Qnap TS-328 unreachable in LAN but accessible via web

Tamarael · Fri Jan 21, 2022 8:18 pm

Hey guys,
Newbie here with a newbie issue.
I am sure I am missing something on my config that is causing me to not be able to ping/connect/see my Qnap NAS while using a CRS326-24G2s+RM bridged to a HexS.
my setup is the following:

ISP--------->HexS------->CRS----->LAN
on the LAN I have my PC and NAS on the same subnet 192.168.88.0/24
I followed the wiki setup and I can ping pretty much all my devices but the NAS
I also want to mention that i have a Pi hole running on 192.168.1.70 that is connected directly to the ISP router.

Below is my current config.
Any help you can provide, is much appreciated.

# jan/21/2022 18:13:13 by RouterOS 6.49.2
# software id = 
#
# model = RB760iGS
# serial number = 
/interface bridge
add name=local
/interface ethernet
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface list
add name=listBridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.100
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=local name=dhcp1
/interface bridge port
add bridge=local interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/interface list member
add interface=local list=listBridge
/ip address
add address=192.168.88.1/24 interface=local network=192.168.88.0
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.100 client-id=1:4:d9:f5:84:67:5a mac-address=\
    04:D9:F5:84:67:5A server=dhcp1
add address=192.168.88.99 client-id=1:2c:c8:1b:6:4f:bb mac-address=\
    2C:C8:1B:06:4F:BB server=dhcp1
add address=192.168.88.97 client-id=1:dc:a6:32:1c:7:24 mac-address=\
    DC:A6:32:1C:07:24 server=dhcp1
add address=192.168.88.95 client-id=1:84:a9:38:b7:b4:e mac-address=\
    84:A9:38:B7:B4:0E server=dhcp1
add address=192.168.88.94 client-id=1:24:5e:be:20:e9:f6 mac-address=\
    24:5E:BE:20:E9:F6 server=dhcp1
add address=192.168.88.98 client-id=1:b8:27:eb:2:53:9f mac-address=\
    B8:27:EB:02:53:9F server=dhcp1
add address=192.168.88.96 client-id=1:b8:27:eb:9e:ee:b8 mac-address=\
    B8:27:EB:9E:EE:B8 server=dhcp1
add address=192.168.88.92 client-id=1:e8:65:d4:dc:f9:88 mac-address=\
    E8:65:D4:DC:F9:88 server=dhcp1
add address=192.168.88.91 mac-address=6C:AD:F8:D4:C5:4A server=dhcp1
add address=192.168.88.90 mac-address=1C:F2:9A:67:CE:6A server=dhcp1
add address=192.168.88.85 client-id=1:50:ed:3c:58:46:76 mac-address=\
    50:ED:3C:58:46:76 server=dhcp1
add address=192.168.88.83 client-id=1:b8:27:eb:be:9b:eb mac-address=\
    B8:27:EB:BE:9B:EB server=dhcp1
add address=192.168.88.82 client-id=1:e8:65:d4:dc:f9:80 mac-address=\
    E8:65:D4:DC:F9:80 server=dhcp1
add address=192.168.88.80 client-id=1:0:e:c6:a3:cd:9c comment=MiBox \
    mac-address=00:0E:C6:A3:CD:9C server=dhcp1
add address=192.168.88.79 client-id=1:24:5e:be:20:e9:f7 mac-address=\
    24:5E:BE:20:E9:F7 server=dhcp1
add address=192.168.88.78 client-id=1:48:ba:4e:68:4f:d0 mac-address=\
    48:BA:4E:68:4F:D0 server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.1.70 gateway=192.168.88.1
/ip dns
set servers=192.168.1.70
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 \
    protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=ether1 \
    port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=ether1 port=22 \
    protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=\
    ether1
add action=fasttrack-connection chain=forward comment=\
    "fast-track for established, related" connection-state=\
    established,related
add action=accept chain=forward comment="accept established, related" \
    connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=\
    "drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat in-interface=ether1 port=3389 protocol=tcp \
    to-addresses=192.168.88.97
/ip proxy
set port=80
/ip proxy access
add action=deny dst-host=*.baidu.*
add action=deny dst-host=*.qq.*
add action=deny dst-host=*.taobao.*
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.88.0/24
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Lisbon
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge

Sob · Mon Jan 24, 2022 12:04 am

It's not here, communication between different 192.168.88.x devices should not go to HEX S at all.

Tamarael · Mon Jan 24, 2022 2:59 am

Ok, so you mean I should check the CRS??

Sob · Mon Jan 24, 2022 3:11 am

Yes. And NAS too, make sure everything is configured correctly.

Tamarael · Mon Jan 24, 2022 9:44 am

Yes. And NAS too, make sure everything is configured correctly.

You see, this is my problem, to me, it is. I have been unable to find the source of the issue, I have set the CRS to "Bridge all ports" where in my understanding would work as a "dumb" switch with the HexS doing all the work.
Would you please be able to help me understand what I am missing then?

Sob · Mon Jan 24, 2022 7:03 pm

Try to post CRS's config. And since you mentioned dumb switch, if you have one, it can be used for simple test. Disconnect both PC and NAS from CRS and connect them to dumb switch. If they can communicate, their config is fine and problem is with CRS. If they can't, then CRS is most likely innocent.

Tamarael · Mon Jan 24, 2022 7:19 pm

Thanks for help Sob,
Well, I have tried your suggestion, and it works fine, that is how i set it up before the CRS.
Here is the code:

# jan/24/2022 17:15:51 by RouterOS 6.49.2
# software id = 
#
# model = CRS326-24G-2S+
# serial number = 
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
/ip address
add address=192.168.88.99/24 disabled=yes interface=ether2 network=\
    192.168.88.0
/ip dhcp-client
add disabled=no interface=bridge1
/ip dns
set servers=192.168.88.1
/system clock
set time-zone-name=Europe/Lisbon
/system identity
set name=MikroTik-Switch
/system routerboard settings
set boot-os=router-os

Sob · Mon Jan 24, 2022 8:04 pm

Hmm, that's also just like dumb switch, all ports bridged and nothing to filter any traffic. For the lack of better ideas, keep the ping running and check interfaces (where PC and NAS are connected) using Tools->Torch, to see what's going on there.

Tamarael · Tue Jan 25, 2022 3:21 am

Ok, so I tested that and here are the results:
While the pings to the device 192.168.88.96 were responded and none failed, as you can see in the image below, there are no packets being sent to this device:
https://1drv.ms/u/s!Ag82xGhEC3LRhYACvvC ... A?e=QLUY10
Same when it fails, ether 15 is where the NAS is and ether 2 is my pc:
https://1drv.ms/u/s!Ag82xGhEC3LRhYADPTg ... w?e=Gh5hx3

Interestingly enough, I can access the NAS via WEB.

Sob · Tue Jan 25, 2022 5:06 am

Well, not seeing packets can be because of hardware offload. I thought that using Torch is supposed to deal with that, but maybe not. As a test, try to set those two bridge ports as hw=no (Hardware Offload checkbox in WinBox). But it's really weird why some traffic would work and some not.

Tamarael · Tue Jan 25, 2022 8:01 pm

Could not find where I setup the offloading, sorry

Tamarael · Tue Jan 25, 2022 9:25 pm

Could not find where I setup the offloading, sorry

I found a post online about this, and if my understanding is correct, the offloading is "ON", right?

[admin@MikroTik-Switch] > /interface bridge port print 
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                        BRIDGE                        HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H ether1                           bridge1                       yes    1     0x80         10                 10       none
 1   H ether2                           bridge1                       yes    1     0x80         10                 10       none
 2   H ether3                           bridge1                       yes    1     0x80         10                 10       none
 3   H ether4                           bridge1                       yes    1     0x80         10                 10       none
 4 I H ether5                           bridge1                       yes    1     0x80         10                 10       none
 5 I H ether6                           bridge1                       yes    1     0x80         10                 10       none
 6   H ether7                           bridge1                       yes    1     0x80         10                 10       none
 7   H ether8                           bridge1                       yes    1     0x80         10                 10       none
 8   H ether9                           bridge1                       yes    1     0x80         10                 10       none
 9   H ether10                          bridge1                       yes    1     0x80         10                 10       none
10   H ether11                          bridge1                       yes    1     0x80         10                 10       none
11 I H ether12                          bridge1                       yes    1     0x80         10                 10       none
12 I H ether13                          bridge1                       yes    1     0x80         10                 10       none
13 I H ether14                          bridge1                       yes    1     0x80         10                 10       none
14   H ether15                          bridge1                       yes    1     0x80         10                 10       none
15 I H ether16                          bridge1                       yes    1     0x80         10                 10       none
16 I H ether17                          bridge1                       yes    1     0x80         10                 10       none
17 I H ether18                          bridge1                       yes    1     0x80         10                 10       none
18 I H ether19                          bridge1                       yes    1     0x80         10                 10       none
19 I H ether20                          bridge1                       yes    1     0x80         10                 10       none
20 I H ether21                          bridge1                       yes    1     0x80         10                 10       none
21 I H ether22                          bridge1                       yes    1     0x80         10                 10       none
22 I H ether23                          bridge1                       yes    1     0x80         10                 10       none
23 I H ether24                          bridge1                       yes    1     0x80         10                 10       none
24 I H sfp-sfpplus1                     bridge1                       yes    1     0x80         10                 10       none
25 I H sfp-sfpplus2                     bridge1                       yes    1     0x80         10                 10       none
[admin@MikroTik-Switch] >

Sob · Tue Jan 25, 2022 11:30 pm

Yes, it's the HW column. And it's configured in Bridge->Ports, properties of individual ports, Hardware Offload checkbox.

Tamarael · Wed Jan 26, 2022 1:33 am

OK, so I unchecked it and now I can see the requests.
It times out and I don't know how to interpret what I currently see there. I was able to confirm the requests are leaving my pc and reaching the NAS but from the NAS I can only see one ICMP request being sent to my PC.

Sob · Wed Jan 26, 2022 1:51 am

And with another dumb switch (just plug cables elsewhere and don't touch anything else) it works. Hmm. I'm afraid I'm running out of sensible ideas (so no magic, ghosts, space aliens, ...).

Tamarael · Wed Jan 26, 2022 1:56 am

I am thinking of removing the HexS from the network and setting up the CRS as the only "router" and seeing if it works

Sob · Wed Jan 26, 2022 2:13 am

You can try, but I don't see why it should help. Current config on CRS is as simple as it can be, just all ports bridged and that's it. Ok, you can make it even simpler by removing everything from "/interface list" (including "/interface list member"), because that's currently not needed, but it's also not used, so it's not breaking anything. Even if you change CRS into router, you'll still have LAN consisting of the same bridge you have now, and nothing will change for packets flowing between devices connected to ports of this bridge.

Tamarael · Wed Jan 26, 2022 2:41 am

How can i remove it?

Sob · Wed Jan 26, 2022 2:47 am

Go to Interfaces->Interface List, there you have members that you can select and delete (with minus button). To access and possibly delete lists themselves, there's Lists button. But it won't change anything.

2frogs · Wed Jan 26, 2022 3:45 am

I would suggest looking on the QNAP/ Control Panel -> Security and be sure your local IP is not being blocked.

Tamarael · Wed Jan 26, 2022 10:28 am

Go to Interfaces->Interface List, there you have members that you can select and delete (with minus button). To access and possibly delete lists themselves, there's Lists button. But it won't change anything.

Cleared, thanks

Tamarael · Wed Jan 26, 2022 10:41 am

I would suggest looking on the QNAP/ Control Panel -> Security and be sure your local IP is not being blocked.

Checked, nothing there, thanks for the suggestion though.

Tamarael · Sat Jan 29, 2022 10:29 pm

Found the reason for this: the QNAP Firewall was blocking it. Now, I turned the firewall off as it is behind the HexS firewall.
Thanks for the tips and help so far.

Sob · Sat Jan 29, 2022 11:44 pm

It doesn't really explain how it could have worked with different switch.

Qnap TS-328 unreachable in LAN but accessible via web

Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Re: Qnap TS-328 unreachable in LAN but accessible via web

Who is online