Switch configuration in RB493 not working properly

drew010 · March 15, 2012, 7:35pm

Hardware: Routerboard 493AH
Firmware Version: 2.39
RouterOS Version: 5.14
Switch Chip: IC Plus 178C

I have applied some very basic configuration to a new RB493 from its default configuration. Everything works for the most part except for one major problem. When any PC on the switch sends traffic out to the internet, the return traffic destined only for the PC is passed to all switch ports.

Example:
Bob’s laptop is plugged into port 8 (192.168.50.150), John’s laptop is plugged into port 7 (192.168.50.149).
John runs wireshark and captures on his ethernet interface.
Bob goes to http://www.mikrotik.com, page loads fine
John sees all of the HTTP responses from http://www.mikrotik.com with destination address (192.168.50.150) even though John’s IP is 192.168.50.149. All of the other ports see the same response traffic.
John’s laptop DOES NOT see the any of the outgoing traffic from Bob, only the return traffic.

This happens for all traffic whether it is HTTP, ICMP, SSH, IMAP etc.

I have reverted to a basic configuration to test the problem. Here is ALL of the configuration entered into the router:

# add address to ether2 interface
/ip address add interface=ether2 address=192.168.50.1/24 network=192.168.50.0 broadcast=192.168.50.255 netmask=255.255.255.0

# make ether1 dhcp client
/ip dhcp-client add interface=ether1 add-default-route=yes use-peer-dns=yes disabled=no

# set up switch, make all ports slave to ether2
/interface ethernet set ether3 master-port=ether2
/interface ethernet set ether4 master-port=ether2
/interface ethernet set ether5 master-port=ether2
/interface ethernet set ether6 master-port=ether2
/interface ethernet set ether7 master-port=ether2
/interface ethernet set ether8 master-port=ether2
/interface ethernet set ether9 master-port=ether2

# configure dhcp server
/ip pool add name=dhcp ranges=192.168.50.100-192.168.50.150
/ip dhcp-server network add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.50.1 netmask=255.255.255.0
/ip dhcp-server add interface=ether2 name=dhcp-server address-pool=dhcp lease-time=1h enabled=yes

# configure firewall & NAT
/ip firewall filter add chain=input protocol=icmp action=accept
/ip firewall filter add chain=input connection-state=established action=accept
/ip firewall filter add chain=input connection-state=related action=accept
/ip firewall filter add chain=input in-interface=ether1 action=drop
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# set up dns
/ip dns set servers=8.8.8.8,8.8.4.4

Can someone help me identify why this is happening and show any commands I may need to type to prevent this from happening so the traffic only goes the the correct port?

I see on the Switch Chip Features page that this switch does not support a host table. Is this why it doesn’t know what the correct port is or am I misunderstanding that?

reverged · March 16, 2012, 4:11am

The switch chip has a forwarding database of 1k mac addresses, otherwise, it is not a switch, it is a hub and that would be really, really bad.
http://www.icplus.com.tw/Data/Datasheet/IP178Cx-DS-R13-20080925.pdf

Mikrotik chooses not to let you see the hosts table or they have to write some code to get it.
The chip also supports vlans, etc, like most switch chips.

You could try removing the slave config, bridge each interface with equal horizon and see if the problem persists.

One thing I am curious about: What is the dst mac address on packets that John sees? (packets that belong to Bob)

drew010 · March 30, 2012, 5:19pm

Hi, Thanks for the reply.

At the moment, I was only able to test over a VPN using machines that are on location using RDP into a laptop and SSH into a server.

From the SSH connection, I used lynx to go to google and I could see the response packets on the laptop through the RDP session. The source MAC was ether2 on the RouterBoard; the destination MAC was the VMWare MAC address for the server (not the laptop [both are on separate physical ports]). The problem still occurs with physical machines too and not only the Virtual Machines, also on different ports.

popcorrin · December 31, 2012, 4:14pm

drew010:

Hardware: Routerboard 493AH
Firmware Version: 2.39
RouterOS Version: 5.14
Switch Chip: IC Plus 178C

I have applied some very basic configuration to a new RB493 from its default configuration. Everything works for the most part except for one major problem. When any PC on the switch sends traffic out to the internet, the return traffic destined only for the PC is passed to all switch ports.

Example:
Bob’s laptop is plugged into port 8 (192.168.50.150), John’s laptop is plugged into port 7 (192.168.50.149).
John runs wireshark and captures on his ethernet interface.
Bob goes to http://www.mikrotik.com, page loads fine
John sees all of the HTTP responses from http://www.mikrotik.com with destination address (192.168.50.150) even though John’s IP is 192.168.50.149. All of the other ports see the same response traffic.
John’s laptop DOES NOT see the any of the outgoing traffic from Bob, only the return traffic.

This happens for all traffic whether it is HTTP, ICMP, SSH, IMAP etc.

I have 3 493AH’s and I see the exact same behavior on all of them. I also have a handful of 493G’s and as far as I can tell they don’t seem to experience this issue.
Has there been any resolution for this problem?