Term
Frequent Visitor
Topic Author
Posts: 92
Joined: Thu Jan 11, 2018 11:42 pm

VLAN for guest wifi

Tue May 28, 2019 7:30 pm

Hello,
I have a CCR1009 at home and 2x UniFi APs.

eth1: WAN (pppoe)
eth5: unifi 1
eth6: unifi 2

I have a bridge containing eth2-eth7 (all ethernets).
In UniFi I created a guest wifi network with VLAN 20.

My question is how can I make a bridge for vlan20? I created a VLAN in MikroTik too for bridge-wifi-guests.

If I create another bridge called bridge-unifi and add eth5 and eth6 there, UniFi stops working and I can't ping them.
I will be really thankful for your detailed help.
/interface export
/interface bridge
add arp=proxy-arp fast-forward=no name=bridge
add name=bridge-unifi
/interface ethernet
set [ find default-name=combo1 ] disabled=yes
set [ find default-name=ether1 ] comment=Gateway speed=100Mbps
set [ find default-name=ether2 ] comment="NAS" speed=100Mbps
set [ find default-name=ether3 ] comment="LAPTOP" speed=100Mbps
set [ find default-name=ether4 ] comment="Gigabit Switch" speed=100Mbps
set [ find default-name=ether5 ] comment="UniFi AP-AC-PRO #1" speed=100Mbps
set [ find default-name=ether6 ] comment="UniFi AP-AC-PRO #2" speed=100Mbps
set [ find default-name=ether7 ] comment="Server" speed=100Mbps

/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=ether1 name=pppoe-out1 password=********** \
use-peer-dns=yes user=**********

/interface vlan
add interface=bridge-unifi name=vlan20-wifi-guests vlan-id=20

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge-unifi interface=ether5
add bridge=bridge-unifi interface=ether6
add bridge=bridge interface=ether7

/ip address
add address=10.31.0.1/24 interface=bridge network=10.31.0.0
add address=10.31.20.1/27 interface=vlan20-wifi-guests network=10.31.20.0

/ip dhcp-server
add disabled=no interface=bridge lease-time=1d name=dhcp
add address-pool=wifi-guests-pool disabled=no interface=bridge-unifi lease-time=1h name=dhcp-wifi-guests

/ip pool
add name=dhcp_pool ranges=10.31.0.201-10.31.0.210
add name=wifi-guests-pool ranges=10.31.20.2-10.31.20.30
 
tdw
Forum Guru
Posts: 2118
Joined: Sat May 05, 2018 11:55 am

Re: VLAN for guest wifi

Tue May 28, 2019 10:54 pm

As you have moved ether5 & ether6 to a separate bridge the APs will only have access to VLAN20.

Using multiple bridges to handle VLANs is not recommended, see https://wiki.mikrotik.com/wiki/Manual:L ... figuration for the various pitfalls. The recommended method is to use a single VLAN-aware bridge.

In your existing configuration, change ether5&6 back to the main bridge:
/interface bridge port
...
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
...

Change the VLAN to be attached to the bridge:
/interface vlan
add interface=bridge name=vlan20-wifi-guests vlan-id=20

Change the DHCP server to be attached to the VLAN:
/ip dhcp-server
...
add address-pool=wifi-guests-pool disabled=no interface=vlan20-wifi-guests lease-time=1h name=dhcp-wifi-guests

(The IP address is already attached to the VLAN interface, this was incorrect for what you were previously attempting but now right)

Remove the unnecessary bridge=bridge-unifi in /interface bridge, there should no longer be any references to it.

Create bridge VLANs:
/interface bridge vlan
add bridge=bridge untagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=1
add bridge=bridge tagged=bridge,ether5,ether6 vlan-ids=2

Then set vlan-filtering=yes on the bridge bridge in /interface bridge - use safe mode just in case anything has been overlooked.

I'm not sure why you have arp=proxy-arp set on the bridge.
 
sindy
Forum Guru
Posts: 11501
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN for guest wifi

Wed May 29, 2019 12:02 am

I assume that while ether5 and ether6 are member ports of bridge "bridge", you can connect to the unifi machines, so just attach your /interface vlan vlan-id=20 to that bridge instead of the bridge-unifi and that's it. If you want to make sure that other member ports of that basic bridge have no access to VLAN 20, you'll have to set the membership of ports in VLANs using /interface bridge port and /interface bridge vlan tables and activate the vlan-filtering mode on the bridge.

Another way would be to use your current setup but assign an IP address from yet another subnet to the bridge-unifi and move the unifi's management IP addresses to that subnet (in advance, while ether5 and ether6 are still member ports of bridge "bridge").
 
Term
Frequent Visitor
Topic Author
Posts: 92
Joined: Thu Jan 11, 2018 11:42 pm

Re: VLAN for guest wifi

Wed May 29, 2019 12:12 am

Thank you so much guys, works perfect!
Guests are isolated now, so if I'm connected to the guest wifi I can't reach my local network devices like the NAS etc. So I'm very thankful.

Just changed
add bridge=bridge tagged=bridge,ether5,ether6 vlan-ids=2
There was vlan-ids=2; I changed it to 20. So if I want to isolate for example all TVs and other devices from my network, the steps are similar, right?
So another DHCP for multimedia devices, another address list, bridge vlan etc.

ARP -> Proxy ARP: some months ago I couldn't reach devices in the LAN. When I turned on Proxy ARP, reaching them worked again. I changed the state to Enabled right now and everything works fine. Maybe I had something bad in the configuration in the past.
Thank you
 
tdw
Forum Guru
Posts: 2118
Joined: Sat May 05, 2018 11:55 am

Re: VLAN for guest wifi

Wed May 29, 2019 12:27 am

Just changed
add bridge=bridge tagged=bridge,ether5,ether6 vlan-ids=2
There was vlan-ids=2; I changed it to 20. So if I want to isolate for example all TVs and other devices from my network, the steps are similar, right?
So another DHCP for multimedia devices, another address list, bridge vlan etc.
Correct, typo on my part. Yes - create another VLAN interface attached to the bridge, IP address & pool, DHCP network & server, bridge vlan membership. Depending on your existing firewall rules you may require additional rules to block VLAN-to-VLAN traffic.

@sindy The UniFi devices require their management interface to be untagged; the APs allow up to 8 SSIDs to be associated with tagged VLAN IDs, although any one SSID may be untagged (i.e. shared with the management interface) if desired.
 
sindy
Forum Guru
Posts: 11501
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN for guest wifi

Wed May 29, 2019 12:33 am

@sindy The UniFi devices require their management interface to be untagged
Yep, that's what I supposed, I just wanted to double check that. As usual, I could have saved my typing completely if I had reloaded the page before even starting, after commenting on those other topics :)
 
Term
Frequent Visitor
Topic Author
Posts: 92
Joined: Thu Jan 11, 2018 11:42 pm

Re: VLAN for guest wifi

Tue Jun 18, 2019 7:56 pm

Hello again,
today I tried to create VLAN 30 for multimedia like IPTV boxes, Apple TV, Synology NAS, TVs etc. The IPTV boxes and Apple TV are connected to a gigabit switch (unmanaged).

I found that no devices get an IP address, and I don't know why. VLAN 20 works fine with the UniFi devices.
Any help please?
/interface bridge
add fast-forward=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether4 ] comment="Gigabit Switch" speed=100Mbps

/interface vlan
add interface=bridge name=vlan30-multimedia vlan-id=30

/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7

/interface bridge vlan
add bridge=bridge untagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=1
add bridge=bridge tagged=bridge,ether4 vlan-ids=30

/ip dhcp-server
add disabled=no interface=bridge lease-time=1d name=dhcp
add address-pool=vlan30_multimedia-pool disabled=no interface=vlan30-multimedia lease-time=1d name=dhcp_vlan30_multimedia

/ip dhcp-server network
add address=10.31.0.0/24 gateway=10.31.0.1
add address=10.31.30.0/27 gateway=10.31.30.1

/ip dhcp-server lease
add address=10.31.30.3 client-id=XX:XX:XX:XX:XX:XX comment="PlayStation 4 Pro 1TB" mac-address=XX:XX:XX:XX:XX:XX server=dhcp_vlan30_multimedia

/ip address
add address=10.31.0.1/24 interface=bridge network=10.31.0.0
add address=10.31.30.1/27 interface=vlan30-multimedia network=10.31.30.0

/ip pool
add name=dhcp_pool ranges=10.31.0.201-10.31.0.210
add name=vlan30_multimedia-pool ranges=10.31.30.2-10.31.30.30
 
sindy
Forum Guru
Posts: 11501
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN for guest wifi

Tue Jun 18, 2019 11:20 pm

I cannot see anything wrong in the Mikrotik configuration, but I don't get what you expect to happen. You say you use an unmanaged switch to connect the external gear (IPTV, Apple TV), but the only ethernet interface you've made a member port of VLAN30 on the Mikrotik is tagged. So unless the unmanaged switch is connected to ether4 and unless the external gear can receive and send packets in tagged frames, it cannot get the DHCP assignment. The unmanaged switch delivers tagged frames to the external gear and doesn't untag them on egress and tag them on ingress.
 
tdw
Forum Guru
Posts: 2118
Joined: Sat May 05, 2018 11:55 am

Re: VLAN for guest wifi

Tue Jun 18, 2019 11:49 pm

If the unmanaged switch connected to ether4 is only for multimedia devices on VLAN30, then change ether4 to be untagged for VLAN30
/interface bridge port
...
add bridge=bridge interface=ether4 pvid=30
...

/interface bridge vlan
add bridge=bridge untagged=bridge,ether2,ether3,ether5,ether6,ether7 vlan-ids=1
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=30

otherwise you will need to replace it with a managed switch to be able to untag VLAN30 on the multimedia ports.
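Both bridge VLAN mistakes in this thread (tdw's vlan-ids=2 typo against a vlan-id=20 interface, and ether4 carrying VLAN 30 only tagged while an unmanaged switch hangs off it) are mechanical to catch from an export. The checker below is an added example, not code from the thread or from MikroTik; the SAMPLE config is constructed to reproduce those two situations, and the parser assumes the plain `/path` plus `add key=value` layout of a RouterOS export.

```python
import re
# Constructed sample modelled on the thread: tdw's "vlan-ids=2" typo against a
# vlan-id=20 interface, and ether4 carrying VLAN 30 only tagged (the VLAN 30 case).
SAMPLE = """
/interface vlan
add interface=bridge name=vlan20-wifi-guests vlan-id=20
add interface=bridge name=vlan30-multimedia vlan-id=30
/interface bridge port
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/interface bridge vlan
add bridge=bridge untagged=bridge,ether4,ether5 vlan-ids=1
add bridge=bridge tagged=bridge,ether5 vlan-ids=2
add bridge=bridge tagged=bridge,ether4 vlan-ids=30
"""
TOKEN = re.compile(r'(\S+?)=("[^"]*"|\S*)')

def parse(text):
    """Group the 'add' lines of a RouterOS export by their /path section."""
    sections, path = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            entry = {k: v.strip('"') for k, v in TOKEN.findall(line[4:])}
            sections.setdefault(path, []).append(entry)
    return sections

def lint(text):
    """'errors': traffic cannot flow at all; 'notes': only 802.1Q-aware hosts will see it."""
    cfg = parse(text)
    pvid = {p["interface"]: int(p.get("pvid", 1)) for p in cfg.get("/interface bridge port", [])}
    members = {}  # (bridge, vlan-id) -> (tagged ports, untagged ports)
    for v in cfg.get("/interface bridge vlan", []):
        tagged = set(filter(None, v.get("tagged", "").split(",")))
        untagged = set(filter(None, v.get("untagged", "").split(",")))
        for vid in v["vlan-ids"].split(","):
            members[(v["bridge"], int(vid))] = (tagged, untagged)
    out = {"errors": [], "notes": []}
    for iface in cfg.get("/interface vlan", []):  # bridge itself must be tagged for that ID
        bridge, vid = iface["interface"], int(iface["vlan-id"])
        if bridge not in members.get((bridge, vid), (set(), set()))[0]:
            out["errors"].append(f"{iface['name']}: {bridge} is not tagged for VLAN {vid}")
    for (bridge, vid), (tagged, untagged) in members.items():
        for port in untagged - {bridge}:  # access port: pvid must match, else ingress lands in pvid
            if pvid.get(port, 1) != vid:
                out["errors"].append(f"{port}: untagged in VLAN {vid} but pvid={pvid.get(port, 1)}")
        for port in tagged - {bridge}:  # frames leave tagged: plain hosts/unmanaged switches miss them
            out["notes"].append(f"{port}: VLAN {vid} is tagged only")
    return out
```

Run `lint(SAMPLE)` to see the VLAN 20 error and the tagged-only note for ether4; a config with `pvid=30` on ether4 and `untagged=ether4` for VLAN 30 comes back clean.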
 
Term
Frequent Visitor
Topic Author
Posts: 92
Joined: Thu Jan 11, 2018 11:42 pm

Re: VLAN for guest wifi

Fri Jun 21, 2019 9:13 pm

tdw: thank you. I tried it but it still doesn't work, same result.
 
sindy
Forum Guru
Posts: 11501
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN for guest wifi

Fri Jun 21, 2019 9:29 pm

If you follow tdw's advice (i.e. ether4 as access port to VLAN 30) and connect just one of the devices to ether4, instead of the unmanaged switch, does that one device work?
 
Term
Frequent Visitor
Topic Author
Posts: 92
Joined: Thu Jan 11, 2018 11:42 pm

Re: VLAN for guest wifi

Fri Jun 21, 2019 9:42 pm

It doesn't work. Still not getting an IP address.

If anybody could connect to my computer via TeamViewer, I would be very thankful. Just PM me.