Help with inter-VLAN routing

Hi Everyone, I need help with inter-vlan routing

I have this current physical setup:

1x RB3011 UiAS-RM Router
1x Cisco SG200-50P Switch (Core Switch)
2x Cisco SG200-50 Switch

The switches are layer 2 and the necessary port trunks have been configured.
Switch 1 (Core):
Port 48 = Router
Port 49 = Switch 2
Port 50 = Switch 3

Problem:
How can I allow all VLANs to access “Vlan100 IT”? Vlan100 IT is where our biometrics, file server, printer, etc. are connected, and I need either every VLAN, or at least VLANs 101, 102, 103, 104, 105 and 110, to be able to reach it.
# Initial configuration as first posted (WAN addresses redacted by the poster).
# The VLAN interfaces below are created on eth5-LAN, which is also the only
# member port of LAN-Bridge (see /interface bridge port) — the "VLAN interface
# on a slave interface" misconfiguration pointed out in the first reply.
/interface bridge
add fast-forward=no name=LAN-Bridge
/interface ethernet
set [ find default-name=ether1 ] name=eth1-WAN1
set [ find default-name=ether2 ] name=eth2-WAN2
set [ find default-name=ether5 ] name=eth5-LAN

# 802.1Q sub-interfaces, one per VLAN ID, all hanging off the bridge slave port.
/interface vlan
add interface=eth5-LAN name=“Vlan100 IT” vlan-id=100
add interface=eth5-LAN name=“Vlan101 HR/Admin” vlan-id=101
add interface=eth5-LAN name=“Vlan102 QA” vlan-id=102
add interface=eth5-LAN name=“Vlan103 MC” vlan-id=103
add interface=eth5-LAN name=“Vlan104 CS” vlan-id=104
add interface=eth5-LAN name=“Vlan105 ConfeRm” vlan-id=105
add interface=eth5-LAN name=“Vlan106 GameRm” vlan-id=106
add interface=eth5-LAN name=“Vlan110 IT/Admin” vlan-id=110
add interface=eth5-LAN name=“Vlan120 WiFi-Admin” vlan-id=120
add interface=eth5-LAN name=“Vlan121 WiFi-Staff” vlan-id=121
add interface=eth5-LAN name=“Vlan122 WiFi-Guest” vlan-id=122

# dhcp_pool1 spans 10.7.0.51-10.7.255.254, which contains every per-VLAN pool
# below (10.7.1.x, 10.7.4.x ... 10.7.22.x), so the same address may be offered
# by the untagged server (dhcp1) and by one of the VLAN servers.
/ip pool
add name=dhcp_pool1 ranges=10.7.0.51-10.7.255.254
add name=dhcp_pool2 ranges=10.7.1.2-10.7.1.254
add name=dhcp_pool3 ranges=10.7.4.2-10.7.4.254
add name=dhcp_pool4 ranges=10.7.5.2-10.7.5.254
add name=dhcp_pool5 ranges=10.7.6.2-10.7.6.254
add name=dhcp_pool6 ranges=10.7.7.2-10.7.7.254
add name=dhcp_pool7 ranges=10.7.8.2-10.7.8.254
add name=dhcp_pool8 ranges=10.7.9.2-10.7.9.254
add name=dhcp_pool9 ranges=10.7.10.2-10.7.10.254
add name=dhcp_pool10 ranges=10.7.20.2-10.7.20.254
add name=dhcp_pool11 ranges=10.7.21.2-10.7.21.254
add name=dhcp_pool12 ranges=10.7.22.2-10.7.22.254

# One DHCP server per interface: dhcp1 serves untagged LAN-Bridge traffic from
# the overlapping /16 pool, dhcp2..dhcp12 serve their VLAN sub-interface.
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 authoritative=after-2sec-delay
disabled=no interface=LAN-Bridge lease-time=1d name=dhcp1
add address-pool=dhcp_pool2 authoritative=after-2sec-delay disabled=no
interface=“Vlan100 IT” lease-time=1d name=dhcp2
add address-pool=dhcp_pool3 authoritative=after-2sec-delay disabled=no
interface=“Vlan101 HR/Admin” lease-time=1d name=dhcp3
add address-pool=dhcp_pool4 authoritative=after-2sec-delay disabled=no
interface=“Vlan102 QA” lease-time=1d name=dhcp4
add address-pool=dhcp_pool5 authoritative=after-2sec-delay disabled=no
interface=“Vlan103 MC” lease-time=1d name=dhcp5
add address-pool=dhcp_pool6 authoritative=after-2sec-delay disabled=no
interface=“Vlan104 CS” lease-time=1d name=dhcp6
add address-pool=dhcp_pool7 authoritative=after-2sec-delay disabled=no
interface=“Vlan105 ConfeRm” lease-time=1d name=dhcp7
add address-pool=dhcp_pool8 authoritative=after-2sec-delay disabled=no
interface=“Vlan106 GameRm” lease-time=1d name=dhcp8
add address-pool=dhcp_pool9 authoritative=after-2sec-delay disabled=no
interface=“Vlan110 IT/Admin” lease-time=1d name=dhcp9
add address-pool=dhcp_pool10 authoritative=after-2sec-delay disabled=no
interface=“Vlan120 WiFi-Admin” lease-time=1d name=dhcp10
add address-pool=dhcp_pool11 authoritative=after-2sec-delay disabled=no
interface=“Vlan121 WiFi-Staff” lease-time=8h name=dhcp11
add address-pool=dhcp_pool12 authoritative=after-2sec-delay disabled=no
interface=“Vlan122 WiFi-Guest” lease-time=8h name=dhcp12

# eth5-LAN is the bridge's only member; hw=no turns off hardware offload for it.
/interface bridge port
add bridge=LAN-Bridge hw=no interface=eth5-LAN
/ip neighbor discovery-settings
set discover-interface-list=discover
# 10.7.0.1/16 on LAN-Bridge overlaps every VLAN /24 configured below; the more
# specific /24 wins for those destinations, the /16 catches the rest.
/ip address
add address=10.7.0.1/16 interface=LAN-Bridge network=10.7.0.0
add address=xxx.xxx.xxx.xxx/30 interface=eth1-WAN1 network=xxx.xxx.xxx.xxx
add address=xxx.xxx.xxx.xxx/29 interface=eth2-WAN2 network=xxx.xxx.xxx.xxx
add address=10.7.1.1/24 interface=“Vlan100 IT” network=10.7.1.0
add address=10.7.4.1/24 interface=“Vlan101 HR/Admin” network=10.7.4.0
add address=10.7.5.1/24 interface=“Vlan102 QA” network=10.7.5.0
add address=10.7.6.1/24 interface=“Vlan103 MC” network=10.7.6.0
add address=10.7.7.1/24 interface=“Vlan104 CS” network=10.7.7.0
add address=10.7.8.1/24 interface=“Vlan105 ConfeRm” network=10.7.8.0
add address=10.7.9.1/24 interface=“Vlan106 GameRm” network=10.7.9.0
add address=10.7.10.1/24 interface=“Vlan110 IT/Admin” network=10.7.10.0
add address=10.7.20.1/24 interface=“Vlan120 WiFi-Admin” network=10.7.20.0
add address=10.7.21.1/24 interface=“Vlan121 WiFi-Staff” network=10.7.21.0
add address=10.7.22.1/24 interface=“Vlan122 WiFi-Guest” network=10.7.22.0

# DHCP options per subnet; gateway and DNS are the router's own address on
# that interface (the router is expected to resolve for clients).
/ip dhcp-server network
add address=10.7.0.0/16 dns-server=10.7.0.1 gateway=10.7.0.1
add address=10.7.1.0/24 dns-server=10.7.1.1 gateway=10.7.1.1
add address=10.7.4.0/24 dns-server=10.7.4.1 gateway=10.7.4.1
add address=10.7.5.0/24 dns-server=10.7.5.1 gateway=10.7.5.1
add address=10.7.6.0/24 dns-server=10.7.6.1 gateway=10.7.6.1
add address=10.7.7.0/24 dns-server=10.7.7.1 gateway=10.7.7.1
add address=10.7.8.0/24 dns-server=10.7.8.1 gateway=10.7.8.1
add address=10.7.9.0/24 dns-server=10.7.9.1 gateway=10.7.9.1
add address=10.7.10.0/24 dns-server=10.7.10.1 gateway=10.7.10.1
add address=10.7.20.0/24 dns-server=10.7.20.1 gateway=10.7.20.1
add address=10.7.21.0/24 dns-server=10.7.21.1 gateway=10.7.21.1
add address=10.7.22.0/24 dns-server=10.7.22.1 gateway=10.7.22.1

# Plain masquerade on both WAN links with no src-address restriction; there is
# no /ip firewall filter in this first listing at all.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=eth1-WAN1
add action=masquerade chain=srcnat out-interface=eth2-WAN2

There is an error in your configuration: you have created a VLAN interface on top of a slave interface (a bridge member port). You can read more about this case here:
https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#VLAN_interface_on_a_slave_interface

If this is all of your configuration, then inter-VLAN routing is already allowed between all VLANs.
If you are not able to access other VLANs, then you have probably set up a firewall (maybe on a different device).

  1. Post the entire config (with the software version). Don’t leave out what you think is irrelevant.
  2. Don’t use ports directly once they are in a bridge, e.g. “/interface vlan add interface=eth5-LAN name="Vlan100 IT" vlan-id=100” should use LAN-Bridge, not eth5-LAN.
  3. I don’t see what the point of LAN-Bridge is in the first place.
  4. Say what you have tried in order to determine that things aren’t working, e.g. have you tried pinging anything, both from the router itself and from various devices?

That’s what I understood as well; I thought I had done the right thing. However, I cannot get inter-VLAN access when trying from computers on different VLANs.

All VLANs are connected and do actually have internet access. I’m not sure whether I need to configure anything within the bridge, such as bridge VLANs or bridge VLAN filtering, as the switches I am using are layer 2 Cisco smart switches.

But when I try to ping the following gateway addresses of the other VLANs from a client PC, they are not reachable:
10.7.10.1 (10.7.10.0/24)
10.7.20.1 (10.7.20.0/24)
10.7.21.1 (10.7.21.0/24)
10.7.22.1 (10.7.22.0/24)
10.7.4.1 (10.7.4.0/24)
10.7.5.1 (10.7.5.0/24)
10.7.6.1 (10.7.6.0/24)
10.7.7.1 (10.7.7.0/24)
10.7.8.1 (10.7.8.0/24)
10.7.9.1 (10.7.9.0/24)

I’m quite new to MikroTik. Below are the VLAN configurations of my Cisco switches:
Switch 1 (Core Switch)
Interface Settings:

Vlan Membership Settings:

Switch 2
Interface Settings:

Vlan Membership Settings:

Switch 3
Interface Settings:

Vlan Membership Settings:

I see, thank you everyone. Will try it again

I have changed the VLAN interfaces that were on the slave interface.

Here's the complete config:

apr/30/2018 17:21:42 by RouterOS 6.41.4

software id = LB6W-3FQY

model = RouterBOARD 3011UiAS

serial number = 783E0773A6D3

# Full export posted after moving the VLAN interfaces onto LAN-Bridge. The four
# header lines above (RouterOS version, software id, model, serial number) are
# the export's own "# " comments with the "#" lost in the forum paste. Public
# addresses, router-id and area-id are redacted (xxx / x.x.x.x) by the poster.
/interface bridge
add fast-forward=no name=LAN-Bridge
/interface ethernet
set [ find default-name=ether1 ] name=eth1-WAN1
set [ find default-name=ether2 ] name=eth2-WAN2
set [ find default-name=ether5 ] name=eth5-LAN
# Two GRE tunnels to remote offices; OSPF runs over them (see /routing ospf).
# !keepalive leaves tunnel keepalive unset, so a dead peer is not detected by
# the tunnel itself.
/interface gre
add clamp-tcp-mss=no !keepalive local-address=xxx.xx.xx.xxx name=ph1-sg remote-address=
xxx.xxx.xxx.xxx
add clamp-tcp-mss=no !keepalive local-address=xxx.xxx.xxx.xx name=ph2-twzz remote-address=
xx.xxx.xxx.xx
# VLAN sub-interfaces now sit on LAN-Bridge instead of its slave port eth5-LAN.
# No /interface bridge vlan entries and no vlan-filtering appear anywhere in
# this export, so the bridge itself is VLAN-unaware.
/interface vlan
add interface=LAN-Bridge name="Vlan100 IT" vlan-id=100
add interface=LAN-Bridge name="Vlan101 HR/Admin" vlan-id=101
add interface=LAN-Bridge name="Vlan102 QA" vlan-id=102
add interface=LAN-Bridge name="Vlan103 MC" vlan-id=103
add interface=LAN-Bridge name="Vlan104 CS" vlan-id=104
add interface=LAN-Bridge name="Vlan105 ConfeRm" vlan-id=105
add interface=LAN-Bridge name="Vlan106 GameRm" vlan-id=106
add interface=LAN-Bridge name="Vlan110 IT/Admin" vlan-id=110
add interface=LAN-Bridge name="Vlan120 WiFi-Admin" vlan-id=120
add interface=LAN-Bridge name="Vlan121 WiFi-Staff" vlan-id=121
add interface=LAN-Bridge name="Vlan122 WiFi-Guest" vlan-id=122
/interface list
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Layer-7 patterns used by the mangle marks below. The regexps look mangled by
# forum formatting (e.g. "(.)(facebook)(.)" has lost its "*" quantifiers), so
# compare them against the device before reusing any of them.
/ip firewall layer7-protocol
add comment=Streaming name=streaming regexp=
"^..+\.(youtube.com|googlevideo.com|twitch.tv|akamaihd.net).$"
add comment=Facebook name=facebook regexp="^(.
)(facebook)(.)\$"
add comment="Google Playstore" name=google-playstore regexp=
"^..+\.(play.googleapis.com|android.clients.google.com|lh3.googleusercontent.com).
$"
add comment=Torrent name=bittorrent regexp="^(\x13bittorrent protocol|azver\x01$|get /scr
ape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1
:ad2:id20:|\x08'7P\)[RP]"
# dhcp_pool1 for the untagged 10.7.0.0/16 is gone compared with the first
# listing; the /16 address on LAN-Bridge and its /ip dhcp-server network entry
# remain below without a server behind them.
/ip pool
add name=dhcp_pool2 ranges=10.7.1.2-10.7.1.254
add name=dhcp_pool3 ranges=10.7.4.2-10.7.4.254
add name=dhcp_pool4 ranges=10.7.5.2-10.7.5.254
add name=dhcp_pool5 ranges=10.7.6.2-10.7.6.254
add name=dhcp_pool6 ranges=10.7.7.2-10.7.7.254
add name=dhcp_pool7 ranges=10.7.8.2-10.7.8.254
add name=dhcp_pool8 ranges=10.7.9.2-10.7.9.254
add name=dhcp_pool9 ranges=10.7.10.2-10.7.10.254
add name=dhcp_pool10 ranges=10.7.20.2-10.7.20.254
add name=dhcp_pool11 ranges=10.7.21.2-10.7.21.254
add name=dhcp_pool12 ranges=10.7.22.2-10.7.22.254
# One DHCP server per VLAN sub-interface (1d leases; 8h on the two WiFi VLANs).
/ip dhcp-server
add address-pool=dhcp_pool2 authoritative=after-2sec-delay disabled=no interface=
"Vlan100 IT" lease-time=1d name=dhcp2
add address-pool=dhcp_pool3 authoritative=after-2sec-delay disabled=no interface=
"Vlan101 HR/Admin" lease-time=1d name=dhcp3
add address-pool=dhcp_pool4 authoritative=after-2sec-delay disabled=no interface=
"Vlan102 QA" lease-time=1d name=dhcp4
add address-pool=dhcp_pool5 authoritative=after-2sec-delay disabled=no interface=
"Vlan103 MC" lease-time=1d name=dhcp5
add address-pool=dhcp_pool6 authoritative=after-2sec-delay disabled=no interface=
"Vlan104 CS" lease-time=1d name=dhcp6
add address-pool=dhcp_pool7 authoritative=after-2sec-delay disabled=no interface=
"Vlan105 ConfeRm" lease-time=1d name=dhcp7
add address-pool=dhcp_pool8 authoritative=after-2sec-delay disabled=no interface=
"Vlan106 GameRm" lease-time=1d name=dhcp8
add address-pool=dhcp_pool9 authoritative=after-2sec-delay disabled=no interface=
"Vlan110 IT/Admin" lease-time=1d name=dhcp9
add address-pool=dhcp_pool10 authoritative=after-2sec-delay disabled=no interface=
"Vlan120 WiFi-Admin" lease-time=1d name=dhcp10
add address-pool=dhcp_pool11 authoritative=after-2sec-delay disabled=no interface=
"Vlan121 WiFi-Staff" lease-time=8h name=dhcp11
add address-pool=dhcp_pool12 authoritative=after-2sec-delay disabled=no interface=
"Vlan122 WiFi-Guest" lease-time=8h name=dhcp12
# Top of the queue tree: 10M total, split into Download/Upload by packet mark.
/queue tree
add max-limit=10M name="All Bandwidth" parent=global priority=1
add max-limit=10M name=Download packet-mark=client-dw-packet parent="All Bandwidth"
priority=1
add max-limit=10M name=Upload packet-mark=client-up-packet parent="All Bandwidth" priority=
1
# "set 14" addresses a queue type by its position in the list, which is not
# visible here; numeric references like this are fragile across re-imports.
/queue type
add kind=pcq name=pcq-download-stream pcq-classifier=dst-address
add kind=pcq name=pcq-upload-stream pcq-classifier=dst-address
add kind=pcq name=pcq-download-facebook pcq-classifier=dst-address
add kind=pcq name=pcq-upload-facebook pcq-classifier=dst-address
add kind=pcq name=pcq-download-livechat pcq-classifier=dst-address
add kind=pcq name=pcq-upload-livechat pcq-classifier=dst-address
add kind=pcq name=pcq-download-android pcq-classifier=dst-address pcq-dst-address6-mask=64
pcq-src-address6-mask=64 pcq-total-limit=5000KiB
add kind=pcq name=pcq-upload-android pcq-classifier=dst-address pcq-dst-address6-mask=64
pcq-src-address6-mask=64 pcq-total-limit=3000KiB
set 14 pcq-rate=2M
# Leaf queues. Inconsistencies visible here: qq-up, streaming-up and mail-igg-up
# sit under Upload but use a *download* queue type; facebook-up matches
# packet-mark=facebook-up-conn, which mangle below only ever uses as a
# connection mark (the packet mark it sets is facebook-up-packets), so that
# leaf never sees traffic. The torrent-*-packets marks set in mangle have no
# leaf at all. pcq-download-default / pcq-upload-default are not defined in
# this export (presumably built-in types).
/queue tree
add max-limit=5M name=http-dw packet-mark=http-dw-packet parent=Download priority=3 queue=
pcq-download-default
add max-limit=3M name=other-dw packet-mark=other-dw-packet parent=Download priority=2
queue=pcq-download-default
add max-limit=6M name=http-up packet-mark=http-up-packet parent=Upload priority=3 queue=
pcq-upload-default
add max-limit=5M name=other-up packet-mark=other-up-packet parent=Upload priority=2 queue=
pcq-upload-default
add max-limit=2M name=facebook-dw packet-mark=facebook-dw-packets parent=Download priority=
7 queue=pcq-download-facebook
add max-limit=2M name=facebook-up packet-mark=facebook-up-conn parent=Upload priority=7
queue=pcq-upload-facebook
add max-limit=10M name=backend-dw packet-mark=backend-dw-packet parent=Download priority=1
queue=pcq-download-default
add max-limit=10M name=backend-up packet-mark=backend-up-packet parent=Upload priority=1
queue=pcq-upload-default
add max-limit=10M name=qq-dw packet-mark=QQ-dw-packet parent=Download priority=1 queue=
pcq-download-default
add max-limit=10M name=qq-up packet-mark=QQ-up-packet parent=Upload priority=1 queue=
pcq-download-default
add max-limit=1M name=streaming-dw packet-mark=streaming-dw-packets parent=Download queue=
pcq-download-stream
add max-limit=1M name=streaming-up packet-mark=streaming-up-packets parent=Upload queue=
pcq-download-stream
add max-limit=10M name=livechat-dw packet-mark=LiveChat-dw-packets parent=Download
priority=1 queue=pcq-download-livechat
add max-limit=10M name=livechat-up packet-mark=LiveChat-up-packets parent=Upload priority=1
queue=pcq-upload-livechat
add max-limit=8M name=android-dw packet-mark=google-playstore-dw-packets parent=Download
priority=2 queue=pcq-download-android
add max-limit=8M name=android-up packet-mark=google-playstore-up-packets parent=Upload
priority=2 queue=pcq-upload-android
add max-limit=10M name=mail-igg-dw packet-mark=mail-igg-dw-packets parent=Download
priority=1 queue=pcq-download-default
add max-limit=10M name=mail-igg-up packet-mark=mail-igg-up-packets parent=Upload priority=1
queue=pcq-download-default
/routing ospf area
add area-id=x.x.x.x name=phoffice
/routing ospf instance
set [ find default=yes ] router-id=x.x.x.x
# SNMP (enabled further down) keeps the built-in default community, limited to
# a single management address.
/snmp community
set [ find default=yes ] addresses=xx.x.x.xx/32
# eth5-LAN is the bridge's only member; hw=no turns off hardware offload for it.
/interface bridge port
add bridge=LAN-Bridge hw=no interface=eth5-LAN
/ip neighbor discovery-settings
set discover-interface-list=discover
# 10.7.0.1/16 on LAN-Bridge overlaps every VLAN /24 below. This is also why the
# 10.0.0.0/8 -> 10.7.0.0/16 forward drop in the filter section catches all
# inter-VLAN traffic: every VLAN subnet lies inside both ranges.
/ip address
add address=10.7.0.1/16 interface=LAN-Bridge network=10.7.0.0
add address=xxx.xxx.xxx.xx/30 interface=eth1-WAN1 network=xxx.xxx.xxx.xx
add address=xxx.xx.xx.xxx/29 interface=eth2-WAN2 network=xxx.xx.xx.xxx
add address=10.7.1.1/24 interface="Vlan100 IT" network=10.7.1.0
add address=10.7.4.1/24 interface="Vlan101 HR/Admin" network=10.7.4.0
add address=10.7.5.1/24 interface="Vlan102 QA" network=10.7.5.0
add address=10.7.6.1/24 interface="Vlan103 MC" network=10.7.6.0
add address=10.7.7.1/24 interface="Vlan104 CS" network=10.7.7.0
add address=10.7.8.1/24 interface="Vlan105 ConfeRm" network=10.7.8.0
add address=10.7.9.1/24 interface="Vlan106 GameRm" network=10.7.9.0
add address=10.7.10.1/24 interface="Vlan110 IT/Admin" network=10.7.10.0
add address=10.7.20.1/24 interface="Vlan120 WiFi-Admin" network=10.7.20.0
add address=10.7.21.1/24 interface="Vlan121 WiFi-Staff" network=10.7.21.0
add address=10.7.22.1/24 interface="Vlan122 WiFi-Guest" network=10.7.22.0
add address=xx.xxx.xxx.xx/30 interface=ph1-sg network=xx.xxx.xxx.xx
add address=xx.xxx.xxx.xx/30 interface=ph2-twzz network=xx.xxx.xxx.xx
# The 10.7.0.0/16 entry no longer has a pool or server behind it (see /ip pool).
/ip dhcp-server network
add address=10.7.0.0/16 dns-server=10.7.0.1 gateway=10.7.0.1
add address=10.7.1.0/24 dns-server=10.7.1.1 gateway=10.7.1.1
add address=10.7.4.0/24 dns-server=10.7.4.1 gateway=10.7.4.1
add address=10.7.5.0/24 dns-server=10.7.5.1 gateway=10.7.5.1
add address=10.7.6.0/24 dns-server=10.7.6.1 gateway=10.7.6.1
add address=10.7.7.0/24 dns-server=10.7.7.1 gateway=10.7.7.1
add address=10.7.8.0/24 dns-server=10.7.8.1 gateway=10.7.8.1
add address=10.7.9.0/24 dns-server=10.7.9.1 gateway=10.7.9.1
add address=10.7.10.0/24 dns-server=10.7.10.1 gateway=10.7.10.1
add address=10.7.20.0/24 dns-server=10.7.20.1 gateway=10.7.20.1
add address=10.7.21.0/24 dns-server=10.7.21.1 gateway=10.7.21.1
add address=10.7.22.0/24 dns-server=10.7.22.1 gateway=10.7.22.1
# allow-remote-requests=yes makes the router a resolver for any source that can
# reach it. The input chain below drops only UDP/53 from outside 10.7.0.0/16
# (TCP/53 is not covered) and has no final drop rule, so the WAN side is still
# reachable on TCP/53 unless something upstream filters it.
/ip dns
set allow-remote-requests=yes servers=xxx.xxx.xxx.xxx,1.1.1.1,xxx.xxx.xxx.xxx,8.8.8.8
# Filter chains. Neither input nor forward ends in a drop, so anything that is
# not matched falls through to RouterOS's default accept.
/ip firewall filter
# Torrent detection on LAN-Bridge. src-address-list="" (empty) looks like a
# leftover — verify it does not prevent the rule from matching.
add action=add-src-to-address-list address-list=Torrent_Users address-list-timeout=
none-dynamic chain=forward comment="RECORD AND DROP TORRENT USERS" in-interface=
LAN-Bridge layer7-protocol=bittorrent src-address-list=""
# Torrent_Users are blocked only on ports outside the negated set; 0-1024 and
# the listed ports remain reachable for them.
add action=drop chain=forward dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905
protocol=tcp src-address-list=Torrent_Users
add action=drop chain=forward dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905
protocol=udp src-address-list=Torrent_Users
# input: established traffic from each WAN is accepted. The comment "ALLOW DNS
# CACHE" does not describe what this rule matches.
add action=accept chain=input comment="ALLOW DNS CACHE" connection-state=established
in-interface=eth1-WAN1
add action=accept chain=input connection-state=established in-interface=eth2-WAN2
# ICMP and GRE are accepted from any source (no src-address / in-interface on
# either); GRE could be narrowed to the two tunnel peers. OSPF is limited to one /24.
add action=accept chain=input protocol=icmp
add action=accept chain=input protocol=gre
add action=accept chain=input protocol=ospf src-address=xxx.xxx.xxx.xxx/24
# Only UDP DNS from non-LAN sources is dropped here (see /ip dns note above).
add action=drop chain=input comment="BLOCK DNS REQUEST ON WAN INTERFACE" dst-port=53
protocol=udp src-address=!10.7.0.0/16
# FTP brute-force handling: ftp_blacklist is fed by "530 Login incorrect" seen
# in the output chain. /ip service disables ftp below, so these three rules are
# effectively inert.
add action=drop chain=input comment="DROP FTP BRUTE FORCERS" dst-port=21 protocol=tcp
src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h
chain=output content="530 Login incorrect" protocol=tcp
# SSH brute-force staging on the custom port 2200 (see /ip service): a source
# climbs ssh_stage1 -> stage2 -> stage3 within 1m windows and then lands in
# ssh_blacklist for 1w3d. Nothing restricts which sources may reach port 2200
# in the first place.
add action=drop chain=input comment="DROP SSH BRUTE FORCERS" dst-port=2200 protocol=tcp
src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d
chain=input connection-state=new dst-port=2200 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=
input connection-state=new dst-port=2200 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=
input connection-state=new dst-port=2200 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=
input connection-state=new dst-port=2200 protocol=tcp
# Policy for 10.0.0.0/8 -> 10.7.0.0/16: established/related and TCP/80 to
# 10.7.0.250 are accepted, everything else is dropped. Every VLAN subnet lies
# inside both ranges, so this drop also blocks every new inter-VLAN connection
# (the point made in the replies below). Any exception for "Vlan100 IT"
# (10.7.1.0/24) has to be placed before the drop.
add action=accept chain=forward connection-state=established,related dst-address=
10.7.0.0/16 src-address=10.0.0.0/8
add action=accept chain=forward dst-address=10.7.0.250 dst-port=80 protocol=tcp
src-address=10.0.0.0/8
add action=drop chain=forward dst-address=10.7.0.0/16 src-address=10.0.0.0/8
# The two Worm-Infected-p445 drops are identical; the list is populated in
# mangle prerouting below.
add action=drop chain=forward comment="VIRUS / PORTS FLOODING PREVENTION" dst-port=445
protocol=tcp src-address-list=Worm-Infected-p445
add action=drop chain=forward dst-port=445 protocol=tcp src-address-list=Worm-Infected-p445
# INTERVLAN accepts are all disabled=yes and sit after the 10.0.0.0/8 drop, so
# enabling them in place would still not let a new connection through.
add action=accept chain=forward comment="INTERVLAN: Vlan103_MC to Vlan104_CS" disabled=yes
in-interface="Vlan103 MC" out-interface="Vlan104 CS"
add action=accept chain=forward comment="INTERVLAN: Vlan104_CS to Vlan103_MC" disabled=yes
in-interface="Vlan104 CS" out-interface="Vlan103 MC"
add action=accept chain=forward comment="INTERVLAN: Vlan100_IT to Vlan101_HR/Admin"
disabled=yes in-interface="Vlan100 IT" out-interface="Vlan101 HR/Admin"
add action=accept chain=forward comment="INTERVLAN: Vlan101_HR/Admin to Vlan100_IT"
disabled=yes in-interface="Vlan101 HR/Admin" out-interface="Vlan100 IT"
# MSS clamping for the GRE tunnels (clamp-tcp-mss=no on the interfaces, so it
# is done here instead).
/ip firewall mangle
add action=change-mss chain=postrouting new-mss=1436 out-interface=ph2-twzz passthrough=yes
protocol=tcp tcp-flags=syn tcp-mss=1436-65495
add action=change-mss chain=postrouting new-mss=1436 out-interface=ph1-sg passthrough=yes
protocol=tcp tcp-flags=syn tcp-mss=1436-65495
# Feeds Worm-Infected-p445. NOTE(review): limit= matches packets only while the
# rate stays under 5/s (burst 10), i.e. a host is listed for sending *few* new
# SYNs to 445 — confirm this is the intended direction of the match.
add action=add-src-to-address-list address-list=Worm-Infected-p445 address-list-timeout=1h
chain=prerouting comment="VIRUS / PORTS FLOODING PREVENTION" connection-state=new
dst-port=445 limit=5,10:packet protocol=tcp
# Traffic classification for the queue tree. Download marks key on
# in-interface=eth1-WAN1 only (traffic via eth2-WAN2 is never marked); upload
# marks key on in-interface=LAN-Bridge. NOTE(review): packets received on the
# VLAN sub-interfaces presumably carry that VLAN interface as in-interface
# rather than LAN-Bridge — check the rule counters for tagged traffic.
add action=mark-connection chain=forward comment=client-dw-con in-interface=eth1-WAN1
new-connection-mark=client-dw-con passthrough=yes
add action=mark-packet chain=forward comment=client-dw-packet connection-mark=client-dw-con
new-packet-mark=client-dw-packet passthrough=yes
add action=mark-connection chain=prerouting comment=client-up-con in-interface=LAN-Bridge
new-connection-mark=client-up-con passthrough=yes
add action=mark-packet chain=prerouting comment=client-up-packet connection-mark=
client-up-con new-packet-mark=client-up-packet passthrough=yes
# Per-application packet marks; remote addresses are redacted.
add action=mark-packet chain=forward comment=backend-dw-packet connection-mark=
client-dw-con new-packet-mark=backend-dw-packet passthrough=no port=443 protocol=tcp
src-address=xxx.xxx.xxx.xxx
add action=mark-packet chain=forward comment=backend-up-packet connection-mark=
client-up-con dst-address=xxx.xxx.xxx.xxx new-packet-mark=backend-up-packet passthrough=
no port=443 protocol=tcp
add action=mark-connection chain=forward comment=LiveChat-dw-conn in-interface=eth1-WAN1
new-connection-mark=LiveChat-dw-conn passthrough=yes port=8090 protocol=tcp
add action=mark-packet chain=forward comment=LiveChat-dw-packets connection-mark=
LiveChat-dw-conn new-packet-mark=LiveChat-dw-packets passthrough=no
add action=mark-connection chain=prerouting comment=LiveChat-up-conn dst-address=
xxx.xxx.xxx.xxx in-interface=LAN-Bridge new-connection-mark=LiveChat-up-conn passthrough=
yes port=8090 protocol=tcp
add action=mark-packet chain=forward comment=LiveChat-up-packets connection-mark=
LiveChat-up-conn new-packet-mark=LiveChat-up-packets passthrough=no
add action=mark-packet chain=forward comment=mail-igg-dw-packets connection-mark=
client-dw-con in-interface=eth1-WAN1 new-packet-mark=mail-igg-dw-packets passthrough=no
protocol=tcp src-address=xxx.xxx.xxx.xxx
add action=mark-packet chain=forward comment=mail-igg-up-packets connection-mark=
client-up-con dst-address=xxx.xxx.xxx.xxx new-packet-mark=mail-igg-up-packets
out-interface=LAN-Bridge passthrough=no protocol=tcp
add action=mark-packet chain=forward comment=QQ-dw-packet connection-mark=client-dw-con
new-packet-mark=QQ-dw-packet passthrough=no port=4000,4001,4002,4003,4004,53373,57699
protocol=udp
add action=mark-packet chain=forward comment=QQ-up-packet connection-mark=client-up-con
new-packet-mark=QQ-up-packet passthrough=yes port=4000,4001,4002,4003,4004,53373,57699
protocol=udp
# Layer-7 based marks (google-playstore, bittorrent, facebook, streaming): each
# runs the regexp over connections; the torrent-*-packets marks are set but no
# queue leaf consumes them.
add action=mark-connection chain=forward comment=google-playstore-dw-conn in-interface=
eth1-WAN1 layer7-protocol=google-playstore new-connection-mark=google-playstore-dw-conn
passthrough=yes
add action=mark-packet chain=forward comment=google-playstore-dw-packets connection-mark=
google-playstore-dw-conn new-packet-mark=google-playstore-dw-packets passthrough=no
add action=mark-connection chain=prerouting comment=google-playstore-up-conn in-interface=
LAN-Bridge layer7-protocol=google-playstore new-connection-mark=
google-playstore-up-conn passthrough=yes
add action=mark-packet chain=forward comment=google-playstore-up-packets connection-mark=
google-playstore-up-conn new-packet-mark=google-playstore-up-packets passthrough=no
add action=mark-connection chain=forward comment=torrent-dw-conn in-interface=eth1-WAN1
layer7-protocol=bittorrent new-connection-mark=torrent-dw-conn passthrough=yes
add action=mark-packet chain=forward comment=torrent-dw-packets connection-mark=
torrent-dw-conn new-packet-mark=torrent-dw-packets passthrough=no
add action=mark-connection chain=prerouting comment=torrent-up-conn in-interface=LAN-Bridge
layer7-protocol=bittorrent new-connection-mark=torrent-up-conn passthrough=yes
add action=mark-packet chain=forward comment=torrent-up-packets connection-mark=
torrent-up-conn new-packet-mark=torrent-up-packets passthrough=no
add action=mark-connection chain=forward comment=facebook-dw-conn in-interface=eth1-WAN1
layer7-protocol=facebook new-connection-mark=facebook-dw-conn passthrough=yes
add action=mark-packet chain=forward comment=facebook-dw-packets connection-mark=
facebook-dw-conn new-packet-mark=facebook-dw-packets passthrough=no
add action=mark-connection chain=prerouting comment=facebook-up-conn in-interface=
LAN-Bridge layer7-protocol=facebook new-connection-mark=facebook-up-conn passthrough=
yes
add action=mark-packet chain=forward comment=facebook-up-packets connection-mark=
facebook-up-conn new-packet-mark=facebook-up-packets passthrough=no
add action=mark-connection chain=forward comment=streaming-dw-conn in-interface=eth1-WAN1
layer7-protocol=streaming new-connection-mark=streaming-dw-conn passthrough=yes
add action=mark-packet chain=forward comment=streaming-dw-packets connection-mark=
streaming-dw-conn new-packet-mark=streaming-dw-packets passthrough=no
add action=mark-connection chain=prerouting comment=streaming-up-conn in-interface=
LAN-Bridge layer7-protocol=streaming new-connection-mark=streaming-up-conn passthrough=
yes
add action=mark-packet chain=forward comment=streaming-up-packets connection-mark=
streaming-up-conn new-packet-mark=streaming-up-packets passthrough=no
# Catch-all re-marking of whatever still carries the generic client-* packet
# mark: HTTP/HTTPS first, then "other".
add action=mark-packet chain=forward comment=http-dw-packet new-packet-mark=http-dw-packet
packet-mark=client-dw-packet passthrough=no port=80,443 protocol=tcp
add action=mark-packet chain=forward comment=http-up-packet new-packet-mark=http-up-packet
packet-mark=client-up-packet passthrough=no port=80,443 protocol=tcp
add action=mark-packet chain=forward comment=other-dw-packet new-packet-mark=
other-dw-packet packet-mark=client-dw-packet passthrough=no
add action=mark-packet chain=forward comment=other-up-packet new-packet-mark=
other-up-packet packet-mark=client-up-packet passthrough=no
# Plain masquerade on both WAN links; no src-address restriction, so anything
# routed out a WAN interface is NATed, including traffic arriving via the GRE
# tunnels if it ever takes that path.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=eth1-WAN1
add action=masquerade chain=srcnat out-interface=eth2-WAN2
# Connection-tracking helpers switched off; helpers not listed keep defaults.
/ip firewall service-port
set ftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set dccp disabled=yes
# Two static default routes, distance 2 being the backup. No check-gateway is
# set, so the backup presumably only takes over when the primary route goes
# inactive (e.g. the interface drops) — confirm.
/ip route
add distance=1 gateway=xxx.xxx.xxx.xxx
add distance=2 gateway=xxx.xxx.xxx.xxx
# Management plane: telnet/ftp/www/api/api-ssl off, ssh moved to 2200. winbox
# and www-ssl are not listed, so they keep their defaults. No address= limit is
# set on any service, and the input chain above has no final drop.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set api-ssl disabled=yes
/lcd
set backlight-timeout=never read-only-mode=yes
# OSPF over the two GRE tunnels; 10.7.0.0/16 is advertised as area phoffice.
/routing ospf area range
add area=phoffice range=10.7.0.0/16
add area=backbone range=xxx.xxx.xxx.xxx/24
/routing ospf interface
add interface=ph2-twzz network-type=point-to-point
add interface=ph1-sg network-type=point-to-point
/routing ospf network
add area=phoffice network=10.7.0.0/16
add area=backbone network=xxx.xxx.xxx.xxx/30
add area=backbone network=xxx.xxx.xxx.xxx/30
/snmp
set enabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Singapore
/system identity
set name=IGGPH
# Bandwidth-test server and MAC-server access are switched off.
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
# Netwatch probes public resolvers; no up/down scripts are attached.
/tool netwatch
add host=8.8.8.8
add host=8.8.4.4
add host=208.67.220.220
add host=208.67.222.222
# Packet sniffer pre-configured on eth1-WAN1 (not necessarily running).
/tool sniffer
set file-limit=30000KiB file-name=packettest filter-interface=eth1-WAN1

I can see the following:


/ip firewall filter
add action=accept chain=forward connection-state=established,related dst-address=10.7.0.0/16 src-address=10.0.0.0/8
...
add action=drop chain=forward dst-address=10.7.0.0/16 src-address=10.0.0.0/8

while


/ip address
add address=10.7.1.1/24 interface="Vlan100 IT" network=10.7.1.0

So any new connection towards the subnet of **Vlan100 IT** cannot be established, as 10.7.1.0/24 fits into 10.7.0.0/16 and the subnets of all the other VLANs fit into 10.0.0.0/8.

Supposing that the purpose of that last filter rule above was to separate the other VLANs from each other, you need to put an exception rule just before it (in the forward chain) in order to permit access to **Vlan100 IT** from all other VLANs:


add action=accept dst-address=10.7.1.0/24 src-address=10.0.0.0/8

The firewall rules are quite messy in general, as there is no “drop the rest” rule at the end of the **input** and **forward** filter chains, and the default policy in RouterOS is always **accept**.

Hi, my VLANs still can’t communicate with each other.

The VLANs are now under the bridge interface instead of the slave interface.

I have already disabled these rules, as they had been added by my colleague from our HQ:
/ip firewall filter
add action=accept chain=forward connection-state=established,related dst-address=10.7.0.0/16 src-address=10.0.0.0/8

add action=drop chain=forward dst-address=10.7.0.0/16 src-address=10.0.0.0/8

LAN IP 10.7.0.1/16 still can’t ping the VLANs’ IP addresses.