Issue communicating with VLAN

Hello,

I’ve been stuck for days on a problem that I can’t solve, and in the meantime I’ve run out of ideas. Maybe someone can help me out here.

My network is separated into multiple VLANs. For the sake of simplicity, I only list a relevant part of the setup here.

Hardware: RB5009UG+S+
RouterOS 7.2.3


Physical Ports:

• ether1: LAN (untagged, connected to a VLAN-aware network switch, accessing VLAN 1 on this port)
  
  
  
• ether2: WAN (untagged, WAN)
  
  
  
• ether3: WIFI (tagged, Netgear WAX610 access point, providing VLAN 1, 5 and 7).

VLANs on ether3:

• vlan1-wifi-lan (VLAN 1): LAN / trusted network
  
  
  
• vlan5-wifi-guest (VLAN 5): GUEST / untrusted network
  
  
  
• vlan7-wifi-iot (VLAN 7): IOT / semi-trusted network

The WIFI-Networks for VLAN 1 and 5 work as expected. Setting up VLAN 7 in exactly the same way, also using a separate bridge, failed. I cannot get traffic routing. I already failed to ping a single device.

My most recent try was to skip using a bridge and just use the vlan-interface (vlan7-wifi-iot) directly. I also added logging firewall rules and allowing all incoming, outgoing and forwarding traffic for this interface as the top most firewall rules. I can see some broadcast and multicast packages on udp port 5353 and continuously on udp port 67. From any connected device to the WIFI network on VLAN 7 I successfully receive a DHCP response and get an IP address assigned. Resolving DNS or establishing an udp or tcp connection fails with “network unreachable”.

Here is my (simplified) most recent configuration:

/interface bridge
add admin-mac=12:34:56:78:90:AB auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
add ingress-filtering=no name=bridge_guest pvid=5 vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment=WIFI
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes

/interface vlan
add interface=ether3 name=vlan1-wifi-lan vlan-id=1
add interface=ether3 name=vlan5-wifi-guest vlan-id=5
add interface=ether3 name=vlan7-wifi-iot vlan-id=7

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=GUEST
add name=IOT

/ip pool
add name=lan-clients ranges=10.12.32.101-10.12.32.199
add name=guest-clients ranges=10.12.88.101-10.12.88.199
add name=iot-clients ranges=10.12.90.101-10.12.90.199

/ip dhcp-server
add add-arp=yes address-pool=lan-clients always-broadcast=yes interface=\
    bridge lease-time=1h name=lan
add address-pool=guest-clients always-broadcast=yes interface=bridge_guest \
    lease-time=30m name=guest
add add-arp=yes address-pool=iot-clients always-broadcast=yes interface=\
    vlan7-wifi-iot lease-time=3m name=iot

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge_guest interface=vlan5-wifi-guest pvid=5
add bridge=bridge interface=vlan1-wifi-lan

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge_guest list=GUEST
add interface=vlan7-wifi-iot list=IOT

/ip address
add address=10.12.32.1/24 interface=bridge network=10.12.32.0
add address=192.168.178.250/24 interface=ether1 network=192.168.178.0
add address=10.12.88.1/24 interface=bridge_guest network=10.12.88.0
add address=10.12.90.0/24 interface=vlan7-wifi-iot network=10.12.90.0

/ip dhcp-server network
add address=10.12.32.0/24 dns-server=10.12.32.1 gateway=10.12.32.1
add address=10.12.88.0/24 dns-server=10.12.88.1 gateway=10.12.88.1
add address=10.12.90.0/24 dns-server=10.12.90.1 gateway=10.12.90.1 netmask=24

/ip firewall filter
add action=accept chain=forward in-interface-list=IOT log=yes log-prefix=\
    test-
add action=accept chain=forward log=yes log-prefix=test- out-interface-list=\
    IOT
add action=accept chain=input in-interface-list=IOT log=yes log-prefix=test-
add action=accept chain=output log=yes log-prefix=test- out-interface-list=\
    IOT
# ...
add action=drop chain=forward comment="DROP POLICY - FORWARD"
add action=drop chain=input comment="DROP POLICY - INPUT"

/ip firewall mangle
add action=log chain=prerouting in-interface-list=IOT log=yes log-prefix=\
    test-
add action=log chain=postrouting log=yes log-prefix=test- out-interface-list=\
    IOT

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade for iot" log=yes \
    log-prefix=test- out-interface-list=IOT

/ip route
add check-gateway=ping disabled=no distance=5 dst-address=0.0.0.0/0 gateway=\
    192.168.178.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10

I would greatly appreciate any help, ideas or tips.
Thank you.

You have an incomplete mix of old-style bridge-per-vlan and new-style VLAN-aware bridge. Use a single VLAN aware bridge, see the section https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeVLANFiltering in the documentation

Hello tdw,

thank you for your reply. If I understand you correctly, you advise me to bind practically all ports and VLANs into a single bridge. I assume that I could implement most of the firewall rules and NATs through the bridge configuration. However, I don’t understand how I can now provide, for example, separate DHCP servers for the different networks, since everything is now a single bridge instead of separate bridges and interfaces.

Please note that each VLAN represents a separate network segment, using separate subnets, and should kept isolated as strictly as possible, except of some specific routing/nat for specific protocols and devices.

Post your complete config (hiding any public IPs)
Add network diagram,
and I will take a look. detailed

Read the docs that @tdw linked.

Create your vlan interfaces on a single bridge device, not ether3. use /interface bridge port and /interface bridge vlan to configure vlans on the switch ports.

p.s. I had a more complete post, but the board went unavailable, and I lost what I entered when I tried to preview.

When this happens, a step back in browser normally takes you back to the edited message - at least this works in Mozilla Firefox. Saved me some nerve multiple times.

I think my mistake was that I did go back and then got the “board in unavailable, please try again in a few minutes” message again. Then I think I must have refreshed the page when the board was still not available.

Next time this happens, I will open a new tab and wait until the the board is available in the new tab, then return to the “preview tab” and go to previous page, then hopefully the page will still be in the browser’s cache, and I can then use preview again.

Post your complete config (hiding any public IPs)
Add network diagram,
and I will take a look. detailed >

Hello anav, thank you for offering your help and sorry for my late reply. I will try to draw down my local network diagram and provide a more complete configuration of the current system within the next week.


In advance in text form:

My network is separated into domains/subnets:

1. WAN: The only device here is my internet router incl. its telephone system. The IP address space is managed by the internet router itself.
2. LAN: My local “trusted” network including my PCs and Home Server. Some devices are allowed to join this network via wireless lan. Address space is 10.12.32.0/24 and configured via the Mikrotik DHCP server. All registered devices are allowed to communicate to each other.
3. Guest: My local “i don’t care” network for guests and their smartphones and tablets. Address space is 10.12.88.0/24 and configured via the Mikrotik DHCP server. All registered devices are allowed to access the WAN, but nothing else.
4. Echo: All devices on this network join the network via wireless lan, are allowed to communicate with each other and access the WAN. Address space is 10.12.89.0/24 and configured via the Mikrotik DHCP server.
5. IoT: MY local “semi-trusted” network. All registered devices join this network via wireless lan and should not be able to communicate with each other. Address space is 10.12.90.0/24 and configured via the Mikrotik DHCP server. The registered devices are allowed to access specific targets and ports on WAN (ntp) and LAN (mqtt) in order to operate as expected on per-device rules.
6. There are multiple external networks connected via Wireguard VPN and IPsec. Limited access is allowed between single devices and networks. Almost all of them do not allow incoming traffic, but only outgoing.

The firewall rules are quite simple, restricting:

1. access to interfaces and VPNs
2. denying access to DNS services in order to force Android to use the Mikrotik DNS Server
3. manipulate / redirect unencrypted DNS packages in order to redirect specific incoming requests via VPN
4. allowing single devices from “IoT” to access single devices and ports within “LAN”
5. and after some more simple rules, dropping everything else, since I can’t find a way how to configure the firewall policy itself (assuming this firewall uses something like iptables)

Read the docs that @tdw linked.

Create your vlan interfaces on a single bridge device, not ether3. use /interface bridge port and /interface bridge vlan to configure vlans on the switch ports.

p.s. I had a more complete post, but the board went unavailable, and I lost what I entered when I tried to preview.

Hello Buckeye, thank you for your reply. I have already read the document, but obviously did not understand the relevant part, if I read that correctly from your response. Too bad that your longer post was lost.

Here a short description of what I remember I tried (and failed):

1. Enabled safe-mode.
2. Deleted all existing bridges except of one, called “bridge”.
3. Deleted all existing vlan-interfaces.
4. Assigned ether2 (LAN) to the bridge.
5. Assigned ether3 (WIFI) to the bridge and set PVID to 1, frame_types to “admit only VLAN tagged”, and enabled “Ingress filtering”.
6. Added VLAN 1 to the bridge (untagged=ether1, tagged=ether3)
7. Added VLAN 5 to the bridge (tagged=ether3)
8. Added VLAN 7 to the bridge (tagged=ether3)
9. Now I don’t get how to assigned the DHCP-Servers to their corresponding VLANs, since there is only one interface (“bridge”) left.
10. After struggeling a while a gave up again and rolled back my configuration by leaving the safe-mode without committing.

I will wait for the config before making comments about it.

Look at this example in the docs VLAN Example - InterVLAN Routing by Bridge

I will also recommend diagrams.net (aka draw.io) for making diagrams (unless you already have and know how to use something else. See this thread Network drawing program, what are you using? and post #17 for some links to useful videos showing what it is capable of.

Making a network diagram takes time, but it really helps when you are troubleshooting in the future, at least if you keep your documentation (diagram) current. If it isn’t kept current, it can make troubleshooting harder than without it; this is similar to old obsolete comments in code that can lead you to make incorrect assumptions, but I digress.

I did notice this in your comment to @anav

1. IoT: MY local “semi-trusted” network. All registered devices join this network via wireless lan and should not be able to communicate with each other. Address space is 10.12.90.0/24 and configured via the Mikrotik DHCP server. The registered devices are allowed to access specific targets and ports on WAN (ntp) and LAN (mqtt) in order to operate as expected on per-device rules.

The router’s firewall won’t be helpful in preventing wifi devices connected to the same SSID from being able to communicate with each other. That needs to be done by the access point by a client isolation feature.