Mix LAN and VLAN can't communicate with each other

Hi,

I have been using a Mikrotik hEX for about a year now to load balance and have a failover on two internet connections (which works great).

I am segmenting my network into three subnetworks. For technical reasons, two subnetworks are connected to the Mikrotik on one Ethernet port as VLANs and one directly using its own Ethernet port.
My problem is that I can’t communicate with the VLANs from my LAN network and I don’t understand why.

I have:
WAN 1 with IP 192.168.1.2 on Eth1 and Eth2
WAN 2 with IP 192.168.2.2 on Eth3
VLANIoT with IP 192.168.48.1 on Eth4, VID 48
VLANGuests with IP 192.168.47.1 on Eth4, VID 47
LAN with IP 192.168.49.1 on Eth5

From 192.168.49.0/24 I can ping 192.168.48.1 but not any other device on VLANIoT (same for VLANGuests).
From 192.168.47.0/24 I can ping any device in 192.168.48.0/24 and vice versa.

Can someone please help me understand what I do wrong in my configuration? To start I’d like all networks (LAN, VLANIoT and VLANGuests) to be able to talk to each other. When that works I’ll make firewall rules to achieve my final goal.
I also tried to make it work by disabling all firewall rules without success.

Here is my full configuration (I use netwatch to achieve the failover and fallback of my two internet connections; I didn’t include those rules).

# jul/10/2023 20:22:47 by RouterOS 7.9.2
# software id = 9M7P-7MZ6
#
# model = RB750Gr3
/interface bridge
add name=BrdgLAN
add disabled=yes name=BrdgVLAN
add name=BrdgWAN1
add name=BrdgWAN2
/interface vlan
add interface=ether4 name=VLANGuests vlan-id=47
add interface=ether4 name=VLANIoT vlan-id=48
/interface list
add name=LAN
add name=WAN1
add name=WAN2
add name=VLANS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.47.2-192.168.47.254
add name=dhcp_pool2 ranges=192.168.48.2-192.168.48.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=VLANGuests name=dhcpVLANGuests
add address-pool=dhcp_pool2 interface=VLANIoT name=dhcpVLANIoT
/port
set 0 name=serial0
/routing table
add disabled=no fib name=to_WAN1
add disabled=no fib name=to_WAN2
/interface bridge port
add bridge=BrdgWAN1 interface=ether1
add bridge=BrdgWAN1 interface=ether2
add bridge=BrdgWAN2 interface=ether3
add bridge=BrdgLAN interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add interface=BrdgLAN list=LAN
add interface=BrdgWAN1 list=WAN1
add interface=BrdgWAN2 list=WAN2
add disabled=yes interface=BrdgVLAN list=VLANS
/ip address
add address=192.168.1.2/24 interface=BrdgWAN1 network=192.168.1.0
add address=192.168.2.2/24 interface=BrdgWAN2 network=192.168.2.0
add address=192.168.49.1/24 interface=BrdgLAN network=192.168.49.0
add address=192.168.47.1/24 interface=VLANGuests network=192.168.47.0
add address=192.168.48.1/24 interface=VLANIoT network=192.168.48.0
/ip dhcp-server network
add address=192.168.47.0/24 comment="Guests Network" gateway=192.168.47.1
add address=192.168.48.0/24 comment="IoT Network" gateway=192.168.48.1
add address=192.168.49.0/24 comment="LAN network" gateway=192.168.49.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,195.130.130.1,195.238.2.21
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Test access VLANS from LAN" \
    disabled=yes in-interface-list=LAN out-interface-list=VLANS
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=*2000010
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.1.0/24 \
    in-interface-list=LAN
add action=accept chain=prerouting dst-address=192.168.2.0/24 \
    in-interface-list=LAN
add action=mark-connection chain=prerouting comment="WAN to LAN" \
    connection-mark=no-mark in-interface-list=WAN1 new-connection-mark=\
    WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting comment="WAN to LAN" \
    connection-mark=no-mark in-interface-list=WAN2 new-connection-mark=\
    WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting comment="PCC mangles - Connexion m\
    ark - 1/4 Proximus  - Deactivate to redirect everything to No per connexio\
    n class" connection-mark=no-mark disabled=yes dst-address-type=!local \
    in-interface-list=LAN new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=both-addresses:4/1
add action=mark-connection chain=prerouting comment="PCC mangles - Connexion m\
    ark - 1/2 Telenet - Deactivate to redirect everything to No per connexion \
    class" connection-mark=no-mark disabled=yes dst-address-type=!local \
    in-interface-list=LAN new-connection-mark=WAN2_conn passthrough=yes \
    per-connection-classifier=both-addresses:2/1
add action=mark-connection chain=prerouting comment=\
    "PCC mangles - Connexion mark - No per connection class. To Telenet" \
    connection-mark=no-mark disabled=yes dst-address-type=!local \
    in-interface-list=LAN new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "PCC mangles - Connexion mark - No per connection class. To Proximus" \
    connection-mark=no-mark dst-address-type=!local in-interface-list=LAN \
    new-connection-mark=WAN1_conn passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "PCC mangles - Routing mark prerouting" connection-mark=WAN1_conn \
    in-interface-list=LAN new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "PCC mangles - Routing mark prerouting" connection-mark=WAN2_conn \
    in-interface-list=LAN new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output comment=\
    "PCC mangles - Routing mark output" connection-mark=WAN1_conn \
    dst-address-type=!local new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output comment=\
    "PCC mangles - Routing mark output" connection-mark=WAN2_conn \
    dst-address-type=!local new-routing-mark=to_WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN1
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN2
/ip route
add comment="Google DNS 2" disabled=no distance=1 dst-address=8.8.4.4/32 \
    gateway=192.168.1.1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="ISP2 - Telenet main DNS for netwatch" disabled=no distance=1 \
    dst-address=195.130.130.1/32 gateway=192.168.2.1 pref-src="" \
    routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add comment="ISP1 - Proximus main DNS for netwatch" disabled=no distance=1 \
    dst-address=195.238.2.21/32 gateway=192.168.1.1 pref-src="" \
    routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add comment="Proximus DNS 2" disabled=no distance=1 dst-address=\
    195.238.2.22/32 gateway=192.168.1.1 pref-src="" routing-table=main scope=\
    10 suppress-hw-offload=no target-scope=10
add comment="Google DNS 1" disabled=no distance=1 dst-address=8.8.8.8/32 \
    gateway=192.168.1.1 pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=10
add comment="Telenet DNS 3" disabled=no distance=1 dst-address=\
    195.130.131.1/32 gateway=192.168.2.1 pref-src="" routing-table=main \
    scope=10 suppress-hw-offload=no target-scope=10
add comment="Telenet DNS 2" disabled=no distance=1 dst-address=\
    195.130.130.2/32 gateway=192.168.2.1 pref-src="" routing-table=main \
    scope=10 suppress-hw-offload=no target-scope=10
add comment=RouteWAN1Mark disabled=no dst-address=0.0.0.0/0 gateway=\
    192.168.1.1 routing-table=to_WAN1 suppress-hw-offload=no
add comment=RouteWAN2Mark disabled=no dst-address=0.0.0.0/0 gateway=\
    192.168.2.1 routing-table=to_WAN2 suppress-hw-offload=no
add comment=RouteWAN1 disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    routing-table=main suppress-hw-offload=no
add comment=RouteWAN2 disabled=no dst-address=0.0.0.0/0 gateway=192.168.2.1 \
    routing-table=main suppress-hw-offload=no

I am only interested in the final goal, help once! :slight_smile:
I will assume the traffic flow needed is:
vlaniot / vlanguests / vlanhome should all get internet
vlanhome should be able to reach vlaniot (perhaps limited to some?)

By the way, the one glaring mistake is that you use 192.68.88 in your IP pool setup instead of the correct 192.168.49.

Also, why are you using two ports for WAN1? I will ignore that and remove it as a bridge until it can be explained…

Assuming ether4 is going to a smart access point that can read VLANs? If so, you still need to send the trusted VLAN down ether4, as the AP should have an IP on the trusted network!

Your PCC mangling is incorrect.

Finally, I use ether2 to create a safe spot both to access the router whenever needed and to configure the bridge stuff from an off-bridge position.
Simply set your laptop IPv4 settings to any 192.168.55.X address… and you should be good to go.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
FIXED one bridge…

# model = RB750Gr3
/interface bridge
# vlan-filtering must be on for the /interface bridge vlan table below to take effect
add name=BridgeLAN vlan-filtering=yes
/interface vlan
add interface=BridgeLAN name=VLANGuests vlan-id=47
add interface=BridgeLAN name=VLANIoT vlan-id=48
add interface=BridgeLAN name=VLANHome vlan-id=49
/interface list
add name=WAN
add name=LAN
add name=Trusted
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.49.10-192.168.49.254
add name=dhcp_pool1 ranges=192.168.47.2-192.168.47.254
add name=dhcp_pool2 ranges=192.168.48.2-192.168.48.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=VLANGuests name=dhcpVLANGuests
add address-pool=dhcp_pool2 interface=VLANIoT name=dhcpVLANIoT
add address-pool=default-dhcp interface=VLANHome name=dhcpVLANHome
/routing table
add disabled=no fib name=to_WAN1
add disabled=no fib name=to_WAN2
/interface bridge port
# ether4: trunk port, only tagged frames (47, 48, 49) are accepted
add bridge=BridgeLAN ingress-filtering=yes frame-types=admit-only-vlan-tagged \
    interface=ether4
# ether5: access port, untagged frames are placed into VLAN 49 (home)
add bridge=BridgeLAN ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=49
/interface bridge vlan
add bridge=BridgeLAN tagged=BridgeLAN,ether4 untagged=ether5 vlan-ids=49
add bridge=BridgeLAN tagged=BridgeLAN,ether4 vlan-ids=47,48
/ip neighbor discovery-settings
set discover-interface-list=Trusted
/interface list member
add interface=ether1 list=WAN
add interface=ether3 list=WAN
add interface=VLANIoT list=LAN
add interface=VLANGuests list=LAN
add interface=VLANHome list=LAN
add interface=VLANHome list=Trusted
add interface=ether2 list=Trusted comment="off bridge access"
/ip address
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
add address=192.168.2.2/24 interface=ether3 network=192.168.2.0
add address=192.168.49.1/24 interface=VLANHome network=192.168.49.0
add address=192.168.47.1/24 interface=VLANGuests network=192.168.47.0
add address=192.168.48.1/24 interface=VLANIoT network=192.168.48.0
add address=192.168.55.1/24 interface=ether2 network=192.168.55.0
/ip dhcp-server network
add address=192.168.47.0/24 comment="Guests Network" gateway=192.168.47.1
add address=192.168.48.0/24 comment="IoT Network" gateway=192.168.48.1
add address=192.168.49.0/24 comment="LAN network" gateway=192.168.49.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,195.130.130.1,195.238.2.21
/ip firewall filter
# Input chain
# (default rules)
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# (admin rules)
add action=accept chain=input comment="trusted" in-interface-list=Trusted
add action=accept chain=input comment="Allow LAN DNS queries - UDP" \
    dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
# Forward chain
# (default rules)
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="trusted may reach every LAN vlan" \
    in-interface-list=Trusted out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
# ensure incoming WAN traffic is marked according to ISP
add action=mark-connection chain=prerouting comment="External To Router WAN1" \
    connection-mark=no-mark in-interface=ether1 new-connection-mark=\
    WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting comment="External to Router WAN2" \
    connection-mark=no-mark in-interface=ether3 new-connection-mark=\
    WAN2_conn passthrough=yes
# ensure router-originated replies go out the same WAN the connection came in on
add action=mark-routing chain=output routing-mark=no-mark connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1
add action=mark-routing chain=output routing-mark=no-mark connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2
# apply connection marks and PCC to outgoing LAN traffic (1/3 Proximus, 2/3 Telenet)
add action=mark-connection chain=prerouting comment="PCC mangles - Connexion m\
    ark - 1/3 Proximus" connection-mark=no-mark dst-address-type=!local \
    in-interface-list=LAN new-connection-mark=viaWAN1 passthrough=yes \
    per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting comment="PCC mangles - Connexion m\
    ark - 1/3 Telenet" connection-mark=no-mark dst-address-type=!local \
    in-interface-list=LAN new-connection-mark=viaWAN2 passthrough=yes \
    per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting comment="PCC mangles - Connexion m\
    ark - 1/3 Telenet (second third)" connection-mark=no-mark dst-address-type=!local \
    in-interface-list=LAN new-connection-mark=viaWAN2 passthrough=yes \
    per-connection-classifier=both-addresses:3/2
# ensure connection-marked LAN traffic is route-marked
add action=mark-routing chain=prerouting comment="pcc mangles - routing mark" connection-mark=viaWAN1 \
    routing-mark=no-mark new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting comment="pcc mangles - routing mark" connection-mark=viaWAN2 \
    routing-mark=no-mark new-routing-mark=to_WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether3
# if WAN1 fails, send WAN1 traffic to WAN2
# if WAN2 fails, send WAN2 traffic to WAN1
/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=10 target-scope=14 routing-table=main comment=WAN1
add check-gateway=ping dst-address=0.0.0.0/0 gateway=8.8.4.4 scope=10 target-scope=14 routing-table=main comment=WAN2
# if WAN1 fails
add distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=10 target-scope=14 routing-table=to_WAN1
add distance=2 dst-address=0.0.0.0/0 gateway=8.8.4.4 scope=10 target-scope=14 routing-table=to_WAN1
# if WAN2 fails
add distance=1 dst-address=0.0.0.0/0 gateway=8.8.4.4 scope=10 target-scope=14 routing-table=to_WAN2
add distance=2 dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=10 target-scope=14 routing-table=to_WAN2
# complete the final hop: recursive next-hops resolved through each ISP gateway
add dst-address=1.1.1.1/32 gateway=192.168.1.1 scope=10 target-scope=13 comment=WAN1
add dst-address=8.8.4.4/32 gateway=192.168.2.1 scope=10 target-scope=13 comment=WAN2

Also think about whether you want all traffic PCCd and thus mangled, i.e. just the LAN, or the LAN plus IoT plus Guests???

Dear anav,

Thank you for your detailed answer, all those firewall rules will help me a lot with the next steps :smiley:

Your assumptions are correct.

About the 192.68.88 pool setup, I noticed that when I exported the script but it doesn’t show up in the UI so I am a bit confused about what to do with it.

I use two ports on WAN1 because I have a device connected on eth2, so I use the MikroTik as a switch. The use you make of eth2 is very interesting though, so I might change things a bit to include that.

About the main question (allowing Eth 5 to “talk” with the VLANs on Eth 4), I tried a couple of things based on what you provided but I couldn’t make it work. From what I understand, the reason why my initial config wasn’t working is that Eth 5 should be also configured as a VLAN by putting a pvid on the port and creating a specific VLAN (you called it VLANHome). While I am wondering why it is necessary to do this, I did try without success.
Finally I gave up and used my managed switch to tag the communication with the router behind Eth 5 and connected all three VLANs to Eth 4. It is not optimal since all traffic between VLANHome and the two other VLANs has to go through Eth 4 but at least it works.
Maybe one day I’ll try again but VLANs management on Mikrotik is a bit confusing especially since you can make VLANs on the bridge window and on the Interface list window.

PCC mangling might be incorrect but it seems to work. The idea is that instead of performing the modulo of the addresses for all the traffic, I do it only for a part of it (let’s say Proximus) and then everything that wasn’t marked is marked with the other mark (then Telenet). The reasons I made it like this are:
- I only have to perform the modulo calculation on a fraction of the traffic, so I save CPU resources
- Depending on my needs it is easier to enable/disable rules to change how traffic is dispatched, because I have a “default” mark rule to send everything to Telenet or Proximus without changing much of the config.
You see, Telenet is not so good (sometimes latency rises for a couple of seconds) but it is faster, so I route everything to Proximus unless I really need the high bandwidth.

I do not use “check-gateway=ping” in the route configuration because it is not as reliable as using netwatch, which can be configured to, let’s say, activate only if 80% of 5 pings have failed. I can also specify how long to wait between two checks to avoid pinging all the time.

Could you please help me solve my issue considering that the device on Eth 4 doesn’t support VLANs?

Thank you in advance

PS: I explained all my thinking so you can tell me if and why I am wrong about the mangle, netwatch etc. I did spend a lot of time fiddling with these settings.
PS2: My first reply was mixing up Eth 4 and Eth 5. I took more time to think over anav’s answer and edited this message accordingly.

Yes all very confusing.
If you are simply feeding vlanXX to another router (aka providing a private WAN IP to that router), doing it via an access port untagged for vlanXX works great.
So be accurate on exactly what you want to provide to this other router!!
(It would appear you were trying to give it a public IP from your ISP by bridging it together with the normal WAN port, which is not possible unless you get multiple public IPs.)

Also be clear on what traffic from the vlans you want PCCd.
All three vlans?

I note you say you may want to only partially PCC some traffic within a VLAN?
If so, how are you identifying those that should or should not be PCCd… falling within a certain IP range, for example? Coming from an AP? etc.

I have no experience with the netwatch technique unfortunately.

I found the issue. In the following configuration:

/ip firewall mangle
add action=mark-connection chain=prerouting comment="PCC mangles - Connexion m\
    ark - 1/4 Proximus  - Deactivate to redirect everything to No per connexio\
    n class" connection-mark=no-mark disabled=yes dst-address-type=!local \
    in-interface-list=LAN new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=both-addresses:4/1
add action=mark-connection chain=prerouting comment="PCC mangles - Connexion m\
    ark - 1/2 Telenet - Deactivate to redirect everything to No per connexion \
    class" connection-mark=no-mark disabled=yes dst-address-type=!local \
    in-interface-list=LAN new-connection-mark=WAN2_conn passthrough=yes \
    per-connection-classifier=both-addresses:2/1
add action=mark-connection chain=prerouting comment=\
    "PCC mangles - Connexion mark - No per connection class. To Telenet" \
    connection-mark=no-mark disabled=yes dst-address-type=!local \
    in-interface-list=LAN new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "PCC mangles - Connexion mark - No per connection class. To Proximus" \
    connection-mark=no-mark dst-address-type=!local in-interface-list=LAN \
    new-connection-mark=WAN1_conn passthrough=yes

The “dst-address-type=!local” didn’t exclude packets going from a local network to another local network, which means they got marked and therefore were routed to either WAN 1 or WAN 2.

The solution was to replace dst-address-type with an address list to avoid marking traffic that doesn’t go to the Internet.
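As an added example (not configuration from the thread), this is the address-list form of that fix together with the forward rules for the segmentation goal stated in the opening post (all segments reach the Internet, the home LAN may reach IoT and Guests, nothing else may start connections). It reuses the subnets, the to_WAN1/to_WAN2 routing tables and the WAN1_conn/WAN2_conn marks from the thread; the list names LocalNets, VLANS and WAN and their memberships are assumptions, and `dst-address-type=local` is left out because it only matches the router's own addresses, not the subnets it routes.

```routeros
# Added example, not part of the thread. Assumes interface names from the
# opening post (BrdgLAN, VLANIoT, VLANGuests, BrdgWAN1, BrdgWAN2) and the
# existing LAN interface list; VLANS, WAN and LocalNets are assumed names.
/interface list
add name=VLANS comment="assumed: the two VLAN segments"
add name=WAN comment="assumed: both ISP uplinks"
/interface list member
add interface=VLANIoT list=VLANS
add interface=VLANGuests list=VLANS
add interface=BrdgWAN1 list=WAN
add interface=BrdgWAN2 list=WAN

/ip firewall address-list
# Every subnet this router routes itself. A connection towards one of these
# must never receive a WAN connection mark, otherwise it is sent to a WAN table.
add list=LocalNets address=192.168.47.0/24 comment="VLANGuests"
add list=LocalNets address=192.168.48.0/24 comment="VLANIoT"
add list=LocalNets address=192.168.49.0/24 comment="LAN (home)"
add list=LocalNets address=192.168.1.0/24 comment="WAN1 transit net (ISP1 modem)"
add list=LocalNets address=192.168.2.0/24 comment="WAN2 transit net (ISP2 modem)"

/ip firewall mangle
# 1/4 of new Internet-bound connections from the home LAN go to WAN1 ...
add action=mark-connection chain=prerouting comment="PCC 1/4 -> WAN1" \
    connection-mark=no-mark dst-address-list=!LocalNets in-interface-list=LAN \
    new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=both-addresses:4/1
# ... and whatever is still unmarked goes to WAN2. Disabling one of these two
# rules steers everything to the other ISP, as described in the thread.
add action=mark-connection chain=prerouting comment="remainder -> WAN2" \
    connection-mark=no-mark dst-address-list=!LocalNets in-interface-list=LAN \
    new-connection-mark=WAN2_conn passthrough=yes
# Only connection-marked traffic gets a routing mark; inter-VLAN traffic keeps
# no mark and is forwarded by the connected routes in the main table.
add action=mark-routing chain=prerouting comment="WAN1_conn -> to_WAN1" \
    connection-mark=WAN1_conn in-interface-list=LAN new-routing-mark=to_WAN1 \
    passthrough=yes
add action=mark-routing chain=prerouting comment="WAN2_conn -> to_WAN2" \
    connection-mark=WAN2_conn in-interface-list=LAN new-routing-mark=to_WAN2 \
    passthrough=yes

/ip firewall filter
# Forward policy for the three segments (replaces the defconf forward rules).
# The established/related accept comes first, so replies to connections the
# home LAN opened are allowed while IoT and Guests cannot initiate towards it.
add action=accept chain=forward comment="replies to allowed connections" \
    connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="home -> IoT and Guests" \
    in-interface-list=LAN out-interface-list=VLANS
add action=accept chain=forward comment="home -> Internet" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="IoT and Guests -> Internet only" \
    in-interface-list=VLANS out-interface-list=WAN
add action=accept chain=forward comment="port forwards from WAN" \
    connection-nat-state=dstnat in-interface-list=WAN
add action=drop chain=forward comment="drop everything else"
```

With `dst-address-list=!LocalNets` in place, the two mangle `accept` rules for 192.168.1.0/24 and 192.168.2.0/24 in the original export become redundant, since those transit networks are covered by the list. Traffic from the VLAN segments is not PCC-marked here and therefore follows the main table; to balance it as well, duplicate the two mark-connection rules and the two mark-routing rules with `in-interface-list=VLANS`. A quick check after importing is `/ip firewall mangle print stats`: a ping from 192.168.49.0/24 to a host in 192.168.48.0/24 must leave the counters of the two mark-connection rules unchanged.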