How to access one VLAN from another VLAN (Inter-VLAN Connections)

I was having fun with my “homelab”, learning about docker, throwing up container after container in my “server” (reverse proxy, home assistant, wiki.js, etc.) when I decided I needed to deal with the Hairpin NAT issue. Reading around on past threads it sounded like I should move my “server” to a different vlan/network. Boom. Did it. Then I needed a firewall rule to allow communication from one VLAN to another. Boom. It blew it up. Can’t do it. Didn’t work. What am I doing wrong? I went from a very specific rule to a wide open:

add action=accept chain=forward comment="Allow VLAN" in-interface-list=VLAN \
    log=yes log-prefix=VLAN out-interface-list=VLAN

And nothing has worked. I even disabled my drop rules (after unplugging) and that didn’t work. Is that not doing what I think it should be doing? Or is something else breaking it? Or something else missing? Firewalling is still something I haven’t delved too deeply into. Can anyone please tell me what I’m doing wrong?

Here is my complete, mostly current mess (including diagram if you have draw.io/diagrams.net): https://github.com/simsrw73/documents/tree/main/smart-home/routeros

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Allow VLAN_BASE" in-interface=\
    vlan-base log=yes log-prefix=BASE
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="Drop everything else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Allow VLAN" in-interface-list=VLAN \
    log=yes log-prefix=VLAN out-interface-list=VLAN
add action=accept chain=forward comment="Allow VLAN access Internet" \
    connection-state=new in-interface-list=VLAN log=yes log-prefix=\
    VLAN->INTERNET: out-interface-list=WAN
add action=accept chain=forward comment="Allow from WAN if DSTNATed" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="Drop everything else" log=yes

/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Fwd for WWW" dst-address-list=\
    WAN_IP dst-port=80 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.200.10 to-ports=80
add action=src-nat chain=srcnat comment=\
    "Translate NTP from 123 to 12300 to bypass AT&T block of port 123" \
    protocol=udp src-port=123 to-ports=12300
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

I probably have far too many vlans. I’m still trying to figure out what is standard and best practice. But for the purpose here. I have one vlan (one lone pc on that vlan), vlan-server (192.168.200.10) that I want to access from another vlan, vlan-base (192.168.99.x). Both devices are Windows 11 Pro PCs.

Very grateful for any help.

You should use as many vlans as you require to separate subnets and users/devices. No more, no less!!

Yeah, your rules are a bit of a mess, not too bad but need some cleaning up.
However, you need to provide the full config to do so.

Thanks, anav. All my configs & diagrams/charts are linked at the github url above. But here’s the router config for more convenience:


# mar/25/2022 19:02:59 by RouterOS 7.1.5
# software id = SYTB-ZK4C
#
# model = RB5009UG+S+
# serial number = EC1A0FCC6B92
/interface bridge
add admin-mac=DC:2C:6E:47:0F:C0 auto-mac=no name=bridge protocol-mode=none \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether7 ] name=ether7-Access
set [ find default-name=sfp-sfpplus1 ] advertise=1000M-full,10000M-full \
    speed=1Gbps
/interface vlan
add interface=bridge name=vlan-base vlan-id=99
add interface=bridge name=vlan-guest vlan-id=101
add interface=bridge name=vlan-iot vlan-id=107
add interface=bridge name=vlan-security vlan-id=119
add interface=bridge name=vlan-server vlan-id=200
add interface=bridge name=vlan-voip vlan-id=111
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool-base ranges=192.168.99.31-192.168.99.254
add name=dhcp_pool-guest ranges=192.168.101.21-192.168.101.254
add name=dhcp_pool-iot ranges=192.168.107.21-192.168.107.254
add name=dhcp_pool-security ranges=192.168.119.21-192.168.119.254
add name=dhcp_pool-voip ranges=192.168.111.21-192.168.111.254
add name=dhcp_pool-server ranges=192.168.200.20-192.168.200.254
/ip dhcp-server
add address-pool=dhcp_pool-base interface=vlan-base name=dhcp-base
add address-pool=dhcp_pool-guest interface=vlan-guest name=dhcp-guest
add address-pool=dhcp_pool-iot interface=vlan-iot name=dhcp-iot
add address-pool=dhcp_pool-security interface=vlan-security name=\
    dhcp-security
add address-pool=dhcp_pool-voip interface=vlan-voip name=dhcp-voip
add address-pool=dhcp_pool-server interface=vlan-server name=dhcp-server
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=99
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether6
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=99
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge tagged=\
    bridge,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=99
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=101
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=107
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=119
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=111
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=200
/interface list member
add interface=ether1 list=WAN
add interface=vlan-guest list=VLAN
add interface=vlan-iot list=VLAN
add interface=vlan-base list=BASE
add interface=vlan-base list=VLAN
add interface=ether7-Access list=BASE
add interface=vlan-security list=VLAN
add interface=vlan-server list=VLAN
/ip address
add address=192.168.99.1/24 interface=vlan-base network=192.168.99.0
add address=192.168.101.1/24 interface=vlan-guest network=192.168.101.0
add address=192.168.107.1/24 interface=vlan-iot network=192.168.107.0
add address=192.168.9.11/24 interface=ether7-Access network=192.168.9.0
add address=192.168.119.1/24 interface=vlan-security network=192.168.119.0
add address=192.168.111.1/24 interface=vlan-voip network=192.168.111.0
add address=192.168.200.0/24 interface=vlan-server network=192.168.200.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.99.15 client-id=1:60:12:8b:5c:43:5b comment=\
    "Canon MB5320 Printer" mac-address=60:12:8B:5C:43:5B server=dhcp-base
add address=192.168.99.20 client-id=1:50:eb:f6:7e:73:de comment=Desktop \
    mac-address=50:EB:F6:7E:73:DE server=dhcp-base
add address=192.168.200.10 client-id=1:24:4b:fe:5a:a9:9e mac-address=\
    24:4B:FE:5A:A9:9E server=dhcp-server
/ip dhcp-server network
add address=192.168.99.0/24 gateway=192.168.99.1
add address=192.168.101.0/24 dns-server=192.168.99.1 gateway=192.168.101.1
add address=192.168.107.0/24 dns-server=192.168.99.1 gateway=192.168.107.1
add address=192.168.111.0/24 dns-server=192.168.99.1 gateway=192.168.111.1
add address=192.168.119.0/24 dns-server=192.168.99.1 gateway=192.168.119.1
add address=192.168.200.0/24 dns-server=192.168.99.1 gateway=192.168.200.1
/ip dns
set allow-remote-requests=yes servers=\
    1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003 use-doh-server=\
    https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.200.10 name=zadkiel.home.arpa
add address=192.168.99.20 name=cassiel.home.arpa
add address=192.168.200.10 name=wiki.home.arpa
/ip firewall address-list
add address=ec1a0fcc6b92.sn.mynetname.net list=WAN_IP
add address=192.168.99.0/24 list=Clients
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Allow VLAN_BASE" in-interface=\
    vlan-base log=yes log-prefix=BASE
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="Drop everything else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Allow VLAN" in-interface-list=VLAN \
    log=yes log-prefix=VLAN out-interface-list=VLAN
add action=accept chain=forward comment="Allow VLAN access Internet" \
    connection-state=new in-interface-list=VLAN log=yes log-prefix=\
    VLAN->INTERNET: out-interface-list=WAN
add action=accept chain=forward comment="Allow from WAN if DSTNATed" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="Drop everything else" log=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Fwd for WWW" dst-address-list=\
    WAN_IP dst-port=80 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.200.10 to-ports=80
add action=src-nat chain=srcnat comment=\
    "Translate NTP from 123 to 12300 to bypass AT&T block of port 123" \
    protocol=udp src-port=123 to-ports=12300
add action=masquerade chain=srcnat comment="Hairpin NAT" disabled=yes \
    dst-address=192.168.99.0/24 log=yes log-prefix="HAIRPIN: " src-address=\
    192.168.99.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Port Fwd for Home Assistant" \
    disabled=yes dst-address-list=WAN_IP dst-port=8123 protocol=tcp \
    to-addresses=192.168.99.10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.99.0/24,192.168.9.0/24
set api disabled=yes
set winbox address=192.168.99.0/24,192.168.9.0/24
set api-ssl disabled=yes
/ip smb shares
add comment="default share" directory=/pub name=pub
add comment="default share" directory=/pub name=pub
/ip smb users
add name=guest
add name=guest
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !*2000011
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !*2000011
/system clock
set time-zone-name=America/New_York
/system identity
set name=RT1-Office-NR2
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.north-america.pool.ntp.org
add address=1.north-america.pool.ntp.org
add address=2.north-america.pool.ntp.org
add address=3.north-america.pool.ntp.org
/system routerboard settings
set cpu-frequency=auto
/system scheduler
add interval=25w5d name=schedule-UpdateCACerts on-event=\
    "/system/script/run script-UpdateCACerts" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/30/2021 start-time=02:30:00
add interval=1d name=schedule-UpdateDDNS on-event=\
    "/system/script/run script-UpdateDDNS" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/30/2021 start-time=02:40:00
/system script
add dont-require-permissions=no name=script-UpdateCACerts owner=Yosef policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="{\
    \r\
    \n  :do {\r\
    \n      /tool fetch url=https://mkcert.org/generate/ check-certificate=yes\
    \_dst-path=cacert.pem;\r\
    \n      /certificate remove [ find where authority expired ];\r\
    \n      /certificate import file-name=cacert.pem passphrase=\"\";\r\
    \n      /file remove cacert.pem;\r\
    \n      :log info (\"CACERT: Updated certificate trust store\");\r\
    \n  } on-error={\r\
    \n      :log error (\"CACERT: Failed to update certificate trust store\");\
    \r\
    \n  };\r\
    \n}"
add dont-require-permissions=no name=script-UpdateDDNS owner=Yosef policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Variables\r\
    \n:local GoogleDNSUsername \"Xdb3ILxQVxc7raMT\"\r\
    \n:local GoogleDNSPassword \"p3cM5AoNMvakMVnL\"\r\
    \n:local hostName \"mysmarthome.network\"\r\
    \n:local currentIP \"\"\r\
    \n:local previousIP \"\"\r\
    \n:local Results \"\"\r\
    \n:local fileResults \"GoogleDNS.txt\"\r\
    \n\r\
    \n# Script\r\
    \n:set currentIP [/ip cloud get public-address]\r\
    \n:set previousIP [:resolve \"\$hostName\"]\r\
    \n\r\
    \n:if (\$currentIP != \$previousIP) do={\r\
    \n    :do {\r\
    \n        /tool fetch url=\"https://\$GoogleDNSUsername:\$GoogleDNSPasswor\
    d@domains.google.com/nic/update\?hostname=\$hostName&myip=\$currentIP\" ht\
    tp-header-field=\"User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:\
    70.0) Gecko/20100101 Firefox/70.0\" mode=https dst-path=\$fileResults\r\
    \n        :set Results [/file get \$fileResults contents];\r\
    \n        :log info (\"DDNS Updater: GoogleDNS said this: \$Results\")\r\
    \n    } on-error={ \r\
    \n        :log error (\"DDNS Updater: GoogleDNS: script failed to set new \
    IP address\") \r\
    \n    }\r\
    \n    /file remove \$fileResults\r\
    \n}"
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool romon
set enabled=yes

Diagram and config files on One Drive
https://1drv.ms/u/s!AttCr8Kx_qYlg-xhXxfe-HsLoYuiag?e=Hb6vCf

Firstly, please don’t make a silly rule like all vlans to see all vlans.
Use something that makes sense; perhaps from your base vlan (trusted) you want to be able to access all vlans.
add chain=forward action=accept in-interface=vlan-base out-interface-list=VLAN
OR
making a shared printer on the base vlan available to all
add chain=forward action=accept in-interface-list=VLAN out-interface=vlan-base dst-address=IP of printer



(1) What strikes you about the interface list…
/interface list member
add interface=ether1 list=WAN
add interface=vlan-guest list=VLAN
add interface=vlan-iot list=VLAN
add interface=vlan-base list=BASE
add interface=vlan-base list=VLAN
add interface=ether7-Access list=BASE
add interface=vlan-security list=VLAN
add interface=vlan-server list=VLAN

You have five vlans associated with VLANs BUT… you have six vlans?? More obvious if you had organized your list. ;-PP
missing=voip!

Conclusions:

A. You will not be able to reach the missing VLAN with your rules.
B. The missing VLAN will NOT get internet access.


(2) Why is first entry missing dns server entry??
/ip dhcp-server network
add address=192.168.99.0/24 gateway=192.168.99.1
add address=192.168.101.0/24 dns-server=192.168.99.1 gateway=192.168.101.1
add address=192.168.107.0/24 dns-server=192.168.99.1 gateway=192.168.107.1
add address=192.168.111.0/24 dns-server=192.168.99.1 gateway=192.168.111.1
add address=192.168.119.0/24 dns-server=192.168.99.1 gateway=192.168.119.1
add address=192.168.200.0/24 dns-server=192.168.99.1 gateway=192.168.200.1

(3) MISSING lan users access to router services. (and if you are not using capsman get rid of that rule…)

The drop all rule is good; you do have a rule before it allowing vlan-base to access the router for config purposes.
But when you add the drop rule and stop allowing all users access to the router, you stop dns and ntp and other services to users that may be required.
You need to add, before the drop rule:
add chain=input action=accept in-interface-list=VLAN dst-port=53 protocol=tcp
add chain=input action=accept in-interface-list=VLAN dst-port=53 protocol=udp

(4) Explain this…

/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=99

/interface bridge vlan
add bridge=bridge tagged=\
    bridge,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=99

Hence why I insist on new users MANUALLY inserting all the untagging on the /interface bridge vlans, so that they can visually cross-check with their /interface bridge ports and so that it’s clearer on exports…

/interface bridge vlan
add bridge=bridge tagged=bridge,ether3,ether4,ether5,ether6,sfp-sfpplus1 \
    untagged=ether2,ether8 vlan-ids=99


(5) Small point: this is a better formulation of this rule (shorter). From
add action=accept chain=forward comment="Allow from WAN if DSTNATed" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN

To
add action=accept chain=forward comment="Allow from WAN if DSTNATed" \
    connection-nat-state=dstnat
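An added check for the points above, written for this reply and not anav’s or the OP’s code nor a MikroTik tool: a small Python linter that parses a RouterOS export and flags the VLAN interface missing from the VLAN list, the DHCP network with no dns-server, access ports listed as tagged instead of untagged on their pvid VLAN, and, going one step further than the review above, a DHCP gateway for which the router holds no address. The export it runs on is a constructed, trimmed-down copy of the one posted above; all function names are mine.

```python
"""Lint a RouterOS export for the consistency mistakes discussed in this thread."""
import shlex
from collections import defaultdict

# Constructed sample: a trimmed-down copy of the export posted above, keeping the
# same problems (vlan-voip not in the VLAN list, no dns-server on the base network,
# access ports tagged instead of untagged, a .0 address on vlan-server).
SAMPLE_EXPORT = r"""
/interface vlan
add interface=bridge name=vlan-base vlan-id=99
add interface=bridge name=vlan-server vlan-id=200
add interface=bridge name=vlan-voip vlan-id=111
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=99
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=99
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=99
add bridge=bridge tagged=bridge,ether3 vlan-ids=200
add bridge=bridge tagged=bridge,ether3 vlan-ids=111
/interface list member
add interface=ether1 list=WAN
add interface=vlan-base list=VLAN
add interface=vlan-server list=VLAN
/ip address
add address=192.168.99.1/24 interface=vlan-base network=192.168.99.0
add address=192.168.111.1/24 interface=vlan-voip network=192.168.111.0
add address=192.168.200.0/24 interface=vlan-server network=192.168.200.0
/ip dhcp-server network
add address=192.168.99.0/24 gateway=192.168.99.1
add address=192.168.111.0/24 dns-server=192.168.99.1 gateway=192.168.111.1
add address=192.168.200.0/24 dns-server=192.168.99.1 gateway=192.168.200.1
"""


def parse_export(text):
    """Return {section path: [ {key: value, ...}, ... ]} for each add/set line."""
    sections = defaultdict(list)
    section, buf = None, ""
    for raw in text.splitlines():
        piece = raw.strip() if buf else raw.rstrip()
        if not piece or piece.startswith("#"):
            continue
        if piece.endswith("\\"):           # trailing backslash: command continues
            buf += piece[:-1]
            continue
        cmd, buf = buf + piece, ""
        if cmd.startswith("/"):            # a section path such as /ip address
            section = cmd
            continue
        entry = {}
        for tok in shlex.split(cmd)[1:]:   # skip the add/set verb, keep key=value
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[section].append(entry)
    return dict(sections)


def lint(cfg):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    # (1) every VLAN interface should be in the VLAN interface list, otherwise
    #     forward/input rules written against that list never match its traffic
    in_vlan_list = {m["interface"] for m in cfg.get("/interface list member", [])
                    if m.get("list") == "VLAN"}
    for vlan in cfg.get("/interface vlan", []):
        if vlan["name"] not in in_vlan_list:
            findings.append(f"{vlan['name']} is not a member of interface list VLAN")
    # (2) each DHCP network should hand out a DNS server, and the gateway it
    #     advertises must be an address the router actually holds on an interface
    router_addrs = {a["address"].split("/")[0] for a in cfg.get("/ip address", [])}
    for net in cfg.get("/ip dhcp-server network", []):
        if "dns-server" not in net:
            findings.append(f"dhcp network {net['address']} has no dns-server")
        if net.get("gateway") not in router_addrs:
            findings.append(f"dhcp network {net['address']} advertises gateway "
                            f"{net.get('gateway')} which is not configured on the router")
    # (3) an access port with a pvid belongs in the untagged column of the bridge
    #     vlan row for that id, not the tagged one; list it explicitly in exports
    vlan_table = {v["vlan-ids"]: v for v in cfg.get("/interface bridge vlan", [])}
    for port in cfg.get("/interface bridge port", []):
        pvid = port.get("pvid")
        if pvid is None:
            continue
        row = vlan_table.get(pvid, {})
        tagged = row.get("tagged", "").split(",")
        untagged = row.get("untagged", "").split(",")
        if port["interface"] in tagged:
            findings.append(f"{port['interface']} has pvid {pvid} but is tagged on vlan {pvid}")
        elif port["interface"] not in untagged:
            findings.append(f"{port['interface']} has pvid {pvid} but is not listed "
                            f"untagged on vlan {pvid}")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_export(SAMPLE_EXPORT)):
        print("WARN:", finding)
```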

Thanks. Yeah, this was originally more specific, but I broadened while trying to get something working.

Something like:

add chain=forward action=accept in-interface=vlan-base out-interface=vlan-server



(1) What strikes you about the interface list…
/interface list member
add interface=ether1 list=WAN
add interface=vlan-guest list=VLAN
add interface=vlan-iot list=VLAN
add interface=vlan-base list=BASE
add interface=vlan-base list=VLAN
add interface=ether7-Access list=BASE
add interface=vlan-security list=VLAN
add interface=vlan-server list=VLAN

You have five vlans associated with VLANs BUT… you have six vlans?? More obvious if you had organized your list. ;-PP
missing=voip!

Conclusions:

A. You will not be able to reach the missing VLAN with your rules.
B. The missing VLAN will NOT get internet access.

Just sloppy. Set up voip 2 weeks ago and initially set it up on vlan 99. Saw it while working through this and changed it to the new vlan; didn’t have my attention fully on one thing or the other.


(2) Why is first entry missing dns server entry??
/ip dhcp-server network
add address=192.168.99.0/24 gateway=192.168.99.1
add address=192.168.101.0/24 dns-server=192.168.99.1 gateway=192.168.101.1
add address=192.168.107.0/24 dns-server=192.168.99.1 gateway=192.168.107.1
add address=192.168.111.0/24 dns-server=192.168.99.1 gateway=192.168.111.1
add address=192.168.119.0/24 dns-server=192.168.99.1 gateway=192.168.119.1
add address=192.168.200.0/24 dns-server=192.168.99.1 gateway=192.168.200.1

Not sure. But fixed. Thanks.


(3) MISSING lan users access to router services. (and if you are not using capsman get rid of that rule…)

The drop all rule is good; you do have a rule before it allowing vlan-base to access the router for config purposes.
But when you add the drop rule and stop allowing all users access to the router, you stop dns and ntp and other services to users that may be required.
You need to add, before the drop rule:
add chain=input action=accept in-interface-list=VLAN dst-port=53 protocol=tcp
add chain=input action=accept in-interface-list=VLAN dst-port=53 protocol=udp

Surprised that didn’t break stuff. May have in ways I didn’t know, but that is mostly iot devices, so no one was complaining.


(4) Explain this…

/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=99

/interface bridge vlan
add bridge=bridge tagged=\
    bridge,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=99

Hence why I insist on new users MANUALLY inserting all the untagging on the /interface bridge vlans, so that they can visually cross-check with their /interface bridge ports and so that it’s clearer on exports…

/interface bridge vlan
add bridge=bridge tagged=bridge,ether3,ether4,ether5,ether6,sfp-sfpplus1 \
    untagged=ether2,ether8 vlan-ids=99

More sloppy. I temp hooked my pc in on that port the other day and didn’t set it back correctly.

I’m getting old. My memory and mind are not cooperating with me anymore. Tech & stuff like this that I used to excel in is now a constant struggle. What do you do when you are no longer any good at the only thing you were ever good at?


(5) Small point: this is a better formulation of this rule (shorter). From
add action=accept chain=forward comment="Allow from WAN if DSTNATed" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN

To
add action=accept chain=forward comment="Allow from WAN if DSTNATed" \
    connection-nat-state=dstnat

Thank you for your time going through that and helping me make my config better. I made all of the changes you suggested. Unfortunately, I’m still not able to connect to the server. I can see the DHCP server has it assigned to 192.168.200.10 where I expect it to be. But I can’t get to it from my PC. Both PCs are running Windows 11 Pro and sitting next to each other. It was working fine while they were on the same vlan/network. But after I changed the vlan id, nothing. Could there be some other issue?

YES, check PC software firewall rules, or server rules… doesn’t appear to be MT related.

However, since all the other ports are TRUNK ports, that means you have smart devices attached that are dispensing and untagging vlans to dumb devices.
Thus who knows what is going on there.

Haven’t had a chance to dig in much today. Will follow up on those loose threads soon. But I was wondering if you could point me to an example of a complete firewall config that follows the drop all method you always champion here? A complete example that covers all the normal & common allowances.

https://forum.mikrotik.com/viewtopic.php?t=180838 The first one is basic, the second one is a bit more complex. If you can understand what both do, that’s the important point.

I agree with @anav, it is probably the Windows firewall. By default when using the “private” (less restrictive) firewall profile, it will not block ICMP ping requests from the same subnet, but when you are on a different subnet (even if it is an RFC 1918 private address), it will be blocked by default. And if you want to allow other access you will need to create a rule for the access; Windows has built-ins for things like RDP.

Here’s one article I found specifically about allowing ping, but it shows modifying the domain; you probably only want to allow for the private profile/template unless you have a domain controller. But allowing ping can cause confusion if that’s the only type of traffic allowed, so you really need to determine what types of traffic you do want allowed through the Windows firewall; just because you can ping doesn’t mean you can connect to some arbitrary port.

Here’s a post I made on a competitor’s forum that shows how to adjust the Windows firewall to allow pings from RFC 1918 addresses. But you can be as wide or narrow in scope as you want.

Here’s a @Y-ASK video as a reference for people complaining about the router “not working”. Often the problem is really that they get no ping response from a Windows PC that has the default firewall rules. At 18:06 he describes how to modify the Windows firewall to allow pings from a specific network. Here’s the link to the video with time offset.

That is much better than just turning the windows firewall off.

For people that may be connecting directly to “internet”, and don’t want to be as visible, the following can allow RFC1918 addresses to ping, but still block global addresses. Just use the Add and enter the three ranges.

(image: windows_firewall_allow_pings_from_rfc1918.png)

I cannot get anything to work. I posted on several Windows forums and got zero help. I’m not totally convinced it is a Windows issue. Maybe in part…
I set both Windows machines to Private Network & disabled Windows Firewall completely on private network. Nothing.
I put a Raspberry Pi on the Server VLAN
From my router I can ping the Pi. OK.
From my router I cannot ping the “Server”. FAIL.
From my desktop I cannot ping the Pi. FAIL.
From my desktop I cannot ping the Server. FAIL.
From my router I can ping BASE gateway 192.168.99.1. OK.
From my router I cannot ping SERVER gateway 192.168.200.1. FAIL.

What can I do to troubleshoot this? What am I doing wrong? If I weren’t broke from buying all this MikroTik equipment I would offer a reward. It would so very much be worth it just to get it working so I can get some actual work done, but I’m scraping bottom and praying for charity. What am I doing wrong? Other than having VLAN to VLAN firewall rule wide open still. I will fix that, anav, but as it is it seems pretty dang secure despite that rule since I can’t squeeze anything through that hole.

My complete configuration with network diagram and catalog of devices is at:
https://1drv.ms/u/s!AttCr8Kx_qYlg-xhXxfe-HsLoYuiag?e=3r2w65

Network diagram at: https://github.com/simsrw73/documents/raw/main/smart-home/homelab.svg

Here’s the router config:

# apr/01/2022 10:45:44 by RouterOS 7.1.5
# software id = SYTB-ZK4C
#
# model = RB5009UG+S+
# serial number = EC1A0FCC6B92
/interface bridge
add admin-mac=DC:2C:6E:47:0F:C0 auto-mac=no name=bridge protocol-mode=none \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether7 ] name=ether7-Access
set [ find default-name=sfp-sfpplus1 ] advertise=1000M-full,10000M-full \
    speed=1Gbps
/interface vlan
add interface=bridge name=vlan-base vlan-id=99
add interface=bridge name=vlan-guest vlan-id=101
add interface=bridge name=vlan-iot vlan-id=107
add interface=bridge name=vlan-security vlan-id=119
add interface=bridge name=vlan-server vlan-id=200
add interface=bridge name=vlan-voip vlan-id=111
/interface list
add name=WAN
add name=VLAN
add name=BASE
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool-base ranges=192.168.99.31-192.168.99.254
add name=dhcp_pool-guest ranges=192.168.101.21-192.168.101.254
add name=dhcp_pool-iot ranges=192.168.107.21-192.168.107.254
add name=dhcp_pool-security ranges=192.168.119.21-192.168.119.254
add name=dhcp_pool-voip ranges=192.168.111.21-192.168.111.254
add name=dhcp_pool-server ranges=192.168.200.200-192.168.200.249
/ip dhcp-server
add address-pool=dhcp_pool-base interface=vlan-base name=dhcp-base
add address-pool=dhcp_pool-guest interface=vlan-guest name=dhcp-guest
add address-pool=dhcp_pool-iot interface=vlan-iot name=dhcp-iot
add address-pool=dhcp_pool-security interface=vlan-security name=\
    dhcp-security
add address-pool=dhcp_pool-voip interface=vlan-voip name=dhcp-voip
add address-pool=dhcp_pool-server interface=vlan-server name=dhcp-server
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether6
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=99
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge tagged=\
    bridge,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=99
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=101
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=107
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=119
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=111
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=200
/interface list member
add interface=ether1 list=WAN
add interface=vlan-guest list=VLAN
add interface=vlan-iot list=VLAN
add interface=vlan-base list=BASE
add interface=vlan-base list=VLAN
add interface=ether7-Access list=BASE
add interface=vlan-security list=VLAN
add interface=vlan-server list=VLAN
add interface=vlan-voip list=VLAN
add interface=ether7-Access list=TRUSTED
/ip address
add address=192.168.99.1/24 interface=vlan-base network=192.168.99.0
add address=192.168.101.1/24 interface=vlan-guest network=192.168.101.0
add address=192.168.107.1/24 interface=vlan-iot network=192.168.107.0
add address=192.168.9.11/24 interface=ether7-Access network=192.168.9.0
add address=192.168.119.1/24 interface=vlan-security network=192.168.119.0
add address=192.168.111.1/24 interface=vlan-voip network=192.168.111.0
add address=192.168.200.0/24 interface=vlan-server network=192.168.200.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.99.15 client-id=1:60:12:8b:5c:43:5b comment=\
    "Canon MB5320 Printer" mac-address=60:12:8B:5C:43:5B server=dhcp-base
add address=192.168.99.20 client-id=1:50:eb:f6:7e:73:de comment=Desktop \
    mac-address=50:EB:F6:7E:73:DE server=dhcp-base
add address=192.168.200.10 client-id=1:24:4b:fe:5a:a9:9e mac-address=\
    24:4B:FE:5A:A9:9E server=dhcp-server
add address=192.168.200.14 client-id=1:e4:5f:1:95:b2:43 mac-address=\
    E4:5F:01:95:B2:43 server=dhcp-server
/ip dhcp-server network
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
add address=192.168.101.0/24 dns-server=192.168.99.1 gateway=192.168.101.1
add address=192.168.107.0/24 dns-server=192.168.99.1 gateway=192.168.107.1
add address=192.168.111.0/24 dns-server=192.168.99.1 gateway=192.168.111.1
add address=192.168.119.0/24 dns-server=192.168.99.1 gateway=192.168.119.1
add address=192.168.200.0/24 dns-server=192.168.99.1 gateway=192.168.200.1
/ip dns
set allow-remote-requests=yes servers=\
    1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003 use-doh-server=\
    https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.200.10 name=zadkiel.home.arpa
add address=192.168.99.20 name=cassiel.home.arpa
add address=192.168.200.10 name=wiki.home.arpa
/ip firewall address-list
add address=ec1a0fcc6b92.sn.mynetname.net list=WAN_IP
add address=192.168.99.0/24 list=Clients
add address=192.168.99.20 list=Admin
add address=192.168.99.21 list=Admin
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept DNS (udp)" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Accept DNS (tcp)" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Accept NTP" dst-port=123,12300 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow VLAN_BASE" in-interface=\
    vlan-base log=yes log-prefix=BASE
add action=reject chain=input comment="Reject icmp-admin-prohibited" \
    in-interface-list=VLAN log=yes log-prefix=ICMP-ADMIN-PROHIBITED \
    reject-with=icmp-admin-prohibited
add action=drop chain=input comment="Drop everything else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="Allow VLAN access Internet" \
    connection-state=new in-interface-list=VLAN log=yes log-prefix=\
    VLAN->INTERNET: out-interface-list=WAN
add action=accept chain=forward comment="Allow Inter-VLAN" in-interface=\
    vlan-base log=yes log-prefix=VLAN out-interface=vlan-server
add action=accept chain=forward comment=\
    "Allow dst-nat from both WAN and LAN (including port forwarding)" \
    connection-nat-state=dstnat
add action=reject chain=forward comment="Reject icmp-admin-prohibited" log=\
    yes log-prefix=ICMP-ADMIN-PROHIBITED reject-with=icmp-admin-prohibited
add action=drop chain=forward comment="Drop everything else" log=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Fwd for WWW" dst-address-list=\
    WAN_IP dst-port=80 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.200.10 to-ports=80
add action=src-nat chain=srcnat comment=\
    "Translate NTP from 123 to 12300 to bypass AT&T block of port 123" \
    protocol=udp src-port=123 to-ports=12300
add action=masquerade chain=srcnat comment="Hairpin NAT" disabled=yes \
    dst-address=192.168.99.0/24 log=yes log-prefix="HAIRPIN: " src-address=\
    192.168.99.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Port Fwd for Home Assistant" \
    disabled=yes dst-address-list=WAN_IP dst-port=8123 protocol=tcp \
    to-addresses=192.168.99.10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.99.0/24,192.168.9.0/24
set api disabled=yes
set winbox address=192.168.99.0/24,192.168.9.0/24
set api-ssl disabled=yes
/ip smb shares
add comment="default share" directory=/pub name=pub
add comment="default share" directory=/pub name=pub
/ip smb users
add name=guest
add name=guest
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !*2000011
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !*2000011
/system clock
set time-zone-name=America/New_York
/system identity
set name=RT1-Office-NR2
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.north-america.pool.ntp.org
add address=1.north-america.pool.ntp.org
add address=2.north-america.pool.ntp.org
add address=3.north-america.pool.ntp.org
/system routerboard settings
set cpu-frequency=auto
/system scheduler
add interval=25w5d name=schedule-UpdateCACerts on-event=\
    "/system/script/run script-UpdateCACerts" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/30/2021 start-time=02:30:00
add interval=1d name=schedule-UpdateDDNS on-event=\
    "/system/script/run script-UpdateDDNS" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/30/2021 start-time=02:40:00
/system script
add dont-require-permissions=no name=script-UpdateCACerts owner=Yosef policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="{\
    \r\
    \n  :do {\r\
    \n      /tool fetch url=https://mkcert.org/generate/ check-certificate=yes\
    \_dst-path=cacert.pem;\r\
    \n      /certificate remove [ find where authority expired ];\r\
    \n      /certificate import file-name=cacert.pem passphrase=\"\";\r\
    \n      /file remove cacert.pem;\r\
    \n      :log info (\"CACERT: Updated certificate trust store\");\r\
    \n  } on-error={\r\
    \n      :log error (\"CACERT: Failed to update certificate trust store\");\
    \r\
    \n  };\r\
    \n}"
add dont-require-permissions=no name=script-UpdateDDNS owner=Yosef policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Variables\r\
    \n:local GoogleDNSUsername \"Xdb3ILxQVxc7raMT\"\r\
    \n:local GoogleDNSPassword \"p3cM5AoNMvakMVnL\"\r\
    \n:local hostName \"mysmarthome.network\"\r\
    \n:local currentIP \"\"\r\
    \n:local previousIP \"\"\r\
    \n:local Results \"\"\r\
    \n:local fileResults \"GoogleDNS.txt\"\r\
    \n\r\
    \n# Script\r\
    \n:set currentIP [/ip cloud get public-address]\r\
    \n:set previousIP [:resolve \"\$hostName\"]\r\
    \n\r\
    \n:if (\$currentIP != \$previousIP) do={\r\
    \n    :do {\r\
    \n        /tool fetch url=\"https://\$GoogleDNSUsername:\$GoogleDNSPasswor\
    d@domains.google.com/nic/update\?hostname=\$hostName&myip=\$currentIP\" ht\
    tp-header-field=\"User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:\
    70.0) Gecko/20100101 Firefox/70.0\" mode=https dst-path=\$fileResults\r\
    \n        :set Results [/file get \$fileResults contents];\r\
    \n        :log info (\"DDNS Updater: GoogleDNS said this: \$Results\")\r\
    \n    } on-error={ \r\
    \n        :log error (\"DDNS Updater: GoogleDNS: script failed to set new \
    IP address\") \r\
    \n    }\r\
    \n    /file remove \$fileResults\r\
    \n}"
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool romon
set enabled=yes

For troubleshooting, try to limit the scope of the problem. You have a lot of parts, so saying “I put a Raspberry Pi on the Server VLAN” is pretty meaningless. Is it on the same switch as the Server that fails?

Please indicate what switch and port each of the above devices are connected to.

Also, are all your devices just using standard ethernet framing (untagged) and the selection of what vlan they are connected to is based solely on the PVID of the switch/bridge port they are connected to?

Also, your diagram shows nothing connected to the RB5009 via the SFP+ interface, but that is the only interface besides the bridge itself that most of your vlans are connected to, with the exception of vlan 99.

/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=99
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=101
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=107
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=119
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=111
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=200

(1) Small point on input chain…
add action=accept chain=input comment="Allow VLAN_BASE" in-interface=vlan-base log=yes log-prefix=BASE

Should it not be in-interface-list=BASE and not in-interface=vlan-base?
IF you want to be able to access the config from the ether7-access, the rule you have would not permit it, and the drop all rule at the end would block it.

(2) Nothing else seems weird… Since vlan99 has full access to vlan200, you should be able to reach or ping any device in vlan200 from vlan99.

What exactly is not working, and I don't really care about pinging, I care about users' requirements being met.

You may want to consider loading v7.2rc7 in the testing channel. It has a lot of fixes (but possibly some new bugs), but for sure it has bridge related fixes.

Also, your RB5009 has many ports available. I would use some of them as access ports for some of the other vlans, just to limit the amount of other equipment that is involved. Once you get things working on just the RB5009 ports, then start branching out. Crawl before you walk, walk before you run. You can troubleshoot a lot of access issues just by working with the ports on the RB5009, then once you have things working there, when you add a switch, if something doesn’t work, you will know it is related to the connection to the switch, or the switch configuration.

Partitioning the problem into manageable pieces is very helpful when troubleshooting. But even then some issues can be frustratingly hard to troubleshoot. For example this thread.

You have a typo in the address for vlan-server. You used network address instead of interface address.

add address=192.168.200.0/24 interface=vlan-server network=192.168.200.0

MikroTik is like writing your configs in assembly language, there is no type checking… you can freely shoot yourself in the foot.

Yes. The RPi & Server on the same switch.


Please indicate what switch and port each of the above devices are connected to.

Sorry. The diagram was getting busy and I didn’t draw in all the connections. But they are shown in the charts to the side.

RB5009 sfp+1 → CRS328 sfp+1
CRS328 sfp+2 → CRS112 sfp9
CRS112
eth1 → Server PC / Win11 Pro (Zadkiel)
eth3 → RPi (Raziel)
eth4 → Desktop PC / Win11 Pro (Cassiel)


Also, are all your devices just using standard ethernet framing (untagged) and the selection of what vlan they are connected to is based solely on the PVID of the switch/bridge port they are connected to?

If I understand, yes. I did not have them explicitly listed as untagged. anav got on to me for that above. And I was wrong. I just now corrected some issues related to that and now have those correct. Specifically, I did have eth1, server pc, listed as tagged. This was on the CRS112 that the devices are connected to. Unfortunately, that has not changed any of my test results. Everything tests exactly as mentioned above.


Also, your diagram shows nothing connected to the RB5009 via the SFP+ interface, but that is the only interface besides the bridge itself that most of your vlans are connected to, with the exception of vlan 99.

/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=99
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=101
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=107
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=119
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=111
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=200

Correct. The RB5009 sfp+1 is connected to CRS328 and then to CRS112 which the devices are connected to.

Sorry for the confusion. I should have drawn in the connections.

Thanks. Corrected!


(2) Nothing else seems weird… Since vlan99 has full access to vlan200, you should be able to reach or ping any device in vlan200 from vlan99.

What exactly is not working, and I don't really care about pinging, I care about users' requirements being met.

Nothing works. The services I have running in docker are no longer available. I cannot remote desktop nor ssh from PC to Server or RPi. There is no connection to that vlan, with the one exception that I can ping the RPi from the terminal of my RB5009.

██╗░░░██╗███████╗░██████╗██╗██╗██╗
╚██╗░██╔╝██╔════╝██╔════╝██║██║██║
░╚████╔╝░█████╗░░╚█████╗░██║██║██║
░░╚██╔╝░░██╔══╝░░░╚═══██╗╚═╝╚═╝╚═╝
░░░██║░░░███████╗██████╔╝██╗██╗██╗
░░░╚═╝░░░╚══════╝╚═════╝░╚═╝╚═╝╚═╝


Thank you! Doh! Thank you. One stupid typo. Whoever designed the ui–and using the word design is being generous–should be whupped. Yeah, I know it’s still my fault, but dang! Not just the guy who designed it, but everyone that signed off on it. There are so many ways it could be made better to catch mistakes. Places where if you make a change, you also have to make several other changes in very different places so that they all are in sync. Stupid typos like this could be given an “are you sure this is what you want” warning. So much pain all for one digit. One binary bit had me pulling my hair for nearly 2 weeks. I still love my MikroTik gear, but dang!

Well, at least I’ve had some pros going through my code and fixing all my other mistakes and fine tuning. Thanks a ton for the code review! Seriously, thank you a ton to both Buckeye and anav.

Curious, sometimes the router shows you red text when an error has been made, guess not in this case… sometimes it's at a related entry like dhcp server etc…

I agree, it should at least complain when the lowest or highest address in a block is used for an interface address, unless mask is /31 (point to point) or /32 (host). In all other cases, it should not be allowed.

I would consider it a bug, but perhaps there is some edge case I am not thinking about.

@simsrw73, if you want to help, write up and submit bug report with reproducer. Perhaps it can be fixed before 7.2 is released.
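The two checks described in this thread (the network or broadcast address used as an interface address, exempting /31 and /32, and a DHCP gateway that no router interface actually holds) can be run over an export before a client ever tries to route through it. This is an added Python example, not MikroTik's or the thread's code; the sample export is constructed for the test (the interface name ptp-link is made up) and reproduces the one-digit mistake from the thread.

```python
"""Lint the /ip address and /ip dhcp-server network sections of a RouterOS export."""
import ipaddress
import re

# Constructed sample export, not the thread's full config. It reproduces the
# thread's mistake: 192.168.200.0/24 on vlan-server, while the matching DHCP
# network hands out gateway=192.168.200.1. ptp-link is a made-up interface.
SAMPLE_EXPORT = r"""
/ip address
add address=192.168.99.1/24 interface=vlan-base network=192.168.99.0
add address=192.168.200.0/24 interface=vlan-server network=\
    192.168.200.0
add address=10.0.0.0/31 interface=ptp-link network=10.0.0.0
/ip dhcp-server network
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
add address=192.168.200.0/24 dns-server=192.168.99.1 gateway=192.168.200.1
"""


def parse_section(export_text, section):
    """Return the key=value dicts of the 'add' lines under one export section.
    Exports wrap long lines with a trailing backslash, so those are joined first."""
    joined = re.sub(r"\\\n\s*", "", export_text)
    entries, active = [], False
    for line in joined.splitlines():
        if line.startswith("/"):
            active = line.strip() == section
            continue
        if active and line.startswith("add "):
            entries.append(dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line)))
    return entries


def check_interface_address(cidr):
    """Problem string for an interface address, or None if it is usable.
    The all-zero (network) and all-one (broadcast) host parts are flagged,
    except on /31 (RFC 3021 point-to-point) and /32 (host) prefixes."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    if net.prefixlen >= iface.max_prefixlen - 1:
        return None
    if iface.ip == net.network_address:
        return "network address used as interface address"
    if iface.ip == net.broadcast_address:
        return "broadcast address used as interface address"
    return None


def lint_export(export_text):
    """Return (where, value, problem) findings for one exported config."""
    findings, router_ips = [], set()
    for entry in parse_section(export_text, "/ip address"):
        cidr = entry.get("address")
        if not cidr:
            continue
        router_ips.add(ipaddress.ip_interface(cidr).ip)
        problem = check_interface_address(cidr)
        if problem:
            findings.append((entry.get("interface", "?"), cidr, problem))
    # A DHCP network's gateway must be an address the router itself holds;
    # otherwise every client in that VLAN gets a default route to nowhere.
    for entry in parse_section(export_text, "/ip dhcp-server network"):
        gw = entry.get("gateway")
        if gw and ipaddress.ip_address(gw) not in router_ips:
            findings.append((entry.get("address", "?"), gw,
                             "gateway is not configured on any router interface"))
    return findings


if __name__ == "__main__":
    for where, value, problem in lint_export(SAMPLE_EXPORT):
        print(f"{where}: {value}: {problem}")
```

Run it against a real `/export` file by reading the file into `lint_export`; a clean config returns an empty list.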

Sorry, I’ve been running around all weekend and just got back to this. I’ve tried to replicate it in order to file a report, but I cannot. Neither by the command line nor the gui. It must have already been fixed in a fairly recent release, otherwise, I have no idea how it got in there in that broken state: The stable release 7.1.5 will not allow an invalid address as it was in my config above.