ias
just joined
Topic Author
Posts: 7
Joined: Sat Dec 07, 2024 6:31 pm

[HELP] Trouble with VLAN setup on Audience (RBD25G-5HPacQD2HPnD) running RouterOS 7.16.2

Sun Dec 08, 2024 10:15 pm

Hi,

I'm not an experienced Mikrotik admin (more of an enthusiast) and I would be grateful if members of this forum could help with pointing out where I went wrong when trying to improve my network with use of VLANs (nothing fancy for now, just a VLAN for client devices and a management VLAN).

First the outline of my test setup:
HEX PoE working as a router
hap ac lite working as bridge/switch
Audience serving as AP and bridge/switch (controlled by CAPsMAN in my actual non-test setup but I did not get as far in my tests)
All devices running RouterOS 7.16.2

I started with configuring HEX PoE and hap ac lite using switch configuration for hardware offloading as suggested here:
https://help.mikrotik.com/docs/spaces/R ... switchchip

This seems to be working fine with trunk, access and hybrid ports on both devices.

The real troubles started with configuring Audience.

First I realised that I can't use the same setup method as above, as Audience doesn't seem to have Switch menu in Winbox, and although I could configure ports and vlan table using terminal I could not finish the configuration by setting vlan-mode=secure. I found this and lack of Switch menu in Winbox strange as Atheros8327 chip on my Audience supports most of switch features (as confirmed in this link):
https://help.mikrotik.com/docs/spaces/R ... troduction

Anyway, I thought that instead of pondering this, I'll just drop hardware offloading as (unlike the other two devices) Audience has some resources to spare. I followed the below guide to configure a bridge with VLAN filtering:
https://help.mikrotik.com/docs/spaces/R ... VLAN+Table

What I'm trying to do at this phase is to configure ether1 and ether2 in a bridge where ether1 is a trunk port with VLAN 10 and 90 tagged, and ether2 is a hybrid port with VLAN 90 tagged and 10 untagged.

Unfortunately I couldn't get this to work and even though I can see some traffic on VLAN 10 and 90 on ether1 I can't even connect to Audience via Winbox other than through default VLAN 1. Audience can't reach the NTP server either.

This leads me to two questions:
1) Is there a reason why switch configuration is not present on Audience with RouterOS 7.16.2 even though it has a capable switch chip?
2) Where did I go wrong with the below bridge filtering configuration?
# 1970-01-02 01:31:31 by RouterOS 7.16.2
# software id = 4XZX-9Q65
#
# model = RBD25G-5HPacQD2HPnD
# serial number = D5840DBC5A69
/interface bridge
add name=bridge-lan vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
set [ find default-name=wlan2 ] ssid=MikroTik
set [ find default-name=wlan3 ] ssid=MikroTik
/interface vlan
add interface=bridge-lan name=MGMT vlan-id=90
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge-lan interface=ether1
add bridge=bridge-lan interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge-lan tagged=ether1 untagged=ether2 vlan-ids=10
add bridge=bridge-lan tagged=bridge-lan,ether2,ether1 vlan-ids=90
/interface wireless cap
# 
set bridge=*7 caps-man-addresses=192.168.90.1 enabled=yes interfaces=\
    wlan2,wlan1
/ip address
add address=192.168.90.6/24 interface=MGMT network=192.168.90.0
/ip dhcp-client
add interface=MGMT
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=IAS-WIFI-2
/system note
set show-at-login=no
/system ntp client servers
add address=192.168.90.1
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
I'd appreciate any help and I appreciate that I most likely did something dumb and I just can't see it yet.
 
anav
Forum Guru
Posts: 21892
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: [HELP] Trouble with VLAN setup on Audience (RBD25G-5HPacQD2HPnD) running RouterOS 7.16.2

Sun Dec 08, 2024 11:07 pm

For me the error was using capsman jajaajaja. I can do vlans very easily without capsman,,,,,,,,,,, somebody else will have to provide direction.
 
ias
just joined
Topic Author
Posts: 7
Joined: Sat Dec 07, 2024 6:31 pm

Re: [HELP] Trouble with VLAN setup on Audience (RBD25G-5HPacQD2HPnD) running RouterOS 7.16.2

Mon Dec 09, 2024 1:02 am

Thanks Anav, but I don't think that my problem (for now :wink: ) is use of CAPsMAN. As I said I didn't get as far as even establishing connection with the HEX PoE router where the CAPsMAN is.

I just can't see where I went wrong with the Bridge VLAN filtering configuration on Audience and why, even though I think Audience should connect via VLAN 10 and 90 over the trunk port (ether1), it doesn't seem to work.

As a test, if I connect my PC (with virtual NIC set on port 90) to the same hap ac lite port where audience is meant to be connected, I can get IP from "management" DHCP without problem and connectivity seems to be fine.
 
anav
Forum Guru
Posts: 21892
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: [HELP] Trouble with VLAN setup on Audience (RBD25G-5HPacQD2HPnD) running RouterOS 7.16.2

Mon Dec 09, 2024 2:42 am

IF there was no capsman it would be like so.
This is the audience in ap/switch mode and will assume the vlan10 is the trusted vlan where the audience gets its IP address from.

/interface list
add name=TRUSTED
/interface list member
add interface=vlan10 list=TRUSTED


/ip address
add address=vlan10(assigned IP address) interface=vlan10 network=


/interface bridge port
add bridge=bridge-lan ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="Trunk Port"
add bridge=bridge-lan interface=ether2 pvid=10 comment="Hybrid Port"


/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether1 untagged=ether2 vlan-ids=10
add bridge=bridge-lan tagged=ether1,ether2 vlan-ids=90


/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
 
mkx
Forum Guru
Posts: 12978
Joined: Thu Mar 03, 2016 10:23 pm

Re: [HELP] Trouble with VLAN setup on Audience (RBD25G-5HPacQD2HPnD) running RouterOS 7.16.2

Mon Dec 09, 2024 2:21 pm

Apart from VLAN stuff (@anav already gave you some good advice) ... are you intending to use hAP ac lite as AP as well? If not, then you better remove the wireless package and install wifi-qcom-ac on Audience, its wireless will really take off and fly. You'll have to use the new CAPsMAN (available under /interface/wifi ... various branches under it). The benefit is that if you intended to run CAPsMAN on the main router (hEX PoE), then you don't have to have the wireless package installed there either (new capsman functionality is included in core ROS since 7.13). However, hAP ac lite is not compatible with new capsman ...
 
ias
just joined
Topic Author
Posts: 7
Joined: Sat Dec 07, 2024 6:31 pm

Re: [HELP] Trouble with VLAN setup on Audience (RBD25G-5HPacQD2HPnD) running RouterOS 7.16.2

Mon Dec 09, 2024 11:49 pm

Hi mkx,

The hAP ac lite in my test setup replaces the HEX from my actual network. So I do not intend to have this device at all in my eventual setup, as AP or otherwise. I currently have the old CAPsMAN configuration in my "live" network and translating it to new CAPsMAN and wave2 will most likely be the next challenge once I've established a working VLAN setup. So one step at a time... :)
 
ias
just joined
Topic Author
Posts: 7
Joined: Sat Dec 07, 2024 6:31 pm

Re: [HELP] Trouble with VLAN setup on Audience (RBD25G-5HPacQD2HPnD) running RouterOS 7.16.2

Tue Dec 10, 2024 12:17 am

Hi anav,

Thanks for further suggestions. In my original idea I actually meant for vlan 90 to be a trusted vlan where Audience would communicate with other Mikrotik devices and get its IP from, but for the purpose of this test it doesn't really matter.

I grew tired of disconnecting the Audience from my "live" network for these experiments, but I did a few more tests with a wiped hAP ac lite.

I tried to take your example like for like and after adding a few things which Mikrotik was complaining about (like declaration of the bridge and vlan10 interface) I arrived at something like this:
/interface bridge
add name=bridge-lan

/interface vlan
add interface=bridge-lan name=vlan10 vlan-id=10

/interface list
add name=TRUSTED

/interface list member
add interface=vlan10 list=TRUSTED

/ip address
add address=192.168.10.6/24 interface=vlan10 network=192.168.10.0

/interface bridge port
add bridge=bridge-lan ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="Trunk Port"
add bridge=bridge-lan interface=ether2 pvid=10 comment="Hybrid Port"

/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether1 untagged=ether2 vlan-ids=10
add bridge=bridge-lan tagged=ether1,ether2 vlan-ids=90

/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
Is this what you had in mind? This obviously should not have much effect as I intentionally left out enabling vlan filtering so that I could do it as the last step.

When I apply the above from terminal, I can apply all the commands, but then when I enable vlan filtering I need to set pvid. When I set it to 10 (which seems to be a logical choice for this configuration?) I get locked out from the device (I get disconnected and can't connect again using Winbox).

Interestingly if I import it as .rsc script to a blank device I get the message that script was loaded successfully and get locked out immediately after (I don't even get a chance to enable vlan filtering).

For completeness, I'm connected to the device via ether2 using a PC which accepts untagged traffic on its main network interface and vlan 90 on a virtual NIC. The same device connected to a hybrid (stripped vlan10 and tagged vlan90) port configured with switch configuration rather than bridge vlan filtering connects fine, getting IP from DHCP on both interfaces, so I think there is nothing wrong with the client and I'm still messing something up in the bridge vlan filtering configuration.

I'd welcome any further suggestions or troubleshooting steps which I could try.

Many thanks for your suggestions so far!
 
anav
Forum Guru
Posts: 21892
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: [HELP] Trouble with VLAN setup on Audience (RBD25G-5HPacQD2HPnD) running RouterOS 7.16.2

Tue Dec 10, 2024 12:29 am

You forgot to add the address of the device which is provided on the trusted vlan. I usually make this a static lease setting on the main router.

Yes, getting locked out doing vlan filtering is a problem, that's why I came up with this solution years ago....

To avoid vlan filtering hiccups, and to config from a safe spot, I recommend you take etherX off the bridge, let's say port 5:

/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5

/ip address
add address=192.168.65.1/29 interface=OffBridge5 network=192.168.65.0

/interface list member
# use whatever interface list is trusted here (LAN, TRUSTED, BASE/MANAGEMENT)
add interface=OffBridge5 list=LAN

Now plug in your laptop into ether5, change ipv4 settings to 192.168.65.2 and you should be in!!!
 
Amm0
Forum Guru
Posts: 4324
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: [HELP] Trouble with VLAN setup on Audience (RBD25G-5HPacQD2HPnD) running RouterOS 7.16.2

Tue Dec 10, 2024 2:11 am

You might try setting STP to "none", as something could be going into a blocking state during the configuration process. But otherwise it looks right to me...

Also, in 7.16+, it's safe to set vlan-filtering=yes when you create the bridge, as the default bridge/ports all use a "VLAN 1" & when you add the /interface/vlan for VLAN10, it will automatically add bridge as tagged in /interface/bridge/vlans dynamically.

So, assuming starting from empty configuration and use MAC address in winbox to connect BEFORE connecting to rest of network... I'd break the configuration into two parts. First, get the bridge setup using MAC address in winbox, and the last line will disconnect you.
/interface bridge add name=bridge-lan vlan-filtering=yes
/interface vlan add interface=bridge-lan name=vlan10 vlan-id=10
/ip address add address=192.168.10.6/24 interface=vlan10 network=192.168.10.0
/interface bridge vlan add bridge=bridge-lan tagged=bridge-lan,ether1 untagged=ether2 vlan-ids=10
/interface bridge port add bridge=bridge-lan interface=ether2 pvid=10 comment="Hybrid Port"
/interface bridge port add bridge=bridge-lan ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="Trunk Port"
Then plugin the trunk line into ether1, and verify you can access the router. Finally tweak the rest of the security stuff as desired:
/interface list
add name=TRUSTED
/interface list member
add interface=vlan10 list=TRUSTED
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
Notes:
- /interface/bridge/vlan comes BEFORE /interface/bridge/port with ingress-filtering=yes
- /interface/bridge/vlan will have a dynamic entry (marked with D) with tagged=bridge-lan for PVID 10 in version 7.16+.
- Router would have a 192.168.88.1 even if "empty", so may need to remove that from IP address
- Set the TRUSTED interface list AFTER getting the VLANs working... since /tool/mac-server is how you'd get into "fix" the VLANs initially
 
mkx
Forum Guru
Posts: 12978
Joined: Thu Mar 03, 2016 10:23 pm

Re: [HELP] Trouble with VLAN setup on Audience (RBD25G-5HPacQD2HPnD) running RouterOS 7.16.2

Tue Dec 10, 2024 9:23 am

... translating it to new CAPsMAN and wave2 will most likely be the next challenge once I've established a working VLAN setup. So one step at a time... :)

Well ... support for VLANs in the wifi-qcom-ac package is next to none (while wireless has pretty good support), so if you're struggling with VLANs on your Audience now, it'll be worse then. So I suggest you switch over to wifi-qcom-ac first; wifi configuration done locally will be very similar to the one needed on wifi capsman later. Except for VLANs, you'll have to be a bit innovative if you want to run Audience with VLANs as a capsman client. Unless you'll have multiple (two or more) APs (running wifi drivers) and you'll need to run capsman for improved mobility of clients, using capsman (in your particular case) might be a PITA. If the rest of your devices will be ax devices (running the wifi-qcom driver, which supports VLANs better), then you might want to run capsman on the Audience itself (even if local radios will be configured locally, running capsman on the same device will enable improved mobility).
 
ias
just joined
Topic Author
Posts: 7
Joined: Sat Dec 07, 2024 6:31 pm

Re: [HELP] Trouble with VLAN setup on Audience (RBD25G-5HPacQD2HPnD) running RouterOS 7.16.2

Wed Dec 11, 2024 9:55 pm

Hi mkx,

Thanks for the warning. In my "live" setup I have 3 Audience APs and no ax devices. If the vlan support in wifi-qcom-ac is somewhat patchy I guess I'll stick to wireless for now until support for wifi-qcom-ac is improved ...if ever :)
 
ias
just joined
Topic Author
Posts: 7
Joined: Sat Dec 07, 2024 6:31 pm

Re: [HELP] Trouble with VLAN setup on Audience (RBD25G-5HPacQD2HPnD) running RouterOS 7.16.2

Wed Dec 11, 2024 10:02 pm

Regarding below point:

You forgot to add the address of the device which is provided on the trusted vlan.

I thought I did that in the config I posted on Monday:
/ip address
add address=192.168.10.6/24 interface=vlan10 network=192.168.10.0
...with vlan10 being included in TRUSTED list.

Did you mean something else?

BTW, thanks for the hint with the OffBridge port. It saved me a few resets while I'm testing on hAP ac lite which has a few extra ports (unlike Audience :) )
 
ias
just joined
Topic Author
Posts: 7
Joined: Sat Dec 07, 2024 6:31 pm

Re: [HELP] Trouble with VLAN setup on Audience (RBD25G-5HPacQD2HPnD) running RouterOS 7.16.2

Wed Dec 11, 2024 10:24 pm

Hi Amm0,

Thanks for the config. It goes a little bit further from my original goal (as it does not include vlan 90) but is a good test in my current struggles.

I used the first part of config, and did not go further with the steps for restricting the access as even the first part wasn't working for me. I thought I'd at least check if PC connected to ether2 will get IP from DHCP on HEX over vlan 10 and, spoiler alert, it did not :(

I'm pasting a full export in case you can spot something I did wrong.

I also want to assure you that I entered the commands in the order you suggested, even though the export ordered them randomly.
# 1970-01-02 00:29:05 by RouterOS 7.16.2
# software id = 99ZS-54IM
#
# model = RB952Ui-5ac2nD
# serial number = 9249097A6CAA

/interface bridge
add name=bridge-lan vlan-filtering=yes

/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik

/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5

/interface vlan
add interface=bridge-lan name=vlan10 vlan-id=10

/interface list
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/interface bridge port
add bridge=bridge-lan comment="Hybrid Port" interface=ether2 pvid=10
add bridge=bridge-lan comment="Trunk Port" frame-types=admit-only-vlan-tagged \
    interface=ether1

/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether1 untagged=ether2 vlan-ids=10

/interface list member
add interface=OffBridge5 list=TRUSTED

/ip address
add address=192.168.65.1/29 interface=OffBridge5 network=192.168.65.0
add address=192.168.10.6/24 interface=vlan10 network=192.168.10.0

/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
Note that the above config includes the advice from anav for the offBridge port but it should not interfere with vlan filtering.

As I feel I'm growing mad trying to understand what I'm doing wrong, I decided to try my original concept using switch commands while testing on hAP ac lite (i.e. the config that wouldn't work on Audience due to lack of switch menu). The below config (based on vlan 90 for management, and hybrid tagged 90 and untagged 10 on ether2) worked flawlessly:
# 1970-01-02 01:32:14 by RouterOS 7.16.2
# software id = 99ZS-54IM
#
# model = RB952Ui-5ac2nD
# serial number = 9249097A6CAA
/interface bridge
add name=bridge-lan
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=bridge-lan name=MGMT vlan-id=90
/interface ethernet switch port
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 default-vlan-id=10 vlan-mode=secure
set 5 vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge-lan interface=ether1
add bridge=bridge-lan interface=ether2
/interface ethernet switch vlan
add ports=ether1,ether2 switch=switch1 vlan-id=10
add ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=90
/ip address
add address=192.168.90.6/24 interface=MGMT network=192.168.90.0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=IAS-WIFI-2
/system note
set show-at-login=no
/system ntp client servers
add address=192.168.90.1
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
If I had more confidence in my Mikrotik skills I'd start suspecting I came across some kind of bug in ROS 7.16.2, but as things stand I still feel I must be making some dumb error.

I'd welcome further suggestions.
 
anavk0
newbie
Posts: 26
Joined: Wed Dec 11, 2024 10:40 pm

Re: [HELP] Trouble with VLAN setup on Audience (RBD25G-5HPacQD2HPnD) running RouterOS 7.16.2

Thu Dec 12, 2024 4:05 am

What is not clear is which users the Audience is serving.
Acting as an AP/switch it should get at least two vlans from the trunk port on ether1:
vlan10 and let's say vlan90 for management (trusted vlan) and where Audience gets its IP address from.

What is on ether2?? eth3 and eth4? In other words refresh my memory why were we thinking hybrid port??
/interface bridge
# change vlan-filtering to yes as the last step
add name=bridge-lan vlan-filtering=no
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=bridge-lan name=MGMT vlan-id=90
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface list
add name=TRUSTED
/interface list member
add interface=MGMT list=TRUSTED
add interface=OffBridge5 list=TRUSTED
/interface bridge port
add bridge=bridge-lan ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="trunk port from hex"
add bridge=bridge-lan ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10 comment="access port to PC"
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridge-lan tagged=ether1 untagged=ether2 vlan-ids=10
add bridge=bridge-lan tagged=ether1,bridge-lan vlan-ids=90
/ip dns
set server=192.168.90.1
/ip address
add address=192.168.90.6/24 interface=MGMT network=192.168.90.0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.90.1
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=IAS-WIFI-2
/system note
set show-at-login=no
/system ntp client servers
add address=192.168.90.1
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED