Routing public IP's to Vlans

RouterOS Beginner Basics
1

There is probably a simple answer to this I just am not seeing it.

ISP gave me for example:

address: 1.1.1.2/30
gateway 1.1.1.1

address 2.2.2.0/24

/ip address add address=1.1.1.2/30 interface=ether1
/ip route gateway=1.1.1.1

/ip address add address=2.2.2.1 interface=ether2

/interface vlan add interface=ether2 name=vlan100 vlan-id=100

I setup the switch and everthing for passing vlan100 traffic. When I set a laptop up with ip=2.2.2.2/24 and GW=2.2.2.1 if it goes through that vlan100 no connection. If I set it to a non vlan’ed interface I have connection.

The only way I can figure for a fix is to create a bridge and then add all the vlan’s to the bridge and then assign the 2.2.2.1 address to the bridge.

Hope that makes sense at to what I am trying to do.

2

If you want to have 2.2.2.0/24 in vlan100, you probably want this:

/ip address add address=2.2.2.1/24 interface=vlan100
3

I knew I forgot something.

I am going to have 200 vlan’s on the network. So I want to put a different IP on each vlan.

Thanks
Brent

4

I can’t say for sure that it’s the proper solution, but you can do:

/interface vlan
add interface=ether2 name=vlan10 vlan-id=10
add interface=ether2 name=vlan11 vlan-id=11
add interface=ether2 name=vlan12 vlan-id=12
...
/ip address
add address=2.2.2.1 interface=vlan10 network=2.2.2.10
add address=2.2.2.1 interface=vlan11 network=2.2.2.11
add address=2.2.2.1 interface=vlan12 network=2.2.2.12
...

And then for hosts in vlans use either also point to point addressing (e.g. address 2.2.2.10/32 and gw 2.2.2.1) or simply /24, which can be useful in case you want to have more than one host in some vlan and let them communicate directly. There will be no communication possible between hosts in different vlans, but I assume it’s what you want and why you’re doing this (correct me if I’m wrong).

5

So then on the device going through the vlan I would give assign it as 2.2.2..10/32 and GW 2.2.2.1

Thanks

6

Either that or standard /24 (or whatever subnet you get routed to you).

With /32, it’s point to point addressing and some devices might not support it. It works fine with Linux and even with Windows (since Vista). But it’s a little unusual config, so something else (or even something e.g. Linux based, but with limited config interface) might not like it. If you use this, you don’t even need 2.2.2.1 as gateway, it could be some completely independent address (192.168.1.1 for example).

Advantage of /24 is that it will work everywhere. Router will reply to arp even though its own address has /32 and it’s all what’s needed. And if you put 2.2.2.2/24 and 2.2.2.222/24 in same vlan, they will be able to talk to each other. With /32, this communication would have to go through router, unless you added direct route to both hosts.

7

if I do the /24 do I still do

add address=2.2.2.1 interface=vlan10 network=2.2.2.10

or would I do

add address=2.2.2.1/24 interface=vlan10 network=2.2.2.0
8

The first one.

Also - you’d want to enable arp=proxy-arp on the customer-vlan interfaces so that the customers can reach each other. (they may want to do vpn with each other, or whatever one might use a public IP address for) - and the customer can configure their device with /24 and everything will work perfectly.

Oh - and one final tip - you’ll want to black-hole the entire /24 by default:
/ip route add dst=2.2.2.0/24 type=blackhole

Using the “network=2.2.2.X” on a customer interface will create a connected /32 route for that customer, which will be more specific than the black hole route. The reason you want to black hole the /24 is so that un-allocated addresses’ traffic gets thrown in the trash. Otherwise, whenever a zombie bot is scanning your network, the scan packets for unused addresses would ping-pong between your router and the ISP’s router until the TTL expires.