VLAN - Something is not working well

I’m working on a network installation for a client that includes 3 Ethernet racks, but I’m facing issues getting everything to function correctly.

The load balancing setup is working reasonably well—it’s not perfect, but it’s stable enough.
However, the problems begin when I enable VLANs. Once VLANs are active, devices begin to randomly drop off the network and overall connectivity becomes unstable.

Equipment in Use:
Router:
1x MikroTik hEX S (Main Router – Rack 1)

Switches:
3x CRS326 (Racks 1, 2, and 3)
2x CSS326 (Racks 1 and 2)
3x Grandstream GWN7700P unmanaged PoE switches (Racks 1, 2, and 3)

Access Points:
3x Grandstream GWN7660 Wi-Fi 6 APs

A detailed wiring and device layout diagram is provided below.
[Image: Mikrotik.jpg]
WAN Setup:
3 Internet Providers:
ISP 1: 1000 Mbps PPPoE – Load Balanced via PCC (2/3 weight)
ISP 2: 500 Mbps DHCP with static IP – Load Balanced via PCC (1/3 weight)
ISP 3: 100 Mbps Static IP – Reserved for backup only

When using a flat LAN (no VLANs), the network performs well under this WAN configuration.

Problematic LAN/VLAN Setup:
VLAN 10 – General: Can communicate with VLANs 20 and 30, but cannot access VLAN 100 (IT)
VLAN 20 – Finance: Can communicate with VLANs 10 and 30, but cannot access VLAN 100 (IT)
VLAN 30 – Marketing: Can communicate with VLANs 10 and 20, but cannot access VLAN 100 (IT)
VLAN 100 – IT Management: Has full access to all VLANs
VLAN 200 – Guest: Can access only the internet

When this VLAN configuration is applied, devices begin disconnecting intermittently and experience unstable connections.
I’ve already tried disabling firewall rules, mangle rules, and other potential blockers, but the instability persists—so I don’t believe those are the root cause.

The configuration of my main router and first switch (all others follow the same setup):
bkp-r1-hexs-25-05-22.rsc (19.1 KB)
bkp-r1-crs-25-05-22.rsc (2.79 KB)
Any insights or recommendations would be greatly appreciated.
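The access matrix above, written out as a hEX S forward-chain filter so each line can be checked against the intended policy (added example, not the OP's exported config; VLAN100-TI is the name used in the thread, the other VLAN interface names and the WAN list name are assumed):

```routeros
# Added example (not the OP's exported config): forward-chain rules for the
# hEX S implementing the VLAN access matrix. VLAN100-TI is from the thread;
# the other VLAN interface names and the WAN list name are assumed.
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface list member
add interface=VLAN10-GENERAL list=LAN
add interface=VLAN20-FINANCE list=LAN
add interface=VLAN30-MARKETING list=LAN
add interface=VLAN200-GUEST list=LAN
add interface=VLAN100-TI list=LAN
add interface=VLAN100-TI list=MGMT

/ip firewall filter
# Order matters: first match wins, so rules go from most to least specific.
add chain=forward action=accept connection-state=established,related comment="return traffic"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=MGMT comment="IT (VLAN 100) reaches every VLAN"
add chain=forward action=accept in-interface=VLAN200-GUEST out-interface-list=WAN comment="Guest: internet only"
add chain=forward action=drop in-interface=VLAN200-GUEST comment="Guest: no access to any VLAN"
add chain=forward action=drop in-interface-list=LAN out-interface=VLAN100-TI comment="10/20/30 may not enter IT"
add chain=forward action=drop in-interface-list=LAN out-interface=VLAN200-GUEST comment="assumed: nobody initiates into Guest"
add chain=forward action=accept in-interface-list=LAN out-interface-list=LAN comment="10/20/30 talk to each other"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="all VLANs to internet"
add chain=forward action=drop comment="default drop"

# Router management stays off the user VLANs: only VLAN 100 may reach WinBox/SSH.
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface-list=MGMT
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS for clients"
add chain=input action=accept in-interface-list=LAN protocol=icmp
add chain=input action=drop comment="default drop, including WAN"
```

With this layout the drops that enforce the policy are three explicit lines, which makes "disable everything and see if it still breaks" a much smaller experiment than the current rule set.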

Hi,

Nice to see you on the forum. Your post is an example of how problems/questions should be reported/asked.

Sure, I don't see why you have separate vlans for 10, 20, 30.
If they can all access each other it's really one vlan.
If it's only certain IPs that should access the other vlans, make applicable firewall address lists and use them in rules.

In other words, why have a management vlan that states it has full access to all vlans, when all vlans already have access to all vlans LOL.
I see only need for three vlans:
a. management
b. everything else (trusted work)
c. guests

Observations

  1. Duplicate interface list entries and MISSING…
    wan and INTERFACE-LIST-WAN ??
    add name=MGMT

  2. Modify
    /interface bridge port
    add bridge=BRIDGE-VLAN frame-types=admit-only-vlan-tagged interface=ETHER5-TRUNK-R2-CRS
    add bridge=BRIDGE-VLAN frame-types=admit-only-vlan-tagged interface=ETHER4-TRUNK-R1-CRS

  3. Should be management
    /ip neighbor discovery-settings
    set discover-interface-list=MGMT

  4. Can be simplified since all tagged are the same…
    /interface bridge vlan
    add bridge=BRIDGE-VLAN tagged=BRIDGE-VLAN,ETHER5-TRUNK-R2-CRS,ETHER4-TRUNK-R1-CRS vlan-ids=10,20,30,100,200

  5. Missing interface list member
    add interface=VLAN100-TI list=MGMT

  6. Firewall is a bloated mess. KISS.

  7. MISSING
    /tool mac-server
    set allowed-interface-list=none
    /tool mac-server mac-winbox
    set allowed-interface-list=MGMT

  8. Don't understand your routes at the moment.

  9. How many users need access to your SERVER (internal and external, or only external)?
    Suggesting: give external users wireguard access to the Server as a much more secure practice, if not too many of course.

Thanks for the insights.

We have these VLANs because in the future we want to make three queues so we can give more bandwidth to some VLANs. But for now, you’re right. It has no purpose.

1 - Ok
2 - Ok, but if I put admit-all, could it be a problem? Or is it just good practice?
3 - Ok
4 - Ok
5 - Ok
6 - I will try to simplify it, but even when I disable everything, it gets the same issues
7 - I will look into it.

THANK YOU A LOT

Looking at the first switch, I would take one port off the bridge and make it an emergency access port, after first using it as the primary port to change the config.
Why are you adding a PVID to a trunk port in /bridge ports???
add bridge=BRIDGE-R1-CRS interface=ETHER1-TO-HEXS-P04 pvid=100

WHY are you sending vlan-tagged frames to the UNMANAGED GRANDSTREAM SWITCH?? It looks like they are connected only to cameras and a managed access point???

NO WONDER ONE FLAT NETWORK works and when you introduce vlans, things fall apart!!!

There is the main issue.
It would appear you can only power cameras and AP using POE.
So it would seem you need a smart POE switch.
Or (two other possibilities):

A. Use one port on the CRS to the unmanaged POE switch, untagged for vlanXX, for the cameras.
Use a different port on the CRS, with a POE injector device, tagged for all vlans, to send to the AP.
Aka, as long as you can cable all the way to the AP from the CRS, all you need to do to fix this is get a decent POE injector.

B. Use one port on the AP from switch CRS as trunk, and the other port goes to the POE switch with untagged vlan for cameras (but this is highly dependent upon programming available on the AP???)
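The observation list and option A above, combined into one bridge VLAN-filtering layout for the first CRS326 (added example, not the OP's or the replier's config; BRIDGE-R1-CRS, ETHER1-TO-HEXS-P04, VLAN100-TI and MGMT come from the thread, the other port names, the camera VLAN 10 and the 192.0.2.11 address are assumed):

```routeros
# Added example (not the OP's config): bridge VLAN filtering on the first
# CRS326. BRIDGE-R1-CRS, ETHER1-TO-HEXS-P04, VLAN100-TI and MGMT are from the
# thread; the other port names, the camera VLAN (10) and 192.0.2.11 are assumed.
/interface bridge
add name=BRIDGE-R1-CRS vlan-filtering=no comment="enable filtering last, once ports and VLAN table are in place"

/interface bridge port
# Trunk to the hEX S: tagged frames only. No pvid, since a PVID only classifies untagged ingress.
add bridge=BRIDGE-R1-CRS interface=ETHER1-TO-HEXS-P04 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Trunk to the GWN7660 AP, fed through a PoE injector: tagged frames only.
add bridge=BRIDGE-R1-CRS interface=ETHER2-TO-AP frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Access port to the unmanaged GWN7700P PoE switch (cameras): untagged, one VLAN.
# The unmanaged switch never sees a tag, which is what broke the flat-to-VLAN move.
add bridge=BRIDGE-R1-CRS interface=ETHER3-TO-POE-SW pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# ETHER24-EMERG is deliberately NOT a bridge port: plug in here to recover the switch.

/interface bridge vlan
# The bridge itself is a tagged member only of the management VLAN.
add bridge=BRIDGE-R1-CRS tagged=BRIDGE-R1-CRS,ETHER1-TO-HEXS-P04,ETHER2-TO-AP vlan-ids=100
add bridge=BRIDGE-R1-CRS tagged=ETHER1-TO-HEXS-P04,ETHER2-TO-AP untagged=ETHER3-TO-POE-SW vlan-ids=10
add bridge=BRIDGE-R1-CRS tagged=ETHER1-TO-HEXS-P04,ETHER2-TO-AP vlan-ids=20,30,200

/interface vlan
add interface=BRIDGE-R1-CRS name=VLAN100-TI vlan-id=100
/ip address
add address=192.0.2.11/24 interface=VLAN100-TI comment="switch management address (assumed)"

/interface list
add name=MGMT
/interface list member
add interface=VLAN100-TI list=MGMT
add interface=ETHER24-EMERG list=MGMT

# Management plane reachable only from VLAN 100 and the emergency port.
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

/interface bridge
set BRIDGE-R1-CRS vlan-filtering=yes
```

Apply the last line only from the emergency port or a VLAN 100 session, since turning on vlan-filtering with a wrong VLAN table is the usual way to lock yourself out of a CRS.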

About routes:
Routing Table 1:

  • ISP 1 - Distance 1
  • ISP 2 - Distance 2

Routing Table 2:

  • ISP 2 - Distance 1
  • ISP 1 - Distance 2

Main (when traffic doesn’t get any route mark):

  • ISP 1 - Distance 1
  • ISP 2 - Distance 2
  • ISP 3 - Distance 3

I have two routes to monitor internet with Netwatch

Mangle

  • Ignore communication between VLANs

  • Ignore PCC for LAN IPs in address list (not used right now)

  • Ignore PCC for WAN IPs in interface list (not used right now)

  • Mark Input connection CONN-LINK1 when it comes through LINK1-PPPOE

  • Mark Input connection CONN-LINK2 when it comes through LINK2-PPPOE

  • Mark outbound route Routing Table 1 when it has connection mark CONN-LINK1

  • Mark outbound route Routing Table 1 when it has connection mark CONN-LINK2

  • Mark LAN connections to internet when it is new with PCC Rule 1 (3/0) CONN-LINK1

  • Mark LAN connections to internet when it is new with PCC Rule 2 (3/1) CONN-LINK1

  • Mark LAN connections to internet when it is new with PCC Rule 3 (3/2) CONN-LINK2

  • Mark route Table RT-LINK1 when conn mark is CONN-LINK1

  • Mark route Table RT-LINK2 when conn mark is CONN-LINK2

I thought I could use a port as trunk, but if it gets an untagged device, that port could tag it.

Is this below your suggestion?
[Image: POE injector.jpg]
My Access Point has an option to tag it to a management VLAN.
[Image: AP Vlan MGMT.jpg]

Yes, your diagram is great and captures what I was thinking. Yes, I would assume that you would physically assign a management vlan IP address to the AP, and then assign other vlans to SSIDs for the traffic required.