
home.swkls.org http://home.swkls.org/mikrotik-vlan-trunk-and-unifi-ap/

Steve Andrews

Mikrotik VLAN Trunk and Unifi AP

Suppose we have an access point capable of multiple SSIDs and VLANs. We want to set up an open hotspot for public access on one channel, and a secured channel for staff. For this exercise, we will use a Ubiquiti Unifi AP and set up two WLANs. The first WLAN will be called “Public” and be assigned to VLAN ID 20. The second WLAN will be called “Secured” and be assigned to VLAN ID 10. Our basic diagram looks something like this:

The general idea will be to create a VLAN trunk between the AP and the Mikrotik router to pass traffic for both VLANs. In addition, the Unifi AP will be in its own subnet for management purposes and needs to be untagged (not assigned to a VLAN). The “Public” WLAN will be given its own subnet and will pass through a hotspot configured on the Mikrotik, while the “Secured” WLAN will be part of the regular wired LAN.

The Unifi AP is already configured with the two WLANs / VLANs, is adopted by a controller at the default address (http://unifi:8080/inform), and has a static IP of 192.168.250.199. If we are not running a DNS server of our own, we can tell the AP to use the Mikrotik router’s IP (192.168.88.1) for DNS and then insert a static entry that points the name unifi at the appropriate address:

/ip dns static
add address=1.1.1.1 disabled=no name=unifi ttl=1d

Obviously, change 1.1.1.1 to your controller’s IP address.

Next, let’s use port 5 of the router and construct a trunk for both VLANs and the untagged management subnet of the AP. We need to un-assign the master port option for port 5 if it is set as a slave to another port. The name of the interface has been set to ‘ether5-vlan-wireless’. We create our two VLANs:

/interface vlan
add arp=enabled disabled=no interface=ether5-vlan-wireless l2mtu=1594 mtu=\
    1500 name=vlan10secured use-service-tag=no vlan-id=10
add arp=enabled disabled=no interface=ether5-vlan-wireless l2mtu=1594 mtu=\
    1500 name=vlan20public use-service-tag=no vlan-id=20

Now, what we want to do is create a bridge which will include both port 2 (regular LAN / wired clients) and VLAN10 (secured wireless). We then need to assign / move the DHCP server that was running on port 2 to the bridge. First, create the bridge:

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    disabled=no forward-delay=15s l2mtu=1594 max-message-age=20s mtu=1500 \
    name=bridge1 priority=0x8000 protocol-mode=none transmit-hold-count=6

Now, assign both port 2 and vlan10 to the bridge:

/interface bridge port
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
    interface=vlan10secured path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ether2-master-local path-cost=10 point-to-point=auto priority=\
    0x80

In my case, I prefer to assign IP addresses to secured wireless machines via the alternate configuration tab in Windows TCP/IP settings. But for this to work, the wireless client must not see any DHCP services running on the secured WLAN it is connecting to. So, we create a bridge filter rule to block DHCP on VLAN10:

/interface bridge settings
set use-ip-firewall=yes

/interface bridge filter
add action=drop chain=input disabled=no in-interface=vlan10secured \
    ip-protocol=udp mac-protocol=ip src-port=67-68

Notice the first line that tells the bridge to use firewall rules. Very important!
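As an added example (not part of the original post), the same bridge-filter mechanism extended to the bridged direction. The post's input-chain rule stops VLAN10 clients' DHCP requests from reaching the router's own DHCP server on bridge1, but DHCP frames bridged between VLAN10 and port 2 never pass the input chain: a wireless client could still get a lease from a DHCP server on the wired side, and a rogue DHCP server among the wireless clients could still answer wired hosts. The two forward-chain rules, the comment strings and the counter check are assumptions of this example; interface names are the post's.

```routeros
/interface bridge settings
set use-ip-firewall=yes

/interface bridge filter
# The post's rule: DHCP (UDP 67/68) arriving from VLAN10 and addressed to the
# router itself is dropped, so the DHCP server on bridge1 never answers it.
add action=drop chain=input in-interface=vlan10secured mac-protocol=ip \
    ip-protocol=udp src-port=67-68 comment="no DHCP from vlan10 to router"
# Added: DHCP frames bridged out of VLAN10 toward port 2 (client requests to a
# wired DHCP server, or offers from a rogue DHCP server on the wireless side).
add action=drop chain=forward in-interface=vlan10secured mac-protocol=ip \
    ip-protocol=udp dst-port=67-68 comment="no DHCP bridged out of vlan10"
# Added: DHCP frames bridged into VLAN10 (a wired DHCP server answering a
# wireless client), so the secured WLAN stays DHCP-free in both directions.
add action=drop chain=forward out-interface=vlan10secured mac-protocol=ip \
    ip-protocol=udp dst-port=67-68 comment="no DHCP bridged into vlan10"

# Check: with a wireless client renewing its lease on the secured WLAN, the
# packet counters on these drop rules should increase and the client should
# fall back to its alternate (static) configuration.
/interface bridge filter print stats
```

The bridge filter chains only see frames that the bridge switches between its ports; traffic that is routed between vlan20public and the bridge is handled by the IP firewall instead, which is why the hotspot separation later in the post lives in /ip firewall filter.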


As for IP addresses on the local interfaces, we have the following:

/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=no \
    interface=ether2-master-local network=192.168.88.0
add address=192.168.151.1/24 disabled=no interface=vlan20public network=\
    192.168.151.0
add address=192.168.250.1/24 disabled=no interface=ether5-vlan-wireless \
    network=192.168.250.0

These addresses are for the normal LAN (192.168.88.0/24), the public wireless (192.168.151.0/24), and the Unifi management subnet (192.168.250.0/24). The Unifi needs an untagged or non-VLAN path to communicate with a controller. If we didn’t care about the AP communicating with a controller, we could drop the IP assignment for the physical port 5. Please note that if you are using ‘guest portal’ on the Unifi, you need the controller.

Now, we move or create a DHCP service for the bridge interface and VLAN20:

/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=bridge1 lease-time=3d name=default
add address-pool=vlan20public authoritative=after-2sec-delay bootp-support=\
    static disabled=no interface=vlan20public lease-time=3d name=vlan20public

/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dhcp-option="" \
    dns-server=192.168.88.1 gateway=192.168.88.1 ntp-server="" wins-server=""
add address=192.168.151.0/24 comment=vlan20public dhcp-option="" dns-server=\
    "" gateway=192.168.151.1 ntp-server="" wins-server=""

A little explanation may be in order in regards to the DHCP stuff. The service needs to run on the bridge interface, and will not work on a port assigned to a bridge. So, if we have the default DHCP server going on the default port 2, and then move port 2 into a bridge, DHCP stops. Furthermore, being as the DHCP service is now on the bridge, it will also hand out leases to the wireless clients on VLAN10 as well as port 2, and whatever other ports might be slaved to port 2. Again, in my case, I didn’t want DHCP running across the VLAN10 interface, so it was blocked by filter rules.

As for the hotspot service, we need to run it on the VLAN20 interface:

/ip hotspot
add disabled=no idle-timeout=none interface=vlan20public keepalive-timeout=\

/ip hotspot profile
set [ find default=yes ] dns-name=spot.hot hotspot-address=192.168.151.1 \

This is just a snippet for the hotspot, but the main thing to take away is that the interface needs to be the VLAN interface, not the physical port.

Let’s not forget to block traffic between our public and internal networks, and also block public traffic to the AP management subnet:

/ip firewall filter
add action=drop chain=forward disabled=no dst-address=192.168.88.0/24 \
    src-address=192.168.151.0/24
add action=drop chain=forward disabled=no dst-address=192.168.250.0/24 \
    src-address=192.168.151.0/24
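A fuller ruleset for the same separation, added here as an example rather than taken from the original post. Packets that hotspot clients send to hosts on the wired LAN or the AP management subnet are routed by the Mikrotik, so they traverse the forward chain; only packets addressed to one of the router's own addresses (192.168.88.1, 192.168.250.1, 192.168.151.1) traverse the input chain, so both chains need rules. The established/related accept, the WinBox/SSH drop, the comment strings and the counter check are assumptions of this example; the subnets and interface names are the post's.

```routeros
/ip firewall filter
# Forward chain: traffic routed between subnets. Replies to flows that the
# LAN side opened toward a public client are let through first.
add action=accept chain=forward connection-state=established,related \
    comment="replies to flows opened from the inside"
# Public hotspot clients may not open anything toward the wired LAN...
add action=drop chain=forward src-address=192.168.151.0/24 \
    dst-address=192.168.88.0/24 comment="public -> wired LAN"
# ...nor toward the AP management subnet (the AP and the controller path).
add action=drop chain=forward src-address=192.168.151.0/24 \
    dst-address=192.168.250.0/24 comment="public -> AP management"

# Input chain: traffic addressed to the router itself. The hotspot inserts its
# own dynamic rules (the hs-input chain) ahead of these for what its login page
# needs on 192.168.151.1; these stop public clients from talking to the router
# on its other addresses, or to its management services on any address.
add action=drop chain=input src-address=192.168.151.0/24 \
    dst-address=192.168.88.0/24 comment="public -> router LAN address"
add action=drop chain=input src-address=192.168.151.0/24 \
    dst-address=192.168.250.0/24 comment="public -> router mgmt address"
add action=drop chain=input in-interface=vlan20public protocol=tcp \
    dst-port=22,8291 comment="no SSH/WinBox from the public WLAN"

# Check: while a hotspot client tries to ping 192.168.88.1 or browse to a LAN
# host, the packet counters on these drop rules should increase.
/ip firewall filter print stats where action=drop
```

RouterOS evaluates a chain top to bottom and stops at the first match, so these drop rules must sit above any general accept rule in the same chain; on a router with the default configuration, move them ahead of the default "accept in from LAN" style rules rather than appending them at the end.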