Top of the mornin’, guys :3
I have a pretty basic setup: ISP → Mikrotik router → 24-port D-Link switch. The ISP is connected to the Mikrotik on port 1 (eth1-wan), and the router's 5th port (eth5-lan) is connected to the 1st port of my switch.
3 VLANs on the Mikrotik (100, 200, 300) for my management, printer and workstation subnets.
- I have created 3 DHCP servers and 3 IP pools, one for each VLAN:
  - 192.168.10.0/24
  - 192.168.20.0/24
  - 192.168.30.0/24
- 2 NAT masquerade firewall rules were added for VLAN100 and 300 (since printers won't need access to the internet)
List of firewall rules:
Flags: X - disabled, I - invalid, D - dynamic
 0 chain=input protocol=icmp
#test subnet for default vlan1 on switch
 1 chain=input action=accept connection-state=new protocol=tcp
      src-address=192.168.100.0/24 in-interface=lan5 dst-port=80,8291,22
#same for management vlan
 3 chain=input connection-state=new protocol=tcp src-address=192.168.10.0/24
      in-interface=vlan100 dst-port=80,8291,22
#same for workstations vlan
 4 chain=input action=accept connection-state=new protocol=tcp
      src-address=192.168.20.0/24 in-interface=vlan200 dst-port=80,8291,22
 5 chain=input connection-state=new protocol=tcp connection-mark=allow_in
      in-interface=wan1 dst-port=80
 6 chain=input action=accept connection-state=new protocol=udp
      src-address=192.168.100.0/24 dst-port=53,123
 7 chain=input connection-state=new protocol=udp src-address=192.168.10.0/24
      dst-port=53,123
 8 chain=input action=accept connection-state=new protocol=udp
      src-address=192.168.20.0/24 dst-port=53,123
 9 chain=input connection-state=established,related
10 chain=output connection-state=!invalid
12 chain=forward action=accept connection-state=established,new
      src-address=192.168.100.0/24 in-interface=lan5 out-interface=wan1
14 chain=forward connection-state=established,new src-address=192.168.10.0/24
      in-interface=vlan100 out-interface=wan1
16 chain=forward action=accept connection-state=established,new
      src-address=192.168.20.0/24 in-interface=vlan200 out-interface=wan1
17 chain=forward connection-state=established,related in-interface=wan1
      out-interface=lan5
19 chain=forward connection-state=established,related in-interface=wan1
      out-interface=vlan100
20 chain=forward action=accept connection-state=established,related
      in-interface=wan1 out-interface=vlan200
21 chain=input action=drop
22 chain=output action=drop
23 chain=forward action=drop
List of NAT rules:
 0 chain=srcnat action=masquerade src-address=192.168.100.0/24
      out-interface=wan1
 1 chain=srcnat action=masquerade src-address=192.168.10.0/24
      out-interface=wan1
 2 chain=srcnat action=masquerade src-address=192.168.20.0/24
      out-interface=wan1
The first issue is that I can't ping devices in VLAN 100 from VLAN 200 (or the other way around). The only address that responds is the gateway address (for example, from the 192.168.10.125 device I can ping 192.168.10.1/20.1/30.1, the addresses I set for the Mikrotik when I set up the DHCP servers for each VLAN). I thought that RouterOS only requires you to create a VLAN, assign it to an Ethernet port, and create a pool and DHCP server, and that routing would work out of the box with no configuration needed. Apparently I was wrong.
ATM I have all devices in the 192.168.100.0/24 subnet, because that's the only way they can communicate with each other.
Second issue: I can't access the switch web console, neither by IP nor by name. I bound it to the 192.168.100.3 IP and was able to connect to it and configure VLANs. After a day or two I just can't access or ping it, but the switch works 100%, because I can plug a device into any port I have in the default VLAN and it will get the correct IP, internet access, etc.
The same issue persists with the WiFi router, which I plugged into a port and configured as an access point. WiFi clients get their IPs and internet access, but I can't connect to the router console. That's pretty weird, since I can track them in the DHCP leases list from the Mikrotik interface.
I will be more than happy if you could point out what's wrong with my setup. I'm a total noob, but I want to learn the basics of SOHO network setup :3
BTW, I drew a simple network diagram; I hope it will clarify things a bit more.
