VLAN setting

Hello,

I am a newbie in the MikroTik world and I want help with my lab settings.
Here is my scenario:
port1 - gateway. I left the default setting with DHCP
port2 - trunk. A 3COM switch which supports VLANs will be connected there.
port3 - VLAN1
port4 - VLAN2
I need to create 2 independent VLANs, and those VLANs will share the internet connection.
I used Winbox for the settings and I tried to set it up following how-tos on the Internet,
but it doesn’t work. Could you write me the basic steps of what I will need to set?
I’ll delete my settings and I will start again. Thank you

L

Let’s see if we can help you…

So what you are trying to do, just to be clear, is to create x2 VLANs on a Mikrotik Router. From there both VLANs need access to the internet. You will also have both VLANs on a trunk to another switch.

Do I understand your situation correctly?


Here are some things you can try:

Create a bridge for each vlan:

/interface bridge
add name=bridge-vlan1
/interface bridge port
add interface=ether3 bridge=bridge-vlan1
/interface vlan
add name=vlan1 interface=bridge-vlan1 vlan-id=1
/ip address
add interface=bridge-vlan1 address=10.10.10.1/24

/interface bridge
add name=bridge-vlan2
/interface bridge port
add interface=ether4 bridge=bridge-vlan2
/interface vlan
add name=vlan2 interface=bridge-vlan2 vlan-id=2
/ip address
add interface=bridge-vlan2 address=10.10.20.1/24

Now we need to configure the trunk (you may need to play around with tag versus untag depending on your switch):

/interface vlan
add name=vlan1-trunk-eth2 interface=ether2 vlan-id=1
add name=vlan2-trunk-eth2 interface=ether2 vlan-id=2

/interface bridge port
add interface=vlan1-trunk-eth2 bridge=bridge-vlan1
add interface=vlan2-trunk-eth2 bridge=bridge-vlan2

This should set you up where port2 is configured as a trunk going to your switch. Port 3 is set up for VLAN1 and port4 is set up for VLAN2. All devices within the same VLAN, regardless of port, should now be able to talk to each other.

You will want to then set up DHCP, if done on the Mikrotik, for each network/VLAN. You will also want to verify the routes were automatically added, which they should have been, which would allow inter-VLAN routing. This can be prevented within the firewall if you wish to prevent it.

You will need to set up a NAT with Masquerade for the VLANs to get out to the internet.

Butch Evans has a great blog on Mikrotik configuration examples. I highly recommend checking it out.
http://blog.butchevans.com/2010/02/to-tag-or-not-to-tag-that-is-the-question/

Thank you Revelation, the VLAN is working perfectly.

I would like to ask you to check my firewall settings for any big mistake, please. At the moment I have no access list for PPTP; I will create it later. PPTP is open to all IP addresses for now.

Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=forward action=drop in-interface=br-vlan2 out-interface=br-vlan3 
      log=no log-prefix="" 

 1    chain=forward action=drop in-interface=br-vlan3 out-interface=br-vlan2 
      log=no log-prefix="" 

 2    chain=input action=accept src-address-list=LAN-permit log=no log-prefix="" 

 3 XI  chain=input action=drop log=no log-prefix="" 

 4    chain=input action=accept protocol=icmp log=no log-prefix="" 

 5    chain=input action=accept connection-state=established log=no log-prefix=">

 6    chain=input action=accept connection-state=related log=no log-prefix="" 

 7    ;;; VPN - Allow TCP port 1723 for PPTP
      chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix="" 

 8    ;;; VPN - Allow GRE protocol for PPTP
      chain=input action=accept protocol=gre log=no log-prefix="" 

 9    ;;; VPN - Drop access to G-LAN
      chain=forward action=drop in-interface=all-ppp out-interface=br-vlan3 
      log=no log-prefix="" 

10    chain=input action=drop in-interface=ether1-gateway log=no log-prefix="" 

11    chain=forward action=accept connection-state=established 
      in-interface=ether1-gateway log=no log-prefix="" 

12    chain=forward action=accept connection-state=related 
      in-interface=ether1-gateway log=no log-prefix="" 

13    chain=forward action=drop in-interface=ether1-gateway log=no log-prefix=""
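
Added example, not part of the thread: a small Python check that parses `/ip firewall filter print` output like the listing above and walks one chain in rule order, reporting inactive rules, accept rules with no source restriction, and the absence of an unconditional drop (RouterOS accepts packets that match no rule). The sample is the input-chain subset of the posted rules; the function names and finding texts are this example's own.

```python
import re

# Constructed sample: input-chain rules copied from the print-out in the post above.
SAMPLE = '''\
 2    chain=input action=accept src-address-list=LAN-permit log=no log-prefix=""
 3 XI  chain=input action=drop log=no log-prefix=""
 4    chain=input action=accept protocol=icmp log=no log-prefix=""
 7    ;;; VPN - Allow TCP port 1723 for PPTP
      chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""
 8    ;;; VPN - Allow GRE protocol for PPTP
      chain=input action=accept protocol=gre log=no log-prefix=""
10    chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""
'''

RULE_START = re.compile(r"^\s*(\d+)\s+([XID]*)\s*(.*)$")   # number, flags, rest
PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')               # key=value or key="..."
SOURCE_LIMITS = {"src-address", "src-address-list", "in-interface", "connection-state"}
NON_MATCHERS = {"chain", "action", "log", "log-prefix"}

def parse_rules(text):
    """Parse '/ip firewall filter print' output; wrapped lines join their rule."""
    rules = []
    for line in text.splitlines():
        start = RULE_START.match(line)
        if start:
            rules.append({"id": int(start.group(1)), "flags": start.group(2), "props": {}})
            line = start.group(3)
        if rules and not line.strip().startswith(";;;"):   # skip comment lines
            rules[-1]["props"].update((k, v.strip('"')) for k, v in PAIR.findall(line))
    return rules

def audit(rules, chain="input"):
    """Return (rule id or None, finding) pairs for one chain, in rule order."""
    findings, has_catch_all_drop = [], False
    for r in rules:
        p = r["props"]
        if p.get("chain") != chain:
            continue
        if "X" in r["flags"] or "I" in r["flags"]:
            findings.append((r["id"], "inactive (disabled/invalid), never matches"))
            continue
        matchers = set(p) - NON_MATCHERS
        if p.get("action") == "accept" and not matchers & SOURCE_LIMITS:
            findings.append((r["id"], "accepts from any source"))
        if p.get("action") == "drop" and not matchers:
            has_catch_all_drop = True
    if not has_catch_all_drop:
        findings.append((None, "no active unconditional drop; unmatched packets are accepted"))
    return findings
```

On the sample, `audit(parse_rules(SAMPLE))` flags rule 3 as inactive, rules 4, 7 and 8 as open to any source, and notes that the only active drop is limited to `in-interface=ether1-gateway`.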

What’s the problem you are having?