NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

fattom23's avatar
fattom23
Aspirant
Mar 04, 2024

WAX214 VLAN set up Correctly?

I'm trying to set VLANs on my network based on SSID and can't seem to find out where things are going wrong. I have an SSID set on my WAX214 with VLAN Isolation activated and the VLAN ID set to 20. W...
Troubleshooting
schumaku's avatar
schumaku
Guru - Experienced User
Mar 04, 2024
fattom23 wrote:
I don't have the v2, but I should be able to borrow a POE injector to try and plug directly into an access port straight on the router.

What should this test be good for? You want to test a specific SSID mapping into a certain (tagged) VLAN.

 

Tell us more about the config of your router, and he switches along of the data path.

fattom23's avatar
fattom23
Aspirant
Mar 04, 2024

I have a Mikrotik routerboard with Port 2 going to Port 1 on a Zyxel switch (its a GS1900-24). Port 7 on that switch goes to Port 5 on a Netgear switch (it's a Netgear GS308EPP). I use this switch because it's POE (which neither the switch or router are).

 

The APs (2 WAX214s) are plugged into Ports 3 and 4 of the Netgear switch. Both switches (for testing purposes) have all ports listed as Trunk (tagged) ports for VLAN 20. The SSID LaPortaPile-Test is mapped to VLAN 20 on the AP.

 

I've attached screenshots of the relevant screens from the AP, and have the config from the router and additional screenshots from the switches if it becomes helpful.

  • fattom23's avatar
    fattom23
    Aspirant
    Mar 04, 2024

    This is the router config:

     

    # mar/03/2024 20:26:25 by RouterOS 6.49.11
    # software id = DD4H-LACA
    #
    # model = RB3011UiAS
    # serial number = HFG097R51BQ
    /interface bridge
    add admin-mac=78:9A:18:D8:75:F2 auto-mac=no comment=defconf name=bridge
    /interface ethernet
    set [ find default-name=ether9 ] name="ether9(Management)"
    /interface vlan
    add interface=bridge name=vlan1 vlan-id=20
    /interface list
    add comment=defconf name=WAN
    add comment=defconf name=LAN
    /interface wireless security-profiles
    set [ find default=yes ] supplicant-identity=MikroTik
    /ip pool
    add name=default-dhcp ranges=192.168.88.10-192.168.88.254
    add name=dhcp_pool1 ranges=98.111.140.2-98.111.140.254
    add name=dhcp_pool3 ranges=192.168.1.2-192.168.1.254
    add name=dhcp_pool13 ranges=10.0.0.2-10.0.0.254
    /ip dhcp-server
    add address-pool=dhcp_pool3 disabled=no interface=bridge name=dhcp1
    add address-pool=dhcp_pool13 disabled=no interface=vlan1 name=dhcp2
    /interface bridge port
    add bridge=bridge comment=defconf interface=ether2
    add bridge=bridge comment=defconf interface=ether3 pvid=20
    add bridge=bridge comment=defconf interface=ether4
    add bridge=bridge comment=defconf interface=ether5
    add bridge=bridge comment=defconf interface=ether6
    add bridge=bridge comment=defconf interface=ether8
    add bridge=bridge comment=defconf interface=sfp1
    add bridge=bridge interface=ether7
    /ip neighbor discovery-settings
    set discover-interface-list=LAN
    /interface list member
    add comment=defconf interface=bridge list=LAN
    add comment=defconf interface=ether1 list=WAN
    add interface="ether9(Management)" list=LAN
    /ip address
    add address=192.168.1.1/24 interface=bridge network=192.168.1.0
    add address=192.168.100.1/24 interface="ether9(Management)" network=\
    192.168.100.0
    add address=10.0.0.1/24 interface=vlan1 network=10.0.0.0
    /ip cloud
    set ddns-enabled=yes
    /ip dhcp-client
    add comment=defconf disabled=no interface=ether1 use-peer-dns=no
    /ip dhcp-server lease
    add address=192.168.1.246 mac-address=B8:AB:62:2E:A4:BD server=dhcp1
    add address=192.168.1.23 mac-address=DC:E5:5B:5F:EC:94 server=dhcp1
    add address=192.168.1.128 mac-address=10:BF:48:8D:AA:A0 server=dhcp1
    add address=192.168.1.168 client-id=\
    ff:f6:86:2c:2f:0:2:0:0:ab:11:67:e9:d2:38:8f:d2:99:5c mac-address=\
    54:80:28:4E:FE:E9 server=dhcp1
    add address=192.168.1.214 client-id=1:90:6a:eb:bf:b9:61 mac-address=\
    90:6A:EB:BF:B9:61 server=dhcp1
    add address=192.168.1.241 client-id=\
    ff:eb:7c:56:8d:0:1:0:1:2a:34:d6:82:e8:4e:6:9b:1e:1e mac-address=\
    B8:27:EB:7C:56:8D server=dhcp1
    add address=192.168.1.109 client-id=1:d8:c0:a6:20:3c:91 mac-address=\
    D8:C0:A6:20:3C:91 server=dhcp1
    add address=192.168.1.146 client-id=1:c4:3c:b0:62:c5:3 mac-address=\
    C4:3C:B0:62:C5:03 server=dhcp1
    add address=192.168.1.15 client-id=1:e0:46:ee:14:98:92 mac-address=\
    E0:46:EE:14:98:92 server=dhcp1
    add address=192.168.1.47 client-id=1:d8:ec:e5:d3:bb:5e mac-address=\
    D8:EC:E5:D3:BB:5E server=dhcp1
    add address=192.168.1.51 mac-address=80:CC:9C:48:D8:20 server=dhcp1
    add address=192.168.1.52 mac-address=80:CC:9C:48:FF:29 server=dhcp1
    add address=192.168.1.31 client-id=1:8:bf:b8:b8:e:d9 mac-address=\
    08:BF:B8:B8:0E:D9 server=dhcp1
    /ip dhcp-server network
    add address=10.0.0.0/24 gateway=10.0.0.1
    add address=10.10.10.0/24 gateway=10.10.10.1
    add address=98.111.140.0/24 dns-server=192.168.1.1,129.168.1.1 gateway=\
    98.111.140.1
    add address=172.16.0.0/24 gateway=172.16.0.1
    add address=172.16.1.0/24 gateway=172.16.1.1
    add address=192.168.0.0/24 gateway=192.168.0.1
    add address=192.168.1.0/24 dns-server=192.168.1.1,129.168.1.1 gateway=\
    192.168.1.1
    add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
    /ip dns
    set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
    /ip dns static
    add address=192.168.88.1 comment=defconf name=router.lan
    /ip firewall address-list
    add address=hfg097r51bq.sn.mynetname.net list=WAN-IP
    /ip firewall filter
    add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
    add action=drop chain=input src-address=112.227.133.59
    add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
    add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
    add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
    add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
    add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
    add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
    add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
    add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
    add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
    add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
    /ip firewall nat
    add action=masquerade chain=srcnat comment="Hairpin NAT - Not Working" \
    dst-address=192.168.1.0/24 src-address=192.168.1.0/24
    add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=ether1 out-interface-list=WAN
    add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=32400 \
    protocol=tcp to-addresses=192.168.1.168
    add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
    tcp to-addresses=192.168.1.168
    add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
    protocol=tcp to-addresses=192.168.1.168
    add action=dst-nat chain=dstnat comment="Needed for Xbox" dst-port=53 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.214 to-ports=53
    add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.1.214
    add action=dst-nat chain=dstnat dst-port=88 in-interface=ether1 protocol=udp \
    to-addresses=192.168.1.214 to-ports=88
    add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=\
    udp to-addresses=192.168.1.214 to-ports=3074
    add action=dst-nat chain=dstnat dst-port=500 in-interface=ether1 protocol=udp \
    to-addresses=192.168.1.214 to-ports=500
    add action=dst-nat chain=dstnat dst-port=3544 in-interface=ether1 protocol=\
    udp to-addresses=192.168.1.214 to-ports=3544
    add action=dst-nat chain=dstnat dst-port=4500 in-interface=ether1 protocol=\
    udp to-addresses=192.168.1.214 to-ports=4500
    add action=dst-nat chain=dstnat dst-port=53 in-interface=ether1 protocol=udp \
    to-addresses=192.168.1.214 to-ports=53
    add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.1 to-ports=80
    /ip service
    set telnet disabled=yes
    set ssh address=192.168.1.0/24
    /system clock
    set time-zone-name=America/New_York
    /system package update
    set channel=upgrade
    /tool mac-server
    set allowed-interface-list=LAN
    /tool mac-server mac-winbox
    set allowed-interface-list=LAN

    • schumaku's avatar
      schumaku
      Guru - Experienced User
      Mar 05, 2024

      Great, and that VLAN 20 is trunked (tagged) throughout the ZyXEL switch on the data path (switch ports) connecting the router and the Netgear Plus switch?

      • fattom23's avatar
        fattom23
        Aspirant
        Mar 05, 2024
        It seems to be (see attached screenshot). I obviously went wild trunking the ports and don't need all this, but I figured I should reduce the chance of misconfiguration for now.

NETGEAR Academy

Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology! 

Join Us!

ProSupport for Business

Comprehensive support plans for maximum network uptime and business peace of mind.

 

Learn More