No internet connection on VLAN

RouterOS Beginner Basics
1

I have a RB3011 that has 5 VLAN’s setup on port 6. I am able to pass these VLAN’s to my CSS326-24g Switch wit no problem. The issue I have is that I am able to aquire the correct VLAN address on the proper switch port on the CSS but I get no internet connection. I do get the following…
IP Address
Subnet
Gateway
DNS
Here is my config file for the 3011
3011config.rsc (5.02 KB)

2

Why is your WAN connection setup with DHCP and pool, and even on bridge etc… ??
It is dhcp client only…

DHCP server networks are missing dns-server=
add address=100.100.11.0/24 gateway=100.100.11.1 dns-server=100.100.11.1

Interface list members is missing all the vlans list=LAN

3

Thank you so very much. This is my first attempt at VLAN config. I will do your changes and repost my results.

4

Oh in that case,
please read this excellent reference.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
I personally use vlans for all subnets and the only thing the bridge does is bridging.

5

I applied your instructions and it is working just fine now. I guess I messed up when I attempted the first config. Can I post my new config file for your review?

6

Here is my new config file with the VLANS working. I would appreciate it if you could look at it and see if there are any issues. If all is well with the firewall settings I am going to reconfigure this from scratch with these settings.
3011Vlans.rsc (4.93 KB)

7

This can be set to NONE, known to cause issues…
/interface detect-internet
set detect-interface-list=WAN

Still dont see your DNS server settings…
/ip dhcp-server network
add address=100.100.11.0/24 gateway=100.100.11.1 dns-server=100.100.11.1
add address=100.100.12.0/24 gateway=100.100.12.1 etc
add address=100.100.13.0/24 gateway=100.100.13.1 etc
add address=100.100.14.0/24 gateway=100.100.14.1 etc
add address=100.100.15.0/24 gateway=100.100.15.1 etc
add address=192.168.100.0/24 gateway=192.168.100.1 etc

This should be set to NONE
/tool mac-server
set allowed-interface-list=LAN

Left over from default settings, can be removed.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

Maybe add some decent DNS servers from the net
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9,9,9

8

I am going to start over with no configuration in the 3011. Maybe I can understand my error by doing that from scratch.

9

Learning from my mistakes is a wonderful thing. Thanks for all the pointers and help.

10

UPDATE ON MY ISSUE

After a reset of RB3011 and removing factory config I was able to create a completed VLAN configuration on the router. I also have a CSS326-24g setup to accept my VLANS from the RB3011. All is well with this setup. I have been able to understand the VLAN setup in the RB and the CSS. My next task is to setup a proper firewall in the 3011. Is there any example of a good firewall setup for the 3011?

Here is my Setup on the 3011
no-firewall-settings.rsc (3.16 KB)

11

Start with rextended default settings as listed at the below link.
This is what you need to get started.
http://forum.mikrotik.com/t/buying-rb1100ahx4-dude-edition-questions-about-firewall/148996/4

Then I would recommend moving from an allow concept of the default settings. to a block everything concept and only allow what you specifically need to have.
The reason for not going straight to the latter concept is that its really good to learn what the rules are doing and thus once you understand the firewall rules, then move forward.

http://forum.mikrotik.com/t/default-firewall-config/134431/13

12

On your config some changes required

Add DNS server on the DHCP network settings AND REMOVE WHAT YOU HAVE DONE FOR adding DNS servers under IP DNS.

/ip dhcp-server network
add address=10.2.2.0/24 gateway=10.2.2.1 dns-server=10.2.2.1 do this for all of them - should match the gateway!!
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.11.0/24 gateway=10.10.11.1
add address=10.10.12.0/24 gateway=10.10.12.1
add address=10.10.13.0/24 gateway=10.10.13.1
add address=10.10.14.0/24 gateway=10.10.14.1
add address=10.10.15.0/24 gateway=10.10.15.1
add address=10.10.16.0/24 gateway=10.10.16.1
add address=100.100.25.0/27 gateway=100.100.25.1
add address=100.100.25.0/24 gateway=100.100.25.1

For DNS servers just add a few good DNS servers that the router can use …
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1 etc…


Sourcenat rules need fixing.
Remove the first one as it does nothing helpful.
The rest as well.
Alll you need is
add action=masquerade chain=srcnat out-interface-list=WAN

13

Thank you so very much for the input. I will perform the changes requested and let you know how it goes. Again, thank you very much.

14

SUCESS!!!

The firewall is back to normal and I have tested all VLANS on the router and switch for proper communications and blocking of inter-VLAN communication. I have a management network set and that works flawlessly on the switch.

My next task is to fully understand the firewall setup in order to use some advanced settings. Overall I am very happy now that I have a much better concept of VLAN configuration on the Router and Switch.

You have been a great resource for quality help with my understanding configuration methods and proper setup. Thank you so very, very much. I only hope I can repay the forum with some knowledge of my own in the future.
Working_Well.rsc (3.9 KB)

15

Well I did have an ulterior motive…
I wanted to hear … INDIANA WANTS ME … ;-)))))))

16

You have been very helpful to me .I do appreciate your help.

17

Here you go with a continuing thank you for all you do in the Forum.
https://www.youtube.com/watch?v=eG2LI1hb35U

18

Here Is your song you requested
https://www.youtube.com/watch?v=eG2LI1hb35U

19

Here you go with a continuing thank you for all you do in the Forum.
https://www.youtube.com/watch?v=eG2LI1hb35U