I am replacing a Cisco RV340 with an RB4011. I have a Cisco SG300 switch that I have three VLANs coming through.
I have studying the informative post on VLAN configs and used a config from the page to get started.
The switch is on the IP range 10.7.0.x connected to the bridge on port 5 on the router.
I have three VLANS configured on the Bridge GUEST, CAMERAS & INTERNAL.
I can’t ping any of the VLAN’s from the management port I have setup on 10.101.0.1 on Port 8. I also can’t ping back to the router from a PC connected to the switch.
In essence I can access any of the VLAN’s configured but I can get to IP’s configured directly to the ports.
Any assistance is appreciated. I have tried to keep the config bare bones to get started. vlan-config.rsc (3.64 KB)
What is connected to each port on the RB4011,
ether2,ether3,ether4,ether5, ether6, ether7 ???
It seems you have every vlan going to every port??
if so then this can be shortened TO: /interface bridge vlan
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=10,20,30,99
Add ether8 to your VLAN list ( so it can access internet if required etc… ) I personally keep the LAN interface name and dont change it to VLAN as LAN is not a construct of only VLANS.
Missing /ip neighours
set discovery interface-list=BASE
Not sure why you have a manual route selected…why not just use default route in IP DHCP client ???
Modify TO: /tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE
Firewall rules can and should be modified /ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=“admin access” in-interface-list=BASE
add action=accept chain=input comment=“users to dns” in-interface-list=VLAN dst-port=53 protocol=tcp
add action=accept chain=input comment=“users to dns” in-interface-list=VLAN dst-port=53 protocol=udp
add action=drop chain=input comment=“drop all else”
++++++++++++++++++++++++++++++++++++++++++++++++ add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=forward comment=“internet traffic” in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment=“admin to vlans” in-interface-list=BASE out-interface-list=VLAN
add action=drop chain=forward comment=Drop
Now as to the switch issue, thats a config error. ALL smart devices should get their IP from the management VLAN,
So the switch itself should get an IP from 192.168.88.X
Sorry about the delay,
I have worked on this and have a better config with Guest WIFI and VLANS working on the Router itself. I can’t get the Cisco SG300 in L2 mode to work on tagged VLAN’s
I’m not sure where I’m going wrong. The switch is on ether3-uplink. All other ports on the switch are Access ports. I can’t seem to get it to trunk VLAN traffic. VLAN 30 is working only back and forth from the switch because of set that as the untagged VLAN ID. I have the port in Trunk mode on the switch and allowing Tagged traffic for VLAN ID’s 10,20 & 30.
Where to from here please? Is the config simplified enough for assistance? nearlyworking.rsc (7.81 KB)
Missing camera pool and base pool settings
Missing camera and base dhcp-server settings
Missing camera and base dhcp-server network settings
Two addresses for camera vlan??
What is the purpose of this route?? /ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-table=main
Missing wireguard peer settings… ( just dont include keys or endpoint address )
Input chain rules are convoluted and out of order… but will not address until above is discussed.
suffice to say source address list on input wireguard port rule is useless.
dont understand roaming wireguard port nonsense either.