> I'm assuming the VLAN networks are specifically used for WiFi and the rest of the network is normal LAN traffic.
> In general, I thought that at the router level, without a specific drop rule, VLAN members would be able to connect to other VLAN members through layer 3 routing?
> In other words, even if you had specific ROUTING to go out to the internet, a FW rule would be needed to block inter-VLAN to LAN or other VLAN traffic at the layer 3 routing level (VLANs only block at layer 2).
Correct, VLANs are just for WiFi; everything else sits on LAN 10.0.0.0/24. I'm trying to help a friend of mine with this setup and basically doing this remotely. Unfortunately I don't know anything about MikroTik, so I'm a little bit lost here.
> Configuration for IP Interface and IP Address is not complete. The native LAN must have an address and interface as well. And showing your NAT rules would help.
Correct, from what I understand that L3 switch is just set up as an L2 switch, and since it's PoE I think he uses it to feed some security cameras. If you guys tell me what output to show, I will do that once I get home tonight.
My best guess is the problem is likely to be a source NAT issue, try this:
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether2
Edit: that L3 switch on 10.0.0.0/24, assuming it is acting as an L2 switch?
> Export the config file via the terminal....
> The file will show up in the file directory location and then you have to download it to your computer. (Notepad++ is your friend to read it.)
You will need "export hide-sensitive file=filename" to be able to download the config in a file, else it will only display in the terminal window.
> I believe you need to enable VLAN filtering on the bridge. By default, MikroTik allows communications between any routed interfaces. You would have to use firewall rules to drop any traffic between LAN segments you did not want.
> https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
I will look into that...
> What exactly does and doesn't work now?
> The image gives the first impression that there's a lot of stuff, but on second look there isn't anything special. Just one router with VLANs, a different subnet for each, which serves as gateway for all of them. Firewall config is default, so the only thing it blocks is access from WAN; there's no filtering between VLAN subnets, so everything should be able to communicate with everything else.
> The only thing I see that might need adjusting is the bridge/VLAN config. For example, the IP address on the bridged port (LAN-ETH2) is wrong, it should be on the bridge (but it's not a breaking bug). I'm not completely sure what VLANs on a bridged port do with the current bridge implementation.
You're right, technically there are only 2 interfaces: eth2 with one switch that runs 10.0.0.0/24, and eth6 with a Cisco switch, dot1q trunk and 4 VLANs. The only thing that works is internet for the LAN (eth2, 10.0.0.0/24) and all 4 VLANs (4x WiFi connections); what is not working is communication between 10.0.0.0 and 10.0.10.0. In other words, if I log in with a laptop to WiFi and let's say I get address 10.0.10.120 from the DHCP pool, which I can confirm in the output on the Cisco AP, and try to ping that address from a computer that is wired to LAN 10.0.0.0/24, nothing happens and I get the usual "time out". So there are only 2 things that could prevent this: either the local system has no route to the desired destination, or a remote router reports that it has no route to the destination. Not sure about the firewall, since if that was the case I should receive a different msg.
> Just a quick thought, since you are using a Cisco AP, it doesn't have any client isolation or VLAN filtering on it that is blocking VLAN subnets from communicating, does it?
I don't think so, since I didn't set up anything like that, just a simple setup as far as the Cisco AP goes.
Can't it be the firewall on the laptop? For example, Windows by default drops pings from non-local subnets.
> Is ether6 a trunk (all tagged) or hybrid (some untagged together with tagged) port?
> If it's trunk then it would perhaps work better if that port wasn't a member of the bridge.
> If it's hybrid, I'd make it a trunk by creating another VLAN, used for passing otherwise untagged traffic over trunk connections.
> N.b.: VLAN id 1 is sometimes considered untagged, sometimes tagged. To avoid confusion about that, it's better to avoid using that VLAN id and explicitly configure access ports for a chosen VLAN id (different from 1).
Yes, I was avoiding VLAN 1 since it's not the secure way to do things on a business network. I know if I left everything at the default VLAN 1 I could easily have only 2 SSIDs running on both frequencies, but since I'm not using the default VLAN 1, each radio needs to have its own SSID and VLAN. In other words, VLAN 1 would allow me to have a single SSID "Home" on both 2.4 and 5 GHz at the same time, if that makes sense, at least on Cisco devices, not sure about other manufacturers.
> Did I understand this correctly, this is a home setup? If so, wow, how to NOT set up for Netflix.
What do you mean? And yes, it's kind of both home and work.
/ip firewall mangle
add action=log chain=prerouting dst-port=33333 protocol=tcp
add action=log chain=forward dst-port=33333 protocol=tcp
add action=log chain=postrouting dst-port=33333 protocol=tcp
>> Did I understand this correctly, this is a home setup? If so, wow, how to NOT set up for Netflix.
> What do you mean? And yes, it's kind of both home and work.
>
> What I am saying, to me personally, it is a bit of a complicated setup for a Home Office environment: you have routers doing routing, switches doing routing, multiple VLANs, a RADIUS server doing authentication, etc.
> Based on your OP, you have the below, which indicates routing happening on the Cisco switch 10.0.0.2; is the problem not maybe there?
> /ip route
> add distance=1 dst-address=10.0.10.0/24 gateway=10.0.0.2
Well, like I said, it's not mine but my friend's... mine is even more complicated but built with Cisco equipment only, so I know what to do there... As for the Cisco switch, nothing is happening there besides VLANs and the trunk port... Either way, I will do some more testing when I have a chance....
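Pulling the thread's suggestions together (addresses on VLAN interfaces over the bridge rather than on the bridged port, bridge VLAN filtering with VLAN 1 left unused, explicit forward-chain rules between the subnets, and logging in the forward chain to see whether the failing ping reaches the router at all), here is an added RouterOS example; it is not configuration from the thread, the poster, or MikroTik's documentation. The subnets 10.0.0.0/24 and 10.0.10.0/24 and the ports ether2/ether6 come from the thread; the LAN VLAN id 100, the interface names, the router owning .1 in each subnet, and ether6 carrying only tagged frames are assumptions. It goes one step beyond the thread by letting the wired LAN reach the WiFi VLAN while dropping what the WiFi VLAN initiates toward the wired LAN, instead of leaving every segment open.

```routeros
# Added example (not the thread's or MikroTik's own config). Assumed: wired LAN
# carried as VLAN 100 (hypothetical id, chosen so VLAN 1 stays unused), router
# owns .1 in each subnet, ether6 is a pure trunk to the Cisco switch.

# 1. Bridge ports. Keep vlan-filtering off until the VLAN table is complete,
#    so a half-built table cannot cut off the remote session.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=100 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether6 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes

# 2. VLAN table. The bridge itself is a tagged member of each VLAN so the
#    router can route for it; the other WiFi VLAN ids are added the same way.
/interface bridge vlan
add bridge=bridge1 vlan-ids=100 tagged=bridge1 untagged=ether2
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether6

# 3. L3 lives on VLAN interfaces over the bridge, not on the physical port.
#    Both subnets become connected routes, so no static route to
#    10.0.10.0/24 via another device is needed on this router.
/interface vlan
add interface=bridge1 name=vlan100-lan vlan-id=100
add interface=bridge1 name=vlan10-wifi vlan-id=10
/ip address
add address=10.0.0.1/24 interface=vlan100-lan
add address=10.0.10.1/24 interface=vlan10-wifi

# 4. Forward chain. The router routes between connected subnets by default,
#    so state explicitly what may cross. Rules match top-down; place these
#    above any existing drop rules in the forward chain.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="replies to already allowed flows"
add chain=forward action=log log-prefix="lan2wifi" protocol=icmp \
    src-address=10.0.0.0/24 dst-address=10.0.10.0/24 \
    comment="shows whether the wired-side ping reaches the router"
add chain=forward action=accept \
    src-address=10.0.0.0/24 dst-address=10.0.10.0/24 \
    comment="wired LAN may reach the WiFi VLAN"
add chain=forward action=drop log=yes log-prefix="wifi2lan-drop" \
    src-address=10.0.10.0/24 dst-address=10.0.0.0/24 \
    comment="WiFi clients may not initiate toward the wired LAN"

# 5. Enable filtering last, once ports, VLAN table and addresses are in place.
/interface bridge set bridge1 vlan-filtering=yes
```

If the "lan2wifi" log line never appears while pinging from the wired side, the packet is not reaching this router (wrong gateway or a route pointing at the Cisco switch), which separates a routing problem from a firewall one.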