I'm stuck - I'm running a home network with a few different VLANs. Up to this point, the setup was fairly simple (although I still needed help from this forum to get it running): a hAP AC with two Unifi ACs and a dumb switch. I am now adding a Netgear managed PoE switch to power my new security cameras (and one or more of the Unifi ACs). I've attached the configuration and a network diagram.
I thought I'd be able to connect P1 on the Netgear to P4 on the Mikrotik - currently the Unifi AC attached to the Mikrotik's P4 port gets tagged as VLAN99 and tags its SSIDs with the corresponding VLAN IDs - and then set up P1 on the Netgear as a trunk and tag all other ports accordingly. That doesn't work and I'm not sure why; it's likely something stupid in my setup. Any pointers please?
# nov/21/2022 09:19:01 by RouterOS 7.2.3
# software id = YL9S-LT57
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# One VLAN-aware bridge carries every VLAN; vlan-filtering=yes makes the bridge
# VLAN table (the "/interface bridge vlan" entries) decide which port may carry which VLAN.
# NOTE(review): ingress-filtering=no is set on the bridge itself here, not on the
# member ports - confirm that is intended.
/interface bridge add ingress-filtering=no name=BR1 protocol-mode=none vlan-filtering=yes
# One layer-3 VLAN interface per segment. VLAN 99 (BASE_VLAN) is the segment the
# input firewall rule "Allow Base_Vlan Full Access" trusts to manage the router.
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/interface vlan add interface=BR1 name=VLAN10 vlan-id=10
/interface vlan add interface=BR1 name=VLAN20 vlan-id=20
/interface vlan add interface=BR1 name=VLAN30 vlan-id=30
/interface vlan add interface=BR1 name=VLAN40 vlan-id=40
/interface vlan add interface=BR1 name=VLAN50 vlan-id=50
# WAN uplink: PPPoE client on ether1 that installs its own default route.
/interface pppoe-client add add-default-route=yes comment="Home Connect via Frogfoot" disabled=no interface=ether1 name=pppoe-out1 user=X
# Interface lists. The firewall rules in this export only reference WAN and VLAN;
# BASE, VLAN_TRUSTED and VLAN_UNTRUSTED are defined but not used by any rule shown.
/interface list add name=WAN
/interface list add name=BASE
/interface list add name=VLAN
/interface list add name=VLAN_TRUSTED
/interface list add name=VLAN_UNTRUSTED
/interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no
# Wireless security profiles. Both profiles accept wpa-psk as well as wpa2-psk,
# so clients may negotiate the older WPA mode.
# NOTE(review): consider authentication-types=wpa2-psk only, unless a legacy
# device on these SSIDs needs WPA.
# No pre-shared keys appear in this export, so key strength cannot be judged from here.
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
/interface wireless security-profiles add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys name=uiot supplicant-identity=""
# wlan1: 2.4 GHz AP using the "uiot" profile; its bridge port entry is an access port with pvid=30.
# NOTE(review): neither radio shows disabled=no, so both may be administratively
# disabled - confirm with "/interface wireless print".
/interface wireless set [ find default-name=wlan1 ] band=2ghz-b country="south africa" distance=indoors frequency=auto frequency-mode=manual-txpower installation=outdoor mode=ap-bridge security-profile=uiot ssid=auiote wireless-protocol=802.11
# wlan2: 5 GHz AP with no security-profile set (so the default profile applies) and
# a factory-looking SSID. Its bridge port entry uses pvid=99, so if this radio is
# enabled its clients land in BASE_VLAN, which the input chain gives full access
# to the router.
# NOTE(review): keep it disabled, or move it off VLAN 99 and give it a dedicated profile.
/interface wireless set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-681F66 wireless-protocol=802.11
# DHCP address pools, one per VLAN. BASE_POOL starts at .10; the others start at .2.
/ip pool add name=BASE_POOL ranges=192.168.99.10-192.168.99.254
/ip pool add name=POOL_VLAN10 ranges=192.168.10.2-192.168.10.254
# NOTE(review): 192.168.20.2 is inside this pool, yet the DHCP network entries hand
# it out as the primary DNS server for every VLAN. No static lease is visible in
# this export, so another VLAN20 client could be leased that address and end up
# receiving DNS queries. Start the pool above .2 or reserve the address - confirm.
/ip pool add name=POOL_VLAN20 ranges=192.168.20.2-192.168.20.254
/ip pool add name=POOL_VLAN30 ranges=192.168.30.2-192.168.30.254
/ip pool add name=POOL_VLAN40 ranges=192.168.40.2-192.168.40.254
/ip pool add name=POOL_VLAN50 ranges=192.168.50.2-192.168.50.254
# One DHCP server per VLAN interface, each bound to the matching pool.
/ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/ip dhcp-server add address-pool=POOL_VLAN10 interface=VLAN10 name=DHCP_VLAN10
/ip dhcp-server add address-pool=POOL_VLAN20 interface=VLAN20 name=DHCP_VLAN20
/ip dhcp-server add address-pool=POOL_VLAN30 interface=VLAN30 name=DHCP_VLAN30
/ip dhcp-server add address-pool=POOL_VLAN40 interface=VLAN40 name=DHCP_VLAN40
/ip dhcp-server add address-pool=POOL_VLAN50 interface=VLAN50 name=DHCP_VLAN50
# Routing protocol entries. No BGP connection or OSPF interface is configured in
# this export and the OSPF area is disabled.
# NOTE(review): these look like upgrade leftovers - confirm and remove if unused.
/routing bgp template set default disabled=no output.network=bgp-networks
/routing ospf instance add disabled=no name=default-v2
/routing ospf area add disabled=yes instance=default-v2 name=backbone-v2
# Least-privilege group for the Home Assistant integration: only read, test and api
# are granted; write, policy, sensitive, ssh, winbox, web and rest-api are denied.
# The grant is for the plain "api" service, which the "/ip service" lines in this
# export do not disable (only api-ssl is disabled).
# NOTE(review): the plain API is unencrypted; prefer api-ssl for this account - confirm.
/user group add name=homeassistant policy=read,test,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!winbox,!password,!web,!sniff,!sensitive,!romon,!dude,!rest-api
# Bridge ports. ether2 and ether3 are access ports: only untagged frames are
# admitted and they are placed in VLAN 20 and VLAN 99 respectively.
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=20
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=99
# ether4 and ether5 are hybrid ports: no frame-types restriction is set, untagged
# frames go to VLAN 99 and the VLAN table below lists them as tagged for 10-50.
# Any device sending untagged frames on these ports therefore lands in BASE_VLAN,
# which has full access to the router. A switch attached here has to mirror this:
# VLAN 99 untagged as the port PVID, and VLANs 10, 20, 30, 40, 50 tagged.
/interface bridge port add bridge=BR1 interface=ether4 pvid=99
/interface bridge port add bridge=BR1 interface=ether5 pvid=99
# wlan2 is bridged into VLAN 99 with ingress filtering turned off on the port.
/interface bridge port add bridge=BR1 ingress-filtering=no interface=wlan2 pvid=99
# wlan1 is an access port for VLAN 30.
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=30
# Neighbor discovery is enabled on every non-dynamic interface, which includes ether1.
# NOTE(review): consider limiting discovery to an internal interface list - confirm.
/ip neighbor discovery-settings set discover-interface-list=!dynamic
/ip settings set max-neighbor-entries=8192
/ipv6 settings set disable-ipv6=yes max-neighbor-entries=8192
# Bridge VLAN table. VLAN 20 leaves ether2 untagged and is tagged on the CPU port
# and on both hybrid ports.
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4,ether5 untagged=ether2 vlan-ids=20
/interface bridge vlan add bridge=BR1 tagged=BR1,ether4,ether5 vlan-ids=10,30,40,50
# NOTE(review): ether2 (pvid=20) and wlan1 (pvid=30) are listed as untagged members
# of VLAN 99. VLAN 99 broadcast and flooded frames will egress untagged on those
# ports and be seen by VLAN 20 / VLAN 30 devices. ether3 (pvid=99) is the port one
# would expect here instead; the intended line is probably
# untagged=ether3,ether4,ether5 - confirm.
/interface bridge vlan add bridge=BR1 tagged=BR1 untagged=ether2,wlan1,ether5,ether4 vlan-ids=99
# Interface list membership.
# WAN: ether1 and the PPPoE client (see the pppoe-out1 entry further down).
# VLAN: all six VLAN interfaces, including BASE_VLAN.
# VLAN_TRUSTED: VLAN10, VLAN20, BASE_VLAN. VLAN_UNTRUSTED: VLAN30 only.
# VLAN40 and VLAN50 are in neither trust list, and the firewall rules in this
# export match on VLAN and WAN only, so the trust lists currently have no effect.
/interface list member add interface=ether1 list=WAN
/interface list member add interface=VLAN10 list=VLAN
/interface list member add interface=VLAN20 list=VLAN
/interface list member add interface=VLAN30 list=VLAN
/interface list member add interface=VLAN40 list=VLAN
/interface list member add interface=BASE_VLAN list=BASE
/interface list member add interface=BASE_VLAN list=VLAN
/interface list member add interface=VLAN10 list=VLAN_TRUSTED
/interface list member add interface=VLAN20 list=VLAN_TRUSTED
/interface list member add interface=VLAN30 list=VLAN_UNTRUSTED
/interface list member add interface=pppoe-out1 list=WAN
/interface list member add interface=BASE_VLAN list=VLAN_TRUSTED
/interface list member add interface=VLAN50 list=VLAN
# OpenVPN server settings. The server is not shown as enabled in this export.
# NOTE(review): md5 and sha1 are weak HMAC choices; tighten auth= before ever
# enabling the server.
/interface ovpn-server server set auth=sha1,md5
# Gateway address (.1) on each VLAN interface.
/ip address add address=192.168.99.1/24 interface=BASE_VLAN network=192.168.99.0
/ip address add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
/ip address add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
/ip address add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
/ip address add address=192.168.40.1/24 interface=VLAN40 network=192.168.40.0
/ip address add address=192.168.50.1/24 interface=VLAN50 network=192.168.50.0
/ip dhcp-client add disabled=yes interface=ether1
# DHCP options per subnet: every VLAN is handed 192.168.20.2 as first resolver and
# the router's own address as second.
# NOTE(review): the forward chain in this export only lets VLAN10 reach VLAN20, so
# clients in VLAN30/40/50/99 cannot reach 192.168.20.2 and fall back to the router.
# If 192.168.20.2 is meant to filter or log DNS, those VLANs bypass it - confirm.
/ip dhcp-server network add address=192.168.10.0/24 dns-server=192.168.20.2,192.168.10.1 gateway=192.168.10.1
/ip dhcp-server network add address=192.168.20.0/24 dns-server=192.168.20.2,192.168.20.1 gateway=192.168.20.1
/ip dhcp-server network add address=192.168.30.0/24 dns-server=192.168.20.2,192.168.30.1 gateway=192.168.30.1
/ip dhcp-server network add address=192.168.40.0/24 dns-server=192.168.20.2,192.168.40.1 gateway=192.168.40.1
/ip dhcp-server network add address=192.168.50.0/24 dns-server=192.168.20.2,192.168.50.1 gateway=192.168.50.1
/ip dhcp-server network add address=192.168.99.0/24 dns-server=192.168.20.2,192.168.99.1 gateway=192.168.99.1
# allow-remote-requests=yes makes the router answer DNS queries from the network.
# Exposure is limited only by the input chain: port 53 is accepted from the VLAN
# list and everything else, including the WAN side, hits the final drop rule.
/ip dns set allow-remote-requests=yes servers=192.168.20.2,1.1.1.1,8.8.8.8
# Input chain (traffic to the router itself): default-deny with explicit accepts.
# NOTE(review): neither chain has a rule dropping connection-state=invalid;
# invalid packets are only caught by the final drop rules.
/ip firewall filter add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
/ip firewall filter add action=accept chain=input comment="Allow VLAN (ICMP!)" in-interface-list=VLAN protocol=icmp
# NOTE(review): the two DNS rules are labelled "TRUSTED ONLY" but match
# in-interface-list=VLAN, which contains all six VLANs. Either relabel them or
# match VLAN_TRUSTED; narrowing would leave VLAN30/40/50 without a reachable resolver.
/ip firewall filter add action=accept chain=input comment="Allow VLAN (DNS tcp) (TRUSTED ONLY)" dst-port=53 in-interface-list=VLAN protocol=tcp
/ip firewall filter add action=accept chain=input comment="Allow VLAN (DNS - udp) (TRUSTED ONLY)" dst-port=53 in-interface-list=VLAN protocol=udp
# Anything in VLAN 99 can reach every service on the router. ether3, the untagged
# side of ether4/ether5 and wlan2 all use pvid=99.
/ip firewall filter add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
/ip firewall filter add action=drop chain=input comment="Drop all else"
# Forward chain (traffic through the router): default-deny with explicit accepts.
/ip firewall filter add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
# Every VLAN, including untrusted IoT (30) and cameras (50), may open connections to the WAN.
# NOTE(review): if the cameras should stay local, exclude VLAN50 here - confirm.
/ip firewall filter add action=accept chain=forward comment="VLAN Internet Access " connection-state=new in-interface-list=VLAN out-interface-list=WAN
# NOTE(review): no out-interface is set, so VLAN10 can open connections to every
# other VLAN, including BASE_VLAN and the camera VLAN - broader than the label says.
/ip firewall filter add action=accept chain=forward comment="Allow Main Vlan (10) access to IoT and IoT Untrusted" connection-state=new in-interface=VLAN10 in-interface-list=VLAN
# These two rules identify Home Assistant by source MAC only. A MAC address can be
# set by any host in VLAN20, so this is a convenience filter rather than
# authentication.
# NOTE(review): consider also pinning src-address together with a static DHCP lease.
/ip firewall filter add action=accept chain=forward comment="Allow Home Assistant access to untrusted iot" connection-state=new in-interface=VLAN20 out-interface=VLAN30 src-mac-address=DC:A6:32:42:B0:EC
/ip firewall filter add action=accept chain=forward comment="Allow Home Assistant access to camera vlan" connection-state=new in-interface=VLAN20 out-interface=VLAN50 src-mac-address=DC:A6:32:42:B0:EC
/ip firewall filter add action=drop chain=forward comment=Drop
# Source NAT for everything leaving through the WAN list.
/ip firewall nat add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
# NOTE(review): these two rules and the static route refer to 192.168.0.150 and
# 192.168.0.1, a subnet that is not configured on any interface in this export.
# The src-nat rule has no out-interface, so it also rewrites traffic from
# 192.168.20.2 towards the other VLANs. This looks like a leftover from an earlier
# topology - confirm and remove if unused.
/ip firewall nat add action=src-nat chain=srcnat src-address=192.168.20.2 to-addresses=192.168.0.150
/ip firewall nat add action=dst-nat chain=dstnat dst-address=192.168.0.150 in-interface-list=VLAN to-addresses=192.168.20.2
# Static default route, in addition to the one the PPPoE client adds (add-default-route=yes).
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=192.168.0.1
# Management services: telnet, ftp, www, ssh and api-ssl are switched off.
# NOTE(review): winbox and the plain-text api service are not listed, so they are
# presumably still at their defaults - check with "/ip service print". No address=
# restriction is set on any service; reachability is limited only by the input
# chain, which admits BASE_VLAN. With api-ssl off, an API client such as the
# "homeassistant" group user would have to use the unencrypted api service.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh disabled=yes
/ip service set api-ssl disabled=yes
/system clock set time-zone-name=Africa/Johannesburg