I am a MikroTik/RouterOS noob and in general am not at all an expert in networking. The VLAN setup has been killing me. I have read through PCUnite's examples and have been trying to implement the RouterSwitchAP.rsc example. My setup is as follows:
hAP ac2 with 5 Ethernet ports:
1 - WAN
2 - Attached to 2 unmanaged 8-port switches, daisy-chained. Multiple Ethernet ports going to various rooms are connected to these switches; some of the ports are occupied with a printer and other devices, including 2 Raspberry Pis, one running Home Assistant at 192.168.0.200 and one Pi at 192.168.0.151 running a Pi-hole Docker container generating a separate Pi-hole DNS IP of 192.168.0.210. The Pi at 192.168.0.151 also runs a WireGuard server.
3 - TV
4 - Soon to be installed Ethernet camera system
5 - currently unused
The router has 2 wifi ports (2 and 5 MHz bands).
I'm trying to set up separate VLANs using VLAN tag filtering as follows (and have followed as closely as possible and/or adapted the RouterSwitchAP configuration to do so):
- guest wifi (PVID 20)
- cameras (PVID 3)
- wifi-enabled light switches (PVID 30)
- wifi untrusted devices (PVID 50, no internet and otherwise more isolated)
- VLAN for ethernet 4 (PVID 4)
- VLAN for ethernet 5 (PVID 5)
- a management VLAN (the BASE in PCUnite's example) (PVID 99), which includes all hardwired Ethernet devices plugged into the unmanaged switches that are plugged into ethernet 2 (devices include the Pi-hole), plus the 2 and 5 GHz virtual network containing the same SSID (AcmeWireless)
Problems I am having:
1) The Pi-hole DNS, which has a static IP of 192.168.0.210, is not pingable and is inaccessible from any of the VLANs, including 99. I have only gotten internet access by adding 1.1.1.1 as an alternative DNS. The Pi-hole seems not to be binding to its IP and/or some firewall rule is blocking it (I suspect a DHCP misconfiguration). The Home Assistant server is also not accessible from a PC on the 99 VLAN. Pi-hole and Home Assistant are both accessible fine without any implementation of VLANs.
2) The 2 GHz and 5 GHz wifi bands will not work (I do not get an assigned IP) unless I set the option in the VLAN tab on the port to "Admit All", but I believe the recommended option was "admit only untagged and priority tagged".
Goals are to allow 192.168.0.210 (the Pi-hole DNS) to be accessible to all VLANs, general isolation of the VLANs, and any PC on the VLAN to be able to access any device on the VLANs (including the Pis). Attached are the relevant portions of my /export hide-sensitive configuration (edited somewhat to redact some additional info).
Would greatly appreciate any help you can give and tips to improve the setup. Thank you.
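Added example, not from the post above and not PCUnite's RouterSwitchAP.rsc: a minimal RouterOS bridge VLAN filtering fragment for a hAP ac2 covering three of the VLANs listed in the post (99 management, 20 guest wifi, 50 untrusted wifi with no internet), with a forward-chain policy that lets every VLAN reach the Pi-hole at 192.168.0.210 on port 53 only, lets the management VLAN reach everything, and drops all other inter-VLAN traffic. The bridge name BR1, the interface names BASE_VLAN, GUEST_VLAN, UNTRUSTED_VLAN and wlan-guest-*/wlan-untrusted-*, the SSIDs, the security profile names guest and iot (assumed to already exist), and the 192.168.20.0/24 and 192.168.50.0/24 subnets are all assumptions; 192.168.0.0/24 is kept as the management subnet because the Pi-hole and Home Assistant addresses in the post live there.

```routeros
# Added example: bridge VLAN filtering on a hAP ac2 for VLAN 99 (management),
# VLAN 20 (guest wifi) and VLAN 50 (untrusted wifi, no internet).
# Interface and list names, SSIDs, security profiles and the
# 192.168.20/50 subnets are assumptions; ether1 stays out of the bridge as WAN.

/interface bridge
add name=BR1 vlan-filtering=no comment="enable vlan-filtering only after the VLAN table below is complete"

# Virtual APs on each radio for the guest and untrusted SSIDs (assumed names/profiles)
/interface wireless
add master-interface=wlan1 name=wlan-guest-2g     ssid=AcmeGuest security-profile=guest
add master-interface=wlan2 name=wlan-guest-5g     ssid=AcmeGuest security-profile=guest
add master-interface=wlan1 name=wlan-untrusted-2g ssid=AcmeIoT   security-profile=iot
add master-interface=wlan2 name=wlan-untrusted-5g ssid=AcmeIoT   security-profile=iot

# Access ports: each port is untagged on exactly one VLAN (its pvid) and
# rejects tagged ingress frames, so a client cannot hop VLANs by tagging.
/interface bridge port
add bridge=BR1 interface=ether2 pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=BR1 interface=ether3 pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=BR1 interface=wlan1  pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=BR1 interface=wlan2  pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=BR1 interface=wlan-guest-2g     pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=BR1 interface=wlan-guest-5g     pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=BR1 interface=wlan-untrusted-2g pvid=50 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=BR1 interface=wlan-untrusted-5g pvid=50 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# VLAN table: the bridge itself is a tagged member of every VLAN so the
# router's own L3 interfaces (below) can terminate them. The untagged= list
# of each entry must contain every port that carries that VLAN ID as pvid.
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,wlan1,wlan2 vlan-ids=99
add bridge=BR1 tagged=BR1 untagged=wlan-guest-2g,wlan-guest-5g vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=wlan-untrusted-2g,wlan-untrusted-5g vlan-ids=50

# One L3 interface per VLAN; management keeps the existing 192.168.0.0/24
/interface vlan
add interface=BR1 name=BASE_VLAN      vlan-id=99
add interface=BR1 name=GUEST_VLAN     vlan-id=20
add interface=BR1 name=UNTRUSTED_VLAN vlan-id=50
/ip address
add address=192.168.0.1/24  interface=BASE_VLAN
add address=192.168.20.1/24 interface=GUEST_VLAN
add address=192.168.50.1/24 interface=UNTRUSTED_VLAN

# DHCP hands every VLAN the Pi-hole as its resolver (pool ranges are assumptions)
/ip pool
add name=pool-base  ranges=192.168.0.100-192.168.0.149
add name=pool-guest ranges=192.168.20.100-192.168.20.200
add name=pool-iot   ranges=192.168.50.100-192.168.50.200
/ip dhcp-server
add interface=BASE_VLAN      address-pool=pool-base  name=dhcp-base
add interface=GUEST_VLAN     address-pool=pool-guest name=dhcp-guest
add interface=UNTRUSTED_VLAN address-pool=pool-iot   name=dhcp-iot
/ip dhcp-server network
add address=192.168.0.0/24  gateway=192.168.0.1  dns-server=192.168.0.210
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.0.210
add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.0.210

# Interface lists used by the firewall
/interface list
add name=WAN
add name=VLAN
/interface list member
add interface=ether1         list=WAN
add interface=BASE_VLAN      list=VLAN
add interface=GUEST_VLAN     list=VLAN
add interface=UNTRUSTED_VLAN list=VLAN

# Forward policy, evaluated top to bottom:
#   1. replies to existing connections, drop invalid
#   2. any VLAN -> Pi-hole DNS (UDP/TCP 53 only, not the whole host)
#   3. management VLAN -> everything
#   4. untrusted VLAN gets no internet
#   5. remaining VLANs -> internet
#   6. everything else between VLANs is dropped (isolation)
/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop   connection-state=invalid
add chain=forward action=accept in-interface-list=VLAN dst-address=192.168.0.210 protocol=udp dst-port=53 comment="all VLANs -> Pi-hole DNS"
add chain=forward action=accept in-interface-list=VLAN dst-address=192.168.0.210 protocol=tcp dst-port=53 comment="all VLANs -> Pi-hole DNS"
add chain=forward action=accept in-interface=BASE_VLAN comment="management reaches every VLAN and WAN"
add chain=forward action=drop   in-interface=UNTRUSTED_VLAN out-interface-list=WAN comment="untrusted: no internet"
add chain=forward action=accept in-interface-list=VLAN out-interface-list=WAN
add chain=forward action=drop   in-interface-list=VLAN comment="isolate VLANs from each other"

# Turn filtering on last, from a Safe Mode session, after confirming with
# "/interface bridge vlan print" that the table matches the port pvids.
/interface bridge set BR1 vlan-filtering=yes
```

The names differ from PCUnite's layout, but the structural check is the same: every wireless interface (including each virtual AP) must appear both as a bridge port with a pvid and frame-types of admit-only-untagged-and-priority-tagged, and in the untagged= list of the /interface bridge vlan entry for that same VLAN ID. Comparing those two tables in an /export is the first thing to look at when a wireless client only gets an address with "Admit All".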