Hi all,
So I have been running my setup for a while now, but it really irritates me that I can't get my AP to work properly on my Mikrotik.
The problem with Ubiquiti APs is that they need an untagged VLAN for management.
That’s why I hope someone on this forum can enlighten me with some configuration that can fix my problem.
So the solution I am trying to figure out is shown in these 2 links, but for some reason I can't get it to work.
Hybrid Ports:
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table
VLAN Example #2 (Trunk and Hybrid Ports):
https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#VLAN_Example_.232_.28Trunk_and_Hybrid_Ports.29
See my current configuration below for configuration that works for vlan 10 and 20 with no management on the AP:
/interface bridge
add name=bridge-LAN protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=combo1 ] comment=WAN name=ether0
set [ find default-name=ether1 ] comment=AP
set [ find default-name=ether7 ] name=ether7_Management
/interface vlan
add comment=LAN interface=bridge-LAN name=vlan10 vlan-id=10
add comment=DMZ interface=bridge-LAN name=vlan20 vlan-id=20
/interface list
add comment=defconf name=LAN
add name=Mngmt
add comment=defconf name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.11-192.168.1.200
add name=dhcp_pool1 ranges=192.168.2.11-192.168.2.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan10 lease-time=10h name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan20 lease-time=10h name=dhcp2
/interface bridge port
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge-LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1 pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=Mngmt
/interface bridge vlan
add bridge=bridge-LAN tagged=bridge-LAN,ether1 vlan-ids=20
add bridge=bridge-LAN tagged=bridge-LAN,ether1 vlan-ids=10
/interface list member
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add comment=defconf interface=ether0 list=WAN
add interface=vlan10 list=Mngmt
/ip address
add address=192.168.1.1/24 interface=vlan10 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan20 network=192.168.2.0
/ip dhcp-client
add disabled=no interface=ether0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=192.168.1.0/24 list=adminaccess
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=vlan10 out-interface=vlan20
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new disabled=yes in-interface=ether0
add action=drop chain=forward comment=drop_All_else
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="allowed admin to router" in-interface=vlan10 src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether0
So what do I need to configure to get the Hybrid_Port (tagged and untagged on the same port) to work?
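The hybrid-port change the question asks about, as an added example that is not part of the original post and is not copied from the MikroTik wiki. It assumes the AP's untagged management traffic should land in VLAN 10, which the posted config already treats as the management network (vlan10 is in the Mngmt list), and that the AP is reconfigured to send VLAN 10 untagged while keeping VLAN 20 tagged. Only the ether1 rows change.

```routeros
# Added example. Assumption: untagged AP management frames belong in VLAN 10.
#
# Before (rows from the post): ether1 is a pure trunk, so untagged frames
# from the AP are dropped at ingress and pvid=10 is never applied to them.
#   /interface bridge port
#   add bridge=bridge-LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1 pvid=10
#   /interface bridge vlan
#   add bridge=bridge-LAN tagged=bridge-LAN,ether1 vlan-ids=10

# After: hybrid port. Untagged frames are accepted and classified into
# pvid=10. Tagged VLAN 20 frames still pass because ether1 remains a tagged
# member of VLAN 20. ingress-filtering=yes keeps dropping frames tagged with
# any VLAN ID that ether1 is not a member of.
/interface bridge port
set [ find interface=ether1 ] frame-types=admit-all ingress-filtering=yes pvid=10

# VLAN 10 now leaves ether1 untagged. The bridge itself stays a tagged member
# so the vlan10 interface (gateway, DHCP server) keeps working.
/interface bridge vlan
set [ find vlan-ids=10 ] tagged=bridge-LAN untagged=ether1

# The VLAN 20 row is unchanged: tagged=bridge-LAN,ether1
```

With this layout, any device plugged into ether1 without a tag lands in VLAN 10, which the posted firewall treats as the admin network (adminaccess), so the port deserves the same physical protection as the other VLAN 10 access ports. Apply the change from a port that does not depend on ether1, since a mistake on a vlan-filtering bridge can cut off access.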