No ARP replies from CRS317/6.41rc with bridged VLANs

I’ve run into a bit of an issue with the CRS317 on 6.41rc56. I configured a basic 4-port setup: 2 VLAN trunk ports, 2 access ports, and IP addresses on both VLANs.

Traffic passes through the VLAN bridge, but I can’t reach the CRS itself (TCP/ICMP). Wireshark helped me uncover that ARP requests for 192.168.100.2 or 192.168.0.36 are not being answered on either tagged or untagged ports. Any ideas what’s going on?



My test config:

# dec/03/2017 00:49:25 by RouterOS 6.41rc56
# software id = VAP1-62GB
#
# model = CRS317-1G-16S+
# serial number = 7A14079AB861
#
# Test export: a single VLAN-filtering bridge carrying VLAN 2 and VLAN 20,
# four bridge ports, and two IP addresses used to reach the switch itself.
/interface bridge
# vlan-filtering=yes: the bridge applies the "/interface bridge vlan" table below.
# The bridge's own pvid is not set here; the "/interface bridge print" output
# on this page reports pvid=1 for bridge1.
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master
/interface vlan
# VLAN interfaces stacked on bridge1; their IDs match the tagged=bridge1
# memberships in the VLAN table below. No IP address is bound to either one.
add interface=bridge1 name=vlan2 vlan-id=2
add interface=bridge1 name=vlan20 vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
# sfp-sfpplus1 and sfp-sfpplus2 are the ports listed as tagged in the VLAN
# table below; only these two set ingress-filtering=yes.
add bridge=bridge1 ingress-filtering=yes interface=sfp-sfpplus1 pvid=2
add bridge=bridge1 ingress-filtering=yes interface=sfp-sfpplus2 pvid=20
# NOTE(review): sfp-sfpplus15/16 (untagged members of VLAN 20) set neither
# ingress-filtering nor frame-types. On host-facing ports,
# ingress-filtering=yes together with
# frame-types=admit-only-untagged-and-priority-tagged is the usual way to keep
# tagged frames for other VLANs from being accepted on ingress — confirm the
# behaviour on this RouterOS build.
add bridge=bridge1 interface=sfp-sfpplus15 pvid=20
add bridge=bridge1 interface=sfp-sfpplus16 pvid=20
/interface bridge vlan
# bridge1 (the CPU-facing side of the bridge) is a tagged member of both
# VLANs; it is not an untagged member of either.
add bridge=bridge1 tagged=sfp-sfpplus2,bridge1 untagged=sfp-sfpplus15,sfp-sfpplus16 vlan-ids=20
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=2
/ip address
# NOTE(review): both addresses are bound to bridge1 itself, not to
# vlan2/vlan20. The VLAN table print on this page shows bridge1 untagged only
# in the dynamic VLAN 1 entry, which contains no other port. Presumably that
# is why ARP for these addresses goes unanswered on the VLAN 2/20 ports; the
# later export on this page binds the addresses to vlan2/vlan20 instead —
# confirm on the device.
add address=192.168.0.36/27 interface=bridge1 network=192.168.0.32
add address=192.168.100.2/24 interface=bridge1 network=192.168.100.0
# NOTE(review): this export contains no /ip firewall or /ip service section,
# so nothing shown here limits which hosts can reach the management services
# on the addresses above — verify against the running config.
/ip dns
set servers=192.168.0.4,192.168.0.240
/system clock
set time-zone-name=Europe/Zurich
/system ntp client
# NTP servers are resolved by name through the DNS servers configured above.
set server-dns-names=pool.ntp.org
/system package update
# The device follows the release-candidate channel (the header shows 6.41rc56).
set channel=release-candidate
/system routerboard settings
set boot-os=router-os

Why would /ip arp say “published=no”:

[admin@MikroTik] /ip arp> print detail
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, C - complete 
 0 D  address=192.168.100.1 interface=bridge1 published=no 

[admin@MikroTik] /interface bridge> print
Flags: X - disabled, R - running 
 0 R name="bridge1" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=64:D1:54:F0:48:68 
     protocol-mode=rstp fast-forward=yes igmp-snooping=no priority=0x8000 auto-mac=yes max-message-age=20s forward-delay=15s 
     transmit-hold-count=6 ageing-time=5m region-name="" region-revision=0 max-hops=20 vlan-filtering=yes pvid=1 

[admin@MikroTik] /interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                         BRIDGE                        HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H sfp-sfpplus1                      bridge1                       yes    2     0x80         10                 10       none
 1   H sfp-sfpplus2                      bridge1                       yes   20     0x80         10                 10       none
 2   H sfp-sfpplus15                     bridge1                       yes   20     0x80         10                 10       none
 3   H sfp-sfpplus16                     bridge1                       yes   20     0x80         10                 10       none

[admin@MikroTik] /interface bridge vlan> print
Flags: X - disabled, D - dynamic 
 #   BRIDGE                           VLAN-IDS  CURRENT-TAGGED                          CURRENT-UNTAGGED                         
 0   bridge1                          20        bridge1                                 sfp-sfpplus15                            
                                                sfp-sfpplus2                            sfp-sfpplus16                            
 1 D bridge1                          1                                                 bridge1                                  
 2   bridge1                          2         bridge1                                
                                                sfp-sfpplus1                           

[admin@MikroTik] /ip address> print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.0.36/27 network=192.168.0.32 interface=bridge1 actual-interface=bridge1 

 1   address=192.168.100.2/24 network=192.168.100.0 interface=bridge1 actual-interface=bridge1

Hi,
I believe it’s due to your bridge1 not being an untagged member of either of the two VLANs. You can see the switch put it as a dynamic member in the default VLAN 1, so from there it should work. Try it from sfp-sfpplus3, which should be on VLAN 1, and I guess it will work.
Put the bridge1 as untagged member of vlan 2 and/or 20 and it should work from there as well.

After a lot of trial and error I’ve come up with the config below. The only real change is that I attached the IP addresses to the VLAN interfaces instead of the bridge. The current build seems pretty flaky to me, though: every time I reboot I get different ARP reply behavior. Sometimes the CRS317 replies to requests for both IP addresses, sometimes for only one, sometimes for none. I hope this gets addressed in the next release, because as it stands admin access is not reliable.

# dec/06/2017 03:57:29 by RouterOS 6.41rc56
# software id = VAP1-62GB
#
# model = CRS317-1G-16S+
# serial number = 7A14079AB861
#
# Revised export: the IP addresses are bound to the VLAN interfaces
# (vlan2/vlan20) rather than to bridge1. Compared with the first export on
# this page it also changes the bridge settings, adds sfp-sfpplus4, changes
# the VLAN 20 address and adds a route.
/interface bridge
# NOTE(review): protocol-mode=none turns off (R)STP on this bridge; the
# earlier "/interface bridge print" on this page showed protocol-mode=rstp.
# Without it the bridge takes no part in loop prevention — confirm this is
# intended beyond the test.
# NOTE(review): pvid=2 is set on the bridge while bridge1 is also listed as a
# tagged member of VLAN 2 below — confirm the combination is intended.
add fast-forward=no name=bridge1 protocol-mode=none pvid=2 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master
/interface vlan
# VLAN interfaces on bridge1; these carry the IP addresses in this export.
add interface=bridge1 name=vlan2 vlan-id=2
add interface=bridge1 name=vlan20 vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge1 ingress-filtering=yes interface=sfp-sfpplus1 pvid=2
add bridge=bridge1 ingress-filtering=yes interface=sfp-sfpplus2 pvid=20
# sfp-sfpplus4 is new in this export (pvid=2); it does not appear in either
# VLAN table entry below.
add bridge=bridge1 ingress-filtering=yes interface=sfp-sfpplus4 pvid=2
# NOTE(review): as in the first export, sfp-sfpplus15/16 set neither
# ingress-filtering nor frame-types; on host-facing ports
# ingress-filtering=yes with
# frame-types=admit-only-untagged-and-priority-tagged is the usual hardening
# — confirm on this RouterOS build.
add bridge=bridge1 interface=sfp-sfpplus15 pvid=20
add bridge=bridge1 interface=sfp-sfpplus16 pvid=20
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2 untagged=sfp-sfpplus15,sfp-sfpplus16 vlan-ids=20
# NOTE(review): sfp-sfpplus14 is listed as untagged here but is not added as a
# bridge port above, while sfp-sfpplus4 (pvid=2) is a bridge port that appears
# in no VLAN entry. Possibly a typo for sfp-sfpplus4 — verify.
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=sfp-sfpplus14 vlan-ids=2
/ip address
# Addresses now sit on the VLAN interfaces, which match the tagged=bridge1
# memberships above. The VLAN 20 address is 192.168.100.5 here; the first
# export used 192.168.100.2.
add address=192.168.0.36/27 interface=vlan2 network=192.168.0.32
add address=192.168.100.5/24 interface=vlan20 network=192.168.100.0
# NOTE(review): this export contains no /ip firewall or /ip service section,
# so nothing shown here limits which hosts on VLAN 2 or VLAN 20 can reach the
# management services — verify against the running config.
/ip dns
set servers=192.168.0.4,192.168.0.240
/ip route
# No dst-address is given, so this is presumably the default route; the
# gateway lies in the 192.168.100.0/24 subnet configured on vlan20.
add distance=1 gateway=192.168.100.1
/system clock
set time-zone-name=Europe/Zurich
/system ntp client
# NTP servers are resolved by name through the DNS servers configured above.
set server-dns-names=pool.ntp.org
/system package update
# The device follows the release-candidate channel (the header shows 6.41rc56).
set channel=release-candidate
/system routerboard settings
set boot-os=router-os