Rolling out RB1000, Multiple Vlans, problems with routing

nynhex · December 20, 2009, 1:16am

Hi all.

I’m very new to Mikrotik. I went with it over Cisco (my native tongue) since it was cost effective and has a pretty strong community.

I purchased an RB1000 as our router/firewall at my company and am having a hell of a time getting things going. Here’s where I’m at so far.

Eth1=Public (ISP Connectivity)
Eth2=Private (Lan Connectivity)

I’ve added the IP information to both interfaces and I can reach the Interweb just fine. The problem begins when I go to add Vlans.

ie: I setup a VLAN called, “ADMIN” with an ID of 2 with an ip of 192.168.101.1/24 and assigned it to Eth2 (Private).

I will plug my laptop into the Private port and assign an IP from that Subnet and no dice. Most likely an issue that I don’t have the port on my laptop in the proper vlan ID. No problem…

So I plug it into a 3com 4200g switch and turn on port trunking so it will get all VLAN ids. I’ll assign another port as VLAN ID 2 on the switch so I can plug my laptop in and assign an IP from that VLAN. No joy! I can’t even ping the VLAN interface. Yet when I switch back to the default VLAN 1 and plug directly into ETH2 I can ping/route traffic.

Where am I going wrong?

For some reason I’m having very little luck with Mikrotik. I’m used to doing things in Cisco/3com and while I’m not opposed to learning new things this OS just seems very backwards compared to what I’m used to.

Thanks for any light you can shed on the topic.

otgooneo · December 28, 2009, 7:23am

Hey guys,

I have same problem. I have VLAN333+VLAN721 (Trunk) from my ISP. I can set IP addresses to VLANs and I`m connecting 2 networks all okay. I did:

[otgoo@MikroTik] > interface vlan add name=VLAN721 vlan-id=721 interface=eth1 use-service-tag=no
[otgoo@MikroTik] > interface vlan add name=VLAN333 vlan-id=333 interface=eth1 use-service-tag=no
[otgoo@MikroTik] > ip address add address=172.16.16.2/24 network=172.16.16.0 broadcast=172.16.16.255 interface=VLAN333
[otgoo@MikroTik] > ip address add address=202.131.XXX.XXX/28 network=202.131.XXX.XXX broadcast=202.131.XXX.XXX interface=VLAN721
[otgoo@MikroTik] > ip address add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=eth5
[otgoo@MikroTik] > ip route add dst-address=0.0.0.0/0 gateway=202.131.XXX.XXX

Now I want to create VLAN721 to eth2. (to use web server with Real Public IP).

I did:
[otgoo@MikroTik] > interface bridge add name=VLAN721_bridge
[otgoo@MikroTik] > interface bridge port add bridge=VLAN721_bridge interface=eth2
[otgoo@MikroTik] > interface bridge port add bridge=VLAN721_bridge interface=VLAN721

Web server is connecting to internet all okay. But my LAN clients stopped to connect to internet. Otherwise no connection from 192.168.0.0/24 to 202.131.XXX.XXX gateway.

RouterOS experts please help me? Pls pls pls

sergejs · December 28, 2009, 11:18am

nynhex, do you have IP address assigned to VLAN interface? (Not to Ethernet interface).

gmsmstr · December 28, 2009, 5:46pm

Typically would be the IP needs to be on the VLAN interface as suggested.

nynhex · January 4, 2010, 6:25am

I think I found the problem here. I did assign IP addresses to the different vlan interfaces but on my core switch (3com) after you enable the trunking you have to set the permit-vlan flag to denote which vlan ids can pass. I failed to do this. I had tried it last week and i was able to route traffic from any vlan.

Now I have to start working on the firewall rules to block/allow inbound traffic as well as rules to block/allow specific traffic between vlans.

I’m slowly learning but don’t have much of a lab to test in so having to use live equipment.