I’ve spent far longer than expected setting up a VLAN on my network for IoT devices which I don’t want to have access to the internet. I’m running an RB4011iGS+ router with RouterOS 6.48.4, and what I thought was a simple change took the whole network down for a while.

Granted, I’m not the most skilled network admin around, but I have built networks in the past and I’m (partly) maintaining them at work, yet apparently I’m approaching this from the wrong angle somehow.

The current setup is a single subnet (172.17.0.0/24) where the MikroTik manages firewalling and DHCP without VLANs. The WAN side has an SFP module for the uplink, a couple of bridged ports for that to provide raw internet to my server, some static mappings on the DHCP and things like that, pretty basic stuff. Other hardware includes UniFi access points, a managed switch and various stuff which just connects to the network.

Now, I’d like to add a VLAN (id 20, not that it matters) to the setup so I could have another /24 subnet for IoT devices. What I thought would be enough: take a couple of ports from the existing LAN bridge, create a new bridge, set up a VLAN interface with an IP and a DHCP server, connect a tagged port on my switch, connect a laptop to an untagged port for testing, and configure the switch so that I could have another SSID on the access points on that VLAN and connect a couple of other things directly to the switch.

There are plenty of guides around the net, but when I attempted to follow them I ended up in a situation where the untagged port just would not work with ARP. I could dump traffic on my laptop with Wireshark and there are ARP ‘who-has’ requests running, but the MikroTik won’t reply to those no matter what I do. The same of course goes for DHCP requests and all traffic in general. My laptop would receive an ARP query when attempting to ping it from the router, and the laptop would respond, but sniffing traffic on the MikroTik port the reply just disappears somewhere. No matter if I have the switch in between to untag the VLAN for the port, or connect the cable directly to the MikroTik, or even move the laptop to VLAN20 and use that as a test setup.

What I’m currently assuming is that the problem is with the non-tagged “general” network I’m running. As in, VLAN20 and VLAN-nothing somehow are fundamentally incompatible on RouterOS, but that seems kind of backwards.

The end goal would be to have a trunk port on the router and on the switch and distribute VLANs to ports as needed. Or even a port for generic use and another for VLAN networks. Maybe someone here is more experienced with RouterOS and could point me in the right direction?
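As an added example (not from the post and not MikroTik's own documentation), here is the single-bridge, bridge-VLAN-filtering layout that RouterOS 6.41+ expects, in place of the second-bridge approach the post describes; the existing untagged LAN stays on the bridge's default VLAN 1 and the IoT VLAN gets its own L3 interface on the same bridge. Assumed names: the existing LAN bridge is bridge1, ether2 (trunk to the switch) and ether5 (untagged test port) are already bridge1 ports, the IoT subnet is 172.17.20.0/24, the uplink is in an interface list named WAN, and the router already answers DNS for clients.

```routeros
# Added example, not the poster's configuration. Assumed names: bridge1, ether2 (trunk),
# ether5 (untagged IoT test port), interface list "WAN", IoT subnet 172.17.20.0/24.
# Run from a terminal in Safe Mode (Ctrl+X): if the session drops, every change rolls back.

# 1. Keep VLAN filtering off while the bridge is being changed. The existing untagged LAN
#    keeps using VLAN 1, because the bridge and its ports have pvid=1 unless changed.
/interface bridge set bridge1 vlan-filtering=no

# 2. Port VLAN IDs. The trunk keeps pvid=1 (untagged frames = existing LAN); the access
#    port gets pvid=20 so the bridge itself places the laptop's untagged frames into VLAN 20.
/interface bridge port set [find interface=ether2] pvid=1
/interface bridge port set [find interface=ether5] pvid=20

# 3. Bridge VLAN table. bridge1 MUST be in the tagged list: that is what lets VLAN 20 reach
#    the CPU. Without it the router never answers ARP or DHCP on the VLAN, which matches the
#    symptom in the post (requests visible on the wire, replies never appear).
/interface bridge vlan add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether2 untagged=ether5

# 4. The L3 interface for VLAN 20 sits on the bridge, not on a physical port or a second bridge.
/interface vlan add name=vlan20 interface=bridge1 vlan-id=20
/ip address add address=172.17.20.1/24 interface=vlan20

# 5. DHCP for the IoT subnet (assumes the router serves DNS to clients).
/ip pool add name=iot-pool ranges=172.17.20.10-172.17.20.200
/ip dhcp-server add name=iot-dhcp interface=vlan20 address-pool=iot-pool disabled=no
/ip dhcp-server network add address=172.17.20.0/24 gateway=172.17.20.1 dns-server=172.17.20.1

# 6. Isolation: IoT devices may talk to the router (DHCP/DNS) but not to the internet.
#    With the default firewall, appending this rule is enough because new connections are
#    not matched by the "accept established,related" rule above it; if the forward chain
#    ends in a generic accept, add place-before=<that rule> so the drop is evaluated first.
#    The same pattern with out-interface=bridge1 would also keep IoT off the existing LAN.
/ip firewall filter add chain=forward in-interface=vlan20 out-interface-list=WAN \
    action=drop comment="IoT: no internet"

# 7. Enable filtering last, when the VLAN table and the IP interface are already in place.
#    On RouterOS 6.x this turns off bridge hardware offload on the RB4011 (the H flag in
#    /interface bridge port print), so bridged traffic is switched by the CPU.
/interface bridge set bridge1 vlan-filtering=yes

# Verify: VLAN 20 should list ether5 as untagged and bridge1,ether2 as tagged, and the
# laptop on ether5 should receive a 172.17.20.x lease.
/interface bridge vlan print
/ip dhcp-server lease print where server=iot-dhcp
```

On the switch side the port towards ether2 carries VLAN 20 tagged, with the laptop and the IoT SSID mapped to VLAN 20 untagged or by SSID respectively; once that works the trunk can carry further VLANs by adding one more `/interface bridge vlan` entry and one more `/interface vlan` per network.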

  • Oisteink · 8 months ago

    I’m no RouterOS guy, but I don’t trust mixing default and tagged packets. I do believe on UniFi stuff you can mix, as the default is tagged 1 on trunk ports. I’d just make a VLAN for each network: raw internet, IoT and LAN.