delid4ve

Occasional Visitor
Didn't really know what to call this..

So I am trying to achieve the following:
I have an Ubiquiti wireless AP and a MikroTik hAP ac2.
I want to have two wireless networks, one of which will give internet access over a VPN (route 192.168.0.3) and the other straight to WAN (route 192.168.0.3).
Now this is fine; however, I would like both Wi-Fi SSIDs on the same network (192.168.8.0/24) in order for certain hardware devices and Bonjour to work.

I have the AP using two VLANs (10/20) at present, through a managed switch and into ports 1 & 5 of the router. The rest of the network comes in on port 2.
I have tried adding a DHCP server to each interface with split pools so I can mangle and NAT to the different DNS/routes, then bridging and VLAN filtering, and it kinda works; however, there is no access to the hardwired stuff as soon as I turn on VLAN filtering. DHCP says it can't function on slave interfaces either, but it does actually get addresses.

There must be an easier way to do this, but I'm stumped..
I'm assuming a bridge has to be used somewhere, as I can't have the same subnet on different interfaces. The main objective is to get anything on one SSID of the Ubiquiti to use the separate gateway. I put it to the experts for a solution.. thanks in advance. PS: I've got plenty of spare ports if I need to link out anything, etc.
 
First thoughts here...

Two VLANs: VLAN1000 for primary, and VLAN1003 for your guest/direct WAN. Use the default VLAN for management only...

The UBNT AP supports VLAN/SSID mapping, so one would have two SSIDs, again one for primary and the other for Guest/Direct. With Guest/Direct, enable AP isolation.

@System Error Message is one of the more experienced forum members here with MikroTik; he might have some other recommendations...
 
Hi sfx,
I've already mapped the SSIDs to VLANs on the Ubiquiti controller; it's the actual routing to the different gateways, whilst maintaining the same /24 subnet for wired and the two SSIDs, that I'm having trouble getting my head around.
Separate subnets for each is fine; it's combining the whole lot that's the issue, as a bridge cannot do routing marks like IP mangle can. Oh, and I did try enabling "use IP firewall" for the bridge, but it maxes out the CPU with hardly any traffic.
 
Just keep in mind - at a high level...

VLANs are Layer 2 - Ethernet
Subnets are Layer 3 - IP and TCP/UDP
 
Doesn't seem like a MikroTik-related question.
In MikroTik, the bridge/switch actually can do routing like IP mangle can, but it is much more tedious; but MikroTik are one of the few that provide layer 2 NAT, which can be used to bypass sFlow and other NAT detectors. Bridge marks aren't the same as firewall, but you can test with a filler rule typically used for stats in the past. Within the same subnet, it is forwarding at layer 2 using the bridge; unless you separate them via VLANs, which means you will have to set up layer 3 routing (not bridging, unless you have a layer 3 switch, in which you set the switch chip to IP and set routes).

If you want both devices to talk to each other but have separate internet ways, each assigned to an AP, that's very simple, without double NATing of course. The router must first be connected to the VPN; it will have 2 gateways, and it will need the internet gateway to be set as the preferred one (or better weightage). You can use layer 2 and tag packets based on their origin, whether it is from the AP, and tag

There are many ways to do this, but I can't figure out the best one as they're all complicated. The easiest way is to just have the AP give its own IP block with the router as gateway, and rather than routing the whole subnet through the same WAN, you can set IP ranges instead, but with the DNS set to the VPN one (prevent DNS leak).
 
So I have managed to crack it using a few posts here and there.

My setup is:
Ubiquiti WAP -> Netgear Switch -> hAP ac2

Ubiquiti: 4 x SSIDs, 2 for one gateway and 2 for a VPN gateway (1 each on 2 & 5 GHz)
VLAN 10 on VPN
VLAN 20 for regular
Cabled to switch port 1, with the port set as tagged 10/20 and untagged 1
Port 2 on switch goes to hAP port 1 (untagged 1)
Port 3 on switch goes to hAP port 2 (tagged 10, untagged none, PVID 10)
Port 4 on switch goes to hAP port 3 (tagged 20, untagged none, PVID 20)
Ports 3 & 4: VLAN-only filtering enabled

hAP setup:
Set DNS to normal DNS
Add 2 x VLAN interfaces (10/20) and set them to the respective ports
Add bridge and add all 3 ports plus the two VLANs
Set horizon 10 on ports 1/2/3 only
Add VLAN 10, tagged ports: bridge/port2/vlan10
Add VLAN 20, tagged ports: bridge/port3/vlan20
PVID of all ports is 1
Add DHCP server to the bridge for whatever subnet you want, and direct DNS to the router
Add bridge filter to drop ports 2/3 for forward traffic (the traffic is on the VLAN, not on the physical port, and it will loop out)
Enable IP firewall, and IP firewall for VLANs
Add mangle prerouting: mark routing, VLAN 20, routing mark 'BypassVPN'
Add the additional route to your VPN gateway (mine being a QNAP NAS) with the routing mark
Enable VLAN filtering
Add DST NAT rule to redirect UDP port 53 for anything with the routing mark to the VPN DNS server

This gives everything on the same subnet,
able to use things such as Apple screen mirroring; haven't tried other types of broadcast.
Easy switching of Wi-Fi networks depending on whether you want VPN or not, without having to manually change anything, but you can still access all LAN resources (all the other ports on my switch).

Maybe not best practice, but I haven't found any issues as of yet, provided you isolate all the ports as per the above.

Have noticed, though, that as soon as you enable logging for anything in the bridge it maxes out the CPU (even before adding all the VLANs).

Any advice/recommendations would be nice, especially for things that may occur abnormally with this setup (I'm only self-taught, with the help of Google/nice people in the forums for all the I.T. knowledge I have).

Oh, and if you have other routes you will also have to duplicate them all for the routing mark if you want to be able to access them.
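As an added example, and not the poster's own exported configuration, here is what the hAP steps above look like as a RouterOS CLI script, following them in the order given (routing mark and filter last, VLAN filtering only once the VLAN table is complete). Everything not stated in the post is an assumption: ether1 as the wired LAN port and ether2/ether3 as the VLAN 10/20 ports, 192.168.8.1 as the router address, 192.168.8.2 as the gateway for the marked traffic, 10.8.0.1 as the VPN-side DNS server, and the pool range and names. It is written for RouterOS 6 syntax; on RouterOS 7 the routing table must be created first (noted in a comment).

```routeros
# Added example, not the poster's config. Placeholder values are constructed:
#   ether1 = wired LAN, ether2 = VLAN 10 port, ether3 = VLAN 20 port
#   192.168.8.1 router, 192.168.8.2 gateway for marked traffic, 10.8.0.1 VPN DNS
# RouterOS 7 only: /routing table add name=BypassVPN fib   (before the mangle rule)

# 1. VLAN interfaces on the two ports carrying tagged traffic from the switch
/interface vlan
add name=vlan10 vlan-id=10 interface=ether2 comment="VPN SSIDs"
add name=vlan20 vlan-id=20 interface=ether3 comment="regular SSIDs"

# 2. One bridge for the wired LAN and both VLANs. vlan-filtering stays off until
#    the VLAN table below exists; enabling it early drops the tagged traffic.
/interface bridge
add name=bridge1 vlan-filtering=no

# 3. Bridge ports. horizon=10 on the three physical ports only, so frames are not
#    bridged directly between them; the vlan interfaces carry no horizon so wireless
#    clients still reach the wired LAN. PVID is 1 on every port.
/interface bridge port
add bridge=bridge1 interface=ether1 horizon=10 pvid=1
add bridge=bridge1 interface=ether2 horizon=10 pvid=1
add bridge=bridge1 interface=ether3 horizon=10 pvid=1
add bridge=bridge1 interface=vlan10 pvid=1
add bridge=bridge1 interface=vlan20 pvid=1

# 4. VLAN table: each VLAN tagged on the bridge, its physical port and its vlan interface
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether2,vlan10
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether3,vlan20

# 5. Bridge filter: drop forwarded frames that arrive on the raw physical ports,
#    so tagged traffic only enters through the vlan interfaces (the loop the post mentions)
/interface bridge filter
add chain=forward in-interface=ether2 action=drop
add chain=forward in-interface=ether3 action=drop

# 6. Send bridged traffic, including VLAN-tagged frames, through the IP firewall
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

# 7. Single subnet on the bridge; DHCP hands out the router as DNS
/ip address
add address=192.168.8.1/24 interface=bridge1
/ip pool
add name=lan-pool ranges=192.168.8.100-192.168.8.199
/ip dhcp-server
add name=lan-dhcp interface=bridge1 address-pool=lan-pool disabled=no
/ip dhcp-server network
add address=192.168.8.0/24 gateway=192.168.8.1 dns-server=192.168.8.1

# 8. Policy routing. Packets from wireless clients enter the router with
#    in-interface=bridge1, so the VLAN is matched with in-bridge-port. The marked
#    traffic gets its own default route; any other route those clients need must be
#    duplicated with the same routing-mark, as the post notes.
/ip firewall mangle
add chain=prerouting in-bridge-port=vlan20 action=mark-routing \
    new-routing-mark=BypassVPN passthrough=no
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.8.2 routing-mark=BypassVPN \
    comment="default route for marked traffic (placeholder gateway)"

# 9. Redirect DNS for marked traffic to the VPN-side resolver so it does not leak
#    to the router's normal DNS (the mark is already set by the time dstnat runs)
/ip firewall nat
add chain=dstnat routing-mark=BypassVPN protocol=udp dst-port=53 \
    action=dst-nat to-addresses=10.8.0.1 to-ports=53

# 10. Only now enable VLAN filtering on the bridge
/interface bridge
set bridge1 vlan-filtering=yes
```

Apply it over a console session rather than Winbox over the bridge, since step 10 briefly interrupts bridged traffic; afterwards `/interface bridge vlan print` should show both VLANs with the bridge, the physical port and the vlan interface in the tagged column, and `/ip firewall mangle print stats` should show the mark-routing counter climbing only when a client on the VLAN 20 SSID sends traffic.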
 