mremme
just joined
Topic Author
Posts: 12
Joined: Tue Sep 01, 2020 12:06 pm

VLANs cannot see each other

Sun Dec 05, 2021 12:44 pm

Hi,

I'm facing the huge VLAN world and just came across an issue.
I have a test device where I created a bridge and 2 VLANs (10=LAN, 20=VOICE).
Each network is a /24 subnet and owns a DHCP server.
I've also created 2 virtual WiFi interfaces, one for each VLAN.

VLANs work correctly... ports are assigned and DHCP binds the correct IP to the correct VLAN.

Unfortunately I'm facing the issue that the VLANs do not see each other.
Here is the configuration I made:
[admin@MikroTik] > /export
# jan/02/1970 02:12:49 by RouterOS 6.49.1
# software id = Y6M3-5V8C
#
# model = RB952Ui-5ac2nD
# serial number = 
/interface bridge
add dhcp-snooping=yes igmp-snooping=yes name=br-trunk vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=eth1-LAN
set [ find default-name=ether2 ] name=eth2-LAN
set [ find default-name=ether3 ] name=eth3-LAN
set [ find default-name=ether4 ] name=eth4-VOICE
set [ find default-name=ether5 ] name=eth5-MGMT
/interface wireless
set [ find default-name=wlan1 ] country=italy default-authentication=no default-forwarding=no disabled=no frequency=auto hide-ssid=\
    yes mode=ap-bridge skip-dfs-channels=all ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=br-trunk name=vlan10-LAN vlan-id=10
add interface=br-trunk name=vlan20-VOICE vlan-id=20
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:14:DB:BA master-interface=wlan1 multicast-buffering=disabled name=\
    wlan-LAN ssid=mk10 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:14:DB:BB master-interface=wlan1 multicast-buffering=disabled name=\
    wlan-VOICE ssid=mk20 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface list
add name=vlan-trust
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.10.1-192.168.10.253
add name=dhcp_pool1 ranges=192.168.20.1-192.168.20.253
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan10-LAN name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan20-VOICE name=dhcp2
/interface bridge port
add bridge=br-trunk ingress-filtering=yes interface=eth1-LAN pvid=10 trusted=yes
add bridge=br-trunk ingress-filtering=yes interface=eth2-LAN pvid=10 trusted=yes
add bridge=br-trunk ingress-filtering=yes interface=eth3-LAN pvid=10 trusted=yes
add bridge=br-trunk ingress-filtering=yes interface=eth4-VOICE pvid=20 trusted=yes
add bridge=br-trunk ingress-filtering=yes interface=wlan-LAN pvid=10 trusted=yes
add bridge=br-trunk ingress-filtering=yes interface=wlan-VOICE pvid=20 trusted=yes
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip settings
set max-neighbor-entries=2048
/interface bridge vlan
add bridge=br-trunk tagged=br-trunk untagged=eth1-LAN,eth2-LAN,eth3-LAN,wlan-LAN vlan-ids=10
add bridge=br-trunk tagged=br-trunk untagged=wlan-VOICE,eth4-VOICE vlan-ids=20
/interface list member
add interface=vlan10-LAN list=vlan-trust
add list=vlan-trust
add interface=br-trunk list=vlan-trust
/ip address
add address=192.168.10.254/24 interface=vlan10-LAN network=192.168.10.0
add address=192.168.20.254/24 interface=vlan20-VOICE network=192.168.20.0
add address=192.168.99.1/24 interface=br-trunk network=192.168.99.0
/ip dhcp-server lease
add address=192.168.10.100 client-id=iphone lease-time=20m server=dhcp1
/ip dhcp-server network
add address=192.168.10.0/24 dns-none=yes gateway=192.168.10.254 netmask=24
add address=192.168.20.0/24 dns-none=yes gateway=192.168.20.254 netmask=24
/ip firewall address-list
add address=192.168.10.0/24 list=vlan-trust
add address=192.168.20.0/24 list=vlan-trust
I also tried to enable the bridge/VLAN firewall and add a forward rule between VLAN10-LAN and VLAN20-VOICE (and vice versa) with no success.
Bridge filter also did not succeed.

Ping simply fails. :(
thanks for your support
M
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: VLANs cannot see each other

Sun Dec 05, 2021 2:28 pm

The firewall policy is allow so with no rules any traffic will be successfully forwarded. The set use-ip-firewall-for-vlan=yes is not necessary, it only applies to VLAN-encapsulated traffic transiting the bridge, not to anything routed between VLANs.

Have you checked the firewall settings on the devices which are pinging to/from?
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANs cannot see each other

Sun Dec 05, 2021 4:28 pm

Yup, concur that this should be removed, as 98% of the time it is not needed.
/interface bridge settings
set use-ip-firewall-for-vlan=yes

However the more basic question I have is...... what are you using the device for??
A. ROUTER - nope, you have no ISP or WAN interface.
B. ACCESS POINT/SWITCH - nope, you have no connection to another switch or router to receive traffic from.

So I have to ask what is being attempted here???
 
mremme
just joined
Topic Author
Posts: 12
Joined: Tue Sep 01, 2020 12:06 pm

Re: VLANs cannot see each other

Sun Dec 05, 2021 4:37 pm

The role will be to act as a switch.

the option set use-ip-firewall-for-vlan=yes "appears" once I firstly activate the bridge firewall.

I tried to disable it, disabled the bridge firewall, and that option came back ticked but greyed out.
I tried to disable it via the terminal... and now ping works.....

Could it be an issue with Winbox?
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANs cannot see each other

Sun Dec 05, 2021 8:43 pm

If it's to act as a switch then it's still wrong:
a. Where is the trunk port carrying all the VLANs from the source (usually ether1)?
b. If it's a switch you do not set IP address, IP pool, DHCP server, DHCP server network.

It's pretty basic.
create bridge
identify vlans to belong on that bridge
set bridge ports appropriately
set bridge vlans appropriately
turn vlan filtering on, for the bridge itself

No WAN or LAN, just a MGMT interface list.
The list member is
a. either the Management VLAN, or
b. the home trusted VLAN

ip route is 0.0.0.0/0 gateway =gateway ip of vlan
IP DNS is gateway ip of vlan
macserver winmacserver interface-list=MGMT
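The steps above carried through as a full RouterOS configuration, as an added example that is not from the thread or from MikroTik: the hAP ac2 as a VLAN-aware switch, with ether1 assumed to be the trunk towards the RB4011, VLANs 10/20 and the wlan-LAN/wlan-VOICE virtual APs as in the original export, and an assumed management VLAN 99 whose gateway (the router) is 192.168.99.1.

```routeros
# Added example, not the thread's config. Assumptions: ether1 = trunk to the
# router, ether2-3 = LAN (VLAN 10), ether4 = VOICE (VLAN 20), VLAN 99 = MGMT,
# virtual APs wlan-LAN / wlan-VOICE already exist as in the original export.
# 1. create the bridge (vlan-filtering is turned on last, to avoid lockout)
/interface bridge
add name=br-trunk
# 2./3. bridge ports: trunk accepts only tagged frames, access ports only untagged
/interface bridge port
add bridge=br-trunk interface=ether1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=br-trunk interface=ether2 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=br-trunk interface=ether3 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=br-trunk interface=ether4 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=br-trunk interface=wlan-LAN pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=br-trunk interface=wlan-VOICE pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
# 4. bridge VLAN table: every VLAN is tagged on the trunk; only MGMT reaches the CPU (br-trunk)
/interface bridge vlan
add bridge=br-trunk tagged=ether1 untagged=ether2,ether3,wlan-LAN vlan-ids=10
add bridge=br-trunk tagged=ether1 untagged=ether4,wlan-VOICE vlan-ids=20
add bridge=br-trunk tagged=ether1,br-trunk vlan-ids=99
# management-only L3 interface and interface list (no LAN/WAN lists on a switch)
/interface vlan
add interface=br-trunk name=vlan99-MGMT vlan-id=99
/interface list
add name=MGMT
/interface list member
add interface=vlan99-MGMT list=MGMT
# the only IP address on the switch lives in the MGMT VLAN (assumed 192.168.99.0/24)
/ip address
add address=192.168.99.2/24 interface=vlan99-MGMT
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.99.1
/ip dns
set servers=192.168.99.1
# MAC-server, MAC-Winbox and neighbor discovery restricted to the MGMT list
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT
# 5. finally enable VLAN filtering on the bridge itself
/interface bridge
set br-trunk vlan-filtering=yes
```

Inter-VLAN traffic is then routed (and firewalled) only on the RB4011; the switch itself forwards each VLAN separately and answers management traffic on VLAN 99 alone.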
 
mremme
just joined
Topic Author
Posts: 12
Joined: Tue Sep 01, 2020 12:06 pm

Re: VLANs cannot see each other

Mon Dec 06, 2021 9:13 am

Thanks anav,

My rush in replying made me wrong....

Actually that RB is a lab test: a closed system in which to test VLANs.
Then, once I get confident with the setup, it will be applied to my network (4011 + hAP ac2 + rb951).

Thanks for your support, I'll follow your recommendation.
Thanks
M
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANs cannot see each other

Mon Dec 06, 2021 2:27 pm

No worries, in that case the RB4011 will be the router needing the full VLAN settings, firewall rules etc.
The hAP ac2, being an access point/switch, will need the minimum.

All well captured here with examples.......
viewtopic.php?t=143620
