VLAN for second IP from ISP

Hello. I have a router with ether1 facing the ISP, with internet configured on a static IP, and everything is working just fine.
However, I’ve recently decided to connect a SIP trunk, and the ISP gave me a VLAN ID, a public IP/gateway for my SIP station and a SIP server address, on the same port as my internet.

I’ve actually never worked with VLANs or SIP before, so it took some digging, and yet I can’t make it work. I’ve narrowed the problem down to the fact that I cannot even ping the gateway or the SIP server from the MikroTik itself.

I’m trying the most basic setup for now on top of what I have:

/interface vlan add interface=ether1-WAN1 name=vlan338 vlan-id=338
/ip address add address=a.a.a.b/26 interface=vlan338 network=a.a.a.a

(where a.a.a.b - network and a.a.a.a - my public address).

Yet I cannot ping (and ARP does not work either) even the gateway on this network, let alone the SIP server address.

The gateway route is defined automatically and is shown as “reachable” in the routing table, and even adding the same route explicitly doesn’t help.
In the NAT rules I have only masquerade on ether1-WAN1. I’ve also tried to put a src-nat or masquerade for vlan-338 before it, but it didn’t seem to have any effect.
I’ve asked the ISP how exactly their VLAN is routed to me and they said that “my port should be configured in access mode”. It means untagged VLAN, right?

What am I missing?

Hi!

There are multiple methods for this: “bridge + VLAN filtering” or “interface-vlan + bridge”.
You need the 2nd method to work correctly with your ISP.

1x Physical cable:

VLAN 1 = default vlan , untagged
VLAN 338 = SIP-TRUNK

Do the following:
/interface vlan add name=eth1-vlan338 vlan-id=338 interface=ether1
/interface bridge add name=brwan protocol-mode=none vlan-filtering=yes pvid=1
/interface bridge add name=brsiptrunk protocol-mode=none vlan-filtering=yes pvid=338
# here is the magic #
/interface bridge port add bridge=brwan interface=ether1 frame-types=admit-only-vlan-tagged
/interface bridge port add bridge=brsiptrunk interface=eth1-vlan338 frame-types=admit-only-vlan-tagged

Assign WAN-ip to "brwan"
Assign SIPTRUNK-ip to "brsiptrunk"
DONE

Unlikely, there are very few use cases where a single VLAN-aware bridge cannot implement the configuration required.

So your ISP is providing the SIP service? In which case the public IP, netmask and gateway are for the SIP device - you should not have any IP configuration on the Mikrotik, just pass the VLAN through and present it untagged to the SIP device (or configure the VLAN ID on the SIP device).

Whilst you can use multiple bridges there are various pitfalls for the unwary, see https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration. You can configure your existing bridge to be VLAN-aware, add the physical WAN port to the bridge with an otherwise unused VLAN ID to segregate WAN and LAN traffic, add an /interface vlan to the bridge as the ‘WAN’ port and update the interface list membership accordingly, then add the SIP VLAN between the physical WAN and SIP device ports.

An /export of your configuration with the serial number, any public IPs or other private data redacted, plus a diagram or sketch of how things are or will be connected explains much more than words do.
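
The single VLAN-aware bridge layout described in the reply above, written out as an added example; it is not part of any post in this thread. Assumptions: the existing LAN bridge is named bridge, the SIP device sits on ether5 (hypothetical), VLAN 999 is the otherwise unused WAN VLAN ID (hypothetical), internet arrives untagged and VLAN 338 tagged on ether1-WAN1, and an interface list named WAN exists.

```routeros
# Added example, not from the thread. Names bridge, ether5, vlan999-wan and
# VLAN ID 999 are assumptions; ether1-WAN1 and VLAN 338 come from the question.

# WAN port joins the bridge: untagged internet frames are classified into
# VLAN 999, tagged frames (VLAN 338) are still accepted.
/interface bridge port
add bridge=bridge interface=ether1-WAN1 pvid=999 frame-types=admit-all \
    ingress-filtering=yes
# SIP device port: untagged only, always placed in VLAN 338.
# If ether5 is already a bridge port, use "set [find interface=ether5] ..." instead.
add bridge=bridge interface=ether5 pvid=338 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

# VLAN table: 999 reaches the router CPU (bridge is a tagged member),
# 338 only connects the WAN port to the SIP port and never reaches the CPU or LAN.
/interface bridge vlan
add bridge=bridge vlan-ids=999 tagged=bridge untagged=ether1-WAN1
add bridge=bridge vlan-ids=338 tagged=ether1-WAN1 untagged=ether5

# Layer 3 'WAN' interface on top of the bridge.
/interface vlan
add interface=bridge name=vlan999-wan vlan-id=999
/interface list member
add list=WAN interface=vlan999-wan

# Move the existing WAN address and masquerade rule off the physical port.
/ip address set [find interface=ether1-WAN1] interface=vlan999-wan
/ip firewall nat set [find out-interface=ether1-WAN1] out-interface=vlan999-wan

# Enable filtering last, once the VLAN table is complete.
/interface bridge set bridge vlan-filtering=yes
```

With this layout the router holds no IP address in VLAN 338, so the public SIP address, netmask and gateway are configured on the SIP device itself. Apply it in Safe Mode, since enabling vlan-filtering with an incomplete VLAN table can cut off management access.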