krafg
Forum Guru
Topic Author
Posts: 1020
Joined: Sun Jun 28, 2015 7:36 pm

Impossible getting ping when using vlans

Fri Nov 19, 2021 11:02 pm

Hello, I'm trying to get ping between 2 PCs with the firewall disabled, but I can't get a response.

PC1 - RBM33G - RB450G - Cisco 2950 - PC2

PC1:

Ethernet: 192.168.100.200/24 - Gateway: 192.168.100.1

RBM33G:

Ether1 and Ether2 under Bridge1
Bridge1: 192.168.100.1/24

RB450G:

Ether1 under VLAN60
VLAN60: 10.0.60.1/24 + DHCP Server
Ether2: 192.168.100.2/24

Cisco 2950:

Ether1: Mode trunk
Ether2: Mode access VLAN60

PC2:

Ethernet: 10.0.60.254 (DHCP)

Configs:

Cisco:
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
switchport trunk native vlan 100
switchport trunk allowed vlan 1,60,100
switchport mode trunk
!
interface FastEthernet0/2
switchport access vlan 60
switchport mode access

!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
switchport mode trunk
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan100
ip address 10.0.100.101 255.255.255.0
no ip route-cache
!
ip default-gateway 10.0.100.1
ip http server
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
!
end

RB450G:
/interface ethernet
set [ find default-name=ether2 ] name=ether2-Telefonia
/interface vlan
add interface=ether1 name=vlan60 vlan-id=60
add interface=ether5 name=vlan100 vlan-id=100
/ip pool
add name=dhcp_pool1 ranges=10.0.60.2-10.0.60.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlan60 name=dhcp2
/ip address
add address=10.0.60.1/24 interface=vlan60 network=10.0.60.0
add address=192.168.100.2/24 interface=ether2-Telefonia network=192.168.100.0
add address=10.0.100.1/24 interface=vlan100 network=10.0.100.0
/ip dhcp-server network
add address=10.0.60.0/24 gateway=10.0.60.1
/ip dns
set servers=8.8.8.8,8.8.4.4

RBM33G:
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/ip address
add address=192.168.100.1/24 interface=bridge1 network=192.168.100.0
/ip dns
set servers=8.8.8.8,8.8.4.4

Regards.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Sat Nov 20, 2021 1:35 am

Remember that by default, Windows does not allow ping responses. Been bitten by that one more than once...
 
krafg
Topic Author

Sat Nov 20, 2021 1:59 am

Thanks for the reply.

I know that Windows by default has ping blocked. Now I added all ICMPv4 traffic to permit on all interfaces and IPs on both machines. If I ping from RBM33G to PC1 and from RB450G to PC2, both work well.

In addition, if I try to ping from PC2 to RBM33G, it does not work.

Regards.
 
k6ccc

Sat Nov 20, 2021 2:15 am

You would be amazed how many don't know that Windows blocks ICMP by default. Hence the reason I asked.
I think you are in the right direction for testing. Try segments and see what works and what does not. Using Torch to see what ICMP packets are flowing and where may also help.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Sat Nov 20, 2021 3:43 am

PC1 has 192.168.100.1 on RBM33G as gateway, but I don't see any route to 10.0.60.0/24 on RBM33G.
 
krafg
Topic Author

Sat Nov 20, 2021 3:57 am

Sob wrote:
> PC1 has 192.168.100.1 on RBM33G as gateway, but I don't see any route to 10.0.60.0/24 on RBM33G.

Thanks for the reply. I added the following on RBM33G:

/ip route
add distance=1 dst-address=10.0.60.0/24 gateway=bridge1

Still not working.

Regards.
 
Sob

Sat Nov 20, 2021 4:05 am

gateway=192.168.100.2
 
krafg
Topic Author

Sat Nov 20, 2021 2:38 pm

/ip route
add distance=1 dst-address=10.0.60.0/24 gateway=192.168.100.2

Still not working.

Actual config of RBM33G:
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/ip address
add address=192.168.100.1/24 interface=bridge1 network=192.168.100.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add distance=1 dst-address=10.0.60.0/24 gateway=192.168.100.2

And to finish with the "Windows ping problem", I replaced PC1 with a Linux device that you can ping.
So, now the exercise is to ping from PC2 (Windows) to PC1 (Linux).

Thanks and regards.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Sat Nov 20, 2021 4:15 pm

I don't understand the network as described and the config depends on that structure.

What is/are acting as switch(es) and what is acting as router(s) here??
What is/are connected to ISP modem(s)?
 
krafg
Topic Author

Sat Nov 20, 2021 4:47 pm

Cisco 2950 is a layer2 switch and RBM33G is acting as a "layer3 switch"; well, bridging and routing.

This is a home lab for now. No ISP for now.

Image
Regards.
Last edited by krafg on Sat Nov 20, 2021 5:01 pm, edited 1 time in total.
 
Sob

Sat Nov 20, 2021 4:58 pm

How about ping between RBM33G and RB450G (192.168.100.1 <-> 192.168.100.2), does that work? If not, then how exactly are they connected? From what you posted, I'd assume cable between RBM33G's ether1 or ether2 and RB450G's ether2. Which is also weird, because if RBM33G's interfaces are bridged, it would make more sense for PC1 to use directly 192.168.100.2 as gateway.
 
krafg
Topic Author

Sat Nov 20, 2021 5:25 pm

In my latest post I published a diagram.

Pinging from 192.168.100.1 to 192.168.100.2 is OK and vice versa.

I know that the ideal scenario is to connect the PC directly to one router only, but the problem is that in the real scenario we can't do it.

Regards.
 
Sob

Sat Nov 20, 2021 7:02 pm

Then how complete is RBM33G's config you posted? Are there any firewall rules? Usual stateful firewall would have problem with how it's connected, because it creates asymmetric routing:

- in one direction, 192.168.100.200 sends packet to its gateway 192.168.100.1 and RBM33G sends it to 192.168.100.2
- in other direction, RB450G sends packet directly to 192.168.100.200, because it's in same subnet as RB450G's 192.168.100.2 => it passes through RBM33G, but it's only bridged and IP firewall doesn't see => for stateful firewall it's invalid packet

But if there really isn't firewall on RBM33G, then it would work. Anyway, this should be simple to debug, if you can play with it. Packet sniffer is your friend. Keep the ping running, see how far it gets and you'll know where to look for problem.
 
krafg
Topic Author

Sat Nov 20, 2021 8:25 pm

RBM33G has all its config posted here, except the LTE interfaces, which are disabled, and something about the default wireless security profile. I omitted both to reduce the code a bit.

So, I don't have any firewall rules configured on any device.

Regards.
 
krafg
Topic Author

Sat Nov 20, 2021 11:12 pm

Update. I added a simple NAT (masquerade) on RB450G and ping finally works fine.

Is there a way to avoid the NAT? It would be ideal.

Regards.
 
Sob

Sat Nov 20, 2021 11:44 pm

I don't see exact rule, but generally when masquerade fixes a problem like this, it means there's a missing route somewhere (or firewall blocking).
 
krafg
Topic Author

Sun Nov 21, 2021 2:59 am

I configured OSPF and added permit rules for traffic, and anyway it is not working without NAT.

RBM33G:
# jan/02/1970 00:53:45 by RouterOS 6.49
# software id = AIY8-I70Z
#
# model = RouterBOARD M33G
# serial number = 78F108C8BF83
/interface bridge
add name=bridge1
/interface lte
set [ find ] disabled=yes name=lte1
set [ find ] allow-roaming=no disabled=yes name=lte2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/ip address
add address=192.168.100.1/24 interface=bridge1 network=192.168.100.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=forward dst-address=10.0.60.0/24 src-address=192.168.100.0/24
add action=accept chain=forward dst-address=192.168.100.0/24 src-address=10.0.60.0/24
/ip route
add disabled=yes distance=1 dst-address=10.0.60.0/24 gateway=192.168.100.2
add disabled=yes distance=1 dst-address=10.0.100.0/24 gateway=192.168.100.2
/routing ospf network
add area=backbone network=192.168.100.0/24

RB450G:
# jan/02/1970 01:45:26 by RouterOS 6.49
# software id = B115-B22T
#
# model = 450G
# serial number = 33B604CFD300
/interface ethernet
set [ find default-name=ether2 ] name=ether2-Telefonia
/interface vlan
add interface=ether1 name=vlan60 vlan-id=60
add interface=ether5 name=vlan100 vlan-id=100
/ip pool
add name=dhcp_pool1 ranges=10.0.60.2-10.0.60.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlan60 name=dhcp2
/ip address
add address=10.0.60.1/24 interface=vlan60 network=10.0.60.0
add address=192.168.100.2/24 interface=ether2-Telefonia network=192.168.100.0
add address=10.0.100.1/24 interface=vlan100 network=10.0.100.0
/ip dhcp-server network
add address=10.0.60.0/24 gateway=10.0.60.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=forward dst-address=10.0.60.0/24 src-address=192.168.100.0/24
add action=accept chain=forward dst-address=192.168.100.0/24 src-address=10.0.60.0/24
/routing ospf network
add area=backbone network=10.0.60.0/24
add area=backbone network=10.0.100.0/24
add area=backbone network=192.168.100.0/24

Now I posted the complete config.

How is it possible that, if there are no rules blocking traffic and all networks are declared on both devices, I can't get a connection? I'm thinking that this is a MikroTik bug or something.

Image

Image

Image

Regards.
 
Sob

Sun Nov 21, 2021 6:40 pm

And the magic NAT rule that fixes it is what exactly?

The weird part is that not even ping to 192.168.100.2 works. It's from PC2 (10.0.60.254), right? But its default gateway is 10.0.60.1, i.e. RB450G, which also has 192.168.100.2. So RB450G definitely knows where to find 10.0.60.254. It's almost direct link between the two, except for Cisco, but it doesn't look like it should interfere, because if it did, even dhcp wouldn't pass.

Btw, both OSPF and those firewall rules can't help, RB450G has all routes, for RBM33G you have the same manual ones, and if there's no firewall filter, everything is allowed by default.
 
krafg
Topic Author

Mon Nov 22, 2021 5:17 pm

Sob wrote:
> And the magic NAT rule that fixes it is what exactly?

Sorry, I posted the config with the rule removed, so it's:

/ip firewall nat
add action=masquerade chain=srcnat

Applied on RB450G.

Sob wrote:
> The weird part is that not even ping to 192.168.100.2 works. It's from PC2 (10.0.60.254), right?

Yes, you are right, but today I turned on my lab again and now I can ping 192.168.100.2 from 10.0.60.254, but I can't ping 192.168.100.200.

Image

The actual config is without NAT, like I posted last time.

Regards.
 
Sob

Mon Nov 22, 2021 7:21 pm

Hmm...

- ping from 10.0.60.254 to 192.168.100.2 works => routing from 10.0.60.254 to 192.168.100.0/24 is ok
- ping from 10.0.60.254 to 192.168.100.200 doesn't work => there's some problem beyond RB450G
- masquerade changes source from 10.0.60.254 to 192.168.100.2 and it works => it looks like device 192.168.100.200 doesn't have route to 10.0.60.254

So check config of 192.168.100.200, if it really has route to 10.0.60.254. Default gateway 192.168.100.1 covers that and you wrote that it's there, but just make sure that it really is.

Otherwise I'm running out of ideas. If it's lab, then experiment. Test if changing 192.168.100.200's gateway to 192.168.100.2 works. Or if connecting it directly to RB450G without RBM33G helps. I don't see why it should, but for the lack of better ideas...

In any case, nothing here is in any way complicated, it's all the most basic networking, there's no reason why it shouldn't work.
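
Sob's two arguments in this thread (the asymmetric path around RBM33G's IP firewall, and the inference that masquerade hides a missing return route on 192.168.100.200) can be checked with a small routing-table model. This is an added example, not part of any post: the tables are constructed from the addresses given in the thread, and the names TABLES, OWNER, NO_GW, next_hop, l3_path and routed_both_ways are hypothetical.

```python
import ipaddress

# Constructed model of the lab described in this thread (not a device export).
# Each routing table is a list of (prefix, gateway); gateway None = on-link.
TABLES = {
    "PC1":    [("192.168.100.0/24", None), ("0.0.0.0/0", "192.168.100.1")],
    "RBM33G": [("192.168.100.0/24", None), ("10.0.60.0/24", "192.168.100.2")],
    "RB450G": [("192.168.100.0/24", None), ("10.0.60.0/24", None)],
    "PC2":    [("10.0.60.0/24", None), ("0.0.0.0/0", "10.0.60.1")],
}
OWNER = {"192.168.100.200": "PC1", "192.168.100.1": "RBM33G",
         "192.168.100.2": "RB450G", "10.0.60.1": "RB450G",
         "10.0.60.254": "PC2"}

def next_hop(host, dst, tables):
    """Longest-prefix match: IP the packet is handed to next, or None."""
    best = None
    for prefix, gateway in tables[host]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (
                best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        return None
    return best[1] or dst  # on-link: deliver straight to the destination

def l3_path(src, dst, tables=TABLES):
    """Devices that make an IP forwarding decision; pure bridging is invisible."""
    host = OWNER[src]
    path = [host]
    while host != OWNER[dst] and len(path) < 8:
        hop = next_hop(host, dst, tables)
        if hop is None:
            return path + ["no route"]
        host = OWNER[hop]
        path.append(host)
    return path

def routed_both_ways(device, a, b, tables=TABLES):
    """True if the device's IP stack (and so its conntrack) sees a->b and b->a."""
    return (device in l3_path(a, b, tables)[1:-1]
            and device in l3_path(b, a, tables)[1:-1])

# The masquerade inference: remove PC1's default route and compare the replies.
NO_GW = dict(TABLES, PC1=[("192.168.100.0/24", None)])

if __name__ == "__main__":
    print(l3_path("192.168.100.200", "10.0.60.254"))          # via RBM33G
    print(l3_path("10.0.60.254", "192.168.100.200"))          # skips RBM33G
    print(l3_path("192.168.100.200", "10.0.60.254", NO_GW))   # reply has no route
    print(l3_path("192.168.100.200", "192.168.100.2", NO_GW)) # masqueraded source
```

A connection-tracking firewall on RBM33G would see only the request direction, while a reply addressed to the masqueraded source 192.168.100.2 is on-link for 192.168.100.200 and needs no route at all.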
 
krafg
Topic Author

Re: Impossible getting ping when using vlans  [SOLVED]

Fri Dec 03, 2021 4:15 pm

Hello, I have good news.

First, I apologize, but lately I have had very, very limited time, so I abandoned this problem.

Okay, now the good news is that on the real network I finally solved the problem by doing a simple NAT with destination address 192.168.100.200, so this way all Internet traffic on both ISPs is not affected and internal communication is working flawlessly. This is the best scenario because on the real network I do not have access to 192.168.100.1 (ISP router - gateway of 192.168.100.200). In a few words, the final objective is done.

Now, anyway, it is interesting to try to solve the problem in the lab without doing NAT, so in the next days I will do the tests that you mention.

Thanks a lot for the support.
Regards.
