mikrotik vlan routing between bridge and AP

I have a mikrotik CRS-125-24G that needs to run separate networks for 3 different tenants.
I have a single Unifi AP-AC-Pro sitting on the bridge. It broadcasts 3 separate SSIDs: one is untagged and the other 2 are tagged with VLAN 111 and 222.
However, I’m unable to get the physical Ethernet ports that are allocated to each tenant onto the same VLAN.

I’m currently trying to use the switch settings to egress-tag the traffic on the Ethernet ports with the corresponding VLAN ID, but it still doesn’t route onto the actual VLAN. I know I’m probably missing something really obvious, but it is eluding me.

What I want to achieve is tenants being able to plug in their cabled devices and access them from their wireless devices — things like Sonos or printers.

I have spent a lot of time trying to find information, but it seems that there are so many different ways to achieve this, and so many recent changes to RouterOS, that I can’t figure out what the best method is for maintaining security and reducing overhead.

Thanks in advance for any advice you have.

Here is my config:

# mar/19/2020 12:35:11 by RouterOS 6.46.4
# software id = 7BP3-0B3C
#
# model = CRS125-24G-1S
# serial number = 49CE027A76CD
#
# Three separate bridges: bridgeLAN (untagged tenant, ether2-8),
# bridge111 (ether9-16) and bridge222 (ether17-24). None of them sets
# vlan-filtering=yes, so the /interface bridge vlan entries further down are
# presumably not applied (the bridge VLAN table only takes effect with
# vlan-filtering enabled -- confirm on this release).
/interface bridge
add name=bridge111
add name=bridge222
add name=bridgeLAN
/interface ethernet
# ether1 is the upstream port: it runs the DHCP client and is the masquerade
# out-interface below.
set [ find default-name=ether1 ] name=ether1-gateway
/interface vlan
# vlan1/vlan2 are tagged sub-interfaces of bridgeLAN, so VLANs 111 and 222
# are terminated on the untagged tenant bridge, not on bridge111/bridge222
# where the tenant ethernet ports live. The tenant IP addresses and DHCP
# servers below are bound to these two interfaces.
add interface=bridgeLAN name=vlan1 vlan-id=111
add interface=bridgeLAN name=vlan2 vlan-id=222
/interface list
# WAN/LAN lists are populated below, but no firewall rule in this export
# references either list.
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.100.2-192.168.100.99
add name=dhcp_pool2 ranges=192.168.200.2-192.168.200.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridgeLAN name=dhcpLAN
add address-pool=dhcp_pool1 disabled=no interface=vlan1 name=dhcpvlan1
add address-pool=dhcp_pool2 disabled=no interface=vlan2 name=dhcpvlan2
/interface bridge port
# The upstream port is kept out of the LAN bridge (disabled=yes).
add bridge=bridgeLAN disabled=yes interface=ether1-gateway
add bridge=bridgeLAN interface=ether2
add bridge=bridgeLAN interface=ether3
add bridge=bridgeLAN interface=ether4
add bridge=bridgeLAN interface=ether5
add bridge=bridgeLAN interface=ether6
add bridge=bridgeLAN interface=ether7
add bridge=bridgeLAN interface=ether8
# No bridge111 port sets pvid=111.
add bridge=bridge111 interface=ether9
add bridge=bridge111 interface=ether10
add bridge=bridge111 interface=ether11
add bridge=bridge111 interface=ether12
add bridge=bridge111 interface=ether13
add bridge=bridge111 interface=ether14
add bridge=bridge111 interface=ether15
add bridge=bridge111 interface=ether16
# Only ether17-20 carry pvid=222; ether21-24 on the same bridge keep the
# default pvid, so the port group is configured inconsistently.
add bridge=bridge222 interface=ether17 pvid=222
add bridge=bridge222 interface=ether18 pvid=222
add bridge=bridge222 interface=ether19 pvid=222
add bridge=bridge222 interface=ether20 pvid=222
add bridge=bridge222 interface=ether21
add bridge=bridge222 interface=ether22
add bridge=bridge222 interface=ether23
add bridge=bridge222 interface=ether24
/interface bridge vlan
# The tagged/untagged lists name bridge ports, but vlan1/vlan2 are
# /interface vlan objects on bridgeLAN and are not members of
# bridge111/bridge222 (their ports are ether9-16 / ether17-24 above).
add bridge=bridge111 untagged=vlan1 vlan-ids=111
add bridge=bridge222 untagged=vlan2 vlan-ids=222
/interface ethernet switch egress-vlan-tag
# Switch-chip VLAN configuration (egress tagging, ingress translation, switch
# VLAN table) is used in parallel with the bridge configuration above.
# Egress tagging covers both tenant port groups, but the ingress translation
# and the switch VLAN table exist only for VLAN 111; nothing assigns VID 222
# to ingress traffic on ether17-24.
add tagged-ports=\
    ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16 vlan-id=\
    111
add tagged-ports=\
    ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 vlan-id=\
    222
/interface ethernet switch ingress-vlan-translation
add new-customer-vid=111 ports=\
    ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16
/interface ethernet switch vlan
add ports=ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16 \
    vlan-id=111
/interface list member
add interface=ether1-gateway list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=sfp1 list=LAN
add interface=bridgeLAN list=LAN
/ip address
add address=192.168.1.1/24 interface=bridgeLAN network=192.168.1.0
add address=192.168.100.1/24 interface=vlan1 network=192.168.100.0
add address=192.168.200.1/24 interface=vlan2 network=192.168.200.0
/ip dhcp-client
# bridgeLAN already has the static 192.168.1.1/24 and runs dhcpLAN, yet a
# DHCP client is also enabled on it; an address or default route learned
# here would compete with the static configuration.
add disabled=no interface=bridgeLAN
add disabled=no interface=ether1-gateway
/ip dhcp-server network
# DNS differs per tenant: VLAN 111 clients are pointed at the router itself
# (192.168.100.1) while the other two get 8.8.8.8. No /ip dns settings are
# in this export, so whether the router answers DNS on 192.168.100.1 cannot
# be confirmed here.
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.1
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1
add address=192.168.200.0/24 dns-server=8.8.8.8 gateway=192.168.200.1
/ip firewall filter
# chain=input only sees packets addressed to the router itself. Host-to-host
# traffic between the three subnets is routed through chain=forward, so these
# six drops do not isolate the tenants from one another.
add action=drop chain=input dst-address=192.168.100.0/24 src-address=\
    192.168.1.0/24
add action=drop chain=input dst-address=192.168.200.0/24 src-address=\
    192.168.1.0/24
add action=drop chain=input dst-address=192.168.1.0/24 src-address=\
    192.168.100.0/24
add action=drop chain=input dst-address=192.168.200.0/24 src-address=\
    192.168.100.0/24
add action=drop chain=input dst-address=192.168.1.0/24 src-address=\
    192.168.200.0/24
add action=drop chain=input dst-address=192.168.100.0/24 src-address=\
    192.168.200.0/24
# Unconditional accept on input: there is no in-interface or
# in-interface-list match, so the router's own services (management, DNS,
# DHCP) are reachable from every interface including ether1-gateway (the
# upstream side). An in-interface-list=LAN match, or a preceding drop for the
# WAN list, would normally restrict this.
add action=accept chain=input
# The forward chain contains only accepts and no final drop, so the chain's
# default (accept) applies to every other forwarded flow, including traffic
# between the tenant subnets.
add action=accept chain=forward in-interface=bridge111 out-interface=vlan1
add action=accept chain=forward in-interface=bridge222 out-interface=vlan2
add action=accept chain=forward in-interface=vlan2 out-interface=bridge222
add action=accept chain=forward in-interface=vlan1 out-interface=bridge111
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name="Brad's desk CRS"

You have multiple bridges, a mix of VLAN-aware and non-VLAN-aware configuration, a DHCP server and client on one of the LANs, various firewall rules which will have no effect.

Start with https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#InterVLAN_Routing as a basis for your setup, configure a hybrid port per https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#Example_2_.28Trunk_and_Hybrid_ports.29 for the UniFi AP, then add firewall rules to block traffic between VLANs.

Note that the CRS devices are designed primarily as layer 2 switches, so the CPU is not particularly powerful; it is intended to provide limited layer 3 functionality, not high-performance routing.

Thank you tdw, I’ll have a look at those articles and see how I get on.