unifi ap / rb: can ping from router but cannot from hosts

lochesistemas · September 5, 2018, 9:57pm

Hi! I'm having a strange issue while pinging between bridge. I have 2 vlans with vlan filtering. If I disable the filter, I cannot ping from any device. However, if I enable the filter, I can ping everything within vlan200 (ie 192.168.200.250) but cannot ping from network 192.168.81.0

Here's my current config

sep/05/2018 18:50:31 by RouterOS 6.42.7

software id = RDPG-VAHY

model = RouterBOARD 962UiGS-5HacT2HnT

serial number = 8308072CEA76

/interface bridge
add admin-mac=64:D1:54:B8:C5:E9 auto-mac=no comment=defconf name=bridge
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-lan
set [ find default-name=ether4 ] disabled=yes name=ether4-arnet
set [ find default-name=ether5 ] name=ether5-dvr
/interface vlan
add interface=bridge name=vlan200-seguridad vlan-id=200
add interface=bridge name=vlan250-huespedes vlan-id=250
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods=""
management-protection=allowed mode=dynamic-keys name=privado
supplicant-identity="" wpa-pre-shared-key=bustillo wpa2-pre-shared-key=
bustillo
add authentication-types=wpa-psk,wpa2-psk eap-methods=""
management-protection=allowed mode=dynamic-keys name=charming
supplicant-identity="" wpa-pre-shared-key=tripadvisor
wpa2-pre-shared-key=tripadvisor
add authentication-types=wpa-psk,wpa2-psk eap-methods=""
management-protection=allowed mode=dynamic-keys name=casa
supplicant-identity="" wpa-pre-shared-key=bustillo wpa2-pre-shared-key=
bustillo
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=ap-bridge
name=Privado security-profile=privado ssid=Privado
set [ find default-name=wlan2 ] band=5ghz-a/n/ac mode=ap-bridge name=
"Privado 5Ghz" security-profile=privado ssid=Privado
add disabled=no keepalive-frames=disabled mac-address=66:D1:54:B8:C5:EF
master-interface=Privado multicast-buffering=disabled name=CHARMING
security-profile=charming ssid=CHARMING vlan-id=250 vlan-mode=use-tag
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add keepalive-frames=disabled mac-address=66:D1:54:B8:C5:F1 master-interface=
"Privado 5Ghz" multicast-buffering=disabled name="CHARMING 5Ghz"
security-profile=charming ssid=CHARMING vlan-id=250 vlan-mode=use-tag
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add keepalive-frames=disabled mac-address=66:D1:54:B8:C5:F0 master-interface=
Privado multicast-buffering=disabled name=Casa security-profile=casa
ssid=Casa vlan-id=200 vlan-mode=use-tag wds-cost-range=0
wds-default-cost=0 wps-mode=disabled
add keepalive-frames=disabled mac-address=66:D1:54:B8:C5:EE master-interface=
"Privado 5Ghz" multicast-buffering=disabled name="Casa 5Ghz"
security-profile=casa ssid=Casa vlan-id=200 vlan-mode=use-tag
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool-administracion ranges=192.168.81.102-192.168.81.249
add name=pool-seguridad ranges=192.168.200.1-192.168.200.249
add name=pool-huespedes ranges=192.168.250.2-192.168.250.249
/ip dhcp-server
add address-pool=pool-administracion disabled=no interface=bridge name=
dhcp-administracion
add address-pool=pool-huespedes disabled=no interface=vlan250-huespedes
lease-time=1d name=dhcp-huespdes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-lan
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge interface=ether5-dvr pvid=200
add bridge=bridge interface=vlan200-seguridad pvid=200
add bridge=bridge interface=vlan250-huespedes pvid=250
add bridge=bridge interface=Privado
add bridge=bridge interface=CHARMING pvid=250
/interface bridge vlan
add bridge=bridge tagged=ether2-lan,bridge,CHARMING vlan-ids=250,200
/interface list member
add interface=bridge list=LAN
add interface=vlan200-seguridad list=LAN
add interface=vlan250-huespedes list=LAN
add interface=ether1-wan list=WAN
add interface=ether4-arnet list=WAN
/interface wireless cap
set bridge=bridge discovery-interfaces=bridge interfaces=
"Privado,Privado 5Ghz"
/ip address
add address=192.168.81.1/24 interface=bridge network=192.168.81.0
add address=200.5.226.238/30 interface=ether1-wan network=200.5.226.236
add address=192.168.200.254/24 interface=vlan200-seguridad network=
192.168.200.0
add address=192.168.250.1/24 interface=vlan250-huespedes network=
192.168.250.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether4-arnet
/ip dhcp-server network
add address=192.168.81.0/24 gateway=192.168.81.1 netmask=24
add address=192.168.250.0/24 gateway=192.168.250.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.81.2-192.168.81.40 comment="1era tanda" list=arnet
add address=192.168.81.41 comment="CAMARA EN VIVO" list=fibra
add address=192.168.81.42-192.168.81.254 comment="2da tanda" list=arnet
add address=192.168.200.1-192.168.200.254 comment="nvr e iphone alberto"
list=fibra
add address=192.168.250.1-192.168.250.254 comment=huespedes list=fibra
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=arnet passthrough=
yes src-address-list=arnet
add action=mark-routing chain=prerouting new-routing-mark=fibra passthrough=
yes src-address-list=fibra
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-wan
add action=masquerade chain=srcnat out-interface=ether4-arnet
add action=dst-nat chain=dstnat dst-port=8888 in-interface=ether1-wan
protocol=tcp to-addresses=192.168.81.41 to-ports=80
/ip route
add check-gateway=ping distance=1 gateway=ether4-arnet routing-mark=arnet
add check-gateway=ping distance=1 gateway=200.5.226.237 routing-mark=fibra
add check-gateway=ping distance=2 gateway=200.5.226.237
add check-gateway=ping distance=2 gateway=ether4-arnet
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.81.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system routerboard settings
set silent-boot=no

lochesistemas · September 6, 2018, 11:42am

no one?

lochesistemas · September 6, 2018, 12:48pm

after several days, I found the solution by adding two route rules and everything is working fine now.

/ip route rule
add action=lookup-only-in-table dst-address=192.168.81.0/24 table=main
add action=lookup-only-in-table dst-address=192.168.200.0/24 table=main

now I can ping and access from everywhere.