Hello all,
I'm trying to set up inter-VLAN routing using a MikroTik RB3011 router and a Netgear Layer 2 switch.
My problem is setting up the communication between the VLANs.
RouterIP: 172.20.190.1
SwitchIP: 172.20.190.250
VLAN 100: PUB -> 10.100.100.0/24
VLAN 110: PROD -> 10.100.110.0/24
VLAN 120: LAB -> 10.100.120.0/24
VLAN PUB should be able to access VLAN 110, VLAN 120, the 172.20.190.0/24 Subnet (to access also the Router WebGui) and WAN
VLAN LAB should be able to access VLAN 110 and WAN
VLAN PROD should only be able to access WAN
On the router side:
ether1 WAN
ether2 Connected to the Switch Trunk Port
On the switch side:
Port 1 Trunk Port
So my router is connected to the switch via ether2, which goes to the trunk port on the switch.
In the switch I've created all the VLANs as mentioned above. In every VLAN, port 1 is marked as trunk.
On the router I've configured the following:
/interface vlan print
Flags: X - disabled, R - running
 #   NAME   MTU   ARP      VLAN-ID  INTERFACE
 0 R LAB    1500  enabled  120      ether2
 1 R PROD   1500  enabled  110      ether2
 2 R PUB    1500  enabled  100      ether2
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK        INTERFACE
 0   ;;; defconf
     172.20.190.1/24    172.20.190.0   bridge
 1 D 192.168.0.87/24    192.168.0.0    ether1
 2   10.100.100.1/24    10.100.100.0   PUB
 3   10.100.110.1/24    10.100.110.0   PROD
 4   10.100.120.1/24    10.100.120.0   LAB
Currently all my VLANs have access to the internet.
Current problems:
I have a NAS device in VLAN PROD which has the IP 10.100.110.51. I can't ping/access it from the router itself nor from other VLANs. But the VLAN gateway 10.100.110.1 is OK.
When I plug my test laptop into VLAN PROD, the NAS is obviously accessible.
ping 10.100.110.51
  SEQ HOST            SIZE TTL TIME   STATUS
    0 10.100.110.51                   timeout
    1 10.100.110.51                   timeout
    2 10.100.110.1      84  64 987ms  host unreachable
ping 10.100.110.1
  SEQ HOST            SIZE TTL TIME   STATUS
      10.100.110.1      56  64 0ms
My current firewall rules are the defaults (I did not change any settings):
/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
4 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
5 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
6 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
7 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
8 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
9 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
10 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
I followed this tutorial, which seems outdated:
https://systemzone.net/mikrotik-vlan-ro ... le-switch/
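The post states an access policy (PUB reaches PROD, LAB, 172.20.190.0/24 and WAN; LAB reaches PROD and WAN; PROD reaches only WAN) but the printed firewall is still the RouterOS default, which has no forward rule restricting LAN-to-LAN traffic at all, so every VLAN can currently route to every other VLAN. The following is an added example, not configuration from the poster or from the linked tutorial, of RouterOS filter rules that implement exactly that policy on top of the printed defconf rules. The interface names PUB, PROD, LAB and bridge, the list names LAN and WAN and the addresses are taken from the post; the assumption that the three VLAN interfaces must be added to the LAN interface list is mine (the post does not show the list membership), as are the rule comments and log prefix.

```routeros
# Added example (not from the post): inter-VLAN policy for the RB3011 config shown above.
# Assumes RouterOS 6 defconf firewall as printed in the post, interface names PUB/PROD/LAB,
# and that the VLAN interfaces are not yet members of the LAN interface list.

# 1. Put the VLAN interfaces in the LAN list. The defconf input rule
#    "drop all not coming from LAN" otherwise blocks DNS/WebGUI/Winbox from the VLANs.
/interface list member
add list=LAN interface=PUB
add list=LAN interface=PROD
add list=LAN interface=LAB

# 2. Forward-chain policy. Appending with "add" places these after the defconf rules;
#    that is fine here because the existing rules only touch established/related/invalid
#    traffic and connections arriving from the WAN list, so a new LAN-originated
#    connection falls through to the rules below. Only connection-state=new is
#    policy-checked; reply traffic is already accepted (and fasttracked) by rules 7 and 8.
/ip firewall filter
add chain=forward action=accept connection-state=new in-interface=PUB out-interface=PROD \
    comment="PUB -> PROD"
add chain=forward action=accept connection-state=new in-interface=PUB out-interface=LAB \
    comment="PUB -> LAB"
add chain=forward action=accept connection-state=new in-interface=PUB out-interface=bridge \
    dst-address=172.20.190.0/24 comment="PUB -> management subnet"
add chain=forward action=accept connection-state=new in-interface=LAB out-interface=PROD \
    comment="LAB -> PROD"
add chain=forward action=accept connection-state=new in-interface-list=LAN \
    out-interface-list=WAN comment="all VLANs -> WAN"
add chain=forward action=drop connection-state=new in-interface-list=LAN \
    log=yes log-prefix="vlan-drop" comment="drop every other LAN-originated connection (e.g. PROD -> PUB/LAB)"
```

Two practitioner caveats that follow from the printed config. First, because PROD is added to the LAN list, PROD hosts can still open connections to the router itself (input chain), since rule 4 only drops input from outside LAN; if "PROD may only reach WAN" is meant to include the router, add input rules that limit PROD to DNS before rule 4. Second, these rules change nothing about the symptom described above: a host that answers at its own gateway but not to the router for a target in the same VLAN is not a forward-chain question, so keep the drop rule's log on to confirm whether packets to 10.100.110.51 are being dropped by the router or simply never answered.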