I've been stuck for days on a problem that I can't solve, and in the meantime I've run out of ideas. Maybe someone can help me out here.
My network is separated into multiple VLANs. For the sake of simplicity, I only list a relevant part of the setup here.
Hardware: RB5009UG+S+
RouterOS 7.2.3
Physical Ports:
- ether1: LAN (untagged, connected to a VLAN-aware network switch, accessing VLAN 1 on this port)
- ether2: WAN (untagged, WAN)
- ether3: WIFI (tagged, Netgear WAX610 access point, providing VLAN 1, 5 and 7).
VLANs on ether3:
- vlan1-wifi-lan (VLAN 1): LAN / trusted network
- vlan5-wifi-guest (VLAN 5): GUEST / untrusted network
- vlan7-wifi-iot (VLAN 7): IOT / semi-trusted network
The WiFi networks for VLAN 1 and 5 work as expected. Setting up VLAN 7 in exactly the same way, also using a separate bridge, failed. I cannot get traffic routed. I already failed to ping a single device.
My most recent try was to skip using a bridge and just use the VLAN interface (vlan7-wifi-iot) directly. I also added logging firewall rules allowing all incoming, outgoing and forwarding traffic for this interface as the topmost firewall rules. I can see some broadcast and multicast packets on UDP port 5353 and continuously on UDP port 67. From any device connected to the WiFi network on VLAN 7, I successfully receive a DHCP response and get an IP address assigned. Resolving DNS or establishing a UDP or TCP connection fails with "network unreachable".
Here is my (simplified) most recent configuration:
/interface bridge
add admin-mac=12:34:56:78:90:AB auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
add ingress-filtering=no name=bridge_guest pvid=5 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment=WIFI
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=ether3 name=vlan1-wifi-lan vlan-id=1
add interface=ether3 name=vlan5-wifi-guest vlan-id=5
add interface=ether3 name=vlan7-wifi-iot vlan-id=7
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=GUEST
add name=IOT
/ip pool
add name=lan-clients ranges=10.12.32.101-10.12.32.199
add name=guest-clients ranges=10.12.88.101-10.12.88.199
add name=iot-clients ranges=10.12.90.101-10.12.90.199
/ip dhcp-server
add add-arp=yes address-pool=lan-clients always-broadcast=yes interface=\
bridge lease-time=1h name=lan
add address-pool=guest-clients always-broadcast=yes interface=bridge_guest \
lease-time=30m name=guest
add add-arp=yes address-pool=iot-clients always-broadcast=yes interface=\
vlan7-wifi-iot lease-time=3m name=iot
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge_guest interface=vlan5-wifi-guest pvid=5
add bridge=bridge interface=vlan1-wifi-lan
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge_guest list=GUEST
add interface=vlan7-wifi-iot list=IOT
/ip address
add address=10.12.32.1/24 interface=bridge network=10.12.32.0
add address=192.168.178.250/24 interface=ether1 network=192.168.178.0
add address=10.12.88.1/24 interface=bridge_guest network=10.12.88.0
add address=10.12.90.0/24 interface=vlan7-wifi-iot network=10.12.90.0
/ip dhcp-server network
add address=10.12.32.0/24 dns-server=10.12.32.1 gateway=10.12.32.1
add address=10.12.88.0/24 dns-server=10.12.88.1 gateway=10.12.88.1
add address=10.12.90.0/24 dns-server=10.12.90.1 gateway=10.12.90.1 netmask=24
/ip firewall filter
add action=accept chain=forward in-interface-list=IOT log=yes log-prefix=\
test-
add action=accept chain=forward log=yes log-prefix=test- out-interface-list=\
IOT
add action=accept chain=input in-interface-list=IOT log=yes log-prefix=test-
add action=accept chain=output log=yes log-prefix=test- out-interface-list=\
IOT
# ...
add action=drop chain=forward comment="DROP POLICY - FORWARD"
add action=drop chain=input comment="DROP POLICY - INPUT"
/ip firewall mangle
add action=log chain=prerouting in-interface-list=IOT log=yes log-prefix=\
test-
add action=log chain=postrouting log=yes log-prefix=test- out-interface-list=\
IOT
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade for iot" log=yes \
log-prefix=test- out-interface-list=IOT
/ip route
add check-gateway=ping disabled=no distance=5 dst-address=0.0.0.0/0 gateway=\
192.168.178.1 pref-src=0.0.0.0 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
I would greatly appreciate any help, ideas or tips.
Thank you.
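As an added check (editor's example, not code from the poster or from MikroTik), the script below parses the RouterOS export format used in the post (section lines starting with "/", add/set commands with key=value pairs, trailing-backslash continuations) and runs two sanity checks over the /ip address and /ip dhcp-server network sections. The embedded SAMPLE_EXPORT is a constructed, trimmed copy of the posted address lines. On that sample it flags the entry 10.12.90.0/24 on vlan7-wifi-iot, whose host part is all-zero (the network address, which no client can use as a gateway), and the DHCP gateway 10.12.90.1, which is not assigned to any interface in the export.

```python
"""Lint a RouterOS '/export' for IP address mistakes.

Added example, not part of the forum post. Checks:
  1. an /ip address entry whose host part is all-zero (network address)
     or all-one (broadcast address) cannot serve as a gateway;
  2. a /ip dhcp-server network gateway that is not configured as an
     address on any interface.
"""
import ipaddress
import shlex

# Constructed sample: a trimmed copy of the address sections from the post.
SAMPLE_EXPORT = """\
/ip address
add address=10.12.32.1/24 interface=bridge network=10.12.32.0
add address=192.168.178.250/24 interface=ether1 network=192.168.178.0
add address=10.12.88.1/24 interface=bridge_guest network=10.12.88.0
add address=10.12.90.0/24 interface=vlan7-wifi-iot network=10.12.90.0
/ip dhcp-server network
add address=10.12.32.0/24 dns-server=10.12.32.1 gateway=10.12.32.1
add address=10.12.88.0/24 dns-server=10.12.88.1 gateway=10.12.88.1
add address=10.12.90.0/24 dns-server=10.12.90.1 gateway=10.12.90.1 netmask=24
"""


def parse_export(text):
    """Return {section: [{key: value, ...}, ...]} for add/set commands."""
    sections = {}
    section = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # continuation: join with the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):         # section header such as "/ip address"
            section = line
            sections.setdefault(section, [])
            continue
        tokens = shlex.split(line)
        if section is None or tokens[0] not in ("add", "set"):
            continue
        entry = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[section].append(entry)
    return sections


def check_addresses(sections):
    """Flag /ip address entries sitting on the network or broadcast address."""
    findings = []
    for entry in sections.get("/ip address", []):
        iface = ipaddress.ip_interface(entry["address"])
        net = iface.network
        # /31 and /32 have no separate network/broadcast address, skip them
        if net.prefixlen < 31 and iface.ip in (net.network_address,
                                               net.broadcast_address):
            findings.append((entry["interface"], entry["address"]))
    return findings


def check_dhcp_gateways(sections):
    """Flag DHCP gateways that are not configured on any interface."""
    configured = {ipaddress.ip_interface(e["address"]).ip
                  for e in sections.get("/ip address", [])}
    findings = []
    for entry in sections.get("/ip dhcp-server network", []):
        gateway = entry.get("gateway")
        if gateway and ipaddress.ip_address(gateway) not in configured:
            findings.append((entry["address"], gateway))
    return findings


def lint(text):
    """Run both checks over an export and return the findings by kind."""
    sections = parse_export(text)
    return {"bad_host_address": check_addresses(sections),
            "unassigned_gateway": check_dhcp_gateways(sections)}


if __name__ == "__main__":
    for kind, items in lint(SAMPLE_EXPORT).items():
        for item in items:
            print(f"{kind}: {item}")
```

To run it against a real device, paste the output of `/export` into SAMPLE_EXPORT or read it from a file; the parser only needs the add/set lines and ignores everything else.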