Kuba1301
just joined
Topic Author
Posts: 11
Joined: Fri Jun 15, 2018 9:36 pm

Port based vlan on CSR1xx and issue with Unifi APs - broadcast SSIDs but they do not have IP addresses

Mon Mar 30, 2020 10:38 pm

Hi All,
I have followed the manual: https://wiki.mikrotik.com/wiki/Manual:C ... s_examples + a few other manuals and finally I came up with a port based vlan configuration.
Here is what my network looks like: https://drive.google.com/file/d/1ZYr5Vk ... sp=sharing

Summary:
- Three vlans are configured: vlan59, 69 and 79.
- Almost all physical ports belong to 10.69.0.x/24 subnet (vlan 69)
- All Access Points are supposed to be part of 10.69.0.x/24 subnet
- APs broadcast 3 different subnets (corresponding to vlans)


Almost everything works as expected. All wired devices receive an IP address, the same story with all wireless clients. Surprisingly, that happens even though the APs do not get IP addresses? How do I know:
- No entries in ARP table;
- No lease on DHCP;
- Access Points are grayed out in Controller (typical for issues on layer3 -> lack of IP).

Can someone explain to me how the hell APs are able to transmit DHCP requests properly without having an IP address assigned?

Here is my config:

# MikroTik RouterOS 6.46.4 (c) 1999-2020       http://www.mikrotik.com/
# mar/30/2020 21:33:22 by RouterOS 6.46.4
# model = CRS125-24G-1S

/interface bridge
add name=my-bridge

/interface ethernet
set [ find default-name=ether1 ] comment="WAN"
set [ find default-name=ether2 ] comment="[A_SL_01]"
set [ find default-name=ether3 ] comment="[A_SL_02]"
set [ find default-name=ether4 ] comment="[A_SL_03]"
set [ find default-name=ether5 ] comment="[A_SL_04]"
set [ find default-name=ether6 ] comment="[A_SL_05]"
set [ find default-name=ether7 ] comment="[A_SL_06]"
set [ find default-name=ether8 ] comment="[A_KT_01]"
set [ find default-name=ether9 ] comment="[A_PR_01]"
set [ find default-name=ether10 ] comment="[B_GB_01]"
set [ find default-name=ether11 ] comment="[B_GB_02]"
set [ find default-name=ether12 ] comment="[B_GB_03]"
set [ find default-name=ether13 ] comment="[B_GB_04]"
set [ find default-name=ether14 ] comment="[B_GB_05]"
set [ find default-name=ether15 ] comment="[B_GB_06]"
set [ find default-name=ether16 ] comment="[B_GB_07]"
set [ find default-name=ether17 ] comment="[B_GB_08]"
set [ find default-name=ether18 ] comment="[B_DL_01]"
set [ find default-name=ether19 ] comment="[B_DL_02]"
set [ find default-name=ether20 ] comment="[B_DP_01]"
set [ find default-name=ether21 ] comment="[B_DP_02]"
set [ find default-name=ether22 ] comment="[B_GO_01]"
set [ find default-name=ether23 ] comment="[B_GS_01]"
set [ find default-name=ether24 ] comment=Plug&Go
set [ find default-name=sfp1 ] comment=Fiber disabled=yes

/interface vlan
add interface=my-bridge name=vlan59 vlan-id=59
add interface=my-bridge name=vlan69 vlan-id=69
add interface=my-bridge name=vlan79 vlan-id=79

/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports="ether2,ether3,ether\
    4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14\
    ,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23"

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=mgmt ranges=10.100.0.2
add name=pool-vlan59 ranges=10.59.0.2-10.59.0.254
add name=pool-vlan69 ranges=10.69.0.2-10.69.0.254
add name=pool-vlan79 ranges=10.79.0.2-10.79.0.254

/ip dhcp-server
add address-pool=mgmt disabled=no interface=ether15 lease-time=30m name=dhcp
add address-pool=pool-vlan59 disabled=no interface=vlan59 name=dhcp-vlan59
add address-pool=pool-vlan69 disabled=no interface=vlan69 lease-time=23h59m59s \
    name=dhcp-vlan69
add address-pool=pool-vlan79 disabled=no interface=vlan79 lease-time=10h name=\
    dhcp-vlan79

/interface bridge port
add bridge=my-bridge interface=ether2
add bridge=my-bridge interface=ether3
add bridge=my-bridge interface=ether4
add bridge=my-bridge interface=ether5
add bridge=my-bridge interface=ether6
add bridge=my-bridge interface=ether7
add bridge=my-bridge interface=ether8
add bridge=my-bridge interface=ether9
add bridge=my-bridge interface=ether10
add bridge=my-bridge interface=ether11
add bridge=my-bridge interface=ether12
add bridge=my-bridge interface=ether13
add bridge=my-bridge interface=ether14
add bridge=my-bridge interface=ether16
add bridge=my-bridge interface=ether17
add bridge=my-bridge interface=ether18
add bridge=my-bridge interface=ether19
add bridge=my-bridge interface=ether20
add bridge=my-bridge interface=ether21
add bridge=my-bridge interface=ether22
add bridge=my-bridge interface=ether23

/interface ethernet switch egress-vlan-tag
add tagged-ports=ether7,ether22,ether23,switch1-cpu vlan-id=59
add tagged-ports=ether7,ether22,ether23,switch1-cpu vlan-id=69
add tagged-ports=ether7,ether22,ether23,switch1-cpu vlan-id=79

/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=69 ports=ether2
add customer-vid=0 new-customer-vid=69 ports=ether3
add customer-vid=0 new-customer-vid=69 ports=ether4
add customer-vid=0 new-customer-vid=69 ports=ether5
add customer-vid=0 new-customer-vid=69 ports=ether6
add customer-vid=0 new-customer-vid=69 ports=ether8
add customer-vid=0 new-customer-vid=69 ports=ether9
add customer-vid=0 new-customer-vid=69 ports=ether10
add customer-vid=0 new-customer-vid=69 ports=ether11
add customer-vid=0 new-customer-vid=69 ports=ether12
add customer-vid=0 new-customer-vid=79 ports=ether13
add customer-vid=0 new-customer-vid=69 ports=ether14
add customer-vid=0 new-customer-vid=69 ports=ether16
add customer-vid=0 new-customer-vid=69 ports=ether17
add customer-vid=0 new-customer-vid=69 ports=ether18
add customer-vid=0 new-customer-vid=69 ports=ether19
add customer-vid=0 new-customer-vid=69 ports=ether20
add customer-vid=0 new-customer-vid=69 ports=ether21

/interface ethernet switch vlan
add ports="ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether\
    11,ether12,ether14,ether16,ether17,ether18,ether19,ether20,ether21,ether22,e\
    ther23,switch1-cpu" vlan-id=69
add ports=ether7,ether13,ether22,ether23,switch1-cpu vlan-id=79
add ports=ether7,ether22,ether23,switch1-cpu vlan-id=59

/ip address
add address=10.100.0.1/30 interface=ether15 network=10.100.0.0
add address=10.59.0.1/24 interface=vlan59 network=10.59.0.0
add address=10.69.0.1/24 interface=vlan69 network=10.69.0.0
add address=10.79.0.1/24 interface=vlan79 network=10.79.0.0

/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
--- many entries here ---

/ip dns
set allow-remote-requests=yes

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=xyz

/system clock
set time-zone-name=Europe/Warsaw
 
mkx
Forum Guru
Posts: 13167
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port based vlan on CSR1xx and issue with Unifi APs - broadcast SSIDs but they do not have IP addresses

Mon Mar 30, 2020 11:21 pm

Plain APs are more or less transparent for L2 traffic ... so if wireless client requests DHCP lease, AP will pipe it to configured VLAN (and vice versa in the other direction). And this doesn't have any correlation to management interface IP address whatsoever.

I don't have any experience with UniFi gear, but quite some APs by different vendors require untagged for management. Meaning you have to convert trunk ports connecting APs to hybrid ports with PVID set to your management VLAN ID (69).
 
Kuba1301
just joined
Topic Author
Posts: 11
Joined: Fri Jun 15, 2018 9:36 pm

Re: Port based vlan on CSR1xx and issue with Unifi APs - broadcast SSIDs but they do not have IP addresses

Tue Mar 31, 2020 12:01 am

[...] quite some APs by different vendors require untagged for management. Meaning you have to convert trunk ports connecting APs to hybrid ports with PVID set to your management VLAN ID (69).
Again, thanks for the help. Based on your reply I found 2 possible solutions:
1. Change trunk ports to hybrid, as suggested
2. Change mgmt vlan on APs to 69 (according to doc, that is possible).

Do not know why but 2nd option sounds less scary to me :) will try and post an update.

Thank you!
 
tdw
Forum Guru
Posts: 2084
Joined: Sat May 05, 2018 11:55 am

Re: Port based vlan on CSR1xx and issue with Unifi APs - broadcast SSIDs but they do not have IP addresses

Tue Mar 31, 2020 12:35 am

Historically UniFi only supported untagged management. I believe that tagged management support has been added, BUT this will only be for adopted and provisioned devices - the initial controller discovery and connection to the controller has to be over an untagged network.
 
llag
Frequent Visitor
Posts: 72
Joined: Sat Aug 04, 2018 12:12 am

Re: Port based vlan on CSR1xx and issue with Unifi APs - broadcast SSIDs but they do not have IP addresses

Tue Mar 31, 2020 9:33 pm

[...] quite some APs by different vendors require untagged for management. Meaning you have to convert trunk ports connecting APs to hybrid ports with PVID set to your management VLAN ID (69).
Again, thanks for the help. Based on your reply I found 2 possible solutions:
1. Change trunk ports to hybrid, as suggested
2. Change mgmt vlan on APs to 69 (according to doc, that is possible).

Do not know why but 2nd option sounds less scary to me :) will try and post an update.

Thank you!
You'll need hybrid ports for the APs: in your case VLAN69 for management (assuming that the controller is on VLAN69 too). Then add the appropriate VLANs tagged so the APs can reach the VLANs. In the controller you can then define the SSIDs with the VLANs they need to be on.
I am not sure what you mean by "change the mgmt VLAN on the APs to 69". I have trunks to the APs with the mgmt VLAN as UNTAGGED, and the other VLANs for the SSIDs as tagged. Works great with my CRS328 -> 2 * AP-Lite
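
The replies above come down to a trunk port versus a hybrid port (untagged management VLAN plus tagged SSID VLANs). The following is an added example, not code from any poster in this thread: a small Python audit that reads the switch-chip sections of a CRS1xx export and lists ports that carry tagged VLANs but have no untagged VLAN assignment. It assumes an `ingress-vlan-translation` rule with `customer-vid=0` is what assigns a port's untagged VLAN, as in the posted config; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Excerpt of the switch-chip sections from the export posted in this thread
# (access-port rules shortened to two for brevity).
EXPORT = """\
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether7,ether22,ether23,switch1-cpu vlan-id=59
add tagged-ports=ether7,ether22,ether23,switch1-cpu vlan-id=69
add tagged-ports=ether7,ether22,ether23,switch1-cpu vlan-id=79
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=69 ports=ether2
add customer-vid=0 new-customer-vid=79 ports=ether13
"""

def parse_sections(export):
    """Return {menu path: [{key: value} for each 'add' line]}."""
    sections, path = defaultdict(list), None
    # Join export line continuations (backslash, newline, indent) first.
    for line in re.sub(r"\\\n\s*", "", export).splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            sections[path].append({k: v.strip('"') for k, v in pairs})
    return sections

def classify_ports(export):
    """Map each port to its untagged VLAN (if any) and its tagged VLANs."""
    sec = parse_sections(export)
    ports = defaultdict(lambda: {"untagged": None, "tagged": set()})
    for rule in sec["/interface ethernet switch egress-vlan-tag"]:
        for p in rule["tagged-ports"].split(","):
            ports[p]["tagged"].add(int(rule["vlan-id"]))
    for rule in sec["/interface ethernet switch ingress-vlan-translation"]:
        if rule.get("customer-vid") == "0":  # assumption: matches untagged frames
            for p in rule["ports"].split(","):
                ports[p]["untagged"] = int(rule["new-customer-vid"])
    return dict(ports)

def pure_trunks(export):
    """Ports that carry tagged VLANs but have no untagged VLAN assigned."""
    return sorted(p for p, v in classify_ports(export).items()
                  if v["tagged"] and v["untagged"] is None and p != "switch1-cpu")

if __name__ == "__main__":
    print(pure_trunks(EXPORT))
```

On the posted config this reports ether22, ether23 and ether7, the three tagged-only ports; a device on one of them that sends its management traffic untagged has no VLAN to land in.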