Vlan Routing Problem

So I have a Vlan routing problem. I updated the firmware on the router and before I did that, it was working fine. I have the hex routerboard. I have Vlan5 on ether2-master-local and after that it made a bridge1 created from master port and now my vlan5 is under the bridge1. The router IP address is 192.168.4.1/24 with DHCP and Vlan5 is 10.2.0.1/24 but no DHCP every device in Vlan5 has a static IP on it being 10.2.0.xxx. And in the firewall NAT I have is:

[//ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether1-gateway 

 1    ;;; winp-app
      chain=dstnat action=dst-nat to-addresses=10.2.0.20 to-ports=4418
      protocol=tcp dst-port=4418 log=no log-prefix=""


/interface vlan> print
Flags: X - disabled, R - running 
 #   NAME                   MTU ARP             VLAN-ID INTERFACE                
 0 R winp-app Vlan5            1500 enabled               5 bridge1   



/ip address> print
Flags: X - disabled, I - invalid,
 #   ADDRESS            NETWORK  
 0   ;;; default configuration
     192.168.4.1/24    192.168.4.0
 1   10.2.0.1/24        10.2.0.0
 2 D xxx.xxx.xxx.xxx/24   xxx.xxx.xxx
 
 code]
 
 It works from internet browsers so you type public IP address  http://xxx.xxx.xxx.xxx:4418 and you get to the device web interface.


And when I type in the http://xxx.xxx.xxx.xxx:4418 I can see the packets getting to the winp-app NAT that I setup on the router on that port but the web page does not show up. 

What is wrong, What am I doing wrong and how do I fix it. 

Help is much appreciated.

Try actually posting a config

There is a difference in way Vlans are configured pre and post 6.41, read below, there are also some examples which include both pre and post 6.41 config

https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Private_VLAN

Sorry for the late reply with it being the holiday and the are internet was out for 2 days.

and Thanks for the link.

I have tired the some of the things in the link that you send but did not work. So let just start over.
So the default setting are IP address 192.168.88.1 /24 DHCP and I have devices that have static IP address 10.2.0.0 vlan 5 how would I go about it setting the router up to connect to those devices when Ethernet port 2-5 are bridged now and port forwarding to port 4418 and IP address 10.2.0.20


Your Advice is most appreciated.
.

Did you set the bridge ports facing VLAN5 correctly after the ugrade? Is VLAN5 defined in the bridge VLAN table. Without an:

/export hide-sensitive

It’s going to be slow to troubleshoot. Additionally a diagram helps too (even something simple in ME Paint).

Here is the code.

[//interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment="created from master port" name=bridge1 \
    protocol-mode=none

/interface bridge port
add bridge=bridge1 interface=ether3-slave-local
add bridge=bridge1 interface=ether4-slave-local
add bridge=bridge1 interface=ether5-slave-local
add bridge=bridge1 interface=ether2-master-local

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] name=ether3-slave-local
set [ find default-name=ether4 ] name=ether4-slave-local
set [ find default-name=ether5 ] name=ether5-slave-local


/interface vlan
add interface=bridge1 name="winp-app Vlan5" vlan-id=5

/interface list
add name=mactel
add name=mac-winbox
add name=WAN
add name=LA
code]

Is this what you wanted to know about the vlan5 and the bridge? Or do you want the full code?

Here is something interesting under IP-address if I change the 10.2.0.1 interface to bridge1 from for the vlan5 interface it started working but then the IP address of the router changes to 10.2.0.1. Then when I change the interface back to the vlan5 interface, it stops working. If that helps are all.

Do you have anything in /interface bridge vlan? … To have vlan5 working there should be some config there as well. In addition to that, fi]/interface bridge[/i] should get vlan-filtering=yes … but that only after you have bridge vlan config in place.

Your RB acts as dumb switch until you configure vlans … which is OK for switching/bridging, but if you want RB to actively participate in certain VLAN, then it needs VLAN config.

Here is what I got for the bridge

[//interface bridge
add name=bridge1 protocol-mode=none pvid=5 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface bridge vlan
add bridge=bridge1 vlan-ids=5

You have to decide whether bridge will be tagged or untagged member of VLAN 5 (in some old config export you have created vlan interface for vlan-id=5 on bridge but in recent export you have pvid=5 on same bridge). I recommend to go with tagged variant.

The lone configuration item in /interface bridge vlan is wrong. You should have something like this:

/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3 untagged=ether4,ether5 vlan-ids=5
/interface vlan
add interface=bridge name=vlan5 vlan-id=5

I’m assuming you’ll use ether2 and ether3 as trunk ports for connecting managed switches and that you’ll use ether4 and ethet5 as access ports for the same VLAN (to connect PCs). Adapt to your needs. You should add IP configuration (address 10.2.0.1/24, DHCP server, …) to vlan5 interface.
And ether1 is WAN port.

@ mkx
You said Do you have anything in /interface bridge vlan? have vlan5 working there should be some config there as well. In addition to that, fi]/interface bridge[/i] should get vlan-filtering=yes … but that only after you have bridge vlan config in place.

So I put in the vlan-filtering=yes.

But now you are saying
/interface bridge vlan add bridge=bridge tagged=bridge,ether2,ether3 untagged=ether4,ether5 vlan-ids=5 /interface vlan add interface=bridge name=vlan5 vlan-id=5

But not to have vlan-filtering=yes
So I am a bit confused.
I have disable it now.

You are right about using ether2 and ether3 as trunk ports and ether4 and ethet5 as access ports for the same VLAN to connect computers.
On ether2 this is a switch that connect to PCs that get there IP address from the RB is 192.168.88.0/24

And ether3 goes to the managed switch witch in Vlan5 and has the 10.2.0.xxx IPs that are Static assigned on those devices. And the computers on ether2, ether4 and ether5 need to access vlan5. And I need the internet to work on vlan5 so we can get to 10.2.0.5:4418. Witch I have added in the firewall.

Just a side note if I plug the controller in to the ether3 it starts working so I got a 5 port unmanaged switch in plug it in to ether3, the controller and the managed switch and everything is working.

And I can leave that 5 port switch there. If there’s nothing else to try.

Well we should be talking apples to apples.
Suggest you update your router to 6.43.8 before continuing.

Confirm following
ether2 - connected to managed switch in your diagram, only need vlan5 traffic on this port
ether3 - connected to what looks like an unmanaged switch to connect to PCs only running home network (192.168.88.x)
ether4 - ??
ether5 - ??

You have an additional requirement for users on ether 3, 4, 5 to be able to connect to vlan5 devices?
Did you mean to a specific device or all devices??

I am failing to see why even have a vlan5? If all router users require access to vlan 5 then just make it all one network?
However, I suppose if you want to allow one way traffic only, users to vlan 5 and not the reverse I suppose there may be some merit in that approach.
The same could be accomplished by having a DMZ type LAN off the bridge or in a separate bridge to ensure there is no layer 2 connectivity but allow the router to route traffic between them where appropriate (LAN to DMZ but not the reverse). Which is most efficient in terms of router CPU and performance is above my paygrade.

Okay assuming all on one bridge approach is most efficient…
The following is provided.
Note that until it is confirmed I have assumed that only ether2 is a trunk port and one uncertainty is
how to setup the bridge port. If I put admit tagged frames only I am assuming this means inbound from the managed switch and thus wont prevent Lan traffic to go out of port 2 to the managed switch.)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
protocol-mode=none vlan-filtering=yes

/interface vlan
add interface=bridge name=vlan5 vlan-id=5

/interface bridge port
add bridge=bridge1 interface=ether2 frames-admit-only-tagged packets ingress-filtering=yes (trunk port connected to managed switch)
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5

/interface bridge vlan
add bridge=bridge tagged=bridge, ether2 untagged=ether3, ether4, ether5 vlan-ids=5

/interface list member
add comment=defconf interface=eth1 list=WAN
add interface=bridge list=LAN
add interface=vlan5 list=LAN

/ip dhcp-server
add address-pool=dhcp-HomeLAN disabled=no interface=bridge lease-time=1d
name=HoMeLAN
add address-pool=dhcp_vlan5 disabled=no interface=vlan5
lease-time=1d name=WinpServer

/ip pool
add name=dhcp-HomeLAN ranges=192.168.88.2-192.168.88.100 (for example)
add name=dhcp_vlan5=10.0.2.5-10.0.2.50 (for example)

/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=10.0.2.?/24 interface=vlan5 network=10.0.2.? (not sure how to write this one up as your nomenclature is different from what I know)

/ip dhcp-server network
add address=192.168.0.0/24 comment=HomeNetwork dns-server=192.168.0.1 gateway=
192.168.0.1
add address=10.0.2.?/24 comment=WinpNetwork dns-server=10.0.2.?
gateway=10.0.2.?

/IP firewall filter
add action=accept chain=forward comment=
"Allow Port Forwarding " connection-nat-state=dstnat
(you need this rule in the FORWARD chain to allow port forwarding rules to work)

/IP firewall filter
add action=accept chain=forward comment=“LAN to VLAN Access”
src-address=192.168.88.0/24 out-interface=vlan5
(This should allow all LAN computers to access VLAN devices)

/ip firewall nat
add action=dst-nat chain=dstnat comment=WinpAccess-tcp dst-port=4418
in-interface=WAN protocol=tcp to-addresses=10.0.2.5
(if you had a list of allowable external IPs… you would need to create the firewall address list and then modify the rule as follows
add … src-address-list=Allowed_External_Users )

I’m sorry, but in my latest config I didn’t replace all the config, I just pointed the needed changes. So the config (compared to what you posted in post #9 above) would be like this:

/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3 untagged=ether4,ether5 vlan-ids=5
/interface vlan
add interface=bridge name=vlan5 vlan-id=5

That’s assuming that switch connected to ether2 is a managed switch (or connects devices that know what to do with VLAN tagged frames).

Thank you mkx

I will give this a shoot on Monday.

So it still did not work.

And in the addressing

/ip address
add address=192.168.88.1/24 comment="default configuration" interface=bridge1 network=192.168.88.0
add address=10.2.0.1/24 comment="Winp App" interface="Vlan5" network=10.2.0.0

and if I change it to

/ip address
add address=192.168.88.1/24 comment="default configuration" interface=bridge1 network=192.168.88.0
add address=10.2.0.1/24 comment="Winp App" interface=bridge1 network=10.2.0.0

It works and I can get to 10.2.0.5. But then it changes the IP address on the router to 10.2.0.1.

I’m confused. Please provide complete setup - output from /export hide-sensitive with public address(es) mangled. Paste it to [ code] … [ /code] environment here.

I’m looking at the network chart from one of your early posts and it does lack some information:

• what is IP address 192.168.88.1 for? The router’s LAN?
• to which router ports are connected (dumb?) switch south of router and managed switch east of router?
• is VLAN with ID=5 carried over connection between router and managed switch? Is only that VLAN or untagged carried over same link as well?
• how’s managed switch configured regarding VLANs?

If you can connect to 10.2.0.5 when router’s address 10.2.0.1 is bound to bridge, this means something is hugely mis-configured with regard of VLANs .. and not necessarily on RB router.

@mkx

Here is the config

/interface bridge
add admin-mac=D4:CA:6D:C4:01:44 arp=reply-only auto-mac=no comment=\
    "created from master port" name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] mac-address=D4:CA:6D:C4:01:43 name=\
    ether1-gateway
set [ find default-name=ether2 ] mac-address=D4:CA:6D:C4:01:44 name=\
    ether2-master-local
set [ find default-name=ether3 ] mac-address=D4:CA:6D:C4:01:45 name=\
    ether3-slave-local
set [ find default-name=ether4 ] mac-address=D4:CA:6D:C4:01:46 name=\
    ether4-slave-local
set [ find default-name=ether5 ] mac-address=D4:CA:6D:C4:01:47 name=\
    ether5-slave-local
/interface vlan
add interface=bridge1 name="Winp App Vlan5" vlan-id=5
/interface list
add name=mactel
add name=mac-winbox
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add add-arp=yes authoritative=after-2sec-delay disabled=no interface=bridge1 \
    lease-time=3d name=default
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/system logging action
set 0 memory-lines=100
set 1 disk-file-name=log disk-lines-per-file=100
/interface bridge port
add bridge=bridge1 interface=ether3-slave-local
add bridge=bridge1 interface=ether4-slave-local
add bridge=bridge1 interface=ether5-slave-local
add bridge=bridge1 interface=ether2-master-local
/interface bridge vlan
add bridge=bridge1 tagged=ether2-master-local,ether3-slave-local untagged=\
    ether4-slave-local,ether5-slave-local vlan-ids=5
/interface list member
add interface=bridge1 list=mactel
add interface=ether3-slave-local list=mactel
add interface=bridge1 list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether5-slave-local list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=ether5-slave-local list=mac-winbox
add interface=ether1-gateway list=WAN
add list=mac-winbox
add interface=bridge1 list=LAN
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=bridge1 \
    network=192.168.88.0
add address=10.2.0.1/24 comment="Winp app Vlan5" interface="Winp App Vlan5" \
    network=10.2.0.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no \
    interface=ether1-gateway
/ip dhcp-server lease
add address=192.168.88.239 comment=ETVE31-PC mac-address=C8:1F:66:45:60:48 \
    server=default
add address=192.168.88.158 comment=ETVE29-PC mac-address=E4:F4:C6:3B:03:BB \
    server=default
add address=192.168.88.171 comment=ETVE30-PC mac-address=C4:04:15:6E:33:D8 \
    server=default
add address=192.168.88.142 comment=ETVE5-Laptop mac-address=00:25:B3:76:59:66 \
    server=default
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=\
    established,related
add action=drop chain=input comment="default configuration" connection-state="" \
    in-interface=ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related ipsec-policy=in,ipsec
add action=accept chain=forward comment="default configuration" \
    connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=\
    invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="Winp app port" dst-port=4418 protocol=\
    tcp to-addresses=10.2.0.5 to-ports=4418
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.142/32
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago
/system logging
add topics=firewall
/system routerboard settings
set silent-boot=no

what is IP address 192.168.88.1 for? The router’s LAN?
Yes the router IP address is 192.168.88.1 on the LAN side.

to which router ports are connected (dumb?) switch south of router and managed switch east of router?
From Router ether2 goes to Port1 on the managed switch. east of router
From Router Ether3 goes to Port1 on a unmanaged switch. south of router


is VLAN with ID=5 carried over connection between router and managed switch?
YES

Is only that VLAN or untagged carried over same link as well?
YES

how’s managed switch configured regarding VLANs?
All the ports on the switch are tagged for Vlan5.

I will look are the switch config more closely after this.

thank you in advance for your help. mkx

Here’s an omission from your config:

/interface bridge vlan
add bridge=bridge1 tagged=> bridge1,> ether2-master-local,ether3-slave-local untagged=
ether4-slave-local,ether5-slave-local vlan-ids=5

If you want to get vlan traffic to bridge interface, then it has to be listed as (tagged) member of that VLAN.

Thank you for all your help and patients. mkx

It works now.