AP device: U6LR (3 SSIDs: VLAN 20, VLAN 30, and a third under the default ‘LAN’ {MGMT VLAN}).
Mikrotik: RBG450GX4 (eth1 - connected to the internet, eth2 - connected to the AP, eth3 - connected to a downstream switch that has the Unifi controller connected, eth4, eth5 - other devices).
Would like: VLAN 20 clients to have only internet access and no other access
VLAN 30: access to eth4, eth5 + internet
‘LAN’/MGMT VLAN: ALL access
Question:
a) Is eth2 considered a hybrid port, and does Unifi management traffic pass as untagged? Should the Unifi AP have at least one of its SSIDs with ‘LAN’ set up for management traffic (adoption etc.) to work correctly?
b) How would the switch-level settings in the RouterBoard need to be set for each port (under the switch section)?
c) The settings should make sure the Unifi AP is able to talk to the controller.
d) Currently eth2, eth3, eth4 and eth5 are in a bridge. Are there special bridge settings to be done apart from attaching the 3 VLANs and running a DHCP server for each?
A sample setup for the above would help with the explanation.
The onus is on your setup of the Unifi AP.
I believe it comes by default as a bastardized unit which needs the management VLAN untagged and the data VLANs tagged.
Every other dog in the world simply has all VLANs tagged to the smart AP.
I believe you can change the setup on the Unifi so that it accepts all VLANs, including the management VLAN, on a standard trunk port.
Then it's dirt simple.
++++++++++++++++++++++++++++++++++++++++++++
If you cannot, then the port from the MT device to the Unifi should be in hybrid format, which means ONE untagged VLAN and the rest as tagged VLANs.
For bridge ports it would look like:
add bridge=bridge interface=etherX ingress-filtering=yes pvid=<management vlan id>
For bridge VLANs:
add bridge=bridge tagged=bridge,etherY untagged=etherX vlan-ids=<management vlan id> (if there is another port requiring the management VLAN, that is what etherY represents)
add bridge=bridge tagged=bridge,etherX vlan-ids=<second vlan id on the unifi>
add bridge=bridge tagged=bridge,etherX vlan-ids=<third vlan id on the unifi>
Thanks to both of you for the replies (it was a great primer to read).
Anav: for the RouterBoard RBG450GX4 I gather from the documentation that
/interface ethernet switch vlan
{}
and
/interface ethernet switch port
{including switch port}
are the way to set it up.
How would the management LAN setup look with the above (keeping the Unifi AP's untagged packets in mind) with vlan-mode=secure?
Also, there are a few things to keep in mind for the Atheros8327 switch chip in the RouterBoard:
“Switch chips with a VLAN table support (QCA8337, Atheros8327, Atheros8316, Atheros8227 and Atheros7240) can override the port isolation configuration when enabling a VLAN lookup on the switch port (the vlan-mode is set to fallback, check or secure). If additional port isolation is needed between ports on the same VLAN, a switch rule with a new-dst-ports property can be implemented. Other devices without switch rule support cannot overcome this limitation.”
“On QCA8337 and Atheros8327 switch chips, a default vlan-header=leave-as-is property should be used. The switch chip will determine which ports are access ports by using the default-vlan-id property. The default-vlan-id should only be used on access/hybrid ports to specify which VLAN the untagged ingress traffic is assigned to”
“In QCA8337 and Atheros8327 chips when vlan-mode=secure is used, it ignores switch port vlan-header options. VLAN table entries handle all the egress tagging/untagging and work as vlan-header=leave-as-is on all ports. It means what comes in tagged goes out tagged as well; only default-vlan-id frames are untagged at the egress port.”
VLAN table:
“Packets without a VLAN tag are treated just like if they had a VLAN tag with the port default-vlan-id. If vlan-mode=check or vlan-mode=secure is configured, in order to forward packets without VLAN tags you have to add an entry to the VLAN table with the same VLAN ID according to default-vlan-id.”
vlan-mode=secure settings related to switch1-cpu:
“On devices with QCA8337 and Atheros8327 switch chips it is possible to use any other default-vlan-id (other than 1) as long as it stays the same on switch-cpu and trunk ports.”
The link I posted is for a switch. Your scenario is for a router, which has a switch included.
All you need to do for the switch part is to understand which port is a trunk and which is an access port.
Also, do not add eth1 to the bridge, as this will be the link to your ISP.
So eth2 is a trunk, as it will need MGMT (possibly untagged) and VLAN 20/30 from the SSIDs.
Assuming eth3 is a trunk as well, as there may be hosts in VLAN 20/30 upstream as well.
eth4 / eth5 are either access ports (if the devices connected cannot use tagged VLANs) or trunk ports… set the default VID to that of the device which cannot generate tagged traffic.
Would like: VLAN 20 clients to have only internet access and no other access
VLAN 30: access to eth4, eth5 + internet
‘LAN’/MGMT VLAN: ALL access
…this is not a matter of the switch chip / VLAN config but rather of your firewall.
Should the Unifi AP have at least one of its SSIDs with ‘LAN’ set up for management traffic (adoption etc.) to work correctly?
The SSIDs do not have to be associated with the management traffic network - you can have the management untagged, using the default “LAN” network in the controller, and create “VLAN Only” networks (old user interface, or hidden away as Network Isolation under Advanced Features in the new user interface) to be used with each SSID.
Whilst you can make the management network tagged, it makes adopting new devices difficult: they will always attempt to acquire an address with DHCP untagged, discover the controller with the various layer 2 and layer 3 mechanisms available, then once adopted use the networking configuration pushed from the controller. There is no real issue with having the Ubiquiti management network untagged; you could consider it to be untrusted for access to the Mikrotik itself.
Unless you have significant traffic between ports on the same VLAN, I would recommend not using the switch chip and sticking with a single VLAN-aware bridge; it provides no advantage for VLAN-to-VLAN or VLAN-to-WAN traffic.
I am only comfortable with the VLAN filtering method.
In this case WLANs are directly associated with specific VLANs (SSIDs are simply visible names for WLANs).
So if you want separate WLANs, simply use VLANs for that purpose.
Make VLANs under interface bridge.
Associate VLANs to WLANs at the interface bridge port settings.
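The hybrid-port bridge layout from the earlier reply, combined with the point that the VLAN 20 / VLAN 30 isolation is a firewall job, as one complete added example (not configuration posted by anyone in this thread). It assumes: ether1 is WAN and stays out of the bridge; ether2 (to the U6LR) and ether3 (to the downstream switch with the controller) are hybrid ports with the management VLAN untagged and 20/30 tagged; ether4/ether5 are access ports in VLAN 30; the management VLAN id is 99 and the subnets are made up for the example.

```routeros
# Added example config; bridge/port names, VLAN 99 and the subnets are assumptions.
/interface bridge
add name=bridge vlan-filtering=no
/interface bridge port
# eth2/eth3: management untagged (pvid=99), VLANs 20 and 30 tagged
add bridge=bridge interface=ether2 pvid=99 ingress-filtering=yes frame-types=admit-all
add bridge=bridge interface=ether3 pvid=99 ingress-filtering=yes frame-types=admit-all
# eth4/eth5: plain access ports in VLAN 30, tagged frames are rejected
add bridge=bridge interface=ether4 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether5 pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge vlan-ids=99 tagged=bridge untagged=ether2,ether3
add bridge=bridge vlan-ids=20 tagged=bridge,ether2,ether3
add bridge=bridge vlan-ids=30 tagged=bridge,ether2,ether3 untagged=ether4,ether5
# Router's L3 leg into each VLAN (DHCP servers go on these interfaces)
/interface vlan
add interface=bridge name=vlan99-mgmt vlan-id=99
add interface=bridge name=vlan20-guest vlan-id=20
add interface=bridge name=vlan30-users vlan-id=30
/ip address
add address=192.168.99.1/24 interface=vlan99-mgmt
add address=192.168.20.1/24 interface=vlan20-guest
add address=192.168.30.1/24 interface=vlan30-users
# Interface lists keep the firewall readable; VLAN 20 and 30 get the same policy
/interface list
add name=WAN
add name=MGMT
add name=RESTRICTED
/interface list member
add interface=ether1 list=WAN
add interface=vlan99-mgmt list=MGMT
add interface=vlan20-guest list=RESTRICTED
add interface=vlan30-users list=RESTRICTED
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=MGMT comment="MGMT VLAN reaches everything"
add chain=forward action=accept in-interface-list=RESTRICTED out-interface-list=WAN comment="VLAN 20/30: internet only"
add chain=forward action=drop in-interface-list=RESTRICTED comment="VLAN 20/30 never cross into another VLAN"
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface-list=MGMT comment="router management from MGMT VLAN only"
add chain=input action=accept in-interface-list=RESTRICTED protocol=udp dst-port=53,67 comment="DHCP/DNS for clients"
add chain=input action=drop in-interface-list=RESTRICTED
# Turn filtering on last, once the management VLAN entry exists, or you lock yourself out
/interface bridge set bridge vlan-filtering=yes
```

Traffic between two VLAN 30 hosts (a Wi-Fi client and a device on eth4) is switched inside the bridge and never reaches the forward chain, which is why VLAN 30 needs no extra firewall rule to reach eth4/eth5.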
Here are my switch-related settings on my RouterBoard.
To test: I had one guest VLAN id 10 and another management VLAN 20.
Since mine has an Atheros 8327, when you turn on vlan-mode=secure it does all the magic of tagging/untagging (using the default-vlan-id setting), with the vlan-header setting not being relevant (leave-as-is).
Also, the switch-cpu port default-vlan-id should not be set in this case (leave it at its default; I set it to 20 in the example below and had trouble getting an IP address from DHCP).
/interface ethernet switch
set 0 name=InternalMikrotikSwitch
/interface ethernet switch port
# physical ports: untagged ingress goes to VLAN 20, VLAN table does the egress tagging
set 2 default-vlan-id=20 vlan-mode=secure
set 3 default-vlan-id=20 vlan-mode=secure
set 4 default-vlan-id=20 vlan-mode=secure
# switch-cpu port: default-vlan-id left at its default of 0
set 5 default-vlan-id=0 vlan-mode=secure
ZeroTier:
a) Without VLANs my ZeroTier setup was working great. I was able to hit the WebFig UI from another computer on the internet running ZeroTier (part of the same ZeroTier network).
With the above VLAN setup, ZeroTier access stopped working.
Question:
a) Should the WAN port be defined in a specific way in the switch chip (under the ports section / VLAN section)?
b) Any additional considerations from a firewall standpoint?
Attached is the firewall log on input. Let me know if I missed something.
You might want to check the ZeroTier flow rules. By default they don't allow VLAN tags to pass through the ZeroTier network. So on ZeroTier Central (my.zerotier.com), you could try adding the VLAN ethertype 0x8100; if you have the default rules you add one line, so it looks like this:
drop
not ethertype ipv4
and not ethertype arp
and not ethertype ipv6
and not ethertype 0x8100
;
accept;
Although I can't say I've used switch chip tagging with ZeroTier, so it's hard to know if that helps.
The issue was related to the ZeroTier interface not getting a ZeroTier address. This was working before.
Now you need to set the ‘allow managed’ flag in the ZeroTier interface configuration screen in WinBox.
After setting it, the interface gets an IP address and things work.