attilhacks
just joined
Topic Author
Posts: 11
Joined: Sun May 03, 2020 11:32 pm

CCR2004 - Vlans

Sat Oct 22, 2022 3:58 pm

Hello Forum,

I'm trying to configure VLANs on my CCR2004 with 7.6. I can only ping the VLAN address but can't reach anything on untagged or tagged ports (I have a switch on vlan10), and DHCP doesn't assign any address.
This is a snip of my config; thanks in advance for your help.

/interface> print
Flags: X, R - RUNNING; S - SLAVE
Columns: NAME, TYPE, ACTUAL-MTU, L2MTU, MAX-L2MTU, MAC-ADDRESS
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 R ether1 (eolo) ether 1500 1596 9582 18:FD:74:9F:E9:2E
1 R ether2 (VFO) ether 1500 1596 9582 18:FD:74:9F:E9:2F
2 S ether3 ether 1500 1596 9582 18:FD:74:9F:E9:30
3 S ether4 ether 1500 1596 9582 18:FD:74:9F:E9:31
4 S ether5 ether 1500 1596 9582 18:FD:74:9F:E9:32
5 RS ether6 ether 1500 1596 9582 18:FD:74:9F:E9:33
6 S ether7 ether 1500 1596 9582 18:FD:74:9F:E9:34
7 RS ether8 ether 1500 1596 9582 18:FD:74:9F:E9:35
8 ether9 ether 1500 1596 9582 18:FD:74:9F:E9:36
9 RS ether10 ether 1500 1596 9582 18:FD:74:9F:E9:37
10 ether11 ether 1500 1596 9582 18:FD:74:9F:E9:38
11 S ether12 ether 1500 1596 9582 18:FD:74:9F:E9:39
12 ether13 ether 1500 1596 9582 18:FD:74:9F:E9:3A
13 S ether14 ether 1500 1596 9582 18:FD:74:9F:E9:3B
14 ether15 ether 1500 1596 9582 18:FD:74:9F:E9:3C
15 ether16 ether 1500 1596 9582 18:FD:74:9F:E9:3D
16 sfp-sfpplus1 ether 1500 1600 9586 18:FD:74:9F:E9:3E
17 S sfp-sfpplus2 ether 1500 1600 9586 18:FD:74:9F:E9:3F
18 R BridgeVlan10 vlan 1500 1592 18:FD:74:9F:E9:30
19 R BridgeVlan20 vlan 1500 1592 18:FD:74:9F:E9:30
20 X Eolo pppoe-out
21 R bridge2-LAN bridge 1500 1596 18:FD:74:9F:E9:37
22 R bridgeVlan bridge 1500 1596 18:FD:74:9F:E9:30



/interface/vlan> print
Flags: R - RUNNING
Columns: NAME, MTU, ARP, VLAN-ID, INTERFACE
# NAME MTU ARP VLAN-ID INTERFACE
0 R BridgeVlan10 1500 enabled 10 bridgeVlan
1 R BridgeVlan20 1500 enabled 20 bridgeVlan


/ip/dhcp-server> print
Columns: NAME, INTERFACE, RELAY, ADDRESS-POOL, LEASE-TIME
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME
0 LAN-dhcp bridge2-LAN LAN_dhcp_pool 10m
1 dhcp1 BridgeVlan10 192.168.10.254 dhcp_pool14 10m
2 dhcp2 BridgeVlan20 192.168.10.254 dhcp_pool15 10m
/ip/dhcp-server>


/ip/dhcp-server/network> print
Columns: ADDRESS, GATEWAY, DNS-SERVER
# ADDRESS GATEWAY DNS-SERVER
0 192.168.0.0/24 192.168.0.254 8.8.8.8
1 192.168.10.0/24 192.168.10.254 8.8.8.8
2 192.168.20.0/24 192.168.20.254 8.8.8.8


/interface/vlan> print
Flags: R - RUNNING
Columns: NAME, MTU, ARP, VLAN-ID, INTERFACE
# NAME MTU ARP VLAN-ID INTERFACE
0 R BridgeVlan10 1500 enabled 10 bridgeVlan
1 R BridgeVlan20 1500 enabled 20 bridgeVlan
/interface/vlan>

/interface/bridge> print
Flags: X - disabled, R - running
0 R name="bridge2-LAN" mtu=auto actual-mtu=1500 l2mtu=1596 arp=enabled arp-timeout=auto mac-address=18:FD:74:9F:E9:37 protocol-mode=rstp
fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6
vlan-filtering=no dhcp-snooping=no

1 R name="bridgeVlan" mtu=auto actual-mtu=1500 l2mtu=1596 arp=enabled arp-timeout=auto mac-address=18:FD:74:9F:E9:30 protocol-mode=rstp fast-forward=yes
igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=yes
ether-type=0x8100 pvid=1 frame-types=admit-all ingress-filtering=no dhcp-snooping=no


/interface/bridge/port> print
Flags: I - INACTIVE; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 IH ether3 bridgeVlan yes 20 0x80 10 10 none
1 IH ether4 bridgeVlan yes 10 0x80 10 10 none
2 IH ether5 bridgeVlan yes 20 0x80 10 10 none
3 IH ether7 bridgeVlan yes 20 0x80 10 10 none
4 H ether8 bridgeVlan yes 10 0x80 10 10 none
5 IH ether14 bridge2-LAN yes 1 0x80 10 10 none
6 I sfp-sfpplus1 *13 1 0x80 10 10 none
7 I sfp-sfpplus2 bridge2-LAN yes 1 0x80 10 10 none
8 H ether10 bridge2-LAN yes 1 0x80 10 10 none
9 IH ether12 bridge2-LAN yes 1 0x80 10 10 none
10 H ether6 bridgeVlan yes 10 0x80 10 10 none

/interface/bridge/vlan> print
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
# BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
0 bridgeVlan 10 bridgeVlan ether8,ether6
1 bridgeVlan 20 bridgeVlan
2 D bridgeVlan 1 bridgeVlan
 
akakua
Frequent Visitor
Posts: 61
Joined: Mon Apr 06, 2020 4:52 pm

Re: CCR2004 - Vlans

Sat Oct 22, 2022 4:01 pm

 
attilhacks
just joined
Topic Author
Posts: 11
Joined: Sun May 03, 2020 11:32 pm

Re: CCR2004 - Vlans

Sat Oct 22, 2022 9:06 pm

Yes, I've been following all kinds of tutorials, even this one, which is really nice, but still can't make it work.
 
tdw
Forum Guru
Posts: 2088
Joined: Sat May 05, 2018 11:55 am

Re: CCR2004 - Vlans

Sat Oct 22, 2022 9:41 pm

Printing a few sections of the settings doesn't provide much useful information, post the output of /export after redacting any identifying information (serial number, public IPs, etc.)
 
Buckeye
Forum Veteran
Posts: 908
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: CCR2004 - Vlans

Sat Oct 22, 2022 10:43 pm

I can only ping the VLAN address but can't reach anything on untagged or tagged ports (I have a switch on vlan10), and DHCP doesn't assign any address.
/interface/bridge/vlan> print
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
# BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
0 bridgeVlan 10 bridgeVlan ether8,ether6
1 bridgeVlan 20 bridgeVlan
2 D bridgeVlan 1 bridgeVlan
I am not sure what you mean by "ping the VLAN address".

What is attached to ether6 and ether8?
 
attilhacks
just joined
Topic Author
Posts: 11
Joined: Sun May 03, 2020 11:32 pm

Re: CCR2004 - Vlans

Sun Oct 23, 2022 6:03 pm

I can only ping the VLAN address but can't reach anything on untagged or tagged ports (I have a switch on vlan10), and DHCP doesn't assign any address.
/interface/bridge/vlan> print
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
# BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
0 bridgeVlan 10 bridgeVlan ether8,ether6
1 bridgeVlan 20 bridgeVlan
2 D bridgeVlan 1 bridgeVlan
I am not sure what you mean by "ping the VLAN address".

What is attached to ether6 and ether8?
On ether8 there is a DHCP client; on ether6 a switch with a static address.
 
attilhacks
just joined
Topic Author
Posts: 11
Joined: Sun May 03, 2020 11:32 pm

Re: CCR2004 - Vlans

Sun Oct 23, 2022 6:05 pm

thanks for the hint :-)

Printing a few sections of the settings doesn't provide much useful information, post the output of /export after redacting any identifying information (serial number, public IPs, etc.)
# oct/23/2022 18:57:23 by RouterOS 7.6
# software id = J9R6-AECV
#
# model = CCR2004-16G-2S+
# serial number = xxxxxxx
/interface bridge
add name=bridge2-LAN
add ingress-filtering=no name=bridgeVlan vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1 (eolo)"
set [ find default-name=ether2 ] name="ether2 (VFO)"
/interface pppoe-client
add add-default-route=yes interface="ether1 (eolo)" name=Eolo user=\
    W23693032822
/interface vlan
add interface=bridgeVlan name=BridgeVlan10 vlan-id=10
add interface=bridgeVlan name=BridgeVlan20 vlan-id=20
/interface list
add name=WAN
add name=LAN
add name=VLANS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=VPN-pool ranges=192.168.89.1-192.168.89.20
add name=LAN_dhcp_pool ranges=192.168.0.100-192.168.0.120
add name=CCTV_dhcp_pool ranges=192.168.20.2-192.168.20.253
add name=IOT_dhcp_pool ranges=192.168.10.2-192.168.10.253
add name=dhcp_pool8 ranges=192.168.10.200-192.168.10.253
add name=dhcp_pool9 ranges=192.168.20.200-192.168.20.253
add name=dhcp_pool10 ranges=192.168.10.100-192.168.10.253
add name=dhcp_pool11 ranges=192.168.10.100-192.168.10.253
add name=dhcp_pool12 ranges=192.168.10.1-192.168.10.253
add name=dhcp_pool13 ranges=192.168.10.1-192.168.10.253
add name=dhcp_pool14 ranges=192.168.10.100-192.168.10.253
add name=dhcp_pool15 ranges=192.168.20.100-192.168.20.253
/ip dhcp-server
add address-pool=LAN_dhcp_pool interface=bridge2-LAN name=LAN-dhcp
add address-pool=dhcp_pool14 interface=BridgeVlan10 name=dhcp1 relay=\
    192.168.10.254
add address-pool=dhcp_pool15 interface=BridgeVlan20 name=dhcp2 relay=\
    192.168.10.254
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set *0 on-up=":foreach i in=[/ppp active print] do={\r\
    \n:local Addr [/ppp active get \$i caller-id]\r\
    \n/tool e-mail send to=\"xxxxxxxx\" subject=\"\$[/system identit\
    y get name] - New L2TP Connection\" \\ body=\"New L2TP connection from \"\
    \$[/ppp active print] at \$[/system clock get time] \$[/system clock get d\
    ate]\";\r\
    \n}"
add bridge=bridge2-LAN comment="L2TP xxxxxx" local-address=192.168.0.253 \
    name=xxxxx on-down=":local remoteAddr\r\
    \n:local callerId\r\
    \n:local calledId\r\
    \n:set remoteAddr \$\"remote-address\"\r\
    \n:set callerId \$\"caller-id\"\r\
    \n:set calledId \$\"called-id\"\r\
    \n\r\
    \n/tool e-mail send to=\"xxxxxxxxx\" subject=\"\$[/system identit\
    y get name] - Disconnected L2TP xxxxxx VPN\" \\ body=\"xxxxxxx L2TP VPN con\
    nected   at \$[/system clock get time] \$[/system clock get date] from \$c\
    allerId remote address \$remoteAddr called id \$calledId \"" on-up=":local\
    \_remoteAddr\r\
    \n:local callerId\r\
    \n:set remoteAddr \$\"remote-address\"\r\
    \n:set callerId \$\"caller-id\"\r\
    \n\r\
    \n\r\
    \n/tool e-mail send to=\"xxxxxxxx\" subject=\"\$[/system identit\
    y get name] - L2TP xxxxxxx VPN Connected\" \\ body=\"xxxxxxx L2TP VPN connec\
    ted   at \$[/system clock get time] \$[/system clock get date] from \$call\
    erId \$remoteAddr \$calledId\"" remote-address=192.168.88.253 \
    use-compression=no use-encryption=yes use-ipv6=no
/system logging action
set 1 disk-file-count=10 disk-lines-per-file=10000
set 3 remote=192.168.0.40 src-address=192.168.0.254
add email-to=xxxxxxx name=email target=email
add name=Observium remote=192.168.0.40 target=remote
/dude
set enabled=yes
/interface bridge port
add bridge=bridgeVlan interface=ether3 pvid=20
add bridge=bridgeVlan interface=ether4 pvid=10
add bridge=bridgeVlan interface=ether5 pvid=20
add bridge=bridgeVlan interface=ether7 pvid=20
add bridge=bridgeVlan ingress-filtering=no interface=ether8 pvid=10
add bridge=bridge2-LAN interface=ether14
add bridge=*13 interface=sfp-sfpplus1
add bridge=bridge2-LAN interface=sfp-sfpplus2
add bridge=bridge2-LAN interface=ether10
add bridge=bridge2-LAN interface=ether12
add bridge=bridgeVlan interface=ether6 pvid=10
/interface bridge vlan
add bridge=bridgeVlan tagged=bridgeVlan,ether4,ether6 untagged=ether8 \
    vlan-ids=10
add bridge=bridgeVlan tagged=bridgeVlan,ether5 untagged=ether7 vlan-ids=20
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface="ether1 (eolo)" list=WAN
add interface=bridge2-LAN list=LAN
add interface="ether2 (VFO)" list=WAN
add interface=bridgeVlan list=LAN
add interface=BridgeVlan10 list=LAN
add interface=BridgeVlan20 list=LAN
/ip address
add address=192.168.0.254/24 comment=defconf interface=bridge2-LAN network=\
    192.168.0.0
add address=192.168.100.6/8 interface="ether1 (eolo)" network=192.0.0.0
add address=10.0.0.254/24 interface="ether2 (VFO)" network=10.0.0.0
add address=192.168.10.254/24 interface=BridgeVlan10 network=192.168.10.0
add address=192.168.20.254/24 interface=BridgeVlan20 network=192.168.20.0
/ip dhcp-client
add disabled=yes interface="ether1 (eolo)"

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8 gateway=192.168.0.254 \
    ntp-server=192.168.0.254
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.254
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.254
/ip dns
set servers=8.8.8.8
/ip firewall address-list
xxxxxxxxx



/ip firewall filter
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=WhiteListRouter
add action=accept chain=input protocol=icmp
add action=drop chain=input disabled=yes
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" disabled=yes \
    dst-address-list=not_in_internet in-interface=*13 log-prefix=\
    !public_from_LAN out-interface=!*13
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
    connection-state=new in-interface="ether1 (eolo)" log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=\
    "ether1 (eolo)" log=yes log-prefix=!public src-address-list=\
    not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface-list=LAN \
    log=yes log-prefix=LAN_!LAN src-address-list=!WhiteListRouter
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept IKE" dst-port=\
    500,4500,1701 protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes log-prefix="Not IN LAN"
add action=accept chain=forward comment="defconf: accept all that matches IPSe\
    c policy     Notice the IPsec policy matcher rules. It is very important t\
    hat IPsec encapsulated traffic bypass fast-track. That is why as an illust\
    ration we have added a disabled rule to accept traffic matching IPsec poli\
    cies. Whenever IPsec tunnels are used on the router this rule should be en\
    abled. For IPv6 it is much more simple since it does not have fast-track s\
    upport.\r\
    \n\r\
    \n" disabled=yes ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" log=yes \
    log-prefix="no_forward_ipv4 src" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4 log=yes log-prefix="no_forward_ipv4 dst"
/ip firewall nat
add action=accept chain=srcnat comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Homecontrol data" disabled=yes \
    dst-port=2201 in-interface=Eolo protocol=tcp to-addresses=192.168.0.5 \
    to-ports=2201
add action=dst-nat chain=dstnat comment="Homecontrol http" disabled=yes \
    dst-port=80 in-interface=Eolo protocol=tcp to-addresses=192.168.0.5 \
    to-ports=80
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall"
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" log=yes \
    log-prefix="Bad IPv4 src" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4 log-prefix="Bad IPv4 dst"
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    log-prefix="Bad IPv4 SRC" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4 log-prefix="Bad IPv4 DST"
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN log=yes log-prefix="Not Global IPv4" \
    src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="defconf: drop forward to local lan f\
    rom WAN (disabilitata perche' blocca le rotte)" disabled=yes \
    dst-address-list=not_in_internet in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface-list=LAN \
    log=yes log-prefix="not in internet" src-address-list=!not_in_internet
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest" \
    dst-address-list=!WhiteListRouter log=yes log-prefix="no white list" \
    src-address-list=!WhiteListRouter
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
/ip route
add check-gateway=ping comment="Default Route" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=192.168.100.1 pref-src="" routing-table=\
    main scope=10 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="monitor fibra" disabled=no distance=1 \
    dst-address=8.8.8.8/32 gateway=192.168.100.1 pref-src="" routing-table=\
    main scope=10 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="monitor 4g" disabled=no distance=1 \
    dst-address=1.1.1.1/32 gateway=10.0.0.1 pref-src="" routing-table=main \
    scope=15 suppress-hw-offload=no target-scope=16
add check-gateway=ping comment="Backup Route" disabled=no distance=2 \
    dst-address=0.0.0.0/0 gateway=10.0.0.1 pref-src="" routing-table=main \
    scope=10 suppress-hw-offload=no target-scope=11
add disabled=no distance=1 dst-address=10.0.0.0/24 gateway=10.0.0.1 \
    routing-table=main scope=10 suppress-hw-offload=no
/ppp profile
set *FFFFFFFE local-address=*1 remote-address=VPN-pool
/ppp secret
add name=xxxxx profile=xxxxxx service=l2tp
/system clock
set time-zone-name=Asia/xxxxxx
/system leds
set 0 type=interface-status
set 1 interface=*F00005 leds=user-led
set 2 type=interface-status
add interface=sfp-sfpplus1 leds=sfp-sfpplus1-led2 type=interface-activity
add interface=sfp-sfpplus2 leds=sfp-sfpplus2-led2 type=interface-activity
/system logging
set 0 topics=info,!dhcp
set 1 action=email
set 3 action=email
add topics=health
add disabled=yes topics=pptp
add topics=error
add topics=critical
add action=remote topics=info
add topics=firewall
add disabled=yes topics=ppp
add action=email disabled=yes topics=ipsec
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes manycast=yes multicast=yes

/tool netwatch
add disabled=no down-script=":local remoteAddr\r\
    \n:local callerId\r\
    \n:local calledId\r\
    \n:set remoteAddr \$\"remote-address\"\r\
    \n:set callerId \$\"caller-id\"\r\
    \n:set calledId \$\"called-id\"\r\
    \n\r\
    \n/tool e-mail send to=\"xxxxxx\" subject=\"\$[/system identit\
    y get name] - Disconnected L2TP xxxxx VPN\" \\ body=\"xxxxx L2TP VPN con\
    nected   at \$[/system clock get time] \$[/system clock get date] from \$c\
    allerId remote address \$remoteAddr called id \$calledId \"" host=8.8.8.8 \
    http-codes="" test-script="" type=simple up-script=":local remoteAddr\r\
    \n:local callerId\r\
    \n:set remoteAddr \$\"remote-address\"\r\
    \n:set callerId \$\"caller-id\"\r\
    \n\r\
    \n\r\
    \n/tool e-mail send to=\"xxxxxx\" subject=\"\$[/system identit\
    y get name] - L2TP xxxxx VPN Connected\" \\ body=\"xxxx L2TP VPN connec\
    ted   at \$[/system clock get time] \$[/system clock get date] from \$call\
    erId \$remoteAddr \$calledId\""
/tool romon
set enabled=yes
 
tdw
Forum Guru
Posts: 2088
Joined: Sat May 05, 2018 11:55 am

Re: CCR2004 - Vlans

Sun Oct 23, 2022 6:39 pm

You are setting some interfaces to be both untagged with pvid=10 and pvid=20 under /interface bridge port and also tagged with tagged= under /interface bridge vlan - a bridge port should be either tagged or untagged for any particular VLAN ID.

Why are you specifying a relay= setting for the DHCP servers - instances will only answer requests from this address, not the local subnet. There also seem to be many overlapping but unused DHCP pools.
 
attilhacks
just joined
Topic Author
Posts: 11
Joined: Sun May 03, 2020 11:32 pm

Re: CCR2004 - Vlans

Sun Oct 23, 2022 6:52 pm

OK, I untagged the interfaces from the "interface" tab, put them back to 1, and left the tag/untag config only on the bridge. Also removed the DHCP relays, which came automatically with the DHCP setup.

While removing these settings, a DHCP address was "offered" and showed up in the leases but disappeared. Something is moving... but not yet working :-)

/interface/bridge/vlan> print
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
# BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
0 bridgeVlan 10 ether6 ether8
1 bridgeVlan 20 bridgeVlan
2 D bridgeVlan 1 bridgeVlan ether8,ether6
You are setting some interfaces to be both untagged with pvid=10 and pvid=20 under /interface bridge port and also tagged with tagged= under /interface bridge vlan - a bridge port should be either tagged or untagged for any particular VLAN ID.

Why are you specifying a relay= setting for the DHCP servers - instances will only answer requests from this address, not the local subnet. There also seem to be many overlapping but unused DHCP pools.
 
attilhacks
just joined
Topic Author
Posts: 11
Joined: Sun May 03, 2020 11:32 pm

Re: CCR2004 - Vlans

Wed Oct 26, 2022 4:41 pm

So I managed to make it work from a clear configuration; now I have the problem that I can ping items across VLANs...

# jan/02/1970 01:59:17 by RouterOS 7.6
# software id = J9R6-AECV
#
# model = CCR2004-16G-2S+
# serial number =
/interface bridge
add ingress-filtering=no name=bridgeTrunk vlan-filtering=yes
/interface vlan
add interface=bridgeTrunk name=vlan10 vlan-id=10
add interface=bridgeTrunk name=vlan20 vlan-id=20
add interface=bridgeTrunk name=vlan99 vlan-id=99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.10.100-192.168.10.253
add name=dhcp_pool1 ranges=192.168.20.100-192.168.20.253
add name=dhcp_pool2 ranges=192.168.0.100-192.168.0.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan10 name=dhcp1
add address-pool=dhcp_pool1 interface=vlan20 name=dhcp2
add address-pool=dhcp_pool2 interface=vlan99 name=dhcp3
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridgeTrunk interface=ether4 pvid=10
add bridge=bridgeTrunk interface=ether6 pvid=10
add bridge=bridgeTrunk interface=ether8 pvid=10
add bridge=bridgeTrunk interface=ether5 pvid=20
add bridge=bridgeTrunk interface=ether7 pvid=20
add bridge=bridgeTrunk interface=ether9 pvid=20
add bridge=bridgeTrunk interface=ether10
add bridge=bridgeTrunk interface=ether12
/interface bridge vlan
add bridge=bridgeTrunk tagged=ether10,ether12,bridgeTrunk untagged=ether8 \
    vlan-ids=10
add bridge=bridgeTrunk tagged=ether10,ether12,bridgeTrunk untagged=ether7 \
    vlan-ids=20
add bridge=bridgeTrunk tagged=bridgeTrunk,ether10,ether12 untagged=ether16 \
    vlan-ids=99
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether15 network=\
    192.168.88.0
add address=192.168.10.254/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.254/24 interface=vlan20 network=192.168.20.0
add address=192.168.0.254/24 interface=vlan99 network=192.168.0.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8 gateway=192.168.0.254
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.254
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.254
 
erlinden
Forum Guru
Posts: 2764
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CCR2004 - Vlans  [SOLVED]

Wed Oct 26, 2022 5:08 pm

So I managed to make it work from a clear configuration; now I have the problem that I can ping items across VLANs...
You don't have a problem, you are/were not aware that inter-VLAN communication isn't blocked by default. You have to block it manually on the forward chain. Or better... block everything on the forward chain (as the last rule) and only add the allow rules.
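As an added example (not code from this thread or from MikroTik), here is a small Python linter that parses an /export and flags the three things tdw and erlinden pointed out above: a port listed under tagged= for a VLAN that is also its pvid (or that also appears under untagged=), a DHCP server with relay= set for a directly attached subnet, and a forward chain that does not end in a catch-all drop, so traffic between VLANs is routed. The two export snippets inside it are constructed, abridged from the shape of the configs posted in this thread; the section names and keys are RouterOS's own, while the function names, messages and check logic are my assumptions about what a useful audit looks like, not anything the router itself provides.

```python
import re
from collections import defaultdict

# Constructed sample export, abridged from the shape of the one posted above.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridgeVlan interface=ether4 pvid=10
add bridge=bridgeVlan interface=ether5 pvid=20
add bridge=bridgeVlan interface=ether7 pvid=20
add bridge=bridgeVlan ingress-filtering=no interface=ether8 pvid=10
add bridge=bridgeVlan interface=ether6 pvid=10
/interface bridge vlan
add bridge=bridgeVlan tagged=bridgeVlan,ether4,ether6 untagged=ether8 \\
    vlan-ids=10
add bridge=bridgeVlan tagged=bridgeVlan,ether5 untagged=ether7 vlan-ids=20
/ip dhcp-server
add address-pool=dhcp_pool14 interface=BridgeVlan10 name=dhcp1 relay=\\
    192.168.10.254
/ip firewall filter
add action=accept chain=forward comment="Established, Related" \\
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
"""

# The same shape after applying the advice in this thread (also constructed).
FIXED_EXPORT = """\
/interface bridge port
add bridge=bridgeVlan interface=ether4
add bridge=bridgeVlan interface=ether8 pvid=10
/interface bridge vlan
add bridge=bridgeVlan tagged=bridgeVlan,ether4 untagged=ether8 vlan-ids=10
/ip dhcp-server
add address-pool=dhcp_pool14 interface=BridgeVlan10 name=dhcp1
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward comment="drop everything else"
"""

# key=value pairs; quoted values may contain spaces and backslash escapes.
KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_export(text):
    """{section: [{key: value}, ...]} for the add/set lines; '\\' continues a line."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip() if buf else raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    sections, current = defaultdict(list), None
    for line in joined:
        if line.startswith("/"):
            current = line.strip()
        elif current and line.startswith(("add ", "set ")):
            sections[current].append(
                {k: v.strip('"') for k, v in KV_RE.findall(line)})
    return sections


def expand_vlan_ids(spec):
    """'10,20-22' -> {10, 20, 21, 22} (RouterOS vlan-ids syntax)."""
    ids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def lint(sections):
    """Return human-readable findings; an empty list means clean."""
    findings = []
    # 1. A port is implicitly untagged for its pvid; tagged= for that VLAN conflicts.
    pvid = {p["interface"]: int(p.get("pvid", 1))
            for p in sections["/interface bridge port"] if "interface" in p}
    for entry in sections["/interface bridge vlan"]:
        tagged = set(filter(None, entry.get("tagged", "").split(",")))
        untagged = set(filter(None, entry.get("untagged", "").split(",")))
        for vid in sorted(expand_vlan_ids(entry.get("vlan-ids", ""))):
            for port in sorted(tagged):
                if port in untagged or pvid.get(port) == vid:
                    findings.append(f"{port}: tagged and untagged for VLAN {vid}")
    # 2. relay= answers only requests forwarded by that relay, not local clients.
    for srv in sections["/ip dhcp-server"]:
        if srv.get("relay"):
            findings.append(f"dhcp-server {srv.get('name')}: relay={srv['relay']} "
                            "set for a directly attached subnet")
    # 3. Routing between VLANs is open unless the forward chain ends in a drop
    #    rule with no match conditions at all (a catch-all drop).
    meta = {"action", "chain", "comment", "disabled", "log", "log-prefix"}
    forward = [r for r in sections["/ip firewall filter"]
               if r.get("chain") == "forward" and r.get("disabled") != "yes"]
    last = forward[-1] if forward else {}
    if last.get("action") != "drop" or set(last) - meta:
        findings.append("forward chain: no final catch-all drop, "
                        "traffic between VLANs is forwarded by default")
    return findings
```

Call `lint(parse_export(text))` on your own redacted /export text; on the first snippet it reports ether4, ether6 and ether5 as both tagged and untagged, the relay on dhcp1, and the missing final drop, and on the second snippet it reports nothing. The pvid check mirrors what the CURRENT-UNTAGGED column of the bridge vlan print showed earlier in the thread: a port with pvid=10 ends up untagged on VLAN 10 whatever tagged= says, so the tagged membership never takes effect.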
 
attilhacks
just joined
Topic Author
Posts: 11
Joined: Sun May 03, 2020 11:32 pm

Re: CCR2004 - Vlans

Wed Oct 26, 2022 5:19 pm

oh :-) I just ruled it out with some drop rules

thanks!

So I managed to make it work from a clear configuration; now I have the problem that I can ping items across VLANs...
You don't have a problem, you are/were not aware that inter-VLAN communication isn't blocked by default. You have to block it manually on the forward chain. Or better... block everything on the forward chain (as the last rule) and only add the allow rules.