Providing Internet access to VLANs

Posted: Sat Mar 23, 2019 3:17 am
by kg4peq
Hi! I'm new to RouterOS and the MikroTik line, and have spent the past two weeks trying to get a working VLAN implementation on my RB960PGS. I'm coming into the home stretch and have DHCP going on the various VLANs, which are pointing to the correct ports. The last thing I need to do is get these VLANs talking to the Internet through the WAN port. Having spent the last 24 hours fiddling with firewall rules, I'm stumped.

I've rolled my configuration back to a baseline state where the VLANs are on the right ports and the router is serving DHCP on each. VLAN 1 is routing to the Internet as it always has. Three additional VLANs need Internet access but should otherwise be firewalled from one another: 16, 24, and 48. The VLANs are set up using the "new" (>v6.41) bridge method.

I can't figure out where on earth to go from here. I've tried setting up forwarding rules between the VLAN interfaces and the WAN port, at various times trying to involve the bridge just for giggles, with no success. I'm fairly certain I need a rule to forward traffic from each of the VLANs to the WAN port, and vice versa, but haven't the foggiest what this should look like. My past experience with firewalls (iptables specifically) isn't translating well to the MikroTik.

I've attached a configuration export showing where I am now. I would be immensely appreciative of any and all suggestions.

config.rsc

Re: Providing Internet access to VLANs

Posted: Sat Mar 23, 2019 4:40 pm
by mkx
Can client devices in VLANs ping their gateway address? I don't see anything in the firewall section that would prevent VLAN client devices from accessing the internet and/or devices on other VLANs.

Re: Providing Internet access to VLANs

Posted: Sat Mar 23, 2019 7:09 pm
by kg4peq
Can client devices in VLANs ping their gateway address? I don't see anything in the firewall section that would prevent VLAN client devices from accessing the internet and/or devices on other VLANs.

Thanks for the reply. As it turns out, no, they actually cannot ping the gateway. That seems weird to me: the clients are pulling DHCP from the router but can't ping it. DHCP for VLAN 16 serves up IPs in the 10.242.16.x range with a gateway of 10.242.16.1, which matches the address assigned to the router on vlan16.

I turned on logging on the firewall rules yesterday and, watching a client ping 8.8.4.4, it appears a ping reply is being sent but is not making it all the way back to the client.

Re: Providing Internet access to VLANs

Posted: Sat Mar 23, 2019 7:50 pm
by mkx
Please describe the exact LAN topology for one of the VLANs (which other devices are involved, how they are configured with regard to VLANs, etc.). While the configuration on the RB960PGS seems correct (although there are a few minor things that might need to be adjusted, or might not), it might not be, depending on the LAN layout and the configuration of the other devices ...

Re: Providing Internet access to VLANs

Posted: Sun Mar 24, 2019 1:05 am
by kg4peq
Please describe the exact LAN topology for one of the VLANs (which other devices are involved, how they are configured with regard to VLANs, etc.). While the configuration on the RB960PGS seems correct (although there are a few minor things that might need to be adjusted, or might not), it might not be, depending on the LAN layout and the configuration of the other devices ...

Sure. The RB960PGS is feeding three Netgear ProSafe GS108PEv3 switches, which then serve up the appropriate VLAN to various non-VLAN-aware devices via the PVID on each individual port. Devices are an assortment of Raspberry Pis and other consumer equipment. The switches have been handling the VLANs just dandy for some months now; I'm skeptical of any issues with their configuration. Their trunk ports going into the RB960PGS are set up with VLAN 1 untagged and VLANs 16 and 48 tagged, which matches the RB.

I'm sure there's plenty of tweaking to do with this configuration. Almost no effort has been put into any sort of optimization at this point.

EDIT: The fifth port on the RB960PGS will go to a wireless access point of some type, some time in the future. VLAN 24 goes to that port as the PVID. I've tested that port with other devices and while it gets DHCP from the router, it can't ping the gateway nor access the WAN.

Re: Providing Internet access to VLANs

Posted: Sun Mar 24, 2019 2:04 am
by anav
/export hide-sensitive file=yourconfig

I have my RouterOS hooked up to two one dlink 24 port, one netgear GS110 and two MT 260GS units. Tis possible to get there!!!

As far as pvid=1, my experience with the assortment of switches is to keep the default pvid of ONE on all trunk ports, including the bridge on the router.
However, do not run dhcp on pvid1 and in fact don't use it for any subnets........... Just one approach of many I am sure.

Have a read through this link.
viewtopic.php?f=13&t=143620

Re: Providing Internet access to VLANs

Posted: Sun Mar 24, 2019 2:17 am
by kg4peq
/export hide-sensitive file=yourconfig

I have my RouterOS hooked up to two one dlink 24 port, one netgear GS110 and two MT 260GS units. Tis possible to get there!!!

This is substantially unchanged from the last export -- I think the only change is the addition of NTP client settings:

# mar/23/2019 20:14:04 by RouterOS 6.44
# software id = MD3Y-99MM
#
# model = 960PGS
# serial number = AD8B0991DD63
/interface bridge
add admin-mac=B8:69:F4:B6:7D:6F auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] poe-out=off
set [ find default-name=ether3 ] poe-out=off
set [ find default-name=ether4 ] poe-out=off
set [ find default-name=ether5 ] poe-out=off
/interface vlan
add comment="VLAN 16 - Guest access" interface=bridge name=vlan16 vlan-id=16
add comment="VLAN 24 - Wireless devices" interface=bridge name=vlan24 \
vlan-id=24
add comment="VLAN 48 - Experimental use" interface=bridge name=vlan48 \
vlan-id=48
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="All VLAN interfaces" name=all_vlan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add comment="VLAN 1 - Default" name=vlan1_pool ranges=\
10.242.1.50-10.242.1.250
add comment="VLAN 16 - Guest access" name=vlan16_pool ranges=\
10.242.16.50-10.242.16.250
add comment="VLAN 24 - Wireless devices" name=vlan24_pool ranges=\
10.242.24.50-10.242.24.250
add comment="VLAN 48 - Experimental use" name=vlan48_pool ranges=\
10.242.48.50-10.242.48.250
/ip dhcp-server
add address-pool=vlan1_pool disabled=no interface=bridge name=vlan1_dhcp
add address-pool=vlan16_pool disabled=no interface=vlan16 name=vlan16_dhcp
add address-pool=vlan24_pool disabled=no interface=vlan24 name=vlan24_dhcp
add address-pool=vlan48_pool disabled=no interface=vlan48 name=vlan48_dhcp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5 pvid=24
add bridge=bridge comment=defconf interface=sfp1
/interface bridge settings
set allow-fast-path=no
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment="VLAN 1 - Default" untagged=ether2,ether3,ether4 \
vlan-ids=1
add bridge=bridge comment="VLAN 16 - Guest access" tagged=\
ether2,ether3,ether4,bridge vlan-ids=16
add bridge=bridge comment="VLAN 24 - Wireless devices" tagged=bridge \
untagged=ether5 vlan-ids=24
add bridge=bridge comment="VLAN 48 - Experimental use" tagged=\
ether2,ether3,ether4,bridge vlan-ids=48
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="Include VLAN 16 in all_vlan" interface=vlan16 list=all_vlan
add comment="Include VLAN 24 in all_vlan" interface=vlan24 list=all_vlan
add comment="Include VLAN 48 in all_vlan" interface=vlan48 list=all_vlan
/ip address
add address=10.242.1.1/24 comment="VLAN 1 - Default" interface=bridge \
network=10.242.1.0
add address=10.242.16.1 comment="VLAN 16 - Guest access" interface=vlan16 \
network=10.242.16.0
add address=10.242.24.1 comment="VLAN 24 - Wireless devices" interface=vlan24 \
network=10.242.24.0
add address=10.242.48.1 comment="VLAN 48 - Experimental use" interface=vlan48 \
network=10.242.48.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1 use-peer-dns=no
/ip dhcp-server network
add address=10.242.1.0/24 comment="VLAN 1 - Default" dns-server=\
8.8.4.4,8.8.8.8,10.242.1.1 gateway=10.242.1.1 netmask=24
add address=10.242.16.0/24 comment="VLAN 16 - Guest access" dns-server=\
8.8.4.4,8.8.8.8,10.242.16.1 gateway=10.242.16.1 netmask=24
add address=10.242.24.0/24 comment="VLAN 24 - Wireless devices" dns-server=\
8.8.4.4,8.8.8.8,10.242.24.1 gateway=10.242.24.1 netmask=24
add address=10.242.48.0/24 comment="VLAN 48 - Experimental use" dns-server=\
8.8.4.4,8.8.8.8,10.242.48.1 gateway=10.242.48.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=MikroTik
/system ntp client
set enabled=yes primary-ntp=132.163.97.5 secondary-ntp=132.163.96.5
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Re: Providing Internet access to VLANs

Posted: Sun Mar 24, 2019 2:25 am
by anav
If you need a vlan for admin or general purposes, create vlan11 and ditch vlan1.
Keep vlan-id=1 as the default ID for all your switches (at least on the tagged port from the router) and as your bridge vlanid setting.

Since you have remote dns settings already enabled you probably can get rid of this default legacy rule
/ip dns static
add address=192.168.88.1 name=router.lan

Re: Providing Internet access to VLANs

Posted: Sun Mar 24, 2019 2:32 am
by kg4peq
If you need a vlan for admin or general purposes, create vlan11 and ditch vlan1.
Keep vlan-id=1 as the default ID for all your switches (at least on the tagged port from the router) and as your bridge vlanid setting.

I plan to eventually make that change but I need to see that the VLANs will route traffic to the outside world first. Right now, that's not the case.
Since you have remote dns settings already enabled you probably can get rid of this default legacy rule
/ip dns static
add address=192.168.88.1 name=router.lan

I'm not sure where that's coming from. All of my configuration has been through Winbox with virtually no terminal involvement. That entry doesn't appear anywhere in the UI but it did jump out at me when I did the export. I'll poke around and see if I can get rid of it through the terminal.

Re: Providing Internet access to VLANs

Posted: Sun Mar 24, 2019 2:33 am
by anav
/interface bridge vlan (modify delete vlan1 rule for this one)
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5 vlan-ids=11
For ether 5, if you are going to add an AP, assuming tis mikrotik or an AP that can assign vlans then it should not get pvid and should be treated like a trunk port (adjust bridge port accordingly)

Re: Providing Internet access to VLANs

Posted: Sun Mar 24, 2019 2:34 am
by anav
Oh, it's there, check under the IP DNS STATIC TAB ;-)
Read the link I sent you, it's accurate!

Re: Providing Internet access to VLANs

Posted: Wed Mar 27, 2019 7:11 am
by kg4peq
Oh, it's there, check under the IP DNS STATIC TAB ;-)
Read the link I sent you, it's accurate!

I had to hook the old Linksys router back up over the weekend and haven't had time to mess with the MikroTik any more. I missed that link when you initially posted it but I just had a look. I am familiar with that forum post and it's part of what got me as far as I am today. I'll mess with it some more this weekend, but I'm losing hope. Might end up returning this thing. It's looking like my desired setup isn't possible.

Re: Providing Internet access to VLANs

Posted: Wed Mar 27, 2019 1:31 pm
by anav
It's very possible.................
I have something similar, one MT Router RB450gx4 feeding a dlink 24port managed switch on eth2, eth3 goes to a 260GS MT managed switch, eth 4 goes to a second LAN not on the bridge.
The Dlink feeds some access ports and three trunk ports (one to a second 260GS switch, one to a netgear GS110 managed switch and one to a capAC). The second 260GS switch also connects via a trunk port to a second capAC.
Here is my vlan list.
/interface vlan
add interface=HomeBridge name=GuestWifi_T&B_V100 vlan-id=100
add interface=HomeBridge name=Guests_WIFI-v200 vlan-id=200
add interface=HomeBridge name=MediaStreaming_V40 vlan-id=40
add interface=HomeBridge name=NAS_V33 vlan-id=33
add interface=HomeBridge name=SOLAR-36 vlan-id=36
add interface=HomeBridge name=TheoVLAN vlan-id=666
add interface=HomeBridge name=VOIP_77 vlan-id=77
add interface=HomeBridge name=VideoCamVLAN vlan-id=99
add interface=HomeBridge name=Wifi-SDevices_cap1 vlan-id=30
add interface=HomeBridge name=Wifi_SDevices_cap2 vlan-id=45
add interface=HomeBridge name=vlan11-home vlan-id=11

Trust me, your setup is very doable!!

Re: Providing Internet access to VLANs

Posted: Wed Mar 27, 2019 6:44 pm
by gotsprings
I would say to not use interface lists and try doing the firewall with interfaces or address lists.

It's more than doable.

Re: Providing Internet access to VLANs

Posted: Tue Jun 04, 2019 4:27 am
by kg4peq
Over two months later and I'm still fighting with this. (Okay, I'll admit I haven't invested a TON of time in it, just enough to keep myself frustrated with this router!)
Over and over again folks are posting that this is "doable" and others have it working, and having been through the documentation referenced in previous posts many dozens of times, I can't find what I'm doing wrong. The right VLANs are coming out of the right ports on the router, but I can only access the Internet from VLAN 1. The router is not pingable from the other VLANs, but it does serve DHCP as expected.

# may/11/2019 09:18:21 by RouterOS 6.44
# software id = MD3Y-99MM
#
# model = 960PGS
# serial number = AD8B0991DD63
/interface bridge
add admin-mac=B8:69:F4:B6:7D:6F auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] poe-out=off
set [ find default-name=ether3 ] poe-out=off
set [ find default-name=ether4 ] poe-out=off
set [ find default-name=ether5 ] poe-out=off
/interface vlan
add comment="VLAN 16 - Guest access" interface=bridge name=vlan16 vlan-id=16
add comment="VLAN 24 - Wireless devices" interface=bridge name=vlan24 \
vlan-id=24
add comment="VLAN 48 - Experimental use" interface=bridge name=vlan48 \
vlan-id=48
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="All VLAN interfaces" name=all_vlan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add comment="VLAN 1 - Default" name=vlan1_pool ranges=\
10.242.1.50-10.242.1.250
add comment="VLAN 16 - Guest access" name=vlan16_pool ranges=\
10.242.16.50-10.242.16.250
add comment="VLAN 24 - Wireless devices" name=vlan24_pool ranges=\
10.242.24.50-10.242.24.250
add comment="VLAN 48 - Experimental use" name=vlan48_pool ranges=\
10.242.48.50-10.242.48.250
/ip dhcp-server
add address-pool=vlan1_pool disabled=no interface=bridge name=vlan1_dhcp
add address-pool=vlan16_pool disabled=no interface=vlan16 name=vlan16_dhcp
add address-pool=vlan24_pool disabled=no interface=vlan24 name=vlan24_dhcp
add address-pool=vlan48_pool disabled=no interface=vlan48 name=vlan48_dhcp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5 pvid=24
add bridge=bridge comment=defconf interface=sfp1
/interface bridge settings
set allow-fast-path=no
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment="VLAN 1 - Default" untagged=ether2,ether3,ether4 \
vlan-ids=1
add bridge=bridge comment="VLAN 16 - Guest access" tagged=\
ether2,ether3,ether4,bridge vlan-ids=16
add bridge=bridge comment="VLAN 24 - Wireless devices" tagged=bridge \
untagged=ether5 vlan-ids=24
add bridge=bridge comment="VLAN 48 - Experimental use" tagged=\
ether2,ether3,ether4,bridge vlan-ids=48
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="Include VLAN 16 in all_vlan" interface=vlan16 list=all_vlan
add comment="Include VLAN 24 in all_vlan" interface=vlan24 list=all_vlan
add comment="Include VLAN 48 in all_vlan" interface=vlan48 list=all_vlan
/ip address
add address=10.242.1.1/24 comment="VLAN 1 - Default" interface=bridge \
network=10.242.1.0
add address=10.242.16.1 comment="VLAN 16 - Guest access" interface=vlan16 \
network=10.242.16.0
add address=10.242.24.1 comment="VLAN 24 - Wireless devices" interface=vlan24 \
network=10.242.24.0
add address=10.242.48.1 comment="VLAN 48 - Experimental use" interface=vlan48 \
network=10.242.48.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1 use-peer-dns=no
/ip dhcp-server network
add address=10.242.1.0/24 comment="VLAN 1 - Default" dns-server=\
8.8.4.4,8.8.8.8,10.242.1.1 gateway=10.242.1.1 netmask=24
add address=10.242.16.0/24 comment="VLAN 16 - Guest access" dns-server=\
8.8.4.4,8.8.8.8,10.242.16.1 gateway=10.242.16.1 netmask=24
add address=10.242.24.0/24 comment="VLAN 24 - Wireless devices" dns-server=\
8.8.4.4,8.8.8.8,10.242.24.1 gateway=10.242.24.1 netmask=24
add address=10.242.48.0/24 comment="VLAN 48 - Experimental use" dns-server=\
8.8.4.4,8.8.8.8,10.242.48.1 gateway=10.242.48.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=RFRCMDHAVA02
/system ntp client
set enabled=yes primary-ntp=132.163.97.5 secondary-ntp=132.163.96.5
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Re: Providing Internet access to VLANs

Posted: Tue Jun 04, 2019 8:31 am
by mkx
Firewall rules are very restrictive for the traffic originating from VLAN networks. I'd allow the following (in addition to what you already have):
/ip firewall filter
# put next few rules before current rule "add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN"
add action=accept chain=input comment="Accept DHCP requests on VLAN interfaces" dst-port=67 protocol=udp src-port=68 in-interface-list=all_vlan
add action=accept chain=input comment="Accept DNS requests (UDP) from VLAN interfaces" dst-port=53 protocol=udp in-interface-list=all_vlan
add action=accept chain=input comment="Accept DNS requests (TCP) from VLAN interfaces" dst-port=53 protocol=tcp in-interface-list=all_vlan

And now, probably the reason for your VLAN subnets not working: netmask is not defined for VLAN-bound IP addresses (and implicitly it's taken to be /32):
/ip address
add address=10.242.1.1/24 comment="VLAN 1 - Default" interface=bridge network=10.242.1.0 # this one was correct
add address=10.242.16.1/24 comment="VLAN 16 - Guest access" interface=vlan16 network=10.242.16.0
add address=10.242.24.1/24 comment="VLAN 24 - Wireless devices" interface=vlan24 network=10.242.24.0
add address=10.242.48.1/24 comment="VLAN 48 - Experimental use" interface=vlan48 network=10.242.48.0

I'm feeling ashamed not to spot this earlier. :oops:

Re: Providing Internet access to VLANs

Posted: Tue Jun 04, 2019 5:02 pm
by anav
Oopsy, I see it now too, LOL. Typically I look for a mis-match between what the interface setting is.......... not expecting a more basic operator error.
However, my sympathy is low as the OP still is using vlan-id=1 and using the bridge for DHCP.......................... But if it works.............

PS. Don't feel bad mkx, even the best Boeing engineers can have an off day. ;-)

Re: Providing Internet access to VLANs

Posted: Wed Jun 05, 2019 12:37 am
by kg4peq
Firewall rules are very restrictive for the traffic originating from VLAN networks. I'd allow the following (in addition to what you already have):
/ip firewall filter
# put next few rules before current rule "add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN"
add action=accept chain=input comment="Accept DHCP requests on VLAN interfaces" dst-port=67 protocol=udp src-port=68 in-interface-list=all_vlan
add action=accept chain=input comment="Accept DNS requests (UDP) from VLAN interfaces" dst-port=53 protocol=udp in-interface-list=all_vlan
add action=accept chain=input comment="Accept DNS requests (TCP) from VLAN interfaces" dst-port=53 protocol=tcp in-interface-list=all_vlan

And now, probably the reason for your VLAN subnets not working: netmask is not defined for VLAN-bound IP addresses (and implicitly it's taken to be /32):
/ip address
add address=10.242.1.1/24 comment="VLAN 1 - Default" interface=bridge network=10.242.1.0 # this one was correct
add address=10.242.16.1/24 comment="VLAN 16 - Guest access" interface=vlan16 network=10.242.16.0
add address=10.242.24.1/24 comment="VLAN 24 - Wireless devices" interface=vlan24 network=10.242.24.0
add address=10.242.48.1/24 comment="VLAN 48 - Experimental use" interface=vlan48 network=10.242.48.0

I'm feeling ashamed not to spot this earlier. :oops:

Aha! Good catch on both the firewall and the netmask. I'll make those changes to the VLAN configuration and see what happens. I am surprised I didn't catch it either, as many times as I've looked over the config.rsc file!

Re: Providing Internet access to VLANs

Posted: Wed Jun 05, 2019 12:39 am
by kg4peq
Oopsy, I see it now too, LOL. Typically I look for a mis-match between what the interface setting is.......... not expecting a more basic operator error.
However, my sympathy is low as the OP still is using vlan-id=1 and using the bridge for DHCP.......................... But if it works.............

For a residential/hobby install, yes, VLAN 1 works just dandy. I'm open to being convinced otherwise, but I'm not sure I quite understand the point, particularly in my use case. As for "using the bridge for DHCP" -- what's the alternative and why is it better? Can you take a moment to educate? (I mentioned earlier I'll be making other changes to the setup but want to see basic routing functionality working on the VLANs first. No point muddying the waters.)

Re: Providing Internet access to VLANs

Posted: Wed Jun 05, 2019 1:35 am
by kg4peq
Alright, we're close! Traffic is now routing as expected across the VLANs. However, all of my VLANs are available from all of the ports -- VLANs 1, 16, 24, and 48 all appear on ether2, ether3, ether4, and ether5. Additionally, the PVID is not being honored (ether5 should be PVID 24, and this should be the only VLAN on that port).

# jun/04/2019 18:32:29 by RouterOS 6.44
# software id = MD3Y-99MM
#
# model = 960PGS
# serial number = AD8B0991DD63
/interface bridge
add admin-mac=B8:69:F4:B6:7D:6F auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] poe-out=off
set [ find default-name=ether3 ] poe-out=off
set [ find default-name=ether4 ] poe-out=off
set [ find default-name=ether5 ] poe-out=off
/interface vlan
add comment="VLAN 16 - Guest access" interface=bridge name=vlan16 vlan-id=16
add comment="VLAN 24 - Wireless devices" interface=bridge name=vlan24 \
vlan-id=24
add comment="VLAN 48 - Experimental use" interface=bridge name=vlan48 \
vlan-id=48
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="All VLAN interfaces" name=all_vlan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add comment="VLAN 1 - Default" name=vlan1_pool ranges=\
10.242.1.50-10.242.1.250
add comment="VLAN 16 - Guest access" name=vlan16_pool ranges=\
10.242.16.50-10.242.16.250
add comment="VLAN 24 - Wireless devices" name=vlan24_pool ranges=\
10.242.24.50-10.242.24.250
add comment="VLAN 48 - Experimental use" name=vlan48_pool ranges=\
10.242.48.50-10.242.48.250
/ip dhcp-server
add address-pool=vlan1_pool disabled=no interface=bridge name=vlan1_dhcp
add address-pool=vlan16_pool disabled=no interface=vlan16 name=vlan16_dhcp
add address-pool=vlan24_pool disabled=no interface=vlan24 name=vlan24_dhcp
add address-pool=vlan48_pool disabled=no interface=vlan48 name=vlan48_dhcp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5 pvid=24
add bridge=bridge comment=defconf interface=sfp1
/interface bridge settings
set allow-fast-path=no
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment="VLAN 1 - Default" tagged=bridge untagged=\
ether2,ether3,ether4 vlan-ids=1
add bridge=bridge comment="VLAN 16 - Guest access" tagged=\
ether2,ether3,ether4,bridge vlan-ids=16
add bridge=bridge comment="VLAN 24 - Wireless devices" tagged=bridge \
untagged=ether5 vlan-ids=24
add bridge=bridge comment="VLAN 48 - Experimental use" tagged=\
ether2,ether3,ether4,bridge vlan-ids=48
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="Include VLAN 16 in all_vlan" interface=vlan16 list=all_vlan
add comment="Include VLAN 24 in all_vlan" interface=vlan24 list=all_vlan
add comment="Include VLAN 48 in all_vlan" interface=vlan48 list=all_vlan
/ip address
add address=10.242.1.1/24 comment="VLAN 1 - Default" interface=bridge \
network=10.242.1.0
add address=10.242.16.1/24 comment="VLAN 16 - Guest access" interface=vlan16 \
network=10.242.16.0
add address=10.242.24.1/24 comment="VLAN 24 - Wireless devices" interface=\
vlan24 network=10.242.24.0
add address=10.242.48.1/24 comment="VLAN 48 - Experimental use" interface=\
vlan48 network=10.242.48.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1 use-peer-dns=no
/ip dhcp-server network
add address=10.242.1.0/24 comment="VLAN 1 - Default" dns-server=\
8.8.4.4,8.8.8.8,10.242.1.1 gateway=10.242.1.1 netmask=24
add address=10.242.16.0/24 comment="VLAN 16 - Guest access" dns-server=\
8.8.4.4,8.8.8.8,10.242.16.1 gateway=10.242.16.1 netmask=24
add address=10.242.24.0/24 comment="VLAN 24 - Wireless devices" dns-server=\
8.8.4.4,8.8.8.8,10.242.24.1 gateway=10.242.24.1 netmask=24
add address=10.242.48.0/24 comment="VLAN 48 - Experimental use" dns-server=\
8.8.4.4,8.8.8.8,10.242.48.1 gateway=10.242.48.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"Accept DHCP requests on VLAN interfaces" dst-port=67 in-interface-list=\
all_vlan protocol=udp src-port=68
add action=accept chain=input comment=\
"Accept DNS requests (UDP) from VLAN interfaces" dst-port=53 \
in-interface-list=all_vlan protocol=udp
add action=accept chain=input comment=\
"Accept DNS requests (TCP) from VLAN interfaces" dst-port=53 \
in-interface-list=all_vlan protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input comment="Allow VLAN" in-interface-list=all_vlan
add action=drop chain=forward comment="Block Internet access from VLAN 48" \
in-interface=vlan48 out-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=RFRCMDHAVA02
/system ntp client
set enabled=yes primary-ntp=132.163.97.5 secondary-ntp=132.163.96.5
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Re: Providing Internet access to VLANs

Posted: Wed Jun 05, 2019 2:52 pm
by tdw
That is because at some point you have turned off bridge VLAN filtering; the last item on this line (vlan-filtering=yes) is missing from your export:
/interface bridge
add admin-mac=B8:69:F4:B6:7D:6F auto-mac=no comment=defconf name=bridge vlan-filtering=yes

Currently, turning on VLAN filtering will break things, as your VLAN1 bridge configuration is incorrect given the way other things are set up - it should be untagged rather than tagged:
/interface bridge vlan
add bridge=bridge comment="VLAN 1 - Default" untagged=ether2,ether3,ether4,bridge vlan-ids=1
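
As an added example (not code from the thread or from MikroTik): a small Python audit that parses a RouterOS export and flags the mistakes this thread walks through. It checks for /ip address entries with no prefix length (installed as /32, mkx's catch), input-chain accept rules placed after the default "drop all not coming from LAN" rule, a bridge without vlan-filtering=yes, and a bridge VLAN entry that lists the bridge as tagged for its own pvid VLAN (tdw's catch). SAMPLE_EXPORT is a constructed, abbreviated export modelled on the ones posted above; the function and check names are my own.

```python
import re
from typing import Dict, List

# Constructed, abbreviated RouterOS export modelled on the ones posted above: bridge
# without vlan-filtering, VLAN 1 with the bridge tagged, a VLAN address with no
# prefix length, and a VLAN accept rule placed after the "!LAN" drop.
SAMPLE_EXPORT = """\
/interface bridge
add admin-mac=B8:69:F4:B6:7D:6F auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=vlan16 vlan-id=16
/interface bridge vlan
add bridge=bridge comment="VLAN 1 - Default" tagged=bridge untagged=\\
ether2,ether3,ether4 vlan-ids=1
add bridge=bridge tagged=ether2,ether3,ether4,bridge vlan-ids=16
/ip address
add address=10.242.1.1/24 comment="VLAN 1 - Default" interface=bridge \\
network=10.242.1.0
add address=10.242.16.1 comment="VLAN 16 - Guest access" interface=vlan16 \\
network=10.242.16.0
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
in-interface-list=!LAN
add action=accept chain=input comment="Accept DNS" dst-port=53 \\
in-interface-list=all_vlan protocol=udp
"""

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
Sections = Dict[str, List[Dict[str, str]]]


def parse_export(text: str) -> Sections:
    """Group add/set lines by their '/path' section, joining backslash continuations."""
    sections: Sections = {}
    section, pending = "", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):       # /export wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
            continue
        entry = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        entry["_verb"] = line.split()[0]
        sections.setdefault(section, []).append(entry)
    return sections


def addresses_without_prefix(s: Sections) -> List[str]:
    # No /n means /32: the router owns the gateway IP but has no connected route
    # to the subnet, so clients get a lease yet cannot even ping the gateway.
    return [e["address"] for e in s.get("/ip address", [])
            if "address" in e and "/" not in e["address"]]


def bridges_without_vlan_filtering(s: Sections) -> List[str]:
    # Without vlan-filtering=yes the bridge VLAN table is ignored: every VLAN leaks out of every port.
    return [e.get("name", "?") for e in s.get("/interface bridge", [])
            if e["_verb"] == "add" and e.get("vlan-filtering") != "yes"]


def shadowed_input_accepts(s: Sections) -> List[str]:
    # Input-chain accepts placed after "drop all not coming from LAN" never see
    # traffic from interfaces outside the LAN list (the VLAN interfaces here).
    dead, past_drop = [], False
    for r in s.get("/ip firewall filter", []):
        if r.get("chain") != "input":
            continue
        if past_drop and r.get("action") == "accept" and r.get("in-interface-list") != "LAN":
            dead.append(r.get("comment", "<no comment>"))
        if r.get("action") == "drop" and r.get("in-interface-list") == "!LAN":
            past_drop = True
    return dead


def bridge_vlan_membership_issues(s: Sections) -> List[str]:
    # The bridge (CPU) port must be tagged for every VLAN with an /interface vlan on it,
    # and untagged for its own pvid VLAN, whose address sits on the bridge itself.
    pvid = next((b.get("pvid", "1") for b in s.get("/interface bridge", [])
                 if b["_verb"] == "add"), "1")
    routed = {v["vlan-id"] for v in s.get("/interface vlan", [])
              if v.get("interface") == "bridge" and "vlan-id" in v}
    issues = []
    for e in s.get("/interface bridge vlan", []):
        tagged = set(e.get("tagged", "").split(","))
        for vid in e.get("vlan-ids", "").split(","):
            if vid in routed and "bridge" not in tagged:
                issues.append(f"vlan {vid}: bridge must be tagged for its /interface vlan")
            if vid == pvid and "bridge" in tagged:
                issues.append(f"vlan {vid}: pvid VLAN must list the bridge untagged, not tagged")
    return issues


def audit(text: str) -> Dict[str, List[str]]:
    """Run every check on an export text; return only the checks that found something."""
    s = parse_export(text)
    checks = [addresses_without_prefix, bridges_without_vlan_filtering,
              shadowed_input_accepts, bridge_vlan_membership_issues]
    return {c.__name__: found for c in checks if (found := c(s))}
```

Feed audit() the text of an "/export" and an empty result means none of the four mistakes is present; run it again after each change, since the thread shows one fix (turning VLAN filtering off) silently reintroducing another.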

Re: Providing Internet access to VLANs

Posted: Sat Jun 08, 2019 7:07 am
by kg4peq
That is because at some point you have turned off bridge VLAN filtering; the last item on this line (vlan-filtering=yes) is missing from your export:
/interface bridge
add admin-mac=B8:69:F4:B6:7D:6F auto-mac=no comment=defconf name=bridge vlan-filtering=yes

Currently, turning on VLAN filtering will break things, as your VLAN1 bridge configuration is incorrect given the way other things are set up - it should be untagged rather than tagged:
/interface bridge vlan
add bridge=bridge comment="VLAN 1 - Default" untagged=ether2,ether3,ether4,bridge vlan-ids=1

Thank you everyone for your input and help. I am up and running. I did establish a management VLAN and moved off VLAN 1 completely. Many thanks!!

Re: Providing Internet access to VLANs

Posted: Thu Mar 25, 2021 12:08 pm
by grumpazoid
And now, probably the reason for your VLAN subnets not working: netmask is not defined for VLAN-bound IP addresses (and implicitly it's taken to be /32):

/ip address
add address=10.242.1.1/24 comment="VLAN 1 - Default" interface=bridge network=10.242.1.0 # this one was correct
add address=10.242.16.1/24 comment="VLAN 16 - Guest access" interface=vlan16 network=10.242.16.0
add address=10.242.24.1/24 comment="VLAN 24 - Wireless devices" interface=vlan24 network=10.242.24.0
add address=10.242.48.1/24 comment="VLAN 48 - Experimental use" interface=vlan48 network=10.242.48.0

OMG. I just got tripped up on this. Everything was working apart from client WAN access. Added /24 to the VLAN IPs and bingo.