I have the following issue:
box1 is connected to a Catalyst via a dot1q trunk interface using VLAN 2; the Catalyst is connected to a tagged interface on the MikroTik.
box2 and box3 are connected to the MikroTik.
box1 can ping the MikroTik IP bound to vlan2, but not box2/box3 on vlan2.
I have followed the wiki page, but seem to have missed something.
Please advise what could be wrong and how to debug it.
Here is the MikroTik config:
[admin@FF_r1] > export
# sep/14/2015 06:02:49 by RouterOS 6.29.1
# software id = TQGD-U4KL
#
# Interface setup: two bridges, port renames, the VLAN 2 interface and the
# switch group built around ethe23_sw1.
/interface bridge
add mtu=1500 name=bridge1 protocol-mode=stp
add name=bridge_vpn
/interface ethernet
set [ find default-name=ether1 ] name=eth1-DC
# this one is trunked to catalyst
set [ find default-name=ether23 ] name=ethe23_sw1
/interface vlan
# VLAN 2 is terminated in software on the trunk port; the 10.244.0.66 and
# 10.1.0.66 addresses further down are bound to this interface.
add interface=ethe23_sw1 l2mtu=1584 name=vlan2 vlan-id=2
/interface ethernet
# this one to box2
# master-port makes ether8 a slave of ethe23_sw1 (same hardware switch group).
set [ find default-name=ether8 ] master-port=ethe23_sw1 name=eth8
# this one to box3
set [ find default-name=ether20 ] master-port=ethe23_sw1 name=ethe20_to_first_Fa0_6
/interface ethernet switch
# NOTE(review): ingress VLAN-membership dropping is enabled only on the two
# access ports. The trunk port ethe23_sw1 is not in this list, so frames
# arriving from the Catalyst are presumably not checked against the VLAN
# table - confirm that is intended before relying on VLANs for separation.
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ethe20_to_first_Fa0_6,eth8
/ip ipsec policy group
set
/ip ipsec proposal
# NOTE(review): the default proposal still offers 3des next to the AES
# variants, so a peer may negotiate the weaker cipher; 3DES is a legacy
# 64-bit-block cipher and is normally removed from the list.
# pfs-group=none means phase 2 keys are derived without a fresh DH exchange
# (no perfect forward secrecy) - enable a PFS group if the clients support it.
set [ find default=yes ] enc-algorithms=3des,aes-256-cbc,aes-256-ctr pfs-group=none
# Switch-chip VLAN configuration: egress tagging, VLAN translation on the
# access ports and the VLAN membership table.
/interface ethernet switch egress-vlan-tag
add vlan-id=4090
add tagged-ports=ethe23_sw1 vlan-id=4091
# Disabled variant for VLAN 2 that also tagged the CPU port.
add disabled=yes tagged-ports=ethe23_sw1,switch1-cpu vlan-id=2
# NOTE(review): the only enabled VLAN 2 entry tags ethe23_sw1 but not
# switch1-cpu, while the vlan2 interface that holds the router's addresses
# lives on the CPU side. Possibly related to the reported symptom - verify
# against the switch documentation for this model.
add tagged-ports=ethe23_sw1 vlan-id=2
/interface ethernet switch egress-vlan-translation
# Applies to frames with customer VID 2 leaving the two access ports; no
# new-customer-vid is shown in this entry.
add customer-vid=2 ports=eth8,ethe20_to_first_Fa0_6
/interface ethernet switch ingress-vlan-translation
# Frames entering the two access ports are assigned customer VID 2.
add new-customer-vid=2 ports=ethe20_to_first_Fa0_6,eth8
/interface ethernet switch vlan
# NOTE(review): VLAN 2 members are eth8, ethe20_to_first_Fa0_6 and
# switch1-cpu; the trunk port ethe23_sw1 is not listed as a member.
# Check whether the trunk needs to be in this table for box1 <-> box2/box3
# traffic, and capture on the access ports to see where the frames stop.
add ports=eth8,ethe20_to_first_Fa0_6,switch1-cpu vlan-id=2
/ip address
# NOTE(review): ethe24_sw2_unsure is not defined anywhere in the export as
# posted (no rename line for it) - the paste may have been trimmed.
add address=192.168.88.1/24 comment="default configuration" interface=ethe24_sw2_unsure network=192.168.88.0
# NOTE(review): the address was masked by hand, but the network= value on the
# same line and the firewall/NAT rules below still show addresses from the
# same public range, so the redaction does not hide the router's location.
add address=XXXX.X/27 comment="main ip" interface=eth1-DC network=64.71.176.64
# Two subnets share the vlan2 interface.
add address=10.244.0.66/24 interface=vlan2 network=10.244.0.0
add address=10.1.0.66/24 interface=vlan2 network=10.1.0.0
/ip firewall filter
# NOTE(review): none of the filter rules below carries action=, and RouterOS
# defaults a rule's action to accept. No drop or reject rule appears in any
# chain of this export, so as posted nothing is actually filtered: every
# service the router runs is reachable on eth1-DC, the public interface.
# A practical baseline is accept established/related, accept the specific
# services needed, then drop the rest of input (and forward) from eth1-DC.
# NOTE(review): src-address here has no /24, unlike the next rule, so it
# appears to match the single address 10.127.127.0 only - likely a typo.
add chain=forward src-address=10.127.127.0
add chain=forward dst-address=10.127.127.0/24
# L2TP (1701) and IKE / NAT-T (500, 4500). Accepting 1701 without requiring
# that the packet arrived through IPsec presumably allows unencrypted L2TP
# from outside - confirm and restrict if so.
add chain=input port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
# NOTE(review): 0.0.0.0 without a prefix length appears to match only the
# literal address 0.0.0.0, not "any"; if these three rules were meant as
# catch-alls they likely never match. Verify with the rule counters.
add chain=output dst-address=0.0.0.0 src-address=0.0.0.0
add chain=input dst-address=0.0.0.0 src-address=0.0.0.0
# Accepts all traffic addressed to this public address on the DC interface,
# with no protocol or port restriction.
add chain=input dst-address=64.71.176.76 in-interface=eth1-DC
add chain=forward dst-address=0.0.0.0 src-address=0.0.0.0
/ip firewall nat
add chain=dstnat disabled=yes dst-address=0.0.0.0 in-interface=eth1-DC src-address=0.0.0.0
# Source NAT for 10.127.127.0/24 leaving via eth1-DC.
add action=masquerade chain=srcnat out-interface=eth1-DC src-address=10.127.127.0/24 to-addresses=64.71.176.66
/ip ipsec peer
# NOTE(review): the IPsec pre-shared key is included in clear text in this
# public export, next to addresses from the router's public range. Treat it
# as compromised and rotate it; use "export hide-sensitive" before sharing a
# configuration.
# No address= is shown, so the peer presumably accepts IKE from any source
# (RouterOS default) - combined with a human-readable PSK and 3des this is a
# weak remote-access setup; prefer a long random secret and AES.
add enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override secret=family-phone-vpn-66
/ip proxy
# Only the cache path is set here; no other proxy setting appears in the export.
set cache-path=web-proxy1