Studied the guides by anav and others and followed the 'thenetworkberg' tutorial to make VLANs on my RoS.
Have 1 RB5009, hAP ac (backup), and 2 switches: Brocade ICX7250 / 3Com Baseline 2948 (which will only run at 1G over SFP+).
My WAN side is the 5009 connected to 2 bridged-mode modems.
So VLANs are set up and:
- working, actually
- DHCP also good
- UniFi U6 Pro AP only works on the default SSID and not the ones which have my VLANs
SFP as trunk, connected to the Brocade, and all ports untagged and tagged on it as per the guides (I didn't say 'properly' because I need some more conceptual understanding).
What I want to diagnose is where my config is wrong, because:
a) I am getting 1/5th of my speed (as compared to a normal DHCP client and LAN scenario on my device)
b) Can't do a speed test sometimes, and when I do it's as above, at least 5 times lower than my original speed
c) VLANs working on the Brocade switch, also MikroTik, but not on UniFi, and this is where I scoured the forum, got more confused, and want to learn:
- Access ports = untagged & trunk ports = tagged, right?
- Theoretically, if I set an ether port as tagged, am I correct to assume it can't be untagged to all VLANs at the same time?
- (*Big ISSUE for me*) What in God's name is this issue with default VLANs and them being necessarily untagged or something:
While I was setting my switch ports on the Brocade/3Com, both gave a similar squeak when I tried to change VLAN 1 untagged. Is the default VLAN supposed to have no trunk port and must it be on ports as untagged? I need to understand this, as maybe this is the reason my UniFi AP won't receive VLANs and only the default SSID works, which is VLAN 1.
- Secondly, is PVID the same as VLAN ID? Do I have to set it in bridge ports for all ports?
- I hadn't enabled ingress filtering before but did it after. Also, what about frame types: is it necessary to set them, and why can't I use admit-all since VLAN filtering is already enabled?
- I realize from forums that UniFi has its stupid issues and wants an untagged (access) port to communicate with, but should I not connect it to a trunk, as I have 4 VLANs that I want it to receive and broadcast as SSIDs? An access port would limit it to just 1 VLAN or network segment, no?
- Many forums said MikroTik doesn't prefer RSTP, so STP or in fact MSTP is better suited? Is this correct?
- Because of this, what should I set my Brocade switch to? As it does not have MSTP, should I use STP here then?
Lastly, am I in a double NAT scenario?
I have 3 buildings, with the main one having a load-balanced 5009 with 2 bridged-mode ISPs and a 3rd smaller ISP as WANs.
I have run a DHCP server on it, and this building (the one with the VLAN office environment) receives WAN via DHCP client.
Can this be a reason for any speed issues? Because without VLANs and just LAN before, things were running smoothly.
# feb/27/2024 18:26:14 by RouterOS 7.9.2
# model = RB5009UG+S+
/interface bridge
add name=VLAN-Br protocol-mode=mstp vlan-filtering=yes
/interface ethernet
set [ find default-name=ether4 ] name=ether4-TRUNK
set [ find default-name=ether5 ] name=ether5-Access-v192
set [ find default-name=ether6 ] name=ether6-Access-v25
set [ find default-name=ether7 ] name=ether7-Access-v25
set [ find default-name=ether8 ] name="ether8-Mgmt only"
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no name=sfp+TRUNK speed=1Gbps
/interface vlan
add interface=VLAN-Br name=v12Guest vlan-id=12
add interface=VLAN-Br name=v25MRC vlan-id=25
add interface=VLAN-Br name=v192NVR vlan-id=192
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=25.25.25.2-25.25.25.254
add name=dhcp_pool1 ranges=192.168.100.2-192.168.100.254
add name=dhcp_pool2 ranges=30.30.30.2-30.30.30.254
add name=dhcp_pool3 ranges=12.12.12.2-12.12.12.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=v25MRC name=dhcp1
add address-pool=dhcp_pool1 interface=v192NVR name=dhcp2
add address-pool=dhcp_pool3 interface=v12Guest name=dhcp3
/interface bridge port
add bridge=VLAN-Br interface=sfp+TRUNK
add bridge=VLAN-Br interface=ether4-TRUNK
add bridge=VLAN-Br interface=ether5-Access-v192
add bridge=VLAN-Br interface=ether6-Access-v25
add bridge=VLAN-Br interface=ether7-Access-v25
/interface bridge vlan
add bridge=VLAN-Br tagged=VLAN-Br,sfp+TRUNK,ether4-TRUNK untagged=ether6-Access-v25,ether7-Access-v25 vlan-ids=25
add bridge=VLAN-Br tagged=VLAN-Br,sfp+TRUNK,ether4-TRUNK untagged=ether5-Access-v192 vlan-ids=192
add bridge=VLAN-Br tagged=VLAN-Br,sfp+TRUNK,ether4-TRUNK untagged=ether5-Access-v192 vlan-ids=12
/interface list member
add interface=ether2 list=WAN
add interface=v25MRC list=LAN
add interface=v192NVR list=LAN
add interface=ether4-TRUNK list=LAN
add interface=ether5-Access-v192 list=LAN
add interface=ether6-Access-v25 list=LAN
/ip address
add address=25.25.25.1/24 interface=v25MRC network=25.25.25.0
add address=192.168.100.1/24 interface=v192NVR network=192.168.100.0
add address=10.9.8.7/24 interface="ether8-Mgmt only" network=10.9.8.0
add address=12.12.12.1/24 interface=v12Guest network=12.12.12.0
/ip dhcp-client
add interface=ether2
/ip dhcp-server network
add address=12.12.12.0/24 gateway=12.12.12.1
add address=25.25.25.0/24 gateway=25.25.25.1
add address=30.30.30.0/24 gateway=30.30.30.1
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns
set servers=1.1.1.1
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=25.25.25.1-25.25.25.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=forward out-interface-list=WAN src-address-list=25.25.25.0/24
add action=accept chain=forward out-interface-list=WAN src-address-list=192.168.100.0/24
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new \
in-interface=ether1 log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=\
!public src-address-list=not_in_internet
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=25.25.25.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.100.0/24
/system routerboard settings
set auto-upgrade=yes
/tool romon
set enabled=yes
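As an added illustration of the bridge VLAN questions raised above (access = untagged, trunk = tagged, what PVID does, why ingress-filtering and frame-types matter, and how an AP that needs untagged management plus tagged SSID VLANs fits on one port), here is a RouterOS bridge VLAN fragment. It is example configuration written for this page, not the poster's export and not a MikroTik-supplied config. It reuses the names and VLAN IDs from the export (VLAN-Br, sfp+TRUNK, ether4-TRUNK, ether5/6/7, VLANs 12/25/192) and assumes two things the export does not contain: that the U6 Pro hangs off ether4-TRUNK, and a management VLAN 99 (v99Mgmt, 10.99.0.0/24) carried untagged to the AP so it can be adopted, since a UniFi AP by default talks to its controller untagged and expects each VLAN-tagged SSID's VLAN to arrive tagged on the same port. The pattern it demonstrates is general: every bridge port appears as untagged in at most one VLAN, and that VLAN is the port's pvid.

```routeros
# Added example configuration, not the original poster's export.
# Assumptions (not in the original): ether4-TRUNK connects the U6 Pro AP,
# and VLAN 99 / 10.99.0.0/24 is a management VLAN for the AP itself.

/interface bridge
add name=VLAN-Br protocol-mode=mstp vlan-filtering=yes

/interface vlan
add interface=VLAN-Br name=v12Guest vlan-id=12
add interface=VLAN-Br name=v25MRC   vlan-id=25
add interface=VLAN-Br name=v192NVR  vlan-id=192
add interface=VLAN-Br name=v99Mgmt  vlan-id=99

/interface bridge port
# Trunk to the Brocade: tagged frames only. Anything untagged or carrying a
# VLAN this port is not a member of is dropped at ingress.
add bridge=VLAN-Br interface=sfp+TRUNK ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged

# Hybrid port for the AP: untagged frames (the AP's own management traffic)
# are stamped with pvid 99; SSID traffic must arrive tagged 12/25/192.
# admit-all is needed here precisely because both kinds of frame are valid.
add bridge=VLAN-Br interface=ether4-TRUNK pvid=99 ingress-filtering=yes \
    frame-types=admit-all

# Access ports: untagged only, one VLAN each, pvid = that VLAN.
# A tagged frame arriving on an access port is dropped, so a client cannot
# inject itself into a VLAN it was not assigned.
add bridge=VLAN-Br interface=ether5-Access-v192 pvid=192 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=VLAN-Br interface=ether6-Access-v25 pvid=25 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=VLAN-Br interface=ether7-Access-v25 pvid=25 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
# VLAN-Br itself is listed as tagged wherever the router routes that VLAN,
# so the /interface vlan interfaces above can see the traffic.
# Each physical port is untagged in exactly ONE of these rows (its pvid).
add bridge=VLAN-Br vlan-ids=99  tagged=VLAN-Br,sfp+TRUNK untagged=ether4-TRUNK
add bridge=VLAN-Br vlan-ids=12  tagged=VLAN-Br,sfp+TRUNK,ether4-TRUNK
add bridge=VLAN-Br vlan-ids=25  tagged=VLAN-Br,sfp+TRUNK,ether4-TRUNK \
    untagged=ether6-Access-v25,ether7-Access-v25
add bridge=VLAN-Br vlan-ids=192 tagged=VLAN-Br,sfp+TRUNK,ether4-TRUNK \
    untagged=ether5-Access-v192

/ip address
add address=10.99.0.1/24 interface=v99Mgmt network=10.99.0.0

# Checks after applying:
#   /interface bridge vlan print        - current-tagged / current-untagged per VLAN
#   /interface bridge port print        - H flag means the port is hardware-offloaded
#   /interface bridge host print        - learned MACs with the VLAN they were seen on
```

Two things worth comparing against the export above. First, in the export ether5-Access-v192 is listed as untagged for both VLAN 192 and VLAN 12, and no access port has a pvid set (so they default to 1); in the example each access port is untagged in one VLAN only and its pvid matches that row. Second, frame-types is not redundant with vlan-filtering: vlan-filtering decides which VLANs a port may carry, while frame-types decides whether untagged, tagged, or both frame kinds are accepted at all, which is how an access port is prevented from accepting a tagged frame for a VLAN it happens to be a member of. The spanning-tree and double-NAT questions are not touched by this fragment.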