No internet access to Vlan

Hi,

I have a CRS125-24G-1S with the following setup:

cisco (192.168.0.1) → mikrotik (192.168.0.3) → Internal network (192.168.0.0/24), → VLAN2 (192.168.100.0/24)

Vlan2 is tagged with vlanid 500 from an AP, and cisco is my external gateway.

I have set up DHCP for vlan2 in mikrotik, and clients connecting to the AP get their IPs correctly, but they don’t have internet. DNS is working for them.

This is my config

/interface ethernet
set [ find default-name=ether1 ] name=ether1-master-local
set [ find default-name=ether2 ] master-port=ether1-master-local name=ether2-slave-local
set [ find default-name=ether3 ] master-port=ether1-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether1-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether1-master-local name=ether5-slave-local
set [ find default-name=ether6 ] master-port=ether1-master-local name=ether6-slave-local
set [ find default-name=ether7 ] master-port=ether1-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether1-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether1-master-local name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether1-master-local name=ether10-slave-local
set [ find default-name=ether11 ] master-port=ether1-master-local name=ether11-slave-local
set [ find default-name=ether12 ] master-port=ether1-master-local name=ether12-slave-local
set [ find default-name=ether13 ] master-port=ether1-master-local name=ether13-slave-local
set [ find default-name=ether14 ] master-port=ether1-master-local name=ether14-slave-local
set [ find default-name=ether15 ] master-port=ether1-master-local name=ether15-slave-local
set [ find default-name=ether16 ] master-port=ether1-master-local name=ether16-slave-local
set [ find default-name=ether19 ] master-port=ether17
set [ find default-name=ether20 ] master-port=ether17
set [ find default-name=ether21 ] master-port=ether1-master-local name=ether21-slave-local
set [ find default-name=ether22 ] master-port=ether1-master-local name=ether22-slave-local
set [ find default-name=ether23 ] master-port=ether1-master-local name=ether23-slave-local
set [ find default-name=ether24 ] master-port=ether1-master-local name=ether24-slave-local
set [ find default-name=sfp1 ] master-port=ether1-master-local name=sfp1-slave-local
/interface vlan
add interface=ether1-master-local l2mtu=1584 name=vlan2 vlan-id=500
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp_pool3 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp_pool3 disabled=no interface=vlan2 name=dhcp2
/system logging action
add name=remotesyslog remote=192.168.0.40 src-address=192.168.0.3 target=remote
/ip firewall connection tracking
set enabled=yes
/ip address
add address=192.168.0.3/24 comment="added by setup" interface=ether1-master-local network=192.168.0.0
add address=192.168.100.1/24 interface=vlan2 network=192.168.100.0
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.0.3 gateway=192.168.100.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.0.12,192.168.0.14
/ip route
add comment="added by setup" distance=1 gateway=192.168.0.1

Any help on how to give internet access to the VLAN will be appreciated.

What happens if you add this:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan2

Are you able to surf? If so, you should either leave that masquerading on, or add proper routes/NAT rules to the Cisco.

Static route in the Cisco is the way to go:

config t
ip route 192.168.100.0 255.255.255.0 192.168.0.3
end
wr mem

Oh - and make sure that your NAT rule in the Cisco will also match packets from 192.168.100.0/24

Usually there’s a rule like this:
ip nat inside source list NAT_LIST interface FastEthernet0/1 overload
(list name/number and interface will vary)

Look at the list - if it contains a rule:
permit ip any any
then you’re set.
If it only permits ip 192.168.0.0 0.0.0.255 any, then you’ll need to add a new entry for 192.168.100.0
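
Added example, not part of the thread or of anyone's posted config: a Python check over a constructed Cisco running-config excerpt that tests the two conditions raised in the replies above, namely whether the ACL behind the overload NAT rule permits 192.168.100.0/24 and whether a static route sends that subnet back to 192.168.0.3. The ACL layout and the function names are assumptions; only permit entries are evaluated, so deny lines and entry ordering are not modelled.

```python
import ipaddress
import re

# Constructed running-config excerpt. NAT_LIST, FastEthernet0/1 and the
# addresses come from the thread; the ACL layout is assumed for illustration.
BEFORE = """\
ip nat inside source list NAT_LIST interface FastEthernet0/1 overload
ip access-list extended NAT_LIST
 permit ip 192.168.0.0 0.0.0.255 any
"""
AFTER = BEFORE + """\
 permit ip 192.168.100.0 0.0.0.255 any
ip route 192.168.100.0 255.255.255.0 192.168.0.3
"""
PERMIT = re.compile(r"(?:\d+ )?permit (?:ip )?(?:(any)|host (\S+)|(\d\S*) (\d\S*))")

def permitted_sources(config, acl):
    """Source networks permitted by ACL `acl` (named or numbered); deny lines ignored."""
    nets, current = [], None
    for line in config.splitlines():
        head = re.match(r"ip access-list \S+ (\S+)", line)
        numbered = re.match(r"access-list (\S+) (.*)", line)
        if head or not (numbered or line.startswith(" ")):
            current = head.group(1) if head else None
            continue
        name, rule = numbered.groups() if numbered else (current, line.strip())
        m = PERMIT.match(rule)
        if name != acl or not m:
            continue
        any_src, host, addr, wild = m.groups()
        if any_src:
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif host:
            nets.append(ipaddress.ip_network(host))
        else:  # a Cisco wildcard mask is the bitwise inverse of a netmask
            mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF)
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets

def check(config, subnet):
    """Report whether `subnet` is covered by the overload NAT ACL and has a return route."""
    net = ipaddress.ip_network(subnet)
    nat = re.search(r"^ip nat inside source list (\S+) interface \S+ overload", config, re.M)
    acl = nat.group(1) if nat else None
    covered = any(net.subnet_of(s) for s in permitted_sources(config, acl)) if acl else False
    hop = None
    for a, m, gw in re.findall(r"^ip route (\S+) (\S+) (\S+)", config, re.M):
        dest = ipaddress.ip_network(f"{a}/{m}", strict=False)
        if dest.prefixlen and net.subnet_of(dest):  # the default route does not count
            hop = gw
    return {"acl": acl, "nat_covers": covered, "return_route": hop}
```

Calling `check(BEFORE, "192.168.100.0/24")` reports the subnet as neither translated nor routed, while `check(AFTER, "192.168.100.0/24")` reports both conditions met.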