Imposible getting ping when using vlans

krafg · November 19, 2021, 9:02pm

Hello, i’m trying to get ping between 2 PC’s with firewall disabled but I can’t get response.

PC1 - RBM33G - RB450G - Cisco 2950 - PC2

PC1:

Ethernet: 192.168.100.200/24 - Gateway: 192.168.100.1

RBM33G:

Ether1 and Ether2 under Bridge1
Bridge1: 192.168.100.1/24

RB450G:

Ether1 under VLAN60
VLAN60: 10.0.60.1/24 + DHCP Server
Ether2: 192.168.100.2/24

Cisco 2950:

Ether1: Mode trunk
Ether2: Mode access VLAN60

PC2:

Ethernet: 10.0.60.254 (DHCP)

Configs:

Cisco:

version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
switchport trunk native vlan 100
switchport trunk allowed vlan 1,60,100
switchport mode trunk
!
interface FastEthernet0/2
switchport access vlan 60
switchport mode access
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
switchport mode trunk
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan100
ip address 10.0.100.101 255.255.255.0
no ip route-cache
!
ip default-gateway 10.0.100.1
ip http server
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
!
end

RB450G:

/interface ethernet
set [ find default-name=ether2 ] name=ether2-Telefonia
/interface vlan
add interface=ether1 name=vlan60 vlan-id=60
add interface=ether5 name=vlan100 vlan-id=100
/ip pool
add name=dhcp_pool1 ranges=10.0.60.2-10.0.60.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlan60 name=dhcp2
/ip address
add address=10.0.60.1/24 interface=vlan60 network=10.0.60.0
add address=192.168.100.2/24 interface=ether2-Telefonia network=192.168.100.0
add address=10.0.100.1/24 interface=vlan100 network=10.0.100.0
/ip dhcp-server network
add address=10.0.60.0/24 gateway=10.0.60.1
/ip dns
set servers=8.8.8.8,8.8.4.4

RBM33G:

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/ip address
add address=192.168.100.1/24 interface=bridge1 network=192.168.100.0
/ip dns
set servers=8.8.8.8,8.8.4.4

Regards.

k6ccc · November 19, 2021, 11:35pm

Remember that by default, Widows does not allow ping responses. Been bitten by that one more than once…

krafg · November 19, 2021, 11:59pm

Thanks for reply.

I know that Windows by default have ping blocked. Now I added all ICMPv4 traffic to permit on all interfaces and IP’s on both machines. If I ping from RBM33G to PC1 and from RB450G to PC2, both works well.

As adittion if I try to ping from PC2 to RBM33G it not works.

Regards.

k6ccc · November 20, 2021, 12:15am

You would be amazed how many don’t know that Windows blocks ICMP by default. Hence the reason I asked.
I think you are in the right direction for testing. Try segments and see what works and what does not. Using Torch to see what ICMP packet flowing and where may also help.

Sob · November 20, 2021, 1:43am

PC1 has 192.168.100.1 on RBM33G as gateway, but I don’t see any route to 10.0.60.0/24 on RBM33G.

krafg · November 20, 2021, 1:57am

Thanks for reply. I added the following on RBM33G:

/ip route
add distance=1 dst-address=10.0.60.0/24 gateway=bridge1

Still not working.

Regards.

Sob · November 20, 2021, 2:05am

gateway=192.168.100.2

krafg · November 20, 2021, 12:38pm

/ip route
add distance=1 dst-address=10.0.60.0/24 gateway=192.168.100.2

Still not working.

Actual config of RBM33G:

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/ip address
add address=192.168.100.1/24 interface=bridge1 network=192.168.100.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add distance=1 dst-address=10.0.60.0/24 gateway=192.168.100.2

And to finish with “Windows ping problem”, I replaced the PC1 for a linux device that you can ping it.
So, now the excersice is ping from PC2 (Windows) to PC1 (Linux).

Thanks and regards.

anav · November 20, 2021, 2:15pm

I dont understand the network as described and the config depends on that structure.

What is/are acting as switch(es) and what is acting as router(s) here??
What is/are connected to ISP modem(s)?

krafg · November 20, 2021, 2:47pm

Cisco 2950 is a leyer2 switch and RBM33G is acting as “layer3 switch” well, bridging and routing.

This is a home lab for now. No ISP for now.

Regards.

Sob · November 20, 2021, 2:58pm

How about ping between RBM33G and RB450G (192.168.100.1 ↔ 192.168.100.2), does that work? If not, then how exactly are they connected? From what you posted, I’d assume cable between RBM33G’s ether1 or ether2 and RB450G’s ether2. Which is also weird, because if RBM33G’s interfaces are bridged, it would make more sense for PC1 to use directly 192.168.100.2 as gateway.

krafg · November 20, 2021, 3:25pm

On latest post I published a diagram.

Pinging from 192.168.100.1 to 192.168.100.2 is OK and viceversa .

I know that the ideal scenario is connect directly the pc to one router only but the problem is that on the real scenario we can’t do it.

Regards.

Sob · November 20, 2021, 5:02pm

Then how complete is RBM33G’s config you posted? Are there any firewall rules? Usual stateful firewall would have problem with how it’s connected, because it creates asymmetric routing:

in one direction, 192.168.100.200 sends packet to its gateway 192.168.100.1 and RBM33G sends it to 192.168.100.2
in other direction, RB450G sends packet directly to 192.168.100.200, because it’s in same subnet as RB450G’s 192.168.100.2 => it passes through RBM33G, but it’s only bridged and IP firewall doesn’t see => for stateful firewall it’s invalid packet

But if there really isn’t firewall on RBM33G, then it would work. Anyway, this should be simple to debug, if you can play with it. Packet sniffer is your friend. Keep the ping running, see how far it gets and you’ll know where to look for problem.

krafg · November 20, 2021, 6:25pm

RBM33G have all config posted here except LTE interfaces that are disabled and something about default wireless security profile. I omitted both to reduce the code a bit.

So, no have any firewall rules configured on any device.

Regards.

krafg · November 20, 2021, 9:12pm

Update. I added a simple NAT (masquerade) on RB450G and ping finally works fine.

Is there a way to avoid the NAT? It would be ideal.

Regards.

Sob · November 20, 2021, 9:44pm

I don’t see exact rule, but generally when masquerade fixes a problem like this, it means there’s a missing route somewhere (or firewall blocking).

krafg · November 21, 2021, 12:59am

I configured OSPF and added permit rules for traffic and anyway is not working without NAT.

RBM33G:

# jan/02/1970 00:53:45 by RouterOS 6.49
# software id = AIY8-I70Z
#
# model = RouterBOARD M33G
# serial number = 78F108C8BF83
/interface bridge
add name=bridge1
/interface lte
set [ find ] disabled=yes name=lte1
set [ find ] allow-roaming=no disabled=yes name=lte2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/ip address
add address=192.168.100.1/24 interface=bridge1 network=192.168.100.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=forward dst-address=10.0.60.0/24 src-address=192.168.100.0/24
add action=accept chain=forward dst-address=192.168.100.0/24 src-address=10.0.60.0/24
/ip route
add disabled=yes distance=1 dst-address=10.0.60.0/24 gateway=192.168.100.2
add disabled=yes distance=1 dst-address=10.0.100.0/24 gateway=192.168.100.2
/routing ospf network
add area=backbone network=192.168.100.0/24

RB450G:

# jan/02/1970 01:45:26 by RouterOS 6.49
# software id = B115-B22T
#
# model = 450G
# serial number = 33B604CFD300
/interface ethernet
set [ find default-name=ether2 ] name=ether2-Telefonia
/interface vlan
add interface=ether1 name=vlan60 vlan-id=60
add interface=ether5 name=vlan100 vlan-id=100
/ip pool
add name=dhcp_pool1 ranges=10.0.60.2-10.0.60.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlan60 name=dhcp2
/ip address
add address=10.0.60.1/24 interface=vlan60 network=10.0.60.0
add address=192.168.100.2/24 interface=ether2-Telefonia network=192.168.100.0
add address=10.0.100.1/24 interface=vlan100 network=10.0.100.0
/ip dhcp-server network
add address=10.0.60.0/24 gateway=10.0.60.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=forward dst-address=10.0.60.0/24 src-address=192.168.100.0/24
add action=accept chain=forward dst-address=192.168.100.0/24 src-address=10.0.60.0/24
/routing ospf network
add area=backbone network=10.0.60.0/24
add area=backbone network=10.0.100.0/24
add area=backbone network=192.168.100.0/24

Now I posted complete config.

How is possible that if are not rules blocking traffic and all networks are declared on both devices I can’t get connection. I’m thinking that this is a MikroTik bug or something.

Regards.

Sob · November 21, 2021, 4:40pm

And the magic NAT rule that fixes it is what exactly?

The weird part is that not even ping to 192.168.100.2 works. It’s from PC2 (10.0.60.254), right? But its default gateway is 10.0.60.1, i.e. RB450G, which also has 192.168.100.2. So RB450G definitely knows where to find 10.0.60.254. It’s almost direct link between the two, except for Cisco, but it doesn’t look like it should interfere, because if it did, even dhcp wouldn’t pass.

Btw, both OSPF and those firewall rules can’t help, RB450G has all routes, for RBM33G you have the same manual ones, and if there’s no firewall filter, everything is allowed by default.

krafg · November 22, 2021, 3:17pm

And the magic NAT rule that fixes it is what exactly?

Sorry I posted the config with the rule removed, so it’s:

/ip firewall nat
add action=masquerade chain=srcnat

Applied on RB450G

The weird part is that not even ping to 192.168.100.2 works. It’s from PC2 (10.0.60.254), right?

Yes, you are right. but today I turned on again my lab and now I can ping 192.168.100.2 from 10.0.60.254, but 192.168.100.200 I can’t.

The actual config it’s without NAT, like I posted the last time.

Regards.

Sob · November 22, 2021, 5:21pm

Hmm…

ping from 10.0.60.254 to 192.168.100.2 works => routing from 10.0.60.254 to 192.168.100.0/24 is ok
ping from 10.0.60.254 to 192.168.100.200 doesn’t work => there’s some problem beyond RB450G
masquerade changes source from 10.0.60.254 to 192.168.100.2 and it works => it looks like device 192.168.100.200 doesn’t have route to 10.0.60.254

So check config of 192.168.100.200, if it really has route to 10.0.60.254. Default gateway 192.168.100.1 covers that and you wrote that it’s there, but just make sure that it really is.

Otherwise I’m running out of ideas. If it’s lab, then experiment. Test if changing 192.168.100.200’s gateway to 192.168.100.2 works. Or if connecting it directly to RB450G without RBM33G helps. I don’t see why it should, but for the lack of better ideas…

In any case, nothing here is in any way complicated, it’s all the most basic networking, there’s no reason why it shouldn’t work.