Device not accessible a few seconds after connecting it to a Switch

Hello Community,

I self-learned most of the network stuff and need some help.

I have an RB2011UiAS Router (will be upgraded soon) and I just added a 10G switch (CRS304-4XG-IN) in my cellar to provide ethernet to some rooms/devices. And I have two Ubiquiti APs, Home and Garden.

I have three VLANs, Server, Private and Guests.

I configured a trunk port to go from the router to the switch and set VLAN IDs for the other ports. Now, I have a device (Modbus TCP, ether4) which is accessible for a few seconds after connecting it to the switch and then is not reachable anymore, even though allegedly it has an IP address.

Does someone have an idea what I did wrong? Since I'm self-taught, there are probably a few mistakes, but here is my config:

router.rsc (75.3 KB)

switch.rsc (29.9 KB)

Thanks for your help

No one wants to read thousands of useless lines from a verbose export.

You have to do the normal export; with verbose, one won't understand a thing.

@rextended Ok, sorry, I thought this is maybe relevant in some way.

Here without verbose:

router.rsc (16.4 KB)

switch.rsc (1.6 KB)

Are the APs connected to the switch, and if so, to which ports?
Assuming ether5 is not used currently.
Assuming you consider the Private VLAN the trusted VLAN, so no need to make up a management VLAN.

The HouseAP is connected to the Router, ether2.

The GardenAP is connected to the Switch, also ether2, which is working.

Private and Server VLAN is trusted.

The device which is not working is connected to switch ether4, which should connect to the Server VLAN. Which it does, but only for a very short time.

Well, if they are Ubiquiti access points, they typically accept the trusted VLAN as untagged and the other data VLANs as tagged. Will assume this is the case. It is typically a bad security idea to put servers in any management interface (I mean the one an admin is likely to access the config from).

Be advised that all smart devices (switches and APs) that can read VLAN tags should get their IP address from the management or trusted VLAN, in this case VLAN 15, Private.

The switch is set up incorrectly in regards to /interface bridge port, as it is contradictory (aka OP is confused) to state admit-only-vlan-tagged (which indicates a trunk port) but then apply a PVID as well (which indicates an access port).

Now, with Ubiquiti devices expecting both untagged and tagged VLANs, the port would be considered a hybrid port, and in this case frame-types is the default (admit-all) and a PVID is included.

Decide on what IP addresses you want to give to smart devices, in this case the MT switch, and create the static lease in the router for the MAC address and assigned IP. Then simply set the address on the switch and get rid of the IP DHCP client.

To configure the switch or any MT device from a safe location, unaffected by VLAN or bridge screw-ups (which do happen), configure an off-bridge port. In the case below, once done, simply plug a laptop into ether5, change its IPv4 settings to 192.168.77.2, and with username and password you should be in.

SWITCH

/interface bridge
add admin-mac=04:F4:1C:47:77:F4 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes  frame-types=admit-only-vlan-tagged
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5
/interface vlan
add interface=bridge name=PrivateVLAN vlan-id=15
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment="Router trunk port" frame-types=admit-only-vlan-tagged \
    interface=ether1
add bridge=bridge comment="Garden AP - Hybrid Port" frame-types=admit-all \
    interface=ether2 pvid=15
add bridge=bridge comment="S. Fabian - Access Port" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=15
add bridge=bridge comment=PV-Anlage frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
/interface list
add name=MGMT
/interface list member
add interface=PrivateVLAN list=MGMT
add interface=OffBridge5 list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip address
# /24 assumed from network=192.168.44.0; set a static lease on the router that matches for MAC and IP
add address=192.168.44.xx/24 interface=PrivateVLAN network=192.168.44.0
add address=192.168.77.1/30 interface=OffBridge5 network=192.168.77.0
/interface bridge vlan
add bridge=bridge comment=ServerPorts tagged=ether1,ether2 untagged=ether4 \
    vlan-ids=10
add bridge=bridge comment=PrivatePorts tagged=ether1 untagged=ether2,ether3 \
    vlan-ids=15
add bridge=bridge comment=GuestPorts tagged=ether1,ether2 vlan-ids=20
/ip dns
set server=192.168.44.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.44.1
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/system clock
set time-zone-name=Europe/Vienna
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

Now, if in your case the AP (the Ubiquiti) is not set up bass ackwards and is like normal smart devices (all VLANs come in tagged, aka a trunk port), the following would have to be amended for the ether2 stuff.

/interface bridge port
add bridge=bridge comment="Router trunk port" frame-types=admit-only-vlan-tagged \
    interface=ether1
add bridge=bridge comment="Garden AP -Trunk port" interface=ether2
add bridge=bridge comment="S. Fabian - Access Port" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=15
add bridge=bridge comment=PV-Anlage frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
/interface bridge vlan
add bridge=bridge comment=ServerPorts tagged=ether1,ether2 untagged=ether4 \
    vlan-ids=10
add bridge=bridge comment=PrivatePorts tagged=ether1,ether2 untagged=ether3 \
    vlan-ids=15
add bridge=bridge comment=GuestPorts tagged=ether1,ether2 vlan-ids=20
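As an added example (not code from this post, nor a MikroTik tool), the trunk/access/hybrid rules discussed above can be checked mechanically before a config is committed: a port with admit-only-vlan-tagged should carry no PVID, an access port should never appear as a tagged member, and every untagged membership must agree with the port's PVID. The small Python lint below parses a RouterOS export and reports such contradictions. The export text inside it is constructed for the demonstration (it is not the OP's switch.rsc), and the function names are the example's own.

```python
"""Lint a RouterOS bridge VLAN configuration for trunk/access/hybrid
contradictions. Added example, not code from the forum post or from
MikroTik; the export below is constructed for the demonstration."""
import shlex
from collections import defaultdict

TRUNK = "admit-only-vlan-tagged"
ACCESS = "admit-only-untagged-and-priority-tagged"
HYBRID = "admit-all"  # RouterOS default when frame-types is omitted

# Constructed sample export (not the OP's real switch.rsc): a trunk port
# that also carries a pvid, an access port whose pvid disagrees with its
# untagged membership, an access port listed as tagged, and one correct
# hybrid port for the AP.
SAMPLE_EXPORT = r"""
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge comment="Router trunk port" frame-types=admit-only-vlan-tagged \
    interface=ether1 pvid=15
add bridge=bridge comment="Garden AP - Hybrid Port" frame-types=admit-all \
    interface=ether2 pvid=15
add bridge=bridge comment="Access port" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
add bridge=bridge comment=PV-Anlage frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
/interface bridge vlan
add bridge=bridge comment=ServerPorts tagged=ether1,ether2 untagged=ether4 \
    vlan-ids=10
add bridge=bridge comment=PrivatePorts tagged=ether1 untagged=ether2,ether3 \
    vlan-ids=15
add bridge=bridge comment=GuestPorts tagged=ether1,ether2,ether4 vlan-ids=20
"""


def parse_export(text):
    """Map each '/section' header to the list of its 'add' entries as dicts.
    Lines ending in a backslash are joined with the following line first."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if pending:
            line, pending = pending + line.lstrip(), ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        logical.append(line)
    sections, current = defaultdict(list), None
    for line in logical:
        if line.startswith("/"):
            current = line
            continue
        tokens = shlex.split(line)  # handles comment="quoted values"
        if tokens and tokens[0] == "add":
            sections[current].append(dict(tok.partition("=")[::2] for tok in tokens[1:]))
    return sections


def vlan_ids(spec):
    """Expand a RouterOS vlan-ids value such as '10,20-22' into ints."""
    ids = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids


def members(entry, key):
    return [p for p in entry.get(key, "").split(",") if p]


def lint_bridge_vlans(sections):
    """Return (severity, port, message) findings, sorted for stable output."""
    ports = {p["interface"]: (p.get("frame-types", HYBRID), int(p.get("pvid", "1")))
             for p in sections.get("/interface bridge port", [])}
    tagged, untagged, known_vlans = defaultdict(set), defaultdict(set), set()
    for v in sections.get("/interface bridge vlan", []):
        for vid in vlan_ids(v["vlan-ids"]):
            known_vlans.add(vid)
            for p in members(v, "tagged"):
                tagged[p].add(vid)
            for p in members(v, "untagged"):
                untagged[p].add(vid)
    findings = []
    for p in set(tagged) | set(untagged):
        if p not in ports:
            findings.append(("error", p, "listed in bridge vlan table but is not a bridge port"))
    for p, (ftype, pvid) in ports.items():
        # Tagged-only ingress plus an explicit pvid is the trunk/access mix-up:
        # untagged frames are dropped on ingress, yet RouterOS makes the port
        # an untagged egress member of the pvid VLAN.
        if ftype == TRUNK and pvid != 1:
            findings.append(("warn", p, f"trunk port (tagged-only) with pvid={pvid}; remove the pvid or use admit-all for a hybrid port"))
        if ftype == ACCESS and tagged[p]:
            findings.append(("error", p, f"access port listed as tagged member of VLAN {sorted(tagged[p])}"))
        # An untagged member must carry the matching pvid, otherwise ingress
        # lands in one VLAN while egress is untagged from another.
        for vid in untagged[p] - {pvid}:
            findings.append(("error", p, f"untagged in VLAN {vid} but pvid={pvid}"))
        for vid in tagged[p] & untagged[p]:
            findings.append(("error", p, f"both tagged and untagged in VLAN {vid}"))
        # A pvid VLAN with no table entry exists only as a dynamic entry for
        # this one port, so no trunk carries it and the VLAN is isolated.
        if ftype != TRUNK and pvid not in known_vlans:
            findings.append(("warn", p, f"pvid VLAN {pvid} has no bridge vlan entry; it will not reach the trunk"))
    return sorted(findings)


def check_export(text):
    return lint_bridge_vlans(parse_export(text))


if __name__ == "__main__":
    for severity, port, msg in check_export(SAMPLE_EXPORT):
        print(f"{severity:5} {port}: {msg}")
```

Run it against a real `/export` (non-verbose) of the switch; on the constructed sample it reports the pvid on the tagged-only ether1, the pvid/untagged mismatch on ether3, and ether4 being tagged in a VLAN although it is an access port.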

Thanks for your reply. In VLAN 10 (Server) is running my own rack server where the Ubiquiti network manager is hosted. I configured the APs so that the trusted VLAN is 10, so that the network manager can access and manage them.

I don’t really understand what you mean. I have 3 DHCP-Servers, one for each VLAN.

From what I read in the MikroTik documentation, Trunk Port + PVID = Hybrid Port, which is automatically enabled when a PVID is set for a trunk port. I thought it wouldn't be bad if somehow data without VLAN tags comes in, that it will be redirected to a default VLAN. Or did I misunderstand something?

I do set static leases for every smart device, but somehow the one on ether4 on the switch is only accessible for a few seconds after plugging it in, which is my main issue.

ether5 is currently used as management port (kept the default configuration)

Well then, it would appear you don't need my advice. Perhaps something is wrong with that device??