No inter-vlan nor internet access

VincentdeWit · August 15, 2023, 8:28am

Hi all,

We have been trying to setup our new Mikrotik CCR.
What we want to achieve is the following:

WAN on ether1 connected to ISP router with fixed IP 192.168.1.200
Different VLANS for different purposes (apartments, management, office, wireless access points)
Each VLAN has a DHCP server
Wireless access points will tag traffic based on SSID through Aruba AP22
Bridge vlans has a default tag of 4 and vlan-filtering enabled

For testing purposes we have added an access port on ETH4 (interface listn ACCESS-VLAN-31) and we can get an IP from the DHCP server.
But when we try to access any other VLAN or ping to 8.8.8.8 or something else, it does not seem to work.

When we ping 8.8.8.8 from the web interface through eth1, it works. We thought it would be a NAT issue, and thus added a srcnat rule, but does not work.

Any ideas?

# 2023-08-15 10:16:17 by RouterOS 7.10.2
# software id = **ELIDED**
#
# model = CCR2004-16G-2S+
# serial number = **ELIDED**

/interface bridge
add name=local
add name=vlans pvid=4 vlan-filtering=yes

/interface vlan
add interface=vlans name=vlan.condominiums.10 vlan-id=10
add interface=vlans name=vlan.condominiums.20 vlan-id=20
add interface=vlans name=vlan.condominiums.30 vlan-id=30
add interface=vlans name=vlan.condominiums.31 vlan-id=31
add interface=vlans name=vlan.condominiums.40 vlan-id=40
add interface=vlans name=vlan.management.85 vlan-id=85
add interface=vlans name=vlan.office.90 vlan-id=90
add interface=vlans name=vlan.wireless.4 vlan-id=4

/interface list
add name=WAN
add name=LAN
add name=TRUNK
add name=ACCESS-VLAN-31
add name=VLAN
add name=MANAGEMENT
add include=VLAN,TRUNK,ACCESS-VLAN-31 name=WAN-ACCESS
add include=MANAGEMENT,VLAN,TRUNK,LAN,WAN name=ADMIN-ACCESS

/ip pool
add name=dhcp.pool.bridge.wireless ranges=172.16.4.2-172.16.4.254
add name=dhcp.pool.vlan.10 ranges=172.16.10.2-172.16.10.254
add name=dhcp.pool.vlan.20 ranges=172.16.20.2-172.16.20.254
add name=dhcp.pool.vlan.30 ranges=172.16.30.2-172.16.30.254
add name=dhcp.pool.vlan.31 ranges=172.16.31.2-172.16.31.254
add name=dhcp.pool.vlan.40 ranges=172.16.40.2-172.16.40.254
add name=dhcp.pool.vlan.85 ranges=172.16.85.2-172.16.85.254
add name=dhcp.pool.vlan.90 ranges=172.16.90.2-172.16.90.254

/ip dhcp-server
add address-pool=dhcp.pool.vlan.10 interface=vlan.condominiums.10 lease-time=\
    10m name=dhcp.vlan.10 server-address=172.16.10.1
add address-pool=dhcp.pool.vlan.20 interface=vlan.condominiums.20 lease-time=\
    10m name=dhcp.vlan.20 server-address=172.16.20.1
add address-pool=dhcp.pool.vlan.30 interface=vlan.condominiums.30 lease-time=\
    10m name=dhcp.vlan.30 server-address=172.16.30.1
add address-pool=dhcp.pool.vlan.40 interface=vlan.condominiums.40 lease-time=\
    10m name=dhcp.vlan.40 server-address=172.16.40.1
add address-pool=dhcp.pool.vlan.31 interface=vlan.condominiums.31 lease-time=\
    10m name=dhcp.vlan.31 server-address=172.16.31.1
add address-pool=dhcp.pool.vlan.90 interface=vlan.office.90 lease-time=10m \
    name=dhcp.vlan.90 server-address=172.16.90.1
add address-pool=dhcp.pool.vlan.85 interface=vlan.management.85 lease-time=\
    10m name=dhcp.vlan.85 server-address=172.16.85.1
add address-pool=dhcp.pool.bridge.wireless interface=vlan.wireless.4 \
    lease-time=10m name=dhcp.vlan.4 server-address=172.16.4.1

/port
set 0 name=serial0
set 1 name=serial1

/interface bridge port
add bridge=vlans interface=TRUNK pvid=4
add bridge=vlans frame-types=admit-only-untagged-and-priority-tagged \
    interface=ACCESS-VLAN-31 pvid=31

/interface bridge settings
set use-ip-firewall-for-vlan=yes

/ip neighbor discovery-settings
set discover-interface-list=ADMIN-ACCESS lldp-med-net-policy-vlan=1

/ipv6 settings
set disable-ipv6=yes

/interface bridge vlan
add bridge=vlans tagged=ether9,ether10,ether11,ether12,vlans vlan-ids=\
    4,10,20,30,40,85,90
add bridge=vlans tagged=vlans vlan-ids=31

/interface detect-internet
set detect-interface-list=WAN

/interface list member
add interface=ether1 list=WAN
add list=LAN
add interface=ether9 list=TRUNK
add interface=ether10 list=TRUNK
add interface=ether11 list=TRUNK
add interface=ether12 list=TRUNK
add interface=ether4 list=ACCESS-VLAN-31
add interface=ether16 list=MANAGEMENT
add interface=vlan.condominiums.10 list=VLAN
add interface=vlan.condominiums.20 list=VLAN
add interface=vlan.condominiums.30 list=VLAN
add interface=vlan.condominiums.31 list=VLAN
add interface=vlan.condominiums.40 list=VLAN
add interface=vlan.management.85 list=VLAN
add interface=vlan.office.90 list=VLAN
add interface=vlan.wireless.4 list=VLAN

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
add address=172.16.10.1/24 interface=vlan.condominiums.10 network=172.16.10.0
add address=172.16.20.1/24 interface=vlan.condominiums.20 network=172.16.20.0
add address=172.16.30.1/24 interface=vlan.condominiums.30 network=172.16.30.0
add address=172.16.40.1/24 interface=vlan.condominiums.40 network=172.16.40.0
add address=172.16.4.1/24 interface=vlan.wireless.4 network=172.16.4.0
add address=172.16.90.1/24 interface=vlan.office.90 network=172.16.90.0
add address=172.16.85.1/24 interface=vlan.management.85 network=172.16.85.0
add address=172.16.31.1/24 interface=vlan.condominiums.31 network=172.16.31.0
add address=192.168.1.200/24 interface=ether1 network=192.168.1.0

/ip dhcp-client
add disabled=yes interface=ether1

/ip dhcp-server network
add address=172.16.1.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=172.16.1.1 \
    netmask=24
add address=172.16.4.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=172.16.4.1 \
    netmask=24
add address=172.16.10.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=172.16.10.1 \
    netmask=24
add address=172.16.20.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=172.16.20.1 \
    netmask=24
add address=172.16.30.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=172.16.30.1 \
    netmask=24
add address=172.16.31.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=172.16.31.1 \
    netmask=24
add address=172.16.40.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=172.16.40.1 \
    netmask=24
add address=172.16.90.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=172.16.90.1 \
    netmask=24

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=forward in-interface-list=WAN-ACCESS \
    out-interface-list=WAN
add action=accept chain=input in-interface-list=VLAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=VLAN
add action=accept chain=input in-interface-list=MANAGEMENT
add action=accept chain=input in-interface-list=LAN
add action=accept chain=forward comment=\
    "accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid

/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    pref-src="" routing-table=main suppress-hw-offload=no

/system clock
set time-zone-name=Europe/Madrid

/system identity
set name=**ELIDED**

/system note
set show-at-login=no

/system routerboard settings
set enter-setup-on=delete-key

anav · August 15, 2023, 11:05am

Draw a network diagram as the explanation is not clear.

VincentdeWit · August 15, 2023, 3:14pm

Does this make sense?
20230815 - Network diagram.drawio.png

anav · August 15, 2023, 8:45pm

Wireless AP makes no sense to me,
You have vlan 4 tagged and untagged?

Is this a Ubiquiti? where the management vlan comes in untagged from the router??
THen a hybrid would make sense.

Dont get ether2, that would vlan4 untagged if that is the management vlan ???

VincentdeWit · August 15, 2023, 9:28pm

Thanks for your response and sorry for the confusing VLAN 4.

I wanted to create a separate VLAN for the wireless access points; they are going to be Aruba AP22’s and my initial thought was to allow them to be easily added without the need to config them with a vlan, and also add a separate SSID which tags VLAN 4 for access to the AP’s VLAN.
Ether 2 is not yet in a VLAN and is configured with a static address now, to make sure that whenever i get locked out I can access the MT web interface.

anav · August 15, 2023, 10:08pm

Doesnt matter what the devices are, all smart devices (can read vlan tags) should get their IP from the same management subnet.

The best way to configure for safety is to do an off bridge etheport setup, probably what your doing but here is some reading.
https://forum.mikrotik.com/viewtopic.php?t=181718

VincentdeWit · August 16, 2023, 6:17am

Thanks for the guide! I will try to do make some changes based on that.
Any ideas on how to debug why the vlan traffic is not routing the traffic to the default gateway and thus not allowing to have internet?
I tried on all VLANs now, but none of them seem to do it.

VincentdeWit · August 16, 2023, 11:36am

Seems that after installing 7.11 upgrade all seems to be working now, thanks anyways!