Hello all,
I have a router with 2 separated WANs (1 of those is CG-NAT, another in a VLAN) and multiple VLANs.
For some reason, I can’t reach some IPs in one VLAN from another VLAN.
I have a printer in VLAN 1 and I can reach it from the other VLANs.
The main objective is for VLAN 2000 to be isolated from the others; the rest can communicate with each other.
Also, I’ve checked the IP routes and none of the VLAN routes has a Pref. Source — is that normal?
Current config here:
# 2024-06-26 13:50:49 by RouterOS 7.12.2
# model = RB4011iGS+
# NOTE(review): "PROTECTED" and "SSTP-GATEWAY" are the poster's redactions, not config values.
/interface bridge
add admin-mac=PROTECTED auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
# vlan20-isp rides on ether1 (one WAN); the vlan20xx interfaces are L3 interfaces on the
# VLAN-filtering bridge. No pvid is set on any bridge port below, so untagged traffic on
# them presumably lands in VLAN 1 = the 192.168.1.0/24 "defconf" network (the printer's VLAN).
add interface=ether1 name=vlan20-isp vlan-id=20
add interface=bridge name=vlan2000 vlan-id=2000
add interface=bridge name=vlan2001 vlan-id=2001
add interface=bridge name=vlan2002 vlan-id=2002
add interface=bridge name=vlan2003 vlan-id=2003
add interface=bridge name=vlan2004 vlan-id=2004
add interface=bridge name=vlan2005 vlan-id=2005
add interface=bridge name=vlan2006 vlan-id=2006
add interface=bridge name=vlan2007 vlan-id=2007
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.100
add comment=2001 name=pool-2001 ranges=10.9.16.55-10.9.16.126
add comment=2002 name=pool-2002 ranges=10.9.16.238-10.9.16.254
add comment=2005 name=pool-2005 ranges=10.10.254.1-10.10.254.252
add comment=2003 name=pool-2003 ranges=10.9.15.2-10.9.15.126
add comment=2000 name=pool-2000 ranges=10.9.12.2-10.9.13.254
add comment=2004 name=pool-2004 ranges=10.9.14.2-10.9.14.254
add comment=2006 name=pool-2006 ranges=10.9.15.130-10.9.15.254
add comment=2007 name=pool-2007 ranges=10.9.17.2-10.9.17.126
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
add address-pool=pool-2001 comment=2001 interface=vlan2001 lease-time=9h name=dhcp-2001
add address-pool=pool-2002 comment=2002 interface=vlan2002 lease-time=10m name=dhcp-2002
add address-pool=pool-2005 comment=2005 interface=vlan2005 lease-time=10m name=dhcp-2005
add address-pool=pool-2003 comment=2003 interface=vlan2003 lease-time=9h name=dhcp-2003
add address-pool=pool-2000 comment=2000 interface=vlan2000 lease-time=1h name=dhcp-2000
add address-pool=pool-2004 comment=2004 interface=vlan2004 lease-time=9h name=dhcp-2004
add address-pool=pool-2006 comment=2006 interface=vlan2006 lease-time=9h name=dhcp-2006
add address-pool=pool-2007 comment=2007 interface=vlan2007 lease-time=9h name=dhcp-2007
/port
set 0 name=serial0
set 1 name=serial1
/interface sstp-client
# Outbound SSTP client only (this router is not a VPN server); the static routes further
# down via SSTP-GATEWAY are the networks reached through it.
add connect-to=PROTECTED disabled=no http-proxy=0.0.0.0 name=vpn port=444 profile=default-encryption proxy-port=444 user=user
/routing table
# Second routing table "ONT": it holds only a default route (see /ip route), no connected
# LAN routes. Anything looked up in it therefore matches the default route.
add disabled=no fib name=ONT
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) is enabled on every interface, including both WANs;
# the default configuration limits it to the LAN list. Consider discover-interface-list=LAN.
set discover-interface-list=all
/interface bridge vlan
# Only ether6-8 carry the tagged VLANs; the other bridge ports are untagged/VLAN 1 only.
add bridge=bridge comment=2001 tagged=bridge,ether6,ether7,ether8 vlan-ids=2001
add bridge=bridge comment=2005 tagged=bridge,ether6,ether7,ether8 vlan-ids=2005
add bridge=bridge comment=2002 tagged=bridge,ether6,ether7,ether8 vlan-ids=2002
add bridge=bridge comment=2003 tagged=bridge,ether6,ether7,ether8 vlan-ids=2003
add bridge=bridge comment=2000 tagged=bridge,ether6,ether7,ether8 vlan-ids=2000
add bridge=bridge comment=2004 tagged=bridge,ether6,ether7,ether8 vlan-ids=2004
add bridge=bridge comment=2006 tagged=bridge,ether6,ether7,ether8 vlan-ids=2006
add bridge=bridge comment=2007 tagged=bridge,ether6,ether7,ether8 vlan-ids=2007
/interface list member
# NOTE(review): the LAN list contains only physical ports. Neither "bridge" nor any of the
# vlan20xx interfaces is a member, yet the firewall below matches in-interface-list=LAN on
# routed (L3) traffic. Verify that the input-chain "drop all not coming from LAN" rule is
# really matching the VLAN interfaces as intended; the defconf normally lists "bridge" here.
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=sfp-sfpplus1 list=LAN
/ip address
add address=192.168.1.254/24 comment=defconf interface=bridge network=192.168.1.0
add address=PROTECTED/30 interface=vlan20-isp network=PROTECTED
add address=PROTECTED/30 interface=ether2 network=PROTECTED
add address=10.9.16.1/25 interface=vlan2001 network=10.9.16.0
add address=10.9.16.129/25 interface=vlan2002 network=10.9.16.128
add address=10.10.254.254/16 interface=vlan2005 network=10.10.0.0
add address=10.9.15.1/25 interface=vlan2003 network=10.9.15.0
add address=10.9.12.1/23 interface=vlan2000 network=10.9.12.0
add address=10.9.14.1/24 interface=vlan2004 network=10.9.14.0
add address=10.9.15.129/25 interface=vlan2006 network=10.9.15.128
add address=10.9.17.1/25 interface=vlan2007 network=10.9.17.0
/ip dhcp-server network
add address=10.9.12.0/23 comment=2000 dns-server=1.1.1.1,9.9.9.9,8.8.8.8 gateway=10.9.12.1
add address=10.9.14.0/24 comment=2004 dns-server=1.1.1.1,9.9.9.9,8.8.8.8 gateway=10.9.14.1
add address=10.9.15.0/25 comment=2003 dns-server=1.1.1.1,9.9.9.9,8.8.8.8 gateway=10.9.15.1
add address=10.9.15.128/25 comment=2006 dns-server=1.1.1.1,9.9.9.9,8.8.8.8 gateway=10.9.15.129
add address=10.9.16.0/25 comment=2001 dns-server=1.1.1.1,9.9.9.9,8.8.8.8 gateway=10.9.16.1
add address=10.9.16.128/25 comment=2002 dns-server=1.1.1.1,9.9.9.9,8.8.8.8 gateway=10.9.16.129
add address=10.9.17.0/25 comment=2007 dns-server=1.1.1.1,9.9.9.9,8.8.8.8 gateway=10.9.17.1
add address=10.10.0.0/16 comment=2005 dns-server=1.1.1.1,9.9.9.9,8.8.8.8 gateway=10.10.254.254
add address=192.168.1.0/24 comment=defconf dns-server=1.1.1.1,9.9.9.9,8.8.8.8 gateway=192.168.1.254
/ip dns
# The router answers DNS for any requester; WAN-side queries to UDP/TCP 53 are only stopped
# by the input-chain "drop all not coming from LAN" rules (IPv4 and IPv6) below, so those
# rules must keep working for the router not to become an open resolver.
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9,8.8.8.8
/ip dns static
add address=192.168.1.254 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# SECURITY: this WinBox rule has no in-interface or source restriction and sits before the
# "drop all not coming from LAN" rule, so TCP/8291 is reachable from both WAN interfaces.
# Restrict it (e.g. add src-address-list= holding only trusted management addresses) or
# remove it and administer the router over the VPN / from LAN only.
add action=accept chain=input comment="WinBox Wan Administration" dst-port=8291 protocol=tcp
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# The forward chain ends here with no final drop, so every new LAN-to-LAN connection is
# accepted by default and nothing implements the stated goal of isolating vlan2000.
# A rule such as `add action=drop chain=forward in-interface=vlan2000 dst-address-list=lan-subnets`
# (with an address list holding the VLAN subnets and 192.168.1.0/24), placed before this
# point, would block vlan2000 from reaching the other VLANs while leaving its WAN access.
/ip firewall mangle
# NOTE(review): the accept rules below exempt only traffic addressed to the router's own
# gateway IP from routing-marking. Traffic from the ONT-marked sources (10.9.12.0/23,
# 10.9.16.128/25, 10.10.0.0/16) to any OTHER LAN subnet is therefore looked up in table
# ONT, whose only route is the default route — so it is most likely sent out ether2 (and
# src-nat'ed to the ISP) instead of being delivered to the connected VLAN. That would
# explain the broken inter-VLAN reachability and is also a leak of private-destination
# traffic to the WAN. Adding `add action=accept chain=prerouting dst-address-list=lan-subnets`
# ahead of the mark-routing rules should keep LAN-to-LAN traffic in the main table.
# TODO confirm with a traceroute from a vlan2000 host to another VLAN.
add action=accept chain=prerouting dst-address=10.9.14.1 src-address=10.9.14.0/24
add action=accept chain=prerouting dst-address=10.9.15.1 src-address=10.9.15.0/25
add action=accept chain=prerouting dst-address=10.9.15.129 src-address=10.9.15.128/25
add action=accept chain=prerouting dst-address=10.9.16.1 src-address=10.9.16.0/25
add action=accept chain=prerouting dst-address=10.9.16.129 src-address=10.9.16.128/25
add action=accept chain=prerouting dst-address=10.10.254.254 src-address=10.10.0.0/16
add action=accept chain=prerouting dst-address=192.168.1.254 src-address=192.168.1.0/24
add action=mark-routing chain=prerouting new-routing-mark=ONT src-address=10.9.12.0/23
add action=mark-routing chain=prerouting new-routing-mark=main passthrough=yes src-address=10.9.14.0/24
add action=mark-routing chain=prerouting new-routing-mark=main src-address=10.9.15.0/25
add action=mark-routing chain=prerouting new-routing-mark=main src-address=10.9.15.128/25
add action=mark-routing chain=prerouting new-routing-mark=main src-address=10.9.16.0/25
add action=mark-routing chain=prerouting new-routing-mark=ONT passthrough=yes src-address=10.9.16.128/25
add action=mark-routing chain=prerouting new-routing-mark=main src-address=10.9.17.0/25
add action=mark-routing chain=prerouting new-routing-mark=ONT passthrough=yes src-address=10.10.0.0/16
add action=mark-routing chain=prerouting new-routing-mark=main passthrough=yes src-address=192.168.1.0/24
/ip firewall nat
# Two egress NATs, one per WAN: masquerade on vlan20-isp, fixed src-nat on ether2.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=vlan20-isp
add action=src-nat chain=srcnat out-interface=ether2 to-addresses=PROTECTED
# Inbound UDP port forwards from vlan20-isp to the host 10.9.16.2 in vlan2001.
add action=dst-nat chain=dstnat dst-address=PROTECTED dst-port=2001 in-interface=vlan20-isp protocol=udp to-addresses=10.9.16.2 to-ports=2001
add action=dst-nat chain=dstnat dst-address=PROTECTED dst-port=2002 in-interface=vlan20-isp protocol=udp to-addresses=10.9.16.2 to-ports=2005
/ip route
# pref-src="" is the RouterOS default (no preferred source address); an empty Pref. Source
# on the connected VLAN routes is normal and not a problem.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PROTECTED pref-src="" routing-table=ONT scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PROTECTED pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.9.0.0/24 gateway=SSTP-GATEWAY pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add distance=1 dst-address=10.9.4.0/24 gateway=SSTP-GATEWAY
add distance=1 dst-address=10.9.250.0/24 gateway=SSTP-GATEWAY
# Networks behind the 10.9.16.2 host (vlan2001); these exist only in the main table.
add distance=1 dst-address=10.6.12.0/24 gateway=10.9.16.2
add distance=1 dst-address=10.7.12.0/24 gateway=10.9.16.2
add distance=1 dst-address=10.7.15.0/24 gateway=10.9.16.2
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Unmodified defconf IPv6 rules; they rely on the same LAN interface list noted above.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
How can I fix/optimize this? I’ve tried so many rules, but they didn’t work.
Kind Regards,