VLAN bridge - tagged and untagged

Hi, I am quite desperate; I cannot figure out the following setup.

https://imgur.com/a/DzaIqnY

Tried to follow wiki documentation as well as mikrotik forum, still no success.

Read this documentation,
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Try again,
Then post your config
/export hide-sensitive file=anynameyouwish

I have this configuration now (IPsec, WAN etc. don't matter for now, it's in lab conditions). ether2 is untagged and gives me an IP address from the 192.168.3.1/24 pool, but ether5 doesn't recognize the UniFi AP.

# sep/13/2020 10:22:26 by RouterOS 6.47.3
# software id = HF6Y-C8EN
#
# model = 2011UiAS-2HnD
# serial number = 7A6607D319BD
# NOTE(review): this export shows no keys or secrets (presumably it was made with
# `hide-sensitive` as asked above), but the software id, serial number, MAC addresses,
# public IP addresses and internal host names are all still in it. Redact those by hand
# before posting an export publicly.
/interface bridge
# Two separate bridges, both with VLAN filtering on: bridge-host uses PVID 60 and
# bridge-podnik uses PVID 30.
add name=bridge-host pvid=60 vlan-filtering=yes
add name=bridge-podnik pvid=30 vlan-filtering=yes
/interface ethernet
# Per-port settings: each port gets an explicit MAC address; ether1-ether5 are set to
# 100Mbps, ether6-ether10 advertise 10M/100M/1000M. ether1 (the only member of the WAN
# list further down) is disabled.
set [ find default-name=ether1 ] disabled=yes mac-address=E4:8D:8C:28:E0:A1 \
    speed=100Mbps
set [ find default-name=ether2 ] mac-address=E4:8D:8C:28:E0:A2 speed=100Mbps
set [ find default-name=ether3 ] mac-address=E4:8D:8C:28:E0:A3 speed=100Mbps
set [ find default-name=ether4 ] mac-address=E4:8D:8C:28:E0:A4 speed=100Mbps
set [ find default-name=ether5 ] mac-address=E4:8D:8C:28:E0:A5 speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    E4:8D:8C:28:E0:A6
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    E4:8D:8C:28:E0:A7
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    E4:8D:8C:28:E0:A8
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    E4:8D:8C:28:E0:A9
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    E4:8D:8C:28:E0:AA
set [ find default-name=sfp1 ] mac-address=E4:8D:8C:28:E0:A0
/interface vlan
# One VLAN interface per bridge: vlan30 on bridge-podnik, vlan60 on bridge-host.
# In the /interface bridge port section of this export the same two VLAN interfaces are
# also added back as ports of their own parent bridge.
add interface=bridge-podnik name=vlan30 vlan-id=30
add interface=bridge-host name=vlan60 vlan-id=60
/interface list
# Interface lists used elsewhere in the export: `discover` is the neighbor-discovery
# list, `mactel` is referenced by the (disabled) input drop rule, `WAN` by the last
# masquerade rule. Where `mac-winbox` is consumed is not visible in this export.
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
# Pre-shared keys do not appear in the export. Profiles `ep` and `guest` accept both
# wpa-psk and wpa2-psk; `kavka` accepts wpa2-psk only.
# NOTE(review): allowing wpa-psk keeps the legacy WPA handshake available on `ep` and
# `guest`; restrict them to wpa2-psk unless an old client really needs it.
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=ep \
    supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=guest \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=kavka \
    supplicant-identity=""
/interface wireless
# wlan1 is renamed to `wlan` and runs as a client (mode=station-bridge) of SSID
# "elephant" using the wpa2-only profile `kavka`; WPS is disabled.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
    country="czech republic" disabled=no frequency=2452 mode=station-bridge \
    name=wlan security-profile=kavka ssid=elephant wps-mode=disabled
/ip ipsec profile
# Phase 1 settings. The default profile still offers 3des next to AES; profile_1 (used
# by peer1) is pinned to aes-192 with DH group modp1536, NAT traversal off.
# NOTE(review): 3des and modp1536 are both below what is recommended today; prefer
# AES-only lists and a 2048-bit or larger DH group if the remote side supports them.
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
add dh-group=modp1536 dpd-interval=1m enc-algorithm=aes-192 name=profile_1 \
    nat-traversal=no proposal-check=claim
/ip ipsec peer
# Single remote peer, matched by its exact /32 address.
add address=193.85.247.170/32 name=peer1 profile=profile_1
/ip ipsec proposal
# Phase 2 default proposal: AES CBC/CTR variants plus 3des, PFS with modp1536.
set [ find default=yes ] enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-192-ctr,aes-128-cbc,aes-128-ctr,3des \
    pfs-group=modp1536
/ip pool
# Address pools for the two LAN segments (.100-.150 in each /24).
add name=dhcp-podnik ranges=192.168.3.100-192.168.3.150
add name=dhcp-host ranges=192.168.6.100-192.168.6.150
/ip dhcp-server
# DHCP servers are bound directly to the bridges, not to the VLAN interfaces.
add address-pool=dhcp-podnik authoritative=after-2sec-delay bootp-support=\
    none disabled=no interface=bridge-podnik lease-time=30m name=dhcp-podnik
add address-pool=dhcp-host disabled=no interface=bridge-host name=dhcp-host
/ppp profile
# PPP profile `PHA` with fixed local/remote addresses; no PPP interface that uses it
# is visible in this export.
add dns-server=10.19.0.1 local-address=10.19.0.2 name=PHA remote-address=\
    10.19.0.1
/snmp community
# The default community accepts queries from any IPv4 source (0.0.0.0/0).
# NOTE(review): no `/snmp set enabled=yes` line appears in this export, so the agent
# is presumably off; if SNMP is ever enabled, narrow `addresses` to the monitoring
# host(s) and do not rely on the default community name.
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
# Item 3 is addressed by number; which logging action that is cannot be told from
# this export. Its target is set to memory.
set 3 target=memory
/interface bridge port
# ether2 is an access port of bridge-podnik (PVID 30). The VLAN interfaces vlan60 and
# vlan30, which were created on these bridges, are added back to them as ports.
# ether5 is not a port of either bridge here, although the VLAN table below lists it
# as tagged - so frames from the device on ether5 never enter a bridge.
add bridge=bridge-podnik interface=ether2 pvid=30
add bridge=bridge-host interface=vlan60 pvid=60
add bridge=bridge-podnik interface=vlan30 pvid=30
/ip neighbor discovery-settings
# Neighbor discovery runs on every member of the `discover` list, i.e. the router
# announces itself on all ports listed there.
set discover-interface-list=discover
/interface bridge vlan
# VLAN 30 on bridge-podnik: tagged on vlan30 and ether5, untagged on ether2.
# VLAN 60 on bridge-host: tagged on ether5 and vlan60, untagged on the bridge itself.
add bridge=bridge-podnik tagged=vlan30,ether5 untagged=ether2 vlan-ids=30
add bridge=bridge-host tagged=ether5,vlan60 untagged=bridge-host vlan-ids=60
/interface detect-internet
# Detect Internet is active on all interfaces.
# NOTE(review): consider limiting it to the WAN list, or to none if it is not used.
set detect-interface-list=all
/interface list member
# Membership of the lists defined above. sfp1 and ether2-ether10 are in `discover`,
# `mactel` and `mac-winbox`; ether1 is the only member of `WAN`. Neither bridge and
# neither VLAN interface is in any list.
# Entries printed as `add list=...` with no interface carry no interface reference -
# presumably leftovers of interfaces that no longer exist; verify and remove.
# NOTE(review): no `/tool mac-server` section appears in this export, so whether
# `mactel` / `mac-winbox` actually restrict MAC-Telnet / MAC-Winbox cannot be
# confirmed from here.
add interface=sfp1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add list=discover
add list=discover
add list=discover
add list=discover
add list=discover
add list=discover
add interface=ether2 list=mactel
add interface=ether3 list=mactel
add interface=ether2 list=mac-winbox
add interface=ether4 list=mactel
add interface=ether3 list=mac-winbox
add interface=ether5 list=mactel
add interface=ether4 list=mac-winbox
add interface=ether6 list=mactel
add interface=ether5 list=mac-winbox
add interface=ether7 list=mactel
add interface=ether6 list=mac-winbox
add interface=ether8 list=mactel
add interface=ether7 list=mac-winbox
add interface=ether9 list=mactel
add interface=ether8 list=mac-winbox
add interface=ether10 list=mactel
add interface=ether9 list=mac-winbox
add interface=sfp1 list=mactel
add interface=ether10 list=mac-winbox
add list=mactel
add interface=sfp1 list=mac-winbox
add list=mactel
add list=mac-winbox
add list=mac-winbox
add interface=ether1 list=WAN
/ip address
# Gateway addresses sit on the bridges themselves; the public /30 on ether1 is disabled.
add address=192.168.3.1/24 interface=bridge-podnik network=192.168.3.0
add address=192.168.6.1/24 interface=bridge-host network=192.168.6.0
add address=193.179.125.246/30 disabled=yes interface=ether1 network=\
    193.179.125.244
/ip dhcp-client
# DHCP clients on ether1 and on the wireless station interface `wlan`.
add comment="default configuration" interface=ether1 use-peer-dns=no
add disabled=no interface=wlan
/ip dhcp-server network
# 192.168.3.0/24 clients are handed the internal DNS server and the router;
# 192.168.6.0/24 clients are handed public resolvers only.
add address=192.168.3.0/24 dns-server=192.168.251.11,192.168.3.1 gateway=\
    192.168.3.1 netmask=24
add address=192.168.6.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.6.1 \
    netmask=24
/ip dns
# The router answers DNS queries from the network (allow-remote-requests=yes).
# NOTE(review): the only input-chain drop rule in this export is disabled, so nothing
# limits which interfaces can query the resolver; restrict UDP/TCP 53 to the LAN
# side before an uplink is connected.
set allow-remote-requests=yes servers=192.168.251.11,8.8.8.8
/ip dns static
# Static records for internal hosts. Because the resolver is reachable as noted
# above, these names and addresses are readable by anyone who can query it.
add address=192.168.251.31 name=server.envipur.cz
add address=192.168.251.30 name=mail.envi-pur.cz
add address=192.168.251.30 name=mail.envipur.cz
add address=192.168.251.11 name=adserver.envipur.cz
add address=192.168.1.5 name=sbiserver
add address=192.168.1.5 name=sbiserver.envipur.cz
add address=192.168.251.32 name=aserver.envipur.cz
add address=192.168.3.7 name=dlinknas
add address=192.168.251.31 name=server
add address=192.168.251.11 name=adserver
add address=192.168.251.32 name=aserver
add address=192.168.251.32 name=srv32-FServer02
/ip firewall address-list
# EP_Podnik = the two company subnets; used as the "not us" exclusion in the DDoS rules.
add address=192.168.3.0/24 list=EP_Podnik
add address=192.168.1.0/24 list=EP_Podnik
/ip firewall filter
# DDoS detection chain: all five rules below are disabled=yes, so none of it is active.
add action=jump chain=forward comment=DDoS connection-state=new disabled=yes \
    jump-target=detect-ddos
add action=return chain=detect-ddos disabled=yes dst-limit=\
    32,32,dst-address/1m40s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    1d chain=detect-ddos disabled=yes dst-address-list=!EP_Podnik \
    src-address-list=!EP_Podnik
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1d chain=detect-ddos disabled=yes dst-address-list=!EP_Podnik \
    src-address-list=!EP_Podnik
add action=drop chain=forward connection-state=new disabled=yes \
    dst-address-list=ddosed log=yes src-address-list=ddoser
add action=drop chain=forward disabled=yes dst-address=192.168.4.0/24 \
    src-address=192.168.3.0/24
# Active segmentation: anything sourced from 192.168.6.0/24 is dropped when it is
# routed towards 192.168.3.0/24, 192.168.1.0/24 or 192.168.251.0/24. The rules match
# on addresses only (no connection-state), and no forward rule accepts established
# traffic ahead of them, so replies from 192.168.6.0/24 to those subnets are dropped too.
add action=drop chain=forward dst-address=192.168.3.0/24 src-address=\
    192.168.6.0/24
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=\
    192.168.6.0/24
add action=drop chain=forward dst-address=192.168.251.0/24 src-address=\
    192.168.6.0/24
# Input chain: three accept rules and one drop rule that is disabled=yes. With no
# active drop, every packet addressed to the router itself is accepted, from any
# interface - the router's own services are protected only by their own settings.
# NOTE(review): before enabling the drop, check the match. `mactel` holds physical
# ports only; for ports that are bridged, the input chain presumably sees the bridge
# or VLAN interface as in-interface, so the rule as written could also cut off LAN
# management. Use a LAN list that contains the L3 interfaces - TODO confirm on device.
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input disabled=yes in-interface-list=!mactel
/ip firewall nat
# Rule order matters here; rules are evaluated top to bottom.
# 1) Masquerade traffic that both starts and ends in 192.168.3.0/24.
add action=masquerade chain=srcnat dst-address=192.168.3.0/24 src-address=\
    192.168.3.0/24
# 2) `accept` rules exempt the listed subnet pairs from the masquerade rules below
#    (192.168.251.0/24 and 192.168.1.0/24 are also the IPsec policy destinations);
#    each match is logged.
add action=accept chain=srcnat dst-address=192.168.251.0/24 log=yes \
    src-address=192.168.3.0/24
add action=accept chain=srcnat dst-address=192.168.1.0/24 log=yes \
    src-address=192.168.3.0/24
add action=accept chain=srcnat dst-address=192.168.3.0/24 log=yes \
    src-address=192.168.6.0/24
add action=accept chain=srcnat comment=tsss dst-address=192.168.6.0/24 log=\
    yes src-address=192.168.3.0/24
# 3) Masquerade everything else. The first two rules match on source subnet only,
#    with no out-interface, so they apply on whatever interface the packet leaves by.
add action=masquerade chain=srcnat src-address=192.168.6.0/24
add action=masquerade chain=srcnat src-address=192.168.3.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec identity
# Identity for peer1; no authentication parameters are printed in this export.
add peer=peer1
/ip ipsec policy
# Tunnel-mode policies from 192.168.3.0/24 to 192.168.251.0/24 and 192.168.1.0/24,
# both towards 193.85.247.170. `set 1` disables an existing any-to-any policy entry
# addressed by number (presumably the default template).
add dst-address=192.168.251.0/24 peer=peer1 sa-dst-address=193.85.247.170 \
    sa-src-address=0.0.0.0 src-address=192.168.3.0/24 tunnel=yes
set 1 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=192.168.1.0/24 peer=peer1 sa-dst-address=193.85.247.170 \
    sa-src-address=0.0.0.0 src-address=192.168.3.0/24 tunnel=yes
/ip route
# Default route via the wireless station interface; the static default via the
# public gateway is disabled. `gateway=*D` is not an interface name - presumably a
# reference to an interface that has been removed; verify these two routes.
add distance=1 gateway=wlan
add disabled=yes distance=1 gateway=193.179.125.245
add distance=1 dst-address=192.168.1.0/24 gateway=*D
add distance=1 dst-address=192.168.251.0/24 gateway=*D
/ip service
# Management services: telnet, ftp, www, ssh, api and api-ssl are disabled; www-ssl
# is enabled with certificate `vlcovka`. winbox is not listed, so it is at its
# default setting.
# NOTE(review): no `address=` restriction is set on any service and the input chain
# has no active drop rule, so the enabled services accept connections from every
# interface. Limit them to the management subnet.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=8080
set ssh disabled=yes
set www-ssl certificate=vlcovka disabled=no
set api disabled=yes
set api-ssl disabled=yes

You need to have:

  1. Only one bridge
  2. ether2 and ether5 added as bridge ports to that bridge
  3. Two vlan-interfaces created on that bridge (created on, not added like the bridge ports) - one for each of the vid’s.
  4. Add IP configuration to vlan-interfaces
    5a) Vlan filtering done in switch menu if you want to keep hw-offloading.
    5b) …or in bridge menu if it doesn’t matter.

The guide to the whole process with option 5a:
https://wiki.mikrotik.com/wiki/Manual:Switch_Router (without the last section “Isolated VLANs”)
and for trunk port:
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#VLAN_Example_1_.28Trunk_and_Access_Ports.29
Also mind the note for Atheros8327 switch chip.

The guide to the whole process with option 5b:
https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#VLAN_Example_.233_.28InterVLAN_Routing_by_Bridge.29
and for trunk port:
https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#VLAN_Example_.231_.28Trunk_and_Access_Ports.29

I tried to follow the wiki manual, but the UniFi AP is still not visible on trunk port ether5.

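# sep/13/2020 14:49:02 by RouterOS 6.47.3
# software id = HF6Y-C8EN
#
# model = 2011UiAS-2HnD
# serial number = 7A6607D319BD
/interface bridge
# Single bridge with VLAN filtering enabled. No pvid is set, so the bridge interface
# itself keeps the default PVID.
add name=bridge1 vlan-filtering=yes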
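/interface ethernet
# Per-port MAC address and speed/advertise settings; ether1 is disabled.
# Line continuations (trailing backslash) are restored so the section can be pasted
# into a terminal as-is.
set [ find default-name=ether1 ] disabled=yes mac-address=E4:8D:8C:28:E0:A1 \
    speed=100Mbps
set [ find default-name=ether2 ] mac-address=E4:8D:8C:28:E0:A2 speed=100Mbps
set [ find default-name=ether3 ] mac-address=E4:8D:8C:28:E0:A3 speed=100Mbps
set [ find default-name=ether4 ] mac-address=E4:8D:8C:28:E0:A4 speed=100Mbps
set [ find default-name=ether5 ] mac-address=E4:8D:8C:28:E0:A5 speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    E4:8D:8C:28:E0:A6
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    E4:8D:8C:28:E0:A7
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    E4:8D:8C:28:E0:A8
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    E4:8D:8C:28:E0:A9
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    E4:8D:8C:28:E0:AA
set [ find default-name=sfp1 ] mac-address=E4:8D:8C:28:E0:A0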
/interface vlan
# Both VLAN interfaces are created on the one bridge; in this export they carry the
# router's IP addresses and DHCP servers for VLAN 30 and VLAN 60.
add interface=bridge1 name=VLAN30 vlan-id=30
add interface=bridge1 name=VLAN60 vlan-id=60
/interface list
# Interface lists; `discover` is used for neighbor discovery, `mactel` by the
# disabled input drop rule, `WAN` by the last masquerade rule.
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
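/interface wireless security-profiles
# Typographic quotes from the forum rendering are restored to plain "" and the line
# continuations are put back. Pre-shared keys do not appear in the export.
# NOTE(review): `ep` and `guest` still accept wpa-psk next to wpa2-psk; restrict
# them to wpa2-psk unless an old client really needs the legacy handshake.
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=ep \
    supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=guest \
    supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=kavka \
    supplicant-identity=""
/interface wireless
# wlan1 (renamed `wlan`) is a station-bridge client of SSID "elephant" using the
# wpa2-only profile `kavka`; WPS is disabled.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
    country="czech republic" disabled=no frequency=2452 mode=station-bridge \
    name=wlan security-profile=kavka ssid=elephant wps-mode=disabled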
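/ip ipsec profile
# Phase 1: the default profile offers 3des alongside AES; profile_1 is pinned to
# aes-192 with DH group modp1536. Line continuations restored.
# NOTE(review): 3des and modp1536 are below current recommendations; prefer AES-only
# lists and a 2048-bit or larger DH group if the remote side supports them.
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
add dh-group=modp1536 dpd-interval=1m enc-algorithm=aes-192 name=profile_1 \
    nat-traversal=no proposal-check=claim
/ip ipsec peer
# Single remote peer, matched by its exact /32 address.
add address=193.85.247.170/32 name=peer1 profile=profile_1
/ip ipsec proposal
# Phase 2 default proposal: AES CBC/CTR variants plus 3des, PFS with modp1536.
set [ find default=yes ] enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-192-ctr,aes-128-cbc,aes-128-ctr,3des \
    pfs-group=modp1536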
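/ip pool
# Address pools for the two VLANs (.100-.150 in each /24).
add name=dhcp-podnik ranges=192.168.3.100-192.168.3.150
add name=dhcp-host ranges=192.168.6.100-192.168.6.150
/ip dhcp-server
# DHCP servers are now bound to the VLAN interfaces. Line continuations restored.
add address-pool=dhcp-podnik authoritative=after-2sec-delay bootp-support=\
    none disabled=no interface=VLAN30 lease-time=30m name=dhcp-podnik
add address-pool=dhcp-host disabled=no interface=VLAN60 name=dhcp-host
/ppp profile
# PPP profile `PHA` with fixed local/remote addresses.
add dns-server=10.19.0.1 local-address=10.19.0.2 name=PHA remote-address=\
    10.19.0.1
/snmp community
# The default community accepts queries from any IPv4 source.
# NOTE(review): no `/snmp set enabled=yes` line appears in this export, so the agent
# is presumably off; if it is ever enabled, narrow `addresses` to the monitoring host(s).
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
# Item 3 is addressed by number; which action that is cannot be told from this export.
set 3 target=memory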
/interface bridge port
# ether2 is the access port for VLAN 30. ether5 (towards the AP) is now a bridge port
# but has no pvid, frame-types or ingress-filtering set, so it runs with the defaults:
# untagged frames from the AP are classified into the port's default PVID, for which
# this export defines no IP interface or DHCP server.
# NOTE(review): once it is settled which VLANs the AP really uses, pin the port down -
# e.g. ingress-filtering=yes, and frame-types=admit-only-vlan-tagged if the AP's
# management is also moved to a tagged VLAN - so a device on ether5 cannot reach
# VLANs it was not given.
add bridge=bridge1 interface=ether2 pvid=30
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
# Neighbor discovery runs on every member of the `discover` list.
set discover-interface-list=discover
/interface bridge vlan
# VLAN 30: tagged on the bridge (for interface VLAN30), untagged on ether2 - ether5
# is not a member, so VLAN 30 is not carried to the AP.
# VLAN 60: tagged on the bridge and on ether5.
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=60
/interface detect-internet
# Detect Internet is active on all interfaces.
# NOTE(review): consider limiting it to the WAN list, or to none if it is not used.
set detect-interface-list=all
/interface list member
# sfp1 and ether2-ether10 are in `discover`, `mactel` and `mac-winbox`; ether1 is the
# only member of `WAN`. bridge1, VLAN30 and VLAN60 are in no list.
# Entries printed as `add list=...` with no interface carry no interface reference -
# presumably leftovers of interfaces that no longer exist; verify and remove.
add interface=sfp1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add list=discover
add list=discover
add list=discover
add list=discover
add list=discover
add list=discover
add interface=ether2 list=mactel
add interface=ether3 list=mactel
add interface=ether2 list=mac-winbox
add interface=ether4 list=mactel
add interface=ether3 list=mac-winbox
add interface=ether5 list=mactel
add interface=ether4 list=mac-winbox
add interface=ether6 list=mactel
add interface=ether5 list=mac-winbox
add interface=ether7 list=mactel
add interface=ether6 list=mac-winbox
add interface=ether8 list=mactel
add interface=ether7 list=mac-winbox
add interface=ether9 list=mactel
add interface=ether8 list=mac-winbox
add interface=ether10 list=mactel
add interface=ether9 list=mac-winbox
add interface=sfp1 list=mactel
add interface=ether10 list=mac-winbox
add list=mactel
add interface=sfp1 list=mac-winbox
add list=mactel
add list=mac-winbox
add list=mac-winbox
add interface=ether1 list=WAN
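/ip address
# Gateway addresses now sit on the VLAN interfaces; the public /30 on ether1 is
# disabled. Line continuations and plain quotes are restored in this section.
add address=192.168.3.1/24 interface=VLAN30 network=192.168.3.0
add address=192.168.6.1/24 interface=VLAN60 network=192.168.6.0
add address=193.179.125.246/30 disabled=yes interface=ether1 network=\
    193.179.125.244
/ip dhcp-client
# DHCP clients on ether1 and on the wireless station interface `wlan`.
add comment="default configuration" interface=ether1 use-peer-dns=no
add disabled=no interface=wlan
/ip dhcp-server network
# 192.168.3.0/24 clients get the internal DNS server and the router;
# 192.168.6.0/24 clients get public resolvers only.
add address=192.168.3.0/24 dns-server=192.168.251.11,192.168.3.1 gateway=\
    192.168.3.1 netmask=24
add address=192.168.6.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.6.1 \
    netmask=24
/ip dns
# The router answers DNS queries from the network (allow-remote-requests=yes).
# NOTE(review): the only input-chain drop rule in this export is disabled, so nothing
# limits which interfaces can query the resolver; restrict UDP/TCP 53 to the LAN
# side before an uplink is connected.
set allow-remote-requests=yes servers=192.168.251.11,8.8.8.8
/ip dns static
# Static records for internal hosts.
add address=192.168.251.31 name=server.envipur.cz
add address=192.168.251.30 name=mail.envi-pur.cz
add address=192.168.251.30 name=mail.envipur.cz
add address=192.168.251.11 name=adserver.envipur.cz
add address=192.168.1.5 name=sbiserver
add address=192.168.1.5 name=sbiserver.envipur.cz
add address=192.168.251.32 name=aserver.envipur.cz
add address=192.168.3.7 name=dlinknas
add address=192.168.251.31 name=server
add address=192.168.251.11 name=adserver
add address=192.168.251.32 name=aserver
add address=192.168.251.32 name=srv32-FServer02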
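/ip firewall address-list
# EP_Podnik = the two company subnets; used as the exclusion in the DDoS rules.
add address=192.168.3.0/24 list=EP_Podnik
add address=192.168.1.0/24 list=EP_Podnik
/ip firewall filter
# Line continuations restored. The DDoS detection rules are all disabled=yes.
add action=jump chain=forward comment=DDoS connection-state=new disabled=yes \
    jump-target=detect-ddos
add action=return chain=detect-ddos disabled=yes dst-limit=\
    32,32,dst-address/1m40s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    1d chain=detect-ddos disabled=yes dst-address-list=!EP_Podnik \
    src-address-list=!EP_Podnik
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1d chain=detect-ddos disabled=yes dst-address-list=!EP_Podnik \
    src-address-list=!EP_Podnik
add action=drop chain=forward connection-state=new disabled=yes \
    dst-address-list=ddosed log=yes src-address-list=ddoser
add action=drop chain=forward disabled=yes dst-address=192.168.4.0/24 \
    src-address=192.168.3.0/24
# Active segmentation: traffic sourced from 192.168.6.0/24 is dropped when routed
# towards 192.168.3.0/24, 192.168.1.0/24 or 192.168.251.0/24. These rules act on
# routed traffic only; layer-2 separation depends on the bridge VLAN table.
add action=drop chain=forward dst-address=192.168.3.0/24 src-address=\
    192.168.6.0/24
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=\
    192.168.6.0/24
add action=drop chain=forward dst-address=192.168.251.0/24 src-address=\
    192.168.6.0/24
# Input chain: three accept rules and one drop rule that is disabled=yes, so every
# packet addressed to the router itself is accepted, from any interface.
# NOTE(review): before enabling the drop, check the match. `mactel` holds physical
# ports only, while the router's addresses are on VLAN30/VLAN60; the input chain
# presumably sees those as in-interface, so the rule as written could also cut off
# LAN management - TODO confirm on device.
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input disabled=yes in-interface-list=!mactel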
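/ip firewall nat
# Line continuations restored. Rules are evaluated top to bottom.
# 1) Masquerade traffic that both starts and ends in 192.168.3.0/24.
add action=masquerade chain=srcnat dst-address=192.168.3.0/24 src-address=\
    192.168.3.0/24
# 2) `accept` rules exempt the listed subnet pairs from the masquerade rules below;
#    each match is logged.
add action=accept chain=srcnat dst-address=192.168.251.0/24 log=yes \
    src-address=192.168.3.0/24
add action=accept chain=srcnat dst-address=192.168.1.0/24 log=yes \
    src-address=192.168.3.0/24
add action=accept chain=srcnat dst-address=192.168.3.0/24 log=yes \
    src-address=192.168.6.0/24
add action=accept chain=srcnat comment=tsss dst-address=192.168.6.0/24 log=\
    yes src-address=192.168.3.0/24
# 3) Masquerade everything else. The first two rules match on source subnet only,
#    with no out-interface, so they apply on whatever interface the packet leaves by.
add action=masquerade chain=srcnat src-address=192.168.6.0/24
add action=masquerade chain=srcnat src-address=192.168.3.0/24
add action=masquerade chain=srcnat out-interface-list=WAN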

“/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=60”

I see both VLAN30 and 60 tagged towards the Unifi …

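/interface bridge vlan
# Corrected VLAN table: ether5 is added to the tagged list of VLAN 30 (the change
# relative to the posted config), so both VLAN 30 and VLAN 60 are carried tagged
# on ether5.
add bridge=bridge1 tagged=bridge1,ether5 untagged=ether2 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=60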

Unifi is not visible on ether5, only on VLAN30 and VLAN60 and maybe via bridge if untagged packets are allowed.

Leaving aside the fact, that you’ve chosen the less desirable configuration approach, and keeping in mind the mistake, that bpwl already mentioned, I can’t see anything wrong in your config at first glance.
Recheck whether you have a unifi AP configured properly.

Yes, I tried several configurations and also put ether5 back as tagged. I will try connecting another L3 switch instead of the AP, to see whether the problem is in the tricky UniFi AP.
I expected to see unifi in arp table at least.

Yes, I tried several configurations and also put ether5 back as tagged. I will try connecting another L3 switch instead of the AP, to see whether the problem is in the tricky UniFi AP.
I expected to see unifi in arp table at least.

Setting ether5 tagged or not is not a matter of trial and error. If ether5 is not added to VLAN 30, traffic for VLAN 30 is neither accepted nor sent on ether5.

I am always surprised in this forum by the emphasis on ARP. The ARP table is a translation table for IP<->MAC. An IP-MAC tuple appears in the ARP table whenever the device sent an ARP request because of an imminent IP communication and received the ARP response packet, for this or for another reason. ARP tuples have a limited lifetime (“arp_timeout”, default 30sec, or up to 10 minutes if an ip-route entry was created). A device being directly connected to an interface does not mean that its MAC address will be in the ARP table.

The Unifi AP, should somewhere have the VLAN 30 and 60 defined, and be reachable/manageable over one of those VLAN’s. If the AP is just using VLAN30 and 60 for wifi SSID’s, then the Unifi itself will not be visible or reachable. (I have no knowledge on Unifi config, so can’t tell where to look).

Are you sure the UniFi AP is configured to use tagged VLANs only?

We use UniFi APs and switches with Mikrotik routers frequently, and usually leave the UniFi management interface untagged so APs can acquire IP addresses, discover and be adopted by a controller. In the newer versions of UniFi I believe it is possible to configure the management to be on a tagged VLAN, but only after a device has been adopted and configured, which complicates the initial install.

“Unifi is not visible on ether5, only on VLAN30 and VLAN60 and maybe via bridge if untagged packets are allowed.”

For the non-VLAN traffic initiated by or destined for the MKT, the bridge should have its own IP address, and maybe the Unifi even expects a DHCP server on the bridge for that subnet (unless it has a static IP address in the same subnet as the bridge).

The problem was the tricky UniFi AP settings: the AP is managed by software (the UniFi controller), which also has profile settings where the “switch ports” can be configured and tagged and untagged LANs added.
Anyway MikroTik vlan bridge is fine and thank you for your help.

PS. I do not like these unifi white things..