simonefil
newbie
Topic Author
Posts: 42
Joined: Tue Apr 13, 2021 9:22 pm
Location: Bergamo - Italy

Connect devices in different VLANs

Thu May 27, 2021 1:05 pm

Good morning everyone.
I have a configuration with an untagged LAN and several VLANs, all on bridge1.
My configuration is this:
/interface bridge
add arp=proxy-arp comment="LAN untagged + VLAN" name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether9 ] comment=ISP2
set [ find default-name=ether10 ] comment=ISP1
/interface vlan
add comment="vlan Gra." interface=bridge1 name=vlan100 vlan-id=100
add comment="vlan service" interface=bridge1 name=vlan200 vlan-id=200
add arp=proxy-arp comment="vlan Simone" interface=bridge1 name=vlan300 vlan-id=300
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.3.101-192.168.3.149
add name=dhcp_pool1 ranges=192.168.1.100-192.168.1.200
add name=dhcp_pool2 ranges=192.168.2.100-192.168.2.200
add name=dhcp_pool3 ranges=192.168.5.100-192.168.5.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp-master
add address-pool=dhcp_pool1 disabled=no interface=vlan100 name=dhcp-graziano
add address-pool=dhcp_pool2 disabled=no interface=vlan200 name=dhcp-service
add address-pool=dhcp_pool3 disabled=no interface=vlan300 name=dhcp-simone
/ppp profile
add bridge=bridge1 bridge-learning=yes local-address=192.168.3.75 name="ovpn profile"
add change-tcp-mss=yes name="ISP1 profile"
/interface pppoe-client
add add-default-route=yes comment="PppoE ISP1" default-route-distance=10 disabled=no interface=ether10 name=pppoe-out1 password=*********** profile="ISP1 profile" user=*************
/ip settings
set allow-fast-path=no
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1,ether2,ether3,ether4,ether5 vlan-ids=300
add bridge=bridge1 tagged=bridge1,ether1,ether2,ether3,ether4,ether5 vlan-ids=100,200
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes port=1190
/ip address
add address=192.168.3.75/24 interface=bridge1 network=192.168.3.0
add address=192.168.1.1/24 interface=vlan100 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan200 network=192.168.2.0
add address=192.168.5.1/24 interface=vlan300 network=192.168.5.0
add address=192.168.4.1/24 interface=bridge1 network=192.168.4.0
/ip dhcp-client
add default-route-distance=20 disabled=no interface=ether9
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.3.75
add address=192.168.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.5.1
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade ISP1" out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="Masquerade ISP2" out-interface=ether9
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=!192.168.3.75 src-address=192.168.3.0/24
Thanks to proxy ARP, from the untagged LAN I can reach the devices in the VLANs, and from the VLANs I can reach the devices in the untagged LAN.
But when I try to access a device in another VLAN from one VLAN, the request times out. I honestly can't understand why.
Can anyone kindly help me solve this problem of mine?
Thank you very much
Simone
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connect devices in different VLANs

Thu May 27, 2021 2:07 pm

When you bother to post a complete config I will bother to comment.
 
simonefil
newbie
Topic Author
Posts: 42
Joined: Tue Apr 13, 2021 9:22 pm
Location: Bergamo - Italy

Re: Connect devices in different VLANs

Thu May 27, 2021 4:33 pm

When you bother to post a complete config I will bother to comment.
I apologize. I thought I'd make your job easier by removing the uninteresting parts.
This is the complete code:
[simone@Byte Solutions Routerboard] > export
# may/27/2021 15:24:37 by RouterOS 6.48.2
# software id = **********
#
# model = RouterBOARD 3011UiAS
# serial number = ************
/interface bridge
add arp=proxy-arp comment="LAN untagged + VLAN" name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether9 ] comment=FASTWEB
set [ find default-name=ether10 ] comment=EOLO
/interface vlan
add comment="vlan Graziano WiFi" interface=bridge1 name=vlan100 vlan-id=100
add comment="vlan service" interface=bridge1 name=vlan200 vlan-id=200
add arp=proxy-arp comment="vlan Simone" interface=bridge1 name=vlan300 vlan-id=300
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.3.101-192.168.3.149,192.168.3.201-192.168.3.249
add name=dhcp_pool1 ranges=192.168.1.100-192.168.1.200
add name=dhcp_pool2 ranges=192.168.2.100-192.168.2.200
add name=dhcp_pool3 ranges=192.168.5.100-192.168.5.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp-master
add address-pool=dhcp_pool1 disabled=no interface=vlan100 name=dhcp-graziano
add address-pool=dhcp_pool2 disabled=no interface=vlan200 name=dhcp-service
add address-pool=dhcp_pool3 disabled=no interface=vlan300 name=dhcp-simone
/ppp profile
add bridge=bridge1 bridge-learning=yes local-address=192.168.3.75 name="ovpn profile"
add change-tcp-mss=yes name="EOLO profile"
/interface pppoe-client
add add-default-route=yes comment="PppoE EOLO" default-route-distance=10 disabled=no interface=ether10 name=pppoe-out1 password=******* profile="EOLO profile" user=******
/queue tree
add limit-at=15M max-limit=30M name="Total Download" parent=bridge1
add limit-at=1M max-limit=1M name="SIP connection down" packet-mark="SIP packet" parent="Total Download" priority=1
add limit-at=1M max-limit=1M name="RTP connection down" packet-mark="RTP packet" parent="Total Download" priority=1
add name="Other traffic down" packet-mark=no-mark parent="Total Download"
add limit-at=1500k max-limit=3M name="Total Upload" parent=pppoe-out1
add limit-at=1M max-limit=1M name="SIP connection up" parent="Total Upload" priority=1
add limit-at=1M max-limit=1M name="RTP connection up" packet-mark="RTP packet" parent="Total Upload" priority=1
add name="Other traffic up" packet-mark=no-mark parent="Total Upload"
/queue type
add kind=pcq name=voip_download pcq-classifier=dst-address pcq-rate=128k
add kind=pcq name=voip_upload pcq-classifier=src-address pcq-rate=128k
/interface bridge port
add bridge=bridge1 interface=ether1 multicast-router=disabled
add bridge=bridge1 interface=ether2 multicast-router=disabled
add bridge=bridge1 interface=ether3 multicast-router=disabled
add bridge=bridge1 interface=ether4 multicast-router=disabled
add bridge=bridge1 interface=ether5 multicast-router=disabled
/ip settings
set allow-fast-path=no
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1,ether2,ether3,ether4,ether5 vlan-ids=300
add bridge=bridge1 tagged=bridge1,ether1,ether2,ether3,ether4,ether5 vlan-ids=100,200
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes port=1190
/ip address
add address=192.168.3.75/24 interface=bridge1 network=192.168.3.0
add address=192.168.1.1/24 interface=vlan100 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan200 network=192.168.2.0
add address=192.168.5.1/24 interface=vlan300 network=192.168.5.0
add address=192.168.4.1/24 interface=bridge1 network=192.168.4.0
/ip dhcp-client
add default-route-distance=20 disabled=no interface=ether9
/ip dhcp-server lease
add address=192.168.3.149 client-id=1:c:38:*****mac-address=0C:38******* server=dhcp-master
add address=192.168.3.123 mac-address=7C:2F:****** server=dhcp-master
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.3.75
add address=192.168.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.5.1
/ip firewall address-list
add address=*********** list="Winbox Access"
add address=192.168.3.0/24 list="Winbox Access"
add address=192.168.5.0/24 list="Winbox Access"
add address=************ list="3CX Byte Solutions Server"
add address=************ list="Backup 3CX FTP"
add address=************ list="Backup 3CX FTP"
/ip firewall filter
add action=drop chain=output comment="drop OpenDNS1 su WAN2" dst-address=208.67.222.222 out-interface=ether9
add action=drop chain=output comment="drop OpenDNS2 su WAN1" dst-address=208.67.220.220 out-interface=pppoe-out1
add action=drop chain=input comment="Regola Drop accesso WinBox" dst-port=8291 protocol=tcp src-address-list="!Winbox Access"
/ip firewall mangle
add action=mark-connection chain=forward comment="SIP connection Mark" dst-address-list="3CX Byte Solutions Server" dst-port=5060 new-connection-mark="SIP 3cx conn" passthrough=\
    yes protocol=udp
add action=mark-packet chain=forward comment="SIP packet Mark" connection-mark="SIP 3cx conn" new-packet-mark="SIP packet" passthrough=yes
add action=mark-connection chain=output comment="OpenDNS1 mark" dst-address=208.67.222.222 new-connection-mark=wan1-check passthrough=yes
add action=mark-connection chain=output comment="OpenDNS2 Mark" dst-address=208.67.220.220 new-connection-mark=wan2-check passthrough=yes
add action=mark-routing chain=prerouting comment="OpenDNS1 routing" connection-mark=wan1-check new-routing-mark=to_wan1 passthrough=no
add action=mark-routing chain=prerouting comment="OpenDNS2 routing" connection-mark=wan2-check new-routing-mark=to_wan2 passthrough=no
add action=mark-connection chain=forward comment="RTP connection Mark" new-connection-mark="RTP connection" passthrough=yes protocol=udp src-port=9000-10999
add action=mark-packet chain=forward comment="RTP packet Mark" connection-mark="RTP connection" new-packet-mark="RTP packet" passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade EOLO" out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="Masquerade Fastweb" out-interface=ether9
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=!192.168.3.75 src-address=192.168.3.0/24
add action=dst-nat chain=dstnat comment="FTP Port" dst-port=21 in-interface=pppoe-out1 protocol=tcp src-address-list="Backup 3CX FTP" to-addresses=192.168.3.173 to-ports=21
add action=dst-nat chain=dstnat comment="NAS Management WAN" dst-address-type="" dst-port=5050 hotspot="" in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.3.173 to-ports=\
    5050
add action=dst-nat chain=dstnat comment="NAS Management LAN" dst-address=192.168.3.75 dst-address-type=local dst-port=5050 protocol=tcp to-addresses=192.168.3.173 to-ports=5050
add action=dst-nat chain=dstnat comment="hap1 Management LAN" dst-address=192.168.3.75 dst-address-type=local dst-port=85 protocol=tcp to-addresses=192.168.3.53 to-ports=85
add action=dst-nat chain=dstnat comment="VPN Port" dst-port=1194 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.3.173 to-ports=1194
add action=dst-nat chain=dstnat comment="SIP port Citofono" dst-port=5064 in-interface=pppoe-out1 protocol=udp src-address=********* to-addresses=192.168.3.33 to-ports=5064
add action=dst-nat chain=dstnat comment="SIP port Telefono Fanvil" dst-port=5060 in-interface=pppoe-out1 protocol=udp src-address=************ to-addresses=192.168.3.149 \
    to-ports=5060
add action=dst-nat chain=dstnat comment="SIP port Base DECT" dst-port=5066 in-interface=pppoe-out1 protocol=udp src-address=********* to-addresses=192.168.3.123 to-ports=5066
add action=dst-nat chain=dstnat comment="hap1 Management WAN" dst-port=85 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.3.53 to-ports=85
/ip firewall service-port
set sip ports=5060,5061,5064,5066 sip-timeout=2s
/ip route
add comment="Rotta OpenDNS2 per WAN Error" distance=1 dst-address=208.67.220.220/32 gateway=192.168.78.1
add comment="Rotta OpenDNS1 per WAN Error" distance=1 dst-address=208.67.222.222/32 gateway=pppoe-out1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd
set backlight-timeout=never default-screen=interfaces
/lcd interface pages
set 0 interfaces=ether10
/ppp secret
add comment="Password: **********" name=hap01 password=*********** profile="ovpn profile" remote-address=192.168.3.53 routes=192.168.3.0/24 service=ovpn
/system clock
set time-zone-name=Europe/Rome
/system identity
set name="Byte Solutions Routerboard"
/tool e-mail
set address=smtp.gmail.com from="Byte Solutions Routerboard" password=************* port=587 start-tls=yes user=************@gmail.com
/tool netwatch
add down-script=":log error \"WAN1 Link is down\"; /tool e-mail send to=\"***********@gmail.com\" subject=\"WAN1 Link is down at \$[/system clock get time]\" from=\"\$[/system identit\
    y get name] \"" host=208.67.222.222 interval=2m timeout=5s up-script=\
    ":log error \"WAN1 Link is up\"; /tool e-mail send to=\"**********@gmail.com\" subject=\"WAN1 Link is up at \$[/system clock get time]\" from=\"\$[/system identity get name] \""
add down-script=":log error \"WAN2 Link is down\"; /tool e-mail send to=\"*********@gmail.com\" subject=\"WAN2 Link is down at \$[/system clock get time]\" from=\"\$[/system identit\
    y get name] \"" host=208.67.220.220 interval=2m timeout=5s up-script=\
    ":log error \"WAN2 Link is up\"; /tool e-mail send to=\"**********@gmail.com\" subject=\"WAN2 Link is up at \$[/system clock get time]\" from=\"\$[/system identity get name] \""

 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connect devices in different VLANs

Fri May 28, 2021 3:55 am

(1) This makes no sense to me..........
/ip pool
add name=dhcp_pool0 ranges=192.168.3.101-192.168.3.149,1 92.168.3.201-192.168.3.249

As for the rest, I cannot make heads or tails of your config: why use proxy ARP, and why have the bridge give out addresses?
It seems like layers of complexity for no reason.

Why not simply use vlans for all subnets and then the bridge does nothing but bridging, much cleaner.
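An added example of the layout anav suggests, written for this thread and not code posted by anav or shipped by MikroTik: the untagged LAN is moved into its own VLAN so that every subnet sits on a VLAN interface and bridge1 does nothing but bridge. VLAN ID 3 and the interface name vlan3 are assumed values; any unused ID works. Untagged frames arriving on ether1-ether5 are classified into VLAN 3 by the port pvid, while the tagged VLANs 100/200/300 from the export stay as they are.

```routeros
# Added example, not from the thread: move the untagged LAN into VLAN 3
# (assumed ID) so bridge1 only bridges and every subnet is a VLAN interface.
# Untagged ingress on the access ports gets the port's pvid.
/interface bridge port
set [ find interface=ether1 ] pvid=3
set [ find interface=ether2 ] pvid=3
set [ find interface=ether3 ] pvid=3
set [ find interface=ether4 ] pvid=3
set [ find interface=ether5 ] pvid=3
# VLAN 3 leaves the ports untagged and reaches the router (CPU) tagged via bridge1.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether1,ether2,ether3,ether4,ether5 vlan-ids=3
# The router-side interface for the former untagged LAN.
/interface vlan
add comment="former untagged LAN" interface=bridge1 name=vlan3 vlan-id=3
# Move the address and the DHCP server from bridge1 to vlan3; the
# 192.168.3.0/24 subnet, gateway and leases stay unchanged.
/ip address
set [ find address="192.168.3.75/24" ] interface=vlan3
/ip dhcp-server
set dhcp-master interface=vlan3
```

With this in place nothing in 192.168.3.0/24 is addressed on bridge1 itself any more, so the devices behind the UniFi access points keep their addresses while the bridge only forwards frames; inter-VLAN traffic is then routed between vlan3, vlan100, vlan200 and vlan300 like any other routed subnets. Apply it from a session in safe mode, because the management address moves interface during the change.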
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Connect devices in different VLANs

Sat May 29, 2021 4:39 pm

Given that you have no access ports to the VLANs on the 3011 itself, I infer that there is either an external switch or an external access point (or more than one) to which the devices are connected. I cannot find any explanation of what you experience in the configuration of the 3011, so I expect some issue outside it.
To check, set hw=no on all rows of /interface bridge port. Then, start pinging indefinitely 192.168.x.y in one VLAN from some device in another VLAN, make a command line window as wide as your screen allows, and run /tool sniffer quick ip-address=192.168.x.y ip-protocol=ping in that window.

If everything is correct in the Mikrotik configuration as I assume, you should see the following picture (interface, direction, VLAN ID):
(etherX, <-, NNN)
(bridge1, <-, NNN)
(vlanNNN, <-, -)
(vlanMMM, ->, -)
(bridge1, ->, MMM)
(etherY, ->, MMM)

And then, a response packet would normally take the reverse path. Of course there will be many more columns; the example contains just those needed to illustrate the idea.

So do this experiment and post the results. Depending on them, we can think of further steps.

Other than this, your firewall is basically non-existent; as you use a PPPoE client interface, I assume there is no other device acting as a firewall between the 3011 and the internet. Contrary to popular belief, NAT (masquerade) alone does not protect you from all attacks.

Other points: the arp=proxy-arp setting on bridge1 is only necessary so that devices in 192.168.3.0/24 can talk to the hAP via OpenVPN. If you gave the hAP an address that doesn't belong to 192.168.3.0/24, you wouldn't need the arp=proxy-arp setting. Also, the routes attribute of the /ppp secret row works differently than you expect: it doesn't push the routes to the client, it just tells the server to add these routes via this client to its own routing table when the client comes up.
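An added example illustrating sindy's last point, not code posted in the thread: the OpenVPN client (hap01) gets an address from a separate transfer subnet instead of 192.168.3.0/24, after which proxy ARP on bridge1 can be switched off. 192.168.100.0/24 is an assumed, otherwise unused subnet. The routes attribute is cleared because, as explained above, it only adds routes on the server towards the client, and 192.168.3.0/24 is already a connected subnet of the 3011; the two dst-nat rules from the export that point at the hAP's old address are updated to match.

```routeros
# Added example, not from the thread. 192.168.100.0/24 is an assumed
# transfer subnet for the OpenVPN tunnel; nothing else uses it.
/ppp profile
set [ find name="ovpn profile" ] local-address=192.168.100.1
/ppp secret
# remote-address outside 192.168.3.0/24, so the 3011 routes to the hAP instead
# of answering ARP for it on bridge1. routes= is cleared: 192.168.3.0/24 is a
# connected subnet here, so a route to it via the client is pointless. If the
# hAP has its own LAN behind it, that subnet is what would belong in routes=.
set hap01 remote-address=192.168.100.2 routes=""
# The published management rules follow the hAP's new address.
/ip firewall nat
set [ find comment="hap1 Management LAN" ] to-addresses=192.168.100.2
set [ find comment="hap1 Management WAN" ] to-addresses=192.168.100.2
# Proxy ARP on the bridge is no longer needed; back to the default.
/interface bridge
set bridge1 arp=enabled
```

After the client reconnects, `/ip route print` on the 3011 should show a dynamic connected route for 192.168.100.2/32 via the OpenVPN interface, and the hAP is reached from 192.168.3.0/24 and from every VLAN through normal routing rather than through ARP answered on their behalf by the bridge.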
 
simonefil
newbie
Topic Author
Posts: 42
Joined: Tue Apr 13, 2021 9:22 pm
Location: Bergamo - Italy

Re: Connect devices in different VLANs

Tue Jun 01, 2021 4:51 pm

Given that you have no access ports to the VLANs on the 3011 itself, I infer that there is either an external switch or an external access point (or more than one) to which the devices are connected. I cannot find any explanation of what you experience in the configuration of the 3011, so I expect some issue outside it.
To check, set hw=no on all rows of /interface bridge port. Then, start pinging indefinitely 192.168.x.y in one VLAN from some device in another VLAN, make a command line window as wide as your screen allows, and run /tool sniffer quick ip-address=192.168.x.y ip-protocol=ping in that window.

If everything is correct in the Mikrotik configuration as I assume, you should see the following picture (interface, direction, VLAN ID):
(etherX, <-, NNN)
(bridge1, <-, NNN)
(vlanNNN, <-, -)
(vlanMMM, ->, -)
(bridge1, ->, MMM)
(etherY, ->, MMM)

And then, a response packet would normally take the reverse path. Of course there will be many more columns; the example contains just those needed to illustrate the idea.

So do this experiment and post the results. Depending on them, we can think of further steps.

Other than this, your firewall is basically non-existent; as you use a PPPoE client interface, I assume there is no other device acting as a firewall between the 3011 and the internet. Contrary to popular belief, NAT (masquerade) alone does not protect you from all attacks.

Other points: the arp=proxy-arp setting on bridge1 is only necessary so that devices in 192.168.3.0/24 can talk to the hAP via OpenVPN. If you gave the hAP an address that doesn't belong to 192.168.3.0/24, you wouldn't need the arp=proxy-arp setting. Also, the routes attribute of the /ppp secret row works differently than you expect: it doesn't push the routes to the client, it just tells the server to add these routes via this client to its own routing table when the client comes up.
Yes, that's right. I have three UniFi access points that broadcast different SSIDs, each assigned a different VLAN.
I removed the check on "Hardware Offload" and issued the packet sniffer command, but the result is totally different from what you showed me.
/tool sniffer quick ip-address=192.168.5.163 ip-protocol=ping

[simone@Byte Solutions Routerboard] > /tool 

.. -- go up to root
bandwidth-server -- Bandwidth tester service
bandwidth-test -- Run bandwidth test to remote router
dns-update -- Dynamic DNS update
e-mail -- 
fetch -- 
flood-ping -- Send a lot of ICMP Echo packets and wait for response
graphing -- System resource and traffic graphing
ip-scan -- 
mac-scan -- Scan for MAC addresses
mac-server -- MAC Telnet Server
mac-telnet -- MAC Telnet Client
netwatch -- Network watching tool
ping-speed -- The ICMP bandwidth test
profile -- 
romon -- 
sms -- 
sniffer -- Packet sniffering
snmp-get -- 
snmp-walk -- 
speed-test -- 
torch -- Realtime traffic monitor
traceroute -- Trace route to host
traffic-generator -- 
traffic-monitor -- The traffic monitor tool
wol -- 
export -- Print or save an export script that can be used to restore configuration


I used proxy ARP because otherwise I can't reach the web interface of hap1 from the other devices in the LAN.
In this regard, using proxy ARP I can reach hap1 from subnet 192.168.3.0/24, but I can't reach it from any of the VLANs.
I created a "hap1 Management WAN" NAT rule (you can find the rule in the export in my previous answer), but it doesn't work, while all the other NAT rules work. I don't understand why.

Thanks for your help
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connect devices in different VLANs

Tue Jun 01, 2021 6:42 pm

I still think the setup is overly complex, but without a network diagram showing what equipment is used and what subnets are at play, it's difficult to guess and make suggestions.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Connect devices in different VLANs

Tue Jun 01, 2021 7:01 pm

Do things "Berbenne" (properly): is there an orphan IP?
(orphan IP?)
/ip address
add address=192.168.4.1/24 interface=bridge1 network=192.168.4.0
 
simonefil
newbie
Topic Author
Posts: 42
Joined: Tue Apr 13, 2021 9:22 pm
Location: Bergamo - Italy

Re: Connect devices in different VLANs

Tue Jun 01, 2021 8:28 pm

Do things "Berbenne" (properly): is there an orphan IP?
(orphan IP?)
/ip address
add address=192.168.4.1/24 interface=bridge1 network=192.168.4.0
Yes, you are right: the orphan IP belonged to subnet 192.168.4.0/24, which is no longer used and was deleted. I have now removed the orphan IP as well.
 
simonefil
newbie
Topic Author
Posts: 42
Joined: Tue Apr 13, 2021 9:22 pm
Location: Bergamo - Italy

Re: Connect devices in different VLANs

Thu Jun 03, 2021 4:21 pm

Given that you have no access ports to the VLANs on the 3011 itself, I infer that there is either an external switch or an external access point (or more than one) to which the devices are connected. I cannot find any explanation of what you experience in the configuration of the 3011, so I expect some issue outside it.
To check, set hw=no on all rows of /interface bridge port. Then, start pinging indefinitely 192.168.x.y in one VLAN from some device in another VLAN, make a command line window as wide as your screen allows, and run /tool sniffer quick ip-address=192.168.x.y ip-protocol=ping in that window.

If everything is correct in the Mikrotik configuration as I assume, you should see the following picture (interface, direction, VLAN ID):
(etherX, <-, NNN)
(bridge1, <-, NNN)
(vlanNNN, <-, -)
(vlanMMM, ->, -)
(bridge1, ->, MMM)
(etherY, ->, MMM)

And then, a response packet would normally take the reverse path. Of course there will be many more columns; the example contains just those needed to illustrate the idea.

So do this experiment and post the results. Depending on them, we can think of further steps.

Other than this, your firewall is basically non-existent; as you use a PPPoE client interface, I assume there is no other device acting as a firewall between the 3011 and the internet. Contrary to popular belief, NAT (masquerade) alone does not protect you from all attacks.

Other points: the arp=proxy-arp setting on bridge1 is only necessary so that devices in 192.168.3.0/24 can talk to the hAP via OpenVPN. If you gave the hAP an address that doesn't belong to 192.168.3.0/24, you wouldn't need the arp=proxy-arp setting. Also, the routes attribute of the /ppp secret row works differently than you expect: it doesn't push the routes to the client, it just tells the server to add these routes via this client to its own routing table when the client comes up.
One more thing. In your message you talk about a non-existent firewall, since masquerade does not protect against all attacks.
What advice can you give me for the firewall?
Thank you
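The question above is not answered in the thread. As an added example, not a ruleset posted by any participant, here is a minimal stateful filter in the style of MikroTik's default firewall, fitted to the interface names in the export: pppoe-out1 and ether9 as WAN, bridge1 and the three VLAN interfaces as LAN. The interface lists WAN and LAN are names introduced for the example. The rules are appended after the three filter rules already in the export, so the existing Winbox drop rule on port 8291 still runs before the LAN accept in the input chain.

```routeros
# Added example, not from the thread: stateful firewall for the 3011 export
# above, modelled on the MikroTik default ruleset. WAN/LAN are assumed
# interface-list names.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=pppoe-out1 list=WAN
add interface=ether9 list=WAN
add interface=bridge1 list=LAN
add interface=vlan100 list=LAN
add interface=vlan200 list=LAN
add interface=vlan300 list=LAN
/ip firewall filter
# input chain: traffic to the router itself
add chain=input action=accept connection-state=established,related,untracked comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept protocol=tcp dst-port=1190 in-interface-list=WAN comment="OpenVPN server on 1190/tcp"
add chain=input action=accept in-interface-list=LAN comment="LAN and VLANs may manage the router"
add chain=input action=drop comment="drop everything else aimed at the router"
# forward chain: traffic routed through the router
add chain=forward action=accept connection-state=established,related,untracked comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN to internet"
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN comment="published services (dst-nat rules)"
add chain=forward action=drop in-interface-list=WAN comment="drop all other traffic from WAN"
```

Traffic between the VLANs and the untagged LAN matches none of the forward drop rules and falls through to the chain's default accept, so the inter-VLAN reachability this thread is about is unaffected; only unsolicited connections from the two WAN interfaces are dropped, and the existing dst-nat rules (FTP, NAS, VPN, SIP) keep working through the connection-nat-state=dstnat rule. Check the result with `/ip firewall filter print stats` while connecting from outside: the counters on the two final drop rules should climb, the ones on the accept rules should not.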
