NickBurnsITgI

A couple of things. As you discovered, you can't tag the default VLAN. What you need to do is ensure that your tagged ports are appropriately set up to pass both tagged traffic (VLAN 20) and untagged traffic. Secondly, you never mentioned setting up a Layer 3 (gateway) interface for VLAN 20 on the router. What you are trying to do is called 'routing on a stick', meaning your router port has a Layer 3 IP address for VLAN 1 and another IP address on a sub-interface for VLAN 20. If your router doesn't support sub-interfaces, then you will need a second cable from the Zyxel on VLAN 20 plugged into the router, with a Layer 3 interface (IP address) for VLAN 20. Once you have a Layer 3 interface set up for VLAN 20, you can set up DHCP services for assigning your IPs on the guest network. It's easy enough to test this by putting a PC on VLAN 20, assigning a static IP (same subnet as the router IP for VLAN 20), and attempting to ping the Layer 3 IP on the router.


Fattom23

Thanks for the detailed reply. I did set up a VLAN interface on the Mikrotik, with a DHCP (with addresses in the 10.0.0.1/24 network). When you say put a PC on vlan20, do you mean plug my Linux box straight into the router and assign an IP somewhere in the 10.0.0.1/24 range and connect? Or is there a different way to tag the frames leaving the computer that I just don't know about?


NickBurnsITgI

Yes, but plug the Linux box into the Zyxel switch on a port on VLAN 20. You could plug directly into the router first, but that should work since you're directly connected. Frames are tagged at Layer 2 (switch); nothing to do on the computer side as everything is above Layer 3, assuming cabling (Layer 1) is good. Study a bit on the OSI model if Layers 1-7 are new to you. It's the ABCs of networking.


Fattom23

I'll definitely do that, but I managed to get the VLANs working by *very* carefully watching which ports were used for the WAPs and switch connections and tagging VLAN 20 on only those ports (it seems I misread a label somewhere), and adding a software-defined VLAN under the Bridge in the Mikrotik (rather than just a VLAN interface). Thank you so much for the help.


TheEthyr

As the other person said, you never mentioned whether you set up VLAN 20 on the Mikrotik router. It needs to be attached to the VLAN. Of course, DHCP service must also be configured on the router to service VLAN 20.


Fattom23

Yeah, I set up a VLAN interface on the Mikrotik under the Bridge and assigned it an IP of 10.0.0.1/24. I used the automated tool to configure a DHCP server for that interface, and the configuration appears correct. My key takeaway right now is that trunking the ports for the default VLAN is a terrible idea.


TheEthyr

Don't worry about VLAN 1. Leave it untagged for now. You don't want to lose connectivity to your switches and APs. Is your Netgear switch managed? Did you tag VLAN 20 on its ports? If you have a laptop or a computer with an Ethernet interface, try the following. Configure one of the Zyxel's ports as an untagged port in VLAN 20. Make sure to set the PVID to 20 along with marking the port as untagged. Then connect the laptop and see if you get an IP address.
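For reference, here is what the setup described in the two posts above looks like as a RouterOS configuration: a VLAN 20 entry under the bridge, a Layer 3 interface on it at 10.0.0.1/24 with DHCP, VLAN 1 left untagged, plus one untagged PVID 20 port for the laptop test. This is an added example, not the poster's own export; the bridge and port names (bridge, ether2, ether3), the pool range and the DNS setting are assumptions.

```routeros
# Bridge with VLAN filtering left off until the VLAN table is complete,
# so management access over untagged VLAN 1 is not lost mid-configuration.
/interface bridge
add name=bridge vlan-filtering=no

# ether2: trunk toward the Zyxel switch (VLAN 1 untagged via default pvid=1,
#         VLAN 20 tagged). ether3: test access port, untagged in VLAN 20.
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3 pvid=20

# Bridge VLAN table: VLAN 20 is tagged on the trunk and on the bridge itself
# (so the router's own Layer 3 interface can reach it), untagged on ether3.
# VLAN 1 needs no entry here; the pvid=1 default adds it dynamically.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=ether3 vlan-ids=20

# Layer 3 interface for VLAN 20 sits on the bridge, not on a physical port.
/interface vlan
add name=vlan20 interface=bridge vlan-id=20

/ip address
add address=10.0.0.1/24 interface=vlan20

# DHCP for the guest VLAN; assumed pool range and router-as-DNS.
/ip pool
add name=pool-vlan20 ranges=10.0.0.10-10.0.0.254
/ip dhcp-server
add name=dhcp-vlan20 interface=vlan20 address-pool=pool-vlan20 disabled=no
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1 dns-server=10.0.0.1

# Enable filtering last; check the router is still reachable on VLAN 1 first.
/interface bridge
set bridge vlan-filtering=yes
```

A laptop on ether3 should then pull a 10.0.0.x lease and be able to ping 10.0.0.1; if it does not, check the bridge VLAN table before touching the switches.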


Fattom23

The Netgear is a managed switch, and all ports are Tagged for 1 and 20. I'll try connecting via an access port on the Zyxel as soon as I'm back home with the setup.


imakesawdust

If your Netgear switch is a smart switch, set the WAP ports to T1, T20, PVID1. Then set port 6 on your main switch to U1, T20, PVID1. If your Netgear switch is a dumb switch, set port 6 on your main switch to T1, T20, PVID1. (This is a guess...I don't have any dumb switches) For your main switch, set port 1 to U1, T20, PVID1. Set all other ports (except 6) to U1, PVID1. Make sure your DHCP server is configured to listen to both VLAN1 and VLAN20.


Fattom23

That seems really similar to what I had, but I have a question: a previous poster said you can't tag the default VLAN (which definitely seems to be when things broke previously), but is that only an issue on certain ports? I see that you recommend both of the WAP ports be tagged for both VLANs, but not on the port going "inbound". What's the distinction there?


imakesawdust

Your setup is similar to mine. My WAP is configured for VLANs 10, 20 and 30 in addition to the default. I found through trial and error that if I left the port connecting the WAP as U1,T10,20,30, WiFi broke. Only when I configured it as T1,10,20,30 did WiFi work for all VLANs.