No internet on LAN port with VLAN20

I’m running into a final problem finishing my setup, and after numerous attempts to get it to work I’m afraid I need some help.

So my setup is as follows:
I have 3 VLANS:
VLAN 10 = Main
VLAN 20 = IOT
VLAN 30 = Guest

I have a Mikrotik hAP ac2 connected to my ISP router (and it gets a static IP of 192.168.0.4)
Port 1 on my MT is WAN
Port 5 on my MT is a trunk to my Ubiquiti AP which carries 2 SSIDs / 2 VLANs (10 & 20)
I have 3 virtual WiFis configured on both wlan interfaces on my MT, each with its own VLAN (10, 20, 30).

So far everything is working EXCEPT when I connect my computer via LAN 4 (VLAN 20)
My computer connects and gets the correct IP, but I can’t get on the internet…

What am I doing wrong ??




# model = RBD52G-5HacD2HnD
# serial number = E5780FA00097
# NOTE(review): an export carries the serial number and the admin MAC; neither is
# needed to get help and both are better stripped before posting.
/interface bridge
# Original design: one bridge per VLAN next to the defconf bridge, none of them
# with vlan-filtering, so the pvid= values on the bridge ports further down have
# no effect. This is the "multiple bridges" layout the replies advise against.
add admin-mac=DC:2C:6E:11:70:14 auto-mac=no comment=defconf name=bridge
add name=bridge_vlan10
add name=bridge_vlan20
add name=bridge_vlan30
/interface ethernet
# Port roles as described in the post: ether1 = WAN, ether2/ether3 = VLAN 10
# access, ether4 = VLAN 20 access, ether5 = tagged trunk to the UniFi AP.
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-MAIN
set [ find default-name=ether3 ] name=ether3-MAIN
set [ find default-name=ether4 ] name=ether4-IOT
set [ find default-name=ether5 ] name=ether5-Trunk
/interface vlan
# ether4_vlan20 is a tagged VLAN-20 sub-interface of ether4-IOT, yet ether4-IOT
# itself is also added untagged to bridge_vlan20 further down (and the switch
# port for ether4 is set to always-strip), so the same client traffic has two
# possible paths into bridge_vlan20. For an access port one of the two suffices.
add interface=ether4-IOT name=ether4_vlan20 vlan-id=20
# The trunk to the AP is handled as routed VLAN sub-interfaces; they are never
# bridged into bridge_vlan10/bridge_vlan20 (see /interface bridge port), so AP
# clients and wired/on-board-WiFi clients of the same VLAN sit in different L2
# domains that nevertheless share one subnet (see /ip address).
add interface=ether5-Trunk name=vlan10-trunk vlan-id=10
add interface=ether5-Trunk name=vlan20-trunk vlan-id=20
/interface ethernet switch port
# Switch-chip VLAN settings in secure mode; ports 1-3 are presumably
# ether2/ether3/ether4 (port 0 = ether1) -- confirm in the switch port list.
# The matching VLAN table (/interface ethernet switch vlan) lists only the edge
# ports and no CPU port, so in secure mode these frames may have no permitted
# egress towards the bridge at all; the replies suggest dropping this section.
set 1 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
/interface list
# Defconf WAN/LAN lists. Membership (further down) is only ether1-WAN and the
# plain "bridge", so none of the per-VLAN bridges or the trunk VLAN interfaces
# count as LAN for the firewall, neighbor discovery or the MAC server.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# The default profile is only given a supplicant-identity here; its
# authentication settings are not visible in this export. wl2_guest below
# references no profile and therefore falls back to this one -- confirm that
# SSID is actually protected.
set [ find default=yes ] supplicant-identity=MikroTik
# Per-network WPA2-PSK profiles. No wpa2-pre-shared-key is shown, presumably
# because the export was made without show-sensitive.
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    secprof_main supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    secprof_iot supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    secprof_guest supplicant-identity=""
/interface wireless
# Master radios: hidden default SSIDs that serve as carriers for the virtual
# APs below. A hidden SSID is not a security control; clients can still join it.
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors \
    frequency=2437 hide-ssid=yes installation=indoor mode=ap-bridge \
    security-profile=secprof_main ssid=MikroTik-117018 wireless-protocol=\
    802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto hide-ssid=\
    yes installation=indoor mode=ap-bridge security-profile=secprof_main \
    ssid=MikroTik-117019 wireless-protocol=802.11
# Each virtual AP tags its own VLAN (vlan-mode=use-tag) and is then ALSO given a
# VLAN sub-interface below, with both the raw AP and the sub-interface bridged
# into the same per-VLAN bridge. One of the two paths is redundant; the replies
# recommend dropping vlan-id/vlan-mode here and using the bridge-port pvid.
add disabled=no keepalive-frames=disabled mac-address=02:00:00:AA:00:04 \
    master-interface=wlan1 multicast-buffering=disabled name=wl1_guest \
    security-profile=secprof_guest ssid=LTS39--MT-Guest vlan-id=30 vlan-mode=\
    use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=02:00:00:AA:00:01 \
    master-interface=wlan1 multicast-buffering=disabled name=wl1_iot \
    security-profile=secprof_iot ssid=LTS39--MT-IoT vlan-id=20 vlan-mode=\
    use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=02:00:00:AA:00:02 \
    master-interface=wlan1 multicast-buffering=disabled name=wl1_main \
    security-profile=secprof_main ssid=LTS39--MT-Main vlan-id=10 vlan-mode=\
    use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
# NOTE(review): wl2_guest is the only SSID without security-profile=, so it
# uses the default profile (of which only supplicant-identity is shown above).
# Unless that profile was given WPA2 elsewhere, the 5 GHz guest network is open.
add disabled=no keepalive-frames=disabled mac-address=02:00:00:AA:00:03 \
    master-interface=wlan2 multicast-buffering=disabled name=wl2_guest ssid=\
    LTS39--MT-Guest vlan-id=30 vlan-mode=use-tag wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=DE:2C:6E:11:70:1B \
    master-interface=wlan2 multicast-buffering=disabled name=wl2_iot \
    security-profile=secprof_iot ssid=LTS39--MT-IoT vlan-id=20 vlan-mode=\
    use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=02:00:00:AA:00:00 \
    master-interface=wlan2 multicast-buffering=disabled name=wl2_main \
    security-profile=secprof_main ssid=LTS39--MT-Main vlan-id=10 vlan-mode=\
    use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface vlan
# VLAN sub-interfaces stacked on virtual APs that already tag (see note above).
add interface=wl1_main name=wl1_vlan10 vlan-id=10
add interface=wl1_iot name=wl1_vlan20 vlan-id=20
add interface=wl1_guest name=wl1_vlan30 vlan-id=30
add interface=wl2_main name=wl2_vlan10 vlan-id=10
add interface=wl2_iot name=wl2_vlan20 vlan-id=20
add interface=wl2_guest name=wl2_vlan30 vlan-id=30
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
# default-dhcp serves the defconf bridge (192.168.88.0/24), which by now only
# holds ether5-Trunk.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
# pool_trunk10 and pool_main cover the same 10.10.10.50-100 range but are used by
# two different DHCP servers (likewise pool_trunk20 / pool_iot). Separate servers
# do not share lease state, so the same address can be handed out twice.
# NOTE(review): 20.20.20.0/24 and 30.30.30.0/24 are not RFC 1918 space; they are
# public, routable ranges. Masquerade makes them work, but their real owners
# become unreachable from inside; 10.x / 172.16-31.x / 192.168.x avoids that.
add name=pool_trunk10 ranges=10.10.10.50-10.10.10.100
add name=pool_trunk20 ranges=20.20.20.50-20.20.20.100
add name=pool_main ranges=10.10.10.50-10.10.10.100
add name=pool_iot ranges=20.20.20.50-20.20.20.100
add name=pool_guest ranges=30.30.30.50-30.30.30.100
/ip dhcp-server
# One DHCP server per L2 domain; the trunk VLANs and the per-VLAN bridges are
# separate domains here, hence the duplicated servers and pools.
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=pool_trunk20 interface=vlan20-trunk name=dhcp_trunk20
add address-pool=pool_trunk10 interface=vlan10-trunk name=dhcp_trunk10
add address-pool=pool_main interface=bridge_vlan10 name=dhcp_main
add address-pool=pool_iot interface=bridge_vlan20 name=dhcp_iot
add address-pool=pool_guest interface=bridge_vlan30 name=dhcp_guest
/interface bridge port
# pvid=10 has no effect: bridge_vlan10 is not a VLAN-filtering bridge.
add bridge=bridge_vlan10 interface=ether2-MAIN pvid=10
add bridge=bridge_vlan10 interface=ether3-MAIN
# The physical trunk port sits in the defconf bridge (192.168.88.0/24) while the
# VLAN 10/20 sub-interfaces of ether5 are routed on their own, so AP clients are
# not L2-adjacent to the wired/on-board-WiFi clients of the same VLAN.
add bridge=bridge interface=ether5-Trunk
# Every virtual AP is bridged twice: once raw (carrying the tag it adds itself)
# and once through its VLAN sub-interface. One path per bridge is sufficient.
add bridge=bridge_vlan10 interface=wl1_main
add bridge=bridge_vlan10 interface=wl1_vlan10
add bridge=bridge_vlan10 interface=wl2_main
add bridge=bridge_vlan10 interface=wl2_vlan10
add bridge=bridge_vlan20 interface=wl1_iot
add bridge=bridge_vlan20 interface=wl1_vlan20
add bridge=bridge_vlan20 interface=wl2_iot
add bridge=bridge_vlan20 interface=wl2_vlan20
add bridge=bridge_vlan30 interface=wl1_guest
add bridge=bridge_vlan30 interface=wl1_vlan30
add bridge=bridge_vlan30 interface=wl2_guest
add bridge=bridge_vlan30 interface=wl2_vlan30
# ether4-IOT untagged and ether4_vlan20 (tagged 20 on the same port) in the same
# bridge -- the same doubled pattern as the WiFi ports; for a plain access port
# the untagged member alone is enough.
add bridge=bridge_vlan20 interface=ether4-IOT
add bridge=bridge_vlan20 interface=ether4_vlan20
/ip neighbor discovery-settings
# The LAN list holds only "bridge", so discovery is not offered on the VLAN
# bridges (and the router is not advertised to IoT/Guest clients either).
set discover-interface-list=LAN
/interface ethernet switch vlan
# Switch-chip VLAN table for the secure-mode ports above. Only the edge ports
# are members and no switch1-cpu entry exists, so in secure mode frames on
# these VLANs presumably have no permitted egress towards the CPU/bridge --
# confirm against the switch-chip documentation, or drop the section entirely
# as the replies suggest.
add independent-learning=no ports=ether4-IOT switch=switch1 vlan-id=20
add independent-learning=no ports=ether2-MAIN,ether3-MAIN switch=switch1 \
    vlan-id=10
/interface list member
# Only ether1-WAN and the plain "bridge" are listed; bridge_vlan10/20/30 and the
# trunk VLAN interfaces are in neither list (relevant for the !LAN input rule).
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
# 10.10.10.1/24 and 20.20.20.1/24 are each configured on TWO interfaces
# (vlanXX-trunk and bridge_vlanXX). That yields two connected routes for the
# same /24 on different interfaces; the router will presumably only use one of
# them for return traffic, so hosts behind the other interface get replies on
# the wrong interface. This alone can explain "gets an IP but no internet".
add address=10.10.10.1/24 interface=vlan10-trunk network=10.10.10.0
add address=20.20.20.1/24 interface=vlan20-trunk network=20.20.20.0
add address=10.10.10.1/24 interface=bridge_vlan10 network=10.10.10.0
add address=20.20.20.1/24 interface=bridge_vlan20 network=20.20.20.0
add address=30.30.30.1/24 interface=bridge_vlan30 network=30.30.30.0
/ip dhcp-client
add comment=defconf interface=ether1-WAN
/ip dhcp-server network
# Clients are pointed straight at 8.8.8.8 rather than the router's resolver.
add address=10.10.10.0/24 dns-server=8.8.8.8 gateway=10.10.10.1
add address=20.20.20.0/24 dns-server=8.8.8.8 gateway=20.20.20.1
add address=30.30.30.0/24 dns-server=8.8.8.8 gateway=30.30.30.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries on every
# interface, including ether1-WAN. Together with the disabled "drop all not
# coming from LAN" input rule below this is an open resolver towards the WAN
# side. Keep the setting (LAN clients need it) but enable that input rule.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): this is the only drop rule in the input chain and it is
# disabled, so the chain ends with the default accept: every router service
# (Winbox, SSH, WebFig, API, DNS, ...) is reachable from ether1-WAN -- at
# minimum from the ISP router's LAN, and from the internet if that router
# forwards anything. It was probably disabled because the LAN list holds only
# "bridge"; put the VLAN bridges into the LAN list and re-enable it.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Nothing restricts forwarding between the VLANs: IoT and Guest clients can
# reach the Main VLAN and each other. If isolation is the point of the VLANs,
# add drop rules for new connections from the IoT/Guest interfaces towards the
# other LAN interfaces ahead of this WAN rule.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Duplicate of the rule above, disabled; harmless but can be removed.
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
# Unchanged defconf IPv6 rules. Unlike the IPv4 input chain, the IPv6 input
# chain does end in an enabled "drop everything else not coming from LAN" rule;
# as the LAN list contains only the defconf bridge, IPv6 management access (if
# IPv6 is used at all) would only work from that bridge.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Brussels
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
# MAC-telnet and MAC-Winbox are limited to the LAN list, i.e. to the defconf
# bridge only (the per-VLAN bridges are not members of that list).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Sorry, I cannot help with switch chip config; I can do bridge VLAN filtering in my sleep, but I really need to master this to help others.
Hopefully someone else will chime in.

The switch chip config was merely an attempt to get it to work, without success, but if it can be done more simply I’m all for it.
In my head it sounds like a fairly simple setup (I think):
Port 1: Wan
Port 2: Vlan 10
Port 3: Vlan 10
Port 4: Vlan 20
Port 5: Trunk to AP (Vlan 10 & 20)
3 virtual Wifi’s (Vlan 10, 20 & 30)

The reason I want WiFi enabled on the MT is that the Ubiquiti AP is on another floor.

The ‘old way’ of using multiple bridges can lead to many misconfiguration issues https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration. Inter-VLAN, WAN and WiFi traffic are always handled by the CPU; using the switch chip only offloads port-to-port traffic, so it is rarely worth the additional complexity.

Use a single VLAN-aware bridge, the outline setup is in the documentation https://help.mikrotik.com/docs/display/ROS/Bridge#Bridge-VLANExample-InterVLANRoutingbyBridge and https://help.mikrotik.com/docs/display/ROS/Bridge#Bridge-VLANExample-TrunkandHybridPorts, or this article http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

As the UniFi AP–controller traffic is encrypted, you could use your main network to handle that rather than setting up a completely separate management VLAN. In the controller, use the built-in ‘LAN’ network for the main network and create VLAN-only networks for the additional VLANs.

Easy peasy. So many errors… tying VLANs to ethernet ports and not the bridge, and you never did assign VLAN 30!!! Plus duplicate VLANs, too many bridges, etc. etc.… a total schmoz; just liquidate the setup and start fresh!!

The WiFi settings were confusing. First, do NOT put VLANs inside the WiFi settings — not needed. We assign those via bridge ports…
As for 8 WLANs, you only need SIX!!!
You have three sets of users. MAIN, IOT, GUEST
MAIN - WLAN1 (2.4) WLAN2 (5gh)
IOT - Wl1-iot (2.4) wl2-iot (5gh)
GUEST - Wl1-guest 2.4 Wl2-guest (5gh)

See below… (I assumed you were not really using IPv6, so that default stuff, or whatever you added, is removed — address lists included).

/interface bridge
# Single VLAN-aware bridge. The /interface bridge vlan table further down only
# takes effect once vlan-filtering=yes is set on this bridge; do that as the
# LAST step, after the vlan table, vlan10-main and its address exist, otherwise
# the management session is cut off. Untagged frames that a client injects on
# a tagged-only port can be rejected per port with ingress-filtering=yes and
# frame-types=admit-only-vlan-tagged once filtering is on.
add admin-mac=DC:2C:6E:11:70:14 auto-mac=no comment=defconf name=bridge
/interface ethernet
# Same port naming as the original export; the bridge vlan table and bridge
# port entries below must use these names, not the default etherN names.
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-MAIN
set [ find default-name=ether3 ] name=ether3-MAIN
set [ find default-name=ether4 ] name=ether4-IOT
set [ find default-name=ether5 ] name=ether5-Trunk
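/interface wireless
# The three profiles referenced below (secprof_main / secprof_iot /
# secprof_guest, WPA2-PSK) are not repeated in this post; keep the
# /interface wireless security-profiles section from the original export or
# these references fail.
# wlan1/wlan2 are the MAIN network in this layout, so they carry the Main SSID
# visibly; the hidden "MikroTik-1170xx" names were only placeholders for the
# virtual APs in the original setup (hiding an SSID is not a security control).
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors \
    frequency=2437 hide-ssid=no installation=indoor mode=ap-bridge \
    security-profile=secprof_main ssid=LTS39--MT-Main wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto hide-ssid=no \
    installation=indoor mode=ap-bridge security-profile=secprof_main \
    ssid=LTS39--MT-Main wireless-protocol=802.11
# Virtual APs carry no vlan-id / vlan-mode: VLAN membership comes from the pvid
# on their bridge-port entries. (A stray "v" token in the original wl1_iot
# line is removed.)
add disabled=no keepalive-frames=disabled mac-address=02:00:00:AA:00:04 \
    master-interface=wlan1 multicast-buffering=disabled name=wl1_guest \
    security-profile=secprof_guest ssid=LTS39--MT-Guest wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=02:00:00:AA:00:01 \
    master-interface=wlan1 multicast-buffering=disabled name=wl1_iot \
    security-profile=secprof_iot ssid=LTS39--MT-IoT wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
# wl2_guest now references secprof_guest like wl1_guest; as posted it had no
# security-profile and would have used the default profile.
add disabled=no keepalive-frames=disabled mac-address=02:00:00:AA:00:03 \
    master-interface=wlan2 multicast-buffering=disabled name=wl2_guest \
    security-profile=secprof_guest ssid=LTS39--MT-Guest wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=DE:2C:6E:11:70:1B \
    master-interface=wlan2 multicast-buffering=disabled name=wl2_iot \
    security-profile=secprof_iot ssid=LTS39--MT-IoT wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled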
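/interface vlan
# Routed VLAN interfaces on top of the bridge (the bridge itself is a tagged
# member of each VLAN in the bridge vlan table). The parameter is vlan-id
# here; vlan-ids belongs to /interface bridge vlan.
add interface=bridge name=vlan10-main vlan-id=10
add interface=bridge name=vlan20-iot vlan-id=20
add interface=bridge name=vlan30-guest vlan-id=30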
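/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Trusted = interfaces allowed to manage the router (main VLAN only, see
# /interface list member). The posted line had a misspelled, valueless
# "commment" parameter, which the CLI rejects.
add name=Trusted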
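/ip pool
# One pool per VLAN. The parameter is "ranges" (pool_30 had "range", which the
# CLI rejects).
# NOTE(review): 20.20.20.0/24 and 30.30.30.0/24 are public, routable address
# space rather than RFC 1918; it works behind masquerade, but those real
# networks become unreachable. 10.20.20.0/24 and 10.30.30.0/24 would avoid it.
add name=pool_10 ranges=10.10.10.50-10.10.10.100
add name=pool_20 ranges=20.20.20.50-20.20.20.100
add name=pool_30 ranges=30.30.30.50-30.30.30.100
/ip dhcp-server
# Servers bind to the routed VLAN interfaces, one per L2 domain.
add address-pool=pool_10 interface=vlan10-main name=dhcp_10
add address-pool=pool_20 interface=vlan20-iot name=dhcp_20
add address-pool=pool_30 interface=vlan30-guest name=dhcp_30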
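/interface bridge port
# Access ports: pvid= puts untagged ingress into that VLAN; the bridge vlan
# table decides where it may egress. Two "brige"/"bridg" typos from the post are
# corrected (the CLI rejects both). Once vlan-filtering is on, adding
# ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged to
# the access ports rejects tagged frames a client might inject.
add bridge=bridge interface=ether2-MAIN pvid=10
add bridge=bridge interface=ether3-MAIN pvid=10
add bridge=bridge interface=ether4-IOT pvid=20
# Trunk to the UniFi AP: no pvid, VLANs 10 and 20 tagged (see bridge vlan table).
add bridge=bridge interface=ether5-Trunk
add bridge=bridge interface=wlan1 pvid=10 comment="main subnet"
add bridge=bridge interface=wlan2 pvid=10 comment="main subnet"
add bridge=bridge interface=wl1_iot pvid=20
add bridge=bridge interface=wl2_iot pvid=20
add bridge=bridge interface=wl1_guest pvid=30
add bridge=bridge interface=wl2_guest pvid=30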
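/interface bridge vlan
# Path is "vlan" (the post had "vlans"). Member names must be the interfaces'
# current names: ether5-Trunk, ether2-MAIN, ether4-IOT, wl1_iot, wl1_guest, ...
# The bridge itself is tagged on every VLAN so the vlanXX interfaces above it
# can route. VLAN 30 is kept off the trunk on purpose: the AP carries 10 and 20.
# This table is ignored until vlan-filtering=yes is set on the bridge -- do that
# as the final step, after vlan10-main has its address.
add bridge=bridge tagged=bridge,ether5-Trunk untagged=ether2-MAIN,ether3-MAIN vlan-ids=10
add bridge=bridge tagged=bridge,ether5-Trunk untagged=ether4-IOT,wl1_iot,wl2_iot vlan-ids=20
add bridge=bridge tagged=bridge untagged=wl1_guest,wl2_guest vlan-ids=30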
/ip neighbor discovery-settings
# Neighbor discovery only on the Trusted list (= vlan10-main), so the router
# does not advertise itself to IoT and Guest clients.
set discover-interface-list=Trusted
/interface list member
# LAN = the three routed VLAN interfaces (used by the "!LAN" input rule);
# Trusted = main VLAN only (discovery and MAC-Winbox).
add interface=vlan10-main list=LAN
add interface=vlan20-iot list=LAN
add interface=vlan30-guest list=LAN
add interface=vlan10-main list=Trusted
add comment=defconf interface=ether1-WAN list=WAN
/ip address
# One gateway address per routed VLAN interface, no duplicates this time.
# NOTE(review): 20.20.20.0/24 and 30.30.30.0/24 are public, routable address
# space, not RFC 1918; masquerade hides it but those real networks become
# unreachable from inside. 10.20.20.0/24 / 10.30.30.0/24 would avoid that.
add address=10.10.10.1/24 interface=vlan10-main network=10.10.10.0
add address=20.20.20.1/24 interface=vlan20-iot network=20.20.20.0
add address=30.30.30.1/24 interface=vlan30-guest network=30.30.30.0
/ip dhcp-client
add comment=defconf interface=ether1-WAN
/ip dhcp-server network
# Clients use the router as resolver (one place to log or filter DNS).
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
add address=20.20.20.0/24 dns-server=20.20.20.1 gateway=20.20.20.1
add address=30.30.30.0/24 dns-server=30.30.30.1 gateway=30.30.30.1
/ip dns
# allow-remote-requests=yes answers DNS on every interface, ether1-WAN included.
# That is only acceptable with the "drop all not coming from LAN" input rule
# enabled (as posted it still carries disabled=yes); otherwise the router is an
# open resolver towards the WAN side.
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1,9.9.9.9
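/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Enabled (the post kept the original disabled=yes). Without it the input chain
# has no final drop, so every router service -- including the resolver, which
# has allow-remote-requests=yes -- is reachable from ether1-WAN. It is safe to
# enable here because vlan10-main/vlan20-iot/vlan30-guest are in the LAN list.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Nothing yet restricts forwarding between the VLANs: IoT and Guest clients can
# reach the Main VLAN and each other. If isolation is the point of the VLANs,
# add drop rules for new connections from vlan20-iot / vlan30-guest towards
# the other LAN interfaces ahead of this WAN rule. Likewise, Guest/IoT clients
# can still reach every router service on input; limiting them to DNS and DHCP
# is the usual next step.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN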
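/system clock
set time-zone-name=Europe/Brussels
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
# MAC-telnet off everywhere; MAC-Winbox only from the Trusted (main) VLAN.
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=Trusted
# Final step, missing from the post: the bridge vlan table is inert until
# filtering is switched on. Done last so the bridge vlan entries and the
# vlan10-main address already exist; otherwise the management session drops.
/interface bridge
set bridge vlan-filtering=yes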

The only hiccup may be your trunk port ether5 to the UniFi device.

We need to know how it is setup.
a. To accept the management/trusted VLAN incoming as untagged and all other VLANs tagged
b. Normal smart device: all incoming VLANs are tagged

a. would have to be set up as a HYBRID port; see below for the difference.
b. would have to be set up as a TRUNK port, like it is now in the config provided.

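/interface bridge port
# Hybrid variant of the trunk (replaces the plain ether5-Trunk bridge-port
# entry of the full config): VLAN 10 leaves ether5-Trunk untagged (pvid=10),
# VLAN 20 stays tagged. Member names must be the interfaces' current names;
# "ether5" / "wl1-iot" are not the names defined above.
add bridge=bridge interface=ether5-Trunk pvid=10

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2-MAIN,ether3-MAIN,ether5-Trunk vlan-ids=10
add bridge=bridge tagged=bridge,ether5-Trunk untagged=ether4-IOT,wl1_iot,wl2_iot vlan-ids=20
add bridge=bridge tagged=bridge untagged=wl1_guest,wl2_guest vlan-ids=30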