Hello everybody.
I’m new to Mikrotik and RouterOS.
I have a Mikrotik router, model CCR-1009-8G-1S-1S+. The RouterOS version is 6.32.3.
I want to set up Inter-VLAN routing on a single Ethernet interface that is linked to a CRS125 switch tagged port.
I’ve set up the CCR as an internal router, without NAT, with a number of VLANs on a single Ethernet interface (ether2):
[admin@MikroTik] > interface vlan print
Flags: X - disabled, R - running, S - slave
# NAME MTU ARP VLAN-ID INTERFACE
0 R vlan2 1500 enabled 2 ether2
1 R vlan10 1500 enabled 10 ether2
2 R vlan11 1500 enabled 11 ether2
3 R vlan14 1500 enabled 14 ether2
4 R vlan15 1500 enabled 15 ether2
5 R vlan16 1500 enabled 16 ether2
6 R vlan17 1500 enabled 17 ether2
7 R vlan18 1500 enabled 18 ether2
8 R vlan19 1500 enabled 19 ether2
9 R vlan21 1500 enabled 21 ether2
10 R vlan22 1500 enabled 22 ether2
11 R vlan23 1500 enabled 23 ether2
12 R vlan24 1500 enabled 24 ether2
13 R vlan31 1500 enabled 31 ether2
14 R vlan32 1500 enabled 32 ether2
15 R vlan33 1500 enabled 33 ether2
16 R vlan34 1500 enabled 34 ether2
17 R vlan35 1500 enabled 35 ether2
18 R vlan41 1500 enabled 41 ether2
19 R vlan42 1500 enabled 42 ether2
20 R vlan43 1500 enabled 43 ether2
21 R vlan44 1500 enabled 44 ether2
22 R vlan45 1500 enabled 45 ether2
23 R vlan46 1500 enabled 46 ether2
24 R vlan47 1500 enabled 47 ether2
25 R vlan48 1500 enabled 48 ether2
26 R vlan61 1500 enabled 61 ether2
27 R vlan62 1500 enabled 62 ether2
28 R vlan63 1500 enabled 63 ether2
29 R vlan64 1500 enabled 64 ether2
30 R vlan71 1500 enabled 71 ether2
31 R vlan81 1500 enabled 81 ether2
32 R vlan82 1500 enabled 82 ether2
33 R vlan83 1500 enabled 83 ether2
Each VLAN interface has an IP address on its own network (/24) ending with .99:
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; default configuration
192.168.88.1/24 192.168.88.0 ether8
1 ;;; Servers network
192.168.10.99/24 192.168.10.0 vlan10
2 ;;; OIT network
192.168.11.99/24 192.168.11.0 vlan11
3 192.168.14.99/24 192.168.14.0 vlan14
4 192.168.15.99/24 192.168.15.0 vlan15
5 192.168.16.99/24 192.168.16.0 vlan16
6 192.168.17.99/24 192.168.17.0 vlan17
7 192.168.18.99/24 192.168.18.0 vlan18
8 192.168.19.99/24 192.168.19.0 vlan19
9 192.168.2.99/24 192.168.2.0 vlan2
10 192.168.21.99/24 192.168.21.0 vlan21
11 192.168.22.99/24 192.168.22.0 vlan22
12 192.168.23.99/24 192.168.23.0 vlan23
13 192.168.24.99/24 192.168.24.0 vlan24
14 192.168.31.99/24 192.168.31.0 vlan31
15 192.168.32.99/24 192.168.32.0 vlan32
16 192.168.33.99/24 192.168.33.0 vlan33
17 192.168.35.99/24 192.168.35.0 vlan35
18 192.168.34.99/24 192.168.34.0 vlan34
19 192.168.41.99/24 192.168.41.0 vlan41
20 192.168.42.99/24 192.168.42.0 vlan42
21 192.168.43.99/24 192.168.43.0 vlan43
22 192.168.44.99/24 192.168.44.0 vlan44
23 192.168.45.99/24 192.168.45.0 vlan45
24 192.168.46.99/24 192.168.46.0 vlan46
25 192.168.47.99/24 192.168.47.0 vlan47
26 192.168.48.99/24 192.168.48.0 vlan48
27 192.168.61.99/24 192.168.61.0 vlan61
28 192.168.62.99/24 192.168.62.0 vlan62
29 192.168.63.99/24 192.168.63.0 vlan63
30 192.168.64.99/24 192.168.64.0 vlan64
31 192.168.71.99/24 192.168.71.0 vlan71
32 192.168.82.99/24 192.168.82.0 vlan82
33 ;;; WiFi network
192.168.84.99/23 192.168.84.0 vlan83
34 192.168.0.99/24 192.168.0.0 ether2
35 192.168.81.99/24 192.168.81.0 vlan81
ether8 has the default IP 192.168.88.1 for testing purposes.
Default gateway is on vlan10:
[admin@MikroTik] > ip route print where dst-address=0.0.0.0/0
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 192.168.10.6 1
All other routes are in their places, as they should be:
[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 192.168.10.6 1
1 ADC 192.168.0.0/24 192.168.0.99 ether2 0
2 ADC 192.168.2.0/24 192.168.2.99 vlan2 0
3 ADC 192.168.10.0/24 192.168.10.99 vlan10 0
4 ADC 192.168.11.0/24 192.168.11.99 vlan11 0
5 ADC 192.168.14.0/24 192.168.14.99 vlan14 0
6 ADC 192.168.15.0/24 192.168.15.99 vlan15 0
7 ADC 192.168.16.0/24 192.168.16.99 vlan16 0
8 ADC 192.168.17.0/24 192.168.17.99 vlan17 0
9 ADC 192.168.18.0/24 192.168.18.99 vlan18 0
10 ADC 192.168.19.0/24 192.168.19.99 vlan19 0
11 ADC 192.168.21.0/24 192.168.21.99 vlan21 0
12 ADC 192.168.22.0/24 192.168.22.99 vlan22 0
13 ADC 192.168.23.0/24 192.168.23.99 vlan23 0
14 ADC 192.168.24.0/24 192.168.24.99 vlan24 0
15 ADC 192.168.31.0/24 192.168.31.99 vlan31 0
16 ADC 192.168.32.0/24 192.168.32.99 vlan32 0
17 ADC 192.168.33.0/24 192.168.33.99 vlan33 0
18 ADC 192.168.34.0/24 192.168.34.99 vlan34 0
19 ADC 192.168.35.0/24 192.168.35.99 vlan35 0
20 ADC 192.168.41.0/24 192.168.41.99 vlan41 0
21 ADC 192.168.42.0/24 192.168.42.99 vlan42 0
22 ADC 192.168.43.0/24 192.168.43.99 vlan43 0
23 ADC 192.168.44.0/24 192.168.44.99 vlan44 0
24 ADC 192.168.45.0/24 192.168.45.99 vlan45 0
25 ADC 192.168.46.0/24 192.168.46.99 vlan46 0
26 ADC 192.168.47.0/24 192.168.47.99 vlan47 0
27 ADC 192.168.48.0/24 192.168.48.99 vlan48 0
28 ADC 192.168.61.0/24 192.168.61.99 vlan61 0
29 ADC 192.168.62.0/24 192.168.62.99 vlan62 0
30 ADC 192.168.63.0/24 192.168.63.99 vlan63 0
31 ADC 192.168.64.0/24 192.168.64.99 vlan64 0
32 ADC 192.168.71.0/24 192.168.71.99 vlan71 0
33 ADC 192.168.81.0/24 192.168.81.99 vlan81 0
34 ADC 192.168.82.0/24 192.168.82.99 vlan82 0
35 ADC 192.168.84.0/23 192.168.84.99 vlan83 0
36 ADC 192.168.88.0/24 192.168.88.1 ether8 0
The firewall has a single rule, accepting all connections:
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=accept log=no log-prefix=""
The CCR is connected to a CRS-125 switch tagged port; all VLAN tags are present.
Clients on all VLANs can access the internet via the default gateway 192.168.10.6.
Clients on most VLANs can reach internal services (webmail, SQL Server, Helpdesk system, etc.) on VLANs 10 and 11.
And now the question:
I can’t get Inter-VLAN routing to work completely.
Clients on different VLANs can’t reach each other.
This means I can’t get network shares or printers working if they belong to a different network than the client.
What have I missed? What do I have to do to get Inter-VLAN routing to work?
Thank you.