Set up new vlan bridging mechanism, but can't ping devices on my trunk port

Hi, I am trying to set up VLANs to isolate subnets for my wifi network (vlanWifi with ID=300, 172.27.6.0/24) and my lan network (vlanInfra with ID=100, 172.27.7.0/24). vlanWifi has ether3 as an untagged port, vlanInfra has ether1 as an untagged port, and ether4 is a trunk port with both vlan IDs. I added all the ports to a bridge bridgeVlan with the vlan tag details, set two vlan interfaces on top of the bridge, assigned IPs to the vlan interfaces and set up my DHCP servers, and then enabled the bridge vlan filtering.

This works well for the untagged ports (ether1 and ether3), where the DHCP servers are picking up clients, but I can’t ping a static Linux client I connected to ether4, the trunk port.

I configured the Linux client with systemd-networkd, following the Arch Linux wiki page on VLANs, to have static IPs 172.27.7.2 for VLAN ID=100 and 172.27.6.2 for VLAN ID=300, with two systemd netdevs. I installed the right packages for VLAN usage and loaded the 8021q module, and these interfaces are up.

Could you please help me out? I am not sure what is wrong with my configuration.

Mikrotik configuration

# oct/01/2018 23:29:27 by RouterOS 6.43.2
# model = RouterBOARD 750G r3
#
# Summary of this export: two bridges. "bridge" is the defconf bridge (ether2
# only). "bridgeVlan" has VLAN filtering enabled with ether1 (access, VLAN 100),
# ether3 (access, VLAN 300) and ether4 (trunk, VLANs 100 and 300 tagged).
# Layer-3 VLAN interfaces vlanInfra/vlanWifi sit on top of bridgeVlan.
/interface bridge
add admin-mac=64:D1:54:B3:82:21 auto-mac=no comment=defconf name=bridge
# pvid=2 here applies to the bridge's own (CPU) port: untagged traffic to or
# from the bridge interface itself is classified into VLAN 2. No static
# /interface bridge vlan entry for VLAN 2 appears in this export.
add fast-forward=no name=bridgeVlan pvid=2 vlan-filtering=yes
/interface vlan
# Routed interfaces for the two VLANs; they only see traffic because
# bridgeVlan is listed as a tagged member of VLANs 100 and 300 below.
add interface=bridgeVlan name=vlanInfra vlan-id=100
add interface=bridgeVlan name=vlanWifi vlan-id=300
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# NOTE(review): the next three lines use ranges=, which is an /ip pool
# property, not an /interface list one. The "/ip pool" section header appears
# to have been lost when the export was pasted - confirm against the router.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-infra ranges=172.27.7.5-172.27.7.254
add name=pool-wifi ranges=172.27.6.5-172.27.6.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=pool-wifi disabled=no interface=vlanWifi name=dhcp-wifi
add add-arp=yes address-pool=pool-infra disabled=no interface=vlanInfra name=\
    dhcp-infra
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
# Access ports: untagged ingress on ether1 is placed in VLAN 100, on ether3 in
# VLAN 300.
add bridge=bridgeVlan interface=ether1 pvid=100
add bridge=bridgeVlan interface=ether3 pvid=300
# Trunk port. Neither frame-types nor ingress-filtering is set on any port in
# this export, so they are presumably at their defaults (compact exports omit
# default values). If so, ether4 still accepts untagged frames and puts them in
# VLAN 2. For VLAN isolation, a trunk is normally restricted with
# frame-types=admit-only-vlan-tagged ingress-filtering=yes, and access ports
# with frame-types=admit-only-untagged-and-priority-tagged.
add bridge=bridgeVlan interface=ether4 pvid=2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# VLAN membership table: ether4 and the bridge itself carry both VLANs tagged;
# each access port is the untagged member of its own VLAN.
add bridge=bridgeVlan comment="Wifi vlan" tagged=ether4,bridgeVlan untagged=\
    ether3 vlan-ids=300
add bridge=bridgeVlan comment="Infra vlan" tagged=ether4,bridgeVlan untagged=\
    ether1 vlan-ids=100
/interface list member
add comment=defconf interface=bridge list=LAN
add comment="mod from defconf" interface=ether5 list=WAN
# bridgeVlan and both VLAN interfaces are placed in LAN. Everything keyed on
# the LAN list in this export therefore treats the Wifi VLAN as trusted: the
# input chain's "drop all not coming from LAN" does not apply to it, and
# neighbor discovery, mac-server and mac-winbox are all allowed on it. If the
# Wifi VLAN is meant to be less trusted than Infra, keep vlanWifi out of LAN
# (or use a separate list) and allow only the services its clients need.
add interface=bridgeVlan list=LAN
add interface=vlanInfra list=LAN
add interface=vlanWifi list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=172.27.7.1/24 comment=Infra interface=vlanInfra network=\
    172.27.7.0
add address=172.27.6.1/24 comment=Wifi interface=vlanWifi network=172.27.6.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether5 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=172.27.6.0/24 comment=Wifi domain=.wifi.test gateway=172.27.6.1 \
    netmask=24
add address=172.27.7.0/24 comment=Infra domain=.infra.test gateway=172.27.7.1 \
    netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip firewall filter
# Input chain (traffic to the router itself): ICMP is accepted from anywhere
# ahead of the LAN-only drop, so the firewall is not what blocks pings to
# 172.27.7.1 / 172.27.6.1.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain (routed traffic): the only drop for new connections is the
# WAN rule at the end. Nothing here blocks routing between vlanWifi
# (172.27.6.0/24) and vlanInfra (172.27.7.0/24), so the VLANs are separated at
# layer 2 but still reachable from each other through the router. Isolating
# them needs an explicit rule such as action=drop chain=forward
# in-interface=vlanWifi out-interface=vlanInfra (and the reverse if wanted).
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Layer-2 management (MAC telnet / MAC WinBox) is limited to the LAN list,
# which in this export includes both VLAN interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# Sniffer is pre-filtered to 802.1Q frames; a capture on ether4 would show
# whether the client's tagged frames arrive and whether replies leave tagged.
/tool sniffer
set filter-mac-protocol=vlan

Systemd-networkd configuration


eth0.network
------------
# Parent interface: matches eth0, assigns no address via DHCP, and attaches the
# two VLAN netdevs eth0.100 and eth0.300 to it.
[Match]
Name=eth0
[Network]
DHCP=no
VLAN=eth0.100
VLAN=eth0.300

eth0.100.netdev
---------------
# Creates the 802.1Q sub-interface eth0.100; Id=100 matches the router's
# vlanInfra (vlan-id=100).
[NetDev]
Name=eth0.100
Kind=vlan
[VLAN]
Id=100

eth0.100.network
----------------
# Static addressing for eth0.100 in the Infra subnet (172.27.7.0/24).
[Match]
Name=eth0.100
[Network]
DHCP=no
[Address]
Address=172.27.7.2/24
# NOTE(review): systemd.network documents Gateway= under [Network] and
# [Route], not [Address], so this key is probably ignored with a warning -
# check the systemd-networkd journal. It is not needed to reach 172.27.7.1,
# which is on-link for this /24.
Gateway=172.27.7.1

eth0.300.netdev
---------------
# Creates the 802.1Q sub-interface eth0.300; Id=300 matches the router's
# vlanWifi (vlan-id=300).
[NetDev]
Name=eth0.300
Kind=vlan
[VLAN]
Id=300

eth0.300.network
----------------
# Static addressing for eth0.300 in the Wifi subnet (172.27.6.0/24).
[Match]
Name=eth0.300
[Network]
DHCP=no
[Address]
Address=172.27.6.2/24
# NOTE(review): systemd.network documents Gateway= under [Network] and
# [Route], not [Address], so this key is probably ignored with a warning -
# check the systemd-networkd journal. It is not needed to reach 172.27.6.1,
# which is on-link for this /24.
Gateway=172.27.6.1

What does the ifconfig command show when run on the Linux client? It should show 3 active devices, hopefully all of them with non-zero packet counts after you’ve been pinging all of its addresses.

Hi, thanks for the reply. I feel like the Linux setup is correct. The interfaces are up and the TX packet increases after I try to ping my router. See below.

There is another thing: I have enabled proxy-arp on my VLAN bridge bridgeVlan, and from that interface I can ARP ping 172.27.7.2, my Linux device. Regular ping doesn’t work, and I can’t do the same with the VLAN interfaces configured on top of the bridge.

root@beaglebone:/home/debian# ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::9259:afff:fe4f:a9a3  prefixlen 64  scopeid 0x20<link>
        ether 90:59:af:4f:a9:a3  txqueuelen 1000  (Ethernet)
        RX packets 1  bytes 155 (155.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 78  bytes 10815 (10.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 181  

eth0.100: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.27.7.2  netmask 255.255.255.0  broadcast 172.27.7.255
        ether 90:59:af:4f:a9:a3  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 33  bytes 3356 (3.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0.300: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.27.6.2  netmask 255.255.255.0  broadcast 172.27.6.255
        ether 90:59:af:4f:a9:a3  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 18  bytes 2726 (2.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1  (Local Loopback)
        RX packets 742  bytes 54633 (53.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 742  bytes 54633 (53.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@beaglebone:/home/debian# ping -c 3 172.27.7.1
PING 172.27.7.1 (172.27.7.1) 56(84) bytes of data.
From 172.27.7.2 icmp_seq=1 Destination Host Unreachable
From 172.27.7.2 icmp_seq=2 Destination Host Unreachable
From 172.27.7.2 icmp_seq=3 Destination Host Unreachable

--- 172.27.7.1 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2035ms
pipe 3

root@beaglebone:/home/debian# ping -c 3 172.27.6.1
PING 172.27.6.1 (172.27.6.1) 56(84) bytes of data.
From 172.27.6.2 icmp_seq=1 Destination Host Unreachable
From 172.27.6.2 icmp_seq=2 Destination Host Unreachable
From 172.27.6.2 icmp_seq=3 Destination Host Unreachable

--- 172.27.6.1 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2028ms
pipe 3
 
root@beaglebone:/home/debian# ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::9259:afff:fe4f:a9a3  prefixlen 64  scopeid 0x20<link>
        ether 90:59:af:4f:a9:a3  txqueuelen 1000  (Ethernet)
        RX packets 3  bytes 465 (465.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 87  bytes 11391 (11.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 181  

eth0.100: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.27.7.2  netmask 255.255.255.0  broadcast 172.27.7.255
        ether 90:59:af:4f:a9:a3  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 39  bytes 3608 (3.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0.300: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.27.6.2  netmask 255.255.255.0  broadcast 172.27.6.255
        ether 90:59:af:4f:a9:a3  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 21  bytes 2852 (2.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1  (Local Loopback)
        RX packets 1230  bytes 87631 (85.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1230  bytes 87631 (85.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0