jzizka
just joined
Topic Author
Posts: 19
Joined: Sun Jun 12, 2022 12:38 pm

Bridge VLAN's and Unifi AP with multiple SSID

Sun Jun 12, 2022 1:45 pm

Hi.

I'm struggling with configuring Bridge VLAN for my multiple SSID Unifi AP.

I was able to configure VLANs for the Guest (VLAN 32) and IoT (VLAN 33) SSIDs and they seem to work well. However, I'm not able to configure the VLAN for the Staff SSID (VLAN 31).

The idea is to have the AP, which is connected to port 5, in the VLAN 31 network. I configured port 5 as an access port via Bridge port:
add bridge=bridge-local interface=ether5 multicast-router=disabled pvid=31
and then tagged that port in Bridge VLAN:
add bridge=bridge-local tagged=bridge-local,ether5 untagged=ether2,ether3,ether4 vlan-ids=31
It was working for about a minute before the AP got disconnected for some reason.

If the Bridge VLAN configuration is like this:
add bridge=bridge-local tagged=bridge-local untagged=ether2,ether3,ether4,ether5 vlan-ids=31
the Guest and IoT SSIDs are working properly but not the Staff SSID.

I'm not sure what I'm doing wrong. Can someone help, please?

Topology: [topology image]

Mikrotik Config:
# model = RB760iGS
# serial number = <CENSORED>

/interface bridge
add name=bridge-local vlan-filtering=yes

/interface vlan
add interface=bridge-local name=vlan31-staff vlan-id=31
add interface=bridge-local name=vlan32-guest vlan-id=32
add interface=bridge-local name=vlan33-iot vlan-id=33

/ip pool
add name=dhcp-pool-staff ranges=10.8.31.20-10.8.31.249
add name=dhcp-pool-guest ranges=10.8.32.20-10.8.32.249
add name=dhcp-pool-iot ranges=10.8.33.20-10.8.33.249

/ip dhcp-server
add address-pool=dhcp-pool-staff disabled=no interface=vlan31-staff name=dhcp-staff
add address-pool=dhcp-pool-guest disabled=no interface=vlan32-guest name=dhcp-guest
add address-pool=dhcp-pool-iot disabled=no interface=vlan33-iot name=dhcp-iot

/interface bridge port
add bridge=bridge-local interface=ether2 multicast-router=disabled pvid=31
add bridge=bridge-local interface=ether3 multicast-router=disabled pvid=31
add bridge=bridge-local interface=ether4 multicast-router=disabled pvid=31
add bridge=bridge-local interface=ether5 multicast-router=disabled pvid=31

/interface bridge vlan
add bridge=bridge-local tagged=bridge-local,ether5 untagged=ether2,ether3,ether4 vlan-ids=31
add bridge=bridge-local tagged=ether5,bridge-local vlan-ids=32
add bridge=bridge-local tagged=ether5,bridge-local vlan-ids=33

/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=bridge-local list=LAN

/ip address
add address=10.8.31.1/24 interface=vlan31-staff network=10.8.31.0
add address=10.8.32.1/24 interface=vlan32-guest network=10.8.32.0
add address=10.8.33.1/24 interface=vlan33-iot network=10.8.33.0

/ip dhcp-client
add interface=bridge-local
add interface=ether1

/ip dhcp-server network
add address=10.8.31.0/24 dns-server=10.7.31.32,8.8.8.8 gateway=10.8.31.1
add address=10.8.32.0/24 dns-server=10.7.31.32,8.8.8.8 gateway=10.8.32.1
add address=10.8.33.0/24 dns-server=10.7.31.32,8.8.8.8 gateway=10.8.33.1

/ip dns
set servers=8.8.8.8

/ip firewall nat
add action=masquerade chain=srcnat src-address=10.8.31.0/24
add action=masquerade chain=srcnat src-address=10.8.32.0/24
add action=masquerade chain=srcnat src-address=10.8.33.0/24
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: Bridge VLAN's and Unifi AP with multiple SSID

Sun Jun 12, 2022 7:14 pm

Port's pvid is untagged vlan number, you don't want that when vlan 31 should be tagged there. Keep it default pvid 1 and you can enable filtering that will only accept tagged packets on ether5.
 
jzizka
just joined
Topic Author
Posts: 19
Joined: Sun Jun 12, 2022 12:38 pm

Re: Bridge VLAN's and Unifi AP with multiple SSID

Sun Jun 12, 2022 7:40 pm

Port's pvid is untagged vlan number, you don't want that when vlan 31 should be tagged there. Keep it default pvid 1 and you can enable filtering that will only accept tagged packets on ether5.
Thanks for the feedback, Sob. I tried that but it doesn't work, since the ether5 port the AP is connected to needs to be untagged too, so the AP is manageable and gets an address from the VLAN 31 network (10.8.31.0/24). I suppose ether5 has to be a hybrid port, maybe? Not sure how to configure it to make it work, though.
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: Bridge VLAN's and Unifi AP with multiple SSID

Sun Jun 12, 2022 8:03 pm

Hybrid ports exist and RouterOS can have them, but what you want is the same VLAN id both tagged and untagged on one port. I don't think you can have that. Can't you tell the AP to connect the Staff SSID with an untagged uplink?

Another way would be to use different VLAN id for untagged packets between router and AP, with point to point /32 IP addresses, and make AP's address available to the rest of subnets using proxy ARP. If L3 access would be enough, it would work. But it doesn't seem very nice.
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: Bridge VLAN's and Unifi AP with multiple SSID

Sun Jun 12, 2022 8:43 pm

If you are using the UniFi controller default network, which is always untagged, for management just attach the Staff network SSID to that. You do not need a network defined for VLAN 31, only VLAN 32 & 33 to be able to link SSIDs to those.

Configure the Mikrotik port connected to the AP with VLAN 31 untagged, VLANs 32 & 33 tagged.
 
jzizka
just joined
Topic Author
Posts: 19
Joined: Sun Jun 12, 2022 12:38 pm

Re: Bridge VLAN's and Unifi AP with multiple SSID

Sun Jun 12, 2022 10:40 pm

If you are using the UniFi controller default network, which is always untagged, for management just attach the Staff network SSID to that. You do not need a network defined for VLAN 31, only VLAN 32 & 33 to be able to link SSIDs to those.

Configure the Mikrotik port connected to the AP with VLAN 31 untagged, VLANs 32 & 33 tagged.
If I let the Staff SSID use the Default LAN Network in the Unifi Controller, then it seems that all SSID networks can access each other (I can ping Staff from the Guest SSID). This is something I don't want.
add bridge=bridge-local tagged=bridge-local untagged=ether2,ether3,ether4,ether5 vlan-ids=31
add bridge=bridge-local tagged=ether5,bridge-local vlan-ids=32
add bridge=bridge-local tagged=ether5,bridge-local vlan-ids=33
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: Bridge VLAN's and Unifi AP with multiple SSID

Sun Jun 12, 2022 10:52 pm

That has nothing to do with the VLANs being tagged or untagged, inter-VLAN access is determined by firewall rules on the Mikrotik.
 
jzizka
just joined
Topic Author
Posts: 19
Joined: Sun Jun 12, 2022 12:38 pm

Re: Bridge VLAN's and Unifi AP with multiple SSID

Sun Jun 12, 2022 11:06 pm

That has nothing to do with the VLANs being tagged or untagged, inter-VLAN access is determined by firewall rules on the Mikrotik.
From my understanding, if I connect to the Guest SSID, which is in a different VLAN (32) than the Staff SSID, I should not be able to access the Staff SSID network by default, since it's in a different VLAN, unless I configure firewall rules which allow it. For some reason I can, however, even though no firewall rules are set which would allow it.

Currently firewall rules:
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.8.31.0/24
add action=masquerade chain=srcnat src-address=10.8.32.0/24
add action=masquerade chain=srcnat src-address=10.8.33.0/24
When I was using my own tagged network in the Unifi Controller I was not able to access different VLANs. Now I can, with the default network on the Unifi Controller. It seems like the default network in the Unifi Controller allows you to reach a different SSID's network.
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: Bridge VLAN's and Unifi AP with multiple SSID

Mon Jun 13, 2022 2:05 am

No. The default forward policy is allow, you have to explicitly add rules to drop inter-VLAN traffic.
 
jzizka
just joined
Topic Author
Posts: 19
Joined: Sun Jun 12, 2022 12:38 pm

Re: Bridge VLAN's and Unifi AP with multiple SSID

Mon Jun 13, 2022 8:20 pm

No. The default forward policy is allow, you have to explicitly add rules to drop inter-VLAN traffic.
OK. Thanks. I tried what you suggested.

* Used Unifi Controller default Network for Staff SSID
* Set VLANS
* Set firewall rules to block inter VLAN traffic between 10.8.31.0/24 (VLAN31) and 10.8.32.0/24 (VLAN32)

Vlans:
add bridge=bridge-local tagged=bridge-local untagged=ether2,ether3,ether4,ether5 vlan-ids=31
add bridge=bridge-local tagged=ether5,bridge-local vlan-ids=32
add bridge=bridge-local tagged=ether5,bridge-local vlan-ids=33
Firewall rules:
/ip firewall filter
add action=drop chain=forward dst-address=10.8.32.0/24 src-address=10.8.31.0/24
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.8.31.0/24
add action=masquerade chain=srcnat src-address=10.8.32.0/24
add action=masquerade chain=srcnat src-address=10.8.33.0/24
I also tried this:
/ip firewall filter
add action=drop chain=forward in-interface=vlan31-staff out-interface=vlan32-guest
For some reason the network is still reachable from VLAN31 to VLAN32. Setting firewall rules did not have any effect. Any idea why?

Also, do you know why bridge-local has to be added as tagged in /interface bridge vlan?
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: Bridge VLAN's and Unifi AP with multiple SSID

Mon Jun 13, 2022 9:01 pm

For some reason the network is still reachable from VLAN31 to VLAN32. Setting firewall rules did not have any effect. Any idea why?
Order of the rules is important, post all of the configuration not just small extracts.
Also, do you know why bridge-local has to be added as tagged in /interface bridge vlan?
That is the implicit bridge-to-CPU port which provides access from all of the other bridge ports to IP resources (e.g. DHCP, routing, etc.) on the Mikrotik itself, see viewtopic.php?t=173692
 
jzizka
just joined
Topic Author
Posts: 19
Joined: Sun Jun 12, 2022 12:38 pm

Re: Bridge VLAN's and Unifi AP with multiple SSID

Mon Jun 13, 2022 9:12 pm

For some reason the network is still reachable from VLAN31 to VLAN32. Setting firewall rules did not have any effect. Any idea why?
Order of the rules is important, post all of the configuration not just small extracts.
Also, do you know why bridge-local has to be added as tagged in /interface bridge vlan?
That is the implicit bridge-to-CPU port which provides access from all of the other bridge ports to IP resources (e.g. DHCP, routing, etc.) on the Mikrotik itself, see viewtopic.php?t=173692
Thanks for the link!

That's the thing. There are no other firewall rules than those I mentioned.

Config:
# model = RB760iGS

/interface bridge
add name=bridge-local vlan-filtering=yes

/interface ethernet
set [ find default-name=sfp1 ] disabled=yes

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=Test-Bridge password=*** user=***

/interface vlan
add interface=bridge-local name=vlan31-staff vlan-id=31
add interface=bridge-local name=vlan32-guest vlan-id=32
add interface=bridge-local name=vlan33-iot vlan-id=33

/interface list
add name=WAN
add name=LAN

/interface lte apn
set [ find default=yes ] ip-type=ipv4-ipv6

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp-pool-staff ranges=10.8.31.20-10.8.31.249
add name=dhcp_pool3 ranges=192.168.1.2-192.168.1.254
add name=dhcp-pool-guest ranges=10.8.32.20-10.8.32.249
add name=dhcp-pool-iot ranges=10.8.33.20-10.8.33.249

/ip dhcp-server
add address-pool=dhcp-pool-staff disabled=no interface=vlan31-staff name=dhcp-staff
add address-pool=dhcp-pool-guest disabled=no interface=vlan32-guest name=dhcp-guest
add address-pool=dhcp-pool-iot disabled=no interface=vlan33-iot name=dhcp-iot

/port
set 0 name=serial0

/interface bridge port
add bridge=bridge-local frame-types=admit-only-untagged-and-priority-tagged interface=ether2 multicast-router=\
    disabled pvid=31
add bridge=bridge-local frame-types=admit-only-untagged-and-priority-tagged interface=ether3 multicast-router=\
    disabled pvid=31
add bridge=bridge-local frame-types=admit-only-untagged-and-priority-tagged interface=ether4 multicast-router=\
    disabled pvid=31
add bridge=bridge-local interface=ether5 multicast-router=disabled pvid=31

/ip neighbor discovery-settings
set discover-interface-list=!dynamic

/interface bridge vlan
add bridge=bridge-local tagged=bridge-local untagged=ether2,ether3,ether4,ether5 vlan-ids=31
add bridge=bridge-local tagged=ether5,bridge-local vlan-ids=32
add bridge=bridge-local tagged=ether5,bridge-local vlan-ids=33

/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add disabled=yes interface=sfp1 list=LAN
add list=WAN
add interface=bridge-local list=LAN
add interface=Test-Bridge list=WAN

/ip address
add address=10.8.31.1/24 interface=vlan31-staff network=10.8.31.0
add address=10.8.32.1/24 interface=vlan32-guest network=10.8.32.0
add address=10.8.33.1/24 interface=vlan33-iot network=10.8.33.0

/ip dhcp-client
add interface=bridge-local
add interface=ether1

/ip dhcp-server lease
add address=10.8.31.2 client-id=ff:b6:22:f:eb:0:2:0:0:ab:11:c5:c0:54:f2:a7:4b:fd:1c mac-address=\
    1C:69:7A:A8:23:D1 server=dhcp-staff
add address=10.8.31.3 client-id=1:78:45:58:88:c8:33 mac-address=78:45:58:88:C8:33 server=dhcp-staff

/ip dhcp-server network
add address=10.8.31.0/24 dns-server=10.7.31.32,8.8.8.8 gateway=10.8.31.1
add address=10.8.32.0/24 dns-server=8.8.8.8 gateway=10.8.32.1
add address=10.8.33.0/24 dns-server=8.8.8.8 gateway=10.8.33.1

/ip dns
set servers=8.8.8.8

/ip firewall filter
add action=drop chain=forward dst-address=10.8.31.0/24 src-address=10.8.32.0/24

/ip firewall nat
add action=masquerade chain=srcnat src-address=10.8.31.0/24
add action=masquerade chain=srcnat src-address=10.8.32.0/24
add action=masquerade chain=srcnat src-address=10.8.33.0/24

/ip route
add distance=1 dst-address=10.7.31.0/24 gateway=10.8.31.2
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: Bridge VLAN's and Unifi AP with multiple SSID

Tue Jun 14, 2022 1:25 am

Hopefully that isn't connected directly to the internet, not having any rules protecting it from external access.

As written the masquerade rules will act on all traffic, including between subnets, not just externally. It may be that, although the forward chain is processed before srcnat so the rule should work. How are you testing inter-VLAN access?
 
jzizka
just joined
Topic Author
Posts: 19
Joined: Sun Jun 12, 2022 12:38 pm

Re: Bridge VLAN's and Unifi AP with multiple SSID

Tue Jun 14, 2022 9:06 am

Hopefully that isn't connected directly to the internet, not having any rules protecting it from external access.

As written the masquerade rules will act on all traffic, including between subnets, not just externally. It may be that, although the forward chain is processed before srcnat so the rule should work. How are you testing inter-VLAN access?
Just figured, I was trying to ping the gateway 10.8.31.1 which is possible even with the firewall rule enabled:
add action=drop chain=forward dst-address=10.8.31.0/24 src-address=10.8.32.0/24
Trying to access anything else on the network 10.8.31.0/24 is blocked as expected. Not sure why I can access the gateway, though. Any ideas why, and how can I block it as well?
 
mkx
Forum Guru
Posts: 11582
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bridge VLAN's and Unifi AP with multiple SSID

Tue Jun 14, 2022 9:18 am

Just figured, I was trying to ping the gateway 10.8.31.1 which is possible even with the firewall rule enabled:
add action=drop chain=forward dst-address=10.8.31.0/24 src-address=10.8.32.0/24
Trying to access anything else on the network 10.8.31.0/24 is blocked as expected. Not sure why I can access the gateway, though. Any ideas why, and how can I block it as well?

When pinging one of router's addresses packets will always hit firewall chain=input, regardless of actual dst-address and ingress interface. So you would have to construct a set of firewall filters, something like this:

/ip firewall filter
add chain=input action=drop src-address=10.8.32.0/24 dst-address=!10.8.32.1 # you can use in-interface instead of src-address
# similar for other LAN IP subnets

IMO this is unnecessary stuff which doesn't bring any additional security, but if you like cosmetics, go ahead and implement the rules.
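The points made in this thread (the forward chain defaults to accept so inter-VLAN traffic must be dropped explicitly, rule order matters, a ping to the router's own address hits input rather than forward, and a src-address-only masquerade rule also rewrites traffic routed between the VLANs) fit together into one ordered rule set. The following is an added example, not the poster's or any replier's configuration: it assumes the interface list WAN and the VLAN interfaces vlan31-staff, vlan32-guest and vlan33-iot from the posted config, and the list name VLAN is a hypothetical addition.

```routeros
# Added example, not the thread's own configuration. Assumes the interface
# list WAN and the VLAN interfaces vlan31-staff, vlan32-guest and vlan33-iot
# from the posted config; the list name VLAN is hypothetical.
/interface list
add name=VLAN comment="routed VLAN interfaces"
/interface list member
add interface=vlan31-staff list=VLAN
add interface=vlan32-guest list=VLAN
add interface=vlan33-iot list=VLAN

/ip firewall filter
# input: packets addressed to the router itself. A ping from the guest VLAN
# to 10.8.31.1 lands here, not in forward, whichever VLAN the address sits in.
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=vlan31-staff comment="staff may manage the router"
# guest and IoT get only the router services they need: DHCP, DNS, ping
add chain=input action=accept in-interface-list=VLAN protocol=udp dst-port=67
add chain=input action=accept in-interface-list=VLAN protocol=udp dst-port=53
add chain=input action=accept in-interface-list=VLAN protocol=tcp dst-port=53
add chain=input action=accept in-interface-list=VLAN protocol=icmp
add chain=input action=drop comment="everything else, including all of WAN"

# forward: routed traffic between interfaces. The default policy is accept,
# so inter-VLAN traffic must be dropped explicitly, and rule order decides.
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=VLAN out-interface-list=WAN comment="every VLAN may reach the internet"
add chain=forward action=accept in-interface=vlan31-staff out-interface=vlan31-staff comment="hairpin inside staff, needed by the 10.7.31.0/24 route via 10.8.31.2"
add chain=forward action=drop in-interface-list=VLAN out-interface-list=VLAN comment="no traffic between VLANs"
add chain=forward action=drop in-interface-list=WAN connection-nat-state=!dstnat comment="no unsolicited inbound from WAN"

/ip firewall nat
# masquerade only what leaves through WAN; the src-address-only rules posted
# in the thread also rewrote the source of traffic routed between the VLANs
add chain=srcnat action=masquerade out-interface-list=WAN
```

Because filter forward runs before srcnat, the inter-VLAN drop takes effect regardless of the NAT rule; the staff hairpin accept has to sit above the VLAN-to-VLAN drop or the static route to 10.7.31.0/24 stops working.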
 
jzizka
just joined
Topic Author
Posts: 19
Joined: Sun Jun 12, 2022 12:38 pm

Re: Bridge VLAN's and Unifi AP with multiple SSID

Tue Jun 14, 2022 12:50 pm

Just figured, I was trying to ping the gateway 10.8.31.1 which is possible even with the firewall rule enabled:
add action=drop chain=forward dst-address=10.8.31.0/24 src-address=10.8.32.0/24
Trying to access anything else on the network 10.8.31.0/24 is blocked as expected. Not sure why I can access the gateway, though. Any ideas why, and how can I block it as well?

When pinging one of router's addresses packets will always hit firewall chain=input, regardless of actual dst-address and ingress interface. So you would have to construct a set of firewall filters, something like this:

/ip firewall filter
add chain=input action=drop src-address=10.8.32.0/24 dst-address=!10.8.32.1 # you can use in-interface instead of src-address
# similar for other LAN IP subnets

IMO this is unnecessary stuff which doesn't bring any additional security, but if you like cosmetics, go ahead and implement the rules.
Thanks. I was able to make it all work. Will do some final touches but everything should be fine now.
