ihphar
just joined
Topic Author
Posts: 4
Joined: Mon May 25, 2020 8:24 pm

Inter-VLAN Routing problem (VLAN Bridge implementation)

Tue May 26, 2020 11:17 am

Hello,

I experimentally tried the "new VLAN bridge implementation" as described e.g. here: https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table (see code snippet below).
So far so good, everything works as expected. I get IP addresses from the DHCP servers, and if I connect a managed Netgear switch on the trunk port, devices in the same VLAN can ping each other.

Now it comes to inter-VLAN routing.
Since this is a router having two interfaces (VLAN 10, 11) and no firewall rules are in the way, in my understanding I should be able to ping devices across VLANs. This is somehow not the case.

What I tried:
1) Test for each VLAN: connect 2 PCs (Win 10) on the same VLAN (one on a router access port, one on an access port of a Netgear switch connected via the trunk port) => DHCP and PING work
This shows me: the VLAN setup basically works, and the PCs are configured correctly (ping enabled, no firewall problems)
2) Both PCs can ping the router on both interface addresses (on 10.10.10.1 and 10.10.11.1) no matter which VLAN they are on
This shows me: the standard gateways on the PCs are correct
3) Connect the same PCs on different VLAN access ports (tried all combinations: both on the MikroTik, both on the Netgear, across devices) => DHCP works (as expected, different subnets), but I am not able to get a PING reply in either direction
Debug: the firewall log rules (see code snippet) show that the ping request is forwarded; Wireshark on the destination PC also shows that the ping request arrives (with correct source and destination addresses). But it generates no response! Same behaviour in both directions.
Since the behaviour is the same in both directions, this shows me that the standard gateways on the PCs are correct, but somehow the PC does not generate a ping reply.
Experimental workaround: if I add a masquerade NAT rule, everything works fine. Src-nat is executed and pings get replies correctly.

In my understanding this NAT rule should not be necessary.

Thanks a lot for your help on this.
# model = RB750UPr2

## ADD shared bridge with VLAN filtering enabled
/interface bridge add name=bridge_VLAN vlan-filtering=yes

## ADD VLAN interfaces on the VLAN bridge for the router's own IP interfaces
/interface vlan add interface=bridge_VLAN name=V10_Lan vlan-id=10
/interface vlan add interface=bridge_VLAN name=V11_Config vlan-id=11

/ip address add address=10.10.11.1/24 interface=V11_Config network=10.10.11.0
/ip address add address=10.10.10.1/24 interface=V10_Lan network=10.10.10.0

## DHCP server on LAN and CONFIG VLAN
/ip pool add name=dhcp_pool_LAN ranges=10.10.10.20-10.10.10.30
/ip pool add name=dhcp_pool_Config ranges=10.10.11.10-10.10.11.20

/ip dhcp-server add address-pool=dhcp_pool_LAN disabled=no interface=V10_Lan name=dhcp_Lan
/ip dhcp-server add address-pool=dhcp_pool_Config disabled=no interface=V11_Config name=dhcp_Config
/ip dhcp-server network add address=10.10.10.0/24 dns-none=yes gateway=10.10.10.1
## (the "network" keyword was missing from the original paste of the next line;
##  "address" is not a dhcp-server property, so the line would not apply as posted)
/ip dhcp-server network add address=10.10.11.0/24 dns-none=yes gateway=10.10.11.1

## TRUNK on ether1 (tagged only; no pvid given, so it keeps the default pvid=1)
## Access port VLAN 11 on ether4
## Access port VLAN 10 on ether5
/interface bridge port add bridge=bridge_VLAN interface=ether1
/interface bridge port add bridge=bridge_VLAN interface=ether4 pvid=11
/interface bridge port add bridge=bridge_VLAN interface=ether5 pvid=10

## Bridge VLAN table: the bridge itself is listed as tagged member so the
## V10_Lan / V11_Config interfaces above can send and receive the router's own traffic
/interface bridge vlan add bridge=bridge_VLAN tagged=bridge_VLAN,ether1 untagged=ether4 vlan-ids=11
/interface bridge vlan add bridge=bridge_VLAN tagged=bridge_VLAN,ether1 untagged=ether5 vlan-ids=10

## Just debug log entries in the firewall (accept + log, so ICMP shows up in /log)
/ip firewall filter add action=accept chain=input log=yes log-prefix=PING_INPUT_ protocol=icmp
/ip firewall filter add action=accept chain=forward log=yes log-prefix=PING_FWD_ protocol=icmp

## Debug NAT entry (disabled; when enabled it has no out-interface, so it
## masquerades all routed traffic with the address of whatever interface it leaves by)
/ip firewall nat add action=masquerade chain=srcnat disabled=yes
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Inter-VLAN Routing problem (VLAN Bridge implementation)

Tue May 26, 2020 11:40 am

Wireshark on the destination PCs shows that Ping request arrives (with correct source and destination addresses). But it generates no response!
So the problem is not in the router, it is in the PC!
It has no route for your other network, or it has a firewall that blocks ping from outside the local network.
Try with the firewall on the PC disabled and, if it helps, improve your firewall configuration on the PC and enable it again.
 
mbovenka
Member
Posts: 338
Joined: Mon Oct 14, 2019 10:14 am

Re: Inter-VLAN Routing problem (VLAN Bridge implementation)

Tue May 26, 2020 12:56 pm

Wireshark on the destination PCs shows that Ping request arrives (with correct source and destination addresses). But it generates no response!
So the problem is not in the router, it is in the PC!

Yup. My guess is: Windows PC with firewall enabled. The Windows builtin firewall blocks ping by default; always has, AFAIK.
 
ihphar
just joined
Topic Author
Posts: 4
Joined: Mon May 25, 2020 8:24 pm

Re: Inter-VLAN Routing problem (VLAN Bridge implementation)

Tue May 26, 2020 2:23 pm

Thank you for your quick responses.
So the problem is not in the router, it is in the PC!
It has no route for your other network, or it has a firewall that blocks ping from outside the local network.
Try with the firewall on the PC disabled and when it helps, improve your firewall configuration on the PC and enable it again.
That would have been my first guess too; that's why I made and wrote about the (successful) ping tests. If this is a cleanly configured access port it should not depend on the VLAN or subnet, or am I wrong?

Why does it work with the masquerade?

I will try it tomorrow, also other ports and protocols, beside ping.
Last edited by ihphar on Wed May 27, 2020 4:51 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Inter-VLAN Routing problem (VLAN Bridge implementation)  [SOLVED]

Tue May 26, 2020 3:48 pm

The reason is that the firewall in the PC has some allow rules for traffic that originates on the local subnet, but not for traffic from your other network. That traffic is blocked.
When you setup NAT the PC sees a source address in the local network and allows it.
You need to fix this in the PC firewall rules.
 
ihphar
just joined
Topic Author
Posts: 4
Joined: Mon May 25, 2020 8:24 pm

Re: Inter-VLAN Routing problem (VLAN Bridge implementation)

Wed May 27, 2020 4:49 pm

The reason is that the firewall in the PC has some allow rules for traffic that originates on the local subnet, but not for traffic from your other network. That traffic is blocked.
When you setup NAT the PC sees a source address in the local network and allows it.
You need to fix this in the PC firewall rules.
As expected this was indeed the problem.
I have never seen the "Remote Address scope" setting in the Windows firewall before. Allowing all subnets, it works as expected.

Thank you very much for your help,
this thread can be closed
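The Windows-side fix discussed in the two posts above, written out as an added example (this is not code from the thread or from MikroTik). It assumes the two routed subnets from the original post, 10.10.10.0/24 and 10.10.11.0/24, an invented rule display name, and an elevated PowerShell session on each Windows 10 PC. The built-in "Echo Request - ICMPv4-In" rules on a default install carry RemoteAddress = LocalSubnet, which is exactly the scope that rejects a request arriving from the other VLAN; the masquerade workaround only "fixed" it because the rewritten source address (the router's own address on the destination VLAN) falls inside that local subnet.

```powershell
# Added example: inspect and fix the Windows 10 firewall scope that blocks
# cross-VLAN ICMP echo requests. Run in an elevated PowerShell on each PC.

# Subnets taken from the original post (assumed to be the only routed VLANs).
$routedSubnets = @('10.10.10.0/24', '10.10.11.0/24')

# 1. Show the current scope of the built-in ICMPv4 echo request rules.
#    A default Private-profile install reports RemoteAddress = LocalSubnet here,
#    which is why a request routed in from the other VLAN gets no reply.
Get-NetFirewallRule -DisplayName '*Echo Request - ICMPv4-In*' |
    Get-NetFirewallAddressFilter |
    Select-Object -Property InstanceID, LocalAddress, RemoteAddress

# 2. Instead of widening the built-in rule to "Any", add one rule that allows
#    echo requests only from the subnets the router actually serves.
$ruleName = 'Allow ICMPv4 Echo from routed VLANs'   # invented name, not a built-in rule
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound `
        -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $routedSubnets `
        -Action Allow `
        -Profile Private, Domain | Out-Null
}

# 3. Verify the new rule carries the intended remote scope.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object -Property LocalAddress, RemoteAddress

# 4. The same LocalSubnet scoping applies to other enabled inbound allow rules
#    (file sharing, remote administration, ...). List them so the next protocol
#    that fails across VLANs can be scoped the same way instead of guessed at.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Get-NetFirewallAddressFilter |
    Where-Object { $_.RemoteAddress -contains 'LocalSubnet' } |
    Get-NetFirewallRule |
    Select-Object -Property DisplayName, Profile |
    Sort-Object -Property DisplayName
```

Scoping the new rule to the two routed subnets keeps the intent of the default "local subnet only" rule rather than opening echo requests to any address, and it leaves the real source address visible to the PC (and its firewall log), which the masquerade workaround hides. For an existing rule that should simply accept the other VLAN as well, the equivalent change is `Set-NetFirewallRule -RemoteAddress` with the same subnet list on the rule object returned by `Get-NetFirewallRule`.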
 
YO3IPT
just joined
Posts: 5
Joined: Fri Sep 11, 2020 12:37 am

Re: Inter-VLAN Routing problem (VLAN Bridge implementation)

Sat May 01, 2021 9:38 pm

Hello everyone,

It's an old thread, but I have the same issue. In my case I use src-nat to change the address for each VLAN as an out interface, but my question is: does it add any performance penalty?
I mean, does it load the CPU or slow down throughput more than just routing with the routing table?
I want to know if it's worth modifying the firewall rules for all the PCs in each VLAN (all on Win10).
Because if it's all the same I'd rather do src-nat on the MikroTiks than change the settings for all of the devices....

Thank you for your response
 
