No traffic between VLANs regardless of firewall

Hello,

I tried to create VLANs on my Mikrotik router, but my two computers are not able to ping each other unless they are in the same VLAN. Apart from the devices in their own VLAN, they can only ping their VLAN gateway and the router itself (172.16.10.1). I use the default Mikrotik firewall settings, but the firewall does not seem to be the cause, because ping does not work even with the entire firewall disabled (except for a testing "accept all" rule).

Example:
PC1 in VLAN 60 with IP 172.16.60.1 can ping PC2 in the same VLAN with IP 172.16.60.2 (and both their GW 172.16.60.88 and the router 172.16.10.1)
but ping doesn’t work when PC2 is in VLAN 50 with IP 172.16.50.2 (tracert from PC1 ends with * * * after 172.16.60.88 – Request timed out.)

What could I have set up wrong or be missing?
Thank you in advance.


# 2024-01-06 21:46:52 by RouterOS 7.13
# software id = IU8T-YSM6
#
# model = RBD53iG-5HacD2HnD
# serial number = blabla
/interface bridge
# One bridge holding every LAN port. vlan-filtering is not set here, so the
# bridge forwards tagged and untagged frames alike and the /interface vlan
# entries below are the only place where VLAN 50/60/70 are told apart.
add admin-mac=18:FD:blabla auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface wireless
# Both radios keep the default SSID "MikroTik"; WPS is disabled on both.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country="blabla" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik \
    wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40/80mhz-XXXX country="blabla" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik wireless-protocol=802.11 wps-mode=disabled
/interface vlan
# Router-side (CPU-facing) VLAN interfaces on top of the bridge for the three
# LAN VLANs; VLAN 848 on ether1 carries the ISP PPPoE session.
add interface=bridge name=vlan50 vlan-id=50
add interface=bridge name=vlan60 vlan-id=60
add interface=bridge name=vlan70 vlan-id=70
add interface=ether1 name=vlan848 vlan-id=848
/interface pppoe-client
# pppoe-isp is the real upstream interface (it installs the default route),
# but only ether1 is a member of the WAN interface list (see
# /interface list member), so rules keyed on in-interface-list=WAN do not
# match traffic arriving over this session.
add add-default-route=yes disabled=no interface=vlan848 max-mru=1492 max-mtu=1492 name=pppoe-isp user=blabla
/interface list
# Default interface lists; the firewall filter and NAT rules match on these.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# wpa-psk (WPA1) is still offered next to wpa2-psk; WPA1 is deprecated, so
# prefer wpa2-psk alone unless a legacy client genuinely needs WPA1.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
# "dhcp" serves the bridge's own /16 network; each VLAN pool skips .88, which
# is the router's address on that VLAN interface (see /ip address).
add name=dhcp ranges=172.16.201.0-172.16.255.254
add name=dhcp_pool50 ranges=172.16.50.1-172.16.50.87,172.16.50.89-172.16.50.254
add name=dhcp_pool60 ranges=172.16.60.1-172.16.60.87,172.16.60.89-172.16.60.254
add name=dhcp_pool70 ranges=172.16.70.1-172.16.70.87,172.16.70.89-172.16.70.254
/ip dhcp-server
# One DHCP server per layer-3 interface: the untagged bridge and each VLAN.
add address-pool=dhcp interface=bridge lease-time=12h name=defconf
add address-pool=dhcp_pool50 interface=vlan50 lease-time=12h name=dhcp50
add address-pool=dhcp_pool60 interface=vlan60 lease-time=12h name=dhcp60
add address-pool=dhcp_pool70 interface=vlan70 lease-time=12h name=dhcp70
/interface bridge port
# Plain bridge membership: no frame-types or pvid is set and the bridge has no
# VLAN filtering, so each port passes whatever tag (or no tag) the attached
# host chooses. Nothing here restricts which VLAN ID a host may use.
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=wlan1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=wlan2 internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings
# Neighbor discovery only on interfaces in the LAN list.
set discover-interface-list=LAN
/interface list member
# Only ether1 is in WAN, while the upstream link is pppoe-isp (see
# /interface pppoe-client). Rules matching in-interface-list=WAN, such as the
# forward-chain "drop all from WAN not DSTNATed" rule, therefore do not apply
# to traffic arriving over pppoe-isp; adding pppoe-isp to WAN closes that gap.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# The VLAN interfaces are in LAN, so the input chain's "drop all not coming
# from LAN" rule still lets VLAN hosts reach the router (DHCP, DNS, management).
add interface=vlan50 list=LAN
add interface=vlan60 list=LAN
add interface=vlan70 list=LAN
/ip address
# 172.16.10.1/16 on the bridge encloses all three VLAN /24s (172.16.50/60/70.0),
# so every VLAN subnet is also a connected network of the bridge. The follow-up
# in this thread narrows this to 172.16.10.1/24 to remove the overlap.
add address=172.16.10.1/16 comment=defconf interface=bridge network=172.16.0.0
# .88 is the router address on each VLAN; the VLAN pools exclude it.
add address=172.16.50.88/24 interface=vlan50 network=172.16.50.0
add address=172.16.60.88/24 interface=vlan60 network=172.16.60.0
add address=172.16.70.88/24 interface=vlan70 network=172.16.70.0
/ip dhcp-client
# Default DHCP client on untagged ether1. The ISP link is PPPoE over vlan848,
# so this appears to be a defconf leftover — confirm it is still wanted.
add comment=defconf interface=ether1
/ip dhcp-server network
# Each DHCP network advertises the router's own address on that interface as
# both gateway and DNS server; the defconf network uses the same /16 mask as
# the bridge address above.
add address=172.16.0.0/16 comment=defconf dns-server=172.16.10.1 gateway=172.16.10.1 netmask=16
add address=172.16.50.0/24 dns-server=172.16.50.88 gateway=172.16.50.88
add address=172.16.60.0/24 dns-server=172.16.60.88 gateway=172.16.60.88
add address=172.16.70.0/24 dns-server=172.16.70.88 gateway=172.16.70.88
/ip dns
# The router resolves DNS for clients (allow-remote-requests=yes); keeping it
# from answering the internet relies on the input chain's "drop all not coming
# from LAN" rule.
set allow-remote-requests=yes servers=1.1.1.1,1.1.1.2 verify-doh-cert=yes
/ip dns static
add address=172.16.10.1 name=router.lan
/ip firewall filter
# input chain (traffic to the router itself), defconf order: accept established,
# drop invalid, accept ICMP, loopback for CAPsMAN, then drop anything that did
# not arrive on a LAN-list interface. pppoe-isp is not in LAN, so that last
# rule does cover the upstream session.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# forward chain (traffic through the router): the defconf rules only drop
# invalid packets and new, non-DSTNATed connections from the WAN list. There is
# no final drop, and RouterOS chains accept what matches no rule, so everything
# else — including traffic between the VLAN interfaces — is forwarded.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Only ether1 is in WAN (see /interface list member), so this rule does not
# match new connections arriving over pppoe-isp.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# The defconf masquerade keyed on the WAN list is disabled and replaced by one
# bound directly to pppoe-isp — consistent with pppoe-isp never having been
# added to the WAN list.
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=pppoe-isp
/system note
set show-at-login=no
/tool mac-server
# MAC-telnet and MAC-Winbox are limited to the LAN list (bridge plus the
# three VLAN interfaces in this revision).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Classic error of trying to keep the bridge doing DHCP. If you need another subnet take the one you kept on the bridge and make it vlan10… or something.
Many other errors as well.
Suggest you read…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Which OS are the PCs running? Windows, for example, by default blocks ICMP from outside the directly connected LAN subnet.

Using bridge-to-CPU interface as hybrid instead of all tagged is not an error, some people just do not like the cosmetics.

Windows, with ICMP ping enabled in the firewall. I also tested both behind a switch (so PC → switch → router) and I wasn’t able to ping the switch from anything other than the native VLAN.

This was the first time I tried configuring VLANs. And as a beginner I simply followed several tutorials from the internet, which were identically doing it like this.

It looks like you’ve posted part of your MikroTik configuration, but unfortunately, it seems to be incomplete. However, based on what you’ve provided, it appears that you’re working with VLANs, and you’re experiencing issues with inter-VLAN communication.

Here are a few things you might want to check:

Interface Configuration:

Ensure that the interfaces assigned to your VLANs are correctly set up. Check that each VLAN has its own bridge or that the interfaces are assigned to the correct bridge.
VLAN Configuration:

Double-check your VLAN configurations, including VLAN IDs, names, and associated interfaces.
IP Addressing:

Verify that the IP addresses assigned to devices in different VLANs are correct, and they fall within the correct subnet.
Gateway Configuration:

Confirm that each VLAN has its own gateway configured correctly. In your example, you mentioned 172.16.60.88 as the gateway for VLAN 60. Ensure that this IP address is correctly assigned to the router’s interface in VLAN 60.
Firewall Rules:

Since you’ve mentioned that the firewall is currently set to accept all, it should not be causing the issue. However, you might want to check if there are any specific firewall rules affecting inter-VLAN communication.
Routing:

Confirm that the router is properly routing traffic between VLANs. The router should have routes for each VLAN subnet.
Here’s a basic example of what your configuration might look like (please adapt it to your specific setup):

/interface vlan
add interface=bridge name=vlan50 vlan-id=50
add interface=bridge name=vlan60 vlan-id=60

/ip address
# Non-overlapping /24s: the bridge network is 172.16.10.0/24 here, not /16.
add address=172.16.10.1/24 interface=bridge network=172.16.10.0
add address=172.16.50.1/24 interface=vlan50 network=172.16.50.0
add address=172.16.60.1/24 interface=vlan60 network=172.16.60.0

/ip route
# NOTE(review): these entries have no dst-address and their gateways are the
# router's own VLAN addresses from /ip address above. RouterOS creates the
# connected routes for the VLAN /24s from /ip address on its own, so these
# routes do not look necessary — verify before copying them.
add distance=1 gateway=172.16.50.1
add distance=1 gateway=172.16.60.1
This is a basic example, and you may need to adjust it based on your network topology and requirements. Ensure that your VLANs are correctly configured on both the router and the connected devices. If the issue persists, additional details about your configuration would be helpful in diagnosing the problem.

Well i guess what you should do is to use Bridge VLAN filtering.

On interface level you set VLANs just in case you want to have different subnets / dhcp servers per each VLAN.

But the assignment and filtering itself should be done on the bridge, by enabling Bridge VLAN filtering, where the bridge itself has to be a tagged member of each VLAN. This way your VLANs have access to the CPU and therefore to the firewall, which can then do inter-VLAN filtering.

What you are doing is one of the classic mistakes made when using VLANs on Mikrotik.

I would recommend the documentation; go through the samples of incorrectly used scenarios. It’s very helpful for understanding how VLANs work on Mikrotik.

https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeVLANFiltering
https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration

Today I did some reconfiguration. I followed one of the configuration examples from http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 and added:


/interface bridge vlan
# Bridge VLAN table: every LAN port and the bridge itself (the CPU port) is a
# tagged member of 50/60/70. Tagging the bridge is what gives the /interface
# vlan entries on the bridge, and thus the firewall, access to these VLANs.
# Because every port is tagged for all three VLANs and none has an untagged
# (pvid) assignment, VLAN membership is chosen by the attached host rather
# than enforced per port; a port that should belong to a single VLAN should be
# listed as untagged for that VLAN only.
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,wlan1,wlan2 vlan-ids=50
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,wlan1,wlan2 vlan-ids=60
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,wlan1,wlan2 vlan-ids=70
/interface bridge port (added frame-types=admit-only-vlan-tagged)
# admit-only-vlan-tagged drops untagged frames at ingress on every port, so
# hosts must tag 50/60/70 themselves. NOTE(review): this also applies to
# wlan1/wlan2 — wireless clients normally send untagged frames, so confirm
# Wi-Fi clients can still connect.
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=wlan1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=wlan2 internal-path-cost=10 path-cost=10
/interface bridge (added vlan-filtering=yes)
# vlan-filtering=yes activates the table above; protocol-mode=none turns off
# (R)STP on the bridge.
add admin-mac=18:FD:blabla auto-mac=no comment=defconf name=bridge port-cost-mode=short protocol-mode=none vlan-filtering=yes
/interface list
# Separate VLAN list so the VLAN interfaces can be matched apart from LAN.
add name=VLAN
/interface list member
add interface=vlan50 list=VLAN
add interface=vlan60 list=VLAN
add interface=vlan70 list=VLAN
/ip firewall filter
# Both rules accept everything arriving on a VLAN interface: to the router
# (input) and through it (forward). No inter-VLAN restriction is enforced; if
# the VLANs are meant to be isolated from each other, the forward rule needs
# narrowing (e.g. an out-interface-list or dst-address matcher) or an explicit
# drop between VLAN interfaces placed before it.
add action=accept chain=input comment="Allow VLAN - input" in-interface-list=VLAN
add action=accept chain=forward comment="Allow VLAN - forward" in-interface-list=VLAN

I also changed the following (to make it more logical, and replaced /16 with /24):

/ip address
# Bridge network narrowed from /16 to /24 so it no longer encloses the VLAN
# /24s (172.16.50/60/70.0).
add address=172.16.10.1/24 comment=defconf interface=bridge network=172.16.10.0
/ip pool
# Pool shrunk to match the new /24; .1 (the router) is left out of the range.
add name=dhcp ranges=172.16.10.10-172.16.10.254
/ip dhcp-server network
add address=172.16.10.0/24 comment=defconf dns-server=172.16.10.1 gateway=172.16.10.1

After this reconfiguration I was able to ping PC2 from PC1. In the opposite direction it was then only necessary to allow ping from PC1’s VLAN in my antivirus software, and with that my problem was solved.
Thank you all for help.

Complete final configuration export (only the relevant parts; the snmp, scheduler and ipv6 sections are omitted):


# 2024-01-07 19:49:46 by RouterOS 7.13
# software id = IU8T-YSM6
#
# model = RBD53iG-5HacD2HnD
# serial number = blabla
/interface bridge
# VLAN filtering is now on, so the bridge enforces the /interface bridge vlan
# table; protocol-mode=none turns off (R)STP on the bridge.
add admin-mac=18:FD:blabla auto-mac=no comment=defconf name=bridge port-cost-mode=short protocol-mode=none vlan-filtering=yes
/interface wireless
# Both radios keep the default SSID "MikroTik"; WPS is disabled on both.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country="blabla" disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40/80mhz-XXXX country="blabla" disabled=no distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik wireless-protocol=802.11 wps-mode=disabled
/interface vlan
# Router-side (CPU-facing) VLAN interfaces on the bridge; they only receive
# traffic because the bridge is a tagged member of 50/60/70 in
# /interface bridge vlan. VLAN 848 on ether1 carries the ISP PPPoE session.
add interface=bridge name=vlan50 vlan-id=50
add interface=bridge name=vlan60 vlan-id=60
add interface=bridge name=vlan70 vlan-id=70
add interface=ether1 name=vlan848 vlan-id=848
/interface pppoe-client
# pppoe-isp is the real upstream interface (it installs the default route),
# but it is still not a member of the WAN list — only ether1 is — so rules
# keyed on in-interface-list=WAN do not match traffic arriving over it.
add add-default-route=yes disabled=no interface=vlan848 max-mru=1492 max-mtu=1492 name=pppoe-isp user=blabla
/interface list
# WAN/LAN are the defconf lists; VLAN groups the three VLAN interfaces so the
# firewall can match them separately from LAN.
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
/interface wireless security-profiles
# wpa-psk (WPA1) is still offered next to wpa2-psk; WPA1 is deprecated, so
# prefer wpa2-psk alone unless a legacy client genuinely needs WPA1.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
# "dhcp" now covers the bridge's /24 (router .1 excluded); each VLAN pool skips
# .88, the router's address on that VLAN interface.
add name=dhcp ranges=172.16.10.10-172.16.10.254
add name=dhcp_pool50 ranges=172.16.50.1-172.16.50.87,172.16.50.89-172.16.50.254
add name=dhcp_pool60 ranges=172.16.60.1-172.16.60.87,172.16.60.89-172.16.60.254
add name=dhcp_pool70 ranges=172.16.70.1-172.16.70.87,172.16.70.89-172.16.70.254
/ip dhcp-server
# One DHCP server per layer-3 interface: the untagged bridge and each VLAN.
add address-pool=dhcp interface=bridge lease-time=12h name=defconf
add address-pool=dhcp_pool50 interface=vlan50 lease-time=12h name=dhcp50
add address-pool=dhcp_pool60 interface=vlan60 lease-time=12h name=dhcp60
add address-pool=dhcp_pool70 interface=vlan70 lease-time=12h name=dhcp70
/interface bridge port
# Every port admits only tagged frames, so hosts must tag 50/60/70 themselves.
# NOTE(review): wireless clients normally send untagged frames, so confirm
# Wi-Fi clients on wlan1/wlan2 can still connect. NOTE(review): with no
# untagged member anywhere in /interface bridge vlan, it is unclear which port
# can still reach the bridge's untagged 172.16.10.0/24 network and its defconf
# DHCP server — confirm that network is still needed.
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=wlan1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=wlan2 internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings
# Neighbor discovery only on the LAN list, which here holds just the bridge;
# the VLAN interfaces are in the VLAN list and are therefore not discovered.
set discover-interface-list=LAN
/interface bridge vlan
# Every LAN port and the bridge itself (the CPU port) are tagged members of all
# three VLANs. Because no port has an untagged (pvid) assignment, VLAN
# membership is chosen by the attached host rather than enforced per port; a
# port meant for a single VLAN should be listed as untagged for that VLAN only.
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,wlan1,wlan2 vlan-ids=50
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,wlan1,wlan2 vlan-ids=60
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,wlan1,wlan2 vlan-ids=70
/interface list member
# Only ether1 is in WAN while the upstream link is pppoe-isp (see
# /interface pppoe-client); the forward-chain "drop all from WAN not DSTNATed"
# rule therefore does not match traffic arriving over pppoe-isp. Adding
# pppoe-isp to WAN closes that gap.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# VLAN interfaces are no longer in LAN, so the input chain needs its own
# "Allow VLAN - input" rule for VLAN hosts to reach the router.
add interface=vlan50 list=VLAN
add interface=vlan60 list=VLAN
add interface=vlan70 list=VLAN
/ip address
# Bridge network is /24 now, so it no longer encloses the VLAN /24s.
add address=172.16.10.1/24 comment=defconf interface=bridge network=172.16.10.0
# .88 is the router address on each VLAN; the VLAN pools exclude it.
add address=172.16.50.88/24 interface=vlan50 network=172.16.50.0
add address=172.16.60.88/24 interface=vlan60 network=172.16.60.0
add address=172.16.70.88/24 interface=vlan70 network=172.16.70.0
/ip dhcp-client
# Default DHCP client on untagged ether1. The ISP link is PPPoE over vlan848,
# so this appears to be a defconf leftover — confirm it is still wanted.
add comment=defconf interface=ether1
/ip dhcp-server network
# Each DHCP network advertises the router's own address on that interface as
# both gateway and DNS server.
add address=172.16.10.0/24 comment=defconf dns-server=172.16.10.1 gateway=172.16.10.1
add address=172.16.50.0/24 dns-server=172.16.50.88 gateway=172.16.50.88
add address=172.16.60.0/24 dns-server=172.16.60.88 gateway=172.16.60.88
add address=172.16.70.0/24 dns-server=172.16.70.88 gateway=172.16.70.88
/ip dns
# The router resolves DNS for clients (allow-remote-requests=yes); keeping it
# from answering the internet relies on the input chain's "drop all not coming
# from LAN" rule.
set allow-remote-requests=yes servers=1.1.1.1,1.1.1.2 verify-doh-cert=yes
/ip dns static
add address=172.16.10.1 name=router.lan
/ip firewall filter
# input chain (traffic to the router itself).
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# "Allow VLAN - input" sits before "drop invalid" and accepts every service on
# the router from any VLAN interface. Moving it below "drop invalid" keeps the
# invalid-state drop effective for VLAN traffic; restricting it to the
# services VLAN hosts actually need (DHCP, DNS) would keep router management
# off the VLANs.
add action=accept chain=input comment="Allow VLAN - input" in-interface-list=VLAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# pppoe-isp is not in LAN, so this rule does cover the upstream session.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# forward chain (traffic through the router).
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# This chain has no final drop, and RouterOS chains accept what matches no
# rule, so new connections from the VLANs are forwarded even without this
# rule; its only effect is to accept invalid-state packets from VLAN
# interfaces ahead of "drop invalid". No inter-VLAN restriction is enforced;
# if the VLANs should be isolated, add drop rules between VLAN interfaces.
add action=accept chain=forward comment="Allow VLAN - forward" in-interface-list=VLAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Only ether1 is in WAN (see /interface list member), so this rule does not
# match new connections arriving over pppoe-isp.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# The defconf masquerade keyed on the WAN list is disabled and replaced by one
# bound directly to pppoe-isp — consistent with pppoe-isp never having been
# added to the WAN list.
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=pppoe-isp
/ip service
# Plain-text and API management services are off. Whatever services remain
# enabled are reachable from the bridge (LAN) and, via "Allow VLAN - input",
# from every VLAN interface.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system note
set show-at-login=no
/tool mac-server
# MAC-telnet is disabled on all interfaces; MAC-Winbox is still allowed from
# the LAN list (the bridge only — VLAN interfaces are not in LAN).
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN