VLAN: unstable ping and connection

Hi,

I have configured several VLANs on my router, but I am experiencing considerable instability - losing approximately 8 pings every few seconds. Despite thorough double-checking, I have not identified any issues. Given my novice experience with VLANs, I am seeking advice.

I have a trunk linked to the switches through SFP and a server connected to ether5 (VLAN400) with a static IP 10.10.40.10, which is the target device for my pings.

Here is my configuration:

# Single bridge with VLAN filtering switched on; every VLAN interface below is created on top of it.
/interface bridge add name=bridge1 vlan-filtering=yes

# Port labels only: these lines set comments and do not change forwarding.
/interface ethernet set [ find default-name=ether1 ] comment=WAN
/interface ethernet set [ find default-name=ether2 ] comment=WAN
/interface ethernet set [ find default-name=ether3 ] comment=
/interface ethernet set [ find default-name=ether4 ] comment=
/interface ethernet set [ find default-name=ether5 ] comment="Server(VLAN 400)"
/interface ethernet set [ find default-name=sfp-sfpplus1 ] comment=Trunk
/interface ethernet set [ find default-name=sfp-sfpplus2 ] comment=Trunk

# WAN uplink: PPPoE client on ether1 that installs the default route. password= and user= are blank here,
# presumably stripped by the poster before publishing.
/interface pppoe-client add add-default-route=yes disabled=no interface=ether1 name=pppoe password= user=
# WireGuard interface with the private key blanked out.
# NOTE(review): listen-port=1 looks like a redaction artefact rather than the real port — confirm on the device.
/interface wireguard add comment=back-to-home-vpn listen-port=1 mtu=1412 name=back-to-home-vpn private-key=

# One routed (layer-3) VLAN interface per VLAN ID, all attached to bridge1. bridge1 is listed as a tagged
# member of these VLAN IDs in the /interface bridge vlan entries further down.
/interface vlan add interface=bridge1 name="vlan8" vlan-id=8
/interface vlan add interface=bridge1 name="vlan20" vlan-id=20
/interface vlan add interface=bridge1 name="vlan30" vlan-id=30
/interface vlan add interface=bridge1 name="vlan200" vlan-id=200
/interface vlan add interface=bridge1 name="vlan300" vlan-id=300
/interface vlan add interface=bridge1 name="vlan400" vlan-id=400
/interface vlan add interface=bridge1 name="vlan500" vlan-id=500
/interface vlan add interface=bridge1 name="vlan600" vlan-id=600
/interface vlan add interface=bridge1 name="vlan700" vlan-id=700

# Hotspot user profile: 20M/50M rate limit, week-long keepalive and MAC-cookie timeouts, and
# shared-users=1000000, which in practice puts no cap on concurrent logins per account.
/ip hotspot user profile add keepalive-timeout=1w mac-cookie-timeout=1w name=userprofile rate-limit=20M/50M session-timeout=2w1d shared-users=1000000 transparent-proxy=yes
# Hotspot server profile bound to 10.10.20.1.
# NOTE(review): login-by includes http-pap, which carries the password in clear text over HTTP, and trial,
# which admits clients without credentials. trial-uptime-reset=1s against a 2w1d limit presumably makes the
# trial limit reset almost immediately — confirm that this open-access behaviour is what the client VLAN needs.
/ip hotspot profile add dns-name=house hotspot-address=10.10.20.1 install-hotspot-queue=yes login-by=http-chap,http-pap,trial,mac-cookie name=hsprof1 trial-uptime-limit=2w1d trial-uptime-reset=1s trial-user-profile=userprofile

# Address pools. dhcp_pool0 and dhcp_pool1 are not referenced by any DHCP server in the posted portion.
/ip pool add name=dhcp_pool0 ranges=10.88.88.2-10.88.88.254
/ip pool add name=dhcp_pool1 ranges=192.168.89.2-192.168.89.254
/ip pool add name=dhcp_pool2 ranges=10.10.12.2-10.10.12.254
/ip pool add name=dhcp_pool3 ranges=192.168.8.2-192.168.8.254
/ip pool add name=dhcp_pool4 ranges=172.16.0.2-172.16.0.254
/ip pool add name=dhcp_pool5 ranges=10.10.20.2-10.10.23.254
/ip pool add name=dhcp_pool6 ranges=10.10.13.2-10.10.13.254
/ip pool add name=dhcp_pool7 ranges=10.10.30.2-10.10.30.254
# dhcp_pool8 spans 10.10.40.2-254, which includes the server's static address 10.10.40.10 mentioned in the post.
# NOTE(review): no exclusion or static lease for it is visible here — confirm, since a lease could collide with it.
/ip pool add name=dhcp_pool8 ranges=10.10.40.2-10.10.40.254
/ip pool add name=dhcp_pool9 ranges=10.10.50.2-10.10.50.254
/ip pool add name=dhcp_pool10 ranges=10.10.60.2-10.10.60.254
/ip pool add name=dhcp_pool11 ranges=10.10.70.2-10.10.70.254

# One DHCP server per VLAN interface.
# NOTE(review): the interface names used here ("vlan20 Mgmnt ONTs", "vlan 8 Mgmt OLT", ...) do not match the
# names created under /interface vlan ("vlan20", "vlan8", ...); presumably the export was hand-edited before
# posting. As written, these references would not resolve on import.
/ip dhcp-server add address-pool=dhcp_pool2 interface="vlan20 Mgmnt ONTs" lease-time=1h name=dhcp_20
/ip dhcp-server add address-pool=dhcp_pool3 interface="vlan 8 Mgmt OLT" lease-time=1h name=dhcp_8
# This server sits on bridge1 itself, i.e. it serves untagged traffic on the bridge rather than a VLAN interface.
/ip dhcp-server add address-pool=dhcp_pool4 interface=bridge1 lease-time=4h name=dhcp_trunk
/ip dhcp-server add address-pool=dhcp_pool5 interface="vlan200 Clients" lease-time=1h name=dhcp__200
/ip dhcp-server add address-pool=dhcp_pool6 interface="vlan30 Inmotica" lease-time=1h name=dhcp_30
/ip dhcp-server add address-pool=dhcp_pool7 interface="vlan300 IPTV" lease-time=1h name=dhcp_300
/ip dhcp-server add address-pool=dhcp_pool8 interface="vlan400 Staff" lease-time=8h name=dhcp_400
/ip dhcp-server add address-pool=dhcp_pool9 interface="vlan500 VOIP" lease-time=8h name=dhcp_500
/ip dhcp-server add address-pool=dhcp_pool10 interface="vlan600 Events" lease-time=8h name=dhcp_600
/ip dhcp-server add address-pool=dhcp_pool11 interface="vlan700 CCTV" lease-time=8h name=dhcp_700
# Hotspot on vlan200 using the same pool as dhcp__200, with no per-MAC address limit and no idle timeout.
/ip hotspot add address-pool=dhcp_pool5 addresses-per-mac=unlimited disabled=no idle-timeout=none interface="vlan200" name=hotspot1 profile=hsprof1



# Bridge membership. Ports added without pvid= use the default PVID (1), so untagged frames arriving on them
# are classified into VLAN 1 — the same untagged network that carries 172.16.0.0/24 on bridge1.
# NOTE(review): no frame-types or ingress-filtering is set on any port, so the RouterOS version defaults
# apply; confirm what the trunk and access ports actually admit.
/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridge1 interface=ether4
# Access port for the server: untagged frames on ether5 are placed in VLAN 400.
/interface bridge port add bridge=bridge1 comment=Server interface=ether5 pvid=400
/interface bridge port add bridge=bridge1 interface=ether6
/interface bridge port add bridge=bridge1 interface=ether7
/interface bridge port add bridge=bridge1 interface=ether8
/interface bridge port add bridge=bridge1 interface=ether9
/interface bridge port add bridge=bridge1 interface=ether10
/interface bridge port add bridge=bridge1 interface=ether11
/interface bridge port add bridge=bridge1 interface=ether12
/interface bridge port add bridge=bridge1 interface=ether13
/interface bridge port add bridge=bridge1 interface=ether14
/interface bridge port add bridge=bridge1 comment=Trunk interface=sfp-sfpplus1
/interface bridge port add bridge=bridge1 comment=Trunk interface=sfp-sfpplus2

# VLAN table. Both SFP+ ports, ether10 and the bridge (CPU port) are tagged members of every VLAN except 400.
# NOTE(review): ether10 receives all of these VLANs tagged but is not labelled as a trunk anywhere — confirm
# what is attached to it.
/interface bridge vlan add bridge=bridge1 comment=Trunk tagged=sfp-sfpplus1,sfp-sfpplus2,ether10,bridge1 vlan-ids=8,20,30,200,300,500,600,700
# VLAN 400: untagged on ether5, tagged on bridge1 and sfp-sfpplus1 only. sfp-sfpplus2 is NOT a member, so
# VLAN 400 is not carried on the second trunk.
/interface bridge vlan add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether5 vlan-ids=400


# Router addresses. 192.168.88.1/24 sits on ether15, which is not a bridge port in this export.
/ip address add address=192.168.88.1/24 comment=defconf interface=ether15 network=192.168.88.0
# One gateway address per VLAN interface.
/ip address add address=192.168.8.1/24 interface="vlan8" network=192.168.8.0
/ip address add address=10.10.12.1/24 interface="vlan20" network=10.10.12.0
/ip address add address=10.10.13.1/24 interface="vlan30" network=10.10.13.0
/ip address add address=10.10.20.1/22 interface="vlan200" network=10.10.20.0
/ip address add address=10.10.30.1/24 interface="vlan300" network=10.10.30.0
/ip address add address=10.10.40.1/24 interface="vlan400" network=10.10.40.0
/ip address add address=10.10.50.1/24 interface="vlan500" network=10.10.50.0
/ip address add address=10.10.60.1/24 interface="vlan600" network=10.10.60.0
/ip address add address=10.10.70.1/24 interface="vlan700" network=10.10.70.0
# 172.16.0.1/24 is assigned to bridge1 directly, i.e. to the untagged side of the bridge rather than a VLAN interface.
/ip address add address=172.16.0.1/24 interface=bridge1 network=172.16.0.0

# DHCP options per subnet: the router is handed out as both gateway and DNS server in every network.
/ip dhcp-server network add address=10.10.12.0/24 dns-server=10.10.12.1 gateway=10.10.12.1
/ip dhcp-server network add address=10.10.13.0/24 dns-server=10.10.13.1 gateway=10.10.13.1
/ip dhcp-server network add address=10.10.20.0/22 dns-server=10.10.20.1 gateway=10.10.20.1
/ip dhcp-server network add address=10.10.30.0/24 dns-server=10.10.30.1 gateway=10.10.30.1
/ip dhcp-server network add address=10.10.40.0/24 dns-server=10.10.40.1 gateway=10.10.40.1
/ip dhcp-server network add address=10.10.50.0/24 dns-server=10.10.50.1 gateway=10.10.50.1
/ip dhcp-server network add address=10.10.60.0/24 dns-server=10.10.60.1 gateway=10.10.60.1
/ip dhcp-server network add address=10.10.70.0/24 dns-server=10.10.70.1 gateway=10.10.70.1
/ip dhcp-server network add address=172.16.0.0/24 dns-server=172.16.0.1 gateway=172.16.0.1
/ip dhcp-server network add address=192.168.8.0/24 dns-server=192.168.8.1 gateway=192.168.8.1
# allow-remote-requests=yes makes the router answer DNS queries from other hosts; which interfaces can reach
# it depends entirely on the firewall. The raw rules later in this export drop port 53 on pppoe-ibred and ether2.
# NOTE(review): verify that those raw rules really cover the WAN interface, or the resolver is reachable from outside.
/ip dns set allow-remote-requests=yes servers=8.8.8.8

# Disabled placeholder in an unused chain (its comment says hotspot rules go here); it matches nothing.
/ip firewall filter add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
# NOTE(review): accepts ALL traffic addressed to the router itself that arrives on any PPP interface.
# The WAN uplink in this export is a PPPoE client, so this appears to cover input from the Internet side —
# confirm it is intended.
/ip firewall filter add action=accept chain=input in-interface=all-ppp
# SSH to the router is accepted with no src-address or in-interface match, i.e. from every VLAN and the WAN alike.
/ip firewall filter add action=accept chain=input comment="Allow SSH Input" dst-port=22 protocol=tcp
# NOTE(review): no drop rule for the input or forward chain appears in the posted portion, so nothing shown
# here restricts access to the router or traffic between VLANs. The poster says parts of the export were
# removed, so verify against the full configuration.
/ip firewall nat add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes

# Source NAT for traffic leaving through the WAN-side interfaces.
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1
/ip firewall nat add action=masquerade chain=srcnat out-interface=pppoe
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether2
# NOTE(review): the rules below match on src-address only, with no out-interface, so they also rewrite the
# source of traffic routed from one VLAN to another, not just Internet-bound traffic. Internal servers and
# logs then see the router's address instead of the real client. The out-interface rules above appear to
# cover WAN egress already.
/ip firewall nat add action=masquerade chain=srcnat src-address=10.10.12.0/24
/ip firewall nat add action=masquerade chain=srcnat src-address=10.10.13.0/24
/ip firewall nat add action=masquerade chain=srcnat src-address=10.10.20.0/22
/ip firewall nat add action=masquerade chain=srcnat src-address=10.10.30.0/24
/ip firewall nat add action=masquerade chain=srcnat src-address=10.10.40.0/24
/ip firewall nat add action=masquerade chain=srcnat src-address=10.10.50.0/24
/ip firewall nat add action=masquerade chain=srcnat src-address=10.10.60.0/24
/ip firewall nat add action=masquerade chain=srcnat src-address=10.10.70.0/24
/ip firewall nat add action=masquerade chain=srcnat src-address=192.168.8.0/24
/ip firewall nat add action=masquerade chain=srcnat src-address=172.16.0.0/24
# Same match as the 10.10.20.0/22 rule a few lines up; this copy can never be reached.
/ip firewall nat add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.10.20.0/22

# Raw prerouting: drop DNS (UDP and TCP port 53) arriving on pppoe-ibred and ether2, before connection tracking.
# NOTE(review): the PPPoE client above is named "pppoe", not "pppoe-ibred"; presumably a name was changed for
# posting. If the names really differ on the device, these rules do not protect the WAN-facing resolver.
/ip firewall raw add action=drop chain=prerouting dst-port=53 in-interface=pppoe-ibred protocol=udp
/ip firewall raw add action=drop chain=prerouting dst-port=53 in-interface=ether2 protocol=udp
/ip firewall raw add action=drop chain=prerouting dst-port=53 in-interface=pppoe-ibred protocol=tcp
/ip firewall raw add action=drop chain=prerouting dst-port=53 in-interface=ether2 protocol=tcp
# Accept for sources in the "Allowed" address list. It is the last raw rule and no drop follows it, so it does
# not change the outcome for any packet; the list itself is not defined in the posted portion.
/ip firewall raw add action=accept chain=prerouting comment="Allow allowed" src-address-list=Allowed

Do you see anything wrong?

To add more information,

I can ping the IP 172.16.0.10, which is part of VLAN 1, with no ping loss, so there has to be a misconfiguration of the VLANs somewhere…
The device is a CCR2004-16G-2S+.

Many thanks!

Many things wrong

  1. first its not a complete export
    /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)

  2. You're mixing apples and oranges: once you go VLANs, don't have the bridge do any DHCP; simply give that subnet a VLAN like the rest…
    http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Thanks for the reply!

1.- Sorry, I have removed part of export that seemed unnecessary to me; I will incorporate the remaining configuration.

2.- I am unsure about this aspect; should I establish a VLAN with PVID 1 and configure DHCP on VLAN1 instead of the bridge? My intention is to have the trunk default to VLAN1, enabling all connected switches to receive an IP automatically with no further configuration.


I’m reading through the link you provided, Thanks!

As you can see on the provided link, use of vlan1 is a NO GO.
Make it vlan10 and you are good. Vlan1 is used by the router in the background, do not use!!

If you need an example, think of the base vlan as vlan1

Thanks! I feel I’m getting close to the solution and understanding of VLANs in MikroTik. I’m still losing pings on my VLAN.

What I’ve corrected through the learning from the link you provided is that I’m not using VLAN1 anymore, but instead VLAN10 for my management VLAN.

I have set all the trunk ports’ PVID to 10 (and also given the bridge PVID 10) so all devices get an automatic management IP, but here is where I’m confused. In the first example, he sends VLAN99 as a management IP but keeps all the PVID ports at 1. In the case we connect a new switch, it won’t get an IP from DHCP and will be inaccessible since, by default, devices get an IP from VLAN1. That’s how I understand it, but I’m feeling like I’m missing something. Clearly, something is wrong in my configuration because I’m still losing most of the pings.


Here is the config right now:

Many thanks!

# Bridge now has PVID 10 and DHCP snooping enabled in addition to VLAN filtering.
# NOTE(review): DHCP snooping depends on bridge ports being marked trusted; none of the bridge port lines in
# this export set trusted=yes — confirm which ports are allowed to carry DHCP server replies.
/interface bridge add dhcp-snooping=yes name=bridge1 pvid=10 vlan-filtering=yes
# Port labels only. ether5 is now labelled Trunk instead of Server.
/interface ethernet set [ find default-name=ether1 ] comment=WAN
/interface ethernet set [ find default-name=ether2 ] comment=
/interface ethernet set [ find default-name=ether3 ] comment=
/interface ethernet set [ find default-name=ether4 ] comment=
/interface ethernet set [ find default-name=ether5 ] comment=Trunk
/interface ethernet set [ find default-name=sfp-sfpplus1 ] comment=Trunk
/interface ethernet set [ find default-name=sfp-sfpplus2 ] comment=Trunk
# PPPoE client on ether1; its name and credentials are blanked in this export.
/interface pppoe-client add add-default-route=yes disabled=no interface=ether1 name=
# WireGuard interface listening on UDP 1525; no private key is shown in this export.
/interface wireguard add comment=back-to-home-vpn listen-port=1525 mtu=1412 name=back-to-home-vpn
# Routed VLAN interfaces on bridge1; VLAN 10 is new compared with the first export.
# NOTE(review): several names here differ from the names used later: VLAN 8 is called "vlan" while other
# lines refer to "vlan8" / "vlan 8", and "vlan30 " / "vlan400 " carry a trailing space inside the quotes.
# Presumably editing artefacts; on a real device mismatched names would not resolve.
/interface vlan add interface=bridge1 name="vlan" vlan-id=8
/interface vlan add interface=bridge1 name="vlan10" vlan-id=10
/interface vlan add interface=bridge1 name="vlan20" vlan-id=20
/interface vlan add interface=bridge1 name="vlan30 " vlan-id=30
/interface vlan add interface=bridge1 name="vlan200" vlan-id=200
/interface vlan add interface=bridge1 name="vlan300" vlan-id=300
/interface vlan add interface=bridge1 name="vlan400 " vlan-id=400
/interface vlan add interface=bridge1 name="vlan500" vlan-id=500
/interface vlan add interface=bridge1 name="vlan600" vlan-id=600
/interface vlan add interface=bridge1 name="vlan700" vlan-id=700

# Address pools. dhcp_pool0 and dhcp_pool1 are not referenced by any DHCP server in this export.
/ip pool add name=dhcp_pool0 ranges=10.88.88.2-10.88.88.254
/ip pool add name=dhcp_pool1 ranges=192.168.89.2-192.168.89.254
/ip pool add name=dhcp_pool2 ranges=10.10.12.2-10.10.12.254
/ip pool add name=dhcp_pool3 ranges=192.168.8.2-192.168.8.254
# Management pool now starts at .10, leaving 172.16.0.2-9 outside DHCP.
/ip pool add name=dhcp_pool4 ranges=172.16.0.10-172.16.0.254
/ip pool add name=dhcp_pool5 ranges=10.10.20.2-10.10.23.254
/ip pool add name=dhcp_pool6 ranges=10.10.13.2-10.10.13.254
/ip pool add name=dhcp_pool7 ranges=10.10.30.2-10.10.30.254
/ip pool add name=dhcp_pool8 ranges=10.10.40.2-10.10.40.254
/ip pool add name=dhcp_pool9 ranges=10.10.50.2-10.10.50.254
/ip pool add name=dhcp_pool10 ranges=10.10.60.2-10.10.60.254
/ip pool add name=dhcp_pool11 ranges=10.10.70.2-10.10.70.254
# One DHCP server per VLAN interface; none is bound to bridge1 itself any more.
/ip dhcp-server add address-pool=dhcp_pool2 interface="vlan20" lease-time=1h name=dhcp_ont_20
# NOTE(review): "vlan 8" does not match the VLAN 8 interface name in this export ("vlan") — confirm.
/ip dhcp-server add address-pool=dhcp_pool3 interface="vlan 8" lease-time=1h name=dhcp_olt_8
# The former bridge-level server (dhcp_trunk) now serves the vlan10 management interface.
/ip dhcp-server add address-pool=dhcp_pool4 interface="vlan10" lease-time=4h name=dhcp_trunk
/ip dhcp-server add address-pool=dhcp_pool5 interface="vlan200" lease-time=1h name=dhcp_clients_200
/ip dhcp-server add address-pool=dhcp_pool6 interface="vlan30" lease-time=1h name=dhcp_inmotica_30
/ip dhcp-server add address-pool=dhcp_pool7 interface="vlan300" lease-time=1h name=dhcp_iptv_300
/ip dhcp-server add address-pool=dhcp_pool8 interface="vlan400" lease-time=8h name=dhcp_staff_400
/ip dhcp-server add address-pool=dhcp_pool9 interface="vlan500" lease-time=8h name=dhcp_voip_500
/ip dhcp-server add address-pool=dhcp_pool10 interface="vlan600" lease-time=8h name=dhcp_events_600
/ip dhcp-server add address-pool=dhcp_pool11 interface="vlan700" lease-time=8h name=dhcp_cctv_700


# Every bridge port, trunks included, now has pvid=10, so an untagged frame arriving on ANY port is classified
# into VLAN 10 — the VLAN the poster uses for management (172.16.0.0/24).
# NOTE(review): this means any device plugged into any port untagged lands in the management network.
# No frame-types or ingress-filtering is set, so the version defaults decide what each port admits.
/interface bridge port add bridge=bridge1 interface=ether3 pvid=10
/interface bridge port add bridge=bridge1 interface=ether4 pvid=10
/interface bridge port add bridge=bridge1 interface=ether5 pvid=10
/interface bridge port add bridge=bridge1 interface=ether6 pvid=10
/interface bridge port add bridge=bridge1 interface=ether7 pvid=10
/interface bridge port add bridge=bridge1 interface=ether8 pvid=10
/interface bridge port add bridge=bridge1 interface=ether9 pvid=10
/interface bridge port add bridge=bridge1 interface=ether10 pvid=10
/interface bridge port add bridge=bridge1 interface=ether11 pvid=10
/interface bridge port add bridge=bridge1 interface=ether12 pvid=10
/interface bridge port add bridge=bridge1 interface=ether13 pvid=10
/interface bridge port add bridge=bridge1 interface=ether14 pvid=10
/interface bridge port add bridge=bridge1 comment=Trunk interface=sfp-sfpplus1 pvid=10
/interface bridge port add bridge=bridge1 comment=Trunk interface=sfp-sfpplus2 pvid=10
# All VLANs, including 10 and 400, are tagged on both SFP+ trunks and on the bridge (CPU port).
# NOTE(review): VLAN 10 is listed as tagged on the same ports whose PVID is 10 (the trunks and bridge1).
# A port is then both a tagged member and the untagged/PVID member of VLAN 10 — confirm how management
# traffic is expected to leave those ports.
/interface bridge vlan add bridge=bridge1 comment=Trunk tagged=sfp-sfpplus1,sfp-sfpplus2,bridge1 vlan-ids=8,10,20,30,200,300,400,500,600,700
# Second entry for VLAN 300, which the line above already covers; it adds ether5 as a tagged member.
# NOTE(review): two table entries for the same VLAN ID — presumably ether5 should be merged into one entry.
/interface bridge vlan add bridge=bridge1 tagged=ether5 vlan-ids=300

# Router addresses. 192.168.88.1/24 sits on ether15, which is not a bridge port in this export.
/ip address add address=192.168.88.1/24 comment=defconf interface=ether15 network=192.168.88.0
# NOTE(review): "vlan8", "vlan30" and "vlan400" do not literally match the interface names created in this
# export ("vlan", "vlan30 ", "vlan400 ") — presumably editing artefacts.
/ip address add address=192.168.8.1/24 interface="vlan8" network=192.168.8.0
/ip address add address=10.10.12.1/24 interface="vlan20" network=10.10.12.0
/ip address add address=10.10.13.1/24 interface="vlan30" network=10.10.13.0
/ip address add address=10.10.20.1/22 interface="vlan200" network=10.10.20.0
/ip address add address=10.10.30.1/24 interface="vlan300" network=10.10.30.0
/ip address add address=10.10.40.1/24 interface="vlan400" network=10.10.40.0
/ip address add address=10.10.50.1/24 interface="vlan500" network=10.10.50.0
/ip address add address=10.10.60.1/24 interface="vlan600" network=10.10.60.0
/ip address add address=10.10.70.1/24 interface="vlan700" network=10.10.70.0
# Management gateway moved off bridge1. "vlan10 trunk" does not match the interface name "vlan10" created above.
/ip address add address=172.16.0.1/24 interface="vlan10 trunk" network=172.16.0.0

# Enables MikroTik's Back To Home VPN and cloud DDNS, refreshed every 10 minutes. With DDNS on, the router's
# public address is published under its cloud DNS name, so WAN-side filtering matters.
/ip cloud set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m

# DHCP alert on bridge1: watches for DHCP servers other than the known ones. No valid-server or on-alert is
# set here. NOTE(review): with the DHCP servers now on VLAN interfaces, confirm that watching bridge1 covers
# the VLANs where an unexpected DHCP server could appear.
/ip dhcp-server alert add disabled=no interface=bridge1

# DHCP options per subnet: the router is handed out as both gateway and DNS server in every network.
/ip dhcp-server network add address=10.10.12.0/24 dns-server=10.10.12.1 gateway=10.10.12.1
/ip dhcp-server network add address=10.10.13.0/24 dns-server=10.10.13.1 gateway=10.10.13.1
/ip dhcp-server network add address=10.10.20.0/22 dns-server=10.10.20.1 gateway=10.10.20.1
/ip dhcp-server network add address=10.10.30.0/24 dns-server=10.10.30.1 gateway=10.10.30.1
/ip dhcp-server network add address=10.10.40.0/24 dns-server=10.10.40.1 gateway=10.10.40.1
/ip dhcp-server network add address=10.10.50.0/24 dns-server=10.10.50.1 gateway=10.10.50.1
/ip dhcp-server network add address=10.10.60.0/24 dns-server=10.10.60.1 gateway=10.10.60.1
/ip dhcp-server network add address=10.10.70.0/24 dns-server=10.10.70.1 gateway=10.10.70.1
/ip dhcp-server network add address=172.16.0.0/24 dns-server=172.16.0.1 gateway=172.16.0.1
/ip dhcp-server network add address=192.168.8.0/24 dns-server=192.168.8.1 gateway=192.168.8.1

# allow-remote-requests=yes makes the router answer DNS queries from other hosts.
# NOTE(review): this export shows no firewall filter or raw rules at all, so nothing visible here keeps the
# resolver from being reachable on the WAN side — verify against the full configuration.
/ip dns set allow-remote-requests=yes servers=8.8.8.8

# Source NAT for traffic leaving via the pppoe and ether2 interfaces.
# NOTE(review): this export contains NAT rules only, with no /ip firewall filter or raw section. If that
# reflects the device, the input and forward chains are unfiltered; verify against the full configuration.
/ip firewall nat add action=masquerade chain=srcnat out-interface=pppoe
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether2
# NOTE(review): the rules below match on src-address only, with no out-interface, so they also rewrite the
# source of traffic routed between VLANs. Internal servers and logs then see the router's address instead of
# the real client address.
/ip firewall nat add action=masquerade chain=srcnat src-address=10.10.12.0/24
/ip firewall nat add action=masquerade chain=srcnat src-address=10.10.13.0/24
/ip firewall nat add action=masquerade chain=srcnat src-address=10.10.20.0/22
/ip firewall nat add action=masquerade chain=srcnat src-address=10.10.30.0/24
/ip firewall nat add action=masquerade chain=srcnat src-address=10.10.40.0/24
/ip firewall nat add action=masquerade chain=srcnat src-address=10.10.50.0/24
/ip firewall nat add action=masquerade chain=srcnat src-address=10.10.60.0/24
/ip firewall nat add action=masquerade chain=srcnat src-address=10.10.70.0/24
/ip firewall nat add action=masquerade chain=srcnat src-address=192.168.8.0/24
/ip firewall nat add action=masquerade chain=srcnat src-address=172.16.0.0/24

# Graphing rules added with defaults; no allow-address is set, so confirm who is able to view the graphs.
/tool graphing interface add
/tool graphing resource add
# RoMON (layer-2 management reachability between RouterOS devices) is enabled.
# NOTE(review): no secrets and no per-port RoMON restrictions appear in this export. With every port in the
# management VLAN, confirm RoMON is limited to the ports that need it and is protected by a secret.
/tool romon set enabled=yes

Posting an update and a couple of questions,
I think I’ve narrowed down the ping loss issue. I’m not managing the switches right now (hence the automatic IP assignment on VLAN1…), and it looks like the installation team configured a parallel router and plugged it in to one of the switches, so that’s the reason for the ping loss.

But here’s another problem I’m facing: I’m unable to dst-nat through VLANs from the outside. For example, I have a service on 10.10.30.2 listening on port 80, and I temporarily want to give someone from the outside access. To do this, I:

# Port forward: TCP 53280 is rewritten to 10.10.30.2:80, with logging enabled.
# NOTE(review): the rule has no in-interface, dst-address or src-address match, so it applies to TCP/53280
# arriving on any interface from any source, including traffic between internal VLANs. For temporary outside
# access, consider matching the WAN in-interface and the visitor's source address, and removing the rule
# afterwards. The forwarded service is plain HTTP on port 80.
/ip firewall nat add action=dst-nat chain=dstnat comment= dst-port=53280 log=yes protocol=tcp to-addresses=10.10.30.2 to-ports=80

When I try to access it through DNS:53280, I see hits on the firewall, but the connection is refused and doesn’t reach the service in that VLAN. I’ve tested this on services in the base VLAN10 (172.16.0.0/24), and it works fine.