yaikun94
Member Candidate
Topic Author
Posts: 110
Joined: Tue Nov 24, 2015 10:05 am

problem with Vlan trunk

Wed Dec 16, 2015 6:46 am

Hi guys,
I have a problem with trunking multiple VLANs. I have configured VLANs on 2 routers: RB951G and RB1100. Here is my config
***on RB951G
[admin@PhuServer] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU
 0  R  ether1                              ether            1500  1598       4074
 1  RS ether2                              ether            1500  1598       4074
 2   S ether3                              ether            1500  1598       4074
 3   S ether4                              ether            1500  1598       4074
 4   S ether5                              ether            1500  1598       4074
 5   S wlan1                               wlan             1500  1600       2290
 6  R  bridge1                             bridge           1500  1598
 7  R  vlan10                              vlan             1500  1594
 8  R  vlan20                              vlan             1500  1594
 9  R  vlan30                              vlan             1500  1594
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                
 0   172.16.20.1/24     172.16.20.0     ether2                                   
 1   10.10.10.1/24      10.10.10.0      vlan10                                   
 2   20.20.20.1/24      20.20.20.0      vlan20                                   
 3   30.30.30.1/24      30.30.30.0      vlan30                                   
 4 D 192.168.0.6/24     192.168.0.0     ether1     
***on RB1100
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU
 0  RS ether1                              ether            1500  1598       9498
 1   S ether2                              ether            1500  1598       9498
 2   S ether3                              ether            1500  1598       9498
 3  RS ether4                              ether            1500  1598       9498
 4   S ether5                              ether            1500  1598       9498
 5   S ether6                              ether            1500  1598       9498
 6   S ether7                              ether            1500  1598       9498
 7   S ether8                              ether            1500  1598       9498
 8   S ether9                              ether            1500  1598       9498
 9   S ether10                             ether            1500  1598       9498
10   S ether11                             ether            1500  1600       9500
11   S ether12                             ether            1500  1600       9116
12     ether13                             ether            1500  1600       9116
13  R  bridge access vlan10                bridge           1500  1598
14  R  bridge access vlan20                bridge           1500  1598
15  R  bridge access vlan30                bridge           1500  1598
16  R  bridge trunk                        bridge           1500  1598
17  RS vlan10                              vlan             1500  1594
18  RS vlan20                              vlan             1500  1594
19  RS vlan30                              vlan             1500  1594
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE               BRIDGE               PRIORITY  PATH-COST    HORIZON
 0    ether1                  bridge trunk             0x80         10       none
 1    ether4                  bridge access vlan10     0x80         10       none
 2 I  ether5                  bridge access vlan10     0x80         10       none
 3 I  ether6                  bridge access vlan10     0x80         10       none
 4 I  ether7                  bridge access vlan20     0x80         10       none
 5 I  ether8                  bridge access vlan20     0x80         10       none
 6    vlan20                  bridge access vlan20     0x80         10       none
 7 I  ether10                 bridge access vlan30     0x80         10       none
 8 I  ether11                 bridge access vlan30     0x80         10       none
 9 I  ether12                 bridge access vlan30     0x80         10       none
10    vlan10                  bridge access vlan10     0x80         10       none
11    vlan30                  bridge access vlan30     0x80         10       none
12 I  ether2                  bridge trunk             0x80         10       none
13 I  ether3                  bridge trunk             0x80         10       none
14 I  ether9                  bridge access vlan20     0x80         10       none
The problem is all of my VLANs can ping each other. I don't know what I did wrong, so I hope you guys could help me. Thanks, and sorry for my bad English.
 
simenskaa
just joined
Posts: 11
Joined: Thu Nov 12, 2015 1:54 pm

Re: problem with Vlan trunk

Wed Dec 16, 2015 9:21 am

Add a drop forward rule between the LANs
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: problem with Vlan trunk

Wed Dec 16, 2015 7:15 pm

The router is forwarding the traffic between the VLANs.
That's what a router is supposed to do.

The VLANs simply break your network into different broadcast domains.
(this means that UPnP devices won't see each other, for instance)

If you want to block IP communication between the various VLANs then you have to tell the router not to do it, and simenskaa's suggestion is the way to do that.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept out-interface=ether1
add chain=forward action=drop
 
yaikun94
Member Candidate
Topic Author
Posts: 110
Joined: Tue Nov 24, 2015 10:05 am

Re: problem with Vlan trunk

Thu Dec 17, 2015 5:18 am

It worked, guys. Thanks a lot. Really appreciate it =]]
 
yaikun94
Member Candidate
Topic Author
Posts: 110
Joined: Tue Nov 24, 2015 10:05 am

Re: problem with Vlan trunk

Thu Dec 17, 2015 5:53 am

Hi ZeroByte, can I ask you another question?
The code you gave me:
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept out-interface=ether1
add chain=forward action=drop

I have tested it by disabling the rules one by one to see how it works. And it looks like if I leave the 4th line enabled, it still works the same. Different VLANs can't ping each other and the same VLANs can. So what do the others do?? Thanks, and sorry for my bad English.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: problem with Vlan trunk

Thu Dec 17, 2015 8:04 pm

I have tested it by disabling the rules one by one to see how it works. And it looks like if I leave the 4th line enabled, it still works the same. Different VLANs can't ping each other and the same VLANs can. So what do the others do?? Thanks, and sorry for my bad English.
Sure thing.
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
These two rules are the "stateful firewall" - meaning that if the connection state is established or the packet is related to another established connection, then this packet is OK. (FTP data is a "related" stream, and the audio stream for a SIP call is a "related" stream, for instance). The first rule uses fast-track, which accelerates the packet forwarding and skips other types of processing, so the router can handle more traffic capacity.
Rule 2 allows the same thing, but works for traffic that cannot benefit from fast track.

Basically, a rule that allows established connections is one that means "I've already approved this connection, so allow this packet without any more checks."

Any more rules after this will become the policy for new connections.
add chain=forward action=accept out-interface=ether1
This means that if the packet is outbound to the Internet, it should be allowed.
(when the response from the website comes back, that will cause the connection to become "established" so rules 1 and 2 will permit those packets)

If you wanted to create an internal network that anyone could gain access to - suppose you put a media server and a printer on a special LAN connected to ether4, then you would add a rule here which looks like rule 3, but instead of out-interface=ether1, you would specify ether4.
add chain=forward action=drop
This is the default rule to drop all packets that have not yet been approved.
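As an added illustration (not code from the thread, and not RouterOS code), the following Python model walks the four-rule forward chain ZeroByte posted and explained, plus the optional "shared LAN on ether4" rule from his printer/media-server example, against a set of constructed packets. It shows which rule decides each packet: new connections between VLANs hit the final drop, new connections towards the uplink hit the out-interface accept, and return traffic hits the established/related rules. It also shows what happens if only the drop rule is left in place. The interface names (ether1 as uplink, ether4 as shared LAN, vlan10/20/30), the packet set and the helper names are assumptions for the example; fasttrack-connection is simplified to an accept on the fast path, and which packets RouterOS can really fasttrack is out of scope.

```python
"""Model of the RouterOS forward-chain policy discussed in the thread.

Constructed example: only the two matchers used in the thread
(connection-state, out-interface) are modelled, and rules are evaluated
top-down exactly as the firewall does. Nothing here talks to a router.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One /ip firewall filter rule in chain=forward."""
    action: str                               # "accept", "drop" or "fasttrack-connection"
    connection_state: Tuple[str, ...] = ()    # () means "any state"
    out_interface: Optional[str] = None       # None means "any interface"


@dataclass(frozen=True)
class Packet:
    """A packet as the forward chain sees it (constructed, not captured)."""
    in_interface: str
    out_interface: str
    connection_state: str                     # "new", "established", "related" or "invalid"


UPLINK = "ether1"                             # assumption: ether1 is the Internet uplink
SHARED_LAN = "ether4"                         # assumption: hypothetical shared-services LAN
VLANS = ("vlan10", "vlan20", "vlan30")

# The four rules ZeroByte posted, in the posted order.
BASE_POLICY = [
    Rule("fasttrack-connection", ("established", "related")),
    Rule("accept", ("established", "related")),
    Rule("accept", out_interface=UPLINK),
    Rule("drop"),
]

# Same policy with an accept for the shared LAN inserted before the final drop,
# as described for the printer/media-server case.
SHARED_POLICY = BASE_POLICY[:3] + [Rule("accept", out_interface=SHARED_LAN)] + BASE_POLICY[3:]

# What the poster tested: only the drop rule enabled.
DROP_ONLY_POLICY = [Rule("drop")]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher present on the rule must agree with the packet."""
    if rule.connection_state and pkt.connection_state not in rule.connection_state:
        return False
    if rule.out_interface is not None and pkt.out_interface != rule.out_interface:
        return False
    return True


def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the deciding rule); the first matching rule wins.

    Simplification (assumption): fasttrack-connection is treated as an accept
    on the fast path. A real router may still send some packets of a
    fasttracked connection through the slow path, which is why the plain
    accept for established,related follows it. If nothing matches, RouterOS
    accepts by default, hence ("accept", None).
    """
    for index, rule in enumerate(policy):
        if matches(rule, pkt):
            verdict = "accept" if rule.action == "fasttrack-connection" else rule.action
            return verdict, index
    return "accept", None


def inter_vlan_isolated(policy: List[Rule]) -> bool:
    """True if no VLAN can open a new connection to another VLAN."""
    return all(evaluate(policy, Packet(a, b, "new"))[0] == "drop"
               for a in VLANS for b in VLANS if a != b)


def internet_allowed(policy: List[Rule]) -> bool:
    """True if every VLAN can open connections to the uplink and get replies back."""
    outbound_ok = all(evaluate(policy, Packet(v, UPLINK, "new"))[0] == "accept" for v in VLANS)
    replies_ok = all(evaluate(policy, Packet(UPLINK, v, "established"))[0] == "accept" for v in VLANS)
    return outbound_ok and replies_ok


if __name__ == "__main__":
    scenarios = [
        ("vlan10 -> vlan20, new", BASE_POLICY, Packet("vlan10", "vlan20", "new")),
        ("vlan10 -> uplink, new", BASE_POLICY, Packet("vlan10", UPLINK, "new")),
        ("uplink -> vlan10, established", BASE_POLICY, Packet(UPLINK, "vlan10", "established")),
        ("vlan10 -> shared LAN, new (shared policy)", SHARED_POLICY, Packet("vlan10", SHARED_LAN, "new")),
        ("shared LAN -> vlan10, new (shared policy)", SHARED_POLICY, Packet(SHARED_LAN, "vlan10", "new")),
        ("vlan10 -> uplink, new (drop rule only)", DROP_ONLY_POLICY, Packet("vlan10", UPLINK, "new")),
    ]
    for name, policy, pkt in scenarios:
        verdict, index = evaluate(policy, pkt)
        print(f"{name:45s} -> {verdict:6s} (rule {index})")
    print("inter-VLAN isolated with base policy:", inter_vlan_isolated(BASE_POLICY))
    print("Internet allowed with base policy:   ", internet_allowed(BASE_POLICY))
    print("Internet allowed with drop only:     ", internet_allowed(DROP_ONLY_POLICY))
```

Two things the model makes visible that are easy to miss from the rule list alone. First, with only the drop rule enabled, inter-VLAN pings still fail, but so does every new connection towards the uplink, so the first three rules are what keep Internet access working. Second, the shared-LAN accept is one-directional: VLAN hosts can open connections to ether4 and get replies back through the established/related rules, but a host on ether4 cannot initiate a connection into a VLAN. The model only covers routed traffic; hosts in the same VLAN reach each other through the bridge or switch and never enter the forward chain, which is why same-VLAN pings kept working during the poster's test.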
 
yaikun94
Member Candidate
Topic Author
Posts: 110
Joined: Tue Nov 24, 2015 10:05 am

Re: problem with Vlan trunk

Fri Dec 18, 2015 4:54 am

Thanks a lot ZeroByte. You are really a big help for me :D :D :D