VLAN Can't see the internet...

I’m struggling to create a GUEST vlan for use by Unifi APs

I have a handfull of Unifi APs, a CISCO SG300-10PP switch, and a Mikrotik RB850Gx2.

I’ve created a GUEST VLAN for the WIFI guests (VLAN ID: 184, 10.89.184.0/24) and set up the Switch, and assigned the VLAN id to the guest network in the Unifi user interface, i’ve enabled 2 DHCP pools in the 850Gx2, that all seems to be working :-

• when i connect my phone to the guest network I get an address in the correct range
  
  
  
• I can ping router from the switch on both IPs (10.89.183.1 & 10.89.184.1)
  
  
  
• I can ping switch from the router on both IPs (10.89.183.215 & 10.89.184.2)

But i can’t access the internet from my phone, when connected to the GUEST wifi.

Could i be a routing thing? NAT from the VLAN? no idea really.. out of my depth!!!

Here’s my config.. someone please help…

/interface bridge
add admin-mac=0E:DC:82:E5:1E:10 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 service-name=00000013443 use-peer-dns=yes user=00000013443@abc
/interface vlan
add interface=ether3 name=GUEST-VLAN vlan-id=184
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.89.183.100-10.89.183.254
add name=guest-pool ranges=10.89.184.100-10.89.184.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=guest-pool disabled=no interface=GUEST-VLAN name=guest
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=10.89.183.1/24 comment=defconf interface=ether2 network=10.89.183.0
add address=10.89.184.1/24 interface=GUEST-VLAN network=10.89.184.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=10.89.183.0/24 comment=defconf gateway=10.89.183.1 netmask=24
add address=10.89.184.0/24 gateway=10.89.184.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.89.183.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN src-address=10.89.184.0/24
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

A few things are not quite right:

• you have ether2-ether5 members of bridge and yet you set LAN IP address on ether2. This is not right, LAN IP address should be set no bridge interface.
  For doing it, you better connect to router via MAC (winbox can do it) so that your management connection doesn’t rely on working IP address.
• you have ether3 member of bridge any yet you have GUEST-VLAN interface anchored to ether3. This is not right, VLAN interface should be anchored to “master” interface, in this case it’s bridge interface.
  After you move VLAN interface to bridge, you will have to /interface bridge set [ find name=bridge ] vlan-filtering=yes on bridge. However, this can potentially be a killer command and you rally should enable safe mode before executing it.
• the second NAT config line (add action=masquerade chain=srcnat out-interface-list=WAN src-address=10.89.184.0/24) doesn’t do anything, the first one is general enough that it should do the trick. You can remove this config line.

Beware that enabling VLANs on bridge will kill HW offload and all switched/bridged traffic (between LAN ports) will be handled by CPU instead of switch chip. Depending on particular HW type you might be able to configure VLANs in the way HW offload is still active.