ICMP Traceroute to VLAN Interface not working correctly

RouterOS General
1

HI all: really strange behaviour here

RB3011UiAS
RuoterOS 7.19.1

If I configure my RB3011 with no VLANs, just the default router configuration after issuing “reset configuration” with WAN on eth1 and the rest of the ports on a bridge for LAN and I do a traceroute from a PC to the bridge IP 192.168.45.1, both ICMP and UDP traceroutes work as expected (scenario 1):

[root@freepbx ~]# traceroute 192.168.45.1
traceroute to 192.168.45.1 (192.168.45.1), 30 hops max, 60 byte packets
1 router.lan (192.168.45.1) 0.211 ms 0.443 ms 0.493 ms

[root@freepbx ~]# traceroute -I 192.168.45.1
traceroute to 192.168.45.1 (192.168.45.1), 30 hops max, 60 byte packets
1 router.lan (192.168.45.1) 0.201 ms 0.437 ms 0.487 ms


But if I create a VLAN on the bridge and configure everything accordingly, UDP traceroute to the VLAN interface IP 192.168.45.1 works as expected but ICMP traceroute from the same PC as before fails (scenario 2):

[root@freepbx ~]# traceroute 192.168.45.1
traceroute to 192.168.45.1 (192.168.45.1), 30 hops max, 60 byte packets
1 router.lan (192.168.45.1) 0.389 ms 0.417 ms 0.499 ms

[root@freepbx ~]# traceroute -I 192.168.45.1
traceroute to 192.168.45.1 (192.168.45.1), 30 hops max, 60 byte packets
1 router.lan (192.168.45.1) 0.408 ms * *

I really don’t know what I might be missing, firewall rules are the default ones installed by routeros after “reset configuration” in both scenarios, the only thing changing between them is plain bridge on scenario 1 and VLAN on scenario 2

2

Please post your interface configuration (/interface/export) for us to see how exactly did you “inject” VLAN configuration.

3

I followed the instructions from this link:

https://help.mikrotik.com/docs/spaces/ROS/pages/103841826/Basic+VLAN+switching#BasicVLANswitching-Otherdeviceswithabuilt-inswitchchip

ether1=WAN
ether2, 3, 4 and 5=bridge LAN

ether2=tagged port (trunk)
ether3, 4 and 5=untagged port (access)

/interface bridge
add admin-mac=CC:2D:E0:40:34:19 auto-mac=no comment=defconf name=bridge1 port-cost-mode=short
/interface vlan
add comment=“VLAN 45 CUI” interface=bridge1 name=VLAN45 vlan-id=45
/interface ethernet switch port
set 1 vlan-mode=secure
set 2 default-vlan-id=45 vlan-mode=secure
set 3 default-vlan-id=45 vlan-mode=secure
set 4 default-vlan-id=45 vlan-mode=secure
set 10 vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface bridge port
add bridge=bridge1 comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge1 comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge1 comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge1 comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
/interface ethernet switch vlan
add independent-learning=yes ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=45
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN

4

Your device has two switch chips built in … you’re setting port 10 under /interface ethernet switch port … but you want to check (using print command) that it actually belongs to same switch chip (i.e. is it switch1-cpu) as other (ether) ports.

Other than that: your router does respond to ICMP traceroute. It just doesn’t do it 100% of time. Which can be acceptable, some (highly utilized) routers skip sending out those ICMP time exceeded due to (too) high CPU load. I doubt this is the case with your router but never the less.
You may check your firewall to see if it has any rules regarding ICMP (they are IMO not needed in IPv4 and outright detrimental in IPv6) … blocking ICMP doesn’t help with security in any way.

5

Just to clarify, because those index numbers can be misleading:

/interface ethernet switch port
set 1 vlan-mode=secure This is eth2
set 2 default-vlan-id=45 vlan-mode=secure This is eth3
set 3 default-vlan-id=45 vlan-mode=secure This is eth4
set 4 default-vlan-id=45 vlan-mode=secure This is eth5
set 10 vlan-mode=secure This is switch1-cpu

I don’t have any specific firewall rules to block ICMP, on the contrary, the default rule to allow ICMP replies on the input chain is enabled.

I just don’t understand why it doesn’t work when setting up VLANs, is not a heavy loaded router at all. In fact it sits at around 20% when in heavy use.