I have already found multiple topics like this but none of them helped me. What I’m trying to achieve is to set up my guest WiFi (using Unifi ap-ac-pro) and mikrotik RB3011UiAS. All my devices are currently connected to ether2 and my internet connection is connected to ether1.
As you are using a VLAN-aware bridge:
The VLAN interface created in #2 should be attached to bridge-lan NOT ether2
When setting up the DHCP server in #4 you need to create an entry under the Network tab too
The bridge VLAN settings in #5 are not correct, the entry for VLAN 10 should have tagged=bridge-lan,ether2 and no untagged entries
Thank you for the answer! I have changed the config as you mentioned but nothing has changed. I’m still not able to get an IP from DHCP when connected to the guest network. Also looking at the interface list I can see no traffic on vlan10. Changes I made:
#2
Attaching vlan interface to bridge:
#4
I had an entry in Network tab:
#5
Fixing bridge vlan settings (cannot remove vlan10 from Untagged for vlan id 10):
Any other place I should update or anything else I’m missing?
You’re right, I forgot I have added also vlan10 into Bridge > Ports. Removing it from there automatically removed vlan10 from Untagged. But still it’s not working
A few things:
Uncheck ‘Use service VLAN’ in the configuration for vlan10 - it should be a regular 802.1Q VLAN rather than an 802.1ad (service) VLAN.
Remove the entries under /interface ethernet switch vlan - it is possible to mix a non-VLAN aware bridge with hardware switching and VLAN filtering, but unless you need wirespeed switching it should be avoided as there can be weird interactions.
The vlan10 interface isn’t a member of the LAN interface list unless you add it - the default rule to drop input from anything not in the LAN interface list will prevent access to the router from the new VLAN, ICMP is permitted by an earlier rule and as far as I can remember DHCP should work as it uses raw rather than IP sockets.
All those settings are default ones. Currently nothing is connected to ports from ether3 - to sfp1. After work I will adjust the settings according to your hints and I will share the results, thanks!
Hi complex, the reason I didn't untag ether2 is due to two reasons, first because it's acting as a trunk port for vlan10 and the default vlan1.
I am assuming his ubiquiti devices are able to assign vlan10 to attached devices.
In the latest configuration update I do not see any vlan1 setup.
Also I am assuming that his ubiquiti device is not able to assign any vlan to the attached devices, that's why the devices get no IP address from DHCP pool.
If you untag ether2 then all devices should get an IP address.
This is my humble opinion.
VLAN1 is the default, it is assumed by the router.
The DHCP on the VLAN is all set up on the MT, it does give out IP addresses to any device connected on vlan10.
The ubiquities are advanced access points, they have VLAN capabilities similar to the CapACs I use which assign VLAN tags to incoming data.
I just assign trunk ports to capacs…
My Ubiquiti UniFi AP, AC PRO should have the capability to assign vlan10 to attached devices, but is there a way to test if it works correctly?
Tried that and it didn’t work - same effect - cannot get an IP from dhcp. All devices connected to any other wifi networks get an IP correctly, only the ones connected to the guest wifi - vlan10 cannot get an IP. Is there a way to test the vlan connection?
Sorry for the late reply but I got so busy at work for the last month that I had no time to play with it. Now I came back to it and I decided to reset the MT config and start from the beginning, but with no success. Same result.
My config is:
[admin@MikroTik] > export hide-sensitive
# nov/03/2019 21:22:17 by RouterOS 6.45.1
# software id = JJDI-22UL
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEA09C227E2
/interface bridge
add admin-mac=B8:69:F4:2F:73:7E auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=rzeczna81f@dg-net.pl
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool2 disabled=no interface=vlan10 lease-time=20m name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan10 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I have tried to connect to the guest WiFi (vlan10) with statically set IP and no luck. I have also tried @complex1 hint:
New config:
[admin@MikroTik] > export hide-sensitive
# nov/03/2019 21:38:16 by RouterOS 6.45.1
# software id = JJDI-22UL
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEA09C227E2
/interface bridge
add admin-mac=B8:69:F4:2F:73:7E auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=rzeczna81f@dg-net.pl
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool2 disabled=no interface=vlan10 lease-time=20m name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=ether4 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan10 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Device connected to ether 4 by wire got the IP address from main dhcp: 192.168.88.xxx, not the one from vlan10. Still no traffic is shown on interface vlan10.
Do you not see the issues of your config??
(1) How can you assign an IP address to an interface and especially ether2
when you assigned the associated dhcp server to the bridge??
(2) Ether2 seems to be where you want the vlan10 so I am assuming it's a hybrid port ??
One can only conclude that ether2 connects to a device that is feeding the router both regular LAN traffic and vlan10 traffic and therefore the router is connecting to a smart switch or something that can have trunk ports at its end (be it switch, a capAC another mT router etc…)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Following that logic…
It should look like…
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
Thanks @anav for the answer but assigning the address to ether2 works fine and I have no problems with it. On my eth2 I have connected a switch (Cisco SRW2048) where all devices (including APs) are connected and all of them work fine - get an IP, etc. The problem I have is that no devices connected to ether2 with vlanID = 10 can get an IP address from dhcp_pool2 (192.168.10.x)
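An added example, not part of the thread: a small Python audit that runs three of the points raised in the replies against a RouterOS export (address on a bridge member port, parent bridge missing from the VLAN's tagged list, and the guest VLAN sitting in the LAN interface list, which exempts it from the defconf "drop all not coming from LAN" input rule). The function names and finding codes are invented for this example, the embedded export is a constructed subset of the first config posted above, and `vlan-ids` ranges are not handled.

```python
import shlex
from collections import defaultdict

# Constructed sample: lines trimmed from the first export posted in the thread.
EXPORT = """\
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=10
/interface list member
add interface=vlan10 list=LAN
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
"""

def parse_export(text):
    """Map each '/menu path' to the key=value dicts of its 'add' lines."""
    menus, current = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:])
            menus[current].append({p[0]: p[1] for p in pairs if len(p) == 2})
    return menus

def audit(text):
    """Return (code, interface) findings for the points raised in the replies."""
    m, findings = parse_export(text), []
    ports = {p["interface"] for p in m["/interface bridge port"]}
    # Address on a bridge member port instead of on the bridge itself.
    for a in m["/ip address"]:
        if a["interface"] in ports:
            findings.append(("ip-on-bridge-port", a["interface"]))
    for v in m["/interface vlan"]:
        # The bridge VLAN entry for this ID must list the parent bridge as tagged.
        tagged = [e.get("tagged", "").split(",") for e in m["/interface bridge vlan"]
                  if v["vlan-id"] in e.get("vlan-ids", "").split(",")]
        if not any(v["interface"] in t for t in tagged):
            findings.append(("vlan-parent-not-tagged", v["name"]))
        # LAN list membership exempts the VLAN from the defconf input drop rule.
        if any(i["interface"] == v["name"] and i["list"] == "LAN"
               for i in m["/interface list member"]):
            findings.append(("vlan-in-lan-list", v["name"]))
    return findings

if __name__ == "__main__":
    print(audit(EXPORT))
```

For a guest network, the `vlan-in-lan-list` finding is the one to review from a security angle: with that membership the router's input chain and the LAN-scoped MAC server settings treat guest clients like trusted LAN hosts.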