Router OS 7.15.3 | intra vlan routing issue

Hello everyone,

I'm dealing with this issue… it seems that hosts are not able to communicate with the GW IP (address in vlan interface) nor with hosts in other vlans. However, they are reachable from other networks beyond the MK device.

I have this configuration:

/interface bridge
add name=AAA-AGG port-cost-mode=short priority=0 vlan-filtering=yes

/interface vlan
add interface=AAA-AGG name="vlan 11" vlan-id=11
add interface=AAA-AGG name="vlan 12" vlan-id=12
add interface=AAA-AGG name="vlan 13" vlan-id=13
add interface=AAA-AGG name="vlan 14" vlan-id=14
add interface=AAA-AGG name="vlan 20" vlan-id=20
add interface=AAA-AGG name="vlan 30" vlan-id=30

/interface bridge port
add bridge=AAA-AGG frame-types=admit-only-vlan-tagged interface=LAGG1
add bridge=AAA-AGG frame-types=admit-only-vlan-tagged interface=LAGG2
add bridge=AAA-AGG frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=AAA-AGG frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=30
add bridge=AAA-AGG frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=30
add bridge=AAA-AGG frame-types=admit-only-untagged-and-priority-tagged interface=wlan2 pvid=20
add bridge=AAA-AGG frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=20

/interface bridge vlan
add bridge=AAA-AGG tagged=AAA-AGG,LAGG1,LAGG2 vlan-ids=11
add bridge=AAA-AGG tagged=AAA-AGG,LAGG1,LAGG2 vlan-ids=12
add bridge=AAA-AGG tagged=AAA-AGG,LAGG1,LAGG2 vlan-ids=13
add bridge=AAA-AGG tagged=AAA-AGG,LAGG1,LAGG2 vlan-ids=14
add bridge=AAA-AGG tagged=AAA-AGG,LAGG1,LAGG2 vlan-ids=20
add bridge=AAA-AGG tagged=AAA-AGG,LAGG1,LAGG2 untagged=ether3,ether4,ether5 vlan-ids=30
add bridge=AAA-AGG untagged=AAA-AGG vlan-ids=1

/ip address
add address=10.7.11.1/24 interface="vlan 11" network=10.7.11.0
add address=10.7.12.1/24 interface="vlan 12" network=10.7.12.0
add address=10.7.13.1/24 interface="vlan 13" network=10.7.13.0
add address=10.7.14.1/24 interface="vlan 14" network=10.7.14.0
add address=10.7.30.1/24 interface="vlan 30" network=10.7.30.0
add address=192.168.20.1/24 interface="vlan 20" network=192.168.20.0

This behavior also happens with the FW disabled.

Please let me know if you need any additional info.
BR,

Hello people,

It seems that local traffic was being forwarded across the IPSEC we use.

To prevent this we added a new FIRST policy at ..

/ip ipsec policy
add action=none comment="Prevent local traffic to be forwarded across the IPSEC" dst-address=10.7.0.0/16 src-address=10.7.0.0/16

BR
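
An added example, not part of the original posts: a small Python model of top-to-bottom, first-match IPsec policy lookup that checks which local subnet pairs from the configuration above would be sent into the tunnel for a given policy order. The `TUNNEL` selector is a constructed assumption, since the thread does not show the real tunnel policy; `first_match` and `audit` are hypothetical helper names.

```python
import ipaddress

# Local subnets taken from the /ip address section of the post.
LOCAL = ["10.7.11.0/24", "10.7.12.0/24", "10.7.13.0/24",
         "10.7.14.0/24", "10.7.30.0/24", "192.168.20.0/24"]

# The bypass policy from the follow-up post.
BYPASS = {"src": "10.7.0.0/16", "dst": "10.7.0.0/16", "action": "none"}
# Constructed tunnel policy (assumption: the thread does not show the real one).
TUNNEL = {"src": "10.7.0.0/16", "dst": "10.0.0.0/8", "action": "encrypt"}


def first_match(policies, src, dst):
    """Return the first policy, top to bottom, whose selectors contain src and dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if s in ipaddress.ip_network(p["src"]) and d in ipaddress.ip_network(p["dst"]):
            return p
    return None  # no policy matches: the packet is routed normally


def audit(policies, subnets):
    """Return (src_net, dst_net) pairs of local subnets whose traffic would be encrypted.

    Uses host .10 of the source subnet and the .1 gateway of the destination
    subnet as representative addresses, including the same-subnet case.
    """
    leaked = []
    for a in subnets:
        for b in subnets:
            src = ipaddress.ip_network(a)[10]
            dst = ipaddress.ip_network(b)[1]
            hit = first_match(policies, str(src), str(dst))
            if hit and hit["action"] == "encrypt":
                leaked.append((a, b))
    return leaked


if __name__ == "__main__":
    for name, order in [("tunnel only", [TUNNEL]),
                        ("bypass after tunnel", [TUNNEL, BYPASS]),
                        ("bypass first", [BYPASS, TUNNEL])]:
        print(f"{name}: {len(audit(order, LOCAL))} local pairs sent into the tunnel")
```

Under these assumptions the bypass only takes effect when it sits above the tunnel policy, which is why it was added as the first policy.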