Mikrotik guest VLAN with Cap AC

It’s past time to create additional VLANs on my home network for IoT and guests, so I decided to take the plunge and see what configuration was required on my Mikrotik AP.

The basic physical network topology is:

internet <—> firewall <—> L2 switches <—> CapAC <—> users

As I’m not using an L3 switch (yet) , I need to create a trunk between the firewall and AP. I ref’d a couple of articles online (offering similar methods) but none seemed to work. And to be honest, they (more specifically the first) didn’t make sense based on standard VLAN networking.

First was TKSja’s youtube video, which while very granular, did not do the trick. At no point did I get logical comms over the trunk. Murray’s Blog had a similar config but same result.

TKSja’s method assigns the VLAN ID to the virtual wifi interface and then bridges the normal ethernet ports to the VLAN and VAP interfaces. Murray’s method doesn’t assign the VLAN ID to the virtual wifi interface but rather the VLAN interface (this makes more sense) and then bridges the VLAN and VAP interfaces.

I’m using a combination of the 2 – this is the basic setup:

  • add the wifi VAP interface in Wireless and assign the VLAN ID
  • create a VLAN in Interfaces and set VLAN ID
  • assign VLAN interface to existing bridge
  • edit the current bridge
    • add the wifi VAP interface to the bridge in ports
    • add the VLAN interface to the bridge in VLANs with ID
      • add the bridge as a tagged port
      • add the wifi VAP interface as an untagged port
  • Assign an IP to the VLAN

Because the VLAN is part of the bridge, you could assign the IP to the bridge as well, but assigning it to the VLAN makes more sense.

So in essence, the wifi VAP interface is untagged while the bridge (or upstream port – ether1 in my case) is tagged to the firewall. Classic VLAN setup. I’m still not sure why the wifi VAP interface needs the VLAN ID but wifi clients don’t get directed to the VLAN unless setting this.

Part of the differences between my setup and others is that I think there has been a change in how VLAN interfaces work in the bridge. You now have a VLANs sub-menu where previously there wasn’t one and you added the VLAN in the ports sub-menu. At least in TKSja’s video, there is no VLANs bridge sub-menu.

Here are the specifics:

  1. create a security profile

2. create the virtual wifi interface (VAP) in Wireless: VLAN mode = use tag, set VLAN ID, set the master interface to your normal Wifi interface

3. Create a VLAN interface in Interfaces: assign it to your bridge and set the VLAN ID

4. Edit the current bridge: add the VAP interface under ports and the VLAN interface under VLANs

5a. for the above VAP interface, set the PVID to the VLAN ID

5b. For the above VLAN, set the bridge interface to tagged, the VAP interface to untagged, set the VLAN ID

6. Add an IP address to the VLAN interface

As the CapAC is running as a bridge, there is no NAT/Masquerade or firewall rules. All access control is managed on the firewall.

Note 1: To get to the basic config for the CapAC, I reset the unit without basic configuration and then choose the WISP AP quickset option with bridge.

Note 2: the IoT VAP is assigned to WLAN1 which is the 2.4G radio while the guest VAP is assigned to WLAN2 which is the 5G radio. As most IoT devices are 2.4G, this seems the best option.

x  Powerful Protection for WordPress, from Shield Security
This Site Is Protected By
Shield Security