MikroTik CCR1009 w/UniFi AC PRO AP - tagged VLANs and multi DHCP issue

Hi, I'm a MikroTik newbie and am struggling with a VLAN setup for our new office. We've purchased a MikroTik CCR1009 router (running latest bits v6.34) and plan to use this with a series of Ubiquiti AC PRO access points. The AC PRO APs have the ability to support multiple WIFI networks and will tag each network with a unique VLAN Id. We utilize a private 172.XXX/20 range of IPs for our local corpnet which are routable to other corp sites via a larger /16 block. As such it's critical that the WIFI network for corp gives out IPs from the same /20 block as regular wired connections.

The basic setup we want is as follows:

**CCR1009
Port    Use     VLAN                DHCP
SFP     WAN1    n/a                 n/a
SFP+    WAN2    n/a                 n/a
Ether1  LAN     0 (not tagged)      172.100.0.0/16
Ether2  WIFI    100 (wifi corp)     172.100.0.0/16
        WIFI    200 (wifi guest)    172.200.0.0/16

**Unifi AP AC Pro
WIFI       VLAN
Public     200
Guest      300

I've spent hours with multiple configurations with a combination of using Switch VLAN groups (CCR1009 has a 4 port switch on ether1 - ether4) and software routing using bridges. The main problem I'm having is how to have a single port (ether2) consume two VLAN ids (100 == corp and 200 == guest) and serve a unique IP block based on the VLAN id. I've tried creating a bridge - say bridge-vlan which contains ports ether2 (physical uplink) and vlan interfaces for VLANs 100 and 200. However once I try to create DHCP servers on each of the VLAN interfaces they return 'I' (invalid) state. This appears to be caused by the fact that once they are added to the bridge with a physical interface (ether2) they become slaves and you cannot run DHCP on a slave instance.

So my question is what's the best and supported way to get this config working? Is there an option to leverage the built-in switch which has VLAN magic? Note the articles which reference the CRS switching (RouterOS - RouterOS - MikroTik Documentation) use a command "/interface ethernet switch egress-vlan-tag" which does not appear to be supported on my device.

Thanks for any help and pointers,
Nigel.

Articles I referenced:
Need help: DHCP on VLAN bridge not working, works on just an interface?
Ubiquiti Unifi, Mikrotik & Vlans - General - MikroTik community forum


Here's a subset of my configuration:

-- CREATE SWITCH PORTS (leave ether2 non-switched)
/interface ethernet
  set ether2 master-port=none
  set ether3 master-port=ether1
  set ether4 master-port=ether1

-- CREATE VLAN INTERFACES
/interface vlan
  add interface=ether2 name=vlan-wifi-corp-100 vlan-id=100
  add interface=ether2 name=vlan-wifi-guest-200 vlan-id=200

-- CREATE BRIDGE
/interface bridge
  add name=bridge-vlan-wifi

/interface bridge port
  add bridge=bridge-vlan-wifi interface=ether2
  add bridge=bridge-vlan-wifi interface=vlan-wifi-corp-100
  add bridge=bridge-vlan-wifi interface=vlan-wifi-guest-200

-- ADD IP ADDRESSES
/ip address
  add address=172.25.16.1/20 interface=ether1 network=172.25.16.0
  add address=172.100.0.1/20 interface=vlan-wifi-corp-100 network=172.100.0.0
  add address=172.200.0.1/20 interface=vlan-wifi-guest-200 network=172.200.0.0

-- AND DHCP 
/ip dhcp-server
  add address-pool=dhcp-corp disabled=no interface=ether1 name=dhcp-corp-lan
  add address-pool=dhcp-wifi-corp disabled=no interface=vlan-wifi-corp-100 name=dhcp-wifi-corp
  add address-pool=dhcp-wifi-guest disabled=no interface=vlan-wifi-guest-200 name=dhcp-wifi-guest

CCRs are pure routers and as such most don’t contain switch chips, except for the CCR1009, which is an exception and can be considered a “hybrid”.

However, the switch chip in the CCR1009, which still can be considered a pure router, is intended more for other operations (mirror, copy, etc) and while you can do VLANs with it the interface is slightly different. You can access it via Winbox > Switch button.

In addition to the “hardware” way (using the switch chip) you can manage VLANs the “software” way, which AFAIK is the only way in your scenario, and additionally will be easier and more intuitive for you.

If you intend this CCR1009 to act as a hotspot controller/router for your UniFi network, I doubt using the software way will tax its CPU as it has plenty of power to spare, so no need to have concerns here.

You cannot have two DHCP servers on the same network segment, and as such RouterOS won’t let you add a second on the same bridge or interface.

Even without the need for DHCP, I doubt you want to bridge both networks together, as you’ll be putting the two networks on the same network segment which isn’t needed nor follows “best practices” and totally defeats the purpose of using VLANs for a start.

So for your scenario, what you need to do for the “software way” is simply to create the vlan interfaces “hanging” from ether2 (they will be different network segments) and then set each DHCP server on top of each VLAN interface. That’s all that’s needed.

Add the VLANs to the interface that feeds your switches that the UniFi APs are on.

Tag the SSIDs with the proper VLAN tag.

Assuming you built your network:
/ip
  Address
  DHCP-Server and network
  Pools
  Firewall Filter and NAT

Should be off and running.

Gotta use the UniFi software to set the units up though.
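The "software way" both of the replies above describe (VLAN interfaces hanging directly off ether2, no bridge, one DHCP server per VLAN interface, then addresses, pools, DHCP networks and a firewall filter), written out as an added example; this is not the thread's own configuration nor anything from MikroTik's documentation. It reuses the interface names and address plan from the original post, assumes RouterOS v6.x on the CCR1009 with ether2 as the 802.1Q trunk to the UniFi APs, and assumes the router is answering DNS for clients (`/ip dns set allow-remote-requests=yes`); the pool ranges and rule comments are constructed for the example.

```routeros
# Added example, not from the thread. Assumes RouterOS v6.x on a CCR1009,
# ether2 trunked to the UniFi APs, and the OP's interface names/addresses.

# 1. Remove the bridge that put ether2 and both VLAN interfaces into one
#    broadcast domain. Once they are no longer bridge slaves the DHCP
#    servers will stop showing the 'I' (invalid) flag.
/interface bridge port
  remove [find bridge=bridge-vlan-wifi]
/interface bridge
  remove [find name=bridge-vlan-wifi]

# 2. ether2 stays a plain, non-switched port carrying the tagged trunk.
/interface ethernet
  set ether2 master-port=none

# 3. One VLAN interface per SSID, parented on ether2. Each is its own
#    Layer 2 segment, so each can carry its own DHCP server.
/interface vlan
  add interface=ether2 name=vlan-wifi-corp-100 vlan-id=100
  add interface=ether2 name=vlan-wifi-guest-200 vlan-id=200

# 4. Gateway address per VLAN interface (the OP's address plan).
/ip address
  add address=172.100.0.1/20 interface=vlan-wifi-corp-100 network=172.100.0.0
  add address=172.200.0.1/20 interface=vlan-wifi-guest-200 network=172.200.0.0

# 5. Pools (constructed ranges), DHCP networks, then one server per VLAN.
/ip pool
  add name=dhcp-wifi-corp ranges=172.100.0.10-172.100.15.254
  add name=dhcp-wifi-guest ranges=172.200.0.10-172.200.15.254
/ip dhcp-server network
  add address=172.100.0.0/20 gateway=172.100.0.1 dns-server=172.100.0.1
  add address=172.200.0.0/20 gateway=172.200.0.1 dns-server=172.200.0.1
/ip dhcp-server
  add name=dhcp-wifi-corp interface=vlan-wifi-corp-100 address-pool=dhcp-wifi-corp disabled=no
  add name=dhcp-wifi-guest interface=vlan-wifi-guest-200 address-pool=dhcp-wifi-guest disabled=no

# 6. Firewall filter: keep the guest VLAN away from corp wifi and the wired
#    LAN so the VLAN separation is enforced at Layer 3 as well. These drops
#    must sit above any general "accept forward" rule in your chain.
/ip firewall filter
  add chain=forward in-interface=vlan-wifi-guest-200 out-interface=vlan-wifi-corp-100 action=drop comment="guest -> corp wifi"
  add chain=forward in-interface=vlan-wifi-guest-200 out-interface=ether1 action=drop comment="guest -> wired LAN"

# 7. Verify: neither server should carry the 'I' flag any more.
/ip dhcp-server print
```

Two checks worth doing after pasting this in: `/ip dhcp-server print` should list both servers without the `I` flag, and `/interface vlan print` should show each VLAN interface with `interface=ether2` and no `S` (slave) flag. Note also that 172.100.0.0/20 and 172.200.0.0/20 are the values from the original post and are kept as given; they fall outside the RFC 1918 172.16.0.0/12 block, so if the intent is a private range that is worth confirming before the addressing goes live.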

By putting everything into a bridge, you’re combining the two VLANs and the parent interface into a single broadcast domain, which is exactly the opposite of what you want. Drop the bridge, and you’re there.