Cannot reach hosts from router

Hi,

I’ve set up my router using VLANs. On the router there is a VLAN-interface in each VLAN on which DHCP is served. DHCP is working and all hosts receive addresses for their appropriate VLAN.

I am on VLAN 31 with my laptop. I can reach hosts on the internet and on the other VLANs.

On the router, I can only ping (/tool/ping) hosts in VLAN 31. Neither of the other VLANs nor internet are reachable.

Any idea what might be the issue? I am new to VLANs, so I assume it might be coming from there. In my old setup with multiple bridges and assigned ports I didn’t have that problem.

Does the router have IP addresses assigned in all different VLAN’s?
You might want to share your config: /export hide-sensitive file=anynameyoulike

No need to see the config. We can use our crystal ball, tarot cards, and ouji board, but lets do get together for a zoom séance, to seal the deal.

Yes, it has:

/ip address
add address=192.168.88.101/24 interface=ether1 network=192.168.88.0
add address=10.31.0.1/24 interface=vlan_31 network=10.31.0.0
add address=10.32.0.1/24 interface=vlan_32 network=10.32.0.0
add address=10.33.0.1/24 interface=vlan_33 network=10.33.0.0
add address=10.34.0.1/24 interface=vlan_34 network=10.34.0.0
add address=10.35.0.1/24 interface=vlan_35 network=10.35.0.0

The current routes are:

     DST-ADDRESS       GATEWAY    DISTANCE
DAv  0.0.0.0/0         pppoe-wan         1
DAc  10.31.0.0/24      vlan_31           0
DAc  10.32.0.0/24      vlan_32           0
DAc  10.33.0.0/24      vlan_33           0
DAc  10.34.0.0/24      vlan_34           0
DAc  10.35.0.0/24      vlan_35           0
DAc  xx.xx.xx.xx/32    pppoe-wan         0
DIcH 192.168.88.0/24   ether1            0

Bridge config:

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3 pvid=31
add bridge=bridge1 interface=ether4 pvid=32
add bridge=bridge1 interface=ether5 pvid=33
add bridge=bridge1 interface=ether7
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2,ether7 vlan-ids=31
add bridge=bridge1 tagged=bridge1,ether2,ether7 vlan-ids=32
add bridge=bridge1 tagged=bridge1,ether2,ether7 vlan-ids=33
add bridge=bridge1 tagged=bridge1,ether2,ether7 vlan-ids=34
add bridge=bridge1 tagged=bridge1,ether2,ether7 vlan-ids=35

Anav, I do now see how you achieved 10k+ posts… Do you really want all users seeking for help to post their entire config, which you can then parse in detail, (even portions that are entirely off-topic) and then write what’s wrong?

Do you really have that much time for free 1st level support for people you don’t even know?

My approach is a little different.

I do not expect others to solve my problems. I’d like to understand the problem and conquer it in an iterative process.

At first I’d appreciate hints. Like erlinden’s. Where would you look first. And I don’t mean things like: did you power-on the device?

Of course, you cannot know, who is on the other end: Is it some high school teenager who is fiddling with new toys? Is it a hard core sysadmin with 30 years of experience with other products? Or is it some random guy who likes to tinker who gives a sh$$ about productions issues?

A doctor doesn’t perform a full MRI scan each time you show up with flatulence. He first asks the simple questions…

So why don’t you come forward with: “have you thought of this-n-that?” “pls send the so-and-so config” “I had that when I forgot to configure blahblahblah”

I really hate these postings, were people attach their entire configs with comments and stuff, and all that off-topic clutter.

I like a more or less nicely written description of the issue I am dealing with, followed by questions and further clarification.

Maybe your experience is different, but I wouldn’t even reply to someone starting with a description of what he WANTS, and what he MESSED_UP so far, and ME to CLEAN it up.

Export of the firewall would be the next step:

/ip/firewall export

/ip firewall filter
add action=drop chain=input comment="drop invalid input packets" connection-state=invalid
add action=drop chain=input comment="drop input packets with TCP urgent flag" protocol=tcp \
    tcp-flags=urg
add action=accept chain=input comment="allow all input on ether1" in-interface=ether1
add action=accept chain=input comment="allow all input from VLAN 31" in-interface=vlan_31
add action=accept chain=input comment="DHCP, NTP for all but external" dst-port=67,68,123 \
    in-interface=!pppoe-wan protocol=udp
add action=drop chain=input comment="final DROP rule on input"
add action=drop chain=forward comment="drop invalid forward packets" connection-state=invalid
add action=drop chain=forward comment="drop forward packets with TCP urgent flag" protocol=tcp \
    tcp-flags=urg
add action=accept chain=forward comment="forward established and related" connection-state=\
    established,related
add action=accept chain=forward comment="forward to everywhere from VLAN 31" \
    in-interface=vlan_31
add action=accept chain=forward comment=\
    "forward TCP DNS requests to Pi-Hole as long as not coming via WAN" dst-address=10.32.0.2 \
    dst-port=53 in-interface=!pppoe-wan protocol=tcp
add action=accept chain=forward comment=\
    "forward UDP DNS requests to Pi-Hole as long as not coming via WAN" dst-address=10.32.0.2 \
    dst-port=53 in-interface=!pppoe-wan protocol=udp
add action=jump chain=forward comment=\
    "apply specific rules for outbound WAN from VLAN 32" in-interface=vlan_32 \
    jump-target=forward_untrusted out-interface=pppoe-wan
add action=drop chain=forward comment="final DROP rule on forward"
add action=accept chain=forward_untrusted comment="allow internet for Pi-Hole" src-address=\
    10.32.0.2
add action=drop chain=forward_untrusted comment="final DROP rule on forward_untrusted"
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade VLAN 31" out-interface=pppoe-wan \
    src-address=10.31.0.0/24
add action=masquerade chain=srcnat comment="masquerade VLAN 32" out-interface=\
    pppoe-wan src-address=10.32.0.0/24
add action=masquerade chain=srcnat comment="masquerade VLAN 33" out-interface=pppoe-wan \
    src-address=10.33.0.0/24
add action=masquerade chain=srcnat comment="masquerade VLAN 34" out-interface=pppoe-wan \
    src-address=10.34.0.0/24
add action=masquerade chain=srcnat comment="masquerade VLAN 35" out-interface=\
    pppoe-wan src-address=10.35.0.0/24
add action=dst-nat chain=dstnat comment="redirect TCP DNS over Pi-Hole" dst-address=!10.32.0.2 \
    dst-port=53 in-interface=!pppoe-wan protocol=tcp src-address=!10.32.0.2 to-addresses=\
    10.32.0.2
add action=dst-nat chain=dstnat comment="redirect UDP DNS over Pi-Hole" dst-address=!10.32.0.2 \
    dst-port=53 in-interface=!pppoe-wan protocol=udp src-address=!10.32.0.2 to-addresses=\
    10.32.0.2

I don't see drop rule counters counting up. I have no specific output rules.

Admittedly, my messaging is not tailored.
Experience has shown not to assume the level of knowledge of the poster.
Experience has shown that the quickest or at least statistically efficient path to success is to provide the config (and a network diagram to boot).
However, since you are special and know so much I wont take your shock at being asked to provide the full config as arrogance.

I will bow out as other more experienced forum advisors are more adept at more complex configurations or sussing out users needs with less information.
Meanwhile I will focus on new users:
https://forum.mikrotik.com/viewtopic.php?p=908118#p908118

You never know what’s off topic, as especially with these “mysteries”, the issue is very often in the part of config the OP doesn’t even expect to be related.

So when the config is posted, you can decide whether you want or not to respond to that topic.

When the OP is as vague as here, there may be a lot of suggestions to offer, so it takes more time to iterate than to read the config and answer once.

found it: missing established & related rule on input chain

What, no way, I need a drink, is the world coming to an end.

The issue was NOT in the original snippets of config provided by the OP.
Unheard of, impossible! Quick, check has hell frozen over?? ( that was for anybody that knows thats where they are headed ;-p )

Glad you have found the issue and fairly obvious from the firewall part of the config!
Now go eat some humble pie.

Muahahaaa, guess how I found it? Bye chatting with a buddy about it, trying some pings and traceroutes, enabling logging for the drop rules (which apperently did count up - my bad).

And I found it myself just by talking about it. Didn’t exchange a single line of config, BTW.

Now go eat some humble pie

Nah, I go for a rum now… Panama, 18 years

But what takes few minutes of chatting with buddy, can take half a day or more here, if you’re exchanging messages with people from all around the world. So it’s not very practical and posting config is usually better. Because then instead of asking several questions, I (or anyone else) can simply look at config and get most answers from there. It can also tell a lot about what I can expect from poster. Sometimes I can see that whole thing is messed up beyond repair, and I can decide in advance to leave the adventure to someone else. At the same time, I don’t like people posting long configs. Best case is someone who has basic idea about what’s going on, is able to post just the right amount of information, and needs only few hints to get going. Or if it’s some interesting exercise, that can be longer and it’s fun.

And @anav is special case, maybe one day I’ll understand his whole plan, which which so far seems to be:

1. Make everyone’s config match mine.
2. ???
3. PROFIT! (maybe?)

Motive: Help poor lost souls like myself, muddle a little bit less through the trials and tribulations of configuring Mikrotik Device. ( The play will be published shortly and could be viewed in a local theatre near you ). I don’t except offers unless they are in the form of Panama! and of course to do that you probably have to get on a plane to visit. Sob, I have a place for you if the Russkies dont stop at Ukraine.

There can only be one!! Config, the rest are imitations.
I call it the KISS config!