Partial VLAN configuration

The following is an overview of my network setup:

where

  1. Main router, running a DHCP server for every VLAN, reachable at 10.0.10.1, 10.0.15.1, 10.0.20.1, 10.0.30.1 and 192.168.10.1.
  2. Access point for downstairs. It has a Raspberry Pi connected to it but mostly does Wi-Fi now.
  3. Access point in the attic; it has some clients connected to it (workstation, printer, Raspi) but also serves as AP for the upper floors.
  4. CRS112, not yet installed; right now served by an HP 1810-8G managed switch.

I have set up VLANs based on what I think is the latest version of the guide, knowing that by configuring them the bridge-vlan way I’m not using the full switching potential, as every packet will flow through the CPU. But I care more about a working network than about some speed drops (for now).

Inspiration was found in these threads:
http://forum.mikrotik.com/t/sofware-vlan-bridge-on-ruteros-explained/122534/1
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

The way I have set up the bridge VLANs on 1):

[admin@MT-CCR] > /interface bridge print
Flags: X - disabled, R - running 
 0 R name="bridge-lan" mtu=auto actual-mtu=1500 l2mtu=1580 arp=proxy-arp arp-timeout=auto mac-address=64:D1:54:D5:21:53 protocol-mode=rstp fast-forward=no 
     igmp-snooping=yes multicast-router=temporary-query multicast-querier=no startup-query-count=2 last-member-query-count=2 last-member-interval=1s 
     membership-interval=4m20s querier-interval=4m15s query-interval=2m5s query-response-interval=10s startup-query-interval=31s250ms igmp-version=2 
     auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1 
     frame-types=admit-all ingress-filtering=no dhcp-snooping=no

and:

[admin@MT-CCR] > /interface bridge vlan print
Flags: X - disabled, D - dynamic 
 #   BRIDGE                                     VLAN-IDS  CURRENT-TAGGED                                    CURRENT-UNTAGGED                                   
 0   bridge-lan                                 30        bridge-lan                                       
                                                          ether2-HAPac Zolder                              
                                                          ether4-HAPac-Meterkast                           
 1   bridge-lan                                 10        bridge-lan                                        ether7-envoy                                       
                                                          ether2-HAPac Zolder                              
                                                          ether4-HAPac-Meterkast                           
                                                          ether8-HPswitch                                  
                                                          CAP5G-HAPac-Meterkast-1                          
 2   bridge-lan                                 20        bridge-lan                                       
                                                          ether2-HAPac Zolder                              
                                                          ether4-HAPac-Meterkast                           
                                                          CAP2G-HAPac-Meterkast-1-1                        
                                                          CAP2G-HAPac-Zolder-1-1                           
 3   bridge-lan                                 15        bridge-lan                                        ether3-Server                                      
                                                          ether2-HAPac Zolder                               ether6-Raspi                                       
                                                          ether4-HAPac-Meterkast                           
 4   bridge-lan                                 100       bridge-lan                                       
                                                          ether2-HAPac Zolder                              
                                                          ether4-HAPac-Meterkast                           
                                                          ether8-HPswitch                                  
 5 D bridge-lan                                 1                                                           bridge-lan                                         
                                                                                                            ether2-HAPac Zolder

For now, let’s forget about 20, 30 and 100. I know they’re not correct, but if I get traffic between 10 and 15 flowing, I’m confident the rest will also be logical.

Unfortunately, I can’t seem to get it working. It feels like I’m close but missing one or two crucial components or settings.
What is working:

  • Based on the port, the correct VLAN seems to be chosen and the correct DHCP server serves an IP and subnet (this is still rubbish for CAPsMAN-served Wi-Fi SSIDs).
  • Within one subnet/VLAN I can ping and connect freely between clients.
  • From my workstation connected to 3) I can ping the server connected to 1) (so from VLAN 10 → 15).

What is not working:
  • I cannot ping the workstation connected to 3) back from the server connected to 1).

If I do a traceroute, there is exactly one hop, to the gateway 10.0.15.1. Then it stops, as if it doesn’t know to look for this client’s IP (10.0.10.5) through 3).

I think there’s some missing config in the routing tables, but I can’t figure out what, or why traffic is indeed flowing in the other direction (might it be because the DHCP client on 3) receives an IP from 1) and also sets a default route for that subnet?).

I’ll happily share config exports if you tell me which ones (instead of dumping too much crap).

IP Routing Table:

[admin@MT-CCR] > /ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0   S  0.0.0.0/0                          pptp-PIA                  1
 1 X S  0.0.0.0/0                          ovpn-out1-winds...        1
 2 ADS  0.0.0.0/0                          pppoe-KPN                 0
 3  DS  0.0.0.0/0                          10.216.240.1            254
 4 ADC  10.0.10.0/24       10.0.10.1       vlan10-home               0
 5 ADC  10.0.15.0/24       10.0.15.1       vlan15-servers            0
 6 ADC  10.0.20.0/24       10.0.20.1       vlan20-automation         0
 7 ADC  10.0.30.0/24       10.0.30.1       vlan30-guests             0
 8 ADC  10.100.0.0/24      10.100.0.1      bridge-lan                0
 9 ADC  10.216.240.0/22    10.216.241.162  vlan4-iptv                0
10 ADC  192.168.10.0/24    192.168.10.1    vlan100-management        0
11 ADC  195.190.228.114/32 86.82.30.243    pppoe-KPN                 0
12 ADS  213.75.112.0/21                    10.216.240.1            254

To know which part of the configuration to ask for, we would have to know where the problem is. So post the complete export (check my automatic signature below first), just don’t forget to use the [code] and [/code] tags around the configuration exports of both machines.

You have posted only the bridge status and the routing table of the CCR (which looks fine to me) but nothing about the hAP ac. The workstation should be connected to an access port to VLAN 10 on the hAP ac and it should have 10.0.10.1 as a gateway to 10.0.15.0/24, as otherwise the request packets from the server get from VLAN/subnet 15 to VLAN/subnet 10 on the CCR but the responses go from VLAN/subnet 10 to VLAN/subnet 15 on the hAP ac, so if there is a stateful IP firewall on at least one of them, it may not let the responses through because it didn’t see the requests.

Also, the workstation may have its own firewall which blocks incoming ping requests. To check what is actually wrong, /tool sniffer quick is very useful, allowing you to see how far the packet gets. If it leaves the port to which the workstation is connected, the issue is the firewall on the workstation; if it doesn’t reach even the trunk port towards the hAP ac on the CCR, the issue is in the CCR.

Just make sure that “hardware acceleration” of the bridge on the hAP ac is disabled for both the trunk port towards the CCR and the access port towards the workstation, if setting vlan-filtering=yes didn’t already do that. With hardware acceleration enabled the sniffer cannot see some packets.

Okay I will create the exports and check the information you provided, thanks for that.
I forgot to mention that the workstation (a Windows 10 machine with its firewall disabled) can be pinged from both the hAP ac and the CCR.
Your logic about the returning packet makes sense, not sure yet how to set that up but the export will show I think.

Export of the CCR:

# aug/16/2019 22:39:50 by RouterOS 6.45.3
# software id = 7P09-2CFT
#
# model = CCR1009-7G-1C-1S+
/caps-man channel
add band=2ghz-g/n name=channel-2G
add band=5ghz-a/n/ac name=channel-5G
/interface bridge
add arp=proxy-arp fast-forward=no igmp-snooping=yes name=bridge-lan \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=combo1 ] arp=proxy-arp combo-mode=copper name=\
    combo1-WAN
set [ find default-name=ether1 ] advertise=1000M-full name=\
    "ether2-HAPac Zolder" speed=100Mbps
set [ find default-name=ether2 ] name=ether3-Server speed=100Mbps
set [ find default-name=ether3 ] name=ether4-HAPac-Meterkast speed=100Mbps
set [ find default-name=ether4 ] name=ether5-Flex speed=100Mbps
set [ find default-name=ether5 ] name=ether6-Raspi speed=100Mbps
set [ find default-name=ether6 ] name=ether7-envoy speed=100Mbps
set [ find default-name=ether7 ] name=ether8-HPswitch speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] advertise=\
    10M-full,100M-full,1000M-full,10000M-full auto-negotiation=no
/interface pptp-client
add connect-to=israel.privateinternetaccess.com name=pptp-PIA user=x9282326
/interface vlan
add arp=proxy-arp interface=combo1-WAN name=vlan4-iptv vlan-id=4
add interface=combo1-WAN name=vlan6-internet vlan-id=6
add arp=proxy-arp interface=bridge-lan name=vlan10-home vlan-id=10
add arp=proxy-arp interface=bridge-lan name=vlan15-servers vlan-id=15
add interface=bridge-lan name=vlan20-automation vlan-id=20
add interface=bridge-lan name=vlan30-guests vlan-id=30
add interface=bridge-lan name=vlan100-management vlan-id=100
/caps-man datapath
add bridge=bridge-lan client-to-client-forwarding=yes local-forwarding=no \
    name=dp-VL10-home vlan-id=10 vlan-mode=use-tag
add bridge=bridge-lan local-forwarding=no name=dp-VL20-automation vlan-id=20 \
    vlan-mode=use-tag
add bridge=bridge-lan client-to-client-forwarding=yes local-forwarding=no \
    name=dp-VL30-guests vlan-id=30 vlan-mode=use-tag
/interface pppoe-client
add add-default-route=yes allow=pap,mschap2 comment=\
    "user: 9C-6F-52-15-E0-19@direct-adsl" default-route-distance=0 disabled=\
    no interface=vlan6-internet keepalive-timeout=20 max-mru=1480 max-mtu=\
    1480 name=pppoe-KPN user=9C-6F-52-15-E0-19@direct-adsl
/caps-man security
add authentication-types=wpa2-psk name=security-default
add authentication-types=wpa2-psk name=security-guests
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm group-key-update=5m name=security-automation
/caps-man configuration
add channel=channel-2G country=netherlands datapath=dp-VL10-home \
    datapath.local-forwarding=yes name=config-wifi_2G security=\
    security-default ssid=LaDy_2GL
add channel=channel-5G country=netherlands datapath=dp-VL10-home name=\
    config-wifi_5G security=security-default ssid=LaDy_5GL
add channel=channel-2G country=netherlands datapath=dp-VL10-home \
    datapath.local-forwarding=no name=config-wifi_Guests security=\
    security-guests ssid=LaDy_Guests
add channel=channel-2G channel.frequency="" channel.secondary-frequency="" \
    country=netherlands datapath=dp-VL20-automation hide-ssid=no name=\
    config-wifi_automation security=security-automation ssid=LaDy_Domotica
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
add code=60 name=option60-vendorclass value="'IPTV_RG'"
/ip dhcp-server option
add code=60 name=option60-vendorclass value="'IPTV_RG'"
add code=28 name=option28-broadcast value="'10.0.10.255'"
add code=42 name=option42-ntp value="'10.0.10.1'"
/ip dhcp-server option sets
add name=IPTV options=option60-vendorclass,option28-broadcast
add name=REGULAR options=option42-ntp
/ip ipsec profile
add enc-algorithm=aes-192,aes-128,3des name=profile_1
/ip ipsec peer
# This entry is unreachable
add name=peer1 passive=yes profile=profile_1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,3des pfs-group=none
/ip pool
add name=VL100-management ranges=192.168.10.5-192.168.10.254
add name=l2tp-pool ranges=192.168.11.200-192.168.11.254
add name=VL20-automation ranges=10.0.20.5-10.0.20.254
add name=VL10-trusted ranges=10.0.10.10-10.0.10.254
add name=VL30-guests ranges=10.0.30.1-10.0.30.254
add name=VL15-servers ranges=10.0.15.1-10.0.15.254
add name=Backup-Pool ranges=10.100.0.1-10.100.0.254
/ip dhcp-server
add address-pool=VL100-management disabled=no interface=vlan100-management \
    name="vlan100-trusted management"
add address-pool=VL20-automation disabled=no interface=vlan20-automation \
    name=vlan20-automation
add add-arp=yes address-pool=VL10-trusted dhcp-option-set=REGULAR disabled=no \
    interface=vlan10-home name="vlan10-trusted homenet"
add address-pool=VL30-guests disabled=no interface=vlan30-guests name=\
    vlan30-guests
add address-pool=VL15-servers disabled=no interface=vlan15-servers name=\
    vlan15-servers
add address-pool=Backup-Pool disabled=no interface=bridge-lan name=\
    backup-dhcp
/ip ipsec mode-config
add address-pool=l2tp-pool name=cfg1 system-dns=no
/ppp profile
add change-tcp-mss=yes name=openVpn-client only-one=yes use-compression=no \
    use-encryption=required use-mpls=no use-upnp=no
add local-address=VL100-management name=default-l2tp on-up="/tool e-mail send \
    to=\"email\" subject=\"[MikroTik] Iemand logde in op VPN\" body\
    =\"\$user logde in op VPN.\"\r\
    \n" remote-address=l2tp-pool
/interface ovpn-client
add certificate=ca-windscribe.crt_0 cipher=aes256 connect-to=\
    ca.windscribe.com disabled=yes mac-address=02:B3:C9:13:EB:B7 name=\
    ovpn-out1-windscribe port=54783 profile=openVpn-client user=\
    ladegro_ztqvcfn6
/routing bgp instance
set default disabled=yes
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/caps-man manager
set ca-certificate=CAPsMAN-CA-1CDAF9107C99 certificate=CAPsMAN-1CDAF9107C99 \
    enabled=yes
/caps-man manager interface
add interface=ether5-Flex
add interface=ether3-Server
add disabled=no interface="ether2-HAPac Zolder"
add disabled=no interface=ether3-Server
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    config-wifi_2G name-format=prefix-identity name-prefix=CAP2G \
    slave-configurations=config-wifi_automation,config-wifi_Guests
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
    config-wifi_5G name-format=prefix-identity name-prefix=CAP5G
/interface bridge port
add bridge=bridge-lan hw=no interface="ether2-HAPac Zolder"
add bridge=bridge-lan interface=ether3-Server pvid=15
add bridge=bridge-lan hw=no interface=ether4-HAPac-Meterkast pvid=100
add bridge=bridge-lan hw=no interface=ether5-Flex pvid=100
add bridge=bridge-lan hw=no interface=ether6-Raspi pvid=15
add bridge=bridge-lan hw=no interface=ether7-envoy pvid=10
add bridge=bridge-lan hw=no interface=ether8-HPswitch pvid=100
add bridge=bridge-lan hw=no interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge-lan tagged=\
    "ether2-HAPac Zolder,ether4-HAPac-Meterkast,bridge-lan" vlan-ids=30
add bridge=bridge-lan tagged=\
    "ether4-HAPac-Meterkast,ether2-HAPac Zolder,bridge-lan,ether8-HPswitch" \
    untagged=ether7-envoy vlan-ids=10
add bridge=bridge-lan tagged=\
    "ether4-HAPac-Meterkast,ether2-HAPac Zolder,bridge-lan" vlan-ids=20
add bridge=bridge-lan tagged=\
    "bridge-lan,ether4-HAPac-Meterkast,ether2-HAPac Zolder" untagged=\
    ether3-Server,ether6-Raspi vlan-ids=15
add bridge=bridge-lan tagged=\
    "ether2-HAPac Zolder,ether4-HAPac-Meterkast,bridge-lan,ether8-HPswitch" \
    untagged=ether5-Flex vlan-ids=100
/interface l2tp-server server
set authentication=mschap2 default-profile=default-l2tp enabled=yes \
    use-ipsec=yes
/interface list member
add interface=bridge-lan list=LAN
add interface=combo1-WAN list=WAN
add interface=pppoe-KPN list=WAN
add interface=vlan4-iptv list=WAN
add interface=vlan6-internet list=WAN
add interface=vlan10-home list=LAN
add interface=vlan15-servers list=LAN
add interface=vlan20-automation list=LAN
add interface=vlan30-guests list=LAN
add interface=vlan100-management list=LAN
/ip address
add address=192.168.10.1/24 comment=defconf interface=vlan100-management \
    network=192.168.10.0
add address=10.0.20.1/24 interface=vlan20-automation network=10.0.20.0
add address=10.0.10.1/24 interface=vlan10-home network=10.0.10.0
add address=10.0.30.1/24 interface=vlan30-guests network=10.0.30.0
add address=10.0.15.1/24 interface=vlan15-servers network=10.0.15.0
add address=10.100.0.1/24 interface=bridge-lan network=10.100.0.0
add address=192.168.2.1 disabled=yes interface=bridge-lan network=192.168.2.0
/ip dhcp-client
add comment="uitgezet op combo1-WAN ivm directe koppeling zonder Experiabox. d\
    hcp zit nu op ppoe-verbinding" dhcp-options=hostname,clientid interface=\
    combo1-WAN use-peer-dns=no
add add-default-route=special-classless default-route-distance=254 \
    dhcp-options=option60-vendorclass,hostname,clientid disabled=no \
    interface=vlan4-iptv use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=10.0.10.0/24 comment="Trusted Home VLAN" dns-server=10.0.10.1 \
    gateway=10.0.10.1
add address=10.0.15.0/24 comment="Server VLAN" dns-server=10.0.15.1 gateway=\
    10.0.15.1
add address=10.0.20.0/24 comment="Automation VLAN" dns-server=10.0.15.6 \
    gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1
add address=10.100.0.0/24 comment="Backup-DHCP (no VLAN)" dns-server=\
    10.100.0.1 gateway=10.100.0.1
add address=192.168.10.0/24 comment="Management VLAN" dns-server=192.168.10.1 \
    gateway=192.168.10.1 ntp-server=192.168.10.1
/ip dns
set allow-remote-requests=yes cache-size=8192KiB servers=\
    8.8.4.4,1.1.1.1,8.8.8.8
/ip firewall address-list
add address=192.168.10.0/23 list=LAN
/ip firewall filter
add action=log chain=forward log-prefix=HERMES- src-address=192.168.10.10
add action=accept chain=input comment=IpSec dst-port=500,1701,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment=IpSec protocol=ipsec-esp
add action=accept chain=input comment="IpSec Authentication" protocol=\
    ipsec-ah
add action=accept chain=input comment="IPTV Multicast" dst-address=\
    224.0.0.0/8 in-interface=vlan4-iptv protocol=igmp
add action=accept chain=forward comment="IPTV Multicast" dst-address=\
    224.0.0.0/8 in-interface=vlan4-iptv protocol=udp
add action=accept chain=forward comment="IPTV Multicast" dst-address=\
    224.0.0.0/8 in-interface=vlan4-iptv protocol=udp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related routing-mark=!PPTP-VPN
add action=drop chain=input comment="Drop input from guest VLAN" \
    in-interface=vlan30-guests
add action=accept chain=input comment=\
    "defconf: Accept established, related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Accept all from LAN" \
    in-interface-list=LAN
add action=drop chain=input comment="Disable outside DNS requests" \
    connection-state=new dst-port=53 in-interface=pppoe-KPN protocol=tcp
add action=drop chain=input comment="Disable outside DNS or NTP requests" \
    connection-state=new dst-port=53,123 in-interface=pppoe-KPN protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=reject chain=input comment="Protect against KPN block" \
    in-interface=pppoe-KPN protocol=udp reject-with=icmp-port-unreachable
add action=drop chain=input comment="Drop all remaining WAN connections" \
    in-interface-list=WAN
add action=drop chain=forward comment=\
    "Forbid traffic from Automation VLAN 20 to internet" disabled=yes \
    in-interface=vlan20-automation out-interface=pppoe-KPN
add action=drop chain=forward comment=\
    "Forbid traffic to other than WAN on Guest network VLAN 30" disabled=yes \
    in-interface=vlan30-guests out-interface=!pppoe-KPN
add action=accept chain=forward comment=\
    "defconf: accept related, established, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="Drop all WAN not DST NATted" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Mark VPN traffic" \
    connection-nat-state=!dstnat disabled=yes dst-address=!192.168.10.0/24 \
    dst-address-list=!Host_ianbrown dst-port=\
    !32400,222,2006,993,995,563,9119,80,443,987,587,25,465 new-routing-mark=\
    PPTP-VPN passthrough=yes port="" protocol=tcp src-address=192.168.10.10
add action=mark-routing chain=prerouting comment="Mark VPN UDP traffic" \
    disabled=yes dst-address=!192.168.10.0/24 new-routing-mark=PPTP-VPN \
    passthrough=yes port=!32400 protocol=udp src-address=192.168.10.10
/ip firewall nat
add action=redirect chain=dstnat comment=\
    "FORCE DNS TO LOCAL MIKROTIK DNS SERVER" dst-port=53 in-interface-list=\
    LAN protocol=udp to-ports=53
add action=redirect chain=dstnat comment=\
    "FORCE DNS TCP TO LOCAL MIKROTIK DNS SERVER" dst-port=53 \
    in-interface-list=LAN protocol=tcp to-ports=53
add action=masquerade chain=srcnat out-interface=pptp-PIA
add action=masquerade chain=srcnat comment="Masquerade iptv" dst-address=\
    some/16 out-interface=vlan4-iptv
add action=masquerade chain=srcnat comment="Masquerade iptv" dst-address=\
    some/16 out-interface=vlan4-iptv
add action=masquerade chain=srcnat out-interface=pppoe-KPN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set sip disabled=yes
/ip ipsec identity
# Wrong mode-config
add generate-policy=port-override mode-config=request-only peer=peer1 \
    remote-id=ignore
/ip route
add distance=1 gateway=pptp-PIA routing-mark=PPTP-VPN
add disabled=yes distance=1 gateway=ovpn-out1-windscribe routing-mark=\
    PPTP-VPN-Windscribe
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/lcd
set time-interval=hour
/ppp secret
add name=laurens profile=default-l2tp service=l2tp
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=some/16,some/16 interface=vlan4-iptv \
    upstream=yes
add interface=vlan10-home
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=MT-CCR
/system logging
add disabled=yes prefix="L2TPDBG===>" topics=l2tp
add disabled=yes prefix="IPSECDBG===>" topics=ipsec
add disabled=yes topics=igmp-proxy
/system ntp client
set enabled=yes primary-ntp=some secondary-ntp=some
/system ntp server
set enabled=yes
/system routerboard settings
# Warning: cpu not running at default frequency
set cpu-frequency=600MHz

Export of the HAP-AC:

# aug/16/2019 22:50:45 by RouterOS 6.45.1
# software id = LFJC-SY1T
#
# model = RouterBOARD 962UiGS-5HacT2HnT
/interface bridge
add admin-mac=6C:3B:6B:18:97:F9 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Brother
set [ find default-name=ether2 ] name=ether2-Zeus
set [ find default-name=ether3 ] name=ether3-toCCR
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(20dBm), SSID: LaDy_2GL, local forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-1897FF wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5540/20-Ceee/ac(27dBm), SSID: LaDy_5GL, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-zolder wireless-protocol=802.11
# managed by CAPsMAN
# SSID: LaDy_Domotica, CAPsMAN forwarding
add mac-address=6E:3B:6B:18:97:FF master-interface=wlan1 mode=station name=\
    wlan27 ssid=HAPac-Zolder
# managed by CAPsMAN
# SSID: LaDy_Guests, CAPsMAN forwarding
add mac-address=6E:3B:6B:18:98:00 master-interface=wlan1 mode=station name=\
    wlan28 ssid=HAPac-Zolder
/interface vlan
add arp=proxy-arp interface=bridge name=vlan10-Home vlan-id=10
add interface=bridge name=vlan15-Servers vlan-id=15
add interface=bridge name=vlan100-Management vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-Zeus pvid=10
add bridge=bridge comment=defconf interface=ether3-toCCR
add bridge=bridge comment=defconf interface=ether4 pvid=15
add bridge=bridge comment=defconf interface=ether5 pvid=10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether1-Brother pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3-toCCR vlan-ids=100
add bridge=bridge tagged=ether3-toCCR,bridge untagged=\
    ether2-Zeus,ether1-Brother,ether5,wlan1 vlan-ids=10
add bridge=bridge tagged=ether3-toCCR,bridge,wlan28 untagged=\
    ether4,ether2-Zeus vlan-ids=15
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf disabled=yes interface=ether1-Brother list=WAN
add interface=vlan10-Home list=LAN
add interface=vlan100-Management list=LAN
/interface wireless cap
# 
set bridge=bridge discovery-interfaces=vlan100-Management enabled=yes \
    interfaces=wlan1,wlan2 static-virtual=yes
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge \
    network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    vlan100-Management
add dhcp-options=hostname,clientid disabled=no interface=vlan10-Home
add dhcp-options=hostname,clientid disabled=no interface=vlan15-Servers
/ip dhcp-relay
add dhcp-server=10.0.10.1 interface=vlan10-Home name=relay1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=HAPac-Zolder
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I think part of my misunderstanding of VLAN configuration is the correct place to add the VLAN ID. As I understood it, it should be done on the VLAN tab of the bridge, but what should you do with the PVID value on the Ports tab (double-clicking an interface, then on the VLAN tab)? Should that one stay at 1?

That’s not surprising because both the hAP ac and the CCR have an interface in the subnet/vlan “10” so no routing is necessary when you ping the workstation in that subnet/vlan from either of the two.


But your configuration shows it’s not the case - the hAP ac doesn’t have a static IP in the subnet/VLAN 10, so it’s unlikely you’d set the address from 10.0.10.0/24 dynamically assigned to the hAP ac as a gateway for the workstation. If the workstation gets its IP configuration from the DHCP server running on the CCR, it also gets 10.0.10.1 as a default gateway, so it should be all right.


It’s a bit confusing but think of it the following way:

  • the pvid value in /interface bridge port defines with what VLAN-ID the tagless frames should be tagged on ingress through that port
  • the position of the interface on tagged or untagged list for given vlan-ids in /interface bridge vlan defines whether the frame should be kept tagged or get untagged on egress through that port

So both have to be set in accord for normal use cases.
So having the same port on the untagged list for more than one vlan-ids entry, as you currently have e.g. for vlan-ids=10 and vlan-ids=15 for ether2-Zeus, is wrong, but it does not explain your trouble.

Another mistake that I can see but that also doesn’t explain your trouble is that you’ve attached a DHCP relay to vlan 10 on the hAP ac - this is not necessary because the DHCP server for 10.0.10.0/24 is visible directly in that VLAN. So just remove the dhcp-relay which is only necessary where the DHCP-server is not listening directly in the L2 segment it serves.

The IP firewall on the hAP ac is not relevant at all as the packets from the workstation towards 10.0.15.0/24 get to the 10.0.10.1 on the CCR at L2 layer; the firewall on the CCR doesn’t seem to prevent forwarding between 10.0.10.0/24 and 10.0.15.0/24. So I’m afraid you’ll have to run the packet sniffer to see what’s going on.

@sindy has covered points I was going to raise, a couple more:

On your HP1810-8G you don’t have to configure the ingress PVID, as shown under VLANs > VLAN Ports, separately - it is automatically generated from the ports set to Untagged under VLANs > Participation / Tagging. Also the HP only permits one VLAN to be selected as Untagged on a port, RouterOS doesn’t - you have to check yourself.

Why the liberal use of proxy-arp? As you are not sharing any of the ethernet subnets with your VPN server pool addresses it should be unnecessary.

In addition to the comments from sindy on the hAP AC you only need a single address, either static or using dhcp-client, for management access as all inter-VLAN traffic will be routed by the CCR.

Ok, so what I did:

  • delete the Zeus workstation from the vlan-15 untagged part on /interface bridge vlan
  • removed the dhcp clients on the Hap-ac for networks other than management network
  • checked that vlan ids for ports were the same on /interface bridge vlan and /interface port vlan
  • removed the dhcp relay on hap-ac (which was disabled by the way)

The liberal use of proxy-arp was set, iirc, to allow for IPTV to work. But I just followed another guide there so not sure in what way it would be required. Will try to adjust once I have these VLAN issues gone (as they don’t seem related?)

This didn’t change the outcome. I’ll try with packet sniffer tomorrow when time allows…

Edit: just checked a bit with the GUI version in Winbox of the packet sniffer. Filtered on the server-interface and the HAPAC interface and ICMP protocol. But not sure what to look for?

When sniffing on the HAP ac, I can see the receiving of icmp packets but I don’t see any replies from the workstation:

with as result on the HAP-AC:

and when I sniff on the CCR:

I verified that from another laptop I can ping the workstation without problems (from the same vlan/subnet) hence I assume any firewall issues are ootq?

I don’t understand why no reply packets are seen… Strangely enough there is no mention of vlan 15, only vlan 10?

The CCR packet sniffer shows:
Untagged packets arriving on ether3-Server from 10.0.15.10 destined for 10.0.10.5
Tagged packets with VID 10 leaving on ether2-HAPac from 10.0.15.10 destined for 10.0.10.5
so the CCR is forwarding the packets as expected.

The hAP packet sniffer shows:
Tagged packets with VID 10 arriving on ether3-toCCR from 10.0.15.10 destined for 10.0.10.5
Untagged packets leaving on ether2-Zeus from 10.0.15.10 destined for 10.0.10.5
so the hAP is also forwarding packets as expected.

It looks very much as though the workstation is not sending any replies, most likely a firewall on the computer [10.0.10.5] - try using tcpdump or Wireshark to check the ICMP requests are being received and if any replies are being sent.

Not seeing VID 15 is expected as the link carrying that traffic from the server is untagged, the CCR has routed the packet before it proceeds further.

Assuming that the other laptop is in the same subnet/vlan as the workstation, the issue may be the firewall on the workstation. E.g. Windows reportedly only responds to icmp echo requests (pings) if they come from the subnet to which the pinged address belongs.


It’s because sniffing takes place as close to the wire as possible. Hence on the CCR, the ingress frame on ether3-Server is first sniffed and only then tagged with VID 15; the egress frame is first tagged with VID 10 and only then sniffed on ether2-HAPac Zolder. On the hAP AC, the ingress frame on ether3-toCCR comes tagged, and gets untagged before being sniffed on ether2-Zeus.
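To make the sniffer observations above concrete, here is an added Python model (not RouterOS code and not from the thread) that walks the ping from 10.0.15.10 to 10.0.10.5 through the CCR and the hAP ac, recording what a capture point placed closest to the wire sees on each port: ingress frames are recorded before the pvid is applied, egress frames after the tag has been added or stripped. Port names follow the thread; the bridge tables, the connected-subnet routes and the L2 details (MAC addresses, ARP) are assumed or omitted.

```python
"""Trace of a routed ping through two bridge-VLAN devices with wire-side sniff points.
Constructed model: tables and routes are assumptions, port names follow the thread."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    src_ip: str
    dst_ip: str
    vid: Optional[int]      # None = untagged on the wire


# Constructed per-device tables: pvid per bridge port and the bridge vlan table as
# vid -> (tagged members, untagged members). "bridge-lan" is the CPU-facing port.
CCR: Dict = {
    "pvid": {"ether3-Server": 15, "ether2-HAPac": 1},
    "vlans": {10: ({"bridge-lan", "ether2-HAPac"}, set()),
              15: ({"bridge-lan"}, {"ether3-Server"})},
    "routes": {"10.0.10.0/24": 10, "10.0.15.0/24": 15},   # connected subnet -> VLAN interface
}
HAP: Dict = {
    "pvid": {"ether3-toCCR": 1, "ether2-Zeus": 10},
    "vlans": {10: ({"bridge-lan", "ether3-toCCR"}, {"ether2-Zeus"})},
}

Sniff = List[Tuple[str, str, Optional[int]]]


def ingress(dev: Dict, port: str, frame: Frame, sniff: Sniff) -> Frame:
    sniff.append((port, "in", frame.vid))              # sniffed as it came off the wire
    if frame.vid is None:                              # pvid is applied only afterwards
        frame = replace(frame, vid=dev["pvid"][port])
    tagged, untagged = dev["vlans"].get(frame.vid, (set(), set()))
    if port not in tagged | untagged:
        raise ValueError(f"{port}: vlan {frame.vid} not allowed on this port, frame dropped")
    return frame


def egress(dev: Dict, port: str, frame: Frame, sniff: Sniff) -> Frame:
    tagged, untagged = dev["vlans"][frame.vid]
    if port in untagged:
        frame = replace(frame, vid=None)               # tag stripped before the sniffer sees it
    elif port not in tagged:
        raise ValueError(f"{port}: not a member of vlan {frame.vid}, frame dropped")
    sniff.append((port, "out", frame.vid))             # sniffed after the tag decision
    return frame


def route(dev: Dict, frame: Frame) -> Frame:
    """CPU side of the bridge: the frame reaches the router through bridge-lan and is
    re-emitted on the VLAN interface owning the destination subnet (L2 rewrite omitted)."""
    if "bridge-lan" not in dev["vlans"][frame.vid][0]:
        raise ValueError(f"vlan {frame.vid} is not tagged on bridge-lan, CPU never sees it")
    for net, vid in dev["routes"].items():
        if ipaddress.ip_address(frame.dst_ip) in ipaddress.ip_network(net):
            return replace(frame, vid=vid)
    raise ValueError(f"no route to {frame.dst_ip}")


def trace_ping() -> Sniff:
    """Return the list of (port, direction, vid-on-the-wire) a sniffer would record."""
    sniff: Sniff = []
    f = Frame("10.0.15.10", "10.0.10.5", None)
    f = ingress(CCR, "ether3-Server", f, sniff)    # untagged in, internally VID 15
    f = route(CCR, f)                              # CCR routes 10.0.15.0/24 -> 10.0.10.0/24
    f = egress(CCR, "ether2-HAPac", f, sniff)      # leaves the trunk tagged VID 10
    f = ingress(HAP, "ether3-toCCR", f, sniff)
    f = egress(HAP, "ether2-Zeus", f, sniff)       # untagged towards the workstation
    return sniff


if __name__ == "__main__":
    for port, direction, vid in trace_ping():
        print(f"{port:14} {direction:3} {'untagged' if vid is None else 'VID ' + str(vid)}")
```

The trace never records VID 15: the only place it exists is inside the CCR between the ingress sniff point on ether3-Server and the routing step, which is exactly why the captures in the thread show untagged frames on the server port and VID 10 everywhere else.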

You guys seem to be right. When completely disabling all firewalls on the workstation, the ping reply comes back successfully!
Another problem with piHole not working (which I pointed towards the VLAN config) seemed to be caused by an old firewall rule.

Not a problem after all with mikrotik it seems :wink: Thanks for the help and insights.

Only remaining issue is that I can’t seem to get the VLANs working correctly over CAPSMAN managed SSIDs. Though I’ve added them to the datapath of the different configurations, in some modes (e.g. vlan 30 guests), clients don’t get a working route to the network. But I assume that might be another issue so I’ll investigate and open a new topic if needed.