rjmessing
just joined
Topic Author
Posts: 9
Joined: Tue Jun 07, 2022 6:59 am

Can't connect to hEX after setting up vlans

Tue Jun 07, 2022 7:55 am

I'm revising my home network and, instead of the same old crap routers and getting disappointed in having underperforming equipment, I bought a MikroTik hEX. I wanted a hEX PoE but due to supply settled for now with the hEX to try to improve my network.

My network has been utilizing old equipment that I've had for 10+ years in some cases, and on some of those devices I have loaded OpenWrt (those that could take it).

I have/had the following equipment setup:
Linksys EA6500 v2 = OpenWrt Router (main router)
Wireless Disabled, running as wired router only
VLANs configured to segregate network
VLANS 53, 57, 99, 107
DHCP Servers for each VLAN
hEX router replaced this router with similar config

Asus RT-AX92U Mesh Pair = Stock Firmware (wireless for vlan 57)
Configured as AP
Connected to Main router on a port in VLAN 57 (untagged)
Basic config

TP-Link Archer A6 = OpenWrt AP (Wireless for vlans 53, 99, 107)
Wireless SSID for each VLAN
VLANs configured same as main router

Pi-Hole
Configured to see all vlans and provide ad blocking to all.

Netgear GS108E = Managed Switch (mainly VLAN 99)
Tried making port 1 a Trunk with ALL VLANs.
Would like to have 1 port for each of the other vlans for testing/troubleshooting

I configured the hEX to be as similar to the OpenWrt router as possible. VLANs 53, 57 and 107 seem to be working correctly; testing with a wireless tablet connecting to each VLAN gives the correct IP per VLAN and has internet access. VLAN 99 for wireless works like the others, but the wired connections will not have internet access unless the switch (Netgear GS108E) is configured for VLAN 99. Having the switch configured kills access to the router via WinBox. I'm guessing that this is due to a misconfiguration in either or both the hEX and the switch.

I have attached a copy of my '/export hide_sensitive' and a snapshot of the switch VLAN config.

In case this information helps:
I'd like to do away with VLAN 1 and manage the hEX from VLAN 99. I've tried changing the PVID of the bridge to 99, but when applied it seemed to just keep me out, period....even from a VLAN 99 computer.

Any insight and help is appreciated.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Can't connect to hEX after setting up vlans

Tue Jun 07, 2022 12:29 pm

You have
/interface bridge port
add bridge=bridge comment=defconf interface=ether5
# with default pvid=1
but
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3,ether4 untagged=ether5 vlan-ids=99

so mixing tagged on ingress and untagged on egress for VLAN 99. You haven't shown the Netgear VLAN membership and port PVID pages but it is likely when 'working' the traffic is tagged in one direction and untagged in the other.
 
rjmessing
just joined
Topic Author
Posts: 9
Joined: Tue Jun 07, 2022 6:59 am

Re: Can't connect to hEX after setting up vlans

Tue Jun 07, 2022 2:41 pm

@TDW

The VLAN membership of the Netgear only shows 1 VLAN at a time so I'll post here what it is. As for Port PVID, all ports I put in VLAN 99.

VLAN Membership of switch is as follows
Port 1 has all VLANS tagged
Port 2-8 are all Untagged in VLAN 99
Vlan 1 has no tagged or untagged ports

I have changed the following on the router
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3,ether4 untagged=ether5 vlan-ids=99
to
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3,ether4,ether5 untagged="" vlan-ids=99

Doing so drops my connection to the hEX router and it tries to connect but can't with reason of "Could not connect". Looking on Neighbors tab of WinBox, router is not found.

Am I needing to change the PVID of the bridge port to 99, instead of 1? Last time I tried that I had to fully reset the router, nuking my config.

Thanks
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Can't connect to hEX after setting up vlans

Tue Jun 07, 2022 3:46 pm

The VLAN membership of the Netgear only shows 1 VLAN at a time so I'll post here what it is. As for Port PVID, all ports I put in VLAN 99.

VLAN Membership of switch is as follows
Port 1 has all VLANS tagged
As with the Mikrotik you are mixing untagged and tagged operation for the same VLAN ID.

Any VLAN declared as tagged on a port either in the Netgear UI or on the mikrotik under /interface bridge vlan should never have the same VLAN ID set for the PVID. On the Netgear for a tagged-only port you can leave the PVID set to 1 and VLAN membership 1 set to E (excluded). On a Mikrotik to make a port tagged-only you can include the parameters frame-types=admit-only-vlan-tagged ingress-filtering=yes for the port membership under /interface bridge port, this ignores the pvid= setting and removes the automatic untagged bridge vlan membership.

Am I needing to change the PVID of the bridge port to 99, instead of 1? Last time I tried that I had to fully reset the router, nuking my config.
No, the
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3,ether4,ether5 vlan-ids=99

configuration is sufficient, but the Netgear must match.

Using safe mode is good, or in cases where you would be legitimately disconnected and do not want changes rolled back either a MAC (instead of the usual IP) WinBox connection, configuring one port not to be part of the bridge whilst making significant changes, or using a USB-to-serial adapter for console access are options.
 
rjmessing
just joined
Topic Author
Posts: 9
Joined: Tue Jun 07, 2022 6:59 am

Re: Can't connect to hEX after setting up vlans

Wed Jun 08, 2022 7:13 am

As with the Mikrotik you are mixing untagged and tagged operation for the same VLAN ID.
I'm not sure what you mean. On the Mikrotik or even the Netgear, wouldn't I need to place all VLANS I'm wanting to be on the Trunk as tagged? Yes I had ether5 being untagged on the vlan99, so I'm guessing you were pointing to this as being the mixing of the tagged/untagged. On the Netgear shouldn't I mark the ports I want in a certain VLAN as untagged, and set PVID as that vlan?
On a Mikrotik to make a port tagged-only you can include the parameters frame-types=admit-only-vlan-tagged ingress-filtering=yes for the port membership under /interface bridge port, this ignores the pvid= setting and removes the automatic untagged bridge vlan membership
Tried this and lost all network for vlan 99 which caused me to nuke config again (because I forgot to enable safe mode) :(
I believe vlans 53 and 57 were working as I was getting streaming and updates from cameras.
On the Netgear for a tagged-only port you can leave the PVID set to 1 and VLAN membership 1 set to E (excluded).
Port 1 which is where I have the Mikrotik connected on the Netgear, I have all my vlans set to tagged. I was unable to exclude the port as the firmware for the Netgear doesn't allow that, I get an error that says I can't remove Port 1 from vlan, change its PVID first.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3,ether4,ether5 vlan-ids=99
configuration is sufficient, but the Netgear must match.
Netgear is tagged on Port 1 for all VLANs I want at the switch. All other ports are excluded from any VLAN currently, but I figure that I should be configuring them as untagged for whichever VLAN I want on the port.

I'm using Safe Mode now as I configure the MikroTik. Which will help, if I can remember to enable it before I start making changes. :P I'm also making backups of the config to help restore in case I have to nuke again.
I'll keep plugging away at the config of both, trying to see what's messed up and where. I've tried setting the PVID on the Netgear of my PC port to 99 and lose connection to the router (can't even see it in Neighbors of WinBox). I change the PVID to the default 1 and lose internet ><. I can't win atm.
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Can't connect to hEX after setting up vlans

Wed Jun 08, 2022 10:10 am

I'm not sure what you mean. On the Mikrotik or even the Netgear, wouldn't I need to place all VLANS I'm wanting to be on the Trunk as tagged? Yes I had ether5 being untagged on the vlan99, so I'm guessing you were pointing to this as being the mixing of the tagged/untagged. On the Netgear shouldn't I mark the ports I want in a certain VLAN as untagged, and set PVID as that vlan?
You should have the ports on the Netgear to be members of every vlan you want them to have direct access to (assuming they are vlan-aware devices), and only those vlans. The PVID is used to specify the single vlan that a "non-vlan-aware" device will be classified into on the switch. E.g. if you want to plug a PC (using standard ethernet, not IEEE 802.1Q tagged frames) into the switch and have it get an ip address from 192.168.99.0/24 then the PVID of that switchport should be 99, so the PC will be classified into vlan 99 implicitly. When ethernet frames have IEEE 802.1Q tags, then the vlan is explicitly specified, but to avoid odd problems, both ends of the ethernet trunk cable should be plugged into identically configured ports, i.e. if vlan 99 is tagged on the port at one end of the cable, then the port on the other end of the cable should also expect vlan 99 to be tagged.

Both ends of a wired connection should agree on what vlans are present and which one is untagged.

It will "work" if the untagged vlans don't match, but it will be confusing. See this for what I mean.

But I think what is locking you out is that when you use 99, you are connecting to the hEX via VLAN 99, and that is blocked by your firewall, since you didn't add your VLANs to the LAN list. The DHCP server will still give out IP addresses, but my guess is that the IP address your PC had was from the bridge base interface's subnet 192.168.88.0/24.

You need to add your vlans to the /interface list member stanza

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan53 list=LAN
add interface=vlan57 list=LAN
add interface=vlan99 list=LAN
add interface=vlan107 list=LAN


At least until you get things working. Then you can refine the firewall.
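An added lint, not written by any poster in this thread and not a MikroTik tool, that checks a RouterOS export for the two lock-out causes tdw and Buckeye describe above: a port whose pvid VLAN disagrees with its tagged/untagged entries under /interface bridge vlan, and VLAN interfaces that are missing from the LAN interface list. The export text is constructed to resemble the original poster's description rather than copied from it; the parser assumes single vlan-ids values and no line continuations.

```python
import re
# Constructed export in the shape of the poster's '/export hide_sensitive' (not the
# real one): ether5 untagged for VLAN 99 while its pvid stays 1, ether3 tagged-only,
# and vlan99 missing from the LAN interface list.
EXPORT = """
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan99 vlan-id=99
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=bridge interface=ether5
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3,ether4 untagged=ether5 vlan-ids=99
/interface list member
add interface=bridge list=LAN
"""

def parse(text):
    # Group 'add' lines by menu path into key=value dicts (single vlan-ids, no continuations).
    menus, menu = {}, None
    for line in text.strip().splitlines():
        if line.startswith("/"):
            menu = line.strip()
        elif line.startswith("add "):
            menus.setdefault(menu, []).append(dict(re.findall(r"(\S+?)=(\S*)", line)))
    return menus

def lint(text):
    # Findings: per-port tagged/untagged mixing, and VLAN interfaces absent from list LAN.
    menus, ports, findings = parse(text), {}, []
    new_port = lambda pvid=1, tagged_only=False: {"pvid": pvid, "tagged_only": tagged_only, "tagged": set(), "untagged": set()}
    # The bridge itself is a port too; its pvid is what the poster changed to 99 and got locked out.
    for kv in menus.get("/interface bridge", []) + menus.get("/interface bridge port", []):
        ports[kv.get("interface", kv.get("name"))] = new_port(int(kv.get("pvid", 1)), kv.get("frame-types") == "admit-only-vlan-tagged")
    for kv in menus.get("/interface bridge vlan", []):
        for role in ("tagged", "untagged"):
            for name in filter(None, kv.get(role, "").split(",")):
                ports.setdefault(name, new_port())[role].add(int(kv["vlan-ids"]))
    for name, p in sorted(ports.items()):
        if p["tagged_only"]:
            continue  # pvid is ignored on a tagged-only port, so it cannot mismatch
        if p["pvid"] in p["tagged"]:
            findings.append(f"{name}: pvid {p['pvid']} is also tagged (untagged in, tagged out)")
        for vid in sorted(p["untagged"] - {p["pvid"]}):
            findings.append(f"{name}: VLAN {vid} leaves untagged, but untagged ingress is pvid {p['pvid']}")
    lan = {kv["interface"] for kv in menus.get("/interface list member", []) if kv.get("list") == "LAN"}
    for kv in menus.get("/interface vlan", []):
        if kv["name"] not in lan:
            findings.append(f"{kv['name']}: not in interface list LAN, so the default firewall drops management")
    return findings
```

Run lint(EXPORT) to see the two findings; applying tdw's tagged-only ether5 entry and Buckeye's list membership brings it to an empty list.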
 
rjmessing
just joined
Topic Author
Posts: 9
Joined: Tue Jun 07, 2022 6:59 am

Re: Can't connect to hEX after setting up vlans

Fri Jun 24, 2022 4:09 pm

Just an update. Adding the vlans to the LAN as Buckeye mentioned, has me working where I can access the Router using Winbox. I haven't done much since as other things have come up.

I'm not sure what settings I need to add to the Firewall. I'd like to have vlan99 able to access all devices in any vlan. I'd also like it to where the other vlans can't talk to any device in their vlan nor any other vlan.
