Hi,
I need some help on vlan, addressing and routing.
If I understand correctly, the concept is: physical interface → create virtual interface (with vlan ID) on physical interface → add virtual interface to bridge → and then add IP subnet to bridge. Correct?
So: physical interface eth1 → virtual interface (with vlan ID 10) → bridge-10 and add 192.168.1.1/26 to bridge-10.
How does this work with multiple vlans?
Do I create two more bridges like this:
physical interface eth1 → virtual interface (with vlan ID 20) → bridge-20 and add 192.168.2.1/26 to bridge-20.
physical interface eth1 → virtual interface (with vlan ID 30) → bridge-30 and add 192.168.3.1/26 to bridge-30.
I’d like to segregate traffic into three categories on the same physical network: Clients, Servers, Visitors.
Clients in 192.168.1.0/26
Servers in 192.168.2.0/26
Visitors in 192.168.3.0/26
I have one RB751 and have attached three VLAN-capable switches, which can have any of the categories connected to them.
Servers: provide DNS/DHCP/Fileshare to Clients. Need access to the Internet (e.g. to resolve clients' DNS queries)
Clients: need access to Servers for DNS/DHCP/Fileshare and need access to Internet
Visitors: need only access Internet and may not access Servers/Clients
On the switches, I have created three vlans and traffic coming from the switches to the router is tagged with either vlan ID 10, 20 or 30. I’m just not sure if I’m configuring the router correctly.
All you need to do is create the VLAN interfaces on the relevant physical Ether port and apply the IP settings / DHCP server etc. to the VLAN interfaces. Bridges are only necessary if you want to bridge the VLAN interfaces to additional interfaces.
On the RB751 you would probably want to use the switch chip function, so make 2 Ether ports slaves of another (which becomes the master) and attach the VLAN interfaces only to the master Ether port. They will automatically appear on the slave ports without the use of a RouterOS bridge and without using CPU cycles for bridging.
This can be done, but then you should indeed create 3 bridges and add the dedicated (same) vlan interfaces to each bridge.
That leaves me with one question regarding DHCP.
You said you want your servers to be the DHCP server, also for clients, but in a different broadcast domain; that will not work.
Alright, I’ve added the IP address and subnet to the bridges and that works as we started out with: physical interface eth1 → virtual interface (with vlan ID 10) → bridge-10 and add 192.168.1.1/26 to bridge-10.
Thx for clarifying. As a follow-up question, how would you add the default gateway to Routes if Clients+Servers go to one and Visitors go to another?
If the routerboard will be connected to the Internet, use the bridge IP addresses for the clients to be their default gateway. If the routerboard will also be the DHCP server, let the gateway be set via DHCP.
I’ve put the IP addresses on the bridges:
192.168.1.1 is on bridge-10 (this /26 subnet contains Clients)
192.168.2.1 is on bridge-20 (this /26 subnet contains Servers)
192.168.3.1 is on bridge-30 (this /26 subnet contains Visitors)
On the MikroTik, under Tools > Ping:
I can ping a client 192.168.1.4 from interface bridge-10
I can NOT ping a server 192.168.2.2 from interface bridge-10
On a client 192.168.1.4:
I can ping a server 192.168.2.2
I can NOT ping the bridge-10 address of 192.168.1.1
I have network connectivity from Clients to Servers and vice versa, and am happy that it all works; I’m just trying to understand if the above behavior is correct and normal.
I can ping a client 192.168.1.4 from interface bridge-10
I can NOT ping a server 192.168.2.2 from interface bridge-10
I think this is quite reasonable, since the 2.2 is not behind the bridge-10. I’m not sure but I can imagine that the MikroTik does not route the ping traffic if you specify a specific interface to ping from.
On a client 192.168.1.4:
I can ping a server 192.168.2.2
I can NOT ping the bridge-10 address of 192.168.1.1
Check your firewall rules, specifically the input chain.
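Putting the earlier reply's bridge-free VLAN setup together with the final hint about the input chain, here is an added RouterOS CLI example (written for this page, not configuration posted by anyone in the thread). It assumes ether2 is the trunk port to the switches and ether1 is the WAN port, and reuses the VLAN IDs and /26 subnets from the question.

```routeros
# Added example, not from the thread. Assumed ports: ether2 = trunk to
# the switches, ether1 = WAN. VLAN IDs and subnets are from the question.

# Tagged sub-interfaces on the trunk port (no bridge needed)
/interface vlan
add name=vlan10-clients interface=ether2 vlan-id=10
add name=vlan20-servers interface=ether2 vlan-id=20
add name=vlan30-visitors interface=ether2 vlan-id=30

# The router's address in each /26 is that VLAN's default gateway
/ip address
add address=192.168.1.1/26 interface=vlan10-clients
add address=192.168.2.1/26 interface=vlan20-servers
add address=192.168.3.1/26 interface=vlan30-visitors

# Interface list so firewall rules can name all LAN VLANs at once
/interface list
add name=LAN
/interface list member
add list=LAN interface=vlan10-clients
add list=LAN interface=vlan20-servers
add list=LAN interface=vlan30-visitors

# input chain: the router itself must answer the VLANs (ping, DHCP, DNS);
# a missing accept here is why a client cannot ping its own gateway
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface-list=LAN action=accept
add chain=input in-interface=ether1 action=drop

# forward chain: Visitors reach the Internet only; Clients and Servers
# reach each other and the Internet; everything else is dropped
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=vlan30-visitors out-interface=ether1 action=accept
add chain=forward in-interface=vlan30-visitors action=drop
add chain=forward in-interface-list=LAN out-interface=ether1 action=accept
add chain=forward in-interface=vlan10-clients out-interface=vlan20-servers action=accept
add chain=forward in-interface=vlan20-servers out-interface=vlan10-clients action=accept
add chain=forward action=drop

# Source NAT so all three VLANs can reach the Internet via ether1
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
```

Rule order matters: the Visitors drop rule sits before the general LAN-to-WAN accept, and the final forward drop is what actually keeps Visitors away from the Clients and Servers subnets.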