Hex S + Ubiquiti - VLAN Tagging, DHCP, etc!

Hey Everyone,

I’m giving my network a bit of a refresh using a Hex S (for now, may upgrade later!) and a UniFi AP Pro

I’m hoping to draw on the experience of others with a similar setup. I just need to understand the requirements of how to add a VLAN properly, such that I can rinse and repeat. I will have 4 VLANs, Private, Guest, VPN, IOT. Would I need to create firewall rules for each? I don’t want VLAN to VLAN comms for the most part - though I can also set this on the Ubiquiti AP itself, I believe.

The AP Is connected to eth3 - I am not sure if I need to remove this from the bridge, or just ensure that the VLANs are tagged on the bridge interface

The router has a default config, with a PPPoE interface configured to connect to my ISP (WAN) and the rest of the interfaces grouped under LAN in a Bridge. Basic connectivity is OK.

I have found this guide: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#VLAN_Example_.231_.28Trunk_and_Access_Ports.29

Do I add the bridge in addition to the bridge that already exists? I’ve tried creating the VLAN & DHCP Scope but I am definitely going wrong with the tagging.

Appreciate any input & guidance to get the basic configuration going - I’d also like to hear about things best left on the AP itself, eg it appears I can set DHCP there, which is likely easier to manage than adding it to the Hex, instead just having the correct gateway interface configured on the router itself.

Thanks!

With the little bit of info provided, would look something like…

/interface bridge
add admin-mac=xxxxxxxxxxxx auto-mac=no comment=defconf name=bridge vlan-filtering=yes
# vlan-filtering=yes is what makes the /interface bridge vlan table below take effect; enable it last, once the ports and vlan entries are in place
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-PRIVATE
set [ find default-name=ether3 ] name=ether3-UNIFI
set [ find default-name=ether4 ] name=ether4-PRIVATE
set [ find default-name=ether5 ] name=ether5-PRIVATE
/interface vlan
add interface=bridge name=vlan10-main vlan-ids=10
add interface=bridge name=vlan20-iot vlan-ids=20
add interface=bridge name=vlan30-guest vlan-ids=30
add interface=bridge name=vlan50-vpn vlan-ids=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Trusted
/ip pool
add name=pool_10 ranges=10.10.10.50-10.10.10.100
add name=pool_20 ranges=20.20.20.50-20.20.20.100
add name=pool_30 ranges=30.30.30.50-30.30.30.100
add name=pool_50 ranges=50.50.50.50-50.50.50.100
/ip dhcp-server
add address-pool=pool_10 interface=vlan10-main name=dhcp_10
add address-pool=pool_20 interface=vlan20-iot name=dhcp_20
add address-pool=pool_30 interface=vlan30-guest name=dhcp_30
add address-pool=pool_50 interface=vlan50-vpn name=dhcp_50
/interface bridge port
add bridge=bridge interface=ether2-PRIVATE pvid=10
add bridge=bridge interface=ether3-UNIFI
add bridge=bridge interface=ether4-PRIVATE pvid=10
add bridge=bridge interface=ether5-PRIVATE pvid=10
/interface bridge vlan
# the bridge itself must be tagged on every vlan the router routes, otherwise the vlanXX interfaces above never see traffic
add bridge=bridge tagged=bridge,ether3-UNIFI untagged=ether2-PRIVATE,ether4-PRIVATE,ether5-PRIVATE vlan-ids=10
add bridge=bridge tagged=bridge,ether3-UNIFI vlan-ids=20,30,50
/ip neighbor discovery-settings
set discover-interface-list=Trusted
/interface list member
add interface=vlan10-main list=LAN
add interface=vlan20-iot list=LAN
add interface=vlan30-guest list=LAN
add interface=vlan50-vpn list=LAN
add interface=vlan10-main list=Trusted
add comment=defconf interface=ether1-WAN list=WAN
add interface=pppoe-name  list=WAN
/ip address
# note: 20.0.0.0/8, 30.0.0.0/8 and 50.0.0.0/8 are public address space; RFC 1918 ranges are the usual choice for internal vlans
add address=10.10.10.1/24 interface=vlan10-main network=10.10.10.0
add address=20.20.20.1/24 interface=vlan20-iot network=20.20.20.0
add address=30.30.30.1/24 interface=vlan30-guest network=30.30.30.0
add address=50.50.50.1/24 interface=vlan50-vpn network=50.50.50.0
/ip dhcp-client
# nothing here: the WAN address comes from the PPPoE client settings
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
add address=20.20.20.0/24 dns-server=20.20.20.1 gateway=20.20.20.1
add address=30.30.30.0/24 dns-server=30.30.30.1 gateway=30.30.30.1
add address=50.50.50.0/24 dns-server=50.50.50.1 gateway=50.50.50.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1,9.9.9.9
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="allow admin access"  in-interface-list=Trusted
add action=accept chain=input comment="allow DNS services"  in-interface-list=LAN \
dst-port=53 protocol=udp
add action=accept chain=input comment="allow DNS services"  in-interface-list=LAN \
dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"
# ONLY PUT THE RULE ABOVE IN WHEN ALL OTHER INPUT RULES ARE IN PLACE!
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=Trusted

Now depending upon the unifi access point one has to adjust the interface bridge port/vlan settings.
A. if it acts like a standard smart device, all vlans are trunked to it, the config above is fine. BUT
B. if it acts like a weird duck, then it will want the Trusted VLAN untagged and all the other data ports tagged, thus a hybrid port…

/interface bridge port
add bridge=bridge interface=ether2-PRIVATE pvid=10
add bridge=bridge interface=ether3-UNIFI pvid=10
add bridge=bridge interface=ether4-PRIVATE pvid=10
add bridge=bridge interface=ether5-PRIVATE pvid=10
/interface bridge vlan
# hybrid port: vlan 10 leaves ether3-UNIFI untagged (its pvid), the other vlans are tagged on it
add bridge=bridge tagged=bridge untagged=ether2-PRIVATE,ether3-UNIFI,ether4-PRIVATE,ether5-PRIVATE vlan-ids=10
add bridge=bridge tagged=bridge,ether3-UNIFI vlan-ids=20,30,50
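The original question also asked about keeping the VLANs apart from each other; the forward chain above ends without a final drop, so cross-VLAN routing is accepted by default. As an added example (not from the thread, and not 404Networks' config), here is one way to make the forward chain default-deny with a single logged inter-VLAN drop, assuming the interface names vlan10-main, vlan20-iot, vlan30-guest and vlan50-vpn and the rule comments used above:

```routeros
# Added example, not part of the thread. Assumes the names from the config
# above: vlan10-main, vlan20-iot, vlan30-guest, vlan50-vpn and the LAN/WAN lists.
# Goal: every VLAN reaches the internet and the router's DNS, but no VLAN can
# reach another unless a rule explicitly allows it.
/interface list
add name=VLAN comment="every routed VLAN interface"
/interface list member
add interface=vlan10-main list=VLAN
add interface=vlan20-iot list=VLAN
add interface=vlan30-guest list=VLAN
add interface=vlan50-vpn list=VLAN
/ip firewall filter
# Optional one-way exception: trusted clients may open connections to IoT
# devices; replies return through the established,related rule, and IoT can
# never initiate toward the trusted VLAN. Remove this if it is not wanted.
add action=accept chain=forward comment="trusted -> iot, one way" \
    in-interface=vlan10-main out-interface=vlan20-iot \
    place-before=[find comment="allow internet traffic"]
# Log and drop any other traffic routed from one VLAN into another. The log
# prefix makes cross-VLAN attempts easy to spot in /log print.
add action=drop chain=forward comment="drop inter-VLAN" \
    in-interface-list=VLAN out-interface-list=VLAN \
    log=yes log-prefix="inter-vlan: " \
    place-before=[find comment="allow internet traffic"]
# Final catch-all so the forward chain is default-deny instead of default-accept.
# Add this last, once the established/related, LAN->WAN and dstnat accepts are in.
add action=drop chain=forward comment="drop all other forward"
```

Because the two place-before rules are inserted in order, the resulting sequence is: trusted -> iot, drop inter-VLAN, allow internet traffic, allow port forwarding, drop all other forward.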

Sorry for the delayed response! Your post is hugely helpful, thanks for taking the time to share. I’ve been busy learning the Ubiquiti side and ironing out some performance issues

I’ve got my Hex S up and running in a simple config for the moment which also acted as a nice refresher. I’ve now freed up my hAP to start setting up this config that I can then transfer later.

Thanks again - I’m sure I’ll have some more questions later!

I will assume the reference to Ubiquiti was the Unifi Access points and not router (either edgemax edgerouter, or unifi usg, or unifi udm).

At home I use an Ubiquiti ER-X as my home router and UAP-AC-LR access points.

In “lab” I have another ER-X and hEX S (new).

The ER-X and hEX S are very similar, but to get good vlan performance (at least using the “bridge” configuration) with the hEX S, you will need to run v7.1 or above. I am using the latest testing branch 7.2rc4 on the hEX S RB760iGS.

To adopt the UAP, it will have to be connected to an untagged network. Once adopted, it is possible to set the AP to use a tagged vlan for management, but I am not as averse to what @404Networks refers to as “weird duck”, and what MikroTik refers to as “hybrid” and what Cisco refers to as a Trunk with native vlan as many MikroTik forum members. The IEEE 802.1Q spec requires that every port have a PVID, so the switch knows what to do when an untagged frame is received. It also states that bridges can limit what framing types to accept, so untagged can be ignored. The point being, what MikroTik calls Hybrid are quite common. “Pure Tagged” trunks prevent vlan mismatches, and they also carry priority information, so from a “best practice” point of view, having everything explicitly tagged makes things on trunk ports unambiguous. It also protects against accidental vlan mixing when someone plugs a trunk cable into the wrong port. But you need to understand what an untagged vlan on a trunk port is, because you will encounter them in the field.

At home I use untagged for my trusted/management and tagged for the guest/iot on cables going to the access points.

See this thread 2 ways to associate bridge and VLAN and this post for a setup I was using in my lab just to play with vlans. In that configuration, ether4 is configured as a hybrid port with pvid 10 (untagged,native) and tagged vlan 241.

There aren’t any fancy firewalls in my config, this was just for the vlan setup that I was trying to wrap my head around. Most of my vlan experience is from EdgeRouters which was based on vyatta, which was forked into at least three branches, EdgeOS, VyOS, and DanOS. The way vyatta handles vlans is more like cisco, i.e. it is port centric, and you configure the vlans that the port is a member of, and which one (if any) of the vlans will be untagged on that port (Cisco calls this the native vlan). MikroTik bridge setup is vlan centric, for every vlan, you define what ports will be tagged or untagged on the port. (the port/vlan matrix is rotated 90 degrees). As a learning exercise, I created this post.

You may also want to see this thread Bridge VLANS hEX S v7.2rc4 /interface bridge vlan print, because I was confused by winbox not displaying the vlans associated with a bridge-port. The configured ports won’t show up in /interface bridge vlan print unless the port is active (has link up). If you use /interface bridge vlan print detail, then it will print at least the non-dynamic entries.

If you plan to use the new vlan-filtering bridge method, I found the resources in this post to be helpful. There is also NEW USER PATHWAY TO CONFIG SUCCESS compiled by @anav that has other good starting points for many things.

This blog post would be helpful to someone wanting to migrate from an ER-X to a hEX S (although it uses old firmware that doesn’t support hardware offloading). I haven’t tried the setup, but it does look interesting, so I am mentioning it, since you said Ubiquiti. VyOS and Mikrotik – VLAN-a-rama

Do I add the bridge in addition to the bridge that already exists?

No ! A VLAN design only needs one single VLAN bridge definition.
Check here: https://administrator.de/contentid/367186

The requirement of the odd duck UBIQUITI ACCESS Points is ODD from an MT perspective,
I don’t give a rat’s behind about Cisco crap either.

The point is there should be no reason to force use of a hybrid port when attaching a smart AP to an etherport on the MT device.
None of the ones I use require that! Including MT APs.
Good to hear you can reverse the insane behaviour out of the box, but most new persons are not aware of that or don’t offer it up as an option, and thus we go through the process of accommodating the odd ugly duck.

Very insightful information above, thank you all - I’ve been trying to snag an ER-X for testing but struggling to get one. Indeed though, I was referring to Ubiquiti in the AP sense, not routing.