https://i.imgur.com/sQFvmZj.png
From PC1 (192.168.9.253) I cannot ping vlan gateway 192.168.9.1 on RB4011iGS+ and vlan ip 192.168.9.2 on HAP AC. Also, all three of these IP addresses cannot ping each other (RB4011iGS+ cannot ping 192.168.9.2 or 192.168.9.253, HAP AC cannot ping 192.168.9.1 or 192.168.9.253).
I disabled firewall completely, but yet no success. I have masquerade going out from internet interface (eth1 on RB4011iGS+). I see that some broadcast traffic is going through the trunk, but PC1 does not even get MAC addresses of 192.168.9.1 and 192.168.9.2 in ARP table.
RB4011iGS+ config:
Code: Select all
# nov/15/2018 13:15:25 by RouterOS 6.43.4
# software id = WP4U-Z565
#
# model = RB4011iGS+
# serial number = 968A09187F4C
/interface bridge
add admin-mac=B8:69:F4:92:25:57 auto-mac=no comment=defconf name=br1-lan pvid=11 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1598
set [ find default-name=ether2 ] l2mtu=1598
set [ find default-name=ether3 ] l2mtu=1598
set [ find default-name=ether4 ] l2mtu=1598
set [ find default-name=ether5 ] l2mtu=1598
set [ find default-name=ether6 ] l2mtu=1598
set [ find default-name=ether7 ] l2mtu=1598
set [ find default-name=ether8 ] l2mtu=1598
set [ find default-name=ether9 ] l2mtu=1598
set [ find default-name=ether10 ] l2mtu=1598
/interface vlan
add interface=ether10 name=vlan1-lan vlan-id=11
add interface=ether10 name=vlan2-guest vlan-id=22
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp-lan ranges=192.168.9.50-192.168.9.254
add name=dhcp-guest ranges=192.168.13.50-192.168.13.254
/ip dhcp-server
add address-pool=dhcp-lan disabled=no interface=br1-lan name=defconf
add address-pool=dhcp-guest disabled=no name=dhcp-guest
/interface bridge port
add bridge=br1-lan comment=defconf interface=ether2
add bridge=br1-lan comment=defconf interface=ether3
add bridge=br1-lan comment=defconf interface=ether4
add bridge=br1-lan comment=defconf interface=ether5
add bridge=br1-lan comment=defconf interface=ether6 pvid=11
add bridge=br1-lan comment=defconf interface=ether7
add bridge=br1-lan comment=defconf interface=ether8
add bridge=br1-lan comment=defconf interface=ether9
add bridge=br1-lan comment=defconf interface=ether10
add bridge=br1-lan comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=br1-lan tagged=ether10 vlan-ids=11
add bridge=br1-lan tagged=ether10 vlan-ids=22
/interface list member
add comment=defconf interface=br1-lan list=LAN
add comment=defconf interface=ether1 list=WAN
add list=LAN
/ip address
add address=192.168.9.1/24 comment=defconf interface=br1-lan network=192.168.9.0
add address=192.168.100.2/24 interface=ether1 network=192.168.100.0
add address=192.168.13.1/24 interface=vlan2-guest network=192.168.13.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.9.0/24 comment=defconf gateway=192.168.9.1 netmask=24
add address=192.168.13.0/24 gateway=192.168.13.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.9.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=netmap chain=dstnat dst-port=3484 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=3306
add action=netmap chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.9.6 to-ports=3389
add action=masquerade chain=srcnat dst-port=80 protocol=tcp src-address=192.168.9.0/24
add action=netmap chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=80
add action=netmap chain=dstnat dst-port=21 in-interface=ether1 protocol=tcp to-addresses=192.168.9.4 to-ports=21
/ip route
add distance=1 gateway=192.168.100.1
/ip traffic-flow
set cache-entries=32k enabled=yes interfaces=br1-lan
/ip traffic-flow target
add dst-address=192.168.9.4 version=5
/system clock
set time-zone-name=Europe/Moscow
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether10
Code: Select all
# nov/15/2018 13:09:47 by RouterOS 6.43.2
# software id = R9TC-1I4K
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 6737065A9A5D
/interface bridge
add admin-mac=6C:3B:6B:11:EB:C1 auto-mac=no comment=defconf name=bridge pvid=11 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC7 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-11EBC6 wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan1-lan vlan-id=11
add interface=ether1 name=vlan2-guest vlan-id=22
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=1620290162 wpa2-pre-shared-key=1620290162
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile supplicant-identity=MikroTik wpa-pre-shared-key=1620290162 wpa2-pre-shared-key=1620290162
/interface wireless
add disabled=no mac-address=6E:3B:6B:11:EB:C6 master-interface=wlan2 name=wlan5 security-profile=profile ssid=alch19
add disabled=no mac-address=6E:3B:6B:11:EB:C7 master-interface=wlan1 name=wlan6 security-profile=profile ssid=alch19
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge filter
add action=drop chain=forward disabled=yes in-interface=wlan5
add action=drop chain=forward disabled=yes out-interface=wlan5
add action=drop chain=forward disabled=yes in-interface=wlan6
add action=drop chain=forward disabled=yes out-interface=wlan6
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3 pvid=22
add bridge=bridge comment=defconf interface=ether4 pvid=11
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether1 pvid=11
add bridge=bridge interface=wlan5
add bridge=bridge interface=wlan6
/interface bridge vlan
add bridge=bridge tagged=ether1 vlan-ids=11
add bridge=bridge tagged=ether1 vlan-ids=22
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp1 list=WAN
/ip address
add address=192.168.9.2/24 comment=defconf interface=bridge network=192.168.9.0
add address=192.168.14.2/24 interface=sfp1 network=192.168.14.0
add address=192.168.13.2/24 network=192.168.13.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=sfp1
/ip dhcp-server network
add address=192.168.9.0/24 comment=defconf gateway=192.168.9.2 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.9.2 name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.14.1
/system clock
set time-zone-name=Europe/Moscow
/system routerboard settings
set silent-boot=no
/tool sniffer
set filter-interface=ether1 filter-ip-address=!192.168.13.2/32