I’ve got this Mikrotik RCS310-8G+2S Switch and I’ve been trying to set it up with three VLANs for my home lab. VLAN10 is for the client devices, and VLAN20 is for servers and NAS. I’ve got Fiber internet at home, so I have to use the Modem that came with it. This Modem is pretty cool, it’s got a built-in router and AP function, and it works pretty well, so I figured I’d let it handle the NAT and WIFI connections for all my mobile devices and laptops.

But here’s the thing, the LAN ports on the Modem are unmanaged (or at least, they don’t let me manage them). So, any connection from the switch to the router has to be untagged. I want to put all my WLAN clients under VLAN10. So, I hooked up ether1 of the switch to the router, and set it up as a Hybrid port on VLAN10. I also gave ether1 the IP address 192.168.2.2/24, and set the LAN port on the Router to 192.168.2.1/24, which is also the default gateway I added to the Switch as a static route.

Here’s what I’m aiming for:
1 - I want to set up three VLANs. VLAN10 for clients, VLAN20 for servers and NAS, and VLAN99 as the management VLAN, which I’ve given access to the sfp-sfpplus2 port. I’ve set the sfp-sfpplus1 port as an untagged port that connects to another unmanaged switch.
2 - The VLANs are bridge VLANs and can chat with each other. The whole network should be able to get on the Internet through NAT handled by the Router.
3 - WLAN clients should connect to the Router on VLAN10 and get an IP address from the VLAN10 DHCP.
4 - The Router should just handle NAT to the internet and act as an AP for WLAN client connections.

I’ve read loads of articles and the Mikrotik website documents, but I’ve hit a snag with the configuration. Everything seems to work fine, except the clients can’t get on the Internet. They can’t even ping the default gateway IP address. I’ve tried loads of configurations but I’m still stuck. I’m not sure what I’m missing here. I know it’s probably a simple question, but I’d really appreciate it if someone could point me in the right direction. Thanks!

Config:

/system reset-configuration no-defaults=yes skip-backup=yes

# create bridge
/interface bridge 
add protocol-mode=none ingress-filtering=yes name=bridge1 vlan-filtering=no

# create interface list
/interface list add name=LAN
/interface list add name=WAN
/interface list add name=MGMT

# update interface list
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN

# create vlan
/interface vlan
add interface=bridge1 name=vlan_main vlan-id=10
add interface=bridge1 name=vlan_lab vlan-id=20
add interface=bridge1 name=vlan_mgmt vlan-id=99


# ingress behavior
/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-all interface=ether1 pvid=10 hw=yes
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=20 hw=yes
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=20 hw=yes
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20 hw=yes
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=20 hw=yes
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=20 hw=yes
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=20 hw=yes
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10 hw=yes
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1 pvid=10 hw=yes
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus2 pvid=20 hw=yes

# egress behavior
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=10
add bridge=bridge1 tagged=bridge1 vlan-ids=20
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2 vlan-ids=99


# add ip address to vlan interface and setup DHCP
/ip address add interface=vlan_main address=192.168.0.1/24
/ip pool add name=pool_vlan_main ranges=192.168.0.50-192.168.0.200
/ip dhcp-server add address-pool=pool_vlan_main interface=vlan_main name=dhcp-vlan_main disabled=no
/ip dhcp-server network add address=192.168.0.0/24 dns-server=172.16.0.254 gateway=192.168.0.1 domain=lan

/ip address add interface=vlan_lab address=172.16.0.1/24
/ip pool add name=pool_vlan_lab ranges=172.16.0.50-172.16.0.200
/ip dhcp-server add address-pool=pool_vlan_lab interface=vlan_lab name=dhcp-vlan_lab disabled=no
/ip dhcp-server network add address=172.16.0.0/24 dns-server=172.16.0.254 gateway=172.16.0.1  domain=lan

/ip address add address=10.0.9.1/24 interface=vlan_mgmt
/ip pool add name=pool_vlan_mgmt ranges=10.0.9.50-10.0.9.200
/ip dhcp-server add address-pool=pool_vlan_mgmt interface=vlan_mgmt name=dhcp-vlan_mgmt disabled=no
/ip dhcp-server network add address=10.0.9.0/24 dns-server=172.16.0.254 gateway=10.0.9.1  domain=lan

# create fireware rule
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related


# Enable full hardware routing on LAN ports
:foreach i in=[/interface/list/member/find where list=LAN] do={/interface/ethernet/switch/port set [/interface/list/member/get $i interface] l3-hw-offloading=yes}
 
# Disable full hardware routing on WAN port
:foreach i in=[/interface/list/member/find where list=WAN] do={/interface/ethernet/switch/port set [/interface/list/member/get $i interface] l3-hw-offloading=no}
 
# Activate Layer 3 Hardware Offloading on the switch chip
/interface/ethernet/switch/set 0 l3-hw-offloading=yes

# verify the hardware routing setting
/interface/ethernet/switch print

/interface/ethernet/switch/port print

# connect WAN port (ether1) to the LAN port of the upstream router and setup IP address, routing and DNS
# The LAN side ip address of the upstream router is 192.168.2.1/24

/ip address
add interface=ether1 address=192.168.2.2/24

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1

/ip dns
set allow-remote-requests=yes servers=192.168.2.1

/ip neighbor discovery-settings set discover-interface-list=LAN

#######################################
# Turn on VLAN mode
/interface bridge set bridge frame-types=admit-only-vlan-tagged vlan-filtering=yes

I appreciate it if someone can give me some guidance on this problem.

create bridge

/interface bridge
add protocol-mode=none ingress-filtering=yes name=bridge1 vlan-filtering=no

Shouldn't that be vlan-filtering=yes ??

If you go now on your device in the CLI, type /interface/bridge and then "print" does that say "vlan-filtering=yes" on the config ?

https://www.youtube.com/watch?v=YLtGQAQ8iS0&t=1340s

It was set as ‘no’ in the beginning to void I being locked out accidentally. But It was changed to ‘yes’ if you move to the last line after everything was set.

To avoid the lockout scenario,
I now advocate and use a port set OFF the bridge and I ensure its part of a management list interface.
I give it an IP of like 192.168.55.1/30 and then set my latpop to IPV4 settings of 192.168.55.2 plug it in and configure safely.

Thanks. I followed the video and set up the Switch the same way but the problem remains the same. I’m wondering if this was caused by the router. The router is a Bell Fiber internet Modem (model Giga Hub). I did some research online. It appears that Bell use vlan 35 for the internet service. But should that be on the WAN side of the Modem? I tried to set VLAN 35 on the switch but it didn’t solve the problem. I have no idea what was wrong.