Hi,

Currently I have two bridges on my CRS125: main and guest. Both have their own DHCP server, IP range, and a NAT to my Internet Provider. The main bridge goes to most of the ethernet ports (via a masterport), and for two ports I use the guest bridge (for some devices that are completely separate from my main network).

I am not using the built-in WiFi because of the bad location in the house, but I am using a Ubiquiti Unifi LR-AC access point, connected to one of the ethernet ports that are linked with the main bridge.

This is working perfectly fine.

Now, I would like to use an 2nd, separate, guest SSID. This is quite easy to setup in the Unifi: the 2nd guest network is now using VLAN15. However, now I need to "tell" the CRS125 that this ethernet port is actually a trunk port, and to devide the traffic: no VLAN tagging to the main bridge, and VLAN15 tagging to the guest bridge.

This is probably easy for many of you, but I can't manage it

Can someone point me in the right direction please?

Thanks!

Personally, I would ditch the bridges. The CRS is meant as a switch, and as such, it has a weak CPU. Bridging operates at the CPU, so this is a waste of resources at the CRS, especially considering the hardware supports wire-speed switching without touching the CPU. If you don't have a separate router, you can use the CRS as one, though again, its capabilities will be limited compared to a standalone router due to the weak CPU. What you're trying to achieve is much more simply set up using a routing/switching configuration as opposed to bridging.

Thanks for your reply.

Thanks for your concern, but speed is not an issue, since my guest network has low traffic. But I could setup two masterports, yes.

But can you help me with my question?

I assume the router+switch that you are suggesting can also be done with the CRS, of course probably slower, but that is not important. But you write "much more simple", which I can't see why.

Thanks.

He uses bridges only administratively, it was clearly stated that only master port is the bridge member... Well, you can get rid of first bridge and use the master port directly. Add a vlan 15 slave interface to it and use this as the guest network port. So easy.

Add a vlan 15 slave interface to it and use this as the guest network port. So easy.

Thanks, I will try it tonight. And I don't need to worry about tagging?

EDIT: should I add the slave interface to the masterport? Not to the port, going to the WAP? I only want this specific port to be able to accept VLAN15.

EDIT2: so I can work completely without any bridge? I remember that before when I deleted the last bridge, that the quick set screen always switched to "switch" instead of "router" (maybe not important, but it felt wrong).

Since speed isn't really a factor, you can use the CRS as your router, assuming your ISP connects via RJ45 or SFP. Set port 1 as your ISP uplink (assuming RJ45, otherwise set SFP), make port 2 the master port, and all other ports slave. Apply your two VLANs to port 2 from the Interfaces menu. From the Switch VLAN menu, add your two VLAN IDs to port 2 and switch1-cpu. On the Switch Egress VLAN Tag menu, add switch1-cpu. Use the Switch Ingress VLAN Translation menu to set the default VLAN ID for each port as needed. For your hybrid trunk port to the UniFi AP, use Ingress VLAN translation to set a management VLAN for the AP to use, but also set an Egress VLAN Tag for VLAN 15, and make the VLAN valid on that port by adding it to the Switch VLAN table. You should set up your UniFi access point to tag the guest network for VLAN 15.

The VLAN tagging and untagging has to be done by the CPU?
The switch chip can't do this?

Thanks!

The switch chip does all the tagging. You have to add switch1-cpu to parts of the configuration so the CPU can understand which VLANs each packet belongs to.

I am sorry, but I still need more guidance to get this working :-/

Ports 2-10 are the switch of the main bridge
Ports 11-14 are the switch of the guest bridge

Port 15 goes to my WAP. Untagged traffic from the WAP goes to the main bridge (working fine). But VLAN15 traffic from the WAP needs to go to the guest bridge.

How do I do this?

Anyone please?

Do you currently have two master ports set up? One for main and another for guest?
I'd set up with only one. Create two virtual vlans under the master port for main and guest. Then configure the switch to do the tagging/untagging.
Add the valid ports for each vlan in the switch vlan table. Set up vlan ingress for incomming untagged vlans (access ports) and egress vlan tag for both vlans on cpu and vlan 15 on the port going to your Wi-Fi.
Once your sure it's right set forward-invalid-vlans to off to actually issolate everything. Will lock you out if wrong.

Recheck the wiki on crs_examples for more.

Create a new VLAN interface on ether15 with VLAN 15 tag. Then under bridge-port, add the newly created interface to the Guest Bridge.

Something like this:

Thanks for all the suggestions, guys. I tried all these things, but I can't get it to work...

Is there any way to monitor the VLAN tags? Because I start to wonder if my Ubiquiti Unifi is really sending anything on VLAN25... (I just clicked in the guest wifi settings on vlan and entered 15). I tried with torch on my Ubiquiti's port, but it doesn't show anything at all - not even untagged - but that could be me, of course...

You have to torch on the master-port and get all packets for the group.