Communication between two or more different VLANs

As in the screenshot,

*Bridge1 (eth2,3,4,5-192.168.1.1/24)
-VLAN1 (192.168.10.1/24) I use this to redirect traffic through VPN-1
-VLAN2 (192.168.20.1/24) I use this to redirect traffic through VPN-2
-VLAN3 (192.168.30.1/24) I use this to redirect traffic through VPN-3
-VLAN4 (192.168.40.1/24) I use this to redirect traffic through VPN-4
*Bridge2 (eth6,7,8,9,10-192.168.68.1/24)
VLAN6 (192.168.198.1/24) Testing


So, I have a few devices like smart TVs connected in the VLANs, and I have NAS devices connected in bridge1. Can I establish communication between two or more VLANs so that I can use the NAS devices with my TVs and manage my TVs while I’m on any network?
Screenshot 2022-06-01 215326.png

Sure you can.
Use proper firewall rules to allow forward traffic from one to the other.

  1. Are your VLANs isolated from each other?
  2. Can you share the firewall rule that you are using to do this?

If your firewall rule to isolate VLANS looks something like this,

# Forward-chain rule meant to drop new connections that enter from any
# interface in the "VLANs" interface list, except connections that were
# destination-NATed (connection-nat-state=!dstnat).
# NOTE(review): as pasted the rule carries disabled=yes, so it filters nothing
# until it is enabled. It matches on the ingress list only (no out-interface),
# so any traffic the VLAN hosts are supposed to send must be accepted by rules
# placed above it. It also needs an interface list named "VLANs" that contains
# the VLAN interfaces.
add action=drop chain=forward comment="Isolate VLANs from each other." \
    connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface-list=VLANs

Then you can put something like this above that filter rule,

/ip firewall filter
# Accepts new forwarded connections that enter on vlan1_10, leave on vlan4_40
# and whose source address is in the vlan10to40_access address list.
# NOTE(review): the comment= text says "VLAN50" while the rule and the list
# name refer to vlan4_40; one of the two is presumably a typo.
# Only connection-state=new is matched, so reply packets depend on a separate
# established/related accept rule (not shown here) - confirm one exists.
add action=accept chain=forward comment="Allow certain computers in VLAN10 access to VLAN50" connection-state=new in-interface=vlan1_10 out-interface=vlan4_40 src-address-list=vlan10to40_access

Notice that the rule references a firewall address list (src-address-list) holding the IPs that are allowed to communicate between the VLANs. Assuming those hosts have static IPs, this is how you add one to the list on your router.

/ip firewall address-list
# Adds one host to vlan10to40_access, the list the accept rule matches with
# src-address-list. The entry matches by IP address only, so the host needs a
# fixed address (static, or a reserved DHCP lease) for the rule to keep
# applying to the intended machine.
add address=192.168.10.100 comment="Office Desktop" list=vlan10to40_access



As of now I have no firewall rules for the VLANs; I only have firewall rules that redirect traffic through the VPNs.

Below is my current firewall nat rules


0 D ;;; ipsec mode-config
chain=srcnat action=src-nat to-addresses=192.168.90.200
src-address-list=ipsec_local dst-address-list=!ipsec_local
connection-mark=ipsec_fortigate

1 chain=srcnat action=masquerade out-interface=bridge3_WAN log=no
log-prefix=“”

2 chain=srcnat action=masquerade out-interface=l2tp_ExpressVPN log=no
log-prefix=“”

3 chain=srcnat action=masquerade out-interface=l2tp_SAL_Germany log=no
log-prefix=“”

4 chain=srcnat action=masquerade out-interface=l2tp_VPNPTP log=no
log-prefix=“”

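You need regular firewall rules, i.e. /ip firewall filter rules in the input and forward chains. The NAT rules above only rewrite addresses; they do not restrict what the router accepts or forwards.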

Please export config from terminal;
/export file=anynameyouwish
Review the file for sensitive info (serial number, IPsec and PPP credentials, Wi-Fi passphrase) and remove it, then post the contents between [__code] quotes.

jun/03/2022 10:09:54 by RouterOS 6.49.5

software id = WCSY-YUBL

model = 2011UAS-2HnD

# Layer-2 layout: five bridges, the renamed Ethernet ports, and the VLAN
# interfaces that sit on top of bridge1_LAN1 and bridge2_LAN2.
# NOTE(review): none of the bridges is created with vlan-filtering=yes.
/interface bridge
add name=bridge1_LAN1
add name=bridge2_LAN2
add name=bridge3_WAN
add name=bridge4_PPPoE
add name=bridge5
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=india frequency=auto
mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN1
set [ find default-name=ether3 ] name=ether3_LAN1
set [ find default-name=ether4 ] name=ether4_LAN1
set [ find default-name=ether5 ] name=ether5_LAN1
set [ find default-name=ether6 ] name=ether6_LAN2
set [ find default-name=ether7 ] name="ether7_LAN2 (910)"
set [ find default-name=ether8 ] name="ether8_LAN2 (Rohan)"
set [ find default-name=ether9 ] name="ether9_LAN2 (509)"
set [ find default-name=ether10 ] name="ether10_LAN2 (209)"
set [ find default-name=sfp1 ] advertise="10M-half,10M-full,100M-half,100M-ful
l,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" disabled=yes

# VLAN IDs 10, 20, 30 and 40 are tagged on bridge1_LAN1; VLAN ID 60 is tagged
# on bridge2_LAN2.
/interface vlan
add interface=bridge1_LAN1 name=vlan1_10 vlan-id=10
add interface=bridge1_LAN1 name=vlan2_20 vlan-id=20
add interface=bridge1_LAN1 name=vlan3_30 vlan-id=30
add interface=bridge1_LAN1 name=vlan4_40 vlan-id=40
add interface=bridge2_LAN2 name=vlan6_60 vlan-id=60
# Only two interface lists exist (WAN and LAN). There is no list holding the
# VLAN interfaces, which a firewall rule matching in-interface-list=VLANs
# would need.
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4-ipv6
# The default wireless security profile allows both wpa-psk and wpa2-psk, so
# the older WPA mode stays available to clients. The rest of this statement is
# cut off in the post.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\

# IPsec settings for the peer named peer1_FG. The mode-config entry is an
# initiator-side one (responder=no) tied to connection mark ipsec_fortigate
# and the ipsec_local address list. The peer address is blank in the post.
/ip ipsec mode-config
add connection-mark=ipsec_fortigate name=cfg1_FG responder=no
src-address-list=ipsec_local use-responder-dns=no
/ip ipsec policy group
add name=group1_FG
# NOTE(review): dh-group=modp1024 is a 1024-bit Diffie-Hellman group, which is
# weak by current guidance; a larger group is preferable if the remote side
# supports it.
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 name=profile1_FG
/ip ipsec peer
add address= name=peer1_FG profile=profile1_FG
# NOTE(review): pfs-group=none turns off perfect forward secrecy for the
# phase-2 keys negotiated with this proposal.
/ip ipsec proposal
add enc-algorithms=aes-256-cbc name=proposal1_FG pfs-group=none
# One address pool per subnet, each covering .51-.254, followed by one DHCP
# server per bridge or VLAN interface that hands out addresses from that pool.
# NOTE(review): pool dhcp7_PPPoE uses 192.168.198.x, while bridge4_PPPoE (the
# interface its DHCP server is bound to) is addressed 192.168.168.1/24 in the
# /ip address section of this export - verify that this is intended.
/ip pool
add name=dhcp1_LAN1 ranges=192.168.1.51-192.168.1.254
add name=dhcp2_LAN2 ranges=192.168.68.51-192.168.68.254
add name=dhcp3_VLAN10 ranges=192.168.10.51-192.168.10.254
add name=dhcp4_VLAN20 ranges=192.168.20.51-192.168.20.254
add name=dhcp5_VLAN30 ranges=192.168.30.51-192.168.30.254
add name=dhcp6_VLAN40 ranges=192.168.40.51-192.168.40.254
add name=dhcp7_PPPoE ranges=192.168.198.51-192.168.198.254
add name=dhcp8 ranges=192.168.178.51-192.168.178.254
add name=dhcp9_VLAN60 ranges=192.168.60.51-192.168.60.254
/ip dhcp-server
add address-pool=dhcp1_LAN1 disabled=no interface=bridge1_LAN1 lease-time=10h
name=dhcp1_LAN1
add address-pool=dhcp2_LAN2 disabled=no interface=bridge2_LAN2 lease-time=10h
name=dhcp2_LAN2
add address-pool=dhcp3_VLAN10 disabled=no interface=vlan1_10 lease-time=10h
name=dhcp3_VLAN10
add address-pool=dhcp4_VLAN20 disabled=no interface=vlan2_20 lease-time=10h
name=dhcp4_VLAN20
add address-pool=dhcp5_VLAN30 disabled=no interface=vlan3_30 lease-time=10h
name=dhcp5_VLAN30
add address-pool=dhcp6_VLAN40 disabled=no interface=vlan4_40 lease-time=10h
name=dhcp6_VLAN40
add address-pool=dhcp7_PPPoE disabled=no interface=bridge4_PPPoE lease-time=
10h name=dhcp7_PPPoE
add address-pool=dhcp8 disabled=no interface=bridge5 lease-time=10h name=
dhcp8
add address-pool=dhcp9_VLAN60 disabled=no interface=vlan6_60 lease-time=10h
name=dhcp9_VLAN60
# PPP profile used by the PPPoE server: clients get an address from pool
# dhcp7_PPPoE, the router side is 192.168.168.1, rate limit 10m/75m.
/ppp profile
add dns-server=8.8.8.8,1.1.1.1 local-address=192.168.168.1 name=
profile1_PPPoE rate-limit=10m/75m remote-address=dhcp7_PPPoE
# Simple queues per bridge. queue1_LAN1 has no max-limit set, so despite its
# name it presumably does not limit bridge1_LAN1 - confirm.
/queue simple
add name="queue1_LAN1 Speed Limit" target=bridge1_LAN1
add max-limit=10M/75M name="queue2_LAN2 Speed Limit" target=bridge2_LAN2
add max-limit=128k/128k name=queue3 target=bridge5
/queue type
add kind=pcq name=PCQ_download pcq-classifier=dst-address pcq-rate=20M
add kind=pcq name=PCQ_upload pcq-classifier=src-address pcq-rate=10M
# Both queue-tree entries are disabled. They reference packet marks
# Guest_Download and Guest_Upload, which no mangle rule in this export sets.
/queue tree
add disabled=yes name=queue1 packet-mark=Guest_Download parent=global queue=
PCQ_download
add disabled=yes name=queue2 packet-mark=Guest_Upload parent=global queue=
PCQ_upload
/system logging action
set 1 disk-file-count=100 disk-lines-per-file=10000
# Port membership: ether2-5 in bridge1_LAN1, ether6-10 in bridge2_LAN2 and
# ether1_WAN in bridge3_WAN.
# NOTE(review): ingress-filtering=yes only takes effect when the bridge has
# vlan-filtering=yes, which none of the bridges in this export sets. Without
# it, tagged frames for any of the VLANs are presumably accepted on every port
# of the bridge, so the VLANs are not separated at layer 2 - confirm.
/interface bridge port
add bridge=bridge1_LAN1 ingress-filtering=yes interface=ether2_LAN1
add bridge=bridge1_LAN1 ingress-filtering=yes interface=ether3_LAN1
add bridge=bridge1_LAN1 ingress-filtering=yes interface=ether4_LAN1
add bridge=bridge1_LAN1 ingress-filtering=yes interface=ether5_LAN1
add bridge=bridge2_LAN2 ingress-filtering=yes interface=ether6_LAN2
add bridge=bridge2_LAN2 ingress-filtering=yes interface="ether7_LAN2 (910)"
add bridge=bridge2_LAN2 ingress-filtering=yes interface="ether8_LAN2 (Rohan)"
add bridge=bridge2_LAN2 ingress-filtering=yes interface="ether9_LAN2 (509)"
add bridge=bridge2_LAN2 ingress-filtering=yes interface="ether10_LAN2 (209)"
add bridge=bridge3_WAN ingress-filtering=yes interface=ether1_WAN
# NOTE(review): !dynamic enables neighbor discovery on every non-dynamic
# interface, which includes bridge3_WAN; restricting it to the LAN list would
# keep the router from announcing itself on the WAN side.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=4096
# NOTE(review): the L2TP server is enabled, no use-ipsec setting is shown, and
# this export has no /ip firewall filter section, so the service is presumably
# reachable from the WAN side - confirm whether it is needed at all.
/interface l2tp-server server
set enabled=yes
# The VLAN interfaces are not members of any interface list.
/interface list member
add interface=bridge3_WAN list=WAN
add interface=bridge1_LAN1 list=LAN
add interface=bridge2_LAN2 list=LAN
add interface=bridge4_PPPoE list=LAN
add interface=bridge5 list=LAN
# NOTE(review): md5 is still accepted as an OpenVPN auth digest; the server is
# not shown as enabled here, so this only matters if it gets switched on.
/interface ovpn-server server
set auth=sha1,md5
# PPPoE server on bridge4_PPPoE, MS-CHAPv2 authentication only.
/interface pppoe-server server
add authentication=mschap2 default-profile=profile1_PPPoE disabled=no
interface=bridge4_PPPoE one-session-per-host=yes service-name=
service1_PPPoE
# Router addresses: .1 in each /24 on the bridges and VLAN interfaces.
/ip address
add address=192.168.1.1/24 interface=bridge1_LAN1 network=192.168.1.0
add address=192.168.68.1/24 interface=bridge2_LAN2 network=192.168.68.0
add address=192.168.10.1/24 interface=vlan1_10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan2_20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan3_30 network=192.168.30.0
add address=192.168.40.1/24 interface=vlan4_40 network=192.168.40.0
add address=192.168.168.1/24 interface=bridge4_PPPoE network=192.168.168.0
add address=192.168.178.1/24 interface=bridge5 network=192.168.178.0
add address=192.168.60.1/24 interface=vlan6_60 network=192.168.60.0
# The WAN address is obtained by DHCP on bridge3_WAN.
/ip dhcp-client
add disabled=no interface=bridge3_WAN
# DHCP options per subnet: the router is handed out as gateway and as first
# DNS server, followed by 8.8.8.8 and 1.1.1.1.
# NOTE(review): the 192.168.198.0/24 entry names gateway 192.168.198.1, but no
# interface in /ip address carries that address - verify.
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1,8.8.8.8,1.1.1.1 gateway=
192.168.1.1
add address=192.168.10.0/24 dns-server=192.168.10.1,8.8.8.8,1.1.1.1 gateway=
192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1,8.8.8.8,1.1.1.1 gateway=
192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1,8.8.8.8,1.1.1.1 gateway=
192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1,8.8.8.8,1.1.1.1 gateway=
192.168.40.1
add address=192.168.60.0/24 dns-server=192.168.60.1,8.8.8.8,1.1.1.1 gateway=
192.168.60.1
add address=192.168.68.0/24 dns-server=192.168.68.1,8.8.8.8,1.1.1.1 gateway=
192.168.68.1
add address=192.168.178.0/24 dns-server=192.168.178.1,8.8.8.8,1.1.1.1
gateway=192.168.178.1
add address=192.168.198.0/24 dns-server=192.168.168.1,8.8.8.8,1.1.1.1
gateway=192.168.198.1
# Upstream resolvers for the router itself. allow-remote-requests is not set
# here, so the router presumably does not answer DNS queries from clients even
# though DHCP lists it first - confirm. If it is enabled later, port 53 on the
# WAN side needs an input-chain drop rule.
/ip dns
set servers=94.200.200.200,91.74.74.74
# Firewall section of the export: one address list, four mangle rules and four
# masquerade rules.
# NOTE(review): there is no /ip firewall filter section at all, so nothing in
# this export restricts traffic to the router (input chain) or through it
# (forward chain), including traffic arriving on bridge3_WAN.
/ip firewall address-list
add address=192.168.10.0/24 list=ipsec_local
# Policy routing: traffic sourced from VLAN20, VLAN30 and VLAN40 gets a routing
# mark that selects the matching VPN route; VLAN10 traffic not addressed to the
# router itself gets connection mark ipsec_fortigate.
# NOTE(review): the three mark-routing rules match on the source subnet only.
# Traffic from these VLANs towards other local subnets (for example a NAS in
# 192.168.1.0/24) is presumably marked as well and sent to the VPN gateway
# instead of being routed locally - confirm, and exclude local destinations if
# inter-VLAN access is wanted.
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=
"redirect VLAN20 to Exp VPN" passthrough=yes src-address=192.168.20.0/24
add action=mark-routing chain=prerouting new-routing-mark=
"redirect VLAN40 to SAL_Germany VPN" passthrough=yes src-address=
192.168.40.0/24
add action=mark-routing chain=prerouting new-routing-mark=
"redirect VLAN30 to VPNPTP-IND" passthrough=yes src-address=
192.168.30.0/24
add action=mark-connection chain=prerouting dst-address-type=!local
new-connection-mark=ipsec_fortigate passthrough=yes src-address=
192.168.10.0/24
# Source NAT for everything leaving through the WAN bridge or one of the three
# L2TP client interfaces. NAT rewrites addresses; it is not an access control.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge3_WAN
add action=masquerade chain=srcnat out-interface=l2tp_ExpressVPN
add action=masquerade chain=srcnat out-interface=l2tp_SAL_Germany
add action=masquerade chain=srcnat out-interface=l2tp_VPNPTP
# The identity section is empty in the post (presumably removed because it
# held credentials).
/ip ipsec identity

# Default policy template disabled; one tunnel-mode policy for peer1_FG with
# source 192.168.90.0/24 and destination 0.0.0.0/0.
/ip ipsec policy
set 0 disabled=yes
add dst-address=0.0.0.0/0 level=unique peer=peer1_FG proposal=proposal1_FG
src-address=192.168.90.0/24 tunnel=yes
# One route per routing mark, each pointing at its L2TP client interface. No
# dst-address is given, so each is presumably a default route for its mark.
/ip route
add distance=1 gateway=l2tp_ExpressVPN routing-mark=
"redirect VLAN20 to Exp VPN"
add distance=1 gateway=l2tp_SAL_Germany routing-mark=
"redirect VLAN40 to SAL_Germany VPN"
add distance=1 gateway=l2tp_VPNPTP routing-mark=
"redirect VLAN30 to VPNPTP-IND"
# Management services: telnet, ftp, www, ssh, api and api-ssl are disabled.
# NOTE(review): winbox is not listed, so it is presumably still at its default
# (enabled). With no input-chain filter rules in this export it would be
# reachable on every interface, WAN included - restrict it with a firewall
# rule or an allowed-address setting.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# NOTE(review): UPnP lets hosts on the internal interface request inbound port
# mappings on their own; consider disabling it unless something depends on it.
# The external interface is ether1_WAN, while the WAN address (DHCP client) and
# the masquerade rule are on bridge3_WAN - verify which one is intended.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether2_LAN1 type=internal
add interface=ether1_WAN type=external
# Front-panel LCD: backlight always on, touch screen disabled, statistics
# slideshow as the default screen.
/lcd
set backlight-timeout=never color-scheme=light default-screen=stat-slideshow
touch-screen=disabled
# Physical ports and wlan1 are hidden from the LCD; only the three main
# bridges are shown (bridge4_PPPoE and bridge5 are added but disabled).
/lcd interface
set sfp1 disabled=yes
set ether1_WAN disabled=yes
set ether2_LAN1 disabled=yes
set ether3_LAN1 disabled=yes
set ether4_LAN1 disabled=yes
set ether5_LAN1 disabled=yes
set ether6_LAN2 disabled=yes
set "ether7_LAN2 (910)" disabled=yes
set "ether8_LAN2 (Rohan)" disabled=yes
set "ether9_LAN2 (509)" disabled=yes
set "ether10_LAN2 (209)" disabled=yes
set wlan1 disabled=yes
add interface=bridge1_LAN1
add interface=bridge2_LAN2
add interface=bridge3_WAN
add disabled=yes interface=bridge4_PPPoE
add disabled=yes interface=bridge5
/lcd interface pages
set 0 interfaces=bridge1_LAN1,bridge2_LAN2,bridge3_WAN
# The PPP secret section is empty in the post (presumably removed because it
# held credentials).
/ppp secret

/system clock
set time-zone-name=Asia/Dubai
# Logging rules 0-3 are all switched to the disk action.
/system logging
set 0 action=disk
set 1 action=disk
set 2 action=disk
set 3 action=disk
/system routerboard reset-button
set enabled=yes hold-time=10s..0s
# Every 6 hours the scheduler drops all active IPsec peer connections.
/system scheduler
add interval=6h name=schedule1 on-event=
"/ip ipsec active-peers kill-connections" policy=write,test start-date=
may/30/2022 start-time=11:00:00
# script1 holds the same command as the scheduler entry.
# NOTE(review): dont-require-permissions=yes lets the script run without the
# caller holding the script's policies; the scheduler already runs the command
# directly, so this flag looks unnecessary - confirm and remove it if so.
/system script
add dont-require-permissions=yes name=script1 owner=admin policy=write,test
source="/ip ipsec active-peers kill-connections"
/tool graphing interface
add interface=bridge2_LAN2
add interface=bridge1_LAN1
/tool graphing queue
add simple-queue="queue2_LAN2 Speed Limit"
add simple-queue="queue1_LAN1 Speed Limit"
/tool graphing resource
add

This part was too complex, I think …

Serial number is visible. Remove from your post.
IPSEC credentials are visible. Remove from your post.
PPP credentials are visible. Remove from your post.
Wifi looks pretty default (for testing ?). Credentials are visible but I guess it’s temporary.
Please post contents between [__code] quotes, makes the post a lot shorter.
You have a lot of advanced stuff like mangle and routing tables etc etc yet NO DEFAULT firewall rules ?? Care to explain how that comes ?

And please also clarify WHAT exactly needs to have access to WHERE.
This is too vague:

So, I have few devices like smart TV’s connected in VLAN’s and I have NAS devices connected in bridge1, can I establish communications between two or more VLAN’s so that I can use NAS devices with my TV’s and manage my TV’s while I’m on any network..?

Smart devices: on WHICH VLAN ?
NAS devices: on WHICH VLAN ?
Anything should be able to access those ?