I’ve spent far longer than expected to set up an VLAN on my network for IoT devices which I don’t want to have access to the internet. I’m running RB4011iGS+ router with RouterOS 6.48.4 and what I thought was a simple change took the whole network down for a while.
Granted, I’m not the most skilled network admin around, but I have built networks in the past and I’m (partly) maintaining them at work, but apparently I’m approaching this somehow from the wrong angle.
The current setup is a single subnet (172.17.0.0/24) where Mikrotik manages firewalling and DHCP without VLAN. WAN side has SPF module for the uplink, couple of bridged ports for that to provide raw internet to my server, some static mappings on the DHCP and things like that, pretty basic stuff. Other hardware includes Unifi access points, manageable switch and various stuff which just connects to the network.
Now, I’d like to add a VLAN (id 20, not that it matters) on the setup so I could have another /24 subnet for IOT devices. What I tought would be enough to take couple of ports from the existing LAN bridge, create a new bridge, set up an VLAN interface with IP, DHCP server and just connect tagged port on my switch, connect laptop for testing for untagged port and configure switch so that I could have another SSID on access points on that VLAN and connect couple of other things directly on the switch.
There’s plenty of guides around the net, but when I attempted to follow them I ended up in a situation where untagged port just would not work with ARP. I could dump traffic on my laptop with wireshark and there’s ARP ‘who-has’ requests running, but Mikrotik won’t reply on those no matter what I do. Same of course goes with DHCP requests and all traffic in general. My laptop would receive ARP query when attempting to ping it from the router, and laptop would respond, but sniffing traffic from the mikrotik port the reply just disappears somewhere. No matter if I have the switch in between to untag VLAN for the port or directly connecting cable to the mikrotik or even moving the laptop to VLAN20 and using that as a test setup.
What I’m currently assuming is that the problem is with non-tagged “general” network I’m running. As in VLAN20 and VLANnothing somehow are fundamentally incompatible on RouterOS, but that seems kind of backwards.
The end goal would be to have a trunk port on the router and on the switch and distribute VLAN to ports as needed. Or even a port for generic use and another for VLAN networks. Maybe someone here is more experienced with RouterOS and could point me to the right direction?
15 years of ros experience if you need help. Just dm me and we’ll set something up.
Thank you for the offer, but I got it figured out and now I’ve got a separate network for Gree heatpumps (among other things) which would love to send all of their data to the manufacturer. Even the adoption process was pretty complicated where it required an account (of course) and wouldn’t connect to my separate wifi at all if I didn’t permit a temporary internet access trough it.
At the end the biggest issue was actually EdgeRouter which is runnign as glorified PoE -switch (I have older 24V passive POE unifi hardware still around). It should manage VLANs without any issues, but apparently even two separate IP addresses is enough to cause various issues on the thing. When I got that one out of the way the rest was pretty straightforward.