Hello, I can't ping between vlans. I'm just trying to ping. I have put the conf file here. Our home network is on 192.168.1.1 but we need to get to the CCTV network.
(1) Where is IP address of ISP 2,4?
(2) Understand you have FIVE vlans on the LAN and one bridge that is also providing DHCP for ethernet2.
(3) Don't have a clue how you are getting WAN IPs… but it seems intriguing.
(4) Missing firewall rules
(5) Missing interface members and list members
(6) NO assignment of VLANS (interface bridge vlan) or bridge vlan filtering.
(6) If wanting to ensure a vlan should go out a specific wan it can be done without mangling
Please do the following.
Read the article and make the necessary changes.
Post a network diagram
Post the COMPLETE config /export hide-sensitive file=anynameyouwish
(1) Where is IP address of ISP 2,4? ISP 2 and 4 are not set up yet. They are still being installed.
(2) Understand you have FIVE vlans on the LAN and one bridge that is also providing DHCP for ethernet2.
(3) Don't have a clue how you are getting WAN IPs… but it seems intriguing. All wan IPs are coming in on a 40gb port, Eth1, that has vlans for the ISPs. The setup is 4 2gb fiber handoffs to a switch with vlans for each ISP, which then goes to the 40gb port on the router. The plan was to have all 4 ISPs for customers, but we need them all to be failover in case one goes out.
(4) Missing firewall rules - I don't know why they did show up
(5) Missing interface members and list members
(6) NO assignment of VLANS (interface bridge vlan) or bridge vlan filtering.
(6) If wanting to ensure a vlan should go out a specific wan it can be done without mangling
Use code tags on configs, tis the black square with white square brackets to the right of the B.. I..U in the text edit line under the title of the thread, when in edit mode!
Don't give a bridge the name of a common other used term in configurations such as LAN… it gets very confusing.
(1) You have 3 ISP addresses all pointing to ISP3, instead of 1,2,3,4
(2) Let's look at your management setup
add address-pool=dhcp_pool2 disabled=no interface=Management name=dhcp3
add name=dhcp_pool2 ranges=10.2.8.1-10.2.10.0,10.2.10.2-10.2.15.254
10.2.8.1-10.2.10.0 WTF is that and then
10.2.10.2-10.2.15.254 ???
Then an ip address.
add address=10.2.10.1/21 interface=Management network=10.2.8.0
???
Okay I cannot subnet myself out of a paper bag and thus stick to simple network structures
but doesn't 10.2.10.1/21 cover 8 "NORMAL" subnets…
10.2.10.1/24 through 10.2.17.1/24 and thus the network should be 10.2.10.0
and ip pool
10.2.10.2-10.2.17.254 ??
Then you have a routers vlan which is inside the subnet of the management network at 10.2.10.15…
Summary, until the subnet structure of your vlans and corresponding settings make sense I am unable to help.
Perhaps it's legit, but someone else then should assist.
As already noted, no fw rules, not ready for live to ISP modem yet.
dst-address-type=!local is likely not doing what you expected - this means addresses which are not local to the Mikrotik, it does not mean local subnets. Also note the mangle rules only apply to the bridge-to-CPU interface of the bridge (as @anav says confusingly called Lan), they will have no effect on packets via VLAN interfaces attached to the bridge.
You have no useful firewall filter rules - the default policy is accept, so the Mikrotik is completely exposed to the internet.
Thank you for your input. I did a little drawing of what we are trying to do. They have an old Cisco router that we are trying to replace. Any help or anything would be great, thanks.
Yes, we have 3 IP addresses pointing to ISP3 because we have a block of 5 and all 5 of them come in to the router on that ISP. All the Wan ports will have more than one IP address on them. The core switch passes all the wan connections to ether1, which is a 40gb fiber port.
The Management pool was set up to copy the old Cisco pool from when the company had over 1000 units on that vlan; now there are fewer than 100, thanks to them learning about sub routers at towers.
This is a very messed up place that we took over after the owner died, so we can fix a little at a time. One of the things that we would like to do is get this router in place. It does not need to go by the code I posted, that is something they came up with to try to make it work. My goal as the new owner of the mess is to set it up right with 4 wans for load and failover and have the vlans work from our office. The wan vlans need to stay that way running. As for the pools, we can make them smaller as management only goes to the sub routers now and not everything.
This setup is in a test setup until we get it right and can put it in place.
Hi there..
I have attempted to give you a cleaned up rational setup that makes sense to simple me.
Once we know what is desired in terms of requirements more can be done or stuff can be modified, removed added as appropriate.
Note: I removed bridge from any dhcp etc and gave its work to vlan 11 (presuming lan users)
Requirements needing information:
a. what subnets/vlans are supposed to use as WANIP outbound
b. what the role of the ISP wan connections is supposed to be (which is primary which is back up which is fixed for some lans to use etc…) then that can be figured out and the mangling if required as well.
c. I simplified the nomenclature so it's easily readable and simplified the subnetting to what I am familiar with.
d. I added default firewall rules so its safe out of the box.
e. NEED to know the requirements of
i. which vlans need internet access
ii which vlans or devices on vlans may need access to other vlans
iii. yourself as admin, which vlan will you be working from to configure the router and what vlans do you need access to.
iv. What you are doing with rest of ports on router ether 3 to xxxx ???
…
See PIC below for a simplified operational setup for Inter-Vlan Routing on MikroTik infrastructure (credited to forum expert Sindy!!!)
This basic configuration has been tested operational on physical MikroTik infrastructure running RouterOS 4.67 as well as the latest version of the free MikroTik Cloud Hosted Router (CHR) running within VMware Workstation 14 Pro. I attempted to make it operational on Oracle Virtualbox but due to trunking failures within the Oracle host I ran out of time.
Two user network Vlans and 1 Management Vlan all can ping and route to each other. Needless to say there is no security implemented as your environment is unique from others. This setup just enables folks to get up and running quickly in a lab environment and it is expected the users (you) will implement security as required by your policy and procedures.
a. what subnets/vlans are supposed to use as WANIP outbound All vlans need to go out to the wan.
b. what the role of the ISP wan connections is supposed to be (which is primary which is back up which is fixed for some lans to use etc…) then that can be figured out and the mangling if required as well. The plan was to use them in load balance and failover if one of the ISPs goes down. As of right now only isp1 and isp3 are working; isp1 is 1gb and isp3 is 2gb.
iii. yourself as admin, which vlan will you be working from to configure the router and what vlans do you need access to. They have work on 192.168.1.1 to get to everything. Our office as of now uses a vpn to vlan 10 to get into their system. In the next 60 days we are moving to the building they are in, as I now own it. The plan is to put the whole office on that 192.168.1.1 or a vlan. I would like to keep that vpn for when we are away.
iv. What you are doing with rest of ports on router ether 3 to xxxx ??? All the other ports will be links to up to ether 5 will be vlan trunk ports for switches for failover.
You’re marking the packets on the incoming LAN interface with mark-routing, so they will be routed to the ISP interface while Mikrotik evaluates the routing decision.
They will never reach other LAN interfaces.
Okay so you want the users to share WAN1 and WAN3 in a load balance arrangement where roughly WAN1 is selected for 1 session while WAN3 is selected for two sessions type of ratio basis.
So for every three new sessions the router handles outbound, two will go out WAN3 and one will go out WAN1.
Yeah that's mangling and as noted probably where you have gone wrong in the config…
Check this out… between these two it should be doable. https://mum.mikrotik.com/presentations/US12/steve.pdf https://mum.mikrotik.com/presentations/US12/tomas.pdf
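The point made in the replies above (dst-address-type=!local does not exclude local subnets, a routing mark set on the LAN side sends inter-VLAN packets to an ISP, and the 1:2 split between WAN1 and WAN3), shown as an added RouterOS example that is not part of any post in this thread or of the posted config. The list names, mark names, VLAN interface names, the /24 around 192.168.1.1 and the CCTV placeholder subnet are assumptions.

```routeros
# Added example; names below are assumptions, not taken from the posted config.
/interface list
add name=LAN
/interface list member
# Every routed LAN-side interface must be a member, VLAN interfaces included;
# vlan10 and vlan11 are hypothetical interface names.
add list=LAN interface=vlan10
add list=LAN interface=vlan11

/ip firewall address-list
# 10.2.8.0/21 is the Management network from the thread. 192.168.1.0/24 assumes
# a /24 around 192.168.1.1. 192.0.2.0/24 is a placeholder for the CCTV subnet,
# which the thread does not give.
add list=local_subnets address=10.2.8.0/21
add list=local_subnets address=192.168.1.0/24
add list=local_subnets address=192.0.2.0/24 comment="placeholder: CCTV subnet"

/ip firewall mangle
# 1. Must sit above the marking rules: traffic between local subnets leaves the
#    chain unmarked, so the main routing table delivers it to the other VLAN.
add chain=prerouting action=accept in-interface-list=LAN \
    dst-address-list=local_subnets comment="inter-VLAN: no policy routing"

# 2. New connections to the internet: classifier buckets 3/0 -> ISP1,
#    3/1 and 3/2 -> ISP3, which gives roughly a 1:2 split.
add chain=prerouting action=mark-connection in-interface-list=LAN \
    connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses:3/0 \
    new-connection-mark=ISP1_conn passthrough=yes
add chain=prerouting action=mark-connection in-interface-list=LAN \
    connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses:3/1 \
    new-connection-mark=ISP3_conn passthrough=yes
add chain=prerouting action=mark-connection in-interface-list=LAN \
    connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses:3/2 \
    new-connection-mark=ISP3_conn passthrough=yes

# 3. LAN-side packets of a marked connection get the routing mark. Default
#    routes for the to_ISP1 and to_ISP3 marks are assumed to exist already.
add chain=prerouting action=mark-routing in-interface-list=LAN \
    connection-mark=ISP1_conn new-routing-mark=to_ISP1 passthrough=no
add chain=prerouting action=mark-routing in-interface-list=LAN \
    connection-mark=ISP3_conn new-routing-mark=to_ISP3 passthrough=no
```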
Hello, I went back and set up PCC and have had no luck. I can ping out of the router when one of the wans is turned on, but as soon as I turn on the other everything stops working. They keep showing it with one lan port but I need it to do so on all vlans, so I'm trying to set it up with just the ether2 and the bridge, but no luck. We are only trying it with 2 ISPs right now and will add the others after we get the 2 working. Here is what I have. I think I missed something or messed it up.