I’m totally green on the VLAN but taking my first stab at creating a VLAN from scratch for my Ubiquiti AP. I had the VLAN working semi-correctly when added to a specific interface but when I add the VLAN on the Bridge and follow the same steps the DHCP Server comes out as Invalid. I prefer for the VLAN to be on the bridge instead of a specific port so there is no dependency on the AP to be plugged into a specific port.
 #   NAME     INTERFACE   RELAY       ADDRESS-POOL     LEASE-TIME  ADD-ARP
 0   defconf  bridge                  dhcp             10m
 1 I dhcp1    VLAN_Guest  10.1.200.1  VLAN_Guest_Pool  10m
Is there something simple I’m missing here? It’s extremely vanilla:
/interface bridge
add admin-mac=B8:69:F4:AB:32:8A auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=VLAN_Guest vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=VLAN_Guest_Pool ranges=10.1.200.100-10.1.200.199
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=VLAN_Guest_Pool disabled=no interface=VLAN_Guest name=dhcp1 relay=10.1.200.1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.1.200.0/24 dns-server=192.168.88.1 gateway=10.1.200.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
You can’t run a DHCP server off an interface without an IP address … and according to the posted config, interface VLAN_Guest doesn’t have an IP address.
BTW, to avoid some possible odd problems, move LAN address from interface ether2 to interface bridge (IP settings should be done on bridge interface, not on bridge member ports).
Good catch. I knew a second set of eyes would help. Also moved the IP to the bridge as you suggested. Now I’m not getting an IP when hitting VLAN 200. Anything obvious?
/interface bridge
add admin-mac=B8:69:F4:AB:32:8A auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=VLAN_Guest vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=VLAN_Guest_Pool ranges=10.1.200.100-10.1.200.199
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=VLAN_Guest_Pool disabled=no interface=VLAN_Guest name=dhcp1 relay=10.1.200.1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.1.200.1/24 interface=VLAN_Guest network=10.1.200.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.1.200.0/24 dns-server=192.168.88.1 gateway=10.1.200.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Thanks for the link. That’s literally where I started but I was trying to run those rsc files and it didn’t really leave the router in a happy state. I have a previous post about that.
I’ll try to diff those files against what I have. Oddly enough these steps seemed to suffice when I linked it to ether5.
The thing is that in your last posted config, the whole VLAN config, which should be under /interface bridge, is missing … and if you want your RB to work with VLANs, there should be some.
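As an added example (not part of this thread, and not MikroTik's code), here is a small Python linter that parses a RouterOS export and flags the three problems the replies point at: a DHCP server bound to an interface that has no IP address (the "I" flag in the table above), a LAN address sitting on a bridge member port instead of the bridge, and a VLAN interface on the bridge while the bridge has no VLAN table entries and no vlan-filtering. The embedded sample export is a constructed, trimmed version of the first posted config; the check names and messages are mine. One assumption is marked in the code: an address on a member port is counted as covering its bridge, which mirrors the table above where defconf on the bridge stayed valid while the address sat on ether2.

```python
"""Lint a RouterOS export for the problems discussed in the thread.

Added example, not part of the forum thread. SAMPLE_EXPORT is a constructed,
shortened version of the first posted config."""
import shlex
from collections import defaultdict

# Constructed sample: VLAN on the bridge, DHCP server on that VLAN, LAN address
# on ether2 (a bridge port), and no /interface bridge vlan section at all.
SAMPLE_EXPORT = """\
/interface bridge
add admin-mac=B8:69:F4:AB:32:8A auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=VLAN_Guest vlan-id=200
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=VLAN_Guest_Pool ranges=10.1.200.100-10.1.200.199
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=VLAN_Guest_Pool disabled=no interface=VLAN_Guest name=dhcp1 relay=10.1.200.1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
"""


def parse_export(text):
    """Return {section: [ {param: value, ...}, ... ]} for every add/set line.
    shlex keeps quoted values such as comment="defconf: drop invalid" intact."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # section header, e.g. "/ip dhcp-server"
            current = line
            continue
        tokens = shlex.split(line)
        if not tokens or tokens[0] not in ("add", "set"):
            continue
        entry = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            if "=" in tok:                # "[ find default=yes ]" tokens are harmless here
                key, _, value = tok.partition("=")
                entry[key] = value
        sections[current].append(entry)
    return sections


def expand_vlan_ids(spec):
    """'200' -> {200}; '10,20-22' -> {10, 20, 21, 22} (RouterOS vlan-ids syntax)."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def lint(text):
    """Return a list of human-readable findings for the given export text."""
    cfg = parse_export(text)
    findings = []

    addressed = {e["interface"] for e in cfg["/ip address"] if "interface" in e}
    port_to_bridge = {e["interface"]: e["bridge"]
                      for e in cfg["/interface bridge port"] if "interface" in e}
    # Assumption (matches the thread): an address on a member port also counts
    # for its bridge, so only the VLAN server is reported as lacking an address.
    effective = addressed | {port_to_bridge[i] for i in addressed if i in port_to_bridge}

    # 1. DHCP server on an interface with no IP address -> "I" (invalid) in the table
    for srv in cfg["/ip dhcp-server"]:
        iface = srv.get("interface")
        if iface and iface not in effective:
            findings.append(f"dhcp-server {srv.get('name')}: interface {iface} has no /ip address")

    # 2. IP address on a bridge member port instead of the bridge itself
    for addr in cfg["/ip address"]:
        iface = addr.get("interface")
        if iface in port_to_bridge:
            findings.append(f"address {addr.get('address')} is on bridge port {iface}; "
                            f"move it to {port_to_bridge[iface]}")

    # 3. VLAN interface on a bridge that has no VLAN table entry / no vlan-filtering
    bridges = {e.get("name"): e for e in cfg["/interface bridge"] if e["_cmd"] == "add"}
    table_ids = defaultdict(set)
    for row in cfg["/interface bridge vlan"]:
        if "bridge" in row and "vlan-ids" in row:
            table_ids[row["bridge"]] |= expand_vlan_ids(row["vlan-ids"])
    for vl in cfg["/interface vlan"]:
        parent = vl.get("interface")
        if parent not in bridges:
            continue
        vid = int(vl.get("vlan-id", 0))
        if bridges[parent].get("vlan-filtering") != "yes":
            findings.append(f"bridge {parent}: vlan-filtering is not yes, so VLAN {vid} "
                            f"({vl.get('name')}) is not handled by the bridge")
        if vid not in table_ids[parent]:
            findings.append(f"bridge {parent}: no /interface bridge vlan entry carries "
                            f"vlan-id {vid} ({vl.get('name')})")
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_EXPORT):
        print("-", f)
```

Run it against `/export` output saved to a file by swapping SAMPLE_EXPORT for the file contents; on the constructed sample it reports four findings, and once the LAN address is moved to the bridge and VLAN_Guest gets its own address (the second posted config) only the two bridge-VLAN findings remain, which is exactly the gap the last reply describes.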