dxwil
November 27, 2024, 9:47pm
1
Hi, I’m pretty new to this, but after watching a few videos and reading up on VLANs, I have set them up. But they don’t work. I’ve now spent 2 days trying to find what’s wrong but I can’t.
My final goal is to have a trunk port on ether3 that carries over all my vlans to a tplink switch (the one without a management vlan, so I’ll have to set a static ip for it and access it that way, because according to a few other posts it gets its ip from just a random dhcp server on any vlan). In the below config however, I also tried to make ether5 an untagged port just for testing purposes, and if I set a pvid on that port, it just doesn’t connect at all, and if I don’t set the pvid but leave everything the same, it connects but to vlan1. I have already set my tplink switch to have a static ip 10.0.1.2, but I cannot access it from anywhere else other than by plugging my computer into it and setting my ip as part of that subnet.
Here is my config, I will be very grateful if someone can look into this
# nov/27/2024 22:34:16 by RouterOS 6.49.17
# software id = IM7X-NJZI
#
# model = 750GL
# serial number = 354F02E1F58D
/interface bridge
add admin-mac=D4:CA:6D:3C:20:69 auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=REDACTED service-name=REDACTED use-peer-dns=yes user=\
REDACTED
/interface vlan
add interface=bridge name=Guest vlan-id=40
add interface=bridge name=IoT vlan-id=30
add interface=bridge name=Main vlan-id=20
add interface=bridge name=Management vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLANs
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.0.10-10.0.0.254
add name=dhcp_pool1 ranges=10.0.1.10-10.0.1.254
add name=dhcp_pool2 ranges=10.0.2.10-10.0.2.254
add name=dhcp_pool3 ranges=10.0.3.10-10.0.3.254
add name=dhcp_pool4 ranges=10.0.4.10-10.0.4.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=Management name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=Main name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=IoT name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=Guest name=dhcp4
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=10,30,40
add bridge=bridge tagged=bridge untagged=ether5 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=Management list=VLANs
add interface=Main list=VLANs
add interface=IoT list=VLANs
add interface=Guest list=VLANs
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.1 gateway=10.0.0.1 \
netmask=24
add address=10.0.1.0/24 dns-server=10.0.0.1 gateway=10.0.1.1
add address=10.0.2.0/24 dns-server=10.0.0.1 gateway=10.0.2.1
add address=10.0.3.0/24 dns-server=10.0.0.1 gateway=10.0.3.1
add address=10.0.4.0/24 dns-server=10.0.0.1 gateway=10.0.4.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Berlin
/system logging
add topics=dhcp
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
anav
November 27, 2024, 10:54pm
2
Good time to learn.
Tips → once you use vlans, take bridge off any dhcp etc. and take the home LAN and make it another vlan.
get rid of vlan interface list group, not required, and add a TRUSTED interface list.
If you do have a spare port or can spare one during the bulk of the configuration, highly recommended for safe and no hair tearing out configging!!
take ethernet port off bridge, let's say 4 for now.
/interface ethernet
set [ find default-name=ether4 ] name=OffBridge4
/ip address
add address=192.168.77.1/30 interface=OffBridge4 network=192.168.77.0
and add interface to LAN interface list.
ON PC plug into port and change IPv4 settings to 192.168.77.2 and you should be in!!
Read through this for some ideas → http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
dxwil
November 29, 2024, 1:57pm
3
Thank you for the help. As you suggested, I removed ether5 from the bridge and disabled the bridge dhcp, as well as set ether4 as the untagged port to test. But something still doesn’t work. Now when I plug in my computer into ether4, instead of giving me an ip address from the bridge’s dhcp server, I don’t get any proper IP from any of the dhcp servers, let alone the vlan10 one. (I didn’t remove the VLAN list yet as I don’t think it affects anything right now).
Here is my config now:
# nov/29/2024 14:55:03 by RouterOS 6.49.17
# software id = IM7X-NJZI
#
# model = 750GL
# serial number = 354F02E1F58D
/interface bridge
add admin-mac=D4:CA:6D:3C:20:69 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=off_bridge5
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 service-name=002151706176 use-peer-dns=yes user=730006738450
/interface vlan
add interface=bridge name=Guest vlan-id=40
add interface=bridge name=IoT vlan-id=30
add interface=bridge name=Main vlan-id=20
add interface=bridge name=Management vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLANs
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.0.10-10.0.0.254
add name=dhcp_pool1 ranges=10.0.1.10-10.0.1.254
add name=dhcp_pool2 ranges=10.0.2.10-10.0.2.254
add name=dhcp_pool3 ranges=10.0.3.10-10.0.3.254
add name=dhcp_pool4 ranges=10.0.4.10-10.0.4.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=Management name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=Main name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=IoT name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=Guest name=dhcp4
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=20,30,40
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=Management list=VLANs
add interface=Main list=VLANs
add interface=IoT list=VLANs
add interface=Guest list=VLANs
add interface=off_bridge5 list=LAN
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
add address=192.168.88.1/30 interface=off_bridge5 network=192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.1 gateway=10.0.0.1 netmask=24
add address=10.0.1.0/24 dns-server=10.0.0.1 gateway=10.0.1.1
add address=10.0.2.0/24 dns-server=10.0.0.1 gateway=10.0.2.1
add address=10.0.3.0/24 dns-server=10.0.0.1 gateway=10.0.3.1
add address=10.0.4.0/24 dns-server=10.0.0.1 gateway=10.0.4.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Berlin
/system logging
add topics=dhcp
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
anav
November 29, 2024, 2:21pm
4
You have four vlans but 5 pools is one clue. What was the first tip in my post above!!!
You only have two IP addresses???
It's clear to me you made NO effort to read the vlan link article.
Come back when you put an honest day's work into the config.
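The clue in the last reply (DHCP servers bound to VLAN interfaces while only two IP addresses exist) can be checked mechanically against an export, together with a second mismatch visible in the same config: ether4 is untagged in VLAN 10 but keeps the default pvid, so its untagged traffic is classified into VLAN 1. The Python checker below is an added example, not code from the thread or from MikroTik; `parse_export` and `audit` are hypothetical helper names, and the sample input is condensed from the second export.

```python
import shlex
from collections import defaultdict
# Constructed sample: condensed from the second export posted in the thread.
EXPORT = """\
/interface vlan
add interface=bridge name=Main vlan-id=20
add interface=bridge name=Management vlan-id=10
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=Management name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=Main name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=20,30,40
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=10
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
add address=192.168.88.1/30 interface=off_bridge5 network=192.168.88.0
"""

def parse_export(text):
    """Map each menu path to the key=value dicts of its 'add' lines."""
    menus, path = defaultdict(list), None
    for line in text.replace("\\\n", "").splitlines():  # join continuations
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            pairs = (t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            menus[path].append(dict(pairs))
    return menus

def audit(text):
    m, findings = parse_export(text), []
    addressed = {a["interface"] for a in m["/ip address"]}
    vlan_ifs = {v["name"] for v in m["/interface vlan"]}
    for srv in m["/ip dhcp-server"]:  # enabled servers export as disabled=no
        if srv.get("disabled") == "no" and srv["interface"] in vlan_ifs - addressed:
            findings.append(("no-address", srv["interface"]))
    pvid = {p["interface"]: p.get("pvid", "1") for p in m["/interface bridge port"]}
    for row in m["/interface bridge vlan"]:
        for port in filter(None, row.get("untagged", "").split(",")):
            # untagged ingress is classified by the port's pvid (default 1)
            if pvid.get(port, "1") not in row["vlan-ids"].split(","):
                findings.append(("pvid-mismatch", port))
    return findings

if __name__ == "__main__": print(audit(EXPORT))
```

On the sample it reports Management and Main as DHCP-served VLAN interfaces with no address, and ether4 as an untagged member of VLAN 10 whose pvid does not match.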