Guest WiFi with VLAN on UniFi AP
Posted: Thu Dec 26, 2024 8:08 pm
by ieleja
Hello,
As base config I use
Using RouterOS to VLAN your network
viewtopic.php?t=143620&sid=8d57615ae14b ... b348b28fb8
My simple system looks like "Router-Switch-AP (all in one)" (and this works great) + 1 UniFi AP AC LR, which is configured manually with the main MainWiFi on the "default" network and the guest GuestWiFi, which I attach to "guestNetwork" as GREEN VLAN 20. The UniFi AP is attached to ether2 and gets its address from the BLUE VLAN. MainWiFi works, GuestWiFi does not (it does not even get a DHCP address), and I guess that comes from
[..]
# VLAN Security
# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2]
then how must I configure the MikroTik and the UniFi AP to establish a safe and stable guest WiFi?
thanks,
Saules Ieleja
Re: Guest WiFi with VLAN on UniFi AP
Posted: Thu Dec 26, 2024 8:33 pm
by sindy
If /interface bridge port set bridge=BR1 [find interface=ether2] frame-types=admit-all doesn't help, post the export of the complete configuration.
Re: Guest WiFi with VLAN on UniFi AP
Posted: Thu Dec 26, 2024 9:02 pm
by ieleja
"admit-all" doesn't help; config:
# 2024-12-22 20:44:24 by RouterOS 7.16.2
# software id = 5DWL-EDZZ
#
# model = RB751G-2HnD
# serial number = hidden as 'anav' requested
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=latvia frequency=auto \
mode=ap-bridge ssid=BLUE
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest \
supplicant-identity=MikroTik
/interface wireless
add mac-address=02:0C:42:FB:C7:4B master-interface=wlan1 name=wlan2 \
security-profile=guest ssid=GREEN
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
/interface bridge port
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether4 pvid=20
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=wlan2 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
ether5 pvid=99
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=BASE
/ip settings
set allow-fast-path=no
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=10
add bridge=BR1 tagged=BR1 vlan-ids=20
add bridge=BR1 tagged=BR1 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=GREEN_VLAN network=10.0.20.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
out-interface-list=WAN
/system clock
set time-zone-name=Europe/Riga
/system identity
set name=RouterSwitchAP
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp.org
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
Re: Guest WiFi with VLAN on UniFi AP
Posted: Thu Dec 26, 2024 9:13 pm
by sindy
/interface bridge vlan set [find vlan-ids=20] tagged=BR1,ether2
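The two changes sindy asked for (frame-types=admit-all on ether2, then ether2 in the tagged list of VLAN 20) each remove one reason a tagged VLAN 20 frame from the UniFi gets dropped on ingress. The following is an added example, not code from the thread or from MikroTik: a small Python model of the RouterOS bridge VLAN-filtering ingress decision covering only the knobs the thread turns (frame-types, pvid, and the tagged/untagged member lists under /interface bridge vlan). It assumes ingress-filtering is on, as it is by default in RouterOS 7, and it treats a port as an implicit untagged member of its own PVID, which is how the UniFi was getting a BLUE address on ether2 in the first place. The port states are constructed from the exports in this thread; the last one models the hybrid-port layout anav recommends (untagged management VLAN, tagged data VLANs).

```python
"""Model of a RouterOS bridge port's VLAN-filtering ingress decision.

Added example, not from the thread or from MikroTik. Simplified: ignores
hardware offload, MSTP and VID 0 beyond treating it as untagged.
"""
from dataclasses import dataclass, field

ADMIT_ALL = "admit-all"
ADMIT_UNTAGGED = "admit-only-untagged-and-priority-tagged"
ADMIT_TAGGED = "admit-only-vlan-tagged"


@dataclass
class BridgePort:
    name: str
    pvid: int
    frame_types: str = ADMIT_ALL


@dataclass
class BridgeVlan:
    vlan_id: int
    tagged: set = field(default_factory=set)
    untagged: set = field(default_factory=set)


def ingress_decision(port, vlans, vid=None):
    """Decide whether a frame carrying 802.1Q VID `vid` (None = untagged)
    is accepted on `port`. Returns (accepted, reason, effective_vid)."""
    is_tagged = vid not in (None, 0)  # VID 0 is priority-tagged: handled as untagged
    if is_tagged and port.frame_types == ADMIT_UNTAGGED:
        return False, "tagged frame dropped by frame-types", vid
    if not is_tagged and port.frame_types == ADMIT_TAGGED:
        return False, "untagged frame dropped by frame-types", port.pvid
    eff = vid if is_tagged else port.pvid
    entry = next((v for v in vlans if v.vlan_id == eff), None)
    static_member = entry is not None and (
        port.name in entry.tagged or port.name in entry.untagged
    )
    # Assumption: untagged frames are accepted on the port's own PVID even
    # without a static entry (RouterOS adds a dynamic untagged membership).
    dynamic_member = not is_tagged and eff == port.pvid
    if not (static_member or dynamic_member):
        return False, f"{port.name} is not a member of VLAN {eff}", eff
    return True, "accepted", eff


def guest_dhcp_on_ether2(ether2, vlans):
    """A guest client's DHCP DISCOVER forwarded by the UniFi arrives on
    ether2 tagged with VLAN 20, as the thread's sniffer output later shows."""
    return ingress_decision(ether2, vlans, vid=20)


# --- port states constructed from the exports posted in the thread ---

def template_state():
    """Base template: ether2 admits only untagged frames, VLAN lists only BR1."""
    port = BridgePort("ether2", pvid=10, frame_types=ADMIT_UNTAGGED)
    vlans = [BridgeVlan(10, {"BR1"}), BridgeVlan(20, {"BR1"}), BridgeVlan(99, {"BR1"})]
    return port, vlans


def after_admit_all():
    """First change: frame-types=admit-all on ether2."""
    port, vlans = template_state()
    port.frame_types = ADMIT_ALL
    return port, vlans


def after_tagged_member():
    """Second change: ether2 added to the tagged list of VLAN 20."""
    port, vlans = after_admit_all()
    next(v for v in vlans if v.vlan_id == 20).tagged.add("ether2")
    return port, vlans


def hybrid_port_state():
    """Hybrid AP port as anav describes: untagged management VLAN 99 (PVID),
    data VLANs 10 and 20 tagged. Port name ether5 matches the final post."""
    port = BridgePort("ether5", pvid=99, frame_types=ADMIT_ALL)
    vlans = [
        BridgeVlan(10, {"BR1", "ether5"}),
        BridgeVlan(20, {"BR1", "ether5"}),
        BridgeVlan(99, {"BR1"}, {"ether5"}),
    ]
    return port, vlans


if __name__ == "__main__":
    for label, state in [("template", template_state()),
                         ("admit-all", after_admit_all()),
                         ("tagged member", after_tagged_member())]:
        print(f"{label:14s} VLAN 20 DHCP on ether2 ->", guest_dhcp_on_ether2(*state))
    p, v = hybrid_port_state()
    for vid in (None, 10, 20):
        print("hybrid ether5, vid", vid, "->", ingress_decision(p, v, vid))
```

Running it walks through the three states the thread's ether2 passed through: dropped by frame-types, then dropped for missing VLAN 20 membership, then accepted; the hybrid port accepts untagged frames into VLAN 99 and tagged 10/20 frames as themselves.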
Re: Guest WiFi with VLAN on UniFi AP
Posted: Thu Dec 26, 2024 9:26 pm
by ieleja
/interface bridge vlan set [find vlan-ids=20] tagged=BR1,ether2
doesn't help; the device does not get an address from GREEN DHCP, but assigns itself an AutoIP from 169.x.x.x
Re: Guest WiFi with VLAN on UniFi AP
Posted: Thu Dec 26, 2024 9:42 pm
by anav
First: Please remove the router serial number from your post!
Second: Config is incomplete; the base subnet is missing typical networking items, ip pool etc.....
Third: remove or set to NO the ip bridge firewall settings! This is an advanced menu that is normally not needed.
Fourth: Normally "allow fast path" is set to yes.. Why did you set it to NO??
Fifth: Ether2 should be a hybrid port to the UniFi..... the untagged VLAN should be the base VLAN (the management VLAN, and the UniFi's IP should be 192.168.0.X), PVID of 99, and the other two VLANs, main and guest, should be tagged as data VLANs.
Sixth: Firewall rules need work...............
# model = RB751G-2HnD
# serial number = XXXXXXXXXX
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=latvia frequency=auto \
mode=ap-bridge ssid=BLUE
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest \
supplicant-identity=MikroTik
/interface wireless
add mac-address=02:0C:42:FB:C7:4B master-interface=wlan1 name=wlan2 \
security-profile=guest ssid=GREEN
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
add name=BASE_POOL ranges=192.168.0.2-192.168.0.10
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/interface bridge port
add bridge=BR1 interface=ether2 pvid=99 comment="hybrid port to UNIFI"
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=99
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=10
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wlan2 pvid=20
/interface bridge settings
set use-ip-firewall-for-vlan=no
/ip neighbor discovery-settings
set discover-interface-list=BASE
/ip settings
set allow-fast-path=yes
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2 untagged=ether3,wlan1 vlan-ids=10
add bridge=BR1 tagged=BR1,ether2 untagged=ether4,wlan2 vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=ether2,ether5 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=GREEN_VLAN network=10.0.20.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="Allow Estab, Related & untracked" \
connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow admin" in-interface-list=BASE
add action=accept chain=input comment="users to services" in-interface-list=VLAN dst-port=53,123 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=VLAN dst-port=53 protocol=tcp
# put this rule last
add action=drop chain=input comment="Drop all else"
# +++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment="Allow Estab,Related & Untracked" \
connection-state=established,related,untracked
add action=accept chain=forward comment="internet traffic" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="admin to vlans" in-interface-list=BASE out-interface-list=VLAN
# enable or remove if not required
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
out-interface-list=WAN
/system clock
set time-zone-name=Europe/Riga
/system identity
set name=RouterSwitchAP
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp.org
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE
Re: Guest WiFi with VLAN on UniFi AP
Posted: Thu Dec 26, 2024 9:43 pm
by sindy
Both the changes I have asked you to do were necessary, just apparently not sufficient. Does it behave the same if you try to connect using the wlan2 interface of the Mikrotik itself?
Re: Guest WiFi with VLAN on UniFi AP
Posted: Thu Dec 26, 2024 11:38 pm
by ieleja
if you try to connect using the wlan2 interface of the Mikrotik itself?
If I enable the MikroTik wlan, then everything (BLUE and GREEN WiFi) works with the initial configuration.
UniFi AP connected to ether2;
UniFi configuration: "Guest" network, connected to 20 VLAN ID, GREEN wifi connected to "Guest" network.
Re: Guest WiFi with VLAN on UniFi AP
Posted: Fri Dec 27, 2024 12:32 pm
by sindy
If it works when you enable wlan2 on the Mikrotik itself, the IP configuration seems to be ok.
So as the next step, disable wlan2 again, open a command line window as wide as your screen allows, and do the following:
/interface bridge port set [find interface=ether2] hw=no
/tool sniffer quick interface=ether2 port=68
and then let some client device try to connect to the guest network that is broadcast from the Ubiquiti.
If the /tool sniffer ... shows anything, copy-paste it here.
Re: Guest WiFi with VLAN on UniFi AP
Posted: Fri Dec 27, 2024 6:00 pm
by ieleja
If the /tool sniffer ... shows anything, copy-paste it here.
two iOS devices, one Android
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, VLAN, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, SIZE, CPU
INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU
ether2 55.412 11 <- 72:BD:A1:23:63:30 FF:FF:FF:FF:FF:FF 20 0.0.0.0:68 (bootpc) 255.255.255.255:67 (bootps) ip:udp 346 0
ether2 56.041 12 <- 22:F3:5D:F0:6A:77 FF:FF:FF:FF:FF:FF 20 0.0.0.0:68 (bootpc) 255.255.255.255:67 (bootps) ip:udp 346 0
ether2 57.692 13 <- 22:F3:5D:F0:6A:77 FF:FF:FF:FF:FF:FF 20 0.0.0.0:68 (bootpc) 255.255.255.255:67 (bootps) ip:udp 346 0
ether2 59.479 14 <- 72:BD:A1:23:63:30 FF:FF:FF:FF:FF:FF 20 0.0.0.0:68 (bootpc) 255.255.255.255:67 (bootps) ip:udp 346 0
ether2 64.881 15 <- 5C:51:81:B0:E2:AD FF:FF:FF:FF:FF:FF 20 0.0.0.0:68 (bootpc) 255.255.255.255:67 (bootps) ip:udp 354 0
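What makes this capture useful is the asymmetry in it: every line is a DHCP DISCOVER received on ether2 (DIR `<-`) tagged VLAN 20, and there is no bootps traffic leaving the port, so the frames reach the router and are not answered. The following is an added example, not code from the thread: a Python parser for the `/tool sniffer quick` lines posted above that summarises DHCP requests and replies per VLAN and flags VLANs whose requests go unanswered. It assumes `<-` marks frames received on the interface and `->` frames sent, which is how the thread reads the output; the sample lines are copied from the post above.

```python
"""Parse RouterOS `/tool sniffer quick` output and summarise DHCP per VLAN.

Added example, not from the thread or from MikroTik.
"""
import re
from collections import defaultdict

# Lines copied from the post above; the header row is skipped by the parser.
SNIFFER_OUTPUT = """\
INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU
ether2 55.412 11 <- 72:BD:A1:23:63:30 FF:FF:FF:FF:FF:FF 20 0.0.0.0:68 (bootpc) 255.255.255.255:67 (bootps) ip:udp 346 0
ether2 56.041 12 <- 22:F3:5D:F0:6A:77 FF:FF:FF:FF:FF:FF 20 0.0.0.0:68 (bootpc) 255.255.255.255:67 (bootps) ip:udp 346 0
ether2 57.692 13 <- 22:F3:5D:F0:6A:77 FF:FF:FF:FF:FF:FF 20 0.0.0.0:68 (bootpc) 255.255.255.255:67 (bootps) ip:udp 346 0
ether2 59.479 14 <- 72:BD:A1:23:63:30 FF:FF:FF:FF:FF:FF 20 0.0.0.0:68 (bootpc) 255.255.255.255:67 (bootps) ip:udp 346 0
ether2 64.881 15 <- 5C:51:81:B0:E2:AD FF:FF:FF:FF:FF:FF 20 0.0.0.0:68 (bootpc) 255.255.255.255:67 (bootps) ip:udp 354 0
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<time>[\d.]+)\s+(?P<num>\d+)\s+(?P<dir><-|->)\s+"
    r"(?P<src_mac>[0-9A-Fa-f:]{17})\s+(?P<dst_mac>[0-9A-Fa-f:]{17})\s+"
    r"(?:(?P<vlan>\d+)\s+)?"  # VLAN column is empty for untagged frames
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)(?:\s+\(\w+\))?\s+"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)(?:\s+\(\w+\))?\s+"
    r"(?P<proto>\S+)\s+(?P<size>\d+)\s+(?P<cpu>\d+)$"
)


def parse_sniffer(text):
    """Return one dict per packet line; header and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["vlan"] = int(d["vlan"]) if d["vlan"] else None
        for key in ("num", "src_port", "dst_port", "size", "cpu"):
            d[key] = int(d[key])
        d["time"] = float(d["time"])
        rows.append(d)
    return rows


def dhcp_summary(rows):
    """Per VLAN (None = untagged): DHCP requests received, replies sent, client MACs."""
    summary = defaultdict(lambda: {"requests_rx": 0, "replies_tx": 0, "clients": set()})
    for r in rows:
        if r["proto"] != "ip:udp":
            continue
        entry = summary[r["vlan"]]
        if r["dir"] == "<-" and r["dst_port"] == 67:   # client -> server, received
            entry["requests_rx"] += 1
            entry["clients"].add(r["src_mac"])
        elif r["dir"] == "->" and r["src_port"] == 67:  # server -> client, sent
            entry["replies_tx"] += 1
    return dict(summary)


def unanswered_vlans(summary):
    """VLANs on which DHCP requests arrived but no reply left the port."""
    hits = [v for v, s in summary.items() if s["requests_rx"] and not s["replies_tx"]]
    return sorted(hits, key=lambda v: (v is None, v or 0))


if __name__ == "__main__":
    rows = parse_sniffer(SNIFFER_OUTPUT)
    summary = dhcp_summary(rows)
    for vlan, s in summary.items():
        print(f"VLAN {vlan}: {s['requests_rx']} requests in, {s['replies_tx']} replies out, "
              f"{len(s['clients'])} clients")
    print("unanswered:", unanswered_vlans(summary))
```

On the capture above this reports five requests from three client MACs on VLAN 20 and zero replies, i.e. the DHCP server never answers on that VLAN; that is what moved the diagnosis to the bridge VLAN table rather than the AP.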
Re: Guest WiFi with VLAN on UniFi AP
Posted: Fri Dec 27, 2024 6:22 pm
by sindy
OK, so it comes alright from the Unifi, but I cannot spot an issue in the configuration. Post the current output of /interface bridge export after all the changes you've made so far, please.
Re: Guest WiFi with VLAN on UniFi AP
Posted: Fri Dec 27, 2024 6:46 pm
by ieleja
# 2024-12-22 18:28:41 by RouterOS 7.16.2
# software id = 5DWL-EDZZ
#
# model = RB751G-2HnD
# serial number = xxxxxxxxxxxx
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=wlan2 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=99
add bridge=BR1 hw=no interface=ether2 pvid=10
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=10
add bridge=BR1 tagged=BR1,ether2 vlan-ids=20
add bridge=BR1 tagged=BR1 vlan-ids=99
[ieladmin@RouterSwitchAP] >
What about "anav"'s recommendations?
My configuration was almost a copy/paste from:
Using RouterOS to VLAN your network
viewtopic.php?t=143620&sid=8d57615ae14b ... b348b28fb8
Second: Config is incomplete, the base subnet is missing typical networking items, ip pool etc.....
Fifth: Ether2 should be a hybrid port to the UNIFI..... the untagged vlan should be the base vlan ( the management vlan and the unifis IP should be 192.168.0.X ) PVID of 99, and the other two vlans, main and guest should be tagged as data vlans.
Re: Guest WiFi with VLAN on UniFi AP
Posted: Fri Dec 27, 2024 6:54 pm
by sindy
/interface bridge settings set use-ip-firewall-for-vlan=no
then try again.
I did not analyze all @anav's recommendations as most of them are not relevant to the primary issue, but I agree with him on the above one, the purpose of this setting is different from what you assume - its name is misleading.
Re: Guest WiFi with VLAN on UniFi AP
Posted: Fri Dec 27, 2024 10:58 pm
by ieleja
/interface bridge settings set use-ip-firewall-for-vlan=no
After the change, everything started working, but after a few minutes the devices disconnected and now they don't connect to guest at all.
Tomorrow I'll try to reset and start again from scratch...
Re: Guest WiFi with VLAN on UniFi AP
Posted: Fri Dec 27, 2024 11:31 pm
by sindy
Tomorrow I'll try to reset and start again from scratch...
If they cannot even connect to the WiFi, I don't think it is a MikroTik issue any more. So before starting from scratch, I'd suggest saving a backup and an export of the current configuration so that you have something known good to return to.
Re: Guest WiFi with VLAN on UniFi AP
Posted: Sun Dec 29, 2024 11:59 pm
by ieleja
I'd suggest to save a backup and an export of the current configuration so that you have something known good to return to.
Done, all of it that way.
But I reconfigured the original configuration a bit:
- ether1 - WAN,
- ether2 - BLUE VLAN,
- ether3 - GREEN VLAN,
- ether4, ether5 - BASE VLAN
Connected the internet to ether1, the notebook to ether4, the UniFi AP to ether5.
Reset the UniFi AP; it gets an IP from BASE DHCP.
Then
/interface bridge port set bridge=BR1 [find interface=ether5] frame-types=admit-all
and
/interface bridge vlan set [find vlan-ids=10] tagged=BR1,ether5
/interface bridge vlan set [find vlan-ids=20] tagged=BR1,ether5
Both WiFis, guest and main, now work on the UniFi AP through VLANs.
Also set up some speed limiting via Queues on the guest WiFi.
P.S.
My guess about the previous problems is that the UniFi AP needed to be connected to the BASE LAN, not BLUE as I did at first.
Re: Guest WiFi with VLAN on UniFi AP
Posted: Mon Dec 30, 2024 6:05 am
by anav
P.S.
My guess about the previous problems is that the UniFi AP needed to be connected to the BASE LAN, not BLUE as I did at first.
Stated clearly in post 6 of this thread............
First: Please remove the router serial number from your post!
Second: Config is incomplete; the base subnet is missing typical networking items, ip pool etc.....
Third: remove or set to NO the ip bridge firewall settings! This is an advanced menu that is normally not needed.
Fourth: Normally "allow fast path" is set to yes.. Why did you set it to NO??
Fifth: Ether2 should be a hybrid port to the UniFi..... the untagged VLAN should be the base VLAN (the management VLAN, and the UniFi's IP should be 192.168.0.X), PVID of 99, and the other two VLANs, main and guest, should be tagged as data VLANs.
Sixth: Firewall rules need work...............
Re: Guest WiFi with VLAN on UniFi AP
Posted: Mon Dec 30, 2024 5:59 pm
by ieleja
Stated clearly in post 6 of this thread............
It's hard to follow two advisers in time, but thanks for your post!
Re: Guest WiFi with VLAN on UniFi AP
Posted: Mon Dec 30, 2024 8:09 pm
by anav
Sindy is the expert, I am just learning.
However, his level of genius is not always needed for basic config issues.
I am searching for the big lump of cow poop in the haystack; his eyes are trained to look for needles....... He might not even notice the cow poop LOL
Unless it's very fresh )