Unable to get inter-VLAN routing working

Hi, I’ve been trying to get my first RouterOS device up and running - everything else is working but can’t get traffic flowing between my VLANs. It’s a very similar problem to what’s described at Unable to get inter-VLAN routing to work despite proper IP services , but I’ve double-checked the firewalls on the devices.

Here’s the running config…

# apr/15/2026 20:50:34 by RouterOS 6.49.5
# software id = Z6I2-U7RQ
#
# model = 951Ui-2HnD
# serial number = xxxxxxxx
#
# Configuration export: one VLAN-filtering bridge, four VLAN interfaces
# (10/20/30/40), each with a /24 address and a DHCP server, plus the defconf
# firewall. The review comments below describe only what this export shows.
# NOTE(review): confirm 6.49.5 is still a supported build for this device.
#
# Single bridge with VLAN filtering enabled; per-VLAN port membership is set
# under "/interface bridge vlan" further down.
/interface bridge
add admin-mac=E4:8D:8C:A0:01:C1 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
# wlan1 is configured as an access point (mode=ap-bridge), but disabled=no
# does not appear on this line.
# NOTE(review): confirm whether wlan1 is actually enabled.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-A001C5 wireless-protocol=802.11
# VLAN interfaces on top of the bridge; each one gets a .254/24 address under
# "/ip address" and acts as that VLAN's gateway.
/interface vlan
add interface=bridge name="vlan10 - Control" vlan-id=10
add interface=bridge name="vlan20 - Comms" vlan-id=20
add interface=bridge name="vlan30 - Dante" vlan-id=30
add interface=bridge name="vlan40 - Art-Net" vlan-id=40
# Interface lists referenced by the firewall, neighbor discovery and the
# MAC server settings.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Only supplicant-identity is shown for the default security profile; no
# authentication-types or pre-shared key appear in this export.
# NOTE(review): presumably the default profile has no WPA2 configured (or
# sensitive values were hidden on export) -- confirm before enabling wlan1,
# which is a bridge port on the untagged 192.168.88.0/24 network.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP option 3 (router) defined by hand, one per VLAN, each pointing at that
# VLAN's .254 address.
/ip dhcp-server option
add code=3 name="Default gateway - Control" value="'192.168.10.254'"
add code=3 name="Default gateway - Comms" value="'192.168.20.254'"
add code=3 name="Default gateway - Dante" value="'192.168.30.254'"
add code=3 name="Default gateway - Art-Net" value="'192.168.40.254'"
# Each option set carries only the gateway option defined above.
/ip dhcp-server option sets
add name="Control option set" options="Default gateway - Control"
add name="Comms option set" options="Default gateway - Comms"
add name="Dante option set" options="Default gateway - Dante"
add name="Art-Net option set" options="Default gateway - Art-Net"
# Address pools: .100-.200 in each VLAN subnet, plus the defconf pool.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name="Control DHCP pool" ranges=192.168.10.100-192.168.10.200
add name="Comms DHCP pool" ranges=192.168.20.100-192.168.20.200
add name="Dante DHCP pool" ranges=192.168.30.100-192.168.30.200
add name="Art-Net DHCP pool" ranges=192.168.40.100-192.168.40.200
# One DHCP server per VLAN interface, plus the defconf server on the bridge
# itself. "Art-Net DHCP" is the only entry without disabled=no.
# NOTE(review): presumably the Art-Net server is still disabled -- confirm.
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool="Control DHCP pool" dhcp-option-set="Control option set" \
    disabled=no interface="vlan10 - Control" name="Control DHCP"
add address-pool="Comms DHCP pool" dhcp-option-set="Comms option set" \
    disabled=no interface="vlan20 - Comms" name="Comms DHCP"
add address-pool="Dante DHCP pool" dhcp-option-set="Dante option set" \
    disabled=no interface="vlan30 - Dante" name="Dante DHCP"
add address-pool="Art-Net DHCP pool" dhcp-option-set="Art-Net option set" \
    interface="vlan40 - Art-Net" name="Art-Net DHCP"
# ether3 (pvid=10) and ether5 (pvid=30) are the untagged ports for VLAN 10 and
# VLAN 30; ether2, ether4 and wlan1 show no pvid, so they keep the default.
# No frame-types or ingress-filtering setting is shown on any port.
# NOTE(review): presumably both are at their defaults. To keep the VLANs
# separated at layer 2, consider ingress-filtering=yes on all ports,
# frame-types=admit-only-untagged-and-priority-tagged on ether3/ether5, and
# frame-types=admit-only-vlan-tagged on ether4 if it is a pure trunk.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3 pvid=10
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5 pvid=30
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
# VLAN table: ether4 is tagged in all four VLANs, and the bridge itself is a
# tagged member of each so the VLAN interfaces above receive the traffic.
/interface bridge vlan
add bridge=bridge comment=Control tagged=ether4,bridge untagged=ether3 \
    vlan-ids=10
add bridge=bridge comment=Comms tagged=ether4,bridge vlan-ids=20
add bridge=bridge comment=Dante tagged=ether4,bridge untagged=ether5 vlan-ids=\
    30
add bridge=bridge comment=Art-Net tagged=ether4,bridge vlan-ids=40
# Every VLAN interface is a member of LAN. The input-chain rule
# "drop all not coming from LAN" therefore lets hosts in all four VLANs reach
# services on the router itself, and the LAN-scoped neighbor discovery and
# MAC server settings apply to them as well.
# NOTE(review): if only one VLAN should manage the router, use a separate
# management list instead of LAN for those settings.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface="vlan10 - Control" list=LAN
add interface="vlan20 - Comms" list=LAN
add interface="vlan30 - Dante" list=LAN
add interface="vlan40 - Art-Net" list=LAN
# Router addresses: .1 on the untagged bridge network, .254 in each VLAN.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.10.254/24 interface="vlan10 - Control" network=\
    192.168.10.0
add address=192.168.20.254/24 interface="vlan20 - Comms" network=192.168.20.0
add address=192.168.30.254/24 interface="vlan30 - Dante" network=192.168.30.0
add address=192.168.40.254/24 interface="vlan40 - Art-Net" network=\
    192.168.40.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
# Only the defconf 192.168.88.0/24 network entry exists. There are no entries
# for 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24 or 192.168.40.0/24,
# so VLAN clients get a gateway only through the hand-made option sets and no
# dns-server is defined for them here.
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
# allow-remote-requests=yes makes the router answer DNS queries itself. In
# this export, the input-chain drop of traffic not coming from LAN is what
# keeps that resolver unreachable from the WAN side.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# defconf rule set.
# Input chain: accepts established/related/untracked, ICMP and loopback;
# drops invalid packets and anything not arriving from the LAN list.
# Forward chain: the only drop rules are for invalid packets and for new
# connections from WAN that are not dst-NATed. No rule here restricts
# forwarding between the VLAN interfaces, and no rule logs, so inter-VLAN
# packets would not show up in the firewall log.
# NOTE(review): if the VLANs are meant to be isolated from one another, that
# requires explicit forward-chain rules; none are present.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Source NAT applies only to traffic leaving through the WAN list.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/London
/system identity
set name="KCI-61 Router"
# MAC Telnet and MAC WinBox are allowed on the LAN list, which in this export
# includes the bridge and all four VLAN interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

And it seems to have automatically made all of the routes I’d expect:

I’m trying to ping from a laptop attached to VLAN 30, which has been given IP address 192.168.30.102 by the DHCP server, to a laptop on VLAN 10, which has been given 192.168.10.100. I can successfully ping 192.168.10.100 from its own VLAN through the RouterOS tools, but not from the other VLANs. The traffic is also not showing in the firewall log.

Where am I going wrong? Thanks in advance!

It may be the firewall in Windows that is blocking ping from a different subnet. See Can't ping windows PCs on other subnet (lan or vlan)? It may be your windows firewall. How to allow pings from rfc1918 addresses.

what is between the two PCs in vlan 10 and vlan 30?

Can you provide a diagram of how they are connected. (even a photo of a hand drawn sketch is better than nothing).

Specifically do the PCs both have the 951Ui-2HnD as their default gateway?

If you do the following from a CMD prompt on the windows PC (on vlan 30) what do you get?

route print (or netstat -rn, both do the same)
tracert -d 192.168.10.100
ping 192.168.10.100

Paste the output from above into a </> code block. To copy from the cmd prompt, press Ctrl+M, select the text, then hover over the selection and right-click; that copies the text to the clipboard. Then open a reply and click the </> icon at the top of the editing window, which opens a Preformatted text box. Paste (Ctrl+V).

Currently, your DHCP server instances for the VLANs are not properly configured. You've chosen the complicated way of manually adding option 3 entries and option sets entries to specify the gateways for the VLANs, but other important options like option 1 (that provides the very important subnet information) are missing.

Look at your export, the correct and simple way to configure the basic options is shown for you in the defconf entry:

That's how you properly supply the gateway, subnet, and DNS server information to the DHCP clients (plus many other data).

You should create the 4 DHCP Server -> Network entries for the 4 VLANs (use the defconf entry as example, but the gateway and DNS addresses of course end with .254). Then get rid of the references to the option sets.

Afterwards, you can delete the option sets, then the options (in that order).


Why would anyone set up dhcp servers in that way, is there some youtube video or AI advice promoting this weird choice??