Jest
just joined
Topic Author
Posts: 2
Joined: Sun Apr 30, 2023 1:29 pm

Ping issues in same VLAN

Sun Apr 30, 2023 2:25 pm

Hi there,

I'm very new to MT gear and systems; I'm just trying to set up a very simple config on a newly acquired CRS326-24G-2S+ but I'm facing some issues.
What I'm trying to achieve: set up 2 isolated VLANs - one is for my isolated home lab, and the other one should be "attached" to my home network.
Basically, I just want to split the switch in half using VLANs. No router involved as I do not want any inter-VLAN communication (at least for now).
I know this is probably overkill at this scale, but the main goal for me is to learn - hence this home lab setup.

I followed some guides I found here and there and the MT doc https://wiki.mikrotik.com/wiki/Manual:I ... by_Bridge).

Here is the configuration (based on the default config):
/interface bridge
add admin-mac=18:FD:74:FF:0C:4C auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether16 ] name=ether16-mgmt
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=172.20.0.200-172.20.0.249
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=vlan20 lease-time=1d name=dhcp2
/interface bridge port
add bridge=bridge interface=ether1 pvid=20
add bridge=bridge interface=ether2 pvid=20
add bridge=bridge interface=ether3 pvid=20
add bridge=bridge interface=ether4 pvid=20
add bridge=bridge interface=ether5 pvid=20
add bridge=bridge interface=ether6 pvid=20
add bridge=bridge interface=ether7 pvid=20
add bridge=bridge interface=ether8 pvid=20
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=ether11
add bridge=bridge interface=ether12
add bridge=bridge interface=ether13
add bridge=bridge interface=ether14
add bridge=bridge interface=ether15
add bridge=bridge interface=ether17 pvid=10
add bridge=bridge interface=ether18 pvid=10
add bridge=bridge interface=ether19 pvid=10
add bridge=bridge interface=ether20 pvid=10
add bridge=bridge interface=ether21 pvid=10
add bridge=bridge interface=ether22 pvid=10
add bridge=bridge interface=ether23 pvid=10
add bridge=bridge interface=ether24 pvid=10
add bridge=bridge interface=sfp-sfpplus1 pvid=10
add bridge=bridge interface=sfp-sfpplus2 pvid=10
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24,sfp-sfpplus1,sfp-sfpplus2 vlan-ids=\
    10
add bridge=bridge tagged=bridge untagged=ether3,ether4,ether5,ether6,ether7,ether1,ether2,ether8 vlan-ids=20
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether16-mgmt network=192.168.88.0
add address=172.20.0.1/24 interface=vlan20 network=172.20.0.0
add address=192.168.1.2/24 interface=vlan10 network=192.168.1.0
/ip dhcp-server network
add address=172.20.0.0/24 gateway=172.20.0.1
/system routerboard settings
set boot-os=router-os

sfp-sfpplus2 is connected to my ISP router
sfp-sfpplus1 is my desktop
ether1 and ether2 each have a Win machine connected.
ether16 is outside the bridge (in case I messed up a config and I'm locked out of the router)...

I managed to set up my 2 VLANs, got DHCP server running on VLAN 20 (VLAN 10 already has my ISP router DHCP). I set up the 2 Windows machines on VLAN 20 ether1 and 2 (say PC1 and PC2), they got an IP no problem and they appear in the ARP table as well.
The issue is:
  • I cannot ping from PC1 to PC2 and vice-versa (it throws a timeout systematically)
  • Each host can ping the gateway (here 172.20.0.1) BUT I cannot ping from the router to a host (e.g. running ping src-address=172.20.0.1 172.20.0.249 - for PC1)
  • The same happens on VLAN 10 BUT, not for my desktop weirdly, which can be pinged from the CRS...
I also made sure both PC1 and PC2 were considered on a private network in Windows, no FW blocking ICMP.
I tried some tools (like Torch and Packet Sniffer) but as far as I understand, I see nothing that can help me - namely, Torch sees the packet being sent, but no echo I guess.
I also tried an even simpler setup: PC1 and PC2 on a single VLAN 20 same as above, nothing else - same result.

I'm sure I missed something very simple (Routing ? Firewall rules ? NAT ?) or maybe my setup is dumb and won't work like that. But I'm very open to suggestions and teachings.

Thanks for your help!
 
Jest
just joined
Topic Author
Posts: 2
Joined: Sun Apr 30, 2023 1:29 pm

Re: Ping issues in same VLAN  [SOLVED]

Sat May 06, 2023 9:07 pm

Hello again,

I managed to solve it, even though it is kind of stupid, I think the answer can be useful to beginners like me.
After some thorough tests and research, it turns out only ICMP type 0 (replies) were somehow blocked going out of my computer. So pinging from PC to router, no problem. The other way, the reply is "not sent" to the router and I have a timeout on the router. Same happened on my laptop (2nd computer). Wireshark also shows the reply packet is not even recorded.

=> The culprit was Bitdefender firewall Stealth Mode. It was enabled (by default) on both my PCs.

So to anybody using Bitdefender, disable Stealth Mode for the correct interface in firewall advanced settings.... Of course I should have tested with BD firewall off at first, but I never had any issues before because Stealth Mode was disabled on my other NIC. Since I'm using another NIC, I never thought of this.
Note: I'm not sure if BD firewall can be turned off on specific NIC.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Ping issues in same VLAN

Mon May 08, 2023 5:30 pm

Note that in current Windows installations, ping is blocked by default in the Windows firewall.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Ping issues in same VLAN

Mon May 08, 2023 9:22 pm

> Note that in current Windows installations, ping is blocked by default in the Windows firewall.

I am not sure what "current" means, does that include Win 10 22H2?

I think it may depend on whether you have the more restrictive "Public" profile (for use when connecting to untrusted networks), or the "Private" profile (for use in a home network).

This is the way that computers in my home work (for ones that haven't had the firewall adjusted to allow pings from RFC1918 addresses in the private profile).

Public profile: block ping requests from all devices.
Private profile: respond to pings from the local connected networks, block pings from internet interface and "remote" networks (which includes local subnets that have no connected routes).

Here's how to adjust a profile to allow pings from RFC1918 addresses. (You can adjust either public or private profile.) It is in the advanced firewall settings under "File and Printer Sharing (Echo Request - ICMPv4-In) Properties"
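
The adjustment described in the post above, as a PowerShell sketch (an added example, not part of the original thread). It assumes the built-in rule display name quoted in the post and the three RFC1918 ranges, and it narrows the rule to private sources instead of switching the firewall off.

```powershell
#Requires -RunAsAdministrator
# Added example: scope the built-in ICMPv4 echo-request rule to RFC1918 sources.
# The display name comes from the post above; everything else is an assumption.
$ruleName = 'File and Printer Sharing (Echo Request - ICMPv4-In)'
$rfc1918  = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'

# Show every copy of the rule with its profile, state and allowed remote addresses.
function Show-EchoRule {
    Get-NetFirewallRule -DisplayName $ruleName | ForEach-Object {
        $filter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.Name
            Profile       = $_.Profile
            Enabled       = $_.Enabled
            Action        = $_.Action
            RemoteAddress = $filter.RemoteAddress -join ','
        }
    }
}

# 1. Which firewall profile is each NIC actually in? A second NIC can land
#    in a different category than the one you normally use.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# 2. State before the change.
Show-EchoRule | Format-Table -AutoSize

# 3. Enable only the copies that apply to the Private profile and restrict
#    the allowed sources. A copy listed as "Private, Public" covers both
#    profiles, so the address restriction then applies to both as well.
Get-NetFirewallRule -DisplayName $ruleName |
    Where-Object { "$($_.Profile)" -match 'Private' } |
    Set-NetFirewallRule -Enabled True -RemoteAddress $rfc1918

# 4. State after the change; copies for other profiles must be untouched.
Show-EchoRule | Format-Table -AutoSize
```

This only changes the Windows firewall; a third-party firewall such as the one in the solved post filters independently and has to be checked separately.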
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Ping issues in same VLAN

Mon May 08, 2023 9:28 pm

> > Note that in current Windows installations, ping is blocked by default in the Windows firewall.
>
> I am not sure what "current" means, does that include Win 10 22H2?

Started in Windows 7 if I recall. Still that way as far as I know on a fresh new install. Public vs Private vs Domain network does not matter - all three default to blocked for Ping. Stupid. One of several things I change almost immediately on a new Windows install. I don't remember having to change that when I installed Windows Server Essentials 2019 last year - but that is a server OS. I may have had to change it, but I don't remember having to do so...
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Ping issues in same VLAN

Mon May 08, 2023 9:44 pm

> Started in Windows 7 if I recall. Still that way as far as I know on a fresh new install. Public vs Private vs Domain network does not matter - all three default to blocked for Ping. Stupid. One of several things I change almost immediately on a new Windows install. I don't remember having to change that when I installed Windows Server Essentials 2019 last year - but that is a server OS. I may have had to change it, but I don't remember having to do so...

It's possible that I changed all the computers long ago and didn't remember changing it.

They Say Memory Is The 2nd Thing To Go
I Can't Remember What The 1st Thing Is
