I have a small network comprised of an ISP provided device, one RB5009 for routing, and two hAP ax2 performing access point duties, configured with three VLANs, one management, one guest, one VIP.
While most of the devices connected to the network get internet access, I recently discovered I cannot ping devices across the same VLAN (or from the RB5009 router to any device on the network), or SSH from my PC to a Raspberry Pi I added recently, with the Raspberry Pi also not getting an internet connection.
I have tried adding some NAT rules to the hAP devices, to no avail. I have also tried connecting the Raspberry Pi to the main router and to one of the APs, without being able to ping or SSH into it in either case. Thus, I arrived here, with no more ideas, and I am hoping someone here can help me out. Hell, I’ll even pay for the tech support. I have attached the config exports for the main router and one of the APs (the config is the same for both, and they are provisioned via CAPsMAN).
Would this be caused by VLAN and ingress filtering being turned on? What am I missing?
Attachments: hAP.rsc (2.18 KB), Main_Router.rsc (11.8 KB)
So basically you configured ether ports as hybrid ports on ingress (untagged frame, entering port from wire, will get tagged with VID 33) and tagged on egress (tagged frame with VID 33 will keep its VLAN tag on its way out to the wire).
This kind of mismatch is often “tolerated” if connected device runs Windows OS (because many NIC drivers strip VLAN headers on ingress if NIC is not configured to work with VLANs), but linux-based devices (including ROS devices and rPIs) don’t tolerate such blunder … and discard frames which carry VLAN tag with unconfigured VID.
The solution: remove ether ports from list of tagged members of VLAN 33 (ROS will add them as untagged members due to pvid setting).
And a suggestion (my personal POV): set ports, which connect LAN infrastructure (router and APs), as full trunk ports (i.e. all VLANs tagged). Currently they are set as hybrid/access ports. Yes, this means that configuration of ports will vary depending on device connected (LAN infrastructure vs. end device), but in principle it does add to security of the network. And to me it also adds to “readability” of config (but this is subjective).
On my tablet I have an SSH client. There is no winbox for android. And I don’t particularly like the new webfig layout. Copy-paste works great in CLI (over ssh); it takes running a terminal window from inside winbox to do the same in winbox (and the terminal features of winbox’s terminal don’t reach the ankles of a decent ssh client, e.g. putty or mobaXterm, not to mention native linux terminals).
I also have a linux server on my LAN (file server, DLNA server, DHCP server, primary DNS server for my own domain, web server) and using ssh to manage it is the most natural way.
First of all, I would like to thank both of you for the input, the tips from anav solved my issue, and I learned a new thing. Lemme know where I should send that coffee!
Now, I want to know a bit more about what you said regarding setting ports which connect the infrastructure with all VLANs tagged. On the RB5009 all of them are currently set with all VLANs tagged. Should I change that so just the ones carrying data to the ax2 devices are fully tagged and configure the rest to only have one VLAN tagged? Also, if I choose to revert this change, should I instead try and configure the NIC on the rPI to tag its traffic with the VID that I need?
On the 5009, port with traffic will either be:
a. access ports going to dumb devices, untagged for the vlan associated with that device.
b. trunk port going to smart devices (that can read vlan tags) carrying all the vlans that the device is responsible for forwarding ( AP over wifi, Switch on its other ports access or trunk as appropriate )
c. trunk port should also carry the trusted or management vlan (used at the minimum to provide smart devices with their IP address on that vlan and perhaps also data (trusted vlan)).
If you have unifi APs, then hybrid ports are probably required (at least if the default setup on unifi is not changed ).
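As an added check (my own script, not from this thread or from MikroTik), the following Python reads the `/interface bridge port` and `/interface bridge vlan` lines of a RouterOS export, flags the mismatch described in the earlier reply (a port whose pvid VLAN is also in its tagged list, so untagged frames get in but replies leave tagged), and classifies each port as access, trunk or hybrid along the lines of the list above. It assumes export lines are not wrapped with `\`; the sample config is constructed, not the attached .rsc files.

```python
import re

# Constructed sample in RouterOS export syntax (not the poster's attached .rsc files).
# ether2: pvid 33 AND tagged member of VLAN 33 (the mismatch described in the thread).
# ether4: clean trunk (all VLANs tagged). ether5: clean access port for VLAN 20.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge interface=ether2 pvid=33
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5 pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether4 vlan-ids=33
add bridge=bridge tagged=bridge,ether4 vlan-ids=10
add bridge=bridge tagged=bridge,ether4 untagged=ether5 vlan-ids=20
"""

def parse_export(text):
    """Return (pvid per port, tagged VIDs per port, untagged VIDs per port).
    RouterOS makes a port an untagged member of its pvid implicitly, so pvid is folded in."""
    pvid, tagged, untagged, section = {}, {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            f = dict(re.findall(r"(\S+)=(\S+)", line))
            if section == "/interface bridge port":
                pvid[f["interface"]] = int(f.get("pvid", 1))  # RouterOS default pvid is 1
            elif section == "/interface bridge vlan":
                for vid in map(int, f["vlan-ids"].split(",")):
                    for p in filter(None, f.get("tagged", "").split(",")):
                        tagged.setdefault(p, set()).add(vid)
                    for p in filter(None, f.get("untagged", "").split(",")):
                        untagged.setdefault(p, set()).add(vid)
    for p, v in pvid.items():
        if v != 1:  # pvid 1 is the default bridge VLAN, not a deliberate access assignment
            untagged.setdefault(p, set()).add(v)
    return pvid, tagged, untagged

def find_hybrid_mismatch(text):
    """Ports whose pvid VLAN is also in their tagged list: untagged frames get in,
    replies leave tagged, and a VLAN-unaware Linux host (e.g. a Pi) drops them."""
    pvid, tagged, _ = parse_export(text)
    return sorted(p for p, v in pvid.items() if v in tagged.get(p, set()))

def classify_ports(text):
    """access = untagged VLANs only, trunk = tagged only, hybrid = both, none = neither."""
    pvid, tagged, untagged = parse_export(text)
    return {p: "hybrid" if tagged.get(p) and untagged.get(p) else "trunk" if tagged.get(p)
            else "access" if untagged.get(p) else "none" for p in pvid}
```

Run it against your own `/export` output; any port listed by `find_hybrid_mismatch` is one to remove from the tagged list of its pvid VLAN, as the earlier reply suggests.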