cjgvandiemen
just joined
Topic Author
Posts: 2
Joined: Wed May 11, 2022 3:55 pm

VLAN/Subnet issue - unable to do network scan and ping

Wed May 11, 2022 4:11 pm

All,

I'm running a CRS125 as my main router (with some other Mikrotik devices connected). Configuration done by tutorials and perseverance as I'm not too much of an expert.

Just made my first steps in setting up VLANs to improve security of my network (mostly for separating IoT-like devices from my main network).
As most devices that are to be placed in a separate VLAN connect via WiFi, I started with adding the VLAN tag (10) based on MAC address using the access control list of Capsman.
Addresses (192.168.77.0/24) and DHCP are setup and clients get the proper IP address. Isolating them from my main network works with added IP firewall rules.

Problem is that whenever multiple clients are in the VLAN (10) and IP subnet (192.168.77.0/24), they cannot 'see' each other. When performing a network scan from one of those clients, no other devices (besides the device that runs the scan and the gateway) show up. This poses a problem as some of the configuration apps of my IoT devices seem to do a network scan to find connected/available devices (these now don't show up even though I can see that they're connected to the network). Also pinging within the VLAN's subnet doesn't work. If I do this on my non-VLAN'ed main network, both scan and ping work as expected.

Strange thing is that when I use the IP scan tool from my CRS125 (on the VLAN and 192.168.77.0/24 subnet), all connected devices do show up. So it seems an issue with a restriction that is applied on my client?!

I can really use some help to get this sorted. Attached a hide-sensitive, non-verbose export of my config.
# may/11/2022 15:03:39 by RouterOS 6.45.3
# software id = 1SJ8-589Z
#
# model = CRS125-24G-1S-2HnD
# serial number = 49C604879977
/caps-man channel
add band=2ghz-b/g/n frequency=2412 name=CH1
add band=2ghz-b/g/n frequency=2417 name=CH2
add band=2ghz-b/g/n frequency=2422 name=CH3
add band=2ghz-b/g/n frequency=2427 name=CH4
add band=2ghz-b/g/n frequency=2432 name=CH5
add band=2ghz-b/g/n frequency=2437 name=CH6
add band=2ghz-b/g/n frequency=2442 name=CH7
add band=2ghz-b/g/n frequency=2447 name=CH8
add band=2ghz-b/g/n frequency=2452 name=CH9
add band=2ghz-b/g/n frequency=2457 name=CH10
add band=2ghz-b/g/n frequency=2462 name=CH11
add band=2ghz-b/g/n frequency=2467 name=CH12
add band=2ghz-b/g/n frequency=2472 name=CH13
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=XX \
    frequency=5180 name=CH36
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=XXXX \
    frequency=5200 name=CH40
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5220 name=CH44
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5240 name=CH48
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=XX \
    frequency=5260 name=CH52 skip-dfs-channels=no
add band=5ghz-a/n/ac control-channel-width=40mhz-turbo frequency=5270 name=\
    CH54
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5550 name=CH100
/interface bridge
add admin-mac=4C:5E:0C:90:9B:0A auto-mac=no comment=defconf name=bridge
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(14dBm), SSID: vandiemen_mt, local forwarding
set [ find default-name=wlan1 ] antenna-gain=6 band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country=netherlands disabled=no distance=indoors frequency=\
    auto frequency-mode=regulatory-domain installation=indoor mode=ap-bridge \
    ssid=MikroTik-909B22 wireless-protocol=802.11
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
/caps-man security
add authentication-types=wpa2-psk name=vandiemen_mt_security
add authentication-types=wpa2-psk name=vandiemen_guest_security
/caps-man configuration
add channel=CH1 country=netherlands datapath.bridge=bridge \
    datapath.client-to-client-forwarding=no datapath.local-forwarding=yes \
    installation=indoor name=vandiemen_config_2_ch1 security=\
    vandiemen_mt_security ssid=vandiemen_mt
add channel=CH6 country=netherlands datapath.bridge=bridge \
    datapath.client-to-client-forwarding=no datapath.local-forwarding=yes \
    installation=indoor name=vandiemen_config_ch6 security=\
    vandiemen_mt_security ssid=vandiemen_mt
add channel=CH11 country=netherlands datapath.bridge=bridge \
    datapath.client-to-client-forwarding=no datapath.local-forwarding=yes \
    installation=indoor name=vandiemen_config_ch11 security=\
    vandiemen_mt_security ssid=vandiemen_mt
add channel=CH40 channel.band=5ghz-a/n/ac channel.control-channel-width=20mhz \
    channel.extension-channel=XXXX country=netherlands datapath.bridge=bridge \
    datapath.local-forwarding=yes installation=any name=\
    vandiemen_config_5_ch36 security=vandiemen_mt_security ssid=vandiemen_mt5
add channel=CH40 channel.band=5ghz-a/n/ac channel.control-channel-width=20mhz \
    channel.extension-channel=XXXX country=netherlands datapath.bridge=bridge \
    datapath.vlan-id=20 datapath.vlan-mode=use-tag installation=any name=\
    vandiemen_guest_config_5_ch40 security=vandiemen_guest_security ssid=\
    vandiemen_mt5_guest
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.99
add name=infra ranges=192.168.88.1-192.168.88.9
add name=static ranges=192.168.88.100-192.168.88.254
add name=dhcp_pool5 ranges=192.168.99.2-192.168.99.254
add name=dhcp_pool6 ranges=192.68.88.2-192.68.88.254
add name=dhcp_pool7 ranges=192.67.88.2-192.67.88.254
add name=dhcp_pool8 ranges=192.168.77.2-192.168.77.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool7 disabled=no interface=vlan20 name=dhcp2
add address-pool=dhcp_pool8 disabled=no interface=vlan10 name=dhcp1
/caps-man access-list
add allow-signal-out-of-range=10s comment="Appliance" disabled=no \
    mac-address=68:A4:0E:40:23:5F signal-range=-120..120 ssid-regexp="" time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=10 vlan-mode=use-tag
add allow-signal-out-of-range=10s comment="Appliance" disabled=no \
    mac-address=68:A4:0E:34:9C:6C signal-range=-120..120 ssid-regexp="" time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=10 vlan-mode=use-tag
add allow-signal-out-of-range=10s comment="Appliance" disabled=no \
    mac-address=68:A4:0E:34:A3:65 signal-range=-120..120 ssid-regexp="" time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=10 vlan-mode=use-tag
add allow-signal-out-of-range=10s comment="Intelligent light" disabled=no \
    mac-address=30:AE:A4:24:F5:B0 signal-range=-120..120 ssid-regexp="" time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=10 vlan-mode=use-tag
add allow-signal-out-of-range=10s comment="Voice Assistant" disabled=no \
    mac-address=00:FC:8B:7D:01:02 signal-range=-120..120 ssid-regexp="" time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=10 vlan-mode=use-tag
add allow-signal-out-of-range=10s comment="Audio streamer" disabled=no \
    mac-address=00:22:6C:E7:F8:63 signal-range=-120..120 ssid-regexp="" time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=10 vlan-mode=use-tag
add allow-signal-out-of-range=10s comment="Audio streamer" disabled=no \
    mac-address=00:22:6C:2F:62:5A signal-range=-120..120 ssid-regexp="" time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=10 vlan-mode=use-tag
add allow-signal-out-of-range=10s disabled=no mac-address=F0:A3:5A:63:F3:43 \
    signal-range=-120..120 ssid-regexp="" time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-id=10 vlan-mode=use-tag
/caps-man manager
set enabled=yes
/caps-man manager interface
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=vandiemen_config_2_ch1 \
    name-format=identity radio-mac=4C:5E:0C:90:9B:22
add action=create-dynamic-enabled master-configuration=vandiemen_config_ch6 \
    name-format=identity radio-mac=6C:3B:6B:F2:AA:C7
add action=create-dynamic-enabled master-configuration=vandiemen_config_ch11 \
    name-format=identity radio-mac=B8:69:F4:86:60:51
add action=create-dynamic-enabled hw-supported-modes=a,an,ac \
    master-configuration=vandiemen_config_5_ch36 name-format=identity \
    radio-mac=08:55:31:8D:70:A7 slave-configurations=\
    vandiemen_guest_config_5_ch40
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireless cap
# 
set bridge=bridge caps-man-addresses=127.0.0.1 discovery-interfaces=bridge \
    enabled=yes interfaces=wlan1
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.77.1/24 comment="Wireless VLAN10" interface=vlan10 \
    network=192.168.77.0
add address=192.67.88.1/24 interface=vlan20 network=192.67.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server lease
add address=192.168.88.201 client-id=1:b8:27:eb:8b:86:13 comment=\
    "Home server" mac-address=B8:27:EB:8B:86:13 server=defconf
add address=192.168.88.2 client-id=1:6c:3b:6b:f2:aa:bd comment=\
    "MikroTik RB2011" mac-address=6C:3B:6B:F2:AA:BD server=defconf
add address=192.168.88.3 client-id=1:b8:69:f4:86:60:50 comment=\
    "MikroTik CAP lite" mac-address=B8:69:F4:86:60:50 server=defconf
add address=192.168.88.9 client-id=1:b8:27:eb:99:5a:f3 comment=\
    "PI hole" mac-address=B8:27:EB:99:5A:F3 server=defconf
add address=192.168.88.202 comment="Light appliance" mac-address=24:0A:C4:11:0D:18 \
    server=defconf
add address=192.168.88.209 comment="Tradfri gateway" mac-address=\
    D4:4D:A4:36:D3:91 server=defconf
add address=192.168.88.102 client-id=1:84:fc:ac:6:63:25 mac-address=\
    84:FC:AC:06:63:25 server=defconf
add address=192.168.88.208 client-id=1:c8:db:26:c:90:98 comment="Harmony Hub" \
    mac-address=C8:DB:26:0C:90:98 server=defconf
add address=192.168.88.103 client-id=1:f2:1b:d6:4d:92:6e mac-address=\
    F2:1B:D6:4D:92:6E server=defconf
add address=192.168.88.213 client-id=1:94:db:56:e3:11:7d comment=\
    "DN1080" mac-address=94:DB:56:E3:11:7D server=defconf
add address=192.168.88.4 client-id=1:8:55:31:8d:70:a4 mac-address=\
    08:55:31:8D:70:A4 server=defconf
add address=192.168.88.104 client-id=1:7e:d0:35:4:1c:17 mac-address=\
    7E:D0:35:04:1C:17 server=defconf
add address=192.168.88.105 client-id=1:84:ab:1a:7d:32:28 mac-address=\
    EA:FB:FC:55:40:28 server=defconf
add address=192.168.88.101 client-id=1:fa:91:b6:76:28:8a mac-address=\
    FA:91:B6:76:28:8A server=defconf
add address=192.168.88.100 client-id=1:f0:a3:5a:63:f3:43 mac-address=\
    F0:A3:5A:63:F3:43 server=defconf
/ip dhcp-server network
add address=192.168.77.0/24 gateway=192.168.77.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.9,8.8.8.8 \
    gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.77.0/24 list=vlan10
add address=192.168.88.0/24 list=network
add address=192.67.88.0/24 list=vlan20
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-address-type=local src-address-type=local
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment=\
    "Block traffic to internal network from VLAN10" dst-address-list=network \
    src-address-list=vlan10
add action=drop chain=forward dst-address-list=network src-address-list=\
    vlan20
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment=\
    "Block incoming traffic to router from VLAN10" src-address-list=vlan10
add action=drop chain=input src-address-list=vlan20
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name="MikroTik CRS125"
/system logging
add topics=caps
/system scheduler
add interval=1d name=capsman_disable on-event=capsman_disable policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/13/2022 start-time=00:00:00
add interval=1d name=capsman_enable on-event=capsman_enable policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/14/2022 start-time=06:30:00
/system script
add dont-require-permissions=no name=capsman_disable owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "caps-man manager set enabled=no"
add dont-require-permissions=no name=capsman_enable owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "caps-man manager set enabled=yes"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=all filter-ip-address=\
    192.168.88.210/32,192.168.88.211/32,192.168.88.212/32 filter-ip-protocol=\
    tcp streaming-enabled=yes streaming-server=192.168.88.15
cjgvandiemen
just joined
Topic Author
Posts: 2
Joined: Wed May 11, 2022 3:55 pm

Re: VLAN/Subnet issue - unable to do network scan and ping

Thu May 12, 2022 2:54 pm

Doing some more searching I found the 'multicast helper' option in the CAPsMAN configuration. Turning this to 'full' for all my configurations seems to do the trick.
What still puzzles me is why I didn't have any issues with the non-VLAN-tagged clients (and subnet), as the CAPsMAN configuration for both is the same.
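As an added example (not the poster's configuration or any MikroTik tooling), a small Python audit that parses a RouterOS export in the shape posted above and reports, per CAPsMAN configuration, the two datapath settings that decide whether clients in one VLAN can discover each other: the multicast helper the second post turned to 'full', and client-to-client forwarding, which the posted 2.4 GHz configurations set to no. The sample export, the configuration names and the finding strings are constructed for this example.

```python
import shlex

# Constructed sample (not the poster's full export): a trimmed RouterOS export
# in the same shape, with trailing-backslash continuations and quoted values.
SAMPLE_EXPORT = r"""
/caps-man configuration
add channel=CH1 country=netherlands datapath.bridge=bridge \
    datapath.client-to-client-forwarding=no datapath.local-forwarding=yes \
    installation=indoor name=cfg_2_ch1 security=sec ssid=home
add channel=CH40 datapath.bridge=bridge datapath.multicast-helper=full \
    datapath.vlan-id=20 datapath.vlan-mode=use-tag name=\
    guest_5_ch40 security=guest_sec ssid=home5_guest
/caps-man access-list
add comment="Voice Assistant" mac-address=00:FC:8B:7D:01:02 ssid-regexp="" \
    vlan-id=10 vlan-mode=use-tag
"""

def parse_export(text):
    """Return {section: [{key: value, ...}, ...]} from a RouterOS export."""
    sections, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip() if pending else raw.rstrip()  # drop continuation indent
        if line.endswith("\\"):          # logical line continues on the next line
            pending += line[:-1]
            continue
        stripped, pending = (pending + line).strip(), ""
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("/"):     # e.g. "/caps-man configuration"
            section = stripped
            sections.setdefault(section, [])
            continue
        tokens = shlex.split(stripped)   # comment="Voice Assistant" stays one token
        entry = {"_cmd": tokens[0]}
        # key=value pairs only; bare tokens such as "[", "find", "]" are skipped
        entry.update(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        sections.setdefault(section, []).append(entry)
    return sections

def audit_capsman(sections):
    """Per CAPsMAN configuration, flag datapath settings that stop clients in
    the same VLAN from discovering each other (the symptom in the thread)."""
    findings = []
    for cfg in sections.get("/caps-man configuration", []):
        name = cfg.get("name", "?")
        if cfg.get("datapath.client-to-client-forwarding") == "no":
            findings.append((name, "client-to-client forwarding disabled"))
        if cfg.get("datapath.multicast-helper", "default") != "full":
            findings.append((name, "multicast-helper is not 'full'"))
    return findings
```

Run `audit_capsman(parse_export(open("export.rsc").read()))` against a real `/export` to get the list of configurations still worth reviewing.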
