A guest SSID isolated on its own VLAN, where the UniFi AP rides a single hybrid trunk port: untagged frames are the main LAN (AP management + adoption), tagged frames carry the Guest SSID. One cable, no second management VLAN to onboard.
Part of a larger home-network build — full write-up with topology, IoT/Guest segmentation, IPv6-over-WireGuard, DoH, and the rationale behind every choice below: https://blog.homestack.space/mikrotik-home-network
- Main LAN on `192.168.88.0/24`, untagged VLAN 1.
- Guest on `192.168.90.0/24`, tagged VLAN 20 (renumber freely).
- UniFi AP on `ether2`, managed from the main LAN.
- MikroTik on a defconf RouterOS v7 setup; bridge named `bridge`.
- IPv4 only; the IPv6 design is in the write-up linked above.
Two things the blog build adopted that a basic guest-VLAN guide skips:
- Isolation is enforced in `forward`, not by starving DHCP/DNS in `input`. The input chain accepts exactly the services Guest needs; the forward chain drops new flows into trusted networks. The drop goes before the fasttrack / established accepts or it never matches.
- Guest gets its own resolver, handed out by its DHCPv4 server and kept off the trusted LAN's resolver. The write-up swaps this for RA RDNSS + DoH; this guide stays plain IPv4.
```routeros
# --- Bridge VLAN: hybrid trunk on ether2 (untagged VLAN 1 + tagged VLAN 20) ---
# Build the VLAN table first, then turn filtering on. Enabling vlan-filtering
# before the entries exist can drop the session you are configuring from.
/interface/vlan add interface=bridge name=vlan-guest vlan-id=20
/interface/bridge/vlan
add bridge=bridge vlan-ids=1 untagged=bridge,ether2 comment="main LAN untagged"
add bridge=bridge vlan-ids=20 tagged=bridge,ether2 comment="Guest to UniFi AP"
/interface/bridge set [find name=bridge] vlan-filtering=yes
/ip/address add address=192.168.90.1/24 interface=vlan-guest

# --- DHCPv4 ---
/ip/pool add name=guest-pool ranges=192.168.90.100-192.168.90.200
/ip/dhcp-server add name=guest-dhcp interface=vlan-guest address-pool=guest-pool lease-time=1d
# Guests get public resolvers directly, not the router / trusted-LAN resolver.
/ip/dhcp-server/network add address=192.168.90.0/24 gateway=192.168.90.1 dns-server=1.1.1.1,8.8.8.8

# vlan-guest is deliberately NOT added to the LAN interface list: defconf accepts
# everything in "input" from LAN-list members, which would expose WinBox/SSH/etc.
# on 192.168.88.1 and 192.168.90.1 to guests, and it would also enable neighbor
# discovery and MAC-server on the guest segment.

# --- IPv4 firewall: input accepts only what Guest needs; forward isolates ---
# A plain "add" appends to the END of the chain, after defconf's own accept/drop
# rules, so place-before is used to put each rule where it actually matches.
# The find expressions assume the defconf rule comments are unchanged;
# check with: /ip/firewall/filter print
/ip/firewall/filter
add chain=input action=accept in-interface=vlan-guest protocol=udp dst-port=67-68 comment="GUEST: DHCPv4" place-before=[find comment="defconf: accept ICMP"]
add chain=input action=accept in-interface=vlan-guest protocol=udp dst-port=53 comment="GUEST: DNS UDP" place-before=[find comment="defconf: accept ICMP"]
add chain=input action=accept in-interface=vlan-guest protocol=tcp dst-port=53 comment="GUEST: DNS TCP" place-before=[find comment="defconf: accept ICMP"]
add chain=input action=drop in-interface=vlan-guest comment="GUEST: drop everything else to the router" place-before=[find comment="defconf: accept ICMP"]
# The forward drop must sit BEFORE fasttrack / established accepts, or it never matches.
add chain=forward action=drop in-interface=vlan-guest out-interface=bridge connection-state=new comment="GUEST !-> LAN" place-before=[find comment="defconf: fasttrack"]
```
```sh
# From a guest client (run on the guest device, not on the router)
ping 192.168.88.1        # MUST fail: the router's LAN address is dropped in input.
                         # A ping to any main-LAN host exercises the forward drop and must fail too.
ping 1.1.1.1             # OK: internet works
nslookup cloudflare.com  # resolves via the DHCP-handed resolver (1.1.1.1 / 8.8.8.8)
```