Hi there forum, this is my first post so first of all thanks for all the great work you do here. Mikrotik is definitively not the easiest of ecosystems but boy is it powerful and bang for the buck!
Before I begin let me just clarify that I already did look closely at the classic VLAN thread by pcunite, googled globally and in-the-forum for intervlan Routing and router on a stick setup and similar. I think there's some small step that I fail to notice in all of those and after trying for the last few days I gave up and decided to ask you all hoping someone will be able and willing to help a noob.
Setup
(full dump of config file at the end of the post)
I have a hexS router running RouterOS 7.17.2 in a - yet - lab setup so there's no WAN and no firewall filters yet.
There are 3 VLANs as of now
- 10 - Family
- 30 - CCTV
- 69 - Management
- first one is out of the bridge as it's going to be WAN,
- second is an access port to Management VLAN (part of the bridge)
- third is an access port to Family VLAN (part of the bridge)
- fourth and fifth are access ports to Camera VLAN (part of the bridge)
- SFP port is a trunk port (not necessary for the problem I describe here, also part of the bridge)
I have DHCP and addressing configured for all three VLANs and I successfully receive addresses from the proper pools depending on which port I connect to. So connecting to the Admin port I receive an address in the Management pool, connecting to the Family port I receive a Family pool address, and connecting to either one of the two Camera ports I receive an address in the CCTV VLAN.
There is no firewall yet as I am not yet connected to the internet. Later, proper filter rules will be applied to allow VLANs access to each other based on my criteria and to limit who can talk to the internet and who the internet can talk back to etc. I just want to take it step by step until I - at least mostly - understand what's going on and why I enter the commands I do.
The problem
What I fail to configure is inter-VLAN routing. While I can successfully communicate within one VLAN, I am not able to as much as ping devices on other VLANs. I tried comparing my setup to the one mentioned in Using RouterOS to VLAN your network but I must fail to see some missing piece.
Could you please point my search towards a proper direction? What am I missing?
Also here's a dump of /routing table print:
Code:
[tester@router] > /routing route print
Flags: A - ACTIVE; c - CONNECT; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, AFI, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
     DST-ADDRESS    GATEWAY          AFI   DISTANCE  SCOPE  TARGET-SCOPE  IMMEDIATE-GW
Ac   10.10.10.0/24  family-vlan      ip4   0         10     5             family-vlan
Ac   10.10.30.0/24  camera-vlan      ip4   0         10     5             camera-vlan
Ac   10.10.69.0/24  management-vlan  ip4   0         10     5             management-vlan
A H                 lo               link  0
A H                 camera-port1     link  0
A H                 camera-port2     link  0
A H                 lan-bridge       link  0
A H                 family-vlan      link  0
A H                 camera-vlan      link  0
A H                 management-vlan  link  0
Here's a dump of the configuration I set up. The router is configured by uploading this as a script and with Reset Configuration + No Backup + No Users + No Defaults + Run after: this_script.crs so there's nothing more that I wouldn't share.
Code:
#####################################
# Skip IPv6
#####################################
/ipv6 settings set disable-ipv6=yes forward=no

#####################################
# Miscellaneous
#####################################
# Identity
/system identity set name=router
# Skip IPv6
/ipv6 settings set disable-ipv6=yes forward=no
# temporary user until I have this all ready and will replace this with an SSH key
/user add name=tester group=full password=gogo

#####################################
# Ports designation
#####################################
# rename ports to ease reasoning about which one is which
/interface
set [ find default-name=ether1 ] name=wan-port
set [ find default-name=ether2 ] name=admin-port
set [ find default-name=ether3 ] name=family-port
set [ find default-name=ether4 ] name=camera-port1
set [ find default-name=ether5 ] name=camera-port2
set [ find default-name=sfp1 ] name=trunk-port
# Auto-negotiation does not work with XS+DA0001
/interface ethernet set auto-negotiation=no speed=1G-baseT-full sfp-rate-select=low trunk-port

#####################################
# Bridge setup and trunk ports
#####################################
/interface bridge add name=lan-bridge admin-mac=AA:BB:CC:DD:EE:FF auto-mac=no vlan-filtering=yes protocol-mode=none
/interface bridge port
add bridge=lan-bridge interface=trunk-port frame-types=admit-only-vlan-tagged

#####################################
# VLANs
#####################################

## 10 - Family - 10.10.10.0/24
# VLAN definition and addressing
/interface vlan add interface=lan-bridge name=family-vlan vlan-id=10
/ip address add interface=family-vlan address=10.10.10.1/24
/ip pool add name=family-pool ranges=10.10.10.2-10.10.10.254
/ip dhcp-server add address-pool=family-pool interface=family-vlan name=family-dhcp disabled=no
/ip dhcp-server network add address=10.10.10.0/24 dns-server=10.10.69.1 gateway=10.10.10.1
# Ingress
/interface bridge port add bridge=lan-bridge pvid=10 interface=family-port frame-types=admit-only-untagged-and-priority-tagged
# Egress
/interface bridge vlan add vlan-ids=10 bridge=lan-bridge tagged=lan-bridge,trunk-port untagged=family-port

## 30 - CCTV - 10.10.30.0/24
# VLAN definition and addressing
/interface vlan add interface=lan-bridge name=camera-vlan vlan-id=30
/ip address add interface=camera-vlan address=10.10.30.1/24
/ip pool add name=camera-pool ranges=10.10.1.2-10.10.30.254
/ip dhcp-server add address-pool=camera-pool interface=camera-vlan name=camera-dhcp disabled=no
/ip dhcp-server network add address=10.10.30.0/24 dns-server=10.10.69.1 gateway=10.10.30.1
# Ingress
/interface bridge port add bridge=lan-bridge pvid=30 interface=camera-port1 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port add bridge=lan-bridge pvid=30 interface=camera-port2 frame-types=admit-only-untagged-and-priority-tagged
# Egress
/interface bridge vlan add vlan-ids=30 bridge=lan-bridge tagged=lan-bridge,trunk-port untagged=camera-port1,camera-port2

## 69 - Management - 10.10.69.0/24
## Ethernet Ingress
# Ethernet Ingress for direct attached port
# VLAN definition and addressing
/interface vlan add interface=lan-bridge name=management-vlan vlan-id=69
/ip address add address=10.10.69.1/24 interface=management-vlan
# We start the management pool from .10 up as switches, APs and so on will be statically assigned 1-9
/ip pool add name=management-pool ranges=10.10.69.10-10.10.69.254
/ip dhcp-server add address-pool=management-pool interface=management-vlan name=management-dhcp disabled=no
/ip dhcp-server network add address=10.10.69.0/24 dns-server=10.10.69.1 gateway=10.10.69.1
# Ingress
/interface bridge port add bridge=lan-bridge pvid=69 interface=admin-port frame-types=admit-only-untagged-and-priority-tagged
# Egress
/interface bridge vlan add vlan-ids=69 bridge=lan-bridge tagged=lan-bridge,trunk-port untagged=admin-port
And here's the same thing but as Mikrotik's export show-sensitive dump, if grouping by area is more comfortable for you to read and reason about.
Code:
# 1970-01-02 08:57:56 by RouterOS 7.17.2
# software id = 0TXT-DK95
#
# model = RB760iGS
# serial number = 
/interface bridge
add admin-mac=D4:01:C3:E7:FB:00 auto-mac=no name=lan-bridge protocol-mode=none \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=admin-port
set [ find default-name=ether4 ] name=camera-port1
set [ find default-name=ether5 ] name=camera-port2
set [ find default-name=ether3 ] name=family-port
set [ find default-name=sfp1 ] auto-negotiation=no name=trunk-port
set [ find default-name=ether1 ] name=wan-port
/interface vlan
add interface=lan-bridge name=camera-vlan vlan-id=30
add interface=lan-bridge name=family-vlan vlan-id=10
add interface=lan-bridge name=management-vlan vlan-id=69
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=family-pool ranges=10.10.10.2-10.10.10.254
add name=camera-pool ranges=10.10.1.2-10.10.30.254
add name=management-pool ranges=10.10.69.10-10.10.69.254
/ip dhcp-server
add address-pool=family-pool interface=family-vlan name=family-dhcp
add address-pool=camera-pool interface=camera-vlan name=camera-dhcp
add address-pool=management-pool interface=management-vlan name=management-dhcp
/interface bridge port
add bridge=lan-bridge frame-types=admit-only-vlan-tagged interface=trunk-port
add bridge=lan-bridge frame-types=admit-only-untagged-and-priority-tagged interface=\
    family-port pvid=10
add bridge=lan-bridge frame-types=admit-only-untagged-and-priority-tagged interface=\
    camera-port1 pvid=30
add bridge=lan-bridge frame-types=admit-only-untagged-and-priority-tagged interface=\
    camera-port2 pvid=30
add bridge=lan-bridge frame-types=admit-only-untagged-and-priority-tagged interface=\
    admin-port pvid=69
/ipv6 settings
set disable-ipv6=yes forward=no
/interface bridge vlan
add bridge=lan-bridge tagged=lan-bridge,trunk-port untagged=family-port vlan-ids=10
add bridge=lan-bridge tagged=lan-bridge,trunk-port untagged=camera-port1,camera-port2 \
    vlan-ids=30
add bridge=lan-bridge tagged=lan-bridge,trunk-port untagged=admin-port vlan-ids=69
/ip address
add address=10.10.10.1/24 interface=family-vlan network=10.10.10.0
add address=10.10.30.1/24 interface=camera-vlan network=10.10.30.0
add address=10.10.69.1/24 interface=management-vlan network=10.10.69.0
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.69.1 gateway=10.10.10.1
add address=10.10.30.0/24 dns-server=10.10.69.1 gateway=10.10.30.1
add address=10.10.69.0/24 dns-server=10.10.69.1 gateway=10.10.69.1
/system identity
set name=router
/system note
set show-at-login=no
Post scriptum
This is a scaled down and simplified version of the problem that I reduced my lab to at the moment. Originally there was also a CRS326 connected via SFP trunk that exposes 6 groups of access ports for 6 VLANs. And when I'm on any of the VLANs (management included) I successfully gain access to other devices within this network regardless of whether I plug in via hexS or CRS access ports, so switching passes the trunk just right. I just can't get routing across VLANs to work. Same with the CCTV VLAN and so on, so the VLANs properly span across trunked devices and switching works perfectly, DHCP and so on as well.
This is why I decided to scale the thing down and do everything on the hexS alone to take the CRS out of my picture until I pinpoint what I'm doing wrong, and only then reintroduce the CRS into the configuration.
Best regards
Piotr
Statistics: Posted by piotrlasota — Sun Feb 09, 2025 11:03 pm
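As an added example (not part of the post above and not RouterOS code), the following Python script parses the relevant sections of the export posted above and checks the invariants a bridge-VLAN, router-on-a-stick setup depends on: every VLAN interface has a bridge vlan entry with the bridge itself tagged (otherwise the router CPU never sees that VLAN and the connected route never appears), every access port's pvid has a matching untagged entry, and every DHCP pool lies inside a subnet the router has an address on. The export excerpt embedded in the script is copied from the post; the checks are general and run against any RouterOS 7 export that contains these sections. On this config the bridge-VLAN checks pass, which agrees with the route print showing active connected routes for all three subnets, and the pool check reports that camera-pool's range starts at 10.10.1.2, which is outside 10.10.30.0/24.

```python
# Added example (not the poster's code): consistency checks over a RouterOS 7
# "export" for a bridge-VLAN setup. EXPORT is an excerpt copied from the post
# above; the checks are general and run on any export with these sections.
import ipaddress

EXPORT = """\
/interface vlan
add interface=lan-bridge name=camera-vlan vlan-id=30
add interface=lan-bridge name=family-vlan vlan-id=10
add interface=lan-bridge name=management-vlan vlan-id=69
/ip pool
add name=family-pool ranges=10.10.10.2-10.10.10.254
add name=camera-pool ranges=10.10.1.2-10.10.30.254
add name=management-pool ranges=10.10.69.10-10.10.69.254
/interface bridge port
add bridge=lan-bridge frame-types=admit-only-vlan-tagged interface=trunk-port
add bridge=lan-bridge frame-types=admit-only-untagged-and-priority-tagged interface=\\
    family-port pvid=10
add bridge=lan-bridge frame-types=admit-only-untagged-and-priority-tagged interface=\\
    camera-port1 pvid=30
add bridge=lan-bridge frame-types=admit-only-untagged-and-priority-tagged interface=\\
    camera-port2 pvid=30
add bridge=lan-bridge frame-types=admit-only-untagged-and-priority-tagged interface=\\
    admin-port pvid=69
/interface bridge vlan
add bridge=lan-bridge tagged=lan-bridge,trunk-port untagged=family-port vlan-ids=10
add bridge=lan-bridge tagged=lan-bridge,trunk-port untagged=camera-port1,camera-port2 \\
    vlan-ids=30
add bridge=lan-bridge tagged=lan-bridge,trunk-port untagged=admin-port vlan-ids=69
/ip address
add address=10.10.10.1/24 interface=family-vlan network=10.10.10.0
add address=10.10.30.1/24 interface=camera-vlan network=10.10.30.0
add address=10.10.69.1/24 interface=management-vlan network=10.10.69.0
"""


def parse_export(text):
    """Return {section: [entry, ...]}; each 'add' line becomes a key=value dict."""
    logical = []
    for line in text.splitlines():
        if logical and logical[-1].endswith("\\"):   # join "\"-continued lines
            logical[-1] = logical[-1][:-1] + line.strip()
        else:
            logical.append(line.rstrip())
    sections, current = {}, None
    for line in logical:
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            current.append(dict(tok.split("=", 1) for tok in line[4:].split()))
    return sections


def check_bridge_vlans(cfg):
    """Invariants the bridge VLAN table must satisfy for routing to be possible."""
    findings = []
    by_vid = {}
    for e in cfg.get("/interface bridge vlan", []):
        for vid in e["vlan-ids"].split(","):
            by_vid[int(vid)] = e
    # the bridge itself must be a tagged member, or the router CPU never sees the VLAN
    for v in cfg.get("/interface vlan", []):
        vid, entry = int(v["vlan-id"]), by_vid.get(int(v["vlan-id"]))
        if v["interface"] not in (entry["tagged"].split(",") if entry else []):
            findings.append(f"vlan {vid} ({v['name']}): bridge {v['interface']} is not tagged")
    # every access port's pvid needs a matching untagged entry for egress
    for p in cfg.get("/interface bridge port", []):
        if "pvid" in p:
            entry = by_vid.get(int(p["pvid"]))
            if p["interface"] not in (entry["untagged"].split(",") if entry else []):
                findings.append(f"port {p['interface']}: pvid {p['pvid']} has no untagged bridge vlan entry")
    return findings


def check_pools(cfg):
    """Flag DHCP pool endpoints outside every subnet the router has an address on."""
    subnets = [ipaddress.ip_interface(a["address"]).network for a in cfg.get("/ip address", [])]
    findings = []
    for pool in cfg.get("/ip pool", []):
        for rng in pool["ranges"].split(","):
            for addr in rng.split("-"):
                if not any(ipaddress.ip_address(addr) in net for net in subnets):
                    findings.append(f"pool {pool['name']}: {addr} is outside every connected subnet")
    return findings


def audit(text=EXPORT):
    """Run all checks over an export and return the list of findings."""
    cfg = parse_export(text)
    return check_bridge_vlans(cfg) + check_pools(cfg)


if __name__ == "__main__":
    for finding in audit() or ["no inconsistencies found"]:
        print(finding)
```

To run it against a live device, replace EXPORT with the output of /export (the script only reads the sections listed, so the rest of the export is ignored). The parser is deliberately minimal: it handles the backslash continuation lines RouterOS emits and plain key=value tokens, which covers the sections checked here, but not values containing spaces.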