Community discussions

 
boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

How to set up VLAN to pass traffic through a managed switch?

Wed Jan 08, 2025 3:13 pm

I have the following network topology at home:
topologie.drawio.png
I want to follow this guide for setting up my WiFi to provide different networks on different VLANs.

My question is, how do I need to configure the PoE Switch in between to pass the tagged frames to the router? Currently, no VLAN settings are configured:
Bildschirmfoto 2025-01-08 um 14.10.34.png
Ports 15 & 16 are configured as LAG and set to `balance rr` on Mikrotik side.

My CAPs are connected on ports 1 & 2.

Do I need to set them all to `tagged`?
 
txfz
Frequent Visitor
Posts: 67
Joined: Tue Mar 10, 2020 9:02 am

Re: How to set up VLAN to pass traffic through a managed switch?

Wed Jan 08, 2025 4:23 pm

Set up both VLANs as tagged on the LAG interface. If the access points are set up for tagging, set up the appropriate VLAN as tagged on the corresponding ports, otherwise as untagged, possibly by setting the PVID.

Different vendors have different approaches.
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How to set up VLAN to pass traffic through a managed switch?

Wed Jan 08, 2025 5:30 pm

To set up VLAN filtering on both the RB4011 and the cAP products, use this guide: --> viewtopic.php?t=143620

I recommend that for each MT device you do the config from a safe location, namely an off-bridge port.
So in the case of the cAPs, use ether2 off bridge; on the RB4011 use ether8 and remove it from /interface bridge port

/interface ethernet
set [ find default-name=etherX ] name=OffBridgeX
/interface list member
add interface=OffBridgeX list=LAN ( or trusted list )
/ip address
add address=192.168.77.1/30 interface=OffBridgeX network=192.168.77.0


Now all you need to do is plug your laptop into the appropriate port X, set its IPv4 address to 192.168.77.2, and you should be in!!

++++++++++++++++++++

Let's say the RB4011 has vlan10 (home) and vlan20 (guests), and vlan10 is the trusted subnet, so all smart devices should get an IP address on this subnet (as per the article above).
Trunk port from the RB4011 to the switch, and trunk ports to both CAPs.

On the netgear switch all trunk ports retain vlan1 untagged on the port. PVID setting remains at 1 for these ports.
On the netgear switch all access ports ( going to dumb devices ) are untagged on that port going to the device and tagged for trunk ports. PVID is changed to relevant vlan ID.

On all MT devices:
access ports in /interface bridge port settings have ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
trunk ports in /interface bridge port settings have ingress-filtering=yes frame-types=admit-only-vlan-tagged


Ref the diagram above. The only time you need to change settings for vlan 1 is to remove the untagging for any ports going to dumb devices associated with a different vlan ID.
We don't use vlan1 in any settings on MT; it works in the background. Otherwise leave the rest alone.
For each particular vlan ID on the Netgear switch, ensure it's tagged for trunk ports if appropriate (data needs to flow to the next smart device) or if it's the management vlan (sometimes it's also the trusted vlan), AND untagged if going to a dumb device for the appropriate vlan.

Be sure to set the management vlan, if that is an option on the Netgear, to vlan10 in this case, and it should get a fixed IP address on vlan10.
 
boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

Re: How to set up VLAN to pass traffic through a managed switch?

Wed Jan 08, 2025 10:49 pm

On the netgear switch all trunk ports retain vlan1 untagged on the port. PVID setting remains at 1 for these ports.
On the netgear switch all access ports ( going to dumb devices ) are untagged on that port going to the device and tagged for trunk ports. PVID is changed to relevant vlan ID.
You mean 'all trunk ports retain vlan10', correct? Spelling mistake?

I am a bit confused by these two sentences. I have four trunk ports on the switch. Two going to the CAPs and two going to the router. The Switch with a separate router (RoaS) example from your link suggests to use tagging, if I am not mistaken.
# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN 99)
add bridge=BR1 tagged=sfp1,sfp2     vlan-ids=10
add bridge=BR1 tagged=sfp1,sfp2     vlan-ids=20
add bridge=BR1 tagged=sfp1,sfp2     vlan-ids=30
add bridge=BR1 tagged=BR1,sfp1,sfp2 vlan-ids=99
Using two VLANs I should tag all trunk ports with both VLANs, no?
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How to set up VLAN to pass traffic through a managed switch?

Wed Jan 08, 2025 11:09 pm

I was referring ONLY to the display of vlan1, where you only change the port from U to nothing (no affiliation) for any ports that are untagged (access ports for other vlans).
In addition you would need to change the PVID of that port from 1 to the untagged port's vlan ID.

For review post pages for each vlan being used, the pvid page, the admin page showing the IP assigned to the switch etc.
 
McGremlin
Frequent Visitor
Posts: 90
Joined: Fri Jun 16, 2023 12:12 pm

Re: How to set up VLAN to pass traffic through a managed switch?

Fri Jan 10, 2025 12:55 pm

My question is, how do I need to configure the PoE Switch in between to pass the tagged frames to the router?
Only for the switch, as you asked at the beginning: first of all you have to add the needed VLANs with the appropriate VLAN IDs. Then in the "VLAN Membership" page you need to change the letter from U (untagged) to T (tagged) on the LAG interface and ports 1 & 2 (all trunks). This has to be done for all required VLANs.

EDIT: In the "Port PVID Configuration" the PVID for all those trunk ports should be 1.
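The ingress and egress rules that anav's and McGremlin's posts above describe (tagged-only trunks, untagged-only access ports classified by PVID, T/U membership per VLAN, and PVID 1 kept on the switch trunks), as an added example in Python. It is not part of the forum thread and is not MikroTik or Netgear code: it models one generic VLAN-aware bridge and floods each frame to the other member ports of its VLAN. The port names, the VLAN numbers 10/20/99 and the frames are constructed placeholders; the string constants only borrow the RouterOS frame-types names.

```python
"""802.1Q ingress/egress model of one VLAN-aware bridge (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Port admission policies, named after the RouterOS frame-types values.
TAGGED_ONLY = "admit-only-vlan-tagged"                     # trunk ports
UNTAGGED_ONLY = "admit-only-untagged-and-priority-tagged"  # access ports
ADMIT_ALL = "admit-all"                                    # the switch's default


@dataclass
class Port:
    name: str
    pvid: int = 1                       # VLAN assigned to untagged ingress frames
    frame_types: str = ADMIT_ALL
    ingress_filtering: bool = True      # drop frames for VLANs the port is not in
    tagged: Set[int] = field(default_factory=set)    # VLANs sent out with a tag ("T")
    untagged: Set[int] = field(default_factory=set)  # VLANs sent out untagged ("U")

    def is_member(self, vid: int) -> bool:
        return vid in self.tagged or vid in self.untagged


@dataclass(frozen=True)
class Frame:
    vid: Optional[int]      # None: no 802.1Q header on the wire
    payload: str = ""


class VlanBridge:
    def __init__(self, *ports: Port) -> None:
        self.ports: Dict[str, Port] = {p.name: p for p in ports}

    def classify(self, port: Port, frame: Frame) -> Optional[int]:
        """Ingress: frame-types check, PVID assignment, then ingress filtering.
        Returns the VLAN the frame now belongs to, or None when it is dropped."""
        if frame.vid is None:
            if port.frame_types == TAGGED_ONLY:
                return None             # trunk refuses untagged frames
            vid = port.pvid             # access port stamps its PVID
        else:
            if port.frame_types == UNTAGGED_ONLY:
                return None             # access port refuses client-supplied tags
            vid = frame.vid
        if port.ingress_filtering and not port.is_member(vid):
            return None                 # VLAN not configured on this port
        return vid

    def forward(self, in_port: str, frame: Frame) -> Dict[str, Frame]:
        """Flood (unknown destination) to every other member port of the VLAN.
        Returns {egress port: frame as it appears on that wire}; {} means dropped."""
        vid = self.classify(self.ports[in_port], frame)
        if vid is None:
            return {}
        out: Dict[str, Frame] = {}
        for name, p in self.ports.items():
            if name == in_port:
                continue
            if vid in p.untagged:
                out[name] = Frame(None, frame.payload)   # tag stripped on egress
            elif vid in p.tagged:
                out[name] = Frame(vid, frame.payload)    # tag kept on egress
        return out


def build_cap() -> VlanBridge:
    """A cAP as the posts describe it: ether1 trunks to the switch, the wifi
    interfaces are access ports, and the bridge (CPU) port is only in the
    management VLAN. VLAN numbers 10/20/99 are placeholders."""
    return VlanBridge(
        Port("ether1", frame_types=TAGGED_ONLY, tagged={10, 20, 99}),
        Port("wifi-home", pvid=10, frame_types=UNTAGGED_ONLY, untagged={10}),
        Port("wifi-guest", pvid=20, frame_types=UNTAGGED_ONLY, untagged={20}),
        Port("bridge", frame_types=TAGGED_ONLY, tagged={99}),
    )


def build_switch() -> VlanBridge:
    """The switch side as described: the LAG and both cAP ports are T for every
    VLAN in use, keep VLAN 1 untagged, and keep PVID 1."""
    def trunk(name: str) -> Port:
        return Port(name, pvid=1, tagged={10, 20, 99}, untagged={1})
    return VlanBridge(trunk("lag"), trunk("port1"), trunk("port2"))


if __name__ == "__main__":
    cap, sw = build_cap(), build_switch()
    print(cap.forward("wifi-guest", Frame(None, "dhcp discover")))  # tagged 20 on ether1 only
    print(cap.forward("wifi-guest", Frame(10, "vlan hop attempt")))  # {} dropped by frame-types
    print(cap.forward("ether1", Frame(99, "winbox")))               # reaches the bridge only
    print(sw.forward("port1", Frame(20, "guest")))                   # tag kept to lag and port2
```

The `wifi-guest` case with a pre-tagged frame is what `admit-only-untagged-and-priority-tagged` on access ports is for: a guest client cannot hop into VLAN 10 by adding its own 802.1Q header, because the frame is refused before PVID classification. Keeping `ingress-filtering=yes` on every port closes the other gap, a tag for a VLAN the port was never made a member of.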
 
boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

Re: How to set up VLAN to pass traffic through a managed switch?

Sun Jan 19, 2025 1:14 pm

Thanks for all the help so far! I haven't had a chance to try it out yet. There are members in the house very unhappy about the WiFi not being accessible. Will keep you posted, though!
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How to set up VLAN to pass traffic through a managed switch?

Sun Jan 19, 2025 5:06 pm

Cannot be that unhappy, you posted on JAN 08, and only getting to it now??? Must have been in the hospital or on vacation.
 
boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

Re: How to set up VLAN to pass traffic through a managed switch?

Mon Jan 20, 2025 9:07 am

Cannot be that unhappy, you posted on JAN 08, and only getting to it now??? Must have been in the hospital or on vacation.
Haha, no. In the past, when I tried to get the configuration of my VLANs right, I regularly locked myself out (and everyone else in the house). They are unhappy when I 'play' with the router and configuration.
 
boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

Re: How to set up VLAN to pass traffic through a managed switch?

Tue Jan 21, 2025 1:13 pm

My current config on the managed switch. Now with three VLANs (mgmt, home, guest):
Bildschirmfoto 2025-01-21 um 12.11.20.png
Bildschirmfoto 2025-01-21 um 12.11.26.png
Bildschirmfoto 2025-01-21 um 12.11.32.png
Bildschirmfoto 2025-01-21 um 12.11.36.png
Bildschirmfoto 2025-01-21 um 12.11.40.png
Bildschirmfoto 2025-01-21 um 12.11.54.png
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: How to set up VLAN to pass traffic through a managed switch?

Tue Jan 21, 2025 2:51 pm

What is the management vlan or trusted vlan, and do the capacs and switch get an IP address from this VLAN?
In other words, I do not see vlan99 above, and it should be going from the rb4011 to both capacs as well.
 
McGremlin
Frequent Visitor
Posts: 90
Joined: Fri Jun 16, 2023 12:12 pm

Re: How to set up VLAN to pass traffic through a managed switch?

Tue Jan 21, 2025 8:44 pm

The Netgear config looks okay, but the virtual LAG interface should also be tagged (I cannot see it on the screenshots). I have to admit that I didn't need to use LAGs on Netgears, so maybe it's somehow done automatically.
But as anav has mentioned, the VLAN IDs are different from what you pasted earlier:
# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN 99)
add bridge=BR1 tagged=sfp1,sfp2     vlan-ids=10
add bridge=BR1 tagged=sfp1,sfp2     vlan-ids=20
add bridge=BR1 tagged=sfp1,sfp2     vlan-ids=30
add bridge=BR1 tagged=BR1,sfp1,sfp2 vlan-ids=99
Is it working? And the Mikrotik config was just an example or was copied from another forum post or something?
You have posted screenshots but didn't let us know about effect - that is rude... :D
 
boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

Re: How to set up VLAN to pass traffic through a managed switch?

Wed Jan 22, 2025 10:27 am

So far, I configured the switch only and testing with one Wi-Fi only while keeping the old non-VLAN setup on the side.

The CAPs are CAPsMANed. When connecting to the `guest` Wi-Fi, I cannot obtain an IP address from DHCP.

But I think the tagging of the LAG is a good pointer. Unfortunately, I couldn't find any such configuration option in the Netgear UI so far.

My full router config:
# 2025-01-22 09:20:57 by RouterOS 7.17
# software id = REDACTED
#
# model = RB4011iGS+
# serial number = REDACTED
/interface bridge
add admin-mac=REDACTED auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] comment="b\C3\BCro"
set [ find default-name=ether6 ] comment=knx
/interface wireguard
add listen-port=13232 mtu=1420 name=jellyfin1
add listen-port=21841 mtu=1420 name=seedbox1
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=guest vlan-id=300
add interface=sfp-sfpplus1 name=sfpv7 vlan-id=7
/interface bonding
add mode=802.3ad name=nas slaves=ether7,ether8
add mode=balance-xor name=switch slaves=ether9,ether10 transmit-hash-policy=\
    layer-2-and-3
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=sfpv7 \
    name=telekom use-peer-dns=yes user=REDACTED
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=GUEST
/interface wifi datapath
add bridge=bridge comment=defconf disabled=no name=capdp
add bridge=bridge comment=guest disabled=no name=guest-datapath vlan-id=300
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no \
    name=family-sec
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=guest-sec
/interface wifi configuration
add channel.reselect-interval=10m..30m comment=family disabled=no mode=ap \
    name=family security=family-sec security.connect-priority=0 .ft=yes \
    .ft-over-ds=yes ssid=BuddhasBlessedBunch
add comment=guest country=Germany datapath=guest-datapath disabled=no mode=ap \
    name=guest security=guest-sec ssid=BuddhasBlessedGuests
/ip kid-control
add disabled=yes mon=9h-21h name="Stop Internet "
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
add name=mgmt ranges=192.168.90.100-192.168.90.254
add name=home ranges=192.168.91.100-192.168.91.254
add name=guest ranges=192.168.92.100-192.168.92.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=2h name=defconf
add address-pool=guest comment=guest interface=guest name=guest
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
set 3 remote=nas.lan
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge interface=nas
add bridge=bridge interface=switch
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
add comment=wireguard interface=wireguard1 list=LAN
add comment=jellyfin interface=jellyfin1 list=LAN
add interface=sfpv7 list=WAN
add interface=telekom list=WAN
add interface=guest list=LAN
/interface ovpn-server server
add mac-address=REDACTED name=ovpn-server1
/interface wifi capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=\
    no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled comment=5ghz disabled=no \
    master-configuration=family slave-configurations=guest supported-bands=\
    5ghz-ax
add action=create-dynamic-enabled comment=2ghx disabled=no \
    master-configuration=family slave-configurations=guest supported-bands=\
    2ghz-ax
/interface wireguard peers
add allowed-address=192.168.87.10/32 client-address=192.168.87.10/32 \
    client-dns=192.168.87.1 client-endpoint=REDACTED \
    interface=wireguard1 name=pixel preshared-key=\
    "REDACTED" private-key=\
    "REDACTED" public-key=\
    "zA3KVqkFdyeYs8SeH5bBty5q8a6aqZjHmywineHN0EQ="
add allowed-address=192.168.87.11/32 client-address=192.168.87.11/32 \
    client-dns=192.168.87.1 client-endpoint=REDACTED \
    interface=wireguard1 name=tuxedo preshared-key=\
    "REDACTED" private-key=\
    "REDACTED" public-key=\
    "hYoazZbXFmbE148jFN8s6v0D3cRCkTawVtaaXySosEE="
add allowed-address=192.168.87.12/32 client-address=192.168.87.12/32 \
    client-dns=192.168.87.1 client-endpoint=REDACTED \
    interface=wireguard1 name=travelrouter preshared-key=\
    "REDACTED" private-key=\
    "REDACTED" public-key=\
    "PaIB5Rp1hI1pRtadUrtSDAFEOI//urx6fhApJaZqrDM="
add allowed-address=192.168.87.13/32 client-address=192.168.87.13/32 \
    client-dns=192.168.87.1 client-endpoint=REDACTED \
    interface=wireguard1 name=iphone preshared-key=\
    "REDACTED" private-key=\
    "REDACTED" public-key=\
    "FHB9LwPAgM7MoR2pSOqO1RnvaAXy77XkpJ4Mo62qPis="
add allowed-address=192.168.86.11/32 client-address=192.168.86.11/32 \
    client-dns=192.168.86.1 client-endpoint=REDACTED \
    interface=jellyfin1 name=rieckmanns preshared-key=\
    "REDACTED" private-key=\
    "REDACTED" public-key=\
    "HJl4GXRRVzEdIlCNxw7c2k0oADNBxtkpxnT+C6h45Ss="
add allowed-address=0.0.0.0/0 endpoint-address=REDACTED endpoint-port=\
    51026 interface=seedbox1 name=seedbox public-key=\
    "Tq7MDaNyunVrfko5mLMWoN8rZ08hSJOCpJEPUfQcHVo="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.87.1/24 comment=wireguard interface=wireguard1 network=\
    192.168.87.0
add address=10.102.6.2/24 comment=seedbox interface=seedbox1 network=\
    10.102.6.0
add address=192.168.86.1/24 comment=jellyfin interface=jellyfin1 network=\
    192.168.86.0
add address=192.168.1.2/24 comment=luleey interface=sfp-sfpplus1 network=\
    192.168.1.0
add address=192.168.92.1/24 comment=guest interface=guest network=\
    192.168.92.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.14 domain=\
    lan gateway=192.168.88.1 netmask=24
add address=192.168.92.0/24 comment=guest dns-server=192.168.92.1 gateway=\
    192.168.92.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
add address=192.168.88.3 name=proxmox2.lan type=A
add address=192.168.88.5 name=zigbee2mqtt.lan type=A
add address=192.168.88.6 name=nas.lan type=A
add address=192.168.88.7 name=jellyfin.lan type=A
add address=192.168.88.8 name=syncthing.lan type=A
add address=192.168.88.11 name=box.lan type=A
add address=192.168.88.12 name=jellyseerr.lan type=A
add address=192.168.88.14 name=homeassistant.lan type=A
add address=192.168.88.16 name=flaresolverr.lan type=A
add address=192.168.88.17 name=zigbeecoordinator.lan type=A
add address=192.168.88.20 name=proxmox3.lan type=A
add address=192.168.88.21 name=proxmox.lan type=A
# bad CNAME data
add cname=nginx.lan. name=jellyfin.REDACTED type=CNAME
# bad CNAME data
add cname=nginx.lan. name=jellyseerr.REDACTED type=CNAME
# bad CNAME data
add cname=nginx.lan. name=radarr.REDACTED type=CNAME
# bad CNAME data
add cname=nginx.lan. name=sonarr.REDACTED type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=mqtt.lan type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=radarr.lan type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=sonarr.lan type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=prowlarr.lan type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=nginx.lan type=CNAME
/ip firewall address-list
add address=192.168.88.7 comment=jellyfin list=jellyfin
add address=192.168.88.12 comment=jellyseer list=jellyfin
add address=192.168.88.13 comment=nginx list=jellyfin
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" \
    jump-target=kid-control
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow Jellyfin (Wireguard)" dst-port=\
    13232 protocol=udp
add action=accept chain=input comment="allow Seedbox (Wireguard )" dst-port=\
    21841 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="allow jellyfin access only" \
    dst-address-list=!jellyfin in-interface=jellyfin1
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=src-nat chain=srcnat comment=luleey dst-address=192.168.1.1 \
    out-interface=sfp-sfpplus1 to-addresses=192.168.1.2
add action=masquerade chain=srcnat comment=luleey out-interface=sfp-sfpplus1
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=seedbox out-interface=seedbox1
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control device
add mac-address=92:66:00:A0:AD:52 name="MacBook Pro " user="Stop Internet "
/ipv6 dhcp-client
add add-default-route=yes interface=telekom pool-name=pool-ipv6 request=\
    prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Router
/system logging
add action=remote topics=critical,error,warning
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.de.pool.ntp.org
add address=1.de.pool.ntp.org
add address=2.de.pool.ntp.org
add address=3.de.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes enter-setup-on=delete-key
/system scheduler
add comment=strato interval=1h name=dyndns on-event=\
    "/system script run dyndns" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-10-20 start-time=17:57:15
/system script
add comment=strato dont-require-permissions=no name=dyndns owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source=":global ddnsuser \"REDACTED\"\
    \n:global ddnspass \"REDACTED\"\
    \n:global theinterface \"telekom\"\
    \n:global ddnshost1 \"REDACTED\"\
    \n\
    \n:global ipddns\
    \n:global ipfresh [/ip address get [find where interface=\$theinterface] v\
    alue-name=address]\
    \n\
    \n:if ([ :typeof \$ipfresh ] = nil ) do={\
    \n  :log info (\"DynDNS: No ip address on \$theinterface.\")\
    \n} else={\
    \n  :for i from=( [:len \$ipfresh] - 1) to=0 do={ \
    \n    :if ( [:pick \$ipfresh \$i] = \"/\") do={\
    \n      :set ipfresh [:pick \$ipfresh 0 \$i];\
    \n    }\
    \n  }\
    \n  :if (\$ipddns != \$ipfresh) do={\
    \n    :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\
    \n    :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\
    \n    :log info (\"DynDNS: Update IP needed. Sending UPDATE...!\")\
    \n    :global str1 \"/nic/update\\\?hostname=\$ddnshost1&myip=\$ipfresh\"\
    \n    /tool fetch address=dyndns.strato.com src-path=\$str1 user=\$ddnsuse\
    r password=\$ddnspass mode=https dst-path=(\"/DynDNS.\$ddnshost1\")\
    \n    :delay 1\
    \n    :global str1 [/file find name=\"DynDNS.\$ddnshost1\"];\
    \n    /file remove \$str1\
    \n    :global ipddns \$ipfresh\
    \n    :log info \"DynDNS: IP updated to \$ipfresh!\"\
    \n  } else={\
    \n    :log info \"DynDNS: dont need changes\";\
    \n  }\
    \n}"
/tool e-mail
set from="Router <mikrotik@REDACTED>" port=587 server=\
    smtp.protonmail.ch tls=yes user=mikrotik@REDACTED
/tool graphing interface
add allow-address=192.168.88.0/24 interface=sfp-sfpplus1
add allow-address=192.168.88.0/24 interface=nas
add allow-address=192.168.88.0/24 interface=switch
/tool graphing resource
add allow-address=192.168.88.0/24
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
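One way to catch the kind of VLAN-ID mismatch this thread keeps circling (a wifi datapath vlan-id with no matching bridge VLAN entry, a routed VLAN interface created on an ethernet or bonding port instead of on the bridge, a trunk not tagged for every VLAN, an access port whose PVID it is not an untagged member of) is to lint the export before applying it. This is an added example in Python, not from the thread and not a MikroTik tool. The two exports it runs on are constructed for the demo and only borrow interface names used above; the finding codes are made up here. It relies on the documented RouterOS rule that with vlan-filtering=yes the L3 VLAN interfaces belong on the bridge, which must itself be a tagged member of that VLAN.

```python
"""Lint a RouterOS export for VLAN table / VLAN interface mismatches (added example)."""
import shlex
from collections import defaultdict
from typing import Dict, List, Set, Tuple

TRUNK = "admit-only-vlan-tagged"
ACCESS = "admit-only-untagged-and-priority-tagged"


def parse_export(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Map each menu path (e.g. "/interface bridge vlan") to its 'add' entries as
    key=value dicts. Backslash continuation lines are joined first."""
    sections: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    current = None
    for raw in text.replace("\\\n", "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
        elif current and line.startswith("add "):
            sections[current].append(dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return sections


def expand_vids(spec: str) -> Set[int]:
    """'10,20-22' -> {10, 20, 21, 22}, the vlan-ids syntax of the bridge VLAN table."""
    vids: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids


def lint(text: str) -> List[Tuple[str, str]]:
    """Return (code, detail) findings; an empty list means the export is consistent."""
    cfg = parse_export(text)
    findings: List[Tuple[str, str]] = []
    bridges = {e["name"] for e in cfg["/interface bridge"] if e.get("vlan-filtering") == "yes"}
    ports = {e["interface"]: e for e in cfg["/interface bridge port"]}
    # table[bridge][vid] = (tagged members, untagged members)
    table: Dict[str, Dict[int, Tuple[Set[str], Set[str]]]] = defaultdict(dict)
    for e in cfg["/interface bridge vlan"]:
        tagged = set(filter(None, e.get("tagged", "").split(",")))
        untagged = set(filter(None, e.get("untagged", "").split(",")))
        for vid in expand_vids(e["vlan-ids"]):
            table[e["bridge"]][vid] = (tagged, untagged)
    # Routed VLAN interfaces must sit on the bridge, and the bridge must be tagged in that VLAN.
    for e in cfg["/interface vlan"]:
        parent, vid = e["interface"], int(e["vlan-id"])
        if parent in ports:
            findings.append(("VLAN_IF_ON_MEMBER_PORT", f"{e['name']}: {parent} is a port of "
                             f"{ports[parent]['bridge']}; create the VLAN interface on the bridge"))
        elif parent in bridges and parent not in table[parent].get(vid, (set(), set()))[0]:
            findings.append(("VLAN_IF_BRIDGE_NOT_TAGGED", f"{e['name']}: {parent} not tagged in VLAN {vid}"))
    # Every VLAN a wifi datapath tags into must exist in that bridge's VLAN table.
    for e in cfg["/interface wifi datapath"]:
        if "vlan-id" in e and e.get("bridge") in bridges and int(e["vlan-id"]) not in table[e["bridge"]]:
            findings.append(("DATAPATH_VLAN_MISSING", f"{e['name']}: VLAN {e['vlan-id']} not in table"))
    # Trunks must carry every VLAN tagged; access ports must be untagged members of their PVID.
    for name, p in ports.items():
        vlans, ft = table[p["bridge"]], p.get("frame-types", "admit-all")
        if ft == TRUNK:
            missing = sorted(v for v, (tagged, _) in vlans.items() if name not in tagged)
            if missing:
                findings.append(("TRUNK_MISSING_VLAN", f"{name}: not tagged for VLANs {missing}"))
        elif ft == ACCESS:
            pvid = int(p.get("pvid", "1"))
            if name not in vlans.get(pvid, (set(), set()))[1]:
                findings.append(("ACCESS_PVID_NOT_UNTAGGED", f"{name}: pvid={pvid} but not untagged in it"))
    return findings


# Constructed sample exports (not the poster's config): one inconsistent, one corrected.
BROKEN_EXPORT = """\
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=switch name=guest vlan-id=50
add interface=bridge name=mgmt vlan-id=99
/interface wifi datapath
add bridge=bridge name=guest-datapath vlan-id=50
add bridge=bridge name=home-datapath vlan-id=10
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=switch
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \\
    interface=ether2 pvid=10
/interface bridge vlan
add bridge=bridge tagged=switch,bridge vlan-ids=50
add bridge=bridge tagged=switch,bridge vlan-ids=99
"""
FIXED_EXPORT = BROKEN_EXPORT.replace("interface=switch name=guest", "interface=bridge name=guest") + \
    "add bridge=bridge tagged=switch,bridge untagged=ether2 vlan-ids=10\n"

if __name__ == "__main__":
    for code, detail in lint(BROKEN_EXPORT):
        print(f"{code}: {detail}")
    print("fixed export findings:", lint(FIXED_EXPORT))
```

Run it against `/export` output from each device separately: the same checks apply on the cAP side, where the wifi interfaces are added as bridge ports by CAPsMAN and the VLAN the datapath tags into must exist in the cAP's own bridge VLAN table with ether1 tagged.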
 
boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

Re: How to set up VLAN to pass traffic through a managed switch?

Sat Jan 25, 2025 9:59 am

I just bought a new switch now. According to the Netgear community the current switch only partially supports VLAN management.

Will check in again once it arrived.
 
BartoszP
Forum Guru
Posts: 3096
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: How to set up VLAN to pass traffic through a managed switch?

Sat Jan 25, 2025 1:21 pm

Isn't it somehow the problem of a mismatch between VLANs 100, 200, 300 in the switch and 10, 20, 30 in the router, according to the config snippets?
 
boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

Re: How to set up VLAN to pass traffic through a managed switch?

Sun Jan 26, 2025 8:25 am

The first config snippet was from the guide anav posted. Not my config.

My config is a few posts above. Currently, I only have the VLAN 300 (guest) configured, since I wanted to start with it.

Ultimately, I want three VLANs:
  1. 100: One management, where I can access the router, the WiFi APs, the NAS etc.
  2. 200: One home, where my family can use the local network, Jellyfin, Homeassistant etc.
  3. 300: One guest, where only access to the internet is possible, but locked out of the local network.
 
boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

Re: How to set up VLAN to pass traffic through a managed switch?

Sat Feb 01, 2025 8:53 am

Okay, coming back to this now with the new switch. I cannot make it work right now. Testing access to the guest WiFi and obtaining an IP address fails.

This is the current VLAN setup for the guest VLAN on the switch.
VLAN
This is the current LAG setup on the switch.
LAG
From what I understand so far, this should be alright.

AP config:
# 2025-02-01 05:56:05 by RouterOS 7.17.1
# software id = REDACTED
#
# model = cAPGi-5HaxD2HaxD
# serial number = REDACTED
/interface bridge
add admin-mac=48:A9:8A:A2:9D:29 auto-mac=no comment=defconf name=bridgeLocal \
    vlan-filtering=yes
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN F4:1E:57:0D:41:A7%bridgeLocal, traffic processing on CAP
# mode: AP, SSID: BuddhasBlessedBunch, channel: 5500/ax/Ceee/D
set [ find default-name=wifi1 ] configuration.country=Germany .manager=\
    capsman .mode=ap datapath=capdp disabled=no
# managed by CAPsMAN F4:1E:57:0D:41:A7%bridgeLocal, traffic processing on CAP
# mode: AP, SSID: BuddhasBlessedBunch, channel: 2412/ax/Ce
set [ find default-name=wifi2 ] configuration.country=Germany .manager=\
    capsman .mode=ap datapath=capdp disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface bridge vlan
add bridge=bridgeLocal comment=guest tagged=bridgeLocal,ether1 vlan-ids=50
/interface ovpn-server server
add mac-address=FE:81:CE:1B:D8:03 name=ovpn-server1
/interface wifi cap
set caps-man-addresses=192.168.88.1 discovery-interfaces=bridgeLocal enabled=\
    yes
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system identity
set name="AP Hauswirtschaftsraum"
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes

Router config:
# 2025-02-01 06:30:16 by RouterOS 7.17.1
# software id = REDACTED
#
# model = RB4011iGS+
# serial number = REDACTED
/interface bridge
add admin-mac=F4:1E:57:0D:41:A7 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] comment="b\C3\BCro"
set [ find default-name=ether6 ] comment=knx
/interface wireguard
add listen-port=21841 mtu=1420 name=seedbox1
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=sfp-sfpplus1 name=sfpv7 vlan-id=7
/interface bonding
add mode=802.3ad name=nas slaves=ether7,ether8
add mode=802.3ad name=switch slaves=ether9,ether10 transmit-hash-policy=\
    layer-2-and-3
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=sfpv7 \
    name=telekom use-peer-dns=yes user=REDACTED
/interface vlan
add interface=switch name=guest vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=GUEST
/interface wifi datapath
add bridge=bridge comment=defconf disabled=no name=capdp
add bridge=bridge comment=guest disabled=no name=guest-datapath vlan-id=50
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no \
    name=family-sec
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=guest-sec
/interface wifi configuration
add channel.reselect-interval=10m..30m comment=family disabled=no mode=ap \
    name=family security=family-sec security.connect-priority=0 .ft=yes \
    .ft-over-ds=yes ssid=BuddhasBlessedBunch
add comment=guest country=Germany datapath=guest-datapath disabled=no mode=ap \
    name=guest security=guest-sec ssid=BuddhasBlessedGuests
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
add name=mgmt ranges=192.168.90.100-192.168.90.254
add name=home ranges=192.168.91.100-192.168.91.254
add name=guest ranges=192.168.50.100-192.168.50.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=2h name=defconf
add address-pool=guest comment=guest interface=guest name=guest
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
set 3 bsd-syslog=yes remote=192.168.88.6 syslog-facility=syslog
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge interface=nas
add bridge=bridge interface=switch
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment=guest tagged=switch,bridge vlan-ids=50
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
add comment=wireguard interface=wireguard1 list=LAN
add comment=jellyfin interface=*13 list=LAN
add interface=sfpv7 list=WAN
add interface=telekom list=WAN
add interface=guest list=LAN
/interface ovpn-server server
add mac-address=FE:97:BD:F3:AB:5D name=ovpn-server1
/interface wifi capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=\
    no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled comment=5ghz disabled=no \
    master-configuration=family slave-configurations=guest supported-bands=\
    5ghz-ax
add action=create-dynamic-enabled comment=2ghx disabled=no \
    master-configuration=family slave-configurations=guest supported-bands=\
    2ghz-ax
/interface wireguard peers
add allowed-address=192.168.87.10/32 client-address=192.168.87.10/32 \
    client-dns=192.168.87.1 client-endpoint=REDACTED \
    interface=wireguard1 name=pixel preshared-key=\
    "REDACTED" private-key=\
    "REDACTED" public-key=\
    "zA3KVqkFdyeYs8SeH5bBty5q8a6aqZjHmywineHN0EQ="
add allowed-address=192.168.87.11/32 client-address=192.168.87.11/32 \
    client-dns=192.168.87.1 client-endpoint=REDACTED \
    interface=wireguard1 name=tuxedo preshared-key=\
    "REDACTED" private-key=\
    "REDACTED" public-key=\
    "hYoazZbXFmbE148jFN8s6v0D3cRCkTawVtaaXySosEE="
add allowed-address=192.168.87.12/32 client-address=192.168.87.12/32 \
    client-dns=192.168.87.1 client-endpoint=REDACTED \
    interface=wireguard1 name=travelrouter preshared-key=\
    "REDACTED" private-key=\
    "REDACTED" public-key=\
    "PaIB5Rp1hI1pRtadUrtSDAFEOI//urx6fhApJaZqrDM="
add allowed-address=192.168.87.13/32 client-address=192.168.87.13/32 \
    client-dns=192.168.87.1 client-endpoint=REDACTED \
    interface=wireguard1 name=iphone preshared-key=\
    "REDACTED" private-key=\
    "REDACTED" public-key=\
    "FHB9LwPAgM7MoR2pSOqO1RnvaAXy77XkpJ4Mo62qPis="
add allowed-address=0.0.0.0/0 endpoint-address=REDACTED endpoint-port=\
    51026 interface=seedbox1 name=seedbox public-key=\
    "Tq7MDaNyunVrfko5mLMWoN8rZ08hSJOCpJEPUfQcHVo="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.87.1/24 comment=wireguard interface=wireguard1 network=\
    192.168.87.0
add address=10.102.6.2/24 comment=seedbox interface=seedbox1 network=\
    10.102.6.0
add address=192.168.1.2/24 comment=luleey interface=sfp-sfpplus1 network=\
    192.168.1.0
add address=192.168.50.1/24 comment=guest interface=guest network=\
    192.168.50.0
/ip dhcp-server network
add address=192.168.50.0/24 comment=guest dns-server=192.168.50.1 gateway=\
    192.168.50.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.14 domain=\
    lan gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=9.9.9.9 verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
add address=192.168.88.3 name=proxmox2.lan type=A
add address=192.168.88.4 name=myspeed.lan type=A
add address=192.168.88.5 name=zigbee2mqtt.lan type=A
add address=192.168.88.6 name=nas.lan type=A
add address=192.168.88.7 name=jellyfin.lan type=A
add address=192.168.88.8 name=syncthing.lan type=A
add address=192.168.88.9 name=paperless.lan type=A
add address=192.168.88.11 name=box.lan type=A
add address=192.168.88.12 name=jellyseerr.lan type=A
add address=192.168.88.14 name=homeassistant.lan type=A
add address=192.168.88.16 name=flaresolverr.lan type=A
add address=192.168.88.17 name=zigbeecoordinator.lan type=A
add address=192.168.88.20 name=proxmox3.lan type=A
add address=192.168.88.21 name=proxmox.lan type=A
add cname=nginx.lan name=jellyfin.REDACTED type=CNAME
add cname=nginx.lan name=jellyseerr.REDACTED type=CNAME
add cname=nginx.lan name=radarr.REDACTED type=CNAME
add cname=nginx.lan name=sonarr.REDACTED type=CNAME
add cname=nginx.lan name=myspeed.REDACTED type=CNAME
add cname=nginx.lan name=paperless.REDACTED type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=mqtt.lan type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=radarr.lan type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=sonarr.lan type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=prowlarr.lan type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=nginx.lan type=CNAME
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow Seedbox (Wireguard )" dst-port=\
    21841 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=seedbox out-interface=seedbox1
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ipv6 dhcp-client
add add-default-route=yes interface=telekom pool-name=pool-ipv6 request=\
    prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system identity
set name=Router
/system logging
set 0 topics=info,!wireless
add action=remote topics=info
add action=remote topics=debug
add action=remote topics=warning
add action=remote topics=critical
add action=remote topics=error
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.de.pool.ntp.org
add address=1.de.pool.ntp.org
add address=2.de.pool.ntp.org
add address=3.de.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes enter-setup-on=delete-key
/system scheduler
add comment=strato interval=1h name=dyndns on-event=\
    "/system script run dyndns" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-10-20 start-time=17:57:15
/system script
add comment=strato dont-require-permissions=no name=dyndns owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source=":global ddnsuser \"REDACTED\"\
    \n:global ddnspass \"REDACTED\"\
    \n:global theinterface \"telekom\"\
    \n:global ddnshost1 \"REDACTED\"\
    \n\
    \n:global ipddns\
    \n:global ipfresh [/ip address get [find where interface=\$theinterface] v\
    alue-name=address]\
    \n\
    \n:if ([ :typeof \$ipfresh ] = nil ) do={\
    \n  :log info (\"DynDNS: No ip address on \$theinterface.\")\
    \n} else={\
    \n  :for i from=( [:len \$ipfresh] - 1) to=0 do={ \
    \n    :if ( [:pick \$ipfresh \$i] = \"/\") do={\
    \n      :set ipfresh [:pick \$ipfresh 0 \$i];\
    \n    }\
    \n  }\
    \n  :if (\$ipddns != \$ipfresh) do={\
    \n    :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\
    \n    :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\
    \n    :log info (\"DynDNS: Update IP needed. Sending UPDATE...!\")\
    \n    :global str1 \"/nic/update\\\?hostname=\$ddnshost1&myip=\$ipfresh\"\
    \n    /tool fetch address=dyndns.strato.com src-path=\$str1 user=\$ddnsuse\
    r password=\$ddnspass mode=https dst-path=(\"/DynDNS.\$ddnshost1\")\
    \n    :delay 1\
    \n    :global str1 [/file find name=\"DynDNS.\$ddnshost1\"];\
    \n    /file remove \$str1\
    \n    :global ipddns \$ipfresh\
    \n    :log info \"DynDNS: IP updated to \$ipfresh!\"\
    \n  } else={\
    \n    :log info \"DynDNS: dont need changes\";\
    \n  }\
    \n}"
/tool e-mail
set from="Router <mikrotik@REDACTED>" port=587 server=\
    smtp.protonmail.ch tls=yes user=mikrotik@REDACTED
/tool graphing interface
add allow-address=192.168.88.0/24 interface=sfp-sfpplus1
add allow-address=192.168.88.0/24 interface=nas
add allow-address=192.168.88.0/24 interface=switch
/tool graphing resource
add allow-address=192.168.88.0/24
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
So if anyone dares to have a look here, I would appreciate it very much.

EDIT: To add a note. My goal here is to only configure a second SSID (guests) with gated access via VLAN at the moment. If I can understand how to properly configure it, I am confident to take it from there.

anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to set up VLAN to pass traffic through a managed switch?

Sat Feb 01, 2025 3:49 pm

I didn't have to look far into your router, it's missing VLANs, only guest is identified.
 
boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

Re: How to set up VLAN to pass traffic through a managed switch?

Sat Feb 01, 2025 3:57 pm

> I didn't have to look far into your router, it's missing VLANs, only guest is identified.
Thanks for having another look!

Can I not have both VLAN traffic and non-VLAN traffic in the same network? My first goal is to only configure the guest VLAN properly, then take it from there.

I ran Torch on the AP:
Screenshot_20250201_145033.png
I ran the same settings on the router and didn't get any traffic.

NA9D
Frequent Visitor
Posts: 73
Joined: Sat Jan 18, 2025 6:58 pm

Re: How to set up VLAN to pass traffic through a managed switch?

Sat Feb 01, 2025 5:22 pm

I just created a guide for setting up InterVLAN routing on the MikroTik. I posted it in the user submitted articles section. Do a search on InterVLAN routing. I have about 16 VLANs I am using to route along with normal LAN traffic.
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to set up VLAN to pass traffic through a managed switch?

Sat Feb 01, 2025 6:11 pm

> I didn't have to look far into your router, it's missing VLANs, only guest is identified.
> Can I not have both VLAN traffic and non-VLAN traffic in the same network? My first goal is to only configure the guest VLAN properly, then take it from there.
Okay, this time I will be less polite, LOL... use the phucking guide --> viewtopic.php?t=143620 (one bridge, all VLANs, bridge does no DHCP)

The switch and AP get trunk ports between each other, including the base or management VLAN, and the switch and AP get an IP address from this VLAN. Only the management VLAN gets tagged to the bridge on the AP.
 
boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

Re: How to set up VLAN to pass traffic through a managed switch?

Sat Feb 01, 2025 9:29 pm

From that thread:
> The only deviation comes when you start using CAPsMAN, but that's another topic (datapath is used to assign VLANs or something like that)

And I use CAPsMAN in my setup as well.
 
mkx
Forum Guru
Posts: 13199
Joined: Thu Mar 03, 2016 10:23 pm

Re: How to set up VLAN to pass traffic through a managed switch?

Sat Feb 01, 2025 9:56 pm

You adapt CAPsMAN configuration to VLANs, not the other way around. So do the VLANs properly first, then worry about CAPsMAN.

And yes, if one doesn't know exactly what he's doing, he will break things ... and probably break them hard. So it's questionable if it's worth doing things only partially in order to not break current setup.
 
boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

Re: How to set up VLAN to pass traffic through a managed switch?

Sun Feb 02, 2025 7:45 pm

Okay, okay, I followed your advice and went all VLAN now. Adapted the CAPsMAN config to it by following the guidance in this thread here: viewtopic.php?p=1123309#p1123309.

Most of the setup works:
  • cAPs get their IP address from the mgmt VLAN/DHCP
  • home WiFi devices get an IP from the home VLAN/DHCP
  • guest WiFi devices get an IP from the guest VLAN/DHCP
However, connecting to the guest and IoT WiFi doesn't grant me access to the internet now. Connecting to the home WiFi works, though.

Router config:
# 2025-02-02 18:32:38 by RouterOS 7.17.1
# software id = REDACTED
#
# model = RB4011iGS+
# serial number = REDACTED
/interface bridge
add admin-mac=F4:1E:57:0D:41:A7 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] comment="b\C3\BCro"
set [ find default-name=ether6 ] comment=knx
/interface wireguard
add listen-port=21841 mtu=1420 name=seedbox1
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=guest-vlan50 vlan-id=50
add interface=bridge name=home-vlan40 vlan-id=40
add interface=bridge name=iot-vlan60 vlan-id=60
add interface=bridge name=mgmt-vlan30 vlan-id=30
add interface=sfp-sfpplus1 name=sfp-vlan7 vlan-id=7
/interface bonding
add mode=802.3ad name=nas slaves=ether7,ether8
add mode=802.3ad name=switch slaves=ether9,ether10 transmit-hash-policy=\
    layer-2-and-3
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=\
    sfp-vlan7 name=telekom use-peer-dns=yes user=REDACTED
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=GUEST
add name=MGMT
/interface wifi datapath
add bridge=bridge comment=defconf disabled=no name=capdp
add comment=guest disabled=no name=guest-datapath vlan-id=50
add comment=home disabled=no name=home-datapath vlan-id=40
add comment=iot disabled=no name=iot-datapath vlan-id=60
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no \
    name=family-sec
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=guest-sec
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=iot-sec
/interface wifi configuration
add channel.reselect-interval=10m..30m comment=family datapath=home-datapath \
    disabled=no mode=ap name=family security=family-sec \
    security.connect-priority=0 .ft=yes .ft-over-ds=yes ssid=\
    BuddhasBlessedBunch
add comment=guest datapath=guest-datapath disabled=no mode=ap name=guest \
    security=guest-sec ssid=BuddhasBlessedGuests
add comment=iot datapath=iot-datapath disabled=no mode=ap name=iot security=\
    iot-sec ssid=BuddhasBlessedDevices
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
add name=mgmt ranges=192.168.30.100-192.168.30.254
add name=home ranges=192.168.40.100-192.168.40.254
add name=guest ranges=192.168.50.100-192.168.50.254
add name=iot ranges=192.168.60.100-192.168.60.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=2h name=defconf
add address-pool=mgmt comment=mgmt-vlan30 interface=mgmt-vlan30 name=mgmt
add address-pool=home comment=home-vlan40 interface=home-vlan40 name=home
add address-pool=guest comment=guest-vlan50 interface=guest-vlan50 name=guest
add address-pool=iot comment=iot-vlan60 interface=iot-vlan60 name=iot
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
set 3 bsd-syslog=yes remote=192.168.88.6 syslog-facility=syslog
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3 pvid=30
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge interface=nas
add bridge=bridge interface=switch
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment=vlan tagged=switch,bridge vlan-ids=30,40,50,60
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
add comment=wireguard interface=wireguard1 list=LAN
add interface=sfp-vlan7 list=WAN
add interface=telekom list=WAN
add comment=home interface=home-vlan40 list=LAN
add comment=mgmt interface=mgmt-vlan30 list=LAN
add comment=mgmt interface=mgmt-vlan30 list=MGMT
/interface ovpn-server server
add mac-address=FE:97:BD:F3:AB:5D name=ovpn-server1
/interface wifi capsman
set ca-certificate=auto enabled=yes interfaces=mgmt-vlan30 package-path="" \
    require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled comment=5ghz disabled=no \
    master-configuration=family slave-configurations=guest,iot \
    supported-bands=5ghz-ax
add action=create-dynamic-enabled comment=2ghx disabled=no \
    master-configuration=family slave-configurations=guest,iot \
    supported-bands=2ghz-ax
/interface wireguard peers
add allowed-address=192.168.87.10/32 client-address=192.168.87.10/32 \
    client-dns=192.168.87.1 client-endpoint=REDACTED \
    interface=wireguard1 name=pixel preshared-key=\
    "REDACTED" private-key=\
    "REDACTED" public-key=\
    "zA3KVqkFdyeYs8SeH5bBty5q8a6aqZjHmywineHN0EQ="
add allowed-address=192.168.87.11/32 client-address=192.168.87.11/32 \
    client-dns=192.168.87.1 client-endpoint=REDACTED \
    interface=wireguard1 name=tuxedo preshared-key=\
    "REDACTED" private-key=\
    "REDACTED" public-key=\
    "hYoazZbXFmbE148jFN8s6v0D3cRCkTawVtaaXySosEE="
add allowed-address=192.168.87.12/32 client-address=192.168.87.12/32 \
    client-dns=192.168.87.1 client-endpoint=REDACTED \
    interface=wireguard1 name=travelrouter preshared-key=\
    "REDACTED" private-key=\
    "REDACTED" public-key=\
    "PaIB5Rp1hI1pRtadUrtSDAFEOI//urx6fhApJaZqrDM="
add allowed-address=192.168.87.13/32 client-address=192.168.87.13/32 \
    client-dns=192.168.87.1 client-endpoint=REDACTED \
    interface=wireguard1 name=iphone preshared-key=\
    "REDACTED" private-key=\
    "REDACTED" public-key=\
    "FHB9LwPAgM7MoR2pSOqO1RnvaAXy77XkpJ4Mo62qPis="
add allowed-address=0.0.0.0/0 endpoint-address=REDACTED endpoint-port=\
    51026 interface=seedbox1 name=seedbox public-key=\
    "Tq7MDaNyunVrfko5mLMWoN8rZ08hSJOCpJEPUfQcHVo="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.87.1/24 comment=wireguard interface=wireguard1 network=\
    192.168.87.0
add address=10.102.6.2/24 comment=seedbox interface=seedbox1 network=\
    10.102.6.0
add address=192.168.50.1/24 comment=guest interface=guest-vlan50 network=\
    192.168.50.0
add address=192.168.30.1/24 comment=mgmt interface=mgmt-vlan30 network=\
    192.168.30.0
add address=192.168.40.1/24 comment=home interface=home-vlan40 network=\
    192.168.40.0
add address=192.168.60.1/24 comment=iot interface=iot-vlan60 network=\
    192.168.60.0
/ip dhcp-server network
add address=192.168.30.0/24 comment=mgmt-vlan30 dns-server=192.168.30.1 \
    domain=vlan30.lan gateway=192.168.30.1
add address=192.168.40.0/24 comment=home-vlan40 dns-server=192.168.40.1 \
    domain=vlan40.lan gateway=192.168.40.1
add address=192.168.60.0/24 comment=iot-vlan60 dns-server=192.168.60.1 \
    domain=vlan60.lan gateway=192.168.60.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.14 domain=\
    lan gateway=192.168.88.1 netmask=24
add address=192.169.50.0/24 comment=guest-vlan50 dns-server=192.168.50.1 \
    domain=vlan50.lan gateway=192.168.50.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9 verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
add address=192.168.88.3 name=proxmox2.lan type=A
add address=192.168.88.4 name=myspeed.lan type=A
add address=192.168.88.5 name=zigbee2mqtt.lan type=A
add address=192.168.88.6 name=nas.lan type=A
add address=192.168.88.7 name=jellyfin.lan type=A
add address=192.168.88.8 name=syncthing.lan type=A
add address=192.168.88.9 name=paperless.lan type=A
add address=192.168.88.11 name=box.lan type=A
add address=192.168.88.12 name=jellyseerr.lan type=A
add address=192.168.88.14 name=homeassistant.lan type=A
add address=192.168.88.16 name=flaresolverr.lan type=A
add address=192.168.88.17 name=zigbeecoordinator.lan type=A
add address=192.168.88.20 name=proxmox3.lan type=A
add address=192.168.88.21 name=proxmox.lan type=A
add cname=nginx.lan name=jellyfin.REDACTED type=CNAME
add cname=nginx.lan name=jellyseerr.REDACTED type=CNAME
add cname=nginx.lan name=radarr.REDACTED type=CNAME
add cname=nginx.lan name=sonarr.REDACTED type=CNAME
add cname=nginx.lan name=myspeed.REDACTED type=CNAME
add cname=nginx.lan name=paperless.REDACTED type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=mqtt.lan type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=radarr.lan type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=sonarr.lan type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=prowlarr.lan type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=nginx.lan type=CNAME
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow Seedbox (Wireguard )" dst-port=\
    21841 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=log chain=forward comment="guest log" in-interface=guest-vlan50 \
    out-interface-list=WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=seedbox out-interface=seedbox1
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ipv6 dhcp-client
add add-default-route=yes interface=telekom pool-name=pool-ipv6 request=\
    prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Router
/system logging
set 0 topics=info,!wireless
add action=remote topics=info
add action=remote topics=debug
add action=remote topics=warning
add action=remote topics=critical
add action=remote topics=error
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.de.pool.ntp.org
add address=1.de.pool.ntp.org
add address=2.de.pool.ntp.org
add address=3.de.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes enter-setup-on=delete-key
/system scheduler
add comment=strato interval=1h name=dyndns on-event=\
    "/system script run dyndns" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-10-20 start-time=17:57:15
/system script
add comment=strato dont-require-permissions=no name=dyndns owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source=":global ddnsuser \"REDACTED\"\
    \n:global ddnspass \"REDACTED\"\
    \n:global theinterface \"telekom\"\
    \n:global ddnshost1 \"REDACTED\"\
    \n\
    \n:global ipddns\
    \n:global ipfresh [/ip address get [find where interface=\$theinterface] v\
    alue-name=address]\
    \n\
    \n:if ([ :typeof \$ipfresh ] = nil ) do={\
    \n  :log info (\"DynDNS: No ip address on \$theinterface.\")\
    \n} else={\
    \n  :for i from=( [:len \$ipfresh] - 1) to=0 do={ \
    \n    :if ( [:pick \$ipfresh \$i] = \"/\") do={\
    \n      :set ipfresh [:pick \$ipfresh 0 \$i];\
    \n    }\
    \n  }\
    \n  :if (\$ipddns != \$ipfresh) do={\
    \n    :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\
    \n    :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\
    \n    :log info (\"DynDNS: Update IP needed. Sending UPDATE...!\")\
    \n    :global str1 \"/nic/update\\\?hostname=\$ddnshost1&myip=\$ipfresh\"\
    \n    /tool fetch address=dyndns.strato.com src-path=\$str1 user=\$ddnsuse\
    r password=\$ddnspass mode=https dst-path=(\"/DynDNS.\$ddnshost1\")\
    \n    :delay 1\
    \n    :global str1 [/file find name=\"DynDNS.\$ddnshost1\"];\
    \n    /file remove \$str1\
    \n    :global ipddns \$ipfresh\
    \n    :log info \"DynDNS: IP updated to \$ipfresh!\"\
    \n  } else={\
    \n    :log info \"DynDNS: dont need changes\";\
    \n  }\
    \n}"
/tool e-mail
set from="Router <mikrotik@REDACTED>" port=587 server=\
    smtp.protonmail.ch tls=yes user=mikrotik@REDACTED
/tool graphing interface
add allow-address=192.168.88.0/24 interface=sfp-sfpplus1
add allow-address=192.168.88.0/24 interface=nas
add allow-address=192.168.88.0/24 interface=switch
/tool graphing resource
add allow-address=192.168.88.0/24
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

AP Ground floor config:
# 2025-02-02 18:34:20 by RouterOS 7.17.1
# software id = REDACTED
#
# model = cAPGi-5HaxD2HaxD
# serial number = REDACTED
/interface bridge
add admin-mac=48:A9:8A:A2:9D:29 auto-mac=no comment=defconf name=bridgeLocal \
    vlan-filtering=yes
/interface vlan
add comment=mgmt interface=ether1 name=mgmt-vlan30 vlan-id=30
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN F4:1E:57:0D:41:A7%mgmt-vlan30, traffic processing on CAP
# mode: AP, SSID: BuddhasBlessedBunch, channel: 5500/ax/Ceee/D
set [ find default-name=wifi1 ] configuration.country=Germany .manager=\
    capsman .mode=ap datapath=capdp disabled=no
# managed by CAPsMAN F4:1E:57:0D:41:A7%mgmt-vlan30, traffic processing on CAP
# mode: AP, SSID: BuddhasBlessedBunch, channel: 2462/ax/eC
set [ find default-name=wifi2 ] configuration.country=Germany .manager=\
    capsman .mode=ap datapath=capdp disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface bridge vlan
add bridge=bridgeLocal comment=vlan tagged=bridgeLocal,ether1 vlan-ids=\
    30,40,50,60
/interface ovpn-server server
add mac-address=FE:81:CE:1B:D8:03 name=ovpn-server1
/interface wifi cap
set discovery-interfaces=mgmt-vlan30 enabled=yes slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=mgmt-vlan30
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name="AP Hauswirtschaftsraum"
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes

AP First floor config:
# 2025-02-02 18:33:23 by RouterOS 7.17.1
# software id = REDACTED
#
# model = cAPGi-5HaxD2HaxD
# serial number = REDACTED
/interface bridge
add admin-mac=48:A9:8A:A2:8F:9C auto-mac=no comment=defconf name=bridgeLocal \
    vlan-filtering=yes
/interface vlan
add interface=ether1 name=mgmt-vlan30 vlan-id=30
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN F4:1E:57:0D:41:A7%mgmt-vlan30, traffic processing on CAP
# mode: AP, SSID: BuddhasBlessedBunch, channel: 5720/ax/eeeC/D
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp \
    disabled=no
# managed by CAPsMAN F4:1E:57:0D:41:A7%mgmt-vlan30, traffic processing on CAP
# mode: AP, SSID: BuddhasBlessedBunch, channel: 2467/ax/eC
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp \
    disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/ipv6 settings
set max-neighbor-entries=15360 min-neighbor-entries=3840 \
    soft-max-neighbor-entries=7680
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=30,40,50,60
/interface wifi cap
set discovery-interfaces=mgmt-vlan30 enabled=yes slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=mgmt-vlan30
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name="AP Dachboden"
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
 
mkx
Forum Guru
Forum Guru
Posts: 13199
Joined: Thu Mar 03, 2016 10:23 pm

Re: How to set up VLAN to pass traffic through a managed switch?

Sun Feb 02, 2025 7:57 pm

However, connecting to the guest and iot WiFi doesn't grant me access to the internet now.

Could be it's because you're blocking access to DNS server on router itself from !LAN subnets (blocked by general "drop input all not from LAN"). You'll have to create allow rules for both TCP and UDP port 53 ... and be careful not to allow it from WAN interface list. These rules then have to be above the "drop input from not LAN" rule.
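The input-chain rules mkx describes, written out as an added example (this is not part of mkx's reply or of boxcee's posted config). It assumes the RouterOS default-config layout: the uplink sits in the interface list named WAN, and the catch-all on the input chain still carries the comment "defconf: drop all not coming from LAN", which is what the rules are placed before. If your drop rule is commented differently, change the comment match.

```routeros
# Added example: let clients on the guest/IoT VLANs reach the router's own
# DNS resolver without exposing it towards the Internet.
# Assumptions: the uplink is in the interface list "WAN", and the existing
# catch-all on the input chain carries the default-config comment
# "defconf: drop all not coming from LAN". New rules are placed before it.

# The router only answers DNS at all if remote requests are enabled.
/ip dns set allow-remote-requests=yes

# Accept DNS from every interface that is NOT in the WAN list. Matching on
# !WAN rather than on LAN means a VLAN that was never added to the LAN list
# (the guest case in this thread) is still allowed, while the uplink stays out.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=!WAN \
    comment="allow DNS (UDP) from non-WAN interfaces" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]
add chain=input action=accept protocol=tcp dst-port=53 in-interface-list=!WAN \
    comment="allow DNS (TCP) from non-WAN interfaces" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]

# Checks.
# 1. Both accept rules must be listed above the drop rule:
/ip firewall filter print where chain=input
# 2. Nothing on the input chain may accept port 53 from the WAN list; an
#    open resolver on the WAN side is the classic mistake here:
/ip firewall filter print where chain=input action=accept dst-port=53 in-interface-list=WAN
# 3. Confirm the VLAN sub-interfaces are not members of the WAN list:
/interface list member print where list=WAN
```

Rule order is what matters: the accept rules are evaluated before the drop, and the drop keeps protecting every other service on the router from the guest VLAN.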
 
NA9D
Frequent Visitor
Frequent Visitor
Posts: 73
Joined: Sat Jan 18, 2025 6:58 pm

Re: How to set up VLAN to pass traffic through a managed switch?

Sun Feb 02, 2025 9:09 pm

You can set which interface gets DHCP requests. You should really have a separate VLAN set up for your LAN that is different from the management VLAN of your switches. Put all your LAN traffic on that VLAN (maybe you do - I'll be honest I haven't read the entire thread). Then set the DHCP server to hand out addresses on that interface:

In my case VLAN 5 is the LAN. See the pic:
You should need minimal firewall rules to pass traffic between VLANS unless you want to limit certain traffic between them. If you have the interfaces set up properly then the traffic just flows. Again - see the guide I wrote.
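A router-side sketch of what NA9D is describing, added here as an example; it is not taken from NA9D's write-up or from boxcee's config. The names are assumptions: the bridge is called bridge, the trunk to the switch is ether2, the routable LAN is VLAN 5 at 192.168.5.0/24 (VLAN 5 being the number NA9D mentions), and the management VLAN already exists separately.

```routeros
# Added example: a routable LAN VLAN (VLAN 5) with its own DHCP server,
# kept apart from the management VLAN.
# Assumed names/addresses: bridge "bridge", trunk port ether2, 192.168.5.0/24.

# 1. L2: the VLAN has to be carried on the trunk AND be tagged on the bridge
#    itself, otherwise the router's own VLAN interface never sees the frames.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=5 comment="LAN VLAN on trunk"

# 2. L3: the VLAN interface sits on the bridge, not on a physical port.
/interface vlan
add name=vlan5-lan interface=bridge vlan-id=5 comment="routable LAN (not mgmt)"
/ip address
add address=192.168.5.1/24 interface=vlan5-lan

# 3. DHCP is bound to the VLAN interface, not to the bridge, so every VLAN
#    gets its own pool, gateway and DNS setting.
/ip pool
add name=pool-lan ranges=192.168.5.100-192.168.5.199
/ip dhcp-server
add name=dhcp-lan interface=vlan5-lan address-pool=pool-lan lease-time=1d
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1 dns-server=192.168.5.1

# 4. Make the VLAN a LAN member so the default firewall treats it as inside.
/interface list member
add list=LAN interface=vlan5-lan

# Checks: no DHCP server should be left bound directly to "bridge", and the
# bridge must appear in the tagged column for VLAN 5.
/ip dhcp-server print
/interface bridge vlan print where vlan-ids=5
```

Inter-VLAN routing then works without extra rules because all the VLAN interfaces are routed on the same box, which is NA9D's "the traffic just flows" point; restricting traffic between VLANs is a forward-chain firewall question, not a VLAN one.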
 
NA9D
Frequent Visitor
Frequent Visitor
Posts: 73
Joined: Sat Jan 18, 2025 6:58 pm

Re: How to set up VLAN to pass traffic through a managed switch?

Sun Feb 02, 2025 9:13 pm

Here's the link to the writeup I did. It was only thanks to Lurker88 that I was able to do this:

viewtopic.php?t=214252

I have 16 VLANs. Two managed switches and the MikroTik all connected by 10G links. Traffic routes smoothly through all of them and between all of them.

I'm not an expert on this in any shape or form. Just did this to try to help people out and reinforce what I learned by putting it to paper.
 
boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

Re: How to set up VLAN to pass traffic through a managed switch?

Sun Feb 02, 2025 9:28 pm

However, connecting to the guest and iot WiFi doesn't grant me access to the internet now.

Could be it's because you're blocking access to DNS server on router itself from !LAN subnets (blocked by general "drop input all not from LAN"). You'll have to create allow rules for both TCP and UDP port 53 ... and be careful not to allow it from WAN interface list. These rules then have to be above the "drop input from not LAN" rule.
Yes, this partly solved it. I added both to my LAN interface list which should grant them access to the router (for now).

However, the guest one still doesn't go through. I explicitly set the DNS server to 192.168.50.1 and tested it on a device connected to the guest network. All working as expected. However, when I try to access this forum for example or run a speedtest = no connection.
 
boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

Re: How to set up VLAN to pass traffic through a managed switch?

Sun Feb 02, 2025 9:30 pm

You can set which interface gets DCHP requests. You should really have a separate VLAN set up for your LAN that is different from the management VLAN of your switches.
Thanks, that is my setup exactly. The DHCP requests look fine. Depending on which SSID I am connected to, I get different IP addresses of the respective pools.
 
NA9D
Frequent Visitor
Frequent Visitor
Posts: 73
Joined: Sat Jan 18, 2025 6:58 pm

Re: How to set up VLAN to pass traffic through a managed switch?

Sun Feb 02, 2025 9:37 pm

Now you have me curious and I'll have to read this whole thread! 😀. But I have a five-hour drive ahead of me.

Have you added the guest vlan as an interface of the LAN?
 
anav
Forum Guru
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to set up VLAN to pass traffic through a managed switch?

Sun Feb 02, 2025 9:55 pm

ROUTER

VeRY confUsing!!
Make up your mind.
1. USE VLANS, do not assign dhcp to bridge etc.

2. a. What should NOT be on your router anywhere is 192.168.88.0
- if you need it assign another vlan but you already have a home subnet, and a management subnet, so WTF is 192.168.88 ???

b. What should be on your router everywhere is the management vlan 30 and you have it covered; the only thing I don't understand is what is the meaning of capdp on the wifi datapath settings?

c. You will note that
- the unknown 192.168.88 does not have a datapath assignment,
- the unknown 192.168.88 is going to ports 1,2,4,5,6 ( and if its not home, iot, home, guest, or management ?????????????? )

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Conclusion --> Before proceeding need to know what is the purpose of the 192.168.88 network. If I had to guess, which I hate to do, it's that it's the WIRED home network and in reality there should be only ONE home network and for some reason you have split the two up. So the question is, do you actually need a separate, call it WORK, network that is wired, that home users should not automatically access over Layer 2 (just one simple home subnet), and which the wired home users should not be able to access the wifi home users automatically...... ????????????

PS Also what is the purpose of the capds setting??


+++++++++++++++++++++++

Ground AP,

1. what the heck is attached to ether2 ???

2. Why do you have datacap stuff for vlan 30, when you are not sending any wifi out 30 and you already have the dhcp client set to vlan30.
Much easier to turn the dhcp client OFF, and set a fixed static IP address on vlan30 for each AP.

3. The interface for the management vlan should be the bridge, not ether1

4. I don't see any assignment of data vlans on the AP ??? what is on wifi1 and wifi2 ?????? how do vlans 40,50,60 get assigned???

+++++++++++++++++++++++++

AP first floor

ALL SAME COMMENTS.
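The CAP-side layout anav's points 2 and 3 describe (management VLAN interface on the bridge, static address, no DHCP client), written out as an added example; this is not boxcee's posted config and not anav's text. Assumed values: management VLAN 30 is 192.168.30.0/24 with the router/CAPsMAN at 192.168.30.1, this AP takes 192.168.30.11, and the tagged uplink arrives on ether1.

```routeros
# Added example: a cAP with the management VLAN interface on the bridge and a
# static management address instead of a DHCP client.
# Assumptions: VLAN 30 = 192.168.30.0/24, CAPsMAN/gateway 192.168.30.1,
# this AP = 192.168.30.11, trunk on ether1.

/interface bridge
add name=bridgeLocal comment="vlan-filtering is switched on last, see below"
/interface bridge port
add bridge=bridgeLocal interface=ether1 frame-types=admit-only-vlan-tagged
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=30,40,50,60

# The management VLAN interface hangs off the bridge (which is in the tagged
# list for VLAN 30), not off the physical port.
/interface vlan
add name=mgmt-vlan30 interface=bridgeLocal vlan-id=30 comment=mgmt

# Static management address: no DHCP client on the AP.
/ip dhcp-client
remove [find interface=mgmt-vlan30]
/ip address
add address=192.168.30.11/24 interface=mgmt-vlan30
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.30.1
/ip dns
set servers=192.168.30.1

# CAP registration over the management VLAN. The per-SSID VLAN (40/50/60)
# is not set on the AP: with "traffic processing on CAP" it comes from the
# datapath that CAPsMAN pushes for each SSID.
/interface wifi datapath
add name=capdp bridge=bridgeLocal
/interface wifi cap
set enabled=yes discovery-interfaces=mgmt-vlan30 \
    caps-man-addresses=192.168.30.1 slaves-datapath=capdp

# Enable filtering only after the VLAN table is complete, otherwise the
# management path can be cut before it is allowed.
/interface bridge
set bridgeLocal vlan-filtering=yes

# Checks: ether1 must show tagged 30,40,50,60, and the CAP must report its
# manager as reachable over mgmt-vlan30.
/interface bridge vlan print
/interface wifi cap print
```

Applying this from a console or from a port that is not on the bridge avoids losing the session when vlan-filtering is switched on.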
 
boxcee
newbie
Topic Author
Posts: 29
Joined: Tue Oct 15, 2024 11:12 am

Re: How to set up VLAN to pass traffic through a managed switch?

Sun Feb 02, 2025 10:51 pm

Have you added the guest vlan as an interface of the LAN?
I presume you mean the LAN interface list? Yes, I did.

Regarding your guide: I think my setup is similar, except that I do use the mgmt VLAN to hand out IP addresses instead. What is your reasoning to adding this additional LAN VLAN?
 
NA9D
Frequent Visitor
Frequent Visitor
Posts: 73
Joined: Sat Jan 18, 2025 6:58 pm

Re: How to set up VLAN to pass traffic through a managed switch?

Mon Feb 03, 2025 1:36 am

With most managed switches (Cisco, Ubiquiti, etc), the management VLAN is non-routable. So if you want to route from your LAN to other VLANs and back, you need to use a routable VLAN. Some switch models I've seen do allow it on the management VLAN but most do not. When I was setting up the VLAN routing on the Mikrotik with Lurker88's help, he told me it is best practice to use a different VLAN for the LAN than the management VLAN. So glad I was doing something correctly all these years! :D
 
lurker888
Frequent Visitor
Frequent Visitor
Posts: 74
Joined: Thu Mar 02, 2023 12:33 am

Re: How to set up VLAN to pass traffic through a managed switch?

Mon Feb 03, 2025 3:48 am

I was the one who recommended adding an additional management VLAN. The fact that many L3 switches are hard-wired, config-wise, to have one is one of the reasons.

The other being that in larger deployments (anything commercial/enterprise) you have to deal with security and uptime issues. Having a management VLAN limits the attack surface to the gateway(s) used to access this VLAN. It's quite common to run several devices worth (several) thousand dollars each, and not want to update them. (A few reasons: The manufacturer doesn't, or is slow to release a software update; the manufacturer wants a "support" contract, with its associated costs; you want to test the new version extensively before upgrading production; you have to wait for or allocate a maintenance window for such an upgrade...) If you don't run anything of importance then of course this doesn't apply to you. It's still best (and down the line actually easier) to follow best practices. At first it might seem inconvenient, but believe me, it very soon becomes second nature to do so. It also makes life much easier when using equipment from multiple vendors; and perversely the higher the tier of the equipment, the more often such a configuration is the expected (or the only supported) one.

Many management VLANs do hand out addresses via DHCP (and I usually set them up like this.) This is just to simplify connecting something to it, and not have to manually reconfigure the network interface each time.
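What "limits the attack surface to the gateway(s)" looks like on the router in RouterOS terms, as an added example; it is not lurker888's text and not boxcee's config. Assumptions: the management VLAN is 192.168.30.0/24 on an interface named vlan30-mgmt, management is done over SSH and WinBox only, and the default-config drop rule on the input chain is still commented "defconf: drop all not coming from LAN".

```routeros
# Added example: pin router management to the management VLAN.
# Assumptions: mgmt VLAN 30 = 192.168.30.0/24 on interface vlan30-mgmt,
# default-config input drop rule comment "defconf: drop all not coming from LAN".
# Apply this from a session on the management VLAN (or the serial console);
# the drop rule in step 4 cuts any management session coming from elsewhere.

# 1. An interface list for management, so rules do not name VLANs directly.
/interface list
add name=MGMT
/interface list member
add list=MGMT interface=vlan30-mgmt

# 2. Services: turn off what is unused, bind the rest to the mgmt subnet.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=192.168.30.0/24
set winbox address=192.168.30.0/24

# 3. Layer-2 management paths (MAC telnet, MAC WinBox, neighbor discovery)
#    do not care about IP addresses, so restrict them to the same list.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT

# 4. Firewall: accept the management ports only from MGMT and drop them from
#    every other interface, other VLANs included. Both rules go above the
#    default catch-all; the accept is added first so it lands above the drop.
/ip firewall filter
add chain=input action=accept in-interface-list=MGMT protocol=tcp dst-port=22,8291 \
    comment="mgmt: ssh/winbox from management VLAN" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]
add chain=input action=drop protocol=tcp dst-port=22,8291 \
    comment="mgmt: ssh/winbox from anywhere else" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]

# 5. DHCP on the management VLAN, as lurker888 does: a small pool so a laptop
#    plugged into a management port gets an address without manual setup.
/ip pool
add name=pool-mgmt ranges=192.168.30.200-192.168.30.220
/ip dhcp-server
add name=dhcp-mgmt interface=vlan30-mgmt address-pool=pool-mgmt lease-time=1h
/ip dhcp-server network
add address=192.168.30.0/24 gateway=192.168.30.1

# Checks: SSH/WinBox from a host on another VLAN must fail, from the mgmt
# VLAN must succeed, and the WAN side must not answer either.
/ip service print
/ip firewall filter print where chain=input dst-port=22,8291
```

The service address restriction and the firewall rules overlap on purpose: the firewall stops the packets before they reach the service, and the address binding is the fallback if a firewall rule is later moved or disabled.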