Hi, here is my problem, I have set


[admin@SERVER] /interface> print
Flags: X - disabled, R - running, D - dynamic, S - slave
# NAME TYPE MTU
0 R Local ether 1500
1 R lan2 ether 1500
2 R Public ether 1500
3 R vlan1 vlan 1500
4 R vlan2 vlan 1500
5 R vlan3 vlan 1500
[admin@SERVER] /interface>


[admin@SERVER] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.0.254/24 192.168.0.0 192.168.0.255 Local
1 xxx.xxx.234.11/24 xxx.xxx.234.0 xxx.xxx.234.255 Public
2 192.168.0.1/24 192.168.0.0 192.168.0.255 Local
3 192.168.10.254/24 192.168.10.0 192.168.10.255 vlan1
4 192.168.20.254/24 192.168.20.0 192.168.20.255 vlan2
5 192.168.30.254/24 192.168.30.0 192.168.30.255 vlan3
[admin@SERVER] /ip address>

[admin@SERVER] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE
0 A S 0.0.0.0/0 r xxx.xxx.234.1 1 Public
1 ADC 192.168.0.0/24 192.168.0.254 0 Local
2 ADC 192.168.10.0/24 192.168.10.254 0 vlan1
3 ADC 192.168.20.0/24 192.168.20.254 0 vlan2
4 ADC 192.168.30.0/24 192.168.30.254 0 vlan3
5 ADC xxx.xxx.234.0/24 xxx.xxx.234.11 0 Public
[admin@SERVER] >


I have a computer set as 192.168.10.1 ip, dns 192.168.10.254, gateway 192.168.10.254 and mask 255.255.255.0

I cant get internet access from any vlan to internet, I already tried making a bridge from vlan1 to public interface but it doesnt worked. What am I missing?

Thank you anyone who reads this.

hm... what hardware do you use to tag VLANs?

I don't see a MASQ rule for the subnet in question.

[admin@SERVER] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=Public
[admin@SERVER] /ip firewall nat>


what do you mean by TAG vlans?

this masquerade works well with my Local interface and all the ips in there.

my vlan was created by mt with Local ether as main interface, Is the nat ok? it should nat all ether interfaces including vlan or not?

Thank you for answering.

VLAN is separate interface, and all rules regarding it's ethernet interface do not affect VLAN itself, so add masquerade rule for VLAN

what do you mean by TAG vlans?

I mean, there could be error in configuring VLANs on your switch. do you ping MT from your workstations?

hello, the masquerade rule doesnt specify the In Interface as Ether1 or in my case Local, but it has Public as Out Interface so shouldnt thist rule apply to all IN interfaces?

about the pinging, I can ping the vlans from the mt server but not from the workstations, as if there were no routes or something, but as you can see in the first post there is a route for every vlan.
Maybe the masquerade is ok and this thing that cant allow me to reach the server from workstations its the problem.

Local and Public interfaces are bridge by switch (linksys sr224), should I need to bridge Local and Vlan interfaces for Internet to work? the thing is that if I do that the vlan interfaces could see each other and the Local Interface. I want all of them to be apart to segment my lan.

Thank you all for your time.

Linksys SR224 doesn't support VLANs

ooh, sorry for make you waste your time then, thank you so much for your support Chupaka.

topic closed =(