Today I wanted to set up a dedicated VLAN with its own IP range for my multimedia appliances (I don't trust them). However, I got stuck. I get the feeling that I have a fundamental problem in my configuration.

Target setup:
- I want to have the multimedia devices in a dedicated network. Each network runs over a dedicated port on the router.

Problems:
- The DHCP relay is configured on the router. I can see the DHCP requests coming in, but the handshake stops after the DHCPOFFER. Internet access is no problem when I configure a static IP (e.g. 192.168.2.240) and a DNS server on the test client.
- RouterOS automatically routes to each network, but I can only reach the gateway interfaces (192.168.1.1 & 192.168.2.1).
Interface config:
[admin@gatekeeper] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 RS ether1 ether 1500 1598 4074 D4:CA:6D:73:71:64
1 XS ether2 ether 1500 1598 4074 D4:CA:6D:73:71:65
2 RS ether3 ether 1500 1598 4074 D4:CA:6D:73:71:66
3 XS ether4 ether 1500 1598 4074 D4:CA:6D:73:71:67
4 R ether5-WAN ether 1500 1598 4074 D4:CA:6D:73:71:68
5 X wlan1 wlan 1500 1600 2290 D4:CA:6D:73:71:69
6 R LAN bridge 1500 1598 D4:CA:6D:73:71:65
7 R MM vlan 1500 1594 D4:CA:6D:73:71:66
8 R MMBridge bridge 1500 1598 D4:CA:6D:73:71:66
[admin@gatekeeper] /interface bridge> print
Flags: X - disabled, R - running
0 R name="LAN" mtu=1500 actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto mac-address=D4:CA:6D:73:71:65 protocol-mode=rstp fast-forward=no igmp-snooping=no auto-mac=no admin-mac=D4:CA:6D:73:71:65 ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no
dhcp-snooping=no
1 R name="MMBridge" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto mac-address=D4:CA:6D:73:71:66 protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=yes
add-dhcp-option82=no
[admin@gatekeeper] /ip dhcp-relay> print
Flags: X - disabled, I - invalid
# NAME INTERFACE DHCP-SERVER LOCAL-ADDRESS
0 I relay1 ether3 192.168.1.10 0.0.0.0
[admin@gatekeeper] /ip dhcp-relay>
[admin@gatekeeper] /ip dhcp-relay> ..
[admin@gatekeeper] /ip> rout
[admin@gatekeeper] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 XX.XX.XX.1 1
1 ADC XX.XX.XXX.0/21 XX.XX.XXX.XX ether5-WAN 0
2 ADC 192.168.1.0/24 192.168.1.1 LAN 0
3 ADC 192.168.2.0/24 192.168.2.1 MMBridge 0
[admin@gatekeeper] /ip route>
[admin@gatekeeper] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=input action=accept connection-state=established log-prefix=""
1 chain=output action=accept protocol=tcp src-address=192.168.1.10 src-port="" dst-port=53 log-prefix=""
2 ;;; default configuration
chain=input action=accept connection-state=related log-prefix=""
3 ;;; ICMP on WAN port --> DROP
chain=input action=drop protocol=icmp in-interface=ether5-WAN log=no log-prefix=""
4 X ;;; default configuration
chain=input action=drop in-interface=ether5-WAN log=no log-prefix=""
5 chain=input action=drop protocol=tcp in-interface=ether5-WAN dst-port=22 log=no log-prefix=""
6 chain=input action=drop protocol=tcp in-interface=ether5-WAN dst-port=80 log=no log-prefix=""
7 chain=input action=drop connection-state=new protocol=tcp connection-type="" in-interface=ether5-WAN dst-port=8291 log=no log-prefix=""
8 chain=forward action=drop protocol=tcp connection-type="" in-interface=LAN out-interface=ether5-WAN dst-port=53 log=no log-prefix=""
9 I ;;; in/out-interface matcher not possible when interface (ether1) is slave - use master instead (LAN)
chain=forward action=accept connection-limit=100,32 dst-address=192.168.1.10 in-interface=MMBridge out-interface=ether1 limit=0,5:packet log=no log-prefix=""
10 chain=forward action=drop in-interface=MMBridge out-interface=LAN log=no log-prefix=""
[admin@gatekeeper] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Outgoing-NAT
chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether5-WAN log=no log-prefix=""
[admin@gatekeeper] /ip firewall nat>
Any help is appreciated!
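Added example, not part of this post and not MikroTik code: a small Python checker for the relayed DHCP handshake described above. It parses DISCOVER/OFFER/REQUEST/ACK messages as a relay sees them, groups them by transaction id, and reports where each exchange stopped and whether the client-side messages carried the relay's giaddr, which the DHCP server needs to select the pool for the relayed subnet. The frames are constructed; 192.168.2.1 as the relay's address on the multimedia segment is an assumption taken from the addresses in the post.

```python
import struct
DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
HDR = "!BBBBIHH4s4s4s4s"  # op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr (28 bytes)
def ip(s): return bytes(int(o) for o in s.split("."))
def dot(b): return ".".join(str(x) for x in b)

def build_dhcp(op, xid, msg_type, yiaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Constructed minimal BOOTP/DHCP frame: 236-byte header, magic cookie, option 53, END."""
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000, ip("0.0.0.0"), ip(yiaddr), ip("0.0.0.0"), ip(giaddr))
    return hdr + b"\x00" * (16 + 64 + 128) + DHCP_MAGIC + bytes([53, 1, msg_type, 255])

def parse_dhcp(pkt):
    """Return (xid, message-type name, yiaddr, giaddr); walks the TLV options up to END (255)."""
    _, _, _, _, xid, _, _, _, yiaddr, _, giaddr = struct.unpack(HDR, pkt[:28])
    if pkt[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    i, msg_type = 240, None
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:            # PAD option has no length byte
            i += 1
            continue
        if pkt[i] == 53:
            msg_type = pkt[i + 2]
        i += 2 + pkt[i + 1]
    return xid, MSG_TYPES.get(msg_type, "UNKNOWN"), dot(yiaddr), dot(giaddr)

def audit_relay_exchange(pkts, relay_addr):
    """Group by xid: how far each DISCOVER/OFFER/REQUEST/ACK exchange got, and whether giaddr was set."""
    report = {}
    for pkt in pkts:
        xid, mtype, yiaddr, giaddr = parse_dhcp(pkt)
        e = report.setdefault(xid, {"stages": [], "giaddr_ok": True, "offered": None})
        e["stages"].append(mtype)
        if mtype in ("DISCOVER", "REQUEST") and giaddr != relay_addr:
            e["giaddr_ok"] = False   # without giaddr the server cannot pick the relayed subnet's pool
        if mtype == "OFFER":
            e["offered"] = yiaddr
    for e in report.values():
        e["stalled_after"] = None if e["stages"][-2:] == ["REQUEST", "ACK"] else e["stages"][-1]
    return report

# Constructed sample traffic as seen at the relay (not the poster's capture); relay address is assumed.
RELAY = "192.168.2.1"
SAMPLE = [
    build_dhcp(1, 0x1111, 1, giaddr=RELAY), build_dhcp(2, 0x1111, 2, "192.168.2.50", RELAY),   # stalls after OFFER
    build_dhcp(1, 0x2222, 1, giaddr=RELAY), build_dhcp(2, 0x2222, 2, "192.168.2.51", RELAY),
    build_dhcp(1, 0x2222, 3, giaddr=RELAY), build_dhcp(2, 0x2222, 5, "192.168.2.51", RELAY),   # completes
    build_dhcp(1, 0x3333, 1),                                                                  # giaddr left 0.0.0.0
]
```

Running `audit_relay_exchange(SAMPLE, RELAY)` flags the first transaction as stalled after OFFER and the third as arriving without the relay's giaddr.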