Community discussions

MikroTik App
 
Spiralout615
just joined
Topic Author
Posts: 1
Joined: Sun Feb 26, 2023 12:27 am

Bridge Vlan Filtering, Home/Guest for Unifi AP

Sun Feb 26, 2023 1:23 am

I have a HexS that I am trying to replace my OpenWRT router with. I have a Home and Guest VLAN, home is Native ID1 and Guest is ID 3. Port 2 of the HexS will go to an 8 port unmanaged switch which has home LAN devices plugged in and a Unifi AP. The Unifi AP has a Guest SSID (VLAN 3) and a HOME SSID (VLAN 1). I have tried to replicate my config in the Open WRT within Router OS, but as soon as I enable Bridge VLAN filtering I lose access (Safe Mode) and then it resets my config. What am I doing wrong? The tagging and untagging and PVIDs doesn't seem to align with OpenWRTs use of them. Config Below:











MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK

[admin@MikroTik] > export hide-sensitive
# jan/02/1970 01:38:23 by RouterOS 7.7
# software id = 8GPG-EPZ6
#
# model = RB760iGS
# serial number =
/interface bridge
add admin-mac=DC:2C:6E:86:03:9B auto-mac=no comment=defconf name=bridge \
protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN_AP
set [ find default-name=ether3 ] name=ether3-LAN
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether5 ] name=ether5-LAN
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=bridge name=VLANGUEST3 vlan-id=3
add interface=bridge name=VLANHOME1 vlan-id=1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=HOMEPOOL ranges=192.168.69.100-192.168.69.254
add name=GUESTPOOL ranges=192.168.70.100-192.168.70.150
/ip dhcp-server
add address-pool=HOMEPOOL interface=VLANHOME1 lease-time=4h name=HOMEDHCP
add address-pool=GUESTPOOL interface=VLANGUEST3 name=GUESTPOOL
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-LAN_AP
add bridge=bridge comment=defconf interface=ether3-LAN
add bridge=bridge comment=defconf interface=ether4-LAN
add bridge=bridge comment=defconf interface=ether5-LAN
add bridge=bridge comment=defconf disabled=yes interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=\
ether2-LAN_AP,ether3-LAN,ether4-LAN,ether5-LAN vlan-ids=1
add bridge=bridge tagged=bridge,ether2-LAN_AP,ether3-LAN,ether4-LAN,ether5-LAN \
vlan-ids=3
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
/ip address
add address=192.168.69.69/24 interface=VLANHOME1 network=192.168.69.0
add address=192.168.70.1/24 interface=VLANGUEST3 network=192.168.70.0
/ip dhcp-client
add comment=defconf interface=ether1-WAN use-peer-dns=no
/ip dhcp-server network
add address=192.168.69.0/24 comment=defconf dns-server=9.9.9.9,1.1.1.1 gateway=\
192.168.69.69
add address=192.168.70.0/24 dns-server=9.9.9.9,1.1.1.1 gateway=192.168.70.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >


Thanks !

Who is online

Users browsing this forum: Amazon [Bot] and 42 guests