Unifi Switches vs Mikrotik Switches - Advice

Hi Folks

After a long time my various components have started trickling in. As discussed above, I am going with

pfSense (on PC hardware) → Mikrotik CRS328-24P-4S+RM → Mikrotik RB260GS (multimedia centre) and Mikrotik cAP AC

Finalized on Mikrotik because I got tired of waiting for Unifi switches/access points to be available in stock here.

So far I have got the Mikrotik CRS328-24P-4S+RM and RB260GS. What remains is 2 Mikrotik cAP AC, which will take another month to arrive.

I was initially planning to use the CRS328 with SwitchOS only, but then on doing some research I came across the Mikrotik Dude monitoring software, which can be used for monitoring the network and creating a network chart. I liked this. But this can be installed only on RouterOS, so I will have to retain RouterOS and configure it as a switch within that.

For this I plan to do the following on the switch CRS328:

  1. Create a Bridge port
  2. Add all the ports (24 Gigaports + 4 SFP+ ports) to that bridge port
  3. Create VLANs in the SWITCH CHIP option of RouterOS (matching the VLANs I created in pfSense)
  4. Enable SNMP service if not already enabled

On the switch RB260GS, since it only runs SwitchOS, I need to do the following:

  1. Create the VLANs (matching the VLANs I created in pfSense)
  2. Enable SNMP service so that Dude server can talk to this switch.

There are some things I am not clear on and would like some guidance.

  1. From a design perspective, is it better to connect the MMC switch (RB260GS) directly to pfSense or to the CRS328 switch? Would that make the configuration of pfSense more complicated?
  2. Do I need to create all the VLANs or only the VLANs being used by the switch RB260GS? Since this is a multimedia centre (MMC) switch and all the ports of this switch will be in the same VLAN, can I simply map the port on the CRS328 or pfSense (whichever the RB260GS connects to) to the MMC VLAN and create only that in the RB260GS?
  3. Do I need to configure a static IP on the switches (CRS328 and RB260GS) or will pfSense assign them a dynamic IP? Can I do address reservation for the switches on pfSense?
  4. Once the setup is complete, assume during normal operation the pfSense box fails. This would cause my home network to fail. If I am not available immediately to correct the situation, is there a simple solution for someone else in the household (who does not understand switches and routers, or networks for that matter) to restore basic network connectivity with internet access?

Thanks

This is the wrong way with CRS3xx devices; that is for all the other devices. You should not be going into the switch menu at all, you will set up the VLANs in the bridge menu. And it will have a bridge set up and all the ports added to it by default. https://help.mikrotik.com/docs/display/ROS/CRS3xx+series+switches

It will be easier to have it connected to the CRS328 and to only have one LAN port on pfSense.

Yes if all the ports in the MMC will be in the same VLAN then you can skip any VLAN setup on that switch, and just set the port connecting to it to be untagged for whichever VLAN. This just means that the MMC switch itself will also be in that VLAN.

Generally Mikrotik devices (even their switches) default to 192.168.88.1/24 as a static IP. I recommend keeping them as static IPs but of course change them to fit in your network.

No, not really, unless you keep a cheap router on hand so they can swap in the WAN and LAN cables to it; this would mean that only VLAN1 would have internet, but it would be better than nothing. Or leave a low end Mikrotik router as the backup device. Either way you’d want to pre-configure the device for minimal service.

@brwainer Thanks a lot for the timely tip on setting up VLAN in bridge menu. Saved me a lot of pain.

I am facing an issue with the VLANs. I have created the VLANs on pfSense and given them different IP ranges. Also each VLAN has a DHCP server configured on pfSense.

Now the Mikrotik switch CRS328 that connects to the LAN interface of pfSense has been set up with an IP in the same range as the LAN subnet of pfSense, and the gateway is configured as the LAN IP of pfSense.

In the switch I have created the same VLANs in the Bridge menu, assigned the tagged and untagged ports, and in the Ports tab selected the PVID for each port (except the trunk ports).

Now when I test by connecting a device to any of the ports on the switch, it always gets an IP from the LAN IP pool of pfSense. It does not get an IP from the corresponding VLAN DHCP.

It seems obvious that I am missing some configuration, but I can't figure out what that is.

EDIT:

OK, so the problem was I had not enabled VLAN filtering. I enabled it and gave the default VLAN ID of one of the VLANs created. Now the VLANs work, as in I get the IP from the pfSense VLAN DHCP server, but I lost access to the pfSense and switch management pages. Any idea how to recover?

I haven’t actually used a CRS3xx switch, but you may need to have an entry for VLAN1 in the bridge VLAN settings and have that set as untagged for the trunk port to pfSense and to the bridge itself (the interface that shows for the bridge represents the connection between the switch chip and the CPU).

Now I am totally confused. The situation so far is that I can now access the switch using an IP belonging to the VLAN I marked as default VLAN when enabling VLAN filtering. But I still can't access pfSense. Surprisingly, I get a correct IP address if I connect to any of the RJ45 ports, but if I connect to the SFP+ ports it can't seem to get an IP; basically it can't find the DHCP server.

So now I reloaded the backup I took just before this mess happened. Now, as advised, I created a new VLAN 1 in the Bridge menu. In this I added the port connecting to pfSense and the bridge itself as Unmanaged.

Enabling this caused the same problem. Can't access the switch or pfSense. This time though the VLANs also are not working. So I connected the console cable and reset the device. Now back to square 1, just before enabling the VLAN filtering.

I just can't seem to figure out what is wrong.

One question on the basics. The IP of the switch, which pool should it belong to? Should it be the same pool as the LAN on pfSense?

Unfortunately this is why Mikrotik switches in RouterOS mode aren’t recommended for beginners. Even though the new Bridge method of configuration is a vast improvement, there are still some gotchas in the configuration. Most switches handle things like making sure the management CPU has the appropriate configuration on the internal switch chip link, but Mikrotik is trying to keep the maximum number of options for advanced users (SwitchOS manages this for you). I’m not wanting to get into troubleshooting right now. You likely have just one or two things wrong that are simple, but it can take a while to sort out.

I am not giving up. I am going to solve this. Too invested to fall back.

Made some progress. I re-created VLAN 1 and in it put the port used to link to pfSense as tagged and put another port as untagged. This other port I removed from all other VLANs.

After doing this, the VLANs work fine. I can access the pfSense management screen. But the Mikrotik config screen can be accessed only from the port that I added to VLAN 1.

OK, after a long few days I managed to set up the 2 switches and pfSense the way I want. This also includes a management VLAN. The configuration pages of the switches will open up only if the PC is plugged into a management VLAN port.

But I have a few queries:

  1. I realize that if I plug my PC into the trunk ports I can also access the configuration pages of the switches that should have been accessible only from the mgmt VLAN. Is this normal?
  2. There is a weird issue with my PC. Whenever I shut down and restart my PC, the port connected to the management VLAN does not initialize and get an IP. After the PC boots up I have to manually disable and enable this ethernet port (from Windows 10) and then it automatically gets an IP. Not sure if this is a PC problem or a configuration problem.

  1. A non-VLAN-aware device (your computer) plugged into a trunk port will be placed into whatever the PVID for that port is set to - default is VLAN1. So unless that PVID is set to your management VLAN, you need to look at your firewall rules.
  2. Does your management VLAN allow internet access? Windows 10 tries to be helpful and only enable the single connection that allows internet access.

  1. The PVID is set to 1 for the trunk port. But the MGMT VLAN for the switch is not done through firewalls but through the switch itself. As per their manual, I created a MGMT VLAN in the Interfaces tab (same ID as my MGMT VLAN in pfSense) and created the IP address on this interface. Now I can access the configuration page only if I am connected to ports tagged to the MGMT VLAN or the trunk ports. For the setup part I gave all VLANs access to all other VLANs. Basically set to free access so that I can make sure I am not dealing with firewall issues when setting up the switches.

  2. The MGMT port does allow internet access, but that is the only port enabled on my PC. All other ports are disabled in Windows 10.

By “firewalls” I meant on your router. So if you have it set that all the VLANs can reach each other, then of course you’re going to see that a device on VLAN1 can reach IPs in your management VLAN. If you don’t want that, then put a firewall rule in your router that nothing can initiate a connection into the management VLAN.

Actually that's the confusing part. I don't have a separate router, my pfSense box acts as the router. And on pfSense I have not created a VLAN1. And yes, all VLANs can talk to all VLANs.

But on the switch I can access the configuration page only if I plug into a MGMT VLAN port or the trunk port; plugging into any other VLAN port will not allow me to access the configuration page of the switch. I believe this is a feature of the switch. So I am not sure why it is allowing access from the trunk port…

Whatever VLAN is the PVID on a port means that traffic going out that port from that VLAN will be untagged. Meaning in your pfSense it would be seen as the base interface that you’ve built all your other VLANs on top of. I know that your pfSense box is your router/firewall, that’s where you need to make the firewall rules to separate the VLANs.
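The two gotchas in this thread, the switch dropping off the network the moment VLAN filtering is enabled and a PC on a trunk port landing in the untagged PVID VLAN, come down to a few lines in the CRS3xx bridge configuration. The following RouterOS script is an added example, not posted by anyone in the thread and not taken from MikroTik's documentation. Assumed (constructed) values: the default bridge named bridge with all ports already members, ether1 and sfp-sfpplus1 as trunks to pfSense, VLAN 10 as management, VLAN 20 as the MMC VLAN on ether2 and ether3, 192.168.10.0/24 as the management subnet with pfSense at 192.168.10.1; pfSense's untagged LAN is deliberately not carried over the trunk, so every subnet including management is a tagged VLAN on pfSense.

```routeros
# Added example with constructed values; not the thread's or MikroTik's own config.
# Keep filtering off while editing so a typo cannot lock you out mid-change
# (or run the whole block from the console in Safe Mode).
/interface bridge set bridge vlan-filtering=no

/interface bridge port
# Trunks to pfSense: accept tagged frames only. A laptop plugged into a trunk
# then gets nothing, instead of silently joining the PVID VLAN (the pfSense
# base LAN), which is the behaviour asked about above.
set [find interface=ether1] frame-types=admit-only-vlan-tagged ingress-filtering=yes
set [find interface=sfp-sfpplus1] frame-types=admit-only-vlan-tagged ingress-filtering=yes
# MMC access ports: untagged clients are placed in VLAN 20 and may send only
# untagged frames, so a host cannot tag itself into another VLAN.
set [find interface=ether2] pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [find interface=ether3] pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# The bridge interface itself is the switch-chip-to-CPU link. Listing it as a
# tagged member of the management VLAN is what keeps the switch reachable
# after vlan-filtering=yes; leaving it out reproduces the lockout in the thread.
add bridge=bridge tagged=bridge,ether1,sfp-sfpplus1 vlan-ids=10
# MMC VLAN: tagged on the trunks, untagged on the access ports, CPU not a member.
add bridge=bridge tagged=ether1,sfp-sfpplus1 untagged=ether2,ether3 vlan-ids=20

# Management IP sits on a VLAN interface on top of the bridge, not on the
# bridge itself, so it is reachable only from VLAN 10.
/interface vlan add interface=bridge name=vlan10-mgmt vlan-id=10
/ip address add address=192.168.10.2/24 interface=vlan10-mgmt
/ip route add dst-address=0.0.0.0/0 gateway=192.168.10.1

# Enable filtering last, after the table above is complete.
/interface bridge set bridge vlan-filtering=yes
```

With the trunks set to admit-only-vlan-tagged, the untagged PVID on those ports is never used, so the pfSense-side firewall rule brwainer describes is still what separates the VLANs from each other, but nothing plugged into a trunk can reach the management subnet untagged.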