Unifi AP running on MikroTik VLAN

RouterOS Wireless Networking
1

Hello everyone, I recently switched my network configuration over to router-on-a-stick, using the RB5009. I followed the tutorial in the other forum post and everything is going pretty well. One of the last things I am trying to do is remove the default dhcp server set on the main bridge (192.168.88.0), which is the default VLAN 1.

My AP’s are the Unifi Pro 6 running on this VLAN, and they are configured with my various wireless networks attached to VLANs (iot, home, management, etc). For some reason, I can’t put these APs on a VLAN other than the default 1. I use bridge port, set the VLAN id on the port, and have ingress filtering on, admit all. When I try, they are assigned an IP address in DHCP but are unreachable via ping/ssh.

I’m wondering if this is a case of bad mixing of different products, since there is some advanced configuration that I might not be aware of that can only be set with the unifi gateway product.

2

Well the first few rules of the Mikrotik Club are:
http://forum.mikrotik.com/t/configuring-wireless-on-wap-r-from-zero/179986/1
VLAN1 is seemingly used internally, and using it externally may create issues:
http://forum.mikrotik.com/t/management-vlan-issue/175412/1

If you really cannot change those UNIFI VLAN 1 settings there is probably some way to configure differently the Mikrotik, but you will need the assistance of some expert members, I have no idea what could be done.

3

To learn a bit (more) about VLAN, please have a good look at this (great) topic:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

4

So yeah to be clear, I don’t actually have a VLAN set up on 1, but it’s just using the defaults by both MikroTik and UniFi. You are definitely right though, that I do not have a great understanding of how the default is handled by both MikroTik and UniFi.

5

This is the thread I was referring to in how I set up my ROAS :smiley:

Great topic

6

UniFi AP’s are going to be fairly easy, tag the SSID’s that you need and the AP unless you specifically set a management VLAN, leave it as a “basic” dhcp client, just get clever with your native (untagged) vlan.

You will need to read through the VLAN implementation documentation, short story (as much as I hate to admit this), do what anav advises and remove a port from the bridge, leave it on vlan1 and give it an IP and use it as a management port in case you knock yourself off the network.
Implement bridge vlan filtering, build the vlans and label tagged and untagged ports.

It’s a weird one to get your head around (especially if you’ve vlanned in any other manufacturer) but once it’s in, it feels odd but it sticks.

I run a similar setup but use Zyxel AP’s so give me a tag if you want any further input from someone who won’t ask for a config file :slight_smile:

7

I do actually want to post my config if that’s OK. The two APs are located on ports 7 and 8. When I change the PVID from 1 to 10, it gets an IP from DHCP, but is unconnectable. I tried hard resetting the config on one of the APs as well and the same thing happened.

I have a pretty good handle on VLAN routing, but I am weak in terms of the firewall rules. So I think that might be the reason this isn’t working.

Please let me know if I forgot to redact something. Thank you.
mikrotik_router_config.txt (12.6 KB)

8

A warning sign → have a pretty good handle on VLAN routing, UH OH :slight_smile:

  1. You should really upgrade to 7.16.2, if you upgrade manually you have to do it in two steps, first to 7.12.1 and then to 7.16.2

  2. Why five pools when you only have four VLANS?
    Ahh I see why, you didnt read the reference given to you (which apparently you used LOL).
    NO EXAMPLE showed the bridge doing any dhcp!!!

  3. WHY do you have vlans on your bridge port …port does not equal vlan???
    Again, please show me on the excellent reference where pcunite put vlans as bridge ports… I would love to be wrong!

add bridge=bridge interface=home_vlan pvid=2
add bridge=bridge interface=iot_vlan pvid=4
add bridge=bridge interface=public_vlan pvid=3

  1. Not an error but an observation /interface bridge port that ether6 is untagged for pvid 2,
    Lets look at the corresponding line on /interface bridge vlan
    add bridge=bridge tagged=bridge,sfp-sfpplus1,ether7,ether8 untagged=ether5 vlan-ids=2

Ether6 is missing but luckily the router creates the untagging dynamically based on the pvid setting in /interface bridge port, so one is covered.
I prefer as you are doing to show all the untags in the manual rules so its easy to cross check for errors and because it will show up in /export .

  1. Ether3 is not mentioned at all on /interface bridge vlan so assume that is the single port served by the bridge. Purpose???
    One should simply create a vlan for this call it vlan-88 with interface bridge, move ip address from bridge to this interface, as well as /ip dhcp-server and add to interface list member group of VLAN and remove bridge from interface list member.

  2. Would rejig like so. Assuming unifi by default requires management port untagged and the rest of the vlans tagged.
    /interface bridge port
    add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
    add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=88
    add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=4
    add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=2
    add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=2
    add bridge=bridge interface=ether7 pvid=10 comment=“hybrid port”
    add bridge=bridge interface=ether8 pvid=10 comment=“hybrid port”
    add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1

/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether7,ether8 untagged=ether5,ether6 vlan-ids=2
add bridge=bridge tagged=bridge,ether7,ether8 vlan-ids=3
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether7,ether8 untagged=ether4 vlan-ids=4
add bridge=bridge tagged=bridge,sfp-sfpplus1 untagged=ether2,ether7,ether8 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=88

9

Now moving to firewall rules…

  1. Dont understand your logic at all.
    For example why do you include the second rule when the first rule covers everybody already…
    Who in the MGMT interface is not already in list VLAN… :slight_smile:
    Further, why do you want everybody besides those in MGMT interface full access to the router (input chain=to router).
    add action=accept chain=input comment=“allow VLAN” in-interface-list=VLAN
    add action=accept chain=input comment=“allow MGMT full access” in-interface-list=MGMT

  2. Rejigged proper order etc…

/ip firewall filter
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=accept chain=input comment=“allow MGMT full access” in-interface-list=MGMT
add action=accept chain=input comment=“allow VLAN” in-interface-list=VLAN dst-port=53 protocol=udp
add action=accept chain=input comment=“allow VLAN” in-interface-list=VLAN dst-port=53 protocol=tcp
add action=drop chain=input comment=“drop all else” { add this rule last so you dont lock yourself out }

add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=forward comment=“internet traffic” in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=accept chain=forward comment=“allow HA to NAS” dst-address=192.168.87.2 src-address=192.168.86.2
add action=accept chain=forward comment=“allow HA to ratgdo” dst-address=192.168.87.5 src-address=192.168.86.2
add action=accept chain=forward comment=“allow home to HA” dst-address=192.168.86.2 in-interface=home_vlan
+++++ ADD ANY OTHER ALLOW RULES HERE ++++++
add action=drop chain=forward comment=“Drop all else”

now about this confusing bit… I didnt understand it all so a bit more explanation is required.
— This is what I want —
add action=accept chain=forward comment=“allow AP to UGK” disabled=yes dst-address=192.168.87.4 src-address=192.168.84.10
add action=accept chain=forward comment=“allow AP to UGK” disabled=yes dst-address=192.168.87.4 src-address=192.168.84.20

— This is what I am forced to do right now —
add action=accept chain=forward comment=“allow UGK to AP” dst-address=192.168.87.4 src-address=192.168.88.10
add action=accept chain=forward comment=“allow UGK to AP” dst-address=192.168.87.4 src-address=192.168.88.20

10

Not clear what you are trying to accomplish with layer7 rules. I think it could be a total waste of time.
I see some dstnat rules attempting to capture some traffic to send to a specific dns server on the LAN.g
The users or devices being captured, are they in a specific subnet, or are they a group of mixed IP addresses???
What is the goal here…

11

VLANs

  1. Thanks, will do

  2. I started with the base configuration shipped with the RB5009, and edited it using what I have learned about VLANs. You are right, no example used DHCP on the main bridge, but the router is shipped with DHCP on the main bridge. Side note: you must be retired because if you talked to anyone in a work environment like this, either they leave or you get fired. Please be better, I am trying to learn, and being a jerk does not help anyone here.

  3. Mistake from learning that was still there, removed.

  4. yep, added ether6 to untagged. Must have missed because that port is unused at the moment.

  5. In case I got locked out of DHCP on the default VLAN1, I wanted a physical port to be able to configure the APs while this config is still hanging around. This will go away when DHCP 192.168.88.0/24 is removed and the APs are on MGMT

  6. I will try to set the PVID on port 7/8 to 10 once again, and see what happens given the configuration changes above.

Firewall

I’m still learning all of the firewall related configuration, so bear with me.

I realize I could have explained that part a little better. The APs are controlled by a UniFi Cloud Key, a controller of sorts, which also doubles as an NVR in my case. I have those rules in there so that the controller can access and configure the APs from the home VLAN to the management VLAN. Though right now, they are on the 88.1 subnet, and I want to access them on the management subnet.

And the Layer7 rules are there but not working properly. I have an immich server being hosted and going through a reverse proxy, and a home assistant server going through a cloudflare zero trust tunnel. This was my attempt at hairpin NAT by intercepting the DNS requests from LAN devices and routing those to the internal service. I stumbled on this method here: http://forum.mikrotik.com/t/redirect-dns-to-local-server/125235/1

12

Sorry, no kid gloves here. By the way, after the 1000th person who says they read the article and know what they are doing in vlans, only to trip on their own 3rd leg, it gets old, and thus sometimes I lack patience!

I understand the angst of getting locked out.
Hence I always do the following → Take one port OFF the bridge to then do the config in a safe spot!!!
/interface ethernet
set [ find default-name=eth9 ] name=OffBridge9
/ip address
add address=192.168.75.1/30 interface=OffBridge9 network=192.168.75.0
/interface list member
add interface=OffBridge9 list=LAN
and if you have a management interface
add interface=OffBridge9 list=TRUSTED

Then plug in laptop to ether9 set ipv4 settings to 192.168.75.2 and you should be in. A must safer and nice location to do the config from.

+++++++++++++++++++++++++++++++

Okay the tricky part is that the controller is not on the same vlan as the APs themselves??
As noted previously, or perhaps not, ALL smart devices should be on the same management or trusted vlan.
Therefore the controller and APs should be on the same VLAN.
The difference or oddity is unifi APs come default expecting the management vlan to come into the AP untagged and the data vlans tagged.

If not possible for some reason, then we have to get funky with the APs themselves to know where to look for the controller, thinking DHCP options maybe for these devices but will have to get back to you on that.

The firewall rules will not direct the APs to look for the controller on a different subnet so that is the issue…

++++++++++++++++++++++++++++++

Okay so you have a server on the LAN, IMMICH and it has a specific IP address.
What does it mean going through a reverse proxy??
Who accesses this server, internal users only, external only, both?
For external users, can you create a source address list of their public static IPs and also include their own dyndns URL domain names for dynamic IPs ( many free ones on the internet )

  • another option why not cloudflare trust this traffic as well.
  • another option is for external users to wireguard in with access only to server?

Secondarily you have a second server, calling it home assistant. Assuming it has an IP?
You have this smartly setup going through a cloudflare zero trust tunnel.
How is this accomplished ( on the router? container? ) or some other mechanism (aka on server itself and thus transparent to the router.

Hairpin NAT is for which server, assuming the IMMICH?
The easiest way and recommended to avoid to use hairpin is simply create another vlan and only put the IMMICH on this subnet.
All local users will be able to access without any funky hairpin nat rules.
If not possible the rule required is put this rule first in NAT rules
add chain=sourcenat action=masquerade src-address=subnetOFserver dst-address=subnetOFserver.


I would drop the layer7 stuff until the rest is sorted!!

13

I have been running the AP’s on a different subnet for a while now. In my current configuration, they live on the 192.168.88.1 subnet, while the controller is on the 192.168.87.1 (home) subnet. It won’t be able to find the APs through network discovery, so I need to ssh into the APs themselves and tell them where the controller is, and then they can be adopted as normal. So in my new config, I would like the APs on either home or management. I would prefer them on management, since it’s where all my network equipment lives. I consider the UniFi controller more as an NVR than a network appliance, so I prefer this to stay on home.

A reverse proxy is an nginx server which forwards traffic from the server’s main address to an internal service on the network or on the server itself. In this case, anything matching my domain name coming in port 443 will be proxied to port 8091 on the same server, and the proxy handles SSL handshakes as well. A zero-trust tunnel cannot be used for this because some of the uploads exceed the max 100MB file size that can travel through the tunnel. Cloudflare also forbids using tunnels for media.
Everything here is working great, I just wanted that set up to avoid a round trip outside the network (upload speeds here suck), when syncing photos and videos on the internal network. The reason I want the hairpin to work is because the iphone and android app doesn’t have an option for internal vs. external IP addresses. Immich is like open-source google photos by the way. I also intend to use this hairpin NAT for hassio (home assistant), which controls all my IOT.

14

Attached a screenshot of what I am seeing. Set port 8 PVID to 10, the AP gets the DHCP address of 192.168.84.14 (management VLAN), but is then unreachable. And yes, I am doing this on the DESKTOP-NPP4QHK computer.

I tried doing this on the home VLAN before. The UniFi controller could see the AP broadcasting its adoption on that subnet, but when it tried to adopt it (connect to it), it would fail.

I am starting to think that this is more vendor-specific than a misconfiguration on my part.
vlan_ap.jpg

15

I figured it out. Turns out it was vendor-specific. I went into the AP configuration, and buried in there was the ability to specify the VLAN that the AP was sitting on. So I changed that to my management VLAN, then set ports 7 and 8 to only allow VLAN tagged traffic, then deleted all the DHCP/pools/networks related to the default bridge.
Yay! thanks for being my rubber duck anav :slight_smile:

16

No worries, I do the same with several gurus…
I saw this on another thread which reminded me of APs trying to talk to controller.
This was the way…

/ip dhcp-server option
add code=43 name=unifi value=0x0104C0A81E02

So I recalled previous work on this front;.
This is but an example but should allow the APs to talk to the controller even if on different vlans.

LAN A - 10.10.10.0/24, unifi controller is 10.10.10.15
LAN B - 192.168.168.1/24, AP1 192.168.168.5, AP2 192.168.168.20

DHCP server settings for LANB
Go to DHCP and tab options: Create an OPTION , call it Option UNIFI
select code 43
select unifi IP address 10.10.10.15 we need to add 0104 in front of it according to searches.
so enter this for the value entry----> 0x0104’10.10.10.15’
Hit Apply and OK, The MT router will convert this to HEX and a raw value!!

Then Go to DHCP NETWORKS.
select LANB
select tab DHCP Options
select UNIFI.

Now the dhcp server will provide the AP with a local IP (offer) and tell the AP the controlling device IP address…
The APs will now send traffic to that IP and we must provide a path there ( in this case a firewall rule permitting traffic from AP to controller).

17

There is another way as well to accomplish the same using DNS and probably is the easier method.
LAN A - 10.10.10.0/24, unifi controller is 10.10.10.15
LAN B - 192.168.168.1/24, AP1 192.168.168.5, AP2 192.168.168.20

/ip dhcp-server network
add address=192.168.168.0/24 dns-server=192.168.168.1 domain=ammo.home gateway=192.168.168.1

/ip dns static
add address=10.10.10.15 name=unifi**.ammo.home** type=A

NOTE: The assumption is that the unifi APs are looking for two ways to connect to the unif controller.
a via DHCP option 43 contents. (as shown in previous post)
b. each device on the subnet will ask for DHCP configuration and will get, the IP address and mask, the gateway, the DNS server and the name of the “local” domain.
The AP is expecting to see a local domain. Then the AP asks DNS to return an address specifically for unifi.domain.name and in this case will then receive 10.10.10.15

Again using firewall rules we have to ensure the APs can reach the controller.