VLAN via switch chip: cannot ping router interface

Hi everyone,

I’ve followed the article about the VLAN switch chip on the wiki to create a VLAN that can take advantage of the full wire speed the switch chip offers.
My VLAN is in essence working; however, I cannot ping a single interface on the router.

Please take a look at following:

/interface ethernet switch rule>

   Flags: X - disabled, I - invalid
 0   switch=switch1 ports=ether3-local vlan-header=not-present copy-to-cpu=no
     redirect-to-cpu=no mirror=no new-dst-ports=ether2-local

 1   switch=switch1 ports=ether2-local vlan-header=not-present copy-to-cpu=no
     redirect-to-cpu=no mirror=no new-dst-ports=ether3-local

/interface ethernet switch vlan>

 #   SWITCH                            VLAN-ID PORTS
 0   switch1                             0            ether2-local
                                                          ether3-local
                                                           cpu

The above rules allow a device attached to ether2-local to ping a device attached to ether3-local. Ether3-local is also assigned an IP:
/ip address print

Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   192.168.0.249/24   192.168.0.0     192.168.0.255   ether3-local

However, neither ether2-local nor ether3-local can ping 192.168.0.249.

One way to solve this is to change “copy-to-cpu=no” to “copy-to-cpu=yes” in the above switch rules. However, that means that every frame from ether2-local to ether3-local and vice versa is copied to the CPU. That doesn’t sound smart or even preferable.

So I’ve tried to come up with rules to solve this, but I’ve been unable to get it right.

So the rules below do not work:

 2   switch=switch1 ports=ether3-local vlan-header=not-present copy-to-cpu=yes
     redirect-to-cpu=no mirror=no new-dst-ports=cpu

 3   switch=switch1 ports=cpu vlan-header=not-present copy-to-cpu=yes
     redirect-to-cpu=no mirror=no new-dst-ports=ether3-local

Can someone explain to me what I should do to get it right?

Many thanks,
Jeroen

Have you tried to delete old ARP entries, if any?

I’m sure I rebooted but now I’m not sure I really did. I’ll check out the table just to be sure.

Do reboot both machines, or simply remove the old ARP entries. I have this problem every time I set up VLANs, 'cause I am the king of forgetting :wink:

Unfortunately, no dice. Must be something wrong with the rules themselves. I wonder what it could be as it all seems to logically fit.

And what about the medium: some switch that does not support VLAN tagging?

I’m pinging from a computer connected directly to the Mikrotik (port ether2-local). I’m having problems pinging any IP on the router itself. But client computers can ping each other just fine.

And if the clients can’t reach the router I can’t even manage it apart from using the serial console.

I had some similar problems with a 450G. I eventually fixed it by removing the IP address from the master port of the switch and adding it again.

Regards

Andrew

Oh oh, master port? I’ll check what it is, but I’ve not tinkered with whatever that is. I only put an IP on ether3-local and tried to reach that:).
So I forgot a vital step if I understand you correctly:-)?

Have you seen this? http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features.

Regards

Andrew

I had once (and at the time I thought I shouldn’t worry about that), but I’m not at all sure whether it is really needed. I think you can just write rules to allow access to the CPU port.

You see, with Mikrotik you need to write a rule to allow one access/untagged port access to another. That is why Mikrotik gives the ether ports (access ports) the same ID in the VLAN table (0 for untagged ports = access ports). If you do the master port thing and put ports in the same switch (I tried), I assume you no longer need those rules. You’d then probably need rules to prevent them accessing each other (this last one is a guess though).

But thanks for bringing it up, I feel it is worth investigating.

edit: I’ve read the text more accurately and I’m more convinced you may be right. I’ll report back after some tinkering:)

Still stuck:(. Does anyone know how to fix this one?

Just a wild guess: do you have a default gateway configured on the devices?

Can you ping when devices are on the same network?

Yep, I’ve got a gateway. I can ping between devices on the same network just fine (if I add rules to the rule table to allow this). I just can’t ping any IP assigned to the router itself.

I.e., I do not know how to pass packets from the switch logic to the CPU port.

Set up a master port on the switch and assign the router interface IP to this interface.

Then add the CPU port into the VLAN if you’ve set the VLAN mode to secure. You don’t need any switch rules once this is done.

Regards

Andrew

Thanks Andrew, I’ll try that. I have made some progress though. It does show some quirky behaviour :laughing:

/ip address print

Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   192.168.0.240/24   192.168.0.0     192.168.0.255   ether4

/interface ethernet switch rule> print

Flags: X - disabled, I - invalid
 0   switch=switch1 ports=ether4 vlan-header=not-present
     dst-address=192.168.0.240/32 copy-to-cpu=no redirect-to-cpu=no mirror=no
     new-dst-ports=cpu

 1 X switch=switch1 ports=ether4 vlan-header=not-present copy-to-cpu=no
     redirect-to-cpu=no mirror=no new-dst-ports=ether5

 2 X switch=switch1 ports=ether5 vlan-header=not-present copy-to-cpu=no
     redirect-to-cpu=no mirror=no new-dst-ports=ether4

My computer is attached to ether4.

If rules 1 and 2 are disabled, I can ping the IP 192.168.0.240 on the router. Obviously, I cannot ping the other computer attached to ether5 (since the rules that allow that are disabled).

Now get this: when I enable rules 1 and 2 I can still ping 192.168.0.240 from my computer. I can then also still ping the computer attached to ether5. However, the ARP entry on my computer for 192.168.0.240 times out with rules 1 and 2 enabled. And sadly, after it times out, pinging 192.168.0.240 is no longer possible.

So darn, I thought I almost had it! I’m going to try your suggestion now with hopefully better luck than my try:)

cheers,
Jeroen

Oh yes, one important note. Once a rule is matched in the rule table, the other rules that follow the rule that was matched are no longer being looked at. What I mean is, if you have, for instance, these rules:

switch=switch1 ports=ether4 vlan-header=not-present copy-to-cpu=no
     redirect-to-cpu=no mirror=no new-dst-ports=ether5

switch=switch1 ports=ether4 vlan-header=not-present copy-to-cpu=no
     redirect-to-cpu=no mirror=no new-dst-ports=ether6

Ether4 will never ever be able to reach ether6. The first rule will always match and the second will never match. That should explain why I moved the CPU rule to the top and why I used dst-address as an extra matching condition.

Andrew, I’ve set ether3 as master port and assigned an IP to it. Ether4 and ether5, the slave ports, can now communicate with the CPU port (= the IP on the master port).

However, as a side effect ether4 can now talk to ether5 without me allowing this. If I want these ports to behave as if in different VLANs, I need to disallow stuff now?

However, as a side effect ether4 can now talk to ether5 without me allowing this

That’s a function of the switch. At least you can now ping the router!

If you don’t want to allow communication between the ports, then you need to place them in different VLANs, or, if you want them in the same VLAN, then you set up some rules to disallow communication between them.

Regards

Andrew

Well yeah, I shouldn’t have called it a side-effect lol. However, you can’t just put a port in a VLAN with Mikrotik.

It is the rule table that decides (by the means of defining rules) where a tagged frame is allowed to go to.

Say you have 3 ports on the Mikrotik that are in VLAN 10; let’s call these ports A, B and C. You’d need to specify (= create a rule) 3 times that frames arriving on the Mikrotik’s trunk port (tagged with VLAN-ID 10 in this example) are allowed to travel to ports A, B and C.

  1. Trunk → A
  2. Trunk → B
  3. Trunk → C

Vice versa, you need 3 rules to specify that untagged frames from ports A, B and C are to be tagged if they need to go on the trunk.
Moreover, you also need to specify that ports A, B and C are allowed to communicate with each other, as they are all supposed to be access ports in the same VLAN.

So you see, the VLAN table on the Mikrotik has only 1 purpose, and that is ingress filtering. Strict ingress filtering occurs when VLAN mode is set to secure. So the VLAN table defines what kind of frames are allowed to enter a specific port: untagged or tagged, and if tagged, which ID they must have.

The trunk should obviously be in VLAN-10 for the Mikrotik, and in every other VLAN it is supposed to trunk frames for.
However, the access ports all have VLAN-ID = 0 to indicate no tagged frames can INGRESS an access port on the Mikrotik (so a device attached to an access port is not allowed to send tagged frames). So every access port is in VLAN 0 = the untagged VLAN.

On most switches the VLAN-table is used by the switch to decide whether a frame is to be tagged (if it must travel over a trunk). It is also used to allow communication between ports in the same VLAN (whether these ports are in the same VLAN is checked by consulting the VLAN table).

Also, PVID is a concept that the Mikrotik does not know. The PVID is normally used for the switch to decide what tag to give a frame before letting it onto the trunk. In Mikrotik, as described above, this is accomplished by adding another rule:).

So to summarise:

  • Tagging of frames is accomplished by rules
  • Communication between access ports in the same VLAN is accomplished by creating rules

Most of the time, the above 2 things are accomplished by using the PVID and the VLAN-table.

I hope that makes sense. It sure is the reason why I am struggling...

Maybe if you post exactly what you’re trying to achieve…

Regards

Andrew
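A worked configuration of the master-port approach Andrew describes (master port, VLAN mode secure, CPU port as a member of the VLAN table) combined with the ingress-filtering role of the VLAN table that Jeroen explains, as an added example that is not from this thread. It assumes the pre-6.41 RouterOS switch-chip syntax from the Switch Chip Features manual, the port names ether3 (master and tagged trunk), ether4 and ether5 (slaves, access ports in VLAN 10 and VLAN 20), the port name cpu as printed in the thread's own VLAN table, the switch name switch1, and a constructed router address.

```routeros
# Added example, not from the thread. Assumed: RouterOS switch-chip syntax
# from the Switch Chip Features manual (pre-6.41), switch name switch1,
# ether3 = master port and tagged trunk, ether4/ether5 = slave access ports.

# 1. Make ether4 and ether5 slaves of ether3 so all three ports share the
#    switch chip; the router (cpu port) is reached through the master port.
/interface ethernet
set ether4 master-port=ether3
set ether5 master-port=ether3

# 2. Per-port VLAN behaviour. vlan-mode=secure enforces the VLAN table on
#    ingress: a frame is accepted only if its VLAN lists the ingress port.
#    Access ports tag untagged ingress frames with default-vlan-id and strip
#    the tag on egress; the trunk tags anything arriving untagged; the cpu
#    port keeps tags, which is why the VLAN interface below is needed.
/interface ethernet switch port
set ether3 vlan-mode=secure vlan-header=add-if-missing
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=10
set ether5 vlan-mode=secure vlan-header=always-strip default-vlan-id=20
set cpu vlan-mode=secure vlan-header=leave-as-is

# 3. VLAN table = membership, no per-port rules needed. The cpu port is a
#    member of VLAN 10 only: hosts on ether4 can reach the router, while
#    hosts on ether5 (VLAN 20) are switched to the trunk but can never reach
#    the router's CPU. Omitting cpu from a VLAN is the hardware-enforced way
#    to keep that VLAN away from the management plane.
/interface ethernet switch vlan
add switch=switch1 vlan-id=10 ports=ether3,ether4,cpu
add switch=switch1 vlan-id=20 ports=ether3,ether5

# 4. The router's own address lives on a VLAN interface on the master port,
#    since frames arrive at the cpu port tagged (constructed address).
/interface vlan
add name=vlan10 interface=ether3 vlan-id=10
/ip address
add address=192.168.0.249/24 interface=vlan10

# Verification: a host on ether4 should get replies from 192.168.0.249,
# a host on ether5 should not; inspect membership with
#   /interface ethernet switch vlan print
#   /interface ethernet switch port print
```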