Community discussions

MikroTik App
 
DragonQ
just joined
Topic Author
Posts: 20
Joined: Tue Apr 13, 2021 1:44 pm

CRS328 - can't ping device, packet sniffer shows no ICMP packets

Sat Jun 12, 2021 1:30 pm

I have my CRS328 configured with most ports on a bridge, including a trunk port (ether4) for a bunch of VLANs that connects to my EdgeRouter-X (including VIDs 311 and 312). Overview:

Device A = ether21 access port with VID=311, 192.168.3.17/29, works fine, can ping and see web interface from laptop on different VLAN & subnet.
Device B = ether3 access port with VID=312, 192.168.3.25/29, does not respond to pings at all.

The configuration of the VLANs on the EdgeRouter look correct: both set as VIDs on the trunk port, both assigned to same firewall rules, both have correct IP ranges and router IPs. The configuration for the two VLANs and two access ports on the Mikrotik CRS328 are simple and look identical.

I'm trying to debug why nothing can ping Device B, not even the switch itself. If I unplug the problematic Device B and hook it up to my PC directly (changing my PC's static IP and subnet, e.g. to 192.168.3.26/29), I can ping it fine, so the device itself is working and its IP is correct. Using tcpdump on the EdgeRouter-X shows ping packets being sent to the correct IP, so I think the problem is with the switch. I've tried using packet sniffer to show me all ICMP packets across ALL interfaces and it doesn't show any packets when I ping device A or B! I don't understand this since device A is actually responding to pings - perhaps my understanding of the packet sniffer is wrong or my configuration is messed up somehow? Exported switch config is below:
# jun/12/2021 11:25:01 by RouterOS 6.47.10
# software id = J06U-P53W
#
# model = CRS328-24P-4S+
# serial number = 
/interface ethernet set [ find default-name=ether1 ] comment="Switch management"
/interface ethernet set [ find default-name=ether6 ] disabled=yes
/interface ethernet set [ find default-name=ether7 ] disabled=yes
/interface ethernet set [ find default-name=ether8 ] disabled=yes
/interface ethernet set [ find default-name=ether9 ] disabled=yes
/interface ethernet set [ find default-name=ether10 ] disabled=yes
/interface ethernet set [ find default-name=ether12 ] disabled=yes
/interface ethernet set [ find default-name=ether14 ] disabled=yes
/interface ethernet set [ find default-name=ether16 ] disabled=yes
/interface ethernet set [ find default-name=ether17 ] disabled=yes
/interface ethernet set [ find default-name=sfp-sfpplus4 ] disabled=yes
/interface bridge add admin-mac=xx:xx:xx:xx:xx:01 auto-mac=no name=bridge1 protocol-mode=none vlan-filtering=yes
/interface vlan add interface=ether1 name=MGMT_LOCAL vlan-id=399
/interface vlan add interface=bridge1 name=MGMT_VLAN vlan-id=399
/interface list add name=MGMT
/interface bridge port add bridge=bridge1 comment=Fractal frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus1 pvid=100
/interface bridge port add bridge=bridge1 comment="Backup NAS" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus2 pvid=100
/interface bridge port add bridge=bridge1 comment="Dragonzord 10G" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus3 pvid=100
/interface bridge port add bridge=bridge1 comment="TV Switch" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether13 pvid=100
/interface bridge port add bridge=bridge1 comment="Dragonzord 1G" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether18 pvid=100
/interface bridge port add bridge=bridge1 comment=S5 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether19 pvid=100
/interface bridge port add bridge=bridge1 comment="Backup NAS" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether22 pvid=100
/interface bridge port add bridge=bridge1 comment="E's desktop" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether23 pvid=100
/interface bridge port add bridge=bridge1 comment="Xbox 360" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether11 pvid=213
/interface bridge port add bridge=bridge1 comment="Lounge TV" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether15 pvid=211
/interface bridge port add bridge=bridge1 comment="E's work laptop" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether20 pvid=212
/interface bridge port add bridge=bridge1 comment="Modem management" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=312
/interface bridge port add bridge=bridge1 comment=Printer frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether21 pvid=311
/interface bridge port add bridge=bridge1 comment="Router trunk - LAN" frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
/interface bridge port add bridge=bridge1 comment="Router trunk - IoT/NoT" frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4
/interface bridge port add bridge=bridge1 comment="Switch management ON BRIDGE TEMP" frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5
/interface bridge port add bridge=bridge1 comment="WiFi AP 1 trunk" ingress-filtering=yes interface=ether24 pvid=100
/ip neighbor discovery-settings set discover-interface-list=MGMT
/interface bridge vlan add bridge=bridge1 comment=LAN tagged=ether2 vlan-ids=100
/interface bridge vlan add bridge=bridge1 comment="IoT/NoT WiFi" tagged=ether4,ether24 vlan-ids=200,300
/interface bridge vlan add bridge=bridge1 comment="Switch management" tagged=bridge1,ether5,ether4 vlan-ids=399
/interface bridge vlan add bridge=bridge1 comment="IoT - TVs" tagged=ether4 vlan-ids=211
/interface bridge vlan add bridge=bridge1 comment="NoT - Printers" tagged=ether4 vlan-ids=311
/interface bridge vlan add bridge=bridge1 comment="NoT - Modem" tagged=ether4 vlan-ids=312
/interface list member add interface=MGMT_VLAN list=MGMT
/interface list member add interface=MGMT_LOCAL list=MGMT
/ip address add address=192.168.3.1/28 interface=MGMT_VLAN network=192.168.3.0
/ip address add address=192.168.39.1/28 interface=MGMT_LOCAL network=192.168.39.0
/ip cloud set update-time=no
/ip route add distance=1 gateway=192.168.3.14
/ip ssh set strong-crypto=yes
/system clock set time-zone-name=Europe/London
/system identity set name=switch
/system ntp client set enabled=yes primary-ntp=192.168.1.89
/system routerboard settings set boot-os=router-os
/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool sniffer set file-name=flash/new.cap filter-interface=all filter-ip-protocol=icmp memory-limit=1000KiB
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: CRS328 - can't ping device, packet sniffer shows no ICMP packets

Sat Jun 12, 2021 2:02 pm

To use packet sniffer on CRS you need to disable HW offload for the port of interest.

Otherwise I don't see anything wrong with config.

In some rare cases some devices misbehaved even though config seemed right. Some cleansing action was needed, you might want to try one of these (you can try all from #1 forward and stop as soon as device starts to behave):
  1. power off CRS (disconnect power supply) and leave it unpowered for some minutes
  2. if #1 doesn't help, export configuration using /export file=anynameyouwish, save exported file off CRA, reset to factory default and import config back
  3. netinstall the device and import config created as in #2
 
DragonQ
just joined
Topic Author
Posts: 20
Joined: Tue Apr 13, 2021 1:44 pm

Re: CRS328 - can't ping device, packet sniffer shows no ICMP packets

Sat Jun 12, 2021 3:27 pm

To use packet sniffer on CRS you need to disable HW offload for the port of interest.
Thanks for the tip. I can now see the difference between Device A (top) and B (bottom, note I'm using ether6 now just for testing stuff):

Ping sniffer.png
It looks like the ping packet is being sent to the device but the device isn't responding. I'll try the power cycle and also refreshing the config but otherwise I'm not sure what else I can do except conclude that the device doesn't like the switch for some reason (given it works fine connected directly to my desktop). The only packets I can see coming from device B are ARP packets. :(
You do not have the required permissions to view the files attached to this post.
 
DragonQ
just joined
Topic Author
Posts: 20
Joined: Tue Apr 13, 2021 1:44 pm

Re: CRS328 - can't ping device, packet sniffer shows no ICMP packets

Sun Jun 13, 2021 11:04 am

If I move device B to the same VLAN & subnet as the switch itself (399, 192.168.3.2/28), the switch can ping the device but still nothing else can. Every other device can ping the switch though, so the routing tables must be correct. If I move device B to the LAN network (VID 100, 192.168.1.10/24), I can ping it fine from my laptop. I can't ping it from the switch but that's by design. I think I'll just have to conclude that the device doesn't like being on any subnet other than 192.168.1.0/24 (or possibly other 192.168.1.x subnets). Rather annoying but better than nothing.

EDIT: Turns out device B didn't like being on a different subnet to the pinging device because it has no option to set a default gateway. I've added a masquerade rule for its IP address on my router and now it works fine in the management VLAN. :)

Who is online

Users browsing this forum: ItchyAnkle, menyarito and 97 guests