I have a network running based on RB450G that has the following structure:

I wanted LAN1 and VLAN100 clients to be in one “private” sub-net, and VLAN200 - in separate “public” sub-net, all clients on LAN2 without VLAN should also go to “private” sub-net.
So I’ve created a bridge with a DHCP server enabled (192.168.1.0/24) and added LAN1 and VLAN100 into it. It worked well.
For VLAN200 I’ve assigned a separate DHCP server (10.10.200.0/24). It also worked as expected.
But now I’m stuck at joining PC2 (which is on the same port with VLANs) into the “private” sub-net:
I’ve added a switch rule to direct all traffic on port LAN2 without a VLAN header present to port LAN1. At this point, PC2 is not getting assigned any IP address by the DHCP server; however, when I force PC2 to use a static IP, I’m able to ping it from “private” sub-net computers. Since there would be many clients without a VLAN tag (including PC2), using static IPs is not suitable here.
Moving Access Point to a separate port is not possible - there’s only one cable running to this area.
1. What am I doing wrong?
2. Is using a bridge the right choice in my scenario?
Here are configs:
ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
address=192.168.1.1/24 network=192.168.1.0 interface=LAN1
actual-interface=bridge1
1 address=10.10.200.1/24 network=10.10.200.0 interface=vlan200
actual-interface=vlan200
ip route print detail
0 ADC dst-address=10.10.200.0/24 pref-src=10.10.200.1 gateway=vlan200
gateway-status=vlan200 reachable distance=0 scope=10
1 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.1 gateway=bridge1,LAN2
gateway-status=bridge1 reachable,LAN2 reachable distance=0 scope=10
interface print detail
0 name="WAN1" type="ether" mtu=1500 l2mtu=1520 max-l2mtu=1520
1 R name="LAN1" type="ether" mtu=1500 l2mtu=1520 max-l2mtu=1520
2 R name="LAN2" type="ether" mtu=1500 l2mtu=1520 max-l2mtu=1520
3 name="ether4-slave-local" type="ether" mtu=1500 l2mtu=1520
max-l2mtu=1520
4 name="ether5-slave-local" type="ether" mtu=1500 l2mtu=1520
max-l2mtu=1520
5 name="pppoe-out1" type="pppoe-out"
6 R name="vlan100" type="vlan" mtu=1500 l2mtu=1516
7 R name="vlan200" type="vlan" mtu=1500 l2mtu=1516
8 R name="bridge1" type="bridge" mtu=1500 l2mtu=1516
ip firewall export
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established disabled=no
add action=accept chain=input comment="default configuration" \
connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no \
in-interface=WAN1
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
no out-interface=pppoe-out1
/ip firewall service-port
set ftp disabled=yes ports=21
set tftp disabled=yes ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
3. Is this configuration correct from the requirements (clients separation) standpoint as a whole?
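
Added example, not part of the original post: a small Python check that parses the `/ip firewall filter` export shown above and reports whether any unconditional forward-chain rule stops routed traffic from vlan200 (the "public" sub-net) reaching bridge1 (the "private" sub-net). The `ISOLATE` rule is constructed for illustration, and the check is simplified: it only evaluates rules whose sole matchers are `in-interface`/`out-interface`.

```python
import shlex

# Filter and NAT sections as posted above (continuation backslashes kept).
EXPORT = r'''/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established disabled=no
add action=accept chain=input comment="default configuration" \
connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no \
in-interface=WAN1
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
no out-interface=pppoe-out1
'''
# Constructed rule (not from the post) used to show the check passing.
ISOLATE = "add action=drop chain=forward in-interface=vlan200 out-interface=bridge1\n"

# Keys that do not narrow a rule beyond the interface pair.
SIMPLE = {"action", "chain", "comment", "disabled", "in-interface", "out-interface"}

def parse_rules(export, section="/ip firewall filter"):
    """Return the 'add' rules of one export section as a list of dicts."""
    text = export.replace("\\\n", "")  # join backslash-continued lines
    rules, active = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            active = (line == section)
        elif active and line.startswith("add "):
            toks = shlex.split(line)[1:]  # shlex keeps quoted comments whole
            rules.append(dict(t.split("=", 1) for t in toks if "=" in t))
    return rules

def blocks_forward(rules, src_if, dst_if):
    """True if the first unconditional forward rule for src_if -> dst_if drops it."""
    for r in rules:
        if r.get("chain") != "forward" or r.get("disabled", "no") != "no":
            continue
        if set(r) - SIMPLE:  # extra matchers make the rule conditional: skip it
            continue
        if r.get("in-interface", src_if) == src_if and r.get("out-interface", dst_if) == dst_if:
            return r.get("action") in ("drop", "reject")
    return False  # nothing matched: an unmatched packet is accepted

if __name__ == "__main__":
    rules = parse_rules(EXPORT)
    print(len(rules), "filter rules, chains:", sorted({r["chain"] for r in rules}))
    print("vlan200 -> bridge1 blocked:", blocks_forward(rules, "vlan200", "bridge1"))
```

Run against the posted export, it finds four rules, all in the `input` chain, so nothing in the filter table restricts forwarding between the two sub-nets.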