VLANs not working

I currently have the network shown in network diagram current.drawio.pdf deployed with dual-WAN failover from Monkeybrains to 4G LTE. I need to move the 4G LTE modem now connected to the hAP ax2 router (“Border”) to Floor 1 to get a reliable signal, so I plan to replace the Netgear R6230 with a second hAP ax2 router (“Floor-1”) and configure three VLANs, Main, WAN2, and Guest as shown in network diagram planned.drawio. I’ve set up the test network shown in network diagram test.pdf, except for the 4G LTE modem (waiting for delivery), with the Border router configured as in spare-test-config.rsc and the Floor-1 router as in floor-1.rsc. I can easily switch the PC and VoIP adapter between the two routers for testing.

My first attempt was to configure each VLAN on a separate subnet, with separate DHCP servers for the Main and Guest VLANs. The Border router continued to function, but the Floor-1 router had no connectivity other than to ping the Main and Guest gateways.

To simplify, I’ve attempted to configure the VLANs just as interfaces, no IP addresses, with the Floor-1 router acting as a Layer 2 switch. The Border router has WAN connectivity, the DHCP client works, but my changes have broken the DHCP server. The Floor-1 router has no connectivity except to winbox by the MAC address. This is my first time setting up VLANs, so I’m probably missing something basic. Is this even a reasonable approach? Is there a relevant example configuration somewhere I can follow? Any help greatly appreciated!
floor-1.rsc (6.6 KB)
spare-test-config.rsc (15.7 KB)
network diagram test.drawio.pdf (59.9 KB)
network diagram current.drawio.pdf (85.6 KB)
network diagram planned.drawio.pdf (86.1 KB)

I found http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 which looks helpful. I’m going to try to configure the two routers with modified versions of router.rsc and switch.rsc just to see if I can get something with VLANs working.

What I don’t understand is how to configure the failover WAN2 VLAN for the 4G LTE modem connected to ether1 on the Floor-1 router. Specifically, in switch.rsc:

```
# WAN2 VLAN
add bridge=BR1 interface=ether1 pvid=20 comment="Netgear LM1200 4G LTE Modem -- Add to bridge?"
add bridge=BR1 interface=ether2 pvid=20

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether1] comment="ether1 on bridge?"
```

The DHCP client for WAN2 would run on the Border router as I have it now, yes?

Also, the PalaceSecurity PC needs to manage the routers and all other devices on the Main VLAN, so it doesn’t seem to make sense to have the separate BASE VLAN for router management.

Got it working. Followed documentation at:
https://help.mikrotik.com/docs/spaces/ROS/pages/328068/Bridging+and+Switching#BridgingandSwitching-VLANExample-TrunkandAccessPorts
https://help.mikrotik.com/docs/spaces/ROS/pages/328068/Bridging+and+Switching#BridgingandSwitching-Managementaccessconfiguration
https://help.mikrotik.com/docs/spaces/ROS/pages/328068/Bridging+and+Switching#BridgingandSwitching-UntaggedaccesswithVLANfiltering
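
For the WAN2 question above (modem on ether1 of Floor-1, DHCP client on Border), here is an added example of carrying the modem's untrusted segment across Floor-1 as a pure Layer 2 VLAN; it is not the poster's final configuration and is not taken from the linked documentation. Assumptions: ether5 is the trunk port on both routers, the Border bridge is also named BR1, the VLAN interface name WAN2 is hypothetical, and a WAN interface list with matching firewall rules already exists on Border.

```routeros
# ---------- Floor-1 (acts as a Layer 2 switch for VLAN 20) ----------
/interface bridge port
# Access port for the 4G LTE modem: untagged frames only, placed in VLAN 20
add bridge=BR1 interface=ether1 pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged \
    comment="WAN2 modem (untrusted)"
# Trunk to Border (assumed ether5): tagged frames only
add bridge=BR1 interface=ether5 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged comment="Trunk to Border"

/interface bridge vlan
# VLAN 20 leaves tagged on the trunk and untagged on the modem port.
# The bridge itself (BR1) is deliberately NOT a member, so Floor-1's CPU
# has no interface on the modem segment and cannot be reached from it.
add bridge=BR1 vlan-ids=20 tagged=ether5 untagged=ether1

# Enable filtering last, once the Main/Guest VLAN and management entries
# are also in place, or the router becomes reachable by MAC only.
/interface bridge set BR1 vlan-filtering=yes

# ---------- Border (terminates VLAN 20 as the second WAN) ----------
/interface bridge port
add bridge=BR1 interface=ether5 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged comment="Trunk to Floor-1"

/interface bridge vlan
# The bridge must be a tagged member here so the CPU receives VLAN 20
add bridge=BR1 vlan-ids=20 tagged=BR1,ether5

/interface vlan
add name=WAN2 interface=BR1 vlan-id=20

# Treat the VLAN interface like any other WAN port in the firewall
/interface list member
add list=WAN interface=WAN2

# DHCP client runs on Border; a higher distance keeps it as the failover route
/ip dhcp-client
add interface=WAN2 add-default-route=yes default-route-distance=2 \
    use-peer-dns=no

/interface bridge set BR1 vlan-filtering=yes
```

The point to check after applying something like this is that VLAN 20 has no untagged member other than the modem port and no IP address on Floor-1, so the modem segment only ever meets a firewall on Border.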