tlamik
Frequent Visitor
Topic Author
Posts: 57
Joined: Fri Mar 21, 2014 11:54 am

Routing between Vlans

Thu Aug 04, 2022 10:49 pm

I created two VLANs on a CRS326-24G-2S+ using the new style of creating VLANs. That means all ports are in one bridge, I created two VLAN interfaces on the bridge interface and added IP addresses to them. I set up the appropriate PVIDs and VLANs with tagged and untagged interfaces. All seems nice. I created two DHCP servers, one on each VLAN interface. But I cannot get an IP address from either DHCP server until I add the bridge to all VLANs as a tagged port. Is that OK? The second weird thing is that I can ping from LAN VLAN to LAN VLAN, from DMZ VLAN to DMZ VLAN, and I can even ping from LAN to DMZ 192.168.3.1 or vice versa. But I cannot ping from LAN to DMZ or from DMZ to LAN. I know this is the main goal of VLANs; I tried to set up some firewall rules to solve this, but I was unsuccessful. I am pretty sure that when I used the old way of VLAN setup, using one bridge for each VLAN, I was able to forward packets between them or create firewall rules. Is there some way to solve this using one bridge for all VLANs?

/interface bridge
add admin-mac=11:11:11:11:11:11 auto-mac=no comment=defconf ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=DMZ-ether5
set [ find default-name=ether6 ] name=DMZ-ether6
set [ find default-name=ether7 ] name=DMZ-ether7
set [ find default-name=ether8 ] name=DMZ-ether8
set [ find default-name=ether15 ] name=LAN-ether15
set [ find default-name=ether16 ] name=LAN-ether16
set [ find default-name=ether17 ] name=LAN-ether17
set [ find default-name=ether18 ] name=LAN-ether18
set [ find default-name=ether19 ] name=LAN-ether19
set [ find default-name=ether20 ] name=LAN-ether20
set [ find default-name=ether21 ] name=LAN-ether21
set [ find default-name=ether22 ] name=LAN-ether22
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] comment="ether2 INTERNET" name=inet
set [ find default-name=sfp-sfpplus1 ] disabled=yes
set [ find default-name=sfp-sfpplus2 ] disabled=yes
/interface vlan
add interface=bridge name=dmz vlan-id=30
add interface=bridge name=lan vlan-id=20
/ip pool
add name=dmz_pool ranges=192.168.3.250-192.168.3.254
add name=lan_pool ranges=192.168.2.250-192.168.2.254
/ip dhcp-server
add address-pool=dmz_pool interface=dmz name=dmz
add address-pool=lan_pool interface=lan name=lan
/system logging action
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=DMZ-ether5 pvid=30
add bridge=bridge comment=defconf ingress-filtering=no interface=DMZ-ether6 pvid=30
add bridge=bridge comment=defconf ingress-filtering=no interface=DMZ-ether7 pvid=30
add bridge=bridge comment=defconf ingress-filtering=no interface=DMZ-ether8 pvid=30
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether15 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether16 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether17 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether18 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether19 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether20 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether21 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether22 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=ether24
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=bridge,dmz untagged=DMZ-ether5,DMZ-ether6,DMZ-ether7,DMZ-ether8 vlan-ids=30
add bridge=bridge tagged=bridge,lan untagged=LAN-ether15,LAN-ether16,LAN-ether17,LAN-ether18,LAN-ether19,LAN-ether20,LAN-ether21,LAN-ether22 vlan-ids=20
/ip address
add address=192.168.3.1/24 interface=dmz network=192.168.3.0
add address=192.168.2.1/24 interface=lan network=192.168.2.0
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1 netmask=24
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1 netmask=24
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established,related hw-offload=yes
 
sindy
Forum Guru
Posts: 10860
Joined: Mon Dec 04, 2017 9:19 pm

Re: Routing between Vlans

Thu Aug 04, 2022 11:30 pm

I cannot get an IP address from either DHCP server until I add the bridge to all VLANs as a tagged port. Is that OK?
It is, see here why.

I can ping from LAN vlan to LAN vlan, from DMZ vlan to DMZ vlan
That's unrelated to routing, it's just bridging.

I can ping from LAN to DMZ 192.168.3.1 or vice versa. But I cannot ping from LAN to DMZ or from DMZ to LAN. I know this is the main goal of VLANs; I tried to set up some firewall rules to solve this, but I was unsuccessful. I am pretty sure that when I used the old way of VLAN setup, using one bridge for each VLAN, I was able to forward packets between them or create firewall rules. Is there some way to solve this using one bridge for all VLANs?
This does not depend on whether you choose the "one bridge per VLAN" or the "one bridge for all VLANs" approach. But I cannot see anything in your configuration export that would explain why you cannot ping a host in one subnet from a host in the other one. So maybe you are pinging Windows machines? If so, the default setting of the Windows firewall is to ignore ping requests coming from subnets other than the one of the interface on which the ping request arrived.


The firewall on your CRS itself is effectively non-existent: since the default behaviour is accept, whatever packet is not accepted by the only rule you have is accepted anyway.
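As an added example, not taken from any post in this thread, here is a forward-chain policy that would turn the effectively empty filter noted above into an actual LAN/DMZ boundary. It reuses the VLAN interface names lan and dmz from the posted export; the interface lists LAN-LIST and DMZ-LIST, the rule comments and the log prefix are this example's own choices. The fasttrack rule is the one already present in the export, repeated here only so that it stays the first rule; remove the original before pasting, or leave that line out.

```routeros
# Added example (not from the thread). Assumes the export above: VLAN
# interfaces "lan" (192.168.2.0/24) and "dmz" (192.168.3.0/24) on one
# VLAN-filtering bridge. List names, comments and log prefix are this
# example's own.

/interface list
add name=LAN-LIST comment="example: LAN side"
add name=DMZ-LIST comment="example: DMZ side"
/interface list member
add list=LAN-LIST interface=lan
add list=DMZ-LIST interface=dmz

/ip firewall filter
# Same fasttrack rule as in the export; kept first so established flows
# stay offloaded and never reach the policy rules below.
add chain=forward action=fasttrack-connection connection-state=established,related \
    connection-mark=!ipsec hw-offload=yes comment="fasttrack established"
# Replies to already-allowed connections (fasttrack only handles some of them).
add chain=forward action=accept connection-state=established,related \
    comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# LAN hosts may open connections into the DMZ; the replies match the
# established/related rule above.
add chain=forward action=accept in-interface-list=LAN-LIST out-interface-list=DMZ-LIST \
    comment="LAN -> DMZ allowed"
# DMZ hosts must never initiate towards the LAN; log so attempts are visible.
add chain=forward action=drop in-interface-list=DMZ-LIST out-interface-list=LAN-LIST \
    log=yes log-prefix="dmz2lan" comment="DMZ -> LAN blocked"
# Everything not explicitly accepted above is dropped. Accepts for other
# paths (e.g. LAN -> inet) belong above this rule.
add chain=forward action=drop comment="default drop forward"
```

With the final drop in place, any traffic through the router that is not listed (including LAN or DMZ towards the inet port) stops until an accept is added above it, so add those rules before relying on this block. The input chain (traffic to the router's own addresses) is deliberately left untouched here. After pasting, `/ip firewall filter print stats` shows per-rule counters, and `/log print where message~"dmz2lan"` lists DMZ hosts that tried to reach the LAN.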
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing between Vlans  [SOLVED]

Fri Aug 05, 2022 12:54 am

Your error is here:
/interface bridge vlan
add bridge=bridge tagged=bridge,dmz untagged=DMZ-ether5,DMZ-ether6,DMZ-ether7,DMZ-ether8 vlan-ids=30
add bridge=bridge tagged=bridge,lan untagged=LAN-ether15,LAN-ether16,LAN-ether17,LAN-ether18,LAN-ether19,LAN-ether20,LAN-ether21,LAN-ether22 vlan-ids=20

What is highlighted in blue (the "dmz" and "lan" entries in the tagged= lists)!
In other words, the interfaces listed as tagged or untagged are PORTS (either ether ports or wlan ports) and NOT VLANs!
The VLAN is referenced by the "vlan-ids=" setting.

Fixed:
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=DMZ-ether5,DMZ-ether6,DMZ-ether7,DMZ-ether8 vlan-ids=30
add bridge=bridge tagged=bridge untagged=LAN-ether15,LAN-ether16,LAN-ether17,LAN-ether18,LAN-ether19,LAN-ether20,LAN-ether21,LAN-ether22 vlan-ids=20
 
tlamik
Frequent Visitor
Topic Author
Posts: 57
Joined: Fri Mar 21, 2014 11:54 am

Re: Routing between Vlans

Fri Aug 05, 2022 9:10 am

Well, I tried many different setups, including removing the VLAN interfaces dmz and lan from the bridge VLAN table, but none were working. I tried the last suggestion, again removing dmz and lan, and ping was not working again. Then I checked the firewalls (yes, I used laptops with W10): on one laptop the firewall was disabled, on the other one it was not. So I disabled it, and I was able to ping from the LAN laptop to the DMZ laptop, but not the opposite way. So I swapped the LAN laptop for a Linux laptop and it works like a charm.

Stupid windows, stupid me, I am sorry.

Everything seems to be working as I expected; the only thing I learned is that I am unable to unblock pings on one Windows laptop.

Thanks for all advices.
