OK - I have what should be a very simple setup for using VLANs but for some reason it's not working.
The managed switch is setup with the SFP+ port using VLAN tagging for the 4 noted VLANs, and individual ports are setup as access ports for the different VLANs. What's interesting is that I can see that this communication is working properly when vlan-filtering is disabled and I'm plugged into an access port, Winbox shows the IP address of the interface for just that VLAN. It also shows an interface with an IP address of 0.0.0.0 which is puzzling. In this state I can use the Winbox via MAC address to contact the router, but I can't get an IP from the DHCP server, and I can't contact the IP address even when I assign a fixed IP to the workstation in that subnet. As soon as I activate vlan-filtering the router becomes completely unreachable over this interface.
Here's what I've put together based on the documentation and various examples in the forums:
For testing purposes, the WAN connection is unplugged and the firewall rules are simply:
I'm clearly missing something basic here - anyone have an idea?
The managed switch is setup with the SFP+ port using VLAN tagging for the 4 noted VLANs, and individual ports are setup as access ports for the different VLANs. What's interesting is that I can see that this communication is working properly when vlan-filtering is disabled and I'm plugged into an access port, Winbox shows the IP address of the interface for just that VLAN. It also shows an interface with an IP address of 0.0.0.0 which is puzzling. In this state I can use the Winbox via MAC address to contact the router, but I can't get an IP from the DHCP server, and I can't contact the IP address even when I assign a fixed IP to the workstation in that subnet. As soon as I activate vlan-filtering the router becomes completely unreachable over this interface.
Here's what I've put together based on the documentation and various examples in the forums:
Code:
############################################## Basic Configuration/ip dns set servers=1.1.1.1,9.9.9.9/system clock set time-zone-name=Europe/Paris/system identity set name=gw-rmb/system logging add topics=firewall/system note set show-at-login=no#### VLANs ##### Create the bridge to hold VLANs - disabled while I set things up/interface bridge add name=internal-bridge vlan-filtering=no # Add the SFP+ port to the bridge/interface bridge port add bridge=internal-bridge interface=sfp28-2# Add the VLANs as tagged on the internal SFP, attached to the bridge/interface bridge vlan add bridge=internal-bridge tagged=internal-bridge,sfp28-2 vlan-ids=29 /interface bridge vlan add bridge=internal-bridge tagged=internal-bridge,sfp28-2 vlan-ids=30 /interface bridge vlan add bridge=internal-bridge tagged=internal-bridge,sfp28-2 vlan-ids=31/interface bridge vlan add bridge=internal-bridge tagged=internal-bridge,sfp28-2 vlan-ids=32# Create the virtual interfaces for each VLAN on the bridge/interface vlan add interface=internal-bridge name=DMZ vlan-id=29/interface vlan add interface=internal-bridge name=LAN vlan-id=30/interface vlan add interface=internal-bridge name=MGMT vlan-id=31/interface vlan add interface=internal-bridge name=IOT vlan-id=32# Assign IP addresses to the VLAN interfaces/ip address add address=192.168.29.254/24 interface=DMZ network=192.168.29.0/ip address add address=192.168.30.254/24 interface=LAN network=192.168.30.0/ip address add address=192.168.31.254/24 interface=MGMT network=192.168.31.0/ip address add address=192.168.32.254/24 interface=IOT network=192.168.32.0#### DHCP Servers ##### IP Pools to distribute/ip pool add name=dmz_pool ranges=192.168.29.101-192.168.29.199/ip pool add name=lan_pool ranges=192.168.30.101-192.168.30.199/ip pool add name=mgmt_pool ranges=192.168.31.101-192.168.31.199/ip pool add name=iot_pool ranges=192.168.32.101-192.168.32.199# Define DHCP network zones/ip dhcp-server network add address=192.168.29.0/24 comment=DMZ dns-server=192.168.30.199,192.168.20.4 gateway=192.168.29.254/ip dhcp-server network add address=192.168.30.0/24 comment=LAN dns-server=192.168.30.199,192.168.20.4 gateway=192.168.30.254/ip dhcp-server network add address=192.168.31.0/24 comment=MGMT dns-server=192.168.30.199,192.168.20.4 gateway=192.168.31.254/ip dhcp-server network add address=192.168.32.0/24 comment=IOT dns-server=192.168.30.199,192.168.20.4 gateway=192.168.32.254# Enable Servers/ip dhcp-server add address-pool=dmz_pool interface=DMZ name=DMZ/ip dhcp-server add address-pool=lan_pool interface=LAN name=LAN/ip dhcp-server add address-pool=mgmt_pool interface=MGMT name=MGMT/ip dhcp-server add address-pool=iot_pool interface=IOT name=IOTCode:
/ip firewall filteradd action=accept chain=forwardadd action=accept chain=inputI'm clearly missing something basic here - anyone have an idea?
Statistics: Posted by InfraErik — Wed Mar 26, 2025 9:57 am