Router and switchAP with VLAN, non-management VLANs not connectting

I have a network with a hex-router and a hap ac-lite setup as an AP and switch. I am having difficulties getting my VLANs to work. Configuration files are attached for both these devices, and the network diagram is attached as well.

I have these observations:

• A windows PC 10.0.0.5 connected to a mgmt access port of hap-taller appears to work fine
• A Mac connected to a home access port of hap-taller does not work (ethernet or wireless). I cannot ping the AP
• If the Mac is connected to a mgmt access port and configured with a static IP the connection is flaky
• I can access the static IP devices connected to the nsw-dryroom switch, including from the PC
• I have made extensive use of Using RouterOS to VLAN your network http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 and other similar sources. I’ve tried to do all my setup using scripts so that they are reproducible.

This is my first project using VLANs. I’ve been at this for a while and am hoping someone is kind-hearted enough to point out my obvious configuration mistakes. The ultimate goal is to use the VLANs to educate myself regarding networks, partition my smart home devices, video feeds, NAS and other devices, plus a guest network, and to somehow automagically switch between two ISPs to prevent any downtime.

I also find it interesting that I have not found any higher-level configuration panels or tools that can help generate RSC files for multiple devices. I’ve been working on such a tool for myself, using the basic ideas from the RouterOS to VLAN article. But I have to believe someone else has done this too, and I just haven’t found the tool.
hap-taller_20240225.rsc (7.33 KB)
hex-router_20240225.rsc (7.3 KB)

AP SWITCH CHANGES

1- Should only have one vlan entry
/interface vlan
add comment=“Management” network" interface=LAN_BRIDGE name=MGMT_VLAN vlan-id=99

2 - Should only have one entry.
/interface list
add name=MGMT_LIST

3 - REMOVED ETHER3 from bridge ports.
As you defined it: set [ find default-name=ether3 ] comment=“Management access port (static IP only)”
You already have management access port on ether2 and home access port on ether4
Ether 3 is an independent OFF bridge access in case the vlan filtering and bridge get screwed up.
Simply assign the Ip address as per below, if you need access set your laptop to ipv4 settings 192.168.55.5 for example…

4 - Modified for correctness iaw 2-
/ip neighbor discovery-settings
set discover-interface-list=MGMT_LIST

5- I prefer to manually insert untags on /interface bridge vlans so they show up on the export and I can cross check easily with bridge port settings.
/interface bridge vlan
add bridge=LAN_BRIDGE comment=“traffic tagged 99 (MGMT) can forward from LAN_B
RIDGE via ports ether1,ether5” tagged=LAN_BRIDGE,ether1,ether5 untagged=ether2
vlan-ids=99
add bridge=LAN_BRIDGE comment=“traffic tagged 10 (HOME) can forward from LAN_B
RIDGE via ports ether1,ether5” tagged=ether1,ether5 untagged=ether4,
HOME_WLAN1_2G,HOME_WLAN2_5G vlan-ids=10
add bridge=LAN_BRIDGE comment="traffic tagged 20 (GUEST) can forward from LAN
BRIDGE via ports ether1,ether5" tagged=ether1,ether5 untagged=GUEST_WLAN1_2G,
GUEST_WLAN2_5G vlan-ids=20
add bridge=LAN_BRIDGE comment=“traffic tagged 30 (NOT) can forward from LAN_BR
IDGE via ports ether1,ether5” tagged=ether1,ether5 untagged=NOT_WLAN1_2G
vlan-ids=30
add bridge=LAN_BRIDGE comment=“traffic tagged 40 (IOT) can forward from LAN_BR
IDGE via ports ether1,ether5” tagged=ether1,ether5 untagged=IOT_WLAN1_2G
vlan-ids=40_

6- Corrected
/interface list member
add interface=MGMT_VLAN list=MGMT_LIST
add interface=HOME_VLAN list=MGMT_LIST
add interface=ether3 list=MGMT_LIST

7- Reduced, Only two addresses required.
/ip address
add address=10.0.0.26/24 interface=MGMT_VLAN network=10.0.0.0
add address=192.18.55.1/24 interface=ether3 network=192.168.55.0

8- ADDED!!
/tool mac-server mac-winbox
set allowed-interface-list=MGMT_LIST

ROUTER

1- MISSING~~ You have five vlans

• missing vlan99 pool
• missing vlan99 dhcp server
• missing vlan99 dhcp server-network
• at least you do have the iP address LOL…
  
  
  2- INCORRECT Sloppy!!!
  add bridge=LAN_BRIDGE comment=“HOME Access Port, access port” frame-types=
  admit-only-vlan-tagged interface=ether2 internal-path-cost=10 path-cost=
  10 trusted=yes

Should be:
add bridge=LAN_BRIDGE comment=“HOME Access Port, access port” frame-types=
admit-priority-and-untagged interface=ether2 internal-path-cost=10 path-cost=
10 trusted=yes pvid=10

3- INCORRECT AGAIN… you state
set [ find default-name=ether5 ] comment=“Mgmt Access Port”

add bridge=LAN_BRIDGE comment=“Mgmt Access Port, access port” frame-types=
admit-only-vlan-tagged interface=ether5 internal-path-cost=10 path-cost=
10 trusted=yes

should be: ( just like ether4 )
add bridge=LAN_BRIDGE comment=“Mgmt Access Port, access port” frame-types=
admit-priority-and-untagged interface=ether5 internal-path-cost=10 path-cost=
10 trusted=yes pvid=99

BUT WAIT!! Similar to the AP/Switch, there is no point in having two mgmt ports on the same device…
Instead use ether5, for an OFF BRIDGE emergency access or config access.
SO RECOMMEND REMOVING ETHER5 from the bridge. ( and add to management interface list !! )

/ip address
add address=192.168.55.1/24 interface=ether5 network=192.168.55.0

4- Should be MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT_LIST

5- Interface list members - removed bridge etc… only need one WAN list…!!
/interface list member
add interface=ether1 list=WAN_LIST
add interface=MGMT_VLAN list=VLAN_LIST
add interface=HOME_VLAN list=VLAN_LIST
add interface=NOT_VLAN list=VLAN_LIST
add interface=IOT_VLAN list=VLAN_LIST
add interface=GUEST_VLAN list=VLAN_LIST
add interface=MGMT_VLAN list=MGMT_LIST
add interface=HOME_VLAN list=MGMT_LIST { if required }
add interface=ether5 list=MGMT_LIST { if ether5 is off bridge access }

6- firewall rules…
NO to this rule - if you want home vlan to access router for config purposes as well then add it to the interface list → MGMT_LIST which you already have !!!
add action=accept chain=input comment=“Allow all non-guest”
in-interface-list=HOME_LIST

NO to this rule, You do NOT want to give all vlans access to MGMT vlan…wrongO
add action=accept chain=forward in-interface-list=VLAN_LIST out-interface=
MGMT_VLAN

Missing invalid rule in forward chain… Dont need connection=new in rules, its redundant!

/ip firewall filter
add action=accept chain=input comment=“accept established,related,untracked”
connection-state=established,related,untracked
add action=drop chain=input comment=“drop connection-state=invalid”
connection-state=invalid
add action=accept chain=input comment=“check ICMP” protocol=icmpadd action=accept chain=input comment=“Allow all authorized”
in-interface-list=MGMT_LIST
add action=accept chain=input comment=“accept DNS (LAN only)” dst-port=53
in-interface-list=VLAN_LIST protocol=udp
add action=accept chain=input comment=“accept DNS (LAN only)” dst-port=53
in-interface-list=VLAN_LIST protocol=tcp
add action=drop chain=input
++++++++++++++++
add action=fasttrack-connection chain=forward comment=“established, related”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“accept established, related, untracked” connection-state=
established,related,untrackedadd action=drop chain=forward comment=“drop connection-state=invalid”
connection-state=invalid
add action=accept chain=forward comment=“VLAN internet access only”
in-interface-list=VLAN_LIST out-interface-list=WAN_LIST
add action=accept chain=forward comment=“MGMT access all LAN devices”
in-interface=MGMT_VLAN out-interface-list=VLAN_LIS
add action=accept chain=forward comment=“For port forwarding to VLANs”
connection-nat-state=dstnat
add action=drop chain=forward comment=Drop

6- ADD!!
/tool mac-server mac-winbox
set allowed-interface-list=MGMT_LIST

Thanks very much for this reply! There is lots in here for me to process and test out, so it will take a few days (we have visitors at the house).

AP Switch 1 - I didn’t understand well enough to know to do this, even though I’ve seen reference to only adding the one vlan interface.
Router 1 - I thought it made sense to only have static IPs on this subnet. However, that does have the inconvenience of having to set the IP address of any laptop you want to temporarily plug in for mgmt. so yes, thanks for suggesting I simply turn on dhcp, when there is not really a reason to not do so.
Router 6 - some of the rules were for trying to get things to work. thanks for all your comments on these.

Not required, the additional IP address on the offbridge port does not require dhcp-server/dhcp-server network, but thats your call if you want to avoid putting in an IP via iPV4 settings.

I think I have this solved. But I’m not entirely sure. For sure there are a few tweeks still needed. I need more time to learn the monitoring capabilities of RouterOS so that I can manually inspect the traffic (what about unit and integration testing?).

Here’s an updated diagram and the attached RSC files (exported from the devices, and run thru a scrubber). I’ve thrown back in a few subnets that I hid from the original post to reduce the noise. I’ve also renamed the MGMT subnet/VLAN to BASE. I have NOT connected the Ubiquity APs yet.

hap-taller.rsc (6.67 KB)
hex-router.rsc (8.3 KB)
hap-brain.rsc (7.39 KB)

1. Based on looking at the diagrams, are you sure the connections to the uNIFI APs are trunks?
   Default setup on them is to be hybrid, expecting vLANBASE untagged and the rest of the data vlans tagged.
   They can be modified to be like other smart APs and receive all vlans tagged ( aka a trunk port ).

2. Looking at hex this line is missing something or should be removed (/interface bridge vlans)
   add bridge=LAN_BRIDGE tagged=LAN_BRIDGE ??? vlan-ids=50 comment=“traffic tagged 50 (REOLINK) can forward from LAN_BRIDGE”

3. simplify
   /interface list
   add name=WAN
   add name=BASE_LIST
   add name=HOME_LIST
   add name=VLAN_LIST
   /interface list member
   add interface=ether1 list=WAN
   add interface=ether2 list=BASE_LIST
   add interface=BASE_VLAN list=BASE_LIST
   add interface=HOME_VLAN list=BASE_LIST
   add interface=BASE_VLAN list=HOME_LIST
   add interface=HOME_VLAN list=HOME_LIST
   add interface=NOT_VLAN list=HOME_LIST
   add interface=IOT_VLAN list=HOME_LIST
   add interface=REOLINK_VLAN list=HOME_LIST
   add interface=TPLINK_VLAN list=HOME_LIST
   add interface=UNIFI_VLAN list=HOME_LIST
   add interface=BASE_VLAN list=VLAN_LIST
   add interface=HOME_VLAN list=VLAN_LIST
   add interface=GUEST_VLAN list=VLAN_LIST
   add interface=NOT_VLAN list=VLAN_LIST
   add interface=IOT_VLAN list=VLAN_LIST
   add interface=REOLINK_VLAN list=VLAN_LIST
   add interface=TPLINK_VLAN list=VLAN_LIST
   add interface=UNIFI_VLAN list=VLAN_LIST

The home list is just one less ( aka does not include guest wifi).
This can probably be reduced when your vlan to vlan requirements are not so vague.

4. add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
   add action=accept chain=forward connection-state=established,related,untracked
   add action=drop chain=forward connection-state=invalid comment=“drop connection-state=invalid”
   add action=accept chain=forward in-interface-list=VLAN_LIST out-interface-list=WAN comment=“VLAN internet access only”
   add action=accept chain=forward in-interface-list=HOME_LIST out-interface-list=VLAN_LIST comment=“InterVLAN is unrestricted, for now”
   add action=accept chain=forward connection-nat-state=dstnat comment=“For port forwarding to VLANs”
   add action=drop chain=forward comment=Drop
   /ip firewall nat
   add action=masquerade chain=srcnat out-interface-list=WAN comment=“Default masquerade”

1. No I am not sure they are configured to be used on a trunk line. I’ve got them disconnected at the moment, and will experiment with them before bringing them back online. Thanks for the heads up. I’ll be watching for this now.

2. My idea is to put the Reolink cameras and NVR on their own dedicated switch, then have just one port from that switch to a different, managed switch (not shown) that will tag the traffic with VLAN ID 50. My home assistant instance will want to access the cameras on-demand. And the cameras will all have their own static IP addresses. I don’t know that my idea is a good one. It is also complicated by the fact that a couple of the cameras may end up being too far away to be connected to the dedicated reolink switch.

3. Agreed. I have an RSC generator that I wrote, and I haven’t removed that yet.

4. Is there a reason calling it WAN_LIST wouldn’t work, or is this just a preference. The naming is an artifact of my RSC generator, which appends “_LIST” to all lists.

Thanks for the feedback!

1. Why does HAP T have any ports for UNIFI, your diagram shows them on the HAP B ???

2. Your HAP B bridge port for unifi are wrong!!
   If the mangement port is base vlan then that is the vlan 99 that should be pvid to the unifi (hybrid port with management subnet untagged)
   If the unifi is setup so that it accept all vlans tagged (incl management vlan) then its a trunk port and no pvid ).
   
   
   no preference only, really should have said only need one WAN list, name doesnt matter

There is a unifi.myhouse ssid that is for legacy devices on my old network (192.169.1.0). This is different from the trunk ports to the two unifi APs. I hope to get those devices migrated over and close this ssid down.