VLAN connect to internet

seyha · November 17, 2018, 10:13am

I created VLAN 3 to separate network segment and each VLAN attach to ether3, ether4 and ether5. DHCP is created and assigned to each VLAN. When computer connect to ether3, DHCP will provide the IP address. However, each VLAN can not connect to internet because internet is using ether2 to connect to internet.
Please guide how to allow VLAN to access to internet. Please see my configuration as below:

/interface bridge
add name=bridge protocol-mode=none
/interface bridge port
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5

/interface vlan
add interface=bridge name=VLAN1 vlan-id=1
add interface=bridge name=VLAN2 vlan-id=2
add interface=bridge name=VLAN3 vlan-id=3

/ip address
add address=192.168.2.1/24 interface=VLAN1
add address=192.168.3.1/24 interface=VLAN2
add address=192.168.4.1/24 interface=VLAN3

/ip pool
add name=POOL1 ranges=192.168.2.1-192.168.2.100
add name=POOL2 ranges=192.168.3.1-192.168.3.254
add name=POOL3 ranges=192.168.4.1-192.168.4.254

/ip dhcp-server
add address-pool=POOL1 disabled=no interface=VLAN1 name=DHCP1
add address-pool=POOL2 disabled=no interface=VLAN2 name=DHCP2
add address-pool=POOL3 disabled=no interface=VLAN3 name=DHCP3

/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=8.8.8.8 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=8.8.8.8 gateway=192.168.4.1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2

/interface ethernet switch vlan
add independent-learning=yes ports=ether3,switch1-cpu switch=switch1 vlan-id=1
add independent-learning=yes ports=ether4,switch1-cpu switch=switch1 vlan-id=2
add independent-learning=yes ports=ether5,switch1-cpu switch=switch1 vlan-id=3

/interface ethernet switch port
set ether3 default-vlan-id=1 vlan-header=always-strip vlan-mode=secure
set ether4 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set ether5 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set switch1-cpu vlan-mode=secure

mkx · November 17, 2018, 3:10pm

Use of VLAN ID 1 can bring a lot of trouble … it seems that ROS uses that ID implicitly for untagged traffic on bridge and if you try to explicitly tag frames with this VLAN ID, they are still considered untagged…

anav · November 17, 2018, 5:33pm

mkx hit the nail on the head as that is the first thing I noticed.
I also do not understand your ethernet switch (vlan or port) settings.
I have no such think on my hex (or dont use it for my vlans).

I use bridge for vlans and thus use bridge ports to identify ethport interfaces or wlan interfaces.
Vlans are there own interface entity whose parent interface is the bridge. Which you seem to have already done, and thus why I am perplexed.

mkx · November 17, 2018, 6:09pm

RBs with decent switch chips (hEX is not one of them) can deal with VLANs in hardware (as it used to be THE way on ROS <6.41). The config section /interface ethernet switch deals with it.
Seems like new hardware, even though it has decent switch chip, will not expose this config interface any more.

CZFan · November 17, 2018, 9:37pm

Why complicate things with VLAN’s, just create your IPs on each interface

anav · November 18, 2018, 12:59am

Often one does not have the physical luxury of 3 different ethernet physical connections to support different LANs, hence vlans have an advantage.

seyha · November 18, 2018, 9:20am

I can access to internet after I added ether2 that connected to modem, but it assigned new DHCP IP range. That is not what I want.
I want to keep the same IP address that provided from DHCP of each VLAN.