mkfan
just joined
Topic Author
Posts: 3
Joined: Sun Nov 10, 2024 5:39 pm

Routing between VLANS not working - CRS305

Mon Nov 11, 2024 12:19 am

Hi all,

Trying to implement a simple VLAN configuration on a CRS305-1G-4S+IN, but cannot get the routing between different VLANS to work. Works on other MK routers and I can't figure out what the difference is.

Config looks like the following:
# model = CRS305-1G-4S+
# serial number = xxxx
/interface bridge
add admin-mac=74:4D:28:64:E1:A0 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus2 ] name="sfp-sfpplus2 - 200"
set [ find default-name=sfp-sfpplus3 ] name="sfp-sfpplus3 - 178"
set [ find default-name=sfp-sfpplus4 ] name="sfp-sfpplus4 - NAS"
/interface vlan
add interface=bridge name=VLAN178 vlan-id=178
add interface=bridge name=VLAN200 vlan-id=200
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=VLAN200_pool ranges=192.168.200.100,192.168.200.200
add name=VLAN178_pool ranges=192.168.178.100,192.168.178.200
/ip dhcp-server
add address-pool=VLAN178_pool interface=VLAN178 name=DHCP178
add address-pool=VLAN200_pool interface=VLAN200 name=DHCP200
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether1
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface="sfp-sfpplus2 - 200" pvid=200
add bridge=bridge comment=defconf interface="sfp-sfpplus3 - 178" pvid=178
add bridge=bridge comment=defconf interface="sfp-sfpplus4 - NAS" pvid=178
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=178
add bridge=bridge tagged=bridge vlan-ids=200
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.178.8/24 interface=VLAN178 network=192.168.178.0
add address=192.168.200.8/24 interface=VLAN200 network=192.168.200.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.178.0/24 dns-server=8.8.8.8 gateway=192.168.178.8 netmask=24
add address=192.168.200.0/24 dns-server=8.8.8.8 gateway=192.168.200.8 netmask=24
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
No matter what I do I can't access VLAN178 from VLAN200 - seems to work on other MK routers without problem by default. What am I missing here?

Many thanks!
 
rplant
Long time Member
Posts: 550
Joined: Fri Sep 29, 2017 11:42 am

Re: Routing between VLANS not working - CRS305  [SOLVED]

Mon Nov 11, 2024 2:38 am

Hi,

It seems to work for me.
Though having only 2 ip addresses in the dhcp server pools seems wrong.

It could be the devices you are connecting to on the .200.x and/or 178.x vlans don't have the CRS305 as their default gateway.
(eg. Not configured by the crs dhcp server)
Could also be firewall rules on the CRS (or target devices)

You could enable L3 hardware offload on the crs305 (will bypass any firewall rules you have)
/interface ethernet switch
set 0 l3-hw-offloading=yes
You could check your routes on the crs305.
Mine were the same before I enabled l3 offload, except for the H flag.
[admin@MikroTik] /interface/ethernet/switch> /ip route
[admin@MikroTik] /ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
     DST-ADDRESS       GATEWAY  DISTANCE
DAcH 192.168.88.0/24   bridge          0
DAcH 192.168.178.0/24  VLAN178         0
DAcH 192.168.200.0/24  VLAN200         0
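
An added example, not part of the post above and not MikroTik tooling: a small Python check over a RouterOS export for three points raised in this thread, namely pools written as a comma list instead of a range, DHCP networks whose gateway is not one of the router's own addresses, and L3 hardware offload enabled alongside firewall filter rules. The sample export is constructed from the thread's config, and `parse` and `audit` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample: trimmed from the configs in this thread, with one pool
# and one DHCP gateway altered so that every check has something to report.
SAMPLE = '''\
/ip pool
add name=VLAN200_pool ranges=192.168.200.100,192.168.200.200
add name=VLAN178_pool ranges=192.168.178.100-192.168.178.200
/ip address
add address=192.168.178.8/24 interface=VLAN178 network=192.168.178.0
add address=192.168.200.8/24 interface=VLAN200 network=192.168.200.0
/ip dhcp-server network
add address=192.168.178.0/24 dns-server=8.8.8.8 gateway=192.168.178.8
add address=192.168.200.0/24 dns-server=8.8.8.8 gateway=192.168.200.1
/interface ethernet switch
set 0 l3-hw-offloading=yes
/ip firewall filter
add action=drop chain=forward comment="Drop all else"
'''

def parse(export):
    """Group add/set lines by menu path (no '\\' line continuations)."""
    menus, path = {}, None
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif path and line.startswith(("add ", "set ")):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            menus.setdefault(path, []).append({k: v.strip('"') for k, v in pairs})
    return menus

def audit(export):
    """Return a list of findings for the three checks described above."""
    m, findings = parse(export), []
    for pool in m.get("/ip pool", []):
        # A comma separates individual entries; a range is written from-to.
        if "," in pool["ranges"] and "-" not in pool["ranges"]:
            findings.append(f"pool {pool['name']}: comma list, not a range")
    router_ips = {ipaddress.ip_interface(a["address"]).ip for a in m.get("/ip address", [])}
    for net in m.get("/ip dhcp-server network", []):
        if ipaddress.ip_address(net["gateway"]) not in router_ips:
            findings.append(f"dhcp {net['address']}: gateway {net['gateway']} is not this router")
    offload = any(s.get("l3-hw-offloading") == "yes" for s in m.get("/interface ethernet switch", []))
    if offload and m.get("/ip firewall filter"):
        findings.append("l3-hw-offloading=yes: offloaded traffic bypasses the firewall filter rules")
    return findings
```

The check only covers what DHCP hands out; clients with a static configuration still need their default gateway verified on the client itself.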
 
anav
Forum Guru
Posts: 22169
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing between VLANS not working - CRS305

Mon Nov 11, 2024 3:36 am

1. MISSING SOURCE - which port is WAN PORT, ether1 is disabled, sfpplus 2,3,4 appear to be LAN type ports and sfpplus 1 appears to be LAN port of no definition, wrongly assigned to the bridge for dhcp. Exacerbated because the bridge has no definition for dhcp...
Last Point, Do not put WAN on bridge.

2. Missing defining lans on interface list

3. No firewall rules... one must be mad

Will assume you will connect on WAN1 later.

FIXED
# model = CRS305-1G-4S+
# serial number = xxxx
/interface bridge
add admin-mac=74:4D:28:64:E1:A0 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus2 ] name="sfp-sfpplus2 - 200"
set [ find default-name=sfp-sfpplus3 ] name="sfp-sfpplus3 - 178"
set [ find default-name=sfp-sfpplus4 ] name="sfp-sfpplus4 - NAS"
/interface vlan
add interface=bridge name=VLAN178 vlan-id=178
add interface=bridge name=VLAN200 vlan-id=200
add interface=bridge name=VLAN10 vlan-id=10
/interface list
add name=WAN
add name=LAN
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=VLAN200_pool ranges=192.168.200.100,192.168.200.200
add name=VLAN178_pool ranges=192.168.178.100,192.168.178.200
add name=VLAN10_pool ranges=192.168.88.100,192.168.88.200
/ip dhcp-server
add address-pool=VLAN178_pool interface=VLAN178 name=DHCP178
add address-pool=VLAN200_pool interface=VLAN200 name=DHCP200
add address-pool=VLAN10_pool interface=VLAN10 name=DHCP10
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge ingress-filtering=yes  frame-types=admit-priority-and-untagged interface=sfp-sfpplus1  pvid=10 
add bridge=bridge ingress-filtering=yes  frame-types=admit-priority-and-untagged interface="sfp-sfpplus2 - 200" pvid=200
add bridge=bridge ingress-filtering=yes  frame-types=admit-priority-and-untagged interface="sfp-sfpplus3 - 178" pvid=178
add bridge=bridge ingress-filtering=yes  frame-types=admit-priority-and-untagged  interface="sfp-sfpplus4 - NAS" pvid=178
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridge tagged=bridge  untagged=sfp-sfpplus1   vlan-ids=10
add bridge=bridge tagged=bridge  untagged="sfp-sfpplus3 - 178,sfp-sfpplus4 - NAS"   vlan-ids=178
add bridge=bridge tagged=bridge  untagged="sfp-sfpplus2 - 200"  vlan-ids=200
/interface list member
add interface=ether1 list=WAN
add interface=VLAN10 list=LAN
add interface=VLAN178 list=LAN
add interface=VLAN200 list=LAN
add interface=VLAN10 list=TRUSTED
/ipv6 settings
set disable-ipv6=yes 
/ip address
add address=192.168.88.1/24 interface=VLAN10 network=192.168.88.0
add address=192.168.178.8/24 interface=VLAN178 network=192.168.178.0
add address=192.168.200.8/24 interface=VLAN200 network=192.168.200.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.178.0/24 dns-server=8.8.8.8 gateway=192.168.178.8 
add address=192.168.200.0/24 dns-server=8.8.8.8 gateway=192.168.200.8 
add address=192.168.88.0/24 dns-server=8.8.8.8 gateway=192.168.88.1 
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input  protocol=icmp
add action=accept chain=input comment="LAN ACCESS" in-interface-list=LAN
# add this rule last
add action=drop chain=input comment="Drop all else"
# ++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related 
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward  connection-state=invalid
add action=accept chain=forward comment="internet traffic"  in-interface-list=LAN  out-interface-list=WAN
# disable or remove if not required
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
# add any allow rules between users/devices on vlans HERE!
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
 
mkfan
just joined
Topic Author
Posts: 3
Joined: Sun Nov 10, 2024 5:39 pm

Re: Routing between VLANS not working - CRS305

Sun Nov 17, 2024 12:41 pm

It could be the devices you are connecting to on the .200.x and/or 178.x vlans don't have the CRS305 as their default gateway.
Exactly, missed this point. I thought this is a layer 2 thing only and therefore did not think of the gateways configured on the clients. But of course in this case traffic did not even reach the router.


The other points mentioned were also valid, but not relevant as it was just a quick test setup to figure out this problem. Good to point them out of course!

Many thanks!