Hello,
until now I was using a plain Debian as my router, but I now own some hardware from MikroTik and though it would be a good idea to migrate the Debian machine to RouterOS. But now I have some problems on how to configure everything the correct way.

First of all the exact setup until now:
I am using Proxmox VE to provide Virtual Machines and every Proxmox VE host runs its own Router VM (Debian until now). This Router VM has two network interfaces where the first one is connected to the "WAN" with a public IP address (lets assume ) and the second one is connected to a (virtual) switch where also the every single VM is connected to.
For the VMs I have some public subnets (lets assume and ) which get routed via . The second network interface of the (Debian) RouterVM had configured an IP address per subnet (in this case it would be and ) and all remaining IP addresses of the subnet where routed via its own VLAN to the trunk port of the (virutal) switch. (10.1.0.2 => VLAN 101, 10.1.0.3 => VLAN 102, ..., 10.2.0.2 => VLAN 201, ...)
Every VM then had its own access/untagged port on the switch to isolate the VMs from each other and prevent customers using IP addresses they should not use.

After some ours of tinkering I gave up now, I were unable to set up the same system using RouterOS. I came the furthest when I created the VLAN interfaces (Interfaces > VLAN), a Bridge which got the subnets IP address (e.g. 10.1.0.1) and added all the VLAN interfaces as a port to the bridge, but still its not working very reliable, there are a lot of issues regarding ARP requests. It seems like RouterOS iignores the ARP response from the clients VM.

I am not a network expert and would really appreciate it if someone could help me on how to set this up, or at least give me some advice/tipps/tricks/... because I dont have any ideas left what I could try.

Best ragards,
Stefan

Your confusing layer 2 (ethernet) and layer 3 (IP) functionality. There is mention of an IP address per subnet with the form 10.1.0.1 & 10.2.0.1, but then addresses with the form 10.1.0.2 & 10.1.0.3 which is completely different - if a subnet is attached to an ethernet interface layer 2 switching/bridging is used for the IPoE (IP-over-ethernet) between addresses within the subnet, layer 3 routing is used between an address within the subnet and an address which is not.

Your confusing layer 2 (ethernet) and layer 3 (IP) functionality.

Hello and thanks for your reply. I know the difference between L2 and L3 and everything should be isolated on L2, so this is intended.

I have made a image, hopefully it clarifies what I want to do. The top right machine (name RouterOS on my drawing) was my Debian based router which should get replaced with RouterOS now. The setup in Debian was very easy - two interfaces (named eth0 and eth1) and some VLAN interfaces (eth1.102, eth1.103, ..., eth1.202, ...). eth0 had its public IP (10.0.0.123) and eth1 had a IP for every routed subnet (10.1.0.1 and 10.2.0.1 in this case). The last thing to do was to add some routes "route add 10.1.0.2 via eth1.102" and so on.
I want to achieve the exact same using RouterOS now. The problem is that when i try to set it up the same way as the Debian based machine (create VLAN interfaces as subinterface of ether2, assign IPs to ether2, add routes) ARP requests for 10.1.0.1 from the VMs (to RouterOS) wont get answered by RouterOS. I then have tried wild combinations of IP assignment, bridge interfaces, etc... (they were not intended to really work, just some trial and error debugging) but none of them worked.

So ultimatively my question is - what would be the correct way to set this scenario up in RouterOS?

The problem is that when i try to set it up the same way as the Debian based machine (create VLAN interfaces as subinterface of ether2, assign IPs to ether2, add routes) ARP requests for 10.1.0.1 from the VMs (to RouterOS) wont get answered by RouterOS. I then have tried wild combinations of IP assignment, bridge interfaces, etc... (they were not intended to really work, just some trial and error debugging) but none of them worked.

From your config, it looks like the problem is that you are using the addresses 10.1.0.1/32 and 10.2.0.1/32. That means the subnet mask for both is 255.255.255.255 which is not correct if you also have VMs on the same subnet.

That means the subnet mask for both is 255.255.255.255 which is not correct if you also have VMs on the same subnet.

Shouldnt that be irrelevant when configuring routes manually?
Also it was not a problem before when using Debian as the router.
The "subnet" is only routed by the ISP I get the IP addresses from, internally I dont want to use it as a subnet. The IPs are from the subnet, but are used as single IPs. I hope you understand what I mean.

The "subnet" is only routed by the ISP I get the IP addresses from, internally I dont want to use it as a subnet. The IPs are from the subnet, but are used as single IPs. I hope you understand what I mean.

Sorry, looked at your example a little more closely. This isn't really a "beginner basics" question. You can't use an ethernet interface or VLAN or similar as the next-hop unless the router itself has an IP on that interface/VLAN, in which case the route is already present as a "connected" route and you don't have to add it. I'm not entirely sure how you have this working on Debian at all.

I'm surprised it works as there do not appear to be any addresses associated with the VLANs (ether2.102, ether2.103, etc.), having an address on the base ether2 isn't propagated to the child VLAN interfaces.

Our main use of routed IP blocks is public addresses for PPPoE clients, but we have used /32 point to point IPoE connections. For your setup along the lines of: The clients would be configured with their /32 address and 10.0.0.123 as the peer.

I think probably what you need to do is delete the routes you have created, and instead add the address multiple times, as follows:
Each time the "network" would be changed for the other VM. You shouldn't need to add routes manually with that at all. Give that a try. Change the VLAN interface names to match what you have configured.

Thanks to you both - configuring the same IP on multiple (VLAN) interfaces did the trick. Never thought about trying this because it feels something strange to have the same IP configured on more than one Interface.
It also seems like that Debian, in some way, propagates the IP of the base interface also to the VLAN sub interface, thus I never had issues with that.

Thanks again and best regards