Join domain problem between two bridges

RouterOS General
1

Hi everyone,

I setup bridge1(include port6~10 and spf+1) in RB4011iGS+ and bridge2(all ports) in CRS309-1G-8S+, then connect spf+1 of the two devices.
My AD servers are in the bridge2, all computers in the bridge2 have no problem to join the domain.
All computers under the bridge1 are able to ping AD server and get the correct IP from DHCP of AD server.
But all computers under the bridge1 cannot join the domain (Can’t find network path).


name=“bridge1” mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto
mac-address=74:4D:28:88:XX:XX protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes
ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6
vlan-filtering=no dhcp-snooping=no

name=“bridge2” mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto
mac-address=74:4D:28:10:XX:XX protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=no
admin-mac=74:4D:28:10:XX:XX ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s
transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no

Any idea?

Thanks.

2

Post output of /interface export from both devices.

3

Hi mkx,

Thanks for your reply.

jun/06/2019 13:13:32 by RouterOS 6.44.3

software id = 0CZS-RSBM

model = RB4011iGS+

serial number = XXXXXX

/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether8 ] mac-address=74:4D:28:88:E3:CC
set [ find default-name=ether10 ] mac-address=74:4D:28:88:E3:CE
set [ find default-name=sfp-sfpplus1 ] l2mtu=1592
/interface pppoe-client
add dial-on-demand=yes disabled=no interface=ether2 keepalive-timeout=60
max-mru=1480 max-mtu=1480 name=pppoe-out1 password=xxxxxx user=
xxxxxx@xxxxx.net
add dial-on-demand=yes disabled=no interface=ether3 keepalive-timeout=60
max-mru=1480 max-mtu=1480 name=pppoe-out2 password=xxxxx user=
xxxxxx@xxxxx.net
/interface bonding
add mode=802.3ad name=bonding1 slaves=ether9,ether10
add mode=802.3ad name=bonding2 slaves=ether7,ether8
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface bridge port
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=bonding2
add bridge=bridge interface=bonding1
add bridge=bridge interface=sfp-sfpplus1
/interface bridge settings
set use-ip-firewall=yes
/interface l2tp-server server
set default-profile=l2tp-profile enabled=yes ipsec-secret=xxxxx use-ipsec=
yes
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set authentication=mschap2 default-profile=pptp-profile

jun/06/2019 13:14:10 by RouterOS 6.44.3

software id = GI61-0BPD

model = CRS309-1G-8S+

serial number = XXXXX

/interface bridge
add admin-mac=74:4D:28:10:DA:37 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=sfp-sfpplus5 ] auto-negotiation=no
set [ find default-name=sfp-sfpplus6 ] auto-negotiation=no mac-address=
74:4D:28:10:DA:33
/interface bonding
add mode=802.3ad name=bonding1 slaves=sfp-sfpplus5,sfp-sfpplus6
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus5
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus6
add bridge=bridge comment=defconf interface=sfp-sfpplus7
add bridge=bridge comment=defconf interface=sfp-sfpplus8
add bridge=bridge interface=bonding1
/interface list member
add interface=ether1 list=WAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=sfp-sfpplus5 list=LAN
add interface=sfp-sfpplus6 list=LAN
add interface=sfp-sfpplus7 list=LAN
add interface=sfp-sfpplus8 list=LAN

4

There are two things which look suspicious to me:

  1. On RB4011, you have /interface bridge settings set use-ip-firewall=yes. That isn’t necessarily wrong, but you want to check the /ip firewall settings if there are some rules which might interfere with intra-LAN traffic. While there are good reasons to have this setting set to yes usually that’s not needed …
    Note that bridge firewalling might seem to work intermittently … because it only affects traffic which actually passes device’s CPU. With configuration of your RB that’s all the traffic through sfp+ (because that port connects directly to CPU) while it doesn’t necessarily affect traffic between ether ports (those are connected to switch chip). It also affects traffic through bonds (they are implemented in software so traffic between bonds and the rest of network passes CPU as well).
  2. On CRS bridge MAC is set to the same value as port sfp-sfpplus6 … and probably interface bonding1 has the same MAC address. Both physical ports, members of bonding1, are also members of bridge (although disabled). You might want to set bridge MAC to some unique value (such as 76:4D:28:10:DA:37) and remove bond members from bridge (leave only bonding1 as bridge member).
  3. Both devices are having same bridge priority (default value of 8000). Which doesn’t matter if there’s no loop in the connectivity (STP protocols fight against it). But it doesn’t hurt to change priority on one of devices to some other (round) value so that one of devices is persistently declared as root bridge. Which device should become root depends on topology, probably the center switch is a good candidate to become root bridge.

You’re saying that computers are able to join AD … meaning that L2 (ethernet) connectivity is just fine. Therefore the most suspicious is the item #1 in the list above …

5

mkx, thanks!!

I have changed settings on RB4011, and it works!! :smiley:
About your other advice, I will try to rearrange my network devices as well.