Guest WiFi with VLAN on UniFi AP

ieleja · December 26, 2024, 6:08pm

Hello,

As base config I use Using RouterOS to VLAN your network
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

My simple system looks like “Router-Switch-AP (all in one)” (and this works great) + 1 Unifi AP AC LR, which is configured manually with main MainWiFi on “default” network and guests GuestWiFi which I attach to “guestNetwork”, as GREEN VLAN 20. UniFi AP I attached to ether2 and it gets address from BLUE VLAN. MainWiFi works, GuestWiFi not (even not get DHCP address) and I guess that is from

[..]
# VLAN Security
# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2]

then how I must configure Mikrotik and UniFi AP to establish safe and stable guest WiFi?

thanks,
Saules Ieleja

sindy · December 26, 2024, 6:33pm

If /interface bridge port set bridge=BR1 [find interface=ether2] frame-types=admit-all doesn’t help, post the export of the complete configuration.

ieleja · December 26, 2024, 7:02pm

“admit-all” doesn’t help, config:

# 2024-12-22 20:44:24 by RouterOS 7.16.2
# software id = 5DWL-EDZZ
#
# model = RB751G-2HnD
# serial number = hidden as 'anav' requested
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=latvia frequency=auto \
    mode=ap-bridge ssid=BLUE
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik
/interface wireless
add mac-address=02:0C:42:FB:C7:4B master-interface=wlan1 name=wlan2 \
    security-profile=guest ssid=GREEN
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
/interface bridge port
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=20
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=wlan2 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5 pvid=99
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=BASE
/ip settings
set allow-fast-path=no
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=10
add bridge=BR1 tagged=BR1 vlan-ids=20
add bridge=BR1 tagged=BR1 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=GREEN_VLAN network=10.0.20.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/system clock
set time-zone-name=Europe/Riga
/system identity
set name=RouterSwitchAP
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp.org
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

sindy · December 26, 2024, 7:13pm

/interface bridge vlan set [find vlan-ids=20] tagged=BR1,ether2

ieleja · December 26, 2024, 7:26pm

doesn’t help, device not get address from GREEN DHCP, but assigns AutoIP from 169.x.x.x

anav · December 26, 2024, 7:42pm

First: Please remove router serial number from your post!
Second: Config is incomplete, the base subnet is missing typical networking items, ip pool etc…
THird: remove or set to NO the ip bridge firewall settings! This is an advanced menu that is normally not needed.
Fourth: Normally “allow fast path” is set to yes.. Why did you set it to NO??
Fifth: Ether2 should be a hybrid port to the UNIFI… the untagged vlan should be the base vlan ( the management vlan and the unifis IP should be 192.168.0.X ) PVID of 99, and the other two vlans, main and guest should be tagged as data vlans.
Sixth: Firewall rules need work…

# model = RB751G-2HnD
# serial number = XXXXXXXXXX
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=latvia frequency=auto \
    mode=ap-bridge ssid=BLUE
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik
/interface wireless
add mac-address=02:0C:42:FB:C7:4B master-interface=wlan1 name=wlan2 \
    security-profile=guest ssid=GREEN
/ip pool
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
add name=BASE_POOL ranges=192.168.0.2-192.168.0.10
/ip dhcp-server
add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/interface bridge port
add bridge=BR1  interface=ether2 pvid=99 comment="hybrid port to UNIFI"
add bridge=BR1 ingress-filtering=yes frame-type=admit-only-priority-and-untagged  interface=ether3 pvid=10
add bridge=BR1 ingress-filtering=yes frame-type=admit-only-priority-and-untagged  interface=ether4 pvid=20
add bridge=BR1 ingress-filtering=yes frame-type=admit-only-priority-and-untagged  interface=ether5 pvid=99
add bridge=BR1 ingress-filtering=yes frame-type=admit-only-priority-and-untagged  interface=wlan1 pvid=10
add bridge=BR1 ingress-filtering=yes frame-type=admit-only-priority-and-untagged  interface=wlan2 pvid=20
/interface bridge settings
set use-ip-firewall-for-vlan=no
/ip neighbor discovery-settings
set discover-interface-list=BASE
/ip settings
set allow-fast-path=yes
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2  untagged=ether3,wlan1  vlan-ids=10
add bridge=BR1 tagged=BR1,ether2  untagged=ether4,wlan2  vlan-ids=20
add bridge=BR1 tagged=BR1  untagged=ether2,ether5  vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=GREEN_VLAN network=10.0.20.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
add address=192.168.0.0/24  dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="Allow Estab, Related & untracked" \
    connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow admin"  in-interface-list=BASE
add action=accept chain=input comment="users to services" in-interface-list=VLAN dst-port=53,123 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=VLAN dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop all else"    { put this rule in last }
+++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment="Allow Estab,Related & Untracked" \
    connection-state=established,related,untracked
add action=accept chain=forward comment="internet traffic" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="admin to vlans" in-interface-list=BASE out-interface-list=VLAN
add action=accept chain=forward comment="port forwarding"  connection-nat-state=dstnat disabled=yes  { enable or remove if not required }
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/system clock
set time-zone-name=Europe/Riga
/system identity
set name=RouterSwitchAP
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp.org
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE

sindy · December 26, 2024, 7:43pm

Both the changes I have asked you to do were necessary, just apparently not sufficient. Does it behave the same if you try to connect using the wlan2 interface of the Mikrotik itself?

ieleja · December 26, 2024, 9:38pm

if I enable Mikrotik wlan, then all (BLUE and GREEN wifi) works with initial configuration.

UniFi AP connected to ether2;
UniFi configuration: “Guest” network, connected to 20 VLAN ID, GREEN wifi connected to “Guest” network.

sindy · December 27, 2024, 10:32am

If it works when you enable wlan2 on the Mikrotik itself, the IP configuration seems to be ok.

So as the next step, disable wlan2 again, open a command line window as wide as your screen allows, and do the following:
/interface bridge port set [find interface=ether2] hw=no
/tool sniffer quick interface=ether2 port=68
and then let some client device try to connect to the guest network that is broadcast from the Ubiquiti.
If the /tool sniffer … shows anything, copy-paste it here.

ieleja · December 27, 2024, 4:00pm

two iOS devices, one android

Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, VLAN, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, SIZE, CPU
INTERFACE  TIME    NUM  DIR  SRC-MAC            DST-MAC            VLAN  SRC-ADDRESS          DST-ADDRESS                  PROTOCOL  SIZE  CPU
ether2     55.412   11  <-   72:BD:A1:23:63:30  FF:FF:FF:FF:FF:FF    20  0.0.0.0:68 (bootpc)  255.255.255.255:67 (bootps)  ip:udp     346    0
ether2     56.041   12  <-   22:F3:5D:F0:6A:77  FF:FF:FF:FF:FF:FF    20  0.0.0.0:68 (bootpc)  255.255.255.255:67 (bootps)  ip:udp     346    0
ether2     57.692   13  <-   22:F3:5D:F0:6A:77  FF:FF:FF:FF:FF:FF    20  0.0.0.0:68 (bootpc)  255.255.255.255:67 (bootps)  ip:udp     346    0
ether2     59.479   14  <-   72:BD:A1:23:63:30  FF:FF:FF:FF:FF:FF    20  0.0.0.0:68 (bootpc)  255.255.255.255:67 (bootps)  ip:udp     346    0
ether2     64.881   15  <-   5C:51:81:B0:E2:AD  FF:FF:FF:FF:FF:FF    20  0.0.0.0:68 (bootpc)  255.255.255.255:67 (bootps)  ip:udp     354    0

sindy · December 27, 2024, 4:22pm

OK, so it comes alright from the Unifi, but I cannot spot an issue in the configuration. Post the current output of /interface bridge export after all the changes you’ve made so far, please.

ieleja · December 27, 2024, 4:46pm

# 2024-12-22 18:28:41 by RouterOS 7.16.2
# software id = 5DWL-EDZZ
#
# model = RB751G-2HnD
# serial number = xxxxxxxxxxxx
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=wlan2 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=99
add bridge=BR1 hw=no interface=ether2 pvid=10
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=10
add bridge=BR1 tagged=BR1,ether2 vlan-ids=20
add bridge=BR1 tagged=BR1 vlan-ids=99
[ieladmin@RouterSwitchAP] >

what about “anav” recommendations?
my configuration was almost copy/paste from:
Using RouterOS to VLAN your network
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Second: Config is incomplete, the base subnet is missing typical networking items, ip pool etc…
Fifth: Ether2 should be a hybrid port to the UNIFI… the untagged vlan should be the base vlan ( the management vlan and the unifis IP should be 192.168.0.X ) PVID of 99, and the other two vlans, main and guest should be tagged as data vlans.

sindy · December 27, 2024, 4:54pm

/interface bridge settings set use-ip-firewall-for-vlan=no

then try again.

I did not analyze all @anav’s recommendations as most of them are not relevant to the primary issue, but I agree with him on the above one, the purpose of this setting is different from what you assume - its name is misleading.

ieleja · December 27, 2024, 8:58pm

After change, all start working, but after few minutes devices disconnect and now don’t connect to guest at all.
Tomorrow try to reset and start again from scratch…

sindy · December 27, 2024, 9:31pm

If they cannot even connect to the WiFi, I don’t think it is a Mikrotik issue any more. So before starting from scratch, I’d suggest to save a backup and an export of the current configuration so that you have something known good to return to.

ieleja · December 29, 2024, 9:59pm

Done all such way.

But I reconfigure bit original configuration:

ether1 - WAN,
ether2 - BLUE VLAN,
ether3 - GREEN VLAN,
ether4, ether5 - BASE VLAN

connect internet to ether1, notebook to ether4, UniFi AP to ether5
reset UniFi AP, it gets IP from BASE DHCP

then

/interface bridge port set bridge=BR1 [find interface=ether5] frame-types=admit-all

and

/interface bridge vlan set [find vlan-ids=10] tagged=BR1,ether5
/interface bridge vlan set [find vlan-ids=20] tagged=BR1,ether5

booth WiFi, guest and main now works on UniFi AP through VLANs

Also setup some speed limiting via Queues on guest WiFi

p.s.
my guess about previous problems is that UniFi AP be need to connected to BASE LAN, not BLUE as I do at first.

anav · December 30, 2024, 4:05am

Stated clearly in post 6 of this thread…

First: Please remove router serial number from your post!
Second: Config is incomplete, the base subnet is missing typical networking items, ip pool etc…
THird: remove or set to NO the ip bridge firewall settings! This is an advanced menu that is normally not needed.
Fourth: Normally “allow fast path” is set to yes.. Why did you set it to NO??
Fifth: Ether2 should be a hybrid port to the UNIFI… the untagged vlan should be the base vlan ( the management vlan and the unifis IP should be 192.168.0.X ) PVID of 99, and the other two vlans, main and guest should be tagged as data vlans.
Sixth: Firewall rules need work…

ieleja · December 30, 2024, 3:59pm

It’s hard to follow two advisers in time, but thanks for your post!

anav · December 30, 2024, 6:09pm

Sindy is the expert, I am just learning.
However, his level of genius is not always needed for basic config issues.
I am searching for the big lump of cow poop in the haystack, his eyes are trained to look for needles… He might not even notice the cow poop LOL
Unless its very fresh )