VLAN's have reduced throughput, glitch with Unifi

hey gurus..,

Studied the guides, by anav and others and followed ‘thenetworkberg’ tutorial to make vlan’s on my ros..
Have 1 rb5009, hap ac (backup), and 2 switches.. brocade icx7250/3com baseline 2948 (which will only run on 1g SFP+ Only)
My wan side is 5009 connected with 2 bridged mode modems,

SO VLAN’s are setup and;
-working actually
-DHCP also good
-Unify U6 Pro AP only works on Default SSID and not the ones which have my VLAN’s
Sfp as trunk and connected to brocade and all ports untagged and tagged on it as per guides (i didn’t say properly because i need some more conceptual understanding)

What i wanna diagnose is that where is my config wrong ? Because:
a) I am getting a 1/5th of my speed (as compared to a normal dhcp client and LAN scenarios on my device)
b) can,t do a speed test sometimes and and when i do its as above, at least 5 times lower than my original speed
c) VLAN’s working on brocade switch, also mikroitk, but not on Unifi, and thus this is where i scoured the forum and got more confused and want to learn;

• Access ports = Untagged & Trunk ports = Tagged Right ??

• Theoretically if i set an ether port as tagged am i correct to assume it can’t be untagged to all VLAN’s at the same time ?

• (Big ISSUE for me) = What in God’s name is this issue with default VLAN’s and them being necessarily untagged or something:
  While i was setting my switch ports on Brocade/3com both gave a similar squeak when i tried to change VLAN1 untagged.. Is the defgault VLAN supposed to have no trunk port and must be on ports as untagged ? I need to understand this as maybe this the reason my unifi AP won’t receive VLANs and only the default SSID’S works which is VLAN1

• secondly is PVID the same as VLAN id ? do i have to set it in bridge ports for all ports ?

• i hadn’t enabled ingress filtering before but did it after, .. also what about frame types, is it necessary to set them and why can’t i use admit all since VLAN filtering is already enabled

• I Realize from forums that Unifi has its stupid issues and wants an untagged (access) port to communicate with, but should i not connect it to a trunk as i have 4 VLAN’s that i want it to receive and broadcast as ssid’s, but an access port would limit it to just 1 VLAN or network segment, no ?

• many forums said mikroitk doesn’t prefer RSTP.., so STP or infact MSTP is better suited ? Is this correct ?;

• Because of this what should i set my brocade switch to ? as it does not have MSTP, should i use STP here then ?

Lastly.., am i in a double NAT Scenario ?
i have 3 buildings with the main one having a load balanced 5009 with 2 Bridged mode ISP’s and a 3rd smaller isp as WAN’s
i have run a dhcp server on it and this building (the one with the VLAN office environment) receives WAN via DHCP client..
Can this be a reason for any speed issues ? because without VLAN’s and just LAN before things were running smooth

# feb/27/2024 18:26:14 by RouterOS 7.9.2
# model = RB5009UG+S+

/interface bridge
add name=VLAN-Br protocol-mode=mstp vlan-filtering=yes
/interface ethernet
set [ find default-name=ether4 ] name=ether4-TRUNK
set [ find default-name=ether5 ] name=ether5-Access-v192
set [ find default-name=ether6 ] name=ether6-Access-v25
set [ find default-name=ether7 ] name=ether7-Access-v25
set [ find default-name=ether8 ] name="ether8-Mgmt only"
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no name=sfp+TRUNK speed=1Gbps

/interface vlan
add interface=VLAN-Br name=v12Guest vlan-id=12
add interface=VLAN-Br name=v25MRC vlan-id=25
add interface=VLAN-Br name=v192NVR vlan-id=192

/interface list
add name=LAN
add name=WAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp_pool0 ranges=25.25.25.2-25.25.25.254
add name=dhcp_pool1 ranges=192.168.100.2-192.168.100.254
add name=dhcp_pool2 ranges=30.30.30.2-30.30.30.254
add name=dhcp_pool3 ranges=12.12.12.2-12.12.12.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=v25MRC name=dhcp1
add address-pool=dhcp_pool1 interface=v192NVR name=dhcp2
add address-pool=dhcp_pool3 interface=v12Guest name=dhcp3

/interface bridge port
add bridge=VLAN-Br interface=sfp+TRUNK
add bridge=VLAN-Br interface=ether4-TRUNK
add bridge=VLAN-Br interface=ether5-Access-v192
add bridge=VLAN-Br interface=ether6-Access-v25
add bridge=VLAN-Br interface=ether7-Access-v25

/interface bridge vlan
add bridge=VLAN-Br tagged=VLAN-Br,sfp+TRUNK,ether4-TRUNK untagged=ether6-Access-v25,ether7-Access-v25 vlan-ids=25
add bridge=VLAN-Br tagged=VLAN-Br,sfp+TRUNK,ether4-TRUNK untagged=ether5-Access-v192 vlan-ids=192
add bridge=VLAN-Br tagged=VLAN-Br,sfp+TRUNK,ether4-TRUNK untagged=ether5-Access-v192 vlan-ids=12

/interface list member
add interface=ether2 list=WAN
add interface=v25MRC list=LAN
add interface=v192NVR list=LAN
add interface=ether4-TRUNK list=LAN
add interface=ether5-Access-v192 list=LAN
add interface=ether6-Access-v25 list=LAN

/ip address
add address=25.25.25.1/24 interface=v25MRC network=25.25.25.0
add address=192.168.100.1/24 interface=v192NVR network=192.168.100.0
add address=10.9.8.7/24 interface="ether8-Mgmt only" network=10.9.8.0
add address=12.12.12.1/24 interface=v12Guest network=12.12.12.0
/ip dhcp-client
add interface=ether2
/ip dhcp-server network
add address=12.12.12.0/24 gateway=12.12.12.1
add address=25.25.25.0/24 gateway=25.25.25.1
add address=30.30.30.0/24 gateway=30.30.30.1
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns
set servers=1.1.1.1

/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=25.25.25.1-25.25.25.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet

/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=forward out-interface-list=WAN src-address-list=25.25.25.0/24
add action=accept chain=forward out-interface-list=WAN src-address-list=192.168.100.0/24
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new \
    in-interface=ether1 log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=\
    !public src-address-list=not_in_internet

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=25.25.25.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.100.0/24

/system routerboard settings
set auto-upgrade=yes
/tool romon
set enabled=yes
[admin@MikroTik] >

Maybe you are affected by this:

https://community.ui.com/questions/U7-Pro-VLAN-Tagging-Speed-Bug/9a2f0833-f0ba-46e8-b07e-9053c2b79551

in the release notes it state “SSIDs using RADIUS assigned VLANs or on different VLANs from the native VLAN may operate at slower than expected speeds. This is our top priority to resolve.”

Well, currently this is for sure a config error as i already dont understand PVID well enough and maybe a mistake in filtering or tagging

All smart devices get IP on vlan11. (trusted or management network)
Why is ethernet 5 UNTAGGED FOR TWO different vlans. ILLEGAL !!! an access port or Hybrid port can only have one untagged vlan. THus I removed vlan12 as untagged on 5.

You have a mismatch between vlans and pools, plus I added a vlan.
What is pool for 30??? pool2 no such address etc… there is no such subnet… hence a mismatch somewhere.

/interface bridge
add name=VLAN-Br protocol-mode=mstp vlan-filtering=yes
/interface ethernet
set [ find default-name=ether4 ] name=ether4-TRUNK
set [ find default-name=ether5 ] name=ether5-Access-v192
set [ find default-name=ether6 ] name=ether6-Access-v25
set [ find default-name=ether7 ] name=ether7-Access-v25
set [ find default-name=ether8 ] name="ether8-Mgmt only"
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no name=sfp+TRUNK speed=1Gbps

/interface vlan
add interface=VLAN-Br name=v12Guest vlan-id=12
add interface=VLAN-Br name=v25MRC vlan-id=25
add interface=VLAN-Br name=v192NVR vlan-id=192
add interface=VLAN-BR name=v11Home  vlan-id=11

/interface list
add name=LAN
add name=WAN
add name=MGMT

/interface list member
add interface=v12Guest list=LAN
add interfacev25MRC list=LAN
add interface=v192NVR list=LAN
add interface=v11Home  list=LAN
add interface=v11Home  list=MGMT
add interface="ether8-Mgmt only" list=MGMT

/ip neighbor discovery-settings
set discover-interface-list=MGMT

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp_pool0 ranges=25.25.25.2-25.25.25.254
add name=dhcp_pool1 ranges=192.168.100.2-192.168.100.254
add name=dhcp_pool3 ranges=12.12.12.2-12.12.12.254
add name=dchp_pool11 ranges=192.168.11.2-192.168.11.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=v25MRC name=dhcp1
add address-pool=dhcp_pool1 interface=v192NVR name=dhcp2
add address-pool=dhcp_pool3 interface=v12Guest name=dhcp3
add address-pool=dhcp_pool311 interface=v11Home name=dhcp11

/interface bridge port
add bridge=VLAN-Br interface=sfp+TRUNK   ingress-filtering=yes  frame-types=admit-only-vlan-tagged
add bridge=VLAN-Br interface=ether4-TRUNK    ingress-filtering=yes  frame-types=admit-only-vlan-tagged
add bridge=VLAN-Br interface=ether5-Access-v192  ingress-filtering=yes  frame-types=admit-priority-and-untagged pvid=192
add bridge=VLAN-Br interface=ether6-Access-v25   ingress-filtering=yes  frame-types=admit-priority-and-untagged pvid=25
add bridge=VLAN-Br interface=ether7-Access-v25   ingress-filtering=yes  frame-types=admit-priority-and-untagged pvid=25

/interface bridge vlan
add bridge=VLAN-Br tagged=VLAN-Br,sfp+TRUNK,ether4-TRUNK untagged=ether6-Access-v25,ether7-Access-v25 vlan-ids=25
add bridge=VLAN-Br tagged=VLAN-Br,sfp+TRUNK,ether4-TRUNK untagged=ether5-Access-v192 vlan-ids=192
add bridge=VLAN-Br tagged=VLAN-Br,sfp+TRUNK,ether4-TRUNK  vlan-ids=12

/interface list member
add interface=ether2 list=WAN
add interface=v25MRC list=LAN
add interface=v192NVR list=LAN
add interface=ether4-TRUNK list=LAN
add interface=ether5-Access-v192 list=LAN
add interface=ether6-Access-v25 list=LAN

/ip address
add address=25.25.25.1/24 interface=v25MRC network=25.25.25.0
add address=192.168.100.1/24 interface=v192NVR network=192.168.100.0
add address=10.9.8.7/24 interface="ether8-Mgmt only" network=10.9.8.0
add address=12.12.12.1/24 interface=v12Guest network=12.12.12.0
add address=192.168.11.1/24 interface=v11Home network=192.168.11.0

/ip dhcp-server network
add address=12.12.12.0/24 gateway=12.12.12.1
add address=25.25.25.0/24 gateway=25.25.25.1
add address=192.168.100.0/24 gateway=192.168.100.1
add address=192.168.11.0/24 gateway=192.168.11.1 

/ip dns
set allow-remote-requests=yes servers=1.1.1.1

/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=25.25.25.1-25.25.25.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet

/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=forward out-interface-list=WAN src-address-list=25.25.25.0/24
add action=accept chain=forward out-interface-list=WAN src-address-list=192.168.100.0/24
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new \
    in-interface=ether1 log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=\
    !public src-address-list=not_in_internet

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=25.25.25.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.100.0/24

/tool mac-server mac-winbox
set allowed-interface-list=MGMT

Why is ethernet 5 UNTAGGED FOR TWO different vlans. ILLEGAL !!!

Quite right and an oversight, was fixed asap, regardless it was not in use and thus is not the cause, as i am ‘trunked’ to a brocade at sfp and using access ports there.

All smart devices get ip on Vlan11

?? How ? You have not set it as an access port or a Tag anywhere ??
If so i where am i to connect my unifi u6 to .. Like set a port access and then ? Since Unifi is forwarding my vlan’s should i not be connecting it to a trunk/tag port ?

Lastly my pools are not mismatched somewhere and i have re-named and rechecked them again, pool 30 was actually me waiting to understand and setup a management/native Vlan (AND ASSIGN TO IT AFTER) which im still unclear about:
a 5s delay just for a simple google search must mean some config or pvid or tag error etc..

Well the config was incomplete and thus confusing.
Yes everysmart device gets an IP on the managment vlan.
Unifi devices as a default (backwards), assume the management vlan comes untagged and all the wifi vlans tagged.

Thus you need a hybrid port. X is tagged for data vlans but untagged for the management vlan.

add bridge=bridge interface**=etherX** pvid=YY ( where X is port to unifi AP, where YY is the management vlan ID )
add bridge=bridge tagged=bridge,trunkport1,trunkport2,X vlan-ids=A,B,C
add bridge=bridge tagged=bridge,trunkport1,trunkport2 untagged-=X vlan-ids=YY