robotpandarocket
just joined
Topic Author
Posts: 18
Joined: Wed Jun 16, 2021 8:48 am

VLAN Trunk to Netgear Managed Switch

Mon Nov 21, 2022 9:58 am

Hello all,

I'm stuck - I'm running a home network with a few different VLANs. Up to this point, the setup was fairly simple (although I still needed to get help from this forum to get it running): a hAP AC with two Unifi ACs and a dumb switch. I am now adding a Netgear Managed POE switch to power my new security cameras (and at least one or more of the Unifi ACs). I've attached the configuration and a network diagram.
I thought I'd be able to connect the Netgear P1 to P4 on the Mikrotik - currently the attached Unifi AC on the P4 Mikrotik port gets tagged as VLAN99 and tags SSIDs with the according VLAN IDs - and then set up P1 on the Netgear as Trunk and tag all other ports accordingly. That doesn't work and I'm not sure why, likely something stupid in my setup. Any pointers please?
Screenshot 2022-11-21 at 10.32.40.png
# nov/21/2022 09:19:01 by RouterOS 7.2.3
# software id = YL9S-LT57
#
# model = RouterBOARD 962UiGS-5HacT2HnT
/interface bridge add ingress-filtering=no name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/interface vlan add interface=BR1 name=VLAN10 vlan-id=10
/interface vlan add interface=BR1 name=VLAN20 vlan-id=20
/interface vlan add interface=BR1 name=VLAN30 vlan-id=30
/interface vlan add interface=BR1 name=VLAN40 vlan-id=40
/interface vlan add interface=BR1 name=VLAN50 vlan-id=50
/interface pppoe-client add add-default-route=yes comment="Home Connect via Frogfoot" disabled=no interface=ether1 name=pppoe-out1 user=X
/interface list add name=WAN
/interface list add name=BASE
/interface list add name=VLAN
/interface list add name=VLAN_TRUSTED
/interface list add name=VLAN_UNTRUSTED
/interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
/interface wireless security-profiles add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys name=uiot supplicant-identity=""
/interface wireless set [ find default-name=wlan1 ] band=2ghz-b country="south africa" distance=indoors frequency=auto frequency-mode=manual-txpower installation=outdoor mode=ap-bridge security-profile=uiot ssid=auiote wireless-protocol=802.11
/interface wireless set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-681F66 wireless-protocol=802.11
/ip pool add name=BASE_POOL ranges=192.168.99.10-192.168.99.254
/ip pool add name=POOL_VLAN10 ranges=192.168.10.2-192.168.10.254
/ip pool add name=POOL_VLAN20 ranges=192.168.20.2-192.168.20.254
/ip pool add name=POOL_VLAN30 ranges=192.168.30.2-192.168.30.254
/ip pool add name=POOL_VLAN40 ranges=192.168.40.2-192.168.40.254
/ip pool add name=POOL_VLAN50 ranges=192.168.50.2-192.168.50.254
/ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/ip dhcp-server add address-pool=POOL_VLAN10 interface=VLAN10 name=DHCP_VLAN10
/ip dhcp-server add address-pool=POOL_VLAN20 interface=VLAN20 name=DHCP_VLAN20
/ip dhcp-server add address-pool=POOL_VLAN30 interface=VLAN30 name=DHCP_VLAN30
/ip dhcp-server add address-pool=POOL_VLAN40 interface=VLAN40 name=DHCP_VLAN40
/ip dhcp-server add address-pool=POOL_VLAN50 interface=VLAN50 name=DHCP_VLAN50
/routing bgp template set default disabled=no output.network=bgp-networks
/routing ospf instance add disabled=no name=default-v2
/routing ospf area add disabled=yes instance=default-v2 name=backbone-v2
/user group add name=homeassistant policy=read,test,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!winbox,!password,!web,!sniff,!sensitive,!romon,!dude,!rest-api
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=20
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=99
/interface bridge port add bridge=BR1 interface=ether4 pvid=99
/interface bridge port add bridge=BR1 interface=ether5 pvid=99
/interface bridge port add bridge=BR1 ingress-filtering=no interface=wlan2 pvid=99
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=30
/ip neighbor discovery-settings set discover-interface-list=!dynamic
/ip settings set max-neighbor-entries=8192
/ipv6 settings set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4,ether5 untagged=ether2 vlan-ids=20
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4,ether5 vlan-ids=10,30,40,50
/interface bridge vlan add bridge=BR1 tagged=BR1 untagged=ether2,wlan1,ether5,ether4 vlan-ids=99
/interface list member add interface=ether1 list=WAN
/interface list member add interface=VLAN10 list=VLAN
/interface list member add interface=VLAN20 list=VLAN
/interface list member add interface=VLAN30 list=VLAN
/interface list member add interface=VLAN40 list=VLAN
/interface list member add interface=BASE_VLAN list=BASE
/interface list member add interface=BASE_VLAN list=VLAN
/interface list member add interface=VLAN10 list=VLAN_TRUSTED
/interface list member add interface=VLAN20 list=VLAN_TRUSTED
/interface list member add interface=VLAN30 list=VLAN_UNTRUSTED
/interface list member add interface=pppoe-out1 list=WAN
/interface list member add interface=BASE_VLAN list=VLAN_TRUSTED
/interface list member add interface=VLAN50 list=VLAN
/interface ovpn-server server set auth=sha1,md5
/ip address add address=192.168.99.1/24 interface=BASE_VLAN network=192.168.99.0
/ip address add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
/ip address add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
/ip address add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
/ip address add address=192.168.40.1/24 interface=VLAN40 network=192.168.40.0
/ip address add address=192.168.50.1/24 interface=VLAN50 network=192.168.50.0
/ip dhcp-client add disabled=yes interface=ether1
/ip dhcp-server network add address=192.168.10.0/24 dns-server=192.168.20.2,192.168.10.1 gateway=192.168.10.1
/ip dhcp-server network add address=192.168.20.0/24 dns-server=192.168.20.2,192.168.20.1 gateway=192.168.20.1
/ip dhcp-server network add address=192.168.30.0/24 dns-server=192.168.20.2,192.168.30.1 gateway=192.168.30.1
/ip dhcp-server network add address=192.168.40.0/24 dns-server=192.168.20.2,192.168.40.1 gateway=192.168.40.1
/ip dhcp-server network add address=192.168.50.0/24 dns-server=192.168.20.2,192.168.50.1 gateway=192.168.50.1
/ip dhcp-server network add address=192.168.99.0/24 dns-server=192.168.20.2,192.168.99.1 gateway=192.168.99.1
/ip dns set allow-remote-requests=yes servers=192.168.20.2,1.1.1.1,8.8.8.8
/ip firewall filter add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
/ip firewall filter add action=accept chain=input comment="Allow VLAN (ICMP!)" in-interface-list=VLAN protocol=icmp
/ip firewall filter add action=accept chain=input comment="Allow VLAN (DNS tcp) (TRUSTED ONLY)" dst-port=53 in-interface-list=VLAN protocol=tcp
/ip firewall filter add action=accept chain=input comment="Allow VLAN (DNS - udp) (TRUSTED ONLY)" dst-port=53 in-interface-list=VLAN protocol=udp
/ip firewall filter add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
/ip firewall filter add action=drop chain=input comment="Drop all else"
/ip firewall filter add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="VLAN Internet Access " connection-state=new in-interface-list=VLAN out-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="Allow Main Vlan (10) access to IoT and IoT Untrusted" connection-state=new in-interface=VLAN10 in-interface-list=VLAN
/ip firewall filter add action=accept chain=forward comment="Allow Home Assistant access to untrusted iot" connection-state=new in-interface=VLAN20 out-interface=VLAN30 src-mac-address=DC:A6:32:42:B0:EC
/ip firewall filter add action=accept chain=forward comment="Allow Home Assistant access to camera vlan" connection-state=new in-interface=VLAN20 out-interface=VLAN50 src-mac-address=DC:A6:32:42:B0:EC
/ip firewall filter add action=drop chain=forward comment=Drop
/ip firewall nat add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
/ip firewall nat add action=src-nat chain=srcnat src-address=192.168.20.2 to-addresses=192.168.0.150
/ip firewall nat add action=dst-nat chain=dstnat dst-address=192.168.0.150 in-interface-list=VLAN to-addresses=192.168.20.2
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=192.168.0.1
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh disabled=yes
/ip service set api-ssl disabled=yes
/system clock set time-zone-name=Africa/Johannesburg
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN Trunk to Netgear Managed Switch

Mon Nov 21, 2022 2:16 pm

(1) The error is on the settings for P4.
Remember unifi devices need a hybrid port, meaning untagged (pvid) for 99,
whereas the netgear switch is NORMAL, and expects a TRUNK PORT.
By the way your ether5 is wrong on the diagram: unifi requires hybrid port, not trunk port.
On the netgear switch you need a hybrid port to the unifi pro: untagged vlan99 and tagged 10,20,30,40

Thus from
/interface bridge port add bridge=BR1 interface=ether4 pvid=99

TO
/interface bridge port add bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether4

(2) Also you have the wlan1 setup which looks good, but then you have wlan2 like this:
/interface bridge port add bridge=BR1 ingress-filtering=no interface=wlan2 pvid=99
No reason it can't be like wlan1

/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=wlan2 pvid=99

(3) I don't understand your bridge vlan settings.
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4,ether5 untagged=ether2 vlan-ids=20
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4,ether5 vlan-ids=10,30,40,50 (missing vlan20 and 50 is not correct (not on unifi lite))
/interface bridge vlan add bridge=BR1 tagged=BR1 untagged=ether2,wlan1,ether5,ether4 vlan-ids=99 ( ether4 is trunk to managed switch, not untagged )

But this is how I would set them up.
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4 untagged=ether2,ether3,ether5 vlan-ids=99
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4 vlan-ids=50
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4,ether5 vlan-ids=10,20,30,40
 
robotpandarocket
just joined
Topic Author
Posts: 18
Joined: Wed Jun 16, 2021 8:48 am

Re: VLAN Trunk to Netgear Managed Switch

Tue Nov 22, 2022 9:21 pm

Hey anav,

thanks so much for once again bailing me out!

1) Ah that makes sense! Will I then be able to use the Unifi on the Netgear switch though? I assume I'd have to mark P2 on the Netgear as TRUNK, as the Unifi will tag the wifi traffic with the according vlans. That should leave the Unifi itself still as untagged, which then eventually would get vlan 99 on the Mikrotik based on the config? I hope I understood that right
2) Good spot. I'm actually not using either wlans on the Mikrotik - these are old settings. I'm going to remove it all since I only use the Unifis
3) Thank you. I've tried many times to wrap my head around the bridge vlan settings and ... I just don't understand it well enough. /interface bridge vlan add bridge=BR1 tagged=BR1,ether4,ether5 untagged=ether2 vlan-ids=20 was meant to tag everything on ether2 as vlan20 (that part is working currently)

I'm going to try the new settings after my wife finishes work tomorrow (past lessons learned not to mess with the home network during work hours...). Will update afterwards.

Thanks again!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN Trunk to Netgear Managed Switch

Tue Nov 22, 2022 9:55 pm

(1) P2 on the netgear leading to a unifi device will have to be set up as a HYBRID PORT. Untagged will be vlan99 and tagged will be vlans 10,20,30,40

(3) Thanks for bringing that to my attention. There are still a couple of errors in the config, my bad. I forgot to account for ethernet port 2, which has vlan 20 going untagged to a dummy switch!
So your config was actually spot on and should be inserted, and thus one other rule has to be adjusted. I also missed the fact that vlan99 has no business on etherport2!

Therefore please find the corrected config part below:
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4 untagged=ether3,ether5 vlan-ids=99
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4 vlan-ids=50
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4,ether5 untagged=ether2 vlan-ids=20
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4,ether5 vlan-ids=10,30,40

Looking at that one can conclude rapidly:
ether4 is tagged on all vlans, a trunk port (correct, it's connected to a managed switch)
ether5 is tagged on most vlans except 50 and untagged for vlan99, a hybrid port (correct, attached to unifi AP)
ether3 is untagged for vlan99, access port (correct, attached to dumb pc device)
ether2 is untagged for vlan20, access port (correct, attached to dumb switch)

Also, typical for Trunk ports, vlans with the same etherport/wlans can be combined on one line.
For example instead of
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4,ether5 vlan-ids=10,30,40
you could have
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4,ether5 vlan-ids=10
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4,ether5 vlan-ids=30
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4,ether5 vlan-ids=40
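
The port roles listed in the post above can be derived mechanically from an export. The following Python script is an added example, not part of the original post or of RouterOS: it parses `/interface bridge port` and `/interface bridge vlan` lines, classifies each port as trunk, hybrid or access, and flags mismatches between frame-types, pvid and the VLAN table. The sample input is constructed from lines quoted in this thread, and the mismatch rules are this example's own heuristics.

```python
import re
from collections import defaultdict

# Constructed sample: bridge port lines from the first post (ether4 changed to
# tagged-only as suggested in the first reply) plus the corrected VLAN table.
CONFIG = """\
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=20
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=99
/interface bridge port add bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether4
/interface bridge port add bridge=BR1 interface=ether5 pvid=99
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4 untagged=ether3,ether5 vlan-ids=99
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4 vlan-ids=50
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4,ether5 untagged=ether2 vlan-ids=20
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4,ether5 vlan-ids=10,30,40
"""

TAGGED_ONLY = "admit-only-vlan-tagged"
UNTAGGED_ONLY = "admit-only-untagged-and-priority-tagged"


def expand_ids(spec):
    """Expand a vlan-ids value such as '10,30-32' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def audit(config):
    """Return {port: (role, [findings])} for every bridge port in config."""
    ports, tagged, untagged = {}, defaultdict(set), defaultdict(set)
    for line in config.splitlines():
        kv = dict(re.findall(r"([\w-]+)=(\S+)", line))
        if line.startswith("/interface bridge port add"):
            # RouterOS defaults: pvid=1, frame-types=admit-all
            ports[kv["interface"]] = (int(kv.get("pvid", 1)),
                                      kv.get("frame-types", "admit-all"))
        elif line.startswith("/interface bridge vlan add"):
            ids = expand_ids(kv["vlan-ids"])
            for key, table in (("tagged", tagged), ("untagged", untagged)):
                for name in filter(None, kv.get(key, "").split(",")):
                    table[name] |= ids

    report = {}
    for name, (pvid, frames) in ports.items():
        t, u = tagged[name], untagged[name]
        role = "hybrid" if t and u else "trunk" if t else "access" if u else "unused"
        findings = []
        if frames == TAGGED_ONLY and u:
            findings.append(f"tagged-only port is an untagged member of {sorted(u)}")
        if frames == UNTAGGED_ONLY and t:
            findings.append(f"untagged-only port is a tagged member of {sorted(t)}")
        if frames != TAGGED_ONLY and pvid not in u:
            findings.append(f"accepts untagged frames with pvid={pvid}, "
                            f"but has no static untagged entry for VLAN {pvid}")
        if len(u) > 1:
            findings.append(f"untagged member of several VLANs {sorted(u)}")
        report[name] = (role, findings)
    return report


if __name__ == "__main__":
    for port, (role, findings) in audit(CONFIG).items():
        print(f"{port}: {role}", *findings, sep="\n    ! " if findings else "")
```

Run against the original `interface=ether4 pvid=99` line instead of the tagged-only one, the script flags ether4 for accepting untagged frames into VLAN 99 while being only a tagged member of it.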
 
robotpandarocket
just joined
Topic Author
Posts: 18
Joined: Wed Jun 16, 2021 8:48 am

Re: VLAN Trunk to Netgear Managed Switch

Tue Nov 22, 2022 10:22 pm

thanks again!

1) I'll have to play with that tomorrow. From what I could see so far, the GS308E doesn't allow hybrid ports, it's either trunk or tagged. I'll go dig on the netgear forums. Worst case, I keep the unifis off the Netgear
3) No worries, thanks for the updated config & explanation.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN Trunk to Netgear Managed Switch

Tue Nov 22, 2022 10:52 pm

Should be doable, the key here is to assume vlan99 is like the management BASE vlan and the gs308e should get its IP address on that vlan from the router (set manually is probably easiest).

Use the advanced configuration.
You have 8 ports.
They should all be untagged for vlan1 by default; leave this as it is.
The only time this is changed/removed is if the port is a hybrid port or an access port and the port should be untagged for that particular vlan and not vlan1.

Then just fill in the tagged ports per vlan.

In this case P2 is untagged for vlan99, and it's a tagged member for vlans 10,20,30,40
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN Trunk to Netgear Managed Switch

Wed Nov 23, 2022 7:01 am

I don't have a Netgear GS308EP but I do have a GS908E (a discontinued model).

On the GS908E, the "out of the box" config is the "No VLANs" dumb switch mode, where all ports are in the same broadcast domain, and the switch is vlan-transparent (meaning that it ignores the ethtype following the srcmac address in the ethernet header). So it can "relay" tagged frames, but not change them.

When you configure the switch with 802.1Q-based VLAN (Advanced Mode), it starts with only a single vlan defined (vlan 1 - with no name attached) and all ports as members of vlan 1. And all ports also have pvid set to 1. So all ports are access ports in vlan 1. For most situations this will appear to work the same as the "No vlan" mode, but it is not vlan-transparent, and any tagged frames will be dropped, so you can't use this mode to transparently extend a trunk link, because all tagged frames will be dropped. You can define each vlan that will be in the trunk, but there is probably a limit (like 32) for the number of vlans you can define.

My belief is that the GSx08Ex devices (I assume this applies to the GS108E and GS308E devices as well as the GS908E) are always configured in "hybrid" mode, if hybrid means that there is a vlan associated with untagged frames. This is the PVID (the port vlan id), what Cisco calls the native vlan, and if you don't change it, it will be set to vlan 1. As far as I know, there is no way to not have a PVID defined; about the only thing you can do to drop untagged frames is to create "port specific blackhole vlans" (e.g. 4001 for port 1 ... 4008 for port 8 ) and then define the pvid to that blackhole vlan on each port. Then since there is only a single port that is a member of those blackhole vlans, the switch won't have any other port to forward the untagged frame to, and it will just be dropped. But if you want to have vlan 99 be the untagged (native vlan, access vlan), then after you have added the port to the vlan membership for vlan 99, go to the "pvid table" screen and set the pvid to 99.

On the GS908E, the pvid will have a * beside it in the pvid table for each port.
GS908E_vlan_membership.png
GS908E_pvid_table.png
Last edited by Buckeye on Wed Nov 23, 2022 7:29 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN Trunk to Netgear Managed Switch

Wed Nov 23, 2022 2:29 pm

Why waste our time with the wrong model, especially when you can easily find and download the correct user guide for the gs308e?
https://www.downloads.netgear.com/files ... _UM_EN.pdf
 
robotpandarocket
just joined
Topic Author
Posts: 18
Joined: Wed Jun 16, 2021 8:48 am

Re: VLAN Trunk to Netgear Managed Switch

Wed Nov 23, 2022 9:40 pm

I made some progress, the switch and Unifi AC are now working, as are all downstream wifi connected devices.

1) The first issue I ran into was with this line:

/interface bridge port add bridge=BR1 interface=ether4 pvid=99

As soon as I tried to restrict to admit-only-vlan-tagged I couldn't access the switch. Does that mean I have to change
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4 untagged=ether5,ether3 vlan-ids=99
to
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4 untagged=ether5,ether4,ether3 vlan-ids=99
so that the switch's management layer gets tagged as 99?

2) Took me a while to figure out the Netgear config. First, you'll definitely want the Advanced 802.1Q VLAN settings, otherwise you won't be able to leave ports untagged. Then I realised that you have to add P1 (uplink trunk) to each VLAN as 'tagged', i.e. for VLAN20 to pass through from my Unifi on P2 to the Mikrotik, I had to configure VLAN20 as 'tagged' on P1 and P2. And for the security camera, VLAN50 as 'tagged' on P1 and 'untagged' on P4.

3) My newly added vlan50 doesn't seem to want to work yet. If I move the camera on p4 to BASE (99), it manages to grab an IP from the DHCP and I can connect to it. As soon as I move it to vlan50, it's not able to get an IP. I also tried to set a static IP (192.168.50.5) but no joy connecting to it. Can't see an obvious issue, but I wonder whether it's actually an issue with my firewall settings. I'll dig tomorrow with a fresh mind.

For reference (and in case it helps anyone with the same issues):

Current config for the Netgear
Screenshot 2022-11-23 at 21.38.20.png
Current config for the Mikrotik (abbreviated)
/interface bridge add ingress-filtering=no name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireless set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-681F66 wireless-protocol=802.11
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/interface vlan add interface=BR1 name=VLAN10 vlan-id=10
/interface vlan add interface=BR1 name=VLAN20 vlan-id=20
/interface vlan add interface=BR1 name=VLAN30 vlan-id=30
/interface vlan add interface=BR1 name=VLAN40 vlan-id=40
/interface vlan add interface=BR1 name=VLAN50 vlan-id=50
/interface list add name=WAN
/interface list add name=BASE
/interface list add name=VLAN
/interface list add name=VLAN_TRUSTED
/interface list add name=VLAN_UNTRUSTED
/ip pool add name=POOL_VLAN10 ranges=192.168.10.2-192.168.10.254
/ip pool add name=POOL_VLAN20 ranges=192.168.20.2-192.168.20.254
/ip pool add name=POOL_VLAN30 ranges=192.168.30.2-192.168.30.254
/ip pool add name=POOL_VLAN40 ranges=192.168.40.2-192.168.40.254
/ip pool add name=POOL_VLAN50 ranges=192.168.50.2-192.168.50.254
/ip pool add name=BASE_POOL ranges=192.168.99.10-192.168.99.254
/ip dhcp-server add address-pool=POOL_VLAN10 interface=VLAN10 name=DHCP_VLAN10
/ip dhcp-server add address-pool=POOL_VLAN20 interface=VLAN20 name=DHCP_VLAN20
/ip dhcp-server add address-pool=POOL_VLAN30 interface=VLAN30 name=DHCP_VLAN30
/ip dhcp-server add address-pool=POOL_VLAN40 interface=VLAN40 name=DHCP_VLAN40
/ip dhcp-server add address-pool=POOL_VLAN50 interface=VLAN50 name=DHCP_VLAN50
/ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=20
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=99
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=30
/interface bridge port add bridge=BR1 interface=ether4 pvid=99
/interface bridge port add bridge=BR1 interface=ether5 pvid=99
/interface bridge port add bridge=BR1 ingress-filtering=no interface=wlan2 pvid=99
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4,ether5 untagged=ether2 vlan-ids=20
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4,ether5 vlan-ids=10,30,40
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4 untagged=ether5,ether3 vlan-ids=99
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4 vlan-ids=50
/interface list member add interface=ether1 list=WAN
/interface list member add interface=VLAN10 list=VLAN
/interface list member add interface=VLAN20 list=VLAN
/interface list member add interface=VLAN30 list=VLAN
/interface list member add interface=VLAN40 list=VLAN
/interface list member add interface=BASE_VLAN list=BASE
/interface list member add interface=BASE_VLAN list=VLAN
/interface list member add interface=VLAN10 list=VLAN_TRUSTED
/interface list member add interface=VLAN20 list=VLAN_TRUSTED
/interface list member add interface=VLAN30 list=VLAN_UNTRUSTED
/interface list member add interface=pppoe-out1 list=WAN
/interface list member add interface=BASE_VLAN list=VLAN_TRUSTED
/interface list member add interface=VLAN50 list=VLAN
/interface list member add interface=VLAN50 list=VLAN_UNTRUSTED
/ip address add address=192.168.99.1/24 interface=BASE_VLAN network=192.168.99.0
/ip address add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
/ip address add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
/ip address add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
/ip address add address=192.168.40.1/24 interface=VLAN40 network=192.168.40.0
/ip address add address=192.168.50.1/24 interface=VLAN50 network=192.168.50.0
/ip dhcp-client add disabled=yes interface=ether1
/ip dhcp-server network add address=192.168.10.0/24 dns-server=192.168.20.2,192.168.10.1 gateway=192.168.10.1
/ip dhcp-server network add address=192.168.20.0/24 dns-server=192.168.20.2,192.168.20.1 gateway=192.168.20.1
/ip dhcp-server network add address=192.168.30.0/24 dns-server=192.168.20.2,192.168.30.1 gateway=192.168.30.1
/ip dhcp-server network add address=192.168.40.0/24 dns-server=192.168.20.2,192.168.40.1 gateway=192.168.40.1
/ip dhcp-server network add address=192.168.50.0/24 dns-server=192.168.20.2,192.168.50.1 gateway=192.168.50.1
/ip dhcp-server network add address=192.168.99.0/24 dns-server=192.168.20.2,192.168.99.1 gateway=192.168.99.1
/ip dns set allow-remote-requests=yes servers=192.168.20.2,1.1.1.1,8.8.8.8
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=192.168.0.1
 
robotpandarocket
just joined
Topic Author
Posts: 18
Joined: Wed Jun 16, 2021 8:48 am

Re: VLAN Trunk to Netgear Managed Switch

Wed Nov 23, 2022 9:47 pm

Interesting, thanks @buckeye, that explains why I had to define each vlan to be in the trunk. I'll play with the suggestion you made about blackhole vlans tomorrow - that might then also fix issue 1) for me hopefully
 
robotpandarocket
just joined
Topic Author
Posts: 18
Joined: Wed Jun 16, 2021 8:48 am

Re: VLAN Trunk to Netgear Managed Switch

Wed Nov 23, 2022 9:55 pm

hm, you can't actually edit the PVID for default. When you try to change the ports, the error message tells you to change the PVID first, but the field is not editable...
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN Trunk to Netgear Managed Switch

Wed Nov 23, 2022 11:12 pm

Yes the logic on the netgear you applied makes sense.
P1 the uplink would need to be considered a trunk port, tagged with vlans 10,20,30,40 (all going tagged to unifi ap on P2) and tagged with vlan 99 for two reasons,

a. because the switch needs it since it's the management vlan where switch gets its IP etc.
b. because it will be sent to P2 as untagged, making P2 a hybrid port.

You want to change the pvid of P2 on the switch to 99.
So in effect, the pvids for all your ports on the switch should be left at the default of 1.
The ones that can be modified are
- P2, which you should change to 99.
- P4, which you should change to 50.
- P5, which you should change to 50.
pvid.JPG

+++++++++++++++++++++++++++++++++++++++++++++++++++++++

As far as ether4 on the mikrotik, it's a trunk port so there should be no issue to set frame-types=admit-only-vlan-tagged.
The only reason I can see the router doesn't like it is because you have it identified as untagged somewhere in /interface bridge vlan settings.

As always would need to see your latest config to comment intelligently (abbreviated configs are not helpful). Use code tags to decrease footprint, also easier to read.
/export file=anynameyouwish ( minus router serial number and any public WANIP information )
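
Why the PVID table matters for the camera on P4, as an added example (not code from the thread participants or from Netgear): a simplified model of 802.1Q forwarding in which the PVID classifies untagged frames on ingress and the membership table decides egress ports and tagging. Port numbers and memberships follow the posts above; P3 with blackhole VLAN 4003 is a hypothetical port illustrating the earlier blackhole suggestion, and real switches may differ in detail.

```python
# Simplified 802.1Q model for a broadcast frame (e.g. a DHCP discover).
# Membership table: vlan -> {port: "T" (tagged) or "U" (untagged)}.
# Constructed from the thread: P1 = uplink to the MikroTik, P2 = UniFi AP,
# P4 = camera. P3 / VLAN 4003 is a hypothetical "blackhole" port.
MEMBERS = {
    1:    {1: "U", 2: "U", 3: "U", 4: "U"},  # default VLAN left as shipped
    20:   {1: "T", 2: "T"},
    50:   {1: "T", 4: "U"},
    99:   {1: "T", 2: "U"},
    4003: {3: "U"},                          # only one member: nowhere to go
}

PVID_BEFORE = {1: 1, 2: 1, 3: 1, 4: 1}       # every PVID still at default 1
PVID_AFTER = {1: 99, 2: 99, 3: 4003, 4: 50}  # PVIDs as set later in the thread


def forward(members, pvid, in_port, tag=None):
    """Return sorted [(out_port, tag_or_None)] for a frame entering in_port.

    An untagged frame (tag=None) is classified into the port's PVID; a tagged
    frame keeps its VLAN ID. The frame is dropped ([]) when the ingress port
    is not a member of that VLAN.
    """
    vlan = pvid[in_port] if tag is None else tag
    table = members.get(vlan, {})
    if in_port not in table:
        return []
    return sorted((port, vlan if mode == "T" else None)
                  for port, mode in table.items() if port != in_port)


if __name__ == "__main__":
    # Camera on P4 sends an untagged DHCP discover.
    print("before:", forward(MEMBERS, PVID_BEFORE, 4))   # floods VLAN 1 only
    print("after: ", forward(MEMBERS, PVID_AFTER, 4))    # leaves P1 tagged 50
    # Router's tagged VLAN 50 frame reaches the camera in both cases.
    print("reply: ", forward(MEMBERS, PVID_BEFORE, 1, tag=50))
    # Untagged frame on the blackhole port goes nowhere.
    print("P3:    ", forward(MEMBERS, PVID_AFTER, 3))
```

With the PVID at 1, membership in VLAN 50 only affects what leaves P4; frames from the camera are still classified into VLAN 1 and never appear on the uplink tagged 50.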
 
robotpandarocket
just joined
Topic Author
Posts: 18
Joined: Wed Jun 16, 2021 8:48 am

Re: VLAN Trunk to Netgear Managed Switch

Thu Nov 24, 2022 12:06 pm

YES! It's working, I can finally get to my vlan50/camera - as you suggested, changing the PVID table did the trick. I also set P1 to 99 which fixed the Mikrotik issue too. Admit only vlan tagged now works correctly.

Many many thanks for the help once again!