Hello mikrotik community,
I am having issues getting a running RouterOS config going. The end goal is to set up a VLAN core/trunk on ether1, and have my gateway on ether2.
* VLAN100-200 are separated for isolated hardwired access for hotel guests in their rooms.
The goal here is to get the hotspot running on bridge1, to which I added the VLAN interfaces as ports.
* VLAN5 is for employees, which will drop packets to popular P2P and instant messengers.
* VLAN10 is for management/system admins.
Forgetting about the hotspot on bridge1 currently and dropping VLAN5 out of the setup.
I am still working on getting internet access to bridge1, so I do this after a fresh install:
/interface vlan add interface=ether1 name=vlan10 vlan-id=10
/interface vlan add interface=ether1 name=vlan100 vlan-id=100 disabled=no
/interface vlan add interface=ether1 name=vlan101 vlan-id=101 disabled=no
/interface vlan add interface=ether1 name=vlan102 vlan-id=102 disabled=no
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=vlan100 disabled=no
/interface bridge port add bridge=bridge1 interface=vlan101 disabled=no
/interface bridge port add bridge=bridge1 interface=vlan102 disabled=no
I also use this rule to isolate the vlan clients from the soft-bridge. EDIT: This rule needs to be put in the bridge filter.
/interface bridge filter add chain=forward in-bridge=bridge1 out-bridge=bridge1 action=drop comment="" disabled=no
Configure dns address and allow remote requests:
/ip dns set primary-dns=10.166.26.1 allow-remote-requests=yes
Enable IP Firewall for bridges:
/interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
And then run setup:
/setup
define bridge1 address of 192.168.2.1
define vlan10 address of 192.168.1.1
define ether2 address of 10.166.26.50
gateway is 10.166.26.1
ether1 has no address, and is not part of the bridge.
Which defines the routes like this:
 #   DST-ADDRESS      PREF-SRC       GATEWAY-STATE  GATEWAY       DISTANCE  INTERFACE
 0 A S  ;;; added by setup
       0.0.0.0/0                     reachable      10.166.26.1   1         ether2
 1 ADC 10.166.26.0/24  10.166.26.50                               0         ether2
 2 ADC 192.168.1.0/24  192.168.1.1                                0         vlan10
 3 ADC 192.168.2.0/24  192.168.2.1                                0         bridge1
and DHCP server on the interfaces as well:
 #   NAME   INTERFACE  RELAY  ADDRESS-POOL  LEASE-TIME  ADD-ARP
 0   dhcp1  bridge1           dhcp-pool-1   3d
 1   dhcp2  vlan10            dhcp_pool1    3d
When I connect to VLAN10, DHCP assigns from the correct pool (192.168.1.x), I can ping 192.168.2.1 (which I shouldn't be able to) and can access the internet.
When I connect to VLAN100, VLAN101 or VLAN102, I can't ping 192.168.2.1; however, DHCP is served from the correct pool (192.168.2.x).
[admin@MikroTik] /interface bridge host> print
Flags: L - local, E - external-fdb
   BRIDGE   MAC-ADDRESS        ON INTERFACE
 L bridge1  00:21:91:8B:XX:XX  vlan102
 L bridge1  00:21:91:8B:XX:XX  vlan101
 L bridge1  00:21:91:8B:XX:XX  vlan100
   bridge1  00:0E:35:97:XX:XX  vlan101
As you can see, my laptop is displayed in the bridge host table, so it seems to be identifying the VLAN properly in the bridge. Where I feel a little weak is my NAT rules under /ip firewall nat. I have tried the standard masquerade with source preferences.
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether2
What am I missing to get my bridge to make connections through the IP NAT/Firewall?
Thanks for your time,
Jason
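As an added example, not part of Jason's post or of any MikroTik-supplied configuration: the setup described above consolidated into one RouterOS script, with the bridge named explicitly and the addresses, pools and default route written out instead of relying on /setup. The addresses and interface names are the ones from the post; the pool ranges, the DHCP network entries and the firewall filter rules at the end (which keep the guest bridge away from the management VLAN and limit what guests may send to the router itself) are my assumptions about the intended segmentation, added for illustration.

```routeros
# Trunk on ether1: one VLAN interface per tag (names/ids from the post)
/interface vlan add interface=ether1 name=vlan10  vlan-id=10  disabled=no
/interface vlan add interface=ether1 name=vlan100 vlan-id=100 disabled=no
/interface vlan add interface=ether1 name=vlan101 vlan-id=101 disabled=no
/interface vlan add interface=ether1 name=vlan102 vlan-id=102 disabled=no

# Guest VLANs are ports of one software bridge; name it so later lines can refer to it
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=vlan100
/interface bridge port add bridge=bridge1 interface=vlan101
/interface bridge port add bridge=bridge1 interface=vlan102

# Guests on different VLANs must not talk to each other across the bridge (layer 2)
/interface bridge filter add chain=forward in-bridge=bridge1 out-bridge=bridge1 action=drop \
    comment="isolate guest VLANs from each other"

# Let the IP firewall see bridged and VLAN traffic
/interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

# Addresses: guest bridge, management VLAN, uplink (values from the post)
/ip address add address=192.168.2.1/24  interface=bridge1
/ip address add address=192.168.1.1/24  interface=vlan10
/ip address add address=10.166.26.50/24 interface=ether2
/ip route add dst-address=0.0.0.0/0 gateway=10.166.26.1

# Router answers DNS for its clients and forwards to the upstream resolver
/ip dns set primary-dns=10.166.26.1 allow-remote-requests=yes

# DHCP for guests and for management (pool ranges are assumed, not from the post)
/ip pool add name=dhcp-pool-1 ranges=192.168.2.10-192.168.2.254
/ip pool add name=dhcp_pool1  ranges=192.168.1.10-192.168.1.254
/ip dhcp-server add name=dhcp1 interface=bridge1 address-pool=dhcp-pool-1 lease-time=3d disabled=no
/ip dhcp-server add name=dhcp2 interface=vlan10  address-pool=dhcp_pool1  lease-time=3d disabled=no
/ip dhcp-server network add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1

# NAT: everything leaving the uplink is masqueraded (rule from the post)
/ip firewall nat add chain=srcnat out-interface=ether2 action=masquerade

# Assumed segmentation policy (layer 3), evaluated top to bottom:
# - guests (bridge1) may reach the internet but never the management network
# - guests may only ask the router for DHCP and DNS
# - management (vlan10) is not reachable from guests, and its own router access stays open
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=bridge1 out-interface=vlan10 action=drop \
    comment="guests -> management: deny"
/ip firewall filter add chain=forward in-interface=bridge1 dst-address=192.168.1.0/24 action=drop
/ip firewall filter add chain=forward in-interface=bridge1 out-interface=ether2 action=accept \
    comment="guests -> internet"
/ip firewall filter add chain=forward in-interface=vlan10 out-interface=ether2 action=accept \
    comment="management -> internet"
/ip firewall filter add chain=forward action=drop comment="default deny between segments"

/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface=bridge1 protocol=udp dst-port=67 action=accept \
    comment="guests: DHCP"
/ip firewall filter add chain=input in-interface=bridge1 protocol=udp dst-port=53 action=accept \
    comment="guests: DNS"
/ip firewall filter add chain=input in-interface=bridge1 action=drop \
    comment="guests: nothing else to the router"
/ip firewall filter add chain=input in-interface=vlan10 action=accept comment="management"
```

The forward chain is what decides whether a guest packet that enters on a bridged VLAN may leave through ether2, so when debugging a case like the one in the post, /ip firewall filter print stats and /ip firewall connection print for a 192.168.2.x source show at which rule the traffic stops; the final drop rules exist so that a segment which is not explicitly allowed stays isolated by default.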