MikroTik router with UniFi and "guest vlan"

Hello, I have an issue with my router config and after days spent trying to understand what’s going on, I decided to ask for some help (I did read lots of threads here and others on other pages on the Internet, but I am stuck now :/). I followed this article https://lcx.wien/blog/gaste-wlan-mit-unifi-und-mikrotik/ to configure my router (hEX, RouterOS v6.45.7) and a UniFi AP Lite in order to setup a separate network for guests. It works okay as all clients have Internet access, no matter which network they connect to, and I have 2 subnets (guest and main/default).

That being said, I tried to talk to a client in the guest subnet from the main/default subnet and it works:

$ traceroute 172.16.0.102
traceroute to 172.16.0.102 (172.16.0.102), 64 hops max, 52 byte packets
 1  192.168.88.1 (192.168.88.1)  3.699 ms  2.729 ms  2.002 ms
 2  172.16.0.102 (172.16.0.102)  82.308 ms  5.140 ms  5.645 ms

Not really surprising because my firewall rules don’t prevent that.

I then tried to do the same but in the other direction, and it fails:

$ traceroute 192.168.88.246
1: 172.16.0.102 2.124ms pmtu 1500
1: 172.16.0.1 4.690ms
1: 172.16.0.1 8.665ms
2: no reply
...

I am not sure what I did wrong (besides following an article found on the Internet). My networking skills are very rusty so I am not sure to fully understand everything.

I tried to add extra firewall rules to allow everything but that did not change anything. I used the “Torch” to monitor the traffic in the single “bridge” and I can see icmp packets in both directions when I ping a client in the main/default subnet from another client in the guest subnet.

Here is my router config:

$ /export hide-sensitive  
# nov/06/2019 12:20:43 by RouterOS 6.45.7
/interface bridge
add admin-mac=B8:69:F4:E0:F3:33 auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=vlan-guest vlan-id=100
add interface=ether1 name=vlan-telekom vlan-id=7
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan-telekom keepalive-timeout=disabled name=pppoe-telekom use-peer-dns=yes user=XXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=guest-dhcp ranges=172.16.0.100-172.16.0.200
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=guest-dhcp disabled=no interface=vlan-guest name=guest-dhcp-server
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set rp-filter=strict
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-telekom list=WAN
add comment="LAN guest" interface=vlan-guest list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=172.16.0.1/24 interface=vlan-guest network=172.16.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=172.16.0.0/24 dns-server=172.16.0.1 gateway=172.16.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.50 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes

Some more information:

• 192.168.88.50 is a DNS server (pihole).
• The UniFi AP does not have any specific configuration besides having a “guest” wifi network with VLAN ID = 100
• The UniFi controller lives in the main subnet (ip: 192.168.88.246)

My initial idea was to create a “guest” wifi network that was fully isolated from my main/default network, and only used for Internet access. Given that UniFi APs have a “guest portal” feature, I wanted to try that and that’s how I found that I could not reach a machine in the default subnet from the guest one. I suppose, once this is doable, I can add firewall rules to re-isolate the two subnets and only allow traffic from the guest subnet to the UniFi “guest portal”.

Any obvious reason(s) on why my setup is not working properly? Any suggestions? Thanks!

–
William

My guess is firewall on 192.168.88.246 dropping anything which is not coming from own subnet. If you’re running linux, then you could force traceroute to use ICMP packets as probes (instead of usual UDP packets) by running traceroute -I 192.168.88.246, which might get you a bit further if remote host allows ICMP.

From my limited knowledge it appears you are missing the Bridge Vlan setting…
Which port is a trunk port for both LAN and VLAN??
In other words I get that the UNIFI is vlan capable and resides on the main lan but which etherport is it connected to on the hex.

For example if the unifi was connected on ether2
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=100

With current OP’s settings, bridge behaves as dumb switch … meaning that it will leak VLANs as hell, but that might be fine (this was the way to go before ROS 6.42). The vlan interface(s) deal with VLANs for the upper layers … and are symmetrical (in sense that they don’t care about connection direction, they only pass packets tagging/untagging on the go).

The non-symmetric behaviour many times point at differences on far ends of the connection and most obvious cause for that is firewall settings …

heh, I feel really daft: I forgot that I had a firewall on 192.168.88.246 indeed, and that was the problem. Thank you!

Right, there is no bridge vlan configured. UniFi is connected to ether3 FWIW. I read about the bridge vlan, etc. but I am not sure to understand the benefit of doing it (I sort of understand that it is the new best approach, but I am not sure why). Thanks for the suggestion, though. I’ll see what I can do.

Interesting, so what does “leak[ing] VLANs as hell” mean exactly?

I’ll remember about the non-symmetric behavior being a good hint for double-checking all firewall settings, thanks again.

The way you have your RB currently configured it only cares about VLAN tags when it comes to its own interaction with VLANs (the tagged and the untagged one) via the two IP interfaces. But when it comes to L2 operations (e.g. switching data between ether ports) it doesn’t care about VLAN tags and will act as dumb switch which only cares about MAC addresses.

The idea of VLANs illustrated: a switch has half of ports configured as access ports of one VLAN and half of ports as access ports of another VLAN. In this case packets from one half of switch don’t get into the other half in any case. As if you had two separate switches without any connection. If some ports are trunk ports (carrying packets of different VLANs), then one can imagine two (or more, as many as different VLANs in trunk) virtual wires … and packets from different VLANs still don’t mix.
Switches generally forward a packet only through port where the destinaton MAC was seen active recently (that’s MAC learning). If switch doesn’t know location of destination MAC or if it’s a broadcast packet, then switch will pass that packet to all ports.
If switch is “smart” switch and is configured with VLANs, even broadcasts stay contained within ports belonging to same VLAN.

If switch is “dumb”, then it ignores VLAN information … it passes broadcasts (and packrts for unknown MACs) from one VLAN to all ports, even ones that it should not - that’s VLAN leaking. And this is current state of bridge (the swiitch-like function) in your RB.

May I ask why you don’t create the wlans in the unifi client instead? It’s very easy to do, and you don’t have to configure anything in the router.

If unifi client is located inside LAN, does this ensure strict separation of guest subnet from LAN?

It’s a special Guest WiFi config with short leases and a whole different set of firewall rules and bandwidth restrictions if needed, and lots of things to configure if you want (hotel style management, paywall, encryption etc), so I suppose it is totally separated from the regular network.

You’re describing OP’s setup or your own which is totally unrelated?

I also have a MT router and unify AP’s.
The WiFi setup in the unify software is a user friendly GUI. A working and safe guest network is setup by anyone in minutes, that’s why I asked why he doesn’t create the WiFi network there.

@charliecrash mmmh I am not sure what you are referring to but on the UniFi side, I do have a separate WiFi SSID with “guest policies”. I do not have a USG or any other Ubiquiti product, only an AP. I tried to find more information online, and it seems that the “guest policies” provide some sort of isolation between the guest clients, preventing them to see everyone else on the network. IIRC, this means guest clients use my main/default network but the AP prevents them to see the other clients.

I guess that would work, too, but I do like having a clear separation with different subnets. I think I need to update the router config to use bridge vlans as recommended above.