VLAN Bridging - Multiple SSIDs/VLANS on Unifi AP

Kruger99 · April 12, 2021, 6:51pm

Hello everyone,

Can someone please help with the VLAN Bridging of the following setup?
Apologies if this is straight forward, I’ve spent the entire day reading about VLANS and Bridging, however I just don’t understand it.

I have 1x RB2011 as my dialup router, 2x Unifi AP’s, and 1x unmanaged switch.
My goal is to setup the APs to broadcast 3 different SSIDs, each on their own VLAN (10, 20 and 30).
The switch and all devices connected to it will be on VLAN10.

My current config is as follows:

ether2 goes to switch
ether 6,7 goes to ap’s

/interface bridge
add name=bridge1 vlan-filtering=yes

/interface vlan
add interface=bridge1 name="vlan10 - admin" vlan-id=10
add interface=bridge1 name="vlan20 - staff" vlan-id=20
add interface=bridge1 name="vlan30 - guest" vlan-id=30

/ip pool
add name=dhcp_pool0 ranges=192.168.10.50-192.168.10.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254

/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface="vlan10 - admin" name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface="vlan20 - staff" name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface="vlan30 - guest" name=dhcp3

/interface bridge port
add bridge=bridge1 interface=ether2 multicast-router=disabled pvid=10

/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=10 

/ip address
add address=192.168.10.1/24 comment="ADMIN DATA" interface="vlan10 - admin" \
    network=192.168.10.0
add address=192.168.11.1/24 comment="ADMIN VOIP" interface="vlan10 - admin" \
    network=192.168.11.0
add address=192.168.20.1/24 comment="STAFF WIFI" interface="vlan20 - staff" \
    network=192.168.20.0
add address=192.168.30.1/24 comment="GUEST WIFI" interface="vlan30 - guest" \
    network=192.168.30.0

/ip dhcp-client
add disabled=no interface=ether1

/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

Can someone please point me in the right direction?
Somewhere between the tagged and untagged interfaces I’m getting very confused and lost…
Screenshot 2021-04-12 at 20.30.04.png

Kruger99 · April 13, 2021, 7:14am

I’ve managed to get the setup working now, however there is one red warning which concerns me - can anyone elaborate on what it means?

“port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry”

Current config

/interface bridge
add name=bridge1 vlan-filtering=yes

/interface vlan
add interface=bridge1 name="vlan10 - admin" vlan-id=10
add interface=bridge1 name="vlan20 - staff" vlan-id=20
add interface=bridge1 name="vlan30 - guest" vlan-id=30

/ip pool
add name=dhcp_pool0 ranges=192.168.10.50-192.168.10.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254
add name=dhcp_pool3 ranges=192.168.1.50-192.168.1.254
add name=dhcp_pool4 ranges=192.168.1.2-192.168.1.254

/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface="vlan10 - admin" name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface="vlan20 - staff" name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface="vlan30 - guest" name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=bridge1 name=dhcp4

/interface bridge port
add bridge=bridge1 interface=ether2 multicast-router=disabled pvid=10
add bridge=bridge1 interface=ether6 multicast-router=disabled

/interface bridge vlan
# port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry
add bridge=bridge1 tagged=bridge1,ether6 vlan-ids=10,20,30

/ip address
add address=192.168.10.1/24 comment="ADMIN DATA" interface="vlan10 - admin" \
    network=192.168.10.0
add address=192.168.11.1/24 comment="ADMIN VOIP" interface="vlan10 - admin" \
    network=192.168.11.0
add address=192.168.20.1/24 comment="STAFF WIFI" interface="vlan20 - staff" \
    network=192.168.20.0
add address=192.168.30.1/24 comment="GUEST WIFI" interface="vlan30 - guest" \
    network=192.168.30.0
add address=192.168.1.1/24 comment=MGMNT interface=bridge1 network=192.168.1.0

/ip dhcp-client
add disabled=no interface=ether1

/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1

/ip dns
set servers=8.8.8.8

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

anav · April 13, 2021, 11:34am

I would get rid of the management interface its not needed think of the vlan10 as your admin/management interface.

As for the error
From
/interface bridge vlan

port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry

add bridge=bridge1 tagged=bridge1,ether6 vlan-ids=10,20,30

TO

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether6 vlan-ids=20,30
add bridge=bridge1 tagged=bridge1,ether6 untagged=ether2 vlan-ids=10

Kruger99 · April 13, 2021, 4:10pm

Hi Anav,
Thank you for your reply. Unfortunately with this setup I was unable to get my Controller to communicate with my APs. I’ve instead opted for the following config - it’s not perfect, but it works. I’’ add some firewall rules still to block traffic between the VLANs etc.

/interface bridge
add name=bridge1

/interface vlan
add interface=bridge1 name="vlan20 - staff" vlan-id=20
add interface=bridge1 name="vlan30 - guests" vlan-id=30

/ip pool
add name=dhcp_pool0 ranges=192.168.10.50-192.168.10.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254

/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface="vlan20 - staff" name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface="vlan30 - guests" name=dhcp3

/interface bridge port
add bridge=bridge1 interface=ether2 multicast-router=disabled
add bridge=bridge1 interface=ether6 multicast-router=disabled

/ip address
add address=192.168.10.1/24 comment="ADMIN / MGMNT" interface=bridge1 network=192.168.10.0
add address=192.168.20.1/24 comment=STAFF interface="vlan20 - staff" network=192.168.20.0
add address=192.168.30.1/24 comment=GUEST interface="vlan30 - guests" network=192.168.30.0
add address=192.168.11.1/24 comment=VOICE interface=bridge1 network=192.168.11.0

/ip dhcp-client
add disabled=no interface=ether1

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1,8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1,8.8.8.8 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1,8.8.8.8 gateway=192.168.30.1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

anav · April 13, 2021, 4:57pm

Ah yes UNIFI is a weird beast.
They need it done differently from the rest of the worlds equipment. (hybrid port)
In this case this should work , Using vlan 10 as management…

/interface bridge port
add bridge=bridge1 interface=ether2 multicast-router=disabled frame-types=only priority tagged and untagged frames allowed pvid=10
add bridge=bridge1 interface=ether6 multicast-router=disabled pvid=10

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether6 vlan-ids=20,30
add bridge=bridge1 tagged=bridge1, untagged=ether2**,ether6** vlan-ids=10

Kruger99 · April 17, 2021, 10:44am

Epic! Thanks!