Hey there, I had a hEX router and a corresponding switch (CRS328-24P-4S+RM running SwitchOS) up and running together with my Unifi 6 Long-Range Access Point and was living in a nice and cosy world. But then I opened up the vlan windows as I had planned long before. At first it all went well, because I wasn’t really using vlans but rather subnets based on different SSIDs from the AP.
Eventually, yesterday night, I did try to move everything into their corresponding vlan and now things aren’t working any longer. Good thing is, I still have access via Webfig and ssh, and thus I am hoping you guys can help me to make things finally right!
So, what I want is:
- 4 vlans: admin (10), personal (20), guest (30) and smart/IoT (50)
- 3 corresponding wifis for 20, 30 and 50
- a couple of ethernet-bound devices in 10, 20 and 50
- hEX, CRS and home server should be in vlan 10
- no restrictions at first (I felt quite comfortable setting those up in the pre-vlan-subnetting-only-world)
The problems started when I started setting the vlans in the SwOS:

Actually I am mainly unsure about what exactly to configure in /interface bridge vlan and in the vlan setup of RouterOS. For instance, how to put my wifi AP and the switch in the admin vlan while they still transport traffic from other vlans. And how to make sure they are using the right DHCP server, as when I added a static lease in the admin subnet for the AP and the switch, things started to get weird.
Current config looks like this:
```
[MikroTik-hEX] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 R eth1: fritzbox ether 1500 1596 2026 08:55:WW:XX:YY:ZZ
1 RS eth2: switch ether 1500 1596 2026 08:55:WW:XX:YY:ZZ
2 XS ether3 ether 1500 1596 2026 08:55:WW:XX:YY:ZZ
3 RS ether4 ether 1500 1596 2026 08:55:WW:XX:YY:ZZ
4 XS ether5 ether 1500 1596 2026 08:55:WW:XX:YY:ZZ
5 X sfp1 ether 1500 1596 2026 08:55:WW:XX:YY:ZZ
6 R ;;; defconf
bridge bridge 1500 1596 08:55:WW:XX:YY:ZZ
7 R v1-default vlan 1500 1592 08:55:WW:XX:YY:ZZ
8 R v10-admin vlan 1500 1592 08:55:WW:XX:YY:ZZ
9 R v20-personal vlan 1500 1592 08:55:WW:XX:YY:ZZ
12 R v30-guest vlan 1500 1592 08:55:WW:XX:YY:ZZ
15 R v50-smart-offline vlan 1500 1592 08:55:WW:XX:YY:ZZ
…
[MikroTik-hEX] > /interface vlan print
Flags: X - disabled, R - running
# NAME MTU ARP VLAN-ID INTERFACE
0 R v1-default 1500 enabled 1 bridge
1 R v10-admin 1500 enabled 10 bridge
2 R v20-personal 1500 enabled 20 bridge
5 R v30-guest 1500 enabled 30 bridge
8 R v50-smart-offline 1500 enabled 50 bridge
…
[MikroTik-hEX] > /interface bridge print
Flags: X - disabled, R - running
0 R ;;; defconf
name="bridge" mtu=auto actual-mtu=1500 l2mtu=1596 arp=enabled arp-timeout=auto mac-address=08:55:WW:XX:YY:ZZ protocol-mode=rstp fast-forward=yes igmp-snooping=no
auto-mac=no admin-mac=08:55:WW:XX:YY:ZZ ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no
…
[MikroTik-hEX] > /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 ;;; defconf
eth2: switch bridge yes 1 0x80 10 10 none
1 I ;;; defconf
ether3 bridge yes 1 0x80 10 10 none
2 ;;; defconf
ether4 bridge yes 1 0x80 10 10 none
3 I ;;; defconf
ether5 bridge yes 1 0x80 10 10 none
4 XI ;;; defconf
sfp1 bridge 1 0x80 10 10 none
5 v30-guest bridge 30 0x80 10 10 none
6 v10-admin bridge 10 0x80 10 10 none
7 v20-personal bridge 20 0x80 10 10 none
8 v1-default bridge 1 0x80 10 10 none
9 v50-smart-offline bridge 50 0x80 10 10 none
…
[MikroTik-hEX] > /interface bridge vlan print
Flags: X - disabled, D - dynamic
# BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
0 bridge 1
10
20
30
50
…
[MikroTik-hEX] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; defconf
192.168.1.1/24 192.168.1.0 bridge
1 192.168.192.10/24 192.168.192.0 eth1: fritzbox
2 192.168.30.1/24 192.168.30.0 v30-guest
3 192.168.20.1/24 192.168.20.0 v20-personal
8 192.168.50.1/24 192.168.50.0 v50-smart-offline
10 10.0.10.1/24 10.0.10.0 v10-admin
…
[MikroTik-hEX] > /ip dhcp-server print
Flags: D - dynamic, X - disabled, I - invalid
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 defconf bridge dhcp 10m
1 guest v30-guest dhcp-pool-guest 10m
2 smart-offline v50-smart-offline dhcp-pool-smart-offline 10m
4 personal v20-personal dhcp-pool-personal 10m
5 admin v10-admin dhcp-pool-admin 10m
…
[MikroTik-hEX] > /ip dhcp-server network print
Flags: D - dynamic
# ADDRESS GATEWAY DNS-SERVER WINS-SERVER DOMAIN
0 ;;; Administration und Infrastructure
10.0.10.0/24 10.0.10.1 192.168.1.10 admin
1 ;;; defconf
192.168.1.0/24 192.168.1.1 192.168.1.10 local
2 ;;; Personal
192.168.20.0/24 192.168.20.1 192.168.1.10 personal
3 ;;; Guests
192.168.30.0/24 192.168.30.1 192.168.1.10 guest
4 ;;; Smart Home (offline)
192.168.50.0/24 192.168.50.1 192.168.1.10 offline.smart
…
[MikroTik-hEX] > /ip pool print
# NAME RANGES
0 dhcp 192.168.1.201-192.168.1.254
1 dhcp-pool-guest 192.168.30.100-192.168.30.254
2 dhcp-pool-personal 192.168.20.100-192.168.20.254
7 dhcp-pool-smart-offline 192.168.50.220-192.168.50.254
9 dhcp-pool-admin 10.0.10.100-10.0.10.254
…
[MikroTik-hEX] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 192.168.192.1 1
1 ADC 10.0.10.0/24 10.0.10.1 v10-admin 0
4 ADC 192.168.1.0/24 192.168.1.1 bridge 0
5 ADC 192.168.20.0/24 192.168.20.1 v20-personal 0
8 ADC 192.168.30.0/24 192.168.30.1 v30-guest 0
11 ADC 192.168.50.0/24 192.168.50.1 v50-smart-offline 0
13 ADC 192.168.192.0/24 192.168.192.10 eth1: fritzbox 0
```
Okay, I hope that’s it.