
Trying to understand vlan-filtering + datapath.vlan-id in capsman AX

Posted: Sat Nov 02, 2024 1:48 am
by dulasau
I've been trying to wrap my head around vlan isolation while using capsman.
My setup:
  • ccr2116 as a capsman and two hap ax2 and one ax3 as CAPs.
  • Two wifi networks: "trusted" (vlan-id 10) and "untrusted" (vlan-id 30)

/interface wifi datapath
add bridge=bridge bridge-horizon=10 client-isolation=yes name=untrusted-datapath vlan-id=30
add bridge=bridge name=trusted-datapath vlan-id=10


It's all working perfectly: on a CAP I can see the dynamically added interfaces with the correct vlan ids
  • 5 D wifi1 bridgeLocal 10 0x80 none
  • 6 D wifi11 bridgeLocal 30 0x80 none
but... vlan-filtering is set to "no" on the bridge itself, which in my mind defeats the purpose of isolating wifi networks. What am I missing?
BTW bridge horizon from the datapath is not applied as well :(

Re: Trying to understand vlan-filtering + datapath.vlan-id in capsman AX

Posted: Sat Nov 02, 2024 10:42 am
by mkx
Do these interfaces get added as access ports or trunk ports to bridge? Check it using /interface/bridge/vlan/print .

If they are added as untagged, then their VLAN settings are ignored and you'll have to set vlan-filtering=yes on the bridge on all cAP devices. (Do enable safe mode before enabling vlan-filtering on the bridge; you could lose management access if the bridge config is not "ready" for vlan-filtering.)

If they are added as tagged, then traffic separation based on VLAN IDs works without bridge being aware of it, wifi interfaces make sure of it (bridge is in this case operating as a dumb switch, passing frames between ports only according to dst MAC addresses ... which means that occasionally a frame with wrong VID will be delivered to wifi interface, but wifi interface will drop it as unusable according to its own config).
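
A CAP-side bridge configuration that is "ready" for vlan-filtering in the sense mkx describes, added here as an example (it is not from the thread or from MikroTik's documentation). It assumes ether1 is the CAP's uplink to the CCR2116, that management runs in VLAN 99 at the address shown, and that the bridge is named bridge; all three are assumptions, while VLANs 10 and 30 are the datapath vlan-ids from the question, which arrive as dynamic pvid ports once CAPsMAN pushes the datapaths.

```routeros
# Added example, not the thread's config. Assumed: ether1 = uplink, VLAN 99 = management.
# 1. Bridge starts with filtering OFF so nothing changes until everything below is in place.
/interface bridge
add name=bridge vlan-filtering=no
/interface bridge port
add bridge=bridge interface=ether1

# 2. Management must survive the switch-on: give the bridge itself a tagged VLAN 99
#    and put the CAP's IP on it, so the CPU still reaches the CCR after filtering starts.
/interface vlan
add interface=bridge name=mgmt-vlan vlan-id=99
/ip address
add address=192.168.99.10/24 interface=mgmt-vlan

# 3. Bridge VLAN table: the uplink carries 10, 30 and 99 tagged; "bridge" appears as a
#    tagged member only for 99. Wifi ports with pvid 10/30 (created by the datapath)
#    get their untagged membership added dynamically, so they need no entry here.
#    Deliberately, the CPU is NOT a member of 10 or 30: a client on "untrusted" has no
#    path to the CAP's management plane even if it spoofs the right VID.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=99
add bridge=bridge tagged=ether1 vlan-ids=10
add bridge=bridge tagged=ether1 vlan-ids=30

# 4. Verify before enabling: every VLAN the CAP needs must already be listed.
/interface bridge vlan print

# 5. Only now, from a terminal with safe mode active (Ctrl-X), turn filtering on.
#    If management drops, closing the session rolls the change back.
/interface bridge set bridge vlan-filtering=yes
```

After step 5, `/interface/bridge/vlan/print` should show the static entries above plus dynamic (D) untagged entries for each wifi interface's pvid.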

Re: Trying to understand vlan-filtering + datapath.vlan-id in capsman AX

Posted: Sun Nov 03, 2024 12:20 am
by dulasau
Do these interfaces get added as access ports or trunk ports to bridge? Check it using /interface/bridge/vlan/print .

If they are added as untagged, then their VLAN settings are ignored and you'll have to set vlan-filtering=yes on the bridge on all cAP devices. (Do enable safe mode before enabling vlan-filtering on the bridge; you could lose management access if the bridge config is not "ready" for vlan-filtering.)

If they are added as tagged, then traffic separation based on VLAN IDs works without bridge being aware of it, wifi interfaces make sure of it (bridge is in this case operating as a dumb switch, passing frames between ports only according to dst MAC addresses ... which means that occasionally a frame with wrong VID will be delivered to wifi interface, but wifi interface will drop it as unusable according to its own config).
That's the thing: the interfaces were added as access ports (PVIDs were added), but since vlan-filtering is not enabled the /interface/bridge/vlan table is not populated at all.