Trying to get VLANs working between Mikrotik HAP AC and RB4011iGS+











up vote
1
down vote

favorite












Here is the network diagram:



diagram



I have set up 3 vlans:
vlan1: 192.168.9.0/24
vlan11-lan: 192.168.11.0/24
vlan22-guest: 192.168.22.0/24



vlan1 is working perfectly. Every host in 192.168.9.0/24 network is pinging each other.



vlan11-lan and vlan22-guest do not work correctly:




  • HAP AC can ping RB4011 (192.168.11.1 or 192.168.22.1)

  • RB4011 can ping HAP AC (192.168.11.2 or 192.168.22.2)

  • PC5 and PC2 cannot ping each other and cannot ping RB4011 (192.168.11.1) or HAP AC (192.168.11.2). They do not even get MAC addresses of each other in their ARP tables.

  • PC3 cannot ping RB4011 (192.168.22.1) or HAP AC (192.168.22.2). Also it does not get their MAC addresses in its ARP table.


I disabled firewall completely, but yet no success. I have masquerade going out from internet interface (eth1 on RB4011iGS+).



RB4011iGS+ config:



# nov/15/2018 22:53:31 by RouterOS 6.43.4
# software id = WP4U-Z565
#
# model = RB4011iGS+
# serial number = 968A09187F4C
/interface bridge
add admin-mac=B8:69:F4:92:25:57 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1598
set [ find default-name=ether2 ] l2mtu=1598
set [ find default-name=ether3 ] l2mtu=1598
set [ find default-name=ether4 ] l2mtu=1598
set [ find default-name=ether5 ] l2mtu=1598
set [ find default-name=ether6 ] l2mtu=1598
set [ find default-name=ether7 ] l2mtu=1598
set [ find default-name=ether8 ] l2mtu=1598
set [ find default-name=ether9 ] l2mtu=1598
set [ find default-name=ether10 ] l2mtu=1598
/interface vlan
add interface=ether10 name=vlan11-lan vlan-id=11
add interface=ether10 name=vlan22-guest vlan-id=22
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.9.50-192.168.9.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge interface=ether10
add bridge=bridge interface=ether5 pvid=11
add bridge=bridge interface=ether6
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=ether10 vlan-ids=11
add bridge=bridge tagged=ether10 vlan-ids=22
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add list=LAN
/ip address
add address=192.168.100.2/24 interface=ether1 network=192.168.100.0
add address=192.168.22.1/24 interface=vlan22-guest network=192.168.22.0
add address=192.168.9.1/24 interface=bridge network=192.168.9.0
add address=192.168.11.1/24 interface=vlan11-lan network=192.168.11.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.9.0/24 gateway=192.168.9.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.9.1 name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=netmap chain=dstnat dst-port=3484 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=3306
add action=netmap chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.9.6 to-ports=3389
add action=masquerade chain=srcnat dst-port=80 protocol=tcp src-address=192.168.9.0/24
add action=netmap chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=80
/ip route
add distance=1 gateway=192.168.100.1
/ip traffic-flow
set cache-entries=32k interfaces=local
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=RB4011
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether10


HAP AC config:



# nov/15/2018 22:47:07 by RouterOS 6.43.2
# software id = R9TC-1I4K
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 6737065A9A5D
/interface bridge
add admin-mac=6C:3B:6B:11:EB:C1 auto-mac=no name=bridge vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC7 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC6 wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan11-lan vlan-id=11
add interface=ether1 name=vlan22-guest vlan-id=22
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=1234567123 wpa2-pre-shared-key=1234567123
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4 pvid=11
add bridge=bridge interface=ether5 pvid=22
/interface bridge vlan
add bridge=bridge tagged=ether1 vlan-ids=11
add bridge=bridge tagged=ether1 vlan-ids=22
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp1 list=WAN
/ip address
add address=192.168.22.2/24 interface=vlan22-guest network=192.168.22.0
add address=192.168.9.2/24 interface=bridge network=192.168.9.0
add address=192.168.11.2/24 interface=vlan11-lan network=192.168.11.0
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.9.2 name=router.lan
/ip route
add distance=1 gateway=192.168.9.1
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=HAP_AC
/system routerboard settings
set silent-boot=no
/tool sniffer
set filter-interface=ether1 filter-ip-address=!192.168.13.2/32









share|improve this question




























    up vote
    1
    down vote

    favorite












    Here is the network diagram:



    diagram



    I have set up 3 vlans:
    vlan1: 192.168.9.0/24
    vlan11-lan: 192.168.11.0/24
    vlan22-guest: 192.168.22.0/24



    vlan1 is working perfectly. Every host in 192.168.9.0/24 network is pinging each other.



    vlan11-lan and vlan22-guest do not work correctly:




    • HAP AC can ping RB4011 (192.168.11.1 or 192.168.22.1)

    • RB4011 can ping HAP AC (192.168.11.2 or 192.168.22.2)

    • PC5 and PC2 cannot ping each other and cannot ping RB4011 (192.168.11.1) or HAP AC (192.168.11.2). They do not even get MAC addresses of each other in their ARP tables.

    • PC3 cannot ping RB4011 (192.168.22.1) or HAP AC (192.168.22.2). Also it does not get their MAC addresses in its ARP table.


    I disabled firewall completely, but yet no success. I have masquerade going out from internet interface (eth1 on RB4011iGS+).



    RB4011iGS+ config:



    # nov/15/2018 22:53:31 by RouterOS 6.43.4
    # software id = WP4U-Z565
    #
    # model = RB4011iGS+
    # serial number = 968A09187F4C
    /interface bridge
    add admin-mac=B8:69:F4:92:25:57 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
    /interface ethernet
    set [ find default-name=ether1 ] l2mtu=1598
    set [ find default-name=ether2 ] l2mtu=1598
    set [ find default-name=ether3 ] l2mtu=1598
    set [ find default-name=ether4 ] l2mtu=1598
    set [ find default-name=ether5 ] l2mtu=1598
    set [ find default-name=ether6 ] l2mtu=1598
    set [ find default-name=ether7 ] l2mtu=1598
    set [ find default-name=ether8 ] l2mtu=1598
    set [ find default-name=ether9 ] l2mtu=1598
    set [ find default-name=ether10 ] l2mtu=1598
    /interface vlan
    add interface=ether10 name=vlan11-lan vlan-id=11
    add interface=ether10 name=vlan22-guest vlan-id=22
    /interface list
    add comment=defconf name=WAN
    add comment=defconf name=LAN
    /interface wireless security-profiles
    set [ find default=yes ] supplicant-identity=MikroTik
    /ip pool
    add name=dhcp ranges=192.168.9.50-192.168.9.254
    /ip dhcp-server
    add address-pool=dhcp disabled=no interface=bridge name=defconf
    /interface bridge port
    add bridge=bridge interface=ether10
    add bridge=bridge interface=ether5 pvid=11
    add bridge=bridge interface=ether6
    /ip neighbor discovery-settings
    set discover-interface-list=LAN
    /interface bridge vlan
    add bridge=bridge tagged=ether10 vlan-ids=11
    add bridge=bridge tagged=ether10 vlan-ids=22
    /interface list member
    add comment=defconf interface=bridge list=LAN
    add comment=defconf interface=ether1 list=WAN
    add list=LAN
    /ip address
    add address=192.168.100.2/24 interface=ether1 network=192.168.100.0
    add address=192.168.22.1/24 interface=vlan22-guest network=192.168.22.0
    add address=192.168.9.1/24 interface=bridge network=192.168.9.0
    add address=192.168.11.1/24 interface=vlan11-lan network=192.168.11.0
    /ip cloud
    set ddns-enabled=yes
    /ip dhcp-server network
    add address=192.168.9.0/24 gateway=192.168.9.1 netmask=24
    /ip dns
    set allow-remote-requests=yes
    /ip dns static
    add address=192.168.9.1 name=router.lan
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
    add action=netmap chain=dstnat dst-port=3484 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=3306
    add action=netmap chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.9.6 to-ports=3389
    add action=masquerade chain=srcnat dst-port=80 protocol=tcp src-address=192.168.9.0/24
    add action=netmap chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=80
    /ip route
    add distance=1 gateway=192.168.100.1
    /ip traffic-flow
    set cache-entries=32k interfaces=local
    /system clock
    set time-zone-name=Europe/Moscow
    /system identity
    set name=RB4011
    /system routerboard settings
    set silent-boot=no
    /tool mac-server
    set allowed-interface-list=LAN
    /tool mac-server mac-winbox
    set allowed-interface-list=LAN
    /tool sniffer
    set filter-interface=ether10


    HAP AC config:



    # nov/15/2018 22:47:07 by RouterOS 6.43.2
    # software id = R9TC-1I4K
    #
    # model = RouterBOARD 962UiGS-5HacT2HnT
    # serial number = 6737065A9A5D
    /interface bridge
    add admin-mac=6C:3B:6B:11:EB:C1 auto-mac=no name=bridge vlan-filtering=yes
    /interface wireless
    set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC7 wireless-protocol=802.11
    set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC6 wireless-protocol=802.11
    /interface vlan
    add interface=ether1 name=vlan11-lan vlan-id=11
    add interface=ether1 name=vlan22-guest vlan-id=22
    /interface list
    add comment=defconf name=WAN
    add comment=defconf name=LAN
    /interface wireless security-profiles
    set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=1234567123 wpa2-pre-shared-key=1234567123
    /ip hotspot profile
    set [ find default=yes ] html-directory=flash/hotspot
    /interface bridge port
    add bridge=bridge interface=ether1
    add bridge=bridge interface=ether3
    add bridge=bridge interface=ether4 pvid=11
    add bridge=bridge interface=ether5 pvid=22
    /interface bridge vlan
    add bridge=bridge tagged=ether1 vlan-ids=11
    add bridge=bridge tagged=ether1 vlan-ids=22
    /interface list member
    add comment=defconf interface=bridge list=LAN
    add interface=sfp1 list=WAN
    /ip address
    add address=192.168.22.2/24 interface=vlan22-guest network=192.168.22.0
    add address=192.168.9.2/24 interface=bridge network=192.168.9.0
    add address=192.168.11.2/24 interface=vlan11-lan network=192.168.11.0
    /ip dns
    set allow-remote-requests=yes
    /ip dns static
    add address=192.168.9.2 name=router.lan
    /ip route
    add distance=1 gateway=192.168.9.1
    /system clock
    set time-zone-name=Europe/Moscow
    /system identity
    set name=HAP_AC
    /system routerboard settings
    set silent-boot=no
    /tool sniffer
    set filter-interface=ether1 filter-ip-address=!192.168.13.2/32









    share|improve this question


























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      Here is the network diagram:



      diagram



      I have set up 3 vlans:
      vlan1: 192.168.9.0/24
      vlan11-lan: 192.168.11.0/24
      vlan22-guest: 192.168.22.0/24



      vlan1 is working perfectly. Every host in 192.168.9.0/24 network is pinging each other.



      vlan11-lan and vlan22-guest do not work correctly:




      • HAP AC can ping RB4011 (192.168.11.1 or 192.168.22.1)

      • RB4011 can ping HAP AC (192.168.11.2 or 192.168.22.2)

      • PC5 and PC2 cannot ping each other and cannot ping RB4011 (192.168.11.1) or HAP AC (192.168.11.2). They do not even get MAC addresses of each other in their ARP tables.

      • PC3 cannot ping RB4011 (192.168.22.1) or HAP AC (192.168.22.2). Also it does not get their MAC addresses in its ARP table.


      I disabled firewall completely, but yet no success. I have masquerade going out from internet interface (eth1 on RB4011iGS+).



      RB4011iGS+ config:



      # nov/15/2018 22:53:31 by RouterOS 6.43.4
      # software id = WP4U-Z565
      #
      # model = RB4011iGS+
      # serial number = 968A09187F4C
      /interface bridge
      add admin-mac=B8:69:F4:92:25:57 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
      /interface ethernet
      set [ find default-name=ether1 ] l2mtu=1598
      set [ find default-name=ether2 ] l2mtu=1598
      set [ find default-name=ether3 ] l2mtu=1598
      set [ find default-name=ether4 ] l2mtu=1598
      set [ find default-name=ether5 ] l2mtu=1598
      set [ find default-name=ether6 ] l2mtu=1598
      set [ find default-name=ether7 ] l2mtu=1598
      set [ find default-name=ether8 ] l2mtu=1598
      set [ find default-name=ether9 ] l2mtu=1598
      set [ find default-name=ether10 ] l2mtu=1598
      /interface vlan
      add interface=ether10 name=vlan11-lan vlan-id=11
      add interface=ether10 name=vlan22-guest vlan-id=22
      /interface list
      add comment=defconf name=WAN
      add comment=defconf name=LAN
      /interface wireless security-profiles
      set [ find default=yes ] supplicant-identity=MikroTik
      /ip pool
      add name=dhcp ranges=192.168.9.50-192.168.9.254
      /ip dhcp-server
      add address-pool=dhcp disabled=no interface=bridge name=defconf
      /interface bridge port
      add bridge=bridge interface=ether10
      add bridge=bridge interface=ether5 pvid=11
      add bridge=bridge interface=ether6
      /ip neighbor discovery-settings
      set discover-interface-list=LAN
      /interface bridge vlan
      add bridge=bridge tagged=ether10 vlan-ids=11
      add bridge=bridge tagged=ether10 vlan-ids=22
      /interface list member
      add comment=defconf interface=bridge list=LAN
      add comment=defconf interface=ether1 list=WAN
      add list=LAN
      /ip address
      add address=192.168.100.2/24 interface=ether1 network=192.168.100.0
      add address=192.168.22.1/24 interface=vlan22-guest network=192.168.22.0
      add address=192.168.9.1/24 interface=bridge network=192.168.9.0
      add address=192.168.11.1/24 interface=vlan11-lan network=192.168.11.0
      /ip cloud
      set ddns-enabled=yes
      /ip dhcp-server network
      add address=192.168.9.0/24 gateway=192.168.9.1 netmask=24
      /ip dns
      set allow-remote-requests=yes
      /ip dns static
      add address=192.168.9.1 name=router.lan
      /ip firewall nat
      add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
      add action=netmap chain=dstnat dst-port=3484 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=3306
      add action=netmap chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.9.6 to-ports=3389
      add action=masquerade chain=srcnat dst-port=80 protocol=tcp src-address=192.168.9.0/24
      add action=netmap chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=80
      /ip route
      add distance=1 gateway=192.168.100.1
      /ip traffic-flow
      set cache-entries=32k interfaces=local
      /system clock
      set time-zone-name=Europe/Moscow
      /system identity
      set name=RB4011
      /system routerboard settings
      set silent-boot=no
      /tool mac-server
      set allowed-interface-list=LAN
      /tool mac-server mac-winbox
      set allowed-interface-list=LAN
      /tool sniffer
      set filter-interface=ether10


      HAP AC config:



      # nov/15/2018 22:47:07 by RouterOS 6.43.2
      # software id = R9TC-1I4K
      #
      # model = RouterBOARD 962UiGS-5HacT2HnT
      # serial number = 6737065A9A5D
      /interface bridge
      add admin-mac=6C:3B:6B:11:EB:C1 auto-mac=no name=bridge vlan-filtering=yes
      /interface wireless
      set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC7 wireless-protocol=802.11
      set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC6 wireless-protocol=802.11
      /interface vlan
      add interface=ether1 name=vlan11-lan vlan-id=11
      add interface=ether1 name=vlan22-guest vlan-id=22
      /interface list
      add comment=defconf name=WAN
      add comment=defconf name=LAN
      /interface wireless security-profiles
      set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=1234567123 wpa2-pre-shared-key=1234567123
      /ip hotspot profile
      set [ find default=yes ] html-directory=flash/hotspot
      /interface bridge port
      add bridge=bridge interface=ether1
      add bridge=bridge interface=ether3
      add bridge=bridge interface=ether4 pvid=11
      add bridge=bridge interface=ether5 pvid=22
      /interface bridge vlan
      add bridge=bridge tagged=ether1 vlan-ids=11
      add bridge=bridge tagged=ether1 vlan-ids=22
      /interface list member
      add comment=defconf interface=bridge list=LAN
      add interface=sfp1 list=WAN
      /ip address
      add address=192.168.22.2/24 interface=vlan22-guest network=192.168.22.0
      add address=192.168.9.2/24 interface=bridge network=192.168.9.0
      add address=192.168.11.2/24 interface=vlan11-lan network=192.168.11.0
      /ip dns
      set allow-remote-requests=yes
      /ip dns static
      add address=192.168.9.2 name=router.lan
      /ip route
      add distance=1 gateway=192.168.9.1
      /system clock
      set time-zone-name=Europe/Moscow
      /system identity
      set name=HAP_AC
      /system routerboard settings
      set silent-boot=no
      /tool sniffer
      set filter-interface=ether1 filter-ip-address=!192.168.13.2/32









      share|improve this question















      Here is the network diagram:



      diagram



      I have set up 3 vlans:
      vlan1: 192.168.9.0/24
      vlan11-lan: 192.168.11.0/24
      vlan22-guest: 192.168.22.0/24



      vlan1 is working perfectly. Every host in 192.168.9.0/24 network is pinging each other.



      vlan11-lan and vlan22-guest do not work correctly:




      • HAP AC can ping RB4011 (192.168.11.1 or 192.168.22.1)

      • RB4011 can ping HAP AC (192.168.11.2 or 192.168.22.2)

      • PC5 and PC2 cannot ping each other and cannot ping RB4011 (192.168.11.1) or HAP AC (192.168.11.2). They do not even get MAC addresses of each other in their ARP tables.

      • PC3 cannot ping RB4011 (192.168.22.1) or HAP AC (192.168.22.2). Also it does not get their MAC addresses in its ARP table.


      I disabled firewall completely, but yet no success. I have masquerade going out from internet interface (eth1 on RB4011iGS+).



      RB4011iGS+ config:



      # nov/15/2018 22:53:31 by RouterOS 6.43.4
      # software id = WP4U-Z565
      #
      # model = RB4011iGS+
      # serial number = 968A09187F4C
      /interface bridge
      add admin-mac=B8:69:F4:92:25:57 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
      /interface ethernet
      set [ find default-name=ether1 ] l2mtu=1598
      set [ find default-name=ether2 ] l2mtu=1598
      set [ find default-name=ether3 ] l2mtu=1598
      set [ find default-name=ether4 ] l2mtu=1598
      set [ find default-name=ether5 ] l2mtu=1598
      set [ find default-name=ether6 ] l2mtu=1598
      set [ find default-name=ether7 ] l2mtu=1598
      set [ find default-name=ether8 ] l2mtu=1598
      set [ find default-name=ether9 ] l2mtu=1598
      set [ find default-name=ether10 ] l2mtu=1598
      /interface vlan
      add interface=ether10 name=vlan11-lan vlan-id=11
      add interface=ether10 name=vlan22-guest vlan-id=22
      /interface list
      add comment=defconf name=WAN
      add comment=defconf name=LAN
      /interface wireless security-profiles
      set [ find default=yes ] supplicant-identity=MikroTik
      /ip pool
      add name=dhcp ranges=192.168.9.50-192.168.9.254
      /ip dhcp-server
      add address-pool=dhcp disabled=no interface=bridge name=defconf
      /interface bridge port
      add bridge=bridge interface=ether10
      add bridge=bridge interface=ether5 pvid=11
      add bridge=bridge interface=ether6
      /ip neighbor discovery-settings
      set discover-interface-list=LAN
      /interface bridge vlan
      add bridge=bridge tagged=ether10 vlan-ids=11
      add bridge=bridge tagged=ether10 vlan-ids=22
      /interface list member
      add comment=defconf interface=bridge list=LAN
      add comment=defconf interface=ether1 list=WAN
      add list=LAN
      /ip address
      add address=192.168.100.2/24 interface=ether1 network=192.168.100.0
      add address=192.168.22.1/24 interface=vlan22-guest network=192.168.22.0
      add address=192.168.9.1/24 interface=bridge network=192.168.9.0
      add address=192.168.11.1/24 interface=vlan11-lan network=192.168.11.0
      /ip cloud
      set ddns-enabled=yes
      /ip dhcp-server network
      add address=192.168.9.0/24 gateway=192.168.9.1 netmask=24
      /ip dns
      set allow-remote-requests=yes
      /ip dns static
      add address=192.168.9.1 name=router.lan
      /ip firewall nat
      add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
      add action=netmap chain=dstnat dst-port=3484 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=3306
      add action=netmap chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.9.6 to-ports=3389
      add action=masquerade chain=srcnat dst-port=80 protocol=tcp src-address=192.168.9.0/24
      add action=netmap chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=80
      /ip route
      add distance=1 gateway=192.168.100.1
      /ip traffic-flow
      set cache-entries=32k interfaces=local
      /system clock
      set time-zone-name=Europe/Moscow
      /system identity
      set name=RB4011
      /system routerboard settings
      set silent-boot=no
      /tool mac-server
      set allowed-interface-list=LAN
      /tool mac-server mac-winbox
      set allowed-interface-list=LAN
      /tool sniffer
      set filter-interface=ether10


      HAP AC config:



      # nov/15/2018 22:47:07 by RouterOS 6.43.2
      # software id = R9TC-1I4K
      #
      # model = RouterBOARD 962UiGS-5HacT2HnT
      # serial number = 6737065A9A5D
      /interface bridge
      add admin-mac=6C:3B:6B:11:EB:C1 auto-mac=no name=bridge vlan-filtering=yes
      /interface wireless
      set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC7 wireless-protocol=802.11
      set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC6 wireless-protocol=802.11
      /interface vlan
      add interface=ether1 name=vlan11-lan vlan-id=11
      add interface=ether1 name=vlan22-guest vlan-id=22
      /interface list
      add comment=defconf name=WAN
      add comment=defconf name=LAN
      /interface wireless security-profiles
      set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=1234567123 wpa2-pre-shared-key=1234567123
      /ip hotspot profile
      set [ find default=yes ] html-directory=flash/hotspot
      /interface bridge port
      add bridge=bridge interface=ether1
      add bridge=bridge interface=ether3
      add bridge=bridge interface=ether4 pvid=11
      add bridge=bridge interface=ether5 pvid=22
      /interface bridge vlan
      add bridge=bridge tagged=ether1 vlan-ids=11
      add bridge=bridge tagged=ether1 vlan-ids=22
      /interface list member
      add comment=defconf interface=bridge list=LAN
      add interface=sfp1 list=WAN
      /ip address
      add address=192.168.22.2/24 interface=vlan22-guest network=192.168.22.0
      add address=192.168.9.2/24 interface=bridge network=192.168.9.0
      add address=192.168.11.2/24 interface=vlan11-lan network=192.168.11.0
      /ip dns
      set allow-remote-requests=yes
      /ip dns static
      add address=192.168.9.2 name=router.lan
      /ip route
      add distance=1 gateway=192.168.9.1
      /system clock
      set time-zone-name=Europe/Moscow
      /system identity
      set name=HAP_AC
      /system routerboard settings
      set silent-boot=no
      /tool sniffer
      set filter-interface=ether1 filter-ip-address=!192.168.13.2/32






      networking vlan mikrotik-routeros






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 12 hours ago

























      asked yesterday









      Rualark

      63




      63






















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          0
          down vote













          You haven't added the bridge itself (i.e. the virtual "CPU port") as a VLAN member:




          /interface bridge vlan set [find] tagged=bridge1,ether10


          Without this, the bridge would forward traffic between other ports, but wouldn't pass it "upwards" to the operating system.






          share|improve this answer





















          • Do you mean this: /interface bridge vlan add bridge=br1-lan tagged=ether10,br1-lan vlan-ids=11 and /interface bridge vlan add bridge=br1-lan tagged=ether10,br1-lan vlan-ids=22
            – Rualark
            yesterday












          • Yes, the 'tagged' option has to list the bridge's actual name.
            – grawity
            yesterday










          • I added these lines, but I am still facing the same problem. Should I post full changed config?
            – Rualark
            yesterday


















          up vote
          0
          down vote













          Thanks to grawity for an idea! The full answer to the problem is the following:





          1. Add bridge as VLAN member on both bridges (thanks grawity):



            /interface bridge vlan
            add bridge=bridge tagged=ether10,bridge untagged=ether5 vlan-ids=11
            add bridge=bridge tagged=ether10,bridge vlan-ids=22

            /interface bridge vlan
            add bridge=bridge tagged=ether1,bridge untagged=ether4 vlan-ids=11
            add bridge=bridge tagged=ether1,bridge untagged=ether5 vlan-ids=22



          2. Move vlan interfaces from trunk interface to bridge:



            /interface vlan
            add interface=bridge name=vlan11-lan vlan-id=11
            add interface=bridge name=vlan22-guest vlan-id=22

            /interface vlan
            add interface=bridge name=vlan11-lan vlan-id=11
            add interface=bridge name=vlan22-guest vlan-id=22



          Fixed RB4011iGS+ config:



          # nov/16/2018 19:24:29 by RouterOS 6.43.4
          # software id = WP4U-Z565
          #
          # model = RB4011iGS+
          # serial number = 968A09187F4C
          /interface bridge
          add admin-mac=B8:69:F4:92:25:57 auto-mac=no name=bridge vlan-filtering=yes
          /interface ethernet
          set [ find default-name=ether1 ] l2mtu=1598
          set [ find default-name=ether2 ] l2mtu=1598
          set [ find default-name=ether3 ] l2mtu=1598
          set [ find default-name=ether4 ] l2mtu=1598
          set [ find default-name=ether5 ] l2mtu=1598
          set [ find default-name=ether6 ] l2mtu=1598
          set [ find default-name=ether7 ] l2mtu=1598
          set [ find default-name=ether8 ] l2mtu=1598
          set [ find default-name=ether9 ] l2mtu=1598
          set [ find default-name=ether10 ] l2mtu=1598
          /interface vlan
          add interface=bridge name=vlan11-lan vlan-id=11
          add interface=bridge name=vlan22-guest vlan-id=22
          /interface list
          add comment=defconf name=WAN
          add comment=defconf name=LAN
          /interface wireless security-profiles
          set [ find default=yes ] supplicant-identity=MikroTik
          /ip pool
          add name=dhcp ranges=192.168.9.50-192.168.9.254
          /ip dhcp-server
          add address-pool=dhcp disabled=no interface=bridge name=defconf
          /interface bridge port
          add bridge=bridge interface=ether10
          add bridge=bridge interface=ether5 pvid=11
          add bridge=bridge interface=ether6
          /ip neighbor discovery-settings
          set discover-interface-list=LAN
          /interface bridge vlan
          add bridge=bridge tagged=ether10,bridge untagged=ether5 vlan-ids=11
          add bridge=bridge tagged=ether10,bridge vlan-ids=22
          /interface list member
          add comment=defconf interface=bridge list=LAN
          add comment=defconf interface=ether1 list=WAN
          add list=LAN
          /ip address
          add address=192.168.100.2/24 interface=ether1 network=192.168.100.0
          add address=192.168.22.1/24 interface=vlan22-guest network=192.168.22.0
          add address=192.168.9.1/24 interface=bridge network=192.168.9.0
          add address=192.168.11.1/24 interface=vlan11-lan network=192.168.11.0
          /ip cloud
          set ddns-enabled=yes
          /ip dhcp-server network
          add address=192.168.9.0/24 gateway=192.168.9.1 netmask=24
          /ip dns
          set allow-remote-requests=yes servers=8.8.8.8
          /ip dns static
          add address=192.168.9.1 name=router.lan
          /ip firewall nat
          add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
          add action=netmap chain=dstnat dst-port=3484 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=3306
          add action=netmap chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.9.6 to-ports=3389
          add action=masquerade chain=srcnat dst-port=80 protocol=tcp src-address=192.168.9.0/24
          add action=netmap chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=80
          /ip route
          add distance=1 gateway=192.168.100.1
          /ip traffic-flow
          set cache-entries=32k interfaces=local
          /system clock
          set time-zone-name=Europe/Moscow
          /system identity
          set name=RB4011
          /system routerboard settings
          set silent-boot=no
          /tool mac-server
          set allowed-interface-list=LAN
          /tool mac-server mac-winbox
          set allowed-interface-list=LAN
          /tool sniffer
          set filter-interface=vlan22-guest


          Fixed HAP AC config:



          # nov/16/2018 19:20:06 by RouterOS 6.43.4
          # software id = R9TC-1I4K
          #
          # model = RouterBOARD 962UiGS-5HacT2HnT
          # serial number = 6737065A9A5D
          /interface bridge
          add admin-mac=6C:3B:6B:11:EB:C1 auto-mac=no name=bridge vlan-filtering=yes
          /interface ethernet
          set [ find default-name=ether3 ] disabled=yes
          /interface wireless
          set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC7 wireless-protocol=802.11
          set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC6 wireless-protocol=802.11
          /interface vlan
          add interface=bridge name=vlan11-lan vlan-id=11
          add interface=bridge name=vlan22-guest vlan-id=22
          /interface list
          add comment=defconf name=WAN
          add comment=defconf name=LAN
          /interface wireless security-profiles
          set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=1234567123 wpa2-pre-shared-key=1234567123
          /ip hotspot profile
          set [ find default=yes ] html-directory=flash/hotspot
          /interface bridge port
          add bridge=bridge interface=ether1
          add bridge=bridge interface=ether3
          add bridge=bridge interface=ether4 pvid=11
          add bridge=bridge interface=ether5 pvid=22
          /interface bridge vlan
          add bridge=bridge tagged=ether1,bridge untagged=ether4 vlan-ids=11
          add bridge=bridge tagged=ether1,bridge untagged=ether5 vlan-ids=22
          /interface list member
          add comment=defconf interface=bridge list=LAN
          add interface=sfp1 list=WAN
          /ip address
          add address=192.168.22.2/24 interface=vlan22-guest network=192.168.22.0
          add address=192.168.9.2/24 interface=bridge network=192.168.9.0
          add address=192.168.11.2/24 interface=vlan11-lan network=192.168.11.0
          /ip dns
          set allow-remote-requests=yes servers=8.8.8.8
          /ip dns static
          add address=192.168.9.2 name=router.lan
          /ip route
          add distance=1 gateway=192.168.9.1
          add distance=1 gateway=192.168.22.1
          /system clock
          set time-zone-name=Europe/Moscow
          /system identity
          set name=HAP_AC
          /system routerboard settings
          set silent-boot=no
          /tool sniffer
          set filter-interface=ether1 filter-ip-address=!192.168.13.2/32





          share|improve this answer























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "3"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














             

            draft saved


            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1375643%2ftrying-to-get-vlans-working-between-mikrotik-hap-ac-and-rb4011igs%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            0
            down vote













            You haven't added the bridge itself (i.e. the virtual "CPU port") as a VLAN member:




            /interface bridge vlan set [find] tagged=bridge1,ether10


            Without this, the bridge would forward traffic between other ports, but wouldn't pass it "upwards" to the operating system.






            share|improve this answer





















            • Do you mean this: /interface bridge vlan add bridge=br1-lan tagged=ether10,br1-lan vlan-ids=11 and /interface bridge vlan add bridge=br1-lan tagged=ether10,br1-lan vlan-ids=22
              – Rualark
              yesterday












            • Yes, the 'tagged' option has to list the bridge's actual name.
              – grawity
              yesterday










            • I added these lines, but I am still facing the same problem. Should I post full changed config?
              – Rualark
              yesterday















            up vote
            0
            down vote













            You haven't added the bridge itself (i.e. the virtual "CPU port") as a VLAN member:




            /interface bridge vlan set [find] tagged=bridge1,ether10


            Without this, the bridge would forward traffic between other ports, but wouldn't pass it "upwards" to the operating system.






            share|improve this answer





















            • Do you mean this: /interface bridge vlan add bridge=br1-lan tagged=ether10,br1-lan vlan-ids=11 and /interface bridge vlan add bridge=br1-lan tagged=ether10,br1-lan vlan-ids=22
              – Rualark
              yesterday












            • Yes, the 'tagged' option has to list the bridge's actual name.
              – grawity
              yesterday










            • I added these lines, but I am still facing the same problem. Should I post full changed config?
              – Rualark
              yesterday













            up vote
            0
            down vote










            up vote
            0
            down vote









            You haven't added the bridge itself (i.e. the virtual "CPU port") as a VLAN member:




            /interface bridge vlan set [find] tagged=bridge1,ether10


            Without this, the bridge would forward traffic between other ports, but wouldn't pass it "upwards" to the operating system.






            share|improve this answer












            You haven't added the bridge itself (i.e. the virtual "CPU port") as a VLAN member:




            /interface bridge vlan set [find] tagged=bridge1,ether10


            Without this, the bridge would forward traffic between other ports, but wouldn't pass it "upwards" to the operating system.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered yesterday









            grawity

            227k35475535




            227k35475535












            • Do you mean this: /interface bridge vlan add bridge=br1-lan tagged=ether10,br1-lan vlan-ids=11 and /interface bridge vlan add bridge=br1-lan tagged=ether10,br1-lan vlan-ids=22
              – Rualark
              yesterday












            • Yes, the 'tagged' option has to list the bridge's actual name.
              – grawity
              yesterday










            • I added these lines, but I am still facing the same problem. Should I post full changed config?
              – Rualark
              yesterday


















            • Do you mean this: /interface bridge vlan add bridge=br1-lan tagged=ether10,br1-lan vlan-ids=11 and /interface bridge vlan add bridge=br1-lan tagged=ether10,br1-lan vlan-ids=22
              – Rualark
              yesterday












            • Yes, the 'tagged' option has to list the bridge's actual name.
              – grawity
              yesterday










            • I added these lines, but I am still facing the same problem. Should I post full changed config?
              – Rualark
              yesterday
















            Do you mean this: /interface bridge vlan add bridge=br1-lan tagged=ether10,br1-lan vlan-ids=11 and /interface bridge vlan add bridge=br1-lan tagged=ether10,br1-lan vlan-ids=22
            – Rualark
            yesterday






            Do you mean this: /interface bridge vlan add bridge=br1-lan tagged=ether10,br1-lan vlan-ids=11 and /interface bridge vlan add bridge=br1-lan tagged=ether10,br1-lan vlan-ids=22
            – Rualark
            yesterday














            Yes, the 'tagged' option has to list the bridge's actual name.
            – grawity
            yesterday




            Yes, the 'tagged' option has to list the bridge's actual name.
            – grawity
            yesterday












            I added these lines, but I am still facing the same problem. Should I post full changed config?
            – Rualark
            yesterday




            I added these lines, but I am still facing the same problem. Should I post full changed config?
            – Rualark
            yesterday












            up vote
            0
            down vote













            Thanks to grawity for an idea! The full answer to the problem is the following:





            1. Add bridge as VLAN member on both bridges (thanks grawity):



              /interface bridge vlan
              add bridge=bridge tagged=ether10,bridge untagged=ether5 vlan-ids=11
              add bridge=bridge tagged=ether10,bridge vlan-ids=22

              /interface bridge vlan
              add bridge=bridge tagged=ether1,bridge untagged=ether4 vlan-ids=11
              add bridge=bridge tagged=ether1,bridge untagged=ether5 vlan-ids=22



            2. Move vlan interfaces from trunk interface to bridge:



              /interface vlan
              add interface=bridge name=vlan11-lan vlan-id=11
              add interface=bridge name=vlan22-guest vlan-id=22

              /interface vlan
              add interface=bridge name=vlan11-lan vlan-id=11
              add interface=bridge name=vlan22-guest vlan-id=22



            Fixed RB4011iGS+ config:



            # nov/16/2018 19:24:29 by RouterOS 6.43.4
            # software id = WP4U-Z565
            #
            # model = RB4011iGS+
            # serial number = 968A09187F4C
            /interface bridge
            add admin-mac=B8:69:F4:92:25:57 auto-mac=no name=bridge vlan-filtering=yes
            /interface ethernet
            set [ find default-name=ether1 ] l2mtu=1598
            set [ find default-name=ether2 ] l2mtu=1598
            set [ find default-name=ether3 ] l2mtu=1598
            set [ find default-name=ether4 ] l2mtu=1598
            set [ find default-name=ether5 ] l2mtu=1598
            set [ find default-name=ether6 ] l2mtu=1598
            set [ find default-name=ether7 ] l2mtu=1598
            set [ find default-name=ether8 ] l2mtu=1598
            set [ find default-name=ether9 ] l2mtu=1598
            set [ find default-name=ether10 ] l2mtu=1598
            /interface vlan
            add interface=bridge name=vlan11-lan vlan-id=11
            add interface=bridge name=vlan22-guest vlan-id=22
            /interface list
            add comment=defconf name=WAN
            add comment=defconf name=LAN
            /interface wireless security-profiles
            set [ find default=yes ] supplicant-identity=MikroTik
            /ip pool
            add name=dhcp ranges=192.168.9.50-192.168.9.254
            /ip dhcp-server
            add address-pool=dhcp disabled=no interface=bridge name=defconf
            /interface bridge port
            add bridge=bridge interface=ether10
            add bridge=bridge interface=ether5 pvid=11
            add bridge=bridge interface=ether6
            /ip neighbor discovery-settings
            set discover-interface-list=LAN
            /interface bridge vlan
            add bridge=bridge tagged=ether10,bridge untagged=ether5 vlan-ids=11
            add bridge=bridge tagged=ether10,bridge vlan-ids=22
            /interface list member
            add comment=defconf interface=bridge list=LAN
            add comment=defconf interface=ether1 list=WAN
            add list=LAN
            /ip address
            add address=192.168.100.2/24 interface=ether1 network=192.168.100.0
            add address=192.168.22.1/24 interface=vlan22-guest network=192.168.22.0
            add address=192.168.9.1/24 interface=bridge network=192.168.9.0
            add address=192.168.11.1/24 interface=vlan11-lan network=192.168.11.0
            /ip cloud
            set ddns-enabled=yes
            /ip dhcp-server network
            add address=192.168.9.0/24 gateway=192.168.9.1 netmask=24
            /ip dns
            set allow-remote-requests=yes servers=8.8.8.8
            /ip dns static
            add address=192.168.9.1 name=router.lan
            /ip firewall nat
            add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
            add action=netmap chain=dstnat dst-port=3484 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=3306
            add action=netmap chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.9.6 to-ports=3389
            add action=masquerade chain=srcnat dst-port=80 protocol=tcp src-address=192.168.9.0/24
            add action=netmap chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=80
            /ip route
            add distance=1 gateway=192.168.100.1
            /ip traffic-flow
            set cache-entries=32k interfaces=local
            /system clock
            set time-zone-name=Europe/Moscow
            /system identity
            set name=RB4011
            /system routerboard settings
            set silent-boot=no
            /tool mac-server
            set allowed-interface-list=LAN
            /tool mac-server mac-winbox
            set allowed-interface-list=LAN
            /tool sniffer
            set filter-interface=vlan22-guest


            Fixed HAP AC config:



            # nov/16/2018 19:20:06 by RouterOS 6.43.4
            # software id = R9TC-1I4K
            #
            # model = RouterBOARD 962UiGS-5HacT2HnT
            # serial number = 6737065A9A5D
            /interface bridge
            add admin-mac=6C:3B:6B:11:EB:C1 auto-mac=no name=bridge vlan-filtering=yes
            /interface ethernet
            set [ find default-name=ether3 ] disabled=yes
            /interface wireless
            set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC7 wireless-protocol=802.11
            set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC6 wireless-protocol=802.11
            /interface vlan
            add interface=bridge name=vlan11-lan vlan-id=11
            add interface=bridge name=vlan22-guest vlan-id=22
            /interface list
            add comment=defconf name=WAN
            add comment=defconf name=LAN
            /interface wireless security-profiles
            set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=1234567123 wpa2-pre-shared-key=1234567123
            /ip hotspot profile
            set [ find default=yes ] html-directory=flash/hotspot
            /interface bridge port
            add bridge=bridge interface=ether1
            add bridge=bridge interface=ether3
            add bridge=bridge interface=ether4 pvid=11
            add bridge=bridge interface=ether5 pvid=22
            /interface bridge vlan
            add bridge=bridge tagged=ether1,bridge untagged=ether4 vlan-ids=11
            add bridge=bridge tagged=ether1,bridge untagged=ether5 vlan-ids=22
            /interface list member
            add comment=defconf interface=bridge list=LAN
            add interface=sfp1 list=WAN
            /ip address
            add address=192.168.22.2/24 interface=vlan22-guest network=192.168.22.0
            add address=192.168.9.2/24 interface=bridge network=192.168.9.0
            add address=192.168.11.2/24 interface=vlan11-lan network=192.168.11.0
            /ip dns
            set allow-remote-requests=yes servers=8.8.8.8
            /ip dns static
            add address=192.168.9.2 name=router.lan
            /ip route
            add distance=1 gateway=192.168.9.1
            add distance=1 gateway=192.168.22.1
            /system clock
            set time-zone-name=Europe/Moscow
            /system identity
            set name=HAP_AC
            /system routerboard settings
            set silent-boot=no
            /tool sniffer
            set filter-interface=ether1 filter-ip-address=!192.168.13.2/32





            share|improve this answer



























              up vote
              0
              down vote













              Thanks to grawity for an idea! The full answer to the problem is the following:





              1. Add bridge as VLAN member on both bridges (thanks grawity):



                /interface bridge vlan
                add bridge=bridge tagged=ether10,bridge untagged=ether5 vlan-ids=11
                add bridge=bridge tagged=ether10,bridge vlan-ids=22

                /interface bridge vlan
                add bridge=bridge tagged=ether1,bridge untagged=ether4 vlan-ids=11
                add bridge=bridge tagged=ether1,bridge untagged=ether5 vlan-ids=22



              2. Move vlan interfaces from trunk interface to bridge:



                /interface vlan
                add interface=bridge name=vlan11-lan vlan-id=11
                add interface=bridge name=vlan22-guest vlan-id=22

                /interface vlan
                add interface=bridge name=vlan11-lan vlan-id=11
                add interface=bridge name=vlan22-guest vlan-id=22



              Fixed RB4011iGS+ config:



              # nov/16/2018 19:24:29 by RouterOS 6.43.4
              # software id = WP4U-Z565
              #
              # model = RB4011iGS+
              # serial number = 968A09187F4C
              /interface bridge
              add admin-mac=B8:69:F4:92:25:57 auto-mac=no name=bridge vlan-filtering=yes
              /interface ethernet
              set [ find default-name=ether1 ] l2mtu=1598
              set [ find default-name=ether2 ] l2mtu=1598
              set [ find default-name=ether3 ] l2mtu=1598
              set [ find default-name=ether4 ] l2mtu=1598
              set [ find default-name=ether5 ] l2mtu=1598
              set [ find default-name=ether6 ] l2mtu=1598
              set [ find default-name=ether7 ] l2mtu=1598
              set [ find default-name=ether8 ] l2mtu=1598
              set [ find default-name=ether9 ] l2mtu=1598
              set [ find default-name=ether10 ] l2mtu=1598
              /interface vlan
              add interface=bridge name=vlan11-lan vlan-id=11
              add interface=bridge name=vlan22-guest vlan-id=22
              /interface list
              add comment=defconf name=WAN
              add comment=defconf name=LAN
              /interface wireless security-profiles
              set [ find default=yes ] supplicant-identity=MikroTik
              /ip pool
              add name=dhcp ranges=192.168.9.50-192.168.9.254
              /ip dhcp-server
              add address-pool=dhcp disabled=no interface=bridge name=defconf
              /interface bridge port
              add bridge=bridge interface=ether10
              add bridge=bridge interface=ether5 pvid=11
              add bridge=bridge interface=ether6
              /ip neighbor discovery-settings
              set discover-interface-list=LAN
              /interface bridge vlan
              add bridge=bridge tagged=ether10,bridge untagged=ether5 vlan-ids=11
              add bridge=bridge tagged=ether10,bridge vlan-ids=22
              /interface list member
              add comment=defconf interface=bridge list=LAN
              add comment=defconf interface=ether1 list=WAN
              add list=LAN
              /ip address
              add address=192.168.100.2/24 interface=ether1 network=192.168.100.0
              add address=192.168.22.1/24 interface=vlan22-guest network=192.168.22.0
              add address=192.168.9.1/24 interface=bridge network=192.168.9.0
              add address=192.168.11.1/24 interface=vlan11-lan network=192.168.11.0
              /ip cloud
              set ddns-enabled=yes
              /ip dhcp-server network
              add address=192.168.9.0/24 gateway=192.168.9.1 netmask=24
              /ip dns
              set allow-remote-requests=yes servers=8.8.8.8
              /ip dns static
              add address=192.168.9.1 name=router.lan
              /ip firewall nat
              add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
              add action=netmap chain=dstnat dst-port=3484 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=3306
              add action=netmap chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.9.6 to-ports=3389
              add action=masquerade chain=srcnat dst-port=80 protocol=tcp src-address=192.168.9.0/24
              add action=netmap chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=80
              /ip route
              add distance=1 gateway=192.168.100.1
              /ip traffic-flow
              set cache-entries=32k interfaces=local
              /system clock
              set time-zone-name=Europe/Moscow
              /system identity
              set name=RB4011
              /system routerboard settings
              set silent-boot=no
              /tool mac-server
              set allowed-interface-list=LAN
              /tool mac-server mac-winbox
              set allowed-interface-list=LAN
              /tool sniffer
              set filter-interface=vlan22-guest


              Fixed HAP AC config:



              # nov/16/2018 19:20:06 by RouterOS 6.43.4
              # software id = R9TC-1I4K
              #
              # model = RouterBOARD 962UiGS-5HacT2HnT
              # serial number = 6737065A9A5D
              /interface bridge
              add admin-mac=6C:3B:6B:11:EB:C1 auto-mac=no name=bridge vlan-filtering=yes
              /interface ethernet
              set [ find default-name=ether3 ] disabled=yes
              /interface wireless
              set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC7 wireless-protocol=802.11
              set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC6 wireless-protocol=802.11
              /interface vlan
              add interface=bridge name=vlan11-lan vlan-id=11
              add interface=bridge name=vlan22-guest vlan-id=22
              /interface list
              add comment=defconf name=WAN
              add comment=defconf name=LAN
              /interface wireless security-profiles
              set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=1234567123 wpa2-pre-shared-key=1234567123
              /ip hotspot profile
              set [ find default=yes ] html-directory=flash/hotspot
              /interface bridge port
              add bridge=bridge interface=ether1
              add bridge=bridge interface=ether3
              add bridge=bridge interface=ether4 pvid=11
              add bridge=bridge interface=ether5 pvid=22
              /interface bridge vlan
              add bridge=bridge tagged=ether1,bridge untagged=ether4 vlan-ids=11
              add bridge=bridge tagged=ether1,bridge untagged=ether5 vlan-ids=22
              /interface list member
              add comment=defconf interface=bridge list=LAN
              add interface=sfp1 list=WAN
              /ip address
              add address=192.168.22.2/24 interface=vlan22-guest network=192.168.22.0
              add address=192.168.9.2/24 interface=bridge network=192.168.9.0
              add address=192.168.11.2/24 interface=vlan11-lan network=192.168.11.0
              /ip dns
              set allow-remote-requests=yes servers=8.8.8.8
              /ip dns static
              add address=192.168.9.2 name=router.lan
              /ip route
              add distance=1 gateway=192.168.9.1
              add distance=1 gateway=192.168.22.1
              /system clock
              set time-zone-name=Europe/Moscow
              /system identity
              set name=HAP_AC
              /system routerboard settings
              set silent-boot=no
              /tool sniffer
              set filter-interface=ether1 filter-ip-address=!192.168.13.2/32





              share|improve this answer

























                up vote
                0
                down vote










                up vote
                0
                down vote









                Thanks to grawity for an idea! The full answer to the problem is the following:





                1. Add bridge as VLAN member on both bridges (thanks grawity):



                  /interface bridge vlan
                  add bridge=bridge tagged=ether10,bridge untagged=ether5 vlan-ids=11
                  add bridge=bridge tagged=ether10,bridge vlan-ids=22

                  /interface bridge vlan
                  add bridge=bridge tagged=ether1,bridge untagged=ether4 vlan-ids=11
                  add bridge=bridge tagged=ether1,bridge untagged=ether5 vlan-ids=22



                2. Move vlan interfaces from trunk interface to bridge:



                  /interface vlan
                  add interface=bridge name=vlan11-lan vlan-id=11
                  add interface=bridge name=vlan22-guest vlan-id=22

                  /interface vlan
                  add interface=bridge name=vlan11-lan vlan-id=11
                  add interface=bridge name=vlan22-guest vlan-id=22



                Fixed RB4011iGS+ config:



                # nov/16/2018 19:24:29 by RouterOS 6.43.4
                # software id = WP4U-Z565
                #
                # model = RB4011iGS+
                # serial number = 968A09187F4C
                /interface bridge
                add admin-mac=B8:69:F4:92:25:57 auto-mac=no name=bridge vlan-filtering=yes
                /interface ethernet
                set [ find default-name=ether1 ] l2mtu=1598
                set [ find default-name=ether2 ] l2mtu=1598
                set [ find default-name=ether3 ] l2mtu=1598
                set [ find default-name=ether4 ] l2mtu=1598
                set [ find default-name=ether5 ] l2mtu=1598
                set [ find default-name=ether6 ] l2mtu=1598
                set [ find default-name=ether7 ] l2mtu=1598
                set [ find default-name=ether8 ] l2mtu=1598
                set [ find default-name=ether9 ] l2mtu=1598
                set [ find default-name=ether10 ] l2mtu=1598
                /interface vlan
                add interface=bridge name=vlan11-lan vlan-id=11
                add interface=bridge name=vlan22-guest vlan-id=22
                /interface list
                add comment=defconf name=WAN
                add comment=defconf name=LAN
                /interface wireless security-profiles
                set [ find default=yes ] supplicant-identity=MikroTik
                /ip pool
                add name=dhcp ranges=192.168.9.50-192.168.9.254
                /ip dhcp-server
                add address-pool=dhcp disabled=no interface=bridge name=defconf
                /interface bridge port
                add bridge=bridge interface=ether10
                add bridge=bridge interface=ether5 pvid=11
                add bridge=bridge interface=ether6
                /ip neighbor discovery-settings
                set discover-interface-list=LAN
                /interface bridge vlan
                add bridge=bridge tagged=ether10,bridge untagged=ether5 vlan-ids=11
                add bridge=bridge tagged=ether10,bridge vlan-ids=22
                /interface list member
                add comment=defconf interface=bridge list=LAN
                add comment=defconf interface=ether1 list=WAN
                add list=LAN
                /ip address
                add address=192.168.100.2/24 interface=ether1 network=192.168.100.0
                add address=192.168.22.1/24 interface=vlan22-guest network=192.168.22.0
                add address=192.168.9.1/24 interface=bridge network=192.168.9.0
                add address=192.168.11.1/24 interface=vlan11-lan network=192.168.11.0
                /ip cloud
                set ddns-enabled=yes
                /ip dhcp-server network
                add address=192.168.9.0/24 gateway=192.168.9.1 netmask=24
                /ip dns
                set allow-remote-requests=yes servers=8.8.8.8
                /ip dns static
                add address=192.168.9.1 name=router.lan
                /ip firewall nat
                add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
                add action=netmap chain=dstnat dst-port=3484 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=3306
                add action=netmap chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.9.6 to-ports=3389
                add action=masquerade chain=srcnat dst-port=80 protocol=tcp src-address=192.168.9.0/24
                add action=netmap chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=80
                /ip route
                add distance=1 gateway=192.168.100.1
                /ip traffic-flow
                set cache-entries=32k interfaces=local
                /system clock
                set time-zone-name=Europe/Moscow
                /system identity
                set name=RB4011
                /system routerboard settings
                set silent-boot=no
                /tool mac-server
                set allowed-interface-list=LAN
                /tool mac-server mac-winbox
                set allowed-interface-list=LAN
                /tool sniffer
                set filter-interface=vlan22-guest


                Fixed HAP AC config:



                # nov/16/2018 19:20:06 by RouterOS 6.43.4
                # software id = R9TC-1I4K
                #
                # model = RouterBOARD 962UiGS-5HacT2HnT
                # serial number = 6737065A9A5D
                /interface bridge
                add admin-mac=6C:3B:6B:11:EB:C1 auto-mac=no name=bridge vlan-filtering=yes
                /interface ethernet
                set [ find default-name=ether3 ] disabled=yes
                /interface wireless
                set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC7 wireless-protocol=802.11
                set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC6 wireless-protocol=802.11
                /interface vlan
                add interface=bridge name=vlan11-lan vlan-id=11
                add interface=bridge name=vlan22-guest vlan-id=22
                /interface list
                add comment=defconf name=WAN
                add comment=defconf name=LAN
                /interface wireless security-profiles
                set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=1234567123 wpa2-pre-shared-key=1234567123
                /ip hotspot profile
                set [ find default=yes ] html-directory=flash/hotspot
                /interface bridge port
                add bridge=bridge interface=ether1
                add bridge=bridge interface=ether3
                add bridge=bridge interface=ether4 pvid=11
                add bridge=bridge interface=ether5 pvid=22
                /interface bridge vlan
                add bridge=bridge tagged=ether1,bridge untagged=ether4 vlan-ids=11
                add bridge=bridge tagged=ether1,bridge untagged=ether5 vlan-ids=22
                /interface list member
                add comment=defconf interface=bridge list=LAN
                add interface=sfp1 list=WAN
                /ip address
                add address=192.168.22.2/24 interface=vlan22-guest network=192.168.22.0
                add address=192.168.9.2/24 interface=bridge network=192.168.9.0
                add address=192.168.11.2/24 interface=vlan11-lan network=192.168.11.0
                /ip dns
                set allow-remote-requests=yes servers=8.8.8.8
                /ip dns static
                add address=192.168.9.2 name=router.lan
                /ip route
                add distance=1 gateway=192.168.9.1
                add distance=1 gateway=192.168.22.1
                /system clock
                set time-zone-name=Europe/Moscow
                /system identity
                set name=HAP_AC
                /system routerboard settings
                set silent-boot=no
                /tool sniffer
                set filter-interface=ether1 filter-ip-address=!192.168.13.2/32





                share|improve this answer














                Thanks to grawity for an idea! The full answer to the problem is the following:





                1. Add bridge as VLAN member on both bridges (thanks grawity):



                  /interface bridge vlan
                  add bridge=bridge tagged=ether10,bridge untagged=ether5 vlan-ids=11
                  add bridge=bridge tagged=ether10,bridge vlan-ids=22

                  /interface bridge vlan
                  add bridge=bridge tagged=ether1,bridge untagged=ether4 vlan-ids=11
                  add bridge=bridge tagged=ether1,bridge untagged=ether5 vlan-ids=22



                2. Move vlan interfaces from trunk interface to bridge:



                  /interface vlan
                  add interface=bridge name=vlan11-lan vlan-id=11
                  add interface=bridge name=vlan22-guest vlan-id=22

                  /interface vlan
                  add interface=bridge name=vlan11-lan vlan-id=11
                  add interface=bridge name=vlan22-guest vlan-id=22



                Fixed RB4011iGS+ config:



                # nov/16/2018 19:24:29 by RouterOS 6.43.4
                # software id = WP4U-Z565
                #
                # model = RB4011iGS+
                # serial number = 968A09187F4C
                /interface bridge
                add admin-mac=B8:69:F4:92:25:57 auto-mac=no name=bridge vlan-filtering=yes
                /interface ethernet
                set [ find default-name=ether1 ] l2mtu=1598
                set [ find default-name=ether2 ] l2mtu=1598
                set [ find default-name=ether3 ] l2mtu=1598
                set [ find default-name=ether4 ] l2mtu=1598
                set [ find default-name=ether5 ] l2mtu=1598
                set [ find default-name=ether6 ] l2mtu=1598
                set [ find default-name=ether7 ] l2mtu=1598
                set [ find default-name=ether8 ] l2mtu=1598
                set [ find default-name=ether9 ] l2mtu=1598
                set [ find default-name=ether10 ] l2mtu=1598
                /interface vlan
                add interface=bridge name=vlan11-lan vlan-id=11
                add interface=bridge name=vlan22-guest vlan-id=22
                /interface list
                add comment=defconf name=WAN
                add comment=defconf name=LAN
                /interface wireless security-profiles
                set [ find default=yes ] supplicant-identity=MikroTik
                /ip pool
                add name=dhcp ranges=192.168.9.50-192.168.9.254
                /ip dhcp-server
                add address-pool=dhcp disabled=no interface=bridge name=defconf
                /interface bridge port
                add bridge=bridge interface=ether10
                add bridge=bridge interface=ether5 pvid=11
                add bridge=bridge interface=ether6
                /ip neighbor discovery-settings
                set discover-interface-list=LAN
                /interface bridge vlan
                add bridge=bridge tagged=ether10,bridge untagged=ether5 vlan-ids=11
                add bridge=bridge tagged=ether10,bridge vlan-ids=22
                /interface list member
                add comment=defconf interface=bridge list=LAN
                add comment=defconf interface=ether1 list=WAN
                add list=LAN
                /ip address
                add address=192.168.100.2/24 interface=ether1 network=192.168.100.0
                add address=192.168.22.1/24 interface=vlan22-guest network=192.168.22.0
                add address=192.168.9.1/24 interface=bridge network=192.168.9.0
                add address=192.168.11.1/24 interface=vlan11-lan network=192.168.11.0
                /ip cloud
                set ddns-enabled=yes
                /ip dhcp-server network
                add address=192.168.9.0/24 gateway=192.168.9.1 netmask=24
                /ip dns
                set allow-remote-requests=yes servers=8.8.8.8
                /ip dns static
                add address=192.168.9.1 name=router.lan
                /ip firewall nat
                add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
                add action=netmap chain=dstnat dst-port=3484 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=3306
                add action=netmap chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.9.6 to-ports=3389
                add action=masquerade chain=srcnat dst-port=80 protocol=tcp src-address=192.168.9.0/24
                add action=netmap chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=80
                /ip route
                add distance=1 gateway=192.168.100.1
                /ip traffic-flow
                set cache-entries=32k interfaces=local
                /system clock
                set time-zone-name=Europe/Moscow
                /system identity
                set name=RB4011
                /system routerboard settings
                set silent-boot=no
                /tool mac-server
                set allowed-interface-list=LAN
                /tool mac-server mac-winbox
                set allowed-interface-list=LAN
                /tool sniffer
                set filter-interface=vlan22-guest


                Fixed HAP AC config:



                # nov/16/2018 19:20:06 by RouterOS 6.43.4
                # software id = R9TC-1I4K
                #
                # model = RouterBOARD 962UiGS-5HacT2HnT
                # serial number = 6737065A9A5D
                /interface bridge
                add admin-mac=6C:3B:6B:11:EB:C1 auto-mac=no name=bridge vlan-filtering=yes
                /interface ethernet
                set [ find default-name=ether3 ] disabled=yes
                /interface wireless
                set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC7 wireless-protocol=802.11
                set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC6 wireless-protocol=802.11
                /interface vlan
                add interface=bridge name=vlan11-lan vlan-id=11
                add interface=bridge name=vlan22-guest vlan-id=22
                /interface list
                add comment=defconf name=WAN
                add comment=defconf name=LAN
                /interface wireless security-profiles
                set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=1234567123 wpa2-pre-shared-key=1234567123
                /ip hotspot profile
                set [ find default=yes ] html-directory=flash/hotspot
                /interface bridge port
                add bridge=bridge interface=ether1
                add bridge=bridge interface=ether3
                add bridge=bridge interface=ether4 pvid=11
                add bridge=bridge interface=ether5 pvid=22
                /interface bridge vlan
                add bridge=bridge tagged=ether1,bridge untagged=ether4 vlan-ids=11
                add bridge=bridge tagged=ether1,bridge untagged=ether5 vlan-ids=22
                /interface list member
                add comment=defconf interface=bridge list=LAN
                add interface=sfp1 list=WAN
                /ip address
                add address=192.168.22.2/24 interface=vlan22-guest network=192.168.22.0
                add address=192.168.9.2/24 interface=bridge network=192.168.9.0
                add address=192.168.11.2/24 interface=vlan11-lan network=192.168.11.0
                /ip dns
                set allow-remote-requests=yes servers=8.8.8.8
                /ip dns static
                add address=192.168.9.2 name=router.lan
                /ip route
                add distance=1 gateway=192.168.9.1
                add distance=1 gateway=192.168.22.1
                /system clock
                set time-zone-name=Europe/Moscow
                /system identity
                set name=HAP_AC
                /system routerboard settings
                set silent-boot=no
                /tool sniffer
                set filter-interface=ether1 filter-ip-address=!192.168.13.2/32






                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited 12 hours ago

























                answered 14 hours ago









                Rualark

                63




                63






























                     

                    draft saved


                    draft discarded



















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1375643%2ftrying-to-get-vlans-working-between-mikrotik-hap-ac-and-rb4011igs%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    "Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

                    Alcedinidae

                    Origin of the phrase “under your belt”?