Suppose we have an access point capable of multiple SSIDs and VLANs. We want to set up an open hotspot for public access on one channel, and a secured channel for staff. For this exercise, we will use a Ubiquiti Unifi AP and set up two WLANs. The first WLAN will be called “Public” and be assigned to VLAN ID 20. The second WLAN will be called “Secured” and be assigned to VLAN ID 10. Our basic diagram looks something like this:
The general idea will be to create a VLAN trunk between the AP and the Mikrotik router to pass traffic for both VLANs. In addition, the Unifi AP will be in its own subnet for management purposes and needs to be untagged (not assigned to a VLAN). The “Public” WLAN will be given its own subnet and will pass through a hotspot configured on the Mikrotik, while the “Secured” WLAN will be part of the regular wired LAN. The Unifi AP is already configured with the two WLANs / VLANs, is adopted by a controller at the default address (http://unifi:8080/inform), and has a static IP of 192.168.250.199. If we are not running a DNS server of our own, we can tell the AP to use the Mikrotik router’s IP (192.168.88.1) for DNS and then insert a static DNS entry that resolves the controller’s name to the appropriate address:
/ip dns static add address=1.1.1.1 disabled=yes name=unifi ttl=1d

Obviously, change 1.1.1.1 to your controller’s IP address (and set disabled=no: as exported above the entry is disabled and will not answer queries). Next, let’s use port 5 of the router and construct a trunk for both VLANs and the untagged management subnet of the AP. We need to un-assign the master port option for port 5 if it is set as a slave to another port. The name of the interface has been set to ‘ether5-vlan-wireless’. We create our two VLANs:
/interface vlan
add arp=enabled disabled=no interface=ether5-vlan-wireless l2mtu=1594 mtu=1500 name=vlan10secured use-service-tag=no vlan-id=10
add arp=enabled disabled=no interface=ether5-vlan-wireless l2mtu=1594 mtu=1500 name=vlan20public use-service-tag=no vlan-id=20

Now, what we want to do is create a bridge which will include both port 2 (regular LAN / wired clients) and VLAN10 (secured wireless). We then need to assign / move the DHCP server that was running on port 2 to the bridge. First, create the bridge:
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes disabled=no forward-delay=15s l2mtu=1594 max-message-age=20s mtu=1500 name=bridge1 priority=0x8000 protocol-mode=none transmit-hold-count=6

Now, assign both port 2 and vlan10 to the bridge:
/interface bridge port
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none interface=vlan10secured path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none interface=ether2-master-local path-cost=10 point-to-point=auto priority=0x80

In my case, I prefer to assign IP addresses to secured wireless machines via the alternate configuration tab in Windows TCP/IP settings. But for this to work, the wireless client must not see any DHCP services running on the secured WLAN it is connecting to. So, we create a bridge filter rule to block DHCP on VLAN10:
/interface bridge settings set use-ip-firewall=yes
/interface bridge filter add action=drop chain=input disabled=no in-interface=vlan10secured ip-protocol=udp mac-protocol=ip src-port=67-68

Notice the first line that tells the bridge to use firewall rules. Very important!
As for IP addresses on the local interfaces, we have the following:
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=no interface=ether2-master-local network=192.168.88.0
add address=192.168.151.1/24 disabled=no interface=vlan20public network=192.168.151.0
add address=192.168.250.1/24 disabled=no interface=ether5-vlan-wireless network=192.168.250.0

These addresses are for the normal LAN (192.168.88.0/24), the public wireless (192.168.151.0/24), and the Unifi management subnet (192.168.250.0/24). The Unifi needs an untagged or non-VLAN path to communicate with a controller. If we didn’t care about the AP communicating with a controller, we could drop the IP assignment for the physical port 5. Please note that if you are using ‘guest portal’ on the Unifi, you need the controller. Now, we move or create a DHCP service for the bridge interface and VLAN20:
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay bootp-support=static disabled=no interface=bridge1 lease-time=3d name=default
add address-pool=vlan20public authoritative=after-2sec-delay bootp-support=static disabled=no interface=vlan20public lease-time=3d name=vlan20public
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dhcp-option="" dns-server=192.168.88.1 gateway=192.168.88.1 ntp-server="" wins-server=""
add address=192.168.151.0/24 comment=vlan20public dhcp-option="" dns-server="" gateway=192.168.151.1 ntp-server="" wins-server=""
A little explanation may be in order in regards to the DHCP stuff. The service needs to run on the bridge interface, and will not work on a port assigned to a bridge. So, if we have the default DHCP server going on the default port 2, and then move port 2 into a bridge, DHCP stops. Furthermore, since the DHCP service is now on the bridge, it will also hand out leases to the wireless clients on VLAN10 as well as port 2, and whatever other ports might be slaved to port 2. Again, in my case, I didn’t want DHCP running across the VLAN10 interface, so it was blocked by filter rules. As for the hotspot service, we need to run it on the VLAN20 interface:
/ip hotspot add disabled=no idle-timeout=none interface=vlan20public keepalive-timeout=\
/ip hotspot profile set [ find default=yes ] dns-name=spot.hot hotspot-address=192.168.151.1 \

This is just a snippet for the hotspot, but the main thing to take away is that the interface needs to be the VLAN interface, not the physical port. Let’s not forget to block traffic between our public and internal networks, and also block public traffic to the AP management subnet:
/ip firewall filter
add action=drop chain=forward disabled=no dst-address=192.168.88.0/24 src-address=192.168.151.0/24
add action=drop chain=forward disabled=no dst-address=192.168.250.0/24 src-address=192.168.151.0/24

These rules belong in the forward chain: traffic routed from the public subnet to the LAN or to the AP management subnet passes through the router rather than terminating on it, and the input chain only matches packets addressed to the router itself, so a drop rule placed there would leave the two networks reachable.
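As an added example (not part of the original post, and not a MikroTik tool), here is a small Python audit for the two pitfalls this walkthrough turns on: the DHCP server and the LAN address must sit on the bridge rather than on a port that has been moved into it, and the subnet isolation rules must be in the forward chain, because traffic routed between subnets never traverses the input chain. The two RouterOS exports it checks are constructed for this example: BEFORE reproduces the mistakes this setup invites (DHCP server and LAN address left on port 2 after bridging, drop rules in the input chain) and AFTER is the corrected variant. Interface names and subnets follow the post; the parser only understands the /section plus add key=value layout that /export produces.

```python
# Added example, not from the original post: audit a RouterOS export for the
# segmentation pitfalls discussed above. The sample exports are constructed;
# BEFORE reproduces the mistakes this setup invites, AFTER is the corrected variant.
import ipaddress
import shlex
from collections import defaultdict


def parse_export(text):
    """Parse RouterOS '/export' output into {section: [row dict, ...]}.
    A trailing backslash continues a line; values may be double-quoted."""
    sections, section, buf = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):                  # continuation line
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):                 # section header, e.g. /ip address
            section = line
            continue
        words = shlex.split(line)
        if section is None or not words or words[0] not in ("add", "set"):
            continue
        # 'key=value' words become dict entries; shlex has already stripped the quotes
        sections[section].append(dict(w.partition("=")[::2] for w in words[1:] if "=" in w))
    return sections


def _same_net(a, b):
    return ipaddress.ip_network(a, strict=False) == ipaddress.ip_network(b, strict=False)


def audit(text, isolate=()):
    """Return findings; 'isolate' lists (src, dst) subnets that must be dropped in forward."""
    cfg, findings = parse_export(text), []
    bridge_ports = {r.get("interface") for r in cfg.get("/interface bridge port", [])}

    # 1. Subnet-to-subnet drop rules in a chain other than forward, and pairs left uncovered.
    forward_drops = set()
    for r in cfg.get("/ip firewall filter", []):
        if r.get("action") != "drop" or "src-address" not in r or "dst-address" not in r:
            continue
        pair = (r["src-address"], r["dst-address"])
        if r.get("chain") == "forward":
            forward_drops.add(pair)
        else:
            findings.append(f"drop {pair[0]} -> {pair[1]} is in chain={r.get('chain')}; "
                            "routed traffic between subnets only passes the forward chain")
    for src, dst in isolate:
        if not any(_same_net(src, s) and _same_net(dst, d) for s, d in forward_drops):
            findings.append(f"no forward-chain drop for {src} -> {dst}")
    # 2. A DHCP server bound to a bridge port stops serving once that port is bridged.
    for r in cfg.get("/ip dhcp-server", []):
        if r.get("interface") in bridge_ports:
            findings.append(f"dhcp-server {r.get('name')} is bound to bridge port "
                            f"{r['interface']}; bind it to the bridge instead")
    # 3. An address on a bridge port belongs on the bridge (RouterOS flags it invalid).
    for r in cfg.get("/ip address", []):
        if r.get("interface") in bridge_ports:
            findings.append(f"address {r.get('address')} is on bridge port "
                            f"{r['interface']}; move it to the bridge")
    return findings


ISOLATE = (("192.168.151.0/24", "192.168.88.0/24"),     # public -> wired LAN
           ("192.168.151.0/24", "192.168.250.0/24"))    # public -> AP management

BEFORE = """
/interface bridge port
add bridge=bridge1 interface=vlan10secured
add bridge=bridge1 interface=ether2-master-local
/ip address
add address=192.168.88.1/24 comment="default configuration" \\
    interface=ether2-master-local network=192.168.88.0
add address=192.168.151.1/24 interface=vlan20public network=192.168.151.0
/ip dhcp-server
add address-pool=default-dhcp interface=ether2-master-local name=default
/ip firewall filter
add action=drop chain=input dst-address=192.168.88.0/24 src-address=192.168.151.0/24
add action=drop chain=input dst-address=192.168.250.0/24 src-address=192.168.151.0/24
"""

# Corrected variant: address and DHCP server move to bridge1 (the bridge-port row is
# followed by a newline, not " n...", so it is left alone) and drops go to forward.
AFTER = (BEFORE.replace("interface=ether2-master-local n", "interface=bridge1 n")
               .replace("chain=input", "chain=forward"))

if __name__ == "__main__":
    for label, export in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(export, ISOLATE))
```

Run it directly to print the findings for both exports (six for BEFORE, none for AFTER). audit() takes the list of subnet pairs that must stay isolated as a parameter, so the same check can be pointed at a real export pasted from /export on the router.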