VLAN issues for hEX router

I apologize if this is not the correct board, but it seemed apt as I’m still fairly new to RouterOS in general.

I’ve been working on trying to get two VLANs to work together on at least one port of my hEX router, however only my native VLAN appears to work at all.

My current configuration is described here. If there is a way to export the actual config as text, please let me know.

I have two networks and two VLAN interfaces
vlan1 – 10.1.10.1/24
vlan100 – 172.16.100.254/24

They are both on the bridge “VLAN_Bridge”
This bridge contains the following ports:
ether2, ether3, ether4, vlan1, vlan100
and one list:
LAN

Under the VLAN tab for bridges, I have configured:
| Bridge | VLAN IDs | Current Tagged | Current Untagged |
| --- | --- | --- | --- |
| VLAN_Bridge | 1 | VLAN_Bridge, ether2, ether3, ether4 | vlan1 |
| VLAN_Bridge | 100 | VLAN_Bridge, ether2, ether3, ether4, vlan100 | none |

Lastly, I have DHCP servers set up for each VLAN:
Default VLAN ---- interface: vlan1
Guest VLAN ---- interface: vlan100
defconf ---- interface: bridge (the default bridge, set to only be on ether5 for management purposes)

With this configuration, vlan1 will assign IP addresses fine for any untagged traffic. But as soon as traffic gets tagged with vlan100, it refuses to acknowledge the devices. I’m not sure where I’m going wrong here and am running out of ideas for how to troubleshoot.

This dual VLAN configuration is needed so our Ubiquiti WiFi can designate a guest network that the MikroTik then isolates via the firewall. But the APs also broadcast an office WiFi (on vlan1), which will all travel through the same physical port.

I’ve been testing this configuration by setting VLAN ID 100 in my computer’s network adapter, but on the customer site we will have a 16-port Ubiquiti switch that will carry both tagged and untagged traffic to the router.

Thank you for your time and have a wonderful day!

See this post and I highlight the key para… http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Native, Base, & MGMT (management) VLAN:
As you create your VLANs and pick VLAN IDs for each one, understand that the base network that you used to initiate your first connection to a router or switch is often termed the Native VLAN. In our examples, we do not use this default network. Instead we implement a Base VLAN (our name for the management VLAN) with an ID of 99. Over this network will be device to device traffic (routing, etc.). We also default Winbox availability here as well.

A word of caution if you are thinking of using VLAN 1 in your network design. Most vendors use VLAN 1 as the native VLAN for their hardware. MikroTik uses VLAN 0. If you try to create a VLAN 1 scenario with MikroTik, expecting tagged frames, it will be incompatible with other vendors who default VLAN 1 as untagged. Therefore, unless you are prepared to change the default behavior in MikroTik and/or other vendors, it is simpler to use VLAN 2 and higher.

Thank you very much! I think my main problem here was attempting to use the Native VLAN (vlan1) alongside a tagged VLAN. When I followed the steps to make my router’s ports all Trunk ports (carrying a new vlan10 instead of 1, and the guest vlan100) everything just worked!

I’m now in the process of limiting the Guest network’s access to other networks and also limiting their bandwidth, which should both be much easier to do now that the main problem has been solved.

Thank you again and have a wonderful day!
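
Added example, not part of the original thread and not the poster's actual configuration: a RouterOS sketch of the trunk-port layout described in the last post (VLAN 10 and VLAN 100 tagged on ether2 to ether4), with one firewall rule for the guest isolation mentioned. Interface names, the VLAN IDs and the guest address come from the thread; reusing 10.1.10.1/24 for vlan10 and building the bridge from scratch are assumptions.

```routeros
# Assumption: VLAN_Bridge does not exist yet; filtering is enabled last
# so a mistake in the VLAN table cannot cut off access mid-way.
/interface bridge
add name=VLAN_Bridge vlan-filtering=no

# Physical ports join the bridge as tagged-only trunks.
# The VLAN interfaces themselves are NOT added as bridge ports.
/interface bridge port
add bridge=VLAN_Bridge interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=VLAN_Bridge interface=ether3 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=VLAN_Bridge interface=ether4 frame-types=admit-only-vlan-tagged ingress-filtering=yes

# The bridge itself is listed as tagged so the router's CPU sees both VLANs.
/interface bridge vlan
add bridge=VLAN_Bridge vlan-ids=10 tagged=VLAN_Bridge,ether2,ether3,ether4
add bridge=VLAN_Bridge vlan-ids=100 tagged=VLAN_Bridge,ether2,ether3,ether4

# Layer-3 VLAN interfaces sit on top of the bridge.
/interface vlan
add name=vlan10 interface=VLAN_Bridge vlan-id=10
add name=vlan100 interface=VLAN_Bridge vlan-id=100

# Assumption: the office subnet is carried over from the old vlan1.
/ip address
add address=10.1.10.1/24 interface=vlan10
add address=172.16.100.254/24 interface=vlan100

# Guest isolation: drop anything routed from the guest VLAN to the office VLAN.
# Rule order matters; keep it below the established/related accept rule
# so replies to office-initiated connections are not affected.
/ip firewall filter
add chain=forward in-interface=vlan100 out-interface=vlan10 action=drop comment="guest to office"

# Turn on VLAN filtering only after the table above is in place.
/interface bridge
set VLAN_Bridge vlan-filtering=yes

# To post a configuration as text, RouterOS can print it with:
# /export
```

The DHCP servers from the original post would then be bound to vlan10 and vlan100 rather than to the bridge or to a physical port.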