Ping router interface in vlan environment

Hi everybody !

I have a working vlan network but there is a little tiny thing not working, and I think this is the tree hiding the forest :slight_smile:

I followed multiple guides to configure my routers. I’m not an expert, especially with MikroTik products (I discovered them recently).

I have an RB 3011, a mAP and a few manageable switches (TPLINK).

I have two VLANs, one named “private” with workstations, NAS, printers on it and one named “public” with a lot of different devices that only want internet. The mAP is emitting two SSIDs, one for the private VLAN and the other for the public VLAN.

This is working fine, but strangely, the mAP and the RB 3011 are not able to ping each other. This is (so far) the only problem I have. But I reviewed all my configurations and I cannot figure it out, so I think I have a deep misunderstanding of something. I will try to paste the relevant piece of configuration below. Please tell me if you need more information.

General information:

Vlan public : 10.0.10.0/24
Vlan private : 10.0.0.0/24
IPs of the RB : 10.0.0.1 on private and 10.0.10.1 on public
IPs of the mAP : 10.0.0.2 on private and 10.0.10.2 on public
On the RB 3011 the mAP is plugged on eth10
On the mAP the RB is plugged on eth1

RB 3011 configuration :
(I removed everything unrelated such as DHCP, DNS, etc.)

/interface bridge
add admin-mac=6C:3B:6B:F8:8E:BB auto-mac=no comment=defconf fast-forward=no name=bridge
add admin-mac=AA:24:75:31:E9:DD arp=reply-only auto-mac=no fast-forward=no name=bridge-vlan-private
add admin-mac=1C:FC:4B:89:A7:74 auto-mac=no fast-forward=no name=bridge-vlan-public

/interface vlan
add interface=ether10 name=vlan-private-map-wifi-eth10 vlan-id=3
add interface=ether10 name=vlan-public-map-wifi-eth10 vlan-id=2

/interface bridge port
add bridge=bridge-vlan-public interface=vlan-public-map-wifi-eth10
add bridge=bridge-vlan-private interface=vlan-private-map-wifi-eth10

/ip address
add address=10.0.10.1/24 interface=vlan-public-map-wifi-eth10 network=10.0.10.0
add address=10.0.0.1/24 interface=vlan-private-map-wifi-eth10 network=10.0.0.0
add address=ww.xx.yy.zz/nn interface=ether1 network=ww.xx.yy.zz

/ip firewall filter
add action=drop chain=forward disabled=yes dst-address=10.0.10.0/24 src-address=10.0.0.0/24
add action=drop chain=forward disabled=yes dst-address=10.0.0.0/24 src-address=10.0.10.0/24

mAP configuration :

/interface bridge
add admin-mac=32:E6:45:4A:04:DB auto-mac=no comment=defconf name=bridge
add admin-mac=CE:E8:70:01:FD:B9 auto-mac=no name=bridge-vlan-private
add admin-mac=FB:CE:B6:36:DE:8B auto-mac=no name=bridge-vlan-public

/interface vlan
add interface=ether1 name=vlan-private-eth1 vlan-id=3
add interface=ether1 name=vlan-public-eth1 vlan-id=2

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge name=wlan-public security-profile=wifi-public ssid=public wireless-protocol=802.11
add disabled=no mac-address=E6:8D:8C:7F:3C:E7 master-interface=wlan-public name=wlan-private security-profile=wifi-private ssid=intra wds-default-bridge=bridge-vlan-private wds-mode=dynamic-mesh

/interface bridge port
add bridge=bridge-vlan-public interface=vlan-public-eth1
add bridge=bridge-vlan-private interface=vlan-private-eth1
add bridge=bridge-vlan-private interface=wlan-private
add bridge=bridge-vlan-public interface=wlan-public

/ip address
add address=10.0.10.2/24 interface=vlan-public-eth1 network=10.0.10.0
add address=10.0.0.2/24 interface=vlan-private-eth1 network=10.0.0.0

/ip route
add distance=1 gateway=bridge-vlan-public

The problem is: when I try to ping the mAP from the RB or the RB from the mAP I get a timeout.

Everything else is working. All my Ethernet ports in the public bridge on the RB are correctly associated with the public VLAN and get the right IP from DHCP, and the same for the private network. The two different SSIDs are working well too.

I think I missed something about addresses because I don’t really get why I should put addresses here and not there, but I read the guides twice and I don’t see what I did wrong.

Here are the guides I’m talking about :
https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN
https://wiki.mikrotik.com/wiki/Vlans_on_Mikrotik_environment

Thank you all !

Cyril

Hi! Try to put the IPs on the bridges instead of the VLAN interfaces.

Hi,

Thanks for your reply.

I associated the IP 10.0.10.1 to the bridge interface “bridge-vlan-public” on the RB 3011 and the IP 10.0.10.2 to the bridge interface “bridge-vlan-public” on the mAP and they still don’t ping each other.

I looked at the routes, for each device the route toward the 10.0.10.0/24 network is via “bridge-vlan-public” so I think it’s good.

I still can’t ping the mAP from the RB and the RB from the mAP.

Any suggestions? Did I miss something in my configuration?

And BTW, can you explain to me why I should put IPs on bridges and not on VLAN interfaces? This is something I don’t understand.

Thanks

When you have interfaces (including VLAN interfaces) that are members of a bridge, you should do all IP configuration for them on the bridge and not on the interfaces themselves.
It sometimes works when you do, sometimes not.

Hi pe1chl,

Thanks for pointing it out, I wasn’t aware of this.

In my case it did not solve the problem, the router and the mAP are still blind to each other whereas the other devices are perfectly fine. I suspect this has something to do with the link between the router and the mAP being a trunk or something like that but my understanding is not good enough to get it right.

Does anyone see something odd in my configuration? Do you need more information?

Thanks

It is not a problem to have the router and access point management IP on a trunk/vlan, I use this all the time.
At the moment I have no time to really delve into your config but at cursory look it seems OK.
Just make VLAN subinterfaces on your ethernet trunk interface and put those subinterfaces on a bridge with the IP config.
That is what you have done.
Turn off STP on the bridges (protocol=none) to avoid any trouble with the problematic STP implementation.

I made some progress !

The DHCP server on the private network blocks the ARP requests from non-authorized MAC addresses.

Since my IPs are on the bridges, the MAC has changed, and when I put the MAC of the mAP’s bridge into the RB DHCP server, it delivered a proper IP and the two are now able to talk to each other on the private network.

But the DHCP server on the public network has no MAC filter and they still cannot talk (the public DHCP server does not deliver an IP to the public bridge of the mAP, and when I assign an IP manually I still cannot ping).

Anyway, I think I am getting closer to the proper solution, and more importantly the mAP now finally has internet and I can update it.

Half solved :wink:
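The two things this thread turned on, pe1chl's rule that an IP address belongs on the bridge rather than on a VLAN interface that is a bridge port, and the ARP behaviour of the private bridge (the RB export shows arp=reply-only on bridge-vlan-private, which only answers ARP for entries already in its ARP table, such as static or DHCP-added ones), can both be spotted mechanically in an export. The script below is an added example written for this thread, not MikroTik's code or tooling: it parses the `/export` layout shown in the posts (sections opened by a `/...` line, `add`/`set` lines with space-free `key=value` tokens, which is all this export uses) and reports those two pitfalls plus pe1chl's STP advice. It assumes the RouterOS bridge default protocol-mode is rstp when the key is absent from the export. The sample input is the RB 3011 export from the first post, trimmed.

```python
"""Lint a RouterOS '/export' snippet for the bridge/VLAN addressing pitfalls
raised in this thread (added example; not MikroTik's code or tooling)."""
import re
from collections import Counter, defaultdict

# key=value tokens; the export values in this thread contain no spaces
KV = re.compile(r"(\S+?)=(\S+)")

# Constructed sample: the RB 3011 export from the first post, trimmed.
SAMPLE_EXPORT = """
/interface bridge
add admin-mac=6C:3B:6B:F8:8E:BB auto-mac=no comment=defconf fast-forward=no name=bridge
add admin-mac=AA:24:75:31:E9:DD arp=reply-only auto-mac=no fast-forward=no name=bridge-vlan-private
add admin-mac=1C:FC:4B:89:A7:74 auto-mac=no fast-forward=no name=bridge-vlan-public
/interface vlan
add interface=ether10 name=vlan-private-map-wifi-eth10 vlan-id=3
add interface=ether10 name=vlan-public-map-wifi-eth10 vlan-id=2
/interface bridge port
add bridge=bridge-vlan-public interface=vlan-public-map-wifi-eth10
add bridge=bridge-vlan-private interface=vlan-private-map-wifi-eth10
/ip address
add address=10.0.10.1/24 interface=vlan-public-map-wifi-eth10 network=10.0.10.0
add address=10.0.0.1/24 interface=vlan-private-map-wifi-eth10 network=10.0.0.0
"""


def parse_export(text):
    """Return {section: [ {key: value}, ... ]} for a RouterOS export.

    A line beginning with '/' opens a section; each following 'add' or
    'set' line becomes one entry.  The '[ find default-name=x ]' selector
    of a 'set' line simply contributes a 'default-name' key, which is all
    this linter needs.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
        elif current and line.split(" ", 1)[0] in ("add", "set"):
            sections[current].append(dict(KV.findall(line)))
    return sections


def lint(text):
    """Return (kind, message) findings for the bridge/VLAN pitfalls."""
    cfg = parse_export(text)
    findings = []

    # Interface -> the bridge it is a port of.
    port_of = {p["interface"]: p["bridge"]
               for p in cfg["/interface bridge port"]
               if "interface" in p and "bridge" in p}

    # Pitfall 1 (pe1chl's point): an IP on an interface that is itself a
    # bridge port should live on the bridge instead.
    for a in cfg["/ip address"]:
        iface = a.get("interface")
        if iface in port_of:
            findings.append(("ip-on-bridge-port",
                             f"{a.get('address')} is on {iface}, a port of "
                             f"{port_of[iface]}; put the address on the bridge"))

    for b in cfg["/interface bridge"]:
        name = b.get("name", "?")
        # Pitfall 2 (what bit the private VLAN later in the thread):
        # arp=reply-only answers ARP only for entries already in the ARP
        # table, so a host without a static or DHCP-added entry is ignored.
        if b.get("arp") == "reply-only":
            findings.append(("arp-reply-only",
                             f"{name} has arp=reply-only; hosts without an ARP "
                             f"table entry (static or DHCP add-arp) get no reply"))
        # Pitfall 3 (pe1chl's advice): STP left at its default on the bridge.
        # Assumption: a missing protocol-mode means the RouterOS default, rstp.
        if b.get("protocol-mode", "rstp") != "none":
            findings.append(("stp-enabled",
                             f"{name} does not set protocol-mode=none "
                             f"(assumed RouterOS default is rstp)"))
    return findings


def summarize(text):
    """Count findings by kind, handy for a quick pass/fail check."""
    return Counter(kind for kind, _ in lint(text))


if __name__ == "__main__":
    for kind, msg in lint(SAMPLE_EXPORT):
        print(f"[{kind}] {msg}")
```

Run against the sample it reports the two addresses sitting on VLAN interfaces that are bridge ports, the reply-only ARP setting on bridge-vlan-private, and the three bridges that do not set protocol-mode=none. Paste your own `/export` output into SAMPLE_EXPORT (or read it from a file) to check a different device; a config with addresses on the bridges and protocol-mode=none produces no findings.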

Just saw your answer, thanks.

Once I assigned the IPs to the bridges, the problem looked obvious for the private network (MAC filter) but still not for the public network.

I will dig a bit and if I find something I will post it here.

I was afraid of missing something huge that would cause me some trouble in the future, but I’m now reassured that you guys didn’t find my configuration too odd.

Thanks !