Problem routing two bridges

Hello,

This is my first post and I am quite new to mikrotik, although I understand a bit about networking.

I have purchased a RB952Ui-5ac2nD and have left the default configuration but have created a new bridge and changed the ether4 and ether5 ports to this new bridge.

Then I created a new network for that bridge, 192.168.77.1.

I assumed that by default, I could ping from one network to another, but I cannot.

From the router terminal itself I can ping either of the two networks and it works, but if I ping from bridge0 (the default configuration) to the network of bridge1, it does not reach.


ping from router

> ping 192.168.77.1  
  SEQ HOST                                     SIZE TTL TIME       STATUS                        
    0 192.168.77.1                               56  64 412us     
    1 192.168.77.1                               56  64 392us     
    2 192.168.77.1                               56  64 383us     
    sent=3 received=3 packet-loss=0% min-rtt=383us avg-rtt=395us max-rtt=412us

ping from bridge0 to bridge1 address

> ping 192.168.77.1 interface=bridge0
  SEQ HOST                                     SIZE TTL TIME       STATUS                        
    0 192.168.77.1                                                 timeout                       
    1 192.168.77.1                                                 timeout                       
    2 192.168.77.1                                                 timeout                       
    3 192.168.88.1                               84  64 92ms746us  host unreachable              
    sent=8 received=0 packet-loss=100%

ping from bridge1 to bridge0 address

> ping 192.168.88.1 interface=bridge1  
  SEQ HOST                                     SIZE TTL TIME       STATUS                        
    0 192.168.88.1                                                 timeout                       
    1 192.168.88.1                                                 timeout                       
    2 192.168.88.1                                                 timeout                       
    3 192.168.77.1                               84  64 89ms870us  host unreachable              
    sent=4 received=0 packet-loss=100%

What am I doing wrong?

This is the router configuration:

/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge0
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-xxxxxx wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-xxxxx wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge0 lease-time=10m name=defconf
/interface bridge port
add bridge=bridge0 comment=defconf interface=ether2
add bridge=bridge0 comment=defconf interface=ether3
add bridge=bridge1 comment=defconf interface=ether4
add bridge=bridge1 comment=defconf interface=ether5
add bridge=bridge0 comment=defconf interface=wlan1
add bridge=bridge0 comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge0 list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge0 network=\
    192.168.88.0
add address=192.168.77.1/24 interface=bridge1 network=192.168.77.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

It is generally advised not to use multiple bridges unless you really know why you need it. It can be a shortcut solution but it’s not optimal performance-wise (only 1 bridge can be HW offloaded and you will not know in advance which one) nor suited for future adaptation. For 2 subnets, it may do.
Your device does not know where to go to…
I suppose you did not define the needed route towards the other subnet?
Add route for 192.168.77.0/24 gateway bridge1

You also may have to revise your firewall rules to allow communication between both subnets.

Better approach (a bit more work to setup but more future proof and can, for some devices, benefit from HW offload) is to use VLAN, one per required subnet.
Check this excellent tutorial from member pcunite:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

I created two bridges because it was the easiest way to do this test and I didn’t want to make it more complicated. This is the first part of a more complex configuration. But if I can’t get beyond that, we’re off to a bad start.

The router automatically creates the routes by creating the networks and associating them to the corresponding interfaces.

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS      GATEWAY  DISTANCE
DAc 192.168.77.0/24  bridge1         0
DAc 192.168.88.0/24  bridge0         0

And I have not touched the firewall rules, the MikroTik standard, which in principle does not block access to the LAN.

I have also added bridge1 to the list of LAN interfaces, but I still can’t get it to work.

I know I can solve it with VLAN but this simple configuration should work without problems, and I don’t know if I’m skipping something obvious, or if I don’t understand the operation of this Router that doesn’t know how to route.

I just did another test, this time physically connecting a laptop to the ether5 port and from the laptop I can ping the two subnets.

That is, the router ping tool does not give correct results; I need a physical computer to be able to do the tests.

Well, one more thing I have learned today.

When you run ping with the interface= property set, this actually overrides the egress interface selection (you probably expected that it somehow selects the source IP address). Essentially you’re overriding part of the routing process, which (among other things) selects the egress interface.
So you’re trying to ping 192.168.77.1 by pushing ICMP packets out of bridge0. But bridge0 doesn’t have a way to reach that subnet.

In your first (successful) test case, the router pings its own IP stack (the other IP address) without ever touching the underlying network layers (of either bridge). Because that’s the way the Linux networking stack works. In essence, you can’t force a Linux device to use all the network layers below L3 if it determines that the destination is one of its own addresses. And I guess it’s the same with all OSes.

So yes, when trying to verify some routing settings, it is vital to use a real-life test setup (in your case that’s two laptops, each connected to one of the bridges).
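A small Python model of the behaviour this reply describes, added here as an illustration and not part of the thread or of RouterOS: the router's own addresses and the two connected routes from the OP's route list are constructed inline, and the `interface=` override, the local-stack short-circuit and the laptop-on-ether5 test are simulated so the three outcomes seen in the thread can be compared side by side.

```python
import ipaddress

# Constructed model of the router in this thread (added example, not RouterOS code):
# its own addresses and the two dynamic connected (DAc) routes from the OP's route list.
LOCAL_ADDRESSES = {"192.168.88.1": "bridge0", "192.168.77.1": "bridge1"}
CONNECTED_ROUTES = [
    (ipaddress.ip_network("192.168.88.0/24"), "bridge0"),
    (ipaddress.ip_network("192.168.77.0/24"), "bridge1"),
]


def lookup_egress(dst):
    """Longest-prefix match over the connected routes. Returns the egress
    interface name, or None when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in CONNECTED_ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def router_ping(dst, interface=None):
    """What the router's own `ping dst [interface=X]` does in this model."""
    if interface is None:
        # Without an override the stack answers for its own addresses before any
        # routing or bridge/L2 processing happens: the plain ping succeeds.
        if dst in LOCAL_ADDRESSES:
            return "reply from local stack"
        egress = lookup_egress(dst)
        return f"sent via {egress}" if egress else "no route to host"
    # interface= replaces the egress selection: the ICMP request is pushed out of
    # that interface regardless of the routing table, so only hosts on-link there
    # can answer. A router address that lives on the *other* bridge times out.
    on_link = any(ipaddress.ip_address(dst) in net and iface == interface
                  for net, iface in CONNECTED_ROUTES)
    return f"sent via {interface}" if on_link else "timeout"


def laptop_ping(laptop_ip, dst):
    """A laptop on one bridge (e.g. ether5 -> bridge1) pinging via the router.
    The router, as gateway, answers for its own addresses and forwards between
    the two connected subnets, which is why the laptop test works."""
    src_if = lookup_egress(laptop_ip)
    if src_if is None:
        return "laptop not on a connected subnet"
    if dst in LOCAL_ADDRESSES:
        return "reply from router"
    egress = lookup_egress(dst)
    if egress is None:
        return "no route to host"
    return "direct on the same subnet" if egress == src_if else f"forwarded via {egress}"
```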