VLANS, Guest Portal and UniFi Controller

RouterOS General
1

5 x 5GHz point-to-point/bridge connections (Ubiquiti NanoStation M5’s) linked to 5 x 2.4GHz AP’s (Ubiquiti UAP-LR and UAP – outdoor’s) on static IP’s. These are connected to a PoE switch (Ubiquiti PoE TOUGHSwitch) on 192.168.1.48 with a connection going out to a MikroTik RB750UP routerboard on 192.168.1.49, in turn connected to the LAN with gateway on 192.168.1.1. This provides 2 x guest networks and 1 x staff network with seamless handover between AP’s, usergroup based speed and download restrictions.

This should provide me 3 Wi-Fi networks;
• SSID OranaNet (access LAN, access internet, user group “Staff”, WPA2 encrypted, not captive portal)
• SSID OranaWiFi (block LAN, access internet, user group “Guest”, no encryption, captive portal, redirect to landing page on authorization, VLAN2, 192.168.10.x, 192.168.11.x)
• SSID SchoolWiFi (block LAN, access internet, user group “Student”, no encryption, captive portal, redirect to landing page on authorization, VLAN3, 192.168.20.x, 192.168.21.x)

The Ubiquiti TOUGHSwitch;
• Ports 2-6 PoE 24v
• Port 1 passes to MikroTik RB750UP
• Ports are trunked

On the MikroTik RB750UP routerboard I have;
• Ethernet port from TOUGHSwitch bridged to Ethernet port to our LAN/gateway
• VLAN2 and VLAN3 on this bridge
• Bridge and VLANs set to use Firewall
• Web-Proxy on port 9000 ‘attached’ to bridge above
• a DHCP Server for each VLAN (OranaWiFi 192.168.10.x and SchoolWiFi 192.168.20.x),
• a DHCP Relay (OranaNet 192.168.1.x)
• NAT rule to redirect port 80 traffic through port 9000 (Web-Proxy) ie transparent proxy
• Web-Proxy Access settings to deny Dst.Host :proxy, :porn, *.exe, *.zip, *.rar and *.apk
• Web-Proxy Access settings to deny Path *.exe, *.zip, *.rar and *.apk
The Problem;
#1: In this configuration OranaNet connections are perfect, Web-Proxy is caching and blocking, and appropriate IP address for VLAN/SSID is allocated BUT OranaWiFi and SchoolWiFi do not present the portal (Terms of Use acceptance) and authorize connection. So no one can use them

feb/24/2014 08:54:46 by RouterOS 6.7

software id = FHBY-80SJ

/interface bridge
add l2mtu=1598 name=Bridge-OranaNet
/interface ethernet
set [ find default-name=ether1 ] name="LAN (Orana)"
set [ find default-name=ether2 ] name="WiFi (TOUGHSwitch)"
set [ find default-name=ether3 ] name=ethernet-port-3
set [ find default-name=ether4 ] name=ethernet-port-4
set [ find default-name=ether5 ] name=ethernet-port-5
/interface vlan
add interface=Bridge-OranaNet l2mtu=1594 name=VLAN2-OranaWiFi vlan-id=2
add interface=Bridge-OranaNet l2mtu=1594 name=VLAN3-SchoolWiFi vlan-id=3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=POOL2-OranaWifi ranges=192.168.11.0/24
add name=POOL2-SchoolWiFi ranges=192.168.21.0/24
add name=POOL-OranaWiFi next-pool=POOL2-OranaWifi ranges=192.168.10.10-192.168.10.255
add name=POOL-SchoolWiFi next-pool=POOL2-SchoolWiFi ranges=192.168.20.10-192.168.20.255
/ip dhcp-server
add address-pool=POOL-OranaWiFi disabled=no interface=VLAN2-OranaWiFi lease-time=8h name=DHCP-OranaWiFi
add address-pool=POOL-SchoolWiFi disabled=no interface=VLAN3-SchoolWiFi lease-time=8h name=DHCP-SchoolWiFi
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add interface=ethernet-port-3
add interface=ethernet-port-4
add interface=ethernet-port-5
add bridge=Bridge-OranaNet interface="LAN (Orana)"
add bridge=Bridge-OranaNet interface="WiFi (TOUGHSwitch)"
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip address
add address=192.168.1.49/24 interface="LAN (Orana)" network=192.168.1.0
add address=192.168.10.1/24 interface=VLAN2-OranaWiFi network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN3-SchoolWiFi network=192.168.20.0
/ip dhcp-relay
add dhcp-server=192.168.1.10 disabled=no interface=Bridge-OranaNet name="DHCP Relay-OranaNet"
/ip dhcp-server config
set store-leases-disk=8m
/ip dhcp-server network
add address=192.168.10.2/32 dns-server=122.56.237.1,210.55.111.1 gateway=192.168.10.1
add address=192.168.20.2/32 dns-server=122.56.237.1,210.55.111.1 gateway=192.168.20.1
/ip dns
set servers=192.168.1.49,122.56.237.1,210.55.111.1
/ip firewall filter
add action=drop chain=input dst-port=8080 protocol=tcp src-address=xx.xx.xx.xx
/ip firewall nat
add action=redirect chain=dstnat comment="redirect all port 80 traffic to web-proxy on port 9000" dst-port=80 in-interface=Bridge-OranaNet protocol=tcp to-ports=9000
add action=dst-nat chain=dstnat comment="forward port 8080 (device inform), 8443 (controller UI API), 8880 (portal redirect port for HTTP), 8843 (portal redirect port for HTTPs) on VLANs to UniFi Controller" dst-port=8080 in-interface=Bridge-OranaNet protocol=tcp to-addresses=192.168.1.110 to-ports=8080
add action=dst-nat chain=dstnat dst-port=8443 in-interface=Bridge-OranaNet protocol=tcp to-addresses=192.168.1.110 to-ports=8443
add action=dst-nat chain=dstnat dst-port=8880 in-interface=Bridge-OranaNet protocol=tcp to-addresses=192.168.1.110 to-ports=8880
add action=dst-nat chain=dstnat dst-port=8843 in-interface=Bridge-OranaNet protocol=tcp to-addresses=192.168.1.110 to-ports=8843
/ip proxy
set cache-administrator=Proxy-WiFi cache-on-disk=yes enabled=yes port=9000
/ip proxy access
add action=deny dst-host=:proxy
add action=deny dst-host=:porn
add action=deny path=.exe
add action=deny path=.zip
add action=deny path=.rar
add action=deny path=.apk
/ip route
add distance=1 gateway=192.168.1.1
add distance=1 dst-address=192.168.10.0/24 gateway=192.168.1.110
add distance=1 dst-address=192.168.20.0/24 gateway=192.168.1.110
/ip service
set api disabled=yes
/system clock
set time-zone-name=Pacific/Auckland
/system clock manual
set time-zone=+12:00
/system identity
set name="WiFi Routerboard"
/system ntp client
set enabled=yes mode=unicast primary-ntp=202.78.240.38 secondary-ntp=27.54.95.12
/system routerboard settings
set cpu-frequency=250MHz

any help VERY welcome

2

well here is version #2, a ground up rewrite based on Mikrotik startup template for VLANs but still no luck;

/interface bridge
add l2mtu=1598 name=Bridge-OranaNet
add l2mtu=1594 name=Bridge-OranaWiFi
add l2mtu=1594 name=Bridge-SchoolWiFi
/interface ethernet
set [ find default-name=ether1 ] name=“LAN (Orana)”
set [ find default-name=ether2 ] name=“WiFi (TOUGHSwitch)”
/interface vlan
add interface=“WiFi (TOUGHSwitch)” l2mtu=1594 name=VLAN2-OranaWiFi vlan-id=2
add interface=“WiFi (TOUGHSwitch)” l2mtu=1594 name=VLAN3-SchoolWiFi vlan-id=3
/ip neighbor discovery
set VLAN2-OranaWiFi discover=no
set VLAN3-SchoolWiFi discover=no
/ip pool
add name=POOL-OranaWiFi ranges=192.168.10.10-192.168.10.255
add name=POOL-SchoolWiFi ranges=192.168.20.10-192.168.20.255
/ip dhcp-server
add address-pool=POOL-OranaWiFi disabled=no interface=Bridge-OranaWiFi lease-time=8h name=DHCP-OranaWiFi
add address-pool=POOL-SchoolWiFi disabled=no interface=Bridge-SchoolWiFi lease-time=8h name=DHCP-SchoolWiFi
/interface bridge port
add bridge=Bridge-OranaNet interface=“LAN (Orana)”
add bridge=Bridge-OranaNet interface=“WiFi (TOUGHSwitch)”
add bridge=Bridge-OranaWiFi interface=VLAN2-OranaWiFi
add bridge=Bridge-SchoolWiFi interface=VLAN3-SchoolWiFi
/ip address
add address=192.168.1.49/24 interface=Bridge-OranaNet network=192.168.1.0
add address=192.168.10.1/24 interface=Bridge-OranaWiFi network=192.168.10.0
add address=192.168.20.1/24 interface=Bridge-SchoolWiFi network=192.168.20.0
/ip dhcp-relay
add dhcp-server=192.168.1.10 disabled=no name=“DHCP Relay-OranaNet”
/ip dhcp-server config
set store-leases-disk=8h
/ip dhcp-server network
add address=192.168.10.2/24 dns-server=122.56.237.1,210.55.111.1 gateway=192.168.10.1
add address=192.168.20.2/24 dns-server=122.56.237.1,210.55.111.1 gateway=192.168.20.1
/ip dns
set servers=122.56.237.1,210.55.111.1
/ip firewall filter
add action=drop chain=input dst-port=8080 protocol=tcp src-address=x.x.x.x.
/ip firewall nat
add action=redirect chain=dstnat comment=“redirect all port 80 traffic to web-proxy on port 9000” dst-port=80 in-interface=all-vlan protocol=tcp to-ports=9000
/ip proxy
set cache-administrator=Proxy-WiFi cache-on-disk=yes enabled=yes port=9000
/ip proxy access
add action=deny dst-host=:proxy
add action=deny dst-host=:porn
add action=deny path=.exe
add action=deny path=.zip
add action=deny path=.rar
add action=deny path=.apk
/ip route
add distance=1 gateway=192.168.1.1
/ip service
set api disabled=yes
/system clock
set time-zone-name=Pacific/Auckland
/system clock manual
set time-zone=+12:00
/system identity
set name=“WiFi Routerboard”
/system ntp client
set enabled=yes mode=unicast primary-ntp=202.78.240.38 secondary-ntp=27.54.95.12
/system routerboard settings
set cpu-frequency=250MHz


any help MUCH appreciated!

3

I see you’ve got a /ip hotspot user profile, but I can’t see any “/ip hotspot” server, or an ip hotspot server profile
e.g.Hotspot server

/ip hotspot
add address-pool=POOL-OranaWiFi disabled=no idle-timeout=10m interface=wlan1 name=hotspot1 profile=hsprof2

and hotspot server profile

/ip hotspot profile
set [ find default=yes ] dns-name=my.domain login-by=mac,http-chap mac-auth-password=secret
add dns-name=my.domain hotspot-address=192.168.10.1 login-by=mac,http-chap mac-auth-password=secret name=hsprof2

or any /ip hotspot users

4

Thanks everyone who had a peek and made suggestions - resolved with update to UniFi 3.16!

5

Hi, can you help me with my configuration?
http://forum.mikrotik.com/t/mikrotik-rb2011-unifi-2-ssid-and-local-network/83014/4