 
tr00g33k
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Mar 29, 2015 3:58 pm

MikroTik PseudoBridge, BroadCast domain problem

Fri Jan 08, 2016 8:08 am

Hello everybody, I need some help please.

I have a UniFi with DHCP connected to my core network, and on this UniFi I have connected clients: laptops and MikroTiks as pseudobridge.

And the problem is that these MikroTik clients are not pingable inside this broadcast domain 192.168.1.0/24.
I can ping the laptops from each other. And I can ping the MikroTik from the router, but not from clients.

!!!!!The strangest thing:
Once I ping, let's say, laptop 192.168.1.10 FROM the MikroTik, then the MikroTik is pingable from 192.168.1.10. But if I don't ping a client from the MikroTik, then I can't ping the MikroTik from the client.

And one other thing: if I route another network on the UniFi, let's say 192.168.2.0/24, so that the networks 192.168.1.0/24 and 192.168.2.0/24 are routed, I can ping the MikroTiks from the 192.168.2.0/24 network without the MikroTiks needing to ping first.

But if I use a MikroTik router instead of the UniFi it works OK. I used multiple vendors, but only MikroTik => MikroTik works OK.
Please help me out here.

It is like there is a problem with the MikroTiks in that they don't accept ARP broadcasts. Some quick sketch and config:

(sketch: pseudo.jpg)
# jan/08/2016 06:57:07 by RouterOS 6.29.1
# software id = 0ZP0-J67I
#
/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=\
    tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=podgora \
    supplicant-identity="" unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=\
    password123 wpa2-pre-shared-key=password123
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=2462 \
    l2mtu=1600 mode=station-pseudobridge security-profile=podgora ssid=\
    Innbox-internet-053be1
/ppp profile
set [ find name=default ] name=default
set [ find name=default-encryption ] name=default-encryption
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=wlan1
/system clock
set time-zone-name=Europe/Ljubljana
/system logging
add topics=wireless
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled
/tool romon port
add disabled=no

 
willbeillu
just joined
Posts: 2
Joined: Mon Jan 04, 2016 11:06 am

Re: MikroTik PseudoBridge, BroadCast domain problem

Fri Jan 08, 2016 10:16 am

Hi!


Why are you using pseudobridge? If you need an L2 bridge, a UniFi AP with a MikroTik as client is not the best choice, I think, as the manual says: "This mode is available for all protocols except nv2 and should be avoided when possible."
In this mode the MikroTik forwards almost all packets to its single client but does not process them itself.
http://wiki.mikrotik.com/wiki/Manual:Wi ... eudobridge

If you need to ping the MikroTik directly, think about a simple L3 scheme.
 
tr00g33k
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Mar 29, 2015 3:58 pm

Re: MikroTik PseudoBridge, BroadCast domain problem

Fri Jan 08, 2016 3:14 pm

OK, what else do you suggest that I use? I tried station mode, with the same result. These two modes are the only modes that MikroTik supports with other vendors. Please, any help on how to solve this problem? For now I manage the MikroTiks from another network, but what if I am on the site of this network and have only wifi access to it? I need a solution to get this working, if there is any possibility to get this working.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: MikroTik PseudoBridge, BroadCast domain problem

Fri Jan 08, 2016 9:58 pm

Are you the admin of the UniFi or are you an end-user trying to put more things on the network?

You could probably do something clever by using station mode, creating a bridge interface with ether1 and wlan1 connected to the bridge, and using a bridge NAT rule for forwarding frames with out-interface=wlan1

(/int bridge nat add action=src-nat chain=srcnat out-interface=wlan1 to-src-mac-address=YOUR_WLAN_MAC)

The reason you're not getting the results that you want is that WiFi is not ethernet. It's very often bridged together, but on the air, the frames are all transmitted based on the AP/STATION relationship. Technically speaking, the AP doesn't know anything about multiple MAC addresses per station. This is what WDS fixes - a wireless station -> ethernet bridge must answer proxy arp on behalf of the devices behind it when not using WDS.

WDS with crypto is a proprietary solution that each vendor has their own way of working, so AirMax clients (for instance) can use station-wds mode along with encrypted wireless, but you can't connect a station-wds MikroTik to that same access point (and vice versa).

Realize that the suggestion above is a "duct tape and chewing gum" solution. If you're trying to extend your network to another part of the property, then bite the bullet and pony up for one more Mikrotik, make a bridge out of them on a frequency that won't interfere with the existing wlan, and plug in the A side where you have access to the wired ethernet.

If you have coax between the existing wired ethernet and where you're trying to reach - try this device:
http://www.amazon.com/Actiontec-Bonded- ... B013J7O3X0
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
tr00g33k
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Mar 29, 2015 3:58 pm

Re: MikroTik PseudoBridge, BroadCast domain problem

Sat Jan 09, 2016 11:48 am

I'm the admin of the whole network; it's not a problem to buy one or two new MikroTiks, but I have 9 UniFi APs and 30 hAP lite MikroTiks that are connected through some Ciscos and a CCR MikroTik that is routing all traffic to the internet. It's like that because the clients behind the MikroTiks can have only an ethernet connection.

This is how I think things should work; please correct me where I'm wrong.

I PING from PC 192.168.1.20 to PC 192.168.1.10, so:
1.) The PC 192.168.1.20 sends an ARP broadcast to the broadcast domain 192.168.1.0/24
2.) All the clients get that ARP broadcast
3.) The PC 192.168.1.10 answers with its MAC address
4.) PC 192.168.1.20 puts 192.168.1.10 in the ARP table
5.) And now they can communicate
This works as it should and I get an ICMP reply from 192.168.1.10

BUT... why is it different with the MikroTik?

I PING from PC 192.168.1.20 to MikroTik 192.168.1.2, so:
1.) The PC 192.168.1.20 sends an ARP broadcast to the broadcast domain 192.168.1.0/24
2.) All the clients get that ARP broadcast

!!!!!BUT now what? The MikroTik doesn't get my ARP broadcast? Or ignores it? Or doesn't want to answer?
I don't know what is different; the MikroTik has the same config as all other clients, a wifi interface in network 192.168.1.0/24 with MAC and IP.

!!!BUT if I do it in reverse:
I PING from MikroTik 192.168.1.2 to PC 192.168.1.10, so:
1.) The MikroTik 192.168.1.2 sends an ARP broadcast to the broadcast domain 192.168.1.0/24
2.) All the clients get that ARP broadcast
3.) The PC 192.168.1.10 answers with its MAC address
4.) MikroTik 192.168.1.2 puts 192.168.1.10 in the ARP table
5.) And now they can communicate
This works as it should and I get an ICMP reply from 192.168.1.10

And now I can ping the MikroTik from 192.168.1.10 and I get a reply, but first I had to ping the client from the MikroTik.

But otherwise everything is working. I just can't explain to myself why I can't ping the MikroTik if I don't ping the client from the MikroTik before. Clients behind the MikroTiks can access the internet, and everything works OK, but I would really like to explain why this is not working like I expected it to.

But I can ping the MikroTik from a different router network. There has to be something with L2, or MikroTik special behaviour, or something that I don't understand correctly.

Please, can somebody explain to me where my thinking is not correct.

Another sketch, a bit more explanatory maybe:
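The ARP walkthrough in the post above, as an added example that is not part of the original post or of any MikroTik code: a small Python model of two hosts on a shared segment, where the station (standing in for the MikroTik) receives unicast frames but never sees broadcast frames, which is the symptom the thread eventually attributes to a group-cipher mismatch. MAC and IP addresses are constructed. The model shows the RFC 826 merge rule: when the MikroTik sends its own ARP request, the PC (being the target) records the MikroTik's sender MAC/IP and can afterwards reach it without broadcasting, which matches the "works only after the MikroTik pings first" behaviour.

```python
"""Model ARP resolution on a segment where one host never receives broadcast
frames. Added example, not from the thread; all addresses are constructed."""
import struct

BROADCAST = b"\xff" * 6
ETH_P_ARP = 0x0806


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (RFC 826). op 1=request, 2=reply.
    Requests go to the broadcast MAC, replies are unicast to the requester."""
    dst = BROADCAST if op == 1 else target_mac
    eth = dst + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not ARP."""
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op = struct.unpack("!HHBBH", frame[14:22])[4]
    p = frame[22:]
    return dict(dst=dst, src=src, op=op, sha=p[:6], spa=p[6:10], tha=p[10:16], tpa=p[16:20])


class Host:
    def __init__(self, name, mac_addr, ip_addr, receives_broadcast=True):
        self.name, self.mac, self.ip = name, mac_addr, ip_addr
        # False models a station that cannot decode group-addressed frames
        self.receives_broadcast = receives_broadcast
        self.arp_cache = {}   # protocol address -> hardware address
        self.outbox = []

    def receive(self, frame):
        a = parse_arp(frame)
        if a is None or a["dst"] not in (BROADCAST, self.mac):
            return
        if a["dst"] == BROADCAST and not self.receives_broadcast:
            return   # lost on the air: the station never sees it
        if a["tpa"] == self.ip:
            # RFC 826 merge: as the target we learn the sender's mapping...
            self.arp_cache[a["spa"]] = a["sha"]
            if a["op"] == 1:   # ...and answer a request with a unicast reply
                self.outbox.append(build_arp(2, self.mac, self.ip, a["sha"], a["spa"]))

    def resolve(self, target_ip):
        """Return the cached MAC, or broadcast a request and return None."""
        if target_ip in self.arp_cache:
            return self.arp_cache[target_ip]
        self.outbox.append(build_arp(1, self.mac, self.ip, b"\x00" * 6, target_ip))
        return None


def deliver(hosts):
    """Flush every outbox onto the shared segment until nothing is pending."""
    pending = True
    while pending:
        pending = False
        for h in hosts:
            frames, h.outbox = h.outbox, []
            for f in frames:
                pending = True
                for other in hosts:
                    if other is not h:
                        other.receive(f)


def scenario():
    pc = Host("pc", mac("02:00:00:00:00:10"), ip("192.168.1.10"))
    mt = Host("mikrotik", mac("02:00:00:00:00:02"), ip("192.168.1.2"), receives_broadcast=False)
    hosts, results = [pc, mt], {}
    # 1. PC pings the MikroTik first: the request is broadcast, the station never sees it.
    pc.resolve(mt.ip); deliver(hosts)
    results["pc_first"] = mt.ip in pc.arp_cache
    # 2. MikroTik pings the PC: the PC sees the broadcast, answers with a unicast reply...
    mt.resolve(pc.ip); deliver(hosts)
    results["mt_learns_pc"] = pc.ip in mt.arp_cache
    # ...and, being the target, has merged the MikroTik's sender pair into its cache.
    results["pc_learned_mt"] = mt.ip in pc.arp_cache
    # 3. Now PC -> MikroTik resolves from the cache; no broadcast is needed.
    results["pc_second"] = pc.resolve(mt.ip) == mt.mac
    return results


if __name__ == "__main__":
    for step, ok in scenario().items():
        print(f"{step}: {'resolved' if ok else 'unresolved'}")
```

The model only reproduces the ordering effect; it says nothing about why the broadcasts are lost, which is what the rest of the thread works out with a sniffer.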
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: MikroTik PseudoBridge, BroadCast domain problem

Mon Jan 11, 2016 5:54 pm

In the updated diagram, your Mikrotik should just be a plain-jane station mode connection.

It's a router in this configuration - the devices behind it are not in the same IP range as the UniFi lan, so the workstations (e.g. 192.168.1.20) cannot see the 192.168.2.x network behind the Mikrotik and no ARPs should be getting forwarded.


Pseudobridge is designed to be a "backwards AP" - meaning to take a wireless network and bring it back onto a wired ethernet segment. Since wifi isn't actually ethernet, there are differences between them - the main one here being that the AP only considers the MAC addresses of actual wireless stations. (WDS extends this functionality into a true bridge, but you can't use WDS with encryption unless pairing up devices from the same vendor, each of whom has done their own method to accomplish dynamic WDS and encryption).

So the pseudobridge does for MAC addresses what NAT does for IP addresses - it's an N:1 mapping technique, so that all of the ethernet devices can communicate on the wlan, but using the single MAC address of the Mikrotik.

I'm not sure why the Mikrotik isn't answering ARP requests on the wlan1 IP while in pseudobridge mode. I would expect the configuration for pseudobridge to have a bridge interface with the Mikrotik having just one IP address (e.g. 192.168.1.2/24) and that being configured on the bridge interface and not the wlan1 interface. Then the ethernet devices should get DHCP from the same source as all of the other directly-connected wifi client devices.

So using pseudobridge, the PC that is shown as 192.168.2.x should be getting a 192.168.1.x address from the main DHCP instead.

If there's no need for the ethernet-only devices to communicate directly with the wifi-only client devices, then I recommend just setting the Mikrotik into station mode and using NAT.
 
tr00g33k
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Mar 29, 2015 3:58 pm

Re: MikroTik PseudoBridge, BroadCast domain problem

Mon Jan 11, 2016 9:41 pm

Please read all my posts, the same with Station mode. :?
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: MikroTik PseudoBridge, BroadCast domain problem

Mon Jan 11, 2016 10:20 pm

tr00g33k wrote: Please read all my posts, the same with Station mode. :?

Just thinking of silly things now: the interface wlan1 ARP type isn't set to anything unusual, right? (It should just be "enabled".)

And honestly, there's been a lot of info going by on this thread as well as the several others that I've been working with, so if I forgot "and it happens on station mode with this guy too" by the time I came back here, please forgive me for giving free help and forgetting a detail. I won't do it again.

As far as your breaking down the ARP process example - I agree that it seems like the Mikrotik is not receiving or is ignoring the broadcasts. You could try to run sniffer on wlan1 for a bit and capture the results to a file, and open the file in wireshark. That would at least determine whether the wireless network isn't sending the frames or if the Mikrotik is dropping them for some reason.

Could you possibly have an odd setting in the group ciphers setting? WiFi will transmit at one speed for user 1 and another speed for user 2, and has some basic slow-rate settings for things like multicast/broadcast. If the MikroTik accidentally has a different setting for Unicast Ciphers and Group Ciphers... if you don't have the group cipher set right, then basically the broadcasts are getting scrambled.
 
tr00g33k
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Mar 29, 2015 3:58 pm

Re: MikroTik PseudoBridge, BroadCast domain problem

Tue Jan 12, 2016 6:41 pm

I'm sorry for the reaction, but we have really been working hard on this for a few days, and we are trying to get help from all sides, and I'm writing the same thing over and over again. Of course I'm grateful for your help, don't get me wrong.

Yes, it is set to enabled. I have been doing some sniffing and it looks like it receives the broadcast. I will have to get more into sniffing, because this is the only thing that is left to do, because we have been trying all other things.

And no, I didn't forget to put it in station mode. I have contacted MikroTik support via email too, and they can't find the problem either.

I will look at the settings for Unicast Ciphers and Group Ciphers to see if I can see anything, as soon as possible.

Once more, please don't misunderstand my last post; I'm of course grateful for all the help that I can get. And I will get back as soon as I find out something new. Thank you again for all your help.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: MikroTik PseudoBridge, BroadCast domain problem

Tue Jan 12, 2016 8:31 pm

tr00g33k wrote: Because we have been trying all other things.

Out of curiosity, does this include trying a different router, just in case this one is defective?
(I assume so.)

Honestly, it should be pretty straightforward - put the key in the security profile, set the SSID in the wlan1 interface configuration, set to station mode, and put DHCP client on wlan1 interface.

Have you tried starting from a completely blank configuration?

If you've done both of these, then there could be something going on in UniFi land... Is there any kind of client-to-client filtering configured there? I assume not, since the MikroTik can ping other wifi clients, but I'm just trying to throw everything (obscure or not) I can think of onto the table for consideration.
 
tr00g33k
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Mar 29, 2015 3:58 pm

Re: MikroTik PseudoBridge, BroadCast domain problem

Tue Jan 12, 2016 10:03 pm

Yes, we tried another router. We started from scratch many times. We tried with different vendors than UniFi; it is the same. We tried an Innbox v60 or something similar. We tried with about 30 hAP Lite routers and some RB951s, and different OS versions and different firmware versions.

Right at the moment I'm doing some sniffing on the MikroTik and a laptop, both connected to the Innbox v60, and it looks like if I initiate a ping (ARP broadcast) from my client to the MikroTik, the MikroTik doesn't receive the broadcast, or at least it is not seen under /tools packet sniffer.

But the other way around, if I initiate a ping (ARP broadcast from the MikroTik), I get the ARP broadcast on my PC. It is really strange. Where could that ARP broadcast from my laptop to the MikroTik get stuck, and why?

No client isolation; if I use two laptops instead of a MikroTik as a client, it works in both directions as it should.

Maybe some idea?
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: MikroTik PseudoBridge, BroadCast domain problem

Tue Jan 12, 2016 10:49 pm

What happens if you clear the ARP cache on the Mikrotik and on the router (the IP default GW router), and then try to ping the Mikrotik from the router before the Mikrotik tries to use the default GW?

Some routers will automatically add entries to their ARP cache based on the source IP+MAC of packets they receive.
I'm just curious to see what happens if a broadcast originating from the actual wired LAN goes to the Mikrotik....

Or perhaps if you plug a test Mikrotik into the wired lan between the access points - can it ping/arp successfully with the wireless Mikrotik?
 
tr00g33k
Frequent Visitor
Topic Author
Posts: 84
Joined: Sun Mar 29, 2015 3:58 pm

Re: MikroTik PseudoBridge, BroadCast domain problem

Thu Jan 14, 2016 10:15 am

ZeroByte, thank you for all your help and for pointing me in the right direction. The problem was that the MikroTik really chose different group and unicast ciphers, and it was the same with other vendors than UniFi. I set static AES on the AP (UniFi or any other vendor) and on the MikroTik, and now it works as it should.
