Hello,
I have been searching for a while now for how to set this up and haven't found an answer, hence my question.
My setting:
ISP [Movistar Spain ONT] → RB750 running 6.35 on eth 0
RB750:
Eth 5 → TimeCapsule (multicast filtered), one wired printer and one wireless one, and a couple of desktops.
Eth 4 → Netgear Switch → AP Unifi
→ Dune HD Player
→ Apple TV
→ Movistar TV decoder
Eth 3 → PS4
Now, my UniFi access point allows up to 4 different SSIDs, and I want to have one private and one for guests. Currently, the one I have sees everything else in the network, which is how it should be.
Given that my AP can tag each SSID, I tried to tag the guest network with, say, VLAN ID 50. Following instructions I read in this forum, I did what was needed, but with no success at all. I think the problem might be that Movistar uses VLAN tagging on the ONT: VLAN 2 is for VoIP, VLAN 3 for TV and VLAN 6 for all internet access.
I have printed my configuration, which is as follows:
# --- Interfaces ---
# One LAN bridge only. No guest VLAN interface (the vlan-id=50 attempt mentioned
# in the post) appears anywhere in this export, so a tagged guest SSID coming
# from the AP currently has nothing on the router to terminate on.
/interface bridge
add name=bridge-local
# ether3/ether4 are hardware-switched under ether2 (master-port); ether5 is a
# standalone port that joins the bridge on its own (see /interface bridge port).
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ONT-movistar
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-Sotano
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-Salon
set [ find default-name=ether5 ] name=ether5-Despacho
# ISP-side VLANs on the ONT port: 2 = VoIP, 3 = TV, 6 = Internet (per the post).
/interface vlan
add interface=ether1-ONT-movistar name=vlan2 vlan-id=2
add interface=ether1-ONT-movistar name=vlan3 vlan-id=3
add interface=ether1-ONT-movistar name=vlan6 vlan-id=6
# Internet uplink is PPPoE inside vlan6 (credentials redacted in the post).
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=vlan6 max-mru=1492 max-mtu=1492 name=pppoe-out1 password=xxxxxxx use-peer-dns=yes user=xxxxxxx@telefonicanetpa
# Switch port index 3 has any VLAN header stripped from frames leaving it.
# NOTE(review): port indexes usually follow ether1..ether5 in order, which would
# make this ether4-Salon, the path toward the UniFi AP; if so, a tagged guest
# VLAN cannot be carried back to the AP through this port as configured — confirm.
/interface ethernet switch port
set 3 vlan-header=always-strip
# --- DHCP option, IPsec proposals, pools, DHCP server, PPP profiles ---
# Option 240 is the Movistar decoder bootstrap string; it is only handed out on
# the decoder's lease/network entries (see the dhcp-option= references below).
/ip dhcp-server option
add code=240 name=option_para_deco value="':::::239.0.2.10:22222:v6.0:239.0.2.30:22222'"
# NOTE(review): the L2TP proposal still offers 3des next to aes-256-cbc, and both
# proposals run without PFS; keep 3des only while a client actually needs it.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc pfs-group=none
add enc-algorithms=aes-256-cbc,3des name=L2TP_Proposal pfs-group=none
# Dynamic LAN pool is .201-.249; addresses below .201 are used by static leases.
# The L2TP pool range is redacted in the post.
/ip pool
add name=dhcp ranges=192.168.1.201-192.168.1.249
add name=L2TP_Pool ranges=192.xxx.xxx.xxx-192.1xxx.xxx.xxx
# DHCP is bound to the bridge, i.e. it serves the switch group and ether5 alike.
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=dhcp1
# VPN clients get a public resolver (8.8.8.8) rather than the router's own DNS.
# Encryption is mandatory on the L2TP profile and on the default profile
# (*FFFFFFFE); UPnP is disabled for PPP clients.
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=L2TP_Pool name=L2TP_Profile remote-address=L2TP_Pool use-encryption=required
set *FFFFFFFE use-encryption=required use-upnp=no
# --- Bridge filter, bridge ports, switch rule, VPN servers ---
# Disabled rule that would stop IPTV multicast (239/8 over UDP) from leaving the
# bridge toward the TimeCapsule port. Inactive as exported.
/interface bridge filter
add action=drop chain=output comment="Regla para no saturar wifi en TimeCapsule" disabled=yes dst-address=239.0.0.0/8 ip-protocol=udp mac-protocol=ip out-interface=ether5-Despacho
# bridge-local = the switch group (ether2 with ether3/ether4 behind it) + ether5.
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=ether5-Despacho
# Switch-chip rule: multicast to 239/8 from 172/8 arriving on the ONT port is
# sent straight out ether4-Salon (where the Movistar decoder sits).
# NOTE(review): src-address is a whole /8, while the rest of this export only
# refers to 172.26.0.0/16 — confirm the wider range is intended.
/interface ethernet switch rule
add dst-address=239.0.0.0/8 new-dst-ports=ether4-Salon ports=ether1-ONT-movistar src-address=172.0.0.0/8 switch=switch1
# L2TP over IPsec with a pre-shared secret (redacted); MS-CHAPv2 only.
/interface l2tp-server server
set authentication=mschap2 default-profile=L2TP_Profile enabled=yes ipsec-secret=xxxxxxxxxxxxxxxxxx max-mru=1460 max-mtu=1460 use-ipsec=yes
# PPTP server: no enabled=yes in this export, so presumably it is off. Leave it
# off; PPTP with MS-CHAPv2 no longer offers meaningful protection.
/interface pptp-server server
set authentication=mschap2
# --- Addresses, DHCP client, static leases, DHCP networks, DNS ---
# The LAN address sits on ether2-master-local while dhcp1 is bound to
# bridge-local (which also holds ether5). NOTE(review): consider putting the
# address on bridge-local so the bridge as a whole is served — confirm.
# 192.168.100.10/24 is for reaching the ONT; 10.112.199.253/10 is the VoIP VLAN.
/ip address
add address=192.168.1.1/24 comment="default configuration" interface=ether2-master-local network=192.168.1.0
add address=192.168.100.10/24 interface=ether1-ONT-movistar network=192.168.100.0
add address=10.112.199.253/10 interface=vlan2 network=10.64.0.0
# The TV VLAN gets its address from the ISP by DHCP; no default route is taken
# from it (the PPPoE link stays the only default).
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=vlan3 use-peer-ntp=no
# Static leases (MACs and client-ids redacted). NOTE(review): several lines have a
# space after '=' ("mac-address= xxx", "client-id= xxx", "comment= Multimedia");
# these look like paste artifacts, but they would not parse in a real import.
/ip dhcp-server lease
add address=192.168.1.161 client-id=xxxxxxxxxxxxxxxxxxx mac-address= xxxxxxxxxxxxxxxxxxx server=dhcp1
add address=192.168.1.201 client-id=xxxxxxxxxxxxxxxxxxx comment="DHCP Start" mac-address=xxxxxxxxxxxxxxxxxx server=dhcp1
add address=192.168.1.209 client-id=xxxxxxxxxxxxxxxxxxx mac-address= xxxxxxxxxxxxxxxxxxx server=dhcp1
add address=192.168.1.199 client-id=xxxxxxxxxxxxxxxxxxx comment="Deco Movistar" dhcp-option=option_para_deco mac-address= xxxxxxxxxxxxxxxxxxx server=dhcp1
add address=192.168.1.101 comment=Impresoras mac-address=xxxxxxxxxxxxxxxxxxx server=dhcp1
add address=192.168.1.2 client-id= xxxxxxxxxxxxxxxxxxx comment="Network - Time Capsule" mac-address= xxxxxxxxxxxxxxxxxxx server=dhcp1
add address=192.168.1.102 client-id=xxxxxxxxxxxxxxxxxxx mac-address=xxxxxxxxxxxxxxxxxxx server=dhcp1
add address=192.168.1.212 client-id=xxxxxxxxxxxxxxxxxxx mac-address=xxxxxxxxxxxxxxxxxxx server=dhcp1
add address=192.168.1.3 client-id=xxxxxxxxxxxxxxxxxxx comment=Switch mac-address=xxxxxxxxxxxxxxxxxxx server=dhcp1
add address=192.168.1.160 client-id=xxxxxxxxxxxxxxxxxxx comment= Multimedia mac-address=xxxxxxxxxxxxxxxxxxx server=dhcp1
add address=192.168.1.162 client-id=xxxxxxxxxxxxxxxxxxx mac-address=xxxxxxxxxxxxxxxxxxx server=dhcp1
add address=192.168.1.4 client-id= xxxxxxxxxxxxxxxxxxx mac-address=xxxxxxxxxxxxxxxxxx server=dhcp1
# Per-host DHCP networks: the decoder gets Movistar's resolver (172.26.23.3) and
# option 240; two hosts get OpenDNS resolvers for content filtering. The curly
# quotes around “Content Filter” are another paste artifact; the CLI expects
# straight quotes.
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
add address=192.168.1.199/32 comment="DNS Para el deco Movistar" dhcp-option=option_para_deco dns-server=172.26.23.3 gateway=192.168.1.1 netmask=24
add address=192.168.1.206/32 comment=“Content Filter” dns-server=208.67.222.222,208.67.220.220 gateway=192.168.1.1
add address=192.168.1.212/32 dns-server=208.67.222.222,208.67.220.220 gateway=192.168.1.1
# The router resolves DNS for clients on every interface. Only pppoe-out1 is
# closed by the input chain below; input from vlan2 is accepted wholesale, so
# the resolver is also reachable from the ISP VoIP VLAN.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router
# --- Firewall filter, mangle, NAT ---
# Rules are evaluated top to bottom per chain; a rule without action= accepts.
/ip firewall filter
# Fasttrack established/related first. NOTE(review): fasttracked packets skip the
# mangle chain, so the set-priority rules further down likely only see the first
# packets of each connection — confirm this is acceptable.
add action=fasttrack-connection chain=forward connection-state=established,related
# Inbound L2TP/IPsec from the internet: IKE (500), L2TP (1701), NAT-T (4500).
add chain=input comment="### VPN L2TP/IPSEC Entrante ###" dst-port=500,1701,4500 in-interface=pppoe-out1 protocol=udp
# Accepts everything the ISP VoIP VLAN sends to the router itself (any
# protocol, any port). Narrow this to what the VoIP service actually needs.
add chain=input in-interface=vlan2
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
# Disabled: would expose telnet/http (23,80) and Winbox (8291) to the internet.
add chain=input disabled=yes dst-port=23,80 in-interface=pppoe-out1 protocol=tcp
add chain=input disabled=yes dst-port=8291 in-interface=pppoe-out1 protocol=tcp
# Active: tcp/1721 is accepted from the internet ahead of the drop rule. Nothing
# else in this export listens on 1721 (PPTP would be 1723), so this looks like a
# typo or a leftover — confirm, and remove it if nothing needs it.
add chain=input dst-port=1721 in-interface=pppoe-out1 protocol=tcp
# Everything else arriving from the internet to the router is dropped. There is
# no equivalent drop for vlan3 or for the untagged ONT port.
add action=drop chain=input comment="default configuration" in-interface=pppoe-out1
add chain=forward comment=default-configuration connection-state=established
add chain=forward comment=default-configuration connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
# The next two rules repeat the three above and can never match; harmless, but
# worth removing for clarity.
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
# No forward rule restricts traffic between LAN segments or toward the router.
# For the guest network described in the post, the guest interface will need
# explicit drop rules here (guest -> 192.168.1.0/24 in forward, and guest ->
# router in input except DHCP/DNS) before anything is accepted.
# Priority marks on traffic leaving toward the ISP VLANs and the PPPoE link.
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan2
add action=set-priority chain=postrouting new-priority=1 out-interface=pppoe-out1
/ip firewall nat
# Masquerades all LAN traffic regardless of out-interface (the comment says it
# is for VPN traffic); this also hides the real LAN source address from L2TP
# clients. The four rules after it cover each uplink explicitly.
add action=masquerade chain=srcnat comment="### Enmascara trafico VPN MODED###" src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-ONT-movistar
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan2
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan3
# VOD: anything arriving on the VoIP VLAN addressed to one of the router's own
# addresses is redirected to the decoder — every protocol and port, not only VOD.
add action=dst-nat chain=dstnat comment=VOD dst-address-type=local in-interface=vlan2 to-addresses=192.168.1.199
# Disabled port forwards (http, ftp) to 192.168.1.125. FTP is cleartext; keep
# these off unless the host really must be reachable from the internet.
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.125
add action=dst-nat chain=dstnat disabled=yes dst-port=21 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.125
# --- IPsec peer/policy, routes, UPnP, PPP secrets, IGMP proxy, RIP, clock, scheduler ---
# L2TP/IPsec peer (addresses and pre-shared secret redacted). 3des is offered
# here as well; drop it once no client depends on it.
/ip ipsec peer
add address=xxx.xxx.xxx.xxx enc-algorithm=aes-256,3des exchange-mode=main-l2tp generate-policy=port-override secret=xxxxxxxxxxxxxxxxxxx
/ip ipsec policy
set 0 dst-address=xxx.xxx.xxx.xxx src-address=xxx.xxx.xxx.xxx
add proposal=L2TP_Proposal template=yes
# A default route with the maximum distance (255) and a dummy gateway; it cannot
# win against the PPPoE default route. NOTE(review): looks like a placeholder or
# leftover — confirm it is still wanted.
/ip route
add distance=255 gateway=255.255.255.255
# UPnP lets any host on bridge-local open inbound ports on pppoe-out1. If the
# guest SSID ever lands on this bridge, guests could do the same; a guest
# network should never be a UPnP internal interface.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge-local type=internal
add interface=pppoe-out1 type=external
# Single L2TP account (credentials redacted).
/ppp secret
add name=xxxxxxxxxxxxxxxxxxx password=xxxxxxxxxxxxxxxxxxx profile=L2TP_Profile service=l2tp
# IPTV multicast: upstream is the VoIP VLAN, downstream is the LAN bridge.
# alternative-subnets=0.0.0.0/0 accepts multicast from any source address.
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=vlan2 upstream=yes
add interface=bridge-local
# RIP only listens (passive) on both ISP VLANs for the ISP's 10/8 and
# 172.26/16 routes. No authentication is shown, so whatever the ISP side
# announces for those networks gets installed.
/routing rip interface
add interface=vlan3 passive=yes receive=v2
add interface=vlan2 passive=yes receive=v2
/routing rip network
add network=10.0.0.0/8
add network=172.26.0.0/16
/system clock
set time-zone-name=Europe/Madrid
# Time from two fixed upstream NTP addresses.
/system ntp client
set enabled=yes primary-ntp=163.117.202.33 secondary-ntp=89.248.104.162
# Both jobs run with ftp,read,write,test policy. NOTE(review): the second job
# calls on-event=OpenDNS, but the script exported under /system script is named
# "OpenDNS Updater"; unless a script called OpenDNS exists outside this export,
# the 30-minute job will not run that script.
/system scheduler
add interval=5m name="no-ip temporizador" on-event=no-ip policy=ftp,read,write,test start-date=may/06/2016 start-time=15:08:12
add interval=30m name="OpenDNS temporizador" on-event=OpenDNS policy=ftp,read,write,test start-time=12:00:00
# no-ip DDNS updater, run every 5 minutes by the scheduler above. The
# NOIPUser/NOIPPass/NOIPDomain values are empty here — presumably redacted for
# the post. The space after "owner=" looks like a paste artifact.
/system script
add name=no-ip owner= xxxxxxxxxxxxxxxxxxx policy=ftp,read,write,test source="#\
#############Script Settings##################\
\n \
\n :local NOIPUser \""\
\n :local NOIPPass \""\
\n :local NOIPDomain \""\
\n \
\n ###############################################\
\n \
\n"
add name="OpenDNS Updater" owner= xxxxxxxxxxxxxxxxxxx policy=\
ftp,read,write,test source="#--------------- Change Values in t\
his section to match your setup ------------------\
As you can imagine, my goal is to set up the guest network so that it can only access the internet, and can neither see anything else on my network nor be seen by it.
Any help would be greatly appreciated.
Cheers.