tuxtlequino
Frequent Visitor
Topic Author
Posts: 68
Joined: Tue Feb 16, 2016 12:46 am

Inter VLAN communications using the switch chip to create the VLANS

Sun Feb 19, 2017 12:44 am

I have seen some examples of doing this using bridges, but I am using the switch chip to create my trunks and manage the VLANs. I understand that concept, but by default those VLANs are isolated from each other. That works well, but I would like to have a managing VLAN that can ping and see the other VLANs. I have spent several hours on Google and looked at the examples here, but I am at a loss. I am not even sure what to ask. Here is my configuration.
/interface ethernet
# ether1-ether4 are renamed below; later sections must reference the new names.
set [ find default-name=ether1 ] comment="Ether1 - Office Trunk - VLAN 10,30,40" name=Office
set [ find default-name=ether2 ] comment="Ether2 - Gym Trunk - VLAN 10,20,30" master-port=Office name=Gym
set [ find default-name=ether3 ] comment="Ether3 - Housing - VLAN20" master-port=Office name=Houses
set [ find default-name=ether4 ] comment="Ether4 - Sign - VLAN40" master-port=Office name=Sign
set [ find default-name=ether5 ] comment=Disabled disabled=yes
set [ find default-name=ether6 ] comment=Disabled disabled=yes
set [ find default-name=ether7 ] comment="Ether7 - Configuration" l2mtu=10222 name=Direct
set [ find default-name=ether8 ] comment="Ether8 - WAN - From Cable Router" l2mtu=10220 name=Wan
set [ find default-name=sfp1 ] disabled=yes

/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=Wan

/interface vlan
# The VLAN interfaces sit on the master port of the switch group (ether1, renamed Office).
add interface=Office mtu=1504 name=VLAN10-Work vlan-id=10
add interface=Office mtu=1504 name=VLAN20-Housing vlan-id=20
add interface=Office mtu=1504 name=VLAN30-Guest vlan-id=30
add interface=Office mtu=1504 name=VLAN40-Sign vlan-id=40

/ip address
add address=192.168.1.1/24 interface=VLAN10-Work network=192.168.1.0
add address=10.10.20.1/24 interface=VLAN20-Housing network=10.10.20.0
add address=10.10.30.1/24 interface=VLAN30-Guest network=10.10.30.0
# network must match the address prefix (the pool and DHCP network below use 172.16.192.0/24).
add address=172.16.192.1/24 interface=VLAN40-Sign network=172.16.192.0
add address=192.168.21.1/24 interface=Direct network=192.168.21.0

/interface ethernet switch port
# Ports 0-1 are trunks (tag untagged frames), ports 2-3 are access ports for VLAN 20 and 40.
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=40 vlan-header=always-strip vlan-mode=secure
set 4 vlan-mode=secure

/interface ethernet switch vlan
# switch1-cpu is a member of every VLAN so the router can hold an IP address in each.
add independent-learning=yes ports=Office,Gym,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=yes ports=Gym,Houses,switch1-cpu switch=switch1 vlan-id=20
add independent-learning=yes ports=Office,Gym,switch1-cpu switch=switch1 vlan-id=30
add independent-learning=yes ports=Office,Sign,switch1-cpu switch=switch1 vlan-id=40

/ip pool
add name=vlan10 ranges=192.168.1.20-192.168.1.100
add name=vlan20 ranges=10.10.20.20-10.10.20.200
add name=vlan30 ranges=10.10.30.20-10.10.30.200
add name=vlan40 ranges=172.16.192.20-172.16.192.200
add name=direct ranges=192.168.21.20-192.168.21.100

/ip dhcp-server
add address-pool=direct disabled=no interface=Direct name=direct
add address-pool=vlan10 disabled=no interface=VLAN10-Work lease-time=3d name=vlan10
add address-pool=vlan20 disabled=no interface=VLAN20-Housing lease-time=3d name=vlan20
add address-pool=vlan30 disabled=no interface=VLAN30-Guest lease-time=3d name=vlan30
add address-pool=vlan40 disabled=no interface=VLAN40-Sign lease-time=3d name=vlan40

/ip dhcp-server network
add address=10.10.20.0/24 dns-server=208.67.222.222,208.67.222.220 gateway=10.10.20.1
add address=10.10.30.0/24 dns-server=208.67.222.222,208.67.222.220 gateway=10.10.30.1
add address=172.16.192.0/24 dns-server=208.67.222.222,208.67.222.220 gateway=172.16.192.1
add address=192.168.1.0/24 dns-server=208.67.222.222,208.67.222.220 gateway=192.168.1.1
add address=192.168.21.0/24 gateway=192.168.21.1

/ip firewall nat
# Masquerades every forwarded packet, including routed inter-VLAN traffic, because no out-interface is given.
add action=masquerade chain=srcnat
# Redirects TCP DNS from all non-WAN interfaces to the router itself.
add action=redirect chain=dstnat dst-port=53 in-interface=!Wan protocol=tcp
Any help is appreciated.
 
magchiel
Member Candidate
Posts: 131
Joined: Mon Jan 06, 2014 2:13 pm

Re: Inter VLAN communications using the switch chip to create the VLANS

Sun Feb 19, 2017 11:09 am

First, in order to prevent any issues and misconceptions, let's get the terminology straight.

A management VLAN is usually a VLAN which holds the management interfaces through which you configure your appliances. This is a VLAN that you want to isolate at all costs.
The purpose of a VLAN is to isolate traffic at layer 2. You should not and cannot connect VLANs together in the way you describe, as it would violate the concept of separating the broadcast domains.

However, you could apply the concept of inter-VLAN routing and firewall traffic according to your needs. The configuration you've posted should allow this, or easily extend it with an "administrative" VLAN that by default will have more or less unrestricted access to the other VLANs (but not the other way around). Instead of adding a dedicated "administrative" VLAN, you could also use firewall rules to allow specific hosts in current VLANs less restricted access to other VLANs. Whatever fits your bill. I'd make sure you only masquerade the traffic on the WAN interface though.
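
The inter-VLAN routing and firewall policy described in this reply, written out as an added example against the interface names from the original post (this is not code from either poster). It assumes VLAN10-Work is the "administrative" VLAN that may initiate connections into the others; any other VLAN can be substituted. The interface-list feature and the `in-interface-list`/`out-interface-list` matchers require RouterOS 6.36 or later.

```routeros
# Added example: one-way inter-VLAN access for an admin VLAN on RouterOS.
# Assumption: VLAN10-Work is the admin VLAN; VLAN20/30/40 are the isolated ones.

# Group the routed VLAN interfaces so a single rule set covers all of them.
/interface list
add name=LAN-VLANS
/interface list member
add interface=VLAN10-Work list=LAN-VLANS
add interface=VLAN20-Housing list=LAN-VLANS
add interface=VLAN30-Guest list=LAN-VLANS
add interface=VLAN40-Sign list=LAN-VLANS

/ip firewall filter
# Replies to sessions the admin VLAN (or an outbound Internet session) opened.
add chain=forward action=accept connection-state=established,related comment="allow replies"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Admin VLAN may initiate connections to every other VLAN.
add chain=forward action=accept in-interface=VLAN10-Work out-interface-list=LAN-VLANS comment="admin -> any VLAN"
# Every VLAN may reach the Internet.
add chain=forward action=accept in-interface-list=LAN-VLANS out-interface=Wan comment="VLANs -> WAN"
# Any other VLAN-to-VLAN traffic is dropped, so VLAN20/30/40 cannot reach
# each other or open connections toward the admin VLAN.
add chain=forward action=drop in-interface-list=LAN-VLANS out-interface-list=LAN-VLANS comment="block other inter-VLAN"
# Nothing unsolicited is forwarded in from the WAN side.
add chain=forward action=drop in-interface=Wan comment="no unsolicited inbound from WAN"

/ip firewall nat
# Masquerade only on the WAN interface; routed inter-VLAN traffic keeps its real
# source address, which keeps per-host firewall rules and logs meaningful.
add chain=srcnat action=masquerade out-interface=Wan
```

Rule order matters in the forward chain: the established/related accept must come first so that replies to admin-initiated sessions pass, and the generic inter-VLAN drop must come after the admin accept. After applying the rules, `/ip firewall filter print stats` shows which rule each test ping from the admin and from a guest host actually hit, which is the quickest way to confirm the policy is one-way.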
