Mikrotik and APs VLAN

Hi,

I want to connect an access point with 3 VLANs to one port of my Mikrotik for testing.

On the access point I configured the 3 VLANs as tagged.
On the Mikrotik RB3011 I did the same.

But when I change the IP address to the VLAN interface (in the Addresses menu), the connection is lost.

Is there a tutorial with the whole configuration?

Thanks very much.

When using Winbox in the normal way (via IP address) it is common to get kicked out when changing VLAN settings.

Use Winbox via MAC address, or remove one port from the bridge on your router and configure from there (set up a small DHCP server on that port, or again, use Winbox via MAC address).

The workflow I’ve settled on when making changes like you’ve described is to configure a management VLAN, set one of the physical router ports to be untagged on that VLAN, and connect my workstation to that physical port. Then I can change the other VLAN configurations to my heart’s content without ever losing my connection.

Brand/model of access point?
Config of the MT router (and AP if MT):
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys etc.)

UniFi: vlan 1, 400, 401 (tagged)
Mikrotik port 4: tagged with vlan 1,400,401.

vlan 400 and vlan 401 work fine (separate DHCP servers on Mikrotik interfaces).
But vlan 1 does not work: if I bind the IP address on the Mikrotik to the vlan 1 interface, the connection to the UniFi is lost.

Why vlan1 on the unifi?

Unifi typically accepts whatever traffic is coming to it untagged as the trusted or management vlan and the tagged vlans as data vlans.

Therefore on the MT I suggest you use three VLANs and forget about using vlan1 for anything (it works in the background):
vlan10 - home (wired and wireless)
vlan20 - guest (wireless)
vlan99 - management, or simply use vlan10 as the trusted VLAN and don't use a management VLAN.

In all cases, smart devices connected to the MT router get their IP address on the management or trusted VLAN.
So unless you change the Ubiquiti default to something else, you will need to create a hybrid port on the MT to match the hybrid nature of the Ubiquiti.

Option One, with separate Management VLAN

/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether2 pvid=10 comment="home PC - access port"
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether3 comment="managed switch - trunk port"
add bridge=bridge interface=ether4 pvid=99 comment="hybrid port to ubiquiti AP"
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=WLAN1 pvid=10 comment="home wifi 5ghz"
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=WLAN2 pvid=10 comment="home wifi 2ghz"
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3,ether4 untagged=ether2,WLAN1,WLAN2 vlan-ids=10
add bridge=bridge tagged=bridge,ether3,ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether3 untagged=ether4 vlan-ids=99

Option Two, using vlan10 as the trusted VLAN

/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether2 pvid=10 comment="home PC - access port"
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether3 comment="managed switch - trunk port"
add bridge=bridge interface=ether4 pvid=10 comment="hybrid port to ubiquiti AP"
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=WLAN1 pvid=10 comment="home wifi 5ghz"
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=WLAN2 pvid=10 comment="home wifi 2ghz"
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 untagged=ether2,ether4,WLAN1,WLAN2 vlan-ids=10
add bridge=bridge tagged=bridge,ether3,ether4 vlan-ids=20

The Ubiquiti and managed switch in the above scenarios will either get an IP on the management subnet, or if none, the trusted subnet.

The issue is likely due to misconfigured VLAN tagging or missing bridge VLAN filtering.

“Native VLANs” (whatever that means) should never be tagged on wires … also devices on both ends of same cable have to have same config … and in your case UniFi has “native” (whichever that is) VLAN untagged and you configured MT to pass VLAN 1 tagged.

Thanks for all the answers.

VLAN 1 is the default setting on UniFi. I could not find an option to make the configuration reachable via another VLAN.

I tried the following Mikrotik bridges, because I thought that the UniFi should have a trunk connection with all 4 VLANs to the Mikrotik.

Bridge   VLAN IDs   current tagged   current untagged
001      001        vlan_001         001
400      400        vlan_400         400
401      401        vlan_401         401
402      402        vlan_402         402

If I set no static VLAN bridges, bridges are added dynamically.

Bridge   VLAN IDs   current tagged   current untagged
xxx      xxx                         vlan_xxx, xxx

In this case every VLAN gets its own subnet and IP addresses from the Mikrotik, but all VLANs come untagged to the Mikrotik port.

But when I try to change the interface of ether4 (port to the UniFi access point) from the physical ether4 to the VLAN 100 interface, I lose the connection to the UniFi.
MT.png

UniFi expects VLAN 1 to be untagged on the wire (because that's how it is with "native VLANs") … so if you're using VLAN 1 on the Mikrotik (by default it's untagged on all ports and the bridge, so it should work just fine), then it should be untagged on ether4 (i.e. set pvid=1 and frame-types=admit-all … both settings are default and thus not shown in the export and possibly also in GUIs).

Thanks.

UniFi offers the possibility to override the network for every access point.
But would it be the same: the management network must be untagged on the Mikrotik to be able to access the access points?
UniFi.png
I think the idea with default VLAN 1 as native VLAN should be easier for setup, or what was their basic idea in doing it like this?

Which is your management VLAN?
I see you have data VLANs 401, 402 and 403 on the UniFi and then vlan1.

Since UniFi expects the management VLAN untagged, simply do the following. Let's assume on the Mikrotik you have a management vlan99.
We simply untag this VLAN to the UniFi on a hybrid port, with VLANs 400, 401, 402 tagged for the data VLAN side.
The UniFi will assume the untagged VLAN is the management VLAN etc. and all devices are happy.
You will not have to change anything on the UniFi.

/interface bridge port
add bridge=bridge interface=ether4 pvid=99 comment="hybrid port to ubiquiti AP"
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=99
add bridge=bridge tagged=bridge,ether4 vlan-ids=400,401,402
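The hybrid-port layouts in this thread (the two options with a separate or shared trusted VLAN earlier, and the vlan99 fix just above) all hinge on the same invariant: the VLAN the AP expects untagged must actually be an untagged member of the AP's port in the bridge VLAN table. The following checker is an added example, not code from the thread, from MikroTik or from Ubiquiti. It parses the `/interface bridge port` and `/interface bridge vlan` lines in the export form quoted above and reports the mismatches behind the symptom discussed here. The `BROKEN` and `FIXED` configuration strings, the port names in them and the `audit()` helper are constructed for this example; the assumption that RouterOS seeds an untagged entry for each port's pvid unless the port admits only tagged frames is modelled rather than queried from a router.

```python
"""Consistency checker for a RouterOS VLAN-aware bridge configuration.

Added example (not MikroTik or Ubiquiti code). It reads the
/interface bridge port and /interface bridge vlan sections of an export
and reports: a VLAN the far end expects untagged that is sent tagged or
not at all, a VLAN listed both tagged and untagged on one port, a tagged
entry on a port that admits only untagged frames (and vice versa), and a
name in the VLAN table that is not a bridge port. All config strings
below are constructed for the example.
"""
import re
from dataclasses import dataclass

# key=value pairs; a value is either quoted (comment="...") or a bare token
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


@dataclass
class BridgePort:
    name: str
    pvid: int = 1                   # RouterOS default when the key is absent
    frame_types: str = "admit-all"  # RouterOS default when the key is absent


def _members(kv, key):
    """Split a comma-separated port list such as tagged=bridge,ether4."""
    return set(filter(None, kv.get(key, "").split(",")))


def parse_export(text):
    """Return (ports, entries): ports by name, entries as
    (vlan_ids, tagged, untagged) sets. Other export sections are skipped;
    keys the checker does not need (ingress-filtering, comment) are ignored."""
    ports, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = {k: v.strip('"') for k, v in KV_RE.findall(line[4:])}
            if section == "/interface bridge port":
                name = kv["interface"]
                ports[name] = BridgePort(name, int(kv.get("pvid", 1)),
                                         kv.get("frame-types", "admit-all"))
            elif section == "/interface bridge vlan":
                ids = {int(v) for v in kv["vlan-ids"].split(",")}
                entries.append((ids, _members(kv, "tagged"), _members(kv, "untagged")))
    return ports, entries


def check(ports, entries, far_end_untagged=None):
    """Return a list of findings. far_end_untagged maps a port name to the
    VLAN the device on that cable expects to receive untagged (for the
    UniFi AP in this thread, its management network)."""
    findings = []
    # (port, vid) -> "tagged" | "untagged". Seeded with the dynamic untagged
    # entry RouterOS creates for each port's pvid (assumed: only for ports
    # that admit untagged frames); static entries override it.
    table = {(p.name, p.pvid): "untagged" for p in ports.values()
             if p.frame_types != "admit-only-vlan-tagged"}
    for ids, tagged, untagged in entries:
        for vid in ids:
            for p in tagged & untagged:
                findings.append(f"vlan {vid}: {p} is listed both tagged and untagged")
            for p in tagged:
                table[(p, vid)] = "tagged"
            for p in untagged:
                table[(p, vid)] = "untagged"
    for (p, vid), mode in table.items():
        if p == "bridge":           # the bridge-to-CPU port, not a member port
            continue
        port = ports.get(p)
        if port is None:
            findings.append(f"vlan {vid}: '{p}' is not a bridge port")
        elif mode == "tagged" and port.frame_types == "admit-only-priority-and-untagged":
            findings.append(f"{p}: vlan {vid} tagged, but the port admits only untagged frames")
        elif mode == "untagged" and port.frame_types == "admit-only-vlan-tagged":
            findings.append(f"{p}: vlan {vid} untagged, but the port admits only tagged frames")
    for p, vid in (far_end_untagged or {}).items():
        mode = table.get((p, vid))
        if mode != "untagged":
            how = "sends it tagged" if mode else "does not carry it"
            findings.append(f"{p}: far end expects vlan {vid} untagged, bridge {how}")
    return findings


# Constructed: what the original post described (VLAN 1 tagged towards the
# AP), plus an access port that was mistakenly given a tagged VLAN.
BROKEN = """
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether2 pvid=10 comment="home PC - access port"
add bridge=bridge interface=ether4 comment="to UniFi AP, all VLANs tagged"
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4 vlan-ids=1,400,401
add bridge=bridge tagged=bridge,ether2 vlan-ids=20
"""

# Constructed: the hybrid port from the reply above, vlan99 untagged and
# the data VLANs tagged.
FIXED = """
/interface bridge port
add bridge=bridge interface=ether4 pvid=99 comment="hybrid port to ubiquiti AP"
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=99
add bridge=bridge tagged=bridge,ether4 vlan-ids=400,401,402
"""


def audit(export, ap_port="ether4", ap_mgmt_vlan=1):
    """Hypothetical helper: check an export against the AP's expectation."""
    return check(*parse_export(export), {ap_port: ap_mgmt_vlan})


if __name__ == "__main__":
    for label, text, mgmt in (("broken", BROKEN, 1), ("fixed", FIXED, 99)):
        print(label, audit(text, ap_mgmt_vlan=mgmt) or ["no findings"])
```

Run against `BROKEN` with the AP expecting VLAN 1 untagged, the checker reports that ether4 sends VLAN 1 tagged and that ether2 carries a tagged VLAN it can never admit; `FIXED` with the AP expecting VLAN 99 produces no findings. Feeding it a real export (after stripping secrets) is a quick way to confirm a hybrid port before changing the address that Winbox is connected through.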

Thanks very much.
Everything runs fine now.

Why is it not suggested to run a management VLAN on VLAN 1?
I saw a lot of configurations where people use VLAN 1, too.

MT users are not ordinary people. :slight_smile:

There is nothing technically wrong with using VLAN 1 or running management on it, you just have to be very aware of how different vendors use VLAN 1.

With Ubiquiti the UniFi default LAN is untagged and they reserve VLAN ID 1 for internal use, they also reserve VLAN IDs 4010-4094 for internal use in devices so in the controller Settings > Networks you can only create additional networks with VLAN IDs 2-4009.

With Mikrotik there is no restriction on the VLAN IDs which can be specified for an /interface vlan; any permitted by the IEEE 802.1Q specification, i.e. 1-4094, can be used.

Sorry that I post here, but I think that my question fits well here.

In the case of onlineuser, he created 4 bridges assigned to ether4 (the port for the wifi access points).
Then there are 4 VLANs, each pointing to a different bridge.
Is this good practice on MT devices, or should one bridge containing the 4 VLANs be enough?
I am a little bit confused since I saw this.

Since the introduction of VLAN-aware bridges some years ago, a single bridge is the recommended method. There are various potential issues when using multiple bridges: https://help.mikrotik.com/docs/spaces/ROS/pages/19136718/Layer2+misconfiguration

Thanks for the tip.

I thought that one bridge for VLANs is only relevant when more than one ether port should be used.
1.png
2.png
So, does it really make a difference if I assign the VLANs to a bridge which is assigned to an ether port?

And every VLAN/bridge is bound to its own DHCP server.
Can a DHCP server which is assigned to a bridge containing more than one VLAN cause trouble?
In my case every DHCP server is assigned to a different bridge and VLAN.
I think it is also not possible to assign the same bridge as interface to different DHCP servers with different IP pools.

If you will never require the VLANs to be present on more than one physical port then you can attach an /interface vlan directly to a port. They do not work as drawn; they merely add a VLAN tag for packets passing in one direction and remove it for packets passing in the other.

Consider
/interface vlan
add interface=ether4 name=vlan1 vlan-id=1
add interface=ether4 name=vlan400 vlan-id=400
add interface=ether4 name=vlan401 vlan-id=401
add interface=ether4 name=vlan402 vlan-id=402

When you add IP addresses, DHCP servers, etc. to the vlan1/400/401/402 interfaces the packets have the corresponding VLAN tag added as they leave ether4. For untagged packets you would use ether4 directly, not vlan1, as untagged packets have no VLAN ID. Using vlan1 adds a tag with VLAN ID 1 for packets leaving ether4, and will only accept packets tagged with VLAN ID 1 on entry.

The main confusion arises when a switch chip or VLAN-aware bridge is used: these typically have no mechanism for handling untagged packets internally, so manufacturers use/reserve one. Untagged packets have this reserved VLAN ID added on entry to the switch or bridge, and removed on exit.

On Mikrotiks a VLAN-aware bridge behaves like a managed switch which is embedded within the Mikrotik, in addition to the external ports there is also a bridge-to-CPU port which can be configured as untagged only, hybrid or tagged only just like the external ports. Tagged traffic on this bridge-to-CPU port has to be handled by /interface vlan as the services provided by the CPU generally expect untagged traffic only. http://forum.mikrotik.com/t/routeros-bridge-mysteries-explained/147832/1 may be helpful.
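The reply above describes an /interface vlan purely as a tag push on egress and a tag match on ingress, which is why an untagged frame never reaches vlan1 while the plain parent port sees it. The following is an added example, not MikroTik code: a minimal 802.1Q encoder/decoder in Python with a `VlanInterface` model of that push/match behaviour, run over constructed frames. The MAC addresses, the `VlanInterface` class and the `demo()` function are all assumptions made for this example.

```python
"""Model of what an /interface vlan does on the wire (added example, not
MikroTik code): push an 802.1Q tag on frames leaving the parent port and
accept only frames carrying that exact tag on entry. Frames are constructed."""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def push_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert TPID + TCI (PCP:3, DEI:1, VID:12) after the two MAC addresses."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1-4094 (0 and 4095 are reserved)")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def pop_tag(frame: bytes):
    """Return (vid, untagged_frame); vid is None if the frame carries no tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


class VlanInterface:
    """Hypothetical model of one /interface vlan on a parent port."""

    def __init__(self, name: str, vid: int):
        self.name, self.vid = name, vid

    def egress(self, frame: bytes) -> bytes:
        """CPU -> wire: the tag is added unconditionally."""
        return push_tag(frame, self.vid)

    def ingress(self, frame: bytes):
        """Wire -> CPU: only frames tagged with this VID are delivered."""
        vid, inner = pop_tag(frame)
        return inner if vid == self.vid else None


def build_frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Untagged Ethernet II frame from colon-separated MAC strings."""
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!H", ethertype) + payload)


def demo():
    """Exercise the cases the reply describes; constructed addresses/payload."""
    vlan1 = VlanInterface("vlan1", 1)
    vlan400 = VlanInterface("vlan400", 400)
    untagged = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", payload=b"hello")
    return {
        # an untagged frame on the parent port is never delivered to vlan1
        "untagged_into_vlan1": vlan1.ingress(untagged),
        # a frame vlan400 sent out comes back in through vlan400 unchanged
        "tagged400_into_vlan400": vlan400.ingress(vlan400.egress(untagged)) == untagged,
        # the same frame is dropped by vlan1 because the VID does not match
        "tagged400_into_vlan1": vlan1.ingress(vlan400.egress(untagged)),
        # the tag vlan400 pushed carries VID 400
        "egress_vid": pop_tag(vlan400.egress(untagged))[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The model deliberately has no notion of a pvid: that is the bridge's job, which is exactly why attaching an address to vlan1 on a port whose far end sends management traffic untagged (as in this thread) cuts the connection, while the parent port itself, or a bridge with the right untagged entry, keeps working.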

Ok, now it's clearer.

  • Connecting an /interface vlan directly to ether4 is clear.
  • /ip addresses is also clear: binding the first wifi IP pool to vlan 400, for example.
  • But binding a DHCP server to the vlan 400 interface is not possible because it runs as a slave device from ether4.
    It is also not possible to bind two DHCP servers to the same interface.