ieleja
newbie
Topic Author
Posts: 29
Joined: Thu Mar 29, 2012 10:22 pm

Guest WiFi with VLAN on UniFi AP

Thu Dec 26, 2024 8:08 pm

Hello,

As a base config I use "Using RouterOS to VLAN your network":
viewtopic.php?t=143620&sid=8d57615ae14b ... b348b28fb8

My simple system looks like "Router-Switch-AP (all in one)" (and this works great) + 1 UniFi AP AC LR, which is configured manually with the main MainWiFi on the "default" network and the guest GuestWiFi, which I attach to "guestNetwork" as GREEN VLAN 20. I attached the UniFi AP to ether2 and it gets an address from the BLUE VLAN. MainWiFi works, GuestWiFi does not (it does not even get a DHCP address), and I guess that is because of
[..]
# VLAN Security
# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2]
So how must I configure the MikroTik and the UniFi AP to establish a safe and stable guest WiFi?

thanks,
Saules Ieleja
 
sindy
Forum Guru
Posts: 11278
Joined: Mon Dec 04, 2017 9:19 pm

Re: Guest WiFi with VLAN on UniFi AP

Thu Dec 26, 2024 8:33 pm

If /interface bridge port set bridge=BR1 [find interface=ether2] frame-types=admit-all doesn't help, post the export of the complete configuration.
 
ieleja
newbie
Topic Author
Posts: 29
Joined: Thu Mar 29, 2012 10:22 pm

Re: Guest WiFi with VLAN on UniFi AP

Thu Dec 26, 2024 9:02 pm

"admit-all" doesn't help, config:
# 2024-12-22 20:44:24 by RouterOS 7.16.2
# software id = 5DWL-EDZZ
#
# model = RB751G-2HnD
# serial number = hidden as 'anav' requested
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=latvia frequency=auto \
    mode=ap-bridge ssid=BLUE
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik
/interface wireless
add mac-address=02:0C:42:FB:C7:4B master-interface=wlan1 name=wlan2 \
    security-profile=guest ssid=GREEN
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
/interface bridge port
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=20
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=wlan2 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5 pvid=99
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=BASE
/ip settings
set allow-fast-path=no
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=10
add bridge=BR1 tagged=BR1 vlan-ids=20
add bridge=BR1 tagged=BR1 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=GREEN_VLAN network=10.0.20.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/system clock
set time-zone-name=Europe/Riga
/system identity
set name=RouterSwitchAP
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp.org
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
Last edited by ieleja on Thu Dec 26, 2024 11:39 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 11278
Joined: Mon Dec 04, 2017 9:19 pm

Re: Guest WiFi with VLAN on UniFi AP

Thu Dec 26, 2024 9:13 pm

/interface bridge vlan set [find vlan-ids=20] tagged=BR1,ether2
 
ieleja
newbie
Topic Author
Posts: 29
Joined: Thu Mar 29, 2012 10:22 pm

Re: Guest WiFi with VLAN on UniFi AP

Thu Dec 26, 2024 9:26 pm

/interface bridge vlan set [find vlan-ids=20] tagged=BR1,ether2
doesn't help, the device does not get an address from GREEN DHCP, but assigns itself an AutoIP from 169.x.x.x
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Guest WiFi with VLAN on UniFi AP

Thu Dec 26, 2024 9:42 pm

First: Please remove router serial number from your post!
Second: Config is incomplete, the base subnet is missing typical networking items, ip pool etc.....
Third: remove or set to NO the ip bridge firewall settings! This is an advanced menu that is normally not needed.
Fourth: Normally "allow fast path" is set to yes.. Why did you set it to NO??
Fifth: Ether2 should be a hybrid port to the UNIFI..... the untagged vlan should be the base vlan ( the management vlan and the UniFi's IP should be 192.168.0.X ) PVID of 99, and the other two vlans, main and guest should be tagged as data vlans.
Sixth: Firewall rules need work...............
# model = RB751G-2HnD
# serial number = XXXXXXXXXX
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=latvia frequency=auto \
    mode=ap-bridge ssid=BLUE
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik
/interface wireless
add mac-address=02:0C:42:FB:C7:4B master-interface=wlan1 name=wlan2 \
    security-profile=guest ssid=GREEN
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
add name=BASE_POOL ranges=192.168.0.2-192.168.0.10
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/interface bridge port
add bridge=BR1  interface=ether2 pvid=99 comment="hybrid port to UNIFI"
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=99
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=10
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wlan2 pvid=20
/interface bridge settings
set use-ip-firewall-for-vlan=no
/ip neighbor discovery-settings
set discover-interface-list=BASE
/ip settings
set allow-fast-path=yes
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2  untagged=ether3,wlan1  vlan-ids=10
add bridge=BR1 tagged=BR1,ether2  untagged=ether4,wlan2  vlan-ids=20
add bridge=BR1 tagged=BR1  untagged=ether2,ether5  vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=GREEN_VLAN network=10.0.20.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
add address=192.168.0.0/24  dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="Allow Estab, Related & untracked" \
    connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow admin"  in-interface-list=BASE
add action=accept chain=input comment="users to services" in-interface-list=VLAN dst-port=53,123 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=VLAN dst-port=53 protocol=tcp
# put this rule in last
add action=drop chain=input comment="Drop all else"
# +++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment="Allow Estab,Related & Untracked" \
    connection-state=established,related,untracked
add action=accept chain=forward comment="internet traffic" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="admin to vlans" in-interface-list=BASE out-interface-list=VLAN
# enable or remove if not required
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/system clock
set time-zone-name=Europe/Riga
/system identity
set name=RouterSwitchAP
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp.org
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE
Last edited by anav on Thu Dec 26, 2024 9:46 pm, edited 2 times in total.
 
sindy
Forum Guru
Posts: 11278
Joined: Mon Dec 04, 2017 9:19 pm

Re: Guest WiFi with VLAN on UniFi AP

Thu Dec 26, 2024 9:43 pm

Both the changes I have asked you to do were necessary, just apparently not sufficient. Does it behave the same if you try to connect using the wlan2 interface of the Mikrotik itself?
 
ieleja
newbie
Topic Author
Posts: 29
Joined: Thu Mar 29, 2012 10:22 pm

Re: Guest WiFi with VLAN on UniFi AP

Thu Dec 26, 2024 11:38 pm

if you try to connect using the wlan2 interface of the Mikrotik itself?
If I enable the MikroTik wlan, then everything (BLUE and GREEN WiFi) works with the initial configuration.

UniFi AP connected to ether2;
UniFi configuration: "Guest" network, connected to 20 VLAN ID, GREEN wifi connected to "Guest" network.
 
sindy
Forum Guru
Posts: 11278
Joined: Mon Dec 04, 2017 9:19 pm

Re: Guest WiFi with VLAN on UniFi AP

Fri Dec 27, 2024 12:32 pm

If it works when you enable wlan2 on the Mikrotik itself, the IP configuration seems to be ok.

So as the next step, disable wlan2 again, open a command line window as wide as your screen allows, and do the following:
/interface bridge port set [find interface=ether2] hw=no
/tool sniffer quick interface=ether2 port=68

and then let some client device try to connect to the guest network that is broadcast from the Ubiquiti.
If the /tool sniffer ... shows anything, copy-paste it here.
 
ieleja
newbie
Topic Author
Posts: 29
Joined: Thu Mar 29, 2012 10:22 pm

Re: Guest WiFi with VLAN on UniFi AP

Fri Dec 27, 2024 6:00 pm

If the /tool sniffer ... shows anything, copy-paste it here.
two iOS devices, one android
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, VLAN, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, SIZE, CPU
INTERFACE  TIME    NUM  DIR  SRC-MAC            DST-MAC            VLAN  SRC-ADDRESS          DST-ADDRESS                  PROTOCOL  SIZE  CPU
ether2     55.412   11  <-   72:BD:A1:23:63:30  FF:FF:FF:FF:FF:FF    20  0.0.0.0:68 (bootpc)  255.255.255.255:67 (bootps)  ip:udp     346    0
ether2     56.041   12  <-   22:F3:5D:F0:6A:77  FF:FF:FF:FF:FF:FF    20  0.0.0.0:68 (bootpc)  255.255.255.255:67 (bootps)  ip:udp     346    0
ether2     57.692   13  <-   22:F3:5D:F0:6A:77  FF:FF:FF:FF:FF:FF    20  0.0.0.0:68 (bootpc)  255.255.255.255:67 (bootps)  ip:udp     346    0
ether2     59.479   14  <-   72:BD:A1:23:63:30  FF:FF:FF:FF:FF:FF    20  0.0.0.0:68 (bootpc)  255.255.255.255:67 (bootps)  ip:udp     346    0
ether2     64.881   15  <-   5C:51:81:B0:E2:AD  FF:FF:FF:FF:FF:FF    20  0.0.0.0:68 (bootpc)  255.255.255.255:67 (bootps)  ip:udp     354    0
 
sindy
Forum Guru
Posts: 11278
Joined: Mon Dec 04, 2017 9:19 pm

Re: Guest WiFi with VLAN on UniFi AP

Fri Dec 27, 2024 6:22 pm

OK, so it comes alright from the Unifi, but I cannot spot an issue in the configuration. Post the current output of /interface bridge export after all the changes you've made so far, please.
 
ieleja
newbie
Topic Author
Posts: 29
Joined: Thu Mar 29, 2012 10:22 pm

Re: Guest WiFi with VLAN on UniFi AP

Fri Dec 27, 2024 6:46 pm

# 2024-12-22 18:28:41 by RouterOS 7.16.2
# software id = 5DWL-EDZZ
#
# model = RB751G-2HnD
# serial number = xxxxxxxxxxxx
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=wlan2 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=99
add bridge=BR1 hw=no interface=ether2 pvid=10
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=10
add bridge=BR1 tagged=BR1,ether2 vlan-ids=20
add bridge=BR1 tagged=BR1 vlan-ids=99
[ieladmin@RouterSwitchAP] > 
what about "anav" recommendations?
my configuration was almost copy/paste from:
Using RouterOS to VLAN your network
viewtopic.php?t=143620&sid=8d57615ae14b ... b348b28fb8
Second: Config is incomplete, the base subnet is missing typical networking items, ip pool etc.....
Fifth: Ether2 should be a hybrid port to the UNIFI..... the untagged vlan should be the base vlan ( the management vlan and the unifis IP should be 192.168.0.X ) PVID of 99, and the other two vlans, main and guest should be tagged as data vlans.
 
sindy
Forum Guru
Posts: 11278
Joined: Mon Dec 04, 2017 9:19 pm

Re: Guest WiFi with VLAN on UniFi AP

Fri Dec 27, 2024 6:54 pm

/interface bridge settings set use-ip-firewall-for-vlan=no

then try again.

I did not analyze all @anav's recommendations as most of them are not relevant to the primary issue, but I agree with him on the above one, the purpose of this setting is different from what you assume - its name is misleading.
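
Added example (not part of any post in this thread, and not MikroTik's own tooling): a small Python check that reads a RouterOS export and lists why frames tagged for a given VLAN would not pass a given bridge port, covering the three settings changed in the replies above. The function names are this example's own, the export is a trimmed excerpt of the first one posted in the thread, and `vlan-ids` ranges are not handled.

```python
import re

# Trimmed excerpt of the bridge section of the first export posted in this thread.
ORIGINAL = r"""
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=10
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=10
add bridge=BR1 tagged=BR1 vlan-ids=20
"""

def parse_export(text):
    """Group the key=value pairs of each add/set line under its menu path."""
    text = re.sub(r"\\\n\s*", "", text)  # join lines continued with a backslash
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif current and line.startswith(("add ", "set ")):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            menus.setdefault(current, []).append({k: v.strip('"') for k, v in pairs})
    return menus

def check_tagged_port(export, port, vlan_id):
    """Return the reasons why frames tagged with vlan_id cannot cross `port`."""
    cfg = parse_export(export)
    ports = {p.get("interface"): p for p in cfg.get("/interface bridge port", [])}
    if port not in ports:
        return [f"{port} is not a bridge port"]
    problems = []
    # A port with no frame-types in the export uses the default, admit-all.
    frame_types = ports[port].get("frame-types", "admit-all")
    if frame_types == "admit-only-untagged-and-priority-tagged":
        problems.append(f"{port} frame-types rejects tagged frames")
    tagged = set()
    for row in cfg.get("/interface bridge vlan", []):
        if str(vlan_id) in row.get("vlan-ids", "").split(","):  # ranges not handled
            tagged.update(row.get("tagged", "").split(","))
    if port not in tagged:
        problems.append(f"{port} is not a tagged member of VLAN {vlan_id}")
    for row in cfg.get("/interface bridge settings", []):
        if row.get("use-ip-firewall-for-vlan") == "yes":
            problems.append("use-ip-firewall-for-vlan=yes (the replies advise no)")
    return problems

if __name__ == "__main__":
    # The sniffer output in the thread shows VLAN 20 frames arriving on ether2.
    for reason in check_tagged_port(ORIGINAL, "ether2", 20):
        print(reason)
```
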
 
ieleja
newbie
Topic Author
Posts: 29
Joined: Thu Mar 29, 2012 10:22 pm

Re: Guest WiFi with VLAN on UniFi AP

Fri Dec 27, 2024 10:58 pm

/interface bridge settings set use-ip-firewall-for-vlan=no
After the change, everything started working, but after a few minutes the devices disconnected and now don't connect to the guest network at all.
Tomorrow I will try to reset and start again from scratch...
 
sindy
Forum Guru
Posts: 11278
Joined: Mon Dec 04, 2017 9:19 pm

Re: Guest WiFi with VLAN on UniFi AP

Fri Dec 27, 2024 11:31 pm

Tomorrow try to reset and start again from scratch...
If they cannot even connect to the WiFi, I don't think it is a Mikrotik issue any more. So before starting from scratch, I'd suggest to save a backup and an export of the current configuration so that you have something known good to return to.
 
ieleja
newbie
Topic Author
Posts: 29
Joined: Thu Mar 29, 2012 10:22 pm

Re: Guest WiFi with VLAN on UniFi AP

Sun Dec 29, 2024 11:59 pm

I'd suggest to save a backup and an export of the current configuration so that you have something known good to return to.
Done it that way.

But I reconfigured the original configuration a bit:
- ether1 - WAN,
- ether2 - BLUE VLAN,
- ether3 - GREEN VLAN,
- ether4, ether5 - BASE VLAN

connect internet to ether1, notebook to ether4, UniFi AP to ether5
reset UniFi AP, it gets IP from BASE DHCP

then
/interface bridge port set bridge=BR1 [find interface=ether5] frame-types=admit-all
and
/interface bridge vlan set [find vlan-ids=10] tagged=BR1,ether5
/interface bridge vlan set [find vlan-ids=20] tagged=BR1,ether5
both WiFi networks, guest and main, now work on the UniFi AP through VLANs

Also set up some speed limiting via Queues on the guest WiFi

p.s.
my guess about the previous problems is that the UniFi AP needs to be connected to BASE LAN, not BLUE as I did at first.
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Guest WiFi with VLAN on UniFi AP

Mon Dec 30, 2024 6:05 am

p.s.
my guess about the previous problems is that the UniFi AP needs to be connected to BASE LAN, not BLUE as I did at first.
Stated clearly in post 6 of this thread............

First: Please remove router serial number from your post!
Second: Config is incomplete, the base subnet is missing typical networking items, ip pool etc.....
Third: remove or set to NO the ip bridge firewall settings! This is an advanced menu that is normally not needed.
Fourth: Normally "allow fast path" is set to yes.. Why did you set it to NO??
Fifth: Ether2 should be a hybrid port to the UNIFI..... the untagged vlan should be the base vlan ( the management vlan and the UniFi's IP should be 192.168.0.X ) PVID of 99, and the other two vlans, main and guest should be tagged as data vlans.
Sixth: Firewall rules need work...............
 
ieleja
newbie
Topic Author
Posts: 29
Joined: Thu Mar 29, 2012 10:22 pm

Re: Guest WiFi with VLAN on UniFi AP

Mon Dec 30, 2024 5:59 pm

Stated clearly in post 6 of this thread............
It's hard to follow two advisers at a time, but thanks for your post!
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Guest WiFi with VLAN on UniFi AP

Mon Dec 30, 2024 8:09 pm

Sindy is the expert, I am just learning.
However, his level of genius is not always needed for basic config issues.
I am searching for the big lump of cow poop in the haystack, his eyes are trained to look for needles....... He might not even notice the cow poop LOL
Unless it's very fresh ;-))