titopuentes
just joined
Topic Author
Posts: 23
Joined: Tue Apr 14, 2020 1:02 pm

Please need help! vlan switch

Mon Nov 22, 2021 7:59 pm

Hi,

I need to configure a MT hEX S as a VLAN switch, since the switch I ordered is taking a long time to arrive.

My configuration is simple:
I have a MT as hotspot. No vlan is defined for all customers (so MT assigns vlan1). Network is 192.168.1.0/24
And I just created a vlan (vlan id 66) for network devices (switches, APs...) Network is 172.16.2.0/25

I'm doing configuration before putting on my hexS.
I want ether1-ether4 to work as hybrid ports: vlan1 in access mode and vlan66 in trunk mode (switches and APs are managed through vlan66, and customers can't access them)
Ether5: vlan66 access mode

The reason I want ether5 in access mode is that to configure some Ubiquiti APs I need them to get a vlan66 IP (Cloud Key can't work with VLANs) to adopt them; after the APs are configured, I can move them to another port.
Actually I have that config, but I don't know if it's correct:
/interface bridge add name=bridge-vlans

/interface vlan add name=vlan1 vlan-id=1 interface=bridge-vlans
/interface vlan add name=vlan66 vlan-id=66 interface=bridge-vlans

/ip address add address=10.0.11.2/24 interface=vlan1
/ip address add address=172.16.2.99/25 interface=vlan66

/interface bridge port add bridge=bridge-vlans interface=ether1,ether2,ether3,ether4 pvid=1

/interface bridge vlan add bridge=bridge-vlans tagged=bridge-vlans,ether1,ether2,ether3,ether4,ether5 vlan-ids=66

/interface bridge set bridge-vlans vlan-filtering=yes
Thank you very much
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Please need help! vlan switch  [SOLVED]

Mon Nov 22, 2021 9:07 pm

Almost entirely incorrect:
/interface bridge add name=bridge-vlans

/interface vlan add name=vlan66 vlan-id=66 interface=bridge-vlans

/ip address add address=10.0.11.2/24 interface=bridge-vlans
/ip address add address=172.16.2.99/25 interface=vlan66

/interface bridge port add bridge=bridge-vlans interface=ether1 pvid=1
/interface bridge port add bridge=bridge-vlans interface=ether2 pvid=1
/interface bridge port add bridge=bridge-vlans interface=ether3 pvid=1
/interface bridge port add bridge=bridge-vlans interface=ether4 pvid=1
/interface bridge port add bridge=bridge-vlans interface=ether5 pvid=66

/interface bridge vlan add bridge=bridge-vlans tagged=bridge-vlans,ether1,ether2,ether3,ether4 vlan-ids=66

/interface bridge set bridge-vlans vlan-filtering=yes


I've left pvid=1 in the /interface bridge port entries - it can be omitted as it is the default, the same holds for the bridge itself.

With UniFi I usually leave the management network untagged as the traffic is SSH or HTTPS and make all of the client networks tagged, it makes readopting after reset much more simple.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Please need help! vlan switch

Mon Nov 22, 2021 11:52 pm

For the record, it wasn't so much incorrect; that vlan1 interface is a possible config too, if you set tagged=bridge1 for it in "/interface bridge vlan". I'm just not sure about bridge1's default pvid=1, if that can have any unwanted side effects if left there.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Please need help! vlan switch

Tue Nov 23, 2021 12:07 am

Sob wrote:
"I'm just not sure about bridge1's default pvid=1, if that can have any unwanted side effects if left there."

It likely will. To do it that way either set the PVID to something unused (i.e. not 1 or 66 in this case), or more properly use ingress-filtering=yes frame-types=admit-only-vlan-tagged to disable any PVID on the bridge-to-CPU interface.
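
The alternative discussed in the two posts above, written out as an added example that is not part of any poster's message: keep the vlan1 interface, tag VLAN 1 on the bridge-to-CPU port, and disable the bridge's own PVID. Interface names and addresses are taken from the thread; the explicit untagged= lists are an assumption added for readability, since RouterOS also adds those ports dynamically from their pvid.

```routeros
# Bridge-to-CPU port accepts only tagged frames, so its default pvid=1 is never applied
/interface bridge add name=bridge-vlans ingress-filtering=yes frame-types=admit-only-vlan-tagged

# Both VLANs reach the CPU as tagged traffic on the bridge
/interface vlan add name=vlan1 vlan-id=1 interface=bridge-vlans
/interface vlan add name=vlan66 vlan-id=66 interface=bridge-vlans

/ip address add address=10.0.11.2/24 interface=vlan1
/ip address add address=172.16.2.99/25 interface=vlan66

# Hybrid ports: untagged frames join VLAN 1
/interface bridge port add bridge=bridge-vlans interface=ether1 pvid=1
/interface bridge port add bridge=bridge-vlans interface=ether2 pvid=1
/interface bridge port add bridge=bridge-vlans interface=ether3 pvid=1
/interface bridge port add bridge=bridge-vlans interface=ether4 pvid=1
# Access port for adopting APs: untagged frames join VLAN 66
/interface bridge port add bridge=bridge-vlans interface=ether5 pvid=66

# VLAN 1: tagged towards the CPU, untagged on the hybrid ports
/interface bridge vlan add bridge=bridge-vlans vlan-ids=1 tagged=bridge-vlans untagged=ether1,ether2,ether3,ether4
# VLAN 66: tagged towards the CPU and on the hybrid ports, untagged on ether5 only
/interface bridge vlan add bridge=bridge-vlans vlan-ids=66 tagged=bridge-vlans,ether1,ether2,ether3,ether4 untagged=ether5

# Enable filtering last; a mistake above can cut off management access
/interface bridge set bridge-vlans vlan-filtering=yes
```

After enabling filtering, `/interface bridge vlan print` shows which ports are tagged and untagged per VLAN, which confirms that VLAN 66 is never untagged on ether1-ether4.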
 
titopuentes
just joined
Topic Author
Posts: 23
Joined: Tue Apr 14, 2020 1:02 pm

Re: Please need help! vlan switch

Mon Dec 13, 2021 9:43 am

tdw wrote:
"With UniFi I usually leave the management network untagged as the traffic is SSH or HTTPS and make all of the client networks tagged, it makes readopting after reset much more simple."

Do you think this is the best way to work with UniFi APs?
I'm having problems with 2 UAP-AC-M and this VLAN. The other 6 UAP-AC-PRO work great with the management VLAN (and were simple to adopt), and I'm thinking of changing the management VLAN to untagged as you indicate if all APs are going to give me fewer problems.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Please need help! vlan switch

Mon Dec 13, 2021 6:23 pm

Having used UniFi devices since before tagged management was possible in the controller and device firmware, we stuck with having the UniFi management untagged. As the management traffic is secure (TLS or SSH) there isn't really a need to wrap it in a VLAN; if someone disconnects the AP and plugs in a PC it doesn't get an address, as the devices either have static addresses or static DHCP leases.

I'm not sure why a UAP-AC-M would behave any differently to a UAP-AC-PRO, unless you are trying to use it with a wireless uplink, which may be causing an unexpected issue - not having tried this I couldn't say.
