innidael
just joined
Topic Author
Posts: 8
Joined: Sun Feb 19, 2017 10:55 pm

MT setup with Ubiquiti Unifi 6 Pro help requested

Sat May 28, 2022 11:35 am

Hi everyone,

I am in the process of kitting out my new house and wanted to take my network up a notch. As I have some previous good experiences with Mikrotik, I purchased an RB5009 to be used as the main router, and a CRS326 to be used as the main switch for the wired connections. For wireless I will be using Ubiquiti Unifi 6 Pro access points, only because I could not find a source for Mikrotik APs.

My main goals are to learn more on networking and configuration of Mikrotiks and at the same time improve the network access for my family, and to boot, improve the security of the whole setup. Please understand that my networking experience is limited to home use.

For the first step I wanted to divide the network into VLANs; Base, Home, IoT, Guest (and when all things are working later on add a Lab). I would also like to run a PiHole as DNS. I had this running on my network in my old house, and was always very happy with it.

I have been trying to configure them both, and after some teething problems, have got it to a decent working state. Largely because of the excellent article from @pcunite, viewtopic.php?f=13&t=143620. I used most of the configuration mentioned in this article as a base and moved from there to adapt it to my situation.

The RB5009 is handling the DHCP for each VLAN, and is connecting to the CRS326 through ether3. The devices connected to the CRS326 are receiving the IP addresses in the range of the DHCP pool assigned for the correct VLANs. Internet access is working properly. I know the firewall setup needs to be improved, and I still have to add PiHole, NAS and network printer. I am focused atm on making the Ubiquiti Unifi 6 AP work with the setup.

I connected the AP to a port on the CRS that is in the home vlan and used the Ubiquiti controller application to adopt the device first on the Home vlan. Next I changed the IP address to static 10.0.0.5, DNS 10.0.0.1, netmask 255.255.255.0, and gateway to 10.0.0.1. I added the Home VLAN in the networks section by enabling vlan-only network and setting the vlan-id to 100. Switched the network from default to Home vlan. Subsequently I moved the wire connection from the CRS home vlan port to e4 on the RB5009. The AP boots up, broadcasts the SSID, works as expected. Only after a couple of minutes it drops the SSID and becomes non-responsive. Rebooting the AP repeats the cycle. I am suspecting the setup of the Mikrotik to be at fault here as it seems to be working for a couple of minutes.

This is what I would like to ask your help with to debug, as I am a little lost with this atm. Any leads or questions to help get to the bottom are highly appreciated.

Attached the configuration of the RB5009 and CRS326, and a diagram of the envisioned network.
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: MT setup with Ubiquiti Unifi 6 Pro help requested  [SOLVED]

Sat May 28, 2022 3:59 pm

All smart devices should have their IP address associated with the base or management vlan, it could be the home trusted VLAN.

What we need to know is if the ubiquiti products are expecting the management vlan untagged and the rest of the vlans tagged (vice the normal device which expects all vlans tagged).
If so then you need hybrid ports to the ubiquiti models.


where X is the management/base vlan and assuming etherports 4,5 carry the same vlans.

TRUNK
# every VLAN, including management VLAN X, arrives tagged
/interface bridge port
add bridge=bridge interface=ether4 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge interface=ether5 ingress-filtering=yes frame-types=admit-only-vlan-tagged

/interface bridge vlan
add bridge=bridge tagged=bridge,ether4,ether5 vlan-ids=X,Y,Z

HYBRID
# management VLAN X is untagged (pvid) on the port, Y and Z stay tagged
/interface bridge port
add bridge=bridge interface=ether4 pvid=X
add bridge=bridge interface=ether5 pvid=X

/interface bridge vlan
add bridge=bridge tagged=bridge,ether4,ether5 vlan-ids=Y,Z
add bridge=bridge tagged=bridge untagged=ether4,ether5 vlan-ids=X
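
Added example, not part of anav's post or of any MikroTik tooling: a Python check over an exported .rsc that classifies each bridge port as trunk, hybrid or access in the sense used above, and flags a hybrid port whose pvid VLAN is also listed as tagged on it. The sample export, the VLAN ids 99/100/200 (standing in for X/Y/Z) and all function names are constructed for illustration; it assumes each `add` entry sits on a single line.

```python
import re
from collections import defaultdict

# Constructed sample export; VLAN ids 99/100/200 stand in for the thread's X/Y/Z.
SAMPLE_RSC = """\
/interface bridge port
add bridge=bridge interface=ether3 frame-types=admit-only-vlan-tagged
add bridge=bridge interface=ether4 pvid=99
add bridge=bridge interface=ether6 pvid=100
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3,ether4 vlan-ids=100,200
add bridge=bridge tagged=bridge,ether3 untagged=ether4 vlan-ids=99
"""

def parse_sections(text):
    """Group the key=value pairs of each 'add' line under its /menu path."""
    sections, menu = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            sections[menu].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return sections

def expand(ids):
    """Expand a vlan-ids value such as '10,20-22' into integers."""
    for part in filter(None, ids.split(",")):
        lo, _, hi = part.partition("-")
        yield from range(int(lo), int(hi or lo) + 1)

def classify_ports(text):
    """Return {interface: (kind, pvid, tagged VLAN ids)} for every bridge port."""
    sec, tagged, result = parse_sections(text), defaultdict(set), {}
    for row in sec["/interface bridge vlan"]:
        for port in filter(None, row.get("tagged", "").split(",")):
            tagged[port].update(expand(row.get("vlan-ids", "")))
    for row in sec["/interface bridge port"]:
        port, pvid = row["interface"], int(row.get("pvid", 1))  # RouterOS default pvid is 1
        tagged_only = row.get("frame-types") == "admit-only-vlan-tagged"
        kind = ("access" if not tagged[port]
                else "trunk" if tagged_only else "hybrid")
        result[port] = (kind, pvid, sorted(tagged[port]))
    return result

def conflicts(text):
    """Hybrid ports whose untagged (pvid) VLAN is also listed as tagged on them."""
    return [port for port, (kind, pvid, vids) in classify_ports(text).items()
            if kind == "hybrid" and pvid in vids]
```

Running `classify_ports` on exports taken before and after a change shows at a glance whether a port meant for an AP ended up as trunk or hybrid.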
 
innidael
just joined
Topic Author
Posts: 8
Joined: Sun Feb 19, 2017 10:55 pm

Re: MT setup with Ubiquiti Unifi 6 Pro help requested

Sat May 28, 2022 7:19 pm

Hi @anav, first thank you for the ultra fast response!

I made the switch to hybrid ports as suggested, wired the AP back to ether4 of the RB5009 and that seems to have done the trick! The SSID on the AP seems to be working as expected now. I will leave it running overnight to check if all goes ok. So I guess that the Ubiquiti Unifi6 Pro APs need the "odd" setup.

I do have an additional question for you. You mentioned that the smart devices (for which I assume you mean IOT) should be added to the base vlan or even part of the Home vlan. Could you tell me a little more why you would set it up like that? From my perspective I like to not trust anything those IOT devices do. As such I would put them on their own VLAN with client isolation and explicitly allow what I believe they need to have access to, which would also include access from the home vlan towards those devices.
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: MT setup with Ubiquiti Unifi 6 Pro help requested

Sat May 28, 2022 10:20 pm

Sorry, I should have said managed devices. Thus the access points that can read vlan tags, any switches that can read vlan tags, etc.
You are 100% correct, anything not trusted, iot, media, even cameras etc. should be on their own separate vlans.

The fact that you worked from a solid base of understanding from pcunite's direction meant that making the change was that much easier to help guide you through!!
 
innidael
just joined
Topic Author
Posts: 8
Joined: Sun Feb 19, 2017 10:55 pm

Re: MT setup with Ubiquiti Unifi 6 Pro help requested

Sun May 29, 2022 1:18 pm

Oh that makes more sense now :D

Yeah the guide really helped a lot. What I found very useful are the rsc files, after making any changes (either through gui or terminal), you can easily generate the rsc yourself and side by side compare them. This can help spot errors very quickly. Of course it will not be a one-on-one copy, but applying some common sense will go a long way.
