samsung smart TV +vlan = no internet access

RouterOS General
1

Hello everyone.

There is a huge problem with Samsung Smart TV (there are several tv, and no one works).
TV get an ip address, all ok, but internel service couldnt conect to the samsung servers and it is shows that no internet access at all.
By the way, all other devices -mobile, pads, wireless notebooks, wired pc - all works good. The only SmartTv and playstation doesn’t work.

Network is very simple - router = RB-951G-2HnD with eth1 internet uplink (real ip), eth3 - SW_WIFI uplink
SW_WIFI = Switch for WiFi and ethernet - CRS328-24P-4S+
Wifi - mikrotik doesn’t matter the model

firmware = 6.45.9

ROUTER
port 3 = SW_WIFI tag 13,14


# model = 951G-2HnD
# serial number = 

/interface bridge
add admin-mac=CC:2D:E0:B4:F3:A2 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
add name=bridge-tv

/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN

set [ find default-name=ether3 ] name=ether3-SW_WIFI
set [ find default-name=ether4 ] comment="samsung-temp" speed=10Mbps
/interface vlan
add interface=bridge name=bridge-vlan13 vlan-id=13
add interface=bridge name=bridge-vlan14 vlan-id=14

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add name="home users" ranges=192.168.12.1-192.168.12.250
add name=vlan14 ranges=192.168.14.1-192.168.14.10
add name=pptp ranges=172.16.25.10-172.16.25.20
add name=bridge-tv ranges=192.168.88.10-192.168.88.30
/ip dhcp-server
add address-pool="home users" disabled=no interface=bridge lease-time=10m15s \
    name="home users lan"
add address-pool=vlan14 disabled=no interface=bridge-vlan14 lease-time=10m45s \
    name=vlan14
add address-pool=bridge-tv disabled=no interface=bridge-tv name=bridge-tv

/interface bridge port
add bridge=bridge interface=ether3-SW_WIFI
add bridge=bridge interface=ether5
add bridge=bridge-tv interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=WAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2-SW_VIDEO,ether3-SW_WIFI vlan-ids=13,14

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add comment=defconf interface=bridge-tv list=LAN

/ip address
add address=192.168.12.254/24 comment=defconf interface=bridge network=\
    192.168.12.0
add address=192.168.13.254/24 interface=bridge-vlan13 network=192.168.13.0
add address=192.168.14.254/24 interface=bridge-vlan14 network=192.168.14.0
add address=1.2.3.4/24 interface=ether1-WAN network=1.2.3.0
add address=192.168.88.254/24 interface=bridge-tv network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1-WAN
/ip dhcp-server lease
add address=192.168.14.253 client-id=1:c4:ad:34:62:4a:4f comment=SW_WIFI \
    mac-address=C4:AD:34:62:4A:4F server=vlan14
add address=192.168.12.243 client-id=1:98:6:3c:9a:97:3 comment=tv \
    mac-address=98:06:3C:9A:97:03 server="home users lan"
/ip dhcp-server network
add address=192.168.12.0/24 dns-server=8.8.4.4,8.8.8.8,1.1.1.1 gateway=\
    192.168.12.254 netmask=24
add address=192.168.13.0/24 dns-server=8.8.4.4,8.8.8.8,1.1.1.1 gateway=\
    192.168.13.254 netmask=24
add address=192.168.14.0/24 dns-server=8.8.4.4,8.8.8.8,1.1.1.1 gateway=\
    192.168.14.254 netmask=24
add address=192.168.88.0/24 dns-server=8.8.4.4,8.8.8.8,1.1.1.1 gateway=\
    192.168.88.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 name=router.lan

/ip firewall filter

add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state="" \
    src-address=192.168.1.0/24

add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix=#1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=#2
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log-prefix=#3
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log-prefix=#4
add action=accept chain=input comment=UnblockCapsman disabled=yes \
    dst-address-type=local src-address-type=local
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
/ip firewall mangle
add action=change-mss chain=forward new-mss=1360 protocol=tcp tcp-flags=syn \
    tcp-mss=1453-65535
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
/ip route
add distance=1 gateway=1.2.3.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=router
/system logging
add topics=wireless
/system ntp client
set enabled=yes primary-ntp=85.21.78.91 secondary-ntp=88.147.254.234
/system package update
set channel=long-term

/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

SWITCH

port23 = tag vlan13, 14 uplink in port 3 router


# model = CRS328-24P-4S+
# serial number = 
/interface bridge
add admin-mac=52:BA:C3:F8:57:4D auto-mac=no comment=defconf name=bridge-vlan \
    vlan-filtering=yes
/interface vlan
add interface=ether23 name=vlan14 vlan-id=14
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge-vlan comment=defconf interface=ether1
add bridge=bridge-vlan comment=defconf interface=ether2
add bridge=bridge-vlan comment=defconf interface=ether3
add bridge=bridge-vlan comment=defconf interface=ether4
add bridge=bridge-vlan comment=defconf interface=ether5
add bridge=bridge-vlan comment=defconf interface=ether6
add bridge=bridge-vlan comment=defconf interface=ether7
add bridge=bridge-vlan comment=defconf interface=ether8
add bridge=bridge-vlan comment=defconf interface=ether9
add bridge=bridge-vlan comment=defconf interface=ether10
add bridge=bridge-vlan comment=defconf interface=ether11
add bridge=bridge-vlan comment=defconf interface=ether12
add bridge=bridge-vlan comment=defconf interface=ether13
add bridge=bridge-vlan comment=defconf interface=ether14
add bridge=bridge-vlan comment=defconf interface=ether15
add bridge=bridge-vlan comment=defconf interface=ether16
add bridge=bridge-vlan comment=defconf interface=ether17
add bridge=bridge-vlan comment=defconf interface=ether18
add bridge=bridge-vlan comment=defconf interface=ether19
add bridge=bridge-vlan comment=defconf interface=ether20
add bridge=bridge-vlan comment=defconf interface=ether21
add bridge=bridge-vlan comment=defconf interface=ether22
add bridge=bridge-vlan comment=defconf interface=ether23
add bridge=bridge-vlan comment=defconf interface=ether24 pvid=13
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge-vlan tagged=ether23 untagged=ether24 vlan-ids=13
add bridge=bridge-vlan tagged="ether23,ether1,ether22,ether21,ether20,ether19,\
    ether18,ether17,ether16,ether15,ether14,ether13,ether12,ether11,ether10,et\
    her9,ether8,ether7,ether6,ether5,ether4,ether3,ether2" vlan-ids=14
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=vlan14
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=SW_WIFI
/system ntp client
set enabled=yes primary-ntp=85.21.78.91 secondary-ntp=88.147.254.234
/system package update
set channel=long-term
/system routerboard settings
set boot-os=router-os

Samsung get an ip = 192.168.12.243, dns 8.8.8.8 8.8.4.4 1.1.1.1 gw 192.168.13.254 and shows - no internet

And finally, if i reset config on router, put TV into port 2-5, get default 192.168.88.5 - EVERYTHING WORKS. internet works good in TV and no problem, at all.

I try to plug TV into eth5 on my router with config above - doesn’t work.


What’s wrong in my configs???

2

Did you resolve this issue?

3

One of the things is that you mention that you get gateway 13.254, which is not possible, it should be 12.254.
Can you see from the router the “arp” of the samsung?
Can you ping the samsung from the router?
What happends if you enable logging on the ipnat masq rule?
What happends if you enable logging on the ipfirewall outgoing rule?

What happends if you stick in a laptop on the samsung port instead? and see what happends then?

It also appears that you only have “tagged” ports (includes the vlan id in a packet), and no untagged ports (which ‘stick’ the vlan label after the packet has entered
the port, instead of having that included from the device behind it).

Thanks,

4

The top post was made in 2020, hopefully it has been somehow solved.
In any case is improbable that the OP will come back to provide details more than three years later.

5

Right, I did not bother to look at the post time. It came up as a recent topic so I decided to put on the ‘superhero’ suit.
I didn’t even notice it decoloured a bit because of age :wink:

Thanks for showing that and well, we’ll assume it was either resolved or an alternative was found :slight_smile:

6

Yep, it happens to forget to check the dates.