jgauthier
just joined
Topic Author
Posts: 18
Joined: Sat May 22, 2021 11:47 pm

VLAN can't access internet, router, or local LAN

Mon Jun 21, 2021 12:12 am

Well, it seems I've been all over these forums this weekend trying to make a (seemingly) simple change and not having much luck.
Recently, I added a VLAN and attached the VLAN to the bridge.
I set up the IP pool, DHCP server, and added a new SSID to CAPsMAN.

My clients are able to connect to the SSID, and get an IP address.

They cannot however:
* Access the router (using the local router IP address)
* Access the other network assigned to the bridge
* Access the internet (by IP address)

I've been goofing around with the firewall for some time, and even with logging enabled I'm not getting any hints as to what the issue is.
Since the VLAN was added to the bridge, both interfaces are on the address list "LAN".

Current filter rules (192.168.90.0/24 is the VLAN; 192.168.80.0/24 is the original bridge):

Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 

 2    chain=forward action=accept src-address=192.168.90.0/24 dst-address=192.168.80.0/24 log=no log-prefix="" 

 3    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 4    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 5    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 6    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

 7    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 8    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 9    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

10    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

11    ;;; default configuration
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

12    chain=input action=accept in-interface-list=LAN log=no log-prefix="" 

13    chain=input action=accept protocol=icmp log=no log-prefix="" 

14    chain=input action=accept protocol=udp src-address=0.0.0.0 dst-port=5246,5247 log=no log-prefix="" 

15    ;;; CAPSMANAGER Discovery
      chain=input action=accept protocol=udp src-port=5246,5247 

16    ;;; CAPSMANAGER Discovery
      chain=input action=accept protocol=udp dst-port=5246,5247 

17    chain=input action=accept protocol=tcp src-address=66.152.179.48 dst-port=8989 log=no log-prefix="" 

18    chain=input action=drop log=yes log-prefix="" 

19    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

20    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 

NAT masquerade rules:
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade src-address=0.0.0.0/0 out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none 
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: VLAN can't access internet, router, or local LAN

Mon Jun 21, 2021 12:27 am

> I've been goofing around with the firewall for some time, and even with logging enabled I'm not getting any hints as to what the issue is.
> Since the VLAN was added to the bridge, both interfaces are on the address list "LAN".

Adding "bridge" to an interface list does not also add any VLANs on the bridge to the interface list. You have to separately add the "alexa" VLAN to your LAN interface list.
 
jgauthier

Re: VLAN can't access internet, router, or local LAN

Mon Jun 21, 2021 12:48 am

> I've been goofing around with the firewall for some time, and even with logging enabled I'm not getting any hints as to what the issue is.
> Since the VLAN was added to the bridge, both interfaces are on the address list "LAN".
> Adding "bridge" to an interface list does not also add any VLANs on the bridge to the interface list. You have to separately add the "alexa" VLAN to your LAN interface list.

Okay, I am confused about this:

/interface list export
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=alexa list=LAN
This makes it look like they are added.

[edit: Looks like I can't include an image hosted on google]
 
mducharme

Re: VLAN can't access internet, router, or local LAN

Mon Jun 21, 2021 12:57 am

> This makes it look like they are added.

Yes, that is fine then. I see that you added an extra rule that doesn't need to be there:

chain=input action=drop log=yes log-prefix=""

You are already dropping everything not coming in from LAN, so that drop rule can result in dropping things that you want that are coming from LAN.

You might just want to clear your filter rules and revert back to the default mikrotik ruleset, which should work just fine for this:
/ip firewall {
    filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
    filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
    filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
    filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
    filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
    filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
    filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
    filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
    filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
}
 
jgauthier

Re: VLAN can't access internet, router, or local LAN

Mon Jun 21, 2021 1:05 am

Simplification is good. I reverted to the default list you recommended. Unfortunately, there was no change with the issue.

VLAN clients can access (ping) each other, but not the router itself, nor the internet, nor the other network.
The router cannot access the clients either. So, perhaps there is something else not set correctly.

Appreciate your help with this,
 
mducharme

Re: VLAN can't access internet, router, or local LAN

Mon Jun 21, 2021 1:50 am

> Simplification is good. I reverted to the default list you recommended. Unfortunately, there was no change with the issue.
>
> VLAN clients can access (ping) each other, but not the router itself, nor the internet, nor the other network.
> The router cannot access the clients either. So, perhaps there is something else not set correctly.

Share your entire config with /export hide-sensitive
 
jgauthier

Re: VLAN can't access internet, router, or local LAN

Mon Jun 21, 2021 3:15 am

You got it,
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=security1
add authentication-types=wpa2-psk encryption=tkip name=security2
/caps-man configuration
add channel=2.4Ghz country="united states3" datapath=datapath1 datapath.bridge=bridge name="2.4Ghz Config" \
    security=security1 ssid=Gauthier
add channel=5.0Ghz country="united states3" datapath=datapath1 datapath.bridge=bridge name="5.0Ghz Config" \
    security=security1 ssid="Gauthier 5Ghz"
add channel=5.0Ghz country="united states3" datapath=alexa_datapath datapath.bridge=bridge name=Alexa security=\
    security1 ssid=Alexa
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.80.50-192.168.80.254
add name=alex_pool ranges=192.168.90.50-192.168.90.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=alex_pool disabled=no interface=alexa name=alexa_dhcp_server
/system logging action
set 3 bsd-syslog=yes remote=192.168.80.7 syslog-facility=local5
add bsd-syslog=yes name=capssyslog remote=192.168.80.7 syslog-facility=local3 target=remote
/caps-man access-list
add action=reject allow-signal-out-of-range=10s disabled=no signal-range=-120..-75 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no signal-range=-74..120 ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration="2.4Ghz Config"
add action=create-dynamic-enabled hw-supported-modes=an master-configuration="5.0Ghz Config" \
    slave-configurations=Alexa
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=alexa vlan-ids=90
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=alexa list=LAN
/interface wireless cap
# 
set bridge=bridge caps-man-addresses=127.0.0.1 discovery-interfaces=bridge enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.80.1/24 comment=defconf interface=bridge network=192.168.80.0
add address=192.168.90.1 interface=alexa network=192.168.90.1
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.80.79 mac-address=B8:27:EB:4B:B8:9F
add address=192.168.80.59 mac-address=30:96:FB:5F:42:38
/ip dhcp-server network
add address=192.168.80.0/24 comment=defconf dns-server=192.168.80.25,8.8.8.8 gateway=192.168.80.1 netmask=24 \
    ntp-server=0.0.0.0
add address=192.168.90.0/24 dns-server=192.168.90.1 gateway=192.168.90.1 netmask=24 ntp-server=216.229.4.66
/ip dns
set allow-remote-requests=yes

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN \
    src-address=0.0.0.0/0
add action=dst-nat chain=dstnat dst-port=1004 in-interface=ether1 protocol=tcp to-addresses=192.168.80.4 \
    to-ports=22
add action=dst-nat chain=dstnat dst-port=32400 in-interface=ether1 protocol=tcp to-addresses=192.168.80.4 \
    to-ports=32400
add action=dst-nat chain=dstnat dst-port=1003 in-interface=ether1 protocol=tcp to-addresses=192.168.80.3 \
    to-ports=22
add action=dst-nat chain=dstnat dst-port=8003 in-interface=ether1 protocol=tcp to-addresses=192.168.80.3 \
    to-ports=80
add action=dst-nat chain=dstnat dst-port=1194 in-interface=ether1 protocol=tcp to-addresses=192.168.80.24 \
    to-ports=1194
add action=dst-nat chain=dstnat dst-port=1006 in-interface=ether1 protocol=tcp to-addresses=192.168.80.26 \
    to-ports=22
add action=dst-nat chain=dstnat dst-port=1008 in-interface=ether1 protocol=tcp to-addresses=192.168.80.8 \
    to-ports=22
add action=dst-nat chain=dstnat comment=Octoprint dst-port=8031 in-interface=ether1 protocol=tcp src-address=\
    66.152.179.48 to-addresses=192.168.80.31 to-ports=80
add action=dst-nat chain=dstnat dst-port=8989 in-interface=ether1 protocol=tcp src-address=66.152.179.48 \
    src-address-list="" to-addresses=192.168.80.16 to-ports=8080
add action=dst-nat chain=dstnat dst-port=9091 in-interface=ether1 protocol=tcp to-addresses=192.168.80.6 \
    to-ports=9091
add action=dst-nat chain=dstnat dst-port=9191 in-interface=ether1 protocol=tcp src-address=66.152.179.48 \
    to-addresses=192.168.80.7 to-ports=9191
add action=dst-nat chain=dstnat dst-port=8765 in-interface=ether1 protocol=tcp src-address=66.152.179.48 \
    to-addresses=192.168.80.11 to-ports=8765
add action=dst-nat chain=dstnat dst-port=5050 in-interface=ether1 protocol=tcp src-address=66.152.179.48 \
    to-addresses=192.168.80.29 to-ports=5050
add action=dst-nat chain=dstnat dst-port=8081 in-interface=ether1 protocol=tcp src-address=66.152.179.48 \
    to-addresses=192.168.80.29 to-ports=8081
add action=dst-nat chain=dstnat dst-port=7890 in-interface=ether1 protocol=tcp src-address=66.152.179.48 \
    to-addresses=192.168.80.6 to-ports=7890
add action=dst-nat chain=dstnat dst-port=1016 in-interface=ether1 protocol=tcp to-addresses=192.168.80.16 \
    to-ports=22
add action=dst-nat chain=dstnat dst-port=8090 in-interface=ether1 protocol=tcp src-address=66.152.179.48 \
    to-addresses=192.168.80.16 to-ports=8090
add action=dst-nat chain=dstnat dst-port=8888 protocol=tcp to-addresses=192.168.80.59 to-ports=8080
/system clock
set time-zone-name=America/New_York
/system identity
set name=Basement
/system logging
set 0 action=remote
set 1 action=remote
set 2 topics=firewall
/system ntp client
set enabled=yes primary-ntp=185.103.216.7 server-dns-names=,
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=bridge filter-ip-address=192.168.80.75/32
 
mducharme

Re: VLAN can't access internet, router, or local LAN

Mon Jun 21, 2021 4:03 am

> You got it,

This looks like almost everything except your bridge definition. i.e. the line that actually creates your bridge "bridge" is missing. Maybe you deleted it because it has the admin mac, if the admin mac didn't get hidden, but I would need to see that too, with the exception of the admin mac. Mostly I am wondering if you have bridge VLAN filtering enabled.
 
jgauthier

Re: VLAN can't access internet, router, or local LAN

Mon Jun 21, 2021 4:24 am

I didn't omit anything intentionally. But the copy and pasting from the terminal wasn't great. Here's a better output.
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz name=2.4Ghz
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5180 name=5.0Ghz
/interface bridge
add admin-mac=48:8F:5A:AB:35:E0 auto-mac=no comment=defconf name=bridge
/interface wireless
# managed by CAPsMAN
# channel: 2442/20-Ce/gn(27dBm), SSID: Gauthier, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-AB35E6 wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(28dBm), SSID: Gauthier 5Ghz, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-AB35E5 wireless-protocol=802.11
/interface vlan
add interface=bridge name=alexa vlan-id=90
/caps-man datapath
add bridge=bridge local-forwarding=no name=datapath1
add bridge=bridge local-forwarding=no name=alexa_datapath vlan-id=90 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=security1
add authentication-types=wpa2-psk encryption=tkip name=security2
/caps-man configuration
add channel=2.4Ghz country="united states3" datapath=datapath1 datapath.bridge=bridge name="2.4Ghz Config" security=security1 ssid=Gauthier
add channel=5.0Ghz country="united states3" datapath=datapath1 datapath.bridge=bridge name="5.0Ghz Config" security=security1 ssid="Gauthier 5Ghz"
add channel=5.0Ghz country="united states3" datapath=alexa_datapath datapath.bridge=bridge name=Alexa security=security1 ssid=Alexa
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.80.50-192.168.80.254
add name=alex_pool ranges=192.168.90.50-192.168.90.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=alex_pool disabled=no interface=alexa name=alexa_dhcp_server
/system logging action
set 3 bsd-syslog=yes remote=192.168.80.7 syslog-facility=local5
add bsd-syslog=yes name=capssyslog remote=192.168.80.7 syslog-facility=local3 target=remote
/caps-man access-list
add action=reject allow-signal-out-of-range=10s disabled=no signal-range=-120..-75 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no signal-range=-74..120 ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration="2.4Ghz Config"
add action=create-dynamic-enabled hw-supported-modes=an master-configuration="5.0Ghz Config" slave-configurations=Alexa
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=alexa vlan-ids=90
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=alexa list=LAN
/interface wireless cap
#
set bridge=bridge caps-man-addresses=127.0.0.1 discovery-interfaces=bridge enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.80.1/24 comment=defconf interface=bridge network=192.168.80.0
add address=192.168.90.1 interface=alexa network=192.168.90.1
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.80.79 mac-address=B8:27:EB:4B:B8:9F
add address=192.168.80.59 mac-address=30:96:FB:5F:42:38
/ip dhcp-server network
add address=192.168.80.0/24 comment=defconf dns-server=192.168.80.25,8.8.8.8 gateway=192.168.80.1 netmask=24 ntp-server=0.0.0.0
add address=192.168.90.0/24 dns-server=192.168.90.1 gateway=192.168.90.1 netmask=24 ntp-server=216.229.4.66
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN src-address=0.0.0.0/0
add action=dst-nat chain=dstnat dst-port=1004 in-interface=ether1 protocol=tcp to-addresses=192.168.80.4 to-ports=22
add action=dst-nat chain=dstnat dst-port=32400 in-interface=ether1 protocol=tcp to-addresses=192.168.80.4 to-ports=32400
add action=dst-nat chain=dstnat dst-port=1003 in-interface=ether1 protocol=tcp to-addresses=192.168.80.3 to-ports=22
add action=dst-nat chain=dstnat dst-port=8003 in-interface=ether1 protocol=tcp to-addresses=192.168.80.3 to-ports=80
add action=dst-nat chain=dstnat dst-port=1194 in-interface=ether1 protocol=tcp to-addresses=192.168.80.24 to-ports=1194
add action=dst-nat chain=dstnat dst-port=1006 in-interface=ether1 protocol=tcp to-addresses=192.168.80.26 to-ports=22
add action=dst-nat chain=dstnat dst-port=1008 in-interface=ether1 protocol=tcp to-addresses=192.168.80.8 to-ports=22
add action=dst-nat chain=dstnat comment=Octoprint dst-port=8031 in-interface=ether1 protocol=tcp src-address=66.152.179.48 to-addresses=192.168.80.31 to-ports=80
add action=dst-nat chain=dstnat dst-port=8989 in-interface=ether1 protocol=tcp src-address=66.152.179.48 src-address-list="" to-addresses=192.168.80.16 to-ports=8080
add action=dst-nat chain=dstnat dst-port=9091 in-interface=ether1 protocol=tcp to-addresses=192.168.80.6 to-ports=9091
add action=dst-nat chain=dstnat dst-port=9191 in-interface=ether1 protocol=tcp src-address=66.152.179.48 to-addresses=192.168.80.7 to-ports=9191
add action=dst-nat chain=dstnat dst-port=8765 in-interface=ether1 protocol=tcp src-address=66.152.179.48 to-addresses=192.168.80.11 to-ports=8765
add action=dst-nat chain=dstnat dst-port=5050 in-interface=ether1 protocol=tcp src-address=66.152.179.48 to-addresses=192.168.80.29 to-ports=5050
add action=dst-nat chain=dstnat dst-port=8081 in-interface=ether1 protocol=tcp src-address=66.152.179.48 to-addresses=192.168.80.29 to-ports=8081
add action=dst-nat chain=dstnat dst-port=7890 in-interface=ether1 protocol=tcp src-address=66.152.179.48 to-addresses=192.168.80.6 to-ports=7890
add action=dst-nat chain=dstnat dst-port=1016 in-interface=ether1 protocol=tcp to-addresses=192.168.80.16 to-ports=22
add action=dst-nat chain=dstnat dst-port=8090 in-interface=ether1 protocol=tcp src-address=66.152.179.48 to-addresses=192.168.80.16 to-ports=8090
add action=dst-nat chain=dstnat dst-port=8888 protocol=tcp to-addresses=192.168.80.59 to-ports=8080
/system clock
set time-zone-name=America/New_York
/system identity
set name=Basement
/system logging
set 0 action=remote
set 1 action=remote
set 2 topics=firewall
/system ntp client
set enabled=yes primary-ntp=185.103.216.7 server-dns-names=,
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=bridge filter-ip-address=192.168.80.75/32

I think you're looking for this:
/interface bridge
add admin-mac=48:8F:5A:AB:35:E0 auto-mac=no comment=defconf name=bridge
I do not have VLAN filtering on.
 
mducharme

Re: VLAN can't access internet, router, or local LAN

Mon Jun 21, 2021 4:53 am

> add address=192.168.90.1 interface=alexa network=192.168.90.1

This is incorrect - by not specifying /24, it uses the default of /32 which is a subnet of one IP (i.e. netmask 255.255.255.255). So you have given the router an IP on this VLAN, with a subnet mask that is only large enough to accommodate the router itself and no client devices. You need 192.168.90.1/24 (which is equivalent to specifying a netmask of 255.255.255.0).

Also, the network was incorrectly calculated because you typed in the IP wrong. Either you can hit the up-triangle in winbox/webfig to undo the network after fixing the missing /24, and it will change it to the correct network setting, or you can manually change the network setting from 192.168.90.1 to 192.168.90.0.
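The three pitfalls this thread walks through (a VLAN interface that is not itself a member of the LAN interface list, an /ip address typed without a prefix length and therefore stored as /32 with a wrong network field, and /interface bridge vlan rows that do nothing while vlan-filtering is off) can all be caught by reading the /export before hunting through firewall logs. The script below is an added example, not code from the thread or from MikroTik. It tokenises an export with a simplified parser (key=value words joined across backslash continuations; it does not cover every RouterOS quoting case) and runs it over a constructed excerpt modelled on the export posted above, with the alexa VLAN deliberately left out of the LAN list so that every check reports something. The FIXED_EXPORT variant applies the corrections given in this thread and should come back clean.

```python
"""Lint a RouterOS '/export' for the VLAN-on-bridge pitfalls raised in this thread.

Added example, not from the thread or from MikroTik. Reports:
  1. /ip address rows with no prefix length (RouterOS stores them as /32);
  2. DHCP networks whose gateway is on the router but in a different subnet;
  3. /interface bridge vlan rows on a bridge without vlan-filtering=yes;
  4. /interface vlan interfaces missing from the list the firewall's
     'drop all not coming from LAN' input rule matches on.
"""
import ipaddress
import re
import shlex
from collections import defaultdict

def parse_export(text):
    """{section: [entry, ...]}, each entry a dict of the row's key=value words."""
    sections, section = defaultdict(list), None
    for raw in re.sub(r"\\\n\s*", " ", text).splitlines():  # join '\' continuations
        line = raw.strip()
        if line.startswith("/"):
            section = line
        elif line and not line.startswith("#"):
            words = shlex.split(line)
            if words and words[0] in ("add", "set"):
                sections[section].append(dict(w.split("=", 1) for w in words[1:] if "=" in w))
    return sections

def router_addresses(sections):
    """Addresses the router holds; a missing prefix length means /32 (RouterOS default)."""
    rows = [e["address"] for e in sections.get("/ip address", []) if "address" in e]
    return [ipaddress.ip_interface(a if "/" in a else a + "/32") for a in rows]

def check_addresses(sections):
    return [f"/ip address {a} on {e.get('interface')}: no prefix length, stored as /32"
            for e in sections.get("/ip address", []) for a in [e.get("address", "")]
            if a and "/" not in a]

def check_dhcp_gateways(sections):
    issues = []
    for n in sections.get("/ip dhcp-server network", []):
        net = ipaddress.ip_network(n["address"], strict=False)
        held = [i for i in router_addresses(sections) if str(i.ip) == n.get("gateway")]
        if held and not any(i.network == net for i in held):
            issues.append(f"dhcp {net}: gateway {n['gateway']} is on the router as "
                          f"{held[0].with_prefixlen}, a different subnet")
    return issues

def check_bridge_vlan(sections):
    filtering = {b.get("name"): b.get("vlan-filtering", "no")
                 for b in sections.get("/interface bridge", [])}
    return [f"/interface bridge vlan vlan-ids={v.get('vlan-ids')}: bridge {v.get('bridge')} has "
            f"vlan-filtering=no, so the row has no effect"
            for v in sections.get("/interface bridge vlan", [])
            if filtering.get(v.get("bridge"), "no") != "yes"]

def check_vlan_in_lan_list(sections):
    lists = {r["in-interface-list"][1:] for r in sections.get("/ip firewall filter", [])
             if r.get("chain") == "input" and r.get("action") == "drop"
             and r.get("in-interface-list", "").startswith("!")}
    members = defaultdict(set)
    for m in sections.get("/interface list member", []):
        members[m.get("list")].add(m.get("interface"))
    return [f"/interface vlan {v.get('name')}: not in list {lst}; input chain drops it "
            f"(the parent bridge's membership does not carry over)"
            for v in sections.get("/interface vlan", []) for lst in lists
            if v.get("name") not in members[lst]]

def lint(text):
    s = parse_export(text)
    return check_addresses(s) + check_dhcp_gateways(s) + check_bridge_vlan(s) + check_vlan_in_lan_list(s)

# Constructed excerpt modelled on the thread's export; the alexa VLAN is left out
# of the LAN list on purpose so that every check has something to report.
SAMPLE_EXPORT = r"""
/interface bridge
add admin-mac=48:8F:5A:AB:35:E0 auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=alexa vlan-id=90
/interface bridge vlan
add bridge=bridge tagged=alexa vlan-ids=90
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.80.1/24 comment=defconf interface=bridge network=192.168.80.0
add address=192.168.90.1 interface=alexa network=192.168.90.1
/ip dhcp-server network
add address=192.168.90.0/24 dns-server=192.168.90.1 gateway=192.168.90.1 netmask=24 \
    ntp-server=216.229.4.66
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
"""

# The same excerpt with the fixes from the thread applied.
FIXED_EXPORT = (SAMPLE_EXPORT
    .replace("address=192.168.90.1 interface=alexa network=192.168.90.1",
             "address=192.168.90.1/24 interface=alexa network=192.168.90.0")
    .replace("/interface bridge vlan\nadd bridge=bridge tagged=alexa vlan-ids=90\n", "")
    .replace("list=WAN\n", "list=WAN\nadd interface=alexa list=LAN\n"))

if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_EXPORT), ("fixed", FIXED_EXPORT)):
        print(name, *lint(text), sep="\n  ")
```

Run it against the output of `/export hide-sensitive` saved to a file (replace SAMPLE_EXPORT with the file contents). The DHCP check is the one that pinpoints the bug in this thread: the router answers for 192.168.90.1 but, as a /32, it shares no subnet with the 192.168.90.0/24 that the DHCP server hands out, so the clients' ARP for their gateway is never answered and nothing gets past the VLAN.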
 
jgauthier

Re: VLAN can't access internet, router, or local LAN

Mon Jun 21, 2021 5:01 am

:( when you waste too many hours because you fat fingered something.

Thanks for spotting that. That, naturally, fixed it.
 
mducharme

Re: VLAN can't access internet, router, or local LAN

Mon Jun 21, 2021 5:49 am

> :( when you waste too many hours because you fat fingered something.
>
> Thanks for spotting that. That, naturally, fixed it.

No problem. It is actually quite a common issue, even for people who are used to MikroTik. The issue is that so many other routers have a separate netmask setting that in the IP field, you are used to entering just the IP and not the netmask, and so it is easy to forget.

Also, just so you are aware, this is completely unnecessary and is not doing anything:
/interface bridge vlan
add bridge=bridge tagged=alexa vlan-ids=90
You can completely delete the bridge VLAN and it won't affect anything. The config under /interface bridge vlan only takes effect if bridge vlan filtering is enabled, and in your case it is not. Even if it was enabled, this bridge vlan config is not correct and would not do what you want.

Note: your regular /interface vlan settings for this VLAN are necessary, do not delete those. It is only the /interface bridge vlan (Bridge->VLANs tab in the UI) that are unnecessary.
 
jgauthier

Re: VLAN can't access internet, router, or local LAN

Mon Jun 21, 2021 2:52 pm

Makes sense. Thanks again!
 
verbylab
newbie
Posts: 35
Joined: Sat Jun 26, 2021 4:30 pm

Re: VLAN can't access internet, router, or local LAN

Sun Jun 27, 2021 5:29 pm

> add address=192.168.90.1 interface=alexa network=192.168.90.1
> This is incorrect - by not specifying /24, it uses the default of /32 which is a subnet of one IP (i.e. netmask 255.255.255.255). So you have given the router an IP on this VLAN, with a subnet mask that is only large enough to accommodate the router itself and no client devices. You need 192.168.90.1/24 (which is equivalent to specifying a netmask of 255.255.255.0).

Thank you so much for this! I ran into the same issue (got an IP address on the VLAN through DHCP but couldn't ping the gateway and internet) and your tip made me go back to the address definition where I spotted the exact same error. Fixed it and now it works. 🙌
