Ping not going outside of my vlans

Hi,
I set up 3 VLANs on a crs326, with a separate uplink interface to a crs309. Unfortunately I can't ping google or any other public IP, and name resolution doesn't work either.
Local IPs work fine.
crs309:

# 2023-08-02 20:57:43 by RouterOS 7.10
# software id = IMS4-51NW
#
# model = CRS309-1G-8S+
# serial number = HE508Z4TAJB
# CRS309 ("Freyr"), the upstream device. ether1 and sfp-sfpplus1-7 are bridged
# and the bridge holds 192.168.1.244/24; sfp-sfpplus8 stays outside the bridge
# as a routed link (172.16.50.1/24) towards 172.16.50.2.
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=sfp-sfpplus8 ] advertise=\
    10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
/interface list
# NOTE(review): list1 has no members and is not referenced anywhere else in
# this export.
add name=list1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
# NOTE(review): no "/ip dhcp-server" entry appears in this export, so nothing
# here hands out addresses from these pools. dhcp_pool7 and dhcp_pool8 are
# identical single-address pools (172.16.50.2).
add name=dhcp_pool_vlan_esxi ranges=172.16.10.2-172.16.10.14
add name=dhcp_pool_vlan_iLo ranges=172.16.20.2-172.16.20.14
add name=dhcp_pool_vlan_normal ranges=172.16.30.2-172.16.30.254
add name=dhcp_pool7 ranges=172.16.50.2
add name=dhcp_pool8 ranges=172.16.50.2
/port
set 0 name=serial0
/interface bridge port
# sfp-sfpplus8 is deliberately absent from this list (it is the routed uplink).
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=sfp-sfpplus2
add bridge=bridge interface=sfp-sfpplus3
add bridge=bridge interface=sfp-sfpplus4
add bridge=bridge interface=sfp-sfpplus5
add bridge=bridge interface=sfp-sfpplus6
add bridge=bridge interface=sfp-sfpplus7
add bridge=bridge ingress-filtering=no interface=ether1
/ip neighbor discovery-settings
# NOTE(review): neighbor discovery is enabled on every interface, including the
# bridge that sits on the 192.168.1.0/24 segment. Limiting it to a dedicated
# management interface list reduces what the device advertises about itself.
set discover-interface-list=all
/ip address
add address=192.168.1.244/24 interface=bridge network=192.168.1.0
add address=172.16.50.1/24 interface=sfp-sfpplus8 network=172.16.50.0
/ip dhcp-server network
# NOTE(review): this network is declared as 172.16.50.0/30, while sfp-sfpplus8
# is addressed as 172.16.50.1/24 above; the two prefix lengths disagree.
add address=172.16.50.0/30 gateway=172.16.50.1 netmask=30
/ip dns
# allow-remote-requests=yes makes this device answer DNS queries from clients.
# NOTE(review): no "/ip firewall filter" rules appear in this export, so nothing
# here limits which interfaces may query the resolver.
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall mangle
# Each rule sets routing-mark "main" on traffic from 172.16.50.0/24 to one of
# the VLAN subnets.
# NOTE(review): "main" is the table the routes below already live in, so these
# marks presumably do not change where packets go; confirm they are needed.
# The third rule matches 172.16.30.0/28, while the route for that VLAN below
# is 172.16.30.0/24.
add action=mark-routing chain=prerouting dst-address=172.16.10.0/28 \
    new-routing-mark=main passthrough=yes src-address=172.16.50.0/24
add action=mark-routing chain=prerouting dst-address=172.16.20.0/28 \
    new-routing-mark=main passthrough=yes src-address=172.16.50.0/24
add action=mark-routing chain=prerouting dst-address=172.16.30.0/28 \
    new-routing-mark=main passthrough=yes src-address=172.16.50.0/24
/ip route
# 10.0.0.0/8 is reached through 192.168.1.245 on the bridge segment.
add disabled=no distance=1 dst-address=10.0.0.0/8 gateway=192.168.1.245 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
# Static routes to the three VLAN subnets behind 172.16.50.2.
# NOTE(review): the first two dst-address values are written with host bits set
# (172.16.10.1/28, 172.16.20.1/28); the networks are 172.16.10.0/28 and
# 172.16.20.0/28. Verify how RouterOS stored them.
add disabled=no dst-address=172.16.10.1/28 gateway=172.16.50.2 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=172.16.20.1/28 gateway=172.16.50.2 routing-table=\
    main suppress-hw-offload=no
add disabled=no distance=1 dst-address=172.16.30.0/24 gateway=172.16.50.2 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
# Default route via 192.168.1.1.
# NOTE(review): no "/ip firewall nat" section appears in this export, so packets
# from the 172.16.x.x subnets leave towards 192.168.1.1 with their original
# source addresses. Replies only come back if that router has routes for those
# subnets or if this device source-NATs them. If a masquerade rule is added,
# restricting it with out-interface to the interface facing 192.168.1.1 keeps
# traffic between the internal subnets un-NATed.
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main \
    suppress-hw-offload=no
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=Freyr
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os

crs326

# 2023-08-02 18:49:22 by RouterOS 7.10.2
# software id = 1GRE-YVYJ
#
# model = CRS326-24G-2S+
# serial number = HDC080RG2WE
# CRS326: VLAN-aware bridge over ether1-24 (VLAN 10/20/30 access ports), with a
# gateway address and DHCP server per VLAN. sfp-sfpplus2 carries 172.16.50.2/24
# as the routed uplink towards 172.16.50.1.
/interface bridge
# vlan-filtering=yes turns on the bridge VLAN table below; ingress-filtering is
# explicitly disabled on the bridge interface itself.
add ingress-filtering=no name=bridge vlan-filtering=yes
/interface vlan
# L3 interfaces for each VLAN on top of the bridge.
# NOTE(review): vlan-99 gets no IP address anywhere in this export.
add interface=bridge name=vlan-10 vlan-id=10
add interface=bridge name=vlan-20 vlan-id=20
add interface=bridge name=vlan-30 vlan-id=30
add interface=bridge name=vlan-99 vlan-id=99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp-vlan-10 ranges=172.16.10.2-172.16.10.14
add name=dhcp-vlan-20 ranges=172.16.20.2-172.16.20.14
add name=dhcp-vlan-30 ranges=172.16.30.2-172.16.30.254
/ip dhcp-server
# One DHCP server per VLAN interface, each bound to its matching pool.
add address-pool=dhcp-vlan-10 interface=vlan-10 name=vlan-10
add address-pool=dhcp-vlan-20 bootp-support=dynamic interface=vlan-20 name=\
    vlan-20
add address-pool=dhcp-vlan-30 interface=vlan-30 name=vlan-30
/port
set 0 name=serial0
/interface bridge port
# Access ports: ether1-8 untagged in VLAN 10, ether9-16 in VLAN 20,
# ether17-24 in VLAN 30 (pvid sets the VLAN for untagged ingress frames).
add bridge=bridge interface=ether1 pvid=10
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether4 pvid=10
add bridge=bridge interface=ether5 pvid=10
add bridge=bridge interface=ether6 pvid=10
add bridge=bridge interface=ether7 pvid=10
add bridge=bridge interface=ether8 pvid=10
add bridge=bridge interface=ether9 pvid=20
add bridge=bridge interface=ether10 pvid=20
add bridge=bridge interface=ether11 pvid=20
add bridge=bridge interface=ether12 pvid=20
add bridge=bridge interface=ether13 pvid=20
add bridge=bridge interface=ether14 pvid=20
add bridge=bridge interface=ether15 pvid=20
add bridge=bridge interface=ether16 pvid=20
add bridge=bridge interface=ether17 pvid=30
add bridge=bridge interface=ether18 pvid=30
add bridge=bridge interface=ether19 pvid=30
add bridge=bridge interface=ether20 pvid=30
add bridge=bridge interface=ether21 pvid=30
add bridge=bridge interface=ether22 pvid=30
add bridge=bridge interface=ether23 pvid=30
add bridge=bridge interface=ether24 pvid=30
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
# The bridge itself is tagged in every VLAN so the vlan-NN interfaces above
# receive that VLAN's traffic.
add bridge=bridge tagged=bridge untagged=\
    ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=10
add bridge=bridge tagged=bridge untagged=\
    ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16 vlan-ids=\
    20
# NOTE(review): sfp-sfpplus2 is listed as tagged for VLAN 99, but it is not
# added under "/interface bridge port" in this export and carries an IP address
# directly; presumably this entry has no effect until the port joins the
# bridge. Confirm the intent.
add bridge=bridge tagged=sfp-sfpplus2,bridge vlan-ids=99
add bridge=bridge tagged=bridge untagged=\
    ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 vlan-ids=\
    30
/ip address
add address=172.16.10.1/28 interface=vlan-10 network=172.16.10.0
add address=172.16.20.1/28 interface=vlan-20 network=172.16.20.0
add address=172.16.50.2/24 interface=sfp-sfpplus2 network=172.16.50.0
add address=172.16.30.1/24 interface=vlan-30 network=172.16.30.0
/ip dhcp-client
# NOTE(review): DHCP client on the bridge interface itself. If it ever obtains
# a lease it may install its own default route next to the static one below.
# Verify that this is intended.
add interface=bridge
/ip dhcp-server network
add address=172.16.10.0/28 gateway=172.16.10.1
add address=172.16.20.0/28 gateway=172.16.20.1
add address=172.16.30.0/24 gateway=172.16.30.1
/ip dns
# allow-remote-requests=yes makes this device answer DNS queries from clients.
# NOTE(review): the input chain below accepts everything, so the resolver is
# reachable from every interface, not only from the VLANs.
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall address-list
# NOTE(review): list "spf+2" is defined but no rule in this export refers to it.
add address=172.16.50.0/24 list=spf+2
/ip firewall filter
# NOTE(review): every rule in this section is an accept (or fasttrack) and there
# is no drop rule, so the filter restricts nothing:
#  - forward rule 1 accepts established/related/untracked before the fasttrack
#    rule is reached, and the fasttrack rule has no connection-state matcher;
#  - "accept chain=input" has no matchers, so all traffic addressed to the
#    device itself is accepted from any interface and the icmp rule after it is
#    never reached;
#  - the last forward rule accepts traffic between all interfaces, so VLANs
#    10/20/30 can reach each other freely through this device.
# If the VLANs are meant to separate hosts, that needs explicit drop rules in
# forward and an input chain limited to the management sources.
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward hw-offload=yes
add action=accept chain=input
add action=accept chain=input protocol=icmp
add action=accept chain=forward in-interface-list=all out-interface-list=all
/ip route
# Both routes point at 172.16.50.1; the 10.0.0.0/8 entry is already covered by
# the default route through the same gateway.
add disabled=no dst-address=10.0.0.0/8 gateway=172.16.50.1 routing-table=main \
    suppress-hw-offload=no
add dst-address=0.0.0.0/0 gateway=172.16.50.1
/system identity
set name=CRS326
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os

image_2023-08-02_211420572.png

Hi,
I tested a different configuration with the crs309 as a router and the crs326 as a switch. After some troubleshooting I managed to get some pings out to the www: tracert and ping worked only after I activated masquerade on the router, which is kind of an issue for my use case in a homelab, as I have multiple VLANs in my home on different MikroTik devices and static routing is very important.
I will test whether I can put only the VLANs and DHCP on the crs326, and see whether the problem can only be fixed with masquerade.

Do you have routes to 172.16.10.0/28, 172.16.20.0/28, 172.16.30.0/24 and 172.16.50.0/24 on router 192.168.1.1?

Hi,
Router 192.168.1.1 is my ISP's router, so I can't add any route or modify anything on it.

  1. When specifying a model, write it in full. crs309 = CRS309-1G-8S+, crs326 = CRS326-24G-2S+ (this is clear only from the export; it could also have been a CRS326-24S+2Q+)
  2. What do you need VLANs for?
  3. They are two Switches, as routers they are bad.
  4. If you can’t change anything in the ISP’s router, the only thing you can do is worsen the network configuration.
  5. Double NAT sucks.
  6. What’s the point of using mangle if you only have one exit gateway?
  7. What’s the point of using mangle if you have to use the “main” route table?

Just out of curiosity, why does everyone keep saying that?
I have a couple of double NAT setups and I have yet to see a single problem because of that thing alone.
There are some additional challenges, yes, but mostly solvable.

  1. Why specify pools on both?
  2. Where is the (double) NAT (crappy)?

Especially from someone posting an initial configuration like the OP's.
Especially with a more-than-gigabit switch, the ideal is of course to rewrite every passing packet by NATting it twice.
(The declared throughput as a router with 25 filter rules is only 270 Mbps, and that figure is calculated without NAT; think how much further it drops with NAT…
against 88000 Mbps as a switch, which is what it was designed for…)

Mistake on my side, I deleted them.

Hmm, I just set up my crs326-24G-2S+ from scratch again and still can't ping; it is getting blocked at my crs309-1G-8S+. I haven't set up the VLANs yet. Trying to ping 192.168.1.1 or 1.1.1.1 via my uplink to the crs309 times out. No firewall rules are set on either device, so I don't know what could cause this.

Okay, I just did that (added masquerade) and it works, thanks man :smiley:

Solvable problem :laughing:

Read also the other points carefully…
I never* write anything at random…

Live a little, with 9 lives you can take some risks! :wink:

Are the "*" :laughing: