Intervlan RB4011

mnalamsputra · June 15, 2021, 9:44am

Hi All,

Sorry my English so bad.

I have plan in new building our office use RB4011 for Gateway (Router with VLAN) and Access Switch HP1820-48G.
I’m set VLAN and IP for Gateway in Mikrotik :
VLAN 1101 = 10.10.101.1/25
VLAN 1102 = 10.10.102.1/25
VLAN 1103 = 10.10.103.1/25

Now condition :

Trunking VLAN betwen Mikrotik to Access Switch = OK
Connection form Client (connect to access switch) to outside network via Mikrotik = OK

But i have a problems, intervlan on mikrotik cannot communicate.
For the exsample client in VLAN 1101 cant connect to client in VLAN 1102, and client from VLAN 1102 cannot connect to client in VLAN 1101

what can i do so that Intervlan can communicate?

Thank You

erlinden · June 15, 2021, 10:09am

By default it should work. You would have to check your firewall for rules blocking intervlan communication.
Perhaps you can share your configuration: /export hide-sensitive file=anynameyoulike

Please have a look at this great VLAN tutorial (as well): http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

anav · June 15, 2021, 1:45pm

IF you need your vlans to communicate (everybody to everybody) then you dont need separate vlans LOL.

Typically a vlan will share a printer with other vlans for example. SO there are good cases for targetted sharing.

mnalamsputra · June 16, 2021, 5:12am

Hi Erlinden,
This is my config
software id = J16B-3S3M

model = RB4011iGS+

serial number =

/interface bridge
add admin-mac=2C:C8:1B:21:B0:0E auto-mac=no comment=defconf name=bridge
add name=bridge-cpp_ho
add name=bridge-cpp_svr
add name=bridge-npl_mgm
add name=bridge-npl_p2p
add name=bridge-npl_subho_wa
add name=bridge-wa_isp1
add name=bridge-wa_isp2
/interface vlan
add interface=bridge-npl_subho_wa name=vlan_101_mgm vlan-id=101
add interface=bridge-npl_subho_wa name=vlan_1101_ga vlan-id=1101
add interface=bridge-npl_subho_wa name=vlan_1102_mis vlan-id=1102
add interface=bridge-npl_subho_wa name=vlan_1103_ic vlan-id=1103
add interface=bridge-npl_subho_wa name=vlan_1104_fa vlan-id=1104
add interface=bridge-npl_subho_wa name=vlan_1105_ma vlan-id=1105
add interface=bridge-npl_subho_wa name=vlan_1106_export vlan-id=1106
add interface=bridge-npl_subho_wa name=vlan_1107_busdev vlan-id=1107
add interface=bridge-npl_subho_wa name=vlan_1120_internet vlan-id=1120
add interface=bridge-npl_subho_wa name=vlan_2039_taxcelor vlan-id=2039
add interface=bridge-npl_subho_wa name=vlan_2040_tcpp vlan-id=2040
add interface=bridge-npl_subho_wa name=vlan_4001_cppsvr vlan-id=4001
add interface=bridge-npl_subho_wa name=vlan_4002_cppmis vlan-id=4002
add interface=bridge-npl_subho_wa name=vlan_4003_cppho vlan-id=4003
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge interface=ether1
add bridge=bridge-npl_p2p broadcast-flood=no interface=ether2
add bridge=bridge-npl_p2p interface=ether3
add bridge=bridge-wa_isp1 interface=ether4
add bridge=bridge-wa_isp2 interface=ether5
add bridge=bridge-npl_subho_wa interface=ether7
add bridge=bridge-npl_subho_wa interface=ether6
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=10.10.101.1/25 comment=gw_subho_wa_mis interface=vlan_1101_ga
network=10.10.101.0
add address=192.20.1.3/29 comment=ip_p2p_ho interface=bridge-npl_p2p network=
192.20.1.0
add address=10.10.103.1/25 comment=gw_subho_wa_ic interface=vlan_1103_ic
network=10.10.103.0
add address=192.168.77.1/24 comment=gw_subho_mgm interface=vlan_101_mgm
network=192.168.77.0
add address=10.10.104.1/25 comment=gw_subho_wa_fa interface=vlan_1104_fa
network=10.10.104.0
add address=10.10.105.1/25 comment=gw_subho_wa_exp interface=vlan_1105_ma
network=10.10.105.0
add address=10.10.106.1/25 comment=gw_subho_wa_busdev interface=
vlan_1106_export network=10.10.106.0
add address=10.40.1.1/24 comment=gw_cppsvr interface=vlan_4001_cppsvr
network=10.40.1.0
add address=10.40.2.1/24 comment=gw_cppho interface=vlan_4002_cppmis network=
10.40.2.0
add address=10.10.102.1/25 comment=gw_subho_wa_ga interface=vlan_1102_mis
network=10.10.102.0
add address=10.10.120.1/25 comment=gw_subho_wa_inet interface=
vlan_1120_internet network=10.10.120.0
add address=10.20.39.1/24 comment=gw_subho_wa_taxcelor interface=
vlan_2039_taxcelor network=10.20.39.0
add address=10.20.40.1/24 comment=gw_subho_wa_tcpp interface=vlan_2040_tcpp
network=10.20.40.0
/ip dhcp-client

DHCP client can not run on slave interface!

add comment=defconf dhcp-options=hostname,clientid disabled=no interface=
ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.10.101.0/25 list=vlan_101
add address=10.10.102.0/25 list=vlan_102
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes
ipsec-policy=out,none out-interface-list=WAN
/ip route
add comment="Route to HO" distance=1 gateway=192.20.1.1
/ip route rule
add dst-address=10.10.102.0/25 src-address=10.10.101.0/25 table=main
add dst-address=10.10.101.0/25 src-address=10.10.102.0/25 table=main
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thanks for your respond..

mnalamsputra · June 16, 2021, 5:27am

Oh, sure I have the reason. Vlans I need for the policy for outgoing connection like Internet Proxy.

anav · June 17, 2021, 11:07am

Have you read the article, I think not.
You have a mess that the article will help clear up.
Hint, one bridge
Hint, every vlan needs four things, ip address, pool, dhcp server, dhcp server network.