Devices in same VLAN not reachable

Hi,

I wanted to try configuring VLANs on my router and am trying a basic setup to understand how this really works, but I hit a wall. I am using the setup provided below, and it works in that all devices receive the correct IP, but devices on my server switch (ether3) are unreachable from my PC and I can't ping them even directly from the router. My PC (ether2), for example, is OK. What am I missing?

# RouterOS export posted with the question: one VLAN-filtering bridge, three
# VLAN interfaces (10/20/30) each with an address and a DHCP server, and
# masquerade NAT out of ether1-internet.
/disk
set usb1 media-interface=none media-sharing=no
# vlan-filtering=yes makes the bridge enforce the pvid values and the
# tagged/untagged membership defined under "/interface bridge port" and
# "/interface bridge vlan" below.
/interface bridge
add name=bridge1-local vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-internet
set [ find default-name=ether2 ] name=ether2-pc
set [ find default-name=ether3 ] name=ether3-server_switch
set [ find default-name=ether4 ] name=ether4-tv_box
set [ find default-name=ether5 ] name=ether5-cap
/interface veth
add address=“” gateway=“” gateway6=“” name=veth1-adguard
# Layer-3 interfaces for each VLAN, all carried on the bridge itself.
/interface vlan
add interface=bridge1-local name=vlan10-management vlan-id=10
add interface=bridge1-local name=vlan20-trusted vlan-id=20
add interface=bridge1-local name=vlan30-iot vlan-id=30
# WAN is created here but is never given a member anywhere in this export.
/interface list
add name=LAN
add name=WAN
# NOTE(review): 42.42.0.0/16 is not RFC 1918 private address space. Internet
# hosts that really use these addresses become unreachable from this LAN;
# consider a private range instead.
/ip pool
add comment=vlan10 name=pool1 ranges=42.42.10.40-42.42.10.254
add comment=vlan20 name=pool2 ranges=42.42.20.50-42.42.20.254
add comment=vlan30 name=pool3 ranges=42.42.30.20-42.42.30.254
/ip dhcp-server
add address-pool=pool1 interface=vlan10-management lease-time=1d name=dhcp1-vlan10
add address-pool=pool2 interface=vlan20-trusted lease-time=1d name=dhcp2-vlan20
add address-pool=pool3 interface=vlan30-iot lease-time=12h name=dhcp3-vlan30
# pvid is the VLAN assigned to untagged frames arriving on a port.
# No frame-types value is set, so every port keeps the default and accepts
# both tagged and untagged frames. veth1-adguard has no pvid and therefore
# stays on the default pvid of 1.
/interface bridge port
add bridge=bridge1-local interface=ether3-server_switch pvid=20
add bridge=bridge1-local interface=ether4-tv_box pvid=20
add bridge=bridge1-local interface=ether5-cap pvid=10
add bridge=bridge1-local interface=ether2-pc pvid=20
add bridge=bridge1-local interface=veth1-adguard
# ether3-server_switch is in the tagged list of VLAN 20 while its pvid above
# is 20: untagged frames from the switch are placed in VLAN 20 on ingress,
# but VLAN 20 frames leave this port with a tag. The reply below identifies
# this mismatch as the cause of the unreachable devices.
# There is no vlan-ids=30 entry here although vlan30-iot is defined above.
/interface bridge vlan
add bridge=bridge1-local tagged=bridge1-local untagged=ether5-cap vlan-ids=10
add bridge=bridge1-local tagged=bridge1-local,ether3-server_switch untagged=ether2-pc,ether4-tv_box vlan-ids=20
# ether1-internet (the DHCP-client uplink) is listed as LAN and WAN has no
# member. Nothing in this export references either list yet, but any rule
# added later that trusts LAN would also trust the internet side.
/interface list member
add interface=ether2-pc list=LAN
add interface=ether4-tv_box list=LAN
add interface=ether3-server_switch list=LAN
add interface=ether5-cap list=LAN
add interface=ether1-internet list=LAN
add interface=veth1-adguard list=LAN
add interface=vlan10-management list=LAN
add interface=vlan20-trusted list=LAN
add interface=vlan30-iot list=LAN
# Gateway address of each VLAN, held by the router.
/ip address
add address=42.42.10.1/24 interface=vlan10-management network=42.42.10.0
add address=42.42.20.1/24 interface=vlan20-trusted network=42.42.20.0
add address=42.42.30.1/24 interface=vlan30-iot network=42.42.30.0
/ip dhcp-client
add interface=ether1-internet
# Static leases.
# NOTE(review): two client-id values below contain stray "> " sequences that
# look like paste or extraction damage - verify against the router before
# importing this export.
/ip dhcp-server lease
add address=42.42.20.5 client-id=1:14:2b:2f:db:9d:a7 mac-address=14:2B:2F:DB:9D:A7 server=dhcp2-vlan20
add address=42.42.20.3 client-id=ff:b6:22:f:eb:0:2:0:0> :ab:> 11:d9:c3:4e:37:fc:76> :de:> e5 mac-address=40:16:7E:18:6C:31 server=dhcp2-vlan20
add address=42.42.10.3 client-id=1:d4:1:c3:67:b8:cc mac-address=D4:01:C3:67:B8:CC server=dhcp1-vlan10
add address=42.42.20.2 client-id=ff:f8:ce:1b:a1:0:2:0:0> :ab:> 11:69:d3:dd:85:4d:e8:9c:54 mac-address=2C:CF:67:8A:74:75 server=dhcp2-vlan20
add address=42.42.20.4 client-id=1:b8:6b:23:34:50:d mac-address=B8:6B:23:34:50:0D server=dhcp2-vlan20
# Each VLAN's clients are handed the router itself as gateway and DNS server.
/ip dhcp-server network
add address=42.42.10.0/24 dns-server=42.42.10.1 gateway=42.42.10.1
add address=42.42.20.0/24 dns-server=42.42.20.1 gateway=42.42.20.1
add address=42.42.30.0/24 dns-server=42.42.30.1 gateway=42.42.30.1
# allow-remote-requests=yes makes the router answer DNS queries from other
# hosts. The filter section below has no input-chain rule, so nothing in this
# export limits that to the VLAN interfaces: queries arriving on
# ether1-internet are answered as well.
/ip dns
set allow-remote-requests=yes
# Only accept rules, forward chain only, each matching (and logging) traffic
# that enters and leaves through the same VLAN interface. There is no drop
# rule and no input-chain rule, so this export does not filter traffic between
# VLANs, traffic arriving on ether1-internet, or traffic to the router itself.
# The reply below recommends starting from the MikroTik defconf firewall rules.
/ip firewall filter
add action=accept chain=forward in-interface=vlan10-management log=yes log-prefix=vlan10 out-interface=vlan10-management
add action=accept chain=forward in-interface=vlan20-trusted log=yes log-prefix=vlan20 out-interface=vlan20-trusted
add action=accept chain=forward in-interface=vlan30-iot log=yes log-prefix=vlan30 out-interface=vlan30-iot
# Source-NAT everything that leaves through the uplink.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-internet

  • If you want ether3-server_switch to be a trunk port of VLAN 20, then the PVID set on that port is wrong; you should change it back to 1 and set Frame Types to admit-only-vlan-tagged.
  • But if you want ether3-server_switch to be a normal access port of VLAN 20, then keep PVID as 20, but set Frame Types to admit-only-untagged-and-priority-tagged, AND under /interface bridge vlan you need to move ether3-server_switch to the untagged list instead of the tagged list of VLAN 20.

Furthermore:

  • For ether2-pc, ether4-tv_box and ether5-cap, set Frame Types to admit-only-untagged-and-priority-tagged.
  • These entries are unneeded and should be removed:


# Interface-list entries the reply marks as unneeded: the physical bridge
# ports and the veth.
# NOTE(review): presumably because routed traffic is seen on the vlanNN
# interfaces rather than on the bridge member ports - confirm.
/interface list member
add interface=ether2-pc list=LAN
add interface=ether4-tv_box list=LAN
add interface=ether3-server_switch list=LAN
add interface=ether5-cap list=LAN
add interface=veth1-adguard list=LAN
  • This entry is wrong; it should be moved to the interface list WAN instead:


# Entry the reply marks as wrong: the internet uplink is listed as LAN, so
# any rule that trusts the LAN list would also trust the internet side.
/interface list member
add interface=ether1-internet list=LAN
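  • Your firewall config is extremely insecure. As posted, the filter table contains only accept rules in the forward chain, so nothing is dropped and the router's own services (including the DNS resolver enabled by allow-remote-requests=yes) are reachable from ether1-internet. For now, you should implement the FW rules from the MikroTik defconf configuration.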

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Thank you, that works now. Tagged and untagged is still a small mystery to me. I know my config is insecure, but I am also insecure about my config and didn't want it to have another layer of complication. LAN/WAN edited; putting the internet interface in the LAN list was just a typo. Now the wired part works as expected. Thanks a lot.