
Networking Setup

networking, vlan, mikrotik, proxmox, experiment

5/5/2026


Hardware

  • Router: MikroTik hEX S (2025)
  • Switch: TP-Link SG2218

Legend

  • u : untagged
  • t : tagged

VLANs

VLAN  Purpose
10    management
20    core
30    apps
40    telco/network
50    user
60    labs

Port Assignments

  • SFP1 / Port 17: uplink (tagged)
  • Ports 1, 2-6: VLAN 10 (management)
    • Port 1: untagged (laptop/desktop access)
    • Ports 2-6: tagged (Proxmox nodes)
    • PVID: 10
    • Services: Tailscale, Cloudflare Tunnel
  • VLAN 20: 2x DNS services
  • VLAN 30: 2x CRM services, Copyparty
  • VLAN 40 / VLAN 60: no services yet
  • Ports 8-16: VLAN 50 (user) untagged
    • TP-Link Archer C64 in AP mode for Wi-Fi

Router Config

  • VLAN 10 has access to all VLANs.
  • VLAN 50 has access to VLAN 20 and VLAN 30 only.
  • Two WireGuard configs (ProtonVPN) currently disabled.
    • wg1: distance 1
    • wg2: distance 2
    • Direct ISP connection: distance 10
  • Internet fails after power loss when routed through WireGuard; ISP interface alone works.
  • Suspected cause: all routes sharing the same routing table.
  • Plan: revisit and fix within the next month.

Incident: Post-Power-Loss Recovery

Symptoms

After a power loss:

  • No internet access (cannot ping 8.8.8.8).
  • Can reach the router, all gateways, and even the ISP modem.
  • Cannot ping or access Proxmox nodes via Web UI.
  • Direct monitor/keyboard on nodes showed no local issues.

Root Cause

The switch had been in a “config limbo” where it was forwarding traffic loosely. After the reboot, it enforced VLAN rules strictly.

  • Proxmox node bridges were VLAN-aware with PVID 10.
  • Services on each node were tagged to their respective VLANs.
  • Switch ports for the nodes were untagged on VLAN 10.
  • Because the nodes expected tagged traffic for their services but received untagged traffic on the access ports, they dropped the packets.

Fix

Changed Proxmox node ports on VLAN 10 from untagged to tagged. After a switch reboot, everything came back correctly.
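
The tagging mismatch described above can be checked with a small model of 802.1Q port behaviour. This is an added example, not part of the original notes; the node and switch port layouts (which VLANs each side carries, and the PVID 1 case) are assumptions constructed for illustration.

```python
# Added example (not from the original post): 802.1Q handling on one
# switch-port <-> Proxmox-uplink link. All port layouts are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    pvid: int                          # VLAN given to untagged ingress frames
    untagged: frozenset = frozenset()  # member VLANs sent without a tag
    tagged: frozenset = frozenset()    # member VLANs sent with a tag

    def egress(self, vlan):
        """Return (sent, tag_on_wire) for a frame leaving in `vlan`."""
        if vlan in self.untagged:
            return True, None
        return (True, vlan) if vlan in self.tagged else (False, None)

    def ingress(self, tag):
        """Return the VLAN a received frame lands in, or None if dropped."""
        if tag is None:
            return self.pvid
        return tag if tag in self.untagged | self.tagged else None

def deliver(src, dst, vlan):
    """VLAN in which dst sees a frame that src sent in `vlan` (None = lost)."""
    sent, tag = src.egress(vlan)
    return dst.ingress(tag) if sent else None

def audit(switch, host, needed):
    """Return (vlan, host->switch, switch->host) for every VLAN that breaks."""
    bad = []
    for vlan in needed:
        up, down = deliver(host, switch, vlan), deliver(switch, host, vlan)
        if (up, down) != (vlan, vlan):
            bad.append((vlan, up, down))
    return bad

# Assumed node uplink: management untagged on PVID 10, services on 20 and 30.
NODE = Port(pvid=10, untagged=frozenset({10}), tagged=frozenset({20, 30}))
# Assumed pre-fix switch port: plain access port on VLAN 10.
BEFORE = Port(pvid=10, untagged=frozenset({10}))
# Assumed post-fix switch port: VLANs tagged, PVID still 10.
AFTER = Port(pvid=10, tagged=frozenset({10, 20, 30}))
# Constructed edge case: same trunk, but PVID left at the default VLAN 1.
WRONG_PVID = Port(pvid=1, tagged=frozenset({10, 20, 30}))

if __name__ == "__main__":
    for name, sw in [("before", BEFORE), ("after", AFTER), ("pvid 1", WRONG_PVID)]:
        print(name, audit(sw, NODE, [10, 20, 30]))
```

An empty list means every needed VLAN survives the link in both directions; the PVID 1 case shows why the switch-side PVID has to stay at 10 once the node ports are tagged.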

Internet Issue

With WireGuard routes enabled, traffic through the tunnel interfaces had no internet. Pinging directly via the ISP interface worked fine. Disabled WireGuard routing for now and will reconfigure with separate routing tables later.

Access Ports

Two additional ports are configured as untagged access on VLAN 10:

  1. Laptop
  2. Desktop