VLAN configuration, that has me stumped

Hi everyone, now I have been racking my brains and I just can't get this right.

I have a network, it's a full WISP setup, with RADIUS and VoIP etc. Cambium switches and Cambium radios, the WISP is working 100%.

I have now got a friend who wants to jump over my network from the datacenter to a break out point at his home.

He has 2 devices each with its own /32 I don't know and don't really want to know.

I set up a VLAN via a bridge, I can see the devices in the host lists on either side. However, my one MikroTik without internet doesn't route the VLAN to the device, it just blocks it.

So the layout is 2 MikroTiks.

The first is a CCR2004

Has internet access and routing and is set up for a multitude of networks.

The second is just a simple RB3011UiAS, with no internet breakout. All it is, is a plain bridge to the network with a dedicated port to the VLAN.

MikroTik 1 - Full internet access

ether 2 - bridge to the wireless and fibre core network, (IP address 10.10.10.2)

ether 4 - VLAN 60 - untagged port the device connected has a /32 IP address on the bridge with ingress filtering, tag-stacking, ether type 0x8100

VLAN 60 untagged is port 4 while port 2 is tagged. The rest of the network runs on VLAN one.

Routing is via the SFP via a PPPoE internet account

MikroTik 2 - NO internet access

ether 2 - bridge to the wireless and fibre core network, (IP address 10.10.10.3)

ether 4 - VLAN 60 - untagged port the device connected has a /32 IP address on the bridge with ingress filtering, tag-stacking, ether type 0x8100

VLAN 60 untagged is port 4 while port 2 is tagged. The rest of the network runs on VLAN one.

On both MikroTiks, under Bridge > Hosts on the MikroTik, I can see the device with the MAC address of the respective port 4 and the 2 MikroTiks, however, I can't see the device on the other MikroTik on the VLAN.

I have tried firewall, and the 2 /32 IP addresses are e.g. 172.31.1.64/32 and 172.31.1.65/32, these are set on the devices, not the MikroTiks. I just want a network via the VLAN that won't affect the rest of my network.

I was told it's impossible, but there are examples on the web and yet it's like something is missing, as I can traceroute to MikroTik #1, but from #1 to number 2 it just stops at the MikroTik router.

I'm a bit confused with loading my config file, I tried the upload, but I think I have done something wrong.

Hi,

Start from there: Topics tagged rtfum

If needed, basic instructions on how to export a configuration and post it on the forum are here:

Thank you, stupid me, I was trying to upload the file. Gotcha.

If these two devices were directly connected to the same dumb switch would they be able to communicate with each other?

With the given information, it appears they are hosts with no ability to use a gateway. So on a single LAN (which a VLAN emulates), I don't see how IP could be used for communication given the info provided. They could communicate directly via MAC address, but I don't know how useful that would be without something like PPPoE.

Not quite sure I understand what your configuration is, but if any of it is over the public internet or emulating the public internet, remember that 172.16.0.0/12 addresses are not routable and must be NATed. What is more is that NAT can only be applied at one end of a network - the initiating end for an action which calls on a public address. You cannot normally initiate from the public side into a server behind a NAT. And for what you are trying to do, for any interaction, one or other device is a server behind a NAT.

No idea how to fix this. Maybe you could configure a VPN from private to private or maybe you could give both devices 'public' addresses on your WISP.