Noob can't seem to integrate VLAN, despite following guide

ge0rge · Fri Mar 28, 2025 1:03 am

I have a RB4011 that does all the heavy lifting, DHCP etc around the house. IOT, phones, cameras, switches and APs are all running on the same subnet, and I would like to finally get around to fixing that.

I've read the guide, and tried essentially to integrate what I have already got that works and the Router-Switch-AP, with the goal of getting the guest VLAN working, and then replicating from there the other VLANs I want to create. Not stopping everything from working all at once also has very high wife acceptance factor while I try to make the VLANs work.

Ether10 goes to a Unifi wireless bridge and on to another RB4011 a couple of Km away that provides my internet access. That unit has the firewall on it, hence mine is really bare.

RB4011 lives out in a workshop. Ether 1 connects to an Aruba switch which is in the house, as well as an Aruba AP, configured to create an SSID that is tagged with VLAN40. If I connect a wireless device to the VLAN40 SSID, I get an IP address from the VLAN40 pool on the RB4011, so I think I have got that part sorted and working. What I don't seem to be able to sort is getting VLAN40 to the internet - and I can't quite work out what I'm missing - trying to combine my working setup with the wireless bridge and the VLAN guide is obviously not going quite to plan.

# 2025-03-28 11:38:52 by RouterOS 7.17.1
# software id = XNUF-D3YG
#
# model = RB4011iGS+
# serial number = 
/interface bridge
add name=bridge1 port-cost-mode=short
/interface vlan
add interface=bridge1 name=BASE_VLAN vlan-id=99
add comment="Guest VLAN" interface=bridge1 name=vlan40 vlan-id=40
/interface list
add name=LAN
add name=WAN
add name=VLAN
add name=BASE
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.100.200-192.168.100.254
add name=dhcp_pool40 ranges=192.168.140.2-192.168.140.254
add name=BASE_POOL ranges=192.168.110.10-192.168.110.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge1 lease-time=10m name=dhcp1
add address-pool=dhcp_pool40 comment="Guest VLAN" interface=vlan40 name=\
    dhcp40
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether2 internal-path-cost=\
    10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=sfp-sfpplus1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether1 internal-path-cost=\
    10 path-cost=10
add bridge=bridge1 interface=ether9 pvid=99
/ip firewall connection tracking
set udp-timeout=10s
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192 soft-max-neighbor-entries=8191
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=40
add bridge=bridge1 tagged=bridge1 vlan-ids=99
/interface list member
add interface=BASE_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=ether10 list=WAN
add interface=vlan40 list=VLAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:9F:0C:A3:AF:3D name=ovpn-server1
/ip address
add address=192.168.120.1/24 interface=ether10 network=192.168.120.0
add address=192.168.100.1/24 interface=bridge1 network=192.168.100.0
add address=192.168.140.1/24 interface=vlan40 network=192.168.140.0
add address=192.168.110.1/24 interface=BASE_VLAN network=192.168.110.0
/ip dhcp-server lease
add address=192.168.100.4 client-id=1:f0:9f:c2:9:d4:6a comment=\
    "Workshop Switch 8 150W" mac-address=F0:9F:C2:09:D4:6A server=dhcp1
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.101 gateway=192.168.100.1
add address=192.168.110.0/24 dns-server=192.168.100.101 gateway=192.168.100.1
add address=192.168.140.0/24 dns-server=192.168.100.101 gateway=192.168.140.1
/ip dns
set servers=114.23.1.1
/ip firewall address-list
add address=192.168.120.0/24 list=Allowed_Internet
add address=192.168.100.0/24 list=Allowed_Internet
add address=192.168.140.0/24 list=Allowed_Internet
/ip firewall filter
add action=accept chain=forward comment="Our Networks <-> Our Networks" \
    dst-address-list=Allowed_Internet src-address-list=Allowed_Internet
add action=accept chain=forward comment="Our Networks -> Internet" \
    out-interface=ether10 src-address-list=Allowed_Internet
add action=accept chain=forward comment="Internet -> Our Networks" \
    dst-address-list=Allowed_Internet in-interface=ether10
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.100.0/24 src-address=\
    192.168.120.0/24
add action=masquerade chain=srcnat dst-address=192.168.120.0/24 src-address=\
    192.168.100.0/24
add action=masquerade chain=srcnat dst-address=192.168.100.0/24 protocol=udp \
    src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.120.6
/ip service
set telnet disabled=yes
set www disabled=yes
set ssh disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 address
# address pool error: pool not found: test (4)
add from-pool=test interface=sfp-sfpplus1
/ipv6 dhcp-client
add add-default-route=yes interface=ether10 pool-name=test \
    pool-prefix-length=56 request=prefix use-peer-dns=no
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Pacific/Auckland
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes
/system ntp client servers
add address=162.159.200.123
add address=192.107.172.20
/system resource irq rps
set sfp-sfpplus1 disabled=no

It would be great if some of the wiser and more learned members here could point out any obvious errors that I've made, so I can build the rest of the VLANs from there.

Thanks.

budiyantoblim · Fri Mar 28, 2025 4:00 am

Hi, ge0rge

Previously the internet access from the AP was working before the addition of the VLAN?
I see under DHCP pool the dns is set to 192.168.100.101, does this DNS server still active?

ge0rge · Fri Mar 28, 2025 4:17 am

Yes, there is still an SSID on that AP without a VLAN attached to it, devices connecting via that SSID get a 192.168.100.x IP, and can still access the internet ok.

I have found since my previous post that a device connected to the VLAN40 SSID can ping and traceroute to 1.1.1.1 and 8.8.8.8 fine, but can't ping google.com etc. I am thinking I may have a DNS issue, but also wonder if that's a red herring.

edit to add 192.168.100.101 is my PiHole address, this provides DNS fine for the devices not connected to VLAN40.

budiyantoblim · Fri Mar 28, 2025 4:27 am

Few things to try:
1. to do nslookup to www.google.com from the client connect to the AP in vlan40
2. "put [resolve www.google.com]" from your workshop rb4011 terminal, to check whether your the mikrotik is able to resolve name
3. I saw your bridge have not enabled the vlan-filtering yet (Don't enable until you are sure all required configuration in place, and you have physical admin access port to the mikrotik to avoid locking yourself out from the router)
Edited - Please ensure you have direct access/physical port assigned for your access to the mikrotik router.
4. Need to check the Ether1 and the aruba switch settings, if trunk / inter vlan communication is allowed. (in example vlan40 client trying to access your pihole dns in vlan1/subnet 192.168.100.0/24)

I'm still learning also, and i used the same VLAN guide by PCunite on my setup.

anav · Fri Mar 28, 2025 3:15 pm

Two recommendations
a. take one port off the bridge and safely do all configuration from this port
b. go all vlans, remove bridge from dhcp etc, and simple move this subnet to another vlan.

Willing to go this route let me know.

ge0rge · Sat Mar 29, 2025 5:03 am

Two recommendations
a. take one port off the bridge and safely do all configuration from this port
b. go all vlans, remove bridge from dhcp etc, and simple move this subnet to another vlan.

Willing to go this route let me know.

Thanks for the offer. Yes, I'm keen and willing to go down this route.

/ip address add address=192.168.88.1/24 interface=ether8 network=192.168.88.0

has been done, management access only from my shed via cable.

I'm happy to bin or refine any of the configuration that's already there.
Thanks again.

anav · Sat Mar 29, 2025 6:48 pm

1. Adjusted as required.

add name=bridge1 port-cost-mode=short vlan-filtering=yes { add the YES as last rule change)

/interface ethernet
set [ find default-name=ether8 ] name=OffBridge8

/interface vlan
add interface=bridge1 name=BASE_VLAN vlan-id=99
add comment="Guest VLAN" interface=bridge1 name=vlan40 vlan-id=40
add interface=bridge1 name=homevlan10 vlanid=10

/interface list
add name=LAN
add name=WAN
add name=TRUSTED

add name=dhcp_pool1 ranges=192.168.100.200-192.168.100.254
add name=dhcp_pool40 ranges=192.168.140.2-192.168.140.254
add name=BASE_POOL ranges=192.168.110.10-192.168.110.254
add name=home_pool ranges=192.168.10.10-192.168.10.254

/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge1 lease-time=10m name=dhcp1
add address-pool=dhcp_pool40 comment="Guest VLAN" interface=vlan40 name=\
dhcp40
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
add address-pool=home_pool interface=homevlan10 name=home_server

Note: Not knowing your actual port needs ( no network diagram provided), I made up something. I didnt see any smart devices attached (switch, AP)
/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether1 pvid=40 comment="guestPC"
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether2 pvid=10 comment="homePC"
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether9 pvid=99 comment="adminPC"
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=sfp-sfpplus1 pvid=10 comment="homeserver"

/ipv6 settings
set services=disabled { Assuming not using IPV6 }

/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2,sfp-sfpplus1 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether1 vlan-ids=40
add bridge=bridge1 tagged=bridge1 untagged=ether9 vlan-ids=99

/interface list member
add interface=ether10 list=WAN
add interface=BASE_VLAN list=LAN
add interface=homevlan10 list=LAN
add interface=vlan40 list=LAN
add interface=BASE_VLAN list=TRUSTED
add interface=Offbridge8 list=TRUSTED

/ip address
add address=192.168.120.1/24 interface=ether10 network=192.168.120.0
add address=192.168.100.1/24 interface=homevlan10 network=192.168.100.0
add address=192.168.140.1/24 interface=vlan40 network=192.168.140.0
add address=192.168.110.1/24 interface=BASE_VLAN network=192.168.110.0
add address=192.168.88.1/30 interface=OffBridge8 network=192.168.88.0

/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1
add address=192.168.110.0/24 dns-server=192.168.110.1 gateway=192.168.110.1
add address=192.168.140.0/24 dns-server=192.168.140.1 gateway=192.168.140.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1

/ip firewall address-list
EMPTY for now.

/ip firewall filter
{ default rules to keep }
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
(admin rules)
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop all else" { insert this rule here last of all rules so you dont lock yourself out }
+++++++++++++++++++++++++++++++++
{ default rules to keep }
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN\
add action=accept chain=forward comment="admin to all subnets" in-interface-list=TRUSTED out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disable=yes { enable if required or remove }
add action=drop chain=forward comment="Drop all else"

Only one rule required for NAT.........
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

Add some missing entries:

/ip neighbor discovery-settings
set discover-interface-list=TRUSTED

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

+++++++++++++++++++
Should get you close to success.

ge0rge · Sat Mar 29, 2025 9:43 pm

Fantastic, thanks very much for taking the time to write that out.

From a network diagram perspective, that above is essentially what I am aiming for. Currently it all occurs on the 192.168.100.x subnet, however I have got the guest vlan40 configured on the APs and the switches.

With the above in mind, does that just change what gets tagged on the bridge interface and VLAN?

anav · Sat Mar 29, 2025 11:12 pm

So theree switches means three trunk ports BUT.................
The unifi expects the trusted or managament vlan untagged and the data vlans tagged. If they are consistent in setup.

I'm assuming the arubas are more standard switches.
What are the AP types??

/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="trunk to Aruba8"
add bridge=bridge1 ingress-filtering=no frame-types=admit-all interface=ether2 pvid=99 comment="hybrid to unifi8"
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1 comment="trunk to Aruba40"

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1,ether2,sfp-sfpplus1 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1,ether2,sfp-sfpplus1 vlan-ids=40
add bridge=bridge1 tagged=bridge1,ether1,sfp-sfpplus1 untagged=ether2 vlan-ids=99

you could combine the first two lines as
add bridge=bridge1 tagged=bridge1,ether1,ether2,sfp-sfpplus1 vlan-ids=10,40

ge0rge · Sat Mar 29, 2025 11:19 pm

The Aruba switches are 2930s, I've got them sorted to pass what they need to where at this stage. The APs are Aruba's as well - 315s. I've been able to set up the vlan ssids on them without issue, and pass them back through the Aruba switches to the router. Wireless clients are getting the correct IP from the router depending on which ssid they connect to. I haven't started on the unifi switch yet.

anav · Sat Mar 29, 2025 11:21 pm

The arubas will need to be setup with vlans. They should get their IP address on the VLAN99

ge0rge · Sat Mar 29, 2025 11:34 pm

haha ah yes, of course they do. In that case, I have yet to sort the switches out.

I'll work on that, along with the other instructions you have posted.

Thanks again for your time, it's most appreciated.

Noob can't seem to integrate VLAN, despite following guide

Noob can't seem to integrate VLAN, despite following guide

Re: Noob can't seem to integrate VLAN, despite following guide

Re: Noob can't seem to integrate VLAN, despite following guide

Re: Noob can't seem to integrate VLAN, despite following guide

Re: Noob can't seem to integrate VLAN, despite following guide

Re: Noob can't seem to integrate VLAN, despite following guide

Re: Noob can't seem to integrate VLAN, despite following guide

Re: Noob can't seem to integrate VLAN, despite following guide

Re: Noob can't seem to integrate VLAN, despite following guide

Re: Noob can't seem to integrate VLAN, despite following guide

Re: Noob can't seem to integrate VLAN, despite following guide

Re: Noob can't seem to integrate VLAN, despite following guide