Trying to set up a VLAN based network based on http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 mostly RoaS style.
The RB2011iL router is the main router, most of its IFs serving APs with multiple SSIDs depending on VLANs.
ether1 is the DHCP WAN
ether5 will be a BLUE port
ether10 will be the (emergency) management port
Have a TP-link EAP225 on ether3, VLAN-SSID mapping setup. Getting IPs with DHCP fine. Internet access works fine.
Not fully done yet.
What I don’t get is why hosts on the same interface! and subnet can’t connect (ping) each other.
Have some IoT devices on the GREEN VLAN/SSID, all connected via the EAP225. All get an IP address (like 10.1.100.250) from the router, DHCP leases lists 'em all. Can ping 'em from the router. I connect with a laptop to the same EAP225, same GREEN VLAN/SSID, get an IP (10.1.100.9), can ping the router (10.1.111.1), but can’t ping 10.1.100.250. Seems to be something with arp, arp on the laptop does not list the IoT devices.
The other thing I need to figure is why ether10 does not really work, can’t ping the router (192.168.89.1) even when setting a fixed IP on the laptop (192.168.89.4/24, gw: 192.168.89.1).
Luckily winbox via mac server works on ether10.
…
Not fully done yet.
…
What I don’t get is why hosts on the same interface! and subnet can’t connect (ping) each other.
Have some IoT devices on the GREEN VLAN/SSID, all connected via the EAP225. All get an IP address (like 10.1.100.250) from the router, DHCP leases lists 'em all. Can ping 'em from the router. I connect with a laptop to the same EAP225, same GREEN VLAN/SSID, get an IP (10.1.100.9), can ping the router (10.1.111.1), but can’t ping 10.1.100.250. Seems to be something with arp, arp on the laptop does not list the IoT devices
Are those IoT devices getting their IPs through DHCP, or did you manually assign them?
If you can’t see their ARP, maybe you have put them in the wrong VLAN port? Remember that the router (or inter-VLAN routing) doesn’t forward broadcasts, including ARP messages.
Or maybe you have some unfinished firewall setup?
Likely the EAP225 has client isolation enabled on that SSID.
The other thing I need to figure is why ether10 does not really work, can’t ping the router (192.168.89.1) even when setting a fixed IP on the laptop (192.168.89.4/24, gw: 192.168.89.1).
You have the same subnet on two interfaces, the Mikrotik has no idea which interface to look for your laptop on. Likely you intended the BASE_VLAN to be 192.168.88.x/24 rather than the 192.168.89.x/24 which it is set to.
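
The same-subnet-on-two-interfaces condition described in the last reply can be checked mechanically. This is an added example, not part of the thread or the poster's configuration: it parses the `/ip address` section of a RouterOS export and reports subnets that overlap across different interfaces, generalizing from identical subnets to any overlap (for example a /24 inside a /16). The export text, the GREEN_VLAN interface name and every address other than the 192.168.89.x/24 subnet are constructed.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample in RouterOS "/ip address" export syntax; not the poster's real config.
SAMPLE_EXPORT = """\
/ip address
add address=192.168.89.1/24 interface=BASE_VLAN network=192.168.89.0
add address=10.1.100.1/24 interface=GREEN_VLAN network=10.1.100.0
add address=192.168.89.1/24 comment="emergency mgmt" interface=ether10 \\
    network=192.168.89.0
add address=10.1.0.1/16 disabled=yes interface=ether5 network=10.1.0.0
/ip pool
add name=green ranges=10.1.100.10-10.1.100.254
"""

# key=value pairs; values may be double-quoted and contain spaces
PAIR = re.compile(r'(\w[\w-]*)=("[^"]*"|\S+)')

def parse_ip_addresses(export_text):
    """Return [(interface, IPv4Network)] for enabled entries under /ip address."""
    text = re.sub(r"\\\r?\n\s*", "", export_text)  # join "\" continuation lines
    entries, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = line == "/ip address"
            continue
        if not in_section or not line.startswith("add "):
            continue
        kv = {k: v.strip('"') for k, v in PAIR.findall(line)}
        if kv.get("disabled") == "yes" or "address" not in kv:
            continue  # disabled addresses do not create connected routes
        net = ipaddress.ip_interface(kv["address"]).network
        entries.append((kv.get("interface", "?"), net))
    return entries

def find_overlaps(entries):
    """Return pairs of entries on different interfaces whose subnets overlap."""
    return [
        (a, b) for a, b in combinations(entries, 2)
        if a[0] != b[0] and a[1].overlaps(b[1])
    ]

if __name__ == "__main__":
    for (if_a, net_a), (if_b, net_b) in find_overlaps(parse_ip_addresses(SAMPLE_EXPORT)):
        print(f"overlap: {if_a} {net_a} <-> {if_b} {net_b}")
```

Running it over the text of a real export before adding a management or VLAN subnet flags any interface pair that would leave the router with two connected routes to the same range.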