Router and Switch configuration. Why can I ping the router but not the switch?

Hi all,

My router is a RB5009UG+S+ and my switch is a CRS328-24P-4S+.
I managed to set up the whole thing on my own and it seems to work for now (of course the firewall can be improved later).
The IP of my router is 10.0.17.1 and the IP of my switch is 10.0.17.100.
I have a management VLAN #17 which should only be allowed to access the router and switch. My "normal" VLAN is #30, which is where most of my clients are connected.
The only way to log in to the router and switch is by having access to my management network. From my normal network, no access is possible. So far so good.
Today I figured out that I can ping my router when I am in VLAN #30. But I can't ping my switch while I am in #30.

Since I am still learning about networking and RouterOS, can someone here maybe try to explain why this is happening? I am just trying to understand what's going on here.

Here are my configs:

# 2024-12-29 13:01:30 by RouterOS 7.15.3
# software id 
#
# model = RB5009UG+S+
# serial number = xxx
/interface bridge
add name=bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Trunk to the switch"
set [ find default-name=ether3 ] comment=\
    "For emergencies, when I lock myself out again"
/interface vlan
add interface=bridge name=door32 vlan-id=32
add interface=bridge name=homeautomation31 vlan-id=31
add interface=bridge name=house30 vlan-id=30
add interface=bridge name=mgmt17 vlan-id=17
add interface=ether2 name=pppoe-na10 vlan-id=10
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 comment=ISP disabled=no \
    interface=pppoe-na10 name=pppoe-na use-peer-dns=yes user=\
    xxx@xxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=defconf name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=143.0.0.2
add name=dhcp_pool5 ranges=10.0.30.200-10.0.30.250
add name=dhcp_pool6 ranges=10.0.17.2-10.0.17.6
add name=dhcp_pool7 ranges=10.0.31.200-10.0.31.250
add name=dhcp_pool8 ranges=10.0.32.200-10.0.32.250
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool1 interface=ether3 lease-time=10m name=dhcp1
add address-pool=dhcp_pool5 interface=house30 lease-time=10m name=dhcp2
add address-pool=dhcp_pool6 interface=mgmt17 lease-time=10m name=dhcp3
add address-pool=dhcp_pool7 interface=homeautomation31 lease-time=10m name=\
    dhcp4
add address-pool=dhcp_pool8 interface=door32 lease-time=10m name=dhcp5
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 \
    internal-path-cost=10 path-cost=10 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 \
    internal-path-cost=10 path-cost=10 pvid=30
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6 internal-path-cost=10 path-cost=10 pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7 internal-path-cost=10 path-cost=10 pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 internal-path-cost=10 path-cost=10 pvid=17
/ip firewall connection tracking
set udp-timeout=10s
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=30
add bridge=bridge tagged=bridge,ether4,ether1 vlan-ids=17
add bridge=bridge tagged=bridge,ether1 vlan-ids=31
add bridge=bridge tagged=bridge,ether1 vlan-ids=32
/interface list member
add comment=LAN interface=bridge list=LAN
add comment=ISP interface=pppoe-na list=WAN
add interface=house30 list=LAN
add comment="mgmt interfaces" interface=ether4 list=MGMT
add interface=mgmt17 list=MGMT
add interface=homeautomation31 list=LAN
add interface=door32 list=LAN
add interface=ether3 list=MGMT
/ip address
add address=143.0.0.1/24 interface=ether3 network=143.0.0.0
add address=10.0.30.1/24 interface=house30 network=10.0.30.0
add address=10.0.17.1/24 interface=mgmt17 network=10.0.17.0
add address=10.0.31.1/24 interface=homeautomation31 network=10.0.31.0
add address=10.0.32.1/24 interface=door32 network=10.0.32.0
/ip dhcp-server network
add address=10.0.17.0/24 dns-server=8.8.8.8 gateway=10.0.17.1
add address=10.0.30.0/24 dns-server=8.8.8.8 gateway=10.0.30.1
add address=10.0.31.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.31.1
add address=10.0.32.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.32.1
add address=17.0.0.0/24 dns-server=8.8.8.8 gateway=17.0.0.1
add address=30.0.0.0/24 dns-server=8.8.8.8 gateway=30.0.0.1
add address=143.0.0.0/24 dns-server=8.8.8.8 gateway=143.0.0.1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment=\
    "defconf: drop all not coming from Management VLAN" in-interface-list=\
    !MGMT
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no

=======================================================================================================================================

# 1971-01-06 01:57:49 by RouterOS 7.13
# software id
#
# model = CRS328-24P-4S+
# serial number = xxx
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether4 ] name=2n-front-eth4
set [ find default-name=ether15 ] name=Notfall-eth15
set [ find default-name=ether5 ] name=dg-eth5
set [ find default-name=ether18 ] name=nuc-eth18
set [ find default-name=ether2 ] name=kitchen-eth2
set [ find default-name=ether21 ] name=office1-eth21
set [ find default-name=ether22 ] name=office2-eth22
set [ find default-name=ether20 ] name=office3-eth20
set [ find default-name=ether19 ] name=office4-eth19
set [ find default-name=ether17 ] name=rasp-eth17
set [ find default-name=ether3 ] name=sma-sm-eth3
set [ find default-name=ether9 ] name=sma-wr-eth9
set [ find default-name=ether10 ] name=playsi-eth10
set [ find default-name=ether1 ] name=trunk-eth1
set [ find default-name=ether8 ] name=wifi-eg-eth8
set [ find default-name=ether6 ] name=wifi-kg-eth6
set [ find default-name=ether7 ] name=wifi-og-eth7
set [ find default-name=ether24 ] name=wz1-eth24
set [ find default-name=ether23 ] name=wz2-eth23
/interface vlan
add interface=bridge name=mgmt17 vlan-id=17
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.144.2-192.168.144.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=Notfall-eth15 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=trunk-eth1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=2n-front-eth4 pvid=32
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=dg-eth5 pvid=31
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=knx-eth2 pvid=31
add bridge=bridge interface=office1-eth21 pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=office2-eth22 pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=office3-eth20 pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=office4-eth19 pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=sma-sm-eth3 pvid=31
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=sma-wr-eth9 pvid=31
add bridge=bridge interface=wifi-eg-eth8 pvid=30
add bridge=bridge interface=wifi-kg-eth6 pvid=30
add bridge=bridge interface=wifi-og-eth7 pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wz1-eth24 pvid=31
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wz2-eth23 pvid=31
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=rasp-eth17 pvid=30
add bridge=bridge interface=intelnuc-eth18 pvid=17
add bridge=bridge interface=playsi-eth10 pvid=30
/interface bridge vlan
add bridge=bridge tagged=trunk-eth1,intelnuc-eth18 vlan-ids=30
add bridge=bridge tagged=\
    trunk-eth1,bridge,wifi-eg-eth8,wifi-og-eth7,wifi-kg-eth6 vlan-ids=17
add bridge=bridge tagged=\
    bridge,trunk-eth1,wifi-kg-eth6,wifi-eg-eth8,wifi-og-eth7,intelnuc-eth18 \
    vlan-ids=31
add bridge=bridge tagged=\
    bridge,trunk-eth1,wifi-kg-eth6,wifi-eg-eth8,wifi-og-eth7,intelnuc-eth18 \
    vlan-ids=32
/ip address
add address=192.168.144.1/24 interface=Notfall-eth15 network=192.168.144.0
add address=10.0.17.100/24 interface=mgmt17 network=10.0.17.0
/ip dhcp-server network
add address=192.168.144.0/24 dns-server=8.8.8.8 gateway=192.168.144.1
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os
/system swos
set identity=MikroTik
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=10.0.17.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

When I add this route to my switch, ping from #30 also works.

Now I still need to understand why :)
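A way to see the difference from the two consoles, added here as an example and not part of the post above. The addresses, interface names and rule comments are taken from the two exports; the VLAN 30 client address 10.0.30.200 (first address of dhcp_pool5) is an assumption.

```routeros
# Added example: confirm which rule the ping from VLAN 30 hits, and why
# the switch cannot answer. Run the first part on the RB5009.

# Zero the counters, ping 10.0.17.1 from a client in VLAN 30, then look at
# chain=input. The packet counter of "defconf: accept ICMP" increases and
# the later "defconf: drop all not coming from Management VLAN" rule stays
# at zero: echo requests are accepted before the in-interface-list check.
/ip firewall filter reset-counters-all
/ip firewall filter print stats where chain=input

# Second part, on the CRS328 before the default route was added. The echo
# requests do arrive on the management VLAN interface; only the replies
# have nowhere to go, so the sniffer shows requests but no replies.
/tool sniffer quick interface=mgmt17 ip-protocol=icmp

# Only the connected routes (10.0.17.0/24 and 192.168.144.0/24) are listed;
# nothing covers 10.0.30.0/24, so a reply to 10.0.30.200 is dropped.
/ip route print

# The route from the export gives the switch a path back via the router;
# afterwards the switch itself can reach VLAN 30 from its own address
# (assumed client address 10.0.30.200), provided the router forwards it.
/ip route add dst-address=0.0.0.0/0 gateway=10.0.17.1
/ping 10.0.30.200 src-address=10.0.17.100 count=3
```

The route check is the more useful of the two: a device with a single management address and no default route can receive from every VLAN the router lets through, but can only talk back to its own subnet.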

In short: being able to reach the router's IP address via a "non-native" interface is more or less a cosmetic thing.

A longer explanation: looking at the packet flow, it becomes obvious that one of the first things the stateful firewall does is classify ingress packets into firewall chains. If a packet targets any of the router's IP addresses (and is not being DST-NATed), it enters chain=input. Once it is there, the in-interface is generally not considered unless filter rules explicitly match on it. Routing decisions are made only for packets which need to leave the router (either being forwarded or being output of the router's own IP stack), so they don't affect ingress packets destined to the router itself.

Things are different for the switch, as it (most probably) only has a single IP address (in VLAN 17), so traffic can only target that single switch address … and has to pass your router and its firewall (if it allows such communication). Some other prerequisites have to be met, such as having a route which allows return packets to reach the connection peer. The router obviously does have it (connected subnets always have an implicit route towards member devices); the switch obviously didn't.

So if you want to make sure that only clients from VLAN 17 can create management connections to your router, then you'd have to change chain=input … depending on the whole rule set, it might be easiest to rearrange the rules and insert a "chain=input action=drop in-interface=!vlan17" (or something like this … note the exclamation mark, which negates the evaluation result) before the rules allowing management access. Another possibility is to add "in-interface=vlan17" to the existing rules allowing management access, which adds a requirement about the correct ingress interface.

One might be tempted to use src-address instead of in-interface … it is similar but not the same; sometimes it's possible to spoof the src address in a way which allows bi-directional communication … in-interface can't be spoofed.
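Both options from the reply, written out against the RB5009 export earlier in the thread. This is an added example, not code from either poster: the interface list MGMT, the VLAN interface mgmt17, the emergency port ether3 and the quoted rule comments come from the export; the management ports 22 and 8291, the new rule comments and the rp-filter setting are my additions.

```routeros
# Added example. In the exported chain=input, "accept ICMP" comes before
# the rule that checks in-interface-list, so echo requests from VLAN 30
# (and from WAN) are accepted and never reach the "!MGMT" drop.

# Option 1 from the reply: put an interface-based drop in front of every
# accept that does not look at the ingress interface. place-before with a
# find on the existing comment keeps the order deterministic.
# First an explicit management accept that matches on interface AND source
# address: a packet claiming 10.0.17.x but arriving on house30 fails the
# interface match and is dropped by the next rule, which a src-address-only
# rule would not do. Ports 22 and 8291 (SSH, Winbox) are assumed.
/ip firewall filter add chain=input action=accept protocol=tcp \
    dst-port=22,8291 in-interface-list=MGMT src-address=10.0.17.0/24 \
    comment="mgmt: SSH/Winbox only from management interfaces" \
    place-before=[find chain=input comment="defconf: accept ICMP"]
# Then the drop, which lands directly behind the accept above and still
# before "accept ICMP". in-interface-list=!MGMT rather than
# in-interface=!mgmt17 keeps the emergency port ether3 usable, because it
# is also a member of the MGMT list in the export.
/ip firewall filter add chain=input action=drop in-interface-list=!MGMT \
    comment="drop input not from management interfaces" \
    place-before=[find chain=input comment="defconf: accept ICMP"]
# The original copy at the end of the chain is now redundant.
/ip firewall filter remove \
    [find chain=input comment="defconf: drop all not coming from Management VLAN"]
# Side effect: the router no longer answers ping from WAN or from the other
# VLANs. If clients should keep pinging their gateway, add an accept for
# protocol=icmp in-interface-list=LAN in front of the drop.

# Option 2 from the reply, an alternative to the drop above: keep the order
# and add the interface requirement to the accepting rule instead.
# /ip firewall filter set [find chain=input comment="defconf: accept ICMP"] \
#     in-interface-list=MGMT

# Either way, traffic from MGMT that matches no rule is still accepted by
# the implicit accept at the end of chain=input, exactly as in the export.
# Check: after a ping to 10.0.17.1 from VLAN 30 the drop rule's counters
# increase and the client gets no reply.
/ip firewall filter print stats where chain=input

# Address-based matches can be backed by reverse-path filtering, which
# drops packets whose source address is not routed via the interface they
# arrived on. Safe here (single WAN, no asymmetric routing); keep it off
# on multi-WAN or policy-routed setups.
/ip settings set rp-filter=strict
```

The point of combining in-interface-list and src-address in one rule is the one the reply makes: the address is what the sender wrote, the interface is where the frame physically entered. Only the second is under the router's control.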