Routing between VLANs
Posted: Thu Aug 04, 2022 10:49 pm
I created two VLANs on a CRS326-24G-2S+ using the new style of creating VLANs, meaning all ports are in one bridge, two VLAN interfaces are created on top of the bridge, and IP addresses are added to them. I set up the appropriate PVIDs and VLANs with tagged and untagged interfaces. All seems fine. I created two DHCP servers, one on each VLAN interface. But I could not get an IP address from either DHCP server until I added the bridge to all VLANs as a tagged port. Is that OK? The second weird thing is that I can ping from LAN VLAN to LAN VLAN and from DMZ VLAN to DMZ VLAN, and I can even ping from LAN to the router's DMZ address 192.168.3.1 or vice versa. But I cannot ping from a LAN host to a DMZ host or from DMZ to LAN. I know this is the main goal of VLANs; I tried to set up some firewall rules to solve this, but I was unsuccessful. I am pretty sure that when I used the old way of VLAN setup, with one bridge per VLAN, I was able to forward packets between them or create firewall rules. Is there some way to solve this using one bridge for all VLANs?
# Single-bridge VLAN layout on a CRS326-24G-2S+: every switch port is a member of one
# bridge with vlan-filtering enabled; VLAN 20 (lan, 192.168.2.0/24) and VLAN 30
# (dmz, 192.168.3.0/24) are terminated on VLAN interfaces created on top of the bridge.
# NOTE(review): admin-mac=11:11:11:11:11:11 looks like a redacted placeholder, not a
# real address; auto-mac=no pins the bridge MAC to whatever is set here.
# NOTE(review): ingress-filtering=no on the bridge (and on every port below) means a
# port also accepts tagged frames for VLAN ids it is not a member of in the bridge VLAN
# table. With vlan-filtering=yes the usual hardening is ingress-filtering=yes on the
# access ports -- confirm nothing depends on the relaxed behaviour before changing it.
/interface bridge
add admin-mac=11:11:11:11:11:11 auto-mac=no comment=defconf ingress-filtering=no name=bridge vlan-filtering=yes
# Port naming: ether5-8 are the DMZ access ports, ether15-22 the LAN access ports.
# ether2 is renamed "inet" (upstream); ether1 and both SFP+ ports are disabled.
/interface ethernet
set [ find default-name=ether5 ] name=DMZ-ether5
set [ find default-name=ether6 ] name=DMZ-ether6
set [ find default-name=ether7 ] name=DMZ-ether7
set [ find default-name=ether8 ] name=DMZ-ether8
set [ find default-name=ether15 ] name=LAN-ether15
set [ find default-name=ether16 ] name=LAN-ether16
set [ find default-name=ether17 ] name=LAN-ether17
set [ find default-name=ether18 ] name=LAN-ether18
set [ find default-name=ether19 ] name=LAN-ether19
set [ find default-name=ether20 ] name=LAN-ether20
set [ find default-name=ether21 ] name=LAN-ether21
set [ find default-name=ether22 ] name=LAN-ether22
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] comment="ether2 INTERNET" name=inet
set [ find default-name=sfp-sfpplus1 ] disabled=yes
set [ find default-name=sfp-sfpplus2 ] disabled=yes
# Layer-3 VLAN interfaces on the bridge. The CPU only sees VLAN 20/30 frames if the
# bridge itself is a tagged member of those VLANs in /interface bridge vlan below,
# which is why DHCP on these interfaces only started working once "bridge" was added
# there as tagged -- that is the expected configuration, not a workaround.
/interface vlan
add interface=bridge name=dmz vlan-id=30
add interface=bridge name=lan vlan-id=20
# DHCP pools: five addresses per segment (.250-.254); the router itself is .1.
/ip pool
add name=dmz_pool ranges=192.168.3.250-192.168.3.254
add name=lan_pool ranges=192.168.2.250-192.168.2.254
# One DHCP server per VLAN interface, each serving its own pool.
/ip dhcp-server
add address-pool=dmz_pool interface=dmz name=dmz
add address-pool=lan_pool interface=lan name=lan
/system logging action
# Access ports: pvid assigns untagged ingress frames to the port's VLAN.
# NOTE(review): ether24 is added with no pvid (default 1) and VLAN 1 has no entry in
# /interface bridge vlan below, so with vlan-filtering=yes frames on it may be dropped;
# presumably unintended -- confirm what ether24 is meant to carry.
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=DMZ-ether5 pvid=30
add bridge=bridge comment=defconf ingress-filtering=no interface=DMZ-ether6 pvid=30
add bridge=bridge comment=defconf ingress-filtering=no interface=DMZ-ether7 pvid=30
add bridge=bridge comment=defconf ingress-filtering=no interface=DMZ-ether8 pvid=30
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether15 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether16 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether17 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether18 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether19 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether20 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether21 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether22 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=ether24
# NOTE(review): discover-interface-list=all announces the router via neighbor discovery
# on every interface, including the upstream "inet" port; restricting this to a
# LAN-only interface list reduces what is exposed upstream.
/ip neighbor discovery-settings
set discover-interface-list=all
# Size of the ARP/neighbor table.
/ip settings
set max-neighbor-entries=8192
# Bridge VLAN table. "bridge" as a tagged member is what delivers each VLAN to the CPU
# (and so to the dmz/lan interfaces and their DHCP servers).
# NOTE(review): dmz and lan are VLAN interfaces on top of the bridge, not bridge ports,
# so they do not belong in tagged=; only "bridge" should be listed there. RouterOS
# presumably ignores or flags the non-port entries -- verify with
# /interface bridge vlan print.
/interface bridge vlan
add bridge=bridge tagged=bridge,dmz untagged=DMZ-ether5,DMZ-ether6,DMZ-ether7,DMZ-ether8 vlan-ids=30
add bridge=bridge tagged=bridge,lan untagged=LAN-ether15,LAN-ether16,LAN-ether17,LAN-ether18,LAN-ether19,LAN-ether20,LAN-ether21,LAN-ether22 vlan-ids=20
# Router addresses on each VLAN interface; these are also the DHCP gateways below.
/ip address
add address=192.168.3.1/24 interface=dmz network=192.168.3.0
add address=192.168.2.1/24 interface=lan network=192.168.2.0
# Clients get the router's VLAN address as both gateway and DNS server.
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1 netmask=24
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1 netmask=24
# The only filter rule is the fasttrack shortcut for established/related forward
# traffic; there is no drop rule of any kind, so nothing in this export prevents
# routing between 192.168.2.0/24 and 192.168.3.0/24. If a LAN host can reach
# 192.168.3.1 but not a DMZ host, the cause is presumably on the hosts themselves
# (e.g. their own firewalls rejecting traffic from another subnet) -- verify there.
# NOTE(review): with no drop rules the two segments are not isolated from each other,
# and the "inet" interface has no input-chain protection in this export either; the
# export may be partial (no NAT or DHCP client for inet is shown) -- confirm. Isolation
# would need an explicit forward rule, e.g.
#   add action=drop chain=forward in-interface=dmz out-interface=lan
# placed after the fasttrack rule.
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established,related hw-offload=yes
# Single-bridge VLAN layout on a CRS326-24G-2S+: every switch port is a member of one
# bridge with vlan-filtering enabled; VLAN 20 (lan, 192.168.2.0/24) and VLAN 30
# (dmz, 192.168.3.0/24) are terminated on VLAN interfaces created on top of the bridge.
# NOTE(review): admin-mac=11:11:11:11:11:11 looks like a redacted placeholder, not a
# real address; auto-mac=no pins the bridge MAC to whatever is set here.
# NOTE(review): ingress-filtering=no on the bridge (and on every port below) means a
# port also accepts tagged frames for VLAN ids it is not a member of in the bridge VLAN
# table. With vlan-filtering=yes the usual hardening is ingress-filtering=yes on the
# access ports -- confirm nothing depends on the relaxed behaviour before changing it.
/interface bridge
add admin-mac=11:11:11:11:11:11 auto-mac=no comment=defconf ingress-filtering=no name=bridge vlan-filtering=yes
# Port naming: ether5-8 are the DMZ access ports, ether15-22 the LAN access ports.
# ether2 is renamed "inet" (upstream); ether1 and both SFP+ ports are disabled.
/interface ethernet
set [ find default-name=ether5 ] name=DMZ-ether5
set [ find default-name=ether6 ] name=DMZ-ether6
set [ find default-name=ether7 ] name=DMZ-ether7
set [ find default-name=ether8 ] name=DMZ-ether8
set [ find default-name=ether15 ] name=LAN-ether15
set [ find default-name=ether16 ] name=LAN-ether16
set [ find default-name=ether17 ] name=LAN-ether17
set [ find default-name=ether18 ] name=LAN-ether18
set [ find default-name=ether19 ] name=LAN-ether19
set [ find default-name=ether20 ] name=LAN-ether20
set [ find default-name=ether21 ] name=LAN-ether21
set [ find default-name=ether22 ] name=LAN-ether22
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] comment="ether2 INTERNET" name=inet
set [ find default-name=sfp-sfpplus1 ] disabled=yes
set [ find default-name=sfp-sfpplus2 ] disabled=yes
# Layer-3 VLAN interfaces on the bridge. The CPU only sees VLAN 20/30 frames if the
# bridge itself is a tagged member of those VLANs in /interface bridge vlan below,
# which is why DHCP on these interfaces only started working once "bridge" was added
# there as tagged -- that is the expected configuration, not a workaround.
/interface vlan
add interface=bridge name=dmz vlan-id=30
add interface=bridge name=lan vlan-id=20
# DHCP pools: five addresses per segment (.250-.254); the router itself is .1.
/ip pool
add name=dmz_pool ranges=192.168.3.250-192.168.3.254
add name=lan_pool ranges=192.168.2.250-192.168.2.254
# One DHCP server per VLAN interface, each serving its own pool.
/ip dhcp-server
add address-pool=dmz_pool interface=dmz name=dmz
add address-pool=lan_pool interface=lan name=lan
/system logging action
# Access ports: pvid assigns untagged ingress frames to the port's VLAN.
# NOTE(review): ether24 is added with no pvid (default 1) and VLAN 1 has no entry in
# /interface bridge vlan below, so with vlan-filtering=yes frames on it may be dropped;
# presumably unintended -- confirm what ether24 is meant to carry.
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=DMZ-ether5 pvid=30
add bridge=bridge comment=defconf ingress-filtering=no interface=DMZ-ether6 pvid=30
add bridge=bridge comment=defconf ingress-filtering=no interface=DMZ-ether7 pvid=30
add bridge=bridge comment=defconf ingress-filtering=no interface=DMZ-ether8 pvid=30
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether15 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether16 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether17 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether18 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether19 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether20 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether21 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=LAN-ether22 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=ether24
# NOTE(review): discover-interface-list=all announces the router via neighbor discovery
# on every interface, including the upstream "inet" port; restricting this to a
# LAN-only interface list reduces what is exposed upstream.
/ip neighbor discovery-settings
set discover-interface-list=all
# Size of the ARP/neighbor table.
/ip settings
set max-neighbor-entries=8192
# Bridge VLAN table. "bridge" as a tagged member is what delivers each VLAN to the CPU
# (and so to the dmz/lan interfaces and their DHCP servers).
# NOTE(review): dmz and lan are VLAN interfaces on top of the bridge, not bridge ports,
# so they do not belong in tagged=; only "bridge" should be listed there. RouterOS
# presumably ignores or flags the non-port entries -- verify with
# /interface bridge vlan print.
/interface bridge vlan
add bridge=bridge tagged=bridge,dmz untagged=DMZ-ether5,DMZ-ether6,DMZ-ether7,DMZ-ether8 vlan-ids=30
add bridge=bridge tagged=bridge,lan untagged=LAN-ether15,LAN-ether16,LAN-ether17,LAN-ether18,LAN-ether19,LAN-ether20,LAN-ether21,LAN-ether22 vlan-ids=20
# Router addresses on each VLAN interface; these are also the DHCP gateways below.
/ip address
add address=192.168.3.1/24 interface=dmz network=192.168.3.0
add address=192.168.2.1/24 interface=lan network=192.168.2.0
# Clients get the router's VLAN address as both gateway and DNS server.
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1 netmask=24
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1 netmask=24
# The only filter rule is the fasttrack shortcut for established/related forward
# traffic; there is no drop rule of any kind, so nothing in this export prevents
# routing between 192.168.2.0/24 and 192.168.3.0/24. If a LAN host can reach
# 192.168.3.1 but not a DMZ host, the cause is presumably on the hosts themselves
# (e.g. their own firewalls rejecting traffic from another subnet) -- verify there.
# NOTE(review): with no drop rules the two segments are not isolated from each other,
# and the "inet" interface has no input-chain protection in this export either; the
# export may be partial (no NAT or DHCP client for inet is shown) -- confirm. Isolation
# would need an explicit forward rule, e.g.
#   add action=drop chain=forward in-interface=dmz out-interface=lan
# placed after the fasttrack rule.
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established,related hw-offload=yes