Ubiquiti Unifi, Mikrotik & Vlans

I have Ubiquiti UniFi WAPs and an RB750GL MikroTik router. I am trying to set up 2 WLANs on the UniFi: one for private use, and one for guest use. I want the VLAN for private use located on 192.168.1.1, and the guest VLAN located on 10.0.1.1, and both to be broadcast on the UniFi.

I understand that I need to set up a vlan of 10.0.1.1 on the mikrotik, and I think I also need to set up bridging, and I get the basic ideas, but I’m not really sure how to accomplish this. I really need some help. I have searched this and unifi forums, and I don’t have a clear answer.

If anyone has a step by step or would be willing to create one I would really appreciate it.

Thanks.

Make a bridge, put ports in as members. So port 2, port 3, port 4, port 5. Port 1 is internet.
Make a new interface vlan 1 on the bridge. Then of course DHCP. IP ranges…

I’ve done pretty much this at home… only difference is I don’t use the “guest” feature of UniFi, but have set up two standard SSIDs in UniFi with an RB750 as my main gateway.

In the UniFi controller, create two SSIDs and assign a VLAN ID to each. My UniFi APs connect to a switch and trunk back to a single port on the RB750 (eth2). On the RB750 gateway create two VLAN interfaces and assign IP addresses (192.168.1.1 on one, and 10.1.1.1 on the other).

Create two IP pools (192.168.1.0/24 and 10.1.1.0/24) and set up the DHCP server on the RB for the two VLAN interfaces with the respective IP pools. Optionally, put in IP firewall rules to stop 192.168.1.0/24 clients talking to 10.1.1.0/24 clients and vice versa.

Here’s an extract from my RB config (Note that I use vlan 88 for the “guests” and use untagged for my own private stuff). Assume you have it already setup for internet access / NAT / routing / DNS etc…:

;;; Create the VLAN for the guest (for my config I used untagged for private)
/interface vlan
add interface=ether2-local-master l2mtu=1520 name=vlan88-guest vlan-id=88

;;; Set an IP address for each subnet on the two private / guest interfaces
/ip address
add address=192.168.88.1/24 interface=vlan88-guest
add address=192.168.1.1/24 interface=ether2-local-master

;;; Define the DHCP pools
/ip pool
add name=guest-dhcp ranges=192.168.88.10-192.168.88.254
add name=private-dhcp ranges=192.168.1.10-192.168.1.150

;;; Set some DHCP options for the two networks
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

;;; Create the DHCP server for the two networks
/ip dhcp-server
add address-pool=private-dhcp disabled=no interface=ether2-local-master name=private
add address-pool=guest-dhcp disabled=no interface=vlan88-guest name=guest

;;; optional for security between private / guest
/ip firewall filter
add action=accept chain=input connection-state=established disabled=no in-interface=pppoe-isp
add action=accept chain=input connection-state=related disabled=no in-interface=pppoe-isp
add action=log chain=input disabled=yes in-interface=pppoe-isp log-prefix=""
add action=drop chain=input disabled=no in-interface=pppoe-isp
add action=accept chain=input disabled=no dst-port=53 in-interface=vlan88-guest protocol=tcp
add action=accept chain=input disabled=no dst-port=53 in-interface=vlan88-guest protocol=udp
add action=accept chain=input disabled=no dst-port=67 in-interface=vlan88-guest protocol=udp
add action=accept chain=input disabled=no dst-port=68 in-interface=vlan88-guest protocol=udp
add action=drop chain=input disabled=no in-interface=vlan88-guest
add action=drop chain=forward disabled=no dst-address=192.168.0.0/16 in-interface=vlan88-guest
add action=accept chain=forward disabled=no in-interface=vlan88-guest
add action=accept chain=forward disabled=no
add action=accept chain=input disabled=no
add action=accept chain=output disabled=no

/ip neighbor discovery
set ether1-isp disabled=yes
set vlan88-guest disabled=yes

;;; optional cosmetic config if you're using RB as DNS server
/ip dns static
add address=192.168.88.1 name=guest-router
add address=192.168.1.1 name=router-router

Rich

Ok, I see what you are doing. However, I want the UniFi to broadcast ALL of the router’s DHCP addresses and VLANs. Don’t you have to create a bridge to do this? Let’s say my main DHCP is 192.168.1.1, and then I have 2 VLANs of 192.168.2.1 and 192.168.3.1. I want the UniFi to broadcast all 3 of them, the first being private, the second being public and the third being public. Will your setup do that? Thanks.

Can anyone jump in and set me in the right direction?

His config wouldn’t work as is, but could be modified since it only has the two networks… Basically you want to create an SSID for each VLAN you want the UniFi to use (although the UniFis are limited to 4). Then set up a VLAN for each of those along with the appropriate bridges, DHCP pools, networks, and servers on the RouterBoard. You also want to set up the firewall appropriately to drop traffic between the networks. Or you can do what I do and drop everything by default and allow only certain traffic.

I can try to write up an actual config later (or something that will get you pretty close) if you tell me exactly what you are doing and how your stuff is wired (e.g. which ports, etc. so I can set up the bridges, trunks, and VLANs).

Just give me as much info as you can. Also suppose you have the three VLANs, what are they for? Should traffic go between them? etc?

-Eric

Ok, here is what I am trying to do:

Create 3 wireless networks for the UniFi named:

wifi1
wifi2
wifi3

The first, wifi1, is private and is the wireless version of my actual wired LAN. It will be on 192.168.1.1, if this is possible. I want it so that the UniFi controller can get its IP address from it, and so I can wirelessly access my wired LAN just like I was plugged in.

The second, wifi2, is a guest network for the kids. It will be on 192.168.2.1.

The third, wifi3, is also a guest network for everyone else. It will be on 192.168.3.1.

None of the networks should be able to talk to one another for security purposes. Also, if there is heavy traffic or a lot of activity on one subnet I don’t want it to bog down the other subnets, if this is possible. I think that’s what vlans do anyway?

Regarding ports, I would like:

port 1 to be the gateway wan
port 2 to be my lan at 192.168.1.1
port 3 to be 192.168.2.1
port 4 to be 192.168.3.1
port 5 to be the port with all subnets on it that will connect to my UniFi.

This way if I want to I can send each port to a switch somewhere down the road if need be.

If that isn’t possible, then how about:

port 1 for gateway wan
port 2 for 192.168.1.1
port 5 with all subnets to connect to the UniFi.

If you need any more info, just let me know. I really appreciate all the help. Thanks.

Alright. I got it. I’ll write you a config a little later today when I get some free time,

Thank you.

Alright… something like this. Basically I set up three bridges… one for local, one for kids, and one for guest. I set up the VLANs on Ether5 (the trunk port) because that is how you do VLANs on MikroTik. I bridged the VLANs into the three bridges along with their respective ports. I set up addresses, pools, DHCP networks, and DHCP servers on each of the bridges. I made sure that the switch chip was disabled (set master-port=none on the interfaces). Then I set up a firewall… first I allowed related/established, then allowed ports 53, 67, and 68 (DNS and DHCP) from the guest and kids networks (I did this with a jump to a separate chain so I didn’t have to copy all of the rules for both “guest” networks (kids and guest)), then allowed ALL from local and then DROP everything else (I prefer drop by default, hence why the last input rule is drop vs the MikroTik standard of accept by default). Then I allowed forwarded traffic from anywhere out to the internet… then dropped everything again by default (this will isolate the bridges). Then I masq traffic going out to the internet. Lastly I shut off discovery on the gateway interface and all of the guest interfaces.

That’s a basic config to get you started… any questions?

Oh… and on the UniFi… set up three SSIDs with the corresponding VLANs. Also make sure that the switch you are using can handle VLANs… or however the UniFi access points are connected.

/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-local master-port=none
set 2 name=ether3-kids master-port=none
set 3 name=ether4-guest master-port=none
set 4 name=ether5-trunk master-port=none

/interface vlan
add interface=ether5-trunk name=vlan-local-ether5 vlan-id=100
add interface=ether5-trunk name=vlan-kids-ether5 vlan-id=101
add interface=ether5-trunk name=vlan-guest-ether5 vlan-id=102

/interface bridge
add comment="Local Bridge" name=bridge-local
add comment="Kids Bridge" name=bridge-kids
add comment="Guest Bridge" name=bridge-guest

/interface bridge port
add bridge=bridge-local interface=ether2-local
add bridge=bridge-local interface=vlan-local-ether5

add bridge=bridge-kids interface=ether3-kids
add bridge=bridge-kids interface=vlan-kids-ether5

add bridge=bridge-guest interface=ether4-guest
add bridge=bridge-guest interface=vlan-guest-ether5

/ip address
add address=192.168.1.1/24 interface=bridge-local
add address=192.168.2.1/24 interface=bridge-kids
add address=192.168.3.1/24 interface=bridge-guest

/ip pool
add name=pool-local ranges=192.168.1.2-192.168.1.254
add name=pool-kids ranges=192.168.2.2-192.168.2.254
add name=pool-guest ranges=192.168.3.2-192.168.3.254

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1

/ip dhcp-server
add address-pool=pool-local disabled=no interface=bridge-local name=local
add address-pool=pool-kids disabled=no interface=bridge-kids name=kids
add address-pool=pool-guest disabled=no interface=bridge-guest name=guest

/ip firewall filter
# router-bound traffic: replies to connections the router opened or already accepted
add action=accept chain=input connection-state=established disabled=no
add action=accept chain=input connection-state=related disabled=no

# kids and guest only get the services listed in the input-guest chain
add action=jump chain=input jump-target=input-guest in-interface=bridge-kids
add action=jump chain=input jump-target=input-guest in-interface=bridge-guest

# local may manage the router
add action=accept chain=input in-interface=bridge-local

# everything else aimed at the router (including all of ether1-gateway) is dropped
add action=drop chain=input

# transit traffic: replies to existing connections must be accepted here as well,
# otherwise answers coming back from the internet (in ether1-gateway, out a bridge)
# fall through to the final forward drop
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward out-interface=ether1-gateway
# no bridge-to-bridge forwarding: this is what isolates the three networks
add action=drop chain=forward

# services the kids/guest networks may use on the router: DNS and DHCP only
add action=accept chain=input-guest dst-port=53 protocol=tcp
add action=accept chain=input-guest dst-port=53 protocol=udp
add action=accept chain=input-guest dst-port=67 protocol=udp
add action=accept chain=input-guest dst-port=68 protocol=udp

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1-gateway

/ip neighbor discovery
set ether1-gateway discover=no
set ether3-kids discover=no
set ether4-guest discover=no
set bridge-kids discover=no
set bridge-guest discover=no
set vlan-kids-ether5 discover=no
set vlan-guest-ether5 discover=no
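A check worth running before trusting either firewall fragment in this thread (Rich’s two-network rules above and the three-bridge rules here): walk a packet through the rules the way RouterOS does, first match wins, a `jump` consults its sub-chain and falls through if nothing there matches, and a packet no rule matches is accepted. The Python below is an added example, not code from the thread or from MikroTik. Its rule text is a constructed transcription of the three-bridge filter with one addition, the rule marked `comment=reply-traffic`, an explicit accept for `established,related` in the forward chain; `reply_verdict` shows why that rule matters: without it an answer coming back from the internet (in `ether1-gateway`, out `bridge-local`) matches nothing except the final forward drop. The interface names follow the config above; the port numbers and the TEST-NET-3 address in the scenarios are illustrative.

```python
import ipaddress
import shlex

# Added example, not code from the thread or from MikroTik. RULES_TEXT is a
# constructed transcription of the three-bridge filter; the rule tagged
# comment=reply-traffic is an addition (see reply_verdict below).
RULES_TEXT = """
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=jump chain=input jump-target=input-guest in-interface=bridge-kids
add action=jump chain=input jump-target=input-guest in-interface=bridge-guest
add action=accept chain=input in-interface=bridge-local
add action=drop chain=input
add action=accept chain=forward connection-state=established,related comment=reply-traffic
add action=accept chain=forward out-interface=ether1-gateway
add action=drop chain=forward
add action=accept chain=input-guest dst-port=53 protocol=tcp
add action=accept chain=input-guest dst-port=53 protocol=udp
add action=accept chain=input-guest dst-port=67 protocol=udp
add action=accept chain=input-guest dst-port=68 protocol=udp
"""

# the matchers this toy understands (RouterOS has many more)
MATCHERS = ("in-interface", "out-interface", "protocol", "dst-port",
            "dst-address", "connection-state")


def parse_rules(text):
    """Turn 'add k=v ...' lines into dicts; disabled=yes rules are skipped."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if tokens[:1] != ["add"]:
            continue
        rule = dict(tok.split("=", 1) for tok in tokens[1:])
        if rule.get("disabled") != "yes":
            rules.append(rule)
    return rules


def _matches(rule, pkt):
    """Every matcher present on the rule must match the packet."""
    for key in MATCHERS:
        if key not in rule:
            continue
        want, have = rule[key], pkt.get(key)
        if have is None:
            return False
        if key == "dst-port":               # lists (53,67) and ranges (1024-65535)
            hit = False
            for part in want.split(","):
                lo, _, hi = part.partition("-")
                hit |= int(lo) <= have <= int(hi or lo)
            if not hit:
                return False
        elif key == "dst-address":
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        elif key == "connection-state":     # e.g. established,related
            if have not in want.split(","):
                return False
        elif want != have:
            return False
    return True


def walk(rules, chain, pkt):
    """First match wins; a jump consults its target and falls through on no match."""
    for rule in rules:
        if rule["chain"] != chain or not _matches(rule, pkt):
            continue
        action = rule["action"]
        if action in ("accept", "drop", "reject"):
            return action
        if action == "jump":
            result = walk(rules, rule["jump-target"], pkt)
            if result is not None:
                return result
        # log / passthrough: keep walking the current chain
    return None


def verdict(rules, chain, pkt):
    """RouterOS accepts whatever no rule in the chain matched."""
    return walk(rules, chain, pkt) or "accept"


def pkt(in_if=None, out_if=None, proto=None, dport=None, state="new", dst=None):
    """Only the fields the matcher looks at, under their RouterOS names."""
    p = {"connection-state": state}
    for key, value in (("in-interface", in_if), ("out-interface", out_if),
                       ("protocol", proto), ("dst-port", dport), ("dst-address", dst)):
        if value is not None:
            p[key] = value
    return p


def check_isolation(rules):
    """The questions to ask before trusting the config. 203.0.113.5 is TEST-NET-3."""
    cases = {
        "guest -> router DNS":     ("input",   pkt("bridge-guest", proto="udp", dport=53)),
        "guest -> router SSH":     ("input",   pkt("bridge-guest", proto="tcp", dport=22)),
        "local -> router SSH":     ("input",   pkt("bridge-local", proto="tcp", dport=22)),
        "WAN -> router (new)":     ("input",   pkt("ether1-gateway", proto="tcp", dport=22)),
        "guest -> local LAN":      ("forward", pkt("bridge-guest", "bridge-local", dst="192.168.1.10")),
        "local -> kids LAN":       ("forward", pkt("bridge-local", "bridge-kids", dst="192.168.2.10")),
        "guest -> Internet":       ("forward", pkt("bridge-guest", "ether1-gateway", dst="203.0.113.5")),
        "Internet reply -> local": ("forward", pkt("ether1-gateway", "bridge-local", state="established")),
    }
    return {name: verdict(rules, chain, p) for name, (chain, p) in cases.items()}


def reply_verdict(rules, with_forward_established=True):
    """Without the reply-traffic rule the internet's answers hit the final forward drop."""
    subset = [r for r in rules if with_forward_established or r.get("comment") != "reply-traffic"]
    return verdict(subset, "forward", pkt("ether1-gateway", "bridge-local", state="established"))


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    for name, v in check_isolation(RULES).items():
        print(f"{name:26s} {v}")
    print("reply without forward established/related rule:", reply_verdict(RULES, False))
```

Run it and every cross-bridge forward should come back `drop`, only DNS and DHCP from kids/guest to the router `accept`, new connections from the WAN side `drop`, and the last line should read `drop`, which is what the three-bridge config does to return traffic if the forward chain has no established/related accept of its own. The evaluator models only the matchers used on this page; it is a sanity check on rule order and chain logic, not a substitute for testing on the box.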

Thank you. I will check this out and try it when I get home tonight.

Let me know if you run into anything… Also… about the config. It is the way you asked for (the ideal way). Basically ether1 is the gateway. Ether2-5 are access ports for the VLANs (e.g. untagged traffic into the ports)… and ether5 is the trunk with 3 tagged VLANs to the Unifis.

And there are no queues setup just yet… get it working without queues before you mess with it more… once it is working we can add queues.

I am getting this error when I paste your config into the mikrotik:

[admin@MikroTik] /ip dhcp-server network> /ip dhcp-server
[admin@MikroTik] /ip dhcp-server> add address-pool=dhcp-local disabled=no interface=bridge-local name=local
input does not match any value of address-pool
[admin@MikroTik] /ip dhcp-server> add address-pool=dhcp-kids disabled=no interface=bridge-kids name=kids
input does not match any value of address-pool
[admin@MikroTik] /ip dhcp-server> add address-pool=dhcp-guest disabled=no interface=bridge-guest name=guest
input does not match any value of address-pool

I will try to figure it out.

I think I figured out the problem. It was just a naming issue with the DHCP pools. I renamed them pool- to correspond to the way you named them above. Let me know if that’s the correct thing to do.

Ok, I tried it, but it did not work.

Here is what I did:

I started with a reset MikroTik with no configuration. I installed your script. It installed correctly once I made the pool correction above.
I did not plug anything into port 1 as I was just trying to get an IP address and not really concerned with the internet. I don’t think this matters.

If I plugged my PC into port 2 I got an IP address in the 192.168.1.1 range
If I plugged my PC into port 3 I got an IP address in the 192.168.2.1 range
If I plugged my PC into port 4 I got an IP address in the 192.168.3.1 range
If I plugged my PC into port 5 I got NO IP address (aren’t I supposed to have an address in the 192.168.1.1 range here? If not, how does the unifi get an address in this range?)

Here might be the problem. I may not have explained myself correctly. Right now I am not using any switches. I want to go directly from port 5 of the mikrotik to the unifi. This does NOT work. I have read that the main subnet that you want the controller to have can not be tagged, which would be 192.168.1.1. I’m not sure that the unifi is getting an ip address in that range.

Am I supposed to tag 192.168.1.1 with 101 like you said? I want this to be my main private network, and also the main wired network that anything on port 2 would have the same subnet.

Have you tried this out? I am asking because if you got it working, and I didn’t, maybe I am doing something else wrong.

I think we can figure it out. I appreciate all the help. I am starting to understand what you are doing which helps a lot.

/ip pool
add name=pool-local ranges=192.168.1.1-192.168.1.254
add name=pool-kids ranges=192.168.2.2-192.168.2.254
add name=pool-guest ranges=192.168.3.2-192.168.3.254

Shouldn’t the address pool for 192.168.1.1 start at 192.168.1.2?

Yes. You are correct. And I also did make a typo in the config I posted. … Seems like you have it all at least running.

As for the other question it really comes down to a matter of how you want your network set up. If you want all of your “local” traffic untagged… then basically drop the vlan-local-ether5 and then add ether5-trunk directly to the bridge-local. This would give you untagged “local” traffic on ether5, as well as tagged vlans 102 and 103.

Does that make sense? The question is whether or not you want to have your “management” vlan tagged. If you want it tagged then the original config is correct, but you have to make sure the unifi is set to use 101 as its “management” vlan. That is how it will get an IP from the correct network.

Questions?

What do you suggest is the “best” way to do it? Does it make any difference? I understand the concept of what you are saying, but I am not sure how to put it on paper. Let’s say I want to try it both ways. What would it look like for each? Can you post the changes for each?

If I use the tagged method for local traffic, how do I tell the Unifi to use 101 as the management vlan? Is it as simple as checking it and putting in 101?

Thanks for all the help. I think we are going to finally get it going.

Personally… I just leave my “local” traffic untagged at home and tag only the other stuff… I don’t remember where offhand to set the management VLAN on the Unifi Controller. I’d have to look. What version controller are you using?

As for the configs… Here are the only differences between them… the rest of the config is the same:

/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-local master-port=none
set 2 name=ether3-kids master-port=none
set 3 name=ether4-guest master-port=none
set 4 name=ether5-trunk master-port=none

/interface vlan
add interface=ether5-trunk name=vlan-kids-ether5 vlan-id=101
add interface=ether5-trunk name=vlan-guest-ether5 vlan-id=102

/interface bridge port
add bridge=bridge-local interface=ether2-local
add bridge=bridge-local interface=ether5-trunk

add bridge=bridge-kids interface=ether3-kids
add bridge=bridge-kids interface=vlan-kids-ether5

add bridge=bridge-guest interface=ether4-guest
add bridge=bridge-guest interface=vlan-guest-ether5

Notice the local vlan is missing? And the bridge-local has the ether5-trunk in it? … basically your “local” vlan is just always untagged traffic.

If you do it this way the UniFis can just use normally untagged traffic as their management VLAN.

-Eric
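To see why the AP got no address on port 5 under the all-tagged layout, and why the untagged variant needs nothing changed on the UniFi side, it helps to look at what actually arrives on ether5. An 802.1Q tag is four bytes inserted after the source MAC (TPID 0x8100, then a 16-bit TCI whose low 12 bits are the VLAN id). A `/interface vlan` on ether5 only receives frames carrying its id, while ether5-trunk added to a bridge as a plain port is what receives the untagged frames. The Python below is an added example, not code from the thread or from Ubiquiti or MikroTik: it builds constructed frames (locally administered MACs, a stub payload standing in for a DHCP Discover) and maps each one to the router interface that would answer DHCP under the two layouts, using the VLAN ids from the posted config (100 local, 101 kids, 102 guest). `None` means no interface holding an IP address receives the frame, so no DHCP offer comes back, which is the symptom reported for port 5.

```python
import struct

# Added example, not code from the thread. Frames are constructed; MACs are
# locally administered (02:...) so they collide with nothing real.
TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
BCAST = b"\xff" * 6
AP_MAC = bytes.fromhex("0218b7000001")
CLIENT_MAC = bytes.fromhex("02deadbeef02")
DHCP_STUB = b"\x45" + b"\x00" * 19   # stand-in for an IPv4/UDP DHCP Discover

# Which router interface holds an IP (and a DHCP server) for each VLAN id seen on
# ether5; the None key stands for untagged frames. Ids as in the posted config.
LAYOUT_ALL_TAGGED = {100: "bridge-local", 101: "bridge-kids", 102: "bridge-guest"}
LAYOUT_LOCAL_UNTAGGED = {None: "bridge-local", 101: "bridge-kids", 102: "bridge-guest"}


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Ethernet II frame; with vlan_id set, an 802.1Q tag follows the source MAC."""
    frame = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)      # PCP(3) DEI(1) VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_vlan(frame):
    """Return (vlan_id or None, inner ethertype); untagged frames carry no VID."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, ethertype
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner


def answering_interface(frame, layout):
    """Interface whose DHCP server sees the frame, or None if nothing with an IP does."""
    vid, _ = parse_vlan(frame)
    return layout.get(vid)


def ap_management_frame(management_vlan=None):
    """The AP's own DHCP Discover: untagged unless a management VLAN is configured."""
    return build_frame(BCAST, AP_MAC, ETHERTYPE_IPV4, DHCP_STUB, vlan_id=management_vlan)


def ssid_client_frame(ssid_vlan):
    """A wireless client's DHCP Discover, tagged by the AP with that SSID's VLAN."""
    return build_frame(BCAST, CLIENT_MAC, ETHERTYPE_IPV4, DHCP_STUB, vlan_id=ssid_vlan)


def where_frames_land(layout):
    """Map the frames the AP puts on ether5 to the interface that answers them."""
    return {
        "AP, no management VLAN":  answering_interface(ap_management_frame(), layout),
        "AP, management VLAN 100": answering_interface(ap_management_frame(100), layout),
        "wifi2 client (VLAN 101)": answering_interface(ssid_client_frame(101), layout),
        "wifi3 client (VLAN 102)": answering_interface(ssid_client_frame(102), layout),
    }


if __name__ == "__main__":
    for name, layout in (("all tagged", LAYOUT_ALL_TAGGED), ("local untagged", LAYOUT_LOCAL_UNTAGGED)):
        print(name)
        for case, iface in where_frames_land(layout).items():
            print(f"  {case:26s} -> {iface or 'no DHCP offer'}")
```

A UniFi AP with no management VLAN configured sends its own DHCP requests untagged and tags each SSID's client traffic with that SSID's VLAN, so under the all-tagged layout the AP only gets an address once its management VLAN is set to 100 (and until then it is unreachable from the controller), while under the untagged layout it works as shipped. In both layouts the SSID traffic for VLANs 101 and 102 lands on the same bridges, which is why the two variants differ only in how the local network is carried.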

Ok, I’ll give it another try when I get home tonight.

Thanks Eric.

Sounds good. The difference between the two is minimal… just whether or not you tag your default network. The untagged way should require nothing to change on the unifi and may be easier to get to work.

Let me know how it goes.

-Eric