nunizgb

Crs326 and Unifi Pro AP

Sat Jun 03, 2023 6:33 pm

Hello,

I have set up my CRS309 with VLANs, where the RJ45 is connected to the WAN and ether8 (SFP) is connected to the CRS326.

On the CRS309 I have made MGMT VLAN 80, Wifi VLAN 2, WIFI GUEST VLAN 3, IOT VLAN 4 and Local VLAN 5, and for all VLANs I have made DHCP.

So ether8 on the CRS309 is a trunk port where pvid = 1 and admit all.
On bridge VLAN, for all VLANs I have put this, for example for
MGMT VLAN
Bridge : Local
Vlan ID : 80
Tagged : Local, Ether8 (link to CRS326)
Untagged : Ether2, Ether3, Ether4, Ether5, Ether6, Ether7

Local VLAN
Bridge : Local
Vlan ID : 5
Tagged : Local, Ether8
Untagged : Ether2, Ether3, Ether4, Ether5, Ether6, Ether7

Wifi VLAN
Bridge : Local
Vlan ID : 2
Tagged : Local, Ether8
Untagged : Ether2, Ether3, Ether4, Ether5, Ether6, Ether7

On my CRS326, on ether9 where the Unifi AP is connected, on the bridge port I have made this:
Pvid : 80
Frame Types : Admit All

So my Unifi gets an IP address from the MGMT pool.

On my Unifi AP I make Wifi VLAN 5 and 2.

So if someone connects to Wifi Home, it will get an IP address from the VLAN pool.

But when I connect to wifi 2, which is VLAN 2, I cannot get my IP address from the Wifi LAN pool?

I have heard that for Unifi it must be a hybrid port, so how can I make hybrid port 5 when a switch is connected to the CRS309 from a trunk port?

Could someone help me please?
Thanks
 
anav
Re: Crs326 and Unifi Pro AP  [SOLVED]

Sat Jun 03, 2023 6:51 pm

Can't help with switch VLAN setup.
But for a hybrid bridge VLAN setup,

it's
/interface bridge port
add bridge=bridge interface=etherX pvid=YY ( where X is the port and YY is the vlan that needs to go untagged --> typically the Unifi vlan )

/interface bridge vlan
add bridge=bridge tagged=bridge,etherX,????,????? vlan-ids=AA { where ??? represents other ports being tagged for example }
add bridge=bridge tagged=bridge,etherX,????,????? vlan-ids=BB

Where, AA and BB are vlans that are probably destined for wifi traffic.

Note if AA and BB are the only vlans going to the access point besides the Unifi control vlan then it can be
add bridge=bridge tagged=bridge,etherX vlan-ids=AA,BB
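The hybrid-port logic above, as an added example (my own Python model, not anav's or MikroTik's code): it mimics RouterOS bridge VLAN filtering on the CRS326 to show why the AP port needs pvid=80 for untagged management traffic and must also be a tagged member of each Wi-Fi VLAN, otherwise the AP's tagged frames are dropped at ingress. VLAN numbers follow the thread; the port names sfp1/ether9 are assumptions.

```python
# Added example, not code from the thread: a small model of RouterOS bridge
# VLAN filtering showing why the AP port (ether9 on the CRS326) must be a
# hybrid port: pvid=80 for the untagged management VLAN and a tagged member of
# the Wi-Fi VLANs. VLAN numbers follow the thread; port names are assumptions.
from dataclasses import dataclass, field

@dataclass
class BridgeVlanTable:
    pvid: dict                                  # port -> pvid
    tagged: dict = field(default_factory=dict)  # vlan-id -> set of tagged member ports

    def ingress(self, port, vid=None):
        """VLAN a frame entering `port` is admitted to, or None if dropped.
        vid=None means the frame arrived untagged (frame-types=admit-all)."""
        if vid is None:
            return self.pvid[port]              # untagged frame -> the port's pvid
        if port in self.tagged.get(vid, set()):
            return vid                          # port is a tagged member of that VLAN
        return None                             # vlan-filtering drops it

    def egress(self, vid, port):
        """'tagged', 'untagged' or None, as the bridge vlan table would show it."""
        if port in self.tagged.get(vid, set()):
            return "tagged"
        if self.pvid.get(port) == vid:
            return "untagged"                   # RouterOS adds the pvid port as untagged member
        return None

def crs326(ap_port_tagged: bool) -> BridgeVlanTable:
    """CRS326 as in the thread: sfp1 is the trunk to the CRS309, ether9 faces the
    AP with pvid=80. ap_port_tagged=True adds ether9 as a tagged member of the
    Wi-Fi VLANs (anav's hybrid-port fix); False leaves them on the trunk only."""
    wifi = {"bridge", "sfp1"} | ({"ether9"} if ap_port_tagged else set())
    return BridgeVlanTable(pvid={"sfp1": 1, "ether9": 80},
                           tagged={80: {"bridge", "sfp1"}, 2: wifi, 5: wifi})

def ap_frames(table):
    """Verdict for what the AP sends on ether9: untagged management traffic,
    and tagged frames for the two Wi-Fi SSIDs (VLAN 2 and VLAN 5)."""
    return {"mgmt": table.ingress("ether9"),
            "wifi2": table.ingress("ether9", 2),
            "wifi5": table.ingress("ether9", 5)}

if __name__ == "__main__":
    print("before:", ap_frames(crs326(False)))  # {'mgmt': 80, 'wifi2': None, 'wifi5': None}
    print("after: ", ap_frames(crs326(True)))   # {'mgmt': 80, 'wifi2': 2, 'wifi5': 5}
```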
 
nunizgb

Re: Crs326 and Unifi Pro AP

Sat Jun 03, 2023 7:48 pm

Thanks for the reply.

I have made, for example for the wifi guest, this correction with your help anav, thanks:
Wifi VLAN
Bridge : Local
Vlan ID : 2
Tagged : Bridge, SFP1 (link to CRS309, gateway to internet), Ether9 (Unifi AP)

I got my DHCP IP address for all my wifi VLANs from the Unifi AP, and on my CRS309 where the WAN is, on the firewall I put this:
Chain : srcnat
SrcAddress : 192.XXX.YY.0/24 ==> Wifi VLAN 2
Out Interface List : Wan
Action : masquerade

I have my IP address and Internet.

I have one more question: how can I make it so that users from Wifi Guest VLAN 5 can see VLAN 2?

What should I put in the firewall?

One more time, thanks anav for your help, which made my Unifi AP work.
 
anav

Re: Crs326 and Unifi Pro AP

Sat Jun 03, 2023 8:08 pm

Well, it's hard to say without seeing your current firewall.
Typically LAN traffic is not blocked,
but if it is, then simply add a forward chain accept rule before any last rule that
states the originating subnet (src-address) .0/24 and the receiving subnet (dst-address) .0/24.
 
nunizgb

Re: Crs326 and Unifi Pro AP

Sat Jun 03, 2023 8:50 pm

OK, thanks.
For example, if I put this filter on
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related disabled=yes
add action=accept chain=input comment="Allow VLAN" disabled=yes in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" disabled=yes in-interface=MGMT_VLAN
add action=drop chain=input comment=Drop disabled=yes
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related disabled=yes
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new disabled=yes in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop disabled=yes

What does this do?

And for my NAT I already have this:

/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN src-address=192.XXX.YY.0/24
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN src-address=192.XXX.BB.0/24
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN src-address=192.XXX.CC.0/24
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN src-address=192.XXX.DD.0/24

So how do I make it so that IP DD can only go to the internet, but local traffic is forbidden and it cannot go to the same site?

And how do I make it so that IP CC can only go local but not to the internet, except some IPs ==> this is for IOT, for example device A can only get updates from one IP, all other WAN access is blocked, but it can be seen locally.

Thanks
 
anav

Re: Crs326 and Unifi Pro AP

Sat Jun 03, 2023 9:08 pm

The simple, clean way..........

{forward chain}
(default rules)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(admin rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
***********************************************************************
add action=drop chain=forward comment="drop all else"

***** This is where you need to add any ALLOW RULES............ as all traffic other than already permitted is blocked!!!

+++++++++++++++++++++++++++++++++++++++++++++++

So the ruleset above allows
a. all LAN to INTERNET
b. any port forwardings if applicable, if not you can disable or remove the port forwarding rule.
c. nothing else.

Therefore if you have traffic between subnets you wish to allow you have to add it, because right now it is blocked.

To prevent some IP addresses from going out to the internet, create a firewall address list, call it LOCAL-ONLY
/ip firewall address-list
add address=x.x.x.x list=LOCAL-ONLY
add address=y.y.y.y list=LOCAL-ONLY
add address=z.z.z.z list=LOCAL-ONLY

Then you have two choices, either add a rule before the allow all LAN to internet rule or modify the allow all to internet rule.

A. (additional rule added)
(admin rules)
add action=drop chain=forward comment="block internet traffic" src-address-list=LOCAL-ONLY out-interface-list=WAN
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN


This is clear and obvious: we block access to the WAN for the identified IP addresses first, then allow the rest of the LAN to the WAN.

B. (modify existing rule)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN src-address-list=!LOCAL-ONLY out-interface-list=WAN

This is a bit more efficient but not as clearly stated. In this case we state an additional condition: it has to be from the LAN and going out the WAN,
AND from any address not on the address list. In other words, by itself the new rule would state that any address 0.0.0.0/0, except the ones we identified in the address list, is allowed out to the WAN.
Since we also have the condition in-interface-list=LAN, the rule really means any address existing on the LAN interface, except the ones identified in the address list, is allowed out the WAN.
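To make the first-match behaviour of this forward chain concrete, here is an added Python example (my own model, not anav's ruleset or RouterOS code): it evaluates variant A (explicit drop rule) and variant B (src-address-list=!LOCAL-ONLY) over a few constructed connections and shows they give the same verdict, while traffic between VLANs falls through to "drop all else". Only new connections are modelled, so the established/related and fasttrack rules are left out; interface lists, the RFC 5737 demo addresses and the LOCAL-ONLY entries are assumptions.

```python
# Added example, not code from the thread: a first-match evaluator for the
# forward chain anav describes. It checks that variant A (explicit drop rule)
# and variant B (src-address-list=!LOCAL-ONLY) reach the same verdict, and that
# inter-VLAN traffic hits "drop all else". Interface lists, addresses and the
# LOCAL-ONLY entries are constructed; only new connections are modelled.
from ipaddress import ip_address

LAN = {"MGMT_VLAN", "WIFI_VLAN", "GUEST_VLAN", "IOT_VLAN"}   # interface list LAN
WAN = {"ether1"}                                             # interface list WAN
LOCAL_ONLY = {ip_address("192.0.2.50"), ip_address("192.0.2.51")}  # RFC 5737 demo hosts

def matches(rule, pkt):
    """Every condition the rule states must hold; unstated ones match anything."""
    return (pkt["in"] in rule.get("in_list", {pkt["in"]})
            and pkt["out"] in rule.get("out_list", {pkt["out"]})
            and pkt["src"] in rule.get("src_list", {pkt["src"]})
            and pkt["src"] not in rule.get("not_src_list", set()))  # src-address-list=!X

def forward_chain(rules, pkt):
    """RouterOS semantics: the first matching rule's action is the verdict."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"   # a chain with no matching rule accepts (no implicit drop)

DROP_ALL = {"action": "drop"}                                       # drop all else
VARIANT_A = [
    {"action": "drop", "src_list": LOCAL_ONLY, "out_list": WAN},   # block internet traffic
    {"action": "accept", "in_list": LAN, "out_list": WAN},         # allow internet traffic
    DROP_ALL,
]
VARIANT_B = [
    {"action": "accept", "in_list": LAN, "not_src_list": LOCAL_ONLY, "out_list": WAN},
    DROP_ALL,
]

SAMPLES = [
    ("192.0.2.10", "WIFI_VLAN", "ether1"),      # ordinary LAN host to the internet
    ("192.0.2.50", "IOT_VLAN", "ether1"),       # LOCAL-ONLY host to the internet
    ("192.0.2.50", "IOT_VLAN", "WIFI_VLAN"),    # LOCAL-ONLY host to another VLAN
    ("192.0.2.10", "GUEST_VLAN", "WIFI_VLAN"),  # guest VLAN to Wi-Fi VLAN (the question above)
]

def verdict(rules, src, in_if, out_if):
    return forward_chain(rules, {"src": ip_address(src), "in": in_if, "out": out_if})

def verdicts(rules):
    return [verdict(rules, *s) for s in SAMPLES]  # A and B: accept, drop, drop, drop
```

Swapping the first two rules of variant A lets the LOCAL-ONLY host out, which is why anav places the drop before the accept.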
 
nunizgb

Re: Crs326 and Unifi Pro AP

Sat Jun 03, 2023 9:12 pm

Thanks, I will try to understand it and put it on to test it :-)
 
anav

Re: Crs326 and Unifi Pro AP

Sat Jun 03, 2023 9:15 pm

There are three things you need to understand.
Firewall rules either allow or block traffic. They are permission rules.
They do not move or direct traffic; the router simply uses these to see if the desired traffic should be allowed to travel........
The IP routes and routing rules etc. create PATHS for the traffic.
Sourcenat is to modify the source address of outgoing traffic for some purpose.
The usual one is out the WAN, so the WWW always sees our public IP address visiting sites.
The return traffic gets sent back to our public IP and the router then translates that back to the private IP.......

All to say, I don't understand your sourcenat rules.
Unless you have a specific purpose, the default rule suffices to provide any outgoing traffic with the public IP of your router.
Attempting to use it to apply any other logic (such as allowed traffic) is normally not required and is best handled in firewall rules.

All you need!!!
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
