Good morning, some time ago I set up this network, which has a MikroTik router with failover configured and UniFi 6 Pro devices that were replaced by UniFi U7 Pro. Since then, I feel the network is not running smoothly and seems worse than before. In light of this, I started running tests, and yesterday VLAN 20 stopped working. I can’t find a way to make it work. I would appreciate any help you can provide.
Clarifications:
The Ether5 interface of the Mikrotik is connected to a Ruijie PoE switch, which powers 4 Unifi U7 Pro access points.
The Unifi controller has two Wi-Fi networks configured:
Private network: This is the default network.
Guest network (VLAN 20):
Devices in this segment (192.168.5.x) can communicate with each other, but they cannot access other networks or the Mikrotik.
All Unifi access points must broadcast both Wi-Fi networks.
The MikroTik Wi-Fi, although configured, is not in regular use.
# model = RBD52G-5HacD2HnD
# RouterOS export.  One bridge ("LAN") carries the private network untagged
# and the guest VLAN 20 tagged; per-VLAN port membership is defined further
# down in /interface bridge vlan.
/interface bridge
# vlan-filtering=yes: the bridge enforces its VLAN table.  ingress-filtering=no
# (here on the bridge's own port; the member ports repeat it): a tagged frame
# whose VID is not granted to that port is still admitted.
# arp=proxy-arp: the router answers ARP on LAN for any address it has a route
# to, not only its own -- NOTE(review): normally only needed for VPN/hotspot
# setups; confirm it is wanted here, it makes L2 oddities hard to diagnose.
add arp=proxy-arp ingress-filtering=no name=LAN vlan-filtering=yes
/interface ethernet
# The mac-address values below are cut short (the paste is redacted); this
# export cannot be imported verbatim.  ether1/ether2 are the two ISP uplinks
# (DHCP clients in /ip dhcp-client); ether3-5 are LAN bridge ports.
set [ find default-name=ether1 ] mac-address=08:55:31:
set [ find default-name=ether2 ] mac-address=08:55:31:
set [ find default-name=ether3 ] mac-address=08:55:31:
set [ find default-name=ether4 ] mac-address=DC:2C:6E:
set [ find default-name=ether5 ] mac-address=DC:2C
/interface wireless
# The router's own 2.4/5 GHz radios, bridged into LAN as wlan3/wlan4.  Per the
# post they are configured but not in regular use.  arp=proxy-arp as on the
# bridge (see the note there).
set [ find default-name=wlan1 ] arp=proxy-arp disabled=no mode=ap-bridge \
name=wlan3 ssid="Estado Router 2.4GHz" wireless-protocol=802.11
set [ find default-name=wlan2 ] arp=proxy-arp disabled=no mode=ap-bridge \
name=wlan4 ssid="Estado Router 5GHz" wireless-protocol=802.11
/interface wireguard
# name= is blank in the paste (redacted).  The peer entry and the
# 10.10.101.1/24 address further down refer to this interface as "Emanuel",
# so the real export carries name=Emanuel.  udp/13233 is the listen port; the
# input chain below has no default drop on ether1/ether2, so the port is
# reachable from both uplinks (which a WireGuard endpoint needs anyway).
add listen-port=13233 mtu=1420 name=
/interface vlan
# VLAN_20 is the router's L3 leg in the guest VLAN (192.168.5.1/24 is
# assigned to it below).  It only sees traffic because LAN is listed as
# tagged for vlan-ids=20 in /interface bridge vlan.
add interface=LAN name=VLAN_20 vlan-id=20
/interface list
# Two lists, one per ISP.  Members are set in /interface list member (see the
# note there); no firewall or other rule in this export references them.
add comment=Fibertel name="WAN 1"
add comment=Telecentro name="WAN 2"
/interface lte apn
# Default APN profile; no LTE interface appears in this export.
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
# Default profile used by wlan3/wlan4.  authentication-types still includes
# wpa-psk, i.e. WPA(1)-PSK association is accepted next to WPA2; reduce it to
# wpa2-psk unless a legacy client needs WPA1.  The pre-shared key is not
# shown (a normal export hides sensitive values).
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
# Default hotspot profile; no hotspot server is defined in this export.
set [ find default=yes ] html-directory=hotspot
/ip pool
# dhcp_pool0 hands out the upper half of the private LAN (.2-.129 is
# presumably kept for static addresses such as the APs at .100-.103 that
# netwatch monitors); dhcp_pool1 is the guest VLAN.
add name=dhcp_pool0 ranges=192.168.70.130-192.168.70.254
add name=dhcp_pool1 ranges=192.168.5.2-192.168.5.254
/ip dhcp-server
# dhcp1: private LAN.  The lease-script runs on every lease bind: it builds a
# Telegram message from the client's hostname, MAC and IP and runs the
# INGRESO_A_LA_RED script (defined in /system script) to send it.
# NOTE(review): $"lease-hostname" is whatever the client put in DHCP option
# 12, so the message -- and the fetch URL INGRESO_A_LA_RED builds from it --
# carries unfiltered client input; a hostname containing "&", "?" or "%"
# rewrites the query string.  Dropping the hostname (MAC + IP already identify
# the client) closes that path.
add address-pool=dhcp_pool0 interface=LAN lease-script=":if (\$leaseBound = \"\
1\") do={\r\
\nglobal telegramMessage \"\$\"lease-hostname\" (\$leaseActMAC) entra en l\
a red \$leaseActIP from dhcp1\"\r\
\n:execute \"INGRESO_A_LA_RED\";\r\
\n}" lease-time=11h10m name=dhcp1
# dhcp2: guest VLAN, default lease time, no lease-script.
add address-pool=dhcp_pool1 interface=VLAN_20 name=dhcp2
/routing table
# Two extra FIB tables, presumably meant for per-ISP policy routing.  Nothing
# in this export populates or selects them: every /ip route entry uses
# routing-table=main and there are no /routing rule or mangle entries.
add fib name=to_ISP1
add fib name=to_ISP2
/system logging action
# Logging action 1 writes its log to the file "log" on disk.
set 1 disk-file-name=log
/interface bridge port
# Bridge members.  No pvid is set, so all five ports use pvid 1: untagged
# frames are the private LAN.  ingress-filtering=no on the copper ports means
# tagged frames with a VID not granted to that port in /interface bridge vlan
# are not rejected at the port.  Only ether5 is a VLAN 20 trunk (see
# /interface bridge vlan); ether3/ether4 and the two radios carry the private
# network only.  ether1/ether2 are deliberately not bridged (ISP uplinks).
add bridge=LAN ingress-filtering=no interface=ether3
add bridge=LAN ingress-filtering=no interface=ether4
add bridge=LAN ingress-filtering=no interface=ether5
add bridge=LAN interface=wlan3
add bridge=LAN interface=wlan4
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) runs on every non-dynamic interface,
# which includes the ISP uplinks ether1/ether2: the router advertises its
# identity and addresses on those links.  A LAN-only interface list is the
# usual restriction -- NOTE(review): confirm WAN-side discovery is wanted.
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 is switched off router-wide.
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
# The only static VLAN entry: VLAN 20 is tagged on ether5 (the trunk to the
# Ruijie PoE switch and the U7 Pro APs) and on the bridge itself (LAN), which
# is what delivers it to the VLAN_20 L3 interface.  Untagged/pvid-1
# membership is not listed here; it is derived from each port's pvid.
# Whether VLAN 20 actually reaches the APs also depends on the Ruijie switch
# passing it tagged to every AP port and on the UniFi guest SSID being set to
# VLAN 20 -- neither is visible in this export, and both are the first things
# to check when "VLAN 20 stopped working".
add bridge=LAN tagged=ether5,LAN vlan-ids=20
/interface detect-internet
# Runs MikroTik's internet-detect probing on every interface and maintains its
# own dynamic interface lists.  Nothing in this export uses those lists;
# detect-interface-list=none avoids the background probing.
set detect-interface-list=all
/interface l2tp-server server
# L2TP/IPsec server settings.  mschap1 is accepted next to mschap2; it is the
# weaker of the two and can be dropped unless an old client needs it.  No
# enabled=yes appears here, so the server is presumably off.
set authentication=mschap1,mschap2 use-ipsec=yes
/interface list member
# NOTE(review): these members look wrong.  ether5 and ether4 are LAN bridge
# ports (see /interface bridge port); the real uplinks are ether1/ether2 (DHCP
# clients and srcnat out-interfaces below).  Because no rule in this export
# matches on in-interface-list/out-interface-list, the mistake is harmless
# today, but a future "drop input in-interface-list=..." rule would hit the
# LAN instead of the ISPs.  Intended members are presumably ether1 and ether2
# (which one is Fibertel cannot be told from the export).
add interface=ether5 list="WAN 1"
add interface=ether4 list="WAN 2"
/interface ovpn-server server
# OpenVPN server auth list still includes md5; sha1 is the stronger of the
# two offered.  No enabled=yes appears here, so the server is presumably off.
set auth=sha1,md5
/interface wireguard peers
# Single peer on the WireGuard interface "Emanuel"; allowed-address /32 pins
# it to 10.10.101.2.  The public-key value was removed from the paste, leaving
# a dangling line continuation that runs into the next section -- restore the
# key (or delete the trailing backslash) before importing.
add allowed-address=10.10.101.2/32 interface=Emanuel public-key=\
/ip address
# Router addresses: .70.1 on the private bridge, 10.10.101.1 on the WireGuard
# interface, .5.1 on the guest VLAN.
add address=192.168.70.1/24 comment="RED LOCAL" interface=LAN network=\
192.168.70.0
add address=10.10.101.1/24 interface=Emanuel network=10.10.101.0
add address=192.168.5.1/24 interface=VLAN_20 network=192.168.5.0
/ip cloud
# MikroTik DDNS: the router's current public address is published under its
# *.sn.mynetname.net name, refreshed every minute.
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
# ISP uplinks.  add-default-route=no on both: failover is done by the static
# routes in /ip route, not by the DHCP-learned gateways.
add add-default-route=no interface=ether1
add add-default-route=no interface=ether2
/ip dhcp-server lease
# (no static leases in the export)
/ip dhcp-server network
# Gateway handed to each pool.  No dns-server= is set, so the resolver clients
# receive depends on /ip dns (not in the paste); if guests are pointed at the
# router, the input rules must let udp/53 in from VLAN_20.
add address=192.168.5.0/24 gateway=192.168.5.1
add address=192.168.70.0/24 gateway=192.168.70.1
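/ip firewall filter
# Guest isolation for VLAN 20 (192.168.5.0/24): guests may reach the Internet
# and each other, but not the private LAN, the WireGuard subnet or the router
# itself -- except DHCP and DNS, which they need from 192.168.5.1.
# Rules are evaluated top to bottom, first match wins.
# Still missing: a default drop on the input chain for ether1/ether2 (only
# winbox is blocked there today).  Not added here because it needs accepts
# for every WAN-facing service first (at least established/related and
# udp/13233 for WireGuard), otherwise remote access is cut.
add action=drop chain=forward dst-address=192.168.70.0/24 log=yes \
src-address=192.168.5.0/24
# Same for the WireGuard subnet, which the original rule set left reachable
# from the guest VLAN.
add action=drop chain=forward dst-address=10.10.101.0/24 log=yes \
src-address=192.168.5.0/24
add action=drop chain=input dst-port=8291 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=8291 in-interface=ether2 protocol=tcp
# Guest -> router.  Replaces the disabled "drop src-address=192.168.5.0/24"
# rule, which (a) was off, so guests could reach every router service, and
# (b) once enabled would also have broken guest DHCP renewals and DNS.
# Matching on in-interface instead of src-address also catches DHCP
# DISCOVER/REQUEST frames sent from 0.0.0.0.
add action=accept chain=input connection-state=established,related \
in-interface=VLAN_20
add action=accept chain=input dst-port=67 in-interface=VLAN_20 protocol=udp
add action=accept chain=input dst-port=53 in-interface=VLAN_20 protocol=udp
add action=accept chain=input dst-port=53 in-interface=VLAN_20 protocol=tcp
add action=drop chain=input in-interface=VLAN_20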
/ip firewall nat
# Source NAT for everything leaving either uplink, guest and WireGuard traffic
# included.  ipsec-policy=out,none leaves packets that match an IPsec policy
# (L2TP/IPsec clients) un-NATed.
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether2
/ip route
# Failover by recursive routes: a /32 to 8.8.8.8 is pinned through the
# Fibertel gateway and a /32 to 1.1.1.1 through the Telecentro gateway; the
# two default routes then use those addresses as gateways with
# check-gateway=ping.  distance 10 < 11, so Fibertel is preferred and the
# Telecentro default takes over when 8.8.8.8 stops answering via Fibertel.
# Consequences: (1) anything that makes 8.8.8.8 or 1.1.1.1 drop ICMP (rate
# limiting, an outage at the resolver) flips the uplink even if the ISP is
# fine; (2) the Telecentro gateway 192.168.0.1 is hard-coded while the uplinks
# get their addresses by DHCP -- if the ISP changes its gateway the /32 and
# with it the default route go dead; (3) the two /32 routes have no
# check-gateway, so LAN clients that use 8.8.8.8 or 1.1.1.1 as DNS keep being
# sent through the pinned uplink even when it is down.  Which of
# ether1/ether2 is which ISP is not shown.
add comment="CHECK DNS FIBERTEL" disabled=no distance=50 dst-address=\
8.8.8.8/32 gateway=190.247.21.1 pref-src=0.0.0.0 routing-table=main \
scope=10 suppress-hw-offload=no target-scope=10
add comment="CHACK DNS TELECENTRO" disabled=no distance=50 dst-address=\
1.1.1.1/32 gateway=192.168.0.1 pref-src="" routing-table=main scope=10 \
suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="RUTA ESTATICA FIBERTEL" disabled=no distance=\
10 dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" routing-table=main \
scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="RUTA ESTATICA TELECENTRO" disabled=no \
distance=11 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=11
/ip service
# Management surface: telnet, ftp, www, ssh, api and api-ssl are off.  winbox
# (tcp/8291) is the remaining management service (www-ssl is off by default
# and is not enabled here).  It has no address= restriction, so the only
# thing keeping it off the Internet is the pair of input drops on
# ether1/ether2 in /ip firewall filter.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
# Default SMB share pointing at /pub; whether the SMB service itself is on is
# not shown in the paste.
set [ find default=yes ] directory=/pub
/routing bfd configuration
# One BFD configuration entry with no interface/address filter; none of the
# routes above use check-gateway=bfd, so nothing here relies on it.
add disabled=no
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system leds
# interface=*1 is an unresolved internal id: the interface this LED entry
# pointed at no longer exists under that name -- presumably a leftover from
# renaming wlan1/wlan2 to wlan3/wlan4.
add interface=*1 leds="" type=wireless-status
/system note
set show-at-login=no
/system resource irq rps
# Receive packet steering enabled on all five ethernet ports.
set ether5 disabled=no
set ether4 disabled=no
set ether3 disabled=no
set ether2 disabled=no
set ether1 disabled=no
/system script
# SendToTelegram: posts the global $telegramMessage to a Telegram chat via
# /tool fetch.  Notes for the reviewer:
# - The bot token and chat id live in clear text in the script source and
#   appear in every export/backup (they are truncated in this paste; if the
#   real ones were ever pasted elsewhere, regenerate them).
# - The policy list is far wider than /tool fetch needs (password, sensitive,
#   policy, sniff, reboot ...); least privilege is to keep only what fetch
#   requires.  dont-require-permissions=yes lets a caller without those
#   policies run it anyway.
# - fetch is called without check-certificate=yes, so the TLS certificate of
#   api.telegram.org is not verified (RouterOS default).
# - Empty messages are skipped; the message is interpolated into the query
#   string without encoding.
add dont-require-permissions=yes name=SendToTelegram owner=Emanuel policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
global telegramMessage\r\
\n:local botid\r\
\n:local chatid\r\
\n\r\
\nset botid \"605658hJefc\"\r\
\nset chatid \"-1001921\"\r\
\nif (\$telegramMessage != \"\") do={\r\
\n /tool fetch url=\"https://api.telegram.org/bot\$botid/sendMessage\?ch\
at_id=\$chatid&text=\$telegramMessage\" keep-result=no\r\
\n}"
# INGRESO_A_LA_RED: same post, run by the dhcp1 lease-script, with a second
# bot token and chat, no empty-message check and a 2 s delay.  Two things to
# verify: (1) the "?" in the URL is escaped as \\\? here versus \? in
# SendToTelegram, which leaves a literal backslash before "?" in the request
# path -- check that this fetch actually succeeds; (2) the message it sends
# carries the DHCP client's self-reported hostname (see the lease-script), so
# the query string contains unfiltered client input.  With
# dont-require-permissions=no the caller must hold the listed policies; if
# lease notifications do not arrive, that is the first thing to confirm.
add dont-require-permissions=no name=INGRESO_A_LA_RED owner=Emanuel policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
global telegramMessage\r\
\n:local botid\r\
\n:local chatid\r\
\nset botid \"7h4fEIQsR-NI\"\r\
\nset chatid \"-4241\"\r\
\n/tool fetch url=\"https://api.telegram.org/bot\$botid/sendMessage\\\?cha\
t_id=\$chatid&text=\$telegramMessage\" keep-result=no\r\
\n:delay 2"
/tool netwatch
# Four ICMP monitors, one per access point (192.168.70.100-.103, in the
# private LAN's static range), probing every 10 s.  Each down/up script sets
# the global $telegramMessage to a fixed string and runs SendToTelegram, so
# unlike the DHCP lease notifications these messages contain no client input.
# http-codes="" and test-script="" are the defaults for type=icmp.
add disabled=no down-script="global telegramMessage \"Down PMO Ubiquiti Habita\
cion de Pablo \"\r\
\n/system script run SendToTelegram" host=192.168.70.100 http-codes="" \
interval=10s packet-interval=50ms test-script="" type=icmp up-script="glob\
al telegramMessage \"UP Ubiquiti Habitacion de Pablo \"\r\
\n/system script run SendToTelegram"
add disabled=no down-script="global telegramMessage \"Down quiti Habita\
cion Huesped \"\r\
\n/system script run SendToTelegram" host=192.168.70.101 http-codes="" \
interval=10s packet-interval=50ms test-script="" type=icmp up-script="glob\
al telegramMessage \"UP PMO Ubiquiti Habitacion Huesped \"\r\
\n/system script run SendToTelegram"
add disabled=no down-script="global telegramMessage \"Down PMO Ubiquiti Living\
\_\"\r\
\n/system script run SendToTelegram" host=192.168.70.102 http-codes="" \
interval=10s packet-interval=50ms test-script="" type=icmp up-script="glob\
al telegramMessage \"UP Ubiquiti Living \"\r\
\n/system script run SendToTelegram"
add disabled=no down-script="global telegramMessage \"Down PlayRoom \"\r\
\n/system script run SendToTelegram" host=192.168.70.103 http-codes="" \
interval=10s packet-interval=50ms test-script="" type=icmp up-script="glob\
al telegramMessage \"UP PMO PlayRoom \"\r\
\n/system script run SendToTelegram"