Dear Community and Netrat,

In my excitement with the solution given, I forgot to properly check that all VLANS have traffic going through. I feel somewhat embarrassed to have to come back asking for more help.

But after several trials during the last few days, I am still unable to get Mikrotik to let traffic going through the remaining VLANS. As indicated on the Interface page, VLAN 101 has Tr and Rx traffic running through normally but this is not the case with the remaining VLANS.

Again I'd appreciate your help with this issue.

The attached diagram shows of what I set out to achieve: And here is my current setting:

# jan/15/2010 20:32:12 by RouterOS 4.2


/interface ethernet
set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:53:FB:43 \
master-port=none mtu=1500 name=ether1 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:53:FB:44 \
master-port=none mtu=1500 name=ether2 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:53:FB:45 \
master-port=none mtu=1500 name=ether3 speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:53:FB:46 \
master-port=none mtu=1500 name=ether4 speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:53:FB:47 \
master-port=none mtu=1500 name=ether5 speed=100Mbps

/interface vlan
add arp=enabled comment="" disabled=no interface=ether2 l2mtu=1520 mtu=1500 \
name=VL-101 use-service-tag=no vlan-id=101
add arp=enabled comment="" disabled=no interface=ether2 l2mtu=1520 mtu=1500 \
name=VL-103 use-service-tag=no vlan-id=103
add arp=enabled comment="" disabled=no interface=ether2 l2mtu=1520 mtu=1500 \
name=VL-104 use-service-tag=no vlan-id=104
add arp=enabled comment="" disabled=no interface=ether3 l2mtu=1520 mtu=1500 \
name=VL-105 use-service-tag=no vlan-id=1

/interface ethernet switch
set switch1 mirror-source=none mirror-target=none name=switch1 \
switch-all-ports=yes

/ip dhcp-server
add address-pool=static-only authoritative=after-2sec-delay bootp-support=\
static disabled=no interface=VL-101 lease-time=3d name=server1

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no \
use-ip-firewall-for-vlan=no
/interface ethernet switch port
set (unknown) vlan-mode=fallback
set (unknown) vlan-mode=fallback
set (unknown) vlan-mode=fallback
set (unknown) vlan-mode=fallback
set (unknown) vlan-mode=fallback

/ip address
add address=192.168.101.1/27 broadcast=192.168.101.31 comment="" disabled=no \
interface=VL-101 network=192.168.101.0
add address=192.168.105.1/27 broadcast=192.168.105.31 comment="" disabled=no \
interface=ether3 network=192.168.105.0
add address=192.168.103.1/27 broadcast=192.168.103.31 comment="" disabled=no \
interface=VL-103 network=192.168.103.0
add address=192.168.104.1/27 broadcast=192.168.104.31 comment="" disabled=no \
interface=VL-104 network=192.168.104.0

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
max-udp-packet-size=512 primary-dns=61.9.134.49 secondary-dns=\
61.9.133.193

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s

/ip firewall filter
add action=drop chain=forward comment="Invalid Connections" connection-state=\
invalid disabled=no
add action=accept chain=forward comment="Established Connections" \
connection-state=established disabled=no
add action=accept chain=forward comment="Related connections" \
connection-state=related disabled=no
add action=drop chain=forward comment=\
"Drop Connection fr VL104 to other VLANS" disabled=yes in-interface=\
VL-104 out-interface=ether1
add action=drop chain=forward comment="Drop connection fr others to VL104" \
disabled=yes in-interface=ether1 out-interface=VL-104

/ip firewall mangle
add action=mark-packet chain=prerouting comment="" disabled=no dscp=26 \
new-packet-mark=VoIP-SIP passthrough=yes
add action=mark-packet chain=prerouting comment="" disabled=no dscp=46 \
new-packet-mark=VoIP-RTP passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
ether1
add action=masquerade chain=srcnat comment="" disabled=no src-address=\
192.168.0.0/16

/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

/ip neighbor discovery
set ether1 discover=yes
set ether2 discover=yes
set ether3 discover=yes
set ether4 discover=yes
set ether5 discover=yes
set VL-101 discover=yes
set VL-103 discover=yes
set VL-104 discover=yes
set VL-105 discover=yes

/queue interface
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=ethernet-default
set ether4 queue=ethernet-default
set ether5 queue=ethernet-default
set VL-101 queue=default
set VL-103 queue=default
set VL-104 queue=default
set VL-105 queue=default

Thank you in anticipation.

Can the other VLANs ping the router?

Hi Netrat,

No, they can not ping the router. Neither can they ping the gateway of their own subnets.

But from a PC in VLAN101, I can ping all 'default gateways' of these VLANS, i.e . 192.168.103.1, 192.168.104.1 & 192.168.105.1 alas but not the individual IP of a node in one of these subnets.

I am confused.

Thank you for coming back.

If they can't ping the router or each other then I think you need to check the configuration on your switch.

Netrat,

If they can't ping the router or each other then I think you need to check the configuration on your switch.

With perserverance and 'faith' in your suggestion, and after a few more hairs falling out of my head, I 'managed' to get the HP Procurve 1810's settings correct and traffic now flows through wired VLANS as water under the bridge. I like the metaphor since no bridge is used for crossing-over purposes. I also checked to be sure that all traffic flowing through all VLANS this time just to be sure.

This brings me to the remaining issue and just wonder if you can be so kind again. No Internet from my wifi connection.

I can connect with the RB411A but cannot get to the Net. It says no gateway reply. I can not assess the RB411A either from Winbox.

Thank you.

From your configuration: Change the interface to VL-105 instead of ether3, or remove the VLAN interface from ether3.

Hi,

Despite few trials, from changing the interface to VL-105 in place of eth3 to removing the VLAN interface from ether3, I still can not get the Net from the wifi side.

I can not ping an external IP adress from the wifi side. I can ping the RB450G router from the wifi side though.

Help, pls.