Hi,

I got a brand new hEX S and a CSS326.

I got a Proxmox-Server with 3 NICs. One NIC should be used for webservers and forbid any connections to my LAN, therefore it has to be in a VLAN.

I want my "normal" LAN without VLAN just running. Thus, I can replace in emergency cases the mikrotik with another router and everything will run without VLANs.

Eth1 of the hEX is connected to my "modem", better "router" from my ISP. I forward every port to the mikrotik. This works and worked before. My LAN is in 192.168.0.1/24 (this is the IP of my hEX).

Eth5 is connected to the CSS.

At first I want 2 VLANs:

- VLAN10 (192.168.10.1/24) on eth4. this should be only accessible by three LXCs (IPs: 192.168.10.10-12) connected in Port 17 of the CSS) and to the internet. How can I prevent a loop to eth5?

- VLAN20 (192.168.20.1/24) on eth5 and probably eth2. This should be used for my printers and WLAN. Therefore, a VLAN-routing to my normal LAN should be possible.



I tried but I can't get it running (better: I failed hard..) and now I'm just back at 0 to start from scratch again.

What do I have to do in RouterOS, SwOS and PVE? Is a bridge in the hEX neccessary?

Please help me with the GUI, not with CLI

This is my setup in the RouterOS:
and this is the Switch:

And here you can see my PVE-Setup:
But the Test-LXC doesn't get a DHCP-IP nor can it ping google.com

You want us to design your VLAN, that is understandable because with MikroTik, you would have needed to be reading about it for several weeks by now. If you want help around here, then start off with a really nice shiny diagram of what you envision your network should be.

How can I make a shiny diagram?

How can I make a shiny diagram?

Here is an online tool to make a diagram.

I made one quick and dirty.
Hope you can see what I want

The Webserver are: Reverse Proxy, Nextcloud and Wordpress (three different IPs).

Your diagram helps, a little, but it does not match your written description. Also, I don't know how to configure the CSS326 switches, only the CRS326 (note the R) versions. However, I believe I can talk you through the correct MikroTik terminology none the less. Also, I believe that what you are wanting is not the best approach. So, now that I understand your goals a little better, I will make you a better diagram.

If you can, return the CSS and get the CRS so that you have flexibility (RouterOS & SwOS) to learn MikroTik systems. Wow, did I really just say that?

Sorry for the confusion. I tried so much the past days and I'm confused myself

I appreciate your help very much.

I can't return the CSS, since I use it for 4 years or so now. It is a good switch, that's why I purchased the hEX S.

Here is where we can start the discussion from. I have created a sample diagram for you to work with and edit. Download it and load it into the draw.io website.

Notes:
router = HexS
switch = CSS326
WifiAP = ?
Another switch = ?

Update the XML diagram with VLANs as you see fit. Also make corrections about how the Proxmox server connects to local PCs. Is there a local switch there? Probably should be, or does both the Server and all its clients connect to ports on the CSS326 switch?

VLANS:
For each VLAN, you will have a different subnet, so VLAN10 = 192.168.10.x, VLAN20 = 192.168.20.x. When desiging vlans, note that there is always a native vlan (VLAN1) in a vlan network. This will be, I assume your 192.168.0.x network.

Connections:
Router ether1 plugged into the modem. Router ether5 plugged into Switch ether1. Everything else is plugged into free ports on the switch.

that looks like a great idea

I plugged the NIC of my webservers into the router (eth4) with an own address (192.168.100.0/24) without VLAN and it works. Thus, the problem must be something with SwOS and/or Proxmox.