I’m trying to set up a network where I have Mikrotik switches (mostly CRS3xx-series) and Unifi WLAN gear. Is there some general recommendation for how a Unifi AP should be connected to RouterOS? Until today I had them on trunk ports, but there must be some better solution. Thanks to some VLAN misconfiguration my Unifi Controller lost all APs and I decided that it was now time to reset all of them. It was not the best idea because all untagged packets were blocked, or at least there was no bridge on VLAN 1 (I think this is the misconfiguration; I have not solved this yet).
Is it a good idea to make an AP port where all untagged traffic goes, for example, to my GUEST VLAN, and when the Unifi AP is configured correctly it gets access to the MGMT VLAN + all Wi-Fi VLANs? I do not have 100 % physical port security, so something like this might work better than an open trunk port. Is it possible to automate identification of a real AP, or should I just trust that all tagged traffic is coming from legitimate sources?
AFAIK the UniFi controller doesn’t have management VLAN settings. They all expect to be untagged, so you can set the PVID on all access ports and use trunk ports for the UniFi AP and controller.
I have my Unifi controller on one VLAN and use that VLAN untagged for management on all APs. The APs have a trunk with tagged VLANs that serve the different SSIDs (configured in the controller). My router then takes care of the firewalls as appropriate.
So on the AP trunks you can then define the management VLAN as untagged and only the other VLANs required for the SSIDs as tagged.
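The layout described in the replies above (management VLAN untagged on the AP port, SSID VLANs tagged, controller on a plain access port) expressed as a RouterOS bridge VLAN filtering configuration for a CRS3xx. This is an added example, not configuration posted by anyone in the thread. The VLAN IDs (10 = MGMT, 20 = STAFF SSID, 30 = GUEST SSID), the port roles (ether1 uplink, ether2 AP, ether3 controller) and the management address 192.0.2.2/24 are all constructed assumptions; substitute your own.

```routeros
# Constructed example: VLAN 10 = MGMT (UniFi controller + AP management),
# VLAN 20 = STAFF SSID, VLAN 30 = GUEST SSID.
# ether1 = uplink to the router (tagged only), ether2 = UniFi AP, ether3 = controller.
# All names, IDs and addresses are assumptions for illustration.

/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
# AP port: management arrives untagged and is placed in VLAN 10 by the PVID,
# SSID traffic arrives tagged. ingress-filtering drops any tag not listed for
# this port in the VLAN table below.
add bridge=bridge1 interface=ether2 pvid=10 ingress-filtering=yes frame-types=admit-all
# Controller port: ordinary access port in MGMT; tagged frames are rejected.
add bridge=bridge1 interface=ether3 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
# Uplink: accepts tagged frames only, nothing untagged.
add bridge=bridge1 interface=ether1 ingress-filtering=yes frame-types=admit-only-vlan-tagged

/interface bridge vlan
# Every VLAN in use needs an entry. A port whose PVID has no entry here silently
# drops its untagged frames, which is the symptom the original poster describes
# (APs unreachable after reset, "no bridge on VLAN 1"). bridge1 is tagged in VLAN 10
# so the switch's own management IP lives there.
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether1 untagged=ether2,ether3
add bridge=bridge1 vlan-ids=20,30 tagged=ether1,ether2

# Management address of the switch on the MGMT VLAN only.
/interface vlan
add name=vlan10-mgmt interface=bridge1 vlan-id=10
/ip address
add address=192.0.2.2/24 interface=vlan10-mgmt

# Turn filtering on last, from a console or Safe Mode session, so a mistake
# above cannot lock you out of the switch.
/interface bridge
set bridge1 vlan-filtering=yes
```

Regarding the question about untrusted devices on the AP port: with ingress filtering and an explicit VLAN table, a device plugged into ether2 can only reach the VLANs listed for that port (10 untagged, 20 and 30 tagged), and frames carrying any other tag are dropped at the switch. It cannot stop a rogue device from tagging frames as VLAN 20 or 30 itself; a trunk inherently trusts the device on the other end, so the remaining protection is the router's firewall between those VLANs and physical control of the port.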