RB750 with vlan for guest WiFi (unifi)

Hi everyone,

I have tried to get the vlan working on an RB750, but with no success. I'm not able to ping the vlan interface no matter what. What I want is for ports 2 to 5 to all be trunked and have both vlan1 and vlan129 on them. This would allow the Unifi router to be plugged into any of the ports and the guest wireless network to be separate from the internal lan.

Could someone please look at this config and tell me what’s wrong?

/interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                       TYPE    ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0  R  ether1-gateway             ether         1500  1600       4076 4C:5E:0C:C2:3F:79
 1  RS ether2-master-local        ether         1500  1598       2028 4C:5E:0C:C2:3F:7A
 2   S ether3-slave-local         ether         1500  1598       2028 4C:5E:0C:C2:3F:7B
 3  RS ether4-slave-local         ether         1500  1598       2028 4C:5E:0C:C2:3F:7C
 4   S ether5-slave-local         ether         1500  1598       2028 4C:5E:0C:C2:3F:7D
 5  R  br-Guest-WiFi              bridge        1500 65531            00:00:00:00:00:00
 6  R  bridge1                    bridge        1500  1598            4C:5E:0C:C2:3F:7A
 7  RS vlan-WiFi                  vlan          1500 65527            00:00:00:00:00:00


/interface bridge print
Flags: X - disabled, R - running 
 0  R name="br-Guest-WiFi" mtu=auto actual-mtu=1500 l2mtu=65531 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=rstp priority=0x8000 auto-mac=yes 
      admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m 

 1  R name="bridge1" mtu=1500 actual-mtu=1500 l2mtu=1598 arp=enabled mac-address=4C:5E:0C:C2:3F:7A protocol-mode=rstp priority=0x8000 auto-mac=yes 
      admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m 


/interface bridge port  print                
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE                   BRIDGE                   PRIORITY  PATH-COST    HORIZON
 0    ether2-master-local         bridge1                      0x80         10       none
 1 I  vlan-WiFi                   br-Guest-WiFi                0x80         10       none
 
 

/interface vlan print      
Flags: X - disabled, R - running, S - slave 
 #    NAME                        MTU ARP        VLAN-ID INTERFACE     
 0 R  vlan-WiFi                  1500 enabled        129 br-Guest-WiFi 



/ip address  print                     
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                     
 0   ;;; default configuration
     10.103.0.250/24    10.103.0.0      ether2-master-local           
 1   10.103.129.1/24    10.103.129.0    br-Guest-WiFi                 
 2 D publicIP/29        gateway   ether1-gateway                



/interface ethernet   print  
Flags: X - disabled, R - running, S - slave 
 #    NAME                          MTU MAC-ADDRESS       ARP        MASTER-PORT                   SWITCH  
 0 R  ether1-gateway               1500 4C:5E:0C:C2:3F:79 enabled    none                         
 1 RS ether2-master-local          1500 4C:5E:0C:C2:3F:7A enabled    none                          switch1 
 2  S ether3-slave-local           1500 4C:5E:0C:C2:3F:7B enabled    ether2-master-local           switch1 
 3 RS ether4-slave-local           1500 4C:5E:0C:C2:3F:7C enabled    ether2-master-local           switch1 
 4  S ether5-slave-local           1500 4C:5E:0C:C2:3F:7D enabled    ether2-master-local           switch1

Hi, a few questions…

Ports 2 through 5 trunked, you mean that all of them are part of a switch? If yes, you can do that by making port 2 the master of all the remaining ports.

When you say Unifi “router” you mean an access point or a real router?

A diagram will help.

But let me tell you that the vlan needs to be attached only to the master or bridge port of your LAN, depending on the path you have chosen.

Then a DHCP server is required on the vlan, and proper routing and masquerading are also needed.

Sent from my Nexus 4 using Tapatalk

markdueck, “print” does not provide enough information about your config. Please use “export” instead.

Hello,

As seen from your prints, there are many errors:

  1. Main error: the VLAN is on the incorrect bridge.
    Please change the interface of the VLAN (from br-Guest-WiFi to bridge1).
  2. IP addresses are on incorrect interfaces; please check what is needed.
  3. For now I don't see a need for br-Guest-WiFi and bridge1; you can remove them and set up the IPs on the VLAN interface itself and on ether2-master.
    A bridge is needed when you use one LAN over multiple interfaces (for example ether2-master and wlan).

Best regards.

Thanks so far. I’ve made the suggested changes, but I still cannot ping the IP on the vlan. Here’s the export of the same commands:

/interface export
# sep/30/2015 05:40:28 by RouterOS 6.32.2
# software id = A0PB-R4V5
#
/interface bridge
add disabled=yes name=br-Guest-WiFi
add mtu=1500 name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
/interface vlan
add interface=bridge1 l2mtu=1582 name=vlan-WiFi vlan-id=129
/interface bridge port
add bridge=bridge1 interface=ether2-master-local
add bridge=bridge1 interface=vlan-WiFi
/interface ethernet switch vlan
add ports=ether2-master-local,ether3-slave-local,ether4-slave-local,ether5-slave-local switch=switch1 vlan-id=129
/interface l2tp-server server
set enabled=yes ipsec-secret=secret use-ipsec=yes
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes



/interface bridge export
/interface bridge
add disabled=yes name=br-Guest-WiFi
add mtu=1500 name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2-master-local
add bridge=bridge1 interface=vlan-WiFi



/interface bridge port  export
/interface bridge port
add bridge=bridge1 interface=ether2-master-local
add bridge=bridge1 interface=vlan-WiFi



/interface vlan export
/interface vlan
add interface=bridge1 l2mtu=1582 name=vlan-WiFi vlan-id=129



/ip address  export
/ip address
add address=10.103.0.250/24 comment="default configuration" interface=ether2-master-local network=10.103.0.0
add address=10.103.129.1/24 interface=vlan-WiFi network=10.103.129.0



/interface ethernet   export
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
/interface ethernet switch vlan
add ports=ether2-master-local,ether3-slave-local,ether4-slave-local,ether5-slave-local switch=switch1 vlan-id=129

The Unifi is an AP with multiple SSIDs. The guest SSID is on a different vlan to keep it separate from the internal lan.

Once I have this working, I'll work on all the other rules, DHCP and NATting, as I get to it.

Thanks.

Do the following:

/interface ethernet switch vlan remove [find ]
/interface vlan set vlan-WiFi interface=ether2-master-local
/interface bridge remove bridge1

Then please report back if your problem is solved.
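The three commands above put the VLAN straight on the switch-group master port. As an added worked example (not markdueck's export and not the commands posted by the previous reply), here is the complete guest-VLAN side in RouterOS 6 script syntax, built from the interface names and subnets already in this thread. The DHCP pool range, the pool and server names and the /ip dns setting are my assumptions; the masquerade rule repeats the "default configuration" rule that is already in the export.

```routeros
# Added example: guest VLAN 129 on an RB750 switch group (RouterOS 6.x syntax).
# ether3-5 are slaves of ether2-master-local, so the tagged VLAN only has to exist
# on the master port; it is then carried on every port of the switch group.
/interface ethernet
set [ find default-name=ether3 ] master-port=ether2-master-local
set [ find default-name=ether4 ] master-port=ether2-master-local
set [ find default-name=ether5 ] master-port=ether2-master-local
/interface vlan
add name=vlan-WiFi vlan-id=129 interface=ether2-master-local
/ip address
add address=10.103.0.250/24 interface=ether2-master-local comment="internal LAN (untagged)"
add address=10.103.129.1/24 interface=vlan-WiFi comment="guest WiFi (tagged 129)"
# DHCP for guest clients. Pool range and names are assumptions, not from the thread.
/ip pool
add name=pool-guest ranges=10.103.129.10-10.103.129.250
/ip dhcp-server
add name=dhcp-guest interface=vlan-WiFi address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=10.103.129.0/24 gateway=10.103.129.1 dns-server=10.103.129.1
# Let the router answer DNS for the guests (assumed choice; see note below).
/ip dns
set allow-remote-requests=yes
# Same masquerade rule the export in this thread already has.
/ip firewall nat
add chain=srcnat out-interface=ether1-gateway action=masquerade comment="default configuration"
```

Two things to check after pasting it: /ip dhcp-server lease should show guest clients getting 10.103.129.x addresses, and /interface vlan print should list vlan-WiFi on ether2-master-local with the R flag. Note that allow-remote-requests=yes makes the router answer DNS on ether1-gateway as well unless the input chain blocks it; the "drop input in-interface=ether1-gateway" rule in the firewall export later in this thread does that, so keep that rule if you use this DNS setting.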

Thank you. This helped. I had set up the DHCP from before, so I set it to vlan129 and everything was working, including internet. And I could not ping the internal lan, so I'm hoping that's good.

Could you explain what the

vlan remove [find ]

means?

Then just for clarification, since ports 3 to 5 are slaves to port 2, that means it’s basically a switch? So then the master port 2 can be set to have vlan129 and it’s available on all ports? That’s how it seems to be working now. :astonished:

# sep/25/2015 18:25:10 by RouterOS 6.32.2
# software id = A0PB-R4V5
#
/ip firewall filter
add chain=input protocol=ipsec-esp src-address=2.2.2.2
add chain=input dst-port=500 protocol=udp src-address=2.2.2.2
add chain=input protocol=icmp
add chain=input dst-port=80,8291,22 protocol=tcp
add chain=forward comment="default configuration" connection-state=established
add action=drop chain=forward comment="default configuration" connection-state=invalid
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=ether1-gateway


/ip firewall nat
add chain=srcnat dst-address=10.101.0.0/24 src-address=10.103.0.0/24
add chain=srcnat disabled=yes dst-address=10.101.0.0/24 src-address=10.103.0.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=yes dst-address=10.101.0.0/25 src-address=10.103.0.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway

I also want to make sure that vlan129 does not have access to the IPSec tunnel. Will I need to create a rule for that? Or because the src and dst do not include the 129 subnet, will it automatically not work?

That means remove all vlan entries (in this case from HW switch configuration).

Correct.

Traffic that does not match IPsec policy will leave your device unencrypted. If you want to drop it instead either add a corresponding firewall filter rule, or another IPsec policy with action=discard.
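Both options from that reply, written out in RouterOS 6 syntax as an added example rather than the poster's own commands. It assumes the names and subnets from the exports above: vlan-WiFi / 10.103.129.0/24 for guests, 10.103.0.0/24 for the internal LAN and 10.101.0.0/24 for the network on the far side of the IPsec tunnel; the rule comments are mine.

```routeros
# Added example: keep guest VLAN 129 out of the internal LAN and out of the tunnel.
# Subnets and interface names come from this thread; comments are constructed.
/ip firewall filter
# Guests may not open connections to the internal LAN ...
add chain=forward in-interface=vlan-WiFi dst-address=10.103.0.0/24 action=drop comment="guest: block internal LAN"
# ... nor to the remote network behind the IPsec tunnel. Dropped here, the
# traffic never reaches policy matching and so never leaves in clear.
add chain=forward in-interface=vlan-WiFi dst-address=10.101.0.0/24 action=drop comment="guest: block IPsec remote site"
# Second layer: a discard policy, so guest-to-remote traffic is still dropped
# (not sent unencrypted) if the filter rules above are later disabled or reordered.
/ip ipsec policy
add src-address=10.103.129.0/24 dst-address=10.101.0.0/24 action=discard comment="guest subnet never enters the tunnel"
```

"add" appends to the end of the chain. In the forward chain from the export above nothing accepts new connections before these rules, only established traffic is accepted and invalid is dropped, so the drops take effect as appended; if you later add a general accept rule, use place-before= to keep these drops above it. The discard policy does not overlap the existing tunnel policy because 10.103.129.0/24 is outside 10.103.0.0/24, so its position in the policy list does not matter. To verify, ping 10.103.0.250 and a host in 10.101.0.0/24 from a guest client: both should fail, while internet access through the masquerade rule still works.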


markdueck: are you around? trying to do the same thing as you seem to have managed to do.

nvm, solved it.