mmee
just joined
Topic Author
Posts: 16
Joined: Sat Aug 28, 2021 8:30 am
Location: Estonia

Routing between VLANs on RB4011

Tue Oct 29, 2024 9:54 am

Hello,
I would like to ask for your help with routing between VLANs on an RB4011iGS+5HacQ2HnD.
VLAN filtering is enabled and working, but I can't open a connection from vlan100 to vlan200. I just assume the routing is missing, but I'm not sure what should be added.
eth1: WAN
eth2 (vlan100): hap ac2 1 (caps)
eth3 (vlan100): hap ac2 2 (caps)
eth4 (vlan100): client device
eth5 (vlan100): client device
eth6 (vlan100): client device
eth7: empty
eth8 (vlan10): admin access
eth9 (vlan200): PoE switch for surveillance cameras
eth10: empty
wlan1 (vlan100)
wlan2 (vlan100)

Networks:
192.168.10.0/24 - vlan10 (admin)
192.168.90.0/24 - vpn
192.168.95.0/24 - vlan100 (clients)
192.168.200.0/24 - vlan200 (surveillance)

This model has two separate switches inside (switch1: eth1-5, switch2: eth6-10) and, as I found on the wiki, these switches don't support the VLAN table feature, so I'm lost as to how to continue with this.

I also tried debugging with the packet sniffer on ether9, but there was no response from the device in vlan200.
I'm sure you will ask for the full config, so here it is:
# 2024-10-29 09:01:09 by RouterOS 7.16
# software id = PT47-7AMD
#
# model = RB4011iGS+5HacQ2HnD
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2412 name=ch24
add band=5ghz-onlyn name=ch5
/interface bridge
add name=bridge vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 5300/20-Ce/an/DP(17dBm), SSID: Hidden Network, CAPsMAN forwarding
set [ find default-name=wlan2 ] country=MY_COUNTRY mode=ap-bridge ssid=  MikroTik_5G
/interface wireguard
add listen-port=9980 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes name=datapath1 vlan-id=100   vlan-mode=use-tag
/caps-man security
add authentication-types=wpa-psk encryption=aes-ccm name=sec1
/caps-man configuration
add channel=ch24 country=MY_COUNTRY datapath=datapath1 distance=indoors   installation=indoor mode=ap name=cfg_24 security=sec1 ssid=  "Hidden Network"
add channel=ch5 channel.band=5ghz-n/ac .control-channel-width=20mhz   .frequency=5240 country=MY_COUNTRY datapath=datapath1 distance=indoors   installation=indoor mode=ap name=cfg_5 rates.supported="" security=sec1   ssid="Hidden Network"
/caps-man interface
add configuration=cfg_24 disabled=no l2mtu=1600 mac-address=xx:xx:xx:xx:xx:xx   master-interface=none name=cap1 radio-mac=xx:xx:xx:xx:xx:xx radio-name=xx
add channel=ch5 channel.frequency=5300 configuration=cfg_5   configuration.installation=any disabled=no l2mtu=1600 mac-address=  xx:xx:xx:xx:xx:xx master-interface=none name=cap2 radio-mac=  xx:xx:xx:xx:xx:xx radio-name=xx
add channel.frequency=2422 configuration=cfg_24 disabled=no l2mtu=1600   mac-address=xx:xx:xx:xx:xx:xx master-interface=none name=cap3 radio-mac=  xx:xx:xx:xx:xx:xx radio-name=xx
add channel=ch5 channel.frequency=5180 configuration=cfg_5 disabled=no l2mtu=  1600 mac-address=xx:xx:xx:xx:xx:xx master-interface=none mtu=1500 name=  cap4 radio-mac=xx:xx:xx:xx:xx:xx radio-name=xx
add channel.frequency=2432 configuration=cfg_24 disabled=no l2mtu=1600   mac-address=xx:xx:xx:xx:xx:xx master-interface=none name=cap5 radio-mac=  xx:xx:xx:xx:xx:xx radio-name=xx
add channel=ch5 channel.frequency=5240 configuration=cfg_5 disabled=no l2mtu=  1600 mac-address=xx:xx:xx:xx:xx:xx master-interface=none name=cap6   radio-mac=xx:xx:xx:xx:xx:xx radio-name=xx
/interface list
add name=LAN
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=sec
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=profile1   supplicant-identity=""
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(17dBm), SSID: Hidden Network, CAPsMAN forwarding
set [ find default-name=wlan1 ] country=MY_COUNTRY installation=indoor mode=  ap-bridge security-profile=profile1 ssid=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.95.30-192.168.95.254
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool2 ranges=192.168.200.2-192.168.200.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan100 name=dhcp1
add address-pool=dhcp_pool1 interface=vlan10 name=dhcp_vlan10
add address-pool=dhcp_pool2 interface=vlan200 name=dhcp_vlan200
/port
set 0 name=serial0
set 1 name=serial1
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg_24 radio-mac=  xx:xx:xx:xx:xx:xx
add action=create-dynamic-enabled master-configuration=cfg_24 radio-mac=  xx:xx:xx:xx:xx:xx
/interface bridge port
add bridge=bridge interface=ether2 pvid=100
add bridge=bridge interface=ether3 pvid=100
add bridge=bridge interface=ether4 pvid=100
add bridge=bridge interface=ether5 pvid=100
add bridge=bridge interface=ether8 pvid=10
add bridge=bridge interface=ether9 pvid=200
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge interface=ether6 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge untagged=ether8 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether4,ether5,ether3,ether2,ether6   vlan-ids=100
add bridge=bridge tagged=ether9,bridge vlan-ids=200
/interface list member
add interface=bridge list=LAN
add interface=ether8 list=LAN
/interface wireless cap
# 
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.95.1/24 interface=vlan100 network=192.168.95.0
add address=192.168.200.1/24 interface=vlan200 network=192.168.200.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.90.1/24 interface=wireguard1 network=192.168.90.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.95.99 client-id=1:xx:xx:xx:xx:xx:xx mac-address=  xx:xx:xx:xx:xx:xx server=dhcp1
add address=192.168.200.248 client-id=1:xx:xx:xx:xx:xx:xx mac-address=  xx:xx:xx:xx:xx:xx server=dhcp_vlan200
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.95.3,192.168.95.33 gateway=  192.168.10.1
add address=192.168.95.0/24 dns-server=192.168.95.3,192.168.95.33 gateway=  192.168.95.1
add address=192.168.200.0/24 dns-server=192.168.95.3,192.168.95.33 gateway=  192.168.200.1
/ip firewall address-list
add address=192.168.95.0/24 list=admin_list
add address=192.168.10.0/24 list=admin_list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=  not_in_internet
add address=192.168.95.0/24 list=LAN_network
add address=192.168.10.0/24 list=LAN_network
add address=10.15.0.0/16 list=SW_Server
add address=192.168.8.0/24 list=SW_Server
add address=10.8.0.0/16 list=SW_Server
add address=192.168.68.0/24 list=SW_Server
add address=172.28.249.0/24 list=SW_Server
add address=172.28.1.0/24 list=SW_Server
add address=192.168.4.0/24 list=SW_Server
/ip firewall filter
add action=fasttrack-connection chain=forward comment=  "fast-track for established,related" connection-state=established,related   hw-offload=yes
add action=accept chain=input dst-port=8291,80 protocol=tcp src-address-list=  admin_list
add action=accept chain=input comment="Accept ICMP" in-interface=ether1   protocol=icmp
add action=accept chain=forward comment="Established, Related"   connection-state=established,related
add action=accept chain=forward dst-address-list=LAN_network   src-address-list=LAN_network
add action=accept chain=forward comment=vlan100_to_vlan200 in-interface=  vlan100 log-prefix=vlan100_to_vlan200 out-interface=vlan200
add action=accept chain=forward comment=vlan200_to_vlan200 connection-state=  "" in-interface=vlan200 log-prefix=vlan200_to_bridge out-interface=  vlan100
add action=accept chain=input comment="Wireguard allow" dst-port=9980   protocol=udp
add action=accept chain=forward comment="SW allow" dst-address-list=SW_Server   src-mac-address=xx:xx:xx:xx:xx:xx
add action=drop chain=forward comment="Drop from vlan200 to internet" log=yes   log-prefix=Drop_from_vlan200 out-interface=ether1 src-address=  192.168.200.0/24
add action=drop chain=input comment="block everything else - input_drop"   in-interface=ether1 log-prefix=input_drop
add action=drop chain=forward comment="Drop invalid forward"   connection-state=invalid
add action=drop chain=forward comment=  "drop access to clients behind NAT from WAN" connection-nat-state=!dstnat   connection-state=new in-interface=ether1
add action=drop chain=forward comment=  "Drop tries to reach not public addresses from LAN - !public_from_LAN"   dst-address-list=not_in_internet in-interface=bridge log=yes log-prefix=  !public_from_LAN out-interface=!bridge
add action=drop chain=forward comment=  "Drop incoming packets that are not NAT`ted - !NAT" connection-nat-state=  !dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=  "Drop incoming from internet which is not public IP - !public"   in-interface=ether1 log=yes log-prefix=!public src-address-list=  not_in_internet
add action=drop chain=forward comment=  "Drop packets from LAN that do not have LAN IP - LAN_!LAN" in-interface=  bridge log=yes log-prefix=LAN_!LAN src-address-list=!LAN_network
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat src-address=192.168.90.0/24
add action=masquerade chain=srcnat src-address=192.168.10.0/24
add action=masquerade chain=srcnat src-address=192.168.200.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.95.0/24,192.168.10.0/24
/system clock
set time-zone-autodetect=no time-zone-name=Europe/MY_CITY
/system identity
set name=MikroTik_4011
/system note
set show-at-login=no
/tool graphing interface
add allow-address=192.168.95.0/24 interface=ether1
/tool mac-server
set allowed-interface-list=LAN
/tool sniffer
set file-name=sniffer_eth9 filter-interface=ether9 memory-limit=1024KiB
 
erlinden
Forum Guru
Posts: 2671
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Routing between VLANs on RB4011

Tue Oct 29, 2024 10:20 am

You could order your firewall rules; that would make it more readable. Start with the input chain, then the forward chain.
Currently it is a complete mess (to me).

This rule should allow traffic from VLAN100 to VLAN200. Is it hit (either counters or log entries when logging is enabled)? Where do the spaces come from?
add action=accept chain=forward comment=vlan100_to_vlan200 in-interface=  vlan100 log-prefix=vlan100_to_vlan200 out-interface=vlan200
 
mmee
just joined
Topic Author
Posts: 16
Joined: Sat Aug 28, 2021 8:30 am
Location: Estonia

Re: Routing between VLANs on RB4011

Tue Oct 29, 2024 10:55 am

Spaces come from formatting the config before publishing it (removed the "\ new line" continuations to make it more readable... didn't succeed).

This rule should allow traffic from VLAN100 to VLAN200. Is it hit (either counters or log entries when logging is enabled)? Where do the spaces come from?
add action=accept chain=forward comment=vlan100_to_vlan200 in-interface= vlan100 log-prefix=vlan100_to_vlan200 out-interface=vlan200
This rule allows the traffic, it's clearly visible in the logs, this is why I don't think it's a firewall issue.

Rules reorganized:
/ip firewall filter
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes
add action=accept chain=input dst-port=8291,80 protocol=tcp src-address-list=admin_list
add action=accept chain=input comment="Accept ICMP" in-interface=ether1 protocol=icmp
add action=accept chain=input comment="Wireguard allow" dst-port=9980 protocol=udp
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=accept chain=forward comment="Local network allow" dst-address-list=LAN_network src-address-list=LAN_network
add action=accept chain=forward comment="vlan100_to_vlan200" in-interface=vlan100 log-prefix=vlan100_to_vlan200 out-interface=vlan200
add action=accept chain=forward comment="vlan200_to_vlan200" connection-state="" in-interface=vlan200 log-prefix=vlan200_to_vlan100 out-interface=vlan100
add action=accept chain=forward comment="SW allow" dst-address-list=SW_Server src-mac-address=xx:xx:xx:xx:xx:xx
add action=drop chain=forward comment="Drop from vlan200 to internet" log=yes log-prefix=Drop_from_vlan200 out-interface=ether1 src-address=192.168.200.0/24
add action=drop chain=input comment="block everything else - input_drop" in-interface=ether1 log-prefix=input_drop
add action=drop chain=forward comment="Drop invalid forward" connection-state=invalid
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN - !public_from_LAN" dst-address-list=not_in_internet in-interface=bridge log=yes log-prefix=\
    !public_from_LAN out-interface=!bridge
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted - !NAT" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP - !public" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP - LAN_!LAN" in-interface=bridge log=yes log-prefix=LAN_!LAN src-address-list=!LAN_network
 
mkx
Forum Guru
Posts: 13008
Joined: Thu Mar 03, 2016 10:23 pm

Re: Routing between VLANs on RB4011  [SOLVED]

Tue Oct 29, 2024 11:14 am

Is ether9 (on the wire side of port, towards PoE switch) supposed to carry tagged or untagged frames? Bridge port configuration (add bridge=bridge interface=ether9 pvid=200) implies it's supposed to be untagged on wire side, but bridge vlan configuration (add bridge=bridge tagged=ether9,bridge vlan-ids=200) implies it's supposed to be tagged.

Note that having the bridge (the CPU-facing port) as a tagged member of all of those VLANs is the right thing, since you have corresponding VLAN interfaces. In the exported config it's not a member for VLAN ID 10, so you should fix that as well.
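The two inconsistencies mkx points out (a port whose pvid says "untagged" while the bridge vlan entry lists it as tagged, and a VLAN interface on the bridge whose VLAN id does not have the bridge itself as a tagged member) can be checked mechanically before committing a config. The script below is an added example, not code from this thread or from MikroTik: it parses the `/interface vlan`, `/interface bridge port` and `/interface bridge vlan` sections of a RouterOS export (joining `\` line continuations the way the export writes them) and reports both kinds of mismatch. The embedded export is a constructed excerpt of the config in the first post with the stray continuation spaces removed; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt of the config from the first post (continuation spaces
# joined so each "add" command is one logical line). Example data only.
SAMPLE_EXPORT = """\
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan200 vlan-id=200
/interface bridge port
add bridge=bridge interface=ether2 pvid=100
add bridge=bridge interface=ether3 pvid=100
add bridge=bridge interface=ether4 pvid=100
add bridge=bridge interface=ether5 pvid=100
add bridge=bridge interface=ether8 pvid=10
add bridge=bridge interface=ether9 pvid=200
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge interface=ether6 pvid=100
/interface bridge vlan
add bridge=bridge untagged=ether8 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether4,ether5,ether3,ether2,ether6 \\
    vlan-ids=100
add bridge=bridge tagged=ether9,bridge vlan-ids=200
"""

# key=value or key="quoted value" tokens of one RouterOS command line
TOKEN = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S*)')


def join_continuations(text):
    """Join lines that a RouterOS export split with a trailing backslash."""
    lines, buf = [], ''
    for raw in text.splitlines():
        if raw.rstrip().endswith('\\'):
            buf += raw.rstrip()[:-1]
            continue
        lines.append(buf + (raw.lstrip() if buf else raw))
        buf = ''
    if buf:
        lines.append(buf)
    return lines


def parse_export(text):
    """Return {section: [ {key: value, ...}, ... ]} for the 'add' lines of an export."""
    sections = defaultdict(list)
    section = None
    for line in join_continuations(text):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):
            section = line
        elif section and line.startswith('add '):
            sections[section].append(
                {k: v.strip('"') for k, v in TOKEN.findall(line[4:])})
    return dict(sections)


def expand_vlan_ids(spec):
    """'10,20-22' -> {'10', '20', '21', '22'} (vlan-ids accepts lists and ranges)."""
    ids = set()
    for part in spec.split(','):
        if '-' in part:
            lo, hi = part.split('-', 1)
            ids.update(str(i) for i in range(int(lo), int(hi) + 1))
        elif part:
            ids.add(part)
    return ids


def check_bridge_vlans(sections):
    """Return human-readable findings about tagged/untagged consistency."""
    findings = []
    tagged = defaultdict(set)   # vlan id -> set of tagged member ports
    for entry in sections.get('/interface bridge vlan', []):
        for vid in expand_vlan_ids(entry.get('vlan-ids', '')):
            tagged[vid] |= {p for p in entry.get('tagged', '').split(',') if p}

    # (a) pvid=X means "untagged on the wire for VLAN X"; listing the same port as a
    #     tagged member of X contradicts that, so egress frames leave tagged while the
    #     device on the wire sends untagged, and traffic silently fails.
    for port in sections.get('/interface bridge port', []):
        iface, vid = port.get('interface'), port.get('pvid')
        if vid and iface in tagged[vid]:
            findings.append(f"{iface}: pvid={vid} but also a tagged member of vlan {vid}")

    # (b) a VLAN interface on the bridge only sees its traffic if the bridge itself
    #     (the CPU-facing port) is a tagged member of that VLAN id.
    for vi in sections.get('/interface vlan', []):
        parent, vid = vi.get('interface'), vi.get('vlan-id')
        if parent and vid and parent not in tagged[vid]:
            findings.append(f"{vi.get('name')}: '{parent}' is not a tagged member of vlan {vid}")
    return findings


def audit(text=SAMPLE_EXPORT):
    """Parse an export and return the list of findings (empty list = consistent)."""
    return check_bridge_vlans(parse_export(text))


if __name__ == '__main__':
    for finding in audit():
        print(finding)
```

Run against the excerpt it reports exactly the two points raised above: ether9 is both pvid=200 and a tagged member of VLAN 200, and vlan10 has no `bridge` tagged membership. Feeding it the output of `/export` on a router gives the same check for the live config; an empty result means the bridge port and bridge vlan sections agree with each other and with the VLAN interfaces.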
 
anav
Forum Guru
Posts: 22041
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing between VLANs on RB4011

Tue Oct 29, 2024 12:59 pm

What mkx is really stating is that it's rude not to provide the entire config, so we actually have the facts to help.........
/export file=anynameyouwish ( minus router serial number, any public WAN IP information, keys etc. )
 
mmee
just joined
Topic Author
Posts: 16
Joined: Sat Aug 28, 2021 8:30 am
Location: Estonia

Re: Routing between VLANs on RB4011

Tue Oct 29, 2024 1:46 pm

Hi,
What mkx is really stating is that it's rude not to provide the entire config, so we actually have the facts to help.........
What part of the config do you miss? I posted the full config in the first post, with the serial number, WireGuard peers, country and MAC addresses removed.

Thank you mkx for your suggestion, I changed ether9 on the vlan200 entry from tagged to untagged and it started to work. I'll review the rest of my config! (vlan10)
 
anav
Forum Guru
Posts: 22041
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing between VLANs on RB4011

Tue Oct 29, 2024 8:23 pm

Sorry my bad, I missed that for some reason.......old age :-)
