cjones
just joined
Topic Author
Posts: 2
Joined: Sat Feb 10, 2018 1:47 pm

"Triple play" configuration - separate vlan for each service

Sat Feb 10, 2018 1:55 pm

Hello,
We are planning this deployment: ether1 is the interface connected to the "internet" - private network with vlans configured and servers.
Imagine we have two vlans, vlan 111 for "internet access", vlan 112 for voip access.

Moreover,
ether3 - host connected for "internet"
ether4 - host connected for "internet"
ether5 - host connected for "voip"

As a result we perform below steps:

- Create interface vlans 111 and 112 on ether1 interface - named vlan.111 and vlan.112
- Create DHCP client for each vlan - dhcp server already configured on network - as a result each vlan interface acquires an IP dynamically. Let's say:
vlan.111 10.111.1.2/24 Default GW: 10.111.1.1
vlan.112 10.112.1.2/24 Default GW: 10.112.1.1

- Create a bridge for vlan111, including vlan.111 iface, ether3 and ether4
- Create a bridge for vlan112, including vlan.112 iface and ether5

- Create two DHCP servers for NAT functionality - one for the first bridge: 192.168.1.0/24 and for the second: 192.168.2.0/24
As a result: host in ether3: 192.168.1.2
host in ether4: 192.168.1.3
host in ether5: 192.168.2.2

- Masquerading rules enabled for both internal subnets and working OK.

The problem seems to be with the routing table. Two default routes towards 0.0.0.0/0 and only one active, and as a result only traffic for one vlan works (depending on which route is active).
How can we overcome this issue? Is route marking the way to go?

Is there any other design in order to implement "double" play or even "triple" play functionality - vlan for each service - NAT implemented for each service.

Thanks a lot,
CJ
 
mkx
Forum Guru
Posts: 11582
Joined: Thu Mar 03, 2016 10:23 pm

Re: "Triple play" configuration - separate vlan for each service

Sat Feb 10, 2018 8:26 pm

You don't want to bridge your ethernet interfaces with appropriate vlan interfaces, that would interfere with routing, NAT and whatnot your router actually needs to do for your internal LAN. What you need to do is to remove those vlan interfaces from the two bridges. Then you need to assign your router two more IP addresses, one to each of the bridges. One would be 192.168.1.1/24 and the other 192.168.2.1/24. These two would be then used as default GW for the client devices (set by DHCP server in leases). After that, you would do some smart routing ... but I don't know how as I don't have any case where I'd have two default routes. Probably you would do some packet marking (depending on source address inside your LAN) and then use those marks to do routing. Perhaps someone with experience in this field will jump in?

A side question: do you need to have private network for VoIP service? At my home, I have triple play ... VoIP is terminated inside xDSL box, but I get IPTV service out of that box. It's in separate VLAN (3999) and I don't bother with it, I just pass it on to the devices that need it ... If you could do the same for VoIP services, your routing setup on RB device would get much simpler.
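
The packet-marking approach suggested in the reply above, written out as an added example that is not part of the original posts. It assumes RouterOS v6 syntax, hypothetical bridge and routing-mark names (br-inet, br-voip, via-111, via-112), and upstream gateways that stay at the sample addresses given in the first post.

```routeros
# Added example (RouterOS v6 syntax assumed; br-*/via-* names are hypothetical).
# Uplink VLANs stay routed interfaces; they are NOT bridge ports.
/interface vlan
add name=vlan.111 interface=ether1 vlan-id=111
add name=vlan.112 interface=ether1 vlan-id=112

# One LAN bridge per service, holding only the customer-facing ports.
/interface bridge
add name=br-inet
add name=br-voip
/interface bridge port
add bridge=br-inet interface=ether3
add bridge=br-inet interface=ether4
add bridge=br-voip interface=ether5

# Router addresses that the LAN DHCP servers hand out as default gateway.
/ip address
add address=192.168.1.1/24 interface=br-inet
add address=192.168.2.1/24 interface=br-voip

# Uplink addresses come from the provider's DHCP, but the clients must not
# install two competing 0.0.0.0/0 routes in the main table.
/ip dhcp-client
add interface=vlan.111 add-default-route=no disabled=no
add interface=vlan.112 add-default-route=no disabled=no

# Tag forwarded traffic by the LAN it arrived on. Packets addressed to the
# router itself (DHCP, DNS) are left unmarked.
/ip firewall mangle
add chain=prerouting in-interface=br-inet dst-address-type=!local \
    action=mark-routing new-routing-mark=via-111 passthrough=no
add chain=prerouting in-interface=br-voip dst-address-type=!local \
    action=mark-routing new-routing-mark=via-112 passthrough=no

# One default route per routing mark; both are active at the same time.
# Gateways are the sample values from the first post (assumed static).
/ip route
add dst-address=0.0.0.0/0 gateway=10.111.1.1 routing-mark=via-111
add dst-address=0.0.0.0/0 gateway=10.112.1.1 routing-mark=via-112

# NAT each LAN out of its own uplink only.
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 out-interface=vlan.111 action=masquerade
add chain=srcnat src-address=192.168.2.0/24 out-interface=vlan.112 action=masquerade
```

Because each marked table contains only a default route, traffic from one LAN addressed to the other LAN's subnet is sent to that service's uplink instead of crossing between the bridges, which keeps the two services separated on the router.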
 
cjones
just joined
Topic Author
Posts: 2
Joined: Sat Feb 10, 2018 1:47 pm

Re: "Triple play" configuration - separate vlan for each service

Sun Feb 11, 2018 12:25 am

Hey mkx,

Thanks for your answer.
In fact, I have also tried that, to assign 192.168.1.1 ip address in one bridge and 192.168.2.1 for the other bridge, but I still get the same result. Maybe, route marking is the way to go.

Regarding your topology, you mean, transparently passing the vlan, and assign the "public" IP in the end host - client. Is this correct? That's an interesting idea, cause no need for routing in Mikrotik device.
I will try and report with the results.
CJ
 
mkx
Forum Guru
Posts: 11582
Joined: Thu Mar 03, 2016 10:23 pm

Re: "Triple play" configuration - separate vlan for each service  [SOLVED]

Sun Feb 11, 2018 11:13 am

Regarding your topology, you mean, transparently passing the vlan, and assign the "public" IP in the end host - client. Is this correct?
Exactly. In my case the TV set-top box receives IP address from the provider's DHCP server and is fully visible from provider's management network, which I'm fine with. Even though the device is dual-homed (it has another IP address to connect to internet, VLAN untagged), I don't object. I just created another VLAN to separate those devices (I have two of them actually) from my home LAN so that they can access internet for whatever they need it (EPG is one of uses).
Provider assigns private IP addresses on that VLAN (10.0.0.0/8 network; from my network point of view I consider those as "public" addresses), but that's not the point here. The point is that I don't have to do any fancy stuff: NAT, IGMP snooping, etc. I don't mind multicast packet storms as well since they only affect a couple of switch ports which are members of said VLAN.
