
L2 issues with vlans

Sat Apr 22, 2023 6:21 pm

Hi,

i just got a new RB5009 running RouterOS 7.8.
At the moment I'm struggling to set it up as my main internet router. The setup is relatively simple:

Modem (Vigor 166) > CSS610-8G-2S+ > CSS326-24G-2S+ > RB5009

I started from a default config. The PPPoE for the modem is passed through a VLAN to the RB5009. At the router I have a stable internet connection, also for the clients WHEN they get the connection. After booting the RB5009, the gateway IP is not reachable in the same L2 broadcast domain (VLAN 1 in this example). It only works when I move the VLAN's IP from the VLAN interface to the bridge and back to the VLAN (?!). The connection then stays stable until the next reboot (or some kind of ARP timeout or so). At the moment I don't understand why this isn't working. DHCP is also not functional: I set up all addresses, pools, etc., but there is not a single lease because of these communication issues. I assume there is some kind of L2 problem, maybe with the bridge config, which I can't figure out at the moment, so any help would be appreciated.
Thanks!

I'm aware that running the WAN VLAN for PPPoE in the same bridge is not nice, but at the moment I just want to get the setup running.

Below you find my /export:
# RouterOS 7.8 export (RB5009) as posted; reviewer comments are marked "NOTE(review)".
# Topology: Vigor 166 modem > CSS610 > CSS326 > RB5009, with the CSS trunk on sfp-sfpplus1.
/interface bridge
# vlan-filtering is on, but no pvid is set on the bridge or on any port below, so the
# RouterOS default pvid 1 applies: VLAN 1 is handled as untagged on br0 itself, while
# vlan1-management (below) is a VLAN interface expecting VLAN 1 tagged towards br0.
# NOTE(review): that mismatch is the most likely cause of the VLAN-1 gateway only answering
# after the IP is moved to the bridge and back - confirm by checking the bridge VLAN table
# for a dynamic VLAN 1 entry. 0x8192 is an unusual STP priority (not a multiple of 4096);
# 0x8000 looks intended - confirm.
add admin-mac=48:A9:8A:97:CF:60 auto-mac=no name=br0 priority=0x8192 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] l2mtu=1514
/interface wireguard
# No peers are present in this export, and the input chain below drops everything not
# arriving from the LAN list, so UDP 13231 is not reachable from the WAN side as configured.
add listen-port=13231 mtu=1420 name=wg0
/interface vlan
# All VLAN interfaces, including the WAN/PPPoE VLAN 7, are children of the same bridge
# (the author acknowledges this is temporary).
add interface=br0 name=vlan1-management vlan-id=1
add interface=br0 name=vlan2-default vlan-id=2
add interface=br0 name=vlan3-guest vlan-id=3
add interface=br0 name=vlan4-iot vlan-id=4
add interface=br0 name=vlan5-server vlan-id=5
add interface=br0 name=vlan6-voice vlan-id=6
add interface=br0 name=vlan7-wan vlan-id=7
add interface=br0 name=vlan8-dmz vlan-id=8
/interface pppoe-client
# PPPoE to the ISP rides on vlan7-wan; the username is redacted ("xxx") in the post.
add add-default-route=yes disabled=no interface=vlan7-wan max-mru=1492 max-mtu=1492 name=pppoe-dtag use-peer-dns=yes user=\
   xxx
/interface list
# DMZ and GUEST lists are defined but no firewall rule below references them.
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=DMZ
add name=GUEST
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool_vlan1-management ranges=10.1.0.100-10.1.0.200
add name=pool_vlan2-default ranges=10.2.0.100-10.2.0.200
add name=pool_vlan3-guest ranges=10.3.0.100-10.3.0.200
add name=pool_vlan4-iot ranges=10.4.0.100-10.4.0.200
add name=pool_vlan5-server ranges=10.5.0.100-10.5.0.200
add name=pool_vlan6-voice ranges=10.6.0.100-10.6.0.200
add name=pool_vlan8-dmz ranges=10.8.0.100-10.8.0.200
/ip dhcp-server
# Seven DHCP servers, but only one /ip dhcp-server network (10.1.0.0/16) is defined
# further down; leases on VLANs 2-6 and 8 would carry no gateway or DNS option.
add address-pool=pool_vlan1-management interface=vlan1-management lease-time=1d10m name=vlan1-management-dhcp
add address-pool=pool_vlan2-default interface=vlan2-default lease-time=1d10m name=vlan2-default-dhcp
add address-pool=pool_vlan3-guest interface=vlan3-guest lease-time=1d10m name=vlan3-guest-dhcp
add address-pool=pool_vlan4-iot interface=vlan4-iot lease-time=1d10m name=vlan4-iot-dhcp
add address-pool=pool_vlan5-server interface=vlan5-server lease-time=1d10m name=vlan5-server-dhcp
add address-pool=pool_vlan6-voice interface=vlan6-voice lease-time=1d10m name=vlan6-voice-dhcp
add address-pool=pool_vlan8-dmz interface=vlan8-dmz lease-time=1d10m name=vlan8-dmz-dhcp
/interface bridge port
# No pvid on any port, so ether2-ether8 are access ports in default VLAN 1 only; none of
# them appears in the explicit VLAN entries below. ether1 is not a bridge member.
add bridge=br0 interface=ether2
add bridge=br0 interface=ether3
add bridge=br0 interface=ether4
add bridge=br0 interface=ether5
add bridge=br0 interface=ether6
add bridge=br0 interface=ether7
add bridge=br0 interface=ether8
add bridge=br0 interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# VLANs 2-8 are tagged only on the SFP+ trunk and on the bridge CPU port (br0).
# There is no entry for VLAN 1 / vlan1-management - see the bridge comment above.
add bridge=br0 tagged=br0,sfp-sfpplus1 vlan-ids=2
add bridge=br0 tagged=br0,sfp-sfpplus1 vlan-ids=3
add bridge=br0 tagged=sfp-sfpplus1,br0 vlan-ids=4
add bridge=br0 tagged=br0,sfp-sfpplus1 vlan-ids=5
add bridge=br0 tagged=sfp-sfpplus1,br0 vlan-ids=6
add bridge=br0 tagged=br0,sfp-sfpplus1 vlan-ids=7
add bridge=br0 tagged=sfp-sfpplus1,br0 vlan-ids=8
/interface list member
# br0 itself is in LAN, so untagged (pvid) traffic on the bridge passes the input chain.
# vlan3-guest and vlan8-dmz are in GUEST/DMZ, not LAN: the "drop all not coming from LAN"
# input rule below blocks them from router services such as DNS (allow-remote-requests=yes).
# NOTE(review): whether DHCP requests from those VLANs are affected by the input chain is
# not visible here - verify on the device.
add interface=br0 list=LAN
add interface=pppoe-dtag list=WAN
add interface=vlan1-management list=LAN
add interface=vlan2-default list=LAN
add interface=vlan4-iot list=LAN
add interface=vlan5-server list=LAN
add interface=vlan6-voice list=LAN
add interface=vlan8-dmz list=DMZ
add interface=vlan3-guest list=GUEST
/ip address
# One /16 per VLAN with the router at x.x.255.254; VLAN 7 (WAN) carries no IP, PPPoE only.
add address=10.1.255.254/16 interface=vlan1-management network=10.1.0.0
add address=10.2.255.254/16 interface=vlan2-default network=10.2.0.0
add address=10.3.255.254/16 interface=vlan3-guest network=10.3.0.0
add address=10.4.255.254/16 interface=vlan4-iot network=10.4.0.0
add address=10.5.255.254/16 interface=vlan5-server network=10.5.0.0
add address=10.6.255.254/16 interface=vlan6-voice network=10.6.0.0
add address=10.8.255.254/16 interface=vlan8-dmz network=10.8.0.0
/ip dhcp-client
# defconf leftover: ether1 is neither bridged nor in the WAN list; the uplink is pppoe-dtag.
add comment=defconf interface=ether1
/ip dhcp-server network
# Only the management network is defined. dns-server=10.5.10.1 points into vlan5-server;
# nothing in this export runs a resolver there - NOTE(review): confirm that host exists.
add address=10.1.0.0/16 dns-server=10.5.10.1 gateway=10.1.255.254 netmask=16
/ip dns
set allow-remote-requests=yes
/ip dns static
# defconf leftover: 192.168.88.1 is not assigned to any interface in this export.
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# Guest isolation rule: disabled, placed in chain=input (router-bound traffic only, so it
# could never block guest-to-VLAN forwarding), and src-address=10.0.3.0/24 does not match
# the guest network 10.3.0.0/16 from /ip address. As written it has no effect.
add action=drop chain=input comment="gast net no internal access" disabled=yes dst-address=10.0.0.0/8 src-address=10.0.3.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# The forward chain only drops un-DSTNATed traffic from WAN; nothing limits traffic between
# the VLANs, so guest, IoT and DMZ hosts can reach every other internal network.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=\
    new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ipv6 firewall address-list
# Unchanged RouterOS default IPv6 bogon list and filter below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=\
    fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=superfortress
/tool mac-server
# MAC-level access (mac-telnet / MAC-WinBox) is limited to the LAN list; GUEST and DMZ are excluded.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
