home.swkls.org http://home.swkls.

org/mikrotik-vlan-trunk-and-unifi-ap/

Mikrotik VLAN Trunk and Unifi AP

Suppose we have an access point capable of multiple SSID and VLAN. We want to set up an open hotspot for
public access on one channel, and a secured channel for staff. For this exercise, we will use a Ubiquiti Unifi AP
and set up two WLANs. The first WLAN will be called “Public” and be assigned to VLAN ID 20. The second WLAN
will be called “Secured” and be assigned to VLAN ID 10. Our basic diagram looks something like this:

The general idea will be to create a VLAN trunk between the AP and the Mikrotik router to pass traffic for both
VLANs. In addition, the Unifi AP will be in it’s own subnet for management purposes and needs to be untagged
(not assigned to a VLAN). The “Public” WLAN will be given it’s own subnet and will pass through a hotspot
configured on the Mikrotik, while the “Secured” WLAN will be part of the regular wired LAN.

The Unifi AP is already configured with the two WLANs / VLANs, is adopted by a controller at the default address
(http://unifi:8080/inform ), and has a static IP of 192.168.250.199.
If we are not running a DNS server of our own, we can tell the AP to use the Mikrotik router’s IP (192.168.88.1) for
DNS and then insert a static entry to forward requests to the appropriate:

/ip dns
static

add address=1.1.1.1 disabled=yes name=unifi

Obviously, change 1.1.1.1 to your controller’s IP address.

Next, let’s use port 5 of the router and construct a trunk for both VLANs and the untagged management subnet of
the AP. We need to un-assign the master port option for port 5 if it is set as a slave to another port. The name of
the interface has been set to ‘ether5-vlan-wireless’. We create our two VLANs:

/interface vlan
 add arp=enabled disabled=no interface=ether5-vlan-wireless l2mtu=1594
mtu=\

1500 name=vlan10secured use-service-tag=no vlan-

add arp=enabled disabled=no interface=ether5-vlan-wireless l2mtu=1594

1500 name=vlan20public use-service-tag=no vlan-

Now, what we want to do is create a bridge which will include both port 2 (regular LAN / wired clients) and
VLAN10 (secured wireless). We need to then assign / move the DHCP server that was running on port 2 to the
bridge. First, create the bridge:

add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes

disabled=no forward-delay=15s l2mtu=1594 max-message-age=20s mtu=1500

name=bridge1 priority=0x8000 protocol-mode=none transmit-hold-

Now, assign both port 2 and vlan10 to the bridge:

/interface bridge
port

add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none

interface=vlan10secured path-cost=10 point-to-point=auto

add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none

interface=ether2-master-local path-cost=10 point-to-point=auto

0x80

In my case, I prefer to assign IP addresses to secured wireless machines via the alternate configuration tab in
Windows TCP/IP settings. But for this to work, the wireless client must not see any DHCP services running on the
secured WLAN it is connecting to. So, we create a bridge filter rule to block DHCP on VLAN10:

/interface bridge
settings
 set use-ip-
firewall=yes

/interface bridge
filter

add action=drop chain=input disabled=no in-interface=vlan10secured

ip-protocol=udp mac-protocol=ip src-port=67-

Notice the first line that tells the bridge to use firewall rules. Very important!

As for IP addresses on the local interfaces, we have the following:

/ip
address

add address=192.168.88.1/24 comment="default configuration" disabled=no

interface=ether2-master-local network=192.168.88.0

add address=192.168.151.1/24 disabled=no interface=vlan20public

192.168.151.0

add address=192.168.250.1/24 disabled=no interface=ether5-vlan-wireless

network=192.168.250.0

These addresses are for the normal LAN (192.168.88.0/24), the public wireless (192.168.151.0/24), and the Unifi
management subnet (192.168.250.0/24). The Unifi needs an untagged or non-vlan path to communicate with a
controller. If we didn’t care about the AP communicating with a controller, we could drop the IP assignment for the
physical port 5. Please note that if you are using ‘guest portal’ on the Unifi, you need the controller.

Now, we move or create a DHCP service for the bridge interface and VLAN20:

/ip dhcp-
server

add address-pool=default-dhcp authoritative=after-2sec-delay bootp-

static disabled=no interface=bridge1 lease-time=3d

static disabled=no interface=vlan20public lease-time=3d

/ip dhcp-server
network

add address=192.168.88.0/24 comment="default configuration" dhcp-option=""

dns-server=192.168.88.1 gateway=192.168.88.1 ntp-server="" wins-

add address=192.168.151.0/24 comment=vlan20public dhcp-option="" dns-

"" gateway=192.168.151.1 ntp-server="" wins-

A little explanation may be in order in regards to the DHCP stuff. The service needs to run on the bridge interface,
and will not work on a port assigned to a bridge. So, if we have the default DHCP server going on the default port
2, and then move port 2 into a bridge, DHCP stops. Furthermore, being as the DHCP service is now on the
bridge, it will also hand out leases to the wireless clients on VLAN10 as well as port 2, and whatever other ports
might be slaved to port2. Again, in my case, I didn’t want DHCP running across the VLAN10 interface, so it was
blocked by filter rules.

As for the hotspot service, we need to run it on the VLAN20 interface:

/ip
hotspot

add disabled=no idle-timeout=none interface=vlan20public keepalive-

/ip hotspot
profile

set [ find default=yes ] dns-name=spot.hot hotspot-address=192.168.151.1

This is just a snippet for the hotspot, but the main thing to take away is that the interface needs to be the VLAN
interface, not the physical port.

Let’s not forget to block traffic between our public and internal networks, and also block public traffic to the AP
management subnet:

/ip firewall
filter
add action=drop chain=input disabled=no dst-address=192.168.88.0/24
\

src-address=192.168.151.0/24

add action=drop chain=input disabled=no dst-address=192.168.250.0/24

src-address=192.168.151.0/24