Need help with two VLANs inside a network

I just bought a RB2011 to serve as a VLAN ‘splitter’ and as a hotspot.

Situation:
I got one ADSL modem from my ISP. It’s in the network 192.168.2.0/24
I got one router for internal purposes, in the network 192.168.0.0/24

The ADSL modem is connected to a TP-LINK managed switch on port 1, the DrayTek on port 2.
The TP-Link switch trunks port1 (vlan1) and port2 (vlan2) to port 3.

There’s a cable between the TP-link and my RB2011 (on ether1).
The RB2011 is standard config, so it has the 192.168.88.0/24 network and standard settings.

Goal:
ether1 must be the incoming port (so the cable from the TP-link with vlan1 and vlan2).
ether2-5 and wlan1 and a hotspot on wlan2 (a VAP for wlan1) are for internet (vlan1).
ether 6-10 for the internal network (vlan2).

What have I done so far:
I created two new vlan interfaces: vlan_1_e1 (vlan1 on ether1) and vlan_2_e1 (vlan2 on ether1).

I broke bridge-local, made two new bridges:
bridge_vlan1 with vlan_1_e1, ether2-5, wlan1 and wlan2
bridge_vlan2 with vlan_2_e1, ether6-master

Furthermore, I enabled DHCP client on vlan_1_e1 so I get an IP from my ADSL modem.
That one works. I don’t have internet, but after adding NAT I can access the internet on ether2-5 and wlan1 (and on my hotspot).

When I plug the cable into ether7 for example, I get an IP address from the DrayTek router, but I can’t access it.
I tried adding DHCP client on vlan_2_e1, I tried NAT, I tried everything, but no access to 192.168.0.0/24.
Also, the internet is inaccessible when I am plugged into ether7. Even wlan1 can’t access the internet. When I check the LCD screen for stats on ether1, I see a peak in Tx every 2 seconds. Maybe there are collisions or loops?

When I unplug the cable in ether7 or vlan2, the internet is fast and normally accessible.

This is my first experience with such advanced routers, so I must have forgotten some crucial things. Can someone help me?
It seems to me that maybe I am routing with the MikroTik, which is not needed because the ISP modem is the main router, and the MikroTik only has to split the two VLANs into two networks…?

Please share your config

I will share it this afternoon, not at home right now.

By the way, here is a visualization of what I want

My config (I just printed the config of /ip and /interface, don’t know what you want to see)

[admin@MTRouter] /ip> export
# jan/02/1970 02:00:11 by RouterOS 6.15
# software id = xxxxxxxxxxxxxxxxxxxxxxxxxxxx
#
/ip hotspot profile
add hotspot-address=10.5.50.1 login-by=cookie,http-chap,trial name=hsprof1
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=hs-pool-14 ranges=10.5.50.2-10.5.50.254
add name=VPN_IP ranges=10.0.0.10-10.0.0.20
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=bridge_vlan1 network=192.168.88.0
add address=10.5.50.1/24 comment="hotspot network" interface=wlan2 network=10.5.50.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=sfp1-gateway
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=vlan_1_e1
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=vlan_2_e1
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge_vlan1 lease-time=10m name=default
add address-pool=hs-pool-14 disabled=no interface=wlan2 lease-time=1h name=dhcp1
/ip dhcp-server network
add address=10.5.50.0/24 comment="hotspot network" gateway=10.5.50.1
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="default configuration" out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.5.50.0/24 to-addresses=0.0.0.0
/ip hotspot
add address-pool=hs-pool-14 disabled=no interface=wlan2 name=hotspot1 profile=hsprof1
/ip hotspot user
add name=admin
/ip upnp
set allow-disable-external-interface=no

Interface:

[admin@MTRouter] /interface> export
# jan/02/1970 02:02:18 by RouterOS 6.15
# software id = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
#
/interface bridge
add admin-mac=4C:5E:xxxxxxxx:5F auto-mac=no l2mtu=1594 name=bridge_vlan1
add l2mtu=1594 name=bridge_vlan2
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=ether10-slave-local
set [ find default-name=sfp1 ] name=sfp1-gateway
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=indoors l2mtu=2290 mode=ap-bridge ssid="Private"
add disabled=no l2mtu=2290 mac-address=4E:5E:xxxxxxx:68 master-interface=wlan1 name=wlan2 ssid="FreeWifi" wds-cost-range=0 wds-default-cost=0
/interface vlan
add interface=ether1-gateway l2mtu=1594 name=vlan_1_e1 vlan-id=1
add interface=ether1-gateway l2mtu=1594 name=vlan_2_e1 vlan-id=2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge_vlan1 interface=ether2
add bridge=bridge_vlan1 interface=ether3
add bridge=bridge_vlan1 interface=ether4
add bridge=bridge_vlan1 interface=ether5
add bridge=bridge_vlan2 interface=ether6-master-local
add bridge=bridge_vlan1 interface=wlan1
add bridge=bridge_vlan2 interface=vlan_2_e1
add bridge=bridge_vlan1 interface=vlan_1_e1
/interface pptp-server server
set default-profile=VPNserver enabled=yes

Can someone help me with this please? Maybe a small idea?

Is it so complicated what I want to do?

I tried something and now I have a working config:
It seemed that I enabled ‘Add default route’ when adding DHCP client for vlan_2_e1. I disabled that one, and now vlan1 (ether2-5) and vlan2 (ether 6-10) are separated.

However, I’m still not satisfied. If you put the stats graph (bandwidth graph) on the LCD screen for ether1-gateway, you see a spike of 600kbps Rx every 2 seconds and no Tx (hardly any). What does this mean? Collisions or loops? I am new to this.

Besides, there’s still something not good. For me, the Mikrotik just has to split vlan 2 (from the trunk) into some untagged ports (ether 6-10). Just a simple, plain, ‘stupid’ switch. Completely apart from vlan1, no connections whatsoever with 192.168.88.0/24.

And a new idea: I need to have IPTV on one of the ports in the 192.168.2.0 network. So I thought of adding vlan3 (two cables from the ISP modem, one for VLAN1 and one for VLAN3). I made a new bridge (bridge_vlan3) with only ether4 in it and vlan_3_e1, but I managed to get a 192.168.88.0 IP address by DHCP!!

So the Mikrotik is also giving out IP addresses on ether1-gateway (not necessary, only on wlan1 and ether2-5!!!). So I get an IP address via VLAN1 via the built-in switch in the ISP modem, back on the vlan3 cable, back on ether4! Why?! How can I remove ether1 from the DHCP server while it still is added to bridge_vlan1?

I am new to the advanced routers and Mikrotiks, and I don’t understand a thing… hopefully someone can explain what I am doing wrong. It feels that it has to be a simple thing but I don’t know it anymore… somebody please?!
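The layout the poster asks for in the last two posts (the RB2011 as a plain VLAN splitter, the ISP modem as the only router), written out as an added RouterOS 6 script that is not the poster's export: the vlan2 bridge carries no IP at all, the RB takes its one lease on bridge_vlan1 rather than on the slave port vlan_1_e1, and the 192.168.88.0/24 DHCP server is gone, which is what let the RB answer DHCP requests arriving back through the ISP modem's switch (a rogue DHCP server on the ISP's segment). Assumptions: interface names are the ones in the export above, and the hotspot rules at the end keep FreeWifi clients off the private 192.168.2.0/24 segment.

```routeros
# Added example, not the poster's export: "plain splitter" layout.
# The ISP modem stays the router for vlan1; the DrayTek for vlan2.

/interface vlan
add interface=ether1-gateway name=vlan_1_e1 vlan-id=1
add interface=ether1-gateway name=vlan_2_e1 vlan-id=2

# Two pure Layer 2 bridges. No DHCP client and no address on vlan_2_e1 or
# bridge_vlan2, so the RB never routes between 192.168.2.0/24 and
# 192.168.0.0/24 and cannot pick up a second default route (the outage
# the poster traced to 'Add default route' on vlan_2_e1).
/interface bridge
add name=bridge_vlan1 comment="ISP vlan1: internet side"
add name=bridge_vlan2 comment="DrayTek vlan2: internal, L2 only, no IP"
/interface bridge port
add bridge=bridge_vlan1 interface=vlan_1_e1
add bridge=bridge_vlan1 interface=ether2
add bridge=bridge_vlan1 interface=ether3
add bridge=bridge_vlan1 interface=ether4
add bridge=bridge_vlan1 interface=ether5
add bridge=bridge_vlan1 interface=wlan1
add bridge=bridge_vlan2 interface=vlan_2_e1
add bridge=bridge_vlan2 interface=ether6-master-local

# The only address the RB itself needs: a lease from the ISP modem, taken on
# the bridge (not on the slave port), used for management and as the hotspot
# uplink. Clients on ether2-5/wlan1 get 192.168.2.x from the modem directly,
# so there is no RB DHCP server left to leak offers into the ISP's segment.
/ip dhcp-client
add interface=bridge_vlan1 add-default-route=yes disabled=no

# The hotspot stays a routed island on wlan2 and is NATed out via bridge_vlan1.
/ip address
add address=10.5.50.1/24 interface=wlan2 comment="hotspot network"
/ip pool
add name=hs-pool-14 ranges=10.5.50.2-10.5.50.254
/ip dhcp-server
add address-pool=hs-pool-14 interface=wlan2 name=dhcp1 disabled=no
/ip dhcp-server network
add address=10.5.50.0/24 gateway=10.5.50.1 dns-server=10.5.50.1
/ip firewall nat
add chain=srcnat action=masquerade src-address=10.5.50.0/24 out-interface=bridge_vlan1
# Hotspot guests get the internet only, not the private ISP-side segment
# (assumed hardening, not from the thread).
/ip firewall filter
add chain=forward action=drop src-address=10.5.50.0/24 dst-address=192.168.2.0/24
```

After applying this, the default input drop rule on ether1-gateway matches nothing, because frames from the modem now enter the router as bridge_vlan1; management on the 192.168.2.x address is reachable from the whole vlan1 segment unless /ip service or input rules restrict it.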