I am setting up a vlan using a mikrotik RB500 router running v3.10 and a netgear FS726T managed switch.

The switch supports vlans (802.1Q and Port Based)

The router is setup using nat with ether1 connected to the wan and ether2 connected to the lan. The vlan is setup on the ether2 interface like this:
- On the switch, the default VLAN Id is 1.
- Added a second vlan with id 2
- On Switch Port 1 I set vlan 2 to tag egress ports
- On Switch Port 24 I set vlan 2 to untag egress ports
- Changed the PVID on switch port 24 to 2
- Removed switch port 24 from vlan 1

When I plug into switch port 24, I recieve a dhcp address from the router from the vlan2 subnet. Trouble is, I can ping across to the subnet on the ether2 interface.

I have added a firewall rule to prevent cross subnet talking, but I was under the impression that this was not something that needed to be done when setting up a vlan. Can anyone give me some insight into this as to what I may be missing. I have tried modifying some settings on the switch etc, with the same results so I am wondering if it is something the Mikrotik allows by design.

If you need further config details, just ask. Thanks for your time.

You should put 10.10.10.x ether2 traffic on a vlan as well instead of mixing tagged and untagged traffic on the same port. Otherwise, it might be possible elsewhere to pick up or join the vlan2 traffic on the untagged 10.10.10.x network. It may not fix your problem, but it's a better way of keeping those two network separate. A switch port can have multiple tagged vlans for that reason.

Thanks for the reply. That does make sense and the thought crossed my brain that I may have needed to do more. I will give that a try, if adding two vlan's and using those works, I will do just that.

I will post back soon after this is tested.

Thanks again for your time.