fattom23
Mar 04, 2024Aspirant
WAX214 VLAN set up Correctly?
I'm trying to set VLANs on my network based on SSID and can't seem to find out where things are going wrong. I have an SSID set on my WAX214 with VLAN Isolation activated and the VLAN ID set to 20. W...
fattom23
Mar 04, 2024Aspirant
This is the router config:
# mar/03/2024 20:26:25 by RouterOS 6.49.11
# software id = DD4H-LACA
#
# model = RB3011UiAS
# serial number = HFG097R51BQ
# Bridge, renamed management port, VLAN interface and the WAN/LAN interface lists.
/interface bridge
# No vlan-filtering=yes appears on this line. In a compact export that means
# the default (off), so the bridge itself does not enforce VLAN membership;
# NOTE(review): confirm with "/interface bridge print".
add admin-mac=78:9A:18:D8:75:F2 auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether9 is renamed only; it is not added as a bridge port further down and
# receives its own 192.168.100.1/24 address under /ip address.
set [ find default-name=ether9 ] name="ether9(Management)"
/interface vlan
# Layer-3 interface for frames tagged with VLAN ID 20 on the bridge.
# The interface is named "vlan1" but carries VLAN ID 20, not 1.
add interface=bridge name=vlan1 vlan-id=20
/interface list
# The firewall and the MAC-server settings refer to these two lists by name.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Address pools and the two DHCP servers (untagged LAN and VLAN 20).
/ip pool
# default-dhcp is not referenced by any DHCP server in this export.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
# NOTE(review): 98.111.140.0/24 is outside the RFC 1918 private ranges and no
# DHCP server in this export uses dhcp_pool1 - looks like a leftover; confirm.
add name=dhcp_pool1 ranges=98.111.140.2-98.111.140.254
add name=dhcp_pool3 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool13 ranges=10.0.0.2-10.0.0.254
/ip dhcp-server
# dhcp1 hands out 192.168.1.x on the bridge (untagged LAN).
add address-pool=dhcp_pool3 disabled=no interface=bridge name=dhcp1
# dhcp2 hands out 10.0.0.x on vlan1, i.e. to clients whose frames are tagged 20.
add address-pool=dhcp_pool13 disabled=no interface=vlan1 name=dhcp2
# Bridge port membership, neighbor discovery scope and interface-list members.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
# pvid only takes effect when the bridge has vlan-filtering=yes, and no
# "/interface bridge vlan" table is present in this export.
# NOTE(review): as exported, ether3 presumably behaves like the other untagged
# ports rather than as a VLAN 20 access port - confirm.
add bridge=bridge comment=defconf interface=ether3 pvid=20
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=ether7
/ip neighbor discovery-settings
# Neighbor discovery is limited to interfaces in the LAN list.
set discover-interface-list=LAN
/interface list member
# LAN = bridge + ether9(Management); WAN = ether1.
# vlan1 is in neither list, so every firewall rule that matches on the LAN
# list treats VLAN 20 traffic as "not LAN".
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface="ether9(Management)" list=LAN
# Router addresses (one per segment), cloud DDNS and the WAN DHCP client.
/ip address
# Untagged LAN gateway.
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
# Dedicated management port.
add address=192.168.100.1/24 interface="ether9(Management)" network=\
192.168.100.0
# VLAN 20 gateway.
add address=10.0.0.1/24 interface=vlan1 network=10.0.0.0
/ip cloud
# Enables MikroTik's cloud DDNS; the resulting *.sn.mynetname.net hostname is
# what the WAN-IP firewall address list below resolves.
set ddns-enabled=yes
/ip dhcp-client
# WAN address comes from the upstream DHCP server; use-peer-dns=no keeps the
# statically configured resolvers under /ip dns in use.
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
# Static DHCP leases. Every entry is bound to dhcp1 (192.168.1.0/24); there are
# no static leases for dhcp2 / VLAN 20.
# 192.168.1.168 and 192.168.1.214 are the targets of the dst-nat rules further
# down, so these two reservations keep the port forwards pointing at the
# intended hosts.
/ip dhcp-server lease
add address=192.168.1.246 mac-address=B8:AB:62:2E:A4:BD server=dhcp1
add address=192.168.1.23 mac-address=DC:E5:5B:5F:EC:94 server=dhcp1
add address=192.168.1.128 mac-address=10:BF:48:8D:AA:A0 server=dhcp1
add address=192.168.1.168 client-id=\
ff:f6:86:2c:2f:0:2:0:0:ab:11:67:e9:d2:38:8f:d2:99:5c mac-address=\
54:80:28:4E:FE:E9 server=dhcp1
add address=192.168.1.214 client-id=1:90:6a:eb:bf:b9:61 mac-address=\
90:6A:EB:BF:B9:61 server=dhcp1
add address=192.168.1.241 client-id=\
ff:eb:7c:56:8d:0:1:0:1:2a:34:d6:82:e8:4e:6:9b:1e:1e mac-address=\
B8:27:EB:7C:56:8D server=dhcp1
add address=192.168.1.109 client-id=1:d8:c0:a6:20:3c:91 mac-address=\
D8:C0:A6:20:3C:91 server=dhcp1
add address=192.168.1.146 client-id=1:c4:3c:b0:62:c5:3 mac-address=\
C4:3C:B0:62:C5:03 server=dhcp1
add address=192.168.1.15 client-id=1:e0:46:ee:14:98:92 mac-address=\
E0:46:EE:14:98:92 server=dhcp1
add address=192.168.1.47 client-id=1:d8:ec:e5:d3:bb:5e mac-address=\
D8:EC:E5:D3:BB:5E server=dhcp1
add address=192.168.1.51 mac-address=80:CC:9C:48:D8:20 server=dhcp1
add address=192.168.1.52 mac-address=80:CC:9C:48:FF:29 server=dhcp1
add address=192.168.1.31 client-id=1:8:bf:b8:b8:e:d9 mac-address=\
08:BF:B8:B8:0E:D9 server=dhcp1
# DHCP network options, router DNS settings and the WAN-IP address list.
# Only 10.0.0.0/24 and 192.168.1.0/24 match an address and a DHCP server
# defined in this export; the remaining networks look like leftovers.
/ip dhcp-server network
# VLAN 20 network: no dns-server is set here.
# NOTE(review): which resolver VLAN 20 clients receive is not visible in this
# export - check the lease on a client.
add address=10.0.0.0/24 gateway=10.0.0.1
add address=10.10.10.0/24 gateway=10.10.10.1
# NOTE(review): 129.168.1.1 is a public address and looks like a typo for
# 192.168.1.1 (same value again on the 192.168.1.0/24 entry). As written,
# clients are handed an unrelated internet host as their secondary resolver.
add address=98.111.140.0/24 dns-server=192.168.1.1,129.168.1.1 gateway=\
98.111.140.1
add address=172.16.0.0/24 gateway=172.16.0.1
add address=172.16.1.0/24 gateway=172.16.1.1
add address=192.168.0.0/24 gateway=192.168.0.1
# Main LAN: same 129.168.1.1 secondary resolver as noted above.
add address=192.168.1.0/24 dns-server=192.168.1.1,129.168.1.1 gateway=\
192.168.1.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from clients;
# the input chain's "drop all not coming from LAN" rule is what limits who can
# reach it.
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# Cloud DDNS hostname used by the dst-nat rules as "WAN-IP". The label before
# .sn.mynetname.net matches the serial number in the export header, so the
# posted export identifies the name that resolves to this router's public
# address.
add address=hfg097r51bq.sn.mynetname.net list=WAN-IP
# Packet filter. Rules are evaluated top to bottom within each chain.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# Single-address block with no comment explaining it. It sits below the
# established/related accept, so it only stops new packets from that address.
add action=drop chain=input src-address=112.227.133.59
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# ICMP to the router is accepted from every interface, WAN included.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Drops everything whose in-interface is not in the LAN list. The list holds
# bridge and ether9(Management) only, so packets arriving on vlan1 (VLAN 20)
# that target the router itself - e.g. DNS to 10.0.0.1 - are dropped here too.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Last forward rule: blocks new WAN-originated connections unless a dst-nat
# rule translated them. Nothing in this chain separates vlan1 (10.0.0.0/24)
# from bridge (192.168.1.0/24), and unmatched packets are accepted, so VLAN 20
# clients can open routed connections into the main LAN. The SSID's "VLAN
# Isolation" setting on the access point does not change that; a forward drop
# rule between the two interfaces would be needed for layer-3 separation.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# NAT. Within a chain the first matching rule is applied.
/ip firewall nat
# Source-NATs LAN-to-LAN traffic; the author's own comment marks it as not
# working.
add action=masquerade chain=srcnat comment="Hairpin NAT - Not Working" \
dst-address=192.168.1.0/24 src-address=192.168.1.0/24
# Outbound masquerade for everything leaving via ether1 / the WAN list.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=ether1 out-interface-list=WAN
# Port forwards to 192.168.1.168 (TCP 32400, 80, 443). None carries a
# src-address match, so each port is reachable from any internet host.
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=32400 \
protocol=tcp to-addresses=192.168.1.168
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 protocol=\
tcp to-addresses=192.168.1.168
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=443 \
protocol=tcp to-addresses=192.168.1.168
# Port forwards to 192.168.1.214 for anything arriving on ether1: TCP 53 and
# 3074, UDP 88, 3074, 500, 3544, 4500 and 53. Only the first rule is commented
# ("Needed for Xbox").
# NOTE(review): these are unconditional inbound forwards, including DNS
# (53/tcp and 53/udp); confirm each port is still required.
add action=dst-nat chain=dstnat comment="Needed for Xbox" dst-port=53 \
in-interface=ether1 protocol=tcp to-addresses=192.168.1.214 to-ports=53
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=\
tcp to-addresses=192.168.1.214
add action=dst-nat chain=dstnat dst-port=88 in-interface=ether1 protocol=udp \
to-addresses=192.168.1.214 to-ports=88
add action=dst-nat chain=dstnat dst-port=3074 in-interface=ether1 protocol=\
udp to-addresses=192.168.1.214 to-ports=3074
add action=dst-nat chain=dstnat dst-port=500 in-interface=ether1 protocol=udp \
to-addresses=192.168.1.214 to-ports=500
add action=dst-nat chain=dstnat dst-port=3544 in-interface=ether1 protocol=\
udp to-addresses=192.168.1.214 to-ports=3544
add action=dst-nat chain=dstnat dst-port=4500 in-interface=ether1 protocol=\
udp to-addresses=192.168.1.214 to-ports=4500
add action=dst-nat chain=dstnat dst-port=53 in-interface=ether1 protocol=udp \
to-addresses=192.168.1.214 to-ports=53
# Targets the router's own bridge address on port 80. Every packet this rule
# could match (WAN-IP, TCP 80) is already translated by the earlier port-80
# rule to 192.168.1.168, so this entry appears to be unreachable.
# NOTE(review): if it was meant to publish the router's web interface, that is
# worth removing rather than fixing.
add action=dst-nat chain=dstnat dst-address-list=WAN-IP dst-port=80 \
in-interface=ether1 protocol=tcp to-addresses=192.168.1.1 to-ports=80
# Management services, clock, update channel and MAC-layer management access.
/ip service
# Only telnet and ssh are changed here. The export lists only non-default
# values, so the other services (ftp, www, winbox, api, ...) are presumably
# still at their defaults with no address restriction.
# NOTE(review): confirm with "/ip service print"; the input chain's
# LAN-only rule is the only visible restriction on them.
set telnet disabled=yes
# SSH accepted only from the main LAN subnet.
set ssh address=192.168.1.0/24
/system clock
set time-zone-name=America/New_York
/system package update
set channel=upgrade
/tool mac-server
# MAC telnet is limited to interfaces in the LAN list (bridge, ether9).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
# MAC WinBox is limited to the same list.
set allowed-interface-list=LAN
schumaku
Mar 05, 2024Guru - Experienced User
Great, and that VLAN 20 is trunked (tagged) throughout the ZyXEL switch on the data path (switch ports) connecting the router and the Netgear Plus switch?
- fattom23 (Mar 05, 2024, Aspirant): It seems to be (see attached screenshot). I obviously went wild trunking the ports and don't need all of this, but I figured I should reduce the chance of misconfiguration for now.
- fattom23 (Mar 05, 2024, Aspirant): Now that I'm looking at it, the ports in question (2 and 7) are Tagged for VLAN 20 and Untagged for VLAN 1 on the Zyxel (which doesn't seem like the correct configuration). I'll bet the problem is with the configuration of the Zyxel, because those should be Tagged for both in order for it to work, correct?
- schumaku (Mar 05, 2024, Guru - Experienced User):
fattom23 wrote:
Now that I'm looking at it, the ports in question (2 and 7) are Tagged for VLAN 20 and Untagged for VLAN 1 on the Zyxel (which seems like not the correct configuration). I'll bet the problem is with the configuration of the Zyxel, because those should be Tagged for both in order for it to work, correct?
If ports 2 and 7 make up the trunk connections, then sure, 7 needs to be tagged, too. Unfortunately, the ports are not labeled on the switch, so it is hard to say what is connected there. So best guess: Yes 8-)