Wednesday 9 September 2015

Ubiquiti AirOS 5.6 Virtual SSID Step by Step

14:18 Posted by Jurgens Krause , , , , , , 23 comments

One of the big gripes that people have with Ubiquiti is the lack of support for Virtual SSIDs. Here is a step by step tutorial for setting up VSSIDs on Airos 5.6 devices with Vlans back to the upstream router. Please note that you will not be able to use Airmax when you have Virtual SSIDs.

This tutorial is based on information from the Ubiquiti Forums, specifically this post by AnubisSL.

Step 1 - Make sure you are running the latest version of AirOS


Step 2 - Configure the first SSID as you would under normal circumstances

Step 3 - Download the config file from the device and open it using a text editor

Step 4 - Edit the config file

4.1a - Without VLAN use this if you don't need to vlan the second SSID
Under the "bridge" section, create a new bridge port. The port number, "3" in this example should be incremented by one from the previous highest number. The devname, in this case "ath1" is also one more than the previous, in this case "ath0"
bridge.1.port.3.devname=ath1
bridge.1.port.3.prio=20
bridge.1.port.3.status=enabled

4.1b - With VLAN use this if you want to place the clients on the second SSID in a VLAN
Under the "bridge" section, create a new bridge, incrementing the last used by one. Add the ethernet interface, as well as the new (virtual) wireless interface (created later on). The ethernet device name is noted as eth0.vlanid (in this case vlan10).
The device name for bridge.2 would be br1  for bridge.3 it would be br2 and so on.
bridge.2.comment=Management
bridge.2.devname=br1
bridge.2.port.1.devname=eth0.10
bridge.2.port.1.status=enabled
bridge.2.port.2.devname=ath1
bridge.2.port.2.status=enabled
bridge.2.status=enabled
bridge.2.stp.status=disabled
4.2 Under the "ebtables" section, add the new device, incrementing the number "2" as appropriate, and using the device name created above.

Without VLAN
ebtables.sys.eap.2.status=enabled
ebtables.sys.eap.2.devname=ath1
ebtables.sys.arpnat.2.status=enabled
ebtables.sys.arpnat.2.devname=ath1

With VLAN (note, you can also create the VLAN using the web interface)
ebtables.sys.eap.2.status=enabled
ebtables.sys.eap.2.devname=ath1
ebtables.sys.arpnat.2.status=enabled
ebtables.sys.arpnat.2.devname=ath1
ebtables.sys.vlan.1.comment=VirtualSSID
ebtables.sys.vlan.1.devname=eth0
ebtables.sys.vlan.1.id=10
ebtables.sys.vlan.1.status=enabled
ebtables.sys.vlan.status=enabled
4.3 Under the "netconf" section add the information below incrementing "4" as needed. make sure you use the same device name as above
netconf.4.up=enabled
netconf.4.status=enabled
netconf.4.role=bridge_port
netconf.4.promisc=enabled
netconf.4.netmask=255.255.255.0
netconf.4.mtu=1500
netconf.4.ip=0.0.0.0
netconf.4.hwaddr.status=disabled
netconf.4.hwaddr.mac=
netconf.4.devname=ath1
netconf.4.autoip.status=disabled
netconf.4.allmulti=enabled

4.4 Add the following under the "radio" section, specifying radio.1 as the parent device, and incrementing the virtual device number as needed
radio.1.virtual.1.status=enabled
radio.1.virtual.1.devname=ath1
radio.1.virtual.1.mode=master

4.5 Add the following under the "wireless" section, using the next available number, and choose a sensible SSID name

wireless.2.wmm=enabled
wireless.2.wds.status=disabled
wireless.2.status=enabled
wireless.2.ssid=NEWSSID     <= CHANGE TO ACTUAL SSID OF VIRTUAL AP
wireless.2.l2_isolation=enabled    <= CHANGE TO 'disabled' IF NO ISOLATION IS REQUIRED
wireless.2.hide_ssid=disabled
wireless.2.autowds=disabled
wireless.2.authmode=1
wireless.2.ap=
wireless.2.addmtikie=enabled
wireless.2.devname=ath1

4.6 Unless you need security, you can save the file and upload it to your device. That is all.

4.6 If you want to enable security, add the following under the "aaa" section, changing the values appropriately
aaa.2.devname=ath1     <= CHANGE TO ACTUAL DEVICE OF VIRTUAL AP
aaa.2.driver=madwifi
aaa.2.radius.auth.1.status=disabled
aaa.2.ssid=NEWSSID     <= CHANGE TO ACTUAL SSID OF VIRTUAL AP
aaa.2.status=enabled
aaa.2.wpa.1.pairwise=TKIP CCMP
aaa.2.wpa.key.1.mgmt=WPA-PSK
aaa.2.wpa.psk=PASSWORD     <= CHANGE TO REQUIRED PASSWORD OF VIRTUAL AP
aaa.2.wpa.mode=2

That's it, you can now upload the new config, and reboot the device!

Limitations:
NO AIRMAX!
NO 10MHZ channels
i think that's it

23 comments:

  1. Other limitation would be the amount of VAP's you can do.. as long as i remember was 8 doesn't it?

    ReplyDelete
  2. hi, sorry but for my not work, work with 1 ssid wpa2 an 1 virtual open, but is impossible for my make two ssid with wpa2 security, how I will can make this work? I am use ver 5.5.6

    ReplyDelete
    Replies
    1. You should check that you use minimum 8 printable ASCII chars, maximum 63 for WPA passphrase.

      Delete
  3. This comment has been removed by the author.

    ReplyDelete
  4. Hi!
    Can someone explain me briefly the real benefits of the hyped AirMax technology in I'm using a single airRouter at home ?

    I mean, what would I lose if AirMax is disabled ?

    ReplyDelete
  5. Don't forget to check the config setting:
    ebtables.sys.arpnat.status=enabled
    Without this (at least in Bridge mode) my additional virtual SSIDs were visible, and could be associated with, but had no network connectivity.

    ReplyDelete
  6. was up dudes, it work in XM and XW firmwares? and 5.6.8 version?

    ReplyDelete
  7. Hi, I have been trying to get a Ubiquiti bullet to have multiple SSID's and it keeps failing. Could you lend me a hand? How do I get in touch?

    ReplyDelete
  8. Hello
    Would it be possible to have another subnet or ip for the guest ssid ?

    ReplyDelete
  9. Hi - this was a very useful post and I had a working system for 18 months, but when I upgraded to XM 6.0.4 recently the config stopped working. Would you have a change to update this excellent tutorial to be compatible with the latest AirOs? I have reached out for help on the community forums to see if someone can help me with an issue I am having (I have almost got it working on V6).

    https://community.ubnt.com/t5/Wireless-Networking/Setting-up-Multiple-SSIDs-in-AirOs-V6-x/m-p/1918952

    thx

    ReplyDelete
    Replies
    1. I found the solution, apply the configuration on version 5.6, and then update to version 6.

      Delete
    2. Hello, have you found the solutions? I have configured one primary and two virtual aps, all worked fine. The problem is only the last virtual ap ask wpa other seems open even they are configured for wpa-psk.
      Please help.

      Delete
  10. Hi Jurgens - did you get a chance to check the config in the link I posted above? I am still hoping for a solution but if not, then next month I will go back to V5.x and stick with it until a solution eventually comes along.
    thx!
    Greg

    ReplyDelete
  11. This comment has been removed by the author.

    ReplyDelete
  12. Configured two SSID. Trying to use WPA-EAP (radius Authentication but the one configured in the GUI is open and the virtual interface which I copied and changed the aaa.1. to aaa.2. works as expected. Any suggestions on how to fix this?

    ReplyDelete
    Replies
    1. me also have same problem. I have configured three virtual aps(including main ap) with wpa-spk. Only the 3rd virtual ap asks for password(shows protected ap) and others two of them became open. I removed 3rd virtual ap again the 2nd ap asks for password remaining first became open. Have you got any solution?

      Delete
    2. Hello Rabin, I have same issue as you, please let me know if you have resolved it. Running on v6.3.6 (XM)

      Delete
    3. This comment has been removed by the author.

      Delete
    4. Dear VCI, I downgraded the firmware to 5.6 than it works as expected.

      Delete