
Wireless VLAN Trunk

A common networking requirement is to forward only a specific set of VLANs over a Wireless Point-to-Point (PtP) link. This can be accomplished using bridge VLAN filtering, which is the recommended approach rather than bridging VLAN interfaces or other methods.

In this scenario, VLAN 10 carries Internet traffic while VLAN 99 handles management traffic. All other VLAN IDs are dropped by the configuration. This approach provides secure segmentation between traffic types while maintaining centralized management access.

Create a new bridge on both the AP and ST devices, then add ether1 and wlan1 interfaces to it:

/interface bridge
add name=bridge protocol-mode=none
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=wlan1

RSTP is optional for PtP links since loops cannot naturally occur in a two-point topology. If your network design requires RSTP for consistency with other segments, enable it; otherwise, disabling it reduces unnecessary protocol overhead.

Enable ingress filtering on both devices to drop untagged traffic, since the link expects only tagged VLAN traffic:

/interface bridge port
set [find where interface=ether1 or interface=wlan1] frame-types=admit-only-vlan-tagged ingress-filtering=yes

This configuration ensures that only properly tagged VLAN packets pass through the wireless link, preventing accidental untagged traffic from causing network issues or security vulnerabilities.

Configure the bridge VLAN table to specify which VLANs are allowed over the link. VLAN 99 includes the bridge interface in its tagged ports to allow management access to the device itself:

/interface bridge vlan
add bridge=bridge tagged=ether1,wlan1 vlan-ids=10
add bridge=bridge tagged=ether1,wlan1,bridge vlan-ids=99

VLAN 10 does not include the bridge interface because it is only meant to pass through to the other end. You can restrict management access by removing interfaces from the tagged list if needed, for example to prevent device access from the wireless side.

Create VLAN interfaces on all devices (R1, R2, AP, and ST) to enable device management through specific VLANs. For AP and ST, create the VLAN interface on the bridge:

/interface vlan
add interface=bridge name=MGMT vlan-id=99
/ip address
add address=192.168.99.X/24 interface=MGMT

For R1 and R2, the VLAN interface is created on the appropriate physical interface depending on your topology:

/interface vlan
add interface=ether1 name=MGMT vlan-id=99
/ip address
add address=192.168.99.X/24 interface=MGMT

To forward additional VLANs, simply add more entries to the bridge VLAN table. You can specify multiple VLAN IDs separated by commas, or use VLAN ranges for larger configurations.

Configure the AP side of the wireless link:

/interface wireless security-profiles
add authentication-types=wpa2-psk mode=dynamic-keys name=wlan_sec wpa2-pre-shared-key=use_a_long_password_here
/interface wireless
set wlan1 band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no mode=bridge scan-list=5180 security-profile=wlan_sec ssid=ptp_test

Configure the ST (station) side of the wireless link:

/interface wireless security-profiles
add authentication-types=wpa2-psk mode=dynamic-keys name=wlan_sec wpa2-pre-shared-key=use_a_long_password_here
/interface wireless
set wlan1 band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no mode=station-bridge scan-list=5180 security-profile=wlan_sec ssid=ptp_test

For PtP links, consider using the NV2 wireless protocol for improved performance and efficiency. Refer to the NV2 Manual documentation for configuration details.

After completing the VLAN table configuration, enable VLAN filtering on both AP and ST:

/interface bridge set bridge vlan-filtering=yes

Troubleshooting: Management Access Lost After Enabling VLAN Filtering


One of the most common issues when enabling VLAN filtering is losing management access to the device. This happens when the port used for management is not properly configured in the bridge VLAN table.

Typical symptoms:

  • Device becomes unreachable after enabling vlan-filtering=yes
  • Cannot access the router via WebFig, WinBox, or SSH
  • Previous management VLAN no longer works

Always configure the management VLAN before enabling VLAN filtering:

  1. Create the bridge and add ports
  2. Configure the bridge VLAN table with your management VLAN
  3. Create the VLAN interface for management
  4. Assign an IP address to the management VLAN
  5. Test management access works
  6. Then enable VLAN filtering

Example of proper management VLAN configuration:

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
# Add management VLAN (e.g., VLAN 99) to bridge VLAN table
# Include the bridge itself (here named bridge1) in tagged ports to allow device management
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=99
# Create management VLAN interface
/interface vlan
add interface=bridge1 name=MGMT vlan-id=99
# Assign IP address
/ip address
add address=192.168.99.1/24 interface=MGMT
# Only after management access over MGMT has been verified (step 6)
/interface bridge
set bridge1 vlan-filtering=yes
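The check in step 5 can be done on paper from a `/interface bridge vlan export`, and the following added Python example (not part of the MikroTik documentation) automates it: it parses the export, then reports why management on VLAN 99 would be lost once vlan-filtering=yes is set, including the bridge's own name missing from the tagged list and a VLAN that would not cross the PtP link. The export text is a constructed sample modelled on the AP/ST table above, and `preflight` is a hypothetical helper name.

```python
import re

# Constructed sample export, modelled on the AP/ST VLAN table above
# (not captured from a real device).
VLAN_EXPORT = """\
/interface bridge vlan
add bridge=bridge tagged=ether1,wlan1 vlan-ids=10
add bridge=bridge tagged=ether1,wlan1,bridge vlan-ids=99
"""

def expand_ids(spec: str) -> list[int]:
    """Expand RouterOS vlan-ids syntax: '10,20-22' -> [10, 20, 21, 22]."""
    ids: list[int] = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_vlan_table(export: str) -> dict[int, dict[str, set[str]]]:
    """Map each VLAN ID to its tagged and untagged member sets."""
    table: dict[int, dict[str, set[str]]] = {}
    for line in export.splitlines():
        if not line.startswith("add "):
            continue  # skip the menu path and blank lines
        attrs = dict(re.findall(r"(\S+?)=(\S+)", line))
        for vid in expand_ids(attrs["vlan-ids"]):
            entry = table.setdefault(vid, {"tagged": set(), "untagged": set()})
            for role in ("tagged", "untagged"):
                if attrs.get(role):
                    entry[role].update(attrs[role].split(","))
    return table

def preflight(table, bridge, mgmt_vid, mgmt_port, trunk_ports=()):
    """Return reasons vlan-filtering=yes would break things; [] means safe.
    `bridge` is the bridge's own name: that is how RouterOS represents
    the CPU-facing port in the VLAN table."""
    problems = []
    entry = table.get(mgmt_vid)
    if entry is None:
        return [f"VLAN {mgmt_vid}: not in the bridge VLAN table, management will be lost"]
    members = entry["tagged"] | entry["untagged"]
    if bridge not in entry["tagged"]:
        problems.append(f"VLAN {mgmt_vid}: {bridge} missing from tagged ports, CPU cannot receive it")
    if mgmt_port not in members:
        problems.append(f"VLAN {mgmt_vid}: management port {mgmt_port} is not a member")
    for vid, e in sorted(table.items()):  # every VLAN must include both trunk ports
        missing = set(trunk_ports) - (e["tagged"] | e["untagged"])
        if missing:
            problems.append(f"VLAN {vid}: will not cross the PtP link, missing {sorted(missing)}")
    return problems
```

Run it against the real export of each end before step 6; an empty list for the AP and the ST is the go-ahead to enable filtering.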

If you’ve already lost access:

Option 1: Serial Console

Connect via serial console and correct the VLAN configuration.

Option 2: Reset Configuration

Use the router’s reset button to reset to defaults, then reconfigure properly.

Option 3: Safe Mode (if access still partially available)

If you have partial access (e.g., through a specific port), use safe mode to revert changes:

# From a port that still works, check current VLAN configuration
/interface bridge vlan print
# Add your management VLAN
/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=99
# If needed, disable VLAN filtering temporarily
/interface bridge set bridge1 vlan-filtering=no

Option 4: Bootloader Recovery

For devices with RouterBOOT, boot the router without the configuration:

  1. Power on the device
  2. Press and hold the Reset button during boot
  3. Select “n” to reset configuration
  4. Reconfigure with proper VLAN settings

Common mistakes:

  1. Forgetting to add the bridge interface to tagged ports: The management VLAN interface is created on the bridge, so the bridge itself must be a tagged member of that VLAN for traffic to reach the CPU.

  2. PVID mismatch: If the port used for management has a different PVID than the management VLAN, ensure the port is either untagged for that VLAN or the PVID is set correctly.

  3. Enabling VLAN filtering before testing management access: Always verify you can reach the device via the management VLAN before enabling filtering.