2 vlans with mikrotik and unifi - no way to make it work

lochesistemas · August 14, 2018, 3:34pm

Hi!

I’ve been researching in forums + youtube how to create vlans using unifi APs and mikrotik router and they are all different approaches. Tried mostly all of them without success.

I currently have a mikrotik router hAP ac with QCA 8337 switch chip and a non managed layer 2 tplink (regular) switch where all the wired computers are connected and also, the 5 unifi APs.

internet ↔ router ↔ tplink switch ↔ unifi APs

My goal is to have 2 wireless vlans using unifi mesh access points.

networks:
192.168.81.x administration (no vlan here - wired and wireless. default dhcp server)
192.168.200.x wireless security cameras (vlan 200)
192.168.250.x wireless guest access (vlan 250. need dhcp server here)

right now, the router is connected in this way:
ether1 = wan
ether2 = connected to the tplink switch
ether3 = nothing
ether4 = nothing
ether5 = DVR (in order to connect the wireless cameras)

router configuration so far (empty of course)

# aug/14/2018 12:31:35 by RouterOS 6.42.5
# software id = RDPG-VAHY
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 8308072CEA76
/interface bridge
add admin-mac=64:D1:54:B8:C5:E8 auto-mac=no comment=defconf name=bridge protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-lan
set [ find default-name=ether5 ] name=ether5-dvr
/interface vlan
add interface=wlan1 name=vlan200-cameras vlan-id=200
/ip pool
add name=pool-default ranges=192.168.81.102-192.168.81.249
/ip dhcp-server
add address-pool=pool-default disabled=no interface=bridge name=dhcp-default
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-lan
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5-dvr pvid=200
set bridge=bridge discovery-interfaces=bridge enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.81.1/24 interface=bridge network=192.168.81.0
add address=192.168.200.254/24 interface=vlan200-cameras network=192.168.200.0
/ip dhcp-server network
add address=192.168.81.0/24 gateway=192.168.81.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-wan

is it possible to achieve it?
thanks in advance!

k6ccc · August 15, 2018, 1:13am

The problem is your dumb switch. Some dumb switches will pass 802.1Q VLAN traffic and some will not. I have no idea if your tplink will or not. Assuming that it won’t, my suggestion would be to split it up. Have the tplink and the attached computers connected as they are now. Then run a separate connection to the WiFi. Now to complicate that, is the WiFi set up as five independent A/Ps each of which has a wired LAN connection, or is it a mesh network with a small number of gateways that have the LAN connections and the rest are mesh nodes and only act as repeaters? The big reason for the question is number of available physical LAN ports on your router. From your description, you only have two available ports. If your WiFi is a mesh with only one or two gateway nodes, you’re good to go. If you need five ports, you will need a switch that can handle VLANs (or a router with more ports). I have been very happy with the RB260S switch or as it is now known CSS106-5G-1S (if I remembered that right). It fully understands VLANs.
If he tplink CAN handle the VLAN traffic, you are already set. I have not looked at your config as I’m doing this on my laptop on a moving commuter train, so a little hard. If no one else does, I can look at it, but it likely won’t be until tomorrow evening.