I experimentally tried the "new VLAN bridge implementation" as described e.g. here: https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table (see code snippet below).
So far so good, everything works as expected. I get IP addresses from the DHCP servers, and if I connect a managed Netgear switch on the trunk port, devices in the same VLAN can ping each other.
Now it comes to inter-VLAN routing.
Since this is a router with two interfaces (VLAN 10, 11) and no firewall rules are in the way, in my understanding I should be able to ping devices across VLANs. This is somehow not the case.
What I tried:
1) Test for each VLAN: connect 2 PCs (Win 10) on the same VLAN (one on a router access port, one on an access port of a Netgear switch connected via the trunk port) => DHCP and ping work
This shows me: the VLAN setup basically works, and the PCs are configured correctly (ping enabled, no firewall problems)
2) Both PCs can ping the router on both interface addresses (10.10.10.1 and 10.10.11.1), no matter which VLAN they are on
This shows me: the default gateways on the PCs are correct
3) Connect the same PCs on different VLAN access ports (tried all combinations: both on the MikroTik, both on the Netgear, across devices) => DHCP works (as expected, different subnets), but I am not able to get a ping reply in either direction
Debug: the firewall log rules (see code snippet) show that the ping request is forwarded, and Wireshark on the destination PC shows that the ping request arrives (with correct source and destination addresses). But it generates no response! Same behaviour in both directions.
Since the behaviour is the same in both directions, this shows me that the default gateways on the PCs are correct, but somehow the PC does not generate a ping reply.
Experimental workaround: if I add a masquerade NAT rule, everything works fine. Src-nat is executed and pings get replies correctly.
In my understanding this NAT rule should not be necessary.
Thanks a lot for your help on this.
Code:
# model = RB750UPr2
## ADD shared bridge. vlan-filtering is switched on as the last step below,
## after the ports and the bridge VLAN table exist, so the router stays reachable
## while the configuration is being entered.
/interface bridge add name=bridge_VLAN
## ADD VLAN interfaces on the VLAN bridge for the router's IP interfaces
/interface vlan add interface=bridge_VLAN name=V10_Lan vlan-id=10
/interface vlan add interface=bridge_VLAN name=V11_Config vlan-id=11
/ip address add address=10.10.11.1/24 interface=V11_Config network=10.10.11.0
/ip address add address=10.10.10.1/24 interface=V10_Lan network=10.10.10.0
## DHCP server on the LAN and CONFIG VLANs
/ip pool add name=dhcp_pool_LAN ranges=10.10.10.20-10.10.10.30
/ip pool add name=dhcp_pool_Config ranges=10.10.11.10-10.10.11.20
/ip dhcp-server add address-pool=dhcp_pool_LAN disabled=no interface=V10_Lan name=dhcp_Lan
/ip dhcp-server add address-pool=dhcp_pool_Config disabled=no interface=V11_Config name=dhcp_Config
/ip dhcp-server network add address=10.10.10.0/24 dns-none=yes gateway=10.10.10.1
## the VLAN 11 entry was pasted as "/ip dhcp-server add ..."; it is a network entry
/ip dhcp-server network add address=10.10.11.0/24 dns-none=yes gateway=10.10.11.1
## TRUNK on ether1 (tagged for VLAN 10 and VLAN 11)
## Access port VLAN 11 on ether4
## Access port VLAN 10 on ether5
/interface bridge port add bridge=bridge_VLAN interface=ether1
/interface bridge port add bridge=bridge_VLAN interface=ether4 pvid=11
/interface bridge port add bridge=bridge_VLAN interface=ether5 pvid=10
## Bridge VLAN table: the bridge itself must be a tagged member of each VLAN,
## otherwise the V10_Lan/V11_Config interfaces (routing, DHCP) never see the traffic
/interface bridge vlan add bridge=bridge_VLAN tagged=bridge_VLAN,ether1 untagged=ether4 vlan-ids=11
/interface bridge vlan add bridge=bridge_VLAN tagged=bridge_VLAN,ether1 untagged=ether5 vlan-ids=10
## Enable VLAN filtering last
/interface bridge set bridge_VLAN vlan-filtering=yes
## Just debug log entries in the firewall (accept and log ICMP in input and forward)
/ip firewall filter add action=accept chain=input log=yes log-prefix=PING_INPUT_ protocol=icmp
/ip firewall filter add action=accept chain=forward log=yes log-prefix=PING_FWD_ protocol=icmp
## Debug NAT entry: the experimental masquerade workaround, kept disabled
/ip firewall nat add action=masquerade chain=srcnat disabled=yes
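The following is an added router-side check, not part of the original post, to separate "the router does not forward" from "the PC does not answer". It reuses the poster's addressing (router 10.10.10.1 on V10_Lan, 10.10.11.1 on V11_Config, access ports ether4/ether5); the PC addresses 10.10.10.20 and 10.10.11.10 are assumed DHCP leases from the pools above and are hypothetical.

```routeros
# Added diagnostic (not from the original post). Assumptions: a Windows PC in
# VLAN 10 at 10.10.10.20 on ether5 and a PC in VLAN 11 at 10.10.11.10 on ether4
# (hypothetical leases from dhcp_pool_LAN / dhcp_pool_Config).

# 1) Ping the VLAN 10 PC from the router, sourced from the VLAN 10 address.
#    From the PC's point of view this is same-subnet traffic.
/ping 10.10.10.20 src-address=10.10.10.1 count=3

# 2) Same destination, but sourced from the VLAN 11 address. The router's
#    routing decision is identical; only the source subnet the PC sees changes.
/ping 10.10.10.20 src-address=10.10.11.1 count=3

# 3) Repeat towards the VLAN 11 PC.
/ping 10.10.11.10 src-address=10.10.11.1 count=3
/ping 10.10.11.10 src-address=10.10.10.1 count=3

# 4) Confirm the requests really leave the access port and whether any reply
#    comes back on it (Ctrl-C stops the sniffer).
/tool sniffer quick interface=ether5 ip-protocol=icmp

# 5) Connection-tracking view of the same thing: an ICMP entry whose
#    repl-packets counter stays at 0 is a request that was never answered.
/ip firewall connection print detail where protocol=icmp
```

If 1) gets replies and 2) does not (and likewise 3), the router forwards fine and the PC is simply not answering echo requests from another subnet. That is the default behaviour of the Windows firewall: its built-in inbound ICMPv4 echo rule ("File and Printer Sharing (Echo Request - ICMPv4-In)") is scoped to the local subnet on the Private profile, so a request from 10.10.11.x is dropped on the 10.10.10.x PC even though Wireshark shows it arriving. It also explains why the masquerade rule "fixes" it: after src-nat the request carries the router's same-subnet address (10.10.10.1) as source, which the rule allows. Widening that rule's remote address scope on the PCs, or adding your own ICMPv4 allow rule, is the fix; the NAT rule is not needed for inter-VLAN routing.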