The idea
The setup is heavily based on pcunite's guide to VLANs (viewtopic.php?t=143620) with added support for CAPsMAN in local forwarding mode. The idea is that CAPsMAN uses the BASE_VLAN (99) for configuration and the actual VLANs for user-wifi-data.
RB3011 (called Main): working as router between the VLANs and WAN. Connected to WAN (ether1), trunks (ether6 and ether9), access port vlan10 (ether10)
RB952Ui (called EG): working as access point + switch. Connected to trunk (ether1 -> Main-ether6), access ports vlan10 (ether 2-5)
RBD52G (called DG): basically the same as EG. Working as access point + switch, connected to trunk (ether1 -> Main-ether9), access ports vlan10 (ether 2-4), access port vlan 99 (ether5 - this is just for debugging; once everything works this will be vlan 10 too)
Problem
My problem is: When connected to WIFIintern (vlan 10) or EG/DG accessport for vlan10, I cannot reach Main-ether10.
Also, if I'm connected to my vlan99 debugging port (DG-ether5), I can only reach DG and Main via Winbox/Web, but not EG.
What I tried so far
As you can see, there is currently a rather strange and unexpected firewall rule in the forward chain: "add action=accept chain=forward comment="WHY\?!" in-interface=BR1". Once I added this rule I was able to get both problems resolved, BUT this also activated VLAN<->VLAN routing, which I don't want. Once the rule is disabled I can only reach "1 hop" basically, but it looks like Main is not switching between the 2 Main-trunk ports (Main-ether6/9) or between the trunks and the access port (Main-ether10).
I also noticed a dynamically added entry in /interface bridge vlan print (on all 3 devices, output below is from Main, entry #4), which I don't understand. Where does this come from? Is this the culprit?
Code:
[admin@Main] > /interface bridge vlan print
Flags: X - disabled, D - dynamic
 #   BRIDGE   VLAN-IDS   CURRENT-TAGGED   CURRENT-UNTAGGED
 0   BR1      10         BR1              ether10
                         ether6
                         ether9
 1   BR1      20         BR1
                         ether6
                         ether9
 2   BR1      30         BR1
                         ether6
                         ether9
 3   BR1      99         BR1
                         ether6
                         ether9
 4 D BR1      1                           BR1
I'm stuck and would really appreciate your help!
elexx