cAP ac Multiple SSID

SanchoHa · Thu Mar 21, 2024 11:09 pm

Hi guys,
i`m new to Mikrotik, this week i received my first cAP ac AP`s. My goal is to run them as AP only, routing, DHCP and so on is done with a Draytek Vigor. I`d like to have multible SSID`s with different VLANs.
What i´ve done so far:
- Updated to 7.14
- Installed wifi-qcom-ac package
- created a bridge and bridged all ports
- assigned an IP adress to eth1
- configured wifi1 and wifi2, works fine, can login and have access to the internet

Now i tried to create a second WIFI with a VLAN tag
I read the RouterOs documentation and searched for videos and so on. I couldn`t find any way to create a Virtual AP. All i could do was to create a new WIFI with f.e. wifi1 as master. But when i tried to assign a VLAN ID i get the message "vlan-id configured, but interface does not support assigning vlans".

After googling around i found it might work with creating a bridge and assign VLAN for the bridge. So i created a wifi3 with wifi1 as master (without VLAN ID). Then i created a bridge and tried to add the port wifi3 to the new bridge. But then i get the message "Couldn`t add New Bridge Port - device already added as bridge port".

In the Mikrotik documentation i found the following: "Virtual AP interface will only work if master interface is in ap-bridge, bridge, station or wds-slave mode." What does that mean? In cAP ac i don`t have the option ap-bridge, only ap.

Can anyone please can push me in the right direction? Any help is appreciated. Thanks a lot!

Edit: corrected title typos

Fri Mar 22, 2024 12:55 am

Check this tutorial, the "de facto" guide around here for everything vlan:
viewtopic.php?t=143620

Part labeled: Access Point

robmaltsystems · Fri Mar 22, 2024 1:27 am

Check this tutorial, the "de facto" guide around here for everything vlan:
viewtopic.php?t=143620

Part labeled: Access Point

Thanks for that - hadn't come across it before. Experimenting and learning more about VLANS and that looks very useful.

SanchoHa · Sat Mar 23, 2024 8:18 pm

Thanks for the link!

I had a look at it and used the RSC file as a template but i struggle a little with the configuration of the VLANs.

At the moment i have in my home network only 1 VLAN. This is for some IoT stuff. Everything else in the network is running in standard network without VLAN.
This means, i only have one SSID with VLAN.

Do i need to configure a VLAN "BASE_VLAN" like in the example?

What i want is one SSID without VLAN, and one SSID with VLAN

anav · Sat Mar 23, 2024 9:22 pm

Its an excellent link if NOT using capsman controller concept. Setting up the Capacs for the link above is easy and fast.

Setting up the off bridge access and doing the configuring from there is recommended.
just put something like 192.168.36.3 into the ipv4 settings of your laptop and you are in.............'
Also ensure if the capac is not readily accessible, to wire a second cable to a place that is accessible to make changes later if you cannot reach the unit via the router.

/interface bridge
add ingress-filtering=no name=bridgegym vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=emergaccess
/interface vlan
add interface=bridgegym name=homeVlan vlan-id=12  { mandatory, management vlan must be identified in /interface vlan - do not put any other vlans here!! }
/interface list
add name=management
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-Ce country=canada disabled=no frequency=5500 \
    mode=ap-bridge name=homeWLan security-profile=home_Security skip-dfs-channels=all ssid=NoPain-NoGain wireless-protocol=\
    802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-b="" country=canada disabled=no frequency=2437 mode=ap-bridge \
    name=mediaWlan rate-set=configured security-profile=media_Security skip-dfs-channels=all ssid=Media \
    supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=yy.yy.yy.yy  master-interface=mediaWlan multicast-buffering=\
    disabled name=HVAC_WLAN security-profile=Cerv_key ssid=machine wds-cost-range=0 wds-default-cost=0 wmm-support=\
    enabled wps-mode=disabled
/interface bridge port
add bridge=bridgegym ingress-filtering=yes interface=ether1
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=homeWLan pvid=12
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=HVAC_WLAN pvid=49
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=mediaWlan pvid=40
/ip neighbor discovery-settings
set discover-interface-list=management
/interface bridge vlan
add bridge=bridgegym tagged=ether1,bridgegym untagged=homeWLan vlan-ids=12
add bridge=bridgegym tagged=ether1 untagged=mediaWlan vlan-ids=40
add bridge=bridgegym tagged=ether1 untagged=HVAC_WLAN vlan-ids=49
/interface list member
add interface=homeVlan list=management
add interface=emergaccess list=management
/ip address
add address=192.168.10.84/24 interface=homeVlan network=192.168.10.0  comment="IP of capac on trusted subnet"
add address=192.168.36.1/24 interface=emergaccess network=192.168.36.0 comment="ether2 access off bridge"
/ip dns
set allow-remote-requests=yes servers=192.168.10.1  { Note: Done so all dns requests use trusted subnet } 
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.10.1 comment="ensures route avail through trusted subnet gateway"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=x.x.x.x
set api disabled=yes
set api-ssl disabled=yes
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.10.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management

SanchoHa · Tue Mar 26, 2024 10:53 am

@anav: i read your post a couple of times, but i couldn`t get any information out of it. sorry for that, i assume that`s my bad

I conitnued testing, read the whole link in i think i got a clearer understanding.
Here my situation.
I`ve got a Draytek Vigor Router. All used VLANs are managed on it, each with a separate DHCP. (VLANs also configured in Unif Controller)
All the VLANs are tagged on Port 1 of the Router.
From there a connection goes to a Unifi Switch. The Switch Port Profile is set to "All", for those who are familair with Unifi (means it relays all VLAN tags afaik).
From this Switch i have a SFP connection to a Unifi POE Switch, both ports also have the Switch Port Profile "All".
From this POE switch i have a connection to a CAP AC to Ether1.

No i applied the configuration below. (I used VLAN ID 1 for managment because this is the default Unifi ID for management LAN afaik)
As soon as i import the configuration (import was successfull) i can not reach the AP anymore with Winbox. Also i can not see any SSID`s. I tried to assign my computer to the VLAN 17, but it still does not work.

Any idea what might go wrong?

# 1970-01-02 00:24:07 by RouterOS 7.14.1
# software id = Q3XX-5EBT
#
# model = RBcAPGi-5acD2nD
# serial number = HG209G78CJB

#######################################
# VLAN Overview
#######################################

# 17 = Home  	(mkthome)
# 98 = IoT		(mktIoT)
# 99 = HomeOffice (mktHomeoffice)
# 1   =Base (MGMT) VLAN


#######################################
# WIFI Setup
#
#######################################

/interface wifi configuration
add country=Germany disabled=no mode=ap name=cfg_mkthome ssid=mkthome
add country=Germany disabled=no mode=ap name=cfg_mktIoT ssid=mktIoT
add country=Germany disabled=no mode=ap name=cfg_mktHomeoffice ssid=mktHomeoffice
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec_mkthome wps=\
    disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec_mktIoT wps=\
    disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec_mktHomeoffice wps=\
    disable
/interface wifi
set [ find default-name=wifi1 ] configuration=cfg_mkthome configuration.mode=\
    ap disabled=no security=sec_mkthome
set [ find default-name=wifi2 ] configuration=cfg_mkthome configuration.mode=\
    ap disabled=no security=sec_mkthome
add configuration=cfg_mktIoT configuration.mode=ap disabled=no mac-address=\
    D6:01:C3:13:82:6B master-interface=wifi1 name=wifi3 security=sec_mktIoT
add configuration=cfg_mktIoT configuration.mode=ap disabled=no mac-address=\
    D6:01:C3:13:82:6C master-interface=wifi2 name=wifi4 security=sec_mktIoT

add configuration=cfg_mktHomeoffice configuration.mode=ap disabled=no mac-address=\
    D6:01:C3:13:82:6D master-interface=wifi1 name=wifi5 security=sec_mktHomeoffice
add configuration=cfg_mktHomeoffice configuration.mode=ap disabled=no mac-address=\
    D6:01:C3:13:82:6E master-interface=wifi2 name=wifi6 security=sec_mktHomeoffice
	
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
#/ip address
/system identity
set name=MikroTik_AP1
/system note
set show-at-login=no

#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no


#######################################
#
# -- Access Ports --
#
# wifi1, wifi3, wifi5 = 2,4Ghz
# wifi2, wifi4, wifi6 = 5Ghz
#######################################

# ingress behavior
/interface bridge port

# mkthome, mktIot VLAN
#(192.168.17.x)
add bridge=BR1 interface=wifi1 pvid=17     
add bridge=BR1 interface=wifi2 pvid=17	 
# (192.168.98.x)
add bridge=BR1 interface=wifi3 pvid=98	
add bridge=BR1 interface=wifi4 pvid=98
# (192.168.99.x)
add bridge=BR1 interface=wifi5 pvid=99	
add bridge=BR1 interface=wifi6 pvid=99

# egress behavior, handled automatically


#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=ether1

# egress behavior
/interface bridge vlan

# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
add bridge=BR1 tagged=ether1     vlan-ids=17
add bridge=BR1 tagged=ether1     vlan-ids=98
add bridge=BR1 tagged=ether1     vlan-ids=99
# (192.168.0.x)
add bridge=BR1 tagged=BR1,ether1 vlan-ids=1			


#######################################
# IP Addressing & Routing
#######################################

# LAN facing AP's Private IP address on a BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=1
/ip address add address=192.168.0.200/24 interface=BASE_VLAN

# The Router's IP this AP will use
/ip route add distance=1 gateway=192.168.0.1


#######################################
# IP Services
#######################################

# We have a router that will handle this. Nothing to set here.
# Attach this AP to a router configured as shown under the "RoaS" example.


#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wifi1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wifi2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wifi3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wifi4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wifi5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wifi6]

# Only allow ingress packets WITH tags on Trunk Ports
/interface bridge port set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/interface list add name=BASE
/interface list member add interface=BASE_VLAN list=BASE
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes

anav · Tue Mar 26, 2024 12:57 pm

The problem is using vlan1. Your management vlan is the subnet BASE.
All your smart devices should get their IP address from the BASE subnet.
No one wants to look at a article format, next time post your config as it appears for real
/export file=anynameyouwish ( minus router serial number and any public WANIP information )

If you look closely the referenced article does NOT use vlan1.

SanchoHa · Tue Mar 26, 2024 2:42 pm

The problem is using vlan1. Your management vlan is the subnet BASE.
All your smart devices should get their IP address from the BASE subnet.
No one wants to look at a article format, next time post your config as it appears for real
/export file=anynameyouwish ( minus router serial number and any public WANIP information )

If you look closely the referenced article does NOT use vlan1.

Ok, you`re right... Changed it to vlan2

Regarding to config file, sorry that`s the way i´ve seen it in another post, so i assumed it`s ok.
Here is my new config import file. Unfortunately i can not make an export as i can not reach my AP with this configuration.
But, independent from the vlan issues, i don`t know why the AP doesn`t send any SSID`s? Maybe there is something totally wrong in the config?

The config file is attached

SanchoHa · Tue Mar 26, 2024 8:45 pm

Now i tried a manual configuration, i set it up like described in the AccessPoint.rsc from the article above and adapted it to my needs (i did my very best

)

The good news:
The SSID`s are visible
Still available with Winbox

Bad news:
Can`t connect to the SSID`s, probably no IP adress from router...
I can`t reach the devices IP 192.168.0.200

Probably still far away from a success

Here is the current configuration i exported from the device

Tue Mar 26, 2024 8:56 pm

There is a help page for this, you know ...

Capsman part
Cap part

https://help.mikrotik.com/docs/display/ ... ionexample:

anav · Tue Mar 26, 2024 8:57 pm

Comparing my config to your config I can see two errors right away.

Hovle, should I report you to the UN for attempting to exterminate the newbie race by piling on crap when the solid foundation does not yet exist and furthermore a config that has errors which should be addressed first. If I was in charge you would be fired LOL.

SanchoHa · Tue Mar 26, 2024 10:49 pm

Comparing my config to your config I can see two errors right away.

Here is what i found:
In your config:
/interface bridge
add ingress-filtering=no name=bridgegym vlan-filtering=yes

I unchecked it now on my device in Winbox

In my config:
/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=17
add bridge=bridge1 tagged=ether1 vlan-ids=98
add bridge=bridge1 tagged=ether1 vlan-ids=99
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=2

The "bridge1" was missing here. Thats because i tried to config it in Winbox and couldn`t figure out how to add both bridge1 and ether1. I know added it in the config file, imported it and afterwards the SSID`s are gone again. I assume this causes a major fault in the configuration?

Another thing in my configuration:
/ip address
add address=192.168.0.200 interface=Base_VLAN network=192.168.0.200
Think should be 192.168.0.0....

anav · Tue Mar 26, 2024 11:57 pm

Not bad!! Good work.
(1) Correct only thing to change on the bridge is the name if you dont like bridge and turning on vlan-filtering=yes
As I stated I always assign ETHER2 an off bridge address to actually do the initial config and emergency access to the CAP, in case the bridge blows up.

(2) Yes, ether1 is the TRUNK port to the main router so this need to be tagged with the Bridge as its the management vlan,
I prefer to set the untagging manually so I can match visually my /interface bridge ports with /interface bridge vlan settings for a double check...

/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=17
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=17
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi3 pvid=98
add bridge=bridge1 b]ingress-filtering=yes[/b frame-types=admit-only-untagged-and-priority-tagged interface=wifi4 pvid=98
add bridge=bridge1 b]ingress-filtering=yes[/b frame-types=admit-only-untagged-and-priority-tagged interface=wifi5 pvid=99
add bridge=bridge1 b]ingress-filtering=yes[/b frame-types=admit-only-untagged-and-priority-tagged interface=wifi6 pvid=99
add bridge=bridge1 b]ingress-filtering=yes[/b frame-types=admit-only-untagged-and-priority-tagged interface=ether1

/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=wifi1,wifi2 vlan-ids=17
add bridge=bridge1 tagged=ether1 untagged=wifi3,wifi4 vlan-ids=98
add bridge=bridge1 tagged=ether1 untagged=wifi5,wifi6 vlan-ids=99
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=2

(3) YES< needs adjustment
From:
add address=192.168.0.200___ interface=Base_VLAN network=192.168.0.200

TO:
add address=192.168.0.200/24 interface=Base_VLAN network=192.168.0.0

(4) MISSING Entries

/interface list
add name=MGMT
/interface list member
add interface=Base_VLAN list=MGMT
add interface=ether2-access list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip dns
set allow-remote-requests=yes servers=192.168.0.1
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/ip address
add address=192.168.55.1/24 interface=ether2-access network=192.168.55.0
/interface ethernet
set [ find default-name=ether2 ] name=ether2-access

SanchoHa · Wed Mar 27, 2024 1:26 am

So, i fixed what you mentioned. The things under point (4) i adjusted to "emergaccess" where needed.

While importing i got the message
input does not match any value of allowed-interface-list
I played a bit around but i guess this will not affect the overall functionality of my VLAN at the moment so i focused on that

So, what i found out is that i can not ping 192.168.0.1 and i can only connect to WIFI if i assign a static IP, but unfortunately no internet access.
I added the /ip dns entry but without effect.

I think there is still a piece missing in the puzzle. Attached the current config.

anav · Wed Mar 27, 2024 4:39 am

(1) Since you changed emergaccess to 192.168.88.1 ,, you can get rid of this entry at the bottom.

/ip address
add address=192.168.55.1/24 interface=emergaccess network=192.168.55.0

(2) Everything else looks fine and thus I suspect we will have to see what is on the other side of ether1 ( where the problem seems to be pointing )

(3) protocol mode I would leave at STP ( on the bridge itself vice none )

anav · Wed Mar 27, 2024 4:43 am

Ahhh I see the issue.......... one of the config lines on /interface bridge ports is incorrect.
From:
/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=17
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=17
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi3 pvid=98
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi4 pvid=98
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi5 pvid=99
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi6 pvid=99
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether1

TO:

add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1

SanchoHa · Wed Mar 27, 2024 12:47 pm

Seems like we are almost there

All my SSID`s are available and i get an IP from the DHCP of the router, internet access works.

Now i´ve got still one problem to solve. But that`s probably a problem of my computer, or maybe the interface list?

My computer is on Network 192.168.0.xxx. I can ping the router with 192.168.0.1, but not the AP with 192.168.0.200. Also Winbox can`t find the AP.
Any idea?

Anyway, thank`s for your support! I really appreciate it!

anav · Wed Mar 27, 2024 1:02 pm

Latest config of both router and capac.

SanchoHa · Wed Mar 27, 2024 1:32 pm

Here it comes. These are screenshots from the Draytek Router, i hope it`s sufficient. All traffic goes through P1.

anav · Wed Mar 27, 2024 2:02 pm

Well its hard to say since the draytek is not an MT device.
I am also not aware of the firewall rules on the draytek etc..
So winbox doesnt see the capac at all?

Did you try it by IP address in Winbox?
192.168.0.200:winboxPort#

SanchoHa · Wed Mar 27, 2024 2:22 pm

At the moment there are no firewall rules active.

I now logged into the AP using emergaccess. I tried to ping 192.168.0.1 from the terminal, without success. Pinging 192.168.0.200 works.

SanchoHa · Sat Mar 30, 2024 5:10 pm

I wonder if it is right that there is no IP assigned directly to ether1. 192.168.0.200 is assigned to Base_VLAN.

anav · Sat Mar 30, 2024 5:19 pm

That is correct the CAPACs address is on the BASE or management vlan.
The capac is set correctly. Winbox on a the same LAN behind the draytek should see that IP and you should be able to ping that IP.
If not, the issue is with the draytek setup.

why does your LAN 1 have Vs hard coded instead of checkbox for example.

SanchoHa · Sat Mar 30, 2024 6:10 pm

LAN1 is default LAN and probably therefore hard coded.
I also tried using another LAN and other VLAN id to avoid trouble with the default LAN, but the result was the same.

anav · Sat Mar 30, 2024 7:27 pm

Figured as much. Just to let you know.
If all the vlans are coming as trunk to Mikrotik device, all your vlans should be working on the capac now.
Just confirming the only problem is reaching the capac wired behind the draytek using winbox????.

Lets do a test!
Modify one of the wifis lets say CHANGE wifi 6 vlan to the base vlan and see if you can reach the capac via winbox that way!!
its only two changes very easy.

/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=17
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=17
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi3 pvid=98
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi4 pvid=98
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi5 pvid=99
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi6 pvid=2
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-taggedinterface=ether1

/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=wifi1,wifi2 vlan-ids=17
add bridge=bridge1 tagged=ether1 untagged=wifi3,wifi4 vlan-ids=98
add bridge=bridge1 tagged=ether1 untagged=wifi5, vlan-ids=99
add bridge=bridge1 tagged=bridge1,ether1 untagged=wifi6 vlan-ids=2

No need to change anything else. Give it a go...........
See if you can connect on wifi on vlan2, then use winbox to see capac.

SanchoHa · Sat Mar 30, 2024 8:22 pm

Ok, i made the test.
Changed Wifi5 and Wifi6 to ID 2.

Then connected my laptop to the wifi. It got an IP from DHCP VLAN 2, 192.168.0.76.

I`m now able to get the AP with Winbox.
So far so got, what does it mean now for me?

My problem is, that i can not reach the AP with my "hardwired" PC.

I attached a schematic of my setup.

anav · Sat Mar 30, 2024 10:02 pm

Hahahah, so you have a unifi switch in between.
What is the setup for the UNIFI then,
What is the managment vlan on the UNIF etc.......

SanchoHa · Sat Mar 30, 2024 10:11 pm

Yes, mentioned it all the time

Management VLAN in Unifi is 1.
All Ports that are used have Switch Port Profile „All“, means tagged with all VLANs…
Wait… Just found this explaination.
ALL" means that the port is untagged in VLAN 1 and all other VLANs are tagged

anav · Sat Mar 30, 2024 10:33 pm

The management vlan is 2, so thats a problem right there........ You need to properly configure the switch, for example it should have its own address as 192.168.0.XX in the vlan2 subnet!!!

I cannot ffind an easy link that shows the management/setup of the software on the switch.......

SanchoHa · Sat Mar 30, 2024 10:55 pm

Alright... It worked, two things:
I had to set the Port on the switch to PVID 2. In the Unifi environment that means i have to assign this Port to a Switch Port Profile that is configured to VLAN ID2.
So i had to create a VLAN within the Unifi controller with ID2 and assign this to the Port where my PC is connected...

I thought it has to work when the Switch Port is set to "All". But it has to be a untagged port....

So, thanks for you patience and help!

Next step is to rollout the configuration to the other CAPs with CAPsMAN. I think there is enough information about that in the tutorials.
Or any usefull hints regarding this?

anav · Sat Mar 30, 2024 11:07 pm

Since its older wifi from MT, simply recommend setting up just like the first one. It will take only minutes and it will b up and working right away.
I avoid capsman because its a quagmire of frustration and complexity. If I had multiple AX wifi devices all using the same new drivers, I might consider it.

SanchoHa · Sat Mar 30, 2024 11:11 pm

Ok, is there anything to consider regarding roaming?

anav · Sat Mar 30, 2024 11:32 pm

You might see a slightly better (marginal at best) roaming experience but its not fully fledged as its the older drivers which are missing some of that capability so not worth it IMHO.
Feel free to pull your hair out though!

SanchoHa · Sat Mar 30, 2024 11:44 pm

Hm, then i think i keep my hands off it

I`ll have a look how the roaming works and if it`s ok for me.

One more general question, i now learned that i can only connect to the CAP when my PC is connected to a Switch port with PVID2. Is there a way to bypass that? Is it possible to route that somehow? I don`t want to switch cables when i want to have access...

anav · Sat Mar 30, 2024 11:47 pm

On an MT router it would be easy to make a firewall rule.
add action=accept chain=forward src-address=lanip of your pc (static lease set) dst-address=192.168.0.0/24

On draytek probably a similar filter rule is possible.

DIRECTION: LAN to LAN
SOURCE: SourceIP --> your PC LANIP
DESTINATION: VLAN2 Subnet
PROTOCOL: udp/tcp
Pass Immediately.

SanchoHa · Sat Mar 30, 2024 11:58 pm

My PC is already on the same subnet, sorry for a maybe dumb question... Your firewall rule would just route my PC to the Base_VLAN. But i`m already in the same Subnet, only the VLAN2 Tag is missing on my PC right?

Sorry, i know it`s probably not a good idea to place the Base_VLAN into my standard subnet. I`ve never planned to implement a Management VLAN

I know i should reorganize it...

anav · Sun Mar 31, 2024 12:04 am

Regardless, a trusted homesubnet works just fine!! No need to create extra work for nothing really.
Just ensure all smart devices get their IP from trusted subnet.
Why you cannot reach the capac from behind the draytek is most bizarre but the issue is probably still the switch
Negative on the dumb devices, they cannot read tags!!
Thus the reason we untag the packet just before they exit the port heading to the dumb device and their return traffic gets tagged back with the vlan tag as soon as it comes in the port.

SanchoHa · Sun Mar 31, 2024 12:38 am

I now tried to attach my PC directly to the Draytek Port 2 and assigned all the related VLAN`s to this port. But now i don`t have any connectivity, neither i can login in to the router nor internet....
Oh my gosh...
All i wanted is to replace my AP`s, now i jumped into a rabbit hole and can`t find the way out anymore

Until tuesday i have to make a final decission...
1. Keep the mikrotiks, then maybe use the Draytek only as modem and let the CAP do the PPPOE, DHCP and Routing. Should be possible is assume? Then i still have potential issues with the Unifi stuff...
2. Stick with Unifi AP`s, send the MT`s back and keep it like it is...

anav · Sun Mar 31, 2024 1:13 am

I would get rid of the unifi switch and get a real one. A plain jane cheapo TPlink managed switch works better or more sanely that the unifi.
Or get a CRS3XX switch from mikrotik

or send me a copy of the switch User Guide ( I cannot find one ) and then I can figure out how to setup it so it works properly.

SanchoHa · Sun Mar 31, 2024 1:31 am

In this case i would also have to replace my POE switch.
Though Unifi has some disadvantages i really like the Controller software.
But if i have to replace a switch in the future i would probably go with another one

anav · Sun Mar 31, 2024 6:52 am

So you can program only through controllor software, is there a user guide for that??

SanchoHa · Tue Apr 02, 2024 11:41 pm

You can also use a CLI, but i have never done that. The Unifi Controller is for the Basic functions self explainig imho. There are articles in the link.
Also a lot of guides on YouTube

https://help.ui.com/hc/en-us/categories/6583256751383

In the controller you have a real good overview of your devices and clients. I think i would miss that…
So, i decided to send the MT‘s back and ordered Unifi APs.
Nevertheless it might happen that i‘ll use a MT router in the future.

SanchoHa · Wed Apr 03, 2024 7:16 pm

I would get rid of the unifi switch and get a real one. A plain jane cheapo TPlink managed switch works better or more sanely that the unifi.
Or get a CRS3XX switch from mikrotik

or send me a copy of the switch User Guide ( I cannot find one ) and then I can figure out how to setup it so it works properly.

What do you think about this one https://mikrotik.com/product/crs328_24p_4s_rm.
This would replace my both Unifi Switches and i could use my Draytek Vigor only as modem and all the Routing, Firewall, VPN, PPPOE etc would be managed in one device...?

llamajaja · Wed Apr 03, 2024 7:32 pm

You did NOT find that device under MT--> products --> Routers.
Hence, its a switch and should be used as a switch.
What you want is an RB5009 as the router and then a switch.

Not sure what you are looking for in a switch though, here are two potential options.
24gig ports, 2xsfp+ ports - ->CRS326-24G
8 x2.5copper gig ethernet ports and 2xsfp+ ports --> CRS310-8G You can use the 2.5gig ports like normal 1gig ports but have the increased throughput if you get a 2.5 gig capable access point etc.........

However, I would simply use the draytek as the modem, the RB5009 as your main router, and your unifi switches as they are decent as switches just need to config them so they play nice.

Who is online