Hello everyone,
I’m trying to configure a MikroTik router with the following setup:
WAN: 82.220.56.33/29 on ether1
LAN1: 192.168.88.1/22 with DHCP range 192.168.89.1-192.168.91.254 on a bridge (ether2-ether10), untagged
LAN2: Transparent to a firewall with IP 82.220.56.33/29 in VLAN 100, tagged on all ports or just on the bridge (whichever is easier)
LAN3: Transparent to a firewall with IP 82.220.56.34/29 in VLAN 100, tagged on all ports or just on the bridge (whichever is easier)
LAN1 should have internet access, while LAN2 and LAN3 should remain transparent
LAN1 should have MikroTik’s standard firewall protection rules
Current Test Results:
LAN1:
Ping from a client to 192.168.88.1 → OK
Ping from a client to 82.220.56.33 → OK
Ping from a client to 82.220.56.32 → NOT OK
Ping from the router terminal (/tool ping 82.220.56.32) → OK
LAN2:
Ping from a client with IP 82.220.56.34 to 82.220.56.32 → NOT OK
LAN3:
Ping from a client with IP 82.220.56.35 to 82.220.56.32 → NOT OK
Below is my current configuration (see attached). Could someone help me identify what’s wrong? I suspect VLAN or bridging issues, but I’m not sure. Any advice is appreciated!
Thanks in advance!
```
# 1) WAN configuration
/interface ethernet
set [find default-name=ether1] name=wan
/ip address
add address=82.220.56.33/29 interface=wan network=82.220.56.32
/ip route
add gateway=82.220.56.32 routing-table=main

# 2) LAN1 configuration with bridge and DHCP
/interface bridge
add name=bridge-lan1
/interface bridge port
add bridge=bridge-lan1 interface=ether2
add bridge=bridge-lan1 interface=ether3
add bridge=bridge-lan1 interface=ether4
add bridge=bridge-lan1 interface=ether5
add bridge=bridge-lan1 interface=ether6
add bridge=bridge-lan1 interface=ether7
add bridge=bridge-lan1 interface=ether8
add bridge=bridge-lan1 interface=ether9
add bridge=bridge-lan1 interface=ether10
/ip address
add address=192.168.88.1/22 interface=bridge-lan1 network=192.168.88.0
/ip pool
add name=dhcp_pool1 ranges=192.168.89.1-192.168.91.254
/ip dhcp-server
add name=dhcp1 interface=bridge-lan1 address-pool=dhcp_pool1 lease-time=10m
/ip dhcp-server network
add address=192.168.88.0/22 gateway=192.168.88.1 dns-server=8.8.8.8,8.8.4.4

# 3) VLAN 100 for LAN2 (transparent, IP 82.220.56.34)
/interface vlan
add name=vlan100 vlan-id=100 interface=wan

# 4) VLAN 200 for LAN3 (transparent, IP 82.220.56.35)
/interface vlan
add name=vlan200 vlan-id=200 interface=wan

# Enable Proxy-ARP on WAN interface
/interface ethernet
set [find name=wan] arp=proxy-arp

# 5) NAT for LAN1 internet access
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/22 out-interface=wan action=masquerade

# 6) Firewall rules adjusted
/ip firewall filter
# Allow incoming connections
add chain=input connection-state=established,related action=accept
add chain=input in-interface=wan protocol=icmp action=accept
# Forward rules for LAN1
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=bridge-lan1 out-interface=wan action=accept
# Allow communication for VLAN 100 (LAN2)
add chain=forward in-interface=vlan100 out-interface=wan action=accept
add chain=forward in-interface=wan out-interface=vlan100 action=accept
# Allow communication for VLAN 200 (LAN3)
add chain=forward in-interface=vlan200 out-interface=wan action=accept
add chain=forward in-interface=wan out-interface=vlan200 action=accept
# Drop rules
add chain=input in-interface=wan action=drop
add chain=forward in-interface=wan dst-address=192.168.88.0/22 action=drop

# DNS setup
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
```
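
An added example, not part of the original post: a Python check that reads the `/ip address`, `/ip route`, `/ip pool` and `/ip dhcp-server network` lines from the configuration above and flags gateways and pools that do not fit the connected subnets. The names `parse` and `audit` are hypothetical, and the parser assumes plain `key=value` tokens without quoted spaces.

```python
import ipaddress

# Lines copied from the configuration in the post (only the menus the checks read).
CONFIG = """\
/ip address
add address=82.220.56.33/29 interface=wan network=82.220.56.32
add address=192.168.88.1/22 interface=bridge-lan1 network=192.168.88.0
/ip route
add gateway=82.220.56.32 routing-table=main
/ip pool
add name=dhcp_pool1 ranges=192.168.89.1-192.168.91.254
/ip dhcp-server network
add address=192.168.88.0/22 gateway=192.168.88.1 dns-server=8.8.8.8,8.8.4.4
"""

def parse(text):
    """Return {menu path: [key=value dict per 'add' line]}; no quoted values."""
    menus, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            pairs = (tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
            menus.setdefault(menu, []).append(dict(pairs))
    return menus

def audit(text):
    """Return addressing findings: odd gateways and misplaced DHCP pools."""
    cfg, findings = parse(text), []
    ifaces = [ipaddress.ip_interface(a["address"]) for a in cfg.get("/ip address", [])]
    for route in cfg.get("/ip route", []):
        gw = ipaddress.ip_address(route["gateway"])
        home = [i.network for i in ifaces if gw in i.network]
        if not home:
            findings.append(f"gateway {gw} is not on any connected subnet")
        for net in home:
            if gw in (net.network_address, net.broadcast_address):
                findings.append(f"gateway {gw} is the network or broadcast address of {net}")
    nets = [ipaddress.ip_network(d["address"]) for d in cfg.get("/ip dhcp-server network", [])]
    for pool in cfg.get("/ip pool", []):  # assumes a single lo-hi range per pool
        lo, hi = map(ipaddress.ip_address, pool["ranges"].split("-"))
        if not any(lo in n and hi in n for n in nets):
            findings.append(f"pool {pool['name']} is outside every DHCP network")
        if any(lo <= i.ip <= hi for i in ifaces):
            findings.append(f"pool {pool['name']} contains a router address")
    return findings
```

Calling `audit(CONFIG)` returns a list of finding strings; an empty list means none of these addressing checks fired.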