I'm very new to MT gear and systems; I'm just trying to set up a very simple config on a newly acquired CRS326-24G-2S+ but I'm facing some issues.
What I'm trying to achieve: set up 2 isolated VLANs - one is for my isolated home lab, and the other one should be "attached" to my home network.
Basically, I just want to split the switch in half using VLANs. No router involved as I do not want any inter-VLAN communication (at least for now).
I know this is probably overkill at this scale, but the main goal for me is to learn - hence this home lab setup.
I followed some guides I found here and there and the MT doc https://wiki.mikrotik.com/wiki/Manual:I ... by_Bridge).
Here is the configuration (based on the default config):
/interface bridge
add admin-mac=18:FD:74:FF:0C:4C auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether16 ] name=ether16-mgmt
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=172.20.0.200-172.20.0.249
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=vlan20 lease-time=1d name=dhcp2
/interface bridge port
add bridge=bridge interface=ether1 pvid=20
add bridge=bridge interface=ether2 pvid=20
add bridge=bridge interface=ether3 pvid=20
add bridge=bridge interface=ether4 pvid=20
add bridge=bridge interface=ether5 pvid=20
add bridge=bridge interface=ether6 pvid=20
add bridge=bridge interface=ether7 pvid=20
add bridge=bridge interface=ether8 pvid=20
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=ether11
add bridge=bridge interface=ether12
add bridge=bridge interface=ether13
add bridge=bridge interface=ether14
add bridge=bridge interface=ether15
add bridge=bridge interface=ether17 pvid=10
add bridge=bridge interface=ether18 pvid=10
add bridge=bridge interface=ether19 pvid=10
add bridge=bridge interface=ether20 pvid=10
add bridge=bridge interface=ether21 pvid=10
add bridge=bridge interface=ether22 pvid=10
add bridge=bridge interface=ether23 pvid=10
add bridge=bridge interface=ether24 pvid=10
add bridge=bridge interface=sfp-sfpplus1 pvid=10
add bridge=bridge interface=sfp-sfpplus2 pvid=10
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24,sfp-sfpplus1,sfp-sfpplus2 vlan-ids=\
10
add bridge=bridge tagged=bridge untagged=ether3,ether4,ether5,ether6,ether7,ether1,ether2,ether8 vlan-ids=20
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether16-mgmt network=192.168.88.0
add address=172.20.0.1/24 interface=vlan20 network=172.20.0.0
add address=192.168.1.2/24 interface=vlan10 network=192.168.1.0
/ip dhcp-server network
add address=172.20.0.0/24 gateway=172.20.0.1
/system routerboard settings
set boot-os=router-os
sfp-sfpplus1 is my desktop
ether1 and ether2 both have a Win machine connected.
ether16 is outside the bridge (in case I messed up a config and I'm locked out of the router)...
I managed to set up my 2 VLANs, got a DHCP server running on VLAN 20 (VLAN 10 already has my ISP router DHCP). I set up the 2 Windows machines on VLAN 20 ether1 and 2 (say PC1 and PC2), they got an IP no problem and they appear in the ARP table as well.
The issue is:
- I cannot ping from PC1 to PC2 and vice-versa (it throws a timeout systematically)
- Each host can ping the gateway (here 172.20.0.1) BUT I cannot ping from the router to a host (e.g. running ping src-address=172.20.0.1 172.20.0.249 - for PC1)
- The same happens on VLAN 10 BUT, not for my desktop weirdly, which can be pinged from the CRS...
I tried some tools (like Torch and Packet Sniffer) but as far as I understand, I see nothing that can help me - namely, Torch sees the packet being sent, but no echo I guess.
I also tried an even simpler setup: PC1 and PC2 on a single VLAN 20 same as above, nothing else - same result.
I'm sure I missed something very simple (Routing? Firewall rules? NAT?) or maybe my setup is dumb and won't work like that. But I'm very open to suggestions and teachings.
Thanks for your help!
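
Added example, not part of the original post: a Python check that parses a RouterOS export in the format shown above and reports mismatches between each bridge port's pvid and the static untagged lists under /interface bridge vlan, the mapping that the two-VLAN split depends on. The function names and the shortened sample export are constructed for illustration; the check assumes each vlan-ids value is a single number and only compares the two tables.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened excerpt in the same export format as the post.
SAMPLE_EXPORT = r"""
/interface bridge port
add bridge=bridge interface=ether1 pvid=20
add bridge=bridge interface=ether9
add bridge=bridge interface=ether17 pvid=10
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether17,sfp-sfpplus1 vlan-ids=\
10
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=20
"""

def parse_export(text):
    """Return {menu path: [{key: value} for each 'add' line]}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join RouterOS line continuations
    sections, menu = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            sections[menu].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return sections

def audit_vlan_membership(text):
    """Compare each port's PVID with the static untagged lists in the VLAN table."""
    cfg = parse_export(text)
    pvid = {p["interface"]: int(p.get("pvid", 1))  # RouterOS default PVID is 1
            for p in cfg["/interface bridge port"]}
    untagged = defaultdict(set)  # port -> VLAN IDs where it is listed untagged
    for row in cfg["/interface bridge vlan"]:
        for port in row.get("untagged", "").split(","):
            if port:
                untagged[port].add(int(row["vlan-ids"]))
    findings = []
    for port, vid in sorted(pvid.items()):
        if vid == 1:
            findings.append((port, "default pvid=1, not assigned to either VLAN"))
        elif vid not in untagged.get(port, set()):
            findings.append((port, f"pvid={vid} but not in static untagged list of VLAN {vid}"))
    for port in sorted(set(untagged) - set(pvid)):
        findings.append((port, "listed in VLAN table but not a bridge port"))
    return findings

if __name__ == "__main__":
    print(audit_vlan_membership(SAMPLE_EXPORT))
```

Feeding it the text of a full `/export` lists ports still on the default PVID, ports whose PVID and static untagged entry disagree, and VLAN-table entries that name an interface missing from the bridge.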