Matt77
just joined
Topic Author
Posts: 5
Joined: Thu Nov 30, 2023 10:26 am

Unintentionally isolated ethernet ports on RB5009

Thu Nov 30, 2023 10:58 am

I installed an RB5009UPr+S+ running CAPsMAN and a cAP ac RBcAPGi-5acD2nD as access point. I run DHCP from the RB5009UPr+S+.
Access to the internet over WLAN and LAN is working without any issues. However, I am not able to connect to devices inside the LAN that are connected to the Ethernet ports of the RB5009UPr+S+. It is not possible to ping or make any connection from one port of the RB5009UPr+S+ to any other port within the same bridge. However, I can ping devices connected to the WLANs of the RBcAPGi-5acD2nD, and I can also ping the devices if I use an additional CSS610-8G-2S+IN. I would like to use the ports on the RB5009 just like an internal switch.
So my conclusion is that the ports are isolated from each other by default in RouterOS. What are the settings to allow communication between all ports of a bridge? In my case that's all except ETH1.
Here a part of the export:
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.77.1/24 comment=defconf interface=bridge network=\
    192.168.77.0
Any input is welcome. Yes, I searched first but couldn't find a simple solution.
 
anav
Forum Guru
Posts: 20081
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unintentionally isolated ethernet ports on RB5009

Thu Nov 30, 2023 5:38 pm

You clearly know where the problem lies, by NOT including your full config.
 
Matt77
just joined
Topic Author
Posts: 5
Joined: Thu Nov 30, 2023 10:26 am

Re: Unintentionally isolated ethernet ports on RB5009

Thu Nov 30, 2023 8:05 pm

Well I was looking at the bridge configuration.
Here you are
[admin@MikroTik] > export
# 2023-11-30 18:53:35 by RouterOS 7.12.1
# software id = NNNN-NNNN
#
# model = RB5009UPr+S+
# serial number = XXXXXXXXXX
/interface bridge
add admin-mac=78:9A:18:70:00:6C auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
set [ find default-name=ether2 ] poe-out=off
set [ find default-name=ether3 ] poe-out=off
/caps-man datapath
add bridge=bridge local-forwarding=yes name="datapath TeamNet"
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
    securityTeamNet
/caps-man configuration
add country=switzerland datapath="datapath TeamNet" distance=indoors \
    hw-retries=0 installation=indoor load-balancing-group="" mode=ap name=\
    TeamNet security=securityTeamNet ssid=TeamNet
/caps-man interface
add configuration=TeamNet disabled=no mac-address=00:00:00:00:00:00 \
    master-interface=none name=cap1 radio-mac=00:00:00:00:00:00 radio-name=""
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.77.100-192.168.77.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/caps-man access-list
add allow-signal-out-of-range=10s disabled=no ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=TeamNet
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.77.1/24 comment=defconf interface=bridge network=\
    192.168.77.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.77.23 client-id=1:24:5e:be:68:2c:7b comment=NAS \
    mac-address=24:5E:BE:68:2C:7B server=defconf
/ip dhcp-server network
add address=192.168.77.0/24 comment=defconf dns-server=192.168.77.1 gateway=\
    192.168.77.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.77.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip firewall raw
add action=accept chain=prerouting disabled=yes dst-address=!192.168.77.0/24 \
    src-address=!192.168.77.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Zurich
/system note
set show-at-login=no
/tool graphing interface
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] > 
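To check what the thread is debating from the export itself (are all LAN ports enabled members of one bridge, and is the raw rule on the LAN subnet actually disabled), here is an added Python example that is not part of the thread and not a MikroTik tool. It parses the RouterOS export format shown above, joining the trailing-backslash line continuations, over a constructed excerpt; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt in RouterOS export format (same shape as the thread's export, not the full file).
EXPORT = """\
/interface bridge
add admin-mac=78:9A:18:70:00:6C auto-mac=no comment=defconf name=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip address
add address=192.168.77.1/24 comment=defconf interface=bridge network=\\
    192.168.77.0
/ip firewall raw
add action=accept chain=prerouting disabled=yes dst-address=!192.168.77.0/24 \\
    src-address=!192.168.77.0/24
"""

def parse_export(text):
    """Return {section: [{key: value, ...}, ...]} for a RouterOS export."""
    # The export wraps long commands with a trailing '\'; glue those lines back together.
    joined = re.sub(r"\\\n\s*", "", text)
    sections, section = defaultdict(list), None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # comments such as "# model = ..."
        if line.startswith("/"):
            section = line                # e.g. "/interface bridge port"
            continue
        verb, _, rest = line.partition(" ")
        entry = {"_verb": verb}           # add / set
        # key=value tokens; quoted values (comments) may contain spaces
        for key, val in re.findall(r'(\S+?)=("[^"]*"|\S+)', rest):
            entry[key] = val.strip('"')
        sections[section].append(entry)
    return sections

def bridge_members(sections):
    """Map each bridge to its enabled member ports (disabled=yes is skipped)."""
    members = defaultdict(list)
    for e in sections.get("/interface bridge port", []):
        if e.get("disabled", "no") == "no":
            members[e["bridge"]].append(e["interface"])
    return dict(members)

def ports_share_bridge(sections, ports):
    """True when every port in `ports` is an enabled member of the same bridge."""
    return any(set(ports) <= set(m) for m in bridge_members(sections).values())

def enabled_rules_mentioning(sections, section, subnet):
    """Enabled rules in a firewall section whose src/dst address mentions `subnet`."""
    return [e for e in sections.get(section, [])
            if e.get("disabled", "no") != "yes"
            and subnet in e.get("src-address", "") + e.get("dst-address", "")]
```

For the thread's own export, `ports_share_bridge` over ether2..ether8 and sfp-sfpplus1 returns True and the raw section yields no enabled rule, which matches anav's reading that the config itself does not isolate the ports.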
 
anav
Forum Guru
Posts: 20081
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unintentionally isolated ethernet ports on RB5009

Thu Nov 30, 2023 10:11 pm

This is an unusual rule, did you invent it yourself, or watch the youtube from hell channel?? At least it's disabled.
At the moment I see no reason why users cannot see each other being all on the same subnet and visible at L2.

If there are no issues between wired users but issues between wired and wired or wired and wired issues, I would say PHUCK capsman.

/ip firewall raw
add action=accept chain=prerouting disabled=yes dst-address=!192.168.77.0/24 \
src-address=!192.168.77.0/24
 
Matt77
just joined
Topic Author
Posts: 5
Joined: Thu Nov 30, 2023 10:26 am

Re: Unintentionally isolated ethernet ports on RB5009

Thu Nov 30, 2023 11:04 pm

I invented it myself. The intention was to let all traffic from my LAN pass through the firewall. So I played around. It didn't help, so I disabled it. Now it's deleted.

What I actually want is switching all my ports on the LAN without using the firewall rules.

It seems there is a problem with address resolution. This example is a static address in the DHCP server, but I have the same outcome with dynamic addresses.
[admin@MikroTik] > ping address=192.168.77.23 interface bridge arp-ping=no count=10 
  SEQ HOST                                     SIZE TTL TIME       STATUS                   
    0 192.168.77.23                                                timeout                  
    1 192.168.77.23                                                timeout                  
    2 192.168.77.23                                                timeout                  
    3 192.168.77.23                                                timeout                  
    4 192.168.77.23                                                timeout                  
    5 192.168.77.23                                                timeout                  
    6 192.168.77.23                                                timeout                  
    7 192.168.77.23                                                timeout                  
    8 192.168.77.23                                                timeout                  
    9 192.168.77.23                                                timeout                  
    sent=10 received=0 packet-loss=100% 

[admin@MikroTik] > ping address=192.168.77.23 interface bridge arp-ping=yes count=10  
  SEQ HOST                                     SIZE TTL TIME       STATUS                   
    0 24:5E:BE:68:2C:7B                                 277us     
    1 24:5E:BE:68:2C:7B                                 296us     
    2 24:5E:BE:68:2C:7B                                 285us     
    3 24:5E:BE:68:2C:7B                                 289us     
    4 24:5E:BE:68:2C:7B                                 300us     
    5 24:5E:BE:68:2C:7B                                 286us     
    6 24:5E:BE:68:2C:7B                                 284us     
    7 24:5E:BE:68:2C:7B                                 299us     
    8 24:5E:BE:68:2C:7B                                 286us     
    9 24:5E:BE:68:2C:7B                                 284us     
    sent=10 received=10 packet-loss=0% min-rtt=277us avg-rtt=288us max-rtt=300us 

Again, pinging devices connected by WLAN just works fine:
[admin@MikroTik] > ping address=192.168.77.197 count 10                             
  SEQ HOST                                     SIZE TTL TIME       STATUS                   
    0 192.168.77.197                             56  64 5ms101us  
    1 192.168.77.197                             56  64 73ms199us 
    2 192.168.77.197                             56  64 198ms887us
    3 192.168.77.197                             56  64 107ms567us
    4 192.168.77.197                             56  64 144ms978us
    5 192.168.77.197                             56  64 8ms671us  
    6 192.168.77.197                             56  64 78ms957us 
    7 192.168.77.197                             56  64 100ms885us
    8 192.168.77.197                             56  64 131ms14us 
    9 192.168.77.197                             56  64 242ms922us
    sent=10 received=10 packet-loss=0% min-rtt=5ms101us avg-rtt=109ms218us 
   max-rtt=242ms922us 
 
anav
Forum Guru
Posts: 20081
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Unintentionally isolated ethernet ports on RB5009

Thu Nov 30, 2023 11:07 pm

Personally I don't ping other users for a living, it is of zero value to me.

Can users access the devices they need to access on the LAN and conduct work?
Or are they blocked?
It doesn't matter what port they are connected to if all ports are part of the same bridge.
All to say is so far I do not see a config issue nor understand what actual traffic user flow is being blocked???

The single LAN and bridge connects all users at layer 2. The firewalls are layer 3 constructs and cannot block users from the same LAN from seeing one another. L2 is by MAC address, L3 is by IP address.
 
Matt77
just joined
Topic Author
Posts: 5
Joined: Thu Nov 30, 2023 10:26 am

Re: Unintentionally isolated ethernet ports on RB5009

Thu Nov 30, 2023 11:46 pm

Don't worry, as I am new to MikroTik this is a test setup, and I enabled ICMP for troubleshooting.

I find it strange that the IP is in the ARP table but I cannot ping it, even from the router it is directly connected to. I can ping any device, wired or wireless, just not the ones connected directly to the RB5009.
 
Matt77
just joined
Topic Author
Posts: 5
Joined: Thu Nov 30, 2023 10:26 am

Re: Unintentionally isolated ethernet ports on RB5009

Sat Dec 02, 2023 11:29 pm

It is solved. Ping and applications with various protocols are working now.
Maybe I tried too many different things at once.
After a factory reset and restoring the backup, everything works now. I also restarted all devices on the network.
