Help Help !! can not route between VLAN's :( :(

Hello,

Despite my network knowledge and experiences with e.g. pfSense and a lots of effort (!), I do not manage to route traffic between two local VLAN’s on my new CRS317

The situation
I bought the CRS317 as “10G-core” next to my actual network. For this moment the intended situation is:

• pfSense as “border router” and gateway to ISP
• gs1920 (actual main switch) as 1G-network
• CRS317 as “internal router”, behind pfSense and as 10G-core

Local on the CRS317 there are three VLAN’s which should communicate between themselves:

• Greenzone 10G / NAS
• PC-LAN 10G / workstation
• Route99 the data-route between 1G-network and the 10G-CRS317
  (Default DATA-gateway)

•  Connections to other VLAN's not relevant here.
  

The problem
I can not even ping between the VLAN’s. It, seems (!!??) so easy, however not working

• Between “Greenzone 10G” and “PC-LAN 10G” vlans
• Not between the gateways, and not form the NAS towards the “PC-LAN 10G-gateway”
  Of course comparable problem towards Route99, but that is essentially the same.

Note that I did create a few FW-rules, not to block the traffic, but to see the counters and to create logs.

• When I ping between the NAS and its gateway, I see that the input and output chain are triggerd.
• When I ping towards the NAS I see that the forward chain is triggerd once (towards the NAS)
• At this moment the FW-rules are intended to pass every thing !

I sincerely hope that someone understands why it is not working, and is willing to help !!

Thanks in advance,

Louis
Below, detailed information.


Within GUI-screen interfaces – all vlans and interfaces have status “R” or “RS”

[admin@MikroTik] > ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                                                                                                                                                     
 0   192.168.218.1/24   192.168.218.0   GreenZone 10G                                                                                                                                                                                                                                                 
 1   192.168.216.1/24   192.168.216.0   PC-LAN 10G                                                                                                                                                                                                                                                    
 2   192.168.10.12/24   192.168.10.0    MNGT-LAN                                                                                                                                                                                                                                                      
 3   192.168.88.1/24    192.168.88.0    VLAN88                                                                                                                                                                                                                                                        
 4 D 192.168.10.139/24  192.168.10.0    MNGT-LAN

[admin@MikroTik] > ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0   S  0.0.0.0/0          192.168.1.1     MNGT-LAN                  1
 1 ADS  0.0.0.0/0                          192.168.10.1              1
 2 ADC  192.168.10.0/24    192.168.10.12   MNGT-LAN                  0
 3 ADC  192.168.88.0/24    192.168.88.1    VLAN88                    0
 4 ADC  192.168.216.0/24   192.168.216.1   PC-LAN 10G                0
 5 ADC  192.168.218.0/24   192.168.218.1   GreenZone 10G             0

# aug/26/2019 19:43:22 by RouterOS 6.45.3
# software id = UT7L-U4J9
#
# model = CRS317-1G-16S+
# serial number = xyz
/interface bridge
add admin-mac=xyz auto-mac=no comment=defconf name=\
    VirtualSwitch1 vlan-filtering=yes
/interface ethernet

set [ find default-name=sfp-sfpplus2 ] advertise=100M-full,1000M-full name=\
    "02 GateWay"
set [ find default-name=sfp-sfpplus12 ] advertise=1000M-full,10000M-full \
    name="12 NAS_DATA"
set [ find default-name=sfp-sfpplus16 ] advertise=\
    100M-full,1000M-full,2500M-full,5000M-full,10000M-full name=\
    "16 PC-werkkamer"
set [ find default-name=ether1 ] advertise=100M-full,1000M-full name=\
    "17 LOC-MNGT"
/interface vlan
add interface=VirtualSwitch1 name=DEFAULT-LAN vlan-id=1
add interface=VirtualSwitch1 name="GreenZone 10G" vlan-id=218
add interface="05 GS1920" name=MNGT-LAN vlan-id=10
add interface=VirtualSwitch1 name="PC-LAN 10G" vlan-id=216
add interface="02 GateWay" name=Route99 vlan-id=99
add interface=VirtualSwitch1 name=VLAN88 vlan-id=88
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=PCLAN_POOL ranges=192.168.216.128-192.168.216.253
add name=GZ_POOL ranges=192.168.218.128-192.168.218.253
/ip dhcp-server
add address-pool=PCLAN_POOL disabled=no interface="PC-LAN 10G" name=\
    PCLAN_DHCP
add address-pool=GZ_POOL disabled=no interface="GreenZone 10G" name=GZ_DHCP
/routing bgp instance
set default as=65456 out-filter=connected-in router-id=192.168.10.201 \
    routing-table=MNGT
/interface bridge port
add bridge=VirtualSwitch1 comment=defconf ingress-filtering=yes interface=\
    "17 LOC-MNGT" pvid=88
add bridge=VirtualSwitch1 comment=defconf edge=no frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface="02 GateWay" pvid=\
    1002
add bridge=VirtualSwitch1 comment=defconf edge=no frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface="12 NAS_DATA" \
    pvid=1012
add bridge=VirtualSwitch1 comment=defconf edge=yes frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    "16 PC-werkkamer" pvid=216
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=VirtualSwitch1 comment=MNGT-LAN tagged=\
    "05 GS1920,VirtualSwitch1,11 NAS_EM0" vlan-ids=10
add bridge=VirtualSwitch1 comment="PC-LAN 10G" tagged=\
    "PC-LAN 10G,VirtualSwitch1" untagged="16 PC-werkkamer" vlan-ids=216
add bridge=VirtualSwitch1 comment="GreenZone 10G" tagged=\
    "12 NAS_DATA,VirtualSwitch1" vlan-ids=218
add bridge=VirtualSwitch1 comment="DEFAULT LAN" tagged="VirtualSwitch1,05 GS19\
    20,07 SW-woonkamer,08 SW-logeerkamer,09 SW-SLK-L&N\",10 SW-werkkamer" \
    vlan-ids=1
add bridge=VirtualSwitch1 comment="Route99 CRS317 <> GS1920 DataGW" tagged=\
    "02 GateWay" vlan-ids=99
add bridge=VirtualSwitch1 comment="VLAN88 Local MNGT" tagged=VirtualSwitch1 \
    untagged="17 LOC-MNGT" vlan-ids=88
/interface list member
add interface="17 LOC-MNGT" list=LAN
add interface="02 GateWay" list=WAN
add interface="05 GS1920" list=LAN
add interface="12 NAS_DATA" list=LAN
add interface="13 Server" list=LAN
add interface="14 KVM-Link" list=LAN
add interface="15 S-Elise_LA" list=LAN
add interface="16 PC-werkkamer" list=LAN
/ip address
add address=192.168.218.1/24 interface="GreenZone 10G" network=192.168.218.0
add address=192.168.216.1/24 interface="PC-LAN 10G" network=192.168.216.0
add address=192.168.10.12/24 interface=MNGT-LAN network=192.168.10.0
add address=192.168.88.1/24 interface=VLAN88 network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=MNGT-LAN
/ip dhcp-server network
add address=192.168.216.0/24 dns-server=192.168.216.1 gateway=192.168.216.1
add address=192.168.218.0/24 dns-server=192.168.218.1 gateway=192.168.218.1
/ip firewall filter
add action=drop chain=forward comment=\
    "Block standarised IP-ranges which should not be there" dst-address-list=\
    bogons in-interface-list=WAN
add action=accept chain=input routing-mark=MNGT
add action=accept chain=output routing-mark=MNGT
add action=accept chain=forward routing-mark=MNGT
add action=accept chain=forward dst-address=192.168.218.18 log=yes \
    log-prefix=16to18 src-address=192.168.88.16
add action=accept chain=input log=yes log-prefix=in-src18 src-address=\
    192.168.218.18
add action=accept chain=input dst-address=192.168.218.18 log=yes log-prefix=\
    in-dst18
add action=accept chain=output log=yes log-prefix=out-src18 src-address=\
    192.168.218.18
add action=accept chain=output dst-address=192.168.218.18 log=yes log-prefix=\
    out-dst18
add action=accept chain=input
add action=accept chain=output
add action=accept chain=forward connection-state="" log=yes log-prefix=FORW
add action=drop chain=input log=yes
add action=drop chain=output log=yes
add action=drop chain=forward log=yes
/ip firewall mangle
add action=mark-packet chain=prerouting in-interface=MNGT-LAN \
    new-packet-mark=MNGT-TR passthrough=yes
add action=mark-routing chain=prerouting new-routing-mark=MNGT packet-mark=\
    MNGT-TR passthrough=yes
add action=mark-routing chain=output new-routing-mark=MNGT passthrough=yes \
    src-address=192.168.10.0/24
/ip route
add distance=1 gateway=MNGT-LAN pref-src=192.168.1.1 routing-mark=MNGT
/ip service
set winbox disabled=yes
/routing bgp network
add comment="GreenZone 10G" network=192.168.218.0/24
add comment="PC-LAN 10G" network=192.168.216.0/24
/routing bgp peer
add name=pfSense remote-address=192.168.10.200 remote-as=65123 ttl=default
/system routerboard settings
set boot-os=router-os
/system swos
set allow-from-ports=p5,p17 allow-from-vlan=88

The VLAN setup in config export is a minor mess. I suggest you to read through this tutorial.

BTW, when constructing a member list of interfaces, only individual interface names may be enclosed in double quotes, not the whole list. I.e. tagged=“05 GS1920,VirtualSwitch1,11 NAS_EM0” is not the same as tagged=“05 GS1920”,VirtualSwitch1,“11 NAS_EM0” … the first one sets a single port to be tagged member (but the name is really weird, includes spaces and commas) while the second one sets 3 ports to be tagged members (some of them have spaces in their names).

BTW2, CRS series are switches with some minor L3 capabilities, don’t expect it to be able to route anywhere near wire speed. Their CPU is simply too weak.

Thanks for the link! Looks like a great article.

I am not so glad with the rest of your reaction. Apart of the strange VLAN-routing problem, it is working as intended.

Related to the export, it is only part of the config, so perhaps, there is a quote to much or to less due to cut and pastes.
Also note that the data-gateway (route99) is not ready. Have to fix the switch local problem first. I will probably use a static route for that.

Related to your remark: ‘BTW2, CRS series are switches with some minor L3 capabilities, don’t expect it to be able to route anywhere near wire speed. Their CPU is simply too weak’, I am afraid that is true. To test outer performance and capabilities is one of the reasons I created this set-up. I like pfSense however, using the internal router function could be attractive because:

• One box (pfsense computer) less
• No connections between pfSense and the CRS

Of course I already did read and try a lot already. Not so that the suggested article is the first one I will read. Also not the first time that I am working with networks. So I would have preferred, if you could have told me what the problem is.

Louis

My guess is that the problem is what I wrote in the paragraph starting with “BTW, when constructing a member list of interfaces …”. However, I can’t tell if that’s the main reason because reasons for things not working as intended are numerous and you chose not to show complete configuration stuff.

Ok, few thinks,

• I did read the advised document, good document for beginners but it did not help me. Perhaps issue is related to the FW, even considering that IMHO I effectively turned it off (I regret there is no command for that). Only other issue could be level-2 routing yeh.

• I did not post the whole config, mainly because it is big and probably just take the attention away from what at this moment my main problem is. “inter vlan routing”. Behavoir is rather vague. As example I cannot ping between GW192.168.216.1 and GW 192.168.218.1. And I can not ping the GW192.168.216.1 from the NAS192.168.218.18

• Earlier I detected another issue, I have an incoming trunk (GS1920) with among other things the Management LAN (VLAN10). Of course the GW for that LAN is the source router (pfSense), but this stupid thing (CRS317), thinks that it is the GW. Result is that traffic can leave the VLAN where it should of course stay inside (I worked around that with mangle rules)
  Below the complete config (not yet ready, open issues the inter vlan routing and the incoming static trunk.
  I would very much appreciate if you could help. Trying to find the issue did cost me days!! If you know what is wrong implementing the solution is perhaps 15 min.

Sincerely,

Louis
PS also see my post about accessing CPU and Bridge-port.

# aug/27/2019 16:36:13 by RouterOS 6.45.3
# software id = UT7L-U4J9
#
# model = CRS317-1G-16S+
# serial number = xyz
/interface bridge
add admin-mac=xyzauto-mac=no comment=defconf name=\
    VirtualSwitch1 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] advertise=100M-full,1000M-full name=\
    "01 GLASS-SW"
set [ find default-name=sfp-sfpplus2 ] advertise=100M-full,1000M-full name=\
    "02 GateWay"
set [ find default-name=sfp-sfpplus3 ] advertise=100M-full,1000M-full \
    disabled=yes name="03 R-IGB0-LAG"
set [ find default-name=sfp-sfpplus4 ] advertise=100M-full,1000M-full \
    disabled=yes name="04 R-IGB1-LAG"
set [ find default-name=sfp-sfpplus5 ] advertise=100M-full,1000M-full name=\
    "05 GS1920"
set [ find default-name=sfp-sfpplus6 ] advertise=100M-full,1000M-full \
    disabled=yes name="06 FB-L2_PC_L"
set [ find default-name=sfp-sfpplus7 ] advertise=100M-full,1000M-full \
    disabled=yes name="07 SW-woonkamer"
set [ find default-name=sfp-sfpplus8 ] advertise=100M-full,1000M-full \
    disabled=yes name="08 SW-logeerkamer"
set [ find default-name=sfp-sfpplus9 ] advertise=100M-full,1000M-full \
    disabled=yes name="09 SW-SLK-L&N\""
set [ find default-name=sfp-sfpplus10 ] advertise=100M-full,1000M-full \
    disabled=yes name="10 SW-werkkamer"
set [ find default-name=sfp-sfpplus11 ] advertise=100M-full,1000M-full name=\
    "11 NAS_EM0"
set [ find default-name=sfp-sfpplus12 ] advertise=1000M-full,10000M-full \
    name="12 NAS_DATA"
set [ find default-name=sfp-sfpplus13 ] advertise=\
    100M-full,1000M-full,2500M-full,5000M-full,10000M-full name="13 Server"
set [ find default-name=sfp-sfpplus14 ] advertise=100M-full,1000M-full \
    disabled=yes name="14 KVM-Link"
set [ find default-name=sfp-sfpplus15 ] advertise=100M-full,1000M-full \
    disabled=yes name="15 S-Elise_LA"
set [ find default-name=sfp-sfpplus16 ] advertise=\
    100M-full,1000M-full,2500M-full,5000M-full,10000M-full name=\
    "16 PC-werkkamer"
set [ find default-name=ether1 ] advertise=100M-full,1000M-full name=\
    "17 LOC-MNGT"
/interface vlan
add interface=VirtualSwitch1 name=DEFAULT-LAN vlan-id=1
add interface="05 GS1920" name=GreenZone vlan-id=18
add interface=VirtualSwitch1 name="GreenZone 10G" vlan-id=218
add interface="05 GS1920" name=GuestLAN vlan-id=26
add interface="05 GS1920" name=IOT-LAN vlan-id=13
add interface="05 GS1920" name=IPTV vlan-id=4
add interface="05 GS1920" name=Internet vlan-id=6
add interface="05 GS1920" name=KVM vlan-id=50
add interface="05 GS1920" name=MNGT-LAN vlan-id=10
add interface="05 GS1920" name=PC-LAN vlan-id=16
add interface=VirtualSwitch1 name="PC-LAN 10G" vlan-id=216
add interface="05 GS1920" name=RedZone vlan-id=14
add interface="02 GateWay" name=Route99-UpL vlan-id=99
add interface=VirtualSwitch1 name=VLAN88 vlan-id=88
add interface="05 GS1920" name=VoIP vlan-id=7
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=PCLAN_POOL ranges=192.168.216.128-192.168.216.253
add name=GZ_POOL ranges=192.168.218.128-192.168.218.253
/ip dhcp-server
add address-pool=PCLAN_POOL disabled=no interface="PC-LAN 10G" name=\
    PCLAN_DHCP
add address-pool=GZ_POOL disabled=no interface="GreenZone 10G" name=GZ_DHCP
/routing bgp instance
set default as=65456 out-filter=connected-in router-id=192.168.10.201 \
    routing-table=MNGT
/interface bridge port
add bridge=VirtualSwitch1 comment=defconf ingress-filtering=yes interface=\
    "17 LOC-MNGT" pvid=88
add bridge=VirtualSwitch1 comment=defconf edge=no ingress-filtering=yes \
    interface="01 GLASS-SW" pvid=10
add bridge=VirtualSwitch1 comment=defconf edge=no frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface="02 GateWay" pvid=\
    1002
add bridge=VirtualSwitch1 comment=defconf edge=no frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface="03 R-IGB0-LAG" \
    pvid=1003
add bridge=VirtualSwitch1 comment=defconf edge=no frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface="04 R-IGB1-LAG" \
    pvid=1004
add bridge=VirtualSwitch1 comment=defconf edge=no frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface="05 GS1920" pvid=\
    1005
add bridge=VirtualSwitch1 comment=defconf edge=yes frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    "06 FB-L2_PC_L" pvid=16
add bridge=VirtualSwitch1 comment=defconf edge=no frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface="07 SW-woonkamer" \
    pvid=1007
add bridge=VirtualSwitch1 comment=defconf edge=no frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface=\
    "08 SW-logeerkamer" pvid=1008
add bridge=VirtualSwitch1 comment=defconf edge=no frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface="09 SW-SLK-L&N\"" \
    pvid=1009
add bridge=VirtualSwitch1 comment=defconf edge=no frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface="10 SW-werkkamer" \
    pvid=1010
add bridge=VirtualSwitch1 comment=defconf edge=no frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface="11 NAS_EM0" pvid=\
    1011
add bridge=VirtualSwitch1 comment=defconf edge=no frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface="12 NAS_DATA" \
    pvid=1012
add bridge=VirtualSwitch1 comment=defconf edge=yes frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    "13 Server" pvid=16
add bridge=VirtualSwitch1 comment=defconf edge=yes frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    "14 KVM-Link" pvid=50
add bridge=VirtualSwitch1 comment=defconf edge=yes frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    "15 S-Elise_LA" pvid=16
add bridge=VirtualSwitch1 comment=defconf edge=yes frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    "16 PC-werkkamer" pvid=216
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=VirtualSwitch1 comment=MNGT-LAN tagged=\
    "05 GS1920,VirtualSwitch1,11 NAS_EM0" vlan-ids=10
add bridge=VirtualSwitch1 comment="PC-LAN 10G" tagged=\
    "PC-LAN 10G,VirtualSwitch1" untagged="16 PC-werkkamer" vlan-ids=216
add bridge=VirtualSwitch1 comment="GreenZone 10G" tagged=\
    "12 NAS_DATA,VirtualSwitch1" vlan-ids=218
add bridge=VirtualSwitch1 comment=IPTV tagged="05 GS1920,01 GLASS-SW" \
    vlan-ids=4
add bridge=VirtualSwitch1 comment=Internet tagged="01 GLASS-SW,05 GS1920" \
    vlan-ids=6
add bridge=VirtualSwitch1 comment="DEFAULT LAN" tagged="VirtualSwitch1,05 GS19\
    20,07 SW-woonkamer,08 SW-logeerkamer,09 SW-SLK-L&N\",10 SW-werkkamer" \
    vlan-ids=1
add bridge=VirtualSwitch1 comment=VoIP tagged="01 GLASS-SW,05 GS1920" \
    vlan-ids=7
add bridge=VirtualSwitch1 comment=IOT-LAN tagged="05 GS1920" vlan-ids=13
add bridge=VirtualSwitch1 comment=RedZone tagged="05 GS1920,13 Server" \
    vlan-ids=14
add bridge=VirtualSwitch1 comment=GreenZone tagged="05 GS1920,12 NAS_DATA" \
    vlan-ids=18
add bridge=VirtualSwitch1 comment=KVM-Link tagged="05 GS1920" untagged=\
    "14 KVM-Link" vlan-ids=50
add bridge=VirtualSwitch1 comment=PC-LAN disabled=yes tagged="05 GS1920" \
    untagged="16 PC-werkkamer,06 FB-L2_PC_L,15 S-Elise_LA" vlan-ids=16
add bridge=VirtualSwitch1 comment="Route99 CRS317 <> GS1920 DataGW" tagged=\
    "02 GateWay" vlan-ids=99
add bridge=VirtualSwitch1 comment="VLAN88 Local MNGT" tagged=VirtualSwitch1 \
    untagged="17 LOC-MNGT" vlan-ids=88
/interface list member
add interface="17 LOC-MNGT" list=LAN
add interface="01 GLASS-SW" list=LAN
add interface="02 GateWay" list=WAN
add interface="03 R-IGB0-LAG" list=LAN
add interface="04 R-IGB1-LAG" list=LAN
add interface="05 GS1920" list=LAN
add interface="06 FB-L2_PC_L" list=LAN
add interface="07 SW-woonkamer" list=LAN
add interface="08 SW-logeerkamer" list=LAN
add interface="09 SW-SLK-L&N\"" list=LAN
add interface="10 SW-werkkamer" list=LAN
add interface="11 NAS_EM0" list=LAN
add interface="12 NAS_DATA" list=LAN
add interface="13 Server" list=LAN
add interface="14 KVM-Link" list=LAN
add interface="15 S-Elise_LA" list=LAN
add interface="16 PC-werkkamer" list=LAN
/ip address
add address=192.168.218.1/24 interface="GreenZone 10G" network=192.168.218.0
add address=192.168.216.1/24 interface="PC-LAN 10G" network=192.168.216.0
add address=192.168.10.12/24 interface=MNGT-LAN network=192.168.10.0
add address=192.168.88.1/24 interface=VLAN88 network=192.168.88.0
add address=192.168.99.1/24 interface=Route99-UpL network=192.168.99.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=MNGT-LAN
/ip dhcp-server network
add address=192.168.216.0/24 dns-server=192.168.216.1 gateway=192.168.216.1
add address=192.168.218.0/24 dns-server=192.168.218.1 gateway=192.168.218.1
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
/ip firewall filter
add action=drop chain=forward comment=\
    "Block standarised IP-ranges which should not be there" dst-address-list=\
    bogons in-interface-list=WAN
add action=accept chain=input routing-mark=MNGT
add action=accept chain=output routing-mark=MNGT
add action=accept chain=forward routing-mark=MNGT
add action=accept chain=forward dst-address=192.168.218.18 log=yes \
    log-prefix=16to18 src-address=192.168.88.16
add action=accept chain=input log=yes log-prefix=in-src18 src-address=\
    192.168.218.18
add action=accept chain=input dst-address=192.168.218.18 log=yes log-prefix=\
    in-dst18
add action=accept chain=output log=yes log-prefix=out-src18 src-address=\
    192.168.218.18
add action=accept chain=output dst-address=192.168.218.18 log=yes log-prefix=\
    out-dst18
add action=accept chain=input
add action=accept chain=output
add action=accept chain=forward connection-state="" log=yes log-prefix=FORW
add action=drop chain=input log=yes
add action=drop chain=output log=yes
add action=drop chain=forward log=yes
/ip firewall mangle
add action=mark-packet chain=prerouting in-interface=MNGT-LAN \
    new-packet-mark=MNGT-TR passthrough=yes
add action=mark-routing chain=prerouting new-routing-mark=MNGT packet-mark=\
    MNGT-TR passthrough=yes
add action=mark-routing chain=output new-routing-mark=MNGT passthrough=yes \
    src-address=192.168.10.0/24
/ip route
add distance=1 gateway=MNGT-LAN pref-src=192.168.10.1 routing-mark=MNGT
add disabled=yes distance=1 gateway=Route99-UpL pref-src=192.168.99.1
/ip service
set winbox disabled=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system ntp client
set enabled=yes primary-ntp=192.168.10.1
/system routerboard settings
set boot-os=router-os
/system script
add comment="Generate Bogon List" dont-require-permissions=no name=\
    BogonScript owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall address-list\
    \nadd address=0.0.0.0/8 comment=\"Self-Identification [RFC 3330]\" disable\
    d=no list=bogons;\
    \nadd address=10.0.0.0/8 comment=\"Private[RFC 1918] - CLASS A # Check if \
    you need this subnet before enable it\"\\\
    \ndisabled=yes list=bogons;\
    \nadd address=127.0.0.0/8 comment=\"Loopback [RFC 3330]\" disabled=no list\
    =bogons;\
    \nadd address=169.254.0.0/16 comment=\"Link Local [RFC 3330]\" disabled=no\
    \_list=bogons;\
    \nadd address=172.16.0.0/12 comment=\"Private[RFC 1918] - CLASS B # Check \
    if you need this subnet before enable it\"\\\
    \ndisabled=yes list=bogons;\
    \nadd address=192.168.0.0/16 comment=\"Private[RFC 1918] - CLASS C # Check\
    \_if you need this subnet before enable it\"\\\
    \ndisabled=yes list=bogons;\
    \nadd address=192.0.2.0/24 comment=\"Reserved - IANA - TestNet1\" disabled\
    =no list=bogons;\
    \nadd address=192.88.99.0/24 comment=\"6to4 Relay Anycast [RFC 3068]\" dis\
    abled=no list=bogons;\
    \nadd address=198.18.0.0/15 comment=\"NIDB Testing\" disabled=no list=bogo\
    ns;\
    \nadd address=198.51.100.0/24 comment=\"Reserved - IANA - TestNet2\" disab\
    led=no list=bogons;\
    \nadd address=203.0.113.0/24 comment=\"Reserved - IANA - TestNet3\" disabl\
    ed=no list=bogons;\
    \nadd address=224.0.0.0/4 comment=\"MC, Class D, IANA # Check if you need \
    this subnet before enable it\"\\\
    \ndisabled=yes list=bogons;"
/system swos
set allow-from-ports=p5,p17 allow-from-vlan=88

This information makes me think that it’s not really RB’s fault. What it normally happens is that RB will answer to packets sent to any of its own IP addresses regardless to which interface it’s bound. The reason: when packet gets into the packet flow, one of early checks is whether it should be dealt with using forward or input chain. Only single chain is processing any given packet (unless it’s encapsulated, e.g. into IPsec or MPLS, but that’s not the case here).
So, if you can ping 192.168.218.1 from NAS but not 192.168.216.1, please verify routing settings on NAS.

As I wrote earlier, the setup is minor mess (even if you don’t feel the same way). If I was you, I’d start from default setup and try to configure things from one step at the time. Add two VLANs, no firewall between them, check if things work. If not, debug this simple setup and make it work. Make another step …

I agree,

The fact that the NAS can’t ping 216, is of course that 218 is not the NAS its default route. I did already released that.
For testing I did change the NAS its default route to 218

Now I can ping 216.1 and 88.1 from the NAS. So after all with the actual config it seems to work (dispite the mess )

So the reason I could not find the problem, is there was no problem …..

• appart from the fact that I used the NAS to test, and the NAS had the wrong default route (in regard of this testing) AND
• the CRS-internal ping test which also did not and still does not forward the pings !!! very confusing!

Even now if I test with the ping tool, the routing is not at all OK, but if I test with the NAS it works !!

So, I can continue to finish the config now.

Louis

What exactly are your executing for this test?

Hello,

During my problem investigation, I was pinging gateways and devices. Those test told me that a couple of these “destinations” where not reachable. So I have been doing a lot of thinking and testing about “why for the hell does it not work?”. In a lot of cases I was searching for ghosts. There was no problem.

I am trying to fix other issues, now “such as not working basic vlan’s”. I still do not understand why it does not work (extreme things like works with V6, does not work with V4 etc. GW which can distribute DHCP but are not reachable etc.) So reading the Manual “Layer2 misconfigurations”.

What misconfigurations !!! Wrong RouterOS behaviour !!! “Problems to work around” should the title have been! Sorry!

I also read here about test tools only working if certain conditions are met !.

Stop that shit! It is absolutely necessary that you can trust what test tools are telling you!! If not leave them away! Better not tool that a test tool showing you incorrect data!

Louis