Howto: interVLAN routing across multiple ports

I’m a newbie in MikroTik; maybe someone out there can help me with my dilemma.

I’m using an RB750Gr3 router and trying to implement inter-VLAN routing across multiple ports, specifically ports eth3, eth4 and eth5.

I segmented my network into multiple VLANs. Directly connected to the router ports are my Linksys managed switches in trunk port mode:

eth5 ↔ Linksys trunk port (AVoIP devices)  AVoIP-VL7 vlan-id=7
eth4 ↔ Linksys trunk port (CCTV devices)   CCTV-VL10 vlan-id=10
eth3 ↔ Linksys trunk port (public WiFi)    ELIB-VL87 vlan-id=87
eth3 ↔ Linksys trunk port (IoT devices)    GCCC-VL8 vlan-id=8
eth3 ↔ Linksys trunk port (IP phones)      VOICE-VL9 vlan-id=9

Communication (ping, Internet, DHCP) from each VLAN to its own gateway on the router interface works without problems, but traffic across VLANs can’t pass through.

Attached is my router config. Please guide me on where I went wrong or what is missing in my config.

# jun/02/2022 15:36:33 by RouterOS 6.44.5
# software id = SG2V-10C1
#
# model = RB750Gr3
# serial number = C55D0B451512
/interface bridge
add admin-mac=C4:AD:34:C6:0D:66 auto-mac=no name=LAN_BRIDGE
/interface ethernet
set [ find default-name=ether2 ] name=CONVERGE
set [ find default-name=ether1 ] name=GLOBE
set [ find default-name=ether3 ] name=eth3-LAN
set [ find default-name=ether4 ] name=eth4-CCTV
set [ find default-name=ether5 ] name=eth5-AVoIP
/interface vlan
add interface=LAN_BRIDGE name=AVoIP-VL7 vlan-id=7
add interface=LAN_BRIDGE name=CCTV-VL10 vlan-id=10
add interface=eth3-LAN name=ELIB-VL87 vlan-id=87
add interface=eth3-LAN name=GCCC-VL8 vlan-id=8
add interface=eth3-LAN name=VOICE-VL9 vlan-id=9
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_88 ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool_vl10 ranges=10.10.10.51-10.10.10.70
add name=dhcp_pool_vl87 ranges=192.168.87.1-192.168.87.253
add name=dhcp_pool_vl9 ranges=10.10.9.11-10.10.9.253
add name=dhcp_pool_vl8 ranges=10.10.8.20-10.10.8.253
add name=dhcp_pool_vl7 ranges=10.10.7.1-10.10.7.10
/ip dhcp-server
add address-pool=dhcp_88 disabled=no interface=LAN_BRIDGE name=dhcp_88
add address-pool=dhcp_pool_vl10 disabled=no interface=CCTV-VL10 name=\
    dhcp_VL10
add address-pool=dhcp_pool_vl87 disabled=no interface=ELIB-VL87 name=\
    dhcp_VL87
add address-pool=dhcp_pool_vl9 disabled=no interface=VOICE-VL9 name=dhcp_VL9
add address-pool=dhcp_pool_vl8 disabled=no interface=GCCC-VL8 name=dhcp_VL8
add address-pool=dhcp_pool_vl7 disabled=no interface=AVoIP-VL7 name=dhcp-VL7
/interface bridge port
add bridge=LAN_BRIDGE interface=eth3-LAN
add bridge=LAN_BRIDGE interface=eth5-AVoIP
add bridge=LAN_BRIDGE interface=eth4-CCTV
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=LAN_BRIDGE list=LAN
add comment=defconf interface=GLOBE list=WAN
add interface=CONVERGE list=WAN
add interface=CCTV-VL10 list=LAN
add interface=ELIB-VL87 list=LAN
add interface=GCCC-VL8 list=LAN
add interface=AVoIP-VL7 list=LAN
/ip address
add address=192.168.88.1/24 interface=LAN_BRIDGE network=192.168.88.0
add address=10.10.10.254/24 interface=CCTV-VL10 network=10.10.10.0
add address=192.168.87.254/24 interface=ELIB-VL87 network=192.168.87.0
add address=10.10.7.254/24 interface=AVoIP-VL7 network=10.10.7.0
add address=192.168.5.254/24 interface=AVoIP-VL7 network=192.168.5.0
add address=10.10.8.254/24 interface=GCCC-VL8 network=10.10.8.0
add address=10.10.9.254/24 interface=VOICE-VL9 network=10.10.9.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    GLOBE
add default-route-distance=2 dhcp-options=hostname,clientid disabled=no \
    interface=CONVERGE
/ip dhcp-server lease
add address=192.168.88.11 client-id=1:fe:fb:e8:ac:b5:cc mac-address=\
    FE:FB:E8:AC:B5:CC server=dhcp_88
/ip dhcp-server network
add address=10.10.7.0/24 gateway=10.10.7.254
add address=10.10.8.0/24 gateway=10.10.8.254
add address=10.10.9.0/24 gateway=10.10.9.254
add address=10.10.10.0/24 gateway=10.10.10.254
add address=192.168.87.0/24 gateway=192.168.87.254
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting dst-address=10.10.10.0/24
add action=mark-routing chain=prerouting new-routing-mark=TO-CONVERGE \
    passthrough=yes src-address=10.10.10.0/24
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
    TO-CONVERGE passthrough=yes src-address=192.168.87.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=2 gateway=192.168.100.1 routing-mark=TO-CONVERGE
add distance=1 gateway=192.168.254.254 routing-mark=TO-GLOBE

WHY? You only need one port to carry trunked VLANs to the next switch?

@mgabriel … please check what tags should be used for … I edited your post to make it easier to read.

@mgabriel

I think that it will help you to organize things a lot better. I have a system to do so that you can use.

  1. Start with your VLANs. Make a table with the purpose and the id.

VLAN Name   VLAN Comment        VLAN Id
AVoIP-VL7   Voip, blah, blah.   vlan-id=7
GCCC-VL8    GCCC, blah, bl.     vlan-id=8
AVoIP-VL9   Voip, blah, blah.   vlan-id=9
CCTV-VL10   CCTV, blah, blah    vlan-id=10
ELIB-VL87   ELIB, blah, blah.   vlan-id=87

You will also need to create and name a bridge to where your VLANs will be added.

/interface bridge
add comment="VLAN bridge" name=LAN_BRIDGE vlan-filtering=no igmp-snooping=yes protocol-mode=none admin-mac=C4:AD:34:C6:0D:66 auto-mac=no

/interface vlan
add comment="VOIP blah, blah" interface=LAN_BRIDGE name=AVoIP-VL7 vlan-id=7
# THE REST OF VLANS
  2. Follow with your interfaces. Add a table again that explains from where, to where, and what.

Interface    Destination/Source       Description                                           VLANs
ether1  =>   Coming from BlahRouter   Trunk: this is the trunk coming from the Blah router  7,8,9,10,87
ether2  <=   Going to ROUTERA         Going to ROUTERA for this purpose                     ?
ether3  <=   Going to ROUTERB         Going to ROUTERB for this purpose                     8,9,87
ether4  <=   Going to ROUTERC         Going to this computer for this purpose               10

Notice that if there is more than one VLAN per interface, then that is called a trunk or a tagged interface. Only one VLAN present per interface, then it is an untagged interface. This is what you showed.

eth3 ↔ Linksys trunk port (public WiFi)  ELIB-VL87 vlan-id=87
eth3 ↔ Linksys trunk port (IoT devices)  GCCC-VL8 vlan-id=8
eth3 ↔ Linksys trunk port (IP phones)    VOICE-VL9 vlan-id=9
eth4 ↔ Linksys trunk port (CCTV devices) CCTV-VL10 vlan-id=10

I can quickly look at what you are writing and I can see that the info provided IS INCORRECT AND INCOMPLETE. Make sure you fix that info. Read what I mentioned about tagged vs. untagged. But let’s say this for the sake of the example; just add the code below:

/interface ethernet
set [ find default-name=ether1 ] name=GLOBE comment="Blah, blah, blah"
set [ find default-name=ether2 ] name=CONVERGE comment="Blah, blah, blah"
set [ find default-name=ether3 ] name=eth3-LAN comment="Blah, blah, blah"
set [ find default-name=ether4 ] name=eth4-CCTV comment="Blah, blah, blah"
set [ find default-name=ether5 ] name=eth5-AVoIP comment="Blah, blah, blah"

You can then do the following with the information you provided. (I am assuming that you don’t know the difference between tagged and untagged, so this is what I am inferring from what you wrote.) Notice that you need to fill this in with the right information, because, like I said before, what you provided was incomplete and wrong.

VLAN Name   Untagged   Tagged         VLANID
AVoIP-VL7   ether5     ???            7
GCCC-VL8    ???        ether3, ???    8
AVoIP-VL9   ???        ether3, ???    9
CCTV-VL10   ether4     ???            10
ELIB-VL87   ???        ether3, ???    87

Rewrite that and I can then help you go along. Once you have that figured out, the rest is easy. Just send me the info and I will not only try to make sense of it, but will explain why and what. Hope that this helps.

Quote: “Notice that if there is more than one VLAN per interface, then that is called a trunk or a tagged interface. Only one VLAN present per interface, then it is an untagged interface. This is what you showed.”

Not necessarily true. I could send a single VLAN on an ether port to a managed switch, and it would be a trunk port.
What determines whether one has a trunk, hybrid or access point depends upon what the port is being connected to:

A. Dumb device, like a PC or a printer: it’s an access port, SINGLE VLAN, which will be tagged upon entry to the port and untagged upon exit back to the dumb device. (ONE VLAN)
B. Smart device, like a managed switch or business access point: it’s a trunk port; all VLAN tags will be kept on traffic in both directions. (ONE OR MORE VLANS)
C. Smart device, like a VoIP device or bastardized AP (Ubiquiti), AKA a hybrid port. (TWO or MORE VLANS)
   (i) In this case the VLAN can be read and used by the device (VoIP phone) and the untagged VLAN is passed to a PC.
   (ii) Ubiquiti devices in their default setup expect the managed VLAN to come to them untagged and the rest of the VLANs tagged.

What can be said, which is true, is that access ports and hybrid ports can ONLY HAVE one untagged VLAN.
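The tables above (VLAN table, interface table, tagged/untagged per port) map directly onto RouterOS bridge VLAN filtering. The following is an added example, not code from any post in this thread, of how the OP's layout would look written that way: every VLAN interface hangs off LAN_BRIDGE rather than off a slave port, and the bridge VLAN table states per port which VLAN ids are tagged. It assumes, as the OP described, that eth3, eth4 and eth5 all face Linksys trunk ports, so every VLAN is tagged on its port and no pvid/untagged entries are needed; it also assumes the OP's existing interface names and addressing. Run it from Safe Mode (Ctrl-X in the terminal) so a mistake does not lock you out, and switch vlan-filtering on as the last step.

```routeros
# Added example (not from the original post). Assumptions: eth3/eth4/eth5 are
# all trunks to managed switches; VLAN names, ids and addresses are the OP's.

/interface bridge
set LAN_BRIDGE vlan-filtering=no comment="VLAN bridge, filtering enabled below"

# Move the VLAN interfaces that were created on eth3-LAN onto the bridge.
# "set" keeps the IP addresses and DHCP servers bound to them; a VLAN
# interface on a bridge slave port is what the thread warns against.
/interface vlan
set [ find interface=eth3-LAN ] interface=LAN_BRIDGE
# AVoIP-VL7 and CCTV-VL10 already sit on LAN_BRIDGE and stay as they are.

# Bridge ports: trunks only, so no pvid. Untagged frames still enter the
# default pvid=1, which is where the 192.168.88.1 management address lives.
/interface bridge port
set [ find interface=eth3-LAN ] comment="trunk: 8,9,87"
set [ find interface=eth4-CCTV ] comment="trunk: 10"
set [ find interface=eth5-AVoIP ] comment="trunk: 7"

# The tagged/untagged table from the posts above. LAN_BRIDGE itself must be
# listed as tagged on every VLAN the router routes for, otherwise the
# /interface vlan entries on the bridge never see the frames.
/interface bridge vlan
add bridge=LAN_BRIDGE tagged=LAN_BRIDGE,eth5-AVoIP vlan-ids=7
add bridge=LAN_BRIDGE tagged=LAN_BRIDGE,eth3-LAN vlan-ids=8,9,87
add bridge=LAN_BRIDGE tagged=LAN_BRIDGE,eth4-CCTV vlan-ids=10

# VOICE-VL9 is the one VLAN interface missing from the LAN list in the
# posted config; the input chain drops everything not in that list.
/interface list member
add interface=VOICE-VL9 list=LAN

# Last step: enable filtering. Do this inside Safe Mode.
/interface bridge
set LAN_BRIDGE vlan-filtering=yes
```

Two checks after applying it: `/interface bridge vlan print` should show each VLAN id with `current-tagged` matching the table, and `/interface bridge port print` shows whether the ports keep the `H` (hardware offload) flag; on an RB750Gr3 running RouterOS 6 enabling vlan-filtering may move switching to the CPU, which is acceptable for a small site but worth knowing before you rely on it for CCTV throughput.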

Anav, I agree with “not necessarily true part.”

I also agree that best practice is to not use the untagged VLAN for any “active” VLANs; they should all be tagged on a trunk, and the untagged VLAN shouldn’t be used for data. But untagged frames are used by the spanning tree protocol, and at least some devices even require it to be VLAN 1.

And what you say in C. and (ii) is true: in factory reset condition, the UniFi APs have to be “adopted” with untagged frames. But that can be changed once adopted. I asked you about how the TP-Link allowed initial setup, but if you answered, I don’t remember seeing it. The point is, by your definition, UniFi isn’t the only vendor that is “bastardized” in factory default condition.

Rabbit hole follows:
The IEEE 802.1Q spec treats “bridges” as “black boxes” (switches are bridges in the IEEE 802.1Q spec), i.e. the spec does not cover how what happens inside the black box is implemented, only that it behaves a specific way with inputs and outputs. So I avoid using the term tagged except when talking about an Ethernet frame on the wire, where there is a well defined format for tagging the Ethernet frames. MikroTik uses your terminology when describing the switch features, and perhaps Atheros ASICs actually do “add IEEE 802.1Q tags” when receiving an untagged frame on an access port.

I prefer to use the terminology “classify received frames and assign to a specific VLAN while in the switch”. That’s more generic and for some people less confusing than using the term tagging when the port is “untagged”. Many users new to VLANs try to use tagged ports for access ports, because they want the port to “tag the frame”.

The business APs you noted that I use are standard: they expect a trunk port in!

MAKE SURE YOU REMOVE YOUR DEVICE SERIAL NUMBER from your code!

Okay, let’s start with this.

  1. Tell me what each VLAN ID is supposed to do.
  2. Tell me what you want your router to do. For example: you want this interface to carry all these VLANs to this other router (or coming from this router), or you want this interface to connect to this computer on this VLAN.

The other guys were talking about hybrid interfaces, although I assumed that, since that is something of an intermediate topic, it is not something you wanted to do. If I assumed incorrectly, then let me know.

But first of all, look at this part of your code.

Notice that you are adding VLANs to an interface instead of your bridge. Why? Is it because you think that if they are in a bridge, they can interact with each other and you want isolation? Do you know that it would be easier to just use the same bridge, and that being in the same bridge doesn’t necessarily mean that they are sharing data?

Anyway, let me know and I will try to help.

Actually it matters little or nothing what the VLAN wants to do.
The physical structure and relationships between devices are best captured in a network diagram.

What we need is the user requirements: what should
  users a, b, c
  devices 1, 2, 3
  groups of users d, e, f
  groups of devices 4, 5, 6
be able to or need to do, and be prevented from doing.
Don’t forget to include the admin in the above.
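Once the requirements exist, they become forward-chain rules. The posted config has no inter-VLAN rules at all, so as soon as routing works every VLAN (public WiFi, IoT, CCTV) can reach every other one. The following is an added example, not code from any post in the thread, of a policy written against a made-up requirements list: every VLAN may reach the Internet; hosts on the management network 192.168.88.0/24 may reach everything; the IP phones may reach the AVoIP devices; public WiFi, IoT and CCTV may reach nothing else on the LAN; and the admin, as the post above insists, is covered by the management rule. The requirement set and the list name LAN_NETS are assumptions for the example; the interface names and subnets are the OP's.

```routeros
# Added example (not from the original post). Assumed requirements are in
# the comments; replace them with the real ones before applying.

/ip firewall address-list
add list=LAN_NETS address=192.168.88.0/24 comment="management (untagged)"
add list=LAN_NETS address=10.10.7.0/24   comment=AVoIP-VL7
add list=LAN_NETS address=10.10.8.0/24   comment=GCCC-VL8
add list=LAN_NETS address=10.10.9.0/24   comment=VOICE-VL9
add list=LAN_NETS address=10.10.10.0/24  comment=CCTV-VL10
add list=LAN_NETS address=192.168.87.0/24 comment=ELIB-VL87

# The defconf established/related accept already lets replies through, so
# only new connections are judged. Rules are placed before the defconf
# "drop all from WAN not DSTNATed" rule so they sit after "drop invalid".
/ip firewall filter
add chain=forward action=accept connection-state=new \
    src-address=192.168.88.0/24 dst-address-list=LAN_NETS \
    comment="assumed: management may reach every VLAN" \
    place-before=[ find comment="defconf: drop all from WAN not DSTNATed" ]
add chain=forward action=accept connection-state=new \
    in-interface=VOICE-VL9 out-interface=AVoIP-VL7 \
    comment="assumed: IP phones may reach AVoIP devices" \
    place-before=[ find comment="defconf: drop all from WAN not DSTNATed" ]
add chain=forward action=accept connection-state=new \
    in-interface-list=LAN out-interface-list=WAN \
    comment="assumed: every VLAN may reach the Internet" \
    place-before=[ find comment="defconf: drop all from WAN not DSTNATed" ]
add chain=forward action=drop connection-state=new \
    in-interface-list=LAN dst-address-list=LAN_NETS \
    comment="drop all other inter-VLAN traffic" \
    place-before=[ find comment="defconf: drop all from WAN not DSTNATed" ]

# Policy routing caveat: the posted mangle rule marks everything with
# src-address=10.10.10.0/24 for the TO-CONVERGE table, whose only route is
# a default route, and only 10.10.10.0/24 itself is exempted. Exempt all
# LAN destinations first so inter-VLAN traffic is looked up in the main table.
/ip firewall mangle
add chain=prerouting action=accept dst-address-list=LAN_NETS \
    comment="keep LAN-to-LAN out of the policy-routing tables" place-before=0
```

Two things to verify after applying: the LAN interface list must contain every VLAN interface (VOICE-VL9 is missing from it in the posted config, so the drop rule and the Internet rule would both skip phones), and `/ip firewall filter print stats` should show the inter-VLAN drop counter rising when a CCTV camera tries to reach the IoT subnet and staying flat for phone-to-AVoIP traffic.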

Well. Yes. But have you ever talked to someone new trying to set up MikroTik about what they want a VLAN for? It is always good to have the info. Maybe not for setup, but just to make sense of what is going on in their minds. For example, I see that he is naming his Ethernet interfaces with weird names. Why? Is it because he wants to identify a purpose for those interfaces in his mind?

Most of the time there are things that are not correct, but it just makes sense in people’s minds, especially if they are not technologically illiterate but new to MikroTik. I think that it is easier to know the why and what and then explain the how. But those are my two cents.

So. Technically, no. You do not need to know what a VLAN does.

We are saying the same thing; your method will add confusion and lengthen the time to a solution. The shortest, cleanest path to a solution is to separate config and structure from requirements.

The OP hasn’t been here since June 2…