Greetings,
I have been having some issues with my RB3011. I’m still fairly new to Mikrotik in general, so I am hoping you can help me solve my (seemingly) simple routing problem.
I’ve gotten my management VLAN working, which is on a separate NIC on my workstation. What I need help with is getting another VLAN talking to a different subnet… I’ve gone through a lot of trial and error, so I’ve cleaned up my configs to bare minimums.
VLAN
ether2 - 192.168.2.2/24 - no VLAN at the moment, switch has PVID set to 1 on those ports - These are our servers
ether4 - 192.168.200.1/24 - VLAN 200 - Got a Ubiquiti AP tagging management and VLAN 200 properly
I get a DHCP address (192.168.200.199) assigned to my cell phone no problem, I can ping 192.168.200.1 and 192.168.2.2, but nothing else on 192.168.2.0/24… I cannot access the web servers on 192.168.2.0, or anything else…
Quick intro to my setup. I had followed a couple of hardening guides, in which I disabled the following options:
/ip settings
set allow-fast-path=no rp-filter=strict secure-redirects=no send-redirects=no tcp-syncookies=yes
Removed all default ip addresses, bridges, dhcp-client/server, nat
I also disabled the mpls and routing package in /system package, since I am not trying to use anything from there. I tried enabling the routing package and it didn’t appear to make a difference. Basically, I tried to turn everything off, delete all default config, and only turn things on/configure them as they become needed.
Here’s what I have currently in my config (mgmt vlan omitted):
Interfaces: (I have all my ports set to master-port=none, I’m not doing any switching on this device)
/interface vlan
add interface=ether4 name=OfficeWiFi vlan-id=200
and from /interface ethernet switch port, I have:
 #   NAME     SWITCH    VLAN-MODE   VLAN-HEADER   DEFAULT-VLAN-ID
 1   ether2   switch1   fallback    leave-as-is   auto
 3   ether4   switch1   fallback    leave-as-is   auto
IP Addresses:
/ip address
add address=192.168.200.1/24 interface=OfficeWiFi network=192.168.200.0
add address=192.168.2.2/24 interface=ether2 network=192.168.2.0
DHCP:
/ip dhcp-server
add address-pool=OfficeWiFiPool disabled=no interface=OfficeWiFi lease-time=3d name=OfficeWiFiDHCP
/ip dhcp-server network
add address=192.168.200.0/24 dns-server=192.168.2.245 gateway=192.168.200.1
Firewall: (NAT and Mangle are empty) (I have tried deleting ALL rules, and putting in add action=accept chain=forward, just to see if that would work, and it did not help)
/ip firewall filter
add action=accept chain=input in-interface=!ether1-WAN protocol=icmp
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface=ether1-WAN
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward in-interface=ether1-WAN
Route: /ip route print
 #        DST-ADDRESS         PREF-SRC         GATEWAY       DISTANCE
 0 ADC    x.x.x.x/24          x.x.x.x          Management    0
 1 ADC    192.168.200.0/24    192.168.200.1    OfficeWiFi    0
I admit I got it to work using NAT and mangle, but I do not want to use NAT. I need the IP addresses of the devices to be logged on the servers. I don’t mind using mangle, I’ll need to learn it eventually.
Anything else I need to check? I would appreciate some advice. Thanks in advance!
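As an added diagnostic example (not part of the original post), the Python below parses the `/ip address` export and the `/ip route print` output quoted above and lists every configured address whose subnet does not appear as a connected route; the masked management prefix is kept exactly as written and simply skipped. The sample input is constructed from the post's own lines.

```python
import ipaddress
import re

# Sample input constructed from the configuration quoted in the post.
IP_ADDRESS_EXPORT = """\
/ip address
add address=192.168.200.1/24 interface=OfficeWiFi network=192.168.200.0
add address=192.168.2.2/24 interface=ether2 network=192.168.2.0
"""

# '/ip route print' as pasted, management prefix masked as the poster wrote it.
ROUTE_PRINT = """\
 #     DST-ADDRESS        PREF-SRC        GATEWAY       DISTANCE
 0 ADC x.x.x.x/24         x.x.x.x         Management    0
 1 ADC 192.168.200.0/24   192.168.200.1   OfficeWiFi    0
"""

KV_RE = re.compile(r"([\w-]+)=(\S+)")                     # key=value pairs on an 'add' line
ROUTE_RE = re.compile(r"^\s*\d+\s+([A-Za-z]+)\s+(\S+)")   # index, flags, DST-ADDRESS


def parse_ip_addresses(export):
    """Return [(interface, network)] for every 'add' line under '/ip address'."""
    entries = []
    for line in export.splitlines():
        if line.strip().startswith("add "):
            kv = dict(KV_RE.findall(line))
            entries.append((kv["interface"], ipaddress.ip_interface(kv["address"]).network))
    return entries


def parse_connected_routes(route_print):
    """Set of destination networks whose flags include C (connected)."""
    connected = set()
    for line in route_print.splitlines():
        m = ROUTE_RE.match(line)
        if m and "C" in m.group(1):
            try:
                connected.add(ipaddress.ip_network(m.group(2), strict=False))
            except ValueError:
                pass  # masked or malformed prefix such as x.x.x.x/24: skip it
    return connected


def addresses_without_connected_route(export, route_print):
    """Configured addresses whose subnet never shows up as a connected route.

    RouterOS installs the connected route only while the interface is up and
    the address is valid, so any subnet listed here is the first thing to check
    when hosts reach the router itself but nothing behind that interface.
    """
    connected = parse_connected_routes(route_print)
    return [(ifc, str(net)) for ifc, net in parse_ip_addresses(export)
            if net not in connected]
```

Run against the pasted output it reports `ether2: 192.168.2.0/24`, the subnet the route table as quoted does not show; confirming with `/ip address print` (look for an `I`, invalid, flag) and `/interface print` tells whether that is a paste omission or the actual state.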