frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

WAN over VLAN

Thu May 06, 2021 1:09 pm

vlan.png
I have two wans with working PCC load balancing. I wanted to change the configuration so that with only one ethernet cable and a managed switch I can separately transport both wan2 and use the remaining switch ports as LAN. Can you recommend a guide or some basic information?
 
sindy
Forum Guru
Posts: 7281
Joined: Mon Dec 04, 2017 9:19 pm

Re: WAN over VLAN

Sat May 08, 2021 9:24 pm

  1. if ether10 of the 3011 is a member port of a bridge, hook an /interface vlan with vlan-id=100 to that bridge, otherwise add it directly to ether10. Let's name it wan2-100 for simplicity.
  2. move all the IP address configuration from the current etherX acting as WAN2 to wan2-100 you've added above. Also modify all firewall rules that refer to etherX as in-interface or out-interface to refer to wan2-100. If etherX is the interface on any /interface list member rows, change all these rows to read interface=wan2-100 as well.
  3. on the Netgear, permit tagged VLAN 100 on ether1, and make ether5 an access port to VLAN 100.
  4. finally, move the cable from etherX of the 3011 previously acting as WAN2 to ether5 of the Netgear.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Sat May 08, 2021 10:44 pm

Hi sindy, thanks for your reply.
The eth10 port is now working as a load balancing WAN2.
When I go to hook up the vlan100, will I have to assign to the created vlan a static IP of the same class that I have now on WAN2?
On the Netgear switch, will the untagged ports be connected to the LAN bridge?
Tonight, after a backup, I will start to do some tests.
 
sindy
Forum Guru
Posts: 7281
Joined: Mon Dec 04, 2017 9:19 pm

Re: WAN over VLAN

Sat May 08, 2021 11:01 pm

If the ether10 itself currently acts as WAN2, do you want ether2..ether4 of the netgear to extend some existing LAN bridge of the 3011? Or will it be a separate LAN segment? The necessary changes on the 3011 depend on the answer.
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Sat May 08, 2021 11:10 pm

I would like the netgear to have 3 ports connected to the 3011 LAN bridge.
 
anav
Forum Guru
Posts: 7392
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WAN over VLAN

Sun May 09, 2021 12:28 am

post your config
/export hide-sensitive file=anynameyouwish
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
sindy
Forum Guru
Posts: 7281
Joined: Mon Dec 04, 2017 9:19 pm

Re: WAN over VLAN

Sun May 09, 2021 10:15 am

OK. So let's assume you've started from a default configuration, where ether2..ether10 were member ports of a bridge named bridge, and you've just removed ether10 from that bridge and used it as WAN2.

So as I wrote above
/interface vlan add name=wan2-100 interface=bridge vlan-id=100
/ip address set [find interface=ether10] interface=wan2-100
/ip route rule set [find interface=ether10] interface=wan2-100
/ip dhcp-client set [find interface=ether10] interface=wan2-100
/interface pppoe-client set [find interface=ether10] interface=wan2-100
/interface list member set [find interface=ether10] interface=wan2-100
/ip firewall raw set [find in-interface~"^ether10\$"] in-interface=wan2-100
/ip firewall raw set [find out-interface~"^ether10\$"] out-interface=wan2-100
/ip firewall mangle set [find in-interface~"^ether10\$"] in-interface=wan2-100
/ip firewall mangle set [find out-interface~"^ether10\$"] out-interface=wan2-100
/ip firewall filter set [find in-interface~"^ether10\$"] in-interface=wan2-100
/ip firewall filter set [find out-interface~"^ether10\$"] out-interface=wan2-100
/ip firewall nat set [find in-interface~"^ether10\$"] in-interface=wan2-100
/ip firewall nat set [find out-interface~"^ether10\$"] out-interface=wan2-100
/interface bridge port add bridge=bridge interface=ether10


After this, the tagless frames of the LAN bridge will pass tagless through ether2..ether10, and frames tagged with VID 100 will pass tagged through all of these ports. If you insist that tagged frames must not egress from ether2..ether9, you have to first define /interface bridge vlan add vlan-ids=100 bridge=bridge tagged=bridge,ether10 and then allow VLAN filtering on the bridge using /interface bridge set bridge vlan-filtering=yes, but doing so disables switch chip forwarding on the 3011 so think twice whether you really need it. I'm almost sure that on a 3011 in particular, you can accomplish this using the VLAN configuration of the switch chips instead, but that's a separate can of worms.

On the Netgear, ether2..ether4 must be access ports to VLAN 1 (the default setting), ether5 must be set as an access port to VLAN 100, and ether1 must be a hybrid port where VLAN 1 is untagged and VLAN 100 is tagged.

So go to the Advanced VLAN settings and add VLAN 100; then go to VLAN membership, choose VLAN 1 and remove port 05 from it; then choose VLAN 100, choose port 05 and add it as untagged, then choose port 01 and add it as tagged. Last, in Port PVID configuration, set the PVID of 05 to 100 (untagging on egress and tagging on ingress are configured separately on this device).
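The Netgear port settings from the post above, modelled as an added example (not part of the original post and not vendor code): a small 802.1Q forwarding model that shows where a frame entering each port comes out, and what changes if port 05 is added to VLAN 100 but is left in VLAN 1 with PVID 1. The class and function names are hypothetical, the port and VLAN numbers are those given in the post, and ingress filtering on the switch is an assumption of the model.

```python
"""802.1Q port model for the 5-port switch layout described in the post.

Added illustration. Names (Switch, deliver, ...) are hypothetical. Frames
are reduced to ingress port plus optional tag, and are flooded so that
every permitted egress port shows up in the result.
"""
from dataclasses import dataclass, field


@dataclass
class Switch:
    # VLAN id -> {port: "T" (egress tagged) or "U" (egress untagged)}
    membership: dict = field(default_factory=dict)
    # port -> PVID given to untagged frames on ingress
    pvid: dict = field(default_factory=dict)

    def deliver(self, in_port, tag=None):
        """Return {egress_port: tag_on_wire_or_None} for a flooded frame."""
        vid = tag if tag is not None else self.pvid[in_port]
        members = self.membership.get(vid, {})
        # Assumed ingress filtering: drop the frame when the ingress port
        # is not a member of the VLAN the frame was classified into.
        if in_port not in members:
            return {}
        return {
            port: (vid if mode == "T" else None)
            for port, mode in members.items()
            if port != in_port
        }


def page_config():
    """Settings from the post: VLAN 1 untagged on 01..04, VLAN 100 tagged
    on 01 and untagged on 05, PVID of 05 set to 100."""
    return Switch(
        membership={
            1: {1: "U", 2: "U", 3: "U", 4: "U"},
            100: {1: "T", 5: "U"},
        },
        pvid={1: 1, 2: 1, 3: 1, 4: 1, 5: 100},
    )


def half_done_config():
    """Constructed mistake: port 05 was added to VLAN 100, but it was not
    removed from VLAN 1 and its PVID is still 1."""
    sw = page_config()
    sw.membership[1][5] = "U"
    sw.pvid[5] = 1
    return sw


def wan_reaches_lan(sw):
    """True if an untagged frame from the WAN2 device on port 05 can leave
    through a LAN access port (02..04)."""
    return any(port in (2, 3, 4) for port in sw.deliver(in_port=5))


if __name__ == "__main__":
    for name, sw in (("as posted", page_config()),
                     ("half done", half_done_config())):
        print(name)
        print("  from WAN2 device on 05  ->", sw.deliver(5))
        print("  VID 100 from router, 01 ->", sw.deliver(1, tag=100))
        print("  WAN2 frames reach LAN   :", wan_reaches_lan(sw))
```

In the half-done case the router-to-LTE direction still works, which is why the mistake is easy to miss: only the frames coming from the LTE device land in the LAN broadcast domain.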
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Sun May 09, 2021 10:49 am

@anav
here is my configuration
testvlan.txt
@sindy
I wasn't able to do much this morning especially with the vlan on the switch, I'll try again with the directions you wrote above
 
sindy
Forum Guru
Posts: 7281
Joined: Mon Dec 04, 2017 9:19 pm

Re: WAN over VLAN

Sun May 09, 2021 11:26 am

So before copy-pasting my script above, rename ether10-WAN2 to ether10.
Then copy-paste that script except the last row.
Instead of the last row, use /interface bridge port enable [find interface=ether10].
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Sun May 09, 2021 11:46 am

@sindy
The IP provided by the LTE router to the WAN2 of the 3011 is dynamic; when I connect it to the eth5 of the netgear, will it be maintained even when passing as VLAN100?
 
sindy
Forum Guru
Posts: 7281
Joined: Mon Dec 04, 2017 9:19 pm

Re: WAN over VLAN

Sun May 09, 2021 11:57 am

Yes, if everything else works properly, there will be no problem. However, the configuration you've posted shows that a static address is assigned to WAN2:
/ip address
...
add address=192.168.9.2/24 interface=ether10-WAN2 network=192.168.9.0

So what have I missed?

Also, take care about changing the autoenableWAN2 script. But if this script is needed to force the LTE device to behave properly, it won't fulfil this purpose any more as the ether5 of the Netgear will stay physically up even if you disable the wan2-100 interface on the 3011.
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Sun May 09, 2021 12:13 pm

....
So what have I missed?
....
you're right, I'm the one who got lost :-)
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Sun May 09, 2021 2:06 pm

vlansetting.png
membership1-100.png
PVID.png
 
anav
Forum Guru
Posts: 7392
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WAN over VLAN

Sun May 09, 2021 3:09 pm

I am confused on the purpose of the bridge networks (which seems to provide DHCP for all the RB3011 ports) and then there is vlan10.
Probably fine, except I would do it differently

Vlan10 as defined to the bridge and vlan20 also defined to the bridge, to cover off what is going to the bridge ports which is still not clear........
For both vlans define address, dhcp server, dhcp server network and pools, in this way the bridge does nothing but bridging (clean)

such that etherport1 on the switch, a trunk port, carries vlan10?, vlan20 and vlan100 to the RB3011 from the netgear switch.
vlan100 is attached to port5 as untagged on the switch pvid 100 assigned to eth5
vlan 20 is untagged for ports 2,3,4 they need pvid 20 assigned.
the only port with the default of pvid=1 on the netgear switch will be the trunk port (eth1).
This works well on all my switches, netgear, tplink, dlink etc.........

In any case once the vlan10 and rest of network the bridge currently dishes out is understood it will fall out naturally.

The other reasons I suggest this is that most brands of vlan devices don't encompass the bridge concept and thus mirroring the standard vlan setup is easier to do when using them in the mix.
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Sun May 09, 2021 4:04 pm

@anav
The vlan10 that you see in my configuration is used to reach the management interface of the two Ubiquiti access points that I have, and should keep data traffic separate from the management traffic. I do not know if it is set correctly, also because from each android wifi client I can reach the configuration screen of the access points and this should not happen if not enabling the vlan on the android devices.
 
sindy
Forum Guru
Posts: 7281
Joined: Mon Dec 04, 2017 9:19 pm

Re: WAN over VLAN

Sun May 09, 2021 4:12 pm

"this should not happen if not enabling the vlan on the android devices."
It's a misunderstanding. The fact that the subnet 172.16.10.0/24 lives in a dedicated VLAN does not mean that devices in other subnets cannot reach devices in 172.16.10.0/24, as the very purpose of a router is to forward traffic among subnets. To selectively prevent forwarding of some traffic types, you have to use firewall rules.

Other than that, you've posted the configuration of the GS105E without any question or statement. The configuration is correct (except that if you want to connect one of the Ubiquiti devices to it, you have to add VLAN 10 as well), but what was the purpose of posting it?
 
anav
Forum Guru
Posts: 7392
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WAN over VLAN

Sun May 09, 2021 4:38 pm

As sindy writes, you need to complete your network diagram to understand what you are doing.
Where are the Ubiquiti access points, what else is attached to ports 3,4,5

I understand what you are doing a bit better now with vlan10 being the management vlan.
The netgear switch itself should have an IP address on the vlan10 network.

The Ubiquiti access points are odd ducks from what I gather, depending upon model, they require a hybrid port,
the management traffic untagged and the rest of the vlans tagged.
If this is the case then the switch will have to be setup appropriately and I am not familiar with hybrid on netgear but will research.
However I suspect that if the Ubiquiti expects untagged traffic and tagged vlans to arrive at its door, then you will set pvid of port to 10 and then also tag the port for vlans 20,100 for the wlans associated.

Also can you confirm what is attached to the RB ports and more specifically any access points that can read vlan tags, any other managed switches or all DUMB devices that cannot read vlan tags??
Last edited by anav on Sun May 09, 2021 4:50 pm, edited 1 time in total.
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Sun May 09, 2021 4:43 pm

@sindy
The purpose of publishing it is to get your feedback on whether I have configured the switch correctly. It was just the configuration of the switch that was not working, I will try again tonight. I am now testing the switch with the image configuration and I can reach vlan10 anyway.
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Sun May 09, 2021 4:52 pm

@anav
On the 3011, from ports 2--->9 there are connected 2 access points, a miniserver for home automation and client computers. Client computers are connected to the netgear switch on ports 2,3,4.
 
sindy
Forum Guru
Posts: 7281
Joined: Mon Dec 04, 2017 9:19 pm

Re: WAN over VLAN

Sun May 09, 2021 8:03 pm

"I am now testing the switch with the image configuration and I can reach vlan10 anyway."
Again... when something is connected to port 02 of Netgear, it gets an IP address from 10.0.0.0/24 because that port is an access one to VLAN 1 which is tagless at port 01 of the GS105E and at ether2..ether10 of the 3011. When it attempts to establish a connection to an address in 172.16.10.0/24, it finds out that the destination is not in the same subnet, so it determines the MAC address of the gateway (10.0.0.1) and sends the packet to it. And the router receives this packet and forwards it to 172.16.10.x, sending it from its VLAN 10 interface.

To prevent this, add another rule to the end of chain forward of your firewall filter:
/ip firewall filter add chain=forward in-interface=bridge out-interface=vlan10 action=drop
 
anav
Forum Guru
Posts: 7392
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WAN over VLAN

Sun May 09, 2021 8:58 pm

Working my way through the config I am confused on your two WAN inputs.
Can you confirm that they are fixed WANIPs that won't change so there is no dhcp client settings for example.
wan1 is 192.168.8.2
wan2 is 192.168.9.2

My main difficulty is how to handle vlan100 and wan 2.
It's easy to accept it on etherport 5 of the switch and assign vlan100 to the incoming traffic and drop the vlan100 on the outgoing traffic.
It's easy to carry this traffic to etherport1 on the switch (the trunk port) and carry it along with vlans10(MGMT) and vlan20 (users) to the corresponding trunk port on the RB3011 etherport 10.

Here we have a bridge that all three vlans belong to
with vlan10=lan list member
with vlan20=lan list member and
with vlan100=WAN list member.

How do I get the RB3011 to accept Vlan100 as incoming wan traffic.
Is it enough to state it's a WLAN list member.
What is the format of the IP address since I also have the questions above, for VLAN100??
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Sun May 09, 2021 9:45 pm

@anav
Yes, the 2 WANs have fixed IPs
wan1 is 192.168.8.2
wan2 is 192.168.9.2
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Mon May 10, 2021 6:49 am

I tried the script; I had to enter /interface bridge port add bridge=bridge interface=ether10 instead of /interface bridge port enable [find interface=ether10].
From a client connected to the netgear I can't reach the main page of the LTE router (192.168.9.1) and the ping doesn't work,
from 3011 if I ping 192.168.9.1 it responds.
 
sindy
Forum Guru
Posts: 7281
Joined: Mon Dec 04, 2017 9:19 pm

Re: WAN over VLAN

Mon May 10, 2021 8:05 am

When you connect the same client to any of ether2..ether9 on the 3011 instead of 02..04 on the GS105E, do you get the same result?

Can you show me the export after applying my script?
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Mon May 10, 2021 8:54 am

When connecting a computer to a bridge port on the 3011, I cannot ping 192.168.9.1.
Here is the configuration after the changes.
mod_vlan.rsc
I do not understand these settings
bridge.png
interface_list.png
Last edited by frank333 on Tue May 11, 2021 7:48 am, edited 1 time in total.
 
sindy
Forum Guru
Posts: 7281
Joined: Mon Dec 04, 2017 9:19 pm

Re: WAN over VLAN

Mon May 10, 2021 11:44 am

This interface list row is definitely an error - my script should have changed ether10 to wan2-100 on it. I've tested it on my lab CHR and it worked, interesting.

Nevertheless, this does not explain why you cannot ping the LTE IP. So once you fix that row, make the command line window as wide as your screen allows, run /tool sniffer quick ip-address=192.168.9.1 in it, and start pinging 192.168.9.1 from a PC connected to a bridge port of the 3011. If everything was OK, you would see the following:
etherX    ... <- ...       ip.of.the.pc    192.168.9.1  ...  ip:icmp
bridge    ... <- ...       ip.of.the.pc    192.168.9.1  ...  ip:icmp
wan2-100  ... -> ...        192.168.9.2    192.168.9.1  ...  ip:icmp
bridge    ... -> ...  100   192.168.9.2    192.168.9.1  ...  ip:icmp
ether10   ... -> ...  100   192.168.9.2    192.168.9.1  ...  ip:icmp
ether10   ... <- ...  100   192.168.9.1    192.168.9.2  ...  ip:icmp
bridge    ... <- ...  100   192.168.9.1    192.168.9.2  ...  ip:icmp
wan2-100  ... <- ...        192.168.9.1    192.168.9.2  ...  ip:icmp
bridge    ... -> ...        192.168.9.1   ip.of.the.pc  ...  ip:icmp
etherX    ... -> ...        192.168.9.1   ip.of.the.pc  ...  ip:icmp
But I assume you actually get
etherX    ... <- ...       ip.of.the.pc    192.168.9.1  ...  ip:icmp
bridge    ... <- ...       ip.of.the.pc    192.168.9.1  ...  ip:icmp
ether1    ... -> ...        192.168.8.2    192.168.9.1  ...  ip:icmp
In other words, this has nothing to do with moving the WAN 2 configuration from bare ether10 to wan2-100, it's your PCC rules that cause this. When you ping from a PC, the PCC rule in mangle.forward may assign a connection-mark value WAN1_conn, which one of the subsequent rules translates to routing-mark value to_WAN1.

And since ICMP uses no ports, the result of the PCC evaluation only depends on source and destination addresses, so you get always the same result when pinging from the same PC.

You've fallen into the same rabbit hole as many others - the match condition dst-address-type=!local matches on any other destination address than one of the router's own ones, so it does not prevent the rule assigning WAN1_conn from acting on packets towards 192.168.9.1.

So add all the connected subnets (192.168.8.0/24, 192.168.9.0/24, 172.16.10.0/24, 10.0.0.0/24) to an address-list called connected-subnets and replace dst-address-type=!local in the PCC rules by dst-address-list=!connected-subnets.
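A check for the pitfall described in the post above, as an added example (not code from the thread or from MikroTik): it reads the /ip address, /ip firewall mangle and /ip firewall address-list rows of a RouterOS export and reports which connected subnets each PCC rule can still mark. Both exports are constructed; the addresses follow the thread, while 172.16.10.1, the LAN interface names, the prerouting chain, the classifier values and all function names are assumptions.

```python
"""Lint a RouterOS export for PCC mangle rules that can still mark traffic
to directly connected subnets (the dst-address-type=!local pitfall).

Added illustration. Both exports are constructed: addresses follow the
thread; 172.16.10.1, the LAN interface names, the prerouting chain and the
classifier values are assumptions.
"""
import ipaddress
import shlex

SAMPLE_EXPORT = r"""
/ip address
add address=192.168.8.2/24 interface=ether1 network=192.168.8.0
add address=192.168.9.2/24 interface=wan2-100 network=192.168.9.0
add address=172.16.10.1/24 interface=vlan10 network=172.16.10.0
add address=10.0.0.1/24 interface=bridge network=10.0.0.0
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridge new-connection-mark=WAN2_conn passthrough=yes \
    per-connection-classifier=both-addresses:2/1
"""

# The change proposed in the post: swap the match and define the list.
FIXED_EXPORT = SAMPLE_EXPORT.replace(
    "dst-address-type=!local", "dst-address-list=!connected-subnets"
) + """/ip firewall address-list
add address=192.168.8.0/24 list=connected-subnets
add address=192.168.9.0/24 list=connected-subnets
add address=172.16.10.0/24 list=connected-subnets
add address=10.0.0.0/24 list=connected-subnets
"""


def parse_export(text):
    """Return {section: [{key: value}, ...]} for the 'add' rows."""
    joined, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # the export wraps long rows with '\'
            pending = line[:-1]
            continue
        pending = ""
        joined.append(line)
    sections, current = {}, None
    for line in joined:
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            tokens = shlex.split(line)[1:]
            sections[current].append(dict(t.partition("=")[::2] for t in tokens))
    return sections


def list_networks(rows, name):
    """Networks in address list `name`; ranges and DNS names are skipped."""
    nets = []
    for row in rows:
        if row.get("list") == name:
            try:
                nets.append(ipaddress.ip_network(row["address"], strict=False))
            except (KeyError, ValueError):
                pass
    return nets


def pcc_findings(text):
    """Return [(connection mark, [connected subnets still matched])]."""
    s = parse_export(text)
    connected = sorted(
        ipaddress.ip_interface(r["address"]).network
        for r in s.get("/ip address", []) if "address" in r
    )
    lists = s.get("/ip firewall address-list", [])
    findings = []
    for rule in s.get("/ip firewall mangle", []):
        if "per-connection-classifier" not in rule or rule.get("disabled") == "yes":
            continue
        dst_list = rule.get("dst-address-list", "")
        excluded = list_networks(lists, dst_list[1:]) if dst_list.startswith("!") else []
        # dst-address-type=!local exempts only the router's own addresses,
        # so it never takes a whole connected subnet out of the match.
        exposed = [str(n) for n in connected
                   if not any(n.subnet_of(e) for e in excluded)]
        if exposed:
            findings.append((rule.get("new-connection-mark", "?"), exposed))
    return findings


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_EXPORT), ("after", FIXED_EXPORT)):
        print(label, pcc_findings(text))
```

An empty result means every connected subnet is excluded from PCC marking; a subnet left out of the address list is reported per rule.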
 
anav
Forum Guru
Posts: 7392
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WAN over VLAN

Mon May 10, 2021 3:08 pm

Bogged down in scripts..................
Why not solve this cleanly first without scripts, then get fancy??
 
sindy
Forum Guru
Posts: 7281
Joined: Mon Dec 04, 2017 9:19 pm

Re: WAN over VLAN

Mon May 10, 2021 3:25 pm

@anav:
What scripts? Where?

If you mean the reconfiguration script a few posts above, a script is the most concise way of expressing the necessary configuration changes. I'm not going to create a presentation with screenshots of all the relevant windows before and after. But you can always translate a script into corresponding mouse clicks rather than copy-pasting it, the choice is yours.
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Mon May 10, 2021 3:30 pm

I've tried changing the mangle as you told me, I can't ping from any pc, either directly to the 3011 or from the netgear.
rule_mangle(1).rsc
 
sindy
Forum Guru
Posts: 7281
Joined: Mon Dec 04, 2017 9:19 pm

Re: WAN over VLAN

Mon May 10, 2021 3:42 pm

What does /ip firewall address-list export look like, and what does the sniffing as suggested above show?
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Mon May 10, 2021 3:52 pm

"What does /ip firewall address-list export look like, and what does the sniffing as suggested above show?"
I cannot add wan2-100 to the bridge, nor can I add it to the interface list, I can use wireshark on the port for sniffing.
 
sindy
Forum Guru
Posts: 7281
Joined: Mon Dec 04, 2017 9:19 pm

Re: WAN over VLAN

Mon May 10, 2021 4:00 pm

If you have in mind adding wan2-100 as a member port of a bridge, it's correct that you cannot add it. wan2-100 is a VLAN interface whose tagged end is attached to the bridge, so making its tagless end a member port of the same bridge would create a loop, hence it is good it is not possible. Your previous configuration export shows that everything is correct in this regard.

Regarding making wan2-100 a member of an interface list instead of ether10 - if it is not possible to replace the interface on the row, just first add another row (list=WAN, interface=wan2-100) and then remove (or just disable) the one with (list=WAN, interface=ether10). But again, this has nothing to do with the pinging of 192.168.9.1.

Wireshark will only show the situation on a single interface, so you'll see that ping requests are leaving the PC and nothing comes back; that's clear even without Wireshark. Sniffing on the 3011 the way I've suggested above shows you the whole path of the packet through the router, which is what we need.
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Mon May 10, 2021 4:01 pm

In the interface list I succeeded,
interface_list.png
eth10 remains in the bridge
 
sindy
Forum Guru
Posts: 7281
Joined: Mon Dec 04, 2017 9:19 pm

Re: WAN over VLAN

Mon May 10, 2021 4:02 pm

"eth10 remains in the bridge"
That's correct.
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Mon May 10, 2021 4:13 pm

sniff.png
 
sindy
Forum Guru
Posts: 7281
Joined: Mon Dec 04, 2017 9:19 pm

Re: WAN over VLAN

Mon May 10, 2021 4:51 pm

Ah, hw=yes strikes again...

Please set hardware acceleration to no under /interface bridge port for ether10 and for the port to which you connect the PC, and try again. When hw=yes, some packets do not get captured on the Ethernet interface. I keep forgetting about that.

In any case, your sniff only shows pings sent by the 3011 itself once every 30 s, nothing from the PC, so it seems the pings didn't make it to the 3011... can the PC ping e.g. 8.8.8.8?

If yes, running Wireshark directly at the PC might help after all.
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Mon May 10, 2021 5:05 pm

sniff.png
 
sindy
Forum Guru
Posts: 7281
Joined: Mon Dec 04, 2017 9:19 pm

Re: WAN over VLAN

Mon May 10, 2021 5:15 pm

OK, still the same - the 3011 pings the LTE from wan2-100 and gets a response every 30 s, except that now with hw=no you can see also the ping request to leave tagged via ether10, not just the response to come in through there. So everything is fine regarding the VLAN setup.

As the ping requests from the PC aren't visible, it's not the 3011 that doesn't let them through or diverts them to a wrong out-interface, there must be something wrong already at the PC itself.

Could it be that the PC has multiple Ethernet or wireless ports, or that some VPN is running on it?

Can you ping 192.168.9.2 (the 3011's own address in 192.168.9.0/24) from the PC?
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Mon May 10, 2021 5:25 pm

Yes, and pings at 8.8.8 also work
f@ff:~$ ping 192.168.9.2
PING 192.168.9.2 (192.168.9.2) 56(84) bytes of data.
64 bytes from 192.168.9.2: icmp_seq=1 ttl=64 time=0.217 ms
64 bytes from 192.168.9.2: icmp_seq=2 ttl=64 time=0.199 ms
64 bytes from 192.168.9.2: icmp_seq=3 ttl=64 time=0.168 ms
64 bytes from 192.168.9.2: icmp_seq=4 ttl=64 time=0.188 ms
^C
--- 192.168.9.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3053ms
rtt min/avg/max/mdev = 0.168/0.193/0.217/0.017 ms
 
sindy
Forum Guru
Posts: 7281
Joined: Mon Dec 04, 2017 9:19 pm

Re: WAN over VLAN

Mon May 10, 2021 5:33 pm

OK, so please show me the output of /tool sniffer quick ip-protocol=icmp ip-address=192.168.9.2 while pinging 192.168.9.2 from the PC.

And then Wireshark on the PC while pinging 192.168.9.1. It starts being crazy.
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Mon May 10, 2021 5:52 pm

sniff.png
let's continue another day, I'm not able to start the quick sniffer directly from a computer, and not even with wireshark
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Mon May 10, 2021 6:00 pm

sniff.png
from another bridge port
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Tue May 11, 2021 7:23 am

the configuration
modvlan.rsc

If I disable WAN1 the ping on 192.168.9.1 works.
sniff.png
I have RouterOS version v6.46.6 (testing) maybe upgrading to the latest one could solve it, but I've read about problems with 3011
this one below from another computer ping 192.168.9.1
sniff.png
tracepath with both connections active
f@ff:~$ tracepath 192.168.9.1
1?: [LOCALHOST] pmtu 1500
1: _gateway 0.325ms
1: _gateway 0.260ms
2: 192.168.8.1 0.846ms
3: 172.16.134.129 60.352ms
4: 172.16.134.32 51.352ms
5: 172.16.18.48 36.166ms
6: 151.6.48.213 44.220ms
7: 151.6.48.0 43.222ms
8: 151.6.0.92 47.127ms
9: no reply
10: 192.168.9.1 1.013ms reached
Resume: pmtu 1500 hops 10 back 2
f@ff:~$
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Sat May 15, 2021 3:04 am

If I disable the mangle rules that redirect to one or the other wan the pings work.
 
frank333
Member Candidate
Topic Author
Posts: 210
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: WAN over VLAN

Wed May 26, 2021 10:25 am

@sindy
I know it's a risk, for rb3011, should I try to update ROS to 48.2?
 
sindy
Forum Guru
Posts: 7281
Joined: Mon Dec 04, 2017 9:19 pm

Re: WAN over VLAN

Wed May 26, 2021 12:47 pm

Can't say right now - my life has enough dynamics these days, so I'm at long-term 6.47.9 everywhere.