Won't pass traffic over 1468 bytes

Hey Gentlemen,

I need some help here… I have a RB450G in place that has a couple VLAN’s set up; Eth1 is gateway, Eth2-4 are essentially trunk ports to VLAN aware equipment, and Eth5 is bridged to my VLAN10 Trusted VLAN… this plugs into a dumb Netgear 5-port switch, and into a couple computers.

What I’m seeing - traffic goes to the internet just fine… and if I’m somewhere else on the network down the line (on the same vlan, elsewhere so the traffic never has to make it to the RB) traffic flows fine - but as soon as I need to go through the RB - either to traverse VLAN’s, or from a computer on that dumb switch on Eth5, traffic doesn’t pass. I can ping it and I see fragments come through, but that’s it. Also, VPN’d into the router, I can get to everything just fine… it’s just sitting on the network that it goes to hell.

Further testing via ping shows that packets up to 1468 bytes pass just fine - as soon as I go to 1469 or above, I get request timed out.

I’ve read a lot of stuff here and there about MTU settings and all that, and I’ve tried a couple tests, but I’m a little out of my league here, and could really use a hand. Below is my config - if you see anything relevant, please let me know! Thanks in advance!

# may/07/2012 17:28:09 by RouterOS 5.14
# Review notes (added): MTU values that differ from each other are flagged inline, since the
# thread is chasing a 1468-byte ping limit; a few exposure points a hardening pass would want
# to revisit are flagged as NOTE(review).
/interface bridge
# NOTE(review): mtu=1526 is larger than this bridge's own l2mtu=1516. An L3 MTU above the L2
# MTU is inconsistent and is one of the values worth normalising (compare mtu=1500 on the VLAN
# interfaces and mtu=1460 on ether5-trusted below, both of which are bridge1trusted members).
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=proxy-arp auto-mac=yes disabled=no forward-delay=15s l2mtu=1516 \
    max-message-age=20s mtu=1526 name=bridge1trusted priority=0x8000 protocol-mode=none transmit-hold-count=6
/interface ethernet
# ether1 carries the PPPoE session (see /interface pppoe-client); no LAN address lives on it.
set 0 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1526 mac-address=00:0C:42:FA:99:BE mtu=1500 name=\
    ether1-gateway speed=100Mbps
# ether2 is the switch-chip master port; ether3/ether4 are its slaves. All three VLAN
# interfaces below are attached to this port.
set 1 arp=proxy-arp auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1520 mac-address=\
    00:0C:42:FA:99:BF master-port=none mtu=1500 name=ether2-master-local speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1520 mac-address=\
    00:0C:42:FA:99:C0 master-port=ether2-master-local mtu=1500 name=ether3-slave-local speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1520 mac-address=\
    00:0C:42:FA:99:C1 master-port=ether2-master-local mtu=1500 name=ether4-slave-local speed=100Mbps
# NOTE(review): mtu=1460 here versus mtu=1500 on every other port. This port is a
# bridge1trusted member (see /interface bridge port), so the bridge members do not share one
# MTU -- worth aligning to 1500 before testing further.
set 4 arp=proxy-arp auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1520 mac-address=\
    00:0C:42:FA:99:C2 master-port=none mtu=1460 name=ether5-trusted speed=100Mbps
/interface pptp-server
# Static PPTP binding; the user name was redacted in the post.
add disabled=no name=pptp-in1 user=********
/interface vlan
# All three tagged VLANs ride on ether2-master-local (the switch-chip master port) with
# mtu=1500; vlan10trusted is additionally a member of bridge1trusted.
add arp=proxy-arp disabled=no interface=ether2-master-local l2mtu=1516 mtu=1500 name=vlan10trusted use-service-tag=no \
    vlan-id=10
add arp=enabled disabled=no interface=ether2-master-local l2mtu=1516 mtu=1500 name=vlan20voip use-service-tag=no vlan-id=20
add arp=enabled disabled=no interface=ether2-master-local l2mtu=1516 mtu=1500 name=vlan30guest use-service-tag=no vlan-id=30
/interface ethernet switch
set 0 mirror-source=none mirror-target=none name=switch1 switch-all-ports=no
/ip ipsec proposal
# NOTE(review): 3des / sha1 / modp1024 are the RouterOS 5.x defaults and are all considered
# weak today. No IPsec peers appear in this export, so the proposal is unused as shown; if
# IPsec is ever enabled, move to AES and a larger DH group first.
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
/ip pool
add name=pool0_management ranges=192.168.100.100-192.168.100.254
add name=pool1_trusted ranges=192.168.101.100-192.168.101.254
add name=pool2_voip ranges=192.168.102.100-192.168.102.254
add name=pool3_guest ranges=192.168.103.25-192.168.103.254
add name=pool4-vpn ranges=192.168.104.100-192.168.104.150
/ip dhcp-server
# The management DHCP server answers on the untagged side of ether2-master-local; the
# trusted server is bound to the bridge, not to vlan10trusted directly.
add address-pool=pool0_management authoritative=after-2sec-delay bootp-support=static disabled=no interface=\
    ether2-master-local lease-time=3d name=default
add address-pool=pool1_trusted authoritative=after-2sec-delay bootp-support=static disabled=no interface=bridge1trusted \
    lease-time=3d name=dhcp1
add address-pool=pool2_voip authoritative=after-2sec-delay bootp-support=static disabled=no interface=vlan20voip lease-time=\
    1d name=dhcp2
add address-pool=pool3_guest authoritative=after-2sec-delay bootp-support=static disabled=no interface=vlan30guest \
    lease-time=4h name=dhcp3
/port
set 0 baud-rate=auto data-bits=8 flow-control=none name=serial0 parity=none stop-bits=1
/ppp profile
# change-tcp-mss=yes on the 'default' profile: the PPPoE client below uses this profile, so
# TCP MSS is clamped for the WAN link. Non-TCP traffic (e.g. the ICMP ping tests) is not.
set 0 change-tcp-mss=yes name=default only-one=default use-compression=default use-encryption=default use-mpls=default \
    use-vj-compression=default
add change-tcp-mss=default dns-server=192.168.100.1 local-address=192.168.100.1 name=profile1 only-one=default \
    remote-address=pool0_management use-compression=default use-encryption=default use-mpls=default use-vj-compression=\
    default
add change-tcp-mss=default local-address=pool4-vpn name=profile2 only-one=default remote-address=pool4-vpn use-compression=\
    default use-encryption=default use-mpls=default use-vj-compression=default
set 3 change-tcp-mss=yes name=default-encryption only-one=default use-compression=default use-encryption=yes use-mpls=\
    default use-vj-compression=default
/interface pppoe-client
# max-mtu=1480 / max-mru=1480: the WAN path MTU is 1480, not 1500. Internet-bound traffic is
# presumably fine because of the MSS clamp in the 'default' profile above -- TODO confirm.
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 dial-on-demand=no disabled=no interface=ether1-gateway \
    max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-out1 password=********  profile=default service-name="" use-peer-dns=yes \
    user=**********@sbcglobal.net
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 \
    red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=none name=only-hardware-queue
set 6 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 7 kind=pfifo name=default-small pfifo-limit=10
/routing bgp instance
# BGP/OSPF/RIP blocks below are untouched defaults; nothing in this export redistributes or
# peers, so they play no part in the MTU issue.
set default as=65530 client-to-client-reflection=yes disabled=no ignore-as-path-len=no name=default out-filter="" \
    redistribute-connected=no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no redistribute-static=no \
    router-id=0.0.0.0 routing-table=""
/routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never in-filter=ospf-in metric-bgp=auto metric-connected=20 \
    metric-default=1 metric-other-ospf=auto metric-rip=20 metric-static=20 name=default out-filter=ospf-out \
    redistribute-bgp=no redistribute-connected=no redistribute-other-ospf=no redistribute-rip=no redistribute-static=no \
    router-id=0.0.0.0
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=backbone type=default
/snmp community
# NOTE(review): community 'public' with read access from 0.0.0.0/0 and security=none. Whether
# SNMP is enabled is not shown in this export; if it is, restrict address= to the management
# subnet (192.168.100.0/24) and use a non-default community name.
set [ find default=yes ] address=0.0.0.0/0 authentication-password="" authentication-protocol=MD5 encryption-password="" \
    encryption-protocol=DES name=public read-access=yes security=none write-access=no
/system logging action
set 0 memory-lines=100 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=100 disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote-port=514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto target=\
    remote
/user group
set read name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,!ftp,!write,!policy \
    skin=default
set write name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,!ftp,!policy \
    skin=default
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api skin=\
    default
/interface bridge port
# bridge1trusted joins the untagged access port ether5-trusted (mtu=1460) to the tagged
# vlan10trusted interface (mtu=1500) in software, while the VLAN itself is carried by the
# switch-chip master port. This is the hardware/software mix that the thread suspects.
add bridge=bridge1trusted disabled=no edge=auto external-fdb=auto horizon=none interface=ether5-trusted path-cost=10 \
    point-to-point=auto priority=0x80
add bridge=bridge1trusted disabled=no edge=auto external-fdb=auto horizon=none interface=vlan10trusted path-cost=10 \
    point-to-point=auto priority=0x80
/interface bridge settings
# use-ip-firewall=no: frames switched within bridge1trusted are not passed through
# /ip firewall filter; only routed traffic is.
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/interface ethernet switch port
# vlan-mode=fallback with vlan-header=leave-as-is on every switch port: the switch chip passes
# tags through unmodified and does no VLAN enforcement of its own.
set 0 vlan-header=leave-as-is vlan-mode=fallback
set 1 vlan-header=leave-as-is vlan-mode=fallback
set 2 vlan-header=leave-as-is vlan-mode=fallback
set 3 vlan-header=leave-as-is vlan-mode=fallback
set 4 vlan-header=leave-as-is vlan-mode=fallback
/interface ethernet switch vlan
# Both switch-chip VLAN table entries are disabled, so VLAN handling for the trunk ports is
# done entirely in software on ether2-master-local.
add disabled=yes ports=ether2-master-local,ether3-slave-local,ether4-slave-local switch=switch1 vlan-id=10
add disabled=yes ports=ether2-master-local,ether3-slave-local,ether4-slave-local switch=switch1 vlan-id=20
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=\
    disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=default enabled=no keepalive-timeout=60 \
    mac-address=FE:A5:57:72:9D:EC max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
# NOTE(review): PPTP is the one VPN service enabled here and it still allows mschap1. PPTP with
# MS-CHAP (v1 in particular) is widely considered broken; it is reachable from the WAN via the
# tcp/1723 accept rule in /ip firewall filter. At minimum drop mschap1; longer term prefer an
# IPsec-based or certificate-based tunnel.
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=yes keepalive-timeout=30 max-mru=1460 max-mtu=\
    1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=default enabled=no keepalive-timeout=60 \
    max-mru=1500 max-mtu=1500 mrru=disabled port=443 verify-client-certificate=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=192.168.100.1/24 comment="Default Interface - for Management Traffic Only!" disabled=no interface=\
    ether2-master-local network=192.168.100.0
add address=192.168.101.1/24 comment="Trusted Computer/Camera VLAN" disabled=no interface=vlan10trusted network=\
    192.168.101.0
add address=192.168.102.1/24 comment="VOIP VLAN (Future Use)" disabled=no interface=vlan20voip network=192.168.102.0
add address=192.168.103.1/24 comment="Guest VLAN (isolated)" disabled=no interface=vlan30guest network=192.168.103.0
# NOTE(review): three public /32 addresses sit on ether1-gateway itself, but the input-chain
# drop rule below matches only in-interface=pppoe-out1. If the ISP ever delivers traffic to
# these addresses directly on ether1 (outside the PPPoE session), the management services in
# /ip service would be reachable -- confirm, and extend the drop to ether1-gateway if so.
# Also, network=255.255.255.248 looks like a netmask pasted into the network field; RouterOS
# normally derives network from address/prefix, so these entries are worth re-checking.
add address=99.88.99.54/32 disabled=no interface=ether1-gateway network=255.255.255.248
add address=99.88.99.48/32 disabled=no interface=ether1-gateway network=255.255.255.248
add address=99.88.99.49/32 disabled=no interface=ether1-gateway network=255.255.255.248
add address=192.168.104.1/32 disabled=no interface=ether2-master-local network=192.168.104.1
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=192.168.100.0/24 comment="default configuration" dhcp-option="" dns-server=192.168.100.1 gateway=192.168.100.1 \
    ntp-server="" wins-server=""
add address=192.168.101.0/24 dhcp-option="" dns-server=192.168.101.1 gateway=192.168.101.1 ntp-server="" wins-server=""
add address=192.168.102.0/24 dhcp-option="" dns-server=192.168.102.1 gateway=192.168.102.1 ntp-server="" wins-server=""
add address=192.168.103.0/24 dhcp-option="" dns-server=192.168.103.1 gateway=192.168.103.1 ntp-server="" wins-server=""
/ip dns
# allow-remote-requests=yes: the router resolves for any interface. Keeping this off the
# internet depends solely on the pppoe-out1 drop rule in the input chain.
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=4096 servers=68.94.156.1,68.94.157.1
/ip dns static
add address=192.168.88.1 disabled=no name=router ttl=1d
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
# Input chain: ICMP, established and related are accepted from any interface (so ICMP
# Fragmentation-Needed can reach the router), tcp/1723 (PPTP) is accepted from any interface,
# and everything else is dropped only when it arrives on pppoe-out1. Any other interface,
# including ether1-gateway, reaches the router's services unfiltered.
# NOTE(review): there are no forward-chain rules at all, so traffic between VLANs -- including
# vlan30guest, whose address comment says "isolated" -- is routed without restriction. If
# guest isolation is intended, it is not enforced here.
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no
add action=accept chain=input comment="default configuration" connection-state=related disabled=no
add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
add action=drop chain=input comment="default configuration" disabled=no in-interface=pppoe-out1
/ip firewall nat
# Source NAT for everything leaving via the PPPoE session; the dstnat rule is disabled.
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=pppoe-out1 to-addresses=0.0.0.0
add action=accept chain=dstnat disabled=yes in-interface=pptp-in1
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
/ip neighbor discovery
set ether1-gateway disabled=yes
set ether2-master-local disabled=no
set ether3-slave-local disabled=no
set ether4-slave-local disabled=no
set ether5-trusted disabled=no
set vlan10trusted disabled=yes
set vlan20voip disabled=yes
set vlan30guest disabled=yes
set bridge1trusted disabled=no
set pptp-in1 disabled=yes
set pppoe-out1 disabled=yes
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=no max-cache-size=none \
    max-client-connections=600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=\
    8080 serialize-connections=no src-address=0.0.0.0
/ip service
# NOTE(review): telnet, ftp and plain http are enabled with address="" (no source restriction),
# alongside ssh and winbox. Only the input-chain drop on pppoe-out1 keeps them off the WAN.
# Prefer disabling telnet and ftp outright and setting address=192.168.100.0/24 on the rest so
# management is only reachable from the management VLAN.
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest password="" read-only=yes
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/port firmware
set directory=firmware
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/ppp secret
# VPN accounts; names and passwords were redacted in the post. The second entry allows
# service=any rather than pptp only.
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=********** password=************** profile=profile2 \
    routes="" service=pptp
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=********** password=************** profile=profile2 \
    routes="" service=any
/queue interface
set ether1-gateway queue=only-hardware-queue
set ether2-master-local queue=only-hardware-queue
set ether3-slave-local queue=only-hardware-queue
set ether4-slave-local queue=only-hardware-queue
set ether5-trusted queue=only-hardware-queue
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s multiplier=5
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m gateway-selection=no-gateway origination-interval=5s \
    preferred-gateway=0.0.0.0 timeout=1m ttl=50
/routing pim
set switch-to-spt=yes switch-to-spt-bytes=0 switch-to-spt-interval=1m40s
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 metric-default=1 metric-ospf=1 metric-static=1 \
    redistribute-bgp=no redistribute-connected=no redistribute-ospf=no redistribute-static=no routing-table=main \
    timeout-timer=3m update-timer=30s
/system ntp client
set enabled=yes mode=unicast primary-ntp=132.163.4.102 secondary-ntp=130.126.24.24
/system ntp server
# NTP server answers on all interfaces (manycast/multicast on); as with DNS, WAN exposure is
# governed only by the pppoe-out1 drop rule.
set broadcast=no broadcast-addresses="" enabled=yes manycast=yes multicast=yes

Gentlemen - I really am at a loss here, and would appreciate any help or even troubleshooting suggestions.

Here’s some additional info I’ve come up with, including a diagram of the whole setup:
packetdropping.jpg
In the attached image, you can get a basic gist of the network I’m dealing with here. I have a management VLAN (untagged) and a normal-use VLAN (VLAN10). Coming off the routerboard, I allow all VLAN’s except on Eth5, which is bridged with the trusted VLAN… so when it gets to my UAP-Outdoor wireless devices, you get a certain VLAN depending on the SSID you joined. All that seems to be working as expected.

Here’s the problem I’m having - The camera connected to the Nanostation - If I’m on the wifi at the tower on the same VLAN as it, I can access it. If I’m on the wifi at the office, on the same VLAN (UniFi so they’re all the same) I cannot. If I’m anywhere on a different VLAN, I cannot access the camera. If I’m VPN’d in, I can.

I was originally chalking this up to a routing issue, but I’m able to traverse from one vlan to the next just fine - except, if I pass back through the router for any reason, my packets drop.

Here’s what I finally found - I can ping the camera, but when I specify certain size packets, they start dropping over 1468. I didn’t specify don’t fragment. If I ping the AP that the camera is connected to, it doesn’t matter the size of the payload - I always get a response… unless I select DF. The camera is connected to the NSM5 directly; on the NSM5, WLAN.10 is bridged to LAN in order to put the camera on VLAN10. Interestingly enough, if I ping the NSM5 that the camera is plugged into, I can send larger packets and they just fragment as needed to pass; it’s when I hit the camera that I have the problem.

So - I’ve got to believe this is related to MTU, unless I’m totally missing something.

When I ping different devices and specify packet size, anything over 1500 bytes doesn’t make it (unless I ping the switch at the tower - it’ll take almost anything I send to it)… I’m not choosing don’t fragment, but the packets won’t fragment anyways - I don’t understand.

At this point, all ubnt gear has MTU set to 1600; the routerboard I’ve experimented with dropping it down to 1400, and upping to the max - but no matter what I do, I get the same results… am I not understanding something correctly here?

see if you can make any difference by changing the MSS.

# Rewrites the MSS on forwarded TCP SYNs whose advertised MSS is outside 0-1400 down to 1400.
# Only TCP is affected: the ICMP ping tests above are untouched by this rule, so it works
# around the symptom for TCP sessions rather than finding where the 4 bytes are lost.
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn action=change-mss tcp-mss=!0-1400 new-mss=1400

these kinda problems could get quite complicated and sometimes it’s very hard to diagnose them without sitting on the network. hope someone could help you more. but at this point, all i can think about, is that you should only use the default 1500 mtu on all your devices along the way, unless you absolutely need to change it.

Don’t have time to read through the whole shebang at this exact moment, but the title caught my eye…

I’m guessing you are running your ping tests from Windows. For some reason, Windows ping does not take into account either the IP header or the ICMP header in the ping size you specify, and those two headers add up to 28 bytes. This means that in Windows, the largest size you can specify for a non-fragmented ping packet on an interface with a 1500 MTU is 1472 bytes. So, in essence, when you specify a 1472-byte ping in Windows, it’s really sending 1500 total bytes.

I note that 1468 is 4 less than 1472. Or, to put it another way, 1468 + 28 is 4 less than 1472 + 28. Or rather, 1496 is 4 less than 1500.

4 bytes is the perfect number for a 1Q VLAN header to be hiding in.

I think you mentioned that all of your devices are VLAN-clean/aware. But I’d look at everything again, with a more discerning eye. You’re probably missing something somewhere that doesn’t like those VLAN headers, and it is effectively reducing your MTU to 4 bytes less than whatever you’re setting it to.

“Devil” is right: you can surely work around the issue by mangling TCP MSS. But this will merely mask the true problem, not solve it. Something somewhere in the path is stealing 4 bytes of every frame, and the fact that you’re using 1Q VLANs and that they happen to add 4 bytes to a frame is a big clue…

Good luck,

– Nathan

I really appreciate the replies - if you do get a chance to look a little closer and have any more ideas, I’d be eternally grateful.

I was initially doing the ping through windows, but I also have a debian box there sitting directly on the untagged management VLAN and I’ve done some testing with that one too - and that one is polite enough to reply back with what the actual packet size will be after the overhead is added.

The part that I don’t understand, is I’ve set the MTU to 1600 on every device along the way, but that didn’t help - shouldn’t that make up for the 4 bytes from the VLAN being added? And why can I reach every other device on this network except this camera - and I can reach the camera if I’m on the wireless at the tower location - just not if my traffic has to pass through the mikrotik in any way? That’s what really has me stumped.

CLTech,

I could be totally mistaken, but I have my doubts that the UBNT gear’s ethernet interfaces can do more than 1500 MTU (not counting ethernet frame headers). Its wireless chip may be able to do 1600, but the unit as a whole probably can’t do 1600 end-to-end. I’d have to read up on it more.

Can you humor me by re-implementing your 3-port trunk port group as a software bridge instead of via the built-in switch chip? So, something along these lines:

# Lists the ethernet entries with their index numbers; the 'set 1-3' below relies on
# ether2..ether4 being entries 1..3, as they are in the export above.
/interface ethernet print
# Clears the master-port relationship (ether3/ether4 are slaves of ether2 in the export) so the
# three trunk ports are no longer grouped on the switch chip.
/interface ethernet set 1-3 master-port=none
# Replaces the switch-chip group with a software bridge over the same three ports.
/interface bridge add name=trunk-bridge
/interface bridge port add bridge=trunk-bridge interface=ether2-master-local
/interface bridge port add bridge=trunk-bridge interface=ether3-slave-local
/interface bridge port add bridge=trunk-bridge interface=ether4-slave-local
# Re-points every VLAN interface (vlan10trusted, vlan20voip, vlan30guest in the export) from
# ether2-master-local to the new bridge. Other references to ether2-master-local (IP address,
# DHCP server, neighbor discovery) are not touched by this and must be updated by hand.
/interface vlan set [find] interface=trunk-bridge

(You’ll also, of course, need to make sure that you change any other references to ‘ether2-master-local’ anywhere else in the system to ‘trunk-bridge’.)

Then try again. If this works, it would suggest that MikroTik implements the switch chip master port interface using a VLAN between the CPU’s built-in ethernet interface and the port on the switch chip it’s attached to. In that case, creating VLANs on switch chip ports actually results (unbeknownst to you, the user) in you creating Q-in-Q tags within the MikroTik itself, even though that is not how it is represented in the RouterOS UI/config. Since this would be happening behind-the-curtains, so to speak, it might be contributing to your problem.

Also, looking at the one bridge interface you already have, I’m slightly confused/concerned by the fact that it shows an MTU that is higher than the interface’s L2MTU.

Thinking about this again after having typed all of this out, I wonder if perhaps, again, based on how MikroTik may have implemented the master switch port feature internally, it is best not to mix VLANs defined on the switch chip with software bridges? The other thing you could/should try would be to make ether5 a slave to ether2 and then use ‘/interface ethernet switch’ to untag VLAN 10 on ether5 instead of using a software bridge to do it.

My guess is that either implementing your VLAN trunk and access ports entirely in software bridges OR entirely in hardware switching will fix your problem. I’m thinking it’s the mixing-and-matching of both hardware and software switching that you’re doing that is possibly causing or somehow contributing to the problem.

– Nathan

Thanks for the tips. The equipment is located 2.5 hours away from me - I was working remotely and knocked myself out of the radio and camera in question :unamused: but I’m driving up there in the morning so I’ll be able to try more on-site.

One thing I did notice - when I put the camera on the management vlan (removed the bridge that tied the radio’s wlan.10 vlan to the ethernet port; gave the camera an IP on the management vlan) that the problem seemed to go away - but that leaves it on the wrong subnet.

NathanA clearly knows more than me on this subject. specially vlans. so im not gonna comment on those. but regarding mtu, in my experience, you have a better chance solving these kinda problems by setting the mtu , actually lower. when you set the mtu on devices along the way to a lower value, if a larger packet comes through, the device will send an icmp packet back (Fragmentation Needed (Type 3, Code 4)), so the sender could be notified that it should adjust its packet size and send it again. i know of a lot of devices that can not handle more than 1500 mtu. (a quick search reveals a lot of mixed stuff about max mtu in ubnt. seems it depends on the product and the firmware version its using. so you might wanna also upgrade your ubnt to the latest version.) but when you set the mtu to a higher value, and for some reason, a device along the way with a lower mtu, fails to send the icmp packet back, or you fail to receive it, the ‘black hole’ state happens. which is basically what you’re experiencing.
also make sure, icmp packets are allowed to be sent, received and forwarded on all devices.

…how’d this turn out?

– Nathan

Hi Nathan - I need to say, I greatly appreciate your help - taking the time and the personal interest in my problem, and I do actually feel pretty guilty taking so long to get back to you.

I struggled with this quite a bit, and got to where the reward of the separate VLAN’s wasn’t worth the amount of time I had into it. This is a billable project, yet my 20+ hours on this issue is not billable, and was only delaying final payment. That said, I decided to flatten the network slightly and put the computers and cameras on the same VLAN. Talk about a deflated feeling of defeat!

That said, I have duplicates of all of the production gear - router, wireless units, cameras, etc - and hope to reproduce this in my lab as soon as I get a chance - because I’ve never let a computer get the best of me!! When I get there I may shoot you a PM - and an offer to look around yourself if you feel like it… that’s the beauty of the lab!

Thank you again - I truly do appreciate the personal interest you took on for my sake here.