Difference between revisions of "Manual:VLANs on Wireless"

From MikroTik Wiki
m (Example)
 
(26 intermediate revisions by 4 users not shown)
Line 2: Line 2:
  
  
==Summary==
+
=Summary=
  
Configuration examples for VLAN cooperation with wireless interface features.
+
VLANs provide the possibility to isolate devices into different Layer2 segments while still using the same Layer1 medium. This is very useful in setups where you want to separate different types of devices of users. This feature is also very useful for Wireless setups since you can isolate different Virtual APs and restricting access to certain services or networks by using Firewall. Below is an example with a setup with two Access Points on the same device that and isolates them into saprate VLANs. This kind of scenario is very common when you have a '''Guest AP''' and '''Work AP'''.
  
===Example with separate bridges===
+
=Example=
 +
[[File:vlan-wlan1.jpg|740px|center|alt=Alt text|Vlan forwarding over wireless interface]]
  
[[File:vlan-wlan1.jpg|740px|center|alt=Alt text|Vlan forwarding over wireless interface]]
+
[https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering Bridge VLAN Filtering] since RouterOS v6.41 provides VLAN aware Layer2 forwarding and VLAN tag modifications within the bridge.
  
 
'''R1:'''
 
'''R1:'''
* Add necessary VLAN interfaces on ethernet interface to make it as a VLAN trunk port. Add ip addresses on VLAN interfaces.
+
* Add necessary VLAN interfaces on ethernet interface to make it a VLAN trunk port. Add ip addresses on VLAN interfaces.
  
 
<pre>
 
<pre>
 
[admin@R1] >
 
[admin@R1] >
 
/interface vlan
 
/interface vlan
add interface=ether1 name=vlan110 vlan-id=110
+
add interface=ether1 name=vlan111 vlan-id=111
add interface=ether1 name=vlan220 vlan-id=220
+
add interface=ether1 name=vlan222 vlan-id=222
  
 
/ip address
 
/ip address
add address=192.168.1.1/24 interface=vlan110 network=192.168.1.0
+
add address=192.168.1.1/24 interface=vlan111
add address=172.168.1.1/24 interface=vlan220 network=172.168.1.0
+
add address=192.168.2.1/24 interface=vlan222
 
</pre>
 
</pre>
  
 
'''R2:'''
 
'''R2:'''
* Add VirtualAP under wlan1 interface. (Also create wireless security-profiles for wlan1 and wlan2)
+
* Add VirtualAP under wlan1 interface and create wireless security-profiles for wlan1 and wlan2
  
 
<pre>
 
<pre>
 
[admin@R2] >
 
[admin@R2] >
 
/interface wireless
 
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge security-profile=vlan110 ssid=vlan110
+
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge security-profile=vlan111 ssid=vlan111 vlan-id=111 vlan-mode=use-tag
add disabled=no master-interface=wlan1 name=wlan2 security-profile=vlan220 ssid=vlan220
+
add disabled=no master-interface=wlan1 name=wlan2 security-profile=vlan222 ssid=vlan222 vlan-id=222 vlan-mode=use-tag
 
</pre>
 
</pre>
  
* Add necessary VLAN interfaces on ethernet interface to make it as a VLAN trunk port.
+
{{Note | It is important to set wlan1,wlan2 vlan-mode to "use-tag".}}
* Add bridges for each VLAN.
 
* Add VLAN interfaces to their corresponding bridges and wireless interfaces to each bridge.
 
  
 +
* Create bridge with ''vlan-filtering=yes''
 +
* Add necessary bridge ports
 +
* Add ''tagged'' interfaces under ''interface bridge vlan'' section with correct ''vland-ids''
 
<pre>
 
<pre>
 
[admin@R2] >
 
[admin@R2] >
/interface vlan
 
add interface=ether1 name=vlan110-ether1 vlan-id=110
 
add interface=ether1 name=vlan220-ether1 vlan-id=220
 
 
 
/interface bridge
 
/interface bridge
add name=bridge-vlan110
+
add fast-forward=no name=bridge1 vlan-filtering=yes
add name=vlan220-bridge
 
  
 
/interface bridge port
 
/interface bridge port
add bridge=bridge-vlan110 interface=vlan110-ether1
+
add bridge=bridge1 interface=ether2
add bridge=bridge-vlan110 interface=wlan1
+
add bridge=bridge1 interface=wlan1
add bridge=vlan220-bridge interface=vlan220-ether1
+
add bridge=bridge1 interface=wlan2
add bridge=vlan220-bridge interface=wlan2
+
/interface bridge vlan
</pre>
+
add bridge=bridge1 tagged=ether2,wlan1 vlan-ids=111
 
+
add bridge=bridge1 tagged=ether2,wlan2 vlan-ids=222
'''R3:'''
 
* Add ip address on wlan1 interface.
 
* Create wireless security-profile compatible with R2 wlan1.
 
<pre>
 
[admin@R3] >
 
/ip address
 
add address=192.168.1.3/24 interface=wlan1 network=192.168.1.0
 
 
 
/interface wireless
 
set [ find default-name=wlan1 ] disabled=no security-profile=vlan110
 
</pre>
 
 
 
'''R4:'''
 
* Add ip address on wlan1 interface.
 
* Create wireless security-profile compatible with R2 wlan2.
 
<pre>
 
[admin@R4] >
 
/ip address
 
add address=172.168.1.4/24 interface=wlan1 network=172.168.1.0
 
 
 
/interface wireless
 
set [ find default-name=wlan1 ] disabled=no security-profile=vlan220
 
</pre>
 
 
 
 
 
===Example with vlan-mode usage===
 
 
 
'''R1:'''
 
* Add necessary VLAN interfaces on ethernet interface to make it as a VLAN trunk port. Add ip addresses on VLAN interfaces.
 
 
 
<pre>
 
[admin@R1] >
 
/interface vlan
 
add interface=ether1 name=vlan110 vlan-id=110
 
add interface=ether1 name=vlan220 vlan-id=220
 
 
 
/ip address
 
add address=192.168.1.1/24 interface=vlan110 network=192.168.1.0
 
add address=172.168.1.1/24 interface=vlan220 network=172.168.1.0
 
 
</pre>
 
</pre>
  
'''R2:'''
+
{{ Warning | Some devices have a built-in switch chip that can switch packets between Ethernet ports with wire-speed performance. Bridge VLAN filtering disables hardware offloading (except on CRS3xx series switches), which will prevent packets from being switched, this does not affect Wireless interfaces as traffic through them cannot be offloaded to the switch chip either way. }}
* Add VirtualAP under wlan1 interface. (Also create wireless security-profiles for wlan1 and wlan2)
 
  
<pre>
+
{{ Note | VLAN filtering is not required in this setup, but is highly recommended due to security reasons. Without VLAN filtering it is possible to forward unknown VLAN IDs in certain scenarios. Disabling VLAN filtering does have performance benefits. }}
[admin@R2] >
 
/interface wireless
 
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge security-profile=vlan110 ssid=vlan110 vlan-id=110 vlan-mode=use-tag
 
add disabled=no master-interface=wlan1 name=wlan2 security-profile=vlan220 ssid=vlan220 vlan-id=220 vlan-mode=use-tag
 
</pre>
 
 
 
{{Note | It is important to set wlan1,wlan2 vlan-mode to "use-tag".}}
 
 
 
* Add necessary VLAN interfaces on ethernet,wlan1,wlan2 interfaces.
 
* Add bridge for VLAN interfaces.  
 
* Add all VLAN interfaces to bridge1.
 
 
 
<pre>
 
[admin@R2] >
 
/interface vlan
 
add interface=ether1 name=vlan110-ether1 vlan-id=110
 
add interface=ether1 name=vlan220-ether1 vlan-id=220
 
 
 
/interface bridge
 
add name=bridge1
 
 
 
/interface bridge port
 
add bridge=bridge1 interface=vlan110-wlan1
 
add bridge=bridge1 interface=vlan220-wlan2
 
add bridge=bridge1 interface=vlan110-ether1
 
add bridge=bridge1 interface=vlan220-ether1
 
</pre>
 
  
 
'''R3:'''
 
'''R3:'''
* Add ip address on wlan1 interface.  
+
* Add IP address on wlan1 interface.  
 
* Create wireless security-profile compatible with R2 wlan1.
 
* Create wireless security-profile compatible with R2 wlan1.
 
<pre>
 
<pre>
 
[admin@R3] >
 
[admin@R3] >
 
/ip address
 
/ip address
add address=192.168.1.3/24 interface=wlan1 network=192.168.1.0
+
add address=192.168.1.3/24 interface=wlan1
  
 
/interface wireless
 
/interface wireless
set [ find default-name=wlan1 ] disabled=no security-profile=vlan110
+
set [ find default-name=wlan1 ] disabled=no security-profile=vlan111
 
</pre>
 
</pre>
  
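Review bot: the rewritten R2 block references security-profile=vlan111 and security-profile=vlan222, and its bullet says to create profiles for wlan1 and wlan2, but no `/interface wireless security-profiles add` line appears in either revision; show those lines or state that the profiles are configured separately, since a reader who copies the block gets a reference to a profile that does not exist. Two smaller points in the same hunk: "vland-ids" in the bridge-vlan bullet should read "vlan-ids", and the trunk port is ether1 on R1 but ether2 on R2 (`add bridge=bridge1 interface=ether2`, `tagged=ether2,wlan1`), which matches the figure only if R1 ether1 cables to R2 ether2, so say so once. Replacing 172.168.1.1/24 with 192.168.2.1/24 on R1 is a genuine fix rather than a renumbering: 172.168.0.0/16 is public address space (RFC 1918 covers 172.16.0.0/12).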
Line 146: Line 76:
 
[admin@R4] >
 
[admin@R4] >
 
/ip address
 
/ip address
add address=172.168.1.4/24 interface=wlan1 network=172.168.1.0
+
add address=192.168.2.4/24 interface=wlan1
  
 
/interface wireless
 
/interface wireless
set [ find default-name=wlan1 ] disabled=no security-profile=vlan220
+
set [ find default-name=wlan1 ] disabled=no security-profile=vlan222
 
</pre>
 
</pre>
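Review bot: R4's new address 192.168.2.4/24 matches the vlan222 subnet R1 now uses, and dropping 172.168.1.4/24 is correct for the same reason as on R1 (172.168.0.0/16 is not RFC 1918 space). Removing the explicit `network=` argument is harmless, since RouterOS derives the network from the address and prefix length.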

Latest revision as of 08:39, 7 February 2020


Summary

VLANs make it possible to isolate devices into different Layer 2 segments while still sharing the same Layer 1 medium. This is very useful in setups where you want to separate different types of devices or users. It is also very useful for wireless setups, since you can isolate different Virtual APs from each other and restrict their access to certain services or networks with the firewall. Below is an example of a setup with two access points on the same device, isolated into separate VLANs. This kind of scenario is very common when you have a Guest AP and a Work AP.

Example

[Figure: VLAN forwarding over wireless interface]

Bridge VLAN Filtering, available since RouterOS v6.41, provides VLAN-aware Layer 2 forwarding and VLAN tag modification within the bridge.

R1:

  • Add the necessary VLAN interfaces on the Ethernet interface to make it a VLAN trunk port. Add IP addresses on the VLAN interfaces.
[admin@R1] >
/interface vlan
add interface=ether1 name=vlan111 vlan-id=111
add interface=ether1 name=vlan222 vlan-id=222

/ip address
add address=192.168.1.1/24 interface=vlan111
add address=192.168.2.1/24 interface=vlan222

R2:

  • Add a VirtualAP under the wlan1 interface and create wireless security-profiles named vlan111 and vlan222 for wlan1 and wlan2 (the security-profile commands themselves are not shown here; only the references to them appear below).
[admin@R2] >
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge security-profile=vlan111 ssid=vlan111 vlan-id=111 vlan-mode=use-tag
add disabled=no master-interface=wlan1 name=wlan2 security-profile=vlan222 ssid=vlan222 vlan-id=222 vlan-mode=use-tag

Note: It is important to set vlan-mode=use-tag on both wlan1 and wlan2, so that client frames enter the bridge already tagged with the AP's vlan-id.


  • Create a bridge with vlan-filtering=yes
  • Add the necessary bridge ports
  • Add the tagged interfaces under the interface bridge vlan section with the correct vlan-ids
[admin@R2] >
/interface bridge
add fast-forward=no name=bridge1 vlan-filtering=yes

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/interface bridge vlan
add bridge=bridge1 tagged=ether2,wlan1 vlan-ids=111
add bridge=bridge1 tagged=ether2,wlan2 vlan-ids=222

Warning: Some devices have a built-in switch chip that can switch packets between Ethernet ports at wire speed. Bridge VLAN filtering disables hardware offloading (except on CRS3xx series switches), which prevents packets from being switched in hardware. This does not affect wireless interfaces, as traffic through them cannot be offloaded to the switch chip either way.



Note: VLAN filtering is not strictly required in this setup, but it is highly recommended for security reasons. Without VLAN filtering it is possible to forward unknown VLAN IDs in certain scenarios. Disabling VLAN filtering does have performance benefits.
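The following is an added example, not part of the MikroTik wiki page and not RouterOS code: a small Python model of bridge VLAN filtering that reads the R2 configuration lines above and reports which bridge ports a wireless client's frames are forwarded to. It exists to make the two security points of this section checkable: that wlan1 and wlan2 end up in different Layer 2 segments, and what happens when vlan-mode=use-tag is forgotten. The model assumes RouterOS behaviour that the page does not spell out: every bridge port has pvid=1 unless configured otherwise and is a dynamic untagged member of its pvid VLAN, untagged ingress frames are classified into the port's pvid, a wireless interface with vlan-mode=use-tag hands the bridge frames already tagged with its vlan-id, and no ingress filtering or MAC learning is applied (a frame in VLAN V is flooded to every other member of V). `R2_CONFIG` is copied from the section above; `NO_USE_TAG` is a constructed variant with the use-tag settings removed. Only bridges with vlan-filtering=yes are modelled.

```python
"""Added example (not from the MikroTik wiki page or from RouterOS): a toy model
of RouterOS bridge VLAN filtering used to check SSID isolation.

Assumptions (RouterOS behaviour as understood by the example's author):
  * bridge ports default to pvid=1 and are dynamic untagged members of it;
  * untagged ingress frames are classified into the port's pvid;
  * vlan-mode=use-tag means the AP tags client frames with vlan-id before the
    bridge sees them; any other vlan-mode is treated as untagged;
  * no ingress filtering, no MAC learning: VLAN V frames flood all members of V.
"""
import re
from collections import defaultdict

DEFAULT_PVID = 1  # assumed RouterOS default pvid for a bridge port

# R2's configuration as printed in the article (ether2 is the trunk to R1).
R2_CONFIG = """
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge security-profile=vlan111 ssid=vlan111 vlan-id=111 vlan-mode=use-tag
add disabled=no master-interface=wlan1 name=wlan2 security-profile=vlan222 ssid=vlan222 vlan-id=222 vlan-mode=use-tag
/interface bridge
add fast-forward=no name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/interface bridge vlan
add bridge=bridge1 tagged=ether2,wlan1 vlan-ids=111
add bridge=bridge1 tagged=ether2,wlan2 vlan-ids=222
"""

# Constructed variant: the same config with vlan-mode=use-tag forgotten on
# both APs, the mistake the article's note warns about.
NO_USE_TAG = R2_CONFIG.replace(" vlan-id=111 vlan-mode=use-tag", "").replace(
    " vlan-id=222 vlan-mode=use-tag", "")

KV_RE = re.compile(r"([\w-]+)=([^\s\]]+)")  # key=value pairs on one CLI line


def expand_vlan_ids(spec):
    """RouterOS vlan-ids syntax: '111' -> [111], '100-102,200' -> [100, 101, 102, 200]."""
    ids = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_routeros(text):
    """Collect bridge, bridge-port, bridge-vlan and wireless settings from
    RouterOS export-style lines.  Only attributes the model needs are kept."""
    cfg = {"wireless": {}, "bridges": {}, "ports": {}, "vlans": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):          # menu path such as /interface bridge vlan
            section = line
            continue
        kv = dict(KV_RE.findall(line))
        if section == "/interface wireless":
            cfg["wireless"][kv.get("name") or kv["default-name"]] = kv
        elif section == "/interface bridge":
            cfg["bridges"][kv["name"]] = kv.get("vlan-filtering", "no")
        elif section == "/interface bridge port":
            cfg["ports"][kv["interface"]] = int(kv.get("pvid", DEFAULT_PVID))
        elif section == "/interface bridge vlan":
            for vid in expand_vlan_ids(kv["vlan-ids"]):
                entry = cfg["vlans"].setdefault(vid, set())
                for key in ("tagged", "untagged"):
                    entry.update(p for p in kv.get(key, "").split(",") if p)
    return cfg


def vlan_members(cfg):
    """Effective VLAN table: static tagged/untagged members plus the dynamic
    untagged membership every port gets in its pvid VLAN."""
    members = defaultdict(set)
    for vid, ports in cfg["vlans"].items():
        members[vid] |= ports
    for port, pvid in cfg["ports"].items():
        members[pvid].add(port)
    return members


def ingress_vlan(cfg, port):
    """VLAN a client frame entering the bridge through `port` is placed in."""
    if port not in cfg["ports"]:
        raise ValueError(f"{port} is not a bridge port")
    wl = cfg["wireless"].get(port, {})
    if wl.get("vlan-mode") == "use-tag":
        return int(wl["vlan-id"])   # the AP tagged it before the bridge saw it
    return cfg["ports"][port]       # untagged frame: the bridge applies the pvid


def reachable(cfg, port):
    """Return (vlan, ports): the VLAN a client frame from `port` lands in and
    the other bridge ports it is flooded to."""
    if "yes" not in cfg["bridges"].values():
        raise ValueError("model only covers bridges with vlan-filtering=yes")
    vid = ingress_vlan(cfg, port)
    return vid, vlan_members(cfg)[vid] - {port}


def isolated(cfg, a, b):
    """True when neither SSID's clients can reach the other's through the bridge."""
    return b not in reachable(cfg, a)[1] and a not in reachable(cfg, b)[1]


if __name__ == "__main__":
    for label, text in (("article config", R2_CONFIG), ("use-tag forgotten", NO_USE_TAG)):
        cfg = parse_routeros(text)
        for wlan in ("wlan1", "wlan2"):
            vid, ports = reachable(cfg, wlan)
            print(f"{label}: {wlan} -> VLAN {vid} -> {sorted(ports)}")
        print(f"{label}: wlan1/wlan2 isolated = {isolated(cfg, 'wlan1', 'wlan2')}")
```

With the article's configuration, a wlan1 client's frames are tagged 111 and reach only ether2 (the trunk), and a wlan2 client's frames are tagged 222 and likewise reach only ether2, so the two SSIDs never share a segment on R2. In the constructed variant without vlan-mode=use-tag, both APs deliver untagged frames, the bridge classifies them into pvid 1, and VLAN 1's dynamic membership includes every port, so wlan1 clients can reach wlan2 clients directly; that is the failure mode behind the note above. The model deliberately ignores ingress filtering, so it does not show what happens when a client-side tag arrives on a port that is not a member of that VLAN.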


R3:

  • Add IP address on wlan1 interface.
  • Create wireless security-profile compatible with R2 wlan1.
[admin@R3] >
/ip address
add address=192.168.1.3/24 interface=wlan1

/interface wireless
set [ find default-name=wlan1 ] disabled=no security-profile=vlan111

R4:

  • Add IP address on wlan1 interface.
  • Create wireless security-profile compatible with R2 wlan2.
[admin@R4] >
/ip address
add address=192.168.2.4/24 interface=wlan1

/interface wireless
set [ find default-name=wlan1 ] disabled=no security-profile=vlan222