UniFi UX7 & Netgear MS308E VLAN Setup

Thu, 30 Apr 2026 00:00:00 +0000

UniFi UX7 & Netgear MS308E VLAN Setup#

Multi-switch VLAN topology using UniFi UCG Express (UX7) and Netgear MS308E switches.
Netgear MS308E 802.1Q Advanced configuration pattern for trunks and access ports.
Troubleshooting methodology for multi-switch chains (isolate to inter-switch trunks vs. device-specific vs. firewall).
UX7 firewall rule correction for IoT isolation (Tharkûn VLAN 3).

VLAN 1 (Gandalf): Untagged on trunks, PVID 1. Used for servers and switch management.
VLAN 2 (Mithrandir): Tagged on trunks, Untagged on access. PVID 2. Routes through UX7 VPN.
VLAN 3 (Tharkûn): Tagged on trunks, Untagged on access. PVID 3. Isolated IoT network.
Native VLAN set to 1 on trunks to ensure management traffic passes untagged and remains accessible.
UX7 Firewall: Tharkûn (VLAN 3) placed in DMZ zone. Required explicit “Allow DMZ to Internet” rule to restore IoT connectivity.

UX7 (Olorín): 192.168.1.1
- Port 1 (to Netgear Switch 1): Trunk, Native VLAN 1, Allowed VLANs 1, 2, 3.
Netgear MS308E (Switch 1): 192.168.1.239
- Port 1 (to UX7): VLAN 1 Untagged (PVID 1), VLAN 2 Tagged, VLAN 3 Tagged.
- Ports 2, 3 (to downstream switches): Same as Port 1.
- Access Ports (e.g., Port 8 to U7 AP): VLAN 3 Untagged, PVID 3.
Netgear MS308E (Switch 2):
- Trunk ports: VLAN 1 Untagged (PVID 1), VLAN 2 Tagged, VLAN 3 Tagged.
- Access Ports: VLAN 2 Untagged (PVID 2) for PCs, VLAN 3 Untagged (PVID 3) for IoT (e.g., Hue Hub).
UX7 Firewall Rules (Tharkûn/DMZ):
- Allow DMZ to Internet
- Allow DMZ to Gateway
- Block DMZ to Internal
- Block DMZ to VPN

Initial attempts to set trunk ports to “No Native VLAN” (all tagged) caused lockout because management traffic (VLAN 1) became untagged and was dropped. Reverted to Native VLAN = 1.
VLAN 2 (Mithrandir) initially failed on downstream switches due to missing tagged configuration on inter-switch trunks.
VLAN 3 (Tharkûn) failed due to missing firewall rule in UX7 Site Manager for the DMZ zone.