No internet on vlan

Hi,

I flashed my Mikrotik RB750Gr3 with the latest release, 19.07.7. I want to set it up as a switch with VLANs.

Modem(DHCP) > Router 1 (Switch) > Mikrotik (Switch with VLAN).

VLAN1 & 2: 192.168.192.0/24
VLAN30: 192.168.30.0/24 (DHCP server is working)

I want ports 1 to 3 to be part of the normal network and port 4 to be part of VLAN 30. I created VLAN 30; however, I am unable to get internet access on that VLAN. What am I missing here?

/etc/config/network

# Loopback interface with the fixed address 127.0.0.1/8.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 unique-local (ULA) prefix configured for this device.
config globals 'globals'
        option ula_prefix 'fd06:fc04:4fce::/48'

# 'lan' is a bridge over eth0.1 (switch VLAN 1). With proto 'dhcp' this device
# is a DHCP client on that segment, not the gateway for it.
# NOTE(review): in the topology described in the post the lease would come from
# Router 1 or the modem, and the default route would then point out of lan,
# not wan. Confirm with `ip route show`.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'dhcp'

# MAC address assigned to eth0.1. Hardware addresses identify the device;
# consider masking them when a config is posted publicly.
config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr '08:55:31:91:2d:f0'

# 'wan' is a DHCP client on eth0.2 (switch VLAN 2).
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

# MAC address assigned to eth0.2.
config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '08:55:31:91:2d:f1'

# DHCPv6 client on the same device as 'wan'.
config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

# Turns on VLAN handling for switch0.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN ID 1: switch ports 1, 2 and 3 untagged, port 6 tagged ('t').
# Port 6 is tagged in every VLAN below, which is consistent with it being the
# CPU port. Confirm for this board.
# NOTE(review): switch port numbers do not necessarily match the labels on the
# case; verify the mapping before relying on it for isolation.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '1 2 3 6t'

# VLAN ID 2: switch port 0 untagged, port 6 tagged. Seen by the system as eth0.2 (wan).
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'
        option vid '2'

# Table slot 3 carries VLAN ID 30. Port 4 is the untagged access port.
# Port 2 is tagged here and untagged in VLAN 1, so whatever is plugged into
# port 2 also receives VLAN 30 frames.
# NOTE(review): the stated goal is ports 1-3 on the normal network only; list a
# port as tagged only if the device behind it is meant to see VLAN 30.
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '30'
        option ports '2t 4 6t'

# Layer-3 interface for VLAN 30: static 192.168.30.1/24 on a bridge over eth0.30.
# The section name 'VPN' is what the firewall zone refers to in its
# 'option network'.
config interface 'VPN'
        option proto 'static'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'
        option type 'bridge'
        option ifname 'eth0.30'

/etc/config/firewall

# Fallback policies for traffic that no zone covers: accept traffic addressed
# to the router and traffic it originates, reject forwarded traffic.
# Because forward is 'REJECT', traffic between two zones passes only where a
# 'config forwarding' section (or a rule) allows it.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Zone for the 'lan' network: everything accepted, no masquerading.
# NOTE(review): if internet-bound traffic from another subnet leaves through
# this zone, it keeps its original source address unless masq is enabled here.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

# Zone for 'wan' and 'wan6': unsolicited input and forwarding are rejected,
# outgoing traffic is masqueraded (masq) and MSS clamping is on (mtu_fix).
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

# Allows traffic from the lan zone to be forwarded out through the wan zone.
config forwarding
        option src 'lan'
        option dest 'wan'

# Rules with a 'src' but no 'dest' apply to traffic addressed to the router itself.

# Accept IPv4 UDP to port 68 from wan, so DHCP replies and renewals reach the client.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Accept IPv4 ICMP echo-request from wan: the router answers pings on its wan side.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept IPv4 IGMP from wan.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept IPv6 UDP to port 546 (DHCPv6 client) from wan, with source and
# destination both inside fc00::/6.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept ICMPv6 types 130, 131, 132 and 143 (multicast listener discovery)
# from link-local sources on wan.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the listed ICMPv6 types addressed to the router from wan,
# rate-limited to 1000 packets per second.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward the listed ICMPv6 types from wan to any zone (dest '*'),
# rate-limited to 1000 packets per second.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward IPsec ESP from wan into lan.
# NOTE(review): this rule and Allow-ISAKMP below open a path from wan into lan;
# they can be removed if no IPsec endpoint sits behind this device.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# Forward UDP port 500 (IKE/ISAKMP) from wan into lan.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Includes the custom rules file /etc/firewall.user.
config include
        option path '/etc/firewall.user'

# Zone for the 'VPN' interface (VLAN 30, 192.168.30.0/24).
# input 'ACCEPT' lets hosts on VLAN 30 reach every service listening on the
# router itself, not only DHCP and DNS.
# NOTE(review): if VLAN 30 is meant to be less trusted than lan, input 'REJECT'
# plus explicit rules for DHCP and DNS would be the tighter choice.
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'VPN'

# Permits vpn -> wan only. There is no vpn -> lan forwarding, and the defaults
# section sets forward 'REJECT', so VLAN 30 traffic that has to leave through
# the lan interface is rejected.
config forwarding
        option dest 'wan'
        option src 'vpn'
  1. Can you ping the IP address of the modem?
  2. Did you start from the default network configuration?
# Index 2 is the third switch_vlan section (VLAN ID 30 in the posted config).
# Replace its port list '2t 4 6t' with '4 6t', which removes port 2's tagged
# membership so that only port 4 (untagged) and port 6 (tagged) carry VLAN 30.
uci set network.@switch_vlan[2].ports="4 6t"
# Write the staged change to /etc/config/network.
uci commit network
# Restart networking so the new port list is applied.
/etc/init.d/network restart
  1. I can ping the modem (192.168.192.1) from the ports that are assigned to vlan1. I cannot ping the modem from the ports assigned to vlan30.
  2. Yes I reflashed the device and wiped the settings.

Still no internet.

Collect the diagnostics and post them to pastebin.com, redacting the private parts (for example public IP addresses, MAC addresses, and any passwords or keys):

# One-shot dump of board and firmware info, the network, firewall and DHCP
# configuration, live addresses, routes and policy rules, the active iptables
# rule set, and the resolver files (head -v prints each file under its name).
# The output contains MAC addresses, the ULA prefix and any public addresses,
# and `uci show network` prints stored credentials (e.g. PPPoE passwords or
# VPN keys) if the config has any, so review and mask it before posting.
ubus call system board; uci show network; uci show firewall; uci show dhcp; \
ip address show; ip route show table all; ip rule show; iptables-save; \
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

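The default route is via lan, not wan, so internet-bound traffic from VLAN 30 leaves through the lan zone and the existing vpn-to-wan forwarding never applies to it.
You should enable masquerading on the lan zone and add a forwarding from the vpn zone to the lan zone. Masquerading is needed because the upstream router presumably has no route back to 192.168.30.0/24. Note that this forwarding also lets VLAN 30 hosts reach the other hosts on 192.168.192.0/24, not only the internet.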


Thank you this was the solution. Everything is working perfectly now! :smile: everyone thank you for your help.

