I think there have been some recent firmware changes that might help me here (looking at old VLAN comments).
I am setting up a new network with a little different network topology than I am used to and I can't quite wrap my head around the solution.
Our router is serving a dozen or so VLANs. Each VLAN contains a /27 of client public IP addresses with a DCHP pool for each VLAN. Additionally, we have a management /24 VLAN that is not running a DHCP server. All radios have static IPs in the management subnet. A VPN is also built to remote into the router and get on the management VLAN.
What utimately we want to do is assign the management VLAN to the APs and SMs and be able to access radio management from either the wireless side or the Ethernet side of any AP or SM (as long as the techs laptop is configured to that VLAN and subnet). All are running 2.5.2 firmware and it looks like that is possible now?
Additionally, we want the client's home router to grab a public IP address from the client VLAN when they plug in without having to configure any VLANs on their end.
Where I am a bit confused is the programming of the SMs to make this work and the VLAN tagging. What am I doing under Membership VLANs and VLAN Mapping?
Sorry, coming from a different vendor and I must not be very smart anyway since VLANs get me in trouble mentally.
After reading through the Excel spreadsheet from the KB on VLANs, it looks like what I want to do is this:
Assumptions - VLAN 5 is management VLAN 10 is public IP DHCP VLAN (for clients router WAN port)
On the AP: Turn on Management VLAN and assign it 5. No other changes.
On the SM: Turn on Management VLAN and assign it 5. Turn on Data VLAN and assign it 10. Allow management from wired and wireless.
I feel like I am missing steps but that is what I read? Since the customer will never know about VLANS, I don't need any VLAN memberships built? They plug in to the Ethernet port and get an IP served from VLAN 10's pool. I plug in a tech laptop with a static IP in the management subnet AND tagging VLAN 5 and I can access any radio IP.
All switches in the system connected to radios are set to trunk ports.
Great questions here. We actually use VLANs over the wireless link too! We run VLAN 10 for all the SMs to have IPs, and VLAN 11 for the customer access side. The idea is to make it so no customer could ever even get to the login page of another customers SM.
In addition, we run "SM Isolation" This also prevents any two clients from communicating on the AP. We further this with Port isolation on our switches to only permit the AP port to talk to the router port. This allows us to have one VLAN for all client IPs per site without the fear of broadcast storms or having customers hand out DHCP to other customers.
Now for the VLAN side, it's all really simple. You tag your management and data vlans to the AP side from your switch or router at the tower, then configure the AP for the management VLAN you are using. Then on the SM side you set its Management VLAN and the Data VLAN. The client will get untagged access on the Data VLAN without having any special configuration on their end.
Will this fail if my switch ports conencted to the APs are left as trunk ports? Should just pass all VLANs to the APs and then deal with it at the client SM - or do they need to get tagged "somewhere" other than the SM?
Would you mind posting a screen shot of your network tab on the SM and AP? Just the VLAN sections?
You can send trunked vlans to the AP from the switch or router, and no additional configuration on the AP is required to pass the VLAN. You just select what VLAN you want untagged on the client end in "Data VLAN"
The first screen shot is of the SM side, and the second is of the AP.
Say I have an SM that is going to be recieving data from an AP with both tagged and un-tagged VLANs coming across the wireless link. The tagging / un-tagging is done with a Netonix at the AP end (and there is a Netonix at the SM end).
I want all the traffic to simply pass through the SM un-changed and into the SM side Netonix. For example, the SM will see VLAN 5, 50, 99 as tagged and VLAN 31 as un-tagged
In the SM radio, I select Management VLAN and enter 5 (our tagged MGT VLAN for all radios).
If I leave the "VLAN Membership" section totally empty as well as the Data VLAN section, will the SM pass the rest of the VLANs along to the switch? Since I have an un-tagged VLAN coming across the link, I am worried about using the VLAN Membership section since that deals with tagged VLANs and may drop the un-tagged?
Leave the VLAN Memebership table blank. The SM will simply pass through all the tagged and untagged traffic. Even the packets tagged with Mgmt VLAN ID 5 will pass through if the destination IP is something other than the SM's IP.
Here's a good KB article on how ePMP's VLAN works (if you haven't seen it already):
Hello, I need to clarify something. I have a setup where I use a Vlan 100 ID for management but the ISP is providing public IP Address, so in my router (Mikrotik) i have configured the port for the AP as bridge connected to the gateway of the ISP and i didnt have any data VLAN configured so the wireless link can act as a transparent bridge.
I have connected a computer in the SM ethernet and configured as the public IP address and everything works fine.
But when the client connect his router/firewall he gets a error of a mismatch VLAN.
Is there any possibility that my configuration is causing the error? or it can be on the client side configuration.
Thanks for any clarification.
SM Mode
Management VLAN
Data VLAN
Multicast VLAN
Membership VLAN
VLAN Mapping
Separate PPPoE / NAT VLAN
Downlink Operation
Uplink Operation
Bridge
100
NA
Tagged packets of 100 destined for SM terminates at the SM. All other traffic passed (including packets tagged with 100 for other destinations other than SM).
Tagged packets of 5 destined for SM are are allowed if Access is Enabled via "VLAN Management Access" for Ethernet, otherwise - dropped. All other traffic passed (including packets tagged with 5 for other destinations other than SM).
