Trouble with VLAN Configuration on MikroTik RB5009

Hello everyone,

I’m reaching out to seek some assistance with a networking issue I’m experiencing on my MikroTik RB5009 router. I’ve been trying to set up VLANs on this device, but unfortunately, I seem to be encountering some roadblocks.

Here’s a breakdown of my setup and the steps I’ve taken so far:

  • Router Model: MikroTik RB5009UG+S
  • Observations:
  • DHCP is working fine.


  • Default route has been added.


  • I’ve assigned the correct IP addresses.


  • I can successfully ping 8.8.8.8 from the MikroTik router.


  • I’m able to reach my modem at 192.168.0.1 from my MikroTik router.

Despite the above observations, the VLANs are not working as intended.

I’ve double-checked my configuration settings, and everything seems to be in order. However, when I try to access devices connected to different VLANs, I’m unable to establish an Internet connection. It’s worth noting that I’ve followed the standard procedures for configuring VLANs on MikroTik devices (I used this guide: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 and I almost 1:1 copied the Router-Switch-AP config, just without the WLAN part, because I don't need that), so I’m a bit puzzled as to why it’s not functioning correctly.

Additionally, I’d like to mention that my network design includes specific VLAN assignments for different purposes. VLAN ID 10 is designated as my HOME_VLAN, intended for all home devices such as PCs, laptops, gaming consoles like Nintendo Switch, and other personal devices. VLAN ID 20 is allocated for my PiHole setup, serving as a dedicated VLAN for DNS filtering and ad-blocking services. Lastly, VLAN ID 99 is reserved as my Management VLAN, facilitating administrative tasks and network management activities. Each VLAN serves a distinct purpose in my network architecture, and ensuring their proper functionality is crucial for maintaining an efficient and secure network environment.

If anyone has encountered a similar issue or has expertise in MikroTik networking, I would greatly appreciate any insights or suggestions you may have to offer. I’m open to troubleshooting steps and willing to provide additional information as needed to resolve this issue.

Thank you in advance for your assistance!

# 2024-02-16 11:24:38 by RouterOS 7.13.4
# software id = SU4P-G42F
#
# model = RB5009UG+S+
# serial number = HFD09BMCQEG
#
# Review notes: this is the original, non-working export from the first post.
# The thread later identifies the missing piece: there is no /ip firewall nat
# section at all, so traffic from the 10.0.x.0/24 VLANs is forwarded to ether1
# un-translated (no srcnat masquerade) and, presumably, the modem has no route
# back - which matches the symptom that 192.168.0.1 and 8.8.8.8 are reachable
# from the router itself but not from VLAN clients.
/interface bridge
# protocol-mode=none disables (R)STP on the bridge, so a cabling loop between
# bridge ports would not be detected.
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=HOME_VLAN vlan-id=10
add interface=BR1 name=PIHOLE_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=HOME_POOL ranges=10.0.10.2-10.0.10.254
add name=PIHOLE_POOL ranges=10.0.20.2-10.0.20.254
add name=BASE_POOL ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add address-pool=HOME_POOL interface=HOME_VLAN lease-time=1d name=HOME_DHCP
add address-pool=PIHOLE_POOL interface=PIHOLE_VLAN lease-time=1d name=\
    PIHOLE_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN lease-time=1d name=BASE_DHCP
/interface bridge port
# Access ports: untagged/priority-tagged only, each pinned to one VLAN by pvid.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5 pvid=99
# ether6 has no pvid and no frame-types restriction and is not a member of any
# /interface bridge vlan entry below. The OP describes it as an emergency
# fallback port; once the VLAN setup works it should be removed or given an
# explicit pvid/frame-types so it is not an unmanaged hole in the VLAN plan.
add bridge=BR1 interface=ether6
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) is enabled on every interface, including
# ether1 which is the WAN-side uplink; the later working config restricts this
# to the BASE (management) list, which is the safer choice.
set discover-interface-list=all
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3 vlan-ids=10
# Inconsistent with the entries above/below: ether4 carries pvid=20 but is not
# listed as an untagged member of VLAN 20 here (pointed out in the replies).
add bridge=BR1 tagged=BR1 vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=ether5 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=HOME_VLAN list=VLAN
add interface=PIHOLE_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.99.1/24 interface=BASE_VLAN network=192.168.99.0
add address=10.0.10.1/24 interface=HOME_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=PIHOLE_VLAN network=10.0.20.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
# dns-server=192.168.0.1 is the modem on the far side of ether1 (WAN), not a
# network this router owns; clients can only reach it if forwarding to WAN and
# source NAT are both in place (see the note in the header).
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS for anything that can
# reach it; only the input-chain drop below keeps this from being an open
# resolver towards ether1/WAN. Keep that drop if this setting stays.
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=\
    established,related
# Every host on every VLAN (HOME, PIHOLE and BASE alike) can reach every service
# the router listens on; the TODO acknowledges this should later be narrowed to
# the protocols clients actually need (e.g. DHCP/DNS) with management limited to
# BASE_VLAN.
add action=accept chain=input comment=\
    "Allow VLAN; TODO: When done and everything works, more granular" \
    in-interface-list=VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
# Only new connections from a VLAN towards the WAN list are permitted, so
# inter-VLAN traffic (e.g. HOME_VLAN -> PiHole) falls through to the final drop
# until an explicit accept rule is added.
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
# NOTE(review): no /ip firewall nat section is present - no srcnat masquerade
# towards WAN. The OP later confirms this was the missing step.
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=RouterSwitch
/system note
set show-at-login=no
/tool mac-server
# MAC-telnet and MAC-WinBox are limited to the BASE (management) list - good.
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

Cannot spot error yet either…
Not sure what ether6 is doing: it's listed under bridge ports as a trunk port, but nothing is assigned to it in bridge vlans.
Just to be consistent with how you did the other ones, I would manually untag ether4 on /interface bridge vlans but not necessary.

/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3 vlan-ids=10
add bridge=BR1 tagged=BR1 vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=ether5 vlan-ids=99

Okay this seems off… Firstly this network doesn't exist on your router… Secondly don't you want to put the pi-hole address here…
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server**=192.168.0.1** gateway=10.0.20.1

Finally, you have to decide if management vlan is going out pihole for dns as well…
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1

Note if you do send folks to pihole, I would ensure firewall rules allow it.
add chain=forward action=accept in-interface-list=VLAN dst-address=PiHole-IP-address

Hi!
Thanks for your reply.

You are right. The DNS-Server is not configured for my PiHole yet. The reason is that I wanted to reach some networks (to my modem 192.168.0.1 and 8.8.8.8) before doing things like DNS, since I think that is easier to set up. So at first, all my devices should get DNS from my modem, which is 192.168.0.1. Configuring the PiHole as my DNS is the last step, since I would have to add some FW rules. The main question is why I can’t ping 192.168.0.1 or 8.8.8.8. I don’t need DNS for that.

To answer your other question: I have configured ether6, so I could connect to my Router, if I messed something up with my VLAN Configuration (doesn’t work now anyways, was just an idea at first, could delete this entry).

The rest with the untagging, yeah I could do that. Just didn’t seem to change anything tho :frowning:

Thank you in advance!

Little Update: I asked my ISP, if he could set my modem to bridge mode, because I was reading (and even the ISP support told me) that this could resolve my issue. I’m still quite unsure if this could seriously fix that, but I will try. Unfortunately this change will be done next week.

Followup question: Are there any security concerns for my modem being in bridge mode? I know for a fact the modem does some things (I dont know what exactly) to secure my network. Will this impact my security?

Treat a modem in bridge mode as a slightly more intelligent media converter. Protection is done on the router.

Anyways, bridging my modem didn’t work. Any other suggestions?

I would back out all the VLAN stuff, get the RB5009 working as a simple Internet router without it, and only then reintroduce the VLAN complication.

Indeed, I’d be tempted to back it up thoroughly, then reset it to the factory config. It’s a solid base to start from.

Once you get that working, back it up again, then use that as a checkpoint for getting VLANs working.

Thanks for your advice! I always wiped my Router before configuring VLANs, because I was fearing that a configuration I’ve done would crash my whole network. But this is genuinely good advice and I will try that now. Will come back, if I got some more news.

It just worked. Lol. After manually configuring it to a point where it works (without VLANs), I simply added my VLAN configuration and it just worked. Thanks for this great advice. Was working on this for days.

I’d be curious to see the diff between your newly working configuration and your prior attempt, posted above.

What was the critical change?

Concur, valuable feedback which can enable us perhaps to help others better.

For sure! I don’t know why, but I suppose I kinda forgot the srcnat masquerade rule? I was very confident that I inserted this FW rule, but I guess this was the missing step. Here’s my new VLAN configuration, maybe you will find another difference. I added another SERVER_VLAN, on this VLAN my MC Server will run and maybe also other servers, like a Webserver.

# 2024-02-17 14:26:35 by RouterOS 7.13.4
# software id = SU4P-G42F
#
# model = RB5009UG+S+
# serial number = HFD09BMCQEG
#
# Review notes: this is the working export posted after the rebuild. Compared to
# the first attempt it adds the srcnat masquerade rule (the fix the OP names),
# restricts neighbor discovery to the management list, renames the ports and adds
# a fourth VLAN (SERVER_VLAN, id 30). Open points are marked inline.
/interface bridge
add name=LAN-Bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-modem-UpLink
set [ find default-name=ether2 ] name=ether2-PC
set [ find default-name=ether3 ] name=ether3-HomeDevice
set [ find default-name=ether4 ] name=ether4-HomeDevice
set [ find default-name=ether5 ] name=ether5-PiHole
set [ find default-name=ether6 ] name=ether6-Server
set [ find default-name=ether8 ] name=ether8-Management
/interface vlan
add interface=LAN-Bridge name=BASE_VLAN vlan-id=99
add interface=LAN-Bridge name=HOME_VLAN vlan-id=10
add interface=LAN-Bridge name=PIHOLE_VLAN vlan-id=20
add interface=LAN-Bridge name=SERVER_VLAN vlan-id=30
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=HOME_POOL ranges=10.0.10.2-10.0.10.254
add name=PIHOLE_POOL ranges=10.0.20.2-10.0.20.254
add name=BASE_POOL ranges=192.168.99.10-192.168.99.254
add name=SERVER_POOL ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=HOME_POOL interface=HOME_VLAN lease-time=1d name=HOME_DHCP
add address-pool=PIHOLE_POOL interface=PIHOLE_VLAN lease-time=1d name=PIHOLE_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN lease-time=1d name=BASE_DHCP
add address-pool=SERVER_POOL interface=SERVER_VLAN lease-time=1d name=SERVER_DHCP
/interface bridge port
# Access ports: untagged/priority-tagged only, each pinned to one VLAN by pvid.
add bridge=LAN-Bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2-PC pvid=10
add bridge=LAN-Bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3-HomeDevice pvid=10
add bridge=LAN-Bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4-HomeDevice pvid=10
add bridge=LAN-Bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5-PiHole pvid=20
add bridge=LAN-Bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6-Server pvid=30
# ether7 is the same unrestricted fallback port pattern as ether6 in the first
# export: no pvid, no frame-types, no /interface bridge vlan membership. If it is
# no longer needed it should be removed; if kept, give it an explicit pvid and
# frame-types so it cannot become an unplanned path into the bridge.
add bridge=LAN-Bridge interface=ether7
add bridge=LAN-Bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether8-Management pvid=99
/ip neighbor discovery-settings
# Neighbor discovery now limited to the BASE (management) list instead of "all".
set discover-interface-list=BASE
/interface bridge vlan
# Only the bridge (CPU) is listed as tagged; no untagged members are declared.
# NOTE(review): this relies on RouterOS deriving the access-port membership from
# each port's pvid - confirm with `/interface bridge vlan print` that the
# dynamic entries for ports ether2..ether8 appear as expected.
add bridge=LAN-Bridge tagged=LAN-Bridge vlan-ids=10
add bridge=LAN-Bridge tagged=LAN-Bridge vlan-ids=20
add bridge=LAN-Bridge tagged=LAN-Bridge vlan-ids=30
add bridge=LAN-Bridge tagged=LAN-Bridge vlan-ids=99
/interface list member
add interface=ether1-modem-UpLink list=WAN
# BASE_VLAN is a member of both VLAN and BASE, so every rule that matches the
# VLAN list already applies to the management VLAN as well.
add interface=BASE_VLAN list=VLAN
add interface=HOME_VLAN list=VLAN
add interface=PIHOLE_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=SERVER_VLAN list=VLAN
/ip address
add address=10.0.10.1/24 interface=HOME_VLAN network=10.0.10.0
add address=192.168.99.1/24 interface=BASE_VLAN network=192.168.99.0
add address=10.0.20.1/24 interface=PIHOLE_VLAN network=10.0.20.0
add address=10.0.30.1/24 interface=SERVER_VLAN network=10.0.30.0
/ip dhcp-client
add interface=ether1-modem-UpLink
/ip dhcp-server network
# All networks still hand out the modem (192.168.0.1, behind the WAN port) as
# DNS; the PiHole on 10.0.20.0/24 is not used yet. Switching to it also needs a
# forward-chain accept from the VLAN list to the PiHole address, because the
# forward chain below only permits VLAN -> WAN.
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=192.168.0.1 gateway=10.0.30.1
add address=192.168.99.0/24 dns-server=192.168.0.1 gateway=192.168.99.1
/ip firewall address-list
# Deliberately starts at .2, so the modem itself (192.168.0.1, the DNS server
# handed to clients above) is NOT in this list and stays reachable from
# SERVER_VLAN. If the modem exposes a management UI on that address, the drop
# rule below does not cover it - confirm that this is intended.
add address=192.168.0.2-192.168.0.254 list=Modem-Network
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
# The "more granular" TODO from the first export has been dropped from the
# comment but not implemented: every host on HOME, PIHOLE, SERVER and BASE can
# still reach every service the router listens on. Narrowing this to the client
# protocols actually needed (e.g. DHCP) and keeping management access on
# BASE_VLAN only is the remaining hardening step.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
# Redundant: BASE_VLAN is already in the VLAN list matched by the rule above, so
# this rule never sees a packet. Harmless, but it suggests the two rules were
# meant to be the other way round (BASE full access, other VLANs restricted).
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
# Blocks only SERVER_VLAN from reaching hosts on the modem's LAN; HOME_VLAN and
# PIHOLE_VLAN can still reach Modem-Network through the VLAN -> WAN accept
# below. Rule order across chains is independent, so placing this forward rule
# between the input rules is purely cosmetic.
add action=drop chain=forward dst-address-list=Modem-Network in-interface=SERVER_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
# Only new connections from a VLAN towards WAN are permitted; inter-VLAN traffic
# falls through to the final drop.
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN \
    out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
# The rule missing from the first export: source-NAT everything leaving via the
# WAN list to the router's WAN address.
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=RouterSwitch
/system note
set show-at-login=no
/tool mac-server
# MAC-telnet and MAC-WinBox limited to the BASE (management) list - good.
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE