[Routing/Firewall] Mixed network mikrotik - Ubiquiti

I recently bought an Ubiquiti AP to complement my mikrotik router; to better manage it I also bought a Ubiquiti Gateway Ultra.
In this setup WIFI is on network A (Ubiquiti), cable and internet on network B (mikrotik); I tried to have a two-way connection between the two networks, but B to A will never work because Ubiquiti is blocking the WAN incoming traffic, no matter what (no firewall will override this).

So I tried this setup: the Ubiquiti gets its “WAN” address from VLAN Z (different from network B) and mikrotik gets a routable address from VLAN Y on the Ubiquiti side; this way I can route through that and inter-LAN communication works flawlessly. But internet doesn’t, neither for wifi devices nor for cabled ones.
Is there a way to make this work? What did I do wrong? The two cables are attached to two different switches (one on ETH1-5, one on ETH6-10).

Any help is much appreciated here, on the Ubiquiti forum the suggestion was to throw away the mikrotik…

I would throw away the ubiquiti gateway ultra. Pretty dumb if you cannot buy an AP and get it to work, but instead you have to buy a second ubiquiti product to talk to the AP.

To unlock the full potential of UniFi APs, including advanced features and centralized management, you’ll need to use a UniFi Controller (either a physical device or a cloud-based version)

I see you had to purchase the $129 gateway lite to manage the AP.
Perhaps you can run a unifi server on a PC, that will do it?? → https://ui.com/download/releases/network-server

Or perhaps run a unifi server in a container on the Mikrotik??
https://www.youtube.com/watch?v=2Rq1Dnj2p8E

The frustrating thing about the unifi controller is that it’s only needed for A. setup, or B. any changes. Other than that it has no 24/7 useful functionality.

For example this OP seems to be doing just that…
http://forum.mikrotik.com/t/vlan-help/182817/1

If you are not using the controller functionality which requires it to be running all of the time (captive portal, statistics gathering) running the software controller would have been an easier solution.

There shouldn’t be a problem setting up the UCG-Ultra with its WAN port connected to your existing Mikrotik LAN (for internet access), together with one of its LAN ports to link the Mikrotik LAN/VLANs to some VLAN-only networks on the UCG which are associated with SSIDs on the UniFi AP. The exact detail depends on where the AP is connected to - Mikrotik or UCG.

Good point tdw,
The Unifi Gateway (its wanip) can be on the same mikrotik vlan as the Unifi AP for example which should simplify matters.

Thanks for the replies, the AP is connected to the UCG. Thanks for showing me options, I may explore the container setup on the mikrotik, but I don’t think it is doable with my RB4011IGS+RM, at least not without seriously affecting general performance and stability of the router.

An option in favour of the UCG is the fact that it has a 2,5Gb/s WAN port, which the mikrotik does not have; and I have a 2,5Gb/s fiber cable connection.

As for the software solution I don’t have a computer that I want to keep 24/7 on that will run the software decently.

I have the wan IP of the UCG on a different network than the rest of the cabled devices, that part is solved through the use of VLANs.
It’s the return LAN to LAN cable that is causing me troubles, although it is on a VLAN only DHCP; that’s the part I will need help with.

You don’t need to run the controller 24/7. Only when you need to change the configuration or upgrade firmware. I have networks with UniFi APs and RouterOS routers in different locations and just use a small Linux VM where the controller is installed that I only occasionally start up. And I even manage all the different locations on that single software controller instance, each location as one “Site” in UniFi, with some WireGuard setup.

that’s what I did before and it regularly failed. After a couple of days the AP went “Offline” (although it perfectly worked) and setup was impossible. I had to power cycle it to bring it back “online”, until next time. A nightmare.
I could use a linux vm, but I would have to leave the host online 24/7 and electricity is not cheap here.

My Linux VM only runs a couple of times a month, when I want to check for firmware updates. I only need the VM because I need WireGuard to run together with the controller to give it access to the remote locations (If I had run the controller directly on my PC I would need to run WG on my PC too, which I don’t want). But if your APs are all local then you can just run the controller on Windows or macOS occasionally.

Normally, after you start up the controller, it only needs a few tens of seconds for the APs to change from Offline to Ready/Up to Date in the Devices list (in my case even with the APs in remote locations). It’s the AP that tries to periodically connect to the controller, if set up correctly. You can SSH directly to the APs to see if they have the correct URLs to the controller, look into the content of the file /etc/persistent/cfg/mgmt, there should be something like this at the bottom:


mgmt.servers.1.url=http://ip_address:8080/inform
stun_url=stun://ip_address/
mgmt_url=https://ip_address:8443/manage/site/default

Where “ip_address” is the IP address of the controller, and “default” is the Id of the “Site” in the controller. Needless to say, your controller (the PC you run it on) should have a static IP address.

Also, on the APs (through SSH) if you run the command set-inform you can manually change the URLs to the controller. I used that to have the APs in the remote locations (other sites) connect to my single controller instance.


# help
UniFi Command Line Interface - Ubiquiti Networks

   info                      display device information
   set-default               restore to factory default
   set-inform <inform_url>   attempt inform URL (e.g. set-inform http://192.168.0.8:8080/inform)
   upgrade <firmware_url>    upgrade firmware (e.g. upgrade http://192.168.0.8/unifi_fw.bin)
   fwupdate --url <firmware_url|firmware_name> [--dl-only] [--md5sum <sum_of_fw>]
            [--keep-firmware] [--keep-running] [--reboot-sys]
                                   new firmware update command
   reboot                    reboot the device

again, thanks for the reply, but really that didn’t work like that at my house… the AP went offline and stayed there for good, until restarted. At one point (maybe one week) it also started not listening for ssh either. I mean, I didn’t buy a UCG just to give money to ubiquiti, I bought it because what I had didn’t work satisfactorily.
Anyway here is the mikrotik forum, let’s keep it mikrotik. What did I do wrong with the LAN cable? Should the DHCP server of the LAN cable stay on the mikrotik or on the UCG? I actually tried with the UCG, maybe that was a mistake.

Can you drop a small plan of your network?
I really don’t understand your network setup from the text above :smiley:

Good luck with your endeavor mixing LAN WAN VLAN and whatever between the UniFi and MikroTik network then.

As I said, static leases for the APs in MikroTik DHCP server, static lease / IP address for the host machine that from time-to-time runs the controller software. There is nothing special about those UniFi APs that can cause such serious problems so that even SSH is unreachable. They are just running a fork of OpenWrt, the ethernet side with the RJ45 plug is just normal Linux networking. Maybe there is some other serious connectivity or PoE issue within your LAN.

I’ve been using UniFi APs with MikroTik routers since 2018 with software controller, with the same controller setting DB from version 5.x, first on Windows then migrated to Linux, just gradually upgraded up to 9.0.114 as the actual version. Never had the issues that you describe. The APs all have multiple VLANs, including per-WiFi-user dynamic VLANs with WPA3 Enterprise, where RouterOS acts nicely as RADIUS server (with User Manager).

Let’s try:
Screenshot 2025-03-28 100208.png
how would I set LAN up so that it doesn’t make a mess? Of course the two cables to the UCG would be on different switches (one on eth1-5, the other on eth 6-10)
In the current setup (without the LAN cable) network B can access network A, A can’t access B because UCG is blocking all incoming traffic on WAN port, and this can’t be changed.

anyway I decided to give up the mikrotik and go full ubiquiti. It’s the best choice for what I want to do now and in the next years, and also I can use my 2,5Gb/s connection to its full extent with the UCG, while with the mikrotik I would be limited to 1Gb/s.