Mikrotik and unifi vlan

Dear Guys,
I have a RouterBOARD RB493, a UniFi UAP and 2 modems from different ISPs.
What I am trying to get is to have 2 SSIDs on the UniFi, each one separate and connected to a specific WAN:
SSID 1 can connect to WAN 1
SSID 2 can connect to WAN 2

WAN 1 modem conf is 192.168.2.254
WAN 2 modem conf is 192.168.15.1

I know I need to do VLANs, but I am a beginner in the MikroTik world.
I did the 2 SSIDs on the UniFi controller to have SSID 2 = ID 2 and SSID 15 = ID 15.

I also tried this video
https://www.youtube.com/watch?v=B6egRmXZytI
and it worked for doing the VLANs on MikroTik with a bridge trunk: if I connect to SSID 1 it assigns me a 192.168.2.0/24 IP, and the same for SSID 2 with 192.168.15.0/24. But what I am missing is connecting the modems to the MikroTik and configuring the VLANs to use these WANs separately.
If anyone can help I appreciate that, thank you in advance.

Have a look at http://wiki.mikrotik.com/wiki/Load_Balancing_over_Multiple_Gateways, especially the “Policy Routing based on Client IP Address” section, which is what you’re looking for (and a more exact title for the article, as that’s not strictly load balancing, which usually involves dynamically spreading the traffic across the Internet uplinks).

To further understand this, and other possibilities, there’s a great presentation to delve into: http://mum.mikrotik.com/presentations/US12/tomas.pdf

Thank you for your reply,
but it seems you misunderstood me.
I read your PDF file, but I don’t want load balancing or failover or PCC.
I just want 2 separate networks with 2 SSIDs that connect to ISP1 and ISP2.

What exactly I want is: when I connect to SSID 1 I must use WAN 1, and when I connect to SSID 2 I must use WAN 2.

Thank you in advance.

I must say that presentation is not mine but Tomas Kirnak’s. :slight_smile:

You already have the SSIDs in separate VLANs and networks; the VLANs are done.

Policy Routing is what you’re after now, i.e. route over specific uplinks based on source networks.

Check the wiki entry I added; I edited the post, not used to people answering that fast! :smiley:

Yeah, you are right, what I am missing is doing the routing between VLANs and WANs,
while I can do it if it was normal Ethernet and not VLAN.

I’m not getting you… could you paste an export?

To do so go to Winbox > New terminal and issue:

/export compact hide-sensitive=yes
[admin@MikroTik] > /export compact hide-sensitive
# jan/02/1970 00:59:09 by RouterOS 6.33rc22
# software id = LRHK-XD60
#
/interface bridge
add name="bridge trunk"
/interface vlan
add interface="bridge trunk" l2mtu=1518 name=vlan2 vlan-id=2
add interface="bridge trunk" l2mtu=1518 name=vlan15 vlan-id=15
/ip dhcp-server
add disabled=no interface=vlan15 lease-time=3h name="server vlan15"
/ip pool
add name=pool15 ranges=192.168.15.2-192.168.15.99
add name=pool2 ranges=192.168.2.2-192.168.2.99
add name="pool unifi" ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool="pool unifi" disabled=no interface="bridge trunk" lease-time=\
    3h name=server-unifi
add address-pool=pool2 disabled=no interface=vlan2 lease-time=3h name=\
    "server vlan2"
/interface bridge port
add bridge="bridge trunk" interface=ether3
add bridge="bridge trunk" interface=ether4
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether1 \
    network=192.168.88.0
add address=192.168.1.1/24 interface="bridge trunk" network=192.168.1.0
add address=192.168.15.100/24 interface=vlan15 network=192.168.15.0
add address=192.168.2.100/24 interface=vlan2 network=192.168.2.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=8.8.8.8 gateway=192.168.2.254
add address=192.168.15.0/24 dns-server=8.8.8.8 gateway=192.168.15.1

Now I want to connect modem 1 on port 9 and modem 2 on port 8, and assign IP 192.168.2.101/24 to port 2 and 192.168.15.101/24 to port 8,

and then do the routing that I am missing.

Forgot to say: I put the UniFi AP on port 3, and port 4 is used for the UniFi controller.

I see what you are trying to achieve with your setup, but why use a router for that? A layer 3 switch would be enough…

If you want to do policy routing, you cannot set it up that way: when you assign an IP/mask to an interface you’re dynamically setting a connected route, so you will end up with routes for 192.168.2.0/24 and 192.168.15.0/24 on both the WAN and the VLAN interfaces, not a good practice by any means (a mess!).

I wouldn’t set it up that way. Instead, choose different IP ranges for the modems, or even better, put them in bridge mode and get the public IPs directly on the MikroTik router.

Assign the IPs used as gateways on the VLAN interfaces: 192.168.15.1/24 to VLAN15, and 192.168.2.1/24 to VLAN2.

In CLI syntax:

/ip address
add address=192.168.15.1/24 interface=vlan15 network=192.168.15.0
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0

You can reconfigure them from the GUI and do an export later to check that everything is OK by comparing the output with this post, or remove all the IPs from the GUI and paste this in a New terminal.

Now, you have to reflect this on your DHCP setup so that the wireless clients get the proper addresses and settings:

/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8 gateway=192.168.2.1
add address=192.168.15.0/24 dns-server=8.8.8.8 gateway=192.168.15.1

Check wireless clients can ping their gateway.

They won’t be able to ping anything on the internet; this is where the wiki article I posted before for policy routing comes in, either using other private IP addresses for the modems and MikroTik router WAN addressing (192.168.10.x and 192.168.11.x for example), or putting them in bridge mode and getting the public IPs directly on the router.

You’ll have to reconfigure the modems and WAN addresses in both cases.

Dear Sir,
I did what you said above, but something is going wrong: the WiFi is not showing anymore.
I am plugging the WiFi AP into ether3.
Is that correct?

Here is the code:

/export compact hide-sensitive
# jan/02/1970 00:08:45 by RouterOS 6.33rc22
# software id = LRHK-XD60
#
/interface vlan
add interface=ether3 l2mtu=1518 name=vlan2 vlan-id=2
add interface=ether3 l2mtu=1518 name=vlan15 vlan-id=15
/ip pool
add name=pool15 ranges=192.168.15.2-192.168.15.99
add name=pool2 ranges=192.168.2.2-192.168.2.99
/ip dhcp-server
add address-pool=pool2 disabled=no interface=vlan2 lease-time=3h name=\
    "server vlan2"
add address-pool=pool15 disabled=no interface=vlan15 lease-time=3h name=\
    "server vlan15"
/ip address
add address=192.168.15.1/24 interface=vlan15 network=192.168.15.0
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8 gateway=192.168.2.1
add address=192.168.15.0/24 dns-server=8.8.8.8 gateway=192.168.15.1

The WiFi AP is set to get DHCP; do I have to make it static?

Please re-read my last post. I misunderstood that you had 2 APs (instead of 1 AP and the controller) and edited it; I guess you tried it before I finished editing, and that’s why the UniFi controller cannot connect to the UniFi AP, if that’s what you mean?

Let’s say we exclude the bridge mode for modems idea.
Let’s assume I used a different range of IPs on the modems.
Can we do best practice for this,
assuming modem 1 IP is 192.168.1.1
and modem 2 IP is 192.168.2.1,

and VLAN 10 is 192.168.10.0/24
and VLAN 20 is 192.168.20.0/24?

Is that what you suggest?

Thank you in advance.

No, I have only one AP, but I used 2 SSIDs on it using 2 VLAN IDs.
The problem happening when I removed the bridge is that I can’t see the WiFi SSIDs on the clients at all,
and it is not a problem of connecting the controller.

See this diagram so you can understand me well:
Untitled.png

I got you, no problem.

You can add this to your actual setup so that the UniFi controller (ether4) “sees” again the AP (ether3):

/interface ethernet set ether4 master-port=ether3

Basically you’re creating a 2-port switch just for the AP and the controller.

The VLANs should “hang” from the master port (ether3), as they do right now.

I can’t see how VLANs could affect the AP radio transmitting the SSID; try this, as that suggests the AP isn’t provisioned…

Here is what I did so far, and all worked well for the VLANs except 2 things:
1- there is no internet connection on any of the VLANs
2- if I connect to SSID 1 I can ping 192.168.15.1, 192.168.2.1 and 192.168.1.1, and the same if I connect to SSID 2 (which I don’t want)
Here is my code:

/interface ethernet
set [ find default-name=ether4 ] master-port=ether3
/interface vlan
add interface=ether3 l2mtu=1518 name=vlan2 vlan-id=2
add interface=ether3 l2mtu=1518 name=vlan15 vlan-id=15
/ip pool
add name=pool15 ranges=192.168.20.2-192.168.20.99
add name=pool2 ranges=192.168.10.2-192.168.10.99
add name=poolunifi ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=pool2 disabled=no interface=vlan2 lease-time=3h name=\
    "server vlan2"
add address-pool=pool15 disabled=no interface=vlan15 lease-time=3h name=\
    "server vlan15"
add address-pool=poolunifi disabled=no interface=ether3 lease-time=3h name=\
    serverunifi
/ip address
add address=192.168.10.1/24 interface=vlan2 network=192.168.10.0
add address=192.168.1.1/24 interface=ether3 network=192.168.1.0
add address=192.168.15.1/24 interface=ether9 network=192.168.15.0
add address=192.168.2.1/24 interface=ether8 network=192.168.2.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.1
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=log chain=forward
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=ogero passthrough=no \
    src-address=192.168.10.0/24
add action=mark-routing chain=prerouting new-routing-mark=cyberia passthrough=\
    no src-address=192.168.20.0/24
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.10.0/24
add action=masquerade chain=srcnat src-address=192.168.20.0/24
/ip route
add distance=1 gateway=192.168.15.254 routing-mark=cyberia
add distance=1 gateway=192.168.2.254 routing-mark=ogero
[admin@MikroTik] >

Thank you in advance.

Any help, guys?

You made several mistakes; these setups are complex and need you to pay close attention to the details.

For starters you swapped the modem<->router addressing with the VLANs’… this isn’t a mistake by itself, but it made you make another mistake: you didn’t assign any IP address to vlan15, and of course the checks I suggested are no longer useful.

You can choose any addressing for this, but it is good practice to make things easier on yourself (or others that may come in the future) and select intuitive addressing, so let’s assume:

vlan2 addressing is 192.168.2.0/24
vlan15 addressing is 192.168.15.0/24
modem1 - mikrotik router addressing is 192.168.10.0/24 (192.168.10.1 being the router and .254 the modem)
modem2 - mikrotik router addressing is 192.168.20.0/24 (192.168.20.1 being the router and .254 the modem)
controller - mikrotik addressing is 192.168.1.0/24

# Create a 2 port switch for Controller and AP
/interface ethernet
set [ find default-name=ether4 ] master-port=ether3

# Create VLAN interfaces hanging from that switch
/interface vlan
add interface=ether3 l2mtu=1518 name=vlan2 vlan-id=2
add interface=ether3 l2mtu=1518 name=vlan15 vlan-id=15

# Assign IP addresses to interfaces
/ip address
add address=192.168.1.1/24 interface=ether3 network=192.168.1.0 comment="UniFi Controller"
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0 comment="Ogero Addressing"
add address=192.168.15.1/24 interface=vlan15 network=192.168.15.0 comment="Cyberia Addressing"
add address=192.168.10.1/24 interface=ether8 network=192.168.10.0 comment="Modem 1"
add address=192.168.20.1/24 interface=ether9 network=192.168.20.0 comment="Modem 2"

# IP Pools
/ip pool
add name=pool2 ranges=192.168.2.2-192.168.2.99 comment="Ogero Pool"
add name=pool15 ranges=192.168.15.2-192.168.15.99 comment="Cyberia Pool"
add name=poolunifi ranges=192.168.1.2-192.168.1.254 comment="Unifi Controller Outside VLANs"

# DHCP Servers
/ip dhcp-server
add address-pool=pool2 disabled=no interface=vlan2 lease-time=3h name="server vlan2"
add address-pool=pool15 disabled=no interface=vlan15 lease-time=3h name="server vlan15"
add address-pool=poolunifi disabled=no interface=ether3 lease-time=3h name=serverunifi

# Parameters to hand out for each DHCP network
/ip dhcp-server network
add address=192.168.15.0/24 dns-server=8.8.8.8 gateway=192.168.15.1
add address=192.168.2.0/24 dns-server=8.8.8.8 gateway=192.168.2.1
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.1

# DNS server for the router
/ip dns
set servers=8.8.8.8,8.8.4.4

# Firewall Filter Rules
/ip firewall filter
add action=log chain=forward

# Mangle Rules
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=ogero passthrough=no \
    src-address=192.168.2.0/24
add action=mark-routing chain=prerouting new-routing-mark=cyberia passthrough=\
    no src-address=192.168.15.0/24

# NAT and Masquerading
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether9
add action=masquerade chain=srcnat out-interface=ether8

# Routing
/ip route
add distance=1 gateway=192.168.10.254 routing-mark=cyberia
add distance=1 gateway=192.168.20.254 routing-mark=ogero

Tests:

LAN/WLAN:
From a wireless client registered on Ogero, ping 192.168.2.1
From a Cyberia wireless client ping to 192.168.15.1

Internet:
If previous tests succeed, try pinging 8.8.8.8 from Ogero/Cyberia wireless clients.

Once you’ve got that working, it’s time to add firewall rules to prevent clients of each network from seeing each other.
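A small checker for the kind of slip pointed out above, added here as an example and not code from the thread or from MikroTik: it parses `/export compact` text (joining the backslash-continued lines) and cross-checks the mangle routing marks, the routes and the addresses on interfaces. Run against the relevant sections of the earlier export (embedded as a constructed sample), it reports the 192.168.20.0/24 mark that has no matching interface address, and also that no route exists in the main table, which is why the router itself has no way out to the internet.

```python
import ipaddress
import shlex

# Constructed sample: the sections of the export posted earlier in the thread
# that matter for policy routing (the version in which vlan15 got no IP address).
EXPORT = """\
/ip address
add address=192.168.10.1/24 interface=vlan2 network=192.168.10.0
add address=192.168.15.1/24 interface=ether9 network=192.168.15.0
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=ogero passthrough=no \\
    src-address=192.168.10.0/24
add action=mark-routing chain=prerouting new-routing-mark=cyberia passthrough=\\
    no src-address=192.168.20.0/24
/ip route
add distance=1 gateway=192.168.15.254 routing-mark=cyberia
add distance=1 gateway=192.168.2.254 routing-mark=ogero
"""

def parse_export(text):
    """Parse '/export compact' output into {section: [{key: value}, ...]}."""
    sections, current, buf = {}, None, ""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        buf += line.rstrip("\\")          # a trailing '\' continues the entry
        if line.endswith("\\"):
            continue
        if buf.startswith("/"):           # '/ip route' etc. opens a section
            current = sections.setdefault(buf, [])
        elif buf.split(" ", 1)[0] in ("add", "set"):
            # shlex keeps name="server vlan2" together; tokens without '=' are skipped
            current.append(dict(t.split("=", 1) for t in shlex.split(buf)[1:] if "=" in t))
        buf = ""
    return sections

def check_policy_routing(sections):
    """Cross-check addresses, mangle marks and routes; returns a list of findings."""
    connected = [ipaddress.ip_interface(a["address"]).network for a in sections.get("/ip address", [])]
    def on_link(x):                       # is x inside a directly connected subnet?
        return any(ipaddress.ip_network(x, strict=False).subnet_of(n) for n in connected)
    findings, routes, marks = [], sections.get("/ip route", []), set()
    for rule in sections.get("/ip firewall mangle", []):
        if rule.get("action") == "mark-routing":
            marks.add(rule["new-routing-mark"])
            if not on_link(rule["src-address"]):
                findings.append(f"mangle src-address {rule['src-address']} is not a connected network")
    for m in sorted(marks - {r.get("routing-mark") for r in routes}):
        findings.append(f"routing mark {m} has no route")
    if not any("routing-mark" not in r for r in routes):
        findings.append("no route in the main table: the router itself has no default gateway")
    return findings
```

Calling `check_policy_routing(parse_export(EXPORT))` returns the two findings; an empty list means the addresses, marks and routes agree with each other.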

Hello,
sorry for the late reply. I applied the settings you gave me and all worked smoothly as needed.

Tests:
connected to VLAN 2 I can ping 192.168.2.1 and 192.168.15.1, and vice versa,
but it can’t ping users on VLAN 15.
Also it can ping 8.8.8.8.


Now how can I let the VLANs communicate with each other?
As well, the MikroTik itself can’t access the internet if I want to check for updates or something else.

Can that be done through the firewall?
Thank you in advance.

As you are modifying routing tables, you have to make sure everything is kept in the proper routing table; this is where Tomas’ presentation explains it step by step :slight_smile: