Can't access device in different VLAN

racinmat · November 2, 2024, 3:04pm

TL;DR: I created a vlan with its own subnetwork and I can’t connect to devices in it from non-vlan subnetwork.

Hi,
I just bought mikrotik and started setting it up. I managed to make connection to the outside internet work (my ISP uses PPPoE), and I connected my laptop and NAS, assigned it static IP 192.168.0.2 and everything worked.
Then I added 3 vlans with following ranges:
192.168.10.0-255-iot
192.168.20.0-255-guest
192.168.30.0-255-admin
and I re-assigned static IP to the NAS: 192.168.30.2. But now I can’t connect to it from my laptop which is on 192.168.0.143.

Here is my configuration: https://gist.github.com/racinmat/ef298f0a6e9e03f73af496596507f920
I enabled firewall and routing logs on router and tried to connect to http://192.168.30.2:5000/ from my laptop (which is the port where Synology web UI runs), but I didn’t see anything mentioning any of these 2 IP addresses in the logs.
I also disabled all deny rules and I added the following rule:
/ip firewall filter
add action=log chain=forward log=yes log-prefix=“all-traffic”
but I didn’t see anything in related to the 192.168.30.2 either.
I saw lots of requests to the other pages that my laptop was connecting to, in public internet.

anav · November 2, 2024, 7:04pm

Typically one posts there config here directly, nobody likes going to different websites in general, as there are risks…
Just use notepadd++ and edit out stuff, then paste here and use the code block above ( black square with white rectangular brackets )

No sense mixing apples and oranges… if you have introduced vlan, forget the bridge doing any dhcp and simply make it another vlan.
See below for changes
Also, where are the vlans going you have them on all ports or what.
**MISSING totally /**interface bridge vlan settings !!!
No vlans member of LAN interface list…
MISSING entire firewall rules ???

Okay this config is HOSED. → please read —> http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

/interface vlan
add interface=bridge-LAN name=vlan10-iot vlan-id=10
add interface=bridge-LAN name=vlan20-guest vlan-id=20
add interface=bridge-LAN name=vlan30-admin vlan-id=30
add interface=bridge-LAN name=vlan5-home vlan-id=5
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=TRUSTED name=ADMIN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=43 name=unifi value=0x0104C0A81E02
/ip pool
add name=default-dhcp ranges=192.168.0.20-192.168.0.254
add name=dhcp-iot ranges=192.168.10.50-192.168.10.200
add name=dhcp-guest ranges=192.168.20.50-192.168.20.200
add name=dhcp-admin ranges=192.168.30.50-192.168.30.200
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=vlan5-home=defconf
add address-pool=dhcp-iot disabled=no interface=vlan10-iot name=dhcp-iot
add address-pool=dhcp-guest disabled=no interface=vlan20-guest name=dhcp-guest
add address-pool=dhcp-admin disabled=no interface=vlan30-admin name=dhcp-admin
/interface bridge port
add bridge=bridge-LAN ingress-filtering=yes  frame-types=admit-priority-and-untagged  interface=ether2  pvid=5   { example of access port to dumb device }
add bridge=bridge-LAN ingress-filtering=yes  frame-types=admit-only-vlan-tagged   interface=ether3   { example of a trunk port to a smart device }
ETC.
/ip neighbor discovery-settings
set discover-interface-list=ADMIN
/interface bridge vlan
add bridge=bridge-LAN  tagged=bridge-LAN,ether3   untagged=ether2  vlan-ids=10
ETC.....
/interface list member
add comment=defconf interface=ether1 list=WAN
add  interface=vlan5-home  list=LAN
add  interface=vlan10-iot list=LAN
add  interface=vlan20-guest  list=LAN
add  interface=vlan30-admin list=LAN
add interface=vlan30-admin list=TRUSTED
/ip address
add address=192.168.0.1/24 comment=defconf interface=vlan5-home  network=192.168.0.0
add address=192.168.10.1/24 interface=vlan10-iot network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20-guest network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30-admin network=192.168.30.0
/ip dhcp-server lease
add address=192.168.30.2 client-id=1:0:11:32:e4:d7:b6 mac-address=00:11:32:E4:D7:B6 server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 domain=local gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=192.168.10.1 domain=local gateway=192.168.10.1 ntp-server=\
    195.113.144.201
add address=192.168.20.0/24 dns-server=1.1.1.1 gateway=192.168.20.1 ntp-server=195.113.144.201
add address=192.168.30.0/24 dns-server=192.168.30.1 domain=local gateway=192.168.30.1 ntp-server=\
    195.113.144.201
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
add address=192.168.30.2 name=greatlibrary.lan
/ip firewall address-list
add address=192.168.0.0/24 comment="for connecting base network and admin vlan" list=LAN
add address=192.168.30.0/24 comment="for connecting base network and admin vlan" list=LAN
/ip firewall filter
add action=accept chain=forward comment="allow connection between 192.168.0.* and 192.168.30.*" \
    dst-address-list=LAN src-address-list=LAN