VLAN can't ping gateway

Hi,

I’m new to RouterOS. At work we have a MikroTik router that used to be managed by somebody else. I’m setting up a new AP with a guest network. WAN is on ‘ether1’, our main switch is connected to ‘ether5’ and, to test/keep it separate, the AP is connected to ether2. I followed a guide to create the guest VLAN.

At the moment, I can connect to the AP, the DHCP server gives me an IP from the correct pool. I can ping devices on the other subnet (192.168.20.0/24) but can’t ping the gateway (10.20.20.1) and can’t get out to the internet. I’ve obviously done something wrong but I’m struggling to work out what. Can anybody see anything wrong in our config?

Cheers,

/interface bridge
add auto-mac=no fast-forward=no name=bridge-local \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether3 ] name=ether3
set [ find default-name=ether4 ] name=ether4-slave-local
set [ find default-name=ether5 ] name=ether5-LAN
set [ find default-name=ether6 ] name=ether6
set [ find default-name=ether7 ] name=ether7
set [ find default-name=ether8 ] name=ether8-slave-local
set [ find default-name=ether9 ] name=ether9-slave-local
set [ find default-name=ether10 ] name=ether10-slave-local

/interface vlan
add interface=bridge-local name=vlan2 vlan-id=200

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-gateway name=IPVN \
    user=xxxxxxx

/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox

/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no

/ip pool
add name=dhcp_pool3 ranges=10.20.20.2-10.20.20.20

/ip dhcp-server
add address-pool=dhcp_pool3 interface=vlan2 name=dhcp1
/port
set 0 name=serial0

/ppp profile
set *0 change-tcp-mss=no
set *FFFFFFFE change-tcp-mss=no

/routing bgp template
set default disabled=no output.network=bgp-networks

/routing ospf instance
add disabled=no name=default-v2

add addresses=::/0 name=123
/interface bridge port
add bridge=bridge-local ingress-filtering=no interface=ether2
add bridge=bridge-local ingress-filtering=no interface=ether6
add bridge=bridge-local hw=no ingress-filtering=no interface=sfp1
add bridge=bridge-local ingress-filtering=no interface=wlan1
add bridge=bridge-local ingress-filtering=no interface=ether3
add bridge=bridge-local ingress-filtering=no interface=ether4-slave-local
add bridge=bridge-local ingress-filtering=no interface=ether5-LAN
add bridge=bridge-local ingress-filtering=no interface=ether8-slave-local
add bridge=bridge-local ingress-filtering=no interface=ether9-slave-local
add bridge=bridge-local ingress-filtering=no interface=ether10-slave-local

/ip neighbor discovery-settings
set discover-interface-list=all

/ip settings
set max-neighbor-entries=8192

/ipv6 settings
set max-neighbor-entries=8192

/interface bridge vlan
add bridge=bridge-local tagged=ether2,bridge-local vlan-ids=200

/ip address
add address=192.168.20.254/24 comment="default configuration" interface=\
    bridge-local network=192.168.20.0

add address=10.20.20.1/24 interface=vlan2 network=10.20.20.0

/ip dhcp-server network
add address=10.20.20.0/24 dns-server=10.20.20.1,8.8.8.8 gateway=\
    10.20.20.1


/ip firewall mangle
add action=change-mss chain=forward new-mss=1350 out-interface=IPVN \
    passthrough=yes protocol=tcp tcp-flags=syn

/ip route
add disabled=no dst-address=xxxx gateway=bridge-local pref-src=\
    xxxx


/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5

From the part of config you posted it’s not clear why it doesn’t work. And since you do get IP address from correct address pool, it seems that L2 setup is fine. However: are you sure it’s not firewall? If there is some firewall setup (which you omitted from post), then we’ll have to see it. And any address lists and interface lists …

Thanks for taking a look. There are currently no firewall rules on the device. We do have a pfSense VM upstream at our ISP.

My question is, are you sure you want it to be a router?
By assigning the guest network on the AP, you are really introducing added router functionality and complexity that may not be required.
For example, why can’t the main router provide the network, DHCP etc., and then send at least two VLANs in a trunk port to the MT AP…

(the trusted VLAN, where the MT AP will get its IP address, and the data VLAN which will go out the WLAN)???

In this manner, the AP will solely act as an AP/switch!

I would like to get it working this way if I can, mainly just to work out the problem.

This way means nothing to me. Do you want it to act as a router and handle its own subnet, or act like an AP and pass through router subnets to the WLANs …

Sorry, obviously there’s some confusion in my original post. It IS a router. The AP is a separate device and isn’t a MikroTik; it’s connected to port 2 of our MikroTik router.

The config I posted is from the router not the AP.

Which router, and what is the current firmware version being used?
Better to assign the port to the address you want and forget vlan2.
The bridge will remain serving all ports BUT NOT ether2.

Remove this route, it serves no purpose as one is automatically created via the bridge-associated IP address:
/ip route
add disabled=no dst-address=xxxx gateway=bridge-local pref-src=\
    xxxx
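
The "assign the address to the port and forget vlan2" approach from the reply above, written out against the posted config as an added example (it is not code from the original poster or the replier). The interface names, pool name and PPPoE name come from the posted export; the `dhcp-guest` and `guest` names, the comments, and the NAT rule (the post shows no /ip firewall nat section) are assumptions. The filter rules are an addition the thread did not ask for: the poster says there are no firewall rules, and a guest subnet that can already ping 192.168.20.0/24 is merely routed, not isolated.

```routeros
# Added example, not from the original post. Guest subnet served directly on
# ether2 as a routed port, replacing the vlan2 interface and its bridge entry.
# Names other than those in the posted config are assumptions.

# 1. Take ether2 out of the bridge and remove the objects that referenced vlan2.
#    Order matters: the address and DHCP server hold references to vlan2.
/interface bridge port remove [find interface=ether2]
/interface bridge vlan remove [find vlan-ids=200]
/ip dhcp-server remove [find name=dhcp1]
/ip address remove [find interface=vlan2]
/interface vlan remove [find name=vlan2]

# 2. Guest gateway address lives on the physical port now.
/ip address add address=10.20.20.1/24 interface=ether2 comment="guest gateway"

# 3. Same pool as before, served on ether2. The existing
#    /ip dhcp-server network entry for 10.20.20.0/24 is reused unchanged.
/ip dhcp-server add name=dhcp-guest interface=ether2 address-pool=dhcp_pool3 disabled=no

# 4. Guest isolation (addition): internet only, nothing to 192.168.20.0/24,
#    and only DHCP/DNS/ICMP to the router itself.
/interface list add name=guest
/interface list member add list=guest interface=ether2
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="return traffic"
add chain=forward in-interface-list=guest out-interface=IPVN action=accept comment="guest: internet via PPPoE"
add chain=forward in-interface-list=guest action=drop comment="guest: no access to other subnets"
add chain=input in-interface-list=guest protocol=udp dst-port=53,67 action=accept comment="guest: DNS and DHCP to router"
add chain=input in-interface-list=guest protocol=icmp action=accept comment="guest: ping the gateway"
add chain=input in-interface-list=guest action=drop comment="guest: no router management"

# 5. Source NAT out of the PPPoE uplink (assumed missing; the posted export has
#    no /ip firewall nat section, so check first with: /ip firewall nat print).
/ip firewall nat add chain=srcnat out-interface=IPVN action=masquerade comment="to internet"
```

Two things to check after applying it: ether2 now carries the guest subnet untagged only, so the AP must put its guest SSID untagged on its uplink (and the AP's own management address ends up in the guest subnet, which the tagged design avoided); and because the DHCP network hands out 10.20.20.1 as a DNS server, `/ip dns set allow-remote-requests=yes` must be on, otherwise clients get an address but no name resolution even once the gateway answers ping. From a guest client, `ping 10.20.20.1` should succeed and `ping 192.168.20.254` should time out on the forward drop rule; `/ip firewall filter print stats` shows which rule is counting.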

RouterOS 7.11.2
model = RB2011UiAS-2HnD