one address not pingable across vlans using bridge filtering

squeegeesplatter · August 27, 2023, 5:12am

hey, look! another vlan question from a noob!

i swear i’ve read many posts about vlan issues. including viewtopic.php?p=706996. but i need another set of eyes. i’m doing something wrong, but i can’t figure out what it is.

here’s my network:

the problem is that 10.0.60.254 (vlan 60) is not reachable (not pingable) from my pc 192.168.88.x (no vlan). however, 10.0.50.254 (vlan 50) is reachable! i don’t understand why.

one weird (to me) thing i noticed is that the bridge hosts list shows three hosts on ether3 (vlan 60) while other interfaces have only one or two. i don’t know what this implies.

can someone review my config? i’m basically looking for a code review. my full config is attached
routerconfig.rsc (10.9 KB)
but here are the relevant (i think) pieces:

/interface vlan
add interface=bridge name=vlan-device vlan-id=40
add interface=bridge name=vlan-server-external vlan-id=60
add interface=bridge name=vlan-server-internal vlan-id=50

/interface list
add comment=defconf name=WAN
add name=VLAN-SERVER
add include=VLAN-SERVER name=VLAN
add comment="no VLAN" exclude=VLAN name=LAN

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-device ranges=10.0.40.2-10.0.40.254
add name=pool-server-internal ranges=10.0.50.2-10.0.50.254
add name=pool-server-external ranges=10.0.60.2-10.0.60.254

/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
add address-pool=pool-device interface=vlan-device lease-time=10m name=\
    dhcp-server-device
add address-pool=pool-server-internal interface=vlan-server-internal \
    lease-time=10m name=dhcp-server-server-internal
add address-pool=pool-server-external interface=vlan-server-external \
    lease-time=10m name=dhcp-server-server-external

/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=50
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=60
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan-2
add bridge=bridge comment=defconf interface=wlan-5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan-2-device pvid=40
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan-5-device pvid=40

/interface bridge vlan
add bridge=bridge comment=device tagged=bridge vlan-ids=40
add bridge=bridge comment=server-internal tagged=bridge vlan-ids=50
add bridge=bridge comment=server-external tagged=bridge vlan-ids=60

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan-device list=VLAN
add interface=vlan-server-external list=VLAN-SERVER
add interface=vlan-server-internal list=VLAN-SERVER

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.0.40.1/24 interface=vlan-device network=10.0.40.0
add address=10.0.50.1/24 interface=vlan-server-internal network=10.0.50.0
add address=10.0.60.1/24 interface=vlan-server-external network=10.0.60.0

/ip dhcp-server lease
add address=10.0.60.254 client-id=1:f4:6d:4:5:e7:27 mac-address=\
    F4:6D:04:05:E7:27 server=dhcp-server-server-external
add address=10.0.50.254 client-id=1:f4:6d:4:5:e8:b3 mac-address=\
    F4:6D:04:05:E8:B3 server=dhcp-server-server-internal

/ip dhcp-server network
add address=10.0.40.0/24 dns-server=10.0.40.1 gateway=10.0.40.1 ntp-server=\
    10.0.40.1
add address=10.0.50.0/24 dns-server=10.0.50.1 gateway=10.0.50.1 ntp-server=\
    10.0.50.1
add address=10.0.60.0/24 dns-server=10.0.60.1 gateway=10.0.60.1 ntp-server=\
    10.0.60.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1 ntp-server=192.168.88.1

mkx · August 27, 2023, 8:23am

How is the server configured with those teo NICs? Is there a bridge/virtual switch with both NICs configured as members by any chance?

anav · August 27, 2023, 11:38am

(1) What do you mean NONE? If you start using vlans, then simply make all subnets vlans, clean, apples to apples consistent approach.

(2) Questionable security approach - you have winbox&ssh disabled but you have IP Service WWW enabled. ???

(3) Just disable IPV6 if not using it.

(4) The confusing nomenclature for lists means errors, and yes, you have VLAN in commentary for DNS but use LAN for rules.
Stick to conventions for conventions, and use other names for distinct non OS conventional functions.
( NTP and DNS can go on same udp rule )

(5) What is the point of the above rules anyway if you have a nonsensical matching last rule…
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN log-prefix=a

If your last rule is block everything except from the LAN, why bother with allow services to LAN members above that…???
So change last rule to DROP ALL ELSE!!

/interface bridge
add admin-mac=CC:2D:E0:C2:9A:F2 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b country="united states3" \
    disabled=no distance=indoors frequency=auto hide-ssid=yes installation=\
    indoor mode=ap-bridge name=wlan-2 ssid=squeegee-2 wireless-protocol=802.11 \
    wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country="united states3" disabled=no distance=indoors \
    frequency=auto hide-ssid=yes installation=indoor mode=ap-bridge name=\
    wlan-5 ssid=squeegee-5 wireless-protocol=802.11 wps-mode=disabled
/interface vlan
add interface=bridge name=vlan-device vlan-id=40
add interface=bridge name=vlan-server-external vlan-id=60
add interface=bridge name=vlan-server-internal vlan-id=50
add interface=bridge name=vlan-none  vlan-id=11
/interface list
add comment=defconf name=WAN
add name=VLAN-SERVER
add include=VLAN-SERVER name=VLAN
add comment="no VLAN" exclude=VLAN name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=\
    security-profile-device supplicant-identity=MikroTik
/interface wireless
add disabled=no hide-ssid=yes mac-address=CE:2D:E0:C2:9A:F6 master-interface=\
    wlan-2 name=wlan-2-device security-profile=security-profile-device ssid=\
    squeegee-2-device wds-default-bridge=bridge wps-mode=disabled
add disabled=no hide-ssid=yes mac-address=CE:2D:E0:C2:9A:F7 master-interface=\
    wlan-5 name=wlan-5-device security-profile=security-profile-device ssid=\
    squeegee-5-device wds-default-bridge=bridge wps-mode=disabled
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-device ranges=10.0.40.2-10.0.40.254
add name=pool-server-internal ranges=10.0.50.2-10.0.50.254
add name=pool-server-external ranges=10.0.60.2-10.0.60.254
/ip dhcp-server
add address-pool=default-dhcp interface=vlan-none lease-time=10m name=defconf
add address-pool=pool-device interface=vlan-device lease-time=10m name=\
    dhcp-server-device
add address-pool=pool-server-internal interface=vlan-server-internal \
    lease-time=10m name=dhcp-server-server-internal
add address-pool=pool-server-external interface=vlan-server-external \
    lease-time=10m name=dhcp-server-server-external
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=50
add bridge=bridge ingress-filtering=yes frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=60
add bridge=bridge ingress-filtering=yes frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=11
add bridge=bridge ingress-filtering=yes frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=11
add bridge=bridge ingress-filtering=yes frame-types=\
    admit-only-untagged-and-priority-tagged interface=wlan-2 pvid=11
add bridge=bridge ingress-filtering=yes frame-types=\
    admit-only-untagged-and-priority-tagged interface=wlan-5 pvid=11
add bridge=bridge ingress-filtering=yes frame-types=\
    admit-only-untagged-and-priority-tagged interface=wlan-2-device pvid=40
add bridge=bridge ingress-filtering=yes frame-types=\
    admit-only-untagged-and-priority-tagged interface=wlan-5-device pvid=40
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether4,ether5,wlan-2,wlan-5 vlan-ids=11
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=50
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=60
add bridge=bridge tagged=bridge untagged=wlan-2-device,wlan-5-device vlan-ids=40
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlan-none list=LAN
add interface=vlan-server-external list=LAN
add interface=vlan-server-internal list=LAN
add interface=vlan-device list=LAN
add interface=vlan-server-external list=VLAN-SERVER  { but why you have no rules for this }
add interface=vlan-server-internal list=VLAN-SERVER  { but why you have no rules for this }
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.88.1/24 comment=defconf interface=vlan-none network=\
    192.168.88.0
add address=10.0.40.1/24 interface=vlan-device network=10.0.40.0
add address=10.0.50.1/24 interface=vlan-server-internal network=10.0.50.0
add address=10.0.60.1/24 interface=vlan-server-external network=10.0.60.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf interface=ether1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.home
/ip firewall address-list
add ip-address=admin-1  list=Authorized comment=admin-desktop
add ip-address=admin-2  list=Authorized comment=admin-laptop
add ip-address=admin-3  list=Authorized comment=admin-smartphone
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN  src-address=list=Authorized
add action=accept chain=input comment="accept Services UDP" \
    dst-port=53,123  in-interface-list=LAN protocol=udp
add action=accept chain=input comment="accept Services TCP" \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix=b
add action=accept chain=forward comment="internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat  { disable or remove if not required }
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes   
set ssh disabled=yes
set www-ssl address=192.168.88.0/24 certificate=router.home \
    disabled=no tls-version=only-1.2
set api disabled=yes
set winbox disabled=no
set api-ssl disabled=yes
/ipv6 settings
set disable-ipv6=yes forward=no
/system clock
set time-zone-autodetect=no time-zone-name=UTC
/system identity
set name=router
/system logging
add action=disk prefix=a topics=firewall
add action=disk prefix=b topics=firewall
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=216.239.35.12
add address=216.239.35.4
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN

…

Thus far with the above firewall rules, all vlans are not accessible to one another.
If you desire specific access then add forward chain rules before the drop all rule at the end.
Typically - All LAN to shared printer
Typically - ADMIN to all LAN

squeegeesplatter · August 28, 2023, 2:50am

@anav, thank you for the tips and corrections. i implemented your recommendations and everything is vlan’d (except ether5 which i kept as a backup in case i screwed up the vlans (which i did at one point; how prudent of me!)).

but, that didn’t change anything. 10.0.60.254 is still not pingable while 50.254 is.

@mkx, i don’t have any bridges or virtual switches on the server. the only network configuration i did was enable dhcp on the nics.

as a test, i tried a different operation system via a live usb and… it worked. i still don’t understand what’s going on, but switching the os “fixed” it and i’m ok with that “solution”. it’s just a home lab, so such a change isn’t a real disruption.

so, this issue is obviously (or, at least, very likely) not a mikrotik issue.

while i still wish i had an explanation, i don’t care to dig deeper; i’m not an os guy (nor am i a network guy for that matter).

for reference, i was using alpine linux and switched to ubuntu.