Blog.gowifi

Go Wireless NZ

Thursday, January 9, 2014

Multiple Networks over a wireless link using Ubiquiti NanoStations & Mikrotik Routerboards



Scenario:
You have multiple networks on different subnets (let's say an IP phone system, your internal data network and a security camera network), and you wish to send these over a wireless link.

 
Equipment we're using:
2x Ubiquiti NanoStation M5
2x Mikrotik RB750

For ease, let's say that the IP ranges we're using are as follows (and at the same time, let's make up some VLANs to go with them):
Internal Network – 192.168.10.0/24 – VLAN 10
Phone Network – 192.168.20.0/24 – VLAN 20
Camera Network – 192.168.30.0/24 – VLAN 30

Management IPs:
RB750 - Main - 192.168.10.254
NanoStation Main- 192.168.10.253
NanoStation Remote- 192.168.10.252
RB750 - Remote - 192.168.10.251


Network Diagram:
 
For the main RB750:
/system identity
set name=RTR-MAIN

# Here we will make the bridges for our 3 networks
/interface bridge
add disabled=no name=10-Data-Bridge
add disabled=no name=20-Phone-Bridge
add disabled=no name=30-Security-Bridge

# Let's make the VLANs that will look after each of the networks
/interface vlan
add disabled=no interface=ether5 name=ether5.10 vlan-id=10
add disabled=no interface=ether5 name=ether5.20 vlan-id=20
add disabled=no interface=ether5 name=ether5.30 vlan-id=30

# We will add the ports that the networks come in on, and also the new VLANs, into the bridges
/interface bridge port
add bridge=10-Data-Bridge disabled=no interface=ether1
add bridge=20-Phone-Bridge disabled=no interface=ether2
add bridge=30-Security-Bridge disabled=no interface=ether3

add bridge=10-Data-Bridge disabled=no interface=ether5.10
add bridge=20-Phone-Bridge disabled=no  interface=ether5.20
add bridge=30-Security-Bridge disabled=no interface=ether5.30

# And add a management IP address
/ip address
add address=192.168.10.254/24 disabled=no interface=10-Data-Bridge network=192.168.10.0

On the main NanoStation M5:
Set the mode to Station, enable WDS and add some security.


Next, go to the Network tab and choose Advanced configuration mode. Enter the management IP address.




In the VLAN Network options, add the VLANs on each of the LAN and WAN interfaces. Once you've done this, make a bridge for each VLAN and add the LAN and WAN interface for that VLAN to it.

Make sure that, in the Management Network Settings, the Management Interface selected is the one that you are using for your management VLAN.




On the Remote NanoStation:
On the Wireless tab, set the mode to Access Point, enable WDS and add some security.


On the Network tab, add your management IP address.

 

Then add your VLANs, create some bridges and add the interfaces to them, like we did on the first one. Don't forget to ensure that the Management Interface is the bridge that has your management IP on it (VLAN 10).










Let's make sure the link is working before proceeding (Hurrah!)



So, coming out of the Remote NanoStation M5's Ethernet port, we should have 3x trunked VLANs. Let's configure the remote Mikrotik RB750 to see if we do.

/system identity
set name=RTR-REMOTE

#Here we will make the bridges for our 3 networks
/interface bridge
add disabled=no name=10-Data-Bridge
add disabled=no name=20-Phone-Bridge
add disabled=no name=30-Security-Bridge

#Let's make the VLANs
/interface vlan
add disabled=no interface=ether5 name=ether5.10 vlan-id=10
add disabled=no interface=ether5 name=ether5.20 vlan-id=20
add disabled=no interface=ether5 name=ether5.30 vlan-id=30

#Here we make sure the VLANs coming in go into the correct bridge, and also select which port they go out on
/interface bridge port
add bridge=10-Data-Bridge disabled=no interface=ether5.10
add bridge=20-Phone-Bridge disabled=no interface=ether5.20
add bridge=30-Security-Bridge disabled=no interface=ether5.30

add bridge=10-Data-Bridge disabled=no interface=ether1
add bridge=20-Phone-Bridge disabled=no interface=ether2
add bridge=30-Security-Bridge disabled=no interface=ether3

#And add a management IP address
/ip address
add address=192.168.10.251/24 disabled=no interface=10-Data-Bridge network=192.168.10.0




This should be complete! Let's see if we can ping from the remote RB750, through to the default gateway


[admin@RTR-REMOTE] > /ping 192.168.10.1
HOST                                     SIZE TTL TIME  STATUS                  
192.168.10.1                               56  64 4ms 
    sent=1 received=1 packet-loss=0% min-rtt=4ms avg-rtt=4ms max-rtt=4ms

[admin@RTR-REMOTE] > /ping 192.168.20.1
HOST                                     SIZE TTL TIME  STATUS                  
192.168.20.1                               56  64 9ms 
    sent=1 received=1 packet-loss=0% min-rtt=9ms avg-rtt=9ms max-rtt=9ms

[admin@RTR-REMOTE] > /ping 192.168.30.1
HOST                                     SIZE TTL TIME  STATUS                  
192.168.30.1                               56  64 9ms 
    sent=1 received=1 packet-loss=0% min-rtt=9ms avg-rtt=9ms max-rtt=9ms 




Now if you plug a PC or a Switch into port 1 on the remote RB750, you'll get the VLAN 10 (192.168.10.0/24) Network, and likewise for Port 2 and 3.
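
An added example (not part of the original post or the author's setup): a small Python check that reads RouterOS commands in the one-line "add key=value" style used above and reports bridge-port entries that name an undefined bridge, or a bridge that ends up carrying more than one VLAN. Either mistake breaks the per-network layer 2 separation this setup is built for. The sample config, function names and finding strings are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed RouterOS-style input (not from the post): ether5.10 is put in a
# bridge that was never created, and ether5.30 lands in the phone bridge.
SAMPLE = """\
/interface bridge
add disabled=no name=10-Data-Bridge
add disabled=no name=20-Phone-Bridge
add disabled=no name=30-Security-Bridge
/interface vlan
add disabled=no interface=ether5 name=ether5.10 vlan-id=10
add disabled=no interface=ether5 name=ether5.20 vlan-id=20
add disabled=no interface=ether5 name=ether5.30 vlan-id=30
/interface bridge port
add bridge=10-Phone-Bridge disabled=no interface=ether5.10
add bridge=20-Phone-Bridge disabled=no interface=ether5.20
add bridge=20-Phone-Bridge disabled=no interface=ether5.30
add bridge=10-Data-Bridge disabled=no interface=ether1
"""

def parse(text):
    """Group single-line 'add key=value ...' entries under their menu path."""
    menus, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            menus[current].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return menus

def audit(text):
    """Return findings that break one-VLAN-per-bridge separation."""
    menus = parse(text)
    bridges = {b["name"] for b in menus["/interface bridge"]}
    vlan_id = {v["name"]: int(v["vlan-id"]) for v in menus["/interface vlan"]}
    findings, vlans_in = [], defaultdict(set)
    for port in menus["/interface bridge port"]:
        bridge, iface = port["bridge"], port["interface"]
        if bridge not in bridges:
            findings.append(f"{iface}: bridge {bridge} is not defined")
            continue
        if iface in vlan_id:
            vlans_in[bridge].add(vlan_id[iface])
    for bridge in sorted(vlans_in):
        if len(vlans_in[bridge]) > 1:
            findings.append(f"{bridge}: joins VLANs {sorted(vlans_in[bridge])}")
    return findings
```

Calling audit(SAMPLE) returns one finding per problem; a config where every bridge port names a defined bridge and each bridge holds a single VLAN returns an empty list.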

7 comments:

  1. Why do you need to add the VLANs to the radios?
  2. This comment has been removed by the author.
  3. Hi Phill,

    It would be to keep the networks fully independent of each other at a layer 2 level.
  4. Hello, in this configuration I cannot see the Ubiquiti, or it is not responding to ping, but everything works fine... any suggestions?
  5. So you can access the remote networks across the WAN link? Check your Management IP address settings on the Ubiquiti devices. They should be linked to the same bridge you're trying to access it from.
  6. This comment has been removed by a blog administrator.
  7. Thank you! Very good contribution.