Try to understandig bridges

silvioli · Sat Jul 20, 2013 3:16 pm

I try to understand RouterOS and i play around for a while with a vm in virtualbox. At this moment i try bridges. My goal is to bring two interface in one network together. For example PC1(IP:192.168.1.10) on ether1 can talk with PC2(192.168.1.20) on ether2. The bridge which i've configured with this two ports (ether1 and ether2) has the IP 192.168.1.1

Now i try to ping from PC1(192.168.1.10) the PC2(192.168.1.20) but i fail.

My question is now, is my understanding of bridges right and how i bring it to work?

Following you find my RouterOS-Config

ros code

# jul/20/2013 13:42:49 by RouterOS 6.1
#
/interface bridge
add arp=reply-only name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/ip address
add address=192.168.3.1/24 interface=ether3 network=192.168.3.0
add address=192.168.4.1/24 interface=ether4 network=192.168.4.0
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip arp
add address=192.168.1.20 interface=bridge1 mac-address=08:00:27:94:10:A3
add address=192.168.3.30 interface=ether3 mac-address=08:00:27:2D:53:38
add address=192.168.1.10 interface=bridge1 mac-address=08:00:27:32:C7:A2

PS: Excuse my bad english. My german is better

but there is no german forum for RouterOS.

Greetings
Silvio

silvioli · Wed Jul 24, 2013 1:23 pm

Nobody has a short answer for me?

soulflyhigh · Wed Jul 24, 2013 3:24 pm

/interface bridge
add arp=reply-only name=bridge1

Try this instead :

/interface bridge
set bridge1 arp=enabled

silvioli · Wed Jul 24, 2013 4:21 pm

On my first try I have configured the bridge the way you've written but the ping is also failed.

By my understanding this setting will only create the arp-entries dynamicly.
I've created the Entries manually for better security because by this way I have the control which mac can recieve packets.

Is the bridge for my goal the right way to configure on RouterOS a single network on more than one interface or is there another option (without VLAN)?

Greetings
Silvio

janisk · Wed Jul 24, 2013 4:33 pm

on one host each ethernet interface represents one Ethernet subnet. Each subnet should have separate IP network assigned to it as broadcast packets are sent over in one ethernet subnet. If you want to expand ethernet subnet and as the result connects more hosts to it you can use switches, hubs or use a bridge that basically is switch software implementation.

In your case you have done everything correctly by adding bridge and ports to it. As the result hosts on ethernet networks that where on ports added to bridge now are on same broadcast area (ethernet network)

Please note that all of this is OSI layer2. ARP is somewhere between Layer2 and Layer3.

silvioli · Wed Jul 24, 2013 6:00 pm

Ok, but in this case I dont understand why it not work.

A Ping from 192.168.1.10 to the Bridge-Default-Gateway 192.168.1.1 gets an answer but a ping from the other pc2 192.168.1.20 to the same Gateway will fail. Both pc's have a Default-Gateway 192.168.1.1 configured. A Bridge with arp=enabled adds dynamicly the right mac's of both Hosts to the arp-table.

Can be the virtualization the reason?

Without the Bridge and with two Networks (pc1 in 192.168.1.0 and pc2 in 192.168.2.0) it works fine.

Rudios · Wed Jul 24, 2013 9:14 pm

Local PC firewall or the firewall on the routerboard?

silvioli · Thu Jul 25, 2013 10:15 am

Both firewalls on PC's and RB are deaktivated. So i think that this can not be the problem.
Otherwise the Ping will also get no answer from the PC to the Default-Gateway or reverse.

Hint: I configured the RB only like i posted in my first post in this thread.
That means no firewall, all hosts have static arp-entries (all mac are right) and the test-lab includes a x86-VM-RouterOS 6 with 2 XP (SP2)-VM Clients (without local Firewall) and static Network-Configuration.

It's also funny that the first booted XP-Client can ping the Default-Geateway but not the second. So if pc1 the first, the pc can ping the gateway and pc2 can not. however pc2 ist the first ready booted, this pc2 can ping the gateway and pc1 can not.

I'm a little bit confused about the behavior.

Following i add the arp and route output. The layer 2 communication seems to work because the arp entries of both clients will be added dynamicly.

ros code

/ip route print

# jul/25/2013  9:57: 5 by RouterOS 6.1
# Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit

#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
0 ADC  192.168.1.0/24     192.168.1.1     bridge1                   0
1 ADC  192.168.3.0/24     192.168.3.1     ether3                    0
2 ADC  192.168.4.0/24     192.168.4.1     ether4                    0

ros code

/ip arp print

# jul/25/2013  9:56:56 by RouterOS 6.1
# Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published

#   ADDRESS         MAC-ADDRESS       INTERFACE
0 D 192.168.1.20    08:00:27:94:10:A3 bridge1
1 D 192.168.1.10    08:00:27:32:C7:A2 bridge1

Greetings
Silvio

janisk · Thu Jul 25, 2013 11:15 am

check settings for other interface in your VM. Check if IP addresses do not have some typo in the network mask, broadcast address etc. Check VM network settings for other interface, maybe interface settings are somehow different.

silvioli · Thu Jul 25, 2013 11:51 am

Checked!

For me it seems to be correctly.

batch code

PC1>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

batch code

PC2>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

batch code

PC1>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Request timed out.

PC1>arp -a

Interface: 192.168.1.10 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.1.1           08-00-27-a7-ac-6a     dynamic
  192.168.1.20          00-00-00-00-00-00     invalid

batch code

PC2>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64

PC2>arp -a

Interface: 192.168.1.20 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.1.1           08-00-27-a7-ac-6a     dynamic
  192.168.1.10          08-00-27-32-c7-a2     dynamic

The arp-entry of pc2 on the pc1 is invald. Does anybody knows why?
As you can see in my other post is that the arp-table on the RouterOS is correctly.

As i said, the communication between pc1 and pc2 is possible with the configuration without bridges and 2 networks on the same lab-conditions.