My VLAN Question

As it always happens, everything worked fine before I touched it…lol

I’ve got 2 networks I want to separate: ether port 5 (10.0.1.1, wireless) and ether port 4 (192.168.20.1, wired), with a common internet connection on ether port 1.

I created VLANs for each network and gave them the addresses 10.0.1.10 (vlan1) and 192.168.20.10 (vlan2). When both are enabled, the networks are unable to communicate with each other, which is what I wanted. BUT when both are enabled, the 10.0.1.1 (wireless) network can access the internet with no issues, while the 192.168.20.1 (wired) network loses its connection to the internet.

If I disable 192.168.20.10 (vlan2), everything goes back to the way it was: everything works, the wireless can see the wired and the wired can see the wireless again.

What did I miss or do wrong?

Post your export.

OK, here it is.

# nov/10/2013 13:07:50 by RouterOS 5.26
# software id = NTDH-3CEJ

/interface ethernet
set 0 comment="Time Warner Internet connection" name="ether2 - Internet" speed=1Gbps
set 4 comment="Internal Network " name=ether4-local speed=1Gbps
set 5 comment="Wireless Network" name=ether5-local

/interface vlan
add comment="Internal Network" interface=ether4-local l2mtu=1516 name=vlan1 vlan-id=1
add comment="wireless network" interface=ether5-local l2mtu=1516 name=vlan2 vlan-id=2

/ip address
add address=10.0.1.1/24 comment="wireless network" interface=ether5-local
add address=192.168.20.1/24 comment="Internal Network" interface=ether4-local
add address=xxx.xxx.xxx.xxx/29 comment="Internet Connection" interface="ether1 - Internet"
add address=192.168.20.2/24 comment="Internal Network VLAN" disabled=yes interface=vlan1
add address=10.0.1.10/24 comment="hotspot network vlan" interface=vlan2

/ip dhcp-server network
add address=10.0.1.0/24 comment="hotspot network" dns-server=10.0.1.1,8.8.4.4,8.8.8.8,68.94.157.1 gateway=10.0.1.1 netmask=24
add address=192.168.20.0/24 comment="Local Network" dns-server=192.168.20.1,8.8.8.8,8.8.4.4,68.94.157.1 gateway=192.168.20.1 netmask=24

/ip firewall filter
add action=drop chain=forward comment="Drop all P2P connections" p2p=all-p2p
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=17w1d chain=input dst-port=21,22 protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=17w1d chain=forward dst-port=21,22 protocol=tcp
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established in-interface="ether1 - Internet"

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.0.1.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat src-address=192.168.20.0/24
add action=masquerade chain=srcnat src-address=172.99.99.0/24

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes

/ip neighbor discovery
set ether3-local disabled=no
set vlan1 disabled=yes
set vlan2 disabled=yes

/ip route
add distance=1 gateway=Internet
add distance=1 gateway=xxx.xxx.xxx.xxx pref-src=xxx.xxx.xxx.xxx
add distance=1 dst-address=192.168.1.0/24 gateway=2-mail-site

If you only want to have two networks, each with dedicated interfaces, VLANs are not needed.

I need the traffic to stay on each network and not see each other.

Just use the firewall filter table to block it (e.g. drop on the forward chain).

Yes, I can do that, but it doesn’t answer the question: why didn’t the VLANs work?

Because they are not properly configured.
It really makes no sense to me what you want to achieve.
Can you draw us a simple network topology?

+1. My guess is that you have the VLANs configured as “trunk” ports instead of “access” ports, meaning that your MikroTik is sending “tagged” packets to the devices on those ports and that the devices need to understand VLANs, which I am guessing they don’t. Usually you want the ports connected to computers etc. as access ports and not trunk ports, or at least hybrid ports (e.g. untagged and tagged data over the same port).

But I agree, to really tell you “why” it is wrong we need to see how you have things connected (e.g. a diagram).

It didn’t work because you have the same subnets applied to two distinct interfaces. e.g. subnet 192.168.20.0/24 is on both interface ether4-local and interface vlan1.

By default RouterOS will route among connected networks. To stop it doing so use filters in the forward chain.
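The two points in this reply, a subnet that is connected on more than one interface and a forward-chain drop to stop the router routing between the two networks, can both be checked mechanically against an export. The script below is an added example for this thread, not code from the thread or from MikroTik. It parses the `/ip address` section of a RouterOS export (assuming the RouterOS 5/6 export format: `key=value` tokens, a trailing `\` for line continuation), reports any prefix that is live on more than one interface (entries with `disabled=yes` are skipped), and generates the forward-chain drop rules the replies suggest for the interfaces you name. The export text inside it is a constructed sample modelled on the posted config, with the public /29 left out; the interface names passed to `isolation_rules` are an assumption about which ports are the LANs.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, modelled on the /ip address section of the export posted
# in this thread (not the original file). RouterOS wraps long lines with a
# trailing backslash and an indented continuation line; the post lost those,
# so this sample restores them to exercise the unwrapping.
SAMPLE_EXPORT = """\
/ip address
add address=10.0.1.1/24 comment="wireless network" interface=ether5-local
add address=192.168.20.1/24 comment="Internal Network" interface=ether4-local
add address=192.168.20.2/24 comment="Internal Network VLAN" disabled=yes \\
    interface=vlan1
add address=10.0.1.10/24 comment="hotspot network vlan" interface=vlan2
/ip firewall filter
add action=drop chain=forward comment="Drop all P2P connections" p2p=all-p2p
"""

# key=value tokens; values may be double-quoted (comments, interface names with spaces)
_KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def _unwrap(text):
    """Join RouterOS continuation lines (trailing backslash, indented next line)."""
    lines = []
    for raw in text.splitlines():
        if lines and (lines[-1].endswith("\\") or raw[:1].isspace()):
            lines[-1] = lines[-1].rstrip("\\").rstrip() + " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_export(text):
    """Return {section: [ {key: value, ...}, ... ]} for every 'add' line."""
    sections = defaultdict(list)
    section = None
    for line in _unwrap(text):
        if line.startswith("/"):
            section = line.strip()
        elif section and line.startswith("add "):
            sections[section].append(
                {k: v.strip('"') for k, v in _KV.findall(line[4:])})
    return sections


def overlapping_connected_subnets(export):
    """Prefixes that are enabled on more than one interface.

    Every enabled /ip address entry becomes a connected route, so the same
    prefix on two interfaces gives the router two equal routes for it and
    traffic can leave by the wrong port. Disabled entries are ignored.
    """
    by_net = defaultdict(list)
    for entry in export.get("/ip address", []):
        if entry.get("disabled") == "yes":
            continue
        net = ipaddress.ip_interface(entry["address"]).network
        by_net[net].append(entry["interface"])
    return sorted(((net, ifaces) for net, ifaces in by_net.items() if len(ifaces) > 1),
                  key=lambda t: str(t[0]))


def isolation_rules(export, lan_interfaces):
    """Forward-chain drop rules between every pair of distinct live LAN prefixes.

    Only addresses on lan_interfaces are used, so the WAN prefix is never
    isolated from the LANs (that would cut the internet path).
    """
    nets = sorted({str(ipaddress.ip_interface(e["address"]).network)
                   for e in export.get("/ip address", [])
                   if e.get("disabled") != "yes" and e["interface"] in lan_interfaces})
    rules = ["/ip firewall filter"]
    for src in nets:
        for dst in nets:
            if src != dst:
                rules.append(f'add action=drop chain=forward src-address={src} '
                             f'dst-address={dst} comment="isolate {src} from {dst}"')
    return rules


if __name__ == "__main__":
    export = parse_export(SAMPLE_EXPORT)
    for net, ifaces in overlapping_connected_subnets(export):
        print(f"{net} is live on more than one interface: {', '.join(ifaces)}")
    # Assumed LAN ports for this thread's layout.
    print("\n".join(isolation_rules(export, {"ether4-local", "ether5-local"})))
```

`add` appends to the end of the chain, so if a forward `accept` rule already sits above the new drops they will never match; put them first with `place-before=` or move them up in the rule list. The overlap check reports the enabled entries only, which is why a disabled VLAN address does not trigger it.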

Didn’t even notice that. Good call.


OK, here’s a quick diagram:
[attached diagram: vlan.jpeg]

You don’t need vlans for that at all. Just run each port as its own network and block cross traffic with the firewall.


Yes, VLANs are needed for this setup. I’m not getting into why or who says so, they need to be in place.

No, they are useless in your setup. You just have different ports with different networks.
Your firewall rules should prevent inter-range communication.
VLANs come into the picture when different networks need to be spread over several devices.

Based on your diagram one thing isn’t clear. I assume that the devices on each network don’t understand VLANs correct? e.g. ether ports 4 and 5 should be access ports and not trunk ports?

Even if the connected devices are VLAN-aware, it makes no sense using them. It won’t give additional functionality or security.

Oh yeah. I completely agree with that, but the whole trunk port vs access port certainly doesn’t help make it at least functional. I entirely agree that VLANs offer no benefit here.