cAP manager uses VLAN tags or not, the devices must just see each other at L3 - and in your case, they do as the cAP manager listens on 192.168.100.1 which is in vlan 100, and ether24. And only at the cAP manager device the frame from the air is extracted from the UDP and processed according to the settings in the interface's datapath.

When the cAP interfaces are up, what does /capsman interface print and /interface bridge vlan print show?

Neferith · Wed Jul 11, 2018 11:43 am

Hi Sindy,

Thanks for your answer.

There's no such command like /capsman interface prit

/interface bridge vlan print

xadmin@OGR-R01] > /interface bridge vlan print
Flags: X - disabled, D - dynamic 
 #   BRIDGE                                                        VLAN-IDS  CURRENT-TAGGED                                                       CURRENT-UNTAGGED                                                      
 0   bridge                                                        1         bridge                                                               ether3                                                                
                                                                             sfp-sfpplus1                                                         ether4                                                                
                                                                             sfp-sfpplus2                                                        
 1   bridge                                                        10        bridge                                                              
                                                                             ether3                                                              
                                                                             ether4                                                              
                                                                             sfp-sfpplus1                                                        
                                                                             sfp-sfpplus2                                                        
 2   bridge                                                        20        bridge                                                              
                                                                             sfp-sfpplus1                                                        
                                                                             sfp-sfpplus2                                                        
 3   bridge                                                        30        bridge                                                              
                                                                             sfp-sfpplus1                                                        
                                                                             sfp-sfpplus2                                                        
 4   bridge                                                        100       bridge                                                               ether5                                                                
                                                                             ether3                                                               ether7                                                                
                                                                             ether4                                                               ether8                                                                
                                                                             sfp-sfpplus1                                                        
                                                                             sfp-sfpplus2                                                        
 5   bridge                                                        192       bridge                                                               ether11                                                               
                                                                             sfp-sfpplus1                                                         ether20                                                               
                                                                             sfp-sfpplus2                                                        
 6   bridge                                                        130       bridge                                                              
                                                                             sfp-sfpplus1                                                        
                                                                             sfp-sfpplus2

Many thanks for help!
BR/Eliash

Neferith · Wed Jul 11, 2018 12:37 pm

Hi,

I addedd vlan ID for datapath configuration for each SSID, but client still cannot get IP address.
Datapath config:

xadmin@OGR-R01] > caps-man datapath print
 0 name="datapath-OFFICE" bridge=bridge vlan-id=20 

 1 name="datapath-VISITORS" bridge=bridge vlan-id=30

Keep in mind that we use the same common bridge in both SSID's. Is that ok? Previously, I had 2 dedicated bridge-vlan 20 and bridge-vlan30.

Router config again as reminder


# jul/11/2018 11:33:56 by RouterOS 6.42.4
# software id = 5HWC-UFX8
#
# model = CRS328-24P-4S+
# serial number = 822308F79C2A
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2412 name=\
    "name=ch_01_2400_20_bgn"
add band=2ghz-g/n control-channel-width=20mhz frequency=2437 name=\
    "name=ch_06_2400_20_bgn"
add band=2ghz-g/n control-channel-width=20mhz frequency=2462 name=\
    "name=ch_11_2400_20_bgn"
/interface bridge
add fast-forward=no name=bridge priority=0x4096 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether3 ] comment="ESXi ETH1 Trunk"
set [ find default-name=ether4 ] comment="ESXi ETH2 Trunk"
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan130 vlan-id=130
add interface=bridge name=vlan192 vlan-id=192
/caps-man datapath
add bridge=bridge name=datapath-OFFICE vlan-id=20
add bridge=bridge name=datapath-VISITORS vlan-id=30
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=security-OFFICE
add name=security-VISITORS
/caps-man configuration
add channel.band=2ghz-g/n channel.control-channel-width=20mhz country=poland \
    datapath=datapath-OFFICE datapath.bridge=bridge distance=indoors \
    guard-interval=any mode=ap name=config-OFFICE rates.basic="" rx-chains=\
    0,1 security=security-OFFICE ssid=OFFICE tx-chains=0,1
add channel.band=2ghz-g/n channel.control-channel-width=20mhz country=poland \
    datapath=datapath-VISITORS datapath.bridge=bridge guard-interval=any \
    mode=ap name=config-VISITORS security=security-VISITORS ssid=VISITORS
/interface list
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] dns-name=hotspot.firma.pl hotspot-address=10.1.30.1 \
    html-directory=flash/hotspot login-by=http-chap name=HSPRO1
/ip pool
add name=pool-vlan10 ranges=10.1.10.100-10.1.10.250
add name=pool-vlan20 ranges=10.1.20.100-10.1.20.250
add name=pool-vlan30 ranges=10.1.30.100-10.1.30.250
add name=pool-vlan192 ranges=192.168.0.150-192.168.0.180
add name=pool-vpn-ppt ranges=10.1.99.100-10.1.99.250
add name=pool-vlan100 ranges=10.1.100.150-10.1.100.180
/ip dhcp-server
add address-pool=pool-vlan10 disabled=no interface=vlan10 lease-time=8h name=\
    server-vlan10
add address-pool=pool-vlan192 disabled=no interface=vlan192 lease-time=8h \
    name=server-vlan192
add address-pool=pool-vlan20 disabled=no interface=vlan20 lease-time=8h name=\
    server-vlan20
add address-pool=pool-vlan30 disabled=no interface=vlan30 lease-time=8h name=\
    server-vlan30
add address-pool=pool-vlan100 disabled=no interface=vlan100 name=\
    server-vlan100
/ip hotspot
add address-pool=pool-vlan30 disabled=no idle-timeout=none interface=vlan30 \
    name=server1
/ip hotspot user profile
set [ find default=yes ] address-pool=pool-vlan30 keepalive-timeout=4h \
    mac-cookie-timeout=1d shared-users=100
/ppp profile
add dns-server=10.1.10.10 local-address=pool-vpn-ppt name=vpn-pptp only-one=\
    no remote-address=pool-vpn-ppt use-encryption=yes
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=yes interface=any \
    signal-range=-80..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=yes interface=any \
    signal-range=-120..-81 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=config-OFFICE \
    name-format=identity slave-configurations=config-VISITORS
/interface bridge port
add bridge=bridge comment=ILO interface=ether5 pvid=100
add bridge=bridge comment=UPS interface=ether6 pvid=100
add bridge=bridge comment=QNAP interface=ether7 pvid=100
add bridge=bridge comment=QNAP interface=ether8 pvid=100
add bridge=bridge edge=yes interface=ether17 pvid=192
add bridge=bridge interface=ether10 pvid=192
add bridge=bridge interface=ether9 pvid=192
add bridge=bridge interface=ether11 pvid=192
add bridge=bridge interface=ether12 pvid=192
add bridge=bridge interface=ether13 pvid=192
add bridge=bridge interface=ether14 pvid=192
add bridge=bridge interface=ether15 pvid=192
add bridge=bridge interface=ether16 pvid=192
add bridge=bridge interface=ether18 pvid=192
add bridge=bridge edge=yes interface=ether19 pvid=192
add bridge=bridge edge=yes interface=ether20 pvid=192
add bridge=bridge edge=yes interface=ether21 pvid=192
add bridge=bridge edge=yes interface=ether22 pvid=192
add bridge=bridge interface=ether23 pvid=100
add bridge=bridge interface=ether24 pvid=100
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=sfp-sfpplus2
add bridge=bridge interface=sfp-sfpplus3
add bridge=bridge interface=sfp-sfpplus4
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2 vlan-ids=1
add bridge=bridge tagged=bridge,ether3,ether4,sfp-sfpplus1,sfp-sfpplus2 \
    vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,ether24 vlan-ids=20
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,ether24 vlan-ids=30
add bridge=bridge tagged=bridge,ether3,ether4,sfp-sfpplus1,sfp-sfpplus2 \
    untagged=ether7,ether8,ether24 vlan-ids=100
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2 untagged="ether9,eth\
    er10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether\
    19,ether20,ether21,ether22" vlan-ids=192
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2 vlan-ids=130
/interface pptp-server server
set authentication=chap,mschap2 default-profile=vpn-pptp enabled=yes
/ip address
add address=public.ip.130/30 interface=ether1-WAN network=public.ip.128
add address=10.1.10.1/24 interface=vlan10 network=10.1.10.0
add address=10.1.20.1/24 interface=vlan20 network=10.1.20.0
add address=10.1.30.1/24 interface=vlan30 network=10.1.30.0
add address=192.168.0.1/24 interface=vlan192 network=192.168.0.0
add address=10.1.100.1/24 interface=vlan100 network=10.1.100.0
add address=10.1.130.1/24 interface=vlan130 network=10.1.130.0
/ip dhcp-server network
add address=10.1.10.0/24 dns-server=10.1.10.10,208.67.222.222,208.67.220.220 \
    domain=ogrodnik.internal gateway=10.1.10.1 netmask=24
add address=10.1.20.0/24 dns-server=10.1.10.10,208.67.222.222,208.67.220.220 \
    domain=ogrodnik.internal gateway=10.1.20.1 netmask=24
add address=10.1.30.0/24 dns-server=208.67.222.222,208.67.220.220 domain=\
    ogrodnik.internal gateway=10.1.30.1 netmask=24
add address=10.1.99.0/24 dns-server=10.1.10.10,208.67.222.222,208.67.220.220 \
    domain=ogrodnik.internal gateway=10.1.99.1 netmask=24
add address=10.1.100.0/24 dns-server=10.1.10.10,208.67.222.222,208.67.220.220 \
    domain=ogrodnik.internal gateway=10.1.100.1 netmask=24
add address=192.168.0.0/24 dns-server=\
    10.1.10.10,208.67.220.220,208.67.222.222 domain=ogrodnik.internal \
    gateway=192.168.0.1 netmask=24
/ip dns
set servers=10.1.10.10,208.67.220.220
/ip firewall address-list
add address=10.0.0.0/8 list=LAN
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
add address=192.168.0.0/24 list=LAN
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here"
add action=drop chain=input dst-address-list=LAN in-interface=vlan30
add action=drop chain=forward dst-address-list=LAN in-interface=vlan30
add action=accept chain=input comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=accept chain=input comment=\
    "Accept all connections from local network" src-address-list=LAN
add action=accept chain=forward comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=drop chain=input comment="Drop invalid packets" connection-state=\
    invalid
add action=drop chain=forward comment="Drop invalid packets" \
    connection-state=invalid
add action=drop chain=input comment=\
    "Drop all packets which does not have unicast source IP address" \
    src-address-type=!unicast
add action=accept chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add action=accept chain=input comment="Access to Winbox" dst-port=58291 \
    protocol=tcp
add action=accept chain=forward dst-address=public.ip.130 dst-port=5445 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=public.ip.130 dst-port=5415 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=public.ip.130 dst-port=5443 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=public.ip.130 dst-port=5435 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=public.ip.130 dst-port=5000 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=public.ip.130 dst-port=5002 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=public.ip.130 dst-port=5001 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward dst-address=public.ip.130 dst-port=51991 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
    icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=input comment="Echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=drop chain=forward comment=\
    "Drop new connections from internet which are not dst-natted" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1-WAN
add action=drop chain=forward comment="Drop all packets from public internet w\
    hich should not exist in public network" in-interface=ether1-WAN \
    src-address-list=NotPublic
add action=drop chain=input comment="Drop all packets from public internet whi\
    ch should not exist in public network" in-interface=ether1-WAN \
    src-address-list=NotPublic
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=drop chain=input comment=\
    "!!Drop any other traffic INPUT - put at the end"
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here"
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=\
    10.0.0.0/8
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=\
    192.168.0.0/24
add action=dst-nat chain=dstnat dst-address=public.ip.130 dst-port=5445 \
    protocol=tcp to-addresses=192.168.0.15 to-ports=5445
add action=dst-nat chain=dstnat dst-address=public.ip.130 dst-port=5415 \
    protocol=tcp to-addresses=192.168.0.56 to-ports=5415
add action=dst-nat chain=dstnat dst-address=public.ip.130 dst-port=5443 \
    protocol=tcp to-addresses=192.168.0.100 to-ports=5443
add action=dst-nat chain=dstnat dst-address=public.ip.130 dst-port=5435 \
    protocol=tcp to-addresses=192.168.0.10 to-ports=5435
add action=dst-nat chain=dstnat dst-address=public.ip.130 dst-port=5000 \
    protocol=tcp to-addresses=192.168.0.220 to-ports=5000
add action=dst-nat chain=dstnat dst-address=public.ip.130 dst-port=5001 \
    protocol=tcp to-addresses=192.168.0.220 to-ports=5001
add action=dst-nat chain=dstnat dst-address=public.ip.130 dst-port=5002 \
    protocol=tcp to-addresses=192.168.0.220 to-ports=5002
add action=dst-nat chain=dstnat dst-address=public.ip.130 dst-port=51991 \
    protocol=tcp to-addresses=10.1.10.10 to-ports=3389
/ip hotspot user
add name=visitor
/ip route
add distance=1 gateway=public.ip.129
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set winbox port=58291
/ppp aaa
set use-radius=yes
/ppp secret
add name=xadmin profile=vpn-pptp
/radius
add address=10.1.10.10 src-address=10.1.10.1 timeout=100ms
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=OGR-R01
/system routerboard settings
set boot-os=router-os silent-boot=no

Many thanks for any help!

kind regards,
Eliash

sindy · Wed Jul 11, 2018 1:30 pm

Well, I admit that /capsman interface print does not exist, but /caps-man interface print does

I cannot see the issue in your configuration, except if the presence of bridge parameter in /caps-man configuration shadows also some other settings from the /caps-man datapath. So try to unset the bridge parameter in /caps-man configuration and keep it only in /caps-man datapath, and then show me the output of /caps-man interface print detail and /caps-man actual-interface-configuration print detail.

Neferith · Wed Jul 11, 2018 1:51 pm

Hi,

I unset bridge from config and kept it noly in datapath. Didn't help.

[xadmin@OGR-R01] > /caps-man interface print det
Flags: M - master, D - dynamic, B - bound, 
X - disabled, I - inactive, R - running 
 0 MDB  name="OGR-AP02-1" mac-address=CC:2D:E0:31:94:5D arp-timeout=auto 
        radio-mac=CC:2D:E0:31:94:5D master-interface=none 
        configuration=config-OFFICE l2mtu=1600 current-state="running-ap" 
        current-channel="2432/20-Ce/gn(20dBm)" 
        current-rate-set="OFDM:6-54 BW:1x-2x SGI:1x-2x HT:0-15" 
        current-basic-rate-set="" current-registered-clients=0 
        current-authorized-clients=0 

 1  DB  name="OGR-AP02-1-1" mac-address=CE:2D:E0:31:94:5D arp-timeout=auto 
        radio-mac=00:00:00:00:00:00 master-interface=OGR-AP02-1 
        configuration=config-VISITORS l2mtu=1600 current-state="running-ap" 
        current-rate-set="OFDM:6-54 BW:1x-2x SGI:1x-2x HT:0-15" 
        current-basic-rate-set="OFDM:6" current-registered-clients=0 
        current-authorized-clients=0 

 2 MDB  name="OGR-AP03-1" mac-address=CC:2D:E0:31:94:5F arp-timeout=auto 
        radio-mac=CC:2D:E0:31:94:5F master-interface=none 
        configuration=config-OFFICE l2mtu=1600 current-state="running-ap" 
        current-channel="2452/20-Ce/gn(20dBm)" 
        current-rate-set="OFDM:6-54 BW:1x-2x SGI:1x-2x HT:0-15" 
        current-basic-rate-set="" current-registered-clients=0 
-- [Q quit|D dump|down]

/caps-man actual-interface-configuration print detail


[xadmin@OGR-R01] > /caps-man actual-interface-configuration print detail                
Flags: M - master, D - dynamic, B - bound, X - disabled, I - inactive, R - running 
 0 MDB  name="OGR-AP02-1" mac-address=CC:2D:E0:31:94:5D arp-timeout=auto radio-mac=CC:2D:E0:31:94:5D master-interface=none configuration.mode=ap configuration.ssid="OFFICE" configuration.tx-chains=0,1 
        configuration.rx-chains=0,1 configuration.guard-interval=any configuration.country=poland configuration.distance=indoors security.authentication-types=wpa2-psk security.encryption=aes-ccm 
        security.group-encryption=aes-ccm security.passphrase="secrepassword" l2mtu=1600 datapath.bridge=bridge datapath.vlan-id=20 channel.control-channel-width=20mhz channel.band=2ghz-g/n 

 1  DB  name="OGR-AP02-1-1" mac-address=CE:2D:E0:31:94:5D arp-timeout=auto radio-mac=00:00:00:00:00:00 master-interface=OGR-AP02-1 configuration.mode=ap configuration.ssid="VISITORS" configuration.guard-interval=any 
        configuration.country=poland l2mtu=1600 datapath.bridge=bridge datapath.vlan-id=30 channel.control-channel-width=20mhz channel.band=2ghz-g/n 

 2 MDB  name="OGR-AP03-1" mac-address=CC:2D:E0:31:94:5F arp-timeout=auto radio-mac=CC:2D:E0:31:94:5F master-interface=none configuration.mode=ap configuration.ssid="OFFICE" configuration.tx-chains=0,1 
        configuration.rx-chains=0,1 configuration.guard-interval=any configuration.country=poland configuration.distance=indoors security.authentication-types=wpa2-psk security.encryption=aes-ccm 
        security.group-encryption=aes-ccm security.passphrase="secrepassword" l2mtu=1600 datapath.bridge=bridge datapath.vlan-id=20 channel.control-channel-width=20mhz channel.band=2ghz-g/n 

 1  DB  name="OGR-AP03-1-1" mac-address=CE:2D:E0:31:94:5F arp-timeout=auto radio-mac=00:00:00:00:00:00 master-interface=OGR-AP03-1 configuration.mode=ap configuration.ssid="VISITORS" configuration.guard-interval=any 
        configuration.country=poland l2mtu=1600 datapath.bridge=bridge datapath.vlan-id=30 channel.control-channel-width=20mhz channel.band=2ghz-g/n 

 3 MDB  name="OGR-AP04-1" mac-address=CC:2D:E0:31:94:85 arp-timeout=auto radio-mac=CC:2D:E0:31:94:85 master-interface=none configuration.mode=ap configuration.ssid="OFFICE" configuration.tx-chains=0,1 
        configuration.rx-chains=0,1 configuration.guard-interval=any configuration.country=poland configuration.distance=indoors security.authentication-types=wpa2-psk security.encryption=aes-ccm 
        security.group-encryption=aes-ccm security.passphrase="secrepassword" l2mtu=1600 datapath.bridge=bridge datapath.vlan-id=20 channel.control-channel-width=20mhz channel.band=2ghz-g/n 

 1  DB  name="OGR-AP04-1-1" mac-address=CE:2D:E0:31:94:85 arp-timeout=auto radio-mac=00:00:00:00:00:00 master-interface=OGR-AP04-1 configuration.mode=ap configuration.ssid="VISITORS" configuration.guard-interval=any 
        configuration.country=poland l2mtu=1600 datapath.bridge=bridge datapath.vlan-id=30 channel.control-channel-width=20mhz channel.band=2ghz-g/n 
[xadmin@OGR-R01] >

Thanks for help!
/BR Eliash

sindy · Wed Jul 11, 2018 2:35 pm

Add vlan-mode=use-tag to the datapath configurations. The presence of vlan-id doesn't seem to imply that automatically.

Neferith · Wed Jul 11, 2018 2:50 pm

Hi Sindy,

Still no luck.
Is it normal that interfaces of registered APs are in pvid=1

/interface bridge port print details


  interface=OGR-AP04-1 bridge=bridge priority=0x80 path-cost=10 
       internal-path-cost=10 edge=yes point-to-point=no learn=auto horizon=none 
       auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 
       frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes 
       unknown-multicast-flood=yes broadcast-flood=yes 

27 ID  interface=OGR-AP04-1-1 bridge=bridge priority=0x80 path-cost=10 
       internal-path-cost=10 edge=yes point-to-point=no learn=auto horizon=none 
       auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 
       frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes 
       unknown-multicast-flood=yes broadcast-flood=yes 

28 ID  interface=OGR-AP02-1 bridge=bridge priority=0x80 path-cost=10 
       internal-path-cost=10 edge=yes point-to-point=no learn=auto horizon=none 
       auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 
       frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes 
       unknown-multicast-flood=yes broadcast-flood=yes 

29 ID  interface=OGR-AP02-1-1 bridge=bridge priority=0x80 path-cost=10 
       internal-path-cost=10 edge=yes point-to-point=no learn=auto horizon=none 
       auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 
       frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes 
       unknown-multicast-flood=yes broadcast-flood=yes 

30 ID  interface=OGR-AP03-1 bridge=bridge priority=0x80 path-cost=10 
       internal-path-cost=10 edge=yes point-to-point=no learn=auto horizon=none 
       auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 
       frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes 
       unknown-multicast-flood=yes broadcast-flood=yes 

31 ID  interface=OGR-AP03-1-1 bridge=bridge priority=0x80 path-cost=10 
       internal-path-cost=10 edge=yes point-to-point=no learn=auto horizon=none 
       auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 
       frame-types=admit-all ingress-filtering=no unknown-unicast-flood=yes 
       unknown-multicast-flood=yes broadcast-flood=yes

Since we started to use vlan-filre on bridge on router, is it necessary to use it as well on AP's local bridges?

Thanks!

BR/Eliash

sindy · Wed Jul 11, 2018 3:28 pm

Is it normal that interfaces of registered APs are in pvid=1

Yes, it is normal, the pvid value controls with what VID the tagless frames will be marked (so if the datapath is not set to vlan-mode=use-tag, and the pvid would be set to something else than 1, the frames from that datapath would be marked with that VID taken from the pvid parameter). The pvid value of 1 seems to have a reserved meaning "don't tag", and for dynamically added /interface bridge port items, it is always set like that.

The datapath etc. settings seem to work correctly as your /interface bridge port print shows that the dynamically created wireless interfaces have been dynamically added as bridge ports.

However, I'm afraid that the real problem is that these dynamically created wireless interfaces are not automatically added also to the /interface bridge vlan rules, so if vlan-filtering=yes on the bridge, the tagged frames are not let in to the bridge.

So either add the names of the dynamically created wireless interfaces to the tagged list in the two /interface bridge vlan items with vlan-ids=20 and vlan-ids=30 or, if you want to first confirm that it is the root cause of the issue with less effort, set vlan-filtering=no on the cAP manager's bridge for a while if it doesn't cause some security issue. I hazily remember I was dealing with the same in the past but the behaviour is so counter-intuitive that I've since forgotten that again.

Since we started to use vlan-filre on bridge on router, is it necessary to use it as well on AP's local bridges?

No. As I've tried to explain before, the first place where the frames coming from the air get tagged is in the cAP manager. On the AP, they look like ordinary UDP packets, so the VLAN-related configuration on the AP has no relevance.

Neferith · Wed Jul 11, 2018 4:21 pm

Disabling vlan filter on bridge disconnected me totally.Keep in mind, there's only 1 bridge for whole router. I enabled in again.

Then I made a test with adding dynamic radio interfaces to the tagged list in the two /interface bridge vlan items and it seems to work

I tried it in my small lab environment which is quite unstable, but I will try it production in coming days, but it looks better now.
Let me know, if you have nother ideas on how to process of if you recall how you solved that int the past.

Many thanks!
BR/Eliash

sindy · Wed Jul 11, 2018 4:57 pm

Disabling vlan filter on bridge disconnected me totally.

That's strange unless you'd have some very weird loops somewhere. It could be that as the mac forwarding tables get rebuilt, you were disconnected for a while, it should recover in a couple of seconds though.

Let me know, if you have nother ideas on how to process of if you recall how you solved that int the past.

I'm afraid I wasn't solving that in any of my networks as I only use /caps-man access-list rules to configure SSID to vlan-id mapping, and that it was someone else from Poland with whom I was dealing with this issue here on the forum. And in my own networks, vlan filtering wasn't necessary given the overall simplicity of the setup.

What makes automated handling of this very complicated is that the vlan-id values to be added to wireless frames can be configured at many places in the configuration (/caps-man datapath, /caps-man configuration, /caps-man interface, /caps-man access-list, /interface wireless access-list to name those which affect dynamically created configuration items), leaving aside that the VLAN filtering on bridges currently works with 802.1Q tags but doesn't with 802.1ad ("service") tags, and the configuration processing seems to ignore all this when creating the dynamic items - maybe because it seemed too complex to handle even to Mikrotik developers. And unlike other subsystems (like dhcp-client or dhcp-server), there is no hook point for a script which could be run once each time a cAP interface is auto-generated or disappears, so you'd have to schedule a periodic script checking the current dynamic configuration and adding the missing items to the /interface bridge vlan section when an interface appears, and clean up non-existent interfaces from these lists.

Neferith · Thu Jul 12, 2018 10:23 am

Hi All,

I'm a bit confused, that MT doesn't provide any working solution which supports normal vlans, trunking, rstp.
When I was suing different bridges for vlans, everything worked excet rtsp. When now I use vlan-filter with 1 bridge, everything works except VLANs/DHCP on Access Points :/

Does anyone have easy working configuration for router with few vlans/trunk and capsman supporting 2 SSID with different vlans?

/BR Eliash

Neferith · Thu Jul 12, 2018 10:36 am

Wooow!

I just got answear from MT support:

Hello,

Either you need to manually configure dynamic CAP interfaces to corresponding VLAN in the Bridge VLAN table or upgrade to the latest RouterOS v6.43rc where it has been fixed.

What's new in 6.43rc42 (2018-Jul-04 15:07):
*) bridge - add dynamic CAP interface to tagged ports if "vlan-mode=use-tag" is enabled;

Best regards,
Janis B.

)))

Gonna try it later in technical window time

Many thanks to ALL of YOU for help!

BR/Eliash

sindy · Thu Jul 12, 2018 12:54 pm

Just bear in mind that the way from "rc" to "current" is long, and the way from "rc" to "bugfix" is even longer

So if you need to deploy a production network within days, you may find the manual configuration of cAP interfaces and their vlan membership a safer approach.

But I'm going to give a try to the 6.43rc42 to see how this automated approach is going to deal with /caps-man access-list rules assigning a VLAN ID.

Neferith · Fri Jul 13, 2018 12:16 pm

I installed RC 6.43 and it works great!

Thanks again, especially for you Sindy for your time and effort!

Take care!
BR/Eliash

BPDU problem

BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem

Re: BPDU problem