Hey Community,
Can we perform inter-VLAN routing using a MikroTik router, like we can configure inter-VLAN routing on CISCO routers?
Regards,
Once your top interface has an IP address, yes.
Regards,
Sent from my LG-H812 using Tapatalk
Hey AlainCasault,
I would like to briefly explain my setup. I have a Ubiquiti device, a CISCO 2950 switch & a MikroTik router. Internet is terminated on the Ubiquiti device & its LAN port is connected to the CISCO switch. There are 2 ports configured as WAN1 & WAN2 on the MikroTik & 2 ports configured as LAN1 & LAN2. IP addresses have been set up accordingly. I am using PBR in order to use both WAN1 & WAN2. LAN1 traffic is passing through WAN1 & LAN2 traffic is passing through WAN2. I have configured 3 VLANs on the CISCO switch. The problem is that I am unable to ping from LAN1 to LAN2 clients’ IPs. For example: LAN1 gateway is 192.168.1.1 & LAN2 gateway is 192.168.50.1; it is successful, but when I ping from 192.168.1.1 to 192.168.50.100 it is unsuccessful. Screenshot is attached for your review.
Regards,

Hello Azib,
I’m very visual and it’s hard without a network diagram. From what I can guess (and see from my training sessions), have you disabled personal firewalls?
It’s a VERY common error that causes many headaches.
If the gateways can ping each other, I would guess that it’s not a vlan issue.
Again, a diagram would help a lot!!
Regards
Sent from my LG-H812 using Tapatalk
Hey AlainCasault,
Network diagram is attached for your review.
Regards,

Ok.
As both lans are on the same L2 segment (VLAN 20), they should ping provided your vlan interface has an IP (2) for both subnets. Definitely check personal firewall.
From a design point of view, it’s a bad idea to have 2 IP subnets in the same VLAN. Impossible to separate L2 traffic. Vulnerable to sniffing and other attacks. Having VLANs also serves to create smaller collision and broadcast domains to reduce the impact of high volume traffic.
Why do you have two wans with 2 IPs, but only one ISP? For testing purposes maybe??
Also, I think you have a drawing typo. You show 2 LAN1s and 2 LAN2s.
Regards,
Sent from Tapatalk
Hey AlainCasault,
At the initial stage I created separate VLANs for each LAN segment & separate VLANs do exist. I can separate VLAN traffic by plugging both LANs into different VLANs; it’s not a big deal.
It’s not for test purposes; I have purchased two different links from the same ISP (CIR & Shared). I want to segregate the traffic, that’s why I have created two WANs & two LANs.
Please guide me on how to design my setup in order to have full routing between VLAN subnets.
Regards,
I would suggest that you add two more VLANs so that each subnet is fully isolated and that’s it. You’ll just need to migrate one WAN and one LAN to the new VLANs.
As long as the VLANs each have their own address, they are routed.
Sent from Tapatalk
VLANs have already been created on the CISCO Switch-2950. I just have to re-arrange the cables. I will do it as early as possible & then let you know.
Regards,
```
# NOTE: RouterOS also requires interface=<parent-port> on each
# "/interface vlan add"; the parent port is not specified here.
/interface vlan
add name=wan1-vlan10 vlan-id=10
add name=wan2-vlan20 vlan-id=20
# one bridge per WAN segment
/interface bridge
add name=bridge-vlan10
add name=bridge-vlan20
/interface bridge port
add bridge=bridge-vlan10 interface=wan1
add bridge=bridge-vlan20 interface=wan2
```

^^ boom; wan is vlan’d

```
/interface vlan
add name=lan1-vlan11 vlan-id=11
add name=lan2-vlan21 vlan-id=21
# one bridge per LAN segment
/interface bridge
add name=bridge-vlan11
add name=bridge-vlan21
/interface bridge port
add bridge=bridge-vlan11 interface=lan1
add bridge=bridge-vlan21 interface=lan2
```

^^ boom; lan is vlan’d

```
! let’s do cisco
vlan 10
 name wan1
vlan 11
 name lan1
vlan 20
 name wan2
vlan 21
 name lan2
! fa 0/1 will connect to upstream. let’s assume we’ve talked to them and they
! are going to send us vlan 10 and 20 tagged. if you need help w/what they
! are sending you let me know
int fa 0/1
 ! the 2950 is dot1q-only and does not offer the encapsulation command; skip it there
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
! fa 0/11 = wan1 and fa 0/12 = wan2
int fa 0/11
 switchport mode access
 switchport access vlan 10
int fa 0/12
 switchport mode access
 switchport access vlan 20
! fa 0/21 = lan1 (vlan 11) and fa 0/22 = lan2 (vlan 21)
int fa 0/21
 switchport mode access
 switchport access vlan 11
int fa 0/22
 switchport mode access
 switchport access vlan 21
```

^^ blamo. we have layer 2 segregated out appropriately. we could consolidate this a bit and trunk as many of the VLANs up to the mikrotik on a single port or multiple ports as desired. you would just adjust your configuration as needed. you may have all the separate ports for a reason.
To do layer 3 is easy. Remove any firewall rules on the MikroTik and start from scratch. NAT lan1 to wan1 and lan2 to wan2. Allow traffic from lan1 to lan2 as desired. Ker-blamo. Done.
I guess you are marking connections for PBR, right?
The connection gets marked before routing decisions are made.
Now a packet coming in from LAN1 to LAN2 gets the mark “WAN1”. And your PBR does what it’s supposed to do: send it out via WAN1.
So the packets get nowhere.
Add routes for the corresponding subnets with gateway= with the routing marks.
Do this for all subnet/vlan-pairs and for each routing mark.
And it will work.
-Chris
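
The lookup problem described in the post above, as an added example that is not code from the thread or from MikroTik: a small Python model of mark-based policy routing, showing a LAN1-to-LAN2 packet leaving via WAN1 until local-subnet routes exist in every marked table. The /24 masks, the gateway names `isp-gw-1`/`isp-gw-2`, the client address 192.168.1.10 and the fall-back-to-main behaviour are assumptions of the model.

```python
import ipaddress

# Constructed model of the setup in the thread. The /24 masks, the ISP
# gateway names and the table layout are assumptions; only the LAN gateway
# addresses and the "WAN1" mark come from the posts.
LAN1 = ipaddress.ip_network("192.168.1.0/24")
LAN2 = ipaddress.ip_network("192.168.50.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def base_tables():
    """Routing tables as PBR leaves them: each mark only has a default route."""
    return {
        "main": [(LAN1, "lan1"), (LAN2, "lan2")],   # connected routes
        "WAN1": [(DEFAULT, "isp-gw-1")],
        "WAN2": [(DEFAULT, "isp-gw-2")],
    }

def mark_for(src):
    """Mangle step: the mark is chosen from the source LAN before routing."""
    src = ipaddress.ip_address(src)
    if src in LAN1:
        return "WAN1"
    if src in LAN2:
        return "WAN2"
    return "main"

def lookup(tables, src, dst):
    """Longest-prefix match in the marked table, falling back to main."""
    dst = ipaddress.ip_address(dst)
    for table in (mark_for(src), "main"):
        hits = [(net, gw) for net, gw in tables[table] if dst in net]
        if hits:
            return max(hits, key=lambda h: h[0].prefixlen)[1]
    return None

def add_local_routes(tables):
    """The fix from the post: local subnets routed in every marked table."""
    for mark in ("WAN1", "WAN2"):
        tables[mark] += [(LAN1, "lan1"), (LAN2, "lan2")]
    return tables

if __name__ == "__main__":
    broken, fixed = base_tables(), add_local_routes(base_tables())
    for name, tables in (("before", broken), ("after", fixed)):
        print(name, lookup(tables, "192.168.1.10", "192.168.50.100"))
```

Internet-bound traffic still follows its mark after the fix, because the added routes are more specific than the default route and only match the local subnets.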