Johannes33
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Dec 26, 2016 1:26 am

one network including AP and ethernet?

Sat May 27, 2017 1:01 am

Hi,
I currently have an RB3011 connected to the WAN, a UniFi AP and an "ethernet LAN", all up and running well on different networks.
Now I wonder if it is possible to have the ethernet lan and the devices connected to the AP on the same network?
I would like to cast from my computer on the "ethernet lan" to my chromecast and to use wifi to access my files on my computer from my tablets.
The computer is a windows 7 machine.
Could a VLAN be used somehow?
I'm a newbie so please explain thoroughly.
/Johannes
 
pukkita
Trainer
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: one network including AP and ethernet?

Sat May 27, 2017 9:14 am

Now I wonder if it is possible to have the ethernet lan and the devices connected to the AP on the same network?
Yes, you just need to create a bridge, then add the ethernet port the UniFi uses together with the LAN port your LAN devices use. This will be using the RB3011 CPU to do the task.

This can also be done by creating a switch group; post an export of your config if you want more specific help.
 
Johannes33
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Dec 26, 2016 1:26 am

Re: one network including AP and ethernet?

Sat May 27, 2017 12:37 pm

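# may/27/2017 11:11:09 by RouterOS 6.35.4
# software id = E66J-P7EA
#
# Review notes: two address-list entries below were written as 198.168.x.x
# (a typo for 192.168.x.x) and have been corrected. Comments marked "NOTE"
# flag exposure the export shows but does not address; the firewall rules
# themselves are left as posted, including the ones the author disabled.
#
# ether3-ether5 are switch-chip slaves of ether2 (master-port); the VLAN
# interfaces below are children of ether2.
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] master-port=ether2_LAN name=ether3_UnifiAP
set [ find default-name=ether4 ] master-port=ether2_LAN name=ether4_boxee
set [ find default-name=ether5 ] master-port=ether2_LAN name=ether5_TEST
/interface vlan
add interface=ether2_LAN name=vlan11_Admin vlan-id=11
add interface=ether2_LAN name=vlan12_Users vlan-id=12
add interface=ether2_LAN name=vlan13_guests vlan-id=13
# One pool per network: .99 is the untagged LAN, .11/.12/.13 are the VLANs.
/ip pool
add name=dhcp ranges=192.168.99.21-192.168.99.250
add name=dhcp_pool2 ranges=192.168.11.21-192.168.11.250
add name=dhcp_pool3 ranges=192.168.12.21-192.168.12.250
add name=dhcp_pool4 ranges=192.168.13.21-192.168.13.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2_LAN lease-time=1h name=\
    dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlan11_Admin lease-time=1h \
    name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=vlan12_Users lease-time=1h \
    name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=vlan13_guests lease-time=1h \
    name=dhcp4
/ip firewall connection tracking
set enabled=yes
/ip address
add address=192.168.99.1/24 interface=ether2_LAN network=192.168.99.0
add address=192.168.11.1/24 interface=vlan11_Admin network=192.168.11.0
add address=192.168.12.1/24 interface=vlan12_Users network=192.168.12.0
add address=192.168.13.1/24 interface=vlan13_guests network=192.168.13.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=ether1_WAN
/ip dhcp-server network
add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1
add address=192.168.12.0/24 dns-server=192.168.12.1 gateway=192.168.12.1
add address=192.168.13.0/24 dns-server=192.168.13.1 gateway=192.168.13.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
# NOTE: allow-remote-requests=yes makes the router answer DNS for any host
# that can reach it. Nothing in the input chain below limits port 53 to the
# LAN side and the final input drop is disabled, so the resolver is reachable
# from ether1_WAN as well (open-resolver / amplification exposure).
/ip dns
set allow-remote-requests=yes servers="195.67.199.42,195.67.199.43,195.67.160.\
    3,195.67.183.153,208.67.222.222,208.67.220.220,8.8.8.8,8.8.4.4"
/ip firewall address-list
add address=192.168.99.0/24 list="Admin Lan"
# Corrected from 198.168.12.0/24 / 198.168.11.0/24 (typo): those prefixes are
# public space and would never have matched the local VLANs.
add address=192.168.12.0/24 list=Users_12vlan
add address=192.168.11.0/24 list="Admin Wifi_11vlan"
add address=192.168.13.0/24 list=guests_13vlan
# "support" is the management allow-list used by the winbox rule and the
# "Full access" rule below; it currently covers all of 192.168.0.0/16.
add address=192.168.0.0/16 list=support
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
/ip firewall filter
# Rate/behaviour based blocking: offenders are collected into dynamic
# address lists and dropped by the rule that follows each detector.
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
# NOTE: disabled, so winbox (tcp/8291) is not filtered by this chain.
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
    src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
# The "spammers" list is referenced here but no rule in this export adds
# addresses to it, so this rule matches nothing until something populates it.
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
# NOTE: port=53 matches source or destination port 53 and neither rule has an
# in-interface restriction; to keep the resolver LAN-only these would need
# in-interface=!ether1_WAN (or a src-address-list) AND the final drop enabled.
add chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add chain=input comment="Accept to established connections" connection-state=\
    established
add chain=input comment="Accept to related connections" connection-state=\
    related
add chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
# NOTE: while this rule is disabled, input traffic not matched above is
# accepted by default; the accept rules above only order traffic and do not
# restrict anything.
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
# ICMP chain: allow echo reply, TTL exceeded, unreachable and PMTUD, drop the rest.
add chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=\
    icmp
add chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1_WAN
# Forces all DNS traffic passing the router to the local resolver; has no
# in-interface restriction either (see the DNS note above).
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=tcp to-ports=53
# Management services: everything except winbox is disabled here. winbox is
# not listed, so it keeps its default (enabled) state and, with the 8291 drop
# rule above disabled, is reachable from the WAN as well.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Stockholm
/system routerboard settings
set protected-routerboot=disabled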
As you can see I have 4 dhcp servers.
In the best of worlds I would like to have 3 security levels.
one for vpn when I'm gone from my house with full access to all on my computer (Administrator)
one for users who will get access to most of my files (users)
one for guests who will have access to internet only.

That is why I have 3 Vlans.
Is this possible since I have a windows 7 machine?
I did not succeed in my attempts so now I'm using users vlan for wifi and Lan for ethernet.

The next best thing would be 2 security levels
one for users and one for guests.
I was thinking of putting my computer and ethernet on the users vlan and guests has only access to the internet, if that is smart?
I don't really know how to do this...

If neither of these is possible I would like to have one security level with everything connected to the same network so I can see the chromecast and my tablet can access the files on the computer.
Does the UniFi AP take DHCP from the LAN it is connected to? I think I remember that it creates a pool of its own and hands addresses out. Then I will have two networks, or how does it work?

Also I would like to have 4-10 static IP addresses and the rest dynamically assigned.
The statics would be my boxee box (media player), computer, chromecast and unifi AP if possible.

Suggestions?
 
pukkita
Trainer
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: one network including AP and ethernet?

Sat May 27, 2017 2:35 pm

one for vpn when I'm gone from my house with full access to all on my computer (Administrator)
one for users who will get access to most of my files (users)
one for guests who will have access to internet only.
I guess the VLANs come from the unifi device.

To achieve this the first thing you'll need is:

1.- Make ether3 a standalone port (no master interface).
2.- Make the VLAN interfaces children of ether3.

From this point:

- Create a bridge, add admin vlan, and ether2: now you are L2 connected when you connect through Admin SSID.

A diagram would make things easier.
 
Johannes33
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Dec 26, 2016 1:26 am

Re: one network including AP and ethernet?

Sat May 27, 2017 5:45 pm

Hi thanks for the time you take in answering my questions :)
I'm not really familiar with all the things to be done but I will show you in a diagram how my setup is now to not cause any confusion.
This is how my setup looks now:
eth3,4,5 are slaves to eth2 thus creating a switch.
There are different dhcp servers on eth2, vlan11, vlan12, vlan13. Creating 4 networks with routing in between.
Normally I'm using vlan11-vlan13 for my ap to be able to separate the different clients security clearance, but now I'm just using vlan12 (users) for all wifi traffic.

Could you answer in a few words: what is the difference between a bridge and a switch? Also, am I not already making a switch/bridge when using master/slave ports?
When using a bridge is there NAT involved or are the IP addresses preserved? L2 must mean no NAT. So if I used the same range of IP addresses on two networks, would there be a problem if I bridge the two?
I have read that when you make eth2 your master port, it does not work to connect a cable to it, it disables the port. But for me it works just fine. Is there a problem with using that port?
Now that I have shown you my setup is your instructions correct for it?
Is there a way to communicate to windows the "users" security?
 
pukkita
Trainer
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: one network including AP and ethernet?

Sat May 27, 2017 9:34 pm

Could you answer in a few words: what is the difference between bridge and switch? Also are I not making a switch/bridge when using master/slave ports?
When using a bridge is there nat involved or are the ip addresses preserved, L2 must be no nating.
switch = work is done by hardware switch chip; bridge= work is done in software (CPU).

So yes, when you are creating the bridge I posted, admin SSID vlan will be in L2 with your LAN (or any other vlan you add to the bridge).
So if I would use the same range of ip addresses on two networks there would be a problem if I bridge the two?
You should bridge (or switch the two) if you want to use the same range of addresses (same L2 segment).
I have read that when you make eth2 your master port, it does not work to connect a cable to it, it disables the port. But for me it works just fine. Is there a problem with using that port?
Don't know where you read that, but it's simply BS. No problem at all.
Now that I have shown you my setup is your instructions correct for it?
Yes.
Is there a way to communicate to windows the "users" security?
What do you refer to?

Your windows machine won't need to be set to any vlan to be reachable from admin SSID as both will be bridged...
 
Johannes33
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Dec 26, 2016 1:26 am

Re: one network including AP and ethernet?

Sat May 27, 2017 11:47 pm

Johannes33 wrote:
Is there a way to communicate to windows the "users" security?
What do you refer to?
Your windows machine won't need to be set to any vlan to be reachable from admin SSID as both will be bridged...
I mean is it possible to attach something to the communication so that windows can distinguish between persons logged in to vlan11 (admin full access) or vlan12 (user partial access)?
Johannes33 wrote:
So if I would use the same range of ip addresses on two networks there would be a problem if I bridge the two?
You should bridge (or switch the two) if you want to use the same range of addresses (same L2 segment).
I mean if I have one computer on one network with the IP address 192.168.1.10 and on another network I have a computer with 192.168.1.10.
If I bridge the two networks and I send a packet to 192.168.1.10, would that not be a problem?
Can I bridge 192.168.11.1/24 with 192.168.99.1/24? If I bridge the two networks they will not have contiguous address spaces; is that a problem?

I guess the VLANs come from the unifi device.

To achieve this the first thing you'll need is:

1.- Making ether3 an standalone port (no master interface).
2.- make vlan interfaces child of ether3
I have already set up the 3 VLANs on eth2; can't I use eth2 and disable it as master, or is there some benefit to using eth3?
I also wonder, if I set up the VLAN interfaces as children of eth2, is it possible to close the routing from eth2 to the VLANs?
If it were possible to close the routing I could make a bridge between eth2 and one of the VLANs without worrying about creating a loop.
I don't know if I understand the process of child vlans on an interface. What kind of connection is there between the interface and the vlans? I have heard that vlans are connected as a routed network to the interface. Can I choose to connect one of them as switched to the interface and the others no connection? If it is routed would I not be able to set rules on the traffic between the interface and the vlans?
From this point:

- Create a bridge, add admin vlan, and ether2: now you are L2 connected when you connect through Admin SSID.
Could eth3 be master for eth4-5, and then could I bridge vlan12 to eth3?
 
troffasky
Member
Member
Posts: 436
Joined: Wed Mar 26, 2014 4:37 pm

Re: one network including AP and ethernet?

Sun May 28, 2017 11:56 am

So if I would use the same range of ip addresses on two networks there would be a problem if I bridge the two?
You should bridge (or switch the two) if you want to use the same range of addresses (same L2 segment).
I mean if I have one computer on one network with the ip address 192.168.1.10 and on an other network I have a computer with 192.168.1.10.
If I bridge the two networks and If I send a package to 192.168.1.10 would it not be a problem?
If you have two separate L2 networks using the same L3 addressing scheme then something will have to change when you bring them together. You will have to disable one of the DHCP servers [or make sure they don't overlap] and make sure any devices with static IPs don't overlap.
Can I bridge 192.168.11.1/24 with 192.168.99.1/24? If I bridge the two networks they will not have continous address spaces is it a problem?
Well...it will work so long as you're careful [you'll only be able to have one DHCP server] but it probably isn't what you want to do.
