Unable to get inter-VLAN routing to work despite proper IP services

Hi there forum, this is my first post so first of all thanks for all the great work you do here. Mikrotik is definitively not the easiest of ecosystems but boy is it powerful and bang for the buck!

Before I begin let me just clarify that I already did look closely at the classic VLAN thread by pcunite, googled globally and in-the-forum for intervlan Routing and router on a stick setup and similar. I think there’s some small step that I fail to notice in all of those and after trying for the last few days I gave up and decided to ask you all hoping someone will be able and willing to help a noob.

Setup
(full dump of config file at the end of the post)
I have a hexS router running RouterOS 7.17.2 in a - yet - lab setup so there’s no WAN and no firewall filters yet.
There are 3 VLANs as of now

• 10 - Family
• 30 - CCTV
• 69 - Management

and out of five ports:

• first one is out of the bridge as it’s going to be WAN,
• second is an access port to Managent VLAN (part of the bridge)
• third is an access port to Family VLAN (part of the bridge)
• fourth and fifth are access ports to Camera VLAN (part of the bridge)
• SFP port is a trunk port (not necessary for the problem I describe here, also part of the bridge)

Looks like switching works just fine as I can see that when I connect two devices to two ports of Camera VLAN, I successfully exchange data between the two within one VLAN subnet.

I have DHCP and addressing configured for all three VLANsand I successfully receive addresses from proper pools depending on which port I connect to. So connecting to Admin port I receive address in the Management Pool, connecting to Family port I receive a Family Pool address and connecting to either one of the two Camera ports I receive addresses in CCTV VLAN.

There is no firewall yet as I am not yet connected to the internet. Later, proper filter rules will be applied to allow VLANs access to each other based on my criteria and to limit who can talk to the internet and who the internet can talk back to etc. I just want to take it step by step until I - at least mostly - understand what’s going on and why I enter the commands I do.

The problem
What I fail to configure is inter-VLAN routing. While I can successfully communicate within one VLAN, I am not able to as much as ping devices on other VLANs. I tried comparing my setup to the one mentioned in Using RouterOS to VLAN your network but I must fail to see some missing piece.

Could you please point my search towards a proper direction? What am I missing?

Also here’s a dump of

/routing table print

[tester@router] > /routing route print
Flags: A - ACTIVE; c - CONNECT; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
    DST-ADDRESS      GATEWAY          AFI   DISTANCE  SCOPE  TARGET-SCOPE  IMMEDIATE-GW   
Ac  10.10.10.0/24    family-vlan      ip4          0     10             5  family-vlan    
Ac  10.10.30.0/24    camera-vlan      ip4          0     10             5  camera-vlan    
Ac  10.10.69.0/24    management-vlan  ip4          0     10             5  management-vlan
A H lo                                link         0                                      
A H camera-port1                      link         0                                      
A H camera-port2                      link         0                                      
A H lan-bridge                        link         0                                      
A H family-vlan                       link         0                                      
A H camera-vlan                       link         0                                      
A H management-vlan                   link         0

configuration export
Here’s a dump of the configuration I set up. The router is configured by uploading this as a script and with Reset Configuration + No Backup + No Users + No Defaults + Run after: this_script.crs so there’s nothing more that I wouldn’t share.

######################################
#### Skip IPv6
######################################
/ipv6 settings set disable-ipv6=yes forward=no

#####################################
### Miscellaneous
#####################################
# Identity
/system identity set name=router
# Skip IPv6
/ipv6 settings set disable-ipv6=yes forward=no
# temporary user until I have this all ready and will replace this with an SSH key
/user add name=tester group=full password=gogo

#####################################
### Ports designation
#####################################
# raname port to ease reasoning about which one is which
/interface
set [ find default-name=ether1 ] name=wan-port
set [ find default-name=ether2 ] name=admin-port
set [ find default-name=ether3 ] name=family-port
set [ find default-name=ether4 ] name=camera-port1
set [ find default-name=ether5 ] name=camera-port2
set [ find default-name=sfp1 ]   name=trunk-port
# Auto-negotiation does not work with XS+DA0001 
/interface ethernet set auto-negotiation=no speed=1G-baseT-full sfp-rate-select=low trunk-port

#####################################
### Bridge setup and trunk ports
#####################################
/interface bridge add name=lan-bridge admin-mac=AA:BB:CC:DD:EE:FF auto-mac=no vlan-filtering=yes protocol-mode=none

/interface bridge port
add bridge=lan-bridge interface=trunk-port frame-types=admit-only-vlan-tagged

#####################################
### VLANs
#####################################
### 10 - Family - 10.10.10.0/24
# VLAN definition and addressing
/interface vlan add interface=lan-bridge name=family-vlan vlan-id=10
/ip address add interface=family-vlan address=10.10.10.1/24
/ip pool add name=family-pool     ranges=10.10.10.2-10.10.10.254
/ip dhcp-server add address-pool=family-pool interface=family-vlan name=family-dhcp disabled=no
/ip dhcp-server network add address=10.10.10.0/24 dns-server=10.10.69.1 gateway=10.10.10.1
# Ingress
/interface bridge port add bridge=lan-bridge pvid=10 interface=family-port frame-types=admit-only-untagged-and-priority-tagged
# Egress
/interface bridge vlan add vlan-ids=10 bridge=lan-bridge tagged=lan-bridge,trunk-port untagged=family-port

### 30 - CCTV - 10.10.30.0/24
# VLAN definition and addressing
/interface vlan add interface=lan-bridge name=camera-vlan vlan-id=30
/ip address add interface=camera-vlan address=10.10.30.1/24
/ip pool add name=camera-pool     ranges=10.10.1.2-10.10.30.254
/ip dhcp-server add address-pool=camera-pool interface=camera-vlan name=camera-dhcp disabled=no
/ip dhcp-server network add address=10.10.30.0/24 dns-server=10.10.69.1 gateway=10.10.30.1
# Ingress
/interface bridge port add bridge=lan-bridge pvid=30 interface=camera-port1 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port add bridge=lan-bridge pvid=30 interface=camera-port2 frame-types=admit-only-untagged-and-priority-tagged
# Egress
/interface bridge vlan add vlan-ids=30 bridge=lan-bridge tagged=lan-bridge,trunk-port untagged=camera-port1,camera-port2

### 69 - Management - 10.10.69.0/24
## Ethernet Ingress
# Ethernet Ingress for direct attached port
# VLAN definition and addressing
/interface vlan add interface=lan-bridge name=management-vlan vlan-id=69
/ip address add address=10.10.69.1/24 interface=management-vlan
# We start the management pool from .10 up as switches, APs and so on will be statically assigned 1-9
/ip pool add name=management-pool ranges=10.10.69.10-10.10.69.254
/ip dhcp-server add address-pool=management-pool interface=management-vlan name=management-dhcp disabled=no
/ip dhcp-server network add address=10.10.69.0/24 dns-server=10.10.69.1 gateway=10.10.69.1
# Ingress
/interface bridge port add bridge=lan-bridge pvid=69 interface=admin-port frame-types=admit-only-untagged-and-priority-tagged
# Egress
/interface bridge vlan add vlan-ids=69 bridge=lan-bridge tagged=lan-bridge,trunk-port untagged=admin-port

and here’s the same thing but as Mikrotik’s export show-sensitive dump if grouping by area is more confortable to read and reason about for you.

# 1970-01-02 08:57:56 by RouterOS 7.17.2
# software id = 0TXT-DK95
#
# model = RB760iGS
# serial number = 
/interface bridge
add admin-mac=D4:01:C3:E7:FB:00 auto-mac=no name=lan-bridge protocol-mode=none \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=admin-port
set [ find default-name=ether4 ] name=camera-port1
set [ find default-name=ether5 ] name=camera-port2
set [ find default-name=ether3 ] name=family-port
set [ find default-name=sfp1 ] auto-negotiation=no name=trunk-port
set [ find default-name=ether1 ] name=wan-port
/interface vlan
add interface=lan-bridge name=camera-vlan vlan-id=30
add interface=lan-bridge name=family-vlan vlan-id=10
add interface=lan-bridge name=management-vlan vlan-id=69
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=family-pool ranges=10.10.10.2-10.10.10.254
add name=camera-pool ranges=10.10.1.2-10.10.30.254
add name=management-pool ranges=10.10.69.10-10.10.69.254
/ip dhcp-server
add address-pool=family-pool interface=family-vlan name=family-dhcp
add address-pool=camera-pool interface=camera-vlan name=camera-dhcp
add address-pool=management-pool interface=management-vlan name=management-dhcp
/interface bridge port
add bridge=lan-bridge frame-types=admit-only-vlan-tagged interface=trunk-port
add bridge=lan-bridge frame-types=admit-only-untagged-and-priority-tagged interface=\
    family-port pvid=10
add bridge=lan-bridge frame-types=admit-only-untagged-and-priority-tagged interface=\
    camera-port1 pvid=30
add bridge=lan-bridge frame-types=admit-only-untagged-and-priority-tagged interface=\
    camera-port2 pvid=30
add bridge=lan-bridge frame-types=admit-only-untagged-and-priority-tagged interface=\
    admin-port pvid=69
/ipv6 settings
set disable-ipv6=yes forward=no
/interface bridge vlan
add bridge=lan-bridge tagged=lan-bridge,trunk-port untagged=family-port vlan-ids=10
add bridge=lan-bridge tagged=lan-bridge,trunk-port untagged=camera-port1,camera-port2 \
    vlan-ids=30
add bridge=lan-bridge tagged=lan-bridge,trunk-port untagged=admin-port vlan-ids=69
/ip address
add address=10.10.10.1/24 interface=family-vlan network=10.10.10.0
add address=10.10.30.1/24 interface=camera-vlan network=10.10.30.0
add address=10.10.69.1/24 interface=management-vlan network=10.10.69.0
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.69.1 gateway=10.10.10.1
add address=10.10.30.0/24 dns-server=10.10.69.1 gateway=10.10.30.1
add address=10.10.69.0/24 dns-server=10.10.69.1 gateway=10.10.69.1
/system identity
set name=router
/system note
set show-at-login=no

Post scriptum
This is a scaled down and simplified version of the problem that I reduced my lab to at the moment. Originally there was also a CRS326 connected via SFP trunk that exposes 6 groups of access ports for 6 vlans. And when I’m on any of the vlans (managemnet included) i successfully gain access to other devices within this network regardless of whether I plug in via hexS or CRS access ports so switching passes trunk just right. I just can’t get routing accross VLANS to work. Same with CCTV VLAN and so on so the VLANs properly span accross trunked devices and switching works perfectly, DHCP and so on as well.

This is why I deciced to scale the thing down and do everything on hexS alone to take the CRS out of my picture until I pinpoint what I’m doing wrong and only then reintroduce CRS into the configuration.

Best regards
Piotr

I tried your config, and it seemed to work ok.
(I was connecting to another mikrotik)

Also when plugged into the trunk it supplied the 3 ip ranges to the Mikrotik via vlans.

Perhaps the devices you were connecting too had a firewall on them, and didn’t like being accessed from another subnet.
or had an alternative default gateway they preferred eg. via wifi.

Thanks rplant, of course that was it. After several failed attempts I connected to the internet via wifi on my home network and my connection tried to take that route and forgot that I am still on there. After getting out of wifi (so with only the Mikrotik direct connection left) everything worked like a charm. That was it, thanks! Marking as solved.