phitx
just joined
Topic Author
Posts: 7
Joined: Sun Mar 22, 2015 2:40 pm

Please help 2 LAN with 1 AP with mikrotik not working

Tue May 31, 2016 12:00 pm

Hi All

I use an RB750 and a Ubiquiti UniFi as the access point.
I want to use 1 access point which can broadcast 2 SSIDs, and each SSID has its own network.
I don't want the two networks to be able to talk to each other.

SSID 1 ( W2LAN ) uses DHCP relay from my domain network
SSID 2 ( W2LAN ) uses DHCP from the MikroTik

I bridge eth2 and eth5 because I want to control my access point from my domain network.

Port config
eth1_ISP ( used for connecting to my domain network )
eth2_LAN ( used for connecting to my internet network )
eth3_W2LAN ( used for testing directly with a cable, for connecting to the SSID 1 network )
eth4_W2Inet ( used for testing directly with a cable, for connecting to the SSID 2 network )
eth5_Trunk ( used for connecting to the access point )

my config
/interface bridge
add l2mtu=1594 name=b-LAN
add l2mtu=1594 name=b-W2Inet
add l2mtu=1598 name=b-W2LAN
/interface ethernet
set [ find default-name=ether1 ] name=eth1_ISP
set [ find default-name=ether2 ] name=eth2_LAN
set [ find default-name=ether3 ] name=eth3_W2LAN
set [ find default-name=ether4 ] name=eth4_W2Inet
set [ find default-name=ether5 ] name=eth5_Trunk
/ip neighbor discovery
set eth1_ISP discover=no
set eth3_W2LAN discover=no
set eth4_W2Inet discover=no
set b-W2Inet discover=no
set b-W2LAN discover=no
/interface vlan
add interface=eth5_Trunk l2mtu=1594 name=vl-W2Inet vlan-id=102
add interface=eth3_W2LAN l2mtu=1594 name=vl-W2LAN vlan-id=101
/ip neighbor discovery
set vl-W2Inet discover=no
set vl-W2LAN discover=no
/ip pool
add name=pool-W2Inet ranges=10.206.5.3-10.206.5.254
/ip dhcp-server
add address-pool=pool-W2Inet disabled=no interface=b-W2Inet lease-time=30s \
    name=DHCP-W2Inet
/interface bridge filter
add action=log chain=forward comment="Log DHCP server on 172.21.1.200" \
    dst-address=255.255.255.255/32 ip-protocol=udp log-prefix=\
    "Alert Rogue DHCP (Blocked)" mac-protocol=ip src-address=172.21.1.200/32 \
    src-port=67-68
add action=drop chain=forward comment="Block DHCP server on 172.21.1.200" \
    dst-address=255.255.255.255/32 ip-protocol=udp mac-protocol=ip \
    src-address=172.21.1.200/32 src-port=67-68
add action=log chain=forward comment="Log DHCP server on 192.168.0.0/16" \
    dst-address=255.255.255.255/32 ip-protocol=udp log-prefix=\
    "Alert Rogue DHCP (Blocked)" mac-protocol=ip src-address=192.168.1.0/24 \
    src-port=67-68
add action=drop chain=forward comment="Block DHCP server on 192.168.0.0/16" \
    dst-address=255.255.255.255/32 ip-protocol=udp mac-protocol=ip \
    src-address=192.168.1.0/24 src-port=67-68
add action=log chain=forward comment="log DHCP server on 10.206.0.240" \
    disabled=yes dst-address=255.255.255.255/32 ip-protocol=udp log-prefix=\
    "blocked dhcp server" mac-protocol=ip src-address=10.206.0.240/32 \
    src-port=67-68
add action=drop chain=forward comment="drop DHCP server on 10.206.0.240" \
    disabled=yes dst-address=255.255.255.255/32 ip-protocol=udp mac-protocol=\
    ip src-address=10.206.0.240/32 src-port=67-68
/interface bridge port
add bridge=b-LAN interface=eth2_LAN priority=0x90
add bridge=b-W2Inet interface=eth4_W2Inet
add bridge=b-W2Inet interface=vl-W2Inet
add bridge=b-W2LAN interface=eth3_W2LAN
add bridge=b-W2LAN interface=eth5_Trunk
add bridge=b-LAN interface=vl-W2LAN
/interface bridge settings
set use-ip-firewall=yes
/ip address
add address=10.206.5.1/24 interface=b-W2Inet network=10.206.5.0
add address=192.168.1.3/24 interface=eth1_ISP network=192.168.1.0
add address=172.21.52.1/16 interface=eth2_LAN network=172.21.0.0
add address=172.21.52.2/16 interface=eth3_W2LAN network=172.21.0.0
/ip dhcp-relay
add dhcp-server=172.21.1.200 disabled=no interface=eth2_LAN name=DR-W2LAN
/ip dhcp-server network
add address=10.206.5.0/24 dns-server=192.168.1.1 domain=W2Inet gateway=\
    10.206.5.1
add address=172.21.0.0/16 dns-server=172.21.1.200 domain=cgglobal.com \
    gateway=172.21.2.240
/ip firewall nat
add action=masquerade chain=srcnat out-interface=eth1_ISP src-address=\
    10.206.5.0/24
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=1 dst-address=172.21.0.0/16 gateway=\
    172.21.2.240
/ip upnp
set allow-disable-external-interface=no
/system clock
set time-zone-name=Asia/Jakarta
Existing condition is :
Eth3 : DHCP relay from my domain not running
Eth4 : DHCP from the MikroTik running, NAT to eth1 OK
Eth5 : DHCP relay from my domain not running. Both VLANs ( vl-W2LAN & vl-W2Inet ) not yet tested because the DHCP relay is still not running

Can anyone help me?
Thanks
 
TyBermea
newbie
Posts: 29
Joined: Mon Nov 02, 2015 3:18 am

Re: Please help 2 LAN with 1 AP with mikrotik not working

Wed Jun 01, 2016 5:45 pm

I have used VLAN tagging with UniFi to accomplish a similar goal. Each VLAN will be a separate broadcast domain, and you can then use IP firewall filter rules in the forward chain to drop traffic between the VLANs.

Remove the bridges and the associated filter rules.
Set up VLANs on the appropriate ethernet interface.
Give each VLAN an IP (like 10.10.10.1/24) and set up a DHCP server.
Add a forward chain filter rule to drop traffic from the VLAN 1 IP range to the VLAN 2 IP range.
Add a forward chain filter rule to drop traffic from the VLAN 2 IP range to the VLAN 1 IP range.
Configure the UniFi controller to VLAN-tag each SSID with the associated VLAN. Be sure to include the VLAN in the UniFi network settings or it won't work (the VLAN has to be specified in two places in the UniFi config).
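The routed-VLAN layout TyBermea describes, written out as a RouterOS export fragment using phitx's interface names and VLAN IDs. This is an added example, not configuration from either post. Assumptions: eth5_Trunk carries both SSIDs tagged to the UniFi AP, VLAN 101 is W2LAN and VLAN 102 is W2Inet, 10.206.5.0/24 for W2Inet and the DHCP server 172.21.1.200 are taken from the original post, and 10.206.6.0/24 for W2LAN is invented for the example. The isolation rules match on interfaces rather than on address ranges, which goes slightly beyond TyBermea's step: a client that assigns itself an address from the other VLAN's range still cannot cross.

```routeros
# Added example (not from the thread): two routed VLANs on the AP trunk,
# each its own broadcast domain, isolated from each other in the forward chain.
# Names, VLAN IDs and 10.206.5.0/24 come from the original post; 10.206.6.0/24
# is assumed for the example.

# 1. VLAN sub-interfaces on the trunk only. No bridges, so the router is the
#    only path between the two networks and the firewall sees every packet.
/interface vlan
add interface=eth5_Trunk name=vl-W2LAN vlan-id=101
add interface=eth5_Trunk name=vl-W2Inet vlan-id=102

# 2. One gateway address per VLAN.
/ip address
add address=10.206.6.1/24 interface=vl-W2LAN
add address=10.206.5.1/24 interface=vl-W2Inet

# 3. A DHCP server per VLAN, bound to the VLAN interface (not to a bridge).
/ip pool
add name=pool-W2LAN ranges=10.206.6.10-10.206.6.254
add name=pool-W2Inet ranges=10.206.5.10-10.206.5.254
/ip dhcp-server
add name=DHCP-W2LAN interface=vl-W2LAN address-pool=pool-W2LAN disabled=no
add name=DHCP-W2Inet interface=vl-W2Inet address-pool=pool-W2Inet disabled=no
/ip dhcp-server network
add address=10.206.6.0/24 gateway=10.206.6.1 dns-server=192.168.1.1
add address=10.206.5.0/24 gateway=10.206.5.1 dns-server=192.168.1.1

# Alternative for W2LAN if leases must keep coming from the domain DHCP server
# at 172.21.1.200 (as the original post wants): disable DHCP-W2LAN and relay
# instead. That server then needs a 10.206.6.0/24 scope and a route back to
# 10.206.6.1, otherwise the offers never return.
/ip dhcp-relay
add name=DR-W2LAN interface=vl-W2LAN dhcp-server=172.21.1.200 \
    local-address=10.206.6.1 disabled=yes

# 4. Isolation in the forward chain, both directions, logged then dropped.
#    Because both directions are dropped, no flow between the VLANs can ever
#    reach the established state, whatever other accept rules exist.
/ip firewall filter
add chain=forward in-interface=vl-W2LAN out-interface=vl-W2Inet action=log \
    log-prefix="W2LAN->W2Inet blocked"
add chain=forward in-interface=vl-W2LAN out-interface=vl-W2Inet action=drop \
    comment="isolate W2LAN from W2Inet"
add chain=forward in-interface=vl-W2Inet out-interface=vl-W2LAN action=drop \
    comment="isolate W2Inet from W2LAN"

# 5. Internet for both VLANs through the ISP port.
/ip firewall nat
add chain=srcnat out-interface=eth1_ISP src-address=10.206.5.0/24 action=masquerade
add chain=srcnat out-interface=eth1_ISP src-address=10.206.6.0/24 action=masquerade
```

The untagged side of eth5_Trunk stays free for AP management: give it an address of its own, or bridge only the physical eth5_Trunk with eth2_LAN as in the original config so the controller keeps reaching the AP. Do not add vl-W2LAN or vl-W2Inet to any bridge, or the VLANs stop being separate broadcast domains and the forward-chain rules no longer see the traffic. On the UniFi side the matching settings are the VLAN ID on each wireless network and the same VLAN ID under the controller's network settings, as TyBermea notes.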