
UniFi UX7 & Netgear MS308E VLAN Setup

What Was Established

  • Multi-switch VLAN topology using a UniFi Express 7 (UX7) gateway and two Netgear MS308E switches.
  • Netgear MS308E 802.1Q Advanced configuration pattern for trunks and access ports.
  • Troubleshooting methodology for multi-switch chains: isolate the fault to the inter-switch trunks, to a single device's port, or to the UX7 firewall, in that order.
  • UX7 firewall rule correction for IoT isolation (Tharkûn VLAN 3).

Key Decisions

  • VLAN 1 (Gandalf): Untagged on trunks (native), PVID 1 on trunk ports. Carries the servers and the switches' management interfaces.
  • VLAN 2 (Mithrandir): Tagged on trunks, untagged on its access ports with PVID 2. Routed out through the UX7 VPN.
  • VLAN 3 (Tharkûn): Tagged on trunks, untagged on its access ports with PVID 3. Isolated IoT network.
  • Native VLAN set to 1 on trunks so that management traffic crosses the trunks untagged and the switches stay reachable. Caveat: this makes VLAN 1 both the management network and the default untagged VLAN on every trunk, so any port left at factory defaults (PVID 1) lands on the server/management segment; keep unused ports disabled or moved to an unused VLAN.
  • UX7 Firewall: Tharkûn (VLAN 3) is assigned to the DMZ zone. An explicit “Allow DMZ to Internet” rule was required before IoT devices could reach the Internet.

Current Configuration

  • UX7 (Olorín): 192.168.1.1
    • Port 1 (to Netgear Switch 1): Trunk, Native VLAN 1, Allowed VLANs 1, 2, 3.
  • Netgear MS308E (Switch 1): 192.168.1.239
    • Port 1 (to UX7): VLAN 1 Untagged (PVID 1), VLAN 2 Tagged, VLAN 3 Tagged.
    • Ports 2, 3 (to downstream switches): Same as Port 1.
    • Access Ports (e.g., Port 8 to U7 AP): VLAN 3 Untagged, PVID 3.
  • Netgear MS308E (Switch 2):
    • Trunk ports: VLAN 1 Untagged (PVID 1), VLAN 2 Tagged, VLAN 3 Tagged.
    • Access Ports: VLAN 2 Untagged (PVID 2) for PCs, VLAN 3 Untagged (PVID 3) for IoT (e.g., Hue Hub).
  • UX7 Firewall Rules (Tharkûn/DMZ):
    • Allow DMZ to Internet
    • Allow DMZ to Gateway
    • Block DMZ to Internal
    • Block DMZ to VPN
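The port table above can be checked mechanically. The following is an added example, not tooling from this page, UniFi or Netgear: it transcribes the configuration into per-port tagged/untagged sets and PVIDs (the three things the MS308E “802.1Q Advanced” screen sets per port), then verifies what the trunk rules above require: every PVID is an untagged member of its port, and both ends of each inter-switch link agree VLAN by VLAN on tagged versus untagged. Port numbers the page does not give (Switch 2's uplink and access ports) are assumed, and the two knobs on `topology()` are assumptions added to reproduce the lockout and the missing-VLAN-2 mistakes recorded under Historical Notes.

```python
"""802.1Q consistency check for the UX7 -> MS308E -> MS308E chain on this page.

Added example, not the page's own tooling and not a UniFi or Netgear API. The
port table is transcribed from the "Current Configuration" section; device and
port names are the page's except where marked as assumed. It models what the
MS308E "802.1Q Advanced" screen exposes per port: tagged members, untagged
members and a PVID.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Port:
    tagged: FrozenSet[int] = frozenset()
    untagged: FrozenSet[int] = frozenset()
    pvid: Optional[int] = None   # None models UniFi "No Native VLAN": untagged ingress is dropped


def trunk(native: Optional[int] = 1, allowed=(1, 2, 3)) -> Port:
    """Trunk as used on this page: the native VLAN untagged, every other allowed
    VLAN tagged. native=None is the all-tagged variant from Historical Notes."""
    tagged = frozenset(v for v in allowed if v != native)
    untagged = frozenset() if native is None else frozenset({native})
    return Port(tagged, untagged, native)


def access(vlan: int) -> Port:
    """Access port: one untagged VLAN, PVID set to the same VLAN."""
    return Port(frozenset(), frozenset({vlan}), vlan)


def port_problems(dev: str, name: str, p: Port) -> List[str]:
    """Checks that hold for a single port regardless of what it is plugged into."""
    out = []
    if p.pvid is not None and p.pvid not in p.untagged:
        out.append(f"{dev} {name}: PVID {p.pvid} is not an untagged member, so untagged "
                   "ingress is filed under a VLAN this port never sends back untagged")
    if p.tagged & p.untagged:
        out.append(f"{dev} {name}: VLAN(s) {sorted(p.tagged & p.untagged)} are both "
                   "tagged and untagged")
    if len(p.untagged) > 1:
        out.append(f"{dev} {name}: VLANs {sorted(p.untagged)} all egress untagged and "
                   "merge on the wire")
    return out


def link_problems(a_dev: str, a_name: str, a: Port,
                  b_dev: str, b_name: str, b: Port) -> List[str]:
    """Both ends of an inter-switch link must agree, VLAN by VLAN, on tagged vs untagged."""
    out = []
    for v in sorted(a.tagged | a.untagged | b.tagged | b.untagged):
        side_a = "tagged" if v in a.tagged else "untagged" if v in a.untagged else None
        side_b = "tagged" if v in b.tagged else "untagged" if v in b.untagged else None
        if side_a == side_b:
            continue
        if side_a is None or side_b is None:
            present = f"{b_dev} {b_name}" if side_a is None else f"{a_dev} {a_name}"
            out.append(f"VLAN {v} configured on {present} only; its frames are dropped "
                       "at the far end")
        else:
            out.append(f"VLAN {v} is {side_a} on {a_dev} {a_name} but {side_b} on "
                       f"{b_dev} {b_name}; the far end drops or mis-assigns these frames")
    return out


Devices = Dict[str, Dict[str, Port]]
Links = List[Tuple[Tuple[str, str], Tuple[str, str]]]


def audit(devices: Devices, links: Links) -> List[str]:
    """Run the per-port checks on every port, then the per-link checks on every link."""
    out = []
    for dev, ports in devices.items():
        for name, p in ports.items():
            out += port_problems(dev, name, p)
    for (ad, ap), (bd, bp) in links:
        out += link_problems(ad, ap, devices[ad][ap], bd, bp, devices[bd][bp])
    return out


def topology(ux7_native: Optional[int] = 1, sw1_downlink_tagged=(2, 3)) -> Tuple[Devices, Links]:
    """Current Configuration from the page. The two knobs recreate Historical Notes:
    ux7_native=None (UX7 trunk with no native VLAN) and sw1_downlink_tagged=(3,)
    (VLAN 2 left off Switch 1's inter-switch trunk)."""
    devices = {
        "UX7": {"Port 1": trunk(native=ux7_native)},
        "Switch 1": {
            "Port 1": trunk(),                                                   # uplink to UX7
            "Port 2": Port(frozenset(sw1_downlink_tagged), frozenset({1}), 1),  # to Switch 2
            "Port 8": access(3),                                                 # U7 AP
        },
        "Switch 2": {
            "Port 1": trunk(),        # uplink to Switch 1 (port number assumed)
            "Port 4": access(2),      # PC (port number assumed)
            "Port 5": access(3),      # Hue Hub (port number assumed)
        },
    }
    links = [(("UX7", "Port 1"), ("Switch 1", "Port 1")),
             (("Switch 1", "Port 2"), ("Switch 2", "Port 1"))]
    return devices, links


if __name__ == "__main__":
    print("as configured:  ", audit(*topology()) or "no problems")
    print("no native VLAN: ", audit(*topology(ux7_native=None)))
    print("VLAN 2 missing: ", audit(*topology(sw1_downlink_tagged=(3,))))
```

Run as-is it reports no problems for the configuration above; the two knobs each produce exactly one finding, which is the same fault the Historical Notes describe in words (VLAN 1 tagged on one end of the UX7 link but untagged on the other; VLAN 2 present on only one end of the Switch 1 to Switch 2 link).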

Historical Notes

  • Initial attempts to set the trunk ports to “No Native VLAN” (all tagged) caused a lockout: the MS308E management interface lives in VLAN 1 and the switch's trunk ports still carried VLAN 1 untagged (PVID 1), so once the other end of the trunk expected VLAN 1 tagged, the untagged management traffic was dropped. Reverted to Native VLAN = 1.
  • VLAN 2 (Mithrandir) initially failed on the downstream switches because VLAN 2 had not been added as a tagged member on the inter-switch trunk ports.
  • VLAN 3 (Tharkûn) clients had no Internet access until the “Allow DMZ to Internet” rule was added for the DMZ zone in UX7 Site Manager.
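When a VLAN disappears across a link, the quickest way to settle whether one end is sending tagged or untagged frames is to capture on that link (for example `tcpdump -e -nn -i <interface>` on a host plugged into the port under test) and read the 802.1Q header. The decoder below is an added example, not code from this page: it walks the TPID/TCI tag stack that such a capture shows and reports which VLAN a receiving port would file the frame under. The sample frames and the `02:…` MAC addresses are constructed for the demonstration.

```python
"""Decode the 802.1Q tag stack of an Ethernet frame.

Added example, not code from the page. The sample frames and MAC addresses are
constructed for the demonstration (locally administered 02:... addresses).
"""
import struct
from typing import Optional

TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad"}   # 0x88A8 is the QinQ outer tag


def parse_frame(frame: bytes) -> dict:
    """Return dst/src, the tag stack (outermost first) and the payload ethertype."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TPIDS:
            break                               # reached the real ethertype
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": TPIDS[ethertype],
                     "pcp": tci >> 13,          # priority code point
                     "dei": (tci >> 12) & 1,    # drop eligible indicator
                     "vid": tci & 0x0FFF})      # 12-bit VLAN ID
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def vlan_of(frame: bytes, pvid: Optional[int]) -> Optional[int]:
    """VLAN the receiving port assigns the frame to: the outer VID when tagged,
    else the port's PVID. A VID of 0 is priority-tagged and counts as untagged.
    pvid=None means the port has no native VLAN (UniFi "No Native VLAN") and
    drops untagged frames, which is the lockout case in Historical Notes."""
    tags = parse_frame(frame)["tags"]
    if tags and tags[0]["vid"] != 0:
        return tags[0]["vid"]
    return pvid


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, vids=()) -> bytes:
    """Assemble a frame with zero or more 802.1Q tags (PCP 0, DEI 0)."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


GW = bytes.fromhex("020000000001")      # constructed MAC standing in for the UX7
PC = bytes.fromhex("020000000002")      # constructed MAC standing in for a VLAN 2 PC
IPV4_STUB = b"\x45" + b"\x00" * 19      # just enough bytes to look like an IPv4 header

SAMPLES = {
    # management traffic crossing the trunk untagged: the far end files it under its PVID
    "untagged_arp": build_frame(b"\xff" * 6, GW, 0x0806, b"\x00" * 28),
    # Mithrandir traffic crossing the trunk tagged with VID 2
    "vlan2_ipv4": build_frame(GW, PC, 0x0800, IPV4_STUB, vids=(2,)),
    # stacked tags (outer 1, inner 3): what a double-tagging attempt from the
    # native VLAN looks like before the first switch strips the outer tag
    "double_tagged": build_frame(GW, PC, 0x0800, IPV4_STUB, vids=(1, 3)),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        info = parse_frame(frame)
        print(f"{name:14} tags={[t['vid'] for t in info['tags']]} "
              f"ethertype=0x{info['ethertype']:04x} assigned(PVID 1)={vlan_of(frame, 1)}")
```

The `double_tagged` sample is why the native VLAN choice in Key Decisions matters beyond convenience: a frame whose outer tag equals the trunk's native VLAN has that tag stripped on the way out of the first switch, and the next switch sees only the inner tag.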

Open Questions

  • How to handle Rivendell (VLAN 4) when deployed?
  • Will the U7 APs require specific VLAN tagging for Tharkûn WiFi? As configured (Switch 1 Port 8 is an access port, VLAN 3 untagged, PVID 3) the AP itself is managed from VLAN 3, and an SSID mapped to any other VLAN would need that VLAN tagged on the AP's port, i.e. the port configured like the trunks.

Related Pages

  • wiki/networking/vlan_setup.md (Legacy OPNsense context)
  • wiki/infrastructure/network.md
  • wiki/networking/opnsense_dmz_iot_firewall.md
