Utilizing VLANs on CRS125 using the switch chip with Unifi

I’m fairly new to RouterOS and VLANs in general. I’m trying to utilize the switch chip in my CRS125 to create a VLAN for a guest network using 4 Unifi UAPs. I’ve read and re-read a lot of posts, but I can’t figure out how to make it work. It looks to be easier to set up VLANs using a bridge setup, but I’d like to learn how to configure them using the switch chip. My network is set up as follows:
LAN = 192.168.2.0/24
WAN1 = Ether1
WAN2 = Ether2 (future)
Masterport = Ether3 (all other ports set to Ether3 as master port)
Unifi AP1 = Ether18
Unifi AP2 = Ether20
Unifi AP3 = Ether22
Unifi AP4 = Ether24
SSID 1 = unrestricted access (would like to have untagged so it can reach wired LAN)
SSID 2 = Guest network with VLAN 200

From the CRS examples page I’ve done the following:

[admin@CRS125-1-381-05661] /interface ethernet switch ingress-vlan-translation> print
Flags: X - disabled, I - invalid, D - dynamic 
 0 X ports=ether18,ether20,ether22,ether24 service-vlan-format=any customer-vlan-format=tagged customer-vid=1 new-customer-vid=100 pcp-propagation=no 
     sa-learning=yes

I read that you need to assign untagged traffic a tag when it is on a port with tagged traffic. I used VID 100. Is this correct?


[admin@CRS125-1-381-05661] /interface ethernet switch egress-vlan-tag> print
Flags: X - disabled, I - invalid, D - dynamic 
 #   VLAN-ID TAGGED-PORTS                                                                                                                                      
 0 D    4095
 1 X     200 ether3-master-local                                                                                                                               
             ether18                                                                                                                                           
             ether20                                                                                                                                           
             ether22                                                                                                                                           
             ether24



[admin@CRS125-1-381-05661] /interface ethernet switch vlan> print
Flags: X - disabled, I - invalid, D - dynamic 
 #   VLAN-ID PORTS                                                   SVL LEARN FLOOD INGRESS-MIRROR QOS-GROUP                                                  
 0 D    4095 WAN-1                                                   no  no    no    no             none                                                       
             WAN-2                                                  
             switch1-cpu                                            
 1 X     100 ether3-master-local                                     no  yes   no    no             none                                                       
             ether18                                                
             ether20                                                
             ether22                                                
             ether24                                                
 2 X     200 ether3-master-local                                     no  yes   no    no             none                                                       
             ether18                                                
             ether20                                                
             ether22                                                
             ether24

When I enable all of the above, I can still connect on SSID 1 but not on SSID 2. I won’t even get a DHCP assignment on SSID 2. When using the switch chip, do I still need to add an IP pool, etc. to VLAN 200? Or should it pull from the existing IP pool used by SSID 1? Where does the switch chip interface come into play? Do I have to tag the VLANs on the switch chip as well as the master port?

I’d appreciate anyone that can jump in and straighten me out. Thanks.


I don’t know that you can specifically tag VLAN traffic on MikroTiks… I assume you have your VLAN set up in the Unifi controller? I would create your guest VLAN on the Tik with its own subnet and pool of addresses. If the UAP ports are set to master port 3, it should work. If not, then you need to create a bridge to include all the UAP ports and the VLAN.

I do have the VLAN set up in the UAPs also. I was hoping to utilize the switch chip to do this instead of bridging, but I may have to resort to that as I’ve hit a wall and can’t get it to work.

You are correct, a bridge may be in order…