# VLAN Setup Plan v3 - Safe Mode Approach

**Created:** 2026-01-31

**Status:** PLANNING

**Approach:** Safe Mode with atomic commands for auto-rollback protection

---

## Lessons Learned from Previous Failures

1. **IP on bridge stops working** when VLAN filtering is enabled
2. **Duplicate same IP** on bridge + VLAN interface causes routing confusion
3. **VLAN interface doesn't receive traffic** until VLAN filtering is enabled
4. **Solution**: Use Safe Mode + atomic script execution

---

## Prerequisites

- Router: MikroTik hAP ax³
- Current IP: 192.168.1.1/24 on bridge
- Access: WinBox connected via **MAC address** (not IP!)
- CAPsMAN: Already configured and working

---

## Phase 1: Preparation (No Risk)

### Step 1.1: Backup Current Configuration

```routeros
/system backup save name=before-vlan-v3
/export file=before-vlan-v3
```

Download both files from WinBox → Files.

### Step 1.2: Verify Current State

```routeros
/ip address print
/interface bridge print
/interface bridge port print
/interface bridge vlan print
/ip dhcp-server print
```

**Expected:**

- IP 192.168.1.1/24 on bridge
- VLAN filtering = no
- No bridge VLANs configured

---

## Phase 2: Create VLAN Infrastructure (Safe - No Filtering Yet)

### Step 2.1: Create VLAN 40 Interface

```routeros
/interface vlan add interface=bridge name=vlan40-catchall vlan-id=40
```

**Verify:**

```routeros
/interface vlan print
```

### Step 2.2: Add VLAN 40 to Bridge Table

All LAN ports untagged, bridge tagged (for CPU access):

```routeros
/interface bridge vlan add bridge=bridge vlan-ids=40 tagged=bridge untagged=ether2,ether3,ether4,ether5,wifi1,wifi2
```

**Verify:**

```routeros
/interface bridge vlan print detail
```

### Step 2.3: Set PVID on All LAN Ports

```routeros
/interface bridge port set [find interface=ether2] pvid=40
/interface bridge port set [find interface=ether3] pvid=40
/interface bridge port set [find interface=ether4] pvid=40
/interface bridge port set [find interface=ether5] pvid=40
/interface bridge port set [find interface=wifi1] pvid=40
/interface bridge port set [find interface=wifi2] pvid=40
```

**Verify:**

```routeros
/interface bridge port print
```

**Expected:** All ports show PVID=40

### Step 2.4: Add IP to VLAN Interface

This creates a "duplicate" IP temporarily:

```routeros
/ip address add address=192.168.1.1/24 interface=vlan40-catchall comment="VLAN40-Management"
```

**Verify:**

```routeros
/ip address print
```

**Expected:** Two entries for 192.168.1.1 (bridge and vlan40-catchall)

### Step 2.5: Create VLAN40 DHCP Pool (if not exists)

```routeros
/ip pool add name=pool-vlan40 ranges=192.168.1.10-192.168.1.250
```

### Step 2.6: Verify Everything Before Critical Step

```routeros
:put "=== VLAN Interface ==="
/interface vlan print
:put "=== Bridge VLANs ==="
/interface bridge vlan print detail
:put "=== Bridge Ports (check PVID) ==="
/interface bridge port print
:put "=== IP Addresses ==="
/ip address print
:put "=== Ping Test ==="
/ping 8.8.8.8 count=2
```

**STOP HERE if anything is wrong!**

---

## Phase 3: Enable VLAN Filtering (Critical - Use Safe Mode)

### Step 3.1: Enter Safe Mode in WinBox

1. In WinBox, press **Ctrl+X**
2. You'll see the "Safe Mode" indicator in the title bar
3. All changes will auto-rollback if the connection is lost

### Step 3.2: Create the Activation Script

Create a script that does everything atomically:

```routeros
/system script add name=activate-vlan source={
    # Enable VLAN filtering
    /interface bridge set bridge vlan-filtering=yes
    # Move the DHCP server to the VLAN interface
    /ip dhcp-server set [find name~"defconf"] interface=vlan40-catchall
    # Wait 2 seconds for the changes to apply
    :delay 2s
    # Remove the duplicate IP from the bridge (keep only the VLAN interface IP).
    # Exact match on the address, so a regex cannot also catch other 192.168.1.x entries.
    /ip address remove [find interface=bridge address="192.168.1.1/24"]
    :put "VLAN activation complete"
}
```

### Step 3.3: Run the Script (While in Safe Mode!)
```routeros
/system script run activate-vlan
```

### Step 3.4: Verify Immediately

```routeros
/ping 8.8.8.8 count=3
/ip address print
/interface bridge print
```

### Step 3.5: If Everything Works - Exit Safe Mode

Press **Ctrl+X** again to confirm and save changes.

### Step 3.6: If Connection Lost

- Wait up to 10 minutes
- Router will auto-rollback to previous state
- Reconnect via WinBox (MAC address)

---

## Phase 4: Verification

### Step 4.1: Check All Settings

```routeros
:put "=== Bridge VLAN Filtering ==="
/interface bridge print where name=bridge
:put "=== IP Addresses ==="
/ip address print
:put "=== DHCP Server ==="
/ip dhcp-server print
:put "=== Internet Test ==="
/ping 8.8.8.8 count=3
```

**Expected:**

- vlan-filtering=yes on bridge
- IP 192.168.1.1/24 ONLY on vlan40-catchall
- DHCP server on vlan40-catchall
- Internet working

### Step 4.2: Test Client Connectivity

From a device on the network:

1. Disconnect and reconnect WiFi
2. Check if you get an IP from the 192.168.1.x range
3. Test internet access

---

## Phase 5: Add Additional VLANs (After VLAN40 is Stable)

Wait 24-48 hours to ensure VLAN40 is stable before adding more VLANs.
### VLAN Overview

| VLAN | Name | Subnet | Purpose | Assignment |
|------|------|--------|---------|------------|
| 10 | Management | 192.168.10.0/24 | Infrastructure | Port-based (ether4,5) |
| 20 | Trusted | 192.168.20.0/24 | Family devices | RADIUS |
| 25 | Kids | 192.168.25.0/24 | Kids devices | RADIUS |
| 30 | IoT | 192.168.30.0/24 | Smart home | RADIUS |
| 40 | Catch-All | 192.168.1.0/24 | Default/Unknown | Default |

### Step 5.1: Create VLAN 10 (Management)

```routeros
# Create VLAN interface
/interface vlan add interface=bridge name=vlan10-mgmt vlan-id=10

# Add IP
/ip address add address=192.168.10.1/24 interface=vlan10-mgmt

# Add to bridge VLAN table - ether4/5 untagged for Unraid
/interface bridge vlan add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether4,ether5

# Update PVID on Unraid ports
/interface bridge port set [find interface=ether4] pvid=10
/interface bridge port set [find interface=ether5] pvid=10

# Remove ether4/5 from VLAN40
/interface bridge vlan set [find vlan-ids=40] untagged=ether2,ether3,wifi1,wifi2

# Create DHCP for VLAN10
/ip pool add name=pool-vlan10 ranges=192.168.10.100-192.168.10.200
/ip dhcp-server add address-pool=pool-vlan10 interface=vlan10-mgmt name=dhcp-vlan10 disabled=no
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=8.8.8.8
```

### Step 5.2: Add Static Leases for VLAN10

```routeros
/ip dhcp-server lease
add address=192.168.10.2 mac-address=18:FD:74:54:3D:BC comment="CAP XL ac" server=dhcp-vlan10
add address=192.168.10.3 mac-address=F4:1E:57:C9:BD:09 comment="CSS326" server=dhcp-vlan10
add address=192.168.10.20 mac-address=A8:B8:E0:02:B6:15 comment="Unraid" server=dhcp-vlan10
```

---

## Rollback Commands

### Emergency: Disable VLAN Filtering

```routeros
/interface bridge set bridge vlan-filtering=no
```

### Full Rollback: Restore Backup

```routeros
/system backup load name=before-vlan-v3
```

### Factory Reset (Last Resort)

Hold the reset button while powering on until the LEDs flash.
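Step 5.1 shows the per-VLAN command set for VLAN 10 by hand. The Python script below is an added example (it is not part of this plan and not a MikroTik tool; it only prints RouterOS commands for review and never talks to the router) that generalizes Step 5.1 to the other rows of the VLAN overview table. It derives the gateway, pool and DHCP network from the subnet, always makes the bridge a tagged member (Lesson 1), moves port-based ports out of the VLAN 40 untagged list so that no port is untagged in two VLANs (a port untagged in both would also emit VLAN 40 frames untagged towards the management host), and refuses overlapping subnets. The `.100-.200` pool range, the `8.8.8.8` DNS server, the `vlan<ID>-<name>` naming and the VLAN 40 port list from Step 2.2 are taken from the plan and assumed to hold for the other VLANs; the RADIUS-assigned VLANs get no static untagged ports here because their membership is dynamic, which this plan does not cover.

```python
"""Render the per-VLAN RouterOS command set of Step 5.1 for any VLAN overview row.

Added example, not the plan's own script and not a MikroTik tool: it prints
commands for review only. Assumptions carried over from the plan: pool range
.100-.200, DNS 8.8.8.8, interface names vlan<ID>-<name>, and VLAN 40 as the
catch-all whose untagged list (Step 2.2) shrinks when a port moves elsewhere.
"""
import ipaddress

CATCHALL_VID = 40
CATCHALL_PORTS = ("ether2", "ether3", "ether4", "ether5", "wifi1", "wifi2")  # Step 2.2


def vlan_commands(vlan_id, name, subnet, untagged_ports, existing_subnets=(),
                  catchall_ports=CATCHALL_PORTS):
    """Return the RouterOS commands for one VLAN, in the order Step 5.1 uses."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"vlan id {vlan_id} out of range")
    net = ipaddress.ip_network(subnet)            # strict: rejects host bits set
    for other in existing_subnets:
        if net.overlaps(ipaddress.ip_network(other)):
            # Overlapping subnets cause the same "routing confusion" as Lesson 2.
            raise ValueError(f"{subnet} overlaps {other}")
    hosts = list(net.hosts())
    if len(hosts) < 200:
        raise ValueError("subnet too small for the .100-.200 pool convention")
    gateway, pool_lo, pool_hi = hosts[0], hosts[99], hosts[199]
    iface = f"vlan{vlan_id}-{name}"

    cmds = [
        f"/interface vlan add interface=bridge name={iface} vlan-id={vlan_id}",
        f"/ip address add address={gateway}/{net.prefixlen} interface={iface}",
    ]
    # The bridge is always a tagged member, otherwise the CPU (and so the address
    # above) cannot reach the VLAN (Lesson 1). RADIUS-assigned VLANs have no
    # static untagged ports; their membership is dynamic and outside the plan.
    entry = f"/interface bridge vlan add bridge=bridge vlan-ids={vlan_id} tagged=bridge"
    if untagged_ports:
        entry += " untagged=" + ",".join(untagged_ports)
    cmds.append(entry)
    for port in untagged_ports:
        cmds.append(f"/interface bridge port set [find interface={port}] pvid={vlan_id}")
    # A port untagged in two VLANs would also emit the catch-all VLAN's frames
    # untagged on that port, so a moved port leaves the VLAN 40 untagged list.
    remaining = [p for p in catchall_ports if p not in untagged_ports]
    if len(remaining) != len(catchall_ports):
        cmds.append(f"/interface bridge vlan set [find vlan-ids={CATCHALL_VID}] "
                    f"untagged={','.join(remaining)}")
    cmds += [
        f"/ip pool add name=pool-vlan{vlan_id} ranges={pool_lo}-{pool_hi}",
        f"/ip dhcp-server add address-pool=pool-vlan{vlan_id} interface={iface} "
        f"name=dhcp-vlan{vlan_id} disabled=no",
        f"/ip dhcp-server network add address={net} gateway={gateway} dns-server=8.8.8.8",
    ]
    return cmds


# Constructed from the VLAN overview table; VLAN 40 already exists after Phase 2.
VLAN_TABLE = [
    (10, "mgmt", "192.168.10.0/24", ["ether4", "ether5"]),
    (20, "trusted", "192.168.20.0/24", []),
    (25, "kids", "192.168.25.0/24", []),
    (30, "iot", "192.168.30.0/24", []),
]

if __name__ == "__main__":
    seen = ["192.168.1.0/24"]                     # the VLAN 40 subnet
    for vid, vname, subnet, ports in VLAN_TABLE:
        print(f"# VLAN {vid}")
        print("\n".join(vlan_commands(vid, vname, subnet, ports, seen)))
        seen.append(subnet)
```

Running it for VLAN 10 reproduces the Step 5.1 commands line for line; the other rows only differ in the absence of the PVID and VLAN 40 changes. Paste one VLAN's output at a time, inside Safe Mode, and verify with the Step 4.1 commands before the next.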
---

## Safe Mode Quick Reference

| Action | WinBox | CLI |
|--------|--------|-----|
| Enter Safe Mode | Ctrl+X | Ctrl+X |
| Exit & Save | Ctrl+X | Ctrl+X |
| Exit & Discard | Close WinBox | Ctrl+D |
| Auto-rollback | ~10 minutes | ~10 minutes |

**Important:** Safe Mode protection lasts only for the session that entered it: if that connection is lost, the changes made during it roll back automatically.

---

## Checklist Before Enabling VLAN Filtering

- [ ] Backup saved and downloaded
- [ ] WinBox connected via MAC (not IP)
- [ ] VLAN interface created
- [ ] Bridge tagged in VLAN table
- [ ] All ports have correct PVID
- [ ] IP added to VLAN interface
- [ ] Safe Mode entered (Ctrl+X)
- [ ] Ready to run activation script

---

## Troubleshooting

### Lost Connection After Enabling Filtering

1. Wait 10 minutes for Safe Mode rollback
2. If no rollback: Connect via WinBox MAC discovery
3. Run: `/interface bridge set bridge vlan-filtering=no`

### DHCP Not Working

Check the DHCP server interface:

```routeros
/ip dhcp-server print
```

Should show `interface=vlan40-catchall`

### Internet Not Working

Check NAT:

```routeros
/ip firewall nat print
```

Should have a masquerade rule for WAN.

### Devices Not Getting IP

1. Check bridge VLAN table has ports as untagged
2. Check ports have correct PVID
3. Check DHCP pool has available addresses
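The Step 2.6 verification and the checklist above rely on reading several `print` outputs by eye. The Python script below is an added example (not a RouterOS feature and not part of this plan) that checks the same invariants offline on the text of a fresh `/export`: every bridge port's PVID must be an untagged member of that VLAN, the bridge must be a tagged member of every VLAN that carries an address (the lock-out case behind Lesson 1), and, once `after_activation=True` is passed for the Step 4.1 state, filtering must be on and the duplicate address gone from the bridge (Lesson 2). The parser follows the export format RouterOS prints (a `/section` line, then `add key=value` lines, long lines wrapped with a trailing backslash); the two export samples inside it are constructed to match Phase 2 of this plan and are not real router output.

```python
"""Offline pre-flight check of a RouterOS /export for the VLAN cutover.
Added example, not a RouterOS feature and not part of the plan: it parses the
text /export prints (a /section line, then add key=value lines, long lines
wrapped with a trailing backslash) and reports what breaks the invariants
behind the Lessons Learned and the checklist."""
import shlex
from collections import defaultdict


def parse_export(text):
    """Parse /export output into {section: [{key: value, ...}, ...]}."""
    sections, section, buf = defaultdict(list), None, ""
    for raw in text.splitlines():
        piece = raw.strip()
        if not piece or piece.startswith("#"):
            continue
        if piece.endswith("\\"):               # wrapped line, continued below
            buf += piece[:-1]
            continue
        line, buf = buf + piece, ""
        if line.startswith("/"):
            section = line
        elif section and line.startswith(("add ", "set ")):
            # shlex unquotes values such as comment="VLAN40-Management"
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            sections[section].append(dict(pairs))
    return sections


def expand_vlan_ids(spec):
    """Bridge VLAN table syntax: '40' -> [40], '10,20-22' -> [10, 20, 21, 22]."""
    ids = []
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids


def check_vlan_export(text, after_activation=False):
    """Return findings; [] means the stage looks right. after_activation=False is
    the Step 2.6 state (duplicate 192.168.1.1 deliberate), True the Step 4.1 state."""
    cfg, findings = parse_export(text), []
    # Bridge VLAN table as vid -> (tagged members, untagged members).
    table = defaultdict(lambda: (set(), set()))
    for e in cfg["/interface bridge vlan"]:
        for vid in expand_vlan_ids(e.get("vlan-ids", "")):
            table[vid][0].update(filter(None, e.get("tagged", "").split(",")))
            table[vid][1].update(filter(None, e.get("untagged", "").split(",")))
    # "All ports have correct PVID": untagged ingress lands in the PVID VLAN, so
    # the port must be an untagged member there or it goes dark once filtering is on.
    for p in cfg["/interface bridge port"]:
        port, pvid = p.get("interface"), int(p.get("pvid", "1"))
        if port not in table[pvid][1]:
            findings.append(f"{port}: pvid={pvid} but not untagged in VLAN {pvid}")
    # "Bridge tagged in VLAN table": the CPU, and so an address on a VLAN
    # interface, only reaches a VLAN the bridge itself is a tagged member of.
    vlan_of = {e["name"]: int(e["vlan-id"])
               for e in cfg["/interface vlan"] if e.get("interface") == "bridge"}
    carried_by = defaultdict(set)              # address -> interfaces carrying it
    for a in cfg["/ip address"]:
        carried_by[a["address"]].add(a["interface"])
        vid = vlan_of.get(a["interface"])
        if vid is not None and "bridge" not in table[vid][0]:
            findings.append(f"{a['interface']}: bridge not tagged in VLAN {vid}, "
                            f"{a['address']} would be unreachable")
    # Lessons 1 and 2: after activation the address must be gone from the bridge
    # and filtering must actually be on.
    if after_activation:
        bridge = next((b for b in cfg["/interface bridge"] if b.get("name") == "bridge"), {})
        if bridge.get("vlan-filtering", "no") != "yes":
            findings.append("bridge: vlan-filtering is still off")
        for addr, ifaces in carried_by.items():
            if "bridge" in ifaces and ifaces & set(vlan_of):
                findings.append(f"{addr}: still on bridge as well as on a VLAN interface")
    return findings


# Constructed sample of what /export shows at Step 2.6 (Phase 2 done, filtering
# still off, duplicate address deliberately present, one wrapped line).
STAGED_EXPORT = """\
/interface bridge
add name=bridge
/interface vlan
add interface=bridge name=vlan40-catchall vlan-id=40
/interface bridge port
add bridge=bridge interface=ether2 pvid=40
add bridge=bridge interface=ether3 pvid=40
add bridge=bridge interface=wifi1 pvid=40
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=\\
    ether2,ether3,wifi1 vlan-ids=40
/ip address
add address=192.168.1.1/24 interface=bridge
add address=192.168.1.1/24 comment="VLAN40-Management" interface=vlan40-catchall
"""
# Same export with two classic mistakes: ether3 dropped from the untagged list
# and the bridge not tagged (the lock-out case behind Lesson 1).
BROKEN_EXPORT = (STAGED_EXPORT.replace("tagged=bridge untagged=", "untagged=")
                              .replace("ether2,ether3,", "ether2,"))

if __name__ == "__main__":
    print("staged:", check_vlan_export(STAGED_EXPORT) or "OK")
    print("broken:", check_vlan_export(BROKEN_EXPORT) or "OK")
```

Run it on a fresh `/export` pasted from the terminal before Step 3.3 (default stage) and again on the post-cutover export with `after_activation=True`; an empty list is the signal to proceed, anything else maps back to a checklist item or to one of the troubleshooting entries above.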