 
VocalTurnip
just joined
Topic Author
Posts: 1
Joined: Mon Jun 22, 2020 10:23 pm

VLAN can not ping Gateway

Mon Jun 22, 2020 10:25 pm

Hi,

I have followed the guide here:

https://wiki.mikrotik.com/wiki/Manual:Switch_Router

I did this in order to set up two VLANs on my RB2011.

I have confirmed that a host will get the right IP from the DHCP server for the VLAN it should be on.

However, that same host is not able to ping its gateway, and therefore cannot get out to the internet.

Any ideas would be great :)


Current config (minus sensitive info):

Sorry if formatting is poor,



# jun/22/2020 20:03:50 by RouterOS 6.46.6

# software id = RSMW-YDSZ

#

# model = RB2011UiAS-2HnD

# NOTE(review): this header still carries the software id and serial number, and
# the bridge below carries its admin-mac. All three identify this specific unit
# and are worth redacting by hand before posting an export publicly.
# serial number = B9090B80C4B6

/interface bridge

# Two software bridges: Home (fixed MAC, auto-mac disabled) and Lab.
add admin-mac=C4:AD:34:2D:4C:CE auto-mac=no comment=defconf name=Home

add name=Lab

/interface ethernet

set [ find default-name=ether1 ] advertise=10M-full,100M-full,1000M-full

/interface wireless

# wlan1 runs as an access point (mode=ap-bridge); it is later added as a port of
# the Lab bridge, so wireless clients land on the same layer-2 segment as Lab.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country="united kingdom" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid="Stay off" wireless-protocol=802.11

/interface vlan

# VLAN 10 and VLAN 20 interfaces are created on top of the Lab bridge; the
# gateway addresses and DHCP servers for both VLANs attach to these interfaces.
add interface=Lab name=VLAN10_Desktop vlan-id=10

add interface=Lab name=VLAN20_Server vlan-id=20

/interface ethernet switch

# Rename switch items 0 and 1 to match the bridge names.
set 0 name=Home

set 1 name=Lab

/interface ethernet switch port

# Items 6, 7 and 8 become access ports: untagged ingress traffic is assigned the
# default VLAN id, VLAN headers are stripped on egress (always-strip), and
# vlan-mode=secure drops frames whose VLAN id is not in the switch VLAN table or
# whose ingress port is not a member of that VLAN.
# NOTE(review): the items are addressed by numeric index, so which physical port
# each index maps to cannot be confirmed from this export - verify against
# "/interface ethernet switch port print". No entry for the Lab-cpu port appears
# here, so its vlan-mode and vlan-header are presumably still at defaults; confirm,
# since VLAN enforcement towards the CPU depends on that port too.
set 6 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure

set 7 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure

set 8 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure

/interface list

# WAN and LAN lists are what the firewall, neighbor discovery and MAC server
# settings further down key on; membership is assigned under
# "/interface list member".
add comment=defconf name=WAN

add comment=defconf name=LAN

/interface wireless security-profiles

# Default profile uses WPA2-PSK only. No pre-shared key appears in this listing
# (presumably hidden by the export or removed by the poster).
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik

/ip pool

add name=dhcp ranges=192.168.88.2-192.168.88.254

# NOTE(review): POOlab also contains 192.168.50.2-192.168.50.254, the same range
# as "Pool VLAN50" below. No address or dhcp-server network for 192.168.50.0/24
# is visible in this export, so leases handed out from that range would have no
# matching gateway - likely a leftover; confirm and trim.
add name=POOlab ranges=192.168.100.100-192.168.100.200,192.168.50.2-192.168.50.254

# Not referenced by any DHCP server shown in this export.
add name="Pool VLAN50" ranges=192.168.50.2-192.168.50.254

add name=POOL10 ranges=192.168.10.100-192.168.10.200

add name=POOL20 ranges=192.168.20.100-192.168.20.200

/ip dhcp-server

# One DHCP server per segment: the two bridges and the two VLAN interfaces.
add address-pool=dhcp disabled=no interface=Home name=defconf

add address-pool=POOlab disabled=no interface=Lab name=DHCPlab

add address-pool=POOL10 disabled=no interface=VLAN10_Desktop name=DHCP10

add address-pool=POOL20 disabled=no interface=VLAN20_Server name=DHCP20

/interface bridge port

# ether2-ether5 and sfp1 belong to the Home bridge.
add bridge=Home comment=defconf interface=ether2

add bridge=Home comment=defconf interface=ether3

add bridge=Home comment=defconf interface=ether4

add bridge=Home comment=defconf interface=ether5

# ether6-ether10 and wlan1 belong to the Lab bridge.
add bridge=Lab comment=defconf interface=ether6

add bridge=Lab comment=defconf interface=ether7

add bridge=Lab comment=defconf interface=ether8

add bridge=Lab comment=defconf interface=ether9

add bridge=Lab comment=defconf interface=ether10

add bridge=Home comment=defconf interface=sfp1

# Wireless clients are bridged straight into Lab, alongside the wired Lab ports.
add bridge=Lab comment=defconf interface=wlan1

/ip neighbor discovery-settings

# Neighbor discovery is limited to interfaces in the LAN list.
set discover-interface-list=LAN

/interface ethernet switch vlan

# Switch-chip VLAN table: VLAN 10 is allowed on ether7 and the CPU port,
# VLAN 20 on ether6, ether8 and the CPU port. ether9 and ether10 are in no entry.
add ports=ether7,Lab-cpu switch=Lab vlan-id=10

add ports=ether8,Lab-cpu,ether6 switch=Lab vlan-id=20

/interface list member

# LAN contains only the two bridges; WAN contains ether1.
# NOTE(review): VLAN10_Desktop and VLAN20_Server are not members of LAN, so the
# input rule "drop all not coming from LAN" applies to traffic that arrives on
# them. ICMP is accepted earlier in that chain, but other router services
# (e.g. DNS, management) would be dropped for VLAN clients - confirm this is intended.
add comment=defconf interface=Home list=LAN

add comment=defconf interface=ether1 list=WAN

add interface=Lab list=LAN

/ip address

# NOTE(review): 192.168.88.1/24 sits on ether2, which is a port of the Home
# bridge, while the matching DHCP server runs on Home. Addresses are normally
# placed on the bridge rather than on one of its ports - verify.
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0

add address=192.168.100.1/24 interface=Lab network=192.168.100.0

# ether1 has this static address and also a DHCP client (below).
add address=192.168.1.137/24 interface=ether1 network=192.168.1.0

# Gateway addresses for the two VLANs, bound to the VLAN interfaces.
add address=192.168.10.1/24 interface=VLAN10_Desktop network=192.168.10.0

add address=192.168.20.1/24 interface=VLAN20_Server network=192.168.20.0

/ip dhcp-client

add comment=defconf interface=ether1

/ip dhcp-server network

# VLAN clients are handed a public resolver directly, not the router.
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1

add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1

add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1 netmask=24

add address=192.168.100.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.100.1 netmask=24

/ip dns

# allow-remote-requests=yes makes the router answer DNS queries from other
# hosts. Only the input-chain firewall rules keep that resolver from being
# reachable on the WAN side, so the "not coming from LAN" drop must stay enabled.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip dns static

add address=192.168.88.1 comment=defconf name=router.lan

/ip firewall filter

# Rules are evaluated top to bottom within each chain, so their order matters.
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked

add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid

# The next two custom rules would stop each bridge from reaching the other
# bridge's gateway address, but both are disabled=yes and have no effect.
add action=drop chain=input comment="Custom: Lab Gateway isolation" disabled=yes dst-address=192.168.100.1 in-interface=Home log=yes

add action=drop chain=input disabled=yes dst-address=192.168.88.1 in-interface=Lab log=yes

# ICMP to the router is accepted from any interface, WAN included, because this
# rule precedes the LAN-only drop below.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

# Final input rule: drop everything that did not arrive on a LAN-list interface.
# LAN holds only Home and Lab, so this also covers the two VLAN interfaces.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec

add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related

add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked

add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

# NOTE(review): every rule below is disabled=yes, and the forward chain has no
# final drop. As listed, nothing blocks routing between 192.168.88.0/24,
# 192.168.100.0/24, 192.168.10.0/24 and 192.168.20.0/24, so the VLANs separate
# hosts at layer 2 only. If isolation is the goal, enabled forward rules that
# also cover the two VLAN subnets are needed.
add action=accept chain=forward comment="lab exception" disabled=yes dst-address=192.168.100.1 src-address=192.168.100.0/24

add action=drop chain=forward comment="Custom: Lab Isolation" disabled=yes dst-address=192.168.100.0/24 src-address=192.168.88.0/24

add action=drop chain=forward disabled=yes dst-address=192.168.88.0/24 log=yes src-address=192.168.100.0/24

# NOTE(review): source and destination are the same subnet; such traffic is
# presumably bridged rather than routed and would not reach this chain - confirm
# what this rule was meant to block.
add action=drop chain=forward disabled=yes dst-address=192.168.100.0/24 log=yes src-address=192.168.100.0/24

/ip firewall nat

add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

# NOTE(review): ether1 is the only WAN-list member, so this second rule overlaps
# the defconf rule above, but without the ipsec-policy=out,none match. It looks
# redundant - confirm before removing.
add action=masquerade chain=srcnat out-interface=ether1

/ip route

# Static default route; ether1 also has a DHCP client configured.
add distance=1 gateway=192.168.1.254

/system clock

set time-zone-name=Europe/London

/tool mac-server

# MAC-Telnet and MAC-Winbox access are limited to LAN-list interfaces (Home and
# Lab), which keeps layer-2 management off the WAN port and the VLAN interfaces.
set allowed-interface-list=LAN

/tool mac-server mac-winbox

set allowed-interface-list=LAN
