(Cross-posting this from Netgear forum in case somebody here can help).
I wonder if somebody would be kind enough to give some top level pointers about how I go about setting up routing/VLAN for the following scenario. My knowledge of VLAN on managed switches is limited. The setup is:
Internet - Mikrotik router - Netgear M4100 switch - Mikrotik access point
The router is configured with LAN 192.168.88.0/24 and VLAN10 10.0.0.0/24. The access point is configured with no tagging on the LAN (private) Wi-Fi interface and VLAN10 on a virtual guest interface. Connecting to the private LAN via the access point works fine. However, try to connect via the guest interface and the client doesn’t get an IP. Removing the VLAN tagging on that interface OR plugging it directly into the Mikrotik router works fine (client gets 192.168.88.0/24 or 10.0.0.0/24 respectively).
So… VLAN routing, I’m guessing, needs setting up on the switch. The Netgear switch, when it receives a broadcast on VLAN 10, doesn’t know where to route it? To the DHCP server handing out 10.0.0.0/24 addresses on the Mikrotik router.
I’ve never set up a managed switch, so some top-level pointers would be much appreciated.
anav
September 5, 2023, 4:55pm
2
Config of both please…
MT is a separate vendor but not difficult as netgear switches are not all that different and I have used several.
Mikrotik router - mainly standard router config on a cAP ac with private network on 192.168.88.0/24 and guest network on VLAN10 10.0.0.0/24. Slight complication of a mesh link to a repeater.
# sep/06/2023 09:25:11 by RouterOS 6.49.10
# software id = Y0E5-M1XI
#
# model = RBcAPGi-5acD2nD
# serial number = <edit>
/interface bridge
add admin-mac=2C:C8:1B:7D:44:4E auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=guest-vlan vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=private \
supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=guest \
supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=croatia disabled=no distance=indoors frequency=auto installation=\
indoor mode=ap-bridge name=private-2g security-profile=private ssid=\
"Sea Captain's House" wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=croatia disabled=no distance=indoors frequency=\
auto installation=indoor mode=ap-bridge name=private-5g security-profile=\
private ssid="Sea Captain's House" wireless-protocol=802.11
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
2E:C8:1B:7D:44:51 master-interface=private-2g multicast-buffering=\
disabled name=uplink-2g security-profile=private ssid=uplink-2g \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add default-forwarding=no disabled=no mac-address=2E:C8:1B:7D:44:4F \
master-interface=private-2g name=guest-2g security-profile=guest ssid=\
"Sea Captain's Guest" vlan-id=10 vlan-mode=use-tag wds-default-bridge=\
bridge wps-mode=disabled
add default-forwarding=no disabled=no mac-address=2E:C8:1B:7D:44:50 \
master-interface=private-5g name=guest-5g security-profile=guest ssid=\
"Sea Captain's Guest" vlan-id=10 vlan-mode=use-tag wds-default-bridge=\
bridge wps-mode=disabled
/ip pool
add name=private-dhcp ranges=192.168.88.10-192.168.88.200
add name=guest-dhcp ranges=10.0.0.10-10.0.0.200
/ip dhcp-server
add address-pool=private-dhcp disabled=no interface=bridge lease-time=1h \
name=private
add address-pool=guest-dhcp disabled=no interface=guest-vlan lease-time=1h \
name=guest
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=private-2g
add bridge=bridge comment=defconf interface=private-5g
add bridge=bridge interface=guest-2g pvid=10
add bridge=bridge interface=guest-5g pvid=10
add bridge=bridge interface=uplink-2g
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.0.0.1/24 interface=guest-vlan network=10.0.0.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.199 client-id=1:2c:c8:1b:7d:44:b5 mac-address=\
2C:C8:1B:7D:44:B5 server=private
add address=192.168.88.191 client-id=1:2e:c8:1b:7d:43:f9 mac-address=\
2E:C8:1B:7D:43:F9 server=private
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.0.0.1
add address=192.168.88.0/24 comment=defconf dns-server=1.1.1.1,8.8.8.8 \
gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name="ROUTER 02"
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Access point that doesn’t allow clients to get an IP address on VLAN10 but works fine on LAN. Plugged into Netgear switch. If plugged directly into router the VLAN works. Remove the use-tag and it also works on the switch, although not on the guest VLAN.
# sep/06/2023 09:26:10 by RouterOS 6.49.10
# software id = C9LS-Z9NL
#
# model = RBcAPGi-5acD2nD
# serial number = <edit>
/interface bridge
add name=bridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=private \
supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=guest \
supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=croatia disabled=no frequency=auto installation=indoor mode=\
ap-bridge name=private-2g security-profile=private ssid=\
"Sea Captain's House" wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=croatia disabled=no frequency=auto mode=\
ap-bridge name=private-5g security-profile=private ssid=\
"Sea Captain's House" wireless-protocol=802.11
add default-forwarding=no disabled=no mac-address=2E:C8:1B:7D:43:F9 \
master-interface=private-2g name=guest-2g security-profile=guest ssid=\
"Sea Captain's Guest" vlan-id=10 wds-default-bridge=bridge wps-mode=\
disabled
add default-forwarding=no disabled=no mac-address=2E:C8:1B:7D:43:FA \
master-interface=private-5g name=guest-5g security-profile=guest ssid=\
"Sea Captain's Guest" vlan-id=10 wds-default-bridge=bridge wps-mode=\
disabled
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=private-2g
add bridge=bridge interface=private-5g
add bridge=bridge interface=guest-2g pvid=10
add bridge=bridge interface=guest-5g pvid=10
/ip dhcp-client
add disabled=no interface=bridge
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name="AP 02 (Ground floor)"
Netgear switch config - factory defaults:
!Current Configuration:
!
!System Description "M4100-26G-POE ProSafe 24-port Gigabit L2+ Intelligent Edge PoE Managed Switch, 10.0.2.20, B1.0.1.1"
!System Software Version "10.0.2.20"
!System Up Time "0 days 0 hrs 5 mins 56 secs"
!Additional Packages QOS,IPv6 Management,Routing
!Current SNTP Synchronized Time: SNTP Last Attempt Status Is Not Successful
!
vlan database
vlan routing 1 1
exit
configure
time-range
line console
exit
line telnet
exit
line ssh
exit
!
interface 0/1
exit
interface 0/2
exit
interface 0/3
exit
interface 0/4
exit
interface 0/5
exit
interface 0/6
exit
interface 0/7
exit
interface 0/8
exit
interface 0/9
exit
interface 0/10
exit
interface 0/11
exit
interface 0/12
exit
interface 0/13
exit
interface 0/14
exit
interface 0/15
exit
interface 0/16
exit
interface 0/17
exit
interface 0/18
exit
interface 0/19
exit
interface 0/20
exit
interface 0/21
exit
interface 0/22
exit
interface 0/23
exit
interface 0/24
exit
interface 0/25
exit
interface 0/26
exit
interface lag 1
exit
interface lag 2
exit
interface lag 3
exit
interface lag 4
exit
interface lag 5
exit
interface lag 6
exit
interface lag 7
exit
interface lag 8
exit
interface lag 9
exit
interface lag 10
exit
interface lag 11
exit
interface lag 12
exit
interface vlan 1
routing
ip address dhcp
exit
exit
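The switch side is what the two MikroTik exports above leave out. As an added example (not from the thread), this is the M4100 CLI change that carries VLAN 10 tagged on the two uplink ports while leaving VLAN 1 untagged, matching the original layout (private untagged, guest tagged 10). Port numbers 0/1 (to the router's ether2) and 0/2 (to the AP's ether1) are assumptions.

```text
! Added example, not from the thread; M4100 (FASTPATH-style) CLI.
! Assumes 0/1 faces the router and 0/2 faces the AP. VLAN 1 stays the
! untagged PVID on both ports (private LAN and switch management);
! VLAN 10 is added as a tagged member for the guest network.
vlan database
vlan 10
vlan name 10 guest
exit
configure
interface 0/1
vlan participation include 10
vlan tagging 10
exit
interface 0/2
vlan participation include 10
vlan tagging 10
exit
exit
```

Ports not listed stay VLAN 1 only, so a VLAN 10 tag arriving on any other port is still dropped; `show vlan 10` should list 0/1 and 0/2 as tagged members. If the two-tagged-VLAN design suggested later in the thread is adopted instead, VLAN 11 is added the same way and the switch's own management interface must move off VLAN 1 as well (not shown here).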
anav
September 6, 2023, 2:18pm
6
What I would do is two VLANs.
Trusted (private) and GUEST.
MT ROUTER → trunk port to switch (two VLANs carried)
SWITCH → gets IP from trusted private VLAN, trunk port in from router.
Trunk port to AP (two VLANs carried).
MT AP → trunk port from switch
→ gets IP from trusted (private) VLAN.
→ wlans untagged for private WLANs
→ wlans untagged for guest WLANs
anav
September 6, 2023, 3:36pm
7
Changes mostly!!
MT ROUTER
/interface bridge
add admin-mac=2C:C8:1B:7D:44:4E auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=guest-vlan vlan-id=10
add interface=bridge name=private-vlan vlan-id=11
/ip dhcp-server
add address-pool=private-dhcp disabled=no interface=private-vlan lease-time=1h \
name=private
add address-pool=guest-dhcp disabled=no interface=guest-vlan lease-time=1h \
name=guest
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether2 comment="to switch"
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=uplink-2g pvid=11
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=private-2g pvid=11
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=private-5g pvid=11
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=guest-2g pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=guest-5g pvid=10
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=uplink-2g,private-2g,private-5g vlan-ids=11
add bridge=bridge tagged=bridge,ether2 untagged=guest-2g,guest-5g vlan-ids=10
/interface list member
add comment=defconf interface=private-vlan list=LAN
add comment=defconf interface=guest-vlan list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=private-vlan network=\
192.168.88.0
add address=10.0.0.1/24 interface=guest-vlan network=10.0.0.0
/ip firewall address-list
# mostly with static leases
add address=adminIP-1 list=Admin comment="admin desktop"
add address=adminIP-2 list=Admin comment="admin laptop"
add address=adminIP-3 list=Admin comment="admin smartphone"
add address=adminIP-4 list=Admin comment="admin remote mobile vpn like wireguard"
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="trusted vlan" in-interface=private-vlan src-address-list=Admin
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
MT AP... changes mostly.
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=private-vlan vlan-id=11
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=private-2g pvid=11
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=private-5g pvid=11
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=guest-2g pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=guest-5g pvid=10
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=private-2g,private-5g vlan-ids=11
add bridge=bridge tagged=ether1 untagged=guest-2g,guest-5g vlan-ids=10
/ip dhcp-client
add disabled=yes interface=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-access
/interface list
add name=manage
/interface list member
add interface=private-vlan list=manage
add interface=ether2-access list=manage
/ip neighbor discovery-settings
set discover-interface-list=manage
/ip address
add address=192.168.88.X/24 interface=private-vlan network=192.168.88.0 \
comment="IP of capac on trusted subnet"
add address=192.168.55.1/24 interface=ether2-access network=192.168.55.0 \
comment="ether2 access off bridge"
/ip dns
# done so all dns requests use the trusted subnet
set allow-remote-requests=yes servers=192.168.88.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.88.1 comment="ensures route avail through trusted subnet gateway"
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=manage
anav
September 6, 2023, 3:41pm
8
On the cAP ac, I took ether2 off the bridge; this allows you to access the router and config separate from the bridge, so you are far less likely to get locked out.
It's also useful as a backup to access the router in case the bridge burps at any time.
If the cAP ac is easily accessible, easy; if not, when installing it ensure you attach a second cable to the cAP ac and string the cable to a location where you could access it with a laptop.
One simply changes the IPv4 settings to any IP within the subnet.
Thanks for this. Will digest over the next few days.
anav
September 6, 2023, 8:31pm
10
Yes, some new concepts for you. For instance, there is no reason for anyone on the guest LAN, and for most people on the private LAN, to have full access to the router; only the admin does.
But everyone does need access to, typically, DNS services…