Hello,
I can't for the life of me work this out.
I have a RB750 and it's laid out in the following way:
eth 1 - WAN
eth 2 - LAN (DHCP 172.28.8.0/24)
eth 5 (master eth2)
-VLAN0002 ID 2
I setup a second DHCP pool on VLAN0002 to give out 172.28.9.0/24
I also have a CISCO 3550 switch that I want to trunk the VLAN to. There is only 1 VLAN at the moment but I will be setting up more. I have connected port 1 on the Cisco to eth 5 on the MikroTik. The switch gets an IP of 172.28.8.133. I now want to be able to select ports on that switch to use VLAN0002 and pick up the 172.28.9.0/24 network, but I can't seem to get it to work! I just pick up a 169 address.
Can someone tell me if I've set up the MikroTik side correctly? I'm guessing not as it's not working. Someone to guide me through doing this would be great as I'm pretty new to VLANs.
Also keep in mind that when port5 is slave to port2, assign the VLAN interface to port2 on the mikrotik.
The Native Vlan of the switch is VLAN 1
I want the switch to pickup the same DHCP range that eth 2 is giving out for my LAN which is 172.28.8.0/24 this is why I have slaved eth 5 to eth2. The switch is connected to eth5, I have static reserved the address for the switch in the mikrotik with an address of 172.28.8.133.
I then want to setup vlans on the mikrotik which will trunk to the switch. Each of those vlans will have their own DHCP range on the individual vlans from the mikrotik.
i.e. VLAN 2 - 172.28.9.0/24
VLAN 3 - 172.28.10.0/24
My main LAN is connected to an unmanaged switch on eth 2 with a DHCP of 172.28.8.0/24. These devices will be staying on this LAN
The Cisco switch will be connected to eth 5 which is slaved to eth 2 on the mikrotik so it gets an ip in the 172.28.8.0/24 range.
I have then set up the VLANs on eth5 on the MikroTik, so is that wrong? Do I need to set up the VLANs on eth2?
Hopefully this diagram below will explain what I want to happen
https://www.dropbox.com/s/3f6mcwnqb6o0c91/FullSizeRender.jpg?dl=0
Just noticed in the diagram I've drawn VLAN 1 and 2 on the Cisco switch;
it's meant to be VLAN 2 and 3.
Apologies.
Okay,
Now I've worked it out I have run into a small issue.
Because it's trunking the VLANs and it's using the router as the gateway, each VLAN on the switch can route to the others.
I don't want this to happen; I want each VLAN to be separate but still share the same internet connection.
How would I go about doing this?
Eth2 - DHCP (172.28.8.0/24)
VLAN0002 - DHCP (172.28.9.0/24)
VLAN0003 - DHCP (172.28.10.0/24)
Switch Cisco 3550 - 172.28.8.133
Trunk on port 1
Devices on VLAN0002 -
PC 1 (IP 172.28.9.2, Gateway 172.28.9.1, DNS 172.28.8.1)
Same setup for VLAN0003 but on the 10.0/24 range
I can ping devices from VLAN0002 on VLAN0003 and vice versa, how can I stop this but still share the same internet connection?
[admin@008-HOME] /ip> address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 172.28.8.1/24 172.28.8.0 ether2-master-local
1 172.28.7.1/24 172.28.7.0 ether1-gateway
2 D 81.xxx.xxx.xxx/32 172.16.11.27 pppoe-out1
3 172.28.9.1/24 172.28.9.0 VLAN0002
4 172.28.10.1/24 172.28.10.0 VLAN0003
[admin@008-HOME] /ip> route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 172.16.11.27 1
1 ADC 172.16.11.27/32 81.129.86.39 pppoe-out1 0
2 ADC 172.28.7.0/24 172.28.7.1 ether1-gateway 0
3 ADC 172.28.8.0/24 172.28.8.1 ether2-master-l... 0
4 ADC 172.28.9.0/24 172.28.9.1 VLAN0002 0
5 ADC 172.28.10.0/24 172.28.10.1 VLAN0003 0
Thank you for that input but would you mind explaining how?
Here is my current firewall
[admin@008-HOME] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop invalid connections through router
chain=forward action=drop connection-state=invalid log=no log-prefix=""
1 ;;; Drop all traffic to-from addresses on \"CountryIPBlocks\" address li>
chain=forward action=drop dst-address-list=CountryIPBlocks log=no
log-prefix=""
2 ;;; Allow new connections through router coming in LAN interface
chain=forward action=accept connection-state=new
in-interface=ether2-master-local log=no log-prefix=""
3 ;;; Allow established connections through router
chain=forward action=accept connection-state=established log=no
log-prefix=""
4 ;;; Allow related connections through router
chain=forward action=accept connection-state=related log=no
log-prefix=""
5 ;;; Allow Plex
chain=forward action=accept protocol=tcp dst-port=32400 log=no
log-prefix=""
6 ;;; Allow BT Vision
chain=forward action=accept protocol=udp log=no log-prefix=""
7 ;;; Allow TCP Protocol 6 for PPTP
chain=forward action=accept protocol=tcp log=no log-prefix=""
8 ;;; Allow Ping Over PPTP
chain=forward action=accept protocol=icmp log=no log-prefix=""
9 ;;; Drop all other connections through the router
chain=forward action=drop log=no log-prefix=""
10 ;;; Drop all traffic from addresses on "CountryIPBlocks" address list
chain=input action=drop src-address-list=CountryIPBlocks log=no
log-prefix=""
11 ;;; Allow everything from the LAN interface to the router
chain=input action=accept in-interface=ether2-master-local log=no
log-prefix=""
12 ;;; Allow established connections to the router, these are OK because w>
ren't allowing new connections
chain=input action=accept connection-state=established log=no
log-prefix=""
13 ;;; Allow related connections to the router, these are OK because we are>
allowing new connections
chain=input action=accept connection-state=related log=no log-prefix=""
14 ;;; Allow PPTP VPN
chain=input action=accept protocol=tcp dst-port=1723 log=no
log-prefix=""
15 chain=input action=accept protocol=gre log=no log-prefix=""
16 chain=input action=accept protocol=tcp log=no log-prefix=""
17 ;;; UDP
chain=input action=accept protocol=udp log=no log-prefix=""
18 ;;; Allow limited pings
chain=input action=accept protocol=icmp limit=50/5s,2 log=no
log-prefix=""
19 ;;; Drop excess pings
chain=input action=drop protocol=icmp log=no log-prefix=""
20 ;;; Drop everything else to the router
chain=input action=drop log=no log-prefix=""
[admin@008-HOME] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=pppoe-out1 log=no log-prefix=""
1 ;;; Plex Server
chain=dstnat action=dst-nat to-addresses=172.28.8.100 to-ports=32400 protocol=tcp in-interface=pppoe-out1 dst-port=32400 log=no log-prefix=""
Rudios
July 7, 2015, 6:23pm
10
you could add drop rules for all the possible connections you do not want, like this
/ip firewall filter
add chain=forward action=drop src-address=172.28.8.0/24 dst-address=172.28.9.0/24
add chain=forward action=drop src-address=172.28.8.0/24 dst-address=172.28.10.0/24
add chain=forward action=drop src-address=172.28.9.0/24 dst-address=172.28.8.0/24
add chain=forward action=drop src-address=172.28.9.0/24 dst-address=172.28.10.0/24
add chain=forward action=drop src-address=172.28.10.0/24 dst-address=172.28.8.0/24
add chain=forward action=drop src-address=172.28.10.0/24 dst-address=172.28.9.0/24
Maybe simpler and more straightforward is to allow the things you want and block all other traffic.
What I would do is the following
add chain=forward action=drop connection-state=invalid
add chain=forward connection-state=established,related
add chain=forward in-interface=ether2 out-interface=pppoe-out1 (maybe even specify src-addresses here)
add chain=forward in-interface=vlan0002 out-interface=pppoe-out1 (maybe even specify src-addresses here)
add chain=forward in-interface=vlan0003 out-interface=pppoe-out1 (maybe even specify src-addresses here)
[…] put your other desired allowed rules here
add chain=forward action=drop
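As an added check (my own Python, not RouterOS code and not from the thread), a small first-match evaluator of the allow-list forward chain Rudios proposes, using the thread's subnets and the interface names as Rudios wrote them; packets are constructed, anything outside the three local subnets is assumed to leave via pppoe-out1, and rules with no action accept as RouterOS does.

```python
import ipaddress

# Subnets and interface names from the thread; anything outside them is assumed
# to be the Internet, reached through pppoe-out1.
LOCAL_NETS = {
    "ether2": ipaddress.ip_network("172.28.8.0/24"),
    "vlan0002": ipaddress.ip_network("172.28.9.0/24"),
    "vlan0003": ipaddress.ip_network("172.28.10.0/24"),
}

def iface_of(ip):
    """Map an address to the router interface it sits behind."""
    addr = ipaddress.ip_address(ip)
    for name, net in LOCAL_NETS.items():
        if addr in net:
            return name
    return "pppoe-out1"

# Rudios' allow-list forward chain as (matchers, action). RouterOS rules with
# no explicit action accept, so the three per-interface rules are accepts.
FORWARD_CHAIN = [
    ({"connection-state": "invalid"}, "drop"),
    ({"connection-state": "established,related"}, "accept"),
    ({"in-interface": "ether2", "out-interface": "pppoe-out1"}, "accept"),
    ({"in-interface": "vlan0002", "out-interface": "pppoe-out1"}, "accept"),
    ({"in-interface": "vlan0003", "out-interface": "pppoe-out1"}, "accept"),
    ({}, "drop"),  # final catch-all: everything not explicitly allowed
]

def rule_matches(match, pkt):
    """A rule matches only if every matcher it specifies holds for the packet."""
    for key, want in match.items():
        if key == "connection-state":
            if pkt["state"] not in want.split(","):
                return False
        elif pkt[key] != want:
            return False
    return True

def forward(src, dst, state="new"):
    """Walk the chain first-match; return the action taken for this packet."""
    pkt = {"in-interface": iface_of(src), "out-interface": iface_of(dst), "state": state}
    for match, action in FORWARD_CHAIN:
        if rule_matches(match, pkt):
            return action
    return "accept"  # RouterOS default when a packet falls off the end of the chain

if __name__ == "__main__":  # constructed packets; 203.0.113.10 stands in for an Internet host
    for src, dst in [("172.28.9.2", "203.0.113.10"), ("172.28.9.2", "172.28.10.2")]:
        print(iface_of(src), "->", iface_of(dst), forward(src, dst))
```

New VLAN-to-VLAN and LAN-to-VLAN connections hit the final drop, while each subnet still reaches pppoe-out1 and reply traffic comes back on the established,related rule.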