CRS326-24G-2S+ with two dhcp servers

RouterOS Beginner Basics
1

Hi to all!

At my home, main router is Mikrotik CRS326-24G-2S+. On interface eth24 I have Ubiquiti UAP-AC-HD access point connected with cable and everything works fine. IP address of router is 192.168.100.1. On access point, I have added WiFi network named fermi and it works fine. Its network settings are shown here:

All clients are connected to this wifi (in the range 192.168.100.1-192.168.100.50, and they work fine. However, I would like to introduce guest wifi network on its own subnet (in the range 192.168.101.1-192.168.100.50) so the clients, connected to guest network, do not “see” clients on primary network (i.e. fermi). Therefore I’ve added second WiFi network to access point:

Now, the problem is an arbitrary device “sees” network fermiGuests, but it does not receive network address (IP number) from DHCP server from Mikrotik. How do I spawn two DHCP servers in Mikrotik on interface eth24?

2

It’s easy IF the access point is VLAN aware. However I don’t see any indication on the AP config pages of VLANs. IF the AP is VLAN capable, configure it for two different VLANs - one for each SSID. Configure a separate DHCP server for the guest WiFi SSID.

3

Correction. I missed it on the Guest SSID that it DOES allow specifying a VLAN (I was primarily looking at the primary SSID setup page).

4

Don’t expect too much performance using CRS326-24G-2S+ as router doing Nat etc because it has a little cpu

5

If you are using a Mikrotik, or any other non-Ubiquiti gateway, the UniFi controller network settings have absolutely no effect. You can’t remove the inbuilt base/untagged LAN network and replace it with a VLAN-only network, but there is little point in using anything other than VLAN-only networks for additional VLANs. These are used by the UniFi controller solely to associate UniFi AP SSIDs and UniFi switch port profiles with particular VLAN IDs.

The Mikrotik will need a hybrid trunk port with a matching VLAN to the one chosen for the guest network, IP gateway address & DHCP server adding to provide the guest network, and firewall rules to limit access.

UniFi APs do have features not present on many other manufacturers - you can indicate an SSID is for guest devices which will prevent access to other devices on the same subnet, i.e. you can use the same subnet for main and guest devices but the guest devices are isolated avoiding the need for a separate subnet.

6

Ok, guys, thank you very much for your hints - I’ve manage to get it done after two quarter sleepy nights. :smiley: Wired clients now work ok, however, I still have these problems:

  • I’ve introduced “fermiServiceWIFI” wifi network for devices, which are part of skeleton, which my smart apartment resides on. I have also created new VLAN “fermiServiceVLAN” and
  1. fermiServiceVLAN has ip range 192.168.100.100 - 192.168.100.170
  2. fermiServiceWIFI has ip range 192.168.100.190-192.168.100.240

1st Problem) Now, on Mikrotik side, I’ve put “fermiServiceVLAN” ip range into IP->Address table and if I enable it, WAN stops working across apratment on all wired devices, Why?
2nd Problem) WiFi devices can connect to all three WiFi networks, but they cannor reach WAN. How do I fix that?

Sincerely,
Marko

7

Post you configuration, it is the output of /export hide-sensitive in a terminal window. Redact additional information such as the serial number, public IP addresses, credentials in scripts, etc. and post in a code block (the icon in the menu above the text box when posting a reply).

8

Here is my Mikrotik’s configuration, like you asked for:

# mar/05/2023 18:35:58 by RouterOS 7.8
# software id = A957-GW74
#
# model = CRS326-24G-2S+
# serial number = **********
/interface bridge
add admin-mac=B8:69:F4:8F:36:4E auto-mac=no comment="home lan wired clients bridge" name=bridgeHomeLANWiredClients
/interface ethernet
set [ find default-name=ether12 ] comment="dining room ethernet wall socket (ether12)" name=etherDiningRoomWallSocket
set [ find default-name=ether24 ] comment="corridor ceiling wifi access point socket (ether24)" name=etherWiFiAccessPoint
set [ find default-name=sfp-sfpplus1 ] mac-address=64:63:EA:17:B1:CA
set [ find default-name=sfp-sfpplus2 ] disabled=yes
/interface vlan
add interface=etherWiFiAccessPoint name=vlanFermiFamily vlan-id=3000
add interface=etherWiFiAccessPoint name=vlanFermiGuests vlan-id=2000
add interface=etherWiFiAccessPoint name=vlanFermiService vlan-id=1000
add interface=bridgeHomeLANWiredClients name=vlanHomeLANWiredClients vlan-id=4000
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcpPoolHomeLANWiredClients ranges=192.168.100.100-192.168.100.150
add name=dhcpPoolFermiService ranges=192.168.100.160-192.168.100.230
add name=dhcpPoolFermiGuests ranges=192.168.101.100-192.168.101.250
add name=dhcpPoolFermiFamily ranges=192.168.102.100-192.168.102.250
/ip dhcp-server
add add-arp=yes address-pool=dhcpPoolHomeLANWiredClients interface=bridgeHomeLANWiredClients name=dhcpServerHomeLANWiredClients
add add-arp=yes address-pool=dhcpPoolFermiGuests interface=vlanFermiGuests name=dhcpServerFermiGuests
add add-arp=yes address-pool=dhcpPoolFermiService disabled=yes interface=vlanFermiService name=dhcpServerFermiService
add add-arp=yes address-pool=dhcpPoolFermiFamily interface=vlanFermiFamily name=dhcpServerFermiFamily
/port
set 0 name=serial0
/interface bridge port
add bridge=bridgeHomeLANWiredClients interface=ether1
add bridge=bridgeHomeLANWiredClients interface=ether2
add bridge=bridgeHomeLANWiredClients interface=ether3
add bridge=bridgeHomeLANWiredClients interface=ether4
add bridge=bridgeHomeLANWiredClients interface=ether5
add bridge=bridgeHomeLANWiredClients interface=ether6
add bridge=bridgeHomeLANWiredClients interface=ether7
add bridge=bridgeHomeLANWiredClients interface=ether8
add bridge=bridgeHomeLANWiredClients interface=ether9
add bridge=bridgeHomeLANWiredClients interface=ether10
add bridge=bridgeHomeLANWiredClients interface=ether11
add bridge=bridgeHomeLANWiredClients comment="Dining room wall ethernet socket" interface=etherDiningRoomWallSocket trusted=yes
add bridge=bridgeHomeLANWiredClients interface=ether13
add bridge=bridgeHomeLANWiredClients interface=ether14
add bridge=bridgeHomeLANWiredClients interface=ether15
add bridge=bridgeHomeLANWiredClients interface=ether16
add bridge=bridgeHomeLANWiredClients interface=ether17
add bridge=bridgeHomeLANWiredClients interface=ether18
add bridge=bridgeHomeLANWiredClients interface=ether19
add bridge=bridgeHomeLANWiredClients interface=ether20
add bridge=bridgeHomeLANWiredClients interface=ether21
add bridge=bridgeHomeLANWiredClients interface=ether22
add bridge=bridgeHomeLANWiredClients interface=ether23
add bridge=bridgeHomeLANWiredClients interface=etherWiFiAccessPoint
add bridge=bridgeHomeLANWiredClients comment=defconf disabled=yes interface=sfp-sfpplus1
add bridge=bridgeHomeLANWiredClients comment=defconf disabled=yes interface=sfp-sfpplus2
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=bridgeHomeLANWiredClients list=LAN
/ip address
add address=192.168.100.1/24 interface=bridgeHomeLANWiredClients network=192.168.100.0
add address=93.103.235.147/16 interface=sfp-sfpplus1 network=93.103.0.0
add address=192.168.100.160/24 disabled=yes interface=vlanFermiService network=192.168.100.0
add address=192.168.101.100/24 interface=vlanFermiGuests network=192.168.101.0
add address=192.168.102.100/24 interface=vlanFermiFamily network=192.168.102.0
/ip dhcp-client
add disabled=yes interface=sfp-sfpplus1
/ip dhcp-server lease
add address=192.168.100.107 client-id=1:0:e4:21:9b:14:2b comment="ps5 - living room" mac-address=00:E4:21:9B:14:2B server=dhcpServerHomeLANWiredClients
add address=192.168.100.146 client-id=1:e4:5f:1:d9:f0:e2 comment="raspberry pi - balcony" mac-address=E4:5F:01:D9:F0:E2 server=dhcpServerHomeLANWiredClients
add address=192.168.100.147 client-id=1:8:8f:c3:46:ef:8c comment="marko's laptop - work" mac-address=08:8F:C3:46:EF:8C server=dhcpServerHomeLANWiredClients
add address=192.168.100.105 client-id=1:f8:4e:17:81:4f:c5 comment="sony bravia tv - living room" mac-address=F8:4E:17:81:4F:C5 server=dhcpServerHomeLANWiredClients
add address=192.168.100.149 client-id=1:0:6:78:39:4c:b0 comment="denon 4700 - living room" mac-address=00:06:78:39:4C:B0 server=dhcpServerHomeLANWiredClients
add address=192.168.100.104 client-id=1:70:85:c2:a4:3d:d2 comment="marko's workstation - balcony" mac-address=70:85:C2:A4:3D:D2 server=dhcpServerHomeLANWiredClients
add address=192.168.100.148 client-id=1:0:11:32:a1:63:9a comment="synology ds918+ - living room" mac-address=00:11:32:A1:63:9A server=dhcpServerHomeLANWiredClients
add address=192.168.100.103 client-id=1:ac:17:2:6:d3:22 comment="fibaro home center 3 - living room" mac-address=AC:17:02:06:D3:22 server=dhcpServerHomeLANWiredClients
add address=192.168.100.102 client-id=1:74:83:c2:73:c:59 comment="uap ac hd access point - corridor's ceiling" mac-address=74:83:C2:73:0C:59 server=dhcpServerHomeLANWiredClients
add address=192.168.102.199 client-id=1:8a:2a:be:8a:0:a9 comment="marko's phone" mac-address=8A:2A:BE:8A:00:A9 server=dhcpServerFermiFamily
add address=192.168.101.249 client-id=1:74:83:c2:73:c:59 comment="uap ac hd access point - corridor's ceiling" mac-address=74:83:C2:73:0C:59 server=dhcpServerFermiGuests
add address=192.168.102.198 client-id=1:4c:50:77:d5:b3:19 comment="maja's phone" mac-address=4C:50:77:D5:B3:19 server=dhcpServerFermiFamily
add address=192.168.102.197 client-id=1:e8:f7:91:4b:6f:d2 comment="dimitrij's phone" mac-address=E8:F7:91:4B:6F:D2 server=dhcpServerFermiFamily
add address=192.168.102.196 client-id=1:e8:f7:91:4b:65:f0 comment="sandra's phone" mac-address=E8:F7:91:4B:65:F0 server=dhcpServerFermiFamily
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=***.***.***.***,***.***.***.*** gateway=0.0.0.0 netmask=24
add address=192.168.100.0/24 comment="wired clients & fermiService WIFI WAN connection" dns-server=***.***.***.***,***.***.***.*** gateway=192.168.100.1 netmask=24
add address=192.168.101.0/24 comment="fermiGuests wifi WAN connection" dns-server=***.***.***.***,***.***.***.*** gateway=192.168.100.1 netmask=24
add address=192.168.102.0/24 comment="fermiFamily wifi WAN connection" dns-server=***.***.***.***,***.***.***.*** gateway=192.168.100.1 netmask=24
/ip dns
set servers=***.***.***.***,***.***.***.***
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set domain=WORKGROUP enabled=yes
/system clock
set time-zone-name=****/****
/system identity
set name=tesla
/system package update
set channel=long-term
/system routerboard settings

Thanks in advance for help !!!

9

192.168.100.1/24 and 192.168.100.160/24 are the same subnet, you cannot use the same subnet on different networks.

The family and guest networks should work, do clients obtain IP addresses when they connect?

Hopefully you have some other firewall between the CRS and internet as with no firewall filer rules you are providing an open DNS proxy and exposing all of the Mikrotik services to the world.

10

Here is situation:
192.168.100.0 network is backbone for devices, which gives functionality of smart home. And some devices are wifi based (like 2 Amazon Echo dots I have) and some device, like Fibaro Home Center 3, which is central unit for smart based home. These devices must reside on same network, so they can “see” each other. Therefore, I gave wifi devices one ip range and wired devices other ip range, but on same network (192.168.100.0).

Regarding firewall: I will set it up, as soon I correct mentioned two problems.

Sincerely,
Marko

11

You can’t assign several ranges from one subnet to different layer 2 interfaces, it has to be the same network. Get rid of vlanFermiService (and the unused vlanHomeLANWiredClients), move/merge services to the base bridgeHomeLANWiredClients interface (maybe give it a better name), configure the WiFi SSID to use no VLAN ID (untagged).

12

Ok, I have moved vlanFermiService to its own subnet, here is current situation:

Now, how do I force WiFi enitties to gain access to WAN? I get local IP, if I connect to any of these WiFis, but I cannot get to WAN?

13

The /ip dhcp-server network settings are incorrect, the gateway has to be within the subnet assigned unless you have manually configured static routes on each client.

14

That’s it! Thank you very much, I’ve set them up like an hour ago .. now everything (for this phase :smiley:) is ok!

Sincerely,
Marko