Nuri
just joined
Topic Author
Posts: 15
Joined: Mon Sep 10, 2018 1:25 pm

Activate Internet from incoming VLAN

Mon Aug 01, 2022 12:27 pm

Hi there,

my question is:

I am getting a VLAN 100 from ETH 3 via DHCP Client. I can forward this VLAN to the Switches which are after the Router, but they can not access the Internet. If I am trying to test the connection from ETH3 on my Laptop I have Internet. I think my Router blocks or does not enable the Internet connection because it is not configured.
Is there something missing in the Firewall rule or routes?
 
erlinden
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Activate Internet from incoming VLAN

Mon Aug 01, 2022 2:11 pm

I guess...YES, something is missing.
Please share your configuration so we can provide you with some meaningful information:

/export hide-sensitive file=anynameyoulike (and remove any personal information from it)
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Activate Internet from incoming VLAN

Tue Aug 02, 2022 1:55 am

A network diagram helps to show us the equipment involved, what is connected to all ports and conceptually what traffic flows there should be.
 
Nuri
just joined
Topic Author
Posts: 15
Joined: Mon Sep 10, 2018 1:25 pm

Re: Activate Internet from incoming VLAN

Tue Aug 02, 2022 3:04 pm

I guess...YES, something is missing.
Please share your configuration so we can provide you with some meaningful information:

/export hide-sensitive file=anynameyoulike (and remove any personal information from it)
Hi there, here is the config file:
# aug/02/2022 13:55:32 by RouterOS 6.48.6
#
# model = CCR1009-7G-1C-1S+
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
name="2.4GHz Standard"
/caps-man configuration
add name=Missing
/interface bridge
add name=DisplaySSID protocol-mode=none
add name=bridge_vlan100 protocol-mode=none
add name=hsia protocol-mode=none
add name=mgmt protocol-mode=none
add name=tv protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment=wan1
set [ find default-name=ether2 ] comment=wan2
set [ find default-name=ether3 ] comment=Officenetz
set [ find default-name=ether4 ] comment=hsia-bridge-port
set [ find default-name=ether5 ] comment=mgmnt-bridge-port
set [ find default-name=ether6 ] comment=localbreakout
set [ find default-name=ether7 ] comment="MGMT Port2"
/interface vlan
add interface=ether3 name=vlan100 use-service-tag=yes vlan-id=100
add interface=ether5 name=vlan100_office use-service-tag=yes vlan-id=100
/caps-man datapath
add bridge=hsia client-to-client-forwarding=no local-forwarding=no name=\
hsiapath
add bridge=DisplaySSID client-to-client-forwarding=yes local-forwarding=no \
name=DisplaySSIDpath
/caps-man security
add name=hsiasec
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
name=DisplaySSIDsec
/caps-man configuration
add channel="2.4GHz Standard" channel.frequency=2412 country=germany \
datapath=hsiapath mode=ap name="2.4GHz CH01" security=hsiasec ssid=\
RekaDisentis
add channel="2.4GHz Standard" channel.frequency=2437 country=germany \
datapath=hsiapath mode=ap name="2.4GHz CH06" security=hsiasec ssid=\
RekaDisentis
add channel="2.4GHz Standard" channel.frequency=2462 country=germany \
datapath=hsiapath mode=ap name="2.4GHz CH11" security=hsiasec ssid=\
RekaDisentis
add channel.band=5ghz-onlyac channel.control-channel-width=20mhz \
channel.extension-channel=Ceee channel.reselect-interval=12h \
channel.save-selected=yes country="etsi 5.5-5.7 outdoor" datapath=\
hsiapath mode=ap name=5G_band rx-chains=0,1,2 security=hsiasec ssid=\
RekaDisentis tx-chains=0,1,2
add channel.band=5ghz-a/n channel.control-channel-width=20mhz \
channel.extension-channel=Ce channel.reselect-interval=12h \
channel.save-selected=yes country="etsi 5.5-5.7 outdoor" datapath=\
hsiapath mode=ap name=5G_band_an rx-chains=0,1,2 security=hsiasec ssid=\
RekaDisentis tx-chains=0,1,2
add datapath=DisplaySSIDpath name=DisplaySSID-cfg security=DisplaySSIDsec \
ssid=DisentisDisplay
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool_hsia ranges=10.10.192.2-10.10.255.254
add name=pool_mgmt ranges=172.20.44.5-172.20.44.254
add name=pool_DisplaySSID ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add add-arp=yes address-pool=pool_hsia disabled=no interface=hsia lease-time=\
1d name=server_hsia
add add-arp=yes address-pool=pool_mgmt disabled=no interface=mgmt lease-time=\
12w6d name=server_mgmt
add add-arp=yes address-pool=pool_DisplaySSID disabled=no interface=\
DisplaySSID lease-time=1w name=server_DisplaySSID
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=pub
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=g identity-regexp=\
--2.4CH01 master-configuration="2.4GHz CH01" name-format=prefix-identity \
slave-configurations=DisplaySSID-cfg
add action=create-dynamic-enabled hw-supported-modes=g identity-regexp=\
--2.4CH06 master-configuration="2.4GHz CH06" name-format=prefix-identity \
slave-configurations=DisplaySSID-cfg
add action=create-dynamic-enabled hw-supported-modes=g identity-regexp=\
--2.4CH11 master-configuration="2.4GHz CH11" name-format=prefix-identity \
slave-configurations=DisplaySSID-cfg
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
5G_band name-format=prefix-identity slave-configurations=DisplaySSID-cfg
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
5G_band_an name-format=prefix-identity slave-configurations=\
DisplaySSID-cfg
add comment=CatchAll master-configuration=Missing
/interface bridge filter
add action=drop chain=forward comment="Prevent Intra-BSS attacks" in-bridge=\
hsia out-bridge=hsia
/interface bridge port
add bridge=hsia interface=ether4
add bridge=mgmt interface=ether7
add bridge=mgmt interface=ether5
add bridge=bridge_vlan100 interface=ether3 multicast-router=disabled pvid=100
add bridge=bridge_vlan100 interface=vlan100 multicast-router=disabled
/interface bridge settings
set use-ip-firewall=yes
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set secure-redirects=no tcp-syncookies=yes
/interface bridge vlan
add bridge=bridge_vlan100 tagged=ether5 vlan-ids=100
/ip address
add address=10.10.192.1/18 comment=hotspot interface=hsia network=10.10.192.0
add address=172.20.44.1/24 comment=mgmnt interface=mgmt network=172.20.44.0
add address=192.168.10.1/24 comment=DisplaySSID interface=DisplaySSID \
network=192.168.10.0
add address=172.16.6.1/24 interface=ether3 network=172.16.6.0
/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
add add-default-route=no interface=bridge_vlan100 use-peer-dns=no \
use-peer-ntp=no
add add-default-route=no disabled=no interface=bridge_vlan100 use-peer-dns=no \
use-peer-ntp=no
/ip dhcp-server alert
add disabled=no interface=hsia on-alert=":log info bad_DHCP_Server"
add disabled=no interface=DisplaySSID on-alert=\
":log info DisplaySSID - anderer DHCP Server"
/ip dhcp-server network
add address=10.10.192.0/18 dns-server=10.10.192.1 gateway=10.10.192.1 \
netmask=18 ntp-server=10.10.192.1
add address=172.20.44.0/24 dns-server=172.20.44.1 gateway=172.20.44.1 \
netmask=24 ntp-server=172.20.44.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 \
netmask=24 ntp-server=192.168.10.1
/ip firewall address-list
add address=172.16.60.0/24 list=RZ
add address=10.255.244.0/22 list=RZ
add address=10.255.252.0/22 list=RZ
add address=172.16.6.0 list=Office
/ip firewall filter
add chain=forward dst-address=10.10.192.0/18 src-address=172.16.60.0/24
add chain=forward dst-address=172.16.60.0/24 src-address=10.10.192.0/18
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=drop chain=input comment="drop external ntp" dst-port=123 \
in-interface=ether1 protocol=udp
add action=drop chain=input comment="drop external ntp" dst-port=123 \
in-interface=ether2 protocol=udp
add action=drop chain=input comment="drop external dns" dst-port=53 \
in-interface=ether1 protocol=udp
add action=drop chain=input comment="drop external dns" dst-port=53 \
in-interface=ether1 protocol=tcp
add action=drop chain=input comment="drop external dns" dst-port=53 \
in-interface=ether2 protocol=udp
add action=drop chain=input comment="drop external dns" dst-port=53 \
in-interface=ether2 protocol=tcp
add action=drop chain=forward comment="tv to mgmt" in-interface=tv \
log-prefix=DROP_FW out-interface=mgmt
add chain=input connection-state=established,related
add chain=input protocol=icmp src-address=10.10.192.0/18
add action=drop chain=forward comment="block multicast" src-address-type=\
multicast
add action=drop chain=forward comment="clients to mgmnt-lan" dst-address=\
172.20.44.0/24 src-address=10.10.192.0/18
add chain=forward comment="accept established" connection-state=established
add chain=forward comment="accept related" connection-state=related
add chain=forward comment="rz to mgmnt-lan" dst-address=172.20.44.0/24 \
src-address-list=RZ
add chain=forward comment="mgmnt-lan to rz" dst-address-list=RZ src-address=\
172.20.44.0/24
add action=drop chain=forward comment="mgmnt-lan 2 anywhere" src-address=\
172.20.44.0/24
add action=drop chain=forward comment=eventSSID2RZ dst-address=172.16.0.0/12 \
src-address=192.168.10.0/24
add action=drop chain=forward comment=eventSSID2TV dst-address=192.0.0.0/8 \
src-address=192.168.10.0/24
add action=accept chain=forward disabled=yes src-address-list=Office
add action=accept chain=forward disabled=yes dst-address-list=Office
/ip firewall mangle
add chain=prerouting dst-address-list=RZ
add action=accept chain=prerouting disabled=yes dst-address-list=RZ
add action=mark-connection chain=prerouting comment=unfiltered_clients \
connection-mark=no-mark disabled=yes dst-address-type=!local hotspot=auth \
in-interface=hsia new-connection-mark=hotspotuser passthrough=yes \
src-address=10.10.192.0/18
add action=mark-routing chain=prerouting comment=unfiltered connection-mark=\
hotspotuser disabled=yes dst-address-type="" in-interface=hsia \
new-routing-mark=hotspotuser passthrough=yes
add action=mark-routing chain=output connection-mark=hotspotuser disabled=yes \
new-routing-mark=hotspotuser passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="LB to WAN" out-interface=ether1
add action=masquerade chain=srcnat comment=localbreakout out-interface=ether1
add action=masquerade chain=srcnat comment=localbreakout disabled=yes \
out-interface=bridge_vlan100
add action=accept chain=srcnat disabled=yes out-interface=bridge_vlan100
/ip route
add check-gateway=ping disabled=yes distance=1 gateway=10.255.244.1 \
routing-mark=hotspotuser
add disabled=yes distance=5 gateway=10.255.252.1 routing-mark=hotspotuser
add disabled=yes distance=1 dst-address=10.10.192.0/18 gateway=hsia \
routing-mark=hotspotuser
add distance=10 gateway=ether3
add distance=20 gateway=172.16.6.1
add distance=15 dst-address=172.16.60.0/24 gateway=10.255.244.1
add comment=failback distance=20 dst-address=172.16.60.0/24 gateway=\
10.255.252.1
add distance=10 dst-address=172.16.60.128/25 gateway=10.255.252.1
add check-gateway=ping comment=OpenAppTV-Server distance=1 dst-address=\
172.16.60.211/32 gateway=10.255.244.1
/system ntp client
set enabled=yes primary-ntp=172.16.60.60 secondary-ntp=172.16.60.160
/system ntp server
set enabled=yes
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Activate Internet from incoming VLAN

Tue Aug 02, 2022 3:09 pm

I will agree on the network diagram...
 
Nuri
just joined
Topic Author
Posts: 15
Joined: Mon Sep 10, 2018 1:25 pm

Re: Activate Internet from incoming VLAN

Tue Aug 02, 2022 3:15 pm

I will agree on the network diagram...
I don't know how I can insert Images.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Activate Internet from incoming VLAN

Tue Aug 02, 2022 3:41 pm

Use the insert image icon... :shock:

The question is why you want to "forward" that VLAN to the rest of your network?

Also, VLANs work on Layer 2 and they do not traverse Routers, Layer 3 devices...
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Activate Internet from incoming VLAN

Tue Aug 02, 2022 3:46 pm

@Nuri
(use the Attachments tab, then upload the images directly on the forum, without using 3rd-party servers)
 
Nuri
just joined
Topic Author
Posts: 15
Joined: Mon Sep 10, 2018 1:25 pm

Re: Activate Internet from incoming VLAN

Tue Aug 02, 2022 3:48 pm

My problem is that my Router blocks the internet access from this VLAN?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Activate Internet from incoming VLAN

Tue Aug 02, 2022 3:51 pm

(now it's better ;) )
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Activate Internet from incoming VLAN

Tue Aug 02, 2022 3:58 pm

Where is the VLAN 100 eth3 connected to on your MikroTik Router?
On a Bridge Port or on a WAN port?
 
Nuri
just joined
Topic Author
Posts: 15
Joined: Mon Sep 10, 2018 1:25 pm

Re: Activate Internet from incoming VLAN

Tue Aug 02, 2022 4:00 pm

Where is the VLAN 100 eth3 connected to on your MikroTik Router?
On a Bridge Port or on a WAN port?
It is via a cable on ETH3.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Activate Internet from incoming VLAN

Tue Aug 02, 2022 4:13 pm

In order to use the Bridge VLAN settings and the Bridge port pvid settings, Bridge VLAN filtering must be enabled.
Otherwise your Bridge interface is not VLAN aware...

And of course before you enable it, you should read how it works, otherwise there is a chance to lose connectivity with your device...
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Activate Internet from incoming VLAN

Tue Aug 02, 2022 5:02 pm

I often recommend taking a spare ether port for config purposes off the bridge to avoid loss-of-connectivity issues.
viewtopic.php?t=181718

Just to be clear your ISP gives you internet from an ont/modem to ethernet 3 on the MT, but it comes in riding vlan100 as setup by the ISP.
 
Nuri
just joined
Topic Author
Posts: 15
Joined: Mon Sep 10, 2018 1:25 pm

Re: Activate Internet from incoming VLAN

Tue Aug 02, 2022 5:36 pm

I often recommend taking a spare ether port for config purposes off the bridge to avoid loss-of-connectivity issues.
viewtopic.php?t=181718

Just to be clear your ISP gives you internet from an ont/modem to ethernet 3 on the MT, but it comes in riding vlan100 as setup by the ISP.
Hi there,

No, I am getting Internet for production on ETH1. ETH3 is connected to a VLAN which has Internet too, but my Router blocks that connection to the outside.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Activate Internet from incoming VLAN

Tue Aug 02, 2022 6:57 pm

Got it, ether1 to ISP, ether3 is just a port with vlan100 on it which is allowed perhaps to other vlans but not to your internet.
 
Nuri
just joined
Topic Author
Posts: 15
Joined: Mon Sep 10, 2018 1:25 pm

Re: Activate Internet from incoming VLAN

Tue Aug 02, 2022 7:02 pm

Got it, ether1 to ISP, ether3 is just a port with vlan100 on it which is allowed perhaps to other vlans but not to your internet.
That is correct. When I forward this VLAN 100 to the switches and clients they are in the correct IP range but they have no Internet connection.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Activate Internet from incoming VLAN

Tue Aug 02, 2022 7:36 pm

As said earlier, but ignored, without Bridge VLAN filtering enabled, whatever configuration you've done under /bridge interface related to VLAN settings is simply ignored.

Also, you've added a VLAN interface on a slave Interface https://help.mikrotik.com/docs/display/ ... einterface
which, as you can read above, can lead to some clients not getting an IP.

Overall your config has many many mistakes...
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Activate Internet from incoming VLAN

Wed Aug 03, 2022 2:04 am

Concur, it's like a hodgepodge of different YouTube videos; will work on something better.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Activate Internet from incoming VLAN

Wed Aug 03, 2022 3:50 am

So it's not clear what VLANs go out which ports of the MT router. All I see is that ether5 is connected to the MAIN switch, but not which VLANs actually flow into the switch.
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Activate Internet from incoming VLAN

Wed Aug 03, 2022 8:16 am

Did you configure the router, or did you inherit the problem?

Why are service-tags being used?

/interface vlan
add interface=ether3 name=vlan100 use-service-tag=yes vlan-id=100
add interface=ether5 name=vlan100_office use-service-tag=yes vlan-id=100
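A static check for the three configuration pitfalls raised in this thread (bridge VLAN settings without vlan-filtering, a VLAN interface on a bridge slave port, and use-service-tag=yes), written as an added example; it is not code from the thread or from MikroTik. The sample input is an excerpt of the export posted above, and the section and key names are taken from that export.

```python
"""Check a RouterOS export for the three VLAN pitfalls raised in this thread:
bridge VLAN settings without vlan-filtering, a VLAN interface on a bridge
slave port, and use-service-tag=yes. Added example, not from the thread."""
import shlex

# Constructed sample: an excerpt of the export posted earlier in the thread.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge_vlan100 protocol-mode=none
/interface vlan
add interface=ether3 name=vlan100 use-service-tag=yes vlan-id=100
add interface=ether5 name=vlan100_office use-service-tag=yes vlan-id=100
/interface bridge port
add bridge=mgmt interface=ether5
add bridge=bridge_vlan100 interface=ether3 multicast-router=disabled pvid=100
/interface bridge vlan
add bridge=bridge_vlan100 tagged=ether5 vlan-ids=100
"""

def parse_export(text):
    """Return {section: [{key: value}, ...]}; joins RouterOS '\\' line wraps."""
    sections, section, buf = {}, None, ""
    for raw in text.splitlines():
        line = buf + raw.rstrip()
        if line.endswith("\\"):          # export wraps long lines with '\'
            buf = line[:-1]
            continue
        buf = ""
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
        elif section and line.split(" ", 1)[0] in ("add", "set"):
            pairs = (t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            sections[section].append(dict(pairs))
    return sections

def lint(sections):
    """Return one human-readable finding per pitfall found."""
    findings = []
    bridges = {b.get("name"): b for b in sections.get("/interface bridge", [])}
    ports = sections.get("/interface bridge port", [])
    slaves = {p["interface"]: p["bridge"] for p in ports if "interface" in p}
    # 1. pvid and the bridge VLAN table only apply once vlan-filtering=yes.
    needs_filtering = {p["bridge"] for p in ports if "pvid" in p}
    needs_filtering |= {v["bridge"] for v in sections.get("/interface bridge vlan", [])}
    for name in sorted(needs_filtering):
        if bridges.get(name, {}).get("vlan-filtering") != "yes":
            findings.append(f"{name}: pvid/bridge-vlan entries present but vlan-filtering is not yes")
    for v in sections.get("/interface vlan", []):
        # 2. A VLAN interface on a port that is already a bridge slave.
        if v.get("interface") in slaves:
            findings.append(f"{v['name']}: VLAN interface on {v['interface']}, "
                            f"a slave port of bridge {slaves[v['interface']]}")
        # 3. use-service-tag=yes selects the 802.1ad S-tag (0x88a8), so plain
        #    802.1Q (0x8100) tagged frames from the other side never match.
        if v.get("use-service-tag") == "yes":
            findings.append(f"{v['name']}: use-service-tag=yes (802.1ad S-tag, not 802.1Q)")
    return findings
```

Run `lint(parse_export(open("export.rsc").read()))` against a full `/export` file; the parser skips the `#` header lines and tolerates `set [ find ... ]` entries.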
 
Nuri
just joined
Topic Author
Posts: 15
Joined: Mon Sep 10, 2018 1:25 pm

Re: Activate Internet from incoming VLAN

Wed Aug 03, 2022 11:05 am

As said earlier, but ignored, without Bridge VLAN filtering enabled, whatever configuration you've done under /bridge interface related to VLAN settings is simply ignored.

Also, you've added a VLAN interface on a slave Interface https://help.mikrotik.com/docs/display/ ... einterface
which, as you can read above, can lead to some clients not getting an IP.

Overall your config has many many mistakes...
Hi,

I have tried it with filtering but nothing changed.
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Activate Internet from incoming VLAN

Wed Aug 03, 2022 11:58 am

You may want to look at this old thread, VLAN's tag or untagged, concerning service tags, which are for stacked VLANs (IEEE 802.1ad).
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Activate Internet from incoming VLAN

Wed Aug 03, 2022 8:52 pm

I have tried it with filtering but nothing changed.
Probably because your configuration was wrong...
