Mixed vlan and non-vlan over one interface -> routing

Hi,

I am not able to route traffic between my normal LAN and a guest VLAN.

My interface ether7 is part of my LAN bridge. It is connected to a UniFi switch. On the UniFi site I have defined a guest VLAN with ID 111, and on the MikroTik there is a VLAN interface (vlan-111) under ether7. A DHCP server on the MikroTik is listening on vlan-111 and offers IP addresses to the clients. They can access the internet.

Now I want to allow the guests to connect to one IP address located on my LAN, but routing between vlan-111 and the LAN over the bridge is not possible. The MikroTik routes all packets to the default gateway (WAN). There is a dynamic routing table entry, which seems to be correct but is ignored. I tried to configure src-nat, routing rules, static rules… nothing helped. In the bridge settings, I disabled firewalling.


 /interface print detail
 [...]
 1  RS name="LAN" default-name="ether6" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=8156 mac-address=E4:8D:8C:03:F8:ED last-link-up-time=aug/08/2018 16:18:08 link-downs=0 

 7  RS name="ether7-LAN" default-name="ether7" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1598 max-l2mtu=8156 mac-address=E4:8D:8C:03:F8:EE last-link-down-time=aug/08/2018 16:39:38 last-link-up-time=aug/08/2018 16:39:42 
       link-downs=1 

12  R  name="VLAN-Gast" type="vlan" mtu=1500 actual-mtu=1500 l2mtu=1594 mac-address=E4:8D:8C:03:F8:EE last-link-down-time=aug/08/2018 16:39:38 last-link-up-time=aug/08/2018 16:39:42 link-downs=2 

14  R  ;;; created from master port
       name="bridge1" type="bridge" mtu=auto actual-mtu=1500 l2mtu=1598 mac-address=E4:8D:8C:03:F8:ED last-link-up-time=aug/08/2018 16:18:04 link-downs=0 




/ip address print
[...]
 0   ;;; lokales LAN
     192.168.10.1/23    192.168.10.0    bridge1
 7   192.168.89.1/24    192.168.89.0    VLAN-Gast



/ip route print 
 0 A S  ;;; Mailtraffic WAN1
        0.0.0.0/0                          WAN1-DSL                  1
[...]
12 A S  192.168.3.0/24     192.168.10.1    192.168.10.222            1
13 A S  192.168.8.0/24     192.168.10.1    192.168.10.222            1
14 ADC  192.168.10.0/23    192.168.10.1    bridge1                   0
17 ADC  192.168.89.0/24    192.168.89.1    VLAN-Gast                 0

Here you can see the packets are forwarded to WAN (interface WAN2-Unity):

17:38:28 firewall,info forward: in:VLAN-Gast(ether7-LAN) out:WAN2-Unity, src-mac b0:c1:9e:43:46:88, proto TCP (SYN), 192.168.89.100:46110->192.168.11.140:8880, len 60 
17:38:29 firewall,info forward: in:VLAN-Gast(ether7-LAN) out:WAN2-Unity, src-mac b0:c1:9e:43:46:88, proto TCP (SYN), 192.168.89.100:46115->192.168.11.140:8880, len 60 
17:38:31 firewall,info forward: in:VLAN-Gast(ether7-LAN) out:WAN2-Unity, src-mac b0:c1:9e:43:46:88, proto TCP (SYN), 192.168.89.100:46115->192.168.11.140:8880, len 60

But IP 192.168.11.140 belongs to 192.168.10.1/23, which is the address for the bridge. Local routes should match before 0.0.0.0/default gateway, shouldn't they?
/ip address print detail
0 ;;; lokales LAN
address=192.168.10.1/23 network=192.168.10.0 interface=bridge1 actual-interface=bridge1
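
A check of the reasoning in the question, as an added example that is not part of the original post: it runs a longest-prefix match over the routes shown in the post and compares the result with the out-interface in the posted firewall log. The function names are hypothetical, and the rows the post elides with `[...]` are not modelled.

```python
import ipaddress
import re

# Routes copied from the post's "/ip route print" output: (dst, gateway, distance).
ROUTES = [
    ("0.0.0.0/0", "WAN1-DSL", 1),
    ("192.168.3.0/24", "192.168.10.222", 1),
    ("192.168.8.0/24", "192.168.10.222", 1),
    ("192.168.10.0/23", "bridge1", 0),
    ("192.168.89.0/24", "VLAN-Gast", 0),
]

# One forward-log line copied from the post.
LOG = ("17:38:28 firewall,info forward: in:VLAN-Gast(ether7-LAN) out:WAN2-Unity, "
       "src-mac b0:c1:9e:43:46:88, proto TCP (SYN), "
       "192.168.89.100:46110->192.168.11.140:8880, len 60")

LOG_RE = re.compile(
    r"in:(?P<inif>[^\s(,]+).*?out:(?P<outif>[^\s,]+),.*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+->(?P<dst>\d+\.\d+\.\d+\.\d+):\d+")

def lookup(dst, routes=ROUTES):
    """Longest-prefix match over one table; ties go to the lowest distance."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), gw, dist) for p, gw, dist in routes
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    net, gw, _ = max(hits, key=lambda h: (h[0].prefixlen, -h[2]))
    return str(net), gw

def check(line, routes=ROUTES):
    """Compare the logged out-interface with what a plain lookup would pick."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    hit = lookup(m["dst"], routes)
    expected = hit[1] if hit else None
    return {"in": m["inif"], "dst": m["dst"], "matched": hit[0] if hit else None,
            "expected_out": expected, "logged_out": m["outif"],
            "consistent": expected == m["outif"]}

if __name__ == "__main__":
    print(check(LOG))
```

For the posted line the lookup selects 192.168.10.0/23 via bridge1 while the log records WAN2-Unity, so the logged forwarding decision does not correspond to a plain destination lookup over the routes shown.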