techfellow
just joined
Topic Author
Posts: 4
Joined: Wed Mar 06, 2024 7:51 pm

RB4011 VLAN traffic getting dropped

Wed Mar 06, 2024 8:59 pm

Hello all :)

I just bought an RB4011+Wifi and have configured VLANs on it the new way.
There is one CAP ac connected to it and generally all is working well. I have 3 VLANs - all the ethernet ports are on VLAN1 for simplicity.
Basically all is how I wanted - 3 VLANs:
  • 30 - IOT - Wifi on 2G - IP 30./24
  • 1 - Servers - IP 50./23
  • 52 - Clients - Wifi on 5G - IP 52./24
The issue: I am able to connect from Wifi 5G (vlan52) to all servers connected to the ethernet ports (vlan1) without issues, but I have noticed that I am not able to connect to some VMs running on the servers from Wifi 5G (vlan52). Some are working fine and to some I have no communication. Then I tried connecting from vlan52 to a printer connected to Wifi 2G (vlan30), also without success.

Previously all was working great on hAP ac2 with 3 bridges and no vlans.

I am attaching the export without the Firewall, as in my opinion it has nothing to do with the issue; disabling all the rules did not change a thing.
# 2024-03-06 19:35:02 by RouterOS 7.14
# model = RB4011iGS+5HacQ2HnD
/caps-man channel add band=2ghz-onlyn control-channel-width=20mhz frequency=2412 name=channel_30 save-selected=no skip-dfs-channels=yes
/caps-man channel add band=5ghz-onlyac control-channel-width=20mhz extension-channel=Ce frequency=5260 name=channel_52 save-selected=no skip-dfs-channels=no tx-power=38
/interface bridge add name=bridge vlan-filtering=yes
/interface ethernet set [ find default-name=ether1 ]
/interface ethernet set [ find default-name=ether2 ] 
/interface ethernet set [ find default-name=ether3 ]
/interface ethernet set [ find default-name=ether4 ] 
/interface ethernet set [ find default-name=ether6 ] 
/interface ethernet set [ find default-name=ether7 ] 
/interface ethernet set [ find default-name=ether8 ] 
/interface ethernet set [ find default-name=ether9 ]
/interface ethernet set [ find default-name=ether10 ] 
/interface wireless set [ find default-name=wlan1 ] band=5ghz-onlyac channel-width=20/40mhz-Ce name=wlan_5 ssid=""
/interface wireless set [ find default-name=wlan2 ] band=2ghz-onlyn country=poland name=wlan_24 ssid=""
/interface vlan add interface=bridge name=vl_clients vlan-id=52
/interface vlan add interface=bridge name=vl_iot vlan-id=30
/caps-man datapath add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=dp_52 vlan-id=52 vlan-mode=use-tag
/caps-man datapath add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=dp_30 vlan-id=30 vlan-mode=use-tag
/caps-man security add authentication-types=wpa2-psk disable-pmkid=yes eap-radius-accounting=no encryption=aes-ccm group-encryption=aes-ccm group-key-update=5m name=security1
/caps-man security add authentication-types=wpa2-psk disable-pmkid=yes eap-radius-accounting=no encryption=aes-ccm group-encryption=aes-ccm group-key-update=5m name=security2
/caps-man configuration add channel=channel_30 country=poland datapath=dp_30 hw-protection-mode=rts-cts installation=indoor keepalive-frames=enabled mode=ap name=cfg_30 rx-chains=0,1,2,3 security=security1 ssid=SSID1 tx-chains=0,1,2,3
/caps-man configuration add channel=channel_52 country=poland datapath=dp_52 hw-protection-mode=rts-cts hw-retries=3 installation=indoor keepalive-frames=enabled mode=ap name=cfg_52 rx-chains=0,1,2,3 security=security2 ssid=SSID2 tx-chains=0,1,2,3
/caps-man interface add configuration=cfg_30 disabled=no l2mtu=1600 mac-address= master-interface=none name=cap2g radio-mac= radio-name=""
/caps-man interface add configuration=cfg_52 disabled=no l2mtu=1600 mac-address= master-interface=none name=cap5g radio-mac= radio-name=""
/caps-man interface add configuration=cfg_30 disabled=no l2mtu=1600 mac-address= master-interface=none name=mt2g radio-mac= radio-name=""
/caps-man interface add configuration=cfg_52 disabled=no l2mtu=1600 mac-address= master-interface=none name=mt5g radio-mac= radio-name=""
/interface list add name=WAN
/interface list add name=LAN
/interface list add name=neighbords
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip pool add name=pool_vl30 ranges=192.168.30.10-192.168.30.90
/ip pool add name=pool_vl50 ranges=192.168.50.1-192.168.50.99
/ip pool add name=pool_vl52 ranges=192.168.52.100-192.168.52.200
/ip dhcp-server add add-arp=yes address-pool=pool_vl30 interface=vl_iot lease-time=4w2d name=dhcp_vl30
/ip dhcp-server add add-arp=yes address-pool=pool_vl52 interface=vl_clients lease-time=3d name=dhcp_vl52
/ip dhcp-server add add-arp=yes address-pool=pool_vl50 interface=bridge lease-time=3d name=dhcp_vl50
/caps-man manager set ca-certificate=auto certificate=auto enabled=yes require-peer-certificate=yes
/caps-man manager interface add disabled=no interface=ether10
/caps-man manager interface add disabled=no interface=lo
/caps-man provisioning add action=create-dynamic-enabled hw-supported-modes=an master-configuration=cfg_30 name-format=prefix name-prefix=CAP2G_
/caps-man provisioning add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=cfg_52 name-format=prefix name-prefix=CAP5G_
/interface bridge port add bridge=bridge interface=ether2
/interface bridge port add bridge=bridge interface=ether3
/interface bridge port add bridge=bridge interface=ether4
/interface bridge port add bridge=bridge interface=ether5
/interface bridge port add bridge=bridge interface=ether6
/interface bridge port add bridge=bridge interface=ether7
/interface bridge port add bridge=bridge interface=ether8
/interface bridge port add bridge=bridge interface=ether9
/interface bridge port add bridge=bridge interface=ether10
/interface bridge port add bridge=bridge interface=veth1
/ip firewall connection tracking set tcp-syn-received-timeout=10s tcp-syn-sent-timeout=10s
/interface bridge vlan add bridge=bridge tagged=bridge vlan-ids=52
/interface bridge vlan add bridge=bridge tagged=bridge vlan-ids=30
/interface list member add interface=ether1 list=WAN
/interface list member add interface=bridge list=neighbords
/interface list member add interface=bridge list=LAN
/interface list member add interface=vl_clients list=LAN
/interface list member add interface=vl_clients list=neighbords
/interface list member add interface=vl_iot list=LAN
/interface wireless cap set caps-man-addresses=127.0.0.1 certificate=request discovery-interfaces=lo enabled=yes interfaces=wlan_24,wlan_5
/ip address add address=192.168.50.250/23 interface=bridge network=192.168.50.0
/ip address add address=192.168.30.250/24 interface=vl_iot network=192.168.30.0
/ip address add address=192.168.52.250/24 interface=vl_clients network=192.168.52.0
/ip dns set allow-remote-requests=yes cache-size=4096KiB max-concurrent-queries=200

 
techfellow
just joined
Topic Author
Posts: 4
Joined: Wed Mar 06, 2024 7:51 pm

Re: RB4011 VLAN traffic getting dropped

Thu Mar 07, 2024 7:28 pm

Moving forward with this issue :)

After resetting printer to defaults the connection is back :)

With the connectivity to VMs I had a look, and if there is more than one network interface connected to a VM, especially one that is able to communicate with the host only (like 192.168.122.0/24), the connection from another VLAN is not possible, as the returning packet is trying to reach the gateway of the internal network.
This gateway should then communicate through the host to the main (Mikrotik) network.
E.g. an SSH connection 192.168.52.200:58012 to 192.168.1.100:22 is passing the bridge, and the returning connection from 192.168.1.100:22 to 192.168.52.200:58012 is not able to pass either the server bridge or the Mikrotik bridge.
Manually adding a route to the Mikrotik gateway makes it work.

I do not know how it worked before the VLANs with the configuration based on 3 bridges, as the connectivity was possible.
 
techfellow
just joined
Topic Author
Posts: 4
Joined: Wed Mar 06, 2024 7:51 pm

Re: RB4011 VLAN traffic getting dropped

Sat Mar 09, 2024 7:28 pm

Moving forward :)

I have noticed that traffic coming from the internal VM network (like 192.168.121.1) to VLAN52 goes through VLAN1 (the 50. network connected to the host) and looks like this:

MTR to 192.168.52.100 (VLAN52) from a VM on the host network (192.168.121.1); 192.168.50.250 is the Mikrotik.
1. 192.168.121.1
2. 192.168.50.250
3. ???

This traffic initiated on the internal VM network going through VLAN1 to VLAN52 is able to pass, but the traffic initiated on VLAN52 and going to a VM NIC connected to VLAN1 is not able to come back to VLAN52. Taking into account that the VMs and the Mikrotik do not have the Firewall activated, why is this traffic getting dropped?
 
gigabyte091
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: RB4011 VLAN traffic getting dropped

Sat Mar 09, 2024 11:41 pm

So I would recommend you to read this before you start messing with VLANs: https://forum.mikrotik.com/viewtopic.php?t=143620

If you plan to use VLANs then don't use VLAN1.
 
k6ccc
Forum Guru
Posts: 1500
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: RB4011 VLAN traffic getting dropped

Sun Mar 10, 2024 12:03 am

+1 on NOT using VLAN 1. Although the Mikrotik will handle it fine, LOTS of other devices treat VLAN 1 as something special - often unpredictably.
 
techfellow
just joined
Topic Author
Posts: 4
Joined: Wed Mar 06, 2024 7:51 pm

Re: RB4011 VLAN traffic getting dropped

Thu Mar 21, 2024 10:57 am

Thank you for all the responses.

I have changed VLAN1 to VLAN50 with no effect.
Virtual machines going through the host network in VLAN50 are still unable to communicate back to clients in VLAN52.
I do not know if this is a Linux VM host bridge issue or Mikrotik forwarding.

I will try to enable on those VMs the option to reply via the same interface, similarly to:
https://serverfault.com/questions/99992 ... ing-in-lan

I think the topic can be closed.
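The asymmetric reply path described in the second post (the VM answers via the host-only gateway instead of the NIC the request arrived on) and the "reply via the same interface" fix mentioned in the last one, as an added simulation that is not part of the thread: the route tables, interface names eth0/eth1 and the VM's LAN address 192.168.50.100 are constructed to match the thread's addressing (host-only 192.168.122.0/24, LAN 192.168.50.0/23 with the MikroTik at 192.168.50.250, client 192.168.52.200).

```python
import ipaddress

# Constructed routes for a VM with two NICs, modelled on the thread:
#   eth0 on the host-only network 192.168.122.0/24 (the default gateway lives there),
#   eth1 on the LAN 192.168.50.0/23, where the MikroTik is 192.168.50.250.
# Entries are (prefix, next_hop or None for a connected route, interface).
MAIN_TABLE = [
    ("0.0.0.0/0",        "192.168.122.1", "eth0"),
    ("192.168.122.0/24", None,            "eth0"),
    ("192.168.50.0/23",  None,            "eth1"),
]

# Extra table consulted only for packets sourced from the eth1 address: the
# Linux equivalent of `ip route add default via 192.168.50.250 table eth1`
# plus `ip rule add from 192.168.50.0/23 lookup eth1` (hypothetical table name).
ETH1_TABLE = [
    ("0.0.0.0/0",       "192.168.50.250", "eth1"),
    ("192.168.50.0/23", None,             "eth1"),
]

def lookup(table, dst):
    """Longest-prefix match; returns (next_hop, interface) or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])

def egress(src, dst, rules):
    """Pick the egress for a packet: the first matching source rule selects
    the table (like `ip rule`), otherwise fall back to the main table."""
    saddr = ipaddress.ip_address(src)
    for src_prefix, table in rules:
        if saddr in ipaddress.ip_network(src_prefix):
            return lookup(table, dst)
    return lookup(MAIN_TABLE, dst)

NO_POLICY = []                                   # plain default-route behaviour
WITH_POLICY = [("192.168.50.0/23", ETH1_TABLE)]  # reply leaves via the arriving NIC

if __name__ == "__main__":
    # Reply from the VM's LAN address (constructed: 192.168.50.100) to the
    # VLAN52 client 192.168.52.200 from the thread.
    print("without policy:", egress("192.168.50.100", "192.168.52.200", NO_POLICY))
    print("with policy:   ", egress("192.168.50.100", "192.168.52.200", WITH_POLICY))
```

Without the source rule the reply is handed to 192.168.122.1 on eth0, which never forwards it toward VLAN52, so the MikroTik sees only one direction of the flow; with the rule the reply goes back out eth1 to the MikroTik.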