networkrevolt
just joined
Topic Author
Posts: 23
Joined: Sun Sep 12, 2021 5:30 am

routing between VLANs

Sun Sep 12, 2021 11:48 pm

Hello, I can't ping between VLANs. I'm just trying to ping. I have put the conf file here. Our home network is on 192.168.1.1 but we need to get to the CCTV network.

thanks

# sep/12/2021 02:36:10 by RouterOS 6.47.9
# software id =
#
#
#
/interface bridge
add name=Lan
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] advertise=10000M-full disable-running-check=\
no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
/interface vlan
add interface=Lan name=CCTV vlan-id=200
add interface=Lan name="Cust IP" vlan-id=60
add interface=ether1 name=ISP1 vlan-id=510
add interface=ether1 name=ISP2 vlan-id=520
add interface=ether1 name=ISP3 vlan-id=530
add interface=ether1 name=ISP4 vlan-id=540
add interface=Lan name=Management vlan-id=10
add interface=Lan name=Routers vlan-id=15
add interface=Lan name=Servers vlan-id=30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.200.10.2-10.200.10.254
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool2 ranges=10.2.8.1-10.2.10.0,10.2.10.2-10.2.15.254
add name=dhcp_pool3 ranges=10.30.10.2-10.30.10.254
add name=dhcp_pool4 ranges=10.2.15.2-10.2.15.254
add name=dhcp_pool5 ranges=10.20.8.1-10.20.10.0,10.20.10.2-10.20.15.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=CCTV name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=Lan name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=Management name=dhcp3
add address-pool=dhcp_pool3 disabled=no interface=Servers name=dhcp4
add address-pool=dhcp_pool4 disabled=no interface=Routers name=dhcp5
add address-pool=dhcp_pool5 disabled=no interface="Cust IP" name=dhcp6
/interface bridge port
add bridge=Lan interface=ether2
/ip address
add address=50.221.xx.xxx/29 interface=ISP1 network=50.221.xx.xxx
add address=10.200.10.1/24 interface=CCTV network=10.200.10.0
add address=192.168.1.1/24 interface=Lan network=192.168.1.0
add address=65.156.xx.xxx/29 interface=ISP3 network=65.156.xx.xxx
add address=10.2.10.1/21 interface=Management network=10.2.8.0
add address=10.2.15.1/24 interface=Routers network=10.2.15.0
add address=10.30.10.1/24 interface=Servers network=10.30.10.0
add address=10.20.10.1/21 interface="Cust IP" network=10.20.8.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=10.2.8.0/21 gateway=10.2.10.1
add address=10.2.15.0/24 dns-server=8.8.8.8,75.75.75.75 gateway=10.2.15.1
add address=10.20.8.0/21 dns-server=8.8.8.8,75.75.75.75 gateway=10.20.10.1
add address=10.30.10.0/24 dns-server=8.8.8.8,75.75.75.75 gateway=10.30.10.1
add address=10.200.10.0/24 gateway=10.200.10.1
add address=192.168.1.0/24 dns-server=192.168.1.1,8.8.8.8,75.75.75.75 \
gateway=192.168.1.1
/ip dns
set servers=75.75.75.75
/ip firewall address-list
add address=10.2.8.0/21 list=TO-ISP1
add address=10.2.15.0/24 list=TO-ISP1
add address=10.20.10.0/24 list=TO-ISP1
add address=10.30.10.0/24 list=TO-ISP3
add address=10.200.10.0/24 list=TO-ISP3
add address=192.168.1.0/24 list=TO-ISP3
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=TO-ISP1 \
passthrough=yes src-address-list=TO-ISP1
add action=mark-routing chain=prerouting new-routing-mark=TO-ISP3 \
passthrough=yes src-address-list=TO-ISP3
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ISP1
add action=masquerade chain=srcnat out-interface=ISP3
/ip route
add check-gateway=ping distance=1 gateway=50.221.xx.xx routing-mark=TO-ISP1
add check-gateway=ping distance=1 gateway=65.156.xxx.xx routing-mark=TO-ISP3
add check-gateway=ping comment=pings distance=1 gateway=50.221.xx.xx
add check-gateway=ping distance=1 gateway=65.156.xx.xx
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name="Core Router 1"
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: routing between VLANs

Wed Sep 15, 2021 5:20 pm

The best resource for vlans is the following......
viewtopic.php?f=23&t=143620

In the meantime will have a look!

(1) Where is IP address of ISP 2,4?
(2) Understand you have FIVE vlans on the LAN and one bridge that is also providing DHCP for ethernet2.
(3) Don't have a clue how you are getting WAN IPs....... but it seems intriguing.
(4) Missing firewall rules
(5) Missing interface members and list members

(6) NO assignment of VLANS (interface bridge vlan) or bridge vlan filtering.
(7) If wanting to ensure a vlan should go out a specific wan it can be done without mangling

Please do the following.
Read the article and make the necessary changes.
Post a network diagram
Post the COMPLETE config /export hide-sensitive file=anynameyouwish
 
networkrevolt
just joined
Topic Author
Posts: 23
Joined: Sun Sep 12, 2021 5:30 am

Re: routing between VLANs

Mon Sep 20, 2021 9:55 pm

(1) Where is IP address of ISP 2,4? ISP 2 and 4 are not set up yet. They are still being installed.

(2) Understand you have FIVE vlans on the LAN and one bridge that is also providing DHCP for ethernet2.

(3) Don't have a clue how you are getting WAN IPs....... but it seems intriguing. All WAN IPs are coming in on a 40 Gb port, Eth1, that has VLANs for the ISPs. The setup is four 2 Gb fiber handoffs to a switch with VLANs for each ISP, which then goes to the 40 Gb port on the router. The plan was to have all 4 ISPs for customers, but we need them all to fail over in case one goes out.

(4) Missing firewall rules - I don't know why they did show up

(5) Missing interface members and list members

(6) NO assignment of VLANS (interface bridge vlan) or bridge vlan filtering.
(7) If wanting to ensure a vlan should go out a specific wan it can be done without mangling
 
networkrevolt
just joined
Topic Author
Posts: 23
Joined: Sun Sep 12, 2021 5:30 am

Re: routing between VLANs

Mon Sep 20, 2021 10:05 pm

# sep/20/2021 19:00:20 by RouterOS 6.47.9
# software id =
#
#
#
/interface bridge
add name=Lan
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] advertise=10000M-full disable-running-check=\
no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
/interface vlan
add interface=Lan name=CCTV vlan-id=200
add interface=Lan name="Cust IP" vlan-id=60
add interface=ether1 name=ISP1 vlan-id=510
add interface=ether1 name=ISP2 vlan-id=520
add interface=ether1 name=ISP3 vlan-id=530
add interface=ether1 name=ISP4 vlan-id=540
add interface=Lan name=Management vlan-id=10
add interface=Lan name=Routers vlan-id=15
add interface=Lan name=Servers vlan-id=30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.200.10.2-10.200.10.254
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool2 ranges=10.2.8.1-10.2.10.0,10.2.10.2-10.2.15.254
add name=dhcp_pool3 ranges=10.30.10.2-10.30.10.254
add name=dhcp_pool4 ranges=10.2.15.2-10.2.15.254
add name=dhcp_pool5 ranges=10.20.8.1-10.20.10.0,10.20.10.2-10.20.15.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=CCTV name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=Lan name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=Management name=dhcp3
add address-pool=dhcp_pool3 disabled=no interface=Servers name=dhcp4
add address-pool=dhcp_pool4 disabled=no interface=Routers name=dhcp5
add address-pool=dhcp_pool5 disabled=no interface="Cust IP" name=dhcp6
/interface bridge port
add bridge=Lan interface=ether2
/ip address
add address=50.221.xx.xx/29 interface=ISP1 network=50.221.xx.xx
add address=10.200.10.1/24 interface=CCTV network=10.200.10.0
add address=192.168.1.1/24 interface=Lan network=192.168.1.0
add address=65.156.xx.xx/29 interface=ISP3 network=65.156.xx.xx
add address=10.2.10.1/21 interface=Management network=10.2.8.0
add address=10.2.15.1/24 interface=Routers network=10.2.15.0
add address=10.30.10.1/24 interface=Servers network=10.30.10.0
add address=10.20.10.1/21 interface="Cust IP" network=10.20.8.0
add address=65.156.xx.186/29 interface=ISP3 network=65.156.xx.xx
add address=65.156.xx.187/29 interface=ISP3 network=65.156.xx.xx
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=10.2.8.0/21 gateway=10.2.10.1
add address=10.2.15.0/24 dns-server=8.8.8.8,75.75.75.75 gateway=10.2.15.1
add address=10.20.8.0/21 dns-server=8.8.8.8,75.75.75.75 gateway=10.20.10.1
add address=10.30.10.0/24 dns-server=8.8.8.8,75.75.75.75 gateway=10.30.10.1
add address=10.200.10.0/24 gateway=10.200.10.1
add address=192.168.1.0/24 dns-server=192.168.1.1,8.8.8.8,75.75.75.75 \
gateway=192.168.1.1
/ip dns
set servers=75.75.75.75
/ip dns static
add address=192.168.1.46 name=revoltwireless.net
/ip firewall address-list
add address=10.2.8.0/21 list=TO-ISP1
add address=10.2.15.0/24 list=TO-ISP1
add address=10.20.10.0/24 list=TO-ISP1
add address=10.30.10.0/24 list=TO-ISP3
add address=10.200.10.0/24 list=TO-ISP3
add address=192.168.1.0/24 list=TO-ISP3
add address=192.168.1.1-192.168.1.254 list=ALL_LANS
add address=10.2.8.1-10.2.8.254 list=ALL_LANS
/ip firewall filter
add action=accept chain=output out-interface=Lan
add action=accept chain=input in-interface=Lan
add action=accept chain=forward
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=TO-ISP1 \
passthrough=yes src-address-list=TO-ISP1
add action=mark-routing chain=prerouting new-routing-mark=TO-ISP3 \
passthrough=yes src-address-list=TO-ISP3
add action=mark-connection chain=input in-interface=ISP1 new-connection-mark=\
ISP1_conn passthrough=yes
add action=mark-connection chain=input in-interface=ISP2 new-connection-mark=\
ISP2_conn passthrough=yes
add action=mark-connection chain=input in-interface=ISP3 new-connection-mark=\
ISP3_conn passthrough=yes
add action=mark-connection chain=input in-interface=ISP4 new-connection-mark=\
ISP4_conn passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1_conn \
new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2_conn \
new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP3_conn \
new-routing-mark=to_ISP3 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP4_conn \
new-routing-mark=to_ISP4 passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=Lan new-connection-mark=ISP1_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:4/0
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=Lan new-connection-mark=ISP2_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:4/1
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=Lan new-connection-mark=ISP3_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:4/2
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=Lan new-connection-mark=ISP4_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:4/3
add action=mark-routing chain=prerouting connection-mark=ISP1_conn \
in-interface=Lan new-routing-mark=to_ISP1 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ISP1
add action=masquerade chain=srcnat out-interface=ISP3
add action=dst-nat chain=dstnat dst-address=65.156.185.187 dst-port=80 \
protocol=tcp to-addresses=192.168.1.46 to-ports=80
add action=dst-nat chain=dstnat dst-address=65.156.185.187 dst-port=443 \
protocol=tcp to-addresses=192.168.1.46 to-ports=443
/ip route
add check-gateway=ping distance=1 gateway=50.221.15.145 routing-mark=TO-ISP1
add check-gateway=ping distance=1 gateway=65.156.185.185 routing-mark=TO-ISP3
add check-gateway=ping comment=pings distance=1 gateway=50.221.15.145
add check-gateway=ping distance=1 gateway=65.156.185.185
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name="Core Router 1"
Last edited by networkrevolt on Tue Sep 21, 2021 8:57 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: routing between VLANs

Mon Sep 20, 2021 10:15 pm

Use code tags on configs; 'tis the black square with white square brackets to the right of the B..I..U in the text edit line under the title of the thread, when in edit mode!
Don't give a bridge the name of a common other used term in configurations such as LAN.............. it gets very confusing.

(1) you have 3 ISP addresses all pointing to ISP3, instead of 1,2,3,4

(2) Lets look at your management setup
add address-pool=dhcp_pool2 disabled=no interface=Management name=dhcp3
add name=dhcp_pool2 ranges=10.2.8.1-10.2.10.0,10.2.10.2-10.2.15.254

10.2.8.1-10.2.10.0 WTF is that, and then
10.2.10.2-10.2.15.254 ??????

Then an ip address.
add address=10.2.10.1/21 interface=Management network=10.2.8.0
??????????????

Okay, I cannot subnet myself out of a paper bag and thus stick to simple network structures,
but doesn't 10.2.10.1/21 cover 8 "NORMAL" subnets........
10.2.10.1/24 through 10.2.17.1/24, and thus the network should be 10.2.10.0
and the IP pool
10.2.10.2-10.2.17.254 ??

Then you have a routers vlan which is inside the subnet of the management network at 10.2.10.15.......

Summary, until the subnet structure of your vlans and corresponding settings make sense I am unable to help.
Perhaps its legit, but someone else then should assist.

As already noted, no fw rules, not ready for live to ISP modem yet.
Last edited by anav on Mon Sep 20, 2021 10:39 pm, edited 2 times in total.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: routing between VLANs

Mon Sep 20, 2021 10:25 pm

dst-address-type=!local is likely not doing what you expected - this means addresses which are not local to the Mikrotik, it does not mean local subnets. Also note the mangle rules only apply to the bridge-to-CPU interface of the bridge (as @anav says confusingly called Lan), they will have no effect on packets via VLAN interfaces attached to the bridge.

You have no useful firewall filter rules - the default policy is accept, so the Mikrotik is completely exposed to the internet.
 
networkrevolt
just joined
Topic Author
Posts: 23
Joined: Sun Sep 12, 2021 5:30 am

Re: routing between VLANs

Mon Sep 20, 2021 11:57 pm

Thank you for your input. I did a little drawing of what we are trying to do. They have an old Cisco router that we are trying to replace. Any help or anything would be great, thanks.
network layout.png
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: routing between VLANs

Tue Sep 21, 2021 8:39 pm

You still haven't applied the code tags to your previous post ????

Assume then the core switch passed all the WAN Connections via vlans to the Router via ether1.
Not sure how to best address that on the router .......................
Last edited by anav on Tue Sep 21, 2021 9:05 pm, edited 1 time in total.
 
networkrevolt
just joined
Topic Author
Posts: 23
Joined: Sun Sep 12, 2021 5:30 am

Re: routing between VLANs

Tue Sep 21, 2021 8:46 pm

OK, I will do that.
 
networkrevolt
just joined
Topic Author
Posts: 23
Joined: Sun Sep 12, 2021 5:30 am

Re: routing between VLANs

Tue Sep 21, 2021 9:12 pm

Thanks Anav,

Yes, we have 3 IP addresses pointing to ISP3 because we have a block of 5 and all 5 of them come in to the router on that ISP. All the WAN ports will have more than one IP address on them. The core switch passes all the WAN connections to ether1, which is a 40 Gb fiber port.


The Management pool was set up to copy the old Cisco pool from when the company had over 1000 units on that VLAN; now there are fewer than 100, thanks to them learning about sub-routers at towers.

This is a very messed up place that we took over after the owner died, so we can fix a little at a time. One of the things that we would like to do is get this router in place. It does not need to go by the config I posted; that is something they came up with to try to make it work. My goal as the new owner of the mess is to set it up right with 4 WANs for load and failover and have the VLANs work from our office. The WAN VLANs need to stay that way running. As for the pools, we can make them smaller as management only goes to the sub-routers now and not everything.

This setup is in a test setup until we get it right and can put it in place.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: routing between VLANs

Tue Sep 21, 2021 9:31 pm

Hi there.
I have attempted to give you a cleaned up, rational setup that makes sense to simple me.
Once we know what is desired in terms of requirements, more can be done or stuff can be modified, removed or added as appropriate.
Note: I removed the bridge from any DHCP etc. and gave its work to vlan 11 (presuming lan users).

Requirements needing information:
a. what subnets/vlans are supposed to use as WANIP outbound
b. what the role of the ISP wan connections is supposed to be (which is primary, which is back up, which is fixed for some lans to use etc.............) then that can be figured out and the mangling if required as well.
c. I simplified the nomenclature so it's easily readable and simplified the subnetting to what I am familiar with.
d. I added default firewall rules so it's safe out of the box.
e. NEED to know the requirements of
i. which vlans need internet access
ii. which vlans or devices on vlans may need access to other vlans
iii. yourself as admin, which vlan will you be working from to configure the router and what vlans do you need access to.
iv. What you are doing with rest of ports on router ether 3 to xxxx ????
...
/interface bridge
add name=BL vlan-filtering=no {changed this to yes when config is complete}
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] advertise=10000M-full disable-running-check=\
no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no/Internet
/interface vlan
add interface=BL name=Management vlan-id=10
add interface=BL name=lanusers vlan-id=11
add interface=BL name=Routers vlan-id=15
add interface=BL name=Servers vlan-id=30
add interface=BL name=Cust_IP vlan-id=60
add interface=BL name=CCTV vlan-id=200
add interface=ether1 name=ISP1-510 vlan-id=510
add interface=ether1 name=ISP2-520 vlan-id=520
add interface=ether1 name=ISP3-530 vlan-id=530
add interface=ether1 name=ISP4-540 vlan-id=540
add interface=ether1 name=ISP5-550 vlan-id=550
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface list
add name=WAN
add name=LAN
add name=Manage
/interface list member
add interface=ether1 list=WAN
add interface=ISP1-510 list=WAN
add interface=ISP2-520 list=WAN
add interface=ISP3-530 list=WAN
add interface=ISP4-540 list=WAN
add interface=ISP5-550 list=WAN
add interface=Management list=LAN
add interface=Management list=Manage
add interface=lanusers list=LAN
add interface=Routers list=LAN
add interface=Servers list=LAN
add interface=Cust_IP list=LAN
add interface=CCTV list=LAN
/ip pool
add name=dhcp_pool-10 ranges=10.10.2.2-10.10.2.254
add name=dhcp_pool-11 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool-15 ranges=10.15.2.2-10.15.2.254
add name=dhcp_pool-30 ranges=10.30.2.2-10.30.2.254
add name=dhcp_pool-60 ranges=10.60.2.2-10.60.2.254
add name=dhcp_pool-200 ranges=10.200.2.2-10.200.2.254
/ip dhcp-server
add address-pool=dhcp_pool-10 disabled=no interface=Management name=dhcp10
add address-pool=dhcp_pool-11 disabled=no interface=lanusers name=dhcp11
add address-pool=dhcp_pool-15 disabled=no interface=Routers name=dhcp15
add address-pool=dhcp_pool-30 disabled=no interface=Servers name=dhcp30
add address-pool=dhcp_pool-60 disabled=no interface=Cust_IP name=dhcp60 
add address-pool=dhcp_pool-200 disabled=no interface=CCTV name=dhcp200
/interface bridge port
add bridge=BL interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
/interface bridge vlan
add bridge=BL tagged=BL,ether2 vlan-ids=10,11,15,30,60,200
/ip address
add address=10.10.2.1/24 interface=Management network=10.10.2.0
add address=192.168.1.1/24 interface=lanusers network=192.168.1.0
add address=10.15.2.1/24 interface=Routers network=10.15.2.0
add address=10.30.2.1/24 interface=Servers network=10.30.2.0
add address=10.60.2.1/24 interface=Cust_IP network=10.60.2.0
add address=10.200.2.1/24 interface=CCTV network=10.200.2.0
add address=50.221.xx.xx/29 interface=ISP1-510 network=50.221.xx.xx
add address=65.156.xx.186/29 interface=ISP2-520 network=65.156.xx.xx
add address=65.156.xx.187/29 interface=ISP3-530 network=65.156.xx.xx
add address=65.156.xx.xx/29 interface=ISP4-540 network=65.156.xx.xx
add address=65.156.xx.xx/29 interface=ISP5-550 network=65.156.xx.xx
/ip dhcp-client
add disabled=no interface=ISP1-510
add disabled=no interface=ISP2-520
add disabled=no interface=ISP3-530
add disabled=no interface=ISP4-540
add disabled=no interface=ISP5-550
/ip dhcp-server network
add address=10.10.2.0/24  dns-server=10.10.2.1  gateway=10.10.2.1 
add address=192.168.1.0/24 dns-server=192.168.1.1,8.8.8.8,75.75.75.75 gateway=192.168.1.1
add address=10.15.2.0/24 dns-server=8.8.8.8,75.75.75.75 gateway=10.15.2.1
add address=10.30.2.0/24 dns-server=8.8.8.8,75.75.75.75 gateway=10.30.2.1
add address=10.60.2.0/24 dns-server=8.8.8.8,75.75.75.75 gateway=10.60.2.1
add address=10.200.2.0/24 dns-server=10.200.2.1 gateway=10.200.2.1
/ip dns
set servers=75.75.75.75
/ip dns static
add address=192.168.1.46 name=revoltwireless.net
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related log-prefix=fasttrack
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=drop-invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "not DSTNATed"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=StaticWanIP dst-port=80 \
protocol=tcp to-addresses=192.168.1.46  {to port not required if same as dst-port}
add action=dst-nat chain=dstnat dst-address=StaticWanIp dst-port=443 \
protocol=tcp to-addresses=192.168.1.46
/ip route
add check-gateway=ping distance=1 gateway=ISP1 IP address
add check-gateway=ping distance=1 gateway=ISP2 IP address
add check-gateway=ping distance=1 gateway=ISP3 IP address
add check-gateway=ping distance=1 gateway=ISP4 IP address
add check-gateway=ping distance=1 gateway=ISP5 IP address
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Manage
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name="Core Router 1"
 
fsebera
Frequent Visitor
Posts: 63
Joined: Thu Jun 03, 2021 6:19 pm

Re: routing between VLANs

Tue Sep 21, 2021 11:10 pm

 
Hey Networkrevolt

See PIC below for a simplified operational setup for Inter-Vlan Routing on MikroTik infrastructure (credited to forum expert Sindy!!!!)
This basic configuration has been tested operational on physical MikroTik infrastructure running RouterOS 4.67 as well as the latest version of the free MikroTik Cloud Hosted Router (CHR) running within VMware Workstation 14 Pro. I attempted to make it operational on Oracle VirtualBox but due to trunking failures within the Oracle host I ran out of time.

Two user network Vlans and 1 Management Vlan all can ping and route to each other. Needless to say there is no security implemented as your environment is unique from others. This setup just enables folks to get up and running quickly in a lab environment and it is expected the users (you) will implement security as required by your policy and procedures.
 
[....................]

Hope this helps
Frank
 
 
Last edited by fsebera on Fri Sep 24, 2021 3:34 pm, edited 2 times in total.
 
networkrevolt
just joined
Topic Author
Posts: 23
Joined: Sun Sep 12, 2021 5:30 am

Re: routing between VLANs

Wed Sep 22, 2021 4:24 am

Anav, thanks

a. what subnets/vlans are supposed to use as WANIP outbound: all VLANs need to go out to the WAN.

b. what the role of the ISP wan connections is supposed to be (which is primary which is back up which is fixed for some lans to use etc.............) then that can be figured out and the mangling if required as well. The plan was to use them in load balance and failover if one of the ISPs goes down. As of right now only ISP1 and ISP3 are working; ISP1 is 1 Gb and ISP3 is 2 Gb.

iii. yourself as admin, which vlan will you be working from to configure the router and what vlans do you need access to. They have worked on 192.168.1.1 to get to everything. Our office as of now uses a VPN to VLAN 10 to get into their system. In the next 60 days we are moving to the building they are in, as I now own it. The plan is to put the whole office on that 192.168.1.1 or a VLAN. I would like to keep that VPN for when we are away.

iv. What you are doing with rest of ports on router ether 3 to xxxx ???? All the other ports will be links; up to ether 5 will be VLAN trunk ports for switches for failover.
 
brianchrist
newbie
Posts: 44
Joined: Mon Feb 27, 2006 4:50 pm

Re: routing between VLANs

Wed Sep 22, 2021 12:00 pm

You're marking the packets on the incoming LAN interface with mark-routing, so they will be routed to the ISP interface while Mikrotik evaluates the routing decision.
They will never reach other LAN interfaces.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: routing between VLANs

Wed Sep 22, 2021 5:44 pm

Okay so you want the users to share WAN1 and WAN3 in a load balance arrangement where roughly WAN1 is selected for 1 session while WAN3 is selected for two sessions type of ratio basis.
So for every three new sessions the router handles outbound, two will go out WAN3 and one will go out WAN1.
Yeah, that's mangling and as noted probably where you have gone wrong in the config.......
Check this out...... between these two it should be doable.
https://mum.mikrotik.com/presentations/US12/steve.pdf
https://mum.mikrotik.com/presentations/US12/tomas.pdf
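Two of the configuration problems raised in this thread can be caught mechanically before an export goes live: anav's point that the /21 Management subnet swallows the /24 Routers subnet, and PCC mangle rule sets whose remainders do not line up (the 1:2 session ratio described above needs denominator 3, one remainder for ISP1 and two for ISP3, and a pair of rules that both claim 2/0 leaves remainder 1 unrouted). The Python below is an added example, not code from the thread or from MikroTik; it parses a constructed RouterOS export modelled on the posted configs and flags both problems, and `pcc_rules_for_ratio` is a hypothetical helper that emits classifier strings for a given ratio.

```python
"""Lint a RouterOS /export for two defects discussed in this thread:
overlapping /ip address subnets, and per-connection-classifier (PCC)
rules that do not claim every remainder exactly once."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a trimmed RouterOS export reproducing both defects.
# The Management /21 (10.2.8.0-10.2.15.255) contains the Routers /24, and
# both PCC rules claim remainder 0 of 2, so remainder 1 is never marked.
SAMPLE_EXPORT = """\
/ip address
add address=10.2.10.1/21 interface=Management network=10.2.8.0
add address=10.2.15.1/24 interface=Routers network=10.2.15.0
add address=10.30.10.1/24 interface=Servers network=10.30.10.0
add address=65.156.xx.xx/29 interface=ISP3-530 network=65.156.xx.xx
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \\
dst-address-type=!local in-interface=BL new-connection-mark=WAN1 \\
passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \\
dst-address-type=!local in-interface=BL new-connection-mark=WAN2 \\
passthrough=yes per-connection-classifier=both-addresses:2/0
"""

# key=value tokens; values may be double-quoted (comments) or bare.
KV_RE = re.compile(r'([\w.-]+)=("[^"]*"|\S+)')


def parse_export(text):
    """Return (section, {key: value}) for each add/set line, after joining
    the trailing-backslash continuations that /export writes."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        joined.append(buf + line)
        buf = ""
    section, entries = None, []
    for line in joined:
        if line.startswith("/"):
            section = line.strip()
        elif line.startswith(("add ", "set ")):
            kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
            entries.append((section, kv))
    return entries


def overlapping_subnets(entries):
    """Pairs of /ip address entries whose networks overlap.
    Masked addresses (the 'xx' octets in the posts) are skipped."""
    nets = []
    for section, kv in entries:
        if section != "/ip address" or "xx" in kv.get("address", ""):
            continue
        nets.append((kv["interface"], ipaddress.ip_interface(kv["address"]).network))
    found = []
    for i, (if_a, net_a) in enumerate(nets):
        for if_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                found.append((if_a, str(net_a), if_b, str(net_b)))
    return found


def pcc_coverage(entries):
    """For each classifier/denominator used by mark-connection rules, report
    remainders claimed more than once and remainders not claimed at all."""
    claims = defaultdict(lambda: defaultdict(list))
    for section, kv in entries:
        pcc = kv.get("per-connection-classifier")
        if section != "/ip firewall mangle" or not pcc:
            continue
        if kv.get("action") != "mark-connection":
            continue
        classifier, frac = pcc.split(":")
        denom, rem = (int(x) for x in frac.split("/"))
        claims[(classifier, denom)][rem].append(kv.get("new-connection-mark"))
    report = {}
    for (classifier, denom), rems in claims.items():
        report[f"{classifier}:{denom}"] = {
            "duplicated": {r: marks for r, marks in rems.items() if len(marks) > 1},
            "missing": [r for r in range(denom) if r not in rems],
        }
    return report


def pcc_rules_for_ratio(weights):
    """Hypothetical helper: turn a session ratio such as {"ISP1": 1, "ISP3": 2}
    into PCC classifier strings, one remainder per unit of weight."""
    denom = sum(weights.values())
    rules, rem = [], 0
    for wan, weight in weights.items():
        for _ in range(weight):
            rules.append((wan, f"both-addresses:{denom}/{rem}"))
            rem += 1
    return rules


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print("overlapping subnets:", overlapping_subnets(parsed))
    print("PCC coverage:", pcc_coverage(parsed))
    print("rules for 1:2 ratio:", pcc_rules_for_ratio({"ISP1": 1, "ISP3": 2}))
```

Run it against a real `/export` by reading the file into `parse_export` instead of `SAMPLE_EXPORT`; the same PCC check applies to `both-addresses-and-ports` classifiers.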
 
networkrevolt
just joined
Topic Author
Posts: 23
Joined: Sun Sep 12, 2021 5:30 am

Re: routing between VLANs

Wed Sep 29, 2021 10:58 pm

Hello, I went back and set up PCC and have had no luck. I can ping out of the router when one of the WANs is turned on, but as soon as I turn on the other everything stops working. They keep showing it with one LAN port, but I need it to do so on all VLANs, so I am trying to set it up with just ether2 and the bridge, but no luck. We are only trying it with 2 ISPs right now and will add the others after we get the 2 working. Here is what I have. I think I missed something or messed it up.


/interface bridge
add name=BL vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] advertise=10000M-full disable-running-check=\
no
set [ find default-name=ether3 ] disable-running-check=no
/interface vlan
add interface=BL name=CCTV vlan-id=200
add disabled=yes interface=BL name=Cust_IP vlan-id=60
add disabled=yes interface=ether1 name=ISP1-510 vlan-id=510
add interface=ether1 name=ISP2-520 vlan-id=520
add interface=ether1 name=ISP3-530 vlan-id=530
add interface=ether1 name=ISP4-540 vlan-id=540
add interface=ether1 name=ISP5-550 vlan-id=550
add disabled=yes interface=BL name=Management vlan-id=10
add disabled=yes interface=BL name=Routers vlan-id=15
add disabled=yes interface=BL name=Servers vlan-id=30
add disabled=yes interface=BL name=lanusers vlan-id=11
/interface list
add name=WAN
add name=LAN
add name=Manage
/ip pool
add name=dhcp_pool-10 ranges=10.10.2.2-10.10.2.254
add name=dhcp_pool-11 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool-15 ranges=10.15.2.2-10.15.2.254
add name=dhcp_pool-30 ranges=10.30.2.2-10.30.2.254
add name=dhcp_pool-60 ranges=10.60.2.2-10.60.2.254
add name=dhcp_pool-200 ranges=10.200.2.2-10.200.2.254
/ip dhcp-server
add address-pool=dhcp_pool-10 disabled=no interface=Management name=dhcp10
add address-pool=dhcp_pool-11 disabled=no interface=lanusers name=dhcp11
add address-pool=dhcp_pool-15 disabled=no interface=Routers name=dhcp15
add address-pool=dhcp_pool-30 disabled=no interface=Servers name=dhcp30
add address-pool=dhcp_pool-60 disabled=no interface=Cust_IP name=dhcp60
add address-pool=dhcp_pool-200 disabled=no interface=CCTV name=dhcp200
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=BL frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether2
/interface bridge vlan
add bridge=BL tagged=BL,ether2 vlan-ids=10,11,15,30,60,200
/interface list member
add interface=ether1 list=WAN
add interface=ISP1-510 list=WAN
add interface=ISP2-520 list=WAN
add interface=ISP3-530 list=WAN
add interface=ISP4-540 list=WAN
add interface=ISP5-550 list=WAN
add interface=Management list=Manage
add interface=Management list=LAN
add interface=lanusers list=LAN
add interface=Routers list=LAN
add interface=Servers list=LAN
add interface=Cust_IP list=LAN
add interface=CCTV list=LAN
add interface=ether2 list=LAN
/ip address
add address=192.168.1.2/24 disabled=yes interface=ether2 network=192.168.1.0
add address=65.156.xx.xx/29 interface=ISP3-530 network=65.156.xx.xx
add address=10.10.2.1/24 interface=Management network=10.10.2.0
add address=192.168.1.1/24 interface=lanusers network=192.168.1.0
add address=10.15.2.1/24 interface=Routers network=10.15.2.0
add address=10.30.2.1/24 interface=Servers network=10.30.2.0
add address=10.60.2.1/24 interface=Cust_IP network=10.60.2.0
add address=10.200.2.1/24 interface=CCTV network=10.200.2.0
add address=50.221.xx.xx/29 interface=ISP1-510 network=50.221.xx.xx
/ip cloud
set update-time=no
/ip dhcp-server network
add address=10.10.2.0/24 dns-server=10.10.2.1 gateway=10.10.2.1
add address=10.200.10.0/24 dns-server=10.200.2.1 gateway=10.200.10.1
/ip dns
set servers=192.168.1.26,8.8.8.8
/ip dns static
add address=192.168.1.46 name=revoltwireless.net
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related log-prefix=fasttrack
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes log-prefix=drop-invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"not DSTNATed"
/ip firewall mangle
add action=accept chain=prerouting dst-address=50.221.xx.xx
add action=accept chain=prerouting dst-address=65.156.xx.xx
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=BL new-connection-mark=WAN1 \
passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=BL new-connection-mark=WAN2 \
passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=BL \
new-routing-mark=ISP1-mark passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface=BL \
new-routing-mark=ISP3-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1 new-routing-mark=\
ISP1-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2 new-routing-mark=\
ISP3-mark passthrough=yes
# ISP1-510 not ready
add action=mark-connection chain=prerouting connection-mark=WAN1 \
in-interface=ISP1-510 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=WAN2 \
in-interface=ISP3-530 new-connection-mark=WAN2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add check-gateway=ping distance=1 gateway=50.221.xx.xx routing-mark=\
ISP1-mark
add check-gateway=ping distance=1 gateway=65.156.xx.xx routing-mark=\
ISP3-mark
add check-gateway=ping distance=1 gateway=50.221.xx.xx
add distance=2 gateway=65.156.xx.xx
/system identity
set name="Core Router 1 (NEW)"
/tool user-manager database
set db-path=user-manager
 
networkrevolt
just joined
Topic Author
Posts: 23
Joined: Sun Sep 12, 2021 5:30 am

Re: routing between VLANs

Fri Oct 01, 2021 9:06 pm

Anyone good at mangle? I can't see what I did wrong. It's a bridge with VLANs on one port. Maybe I am missing something.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: routing between VLANs

Fri Oct 01, 2021 10:51 pm

Did you compare your rules to those of the presentations from the previous post?
 
networkrevolt
just joined
Topic Author
Posts: 23
Joined: Sun Sep 12, 2021 5:30 am

Re: routing between VLANs

Sat Oct 02, 2021 5:28 am

Did you compare your rules to those of the presentations from the previous post?

Yes I did, they did it with one ether vs bridge/VLANs, so I don't know if there is something that needs to be changed for that.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: routing between VLANs

Sat Oct 02, 2021 3:47 pm

I've not looked at the detail of the mangle rules but no mangling will work properly until fasttrack is disabled.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: routing between VLANs

Sat Oct 02, 2021 3:52 pm

Yes.............. this rule LOL. To be fair, MK poorly documents the restriction of not using fast track for mangling.
Even the two presentations from experts failed to note this as does the WIKI on mangling.

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related log-prefix=fasttrack
 
networkrevolt
just joined
Topic Author
Posts: 23
Joined: Sun Sep 12, 2021 5:30 am

Re: routing between VLANs

Sat Oct 02, 2021 7:55 pm

I put the line in for fasttrack but I'm still not getting anything. Can I take fasttrack out?

thanks
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: routing between VLANs

Sat Oct 02, 2021 8:58 pm

Yes, ensure fasttrack is not active!!
There is some finesse about how one can apply it to some packets and not others but for now just DISABLE it, no need to remove it.
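As an added example (not the thread's own commands, nor part of the posted config) of the fasttrack advice from tdw and anav above: disable the rule, verify that the mangle rules are now being hit, and an optional narrower replacement rule. The comment strings in the added rule are mine; every other name refers to the posted config.

```routeros
# Added example, not the poster's config: apply the fasttrack advice above.
# 1) Disable (do not remove) the defconf fasttrack rule so every packet keeps
#    traversing the mangle chains and the PCC connection/routing marks take effect.
/ip firewall filter
set [ find comment="defconf: fasttrack" ] disabled=yes

# 2) Check that the mangle rules now see traffic: with fasttrack active the
#    mark-connection/mark-routing counters stop growing after the first packets
#    of each connection; after disabling it they should climb, and marked
#    connections should appear in the connection table.
/ip firewall mangle print stats
/ip firewall connection print where connection-mark=WAN1
/ip firewall connection print where connection-mark=WAN2

# 3) Optional refinement (the "finesse" mentioned above): re-enable fasttrack
#    only for connections that carry no connection mark, so marked WAN1/WAN2
#    connections never bypass mangle. With the posted mangle rules every new
#    non-local-destination connection arriving on BL gets marked, so only the
#    connections those rules leave unmarked are fasttracked by this rule.
#    It is placed before the defconf "accept established,related" rule so it is
#    evaluated first; the comment string is my own.
/ip firewall filter
add action=fasttrack-connection chain=forward \
    comment="fasttrack only unmarked connections" \
    connection-mark=no-mark connection-state=established,related \
    place-before=[ find comment="defconf: accept established,related, untracked" ]
```

Keep the original defconf fasttrack rule disabled while the rule from step 3 is in place; running both would reintroduce the bypass for marked connections.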
