cadei
newbie
Topic Author
Posts: 37
Joined: Mon Apr 30, 2018 12:02 pm

Problem with L2/L3 Tunnel VLAN

Fri Feb 19, 2021 2:00 pm

Hello everyone,
I configured 2 Mikrotik routers for my company:

City 1: CCR1036-12G-4S
City 2: CCR1036-8G-2S+

Both Mikrotik routers are connected with a dedicated L2/L3 fiber tunnel (NO VPN) (1 Gbps).
I do not want to pass all VLANs into the tunnel, but I want to use different network subnets (using routes), except for some VLANs.
I should use the tunnel to pass Layer 3 traffic (with static routes) and VLAN Layer 2 traffic.
Both Mikrotik routers are connected via eth3 using 2 point-to-point IPs (/30 private subnet).
I configured a Mikrotik bridge (on both sides) with eth3 and eth8 (the eth8 port carries VLAN1000, tagged from a Cisco switch, connected via a trunk port).
This configuration works well until I create a VLAN1000 interface under the bridge.
I created this interface to monitor the specific VLAN directly under the bridge.
However, if I activate the VLAN1000 interface under both bridges, the connection is intermittent and I miss packets/ICMP.
Why does this happen? As soon as I disable the VLAN1000 interface under the bridge, the connection is perfectly stable.
Regards
 
tdw
Forum Veteran
Posts: 760
Joined: Sat May 05, 2018 11:55 am

Re: Problem with L2/L3 Tunnel VLAN

Fri Feb 19, 2021 2:43 pm

It isn't clear exactly what your configuration is; posting the output of /export hide-sensitive is much more informative than a vague description. If you have multiple bridges, VLANs attached to interfaces which are members of a bridge, or VLAN interfaces as members of a bridge, it could be one of the many cases described here https://wiki.mikrotik.com/wiki/Manual:L ... figuration
 
anav
Forum Guru
Posts: 6667
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Problem with L2/L3 Tunnel VLAN

Fri Feb 19, 2021 2:48 pm

Plus a diagram would help as well.
When you say directly connected, HOW? Do you mean there is a dedicated cable between the two offices?
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
cadei
newbie
Topic Author
Posts: 37
Joined: Mon Apr 30, 2018 12:02 pm

Re: Problem with L2/L3 Tunnel VLAN

Fri Feb 19, 2021 7:53 pm

Hi all,
we have a dedicated L2 transport fiber with switched technology (1 Gbps).
I am attaching the schema and the config. At the moment the VLAN1000 interface is disabled.
Config Side A (Side B is similar with the same bridge)

Schema
https://ibb.co/5W0Zq8S
Regards
Last edited by cadei on Mon Feb 22, 2021 1:39 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 7140
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with L2/L3 Tunnel VLAN

Sat Feb 20, 2021 12:11 pm

Instead of posting the configuration on an external site with its own rules for personal data collection you have to accept, put the configuration export here inline, between [code] and [/code] tags if you don't have sufficient score to attach files here yet.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
cadei
newbie
Topic Author
Posts: 37
Joined: Mon Apr 30, 2018 12:02 pm

Re: Problem with L2/L3 Tunnel VLAN

Mon Feb 22, 2021 10:47 am

Hello everyone,
do you have any news?
Regards
 
anav
Forum Guru
Posts: 6667
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Problem with L2/L3 Tunnel VLAN

Mon Feb 22, 2021 1:25 pm

If you read the post above you would realize that you need to
/export hide-sensitive file=anynameyouwish

and then open the file in notepad++ and post it here in the thread, using the code tags above (black square with white square brackets)

No one is going to open the crap site posting you provided.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
cadei
newbie
Topic Author
Posts: 37
Joined: Mon Apr 30, 2018 12:02 pm

Re: Problem with L2/L3 Tunnel VLAN

Mon Feb 22, 2021 1:38 pm

Below is the configuration:
# feb/19/2021 14:32:21 by RouterOS 6.47.7
# software id = 2KHU-GK34
#
# model = CCR1036-12G-4S
# serial number = XXXXX
/interface bridge
add name="bridge L2 PtoP_" priority=0x4000 vlan-filtering=yes
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no fast-forward=no name=bridge_trunk
/interface ethernet
set [ find default-name=ether1 ] comment="wan 1 port" speed=100Mbps
set [ find default-name=ether2 ] comment="wan2 port" speed=100Mbps
set [ find default-name=ether3 ] comment="Link PtoP side City1" speed=\
    100Mbps
set [ find default-name=ether4 ] arp=reply-only speed=100Mbps
set [ find default-name=ether5 ] arp=reply-only speed=100Mbps
set [ find default-name=ether6 ] arp=reply-only speed=100Mbps
set [ find default-name=ether7 ] arp=reply-only speed=100Mbps
set [ find default-name=ether8 ] arp=reply-only speed=100Mbps
set [ find default-name=ether9 ] arp=reply-only speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=ether11 ] speed=100Mbps
set [ find default-name=ether12 ] comment="VIDEO PORT " speed=100Mbps
set [ find default-name=sfp1 ] advertise=1000M-full comment="AREA MEDIA"
set [ find default-name=sfp2 ] advertise=1000M-full comment="RACK SERVER"
set [ find default-name=sfp3 ] advertise=10M-full,100M-full,1000M-full
set [ find default-name=sfp4 ] advertise=10M-full,100M-full,1000M-full
/interface pptp-server
add name=pptp-in1 user=""
/interface vlan
add interface=bridge_trunk name=VLAN10-srv vlan-id=10
add arp=reply-only interface=bridge_trunk name=VLAN20-amm vlan-id=20
add arp=reply-only interface=bridge_trunk name=VLAN30-aut vlan-id=30
add arp=reply-only interface=bridge_trunk name=VLAN40-rd vlan-id=40
add arp=reply-only interface=bridge_trunk name=VLAN50-test vlan-id=50
add arp=reply-only interface=bridge_trunk name=VLAN60-dev vlan-id=60
add arp=reply-only interface=bridge_trunk name=VLAN70-guest vlan-id=70
add interface=bridge_trunk name=VLAN80-voip vlan-id=80
add arp=reply-only interface=bridge_trunk name=VLAN90-dtt vlan-id=90
add disabled=yes interface="bridge L2 PtoP_" name=VLAN1000-Video vlan-id=\
    1000
add interface=bridge_trunk name=vlan71-domo_iot vlan-id=71
/interface list
add comment="interfacce wan" name=WAN-Interfaces
add name=GUEST-Interfaces
add name=NOWINBOX_Interfaces
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1
/ip pool
add name=dhcp_pool2 ranges=10.10.20.11-10.10.20.254
add name=dhcp_pool3 ranges=10.10.30.11-10.10.30.254
add name=dhcp_pool4 ranges=10.10.40.10-10.10.40.254
add name=dhcp_pool5 ranges=10.10.50.10-10.10.50.254
add name=dhcp_pool6 ranges=10.10.60.10-10.10.60.254
add name=dhcp_pool7 ranges=172.16.0.10-172.16.0.254
add name=dhcp_pool1 ranges=10.10.0.30-10.10.0.254
add name=dhcp_pool8 ranges=192.168.0.30-192.168.0.254
add name=dhcp_poolsrv ranges=10.10.10.20-10.10.10.254
add name=dhcp_pooldtt ranges=10.10.90.10-10.10.90.254

/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool2 disabled=no interface=VLAN20-amm \
    lease-time=1d name=dhcp2-amm
add add-arp=yes address-pool=dhcp_pool3 authoritative=after-2sec-delay \
    disabled=no interface=VLAN30-aut lease-time=1d name=dhcp3-aut
add add-arp=yes address-pool=dhcp_pool4 disabled=no interface=VLAN40-rd \
    lease-time=1d name=dhcp4-rd
add add-arp=yes address-pool=dhcp_pool5 disabled=no interface=VLAN50-test \
    lease-time=1d name=dhcp5-val
add add-arp=yes address-pool=dhcp_pool6 disabled=no interface=VLAN60-dev \
    lease-time=1d name=dhcp6-dev
add address-pool=dhcp_pool1 disabled=no interface=bridge_trunk lease-time=1d \
    name=dhcp-trunk
add add-arp=yes address-pool=dhcp_pool7 disabled=no interface=VLAN70-guest \
    lease-time=1d name=dhcp7-guest
add add-arp=yes address-pool=dhcp_pool8 disabled=no interface=VLAN80-voip \
    lease-time=12h name=dhcp8
add address-pool=dhcp_poolsrv disabled=no interface=VLAN10-srv lease-time=1d \
    name=dhcp-srv
add add-arp=yes address-pool=dhcp_pooldtt disabled=no interface=VLAN90-dtt \
    lease-time=1d name=dhcp90-tech
add add-arp=yes address-pool=dhcp-pool71 always-broadcast=yes disabled=no \
    interface=vlan71-domo_iot lease-time=1d name=dhcp71-domo_iot

/interface bridge port
add bridge="bridge L2 PtoP_" interface=ether3 priority=0x70
add bridge=bridge_trunk interface=ether4
add bridge=bridge_trunk interface=ether5
add bridge=bridge_trunk interface=ether6
add bridge=bridge_trunk interface=ether7
add bridge=bridge_trunk interface=ether8
add bridge=bridge_trunk interface=sfp1 priority=0x70
add bridge=bridge_trunk interface=ether9
add bridge=bridge_trunk interface=ether10
add bridge=bridge_trunk interface=sfp2 priority=0x70
add bridge=bridge_trunk interface=sfp3 priority=0x70
add bridge=bridge_trunk interface=ether11
add bridge="bridge L2 PtoP_" interface=ether12
add disabled=yes interface=ether3
add disabled=yes interface=ether12
add bridge="bridge L2 PtoP_" disabled=yes interface=*21
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set arp-timeout=1d
/interface bridge vlan
add bridge="bridge L2 PtoP_" tagged="ether12,ether3,bridge L2 PtoP_" \
    vlan-ids=1000

/interface list member
add interface=ether1 list=WAN-Interfaces
add interface=ether2 list=WAN-Interfaces
add interface=VLAN70-guest list=GUEST-Interfaces
add interface=VLAN70-guest list=NOWINBOX_Interfaces
add interface=VLAN80-voip list=NOWINBOX_Interfaces
add interface=vlan71-domo_iot list=NOWINBOX_Interfaces
add interface=VLAN20-amm list=NOWINBOX_Interfaces
add interface=VLAN30-aut list=NOWINBOX_Interfaces
add disabled=yes interface=VLAN10-srv list=NOWINBOX_Interfaces
add interface=VLAN40-rd list=NOWINBOX_Interfaces
add interface=VLAN60-dev list=NOWINBOX_Interfaces
add interface=VLAN90-dtt list=NOWINBOX_Interfaces
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set authentication=mschap2 certificate=VPN-Server-Certificate \
    default-profile=Profile-admin enabled=yes
/ip address
add address=192.168.3.254/24 comment=wan1 interface=ether1 network=\
    192.168.3.0
add address=10.10.20.1/24 interface=VLAN20-amm network=10.10.20.0
add address=10.10.40.1/24 interface=VLAN40-rd network=10.10.40.0
add address=10.10.50.1/24 interface=VLAN50-test network=10.10.50.0
add address=10.10.30.1/24 interface=VLAN30-aut network=10.10.30.0
add address=10.10.60.1/24 interface=VLAN60-dev network=10.10.60.0
add address=192.168.0.1/24 interface=VLAN80-voip network=192.168.0.0
add address=172.16.0.1/24 interface=VLAN70-guest network=172.16.0.0
add address=192.168.4.254/24 interface=ether2 network=192.168.4.0
add address=10.10.10.1/24 interface=VLAN10-srv network=10.10.10.0
add address=10.10.0.1/24 interface=bridge_trunk network=10.10.0.0
add address=10.10.90.1/24 interface=VLAN90-dtt network=10.10.90.0
add address=172.16.1.1/24 interface=vlan71-domo_iot network=172.16.1.0
add address=172.31.31.1/30 comment="LINK PtoP" interface=ether3 \
    network=172.31.31.0
add address=192.168.200.1/24 disabled=yes network=192.168.200.0
add address=192.168.201.1/24 disabled=yes network=192.168.201.0
/ip arp



/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.1
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.20.0/24 gateway=10.10.20.1
add address=10.10.30.0/24 gateway=10.10.30.1
add address=10.10.40.0/24 gateway=10.10.40.1
add address=10.10.50.0/24 gateway=10.10.50.1
add address=10.10.60.0/24 gateway=10.10.60.1
add address=10.10.90.0/24 gateway=10.10.90.1
add address=172.16.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.0.1
add address=172.16.1.0/24 dns-server=8.8.8.8 gateway=172.16.1.1 netmask=24
add address=192.168.0.0/24 gateway=192.168.0.1
/ip dns
set servers=8.8.8.8,8.8.4.4

/ip firewall filter
add action=log chain=forward disabled=yes in-interface=*F0361C log=yes \
    log-prefix="" out-interface="bridge L2 PtoP_"


add action=drop chain=input comment=\
    "blocca le connessioni WAN sulla porta 8291 - 1723 (ONLY Blacklist)" \
    dst-port=8291,1723 in-interface-list=WAN-Interfaces log=yes log-prefix=\
    "DROP connection for winbox access" protocol=tcp src-address-list=\
    winbox_blacklist
add action=tarpit chain=input comment=\
    "block WAN sulla porta 8291 - INLOCALE" dst-port=8291 \
    in-interface-list=NOWINBOX_Interfaces log=yes log-prefix=\
    "****LOCAL DROP connection for winbox access" protocol=tcp
add action=drop chain=input comment=\
    "block  WAN port(21,22,23,80)" \
    dst-port=21,22,23,80 in-interface-list=WAN-Interfaces log=yes log-prefix=\
    "****access remote warning****" protocol=tcp

add action=add-src-to-address-list address-list=blacklist_expected \
    address-list-timeout=1w3d chain=input comment="WinBox Suspect" \
    connection-state=new dst-port=8291 in-interface-list=WAN-Interfaces \
    log-prefix="\"suspect access to winbox\"" protocol=tcp
add action=drop chain=input comment=\
    "ddos" \
    connection-state=new dst-address-list=ddos-dst log-prefix=\
    "\"BLOCKED DDOS\"" src-address-list=ddos-src
add action=drop chain=forward comment=\
    "Drop to port scan list from forward chain" log-prefix="drop to forward" \
    src-address-list=Port_Scanner
add action=tarpit chain=input comment="Tarpit to port scan list" log-prefix=\
    "TARPIT  SCANNER LIST (input)" protocol=tcp src-address-list=Port_Scanner
add action=drop chain=input comment="Drop to port scan list from input chain" \
    log=yes log-prefix="dropping scanner" src-address-list=Port_Scanner
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=3d chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1 src-address-list=!ddosExclude
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=3d chain=input comment="NMAP FIN Stealth scan" log=\
    yes log-prefix="Fin scan" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=log chain=input comment="FIN/PSH/URG scan" log=yes log-prefix=\
    "FIN/PSH/URG SCAN" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=log chain=input comment="NMAP NULL scan" log=yes log-prefix=\
    "NMAP NULL SCAN" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=log chain=input comment="SYN/FIN scan" log=yes log-prefix=\
    "****SYN/FIN SCAN*****" protocol=tcp tcp-flags=fin,syn
add action=log chain=input comment="SYN/RST scan" log=yes log-prefix=\
    "****SYN/RST SCAN*****" protocol=tcp tcp-flags=syn,rst
add action=log chain=input comment="ALL/ALL PORT scan" log=yes log-prefix=\
    "ALL/ALL Port  SCAN" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=jump chain=input comment="Jump for icmp input flow" \
    in-interface-list=WAN-Interfaces jump-target=ICMP log-prefix=JXXXJUMP \
    protocol=icmp src-address-list=!ddosExclude
add action=jump chain=input comment=\
    "filtra le nuove connessioni SYN e le passa al controllo detec-syn" \
    connection-state=new in-interface-list=WAN-Interfaces jump-target=\
    detect-syn log-prefix=new-connect protocol=tcp tcp-flags=syn
add action=accept chain=detect-syn connection-state=new dst-limit=\
    500,5,dst-address/1m40s in-interface-list=WAN-Interfaces protocol=tcp \
    tcp-flags=syn
add action=tarpit chain=detect-syn comment="drop connessioni SYN" \
    connection-state=new in-interface-list=WAN-Interfaces log=yes log-prefix=\
    "***tarpit SYN connection****" protocol=tcp tcp-flags=syn
add action=jump chain=input comment=\
    "ddos" \
    connection-state=new in-interface-list=WAN-Interfaces jump-target=\
    detect-ddos 
add action=return chain=detect-ddos comment=\
    "monitor connection " dst-limit=\
    50,50,src-and-dst-addresses/10s
add action=add-src-to-address-list address-list=ddos-src \
    address-list-timeout=2d chain=detect-ddos comment=\
    "list  ddos (temp)" log=yes \
    log-prefix="adding SRC DDOS" src-address-list=!ddosExclude
add action=add-dst-to-address-list address-list=ddos-dst \
    address-list-timeout=2d chain=detect-ddos comment=\
    "" log=\
    yes log-prefix="adding DST DDOS"
add action=accept chain=forward comment=\
    "printer(OUT)" \
    out-interface=VLAN60-dev src-address=10.10.20.20
add action=drop chain=forward in-interface=VLAN20-amm log-prefix=@@@@@@@@@@ \
    out-interface=all-vlan
add action=drop chain=forward in-interface=VLAN40-rd log-prefix=rd \
    out-interface=all-vlan
add action=drop chain=forward in-interface=VLAN50-test log-prefix=XXXX \
    out-interface=all-vlan
add action=drop chain=forward in-interface=VLAN60-dev log-prefix=XXX \
    out-interface=all-vlan
add action=drop chain=forward in-interface=VLAN70-guest log-prefix=\
    "guyest drop" out-interface=all-vlan
add action=drop chain=forward in-interface=VLAN80-voip out-interface=all-vlan
add action=drop chain=forward in-interface=vlan71-domo_iot out-interface=\
    all-vlan

add action=drop chain=forward comment="block access to wan router interface" \
    dst-address-list="router WAN" in-interface=all-vlan log=yes log-prefix=\
    "dropping wan"

add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
    icmp-options=8:0 limit=1,5:packet log-prefix="<<<icmp detect >>" \
    protocol=icmp
add action=accept chain=ICMP comment="Echo reply (ping attack)" icmp-options=\
    0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded (ping attack)" \
    icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable (Ping Attack)" \
    icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment="PMTUD (Ping attack)" icmp-options=3:4 \
    protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" \
    in-interface-list=WAN-Interfaces log=yes log-prefix="DROPPING ICMP" \
    protocol=icmp src-address-list=!ddosExclude
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connection started from OUTSIDE" connection-mark=no-mark \
    in-interface=ether1 new-connection-mark=wlan1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2 new-connection-mark=wlan2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge_trunk new-connection-mark=\
    wlan1_conn passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge_trunk new-connection-mark=\
    wlan2_conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment=\
    "mark routing  to_wlan1(no local subnet)" \
    connection-mark=wlan1_conn dst-address-list=!local_subnet in-interface=\
    bridge_trunk new-routing-mark=to_wlan1 passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "mark routing  to_wlan2(no local subnet)" \
    connection-mark=wlan2_conn dst-address-list=!local_subnet in-interface=\
    bridge_trunk new-routing-mark=to_wlan2 passthrough=yes
add action=mark-routing chain=output connection-mark=wlan1_conn \
    new-routing-mark=to_wlan1 passthrough=yes
add action=mark-routing chain=output connection-mark=wlan2_conn \
    new-routing-mark=to_wlan2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

/ip route
add check-gateway=ping distance=1 gateway=192.168.3.1 routing-mark=to_wlan1
add check-gateway=ping distance=1 gateway=192.168.4.1 routing-mark=to_wlan2
add check-gateway=ping distance=1 gateway=192.168.3.1
add check-gateway=ping distance=2 gateway=192.168.4.1
add check-gateway=ping comment="check internet" disabled=yes distance=1 \
    gateway=8.8.8.8 target-scope=30
add check-gateway=ping comment="check ping internet" disabled=yes distance=1 \
    dst-address=8.8.8.8/32 gateway=192.168.3.1
add comment="Route bridge" distance=1 dst-address=10.10.1.0/24 \
    gateway=172.31.31.2 scope=10
add comment="Route SRV" distance=1 dst-address=10.10.11.0/24 \
    gateway=172.31.31.2 scope=10
add comment="Route Tech" distance=1 dst-address=10.10.91.0/24 \
    gateway=172.31.31.2 scope=10
add distance=1 dst-address=172.41.41.0/24 gateway=172.31.31.2
add comment="Route bridge Voip " distance=1 dst-address=192.168.81.0/24 \
    gateway=172.31.31.2 scope=10
	


/ppp secret

/snmp
set contact=Mikrotik enabled=yes location=KK trap-version=3
/system clock
set time-zone-name=Europe/Rome
/system logging
add action=RemoteLog prefix=syslog-info topics=info
add action=remote prefix=syslog-system topics=system
add action=remote prefix=syslog-warning topics=warning
add action=remote prefix=syslog-account topics=account
add disabled=yes prefix=syslog-ppp topics=ppp
add action=RemoteLog topics=dhcp
add action=RemoteLog topics=firewall
add disabled=yes topics=pptp
add disabled=yes topics=l2tp
add prefix=****BRIDGE topics=bridge
/system ntp client
set enabled=yes primary-ntp=162.159.200.123 secondary-ntp=193.204.114.232
/system routerboard settings
set auto-upgrade=yes
/tool mac-server ping
set enabled=no


 
tdw
Forum Veteran
Posts: 760
Joined: Sat May 05, 2018 11:55 am

Re: Problem with L2/L3 Tunnel VLAN

Mon Feb 22, 2021 3:17 pm

There is some redundant configuration left over from bridges and interfaces that have been deleted, which should be cleaned up:
/interface bridge port
....
add disabled=yes interface=ether3
add disabled=yes interface=ether12
add bridge="bridge L2 PtoP_" disabled=yes interface=*21


/ip firewall filter
add action=log chain=forward disabled=yes in-interface=*F0361C log=yes \
log-prefix="" out-interface="bridge L2 PtoP_"


Then you have an IP address incorrectly attached to ether3 - addresses and services should be attached to the parent bridge.
/ip address
....
# was: interface=ether3
add address=172.31.31.1/30 comment="LINK PtoP" interface="bridge L2 PtoP_" \
    network=172.31.31.0


In previous posts you mention ether3 and ether8 in a bridge, this does not correspond with the configuration which has ether3 and ether12.

I can't see that enabling the VLAN1000-Video VLAN interface would change anything, as it is not used in the configuration. "bridge L2 PtoP_", ether3 and ether12 will pass untagged traffic and VLAN1000 tagged traffic regardless of the state of that VLAN interface.
 
cadei
newbie
Topic Author
Posts: 37
Joined: Mon Apr 30, 2018 12:02 pm

Re: Problem with L2/L3 Tunnel VLAN

Mon Feb 22, 2021 5:11 pm

I have already tried to assign the IP to master bridge, without success.
When I enable VLAN1000 under the "bridge L2 PtoP_" the issue reappears. I tried to change eth8 and eth12 and the issue is the same.
Regards
 
sindy
Forum Guru
Posts: 7140
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with L2/L3 Tunnel VLAN

Mon Feb 22, 2021 10:13 pm

What are your reasons to use
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes

?
I don't say it is definitely the cause of the issue you experience, but as you don't use any /queue tree or /queue simple settings, it just causes the bridged traffic, including the one of VLAN 1000, to be processed by the IP firewall. So if nothing else, it at least generates an unnecessary CPU load.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
cadei
newbie
Topic Author
Posts: 37
Joined: Mon Apr 30, 2018 12:02 pm

Re: Problem with L2/L3 Tunnel VLAN

Tue Feb 23, 2021 11:22 am

Currently I forgot the reason for this flag. :)
However, I use several bridge references in the firewall section (IP filter, mangle section, ...).
Do you think this could have an impact on a production environment? Can I disable it without risk?
Regards
 
sindy
Forum Guru
Posts: 7140
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with L2/L3 Tunnel VLAN

Tue Feb 23, 2021 12:09 pm

Do you think this could have an impact on a production environment? I can disable it without risk?
Those brief but therefore misleading names...

What all those use-ip-firewall... items under /interface bridge settings do, if enabled, is push through the IP firewall also frames which would normally only be forwarded between ports of the same bridge and never reach the IP stack of the router. The original purpose was to allow QoS (queue) treatment to be applied also to bridged frames, and an additional effect is that you can refer to in-bridge-interface and out-bridge-interface in /ip firewall rules.

Those settings are not necessary to make the IP firewall handle packets which are routed from/to an /interface bridge and/or /interface vlan. Handling of these packets by IP firewall is automatic.

Since you use neither queues nor matching on (in|out)-bridge-interface in firewall rules, setting all the three use-ip-firewall... items to no should not affect the normal operation. It can change some behaviour but nothing in your configuration suggests that it should be your case.

I'd recommend posting your updated configuration once you've done the cleanups recommended by @tdw.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
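The cleanup @tdw listed and the bridge-settings change discussed in this post, collected into one pass of RouterOS commands. This is an added example, not commands posted by anyone in the thread; it assumes the export posted above (the three orphaned bridge-port entries are the only disabled ones, 172.31.31.1/30 is the only address on ether3) and must be repeated on Side B with its own addresses.

```routeros
# Added example based on the /export above; not from the thread's participants.
# Assumes: the orphaned /interface bridge port entries are the only disabled
# ones, and 172.31.31.1/30 is the only address configured on ether3.

# 1. Remove the bridge-port entries left behind by a deleted bridge/interface
#    (no bridge set for ether3/ether12, and the entry pointing at *21).
/interface bridge port remove [find disabled=yes interface=ether3]
/interface bridge port remove [find disabled=yes interface=ether12]
/interface bridge port remove [find disabled=yes bridge="bridge L2 PtoP_"]

# 2. Remove the disabled forward-chain log rule that references the
#    no-longer-existing interface *F0361C.
/ip firewall filter remove [find disabled=yes action=log chain=forward \
    out-interface="bridge L2 PtoP_"]

# 3. Move the point-to-point /30 from the member port to the parent bridge,
#    so the address is not bound to a port that belongs to a bridge.
/ip address set [find address="172.31.31.1/30"] interface="bridge L2 PtoP_"

# 4. Stop pushing bridged frames (VLAN 1000 included) through the IP firewall;
#    nothing in this config uses queues or (in|out)-bridge-interface matchers.
/interface bridge settings set use-ip-firewall=no \
    use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no

# 5. Verify: no disabled port entries remain, the /30 sits on the bridge,
#    and all three use-ip-firewall flags read "no".
/interface bridge port print where disabled=yes
/ip address print where interface="bridge L2 PtoP_"
/interface bridge settings print
```

The static routes via 172.31.31.2 need no change, since the next hop is still reachable through the same /30 once it sits on the bridge.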
 
cadei
newbie
Topic Author
Posts: 37
Joined: Mon Apr 30, 2018 12:02 pm

Re: Problem with L2/L3 Tunnel VLAN

Tue Feb 23, 2021 4:53 pm

OK. ASAP I will disable this flag, and I will try the new settings.
Do you think that this will fix the issue?
 
sindy
Forum Guru
Posts: 7140
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problem with L2/L3 Tunnel VLAN

Tue Feb 23, 2021 5:48 pm

I give it a 60 % chance. The issue itself is weird, so removal of unusual (as in "rarely used and therefore lacking any significant experience among the users") configuration is quite likely to help.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
