displacedbuck
just joined
Topic Author
Posts: 3
Joined: Sat Jan 08, 2022 4:11 pm

VLAN communication Help

Sun Jun 19, 2022 5:13 pm

I could use some assistance fixing my configuration. I have been unable to get communication between my main network and the vlan10 which I am setting up for virtual machines. At this point I am sure my configuration has several errors since I have been trying multiple solutions. However, all VLANs work on their own, have internet access, and DNS works.

The main network and VLAN10 share DNS, VLAN2 has its own DNS and VLAN100 has its own DNS. This allows stricter filtering for the kids' network and looser filtering for IoT devices. I want to keep these separate and not communicating out. I would like the main network to be able to communicate to the VLANs, and main and VLAN10 to communicate both ways.

I am attaching the current config and a rough diagram. Any guidance would be greatly appreciated.
/interface bridge
add admin-mac=DC:2C:6E:40:FB:49 auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=ether2 name=guest vlan-id=2
add interface=bridge name=iot vlan-id=100
add interface=bridge name=main vlan-id=1
add interface=bridge name=virtuals vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.1.150-192.168.1.251
add name=dhcp_pool2 ranges=192.168.2.150-192.168.2.254
add name=dhcp_pool3 ranges=192.168.100.150-192.168.100.254
add name=virtual_pool ranges=192.168.10.20-192.168.10.250
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge name=maindhcp
add address-pool=dhcp_pool2 interface=guest name=guestdhcp
add address-pool=dhcp_pool3 interface=iot name=iotdhcp
add address-pool=virtual_pool interface=virtuals name=virtualdhcp
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=ether2 vlan-ids=10
add bridge=bridge tagged=ether2 vlan-ids=100
add bridge=bridge tagged=ether2 vlan-ids=2
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=virtuals list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
add address=192.168.2.1/24 interface=guest network=192.168.2.0
add address=192.168.100.1/24 interface=iot network=192.168.100.0
add address=192.168.10.1/24 interface=virtuals network=192.168.10.0
/ip arp
add address=192.168.1.100 interface=bridge mac-address=70:85:C2:B1:C3:89
add
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.1.10 client-id=ff:42:69:65:2d:0:2:0:0:ab:11:eb:6b:a9:3f:3b:1d:e0:87 mac-address=74:83:C2:11:70:2B server=maindhcp
add address=192.168.1.20 client-id=1:40:9f:38:fc:f:4f mac-address=40:9F:38:FC:0F:4F server=maindhcp
add address=192.168.1.99 client-id=1:a0:ce:c8:38:ef:de mac-address=A0:CE:C8:38:EF:DE server=maindhcp
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 domain=mydomain gateway=192.168.1.1 netmask=16
add address=192.168.2.0/24 comment="kids and guests" dns-server=45.90.28.146,45.90.30.146 domain=mydomain gateway=192.168.2.1 netmask=24
add address=192.168.10.0/24 comment=virtuals dns-server=192.168.1.1 domain=mydomain gateway=192.168.10.1
add address=192.168.100.0/24 comment=iot dns-server=8.8.8.8 domain=iot.mydomain gateway=192.168.100.1 netmask=24
/ip dns
set allow-remote-requests=yes use-doh-server=https://dns.nextdns.io/myid verify-doh-cert=yes
/ip dns static
add address=45.90.28.0 name=dns.nextdns.io
add address=45.90.30.0 name=dns.nextdns.io
add address=2a07:a8c0:: name=dns.nextdns.io type=AAAA
add address=2a07:a8c1:: name=dns.nextdns.io type=AAAA
add address=192.168.1.20 name=canone58496.mydomain ttl=30m
add address=192.168.1.1 name=mikrotik.mydomain ttl=30m
/ip firewall address-list
add address=192.168.1.0/24 list=main
add address=192.168.10.0/24 list=virtuals
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" log=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=forward comment="INTERVLAN: main to virtuals" in-interface=bridge out-interface=virtuals
add action=accept chain=forward comment="INTERVLAN: virtuals to main" in-interface=virtuals out-interface=bridge
add action=accept chain=input comment="virtuals VLAN DNS Access" connection-state=established,related,new dst-port=53 in-interface=virtuals protocol=udp
add action=accept chain=input comment="virtuals VLAN DNS Access" connection-state=established,related,new dst-port=53 in-interface=virtuals protocol=tcp
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input dst-address=192.168.1.25 log=yes src-address=192.168.1.240
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24
set ssh address=192.168.1.0/24 port=2222
set api disabled=yes
set winbox address=192.168.1.0/24
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Chicago
/system identity
set name=microtik
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes
/system ntp client servers
add address=66.228.58.20
add address=45.63.54.13
add address=38.229.56.9
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN communication Help  [SOLVED]

Mon Jun 20, 2022 2:55 am

In DHCP server config, netmask=16 for main subnet is wrong. That's what clients get, so 192.168.1.x client then expects that 192.168.10.x (and any other 192.168.x.x) is directly reachable, but it isn't.
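The mismatch Sob points out can be caught mechanically. The following script is an added example (not from the thread or from MikroTik): it parses the `/ip dhcp-server network` section of a RouterOS export, flags any entry whose explicit `netmask=` disagrees with the prefix length in `address=`, and then shows what a client does with the mask it was handed: with a /16 it treats 192.168.10.x as on-link and ARPs for it instead of sending the packet to the gateway. The sample export embedded below is a constructed copy of the relevant lines from the first post.

```python
"""Lint '/ip dhcp-server network' entries in a RouterOS export for a netmask
that contradicts the subnet prefix, and show the client-side consequence.
Added example; the sample export below is constructed from the posted config."""
import ipaddress
import re

# Constructed sample: the posted '/ip dhcp-server network' section (one bad
# entry, netmask=16 on a /24), followed by an unrelated section that must be
# ignored by the parser.
SAMPLE_EXPORT = """\
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 domain=mydomain gateway=192.168.1.1 netmask=16
add address=192.168.2.0/24 comment="kids and guests" dns-server=45.90.28.146,45.90.30.146 domain=mydomain gateway=192.168.2.1 netmask=24
add address=192.168.10.0/24 comment=virtuals dns-server=192.168.1.1 domain=mydomain gateway=192.168.10.1
add address=192.168.100.0/24 comment=iot dns-server=8.8.8.8 domain=iot.mydomain gateway=192.168.100.1 netmask=24
/ip dns
set allow-remote-requests=yes
"""

# key=value tokens; RouterOS quotes values that contain spaces.
_TOKEN = re.compile(r'(\w[\w-]*)=("[^"]*"|\S+)')


def parse_section(export: str, section: str) -> list[dict]:
    """Return one key/value dict per 'add' line found under the given section."""
    entries = []
    current = None
    for raw in export.splitlines():
        line = raw.strip()
        if line.startswith("/"):          # section header such as '/ip dhcp-server network'
            current = line
            continue
        if current == section and line.startswith("add"):
            entries.append({k: v.strip('"') for k, v in _TOKEN.findall(line)})
    return entries


def find_netmask_mismatches(export: str) -> list[tuple[str, int, int]]:
    """(address, configured netmask, prefix length) for every entry whose
    explicit netmask= does not equal the prefix length of address=.
    Entries without netmask= inherit the prefix and are fine."""
    mismatches = []
    for entry in parse_section(export, "/ip dhcp-server network"):
        network = ipaddress.ip_network(entry["address"], strict=False)
        if "netmask" in entry:
            mask = int(entry["netmask"])
            if mask != network.prefixlen:
                mismatches.append((entry["address"], mask, network.prefixlen))
    return mismatches


def client_treats_as_on_link(client_ip: str, handed_out_mask: int, dst: str) -> bool:
    """True when a client configured with this mask considers dst part of its
    own subnet, i.e. it will ARP for dst directly rather than use the gateway."""
    iface = ipaddress.ip_interface(f"{client_ip}/{handed_out_mask}")
    return ipaddress.ip_address(dst) in iface.network


if __name__ == "__main__":
    for address, mask, prefix in find_netmask_mismatches(SAMPLE_EXPORT):
        print(f"{address}: netmask={mask} handed to clients, subnet is /{prefix}")
    for mask in (16, 24):
        on_link = client_treats_as_on_link("192.168.1.50", mask, "192.168.10.5")
        print(f"client with /{mask}: 192.168.10.5 on-link={on_link}")
```

Run it against a full `/export` and the lint only looks at the DHCP network section; the on-link check is why the symptom was one-directional in practice, since the 192.168.10.x side was handed a correct /24 and routed via its gateway while the 192.168.1.x side tried to ARP for an address that is behind the router.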
 
displacedbuck
just joined
Topic Author
Posts: 3
Joined: Sat Jan 08, 2022 4:11 pm

Re: VLAN communication Help

Mon Jun 20, 2022 3:13 am

Thanks. That solved main being able to reach the other subnets.
Still having issues with virtuals -- VLAN10 being able to reach main.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN communication Help

Mon Jun 20, 2022 3:57 am

If main can reach vlan10, then vlan10 should reach main too. Routing must be ok, otherwise neither would work. And firewall doesn't block it either.
 
displacedbuck
just joined
Topic Author
Posts: 3
Joined: Sat Jan 08, 2022 4:11 pm

Re: VLAN communication Help

Mon Jun 20, 2022 4:30 am

Sorry. You are correct. I had to reboot the server to get it to see the netmask changes.
All appears to be communicating as expected now.

Thanks
