DeltaCreek
just joined
Topic Author
Posts: 10
Joined: Sun Jun 19, 2022 11:35 pm

VLANs between Unifi and MikroTik

Sun Mar 17, 2024 10:43 am

Hello. I have a hEX S that I wasn't using and decided to play around and learn more about VLANs. The rest of the network is powered by Unifi. In its management console I've created a VLAN with ID 3 called Guest. There's also a DHCP server for the 192.168.3.0/24 subnet for that VLAN.

I'd like the MikroTik to act as a switch but to only allow traffic with VLAN ID 3 set. Normally I think you'd do this on the Unifi switch connected to the MikroTik device. It's a cheap Flex Mini, however, and doesn't support assigning individual ports to a VLAN.

Requirements: all traffic into the hEX S's ethernet port 1 from the Unifi switch must be tagged with ID 3 and then untagged (I think this is done at the bridge level). All traffic out of the ethernet port 1 should have ID 3 tagged.

I've looked at the docs and hammered out the below configuration. Is there a better way to do this? Am I doing anything unnecessary? Thanks.
/interface bridge
add name=bridge
/interface vlan
add interface=ether1 name=vlan3 vlan-id=3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=vlan3
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=3
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=3
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=3
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=3
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge tagged=vlan3 vlan-ids=3
/ip dhcp-client
add disabled=no interface=bridge
/system clock
set time-zone-name=Europe/London
 
xrlls
Frequent Visitor
Posts: 51
Joined: Sun Jan 13, 2019 4:43 pm

Re: VLANs between Unifi and MikroTik

Sun Mar 17, 2024 12:37 pm

Hi,

Is your configuration currently working? It looks a bit odd to me.

I am assuming that you want the Hex to act as a switch and acquire a DHCP lease for itself on VLAN3, right?

If so, I am not sure why you have the DHCP client on the bridge while ether1, connecting to your Unifi network, is not.

I would suggest changing the following:

Move the VLAN interface to the bridge
/interface vlan
add interface=bridge name=vlan3 vlan-id=3
Add ether1 to the bridge with VLAN3 tagged
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 pvid=3
Change the DHCP client to the VLAN interface:
/ip dhcp-client
add disabled=no interface=vlan3

After doing all this, check:
/interface bridge vlan
You will see an overview of your VLANS, and on which ports they are tagged and untagged.
 
DeltaCreek
just joined
Topic Author
Posts: 10
Joined: Sun Jun 19, 2022 11:35 pm

Re: VLANs between Unifi and MikroTik

Sun Mar 17, 2024 4:12 pm

Is your configuration currently working? It looks a bit odd to me.
It does seem to be working, yes :)

The missing piece for me was adding the vlan3 interface to the bridge itself instead of the ether1. I tried to imagine ether1 -> vlan3 taking the place of a cable between a port configured on the Flex Mini itself and the MikroTik device, kind of like the ether1 port in the default AP Switch configuration. This is also why I added the DHCP client to the bridge. It did pick up the right IP address as did a machine that I plugged into another port.

I'll give your tweaks a shot and report back.
 
DeltaCreek
just joined
Topic Author
Posts: 10
Joined: Sun Jun 19, 2022 11:35 pm

Re: VLANs between Unifi and MikroTik

Sun Mar 17, 2024 5:08 pm

I tried making those changes but when I plug a laptop into another port, I'm getting an IP address from the default network. This suggests packets aren't being tagged with VLAN ID 3 on their way out of the bridge (or router... I think?).

Is the `/interface bridge vlan` section correct? What about the other ports? Do I need to turn on vlan filtering? Turning that on tends to lead to a hard reset :)
[admin@MikroTik] > /export hide-sensitive 
# mar/17/2024 14:59:12 by RouterOS 6.49.13
# model = RB760iGS
/interface bridge
add name=bridge
/interface vlan
add interface=bridge name=vlan3 vlan-id=3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=3
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=3
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=3
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=3
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 pvid=3
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge vlan-ids=3
/ip dhcp-client
add disabled=no interface=vlan3
/system clock
set time-zone-name=Europe/London
[admin@MikroTik] > /interface bridge vlan
[admin@MikroTik] /interface bridge vlan> print
Flags: X - disabled, D - dynamic 
 #   BRIDGE           VLAN-IDS  CURRENT-TAGGED          CURRENT-UNTAGGED         
 0   bridge           3        
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLANs between Unifi and MikroTik  [SOLVED]

Sun Mar 17, 2024 5:17 pm

Assuming for example vlan3 gateway is 192.168.33.1

(1) Why do you assign a PVID on the trunk port?? Remove it.
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 pvid=3

(2) You can add to each bridge port ingress-filtering=yes

(3) There is no need to set a DHCP client; this is a private network and you should set the IP statically. Remove the ip dhcp client and replace it with:

/ip address
add address=192.168.33.XY interface=vlan3 network=192.168.33.0 comment="hex address"


(4) Other rules for optimal switch functionality.
/interface list
add name=MGMT
/interface list members
add interface=vlan3 list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip dns
set allow-remote-requests=yes servers=192.168.33.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.33.1 routing-table=main
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

Edit: As per the next poster, quite right, the last step is to add vlan-filtering=yes to the bridge itself.
Last edited by anav on Sun Mar 17, 2024 11:11 pm, edited 1 time in total.
 
xrlls
Frequent Visitor
Posts: 51
Joined: Sun Jan 13, 2019 4:43 pm

Re: VLANs between Unifi and MikroTik

Sun Mar 17, 2024 11:08 pm

Regarding (1) @anav is absolutely right, adding the pvid is an oversight that results in the vlan being untagged, which is not what you need, as your port is a trunk port.

To specify what ports the vlan is available on, tagged, instead do this:
/interface bridge vlan
add vlan-ids=3 tagged=ether1
No need to add the untagged interfaces, as you have specified the pvids on the ports.

Also, as you are on to it yourself, you need to enable vlan-filtering on the bridge.
 
DeltaCreek
just joined
Topic Author
Posts: 10
Joined: Sun Jun 19, 2022 11:35 pm

Re: VLANs between Unifi and MikroTik

Sun Mar 17, 2024 11:51 pm

I've updated the configuration to the below but when I enabled VLAN filtering, I lost access to the router's management console. Prior to enabling VLAN filtering, I still received `192.168.0.165` from the DHCP server, which indicates something is still off. Hmm
/interface bridge
add name=bridge pvid=3 vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan3 vlan-id=3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=3
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=3
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=3
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5 pvid=3
/ip neighbor discovery-settings
set discover-interface-list=all
/ip address
add address=192.168.3.11/24 interface=vlan3 network=192.168.3.0
 
xrlls
Frequent Visitor
Posts: 51
Joined: Sun Jan 13, 2019 4:43 pm

Re: VLANs between Unifi and MikroTik

Mon Mar 18, 2024 9:44 am

Hi, the problem with VLANs is not cutting the branch you are sitting on... It is not obvious which interface you are using to connect when performing the configuration, but you would want to keep the configuration of that interface unchanged until you have verified the remainder of your configuration. Since ether1 is your trunk port, you would need to configure this port, so maybe connect to ether 2 through 5 during configuration, and do not add the port you chose to the bridge until everything else is working.

Possibly consider adding an IP address specifically to the port you are using for configuration.

Best regards,
Xrlls
 
DeltaCreek
just joined
Topic Author
Posts: 10
Joined: Sun Jun 19, 2022 11:35 pm

Re: VLANs between Unifi and MikroTik

Tue Mar 19, 2024 12:16 pm

Possibly consider adding an IP address specifically to the port you are using for configuration.
Thanks, I did this and the below configuration did the trick. The issue was the "pvid=3" in
/interface bridge add name=bridge pvid=3 vlan-filtering=yes
Removing that and adding "frame-types=admit-only-vlan-tagged" fixed it.

Some follow up questions if you have the time:
  • Why is the vlan's interface being set to the bridge? How does that bring the interface into play? I'm confused about ether1 being *on* the bridge itself vs the vlan's interface being set to the bridge but not on it. For example, what is the flow of a DHCPDISCOVER request from a device on ether2 to a Raspberry Pi connected to a Unifi switch?
  • Is this correct? Do I need "bridge" tagged as well?
    /interface bridge vlan add bridge=bridge tagged=ether1,bridge vlan-ids=3
  • Should I set
    ingress-filtering=yes
    on all ports, including ether1?
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan3 vlan-id=3
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=3
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=3
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=3
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=3
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge vlan-ids=3
/ip address
add address=192.168.3.11/24 interface=vlan3 network=192.168.3.0
 
xrlls
Frequent Visitor
Posts: 51
Joined: Sun Jan 13, 2019 4:43 pm

Re: VLANs between Unifi and MikroTik

Tue Mar 19, 2024 10:56 pm

Regarding your follow up questions:
  • The bridge is a layer 2 device, not unlike an Ethernet switch. Traffic is allowed to pass between ports when the ports are on the same bridge. On a device like yours with a switch chip, configuring the bridge correctly offloads the VLAN processing to hardware. This allows traffic to pass between ports without involving the CPU of the device. MikroTik's examples all outline adding the VLAN interface to the bridge if the interface used is added to a bridge. In general you should only configure a VLAN interface directly on ether ports if the port is not part of a bridge. While other configurations may work, going creative will likely result in the hardware acceleration being disabled and the layer 2 traffic being handled by the CPU. I have not tried it myself :) You can see if hardware acceleration is enabled for an Ethernet interface in /interface bridge port. For the Raspberry Pi example, the DHCPDISCOVER flows untagged into ether2, over the (hardware accelerated, i.e. switch chip) bridge, and leaves tagged on ether1.
  • You should have the bridge tagged as well, to enable layer 2 connectivity to the CPU. When specifying the VLAN you can specify a list or range of VLAN IDs in one go, setting all of them as tagged. If specifying a range as tagged on the bridge, you can then select which of them you want to work with when adding interfaces to /interface vlan.
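To make the frame flow in the answer above concrete, here is an added Python model (not from the thread and not RouterOS code) of the bridge VLAN table logic discussed in it: frame-types admission, PVID assignment for untagged frames, ingress-filtering membership checks, and tagged versus untagged egress, built from the final configuration posted earlier with ingress-filtering=yes on every port. The vlan_filtering=False path reproduces the earlier symptom where a laptop on ether2 got a lease from the default network; the Port, Bridge and thread_final_config names are assumptions for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    frame_types: str = "admit-all"  # or admit-only-vlan-tagged / admit-only-untagged-and-priority-tagged
    pvid: int = 1
    ingress_filtering: bool = False

@dataclass
class Bridge:
    vlan_filtering: bool
    ports: dict                                  # port name -> Port; "bridge" is the CPU-facing port
    tagged: dict = field(default_factory=dict)   # /interface bridge vlan: vid -> ports carrying it tagged

    def forward(self, in_port, vid=None):
        """Map a frame entering in_port (vid None = untagged) to {egress_port: vid or None}."""
        if not self.vlan_filtering:
            # Plain switch: tags are neither checked nor added, so an untagged client frame
            # leaves the trunk untagged and lands in the upstream default network.
            return {n: vid for n in self.ports if n != in_port}
        p = self.ports[in_port]
        tagged_in = vid not in (None, 0)          # VID 0 means a priority-tagged frame
        if p.frame_types == "admit-only-vlan-tagged" and not tagged_in:
            return {}                              # untagged frame arriving on the trunk is dropped
        if p.frame_types == "admit-only-untagged-and-priority-tagged" and tagged_in:
            return {}                              # tagged frame arriving on an access port is dropped
        if not tagged_in:
            vid = p.pvid                           # untagged frames are assigned the port PVID
        tagged_out = self.tagged.get(vid, set())
        untagged_out = {n for n, q in self.ports.items() if q.pvid == vid}  # dynamic untagged members
        if p.ingress_filtering and in_port not in tagged_out | untagged_out:
            return {}                              # ingress port is not a member of this VLAN
        out = {n: vid for n in tagged_out if n != in_port}          # keep/add the 802.1Q tag
        out.update({n: None for n in untagged_out if n != in_port})  # strip the tag on access ports
        return out                                # "bridge": 3 is what the vlan3 interface on the bridge sees

def thread_final_config(vlan_filtering=True, ingress_filtering=True):
    """Constructed from the last posted config: ether1 trunk, ether2-5 access on PVID 3, CPU tagged."""
    access = lambda: Port("admit-only-untagged-and-priority-tagged", 3, ingress_filtering)
    ports = {"ether1": Port("admit-only-vlan-tagged", 1, ingress_filtering),
             "bridge": Port("admit-only-vlan-tagged", 1, ingress_filtering)}
    ports.update({f"ether{i}": access() for i in range(2, 6)})
    return Bridge(vlan_filtering, ports, {3: {"ether1", "bridge"}})

if __name__ == "__main__":
    print("DHCPDISCOVER from ether2:", thread_final_config().forward("ether2"))
    print("same without vlan-filtering:", thread_final_config(vlan_filtering=False).forward("ether2"))
```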
