Hi,
I have 6 Ubiquiti WiFi APs connected directly to a Mikrotik CRS328 router, i.e. each AP to its own Mikrotik port. Each AP is radiating four distinct SSIDs (all 6 APs radiate three identical SSIDs, the fourth SSID may vary per AP). So far Port #1 of the Mikrotik router is connected to the internet, the remaining ports are grouped into a bridge and there is NAT & Masquerade between the two (Port 1 & the Bridge). For the time being all other devices connected to the non-AP ports, just as well as all wireless devices in all SSIDs, are receiving their IP addresses from one DHCP pool distributed by the DHCP server in Mikrotik.
One of the SSIDs is intended to become “Guest” so the ultimate target is to isolate traffic from that Guest SSID from the rest of the network - not allowing access to “inner LAN” and ship all the traffic from that guest SSID directly towards internet. I guess VLAN is the right way to go…
When configuring SSIDs on Ubiquiti APs, I will use “VLAN only” purpose so each SSID will carry its own distinct VLAN id. I assume the practical effect of this setting is that all packets that come into existence within each SSID will be marked (tagged is probably the correct term) with the respective VLAN id (tag) assigned to the respective SSID. Ubiquiti APs will simply mark all packets accordingly while Mikrotik is then responsible for the routing / handling rules of what happens to each VLAN-id-tagged packet.
When defining the VLANs in Mikrotik, each needs to be attached to an interface. I assume I will define each VLAN in Mikrotik and assign it to what? Repeating the VLAN definition for each interface where there is an AP connected is not a convenient way - since there are 6 of them. Shall I create a group of interfaces and attach the VLAN definition to the group? Or shall I use the Bridge as the interface?
Sorry for this newbie question - I really tried to google it upfront but either the topics were covering VLANs as theoretical concepts or were dealing with several SSIDs however on one AP only - I could not find anything covering multiple SSIDs on multiple APs which are connected to the Mikrotik directly (i.e. over several ports) without being aggregated by some middle switch first. I also don’t seek a full description of how to do it e2e. I will figure out routing and e.g. DHCP ranges for each SSID later - primarily now I’m looking to solve the riddle of multiple WiFi APs with multiple SSIDs connected to several Mikrotik ports directly - in which direction to start the definition of the VLANs (which interface to use when defining them). Would be grateful for any hint… Thanks!
The article is excellent; when you have attempted to apply it, come back for help.
The general concept is one bridge and then assign all vlans to the bridge.
All ports going to smart devices are trunk ports (tagged vlans)
All ports going to dumb devices are access ports (untagged vlans)
All ports going to a mix are hybrid ports (one untagged vlan and the rest tagged).
Note ubiquiti equipment ( strange beast that it is ) likes the management vlan or trusted vlan BY DEFAULT to come to the device untagged while the rest of the vlans are tagged.
I believe this is changeable so that it acts like other smart devices but not aware of how to do this.
Thanks for the help & the article reference so far. I will definitely do the reading (and I did some beforehand). One thing to make clear: I’m trying to set up a private network at my home and I’m not doing it for a living (i.e. not trying to squeeze knowledge out of the community the easy way and sell it on the market).
I’m afraid that even after reading I won’t be able to make the right conclusions - esp. related to performance topics. I can imagine all ports to which APs are attached will be assigned to a bridge. Will I leave them in the “default” internal bridge too (if that’s even possible)? If not I will need to route the traffic between the two bridges which is something I wanted to avoid for at least some of the devices connected to wifi.
The other Mikrotik ports (besides WiFi APs) are occupied with e.g. NAS, TV, etc. The SSIDs I run are Home (for family), Guest (for whoever visits us) and IoT (for devices like e.g. smoke & fire alarm). I want the devices connected to the Home SSID to have unlimited access to resources inside the home network. Guest, to the contrary, shall route directly out to the internet (no interaction with the in-house network). IoT is mixed/special.
The split of what is what is done based on which SSID the device is connected to - and I assume Ubiquiti APs will be tagging the packets as per the SSID.
Now what happens on the Mikrotik side is still in a fog for me. Either I keep the WiFi AP ports in the same bridge and replicate settings (which sounds like a dumb way to do it - if nothing else it opens the window of opportunity for discrepancies). Or I move them into a separate bridge - in which case I can’t use HW switching and will need to route in between (which is probably ok for the volume of my home traffic vs. the router’s performance - but I like to do things the right way). Or there is some hybrid scenario.
And an absolutely possible alternative: I still get the whole concept wrong. I will do the reading now & come back as suggested.
There isn’t much to show but since I’m the one who needs help here is one schema:
The blue rectangle represents one “bridge” - all 24 metallic interfaces are grouped into the bridge; there is masquerade and a couple of usual firewall rules set up between the blue (=inner LAN) and the red (=connectivity to internet).
Architecture is flat (so far). All six WiFi APs are radiating the mentioned 3 SSIDs: Home (for my family use), Guest (for guests) and IoT (for miscellaneous devices). Each AP radiates all these 3 SSIDs.
The usecase is simple: Guest devices go only to Internet (regardless through which of the 6 APs the device is connected). Devices in Home SSID or connected directly to Mikrotik can “talk to each other”, i.e. access e.g. NAS.
What does green represent?
Assuming it’s the trusted/admin network.
Suggest one bridge
4 vlans.
guest vlan 40.
iot vlan vlan30
house vlan vlan20
management vlan vlan10
The unifi APs, assuming they need the management vlan untagged and the data vlans tagged.
The unifis get their IP address from the management vlan, as does the admin laptop.
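A concrete RouterOS rendering of the layout suggested above (one bridge, VLANs 10/20/30/40, AP ports as hybrid ports with the management VLAN untagged, wired ports as access ports), added here as an illustration and not a configuration posted by anyone in the thread. The port assignment (ether1 as uplink kept out of the bridge, ether2-ether7 for the six APs, ether8 for a wired device such as the NAS) is an assumption for a CRS328; adjust it to the real wiring.

```routeros
# Added example, not from the thread. Assumed wiring on a CRS328:
#   ether1          uplink to the internet (stays OUT of the bridge)
#   ether2-ether7   the six UniFi APs (hybrid ports)
#   ether8          a wired device such as the NAS (access port, house VLAN)
# VLAN plan from the reply above: 10 management, 20 house, 30 IoT, 40 guest.

# 1. One bridge. Leave vlan-filtering off until the VLAN table is complete,
#    so a half-finished table cannot cut off your own management session.
/interface bridge
add name=bridge vlan-filtering=no

# 2. AP ports are hybrid: management VLAN 10 arrives untagged (pvid=10),
#    the three SSID VLANs arrive tagged. The wired access port gets only
#    its untagged VLAN and, with ingress-filtering, drops tagged frames.
/interface bridge port
add bridge=bridge interface=ether2 pvid=10 frame-types=admit-all ingress-filtering=yes
add bridge=bridge interface=ether3 pvid=10 frame-types=admit-all ingress-filtering=yes
add bridge=bridge interface=ether4 pvid=10 frame-types=admit-all ingress-filtering=yes
add bridge=bridge interface=ether5 pvid=10 frame-types=admit-all ingress-filtering=yes
add bridge=bridge interface=ether6 pvid=10 frame-types=admit-all ingress-filtering=yes
add bridge=bridge interface=ether7 pvid=10 frame-types=admit-all ingress-filtering=yes
add bridge=bridge interface=ether8 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# 3. Bridge VLAN table: which VLAN may leave which port, tagged or untagged.
#    "bridge" itself is listed as a tagged member so the router can own an
#    IP address in each VLAN later (DHCP, routing, firewall).
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether2,ether3,ether4,ether5,ether6,ether7
add bridge=bridge vlan-ids=20 tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7 untagged=ether8
add bridge=bridge vlan-ids=30 tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7
add bridge=bridge vlan-ids=40 tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7

# 4. Only now turn filtering on; do it from Safe Mode so a mistake reverts.
/interface bridge set bridge vlan-filtering=yes
```

Two points worth checking after applying it: `/interface bridge vlan print` should show no unexpected dynamic entries, and the guest VLAN 40 does not appear on ether8 at all, so a guest frame cannot reach the NAS port at layer 2 regardless of what the firewall does later. Layer-3 separation (guest to the internet only) is still a firewall job on top of this.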
Makes sense to me and thanks for all the advice so far!
The green one is actually meant like accessing content on NAS. Next to it may be Smart TV accessing media content from NAS etc. I don’t think (in my current setup, current time and current needs) I will need management VLAN - may be later when I learn more.
Primarily at the moment I need to divert Guest SSID traffic from the rest of internal LAN and allow it to go out to internet only.
I will now do some reading and setup testing attempts and will come back in case needed - thank you once again.
Just to document the direction I’m heading after some more reading (and yes, the referenced article/post helped alongside of responses in this thread):
I will attempt to have a Native VLAN for the traffic between devices connected to Mikrotik’s physical interfaces
all metalic ports in Mikrotik router will be bridged regardless whether a WiFi AP is attached or any other device
tagging packets as per SSID will be taken care of by Ubiquiti WiFi APs; thanks to this packets coming from WiFi will ingress into the Bridge tagged with respective VLAN id
what happens with packets that are tagged will be defined in and decided by the Mikrotik router; for a start it will be so that all packets coming from the Guest SSID will be automatically routed towards the Internet SFP interface
The biggest misconception in the mental model of my setup I’ve had prior to asking for help here and reading was in the fact that I’m allowed to attach the definition of VLANs to the primary Bridge even though there are more ports grouped in it, including those to which there is no WiFi AP connected. I was therefore considering either repeating the definition of each VLAN and attaching such a definition to every physical interface a WiFi AP is attached to, or building a separate bridge to which only WiFi AP interfaces would be grouped. Both such concepts carry significant disadvantages: the former opens up a window of opportunity for creating discrepancies between definitions, the latter mandates a need to route between the default Bridge and the WiFi Bridge, thus loading the CPU and not using HW switching.
Hope it all makes sense what I write. Will do some further reading and configuration attempts and will report results.
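To show what "attach the VLAN definition to the bridge" and "Guest goes to the internet only" look like in RouterOS terms, here is an added example (not configuration from the thread) of the layer-3 side that sits on top of a bridge with VLAN filtering: one `/interface vlan` per VLAN bound to `bridge`, a DHCP server per VLAN, and forward/input rules that let the guest VLAN reach only the uplink. The addresses (10.20.0.0/24 for house, 10.40.0.0/24 for guest), the interface names (`vlan20-house`, `vlan40-guest`, `sfp-sfpplus1` as the internet uplink) and the list names are all assumptions made up for the example.

```routeros
# Added example, not from the thread. Assumes a bridge named "bridge" with
# vlan-filtering on and VLANs 20 (house) and 40 (guest) in its VLAN table,
# and sfp-sfpplus1 as the internet uplink. Addressing is invented.

# 1. The L3 VLAN interfaces hang off the bridge, not off any physical port:
#    one definition per VLAN covers all six AP ports at once.
/interface vlan
add name=vlan20-house interface=bridge vlan-id=20
add name=vlan40-guest interface=bridge vlan-id=40

# 2. Gateway address and a separate DHCP pool per VLAN. These replace the
#    single DHCP server that used to sit directly on the bridge.
/ip address
add address=10.20.0.1/24 interface=vlan20-house
add address=10.40.0.1/24 interface=vlan40-guest
/ip pool
add name=pool-house ranges=10.20.0.100-10.20.0.250
add name=pool-guest ranges=10.40.0.100-10.40.0.250
/ip dhcp-server
add name=dhcp-house interface=vlan20-house address-pool=pool-house
add name=dhcp-guest interface=vlan40-guest address-pool=pool-guest
/ip dhcp-server network
add address=10.20.0.0/24 gateway=10.20.0.1 dns-server=10.20.0.1
add address=10.40.0.0/24 gateway=10.40.0.1 dns-server=10.40.0.1
# The router answers DNS for the clients only if remote requests are allowed.
/ip dns set allow-remote-requests=yes

# 3. Interface lists keep the firewall readable as more VLANs are added.
/interface list
add name=WAN
add name=LAN
add name=GUEST
/interface list member
add list=WAN interface=sfp-sfpplus1
add list=LAN interface=vlan20-house
add list=GUEST interface=vlan40-guest

# 4. Guest may go to the internet and nowhere else. Rule order matters:
#    accept toward WAN first, then drop everything else that originates in
#    the guest VLAN (house VLAN, IoT VLAN, and the router's other services).
#    These go after the usual established/related accepts you already have.
/ip firewall filter
add chain=forward in-interface-list=GUEST out-interface-list=WAN action=accept comment="guest -> internet"
add chain=forward in-interface-list=GUEST action=drop comment="guest -> anything else"
add chain=input in-interface-list=GUEST protocol=udp dst-port=53,67 action=accept comment="guest may use router DNS/DHCP"
add chain=input in-interface-list=GUEST action=drop comment="guest -> router otherwise"

# 5. NAT is unchanged in spirit: masquerade everything leaving the uplink.
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
```

A quick check from a guest client: DHCP lease comes from 10.40.0.x, an internet address is reachable, the NAS address in 10.20.0.0/24 is not, and `/ip firewall filter print stats` shows the "guest -> anything else" drop counter rising when you try.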