Community discussions

MikroTik App
 
mikehhhhhhh
just joined
Topic Author
Posts: 10
Joined: Tue Apr 27, 2021 10:47 am

Guest VLAN issues

Wed May 05, 2021 3:57 pm

I'm trying to setup a guest Wifi network

Router is Mikrotik 4011, Switch is an old Netgear GS724TP, APs are Unifi U6-Lite

I've created the network and SSID in Unifi for my APs
I've created the VLAN on my managed switch and assigned it to every port as tagged

I've then setup everything in the Mikrotik according to what I could find in the documentation and various forum posts in the hope of creating a new VLAN Interface on bridge with a new DHCP server issuing leases from a separate "guest" pool.

When I connect a device to that network (I've tried many after seeing DHCP issues with Apple products), I see a lease with state `offered` before getting a log entry that it was offered without success. I've tried setting IP manually inside the new network and I'm unable to ping the router.

I'm guessing something must be working if I'm getting a lease offered from the correct DHCP server, but I'm guessing something L2 is configured incorrectly.

# may/05/2021 13:43:22 by RouterOS 6.48.2
# software id = Y7QR-K6J3
#
# model = RB4011iGS+
/interface bridge
add admin-mac=00:BB:01:32:00:00 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1526 mtu=1508
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 max-mru=1500 max-mtu=\
    1500 name=pppoe-out1 use-peer-dns=yes user=*
/interface vlan
add interface=bridge mtu=1504 name="Guest Wifi" vlan-id=93
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip kid-control
add name=Lily
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=guest ranges=192.168.93.2-192.168.93.254
/ip dhcp-server
add address-pool=guest bootp-support=none disabled=no interface="Guest Wifi" \
    name=dhcp1
/queue simple
add limit-at=512k/512k max-limit=512k/512k name=ICMP packet-marks=icmp-pkt \
    priority=6/6 target=""
add dst=pppoe-out1 max-limit=100M/0 name=queue1 target=""
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge untagged=bridge,ether2,ether4,ether5,ether6,ether7 vlan-ids=1
add bridge=bridge tagged=bridge,ether2 vlan-ids=93
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether3 list=WAN
add interface="Guest Wifi" list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
add address=192.168.93.1/24 comment="Guest Network" interface="Guest Wifi" \
    network=192.168.93.0
/ip dhcp-client
add comment=defconf interface=ether1
add add-default-route=no !dhcp-options disabled=no interface=ether3

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 domain=lan \
    gateway=192.168.88.1
add address=192.168.93.0/24 dns-server=192.168.93.1 gateway=192.168.93.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=icmp-con \
    passthrough=yes protocol=icmp
add action=mark-connection chain=postrouting new-connection-mark=icmp-con \
    passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=icmp-con \
    new-packet-mark=icmp-pkt passthrough=yes protocol=icmp
add action=mark-packet chain=postrouting connection-mark=icmp-con \
    new-packet-mark=icmp-pkt passthrough=yes protocol=icmp
add action=mark-connection chain=prerouting comment=\
    "Mark all management traffic to this router as priority 1" \
    dst-address-type=local dst-port=21,22,23,80,443,8291,8728,8729 \
    new-connection-mark=p1 protocol=tcp
add action=mark-connection chain=prerouting comment="VOIP to our VOIP gateways" \
    connection-mark=no-mark new-connection-mark=p1 src-address-list=\
    VOIP_Gateways
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip route
add check-gateway=ping distance=1 gateway=8.8.8.8
add check-gateway=ping distance=2 gateway=8.8.4.4
add distance=1 dst-address=8.8.4.4/32 gateway=192.168.8.1 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=51.148.72.22 scope=10
/system clock
set time-zone-name=Europe/London
/tool graphing interface
add interface=pppoe-out1
/tool graphing queue
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
erlinden
Forum Guru
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Guest VLAN issues

Wed May 05, 2021 4:20 pm

I prefer not to use VLAN 1 in a multi VLAN network. You might want to consider changing that in accordance to this great tutorial:
viewtopic.php?t=143620
 
tdw
Forum Guru
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Guest VLAN issues

Wed May 05, 2021 4:21 pm

Nothing immediately obvious, changing the MTU under /interface vlan is unnecessary and may cause other issues.

Have you tried connecting the UniFi AP directly to the Mikrotik via a PoE injector to rules out configuration of the Netgear switch?

The add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN rule will prevent access from the new guest network to the Mikrotik, so no response to ICMP or DNS lookups for example.

Probably unrelated, but there is a bug in older Mikrotik default configs which incorrectly attaches the LAN IP address to one of the members instead of the parent bridge
add address=192.168.88.1/24 comment=defconf interface=ether2bridge network=192.168.88.0
 
mikehhhhhhh
just joined
Topic Author
Posts: 10
Joined: Tue Apr 27, 2021 10:47 am

Re: Guest VLAN issues

Wed May 05, 2021 4:29 pm

Appreciate the tips, guys!

So it seems like I may have misunderstood what `vlan-filtering` on bridge does.

I've removed this, and everything is good now.
 
tdw
Forum Guru
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Guest VLAN issues

Wed May 05, 2021 4:38 pm

Removing vlan-filtering=yes makes the bridge act as an unmanaged switch so any VLAN-tagged traffic can egress from all ports, usually undesirable.
 
mikehhhhhhh
just joined
Topic Author
Posts: 10
Joined: Tue Apr 27, 2021 10:47 am

Re: Guest VLAN issues

Wed May 05, 2021 5:05 pm

Removing vlan-filtering=yes makes the bridge act as an unmanaged switch so any VLAN-tagged traffic can egress from all ports, usually undesirable.
Ok, so that's no good!

Interestingly setting EtherType 0x88a8 works but I'm not sure if that effectively turns off filtering or if vlan tagging is somehow 802.1ad
 
tdw
Forum Guru
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Guest VLAN issues

Wed May 05, 2021 5:24 pm

That would only filter packets using 0x88a8 ethertype for tagging, UniFi uses regular 802.1Q 0x8100
 
mikehhhhhhh
just joined
Topic Author
Posts: 10
Joined: Tue Apr 27, 2021 10:47 am

Re: Guest VLAN issues

Wed May 05, 2021 6:27 pm

Yeah, I had a feeling that was the case.

How frustratingly bizare.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Guest VLAN issues

Wed May 05, 2021 6:53 pm

Not frustrating if you read the link provided, very easy to setup as for understanding this may help.

viewtopic.php?p=849580#p849580

Who is online

Users browsing this forum: donkeyKong, ItchyAnkle, Soleous75 and 88 guests