inter-vlan routing problem

I have a problem regarding VLANs. It seems that Mikrotik won’t route between VLANs as expected. To be more precise, it will forward traffic from VLAN 1 to VLAN 2, but it won’t forward it the other way around, from VLAN 2 to VLAN 1.

This is what I have done on Mikrotik: created VLAN interfaces on ether4, assigned ip addresses to VLANs (VLAN 1 got 192.168.0.254/24, and VLAN 2 got 192.168.2.254/24), enabled proxy-arp on both VLANs, set up dhcp on each VLAN interface (devices got their information as expected).

The switch is 3Com and is set up to use tagging of VLANs 1 & 2 on its port towards Mikrotik (ports towards individual devices are, of course, untagged for that VLAN).

Does anybody know why Mikrotik will forward traffic from one VLAN to the other, but not the other way around? If it is a switch problem, it wouldn’t work at all…

p.s. Also, I have checked the arp table in Mikrotik. It has all the necessary MAC addresses on the correct VLAN interfaces…

Post the router configuration. Out of the box it would route between VLAN interfaces just fine. I’d prefer not to guess why yours isn’t.

Hi, fewi! Here is the printout you’ll need. I didn’t include firewall print because it’s very big and complicated. Firewall isn’t the problem because I disabled all firewall rules for a moment and it still didn’t work.

/ip address print detail

0 address=192.168.0.254/24 network=192.168.0.0 broadcast=192.168.0.255
interface=vlan1 actual-interface=vlan1

1 address=192.168.2.254/24 network=192.168.2.0 broadcast=192.168.2.255
interface=vlan2 actual-interface=vlan2

3 address=192.168.3.254/24 network=192.168.3.0 broadcast=192.168.3.255
interface=vlan3 actual-interface=vlan3

4 address=192.168.99.254/24 network=192.168.99.0 broadcast=192.168.99.255
interface=vlan99 actual-interface=vlan99


/ip route print detail

0 ADS dst-address=0.0.0.0/0 gateway=x.x.208.1
gateway-status=x.x.208.1 reachable ether1 distance=1 scope=30
target-scope=10

2 ADC dst-address=192.168.0.0/24 pref-src=192.168.0.254 gateway=vlan1
gateway-status=vlan1 reachable distance=0 scope=10

3 A S dst-address=192.168.1.0/24 gateway=vlan2 gateway-status=vlan2 reachabl>
distance=1 scope=30 target-scope=10

4 ADC dst-address=192.168.2.0/24 pref-src=192.168.2.254 gateway=vlan2
gateway-status=vlan2 reachable distance=0 scope=10

5 ADC dst-address=192.168.3.0/24 pref-src=192.168.3.254 gateway=vlan3
gateway-status=vlan3 reachable distance=0 scope=10

6 ADC dst-address=192.168.99.0/24 pref-src=192.168.99.254 gateway=vlan99
gateway-status=vlan99 reachable distance=0 scope=10



/interface print detail

0 R name="ether1" type="ether" mtu=1500 l2mtu=1524

1 name="ether2" type="ether" mtu=1500 l2mtu=1524

2 name="ether3" type="ether" mtu=1500 l2mtu=1524

3 R name="ether4" type="ether" mtu=1500 l2mtu=1524

4 name="ether5" type="ether" mtu=1500 l2mtu=1524

5 R name="bridge1" type="bridge" mtu=1500 l2mtu=65535

6 R name="vlan1" type="vlan" mtu=1500 l2mtu=1520

7 R name="vlan2" type="vlan" mtu=1500 l2mtu=1520

8 R name="vlan3" type="vlan" mtu=1500 l2mtu=1520

9 R name="vlan99" type="vlan" mtu=1500 l2mtu=1520

p.s. all VLANs are on ether4…

That looks fine, except for VLAN 2 - you appear to have an active static route for 192.168.1.0/24 via the VLAN 2 interface. What’s up with that?

By default a router will route any packet it has a route for. Your routing table has directly connected routes for all those VLAN interfaces. Ergo, it will route between them as long as packets are on the right logical or physical interfaces.

How are you testing and in what network infrastructure, what are you expecting the test to result in, and what are you seeing instead? Are you pinging between hosts? Have you turned off host firewalls?

Also, you mentioned VLAN 1 being used in testing. Does that mean you used VLAN id 1? That’s often a special id - I’m not sure how 3Com treats it, but it might be stripping off any VLAN tag for id 1 regardless of tagging/untagging status. Try testing between VLANs 2 and 3. If that works you’d want to get rid of the VLAN 1 interface on the router and just run it as a physical interface with the IP address right on the Ethernet interface. Maybe add the output of “/interface vlan export”, please wrap that in

 tags to keep it readable.

Additionally, what is your reasoning for turning on proxy ARP? Proxy ARP is an extremely ugly hack that is usually used to allow you to run the same IP space behind multiple interfaces. Your setup doesn't indicate it's needed at all. It will cause the router to poison ARP the network for all directly connected IP addresses; you should probably turn it off.

Yes, I tested by pinging, and it was the Windows firewall on my computer… I completely forgot about that. But another thing happened yesterday that doesn’t have any connection to my firewall. I tried to ping the same computer on VLAN 2, 192.168.2.2 (the computer I could reach from 192.168.0.4), but now I couldn’t from 192.168.0.5. Remote desktop also didn’t work. This morning when I tried it, it started working… I made no changes of any kind to either of the two computers, or on the Mikrotik or the switch.

But to answer your other questions. That static route was a route I set up for one of the previous VLANs and forgot to remove (that’s why it routes to a different subnet than the one currently on VLAN 2, but I think it shouldn’t matter because of the worse metric). The reason why I tried that is because once we had a situation when Mikrotik didn’t want to route to one of its directly connected subnets (no VLANs). In that situation we configured the static route and it suddenly started working. It wouldn’t even cross my mind to do that, since directly connected subnets don’t need static routes, but one of my colleagues who had more experience with Mikrotik suggested that, and it worked!

I had already checked the 3Com documentation before I put this on the Mikrotik forum, so it’s not a problem with tagging. Unfortunately, I forgot to think about local firewalls! :laughing:

My first implementation was with ARP enabled. Since that didn’t work, I remembered you mentioned Proxy ARP when we talked about that NAT problem, so I thought to give it a go. Thanks for shedding some light on Proxy ARP function!

I think proxy ARP caused the issue this morning with .5.

Turn it off, reboot everything, then test some more.

Oh, and I’ve come across that situation where it doesn’t route to directly connected VLANs. It can happen when you edit VLAN IDs. The better fix is to disable and enable the IP address on that interface. That causes the directly connected route to get re-installed. That has always worked for me.

I should probably raise a bug about that.
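As an added example (not from the thread's participants or from MikroTik's documentation), these are the RouterOS commands that apply fewi's advice to the configuration printed above: take the VLAN interfaces off proxy ARP, drop the stale static route, and re-install a connected route by bouncing the address. The interface names, addresses and the 192.168.2.2 test host are the ones that appear in the thread; `ether4` as the VLAN parent is taken from the poster's own note.

```routeros
# Added example: apply the advice from this thread to the posted config.
# Assumes the VLAN interfaces hang off ether4, as the poster said.

# 1. Proxy ARP is not needed for plain inter-VLAN routing; use normal ARP.
/interface vlan set [find interface=ether4] arp=enabled
/interface vlan print detail where arp=proxy-arp
# (should print nothing now)

# 2. Remove the forgotten static route for 192.168.1.0/24 via vlan2
#    (route 3 in the printout); it serves no current subnet.
/ip route remove [find dst-address=192.168.1.0/24 gateway=vlan2]

# 3. If a directly connected route has gone missing (e.g. after a VLAN ID
#    edit), re-install it by bouncing the address, not by adding a static route.
/ip address disable [find interface=vlan2]
/ip address enable  [find interface=vlan2]

# 4. Verify: each VLAN subnet must show an active, directly connected (ADC) route.
/ip route print where dst-address=192.168.2.0/24
/ip route print where dst-address=192.168.3.0/24

# 5. Confirm the router itself reaches a host in the VLAN, sourced from that
#    VLAN's gateway address, before blaming the switch or host firewalls.
/ping 192.168.2.2 src-address=192.168.2.254 count=3
```

If step 5 succeeds but host-to-host pings across VLANs still fail, the remaining suspects are the host firewalls and the switch trunk, not the router's routing table.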

Actually, I have turned off proxy arp the day before, when I saw what you wrote about it. Arp was set to ‘enabled’. I didn’t reboot though…

Something else happened yesterday, even more disturbing. In the middle of the day all VLANs stopped working. I have checked, it’s not a problem with the switch. When I logged on to Mikrotik, I couldn’t see anything different. I moved the 192.168.0.254 address from the VLAN interface to ether4, and it started working. This morning, the same problem is still out there, so we can’t use VLANs now. When the thing happened, I was working on something completely different, and didn’t touch either the Mikrotik or the switch.

BTW, we had some problems before with Mikrotik when it was supposed to be connecting between its directly connected subnets. It wasn’t a firewall problem, and the static route didn’t help in that situation. We had several IP addresses on one interface, no VLANs configured. Usually, it would connect those subnets OK, but every now and then it would stop routing traffic from one specific device to another. For example, if I had address 192.168.0.4 and wanted to reach 10.160.250.130, Mikrotik wouldn’t always route to that address (ping, remote desktop and so on). Usually, there was no problem, but sometimes it would suddenly stop forwarding traffic. Even weirder, another address from my subnet, like 192.168.0.10, could still reach it. The only thing I could do was to change the IP of my computer. In a few days, it would again work as expected…

Thanks for the advice about disabling and enabling ip address on an interface. It’s good to know…

Inter-VLAN routing should work by default without a problem. I have a lot of VLANs at the office and at home as well and never had problems routing from one VLAN to the other, since all VLANs are directly connected with distance 0, so there is no need for routes/proxy ARP.

One thing I have seen when traffic is not going from/to a certain VLAN: I saw it at a client who had a NAT rule and did not specify an outside interface (the internet connection), and he was having a hard time since it was src-natting traffic between VLANs. Or maybe some mangle/prerouting rules?

Haven’t encountered a problem with VLANs on Mikrotik yet; I have been using it with all kinds of Cisco switches, even with an ancient 2948 with CatOS, and it works fine. Haven’t tried editing the VLAN ID yet though.
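As an added example (not the poster's own configuration), here is the NAT mistake described above beside its corrected form, with `ether1` taken from the posted route table as the interface holding the default route to the ISP:

```routeros
# Added example: the overly broad srcnat rule from the post above, and the fix.

# WEAK: no out-interface, so this masquerades every forwarded packet,
# including traffic between vlan2 and vlan3. The far VLAN then sees every
# host as the router's own address, which breaks anything that relies on
# the real source (host firewalls, access lists, logs) and makes pings
# a misleading test.
/ip firewall nat add chain=srcnat action=masquerade comment="too broad"

# CORRECTED: only masquerade what actually leaves toward the ISP.
# ether1 is the interface holding the default route in the posted printout.
/ip firewall nat remove [find comment="too broad"]
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade \
    comment="masquerade to ISP only"

# Defence in depth: explicitly exempt local-to-local traffic from srcnat,
# placed before the masquerade rule, so a later broad rule cannot catch it.
# 192.168.0.0/16 covers the VLAN subnets in the printout; adjust to taste.
/ip firewall nat add chain=srcnat action=accept \
    src-address=192.168.0.0/16 dst-address=192.168.0.0/16 \
    place-before=[find comment="masquerade to ISP only"] \
    comment="no NAT between local VLANs"

# Check: while pinging across VLANs, the accept rule's counters should rise
# and the masquerade rule's counters should stay flat.
/ip firewall nat print stats
```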

hm… no, that’s not the problem. I intentionally make all the NAT rules as specific as possible to avoid natting traffic that doesn’t need to be natted. I had to learn that the hard way: once I lost an entire day on solving a problem and it turned out that my NAT rule was not specific enough, so it natted a lot of traffic that didn’t need to be natted. A mistake I’ll never make again!

but thanks for the advice…