This is related to http://forum.mikrotik.com/t/6-41rc52-vlan-problem/114316/1
I reloaded the router (named sw1-exp) with a fresh 6.40.5. Then I followed https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features. I did not do the spanning tree config.
Otherwise, the general idea is as follows:
- ether1 is the Internet access port (DHCP client)
- other ports are internal LAN ports:
  - ether2 is connected to VLAN 2 only (access port)
  - ether3 config is not changed
  - ether4 is connected to VLAN 4 only (access port)
  - ether5 is connected to VLANs 2, 4, 9 (trunk port)
Management is supposed to be via the trunk port, at address 192.168.99.1/24.
The test setup is as follows:
- ether1 is connected to a network that provides DHCP. This works, and I can access the box from there (I made a firewall rule for this).
- ether5 is connected to a Raspberry Pi (named pi) running Raspbian with VLANs enabled. pi has IP 192.168.99.50/24 on VLAN 9.
When I try to ping sw1-exp from pi, the switch does not respond, and eventually I get “destination unreachable” from pi.
While running tcpdump on pi during that attempt, I see the following:
22:13:27.810568 b8:27:eb:fc:ae:55 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 9, p 0, ethertype ARP, Request who-has 192.168.99.1 tell 192.168.99.50, length 28
22:13:28.851020 b8:27:eb:fc:ae:55 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 9, p 0, ethertype ARP, Request who-has 192.168.99.1 tell 192.168.99.50, length 28
22:13:29.163202 64:d1:54:22:26:c3 > 01:80:c2:00:00:00, ethertype 802.1Q (0x8100), length 62: vlan 1, p 0, LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1w, Rapid STP, Flags [Learn, Forward], bridge-id 8000.64:d1:54:22:26:c0.8004, length 41
22:13:29.890571 b8:27:eb:fc:ae:55 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 9, p 0, ethertype ARP, Request who-has 192.168.99.1 tell 192.168.99.50, length 28
22:13:30.930572 b8:27:eb:fc:ae:55 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 9, p 0, ethertype ARP, Request who-has 192.168.99.1 tell 192.168.99.50, length 28
22:13:31.165375 64:d1:54:22:26:c3 > 01:80:c2:00:00:00, ethertype 802.1Q (0x8100), length 62: vlan 1, p 0, LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1w, Rapid STP, Flags [Learn, Forward], bridge-id 8000.64:d1:54:22:26:c0.8004, length 41
So the switch is not answering ARP requests, but it is broadcasting STP stuff.
When I try to ping pi from sw1-exp, I get timeouts and finally “host unreachable”. That looks like this from pi:
22:19:06.367940 64:d1:54:22:26:c3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 9, p 0, ethertype ARP, Request who-has 192.168.99.50 tell 192.168.99.1, length 42
22:19:06.368243 b8:27:eb:fc:ae:55 > 64:d1:54:22:26:c3, ethertype 802.1Q (0x8100), length 46: vlan 9, p 0, ethertype ARP, Reply 192.168.99.50 is-at b8:27:eb:fc:ae:55, length 28
22:19:07.365620 64:d1:54:22:26:c3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 9, p 0, ethertype ARP, Request who-has 192.168.99.50 tell 192.168.99.1, length 42
22:19:07.365924 b8:27:eb:fc:ae:55 > 64:d1:54:22:26:c3, ethertype 802.1Q (0x8100), length 46: vlan 9, p 0, ethertype ARP, Reply 192.168.99.50 is-at b8:27:eb:fc:ae:55, length 28
22:19:07.505131 64:d1:54:22:26:c3 > 01:80:c2:00:00:00, ethertype 802.1Q (0x8100), length 62: vlan 1, p 0, LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1w, Rapid STP, Flags [Learn, Forward], bridge-id 8000.64:d1:54:22:26:c0.8004, length 41
22:19:08.365634 64:d1:54:22:26:c3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 9, p 0, ethertype ARP, Request who-has 192.168.99.50 tell 192.168.99.1, length 42
22:19:08.365876 b8:27:eb:fc:ae:55 > 64:d1:54:22:26:c3, ethertype 802.1Q (0x8100), length 46: vlan 9, p 0, ethertype ARP, Reply 192.168.99.50 is-at b8:27:eb:fc:ae:55, length 28
So pi is receiving ARP requests from sw1-exp and replying to them, but no ICMP packets are to be seen.
Questions:
- What am I doing wrong?
- Is the switch supposed to work this way?
- How can I make the VLANs work?
Below is the configuration I ended up with:
# nov/30/2017 21:58:02 by RouterOS 6.40.5
# software id = ...
#
# model = 960PGS
# serial number = ...
/interface bridge
add admin-mac=64:D1:54:22:26:C0 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/ip neighbor discovery
set ether1 discover=no
/interface vlan
add interface=ether5 name=vlan9 vlan-id=9
/interface ethernet switch port
set 1 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=4 vlan-header=always-strip vlan-mode=secure
set 4 vlan-header=add-if-missing vlan-mode=secure
set 5 vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.90.128-192.168.90.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=sfp1
/interface ethernet switch vlan
add independent-learning=yes ports=ether2-master,ether5 switch=switch1 \
vlan-id=2
add independent-learning=yes ports=ether4,ether5 switch=switch1 vlan-id=4
add independent-learning=yes ports=ether5,switch1-cpu switch=switch1 vlan-id=\
9
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.90.1/24 comment=defconf interface=ether2-master network=\
192.168.90.0
add address=192.168.99.1/24 interface=vlan9 network=192.168.99.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1
/ip dhcp-server network
add address=192.168.90.0/24 comment=defconf gateway=192.168.90.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="allow test LAN (even on ether1)" \
dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=accept chain=input dst-address=192.168.99.0/24 src-address=\
192.168.99.0/24
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
/system clock
set time-zone-name=Etc/GMT
/system identity
set name=sw1-exp
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
/tool sniffer
set filter-interface=ether5
Any help would be greatly appreciated.
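As an added example that is not part of the original post: a small Python parser for the tcpdump output shown above. It flags, per VLAN, the ARP targets that were requested but never answered (here 192.168.99.1 on VLAN 9, i.e. the switch's management address) and lists the VLANs on which STP BPDUs appear. The sample lines are copied from the captures in the post; the regexes assume tcpdump's 802.1Q line format exactly as printed there.

```python
import re
from collections import defaultdict

# Constructed sample: tcpdump lines copied from the post. Two ARP requests on VLAN 9
# (one never answered, one answered) and one RSTP BPDU on VLAN 1.
SAMPLE = """\
22:13:27.810568 b8:27:eb:fc:ae:55 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 9, p 0, ethertype ARP, Request who-has 192.168.99.1 tell 192.168.99.50, length 28
22:13:29.163202 64:d1:54:22:26:c3 > 01:80:c2:00:00:00, ethertype 802.1Q (0x8100), length 62: vlan 1, p 0, LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1w, Rapid STP, Flags [Learn, Forward], bridge-id 8000.64:d1:54:22:26:c0.8004, length 41
22:19:06.367940 64:d1:54:22:26:c3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 9, p 0, ethertype ARP, Request who-has 192.168.99.50 tell 192.168.99.1, length 42
22:19:06.368243 b8:27:eb:fc:ae:55 > 64:d1:54:22:26:c3, ethertype 802.1Q (0x8100), length 46: vlan 9, p 0, ethertype ARP, Reply 192.168.99.50 is-at b8:27:eb:fc:ae:55, length 28
"""

# Outer frame: timestamp, src MAC, dst MAC, 802.1Q tag with VLAN id, then the payload description.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype 802\.1Q \(0x8100\), length \d+: vlan (?P<vlan>\d+), p \d+, (?P<rest>.*)$"
)
ARP_REQ_RE = re.compile(r"ethertype ARP, Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)")
ARP_REP_RE = re.compile(r"ethertype ARP, Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})")

def parse_line(line):
    """Parse one tagged tcpdump line into a dict, or return None if it is not in that format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "vlan": int(m["vlan"])}
    rest = m["rest"]
    if (a := ARP_REQ_RE.search(rest)):
        rec.update(kind="arp-request", target=a["target"], sender=a["sender"])
    elif (a := ARP_REP_RE.search(rest)):
        rec.update(kind="arp-reply", ip=a["ip"], mac=a["mac"])
    elif "STP" in rest:
        rec["kind"] = "stp"
    else:
        rec["kind"] = "other"
    return rec

def analyse(text):
    """Return ({vlan: [unanswered ARP targets]}, {vlans carrying STP BPDUs})."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    asked = defaultdict(set)     # vlan -> IPs that were asked for
    answered = defaultdict(set)  # vlan -> IPs that actually replied
    stp_vlans = set()
    for r in records:
        if r["kind"] == "arp-request":
            asked[r["vlan"]].add(r["target"])
        elif r["kind"] == "arp-reply":
            answered[r["vlan"]].add(r["ip"])
        elif r["kind"] == "stp":
            stp_vlans.add(r["vlan"])
    unanswered = {v: sorted(asked[v] - answered[v]) for v in asked if asked[v] - answered[v]}
    return unanswered, stp_vlans
```

Running `analyse(SAMPLE)` reproduces the diagnosis in the post: only 192.168.99.1 on VLAN 9 goes unanswered, while BPDUs are seen on VLAN 1.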