Inter-VLAN routing not working

thatscringebro · April 7, 2025, 1:37pm

I have been running my mikrotik router for a while using the config generated by the QuickSet menu, and I am trying to create 3 VLANs, with a one sided inter-VLAN routing so that I can manage devices that are separated. I have an external switch (HP V1910-48G), connected to my router on port eth9 to port 48 on the switch. My 3 VLANs are created on the switch, with the ports 1-47 set to untagged/access, each set to their respective VLAN and port 48 is tagged/hybrid on each VLAN. I have also created my VLANs on my mikrotik router, the addresses, the DHCP servers and fortunately, the devices connected the ports on my switch get the adequate ip based on the VLAN associated.

My problem is that inter-VLAN routing does not work: I cannot access devices from 1 VLAN to another, no matter the VLAN. I want to be able to access all the devices on the network from HomeVLAN, but currently, I can’t.

Here is my current config:

# apr/05/2025 10:00:46 by RouterOS 6.49.17

# software id = EADN-FEFS

#

# model = RB3011UiAS

# serial number = HEQ090099NM

/interface bridge

add admin-mac=78:9A:18:0A:BB:D5 auto-mac=no comment=defconf name=bridge

/interface ethernet

set [ find default-name=ether1 ] advertise=100M-half,100M-full,1000M-half,1000M-full

/interface vlan

add interface=bridge name="Home (VLAN 10)" vlan-id=10

add interface=bridge name="Server (VLAN 20)" vlan-id=20

add interface=bridge name="Wifi (VLAN 30)" vlan-id=30

/interface list

add comment=defconf name=WAN

add comment=defconf name=LAN

/interface wireless security-profiles

set [ find default=yes ] supplicant-identity=MikroTik

add authentication-types=wpa2-psk mode=dynamic-keys name=WPA2 supplicant-identity=MikroTik

/ip pool

add name=dhcp ranges=192.168.88.10-192.168.88.254

add name=Home ranges=192.168.10.10-192.168.10.200

add name=Server ranges=192.168.20.10-192.168.20.200

add name=Wifi ranges=192.168.30.10-192.168.30.200

/ip dhcp-server

add address-pool=dhcp disabled=no interface=bridge name=defconf

add address-pool=Home disabled=no interface="Home (VLAN 10)" name=Home

add address-pool=Server disabled=no interface="Server (VLAN 20)" name=Server

add address-pool=Wifi disabled=no interface="Wifi (VLAN 30)" name=Wifi

/interface bridge port

add bridge=bridge comment=defconf interface=ether2

add bridge=bridge comment=defconf interface=ether3

add bridge=bridge comment=defconf interface=ether4

add bridge=bridge comment=defconf interface=ether5

add bridge=bridge comment=defconf interface=ether6

add bridge=bridge comment=defconf interface=ether7

add bridge=bridge comment=defconf interface=ether9

add bridge=bridge comment=defconf interface=ether10

add bridge=bridge comment=defconf interface=sfp1

add bridge=bridge interface=ether8

/ip neighbor discovery-settings

set discover-interface-list=LAN

/interface list member

add comment=defconf interface=bridge list=LAN

add comment=defconf interface=ether1 list=WAN

add interface="Home (VLAN 10)" list=LAN

add interface="Server (VLAN 20)" list=LAN

add interface="Wifi (VLAN 30)" list=LAN

/ip address

add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0

add address=192.168.10.1/24 interface="Home (VLAN 10)" network=192.168.10.0

add address=192.168.20.1/24 interface="Server (VLAN 20)" network=192.168.20.0

add address=192.168.30.1/24 interface="Wifi (VLAN 30)" network=192.168.30.0

/ip dhcp-client

add comment=defconf disabled=no interface=ether1

/ip dhcp-server network

add address=192.168.10.0/24 gateway=192.168.10.1

add address=192.168.20.0/24 gateway=192.168.20.1

add address=192.168.30.0/24 gateway=192.168.30.1

add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

/ip dns

set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1

/ip firewall filter

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked

add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid

add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp

add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec

add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes

add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked

add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

add action=accept chain=forward in-interface="Home (VLAN 10)" out-interface="Server (VLAN 20)"

add action=accept chain=forward in-interface="Home (VLAN 10)" out-interface="Wifi (VLAN 30)"

/ip firewall nat

add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

add action=dst-nat chain=dstnat dst-port=81 protocol=tcp to-addresses=192.168.20.11 to-ports=80

add action=dst-nat chain=dstnat dst-port=444 protocol=tcp to-addresses=192.168.20.11 to-ports=443

/system clock

set time-zone-name=America/Toronto

/system identity

set name=RouterOS

/tool mac-server

set allowed-interface-list=LAN

/tool mac-server mac-winbox

set allowed-interface-list=LAN

TheCat12 · April 7, 2025, 1:45pm

If this is your whole configiration, you have missed to set up Bridge VLAN filtering. You need to define which ports in the bridge will be access for which VLAN and which port will be the trunk one (I assume that will be ether3).

Suggest you read the following quite useful topic:

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1