RB750 Switch plus VLAN functionality

Hi all,

I got a couple of RB750 and want to reuse one as a switch with VLAN functionality.

Short version:
Main Router (any Brand) provides DHCP —> MK RB750 (handles VLANs + VLAN DHCP)—> Client with VLAN-ID get DHCP from MK
Main Router (any Brand) provides DHCP —> MK RB750 (handles VLANs + VLAN DHCP)—> Client with NO VLAN-ID get DHCP from MAIN Router

For all intensive purposes ether1 on the MK RB750 is the link/WAN port to the Main router.
I followed this tutorial: Turn your router into a network switch https://www.youtube.com/watch?v=XKYmgtVs9kc

Build the VLANs on the Bridge
Clients with no VLAN-ID gets internet access on ether 2 - 5
Clients with VLAN-ID gets DHCP IP on ether 2 - 5 but no internet access
Added a masquerade rule on the Bridge as ether1 is included within the Bridge to no avail.

Any input would be much appreciated to get this resolve to why the VLAN Clients do not have internet access.

/interface bridge
add name=bridge_ALL
/interface vlan
add interface=bridge_ALL name=VLAN20 vlan-id=20
add interface=bridge_ALL name=VLAN30 vlan-id=30
add interface=bridge_ALL name=VLAN40 vlan-id=40
add interface=bridge_ALL name=VLAN50 vlan-id=50
/ip pool
add name=VLAN20Pool ranges=192.168.20.10-192.168.20.200
add name=VLAN30Pool ranges=192.168.30.10-192.168.30.200
add name=VLAN40Pool ranges=192.168.40.10-192.168.40.200
add name=VLAN50Pool ranges=192.168.50.10-192.168.50.200
/ip dhcp-server
add address-pool=VLAN20Pool disabled=no interface=VLAN20 name=VLAN20dhcp
add address-pool=VLAN30Pool disabled=no interface=VLAN30 name=VLAN30dhcp
add address-pool=VLAN40Pool disabled=no interface=VLAN40 name=VLAN40dhcp
add address-pool=VLAN50Pool disabled=no interface=VLAN50 name=VLAN50dhcp
/interface bridge port
add bridge=bridge_ALL interface=ether1
add bridge=bridge_ALL interface=ether2
add bridge=bridge_ALL interface=ether3
add bridge=bridge_ALL interface=ether4
add bridge=bridge_ALL interface=ether5
/ip address
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
add address=192.168.40.1/24 interface=VLAN40 network=192.168.40.0
add address=192.168.50.1/24 interface=VLAN50 network=192.168.50.0
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge_ALL

How many wired connections from main router to MK?
Assuming non vlan traffic is one wire connection from MK to an unmanaged switch?

Only One wired connection from Main router to MK

There is no unmanaged swtich
Main Router → MK → Client device

Yes but at the bottom of your schematic you show four or five devices that are not on VLAN ???
With 5 Ports, 1 from Main router, and four others I assume going to managed switches (since you show multiple devices on every port), leaves ZERO PORTS for the non vlan devices.

Your math does not add up???..
(one port cannot serve multiple devices)
(four ports cannot serve 5 different port requirements as depicted).

Unless the MT device has more ports, I want some of the coffee you are drinking.

Presumably the client VLAN tagging is done elsewhere.

The configuration has IP addresses and connected routes for the VLANs, but no address or default route on the untagged VLAN for the masquerade rule to work with.

Either
/ip address
add address=xx.xx.xx.yy/24 interface=bridge_ALL
/ip route
add distance=1 gateway=xx.xx.xx.zz
where xx.xx.xx.zz is the LAN address of your main router and xx.xx.xx.yy is any available LAN address
OR
/ip dhcp-client
add disabled=no interface=bridge_ALL

Okay,
I see where the confusing came into play. The coffee I am currently drinking is Douwe Egberts Pure Gold nr3

ether 2 - 5 can hand out DHCP for VLANs and DHCP from Main router.

Using Virtualization one can have multiple devices on one port.
Example:
ether 2 has the following VM NICs connected to it
VM1 with VLAN ID 20
VM2 with VLAN ID 30
VM3 with NO VLAN ID
(I know this can be done as I have done it before with another router brand)

If managed switches would have been used still would not have matter what traffic was passed to the switch as the switch would strip the tags if need be.

This is done on the client side NIC

This added 2 entries to the Router List

Dst.Address 0.0.0.0/0
Gateway: Main router IP (reachable bridged_ALL)
Distance: 1

As well as

Dst.Address xx.xx.xx.0/24
Gateway: bridged_ALL reachable

DHCP Client pulls an IP from Main router
Address List shows same Address as pulled
Router List same two entries as above

VLANS still got no Internet using either suggestion

With either of those in place can you successfully ping or traceroute from the Mikrotik itself to the internet (e.g. 8.8.8.8 or 1.1.1.1), and what does a traceroute from any VLAN client show?

/ip dhcp-client
add disabled=no interface=bridge_ALL

Tools → Traceroute

Traceroute To: 1.1.1.1
Interface: Blank
Get a trace hop 1 is my Main Router all the way to hop 8 that is 1.1.1.1

Traceroute To: 1.1.1.1
Interface: VLAN30
All seems to timeout

Tools → Ping
Ping To: 1.1.1.1
Interface: bridge_All
Works

Ping To: 1.1.1.1
Interface: VLAN30
Times out

Selecting a VLAN interface won’t work - ping will attempt to send the request from that interface. Instead of selecting an Interface on the General tab you can enter an address of one of the VLANs, e.g. 192.168.30.1, as the Src. Address on the Advanced tab.

If that is successful try from one of your VLAN clients.

This is intresting,
Ping → General Tab
Ping To: 1.1.1.1
Intergace: Bridge_All
Works

Ping → Advanced Tab
Ping To: 1.1.1.1
Interface: Blank
Src Address: IP From Main Router IP Range
Does not work

Ping → Advanced Tab
Ping To: 1.1.1.1
Interface: Blank
Src Address: VLAN IP 192.168.30.1
Does not work

Something odd going on there, what does /ip address print and /ip route print show?

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                                 
 0   192.168.20.1/24    192.168.20.0    VLAN20                                                                                                                                    
 1   192.168.30.1/24    192.168.30.0    VLAN30                                                                                                                                    
 2   192.168.40.1/24    192.168.40.0    VLAN40                                                                                                                                    
 3   192.168.50.1/24    192.168.50.0    VLAN50                                                                                                                                    
 4 D xxx.xxx.xxx.yyy/24 xxx.xxx.xxx.0   bridge_ALL 
                                                                                                                             
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          xxx.xxx.xxx.zzz            1
 1 ADC  192.168.20.0/24    192.168.20.1    VLAN20                    0
 2 ADC  192.168.30.0/24    192.168.30.1    VLAN30                    0
 3 ADC  192.168.40.0/24    192.168.40.1    VLAN40                    0
 4 ADC  192.168.50.0/24    192.168.50.1    VLAN50                    0
 5 ADC  xxx.xxx.xxx.0/24   xxx.xxx.xxx.yyy bridge_ALL                0
[admin@MikroTik] >

xxx.xxx.xxx.yyy/24 xxx.xxx.xxx.0 bridge_ALL Correct IP pulled from Main Router
xxx.xxx.xxx.zzz Main Router IP

Thanks to tdw for helping me out !
It seems for some reason the MK took its sweet time to “Find its Routes” so to speak.

Here is the working code.

/interface bridge
add name=bridge_ALL
/interface vlan
add interface=bridge_ALL name=VLAN20 vlan-id=20
add interface=bridge_ALL name=VLAN30 vlan-id=30
add interface=bridge_ALL name=VLAN40 vlan-id=40
add interface=bridge_ALL name=VLAN50 vlan-id=50
/ip pool
add name=VLAN20Pool ranges=192.168.20.10-192.168.20.200
add name=VLAN30Pool ranges=192.168.30.10-192.168.30.200
add name=VLAN40Pool ranges=192.168.40.10-192.168.40.200
add name=VLAN50Pool ranges=192.168.50.10-192.168.50.200
/ip dhcp-server
add address-pool=VLAN20Pool disabled=no interface=VLAN20 name=VLAN20dhcp
add address-pool=VLAN30Pool disabled=no interface=VLAN30 name=VLAN30dhcp
add address-pool=VLAN40Pool disabled=no interface=VLAN40 name=VLAN40dhcp
add address-pool=VLAN50Pool disabled=no interface=VLAN50 name=VLAN50dhcp
/interface bridge port
add bridge=bridge_ALL interface=ether1
add bridge=bridge_ALL interface=ether2
add bridge=bridge_ALL interface=ether3
add bridge=bridge_ALL interface=ether4
add bridge=bridge_ALL interface=ether5
/ip address
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
add address=192.168.40.1/24 interface=VLAN40 network=192.168.40.0
add address=192.168.50.1/24 interface=VLAN50 network=192.168.50.0
/ip dhcp-client
add disabled=no interface=bridge_ALL
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge_ALL

It is odd it took so long to start working as there just didn’t appear to be anything wrong, maybe some cached connection/routing/arp data which had to expire.

All I did was
Reset Configuration
No Default Configuration
Do Not Backup
Ran the code, wait for about 10min then all of a sudden it all worked as indented.

Must have been something with cached connection/routing/arp data that was not accounted for.