Not working internet on vlan, cannot ping gw

Corbie · August 25, 2021, 8:15pm

Hi,

Dealing with problem on MikroTik RB4011.

Have VLAN with DHCP server on it(10.0.0.0/24). When i connect laptop into VLAN i get right ip adress, gw and dns from vlan-2 dhcp pool.

But internet is not working and cannot even ping my default GW (10.0.0.1 - vlan interface). On default LAN(1) everything works fine.

Export:

deleted
[admin@MikroTik] >

Routes are there too, dont know why it dont export them all

FW rule is there is just to check if there is any traffic on vlan. For example when i try to ping 8.8.8.8 on the vlan:

deleted

anav · August 25, 2021, 8:42pm

Please post config

/export hide-sensitive file=anynameyouwish

sindy · August 25, 2021, 8:52pm

Two points:

/interface vlan set [find interface=ether3] interface=rybna_lan

/ip address set [find interface=VLAN-BYTY] address=10.0.0.1/24

Corbie · August 26, 2021, 11:00am

Hi, it helped.

Can you please just explain what it exactly did or what was wrong?

Thanks,

sindy · August 26, 2021, 11:19am

You’ve assigned a /32 address to the VLAN interface, so no route to 10.0.0.0/24 via the VLAN interface has been created. As a consequence, packets for anything in 10.0.0.0/24 took the default route.

If an Ethernet interface is a member port of a bridge, the VLAN interface must be attached to the bridge, not to the Ethernet interface. It may partially work but it causes problems.

anav · August 26, 2021, 11:32am

Nice, I would have missed this reading quickly… Although I would have stated it differently, its not that he assigned anything specifically /32, its more like he simply forget some syntax and that is to add /24
add address=10.0.0.1 ??? interface=VLAN-BYTY network=10.0.0.0

I do have some questions…

What is the purpose of this rule??
The forward chain in its current configuration does not block traffic from the vlan to the internet or to your main LAN subnet so not sure why its there??
The only traffic being blocked is invalid traffic AND unsolicited WAN to LAN traffic (traffic heading to the LAN originated on the WAN).

add action=accept chain=forward src-address=10.0.0.0/24

My other question is that you have created a vlan for ether3 specifically but then have a general LAN subnet for the rest of the ports BUT INCLUDE ether 3.

What device is at the other end of ether 3, that can read both the LAN subnet traffic and the vlan (assuming a smart device??)

Corbie · August 26, 2021, 7:45pm

@sindy

Oh i didnt know it automatically assign /32 CIDR, thought its /24 all the time.

@anav

The FW rule was there only for logging traffic and debugging reasons it will not be active.

There is L2 switch on the end of ether3 port where i need to have LAN and vlan traffic aswell.

sindy · August 26, 2021, 8:06pm

The thing is that a /32 address makes sense in some setups too, so no mask given translates to a /32. Se s tim smiř

anav · August 27, 2021, 1:54am

Is it a smart switch (model)?