jfernandezr

VLAN Passthrough / bridging from ISP VoIP VLAN

Fri Mar 01, 2024 12:16 pm

Hi all

I've got a fiber connection with my ISP that offers IP, VoIP and IPTV services. My setup is as follows.

Captura de pantalla 2024-03-01 a las 10.42.27.png

The fiber connection receives 3 different VLANs: 6 for IP services, 3 for VoIP services and 2 for IPTV services. I've got a UFiber Loco that takes in the fiber connection and converts it to Ethernet, in bridge mode, so that the router will manage all addressing. So, it sends all VLAN-tagged packets to the router transparently.

The router is a MikroTik hEX running RouterOS 7.14. I've got the first eth1 port set as WAN and all the other Ethernet ports grouped in a single bridge.

My current setup for IP access is basically the following:

- I've configured a VLAN interface (vlan-internet) on top of (ether1), with VLAN ID 6.
- Then, there is a PPPoE interface (internet) on top of (vlan-internet) that gets the public IP address
- Finally, I'm masquerading all internal traffic to the (internet) interface.

I have some internal VLANs but I think it does not matter at this point. Each internal VLAN has its own router address, DHCP server, DHCP address pools and firewall rules. This setup works flawlessly.

Now, I want to set up a FreePBX machine that connects to the ISP SIP trunk. From what I've seen in some setup guides for this ISP, to access the VoIP VLAN the client must obtain an IP address via a DHCP client (not PPPoE as for IP traffic).

So far, I have done:

- First, configured a VLAN interface (vlan-voip) on top of (ether1), with VLAN ID 3
- Then, configured a DHCP client on top of (vlan-voip). The router successfully gets the 10.28.135.254 address on network 10.28.128.0/19. It also sets up a route to 10.31.255.128/27 through 10.28.128.1%vlan-voip.
- From the MikroTik console, I can successfully ping the 10.31.255.134 ISP SIP server
- If I configure a masquerade for the (vlan-voip) interface, then I can also ping the 10.31.255.134 server.

Now, my idea is to make this network more secure and segmented. What I want to do, as shown in the attached picture, is to kind of passthrough/bridge the ISP VLAN 3 to my FreePBX machine, maybe to another VLAN ID. So, basically I want to:

- Not configure a DHCP client on the router for the ISP VoIP VLAN, so I won't have any address set in the router
- Make the FreePBX machine's DHCP client get its IP address directly from the ISP DHCP server on the VoIP VLAN.

So basically, the question is how to configure the router to not route the VoIP traffic and allow the FreePBX machine direct access to the ISP VoIP VLAN 3.

Other ideas that go through my mind.

- Convert the ISP VLAN ID 3 to my internal VLAN ID 10. I guess this can only be done in routing mode, not bridging.
- Maybe use VLAN over VLAN, so that I have a VLAN ID 10 for my internal VoIP traffic, but the server interface is also configured to DHCP client on VLAN 3 over VLAN 10.

What do you think? I guess this is a hard one...

Thanks!
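
Added example, not part of the original post and not MikroTik's own configuration: one way to hand ISP VLAN 3 to a single port at layer 2 so the router holds no address on it. The bridge name `bridge-voip`, the port `ether5` for the FreePBX machine and the `LAN` interface list are assumptions; `vlan-voip` is the VLAN ID 3 interface on ether1 described in the post.

```routeros
# Added example; bridge-voip, ether5 and the LAN interface list are assumptions.
# vlan-voip (VLAN ID 3 on ether1) is the interface described in the post.

# Remove the router's layer-3 presence on the VoIP VLAN: no DHCP client, no NAT rule.
/ip dhcp-client remove [find interface=vlan-voip]
/ip firewall nat remove [find out-interface=vlan-voip]

# Take the FreePBX port out of the main LAN bridge.
/interface bridge port remove [find interface=ether5]

# Dedicated bridge with no IP address: frames are switched, never routed.
# protocol-mode=none keeps the router from sending STP BPDUs towards the ISP.
/interface bridge add name=bridge-voip protocol-mode=none
/interface bridge port add bridge=bridge-voip interface=vlan-voip
/interface bridge port add bridge=bridge-voip interface=ether5

# Keep the router's own layer-2 services (MAC telnet, MAC WinBox,
# neighbor discovery) off this segment by limiting them to the LAN list.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN
```

With this layout the FreePBX machine runs its DHCP client on the untagged NIC attached to ether5. Bridged frames do not pass through the router's IP firewall by default, so filtering for this segment has to be done on the FreePBX host or with bridge filter rules.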
