
home.swkls.org http://home.swkls.org/mikrotik-vlan-trunk-and-unifi-ap/
Steve Andrews

Mikrotik VLAN Trunk and Unifi AP

Suppose we have an access point capable of multiple SSIDs and VLANs. We want to set up an open hotspot for public access on one channel, and a secured channel for staff. For this exercise, we will use a Ubiquiti Unifi AP and set up two WLANs. The first WLAN will be called "Public" and be assigned to VLAN ID 20. The second WLAN will be called "Secured" and be assigned to VLAN ID 10. Our basic diagram looks something like this:

The general idea will be to create a VLAN trunk between the AP and the Mikrotik router to pass traffic for both VLANs. In addition, the Unifi AP will be in its own subnet for management purposes and needs to be untagged (not assigned to a VLAN). The "Public" WLAN will be given its own subnet and will pass through a hotspot configured on the Mikrotik, while the "Secured" WLAN will be part of the regular wired LAN.

The Unifi AP is already configured with the two WLANs / VLANs, is adopted by a controller at the default address (http://unifi:8080/inform), and has a static IP of 192.168.250.199. If we are not running a DNS server of our own, we can tell the AP to use the Mikrotik router's IP (192.168.88.1) for DNS and then insert a static entry that resolves the controller name to the appropriate address:

    /ip dns static
    # the export shows this entry as disabled=yes; it only answers queries once disabled=no
    add address=1.1.1.1 disabled=yes name=unifi ttl=1d

Obviously, change 1.1.1.1 to your controller's IP address.

Next, let's use port 5 of the router and construct a trunk for both VLANs and the untagged management subnet of the AP. We need to un-assign the master port option for port 5 if it is set as a slave to another port. The name of the interface has been set to 'ether5-vlan-wireless'. We create our two VLANs:

    /interface vlan
    add arp=enabled disabled=no interface=ether5-vlan-wireless l2mtu=1594 mtu=1500 name=vlan10secured use-service-tag=no vlan-id=10
    add arp=enabled disabled=no interface=ether5-vlan-wireless l2mtu=1594 mtu=1500 name=vlan20public use-service-tag=no vlan-id=20

Now, what we want to do is create a bridge which will include both port 2 (regular LAN / wired clients) and VLAN10 (secured wireless). We then need to assign / move the DHCP server that was running on port 2 to the bridge. First, create the bridge:

    /interface bridge
    add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes disabled=no forward-delay=15s l2mtu=1594 max-message-age=20s mtu=1500 name=bridge1 priority=0x8000 protocol-mode=none transmit-hold-count=6

Now, assign both port 2 and vlan10 to the bridge:

    /interface bridge port
    add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none interface=vlan10secured path-cost=10 point-to-point=auto priority=0x80
    add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none interface=ether2-master-local path-cost=10 point-to-point=auto priority=0x80

In my case, I prefer to assign IP addresses to secured wireless machines via the alternate configuration tab in Windows TCP/IP settings. But for this to work, the wireless client must not see any DHCP services running on the secured WLAN it is connecting to. So, we create a bridge filter rule to block DHCP on VLAN10:

    /interface bridge settings
    set use-ip-firewall=yes

    /interface bridge filter
    add action=drop chain=input disabled=no in-interface=vlan10secured ip-protocol=udp mac-protocol=ip src-port=67-68

Notice the first line that tells the bridge to use firewall rules. Very important!

As for IP addresses on the local interfaces, we have the following:

    /ip address
    add address=192.168.88.1/24 comment="default configuration" disabled=no interface=ether2-master-local network=192.168.88.0
    add address=192.168.151.1/24 disabled=no interface=vlan20public network=192.168.151.0
    add address=192.168.250.1/24 disabled=no interface=ether5-vlan-wireless network=192.168.250.0

These addresses are for the normal LAN (192.168.88.0/24), the public wireless (192.168.151.0/24), and the Unifi management subnet (192.168.250.0/24). The Unifi needs an untagged or non-VLAN path to communicate with a controller. If we didn't care about the AP communicating with a controller, we could drop the IP assignment for the physical port 5. Please note that if you are using the guest portal on the Unifi, you need the controller.

Now, we move or create a DHCP service for the bridge interface and VLAN20:

    /ip dhcp-server
    add address-pool=default-dhcp authoritative=after-2sec-delay bootp-support=static disabled=no interface=bridge1 lease-time=3d name=default
    add address-pool=vlan20public authoritative=after-2sec-delay bootp-support=static disabled=no interface=vlan20public lease-time=3d name=vlan20public

    /ip dhcp-server network
    add address=192.168.88.0/24 comment="default configuration" dhcp-option="" dns-server=192.168.88.1 gateway=192.168.88.1 ntp-server="" wins-server=""
    add address=192.168.151.0/24 comment=vlan20public dhcp-option="" dns-server="" gateway=192.168.151.1 ntp-server="" wins-server=""

A little explanation may be in order in regards to the DHCP stuff. The service needs to run on the bridge interface, and will not work on a port assigned to a bridge. So, if we have the default DHCP server going on the default port 2, and then move port 2 into a bridge, DHCP stops. Furthermore, since the DHCP service is now on the bridge, it will also hand out leases to the wireless clients on VLAN10 as well as port 2, and whatever other ports might be slaved to port 2. Again, in my case, I didn't want DHCP running across the VLAN10 interface, so it was blocked by filter rules.

As for the hotspot service, we need to run it on the VLAN20 interface:

    /ip hotspot
    add disabled=no idle-timeout=none interface=vlan20public keepalive-timeout=\

    /ip hotspot profile
    set [ find default=yes ] dns-name=spot.hot hotspot-address=192.168.151.1\

This is just a snippet for the hotspot, but the main thing to take away is that the interface needs to be the VLAN interface, not the physical port.

Let's not forget to block traffic between our public and internal networks, and also block public traffic to the AP management subnet:

    /ip firewall filter
    # chain=forward filters traffic routed between subnets; the input chain only
    # sees packets addressed to the router itself and would not isolate the
    # public network from the LAN hosts or the AP
    add action=drop chain=forward disabled=no dst-address=192.168.88.0/24 src-address=192.168.151.0/24
    add action=drop chain=forward disabled=no dst-address=192.168.250.0/24 src-address=192.168.151.0/24
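To see why the chain matters for these two drop rules, here is a small Python model, added here and not part of the original post, of how RouterOS sends a packet through the input chain (destination is one of the router's own addresses) or the forward chain (destination is a host in another subnet), evaluated once with the rules in each chain. The hotspot client address and the wired LAN host address are constructed sample values; the router and AP addresses are those given on the page.

```python
import ipaddress

# Router-owned addresses from the page's /ip address section. A packet to one
# of these is handled by the router itself (input chain); anything else is
# routed between subnets (forward chain).
ROUTER_ADDRESSES = {"192.168.88.1", "192.168.151.1", "192.168.250.1"}
PUBLIC = "192.168.151.0/24"


def drop_rules(chain):
    """The page's two drop rules, placed in the given chain."""
    return [
        {"chain": chain, "action": "drop", "src": PUBLIC, "dst": "192.168.88.0/24"},
        {"chain": chain, "action": "drop", "src": PUBLIC, "dst": "192.168.250.0/24"},
    ]


def chain_for(dst):
    return "input" if dst in ROUTER_ADDRESSES else "forward"


def rule_matches(rule, src, dst):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"]))


def verdict(rules, src, dst):
    """First matching rule in the packet's chain wins; with no matching rule the
    packet is accepted, as in a filter list that has no final drop rule."""
    chain = chain_for(dst)
    for rule in rules:
        if rule["chain"] == chain and rule_matches(rule, src, dst):
            return rule["action"]
    return "accept"


def isolation_report(rules):
    """Flows a hotspot client (constructed 192.168.151.50) might attempt:
    a wired LAN PC (constructed 192.168.88.20), the AP, and the router's LAN address."""
    flows = {
        "public->lan host": ("192.168.151.50", "192.168.88.20"),
        "public->ap": ("192.168.151.50", "192.168.250.199"),
        "public->router lan addr": ("192.168.151.50", "192.168.88.1"),
    }
    return {name: verdict(rules, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for chain in ("input", "forward"):
        print(chain, isolation_report(drop_rules(chain)))
```

With the rules in the input chain only the flow to the router's own LAN address is dropped; in the forward chain the LAN host and the AP are protected instead, so a deployment that wants both needs rules in both chains.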
