Multiple networks over rb3011

amartina · January 15, 2019, 8:40pm

Hi everyone, sorry for this question, but I don’t know what else to do.
I just bought a RB3011 ui as-rm, and I want to use one port for gatweay, and the other nine for three networks.

Eth1 for gateway

/ip route
add distance=1 gateway=172.24.0.81
/ip address
add address=172.24.0.82/29 interface=ether1 network=172.24.0.80

-Eth2-10 in a bridge.
I desire to configure three different networks on this bridge.

Private network, with DHCP

/interface wireless security-profiles
/ip pool
add name=PrivateNetwork ranges=172.16.48.20-172.16.48.254
/ip dhcp-server
add address-pool=PrivateNetwork disabled=no interface=bridge name=PrivateNetwork
/ip address
add address=172.16.48.1/24 interface=bridge network=172.16.48.0

Private network, static, VLAN10

add interface=bridge name=vlan10 vlan-id=10
add address=10.0.10.1/24 interface=vlan10 network=10.0.10.0

Public network, static, VLAN200

add interface=bridge name=vlan200 vlan-id=200
add address=200.xx.xx.xx/29 interface=vlan200 network=200.xx.xx.xx

But I can’t reach even the router configuring a host with VLAN10 or VLAN200. If i chance VLAN10 and VLAN200 for brige, at least I can reach the router, but not the gateway.
What I am missing?
Attached is the configuration
thank you everyone

Agu
config.txt.rsc (1.54 KB)

anav · January 16, 2019, 3:50pm

Ensure you have latest firmware is a standard statement.

so basically you have a private LAN and you wish to have to other LANs via VLAN.
One bridge is required.
Do you require LAN to WAN traffic
Do you require VLAN to WAN traffic
Do you require any LANIPs to have access to any VLANs or VLANIPs?

Changes/Additions to config
-added /interface list vlan members
-vlan pools
-dhcp server for vlans
-dhcp server network for vlans
-changed private DNS server to 172.16.48.1 (as you have detailed your IP DNS servers already under IP DNS)
-changed IP address entry for 200 vlan from /29 to /24 since I know /24
-modified bridge ports TBD
-modified bridge vlan rules. TBD

Bridge ports and Bridge vlan rules cannot really be laid out without additional information.
which ports are for which network (you have three).
Are some ports going to managed switches, to unmanaged switches, to Access points, to computers directly.
A diagram would help.

Thus far without the above info included…

/interface bridge
add name=bridge
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan200 vlan-id=200
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=PrivateNetwork ranges=172.16.48.20-172.16.48.254
add name=vlan10_pool ranges=10.0.10.20-10.0.20.254
add name=vlan200_pool ranges=200.xx.xx.20-200.xx.xx.254
/ip dhcp-server
add address-pool=PrivateNetwork disabled=no interface=bridge name=\
    PrivateNetwork
add address-pool=vlan10_pool disabled=no interface=vlan10 name=\
    vlan10Server
add address-pool=vlan200_pool disabled=no interface=vlan200 name=\
    vlan200Server
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=vlan10 list=LAN
add interface=vlan200 list=LAN
/ip address
add address=172.24.0.82/29 interface=ether1 network=172.24.0.80
add address=10.0.10.1/24 interface=vlan10 network=10.0.10.0
add address=172.16.48.1/24 interface=bridge network=172.16.48.0
add address=200.xx.xx.xx/24 interface=vlan200 network=200.xx.xx.xx
/ip dhcp-server network
add address=172.16.48.0/24 dns-server=172.16.48.1 gateway=172.16.48.1
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=200.xx.xx.0/24 dns-server=200.xx.xx.1 gateway=200.xx.xx.1
/ip dns
set servers=200.16.16.1,8.8.8.8
/ip route
add distance=1 gateway=172.24.0.81

amartina · January 17, 2019, 1:32pm

Hi @anav, thank you for your response.

Thank you, now I’m running RuterOS 6.43.8
Yes, I have one LAN with private IPs and DHCP and two VLAN (VLAN200 and VLAN10) with static IPs.
All networks need to get to the gatway (Ethe1).
All to all, from LAN I should be able to get to the VLANs and from the VLANs to LAN.

Te bridge is build with Ethe2 to Ethe10, LAN, VLAN10 and VLAN200 share the bridge (is this called trunk?).
I configured the VLAN Interface over the brdge

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan200 vlan-id=200

configured the bridge VLAN

/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=200,10

and the address

/ip address
add address=172.16.48.1/24 interface=bridge1 network=172.16.48.0
add address=200.xx.xx.xx/29 interface=vlan200 network=200.xx.xx.xx
add address=10.0.10.1/24 comment=test interface=vlan10 network=10.0.10.0

the LAN is the only working network
should I configure something else? what I’m missing?

Thank you

Agu
configtxt.rsc (1.93 KB)

anav · January 17, 2019, 7:22pm

Before I do any further work on this, let me get clarification.

Which statements are true:?
a. users on lan must be able to reach all IPs on VLANs
b. users on both VLANS must be able to reach all IPs on the LAN.
c. users on one vlan must be able to reach all IPs on the other VLAN.

OR did you mean as admin,
you need to be able to reach both vlans

amartina · January 17, 2019, 7:31pm

Hi @anav, thank you for your response
a. users on lan must be able to reach all IPs on VLANs
TRUE
b. users on both VLANS must be able to reach all IPs on the LAN.
TRUE
c. users on one vlan must be able to reach all IPs on the other VLAN.
TRUE

All users, host, in the bridge must be able to reach every LAN or VLAN ips

thank you

Agu

anav · January 17, 2019, 7:34pm

Hmmm, Okay, then perhaps I suggest you don’t need three network and vlans. You only need one network as the separate LANs and VLANs do not provide and extra value from a logical standpoint. In other words I don’ understand, why you need to create such a setup unless you are doing for the learning fun of it etc..

amartina · January 17, 2019, 11:26pm

Hi @anav,
The LAN is for all PCs in our lab (and could be VLAN1 of course)
VLAN 200 is for public servers
VLAN10 is for sensors

Yes, VLAN an LAN could be the same, but I’m not even able to make work LAN and VLAN200.
I even tryed one eth port/one VLAN ONLY (172 network, with DHCP), and can’t make it work, so maybe I’m making a mistake that I’m not finding, It’s my first Mikrotik, I had the same configuration ona Cisco Rv320 and also before with a Ubnt Edge router. But I don’t understand how to make it work in Mikrotik.

Thank you

Agu

pcunite · January 18, 2019, 3:33am

See the VLAN post in my signature. I hope to have the routing information added by tomorrow. VLANing with MikroTik will require some learning, which I hope to make simpler for new comers. Take time to read what I’ve put together so that you have the concepts in your head first. Then you can look at the configuration.

amartina · January 18, 2019, 3:01pm

Hi @pcunite,
Thank you for you post, will be really useful for those who doesn’t know how to configure a network.
Last thing a did is reset the router to start a new clean configuration, followed this presentation (https://mum.mikrotik.com/presentations/ID13/khomeini.pdf), but didn’t work
I will appreciate your post.

Thank you

Agu