I have an Extreme (XOS) G24XC switch with L2/L3 capability.
I'm trying to use an RB450Gx to give all VLANs internet.
With my current config I have a problem:
Mikrotik to XOS: can't ping
VLAN to Mikrotik: can't ping
XOS to VLAN: success
Where am I wrong?
Config on XOS:
vlan 10 : HR 172.16.10.1/24
vlan 20 : IT 172.16.20.1/24
vlan 30 : FINANCE 172.16.30.1/24
vlan 40 : SALES 172.16.40.1/24
vlan 50 : P2P_MIKROTIK 172.30.5.1/30
VLAN P2P_MIKROTIK tagged on port 17 (to eth2 of the Mikrotik)
ipforwarding enabled on all VLANs
configure iproute add default 172.30.5.2
DHCP (VLANs 10, 20, 30, 40) already created on the switch.
Config on Mikrotik:
eth1 : to internet
eth2 : to xos : ipaddress (172.30.5.2/30)
Added static routes:
172.16.10.0/24 gateway 172.30.5.1
172.16.20.0/24 gateway 172.30.5.1
172.16.30.0/24 gateway 172.30.5.1
172.16.40.0/24 gateway 172.30.5.1
Edit: added the config from the Mikrotik:
[code]
# aug/23/2021 14:48:25 by RouterOS 6.44.4
# software id = X4WI-02U8
#
# model = RB450Gx4
# serial number = B8D00A0985B8
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Internet
set [ find default-name=ether2 ] name=ether2-CoreSwitch
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=xxx.xx.xx.x/30 interface=ether1-Internet network=\
xxx.xx.xx.x
add address=172.30.5.2/30 interface=ether2-CoreSwitch network=172.30.5.0
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-Internet
/ip route
add distance=1 gateway=xxx.xx.xx.x
add distance=1 dst-address=172.16.10.0/24 gateway=172.30.5.1
add distance=1 dst-address=172.16.20.0/24 gateway=172.30.5.1
add distance=1 dst-address=172.16.30.0/24 gateway=172.30.5.1
add distance=1 dst-address=172.16.40.0/24 gateway=172.30.5.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia
[/code]
Post the full router configuration: execute /export hide-sensitive file=anynameyouwish from a terminal window, fetch the resulting file, open it with a text editor and copy-paste it here (inside a [code] [/code] environment). You may want to obfuscate (don't delete!) any sensitive information present in the configuration (such as the public IP address).
In the original post only the interface labelled ether3-pc is running; the ones labelled ether1-internet and ether2-coreswitch are not connected / not running, so it is not surprising the VLANs show as inactive and the routes unreachable.
A sketch of how it is connected as well as the configuration would help.
Screenshots only tell 1% of the story. A text configuration export (as I wrote before) tells 99% of the story. So skip posting screenshots and post the configuration.
So your L2/L3 switch is doing all the routing. The Mikrotik doesn't have any VLAN configuration, so the switch port used to connect to the Mikrotik should be configured as an access (untagged) port for the corresponding VLAN. Or you can configure the VLAN on the Mikrotik if you want the connection between switch and Mikrotik to be tagged.
Since the firewall on the Mikrotik is non-existent, I wonder what its function in the network is (apart from NAT)?
You only need to define P2P_MIKROTIK … just be sure you have the same VLAN ID set on both sides (your initial post has the "vlan 50 : P2P_MIKROTIK 172.30.5.1/30" setting on XOS).
Even though you're using the Mikrotik only for NAT, it can still be hacked (both from the internet and from any of the LANs), as it also lacks any firewall rules for chain=input (which guards the router itself).
Since you're running a pretty old version of ROS, upgrade it to the latest long-term (6.47.10 at this time). I suggest you upgrade routerboot as well (/system routerboard upgrade).
After that have a look at the default config, which can be obtained by running the command /system default-config print … check the firewall filter settings for chain=input. Either implement the default rules (but be sure to populate the appropriate interface lists) or implement similar rules, adjusting them to your router's interface layout.
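As an added example (not from any poster in this thread), here is what the two changes suggested in the replies look like on the RouterOS side: a VLAN 50 sub-interface on ether2-CoreSwitch so the tagged P2P_MIKROTIK link matches what XOS sends on port 17, and chain=input rules modelled on the RouterOS 6 default config. The interface name vlan50-CoreSwitch and the interface lists WAN/LAN are assumed names; the ethernet names come from the export above.

```routeros
# Added example, not the poster's export. Assumes RouterOS 6.x and the
# interface names ether1-Internet / ether2-CoreSwitch from the export above.

# 1) Terminate VLAN 50 on the core-switch port so it matches the XOS side,
#    where port 17 carries P2P_MIKROTIK tagged.
/interface vlan
add name=vlan50-CoreSwitch interface=ether2-CoreSwitch vlan-id=50

# The /30 moves from the untagged ethernet port to the VLAN sub-interface;
# the static routes via 172.30.5.1 keep resolving through this connected net.
/ip address
remove [ find address="172.30.5.2/30" ]
add address=172.30.5.2/30 interface=vlan50-CoreSwitch network=172.30.5.0

# 2) Interface lists, so the filter rules do not hard-code port names.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1-Internet list=WAN
add interface=vlan50-CoreSwitch list=LAN

# 3) chain=input protects the router itself (the part the export lacks).
#    These are the RouterOS 6 default rules, adapted to the lists above.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked \
    comment="replies to traffic the router itself started"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="ping / path MTU discovery"
add chain=input action=accept in-interface-list=LAN \
    comment="management only from the switch side"
add chain=input action=drop in-interface-list=!LAN \
    comment="everything else, i.e. from WAN, is dropped"

# Forward chain: the VLANs still reach the internet through the masquerade
# rule, but unsolicited traffic arriving from WAN is dropped.
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="drop all from WAN not DST-NATed"
```

Nothing changes on the XOS side for this variant, since port 17 stays tagged in VLAN 50; the alternative the reply mentions is to make port 17 untagged in VLAN 50 and leave the /30 on ether2-CoreSwitch, in which case the firewall part still applies unchanged.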