Thank you for posting! I will read these articles tonight. Meanwhile, this is the setup I'm looking for: I want these VLANs to pass through ether1 of the router to reach the PPPoE internet service provider. Note that the ISP does not deal with my VLANs nor does it provide any VLAN to me, so the VLAN setup is just to isolate the internal networks and to give each one of them a separate network.
If there are no firewall rules blocking comms between these VLANs and the WAN port, it should work by default, i.e. the Mikrotik router will create a "Direct Attached Connected" route for each VLAN, then you will have a default gateway route via the WAN interface, either created dynamically or statically, depending on your setup, and the various VLANs will route via this interface to the internet.
Sorry for the delay in response!! I was quite busy and did not have enough time to reply, so I really apologize.
So the setup has some updates now. It appears that my ISP is providing me with service through a VLAN (959); I was not aware of it until I called the support center.
I added the VLAN 959 on the WAN port and gave it an IP address on the MT router, but I cannot ping the ISP. They use Cisco switches, so I thought it might be an incompatibility issue? Therefore, just as a matter of testing, I used a Cisco 2950 switch and added the VLAN (959) and I could ping easily!!
So what's wrong here? Can someone explain this to me please?
Have you modified the configuration from your first post based on the reading recommended by @CZfan? Because there was a systematic mistake in it and it is not clear from what you’ve posted later whether you have corrected that mistake or not.
Can you please tell me what kind of mistake I made?
I have the same setup right now; the only new thing is that my port on the ISP side is VLAN 959.
When I add VLAN 959 on the WAN port I couldn't ping the ISP gateway, but when I added the same VLAN on the Cisco switch I had ping just fine.
@CZFan has already told you that the vlan-id parameter is not visible in your configuration export, but you haven't provided any standpoint on that.
So each /interface vlan configuration must contain the interface parameter specifying the underlying interface (which is ether9 for all of them in your case) but also a vlan-id which is missing in your configuration export. That would suggest that all of them have the default vlan-id=1 but that is not possible.
Other than that the LAN-facing configuration looks fine except if the client devices should use dynamic IP configuration, as you haven’t posted any /ip dhcp-server related configuration. If the DHCP servers for the subnets inside those VLANs are running somewhere else, they must provide Mikrotik’s IP addresses in these subnets as gateways if the Mikrotik should be their gateway to the internet.
Next, regarding the WAN side, you say that you have attached an IP address to an /interface vlan with vlan-id=959 attached to the WAN interface (ether1). However, the picture suggests that the ISP runs a PPPoE service. If so, you have to attach an /interface pppoe-client to that /interface vlan instead of attaching an IP address configuration to it.
Last but not least, before ever connecting the Mikrotik to the internet, you should set up firewall rules (or use the default ones and modify the /interface list member of list=WAN accordingly).
As always I recommend to follow the hint in my automatic signature. Maybe you should also post the part of Cisco configuration related to vlan 959.
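The points raised in this reply (every /interface vlan needs a vlan-id, the ISP-facing VLAN should carry an /interface pppoe-client rather than a plain IP address, VLAN interfaces should not be added as /interface bridge port members, and a srcnat masquerade rule is required) can be checked mechanically against an /export. The following Python linter is an added example, not code from the thread or from MikroTik; the sample exports inside it are constructed, and the interface names (vlan10, vlan20, vlan959, pppoe-out1, bridge1) and the user name are assumptions. The ISP VLAN id 959 and the trunk port ether9 come from the thread.

```python
"""Lint a RouterOS /export for the mistakes discussed in this thread.

Added example (not from the thread or MikroTik). Sample exports are constructed.
"""
import shlex

# Constructed "before" export, reproducing the problems discussed in the thread.
BROKEN_EXPORT = """
/interface vlan
add name=vlan10 interface=ether9
add name=vlan20 interface=ether9
add name=vlan959 interface=ether1 vlan-id=959
/interface bridge port
add bridge=bridge1 interface=vlan10
add bridge=bridge1 interface=vlan20
/ip address
add address=10.10.10.1/24 interface=vlan10
add address=10.10.20.1/24 interface=vlan20
add address=192.168.100.2/24 interface=vlan959
"""

# Constructed "after" export: vlan-id present, PPPoE client on the ISP VLAN,
# no bridged VLAN interfaces, masquerade towards the WAN interface list.
FIXED_EXPORT = """
/interface vlan
add name=vlan10 interface=ether9 vlan-id=10
add name=vlan20 interface=ether9 vlan-id=20
add name=vlan959 interface=ether1 vlan-id=959
/interface pppoe-client
add name=pppoe-out1 interface=vlan959 user=isp-user add-default-route=yes disabled=no
/ip address
add address=10.10.10.1/24 interface=vlan10
add address=10.10.20.1/24 interface=vlan20
/interface list member
add list=WAN interface=pppoe-out1
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade comment="defconf: masquerade"
"""


def parse_params(s):
    """Turn 'key=value key2="quoted value"' into a dict (shlex handles quotes)."""
    params = {}
    for tok in shlex.split(s):
        key, _, value = tok.partition("=")
        params[key] = value
    return params


def parse_export(text):
    """Return a list of (section, params) for every 'add' line.

    Handles both layouts RouterOS prints: a '/section' line followed by
    'add ...' lines, and a one-line '/section add ...'.
    """
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            head, _, rest = line.partition(" add ")
            section = head.strip()
            if rest:
                entries.append((section, parse_params(rest)))
        elif line.startswith("add "):
            entries.append((section, parse_params(line[4:])))
    return entries


def lint_export(text, wan_vlan_id=959):
    """Return a list of (code, detail) findings; an empty list means no issue found."""
    entries = parse_export(text)
    by = lambda sec: [p for s, p in entries if s == sec]
    findings = []

    vlans = by("/interface vlan")
    vlan_names = {v.get("name") for v in vlans}

    # 1. Every VLAN interface must carry an explicit vlan-id.
    for v in vlans:
        if "vlan-id" not in v:
            findings.append(("vlan-no-id", v.get("name")))

    # 2. VLAN interfaces should not be bridge ports; the tagged end on ether9 is enough.
    for bp in by("/interface bridge port"):
        if bp.get("interface") in vlan_names:
            findings.append(("vlan-bridged", bp.get("interface")))

    # 3. On the ISP VLAN, an IP address without a PPPoE client means the wrong encapsulation.
    pppoe_ifaces = {p.get("interface") for p in by("/interface pppoe-client")}
    addressed = {a.get("interface") for a in by("/ip address")}
    for v in vlans:
        if v.get("vlan-id") == str(wan_vlan_id):
            if v["name"] in addressed and v["name"] not in pppoe_ifaces:
                findings.append(("wan-vlan-no-pppoe", v["name"]))

    # 4. Without src-nat/masquerade, replies from the internet never reach the private subnets.
    has_srcnat = any(
        r.get("chain") == "srcnat" and r.get("action") in ("masquerade", "src-nat")
        for r in by("/ip firewall nat")
    )
    if not has_srcnat:
        findings.append(("no-srcnat", "no srcnat masquerade/src-nat rule"))

    return findings


if __name__ == "__main__":
    for code, detail in lint_export(BROKEN_EXPORT):
        print(f"{code}: {detail}")
    print("fixed export findings:", lint_export(FIXED_EXPORT))
```

Run it as a script, or call lint_export() on the text of a real /export. The checker only recognises the four mistakes from this thread; a clean result is not a statement that the rest of the configuration is sound.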
Thank you Sindy & CZFan for your insights.
Regarding the IP addresses I'm using, none of them is public, not even the one of my ISP.
So, this is the /export:
I used the bridge in order to let the PPPoE connections work as you have described to me earlier in my last post (Connecting multiple networks) that they work on layer 2 connections.
So, is this how it should be done?
In the Mikrotik configuration, by bridging together the tagless ends of all /interface vlan you haven’t helped anything, so remove the records from /interface bridge port. The tagged ends of all /interface vlan (except 959) are at ether9 and that’s enough, it matches the trunk configuration at Cisco side.
Unless you have some very restrictive firewall rules (you again haven't posted the complete configuration, just a part of it), routing between the subnets in the VLANs and the internet should work. You need an action=masquerade or action=src-nat rule in /ip firewall nat so that devices in the VLAN subnets could talk to the internet bidirectionally, as the ISP doesn't have routes back to you for those private subnets.
In the configuration of the Cisco there is nothing at all regarding vlan 959 so I don’t get how it is possible that connecting this Cisco to the ISP’s uplink can make the devices access internet.
means that there is no src-nat or masquerade rule allowing the devices in the local subnets to receive responses from devices in the internet
Imagine how the packets flow. Your device sends a request from, say, 10.10.10.5 to, say, Google DNS at 8.8.8.8. Unless something on the way replaces the 10.10.10.5 by some public IP address, the Google DNS sends the response to 10.10.10.5, but in its local context 10.10.10.5 identifies some device in Google’s enterprise network. To avoid this, your router must replace the 10.10.10.5 by its own WAN address (assuming for simplicity sake that it is a public one) and remember that substitution in a context called “connection”, so that when the response arrives, it could make a symmetric change and forward the received packet from 8.8.8.8 to 10.10.10.5. The fact that your router’s WAN address is also a private one doesn’t change anything on this principle, except that your WAN address is unique in the network of your ISP, and the ISP’s edge router connecting the ISP to the internet does exactly the same NAT operation itself, translating your (private) WAN address to its own (public) WAN address. So you end up with multiple NATs between the client in your private network and the server in the internet.
So I would recommend you to set up the firewall rules copied from the default configuration and slightly modified to reflect your situation:
# interface= takes the name of the VLAN interface (from /interface vlan), not the IP address configured on it
/interface list member add list=LAN interface=<name of the /interface vlan carrying 10.10.10.0/24>
...make all the LAN interfaces members of interface list LAN here...
/interface list member add list=LAN interface=<name of the /interface vlan carrying 10.10.90.0/24>
/interface list member add list=WAN interface=pppoe-out1
/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
/ip firewall {
filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
}
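The packet flow described above (the router replaces 10.10.10.5 with its WAN address, remembers the substitution as a connection, reverses it on the reply, and the ISP's edge router does the same again) can be modelled in a few lines. The following Python model is an added example, not code from the thread or from RouterOS; the addresses 192.168.100.2 (router WAN, private) and 203.0.113.10 (ISP edge, public documentation range) and the ports are constructed. It also shows why, without a connection entry, an unsolicited packet arriving from the WAN has nowhere to go and is dropped, which is what the last forward rule above enforces.

```python
"""Model of action=masquerade with connection tracking, chained twice (double NAT).

Added example, not RouterOS code. All addresses and ports are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Masquerade:
    """A router that rewrites the source of outbound packets to its own WAN address
    and keeps a connection table so replies can be rewritten back."""

    def __init__(self, wan_ip, first_port=1024):
        self.wan_ip = wan_ip
        self.next_port = first_port
        # (proto, orig src, orig sport, dst, dport) -> port used on the WAN side
        self.out_table = {}
        # (proto, remote ip, remote port, WAN-side port) -> (orig src, orig sport)
        self.in_table = {}

    def _alloc_port(self):
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, pkt):
        """LAN -> WAN: replace the private source with the WAN address and record the connection."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        nat_port = self.out_table.get(key)
        if nat_port is None:
            nat_port = self._alloc_port()
            self.out_table[key] = nat_port
            self.in_table[(pkt.proto, pkt.dst, pkt.dport, nat_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.wan_ip, sport=nat_port)

    def inbound(self, pkt):
        """WAN -> LAN: undo the substitution for a known connection; drop anything else."""
        if pkt.dst != self.wan_ip:
            return None
        entry = self.in_table.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if entry is None:
            return None  # no connection: nothing to translate back to, packet dropped
        orig_src, orig_sport = entry
        return replace(pkt, dst=orig_src, dport=orig_sport)


def simulate_round_trip():
    """DNS query from 10.10.10.5 to 8.8.8.8 through two masquerading routers and back.

    Returns (packet as seen on the internet, reply as delivered to the LAN client)."""
    mikrotik = Masquerade("192.168.100.2")  # router's private WAN address (constructed)
    isp_edge = Masquerade("203.0.113.10")   # ISP edge's public address (constructed)

    request = Packet("udp", "10.10.10.5", 40000, "8.8.8.8", 53)
    on_isp_network = mikrotik.outbound(request)      # src 192.168.100.2
    on_internet = isp_edge.outbound(on_isp_network)  # src 203.0.113.10

    # Google answers to whatever source it saw: the ISP's public address.
    reply = Packet("udp", "8.8.8.8", 53, on_internet.src, on_internet.sport)
    back_at_isp = isp_edge.inbound(reply)       # dst becomes 192.168.100.2
    back_on_lan = mikrotik.inbound(back_at_isp)  # dst becomes 10.10.10.5:40000
    return on_internet, back_on_lan


if __name__ == "__main__":
    seen_on_internet, delivered = simulate_round_trip()
    print("on the internet:", seen_on_internet)
    print("delivered to client:", delivered)
    stray = Masquerade("192.168.100.2").inbound(
        Packet("tcp", "198.51.100.9", 4444, "192.168.100.2", 22))
    print("unsolicited packet from WAN:", stray)  # None: no connection, dropped
```

Without the masquerade step the request would leave with source 10.10.10.5, and the reply would be addressed to 10.10.10.5 in Google's network, exactly the situation the reply above describes.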
Wow!! That's a lot of new things to learn!!
You are so helpful, man!! I will read about each one of those; I like to understand things first before implementing them.