 
NorthBZH
just joined
Topic Author
Posts: 2
Joined: Tue Dec 07, 2021 12:32 pm

I can't ping between 2 vlan

Tue Dec 07, 2021 12:44 pm

Hello everyone,

I am starting out with MikroTik administration, and I managed to configure VLANs, each with a dedicated DHCP server

VLAN10 192.168.10.0/24
VLAN20 192.168.20.0/24
...

Everything works well: addresses are handed out on the correct VLANs and the internet works, but there is a printer at 192.168.1.100 on the client's network which must be reachable from each VLAN.
I have looked all over the forum and cannot find anyone with the same concerns.

When I run the following command on my MikroTik, I always get a timeout:
ping 192.168.1.100 src-address=192.168.10.1

here is my configuration:
# dec/07/2021 11:37:48 by RouterOS 6.47.9
# software id = D9BC-BT45
#
# model = RBD52G-5HacD2HnD
# serial number = CDFC0E44F8C9
#
# NOTE(review): the export header (software id, serial number) and the admin-mac
# on the bridge identify the physical device. The PPPoE credentials were
# redacted before posting; these values were not.
/interface bridge
add admin-mac=2C:C8:1B:C6:64:F0 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
# NOTE(review): vlan-filtering=yes is set, but this export contains no
# /interface bridge vlan entries and no pvid on any bridge port. How tagged
# frames for VIDs 10-50 are admitted is not visible here - confirm on the device.
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-full,100M-full,1000M-full
/interface pppoe-client
# WAN uplink over ether1; user/password are placeholders in this paste.
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=xxxxxxxxx use-peer-dns=yes user=xxx@xxx.xxx
/interface wireless
# Both radios are bridged APs with the factory-style SSIDs. The default
# security profile further down sets only supplicant-identity; no mode or
# authentication-types appear in the export, which suggests open Wi-Fi - confirm.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-C664F4 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-C664F5 wireless-protocol=802.11
/interface vlan
# Routed VLAN interfaces 10-50, all built on top of the bridge.
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
add interface=bridge name=vlan40 vlan-id=40
add interface=bridge name=vlan50 vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool_vlan10 ranges=192.168.10.10-192.168.10.90
add name=dhcp_pool_vlan20 ranges=192.168.20.10-192.168.20.90
add name=dhcp_pool_vlan30 ranges=192.168.30.10-192.168.30.90
add name=dhcp_pool_vlan40 ranges=192.168.40.10-192.168.40.90
add name=dhcp_pool_vlan50 ranges=192.168.50.10-192.168.50.90
# The printer address given in the post (192.168.1.100) lies outside this
# pool, consistent with it being configured statically on the printer.
add name=dhcp_pool6 ranges=192.168.1.10-192.168.1.90
/ip dhcp-server
add address-pool=dhcp_pool_vlan10 disabled=no interface=vlan10 name=\
    dhcp_vlan10
add address-pool=dhcp_pool_vlan20 disabled=no interface=vlan20 name=\
    dhcp_vlan20
add address-pool=dhcp_pool_vlan30 disabled=no interface=vlan30 name=\
    dhcp_vlan30
add address-pool=dhcp_pool_vlan40 disabled=no interface=vlan40 name=\
    dhcp_vlan40
add address-pool=dhcp_pool_vlan50 disabled=no interface=vlan50 name=\
    dhcp_vlan50
# dhcp1 serves the untagged side of the bridge (192.168.1.0/24).
add address-pool=dhcp_pool6 interface=bridge name=dhcp1
/snmp community
# NOTE(review): for SNMP v1/v2c the community string is the only credential,
# and /snmp is enabled further down. It was not redacted in this paste - treat
# it as a leaked secret and change it.
set [ find default=yes ] name=Gconvergence10
/interface bridge port
# ether2-5 and both radios are plain bridge ports; no pvid is shown for any of them.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
# Only the bridge is a LAN member; vlan10-50 belong to no list. Anything that
# matches on in-interface-list=LAN (neighbor discovery, mac-server, any future
# filter rule) therefore does not cover the VLAN interfaces.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
# Router is .254 on the untagged bridge subnet and .1 on each VLAN subnet.
add address=192.168.1.254/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
add address=192.168.40.1/24 interface=vlan40 network=192.168.40.0
add address=192.168.50.1/24 interface=vlan50 network=192.168.50.0
/ip dhcp-client
# Leftover defconf DHCP client on ether1, next to the PPPoE client on the same port.
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.254
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
/ip dns
# allow-remote-requests=yes makes the router a DNS resolver for its clients.
# NOTE(review): this config has no input-chain filter rules (see /ip firewall
# filter below), so the resolver also answers on pppoe-out1 - an open-resolver
# exposure until an input rule dropping unsolicited WAN traffic is added.
set allow-remote-requests=yes servers=91.211.64.100,91.211.64.116
/ip dns static
# Stale defconf entry: router.lan resolves to .1, but the bridge address is .254.
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
# NOTE(review): this is the only filter rule and it is disabled=yes. The forward
# chain therefore accepts everything and the input chain has no rules at all;
# who can reach router services is limited solely by the /ip service address lists.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
# Both out-interface=pppoe-out1 and out-interface-list=all are set on the
# masquerade rule; the interface-list matcher adds nothing.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=pppoe-out1 out-interface-list=all
# Port forward: TCP 30443 arriving on any PPP interface -> 192.168.1.253:443.
add action=dst-nat chain=dstnat dst-port=30443 in-interface=all-ppp protocol=\
    tcp to-addresses=192.168.1.253 to-ports=443
/ip firewall service-port
set sip disabled=yes
/ip service
# NOTE(review): telnet, ftp, www and api remain enabled and are only
# address-restricted; telnet and ftp carry credentials in cleartext. The allow
# lists include prefixes outside the local subnets (91.211.64.0/24,
# 100.127.0.0/16, 80.14.61.235/32). The VLAN subnets appear only on www and winbox.
set telnet address="91.211.65.5/32,91.211.65.106/32,91.211.64.0/24,100.127.0.0\
    /16,91.211.65.102/32,192.168.1.0/24"
set ftp address="91.211.65.5/32,91.211.65.106/32,91.211.64.0/24,100.127.0.0/16\
    ,91.211.65.102/32,192.168.1.0/24"
set www address="91.211.65.5/32,91.211.65.106/32,91.211.64.0/24,100.127.0.0/16\
    ,91.211.65.102/32,80.14.61.235/32,192.168.1.0/24,192.168.10.0/24,192.168.2\
    0.0/24,192.168.30.0/24,192.168.40.0/24,192.168.50.0/24"
set ssh address="91.211.65.5/32,91.211.65.106/32,91.211.64.0/24,100.127.0.0/16\
    ,91.211.65.102/32,192.168.1.0/24"
set api address="91.211.65.5/32,91.211.65.106/32,91.211.64.0/24,100.127.0.0/16\
    ,91.211.65.102/32,192.168.1.0/24"
set winbox address="91.211.65.5/32,91.211.65.106/32,91.211.64.0/24,100.127.0.0\
    /16,91.211.65.102/32,80.14.61.235/32,192.168.1.0/24,192.168.10.0/24,192.16\
    8.20.0/24,192.168.30.0/24,192.168.40.0/24,192.168.50.0/24"
set api-ssl address="91.211.65.5/32,91.211.65.106/32,91.211.64.0/24,100.127.0.\
    0/16,91.211.65.102/32,192.168.1.0/24"
/snmp
# SNMP agent enabled with interface traps; see the community-string note above.
set contact=KOSC_FTTH enabled=yes location=NAT_CPE trap-generators=interfaces \
    trap-interfaces=all
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=XxX_xxx
/tool mac-server
# MAC-telnet and MAC-winbox are allowed from the LAN list, which here is only the bridge.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Thank you to everyone who will take the time to help me.
Kindly
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I can't ping between 2 vlan

Wed Dec 08, 2021 9:15 pm

The biggest problem is the lack of a proper firewall, the rest can wait.
Suggest.......
# Note: the menu path is missing its leading slash; use "/ip firewall filter".
ip firewall filter
# --- input chain (traffic addressed to the router itself) ---
# Return traffic of existing connections is accepted first, invalid state dropped.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# ICMP is accepted from any interface, WAN included (standard defconf behaviour).
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# The text in curly braces is an editorial annotation, not RouterOS syntax;
# remove it before pasting.
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 {disable if not required}
# Everything from LAN-list interfaces reaches router services; the /ip service
# address lists remain the control over who may log in. For this to cover the
# VLANs, vlan10-50 must be LAN members (in the original export only the bridge is).
add action=accept chain=input in-interface-list=LAN
# Final drop closes the router (DNS resolver, management ports) to WAN.
add action=drop chain=input

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

# --- forward chain (traffic through the router) ---
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# New connections LAN -> WAN (internet) are allowed.
add action=accept chain=forward comment="Allow internet traffic outbound" in-interface-list=LAN out-interface-list=WAN
# The braces annotation here sits after the line-continuation backslash and
# would break the command; delete it before pasting.
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat \ {disable if not required}
connection-state=new in-interface-list=WAN
# Default deny: any LAN -> LAN flow (including VLAN -> printer) is dropped
# unless an explicit accept is inserted above this rule.
add action=drop chain=forward
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I can't ping between 2 vlan

Wed Dec 08, 2021 9:29 pm

What I don't understand is why you assign VLANs for all subnets but then use the bridge itself for one subnet.
I prefer to have the bridge just be the bridge and not clutter up my config by mixing apples and oranges..
So create vlan11 and assign it to the bridge.
Change the "dhcp server" and "IP address" currently associated with the bridge over to vlan11.

vlan11 will be your home lan (and TRUSTED subnet).

Now for interface list members this is what you should have!

/interface list member
# Every routed LAN interface (vlan11 plus vlan10-50) goes into LAN so that
# rules matching in-interface-list=LAN cover all of them; WAN keeps ether1
# and the PPPoE interface running on it.
add comment=defconf interface=vlan11 list=LAN
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan30 list=LAN
add interface=vlan40 list=LAN
add interface=vlan50 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN


Your masquerade rule is WEIRD; change it to the following (drop the out-interface-list=all):
/ip firewall nat
# Masquerade only what leaves via the PPPoE uplink; the original rule also
# carried out-interface-list=all, which is dropped here.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=pppoe-out1


Your DSTNAT Rule needs some tidying up..........
from
# Original rule: matches on the all-ppp pseudo-interface, i.e. any PPP interface.
add action=dst-nat chain=dstnat dst-port=30443 in-interface=all-ppp protocol=\
tcp to-addresses=192.168.1.253 to-ports=443


TO
# Tidied rule: pinned to the actual WAN interface (pppoe-out1) instead of
# all-ppp; the forwarded service stays TCP 30443 -> 192.168.1.253:443.
add action=dst-nat chain=dstnat dst-port=30443 in-interface=pppoe-out1 \
protocol=tcp to-addresses=192.168.1.253 to-ports=443

I suggest you DISABLE all the non-secure methods of reaching the router ASAP.......
telnet
ftp
www
api



Your list of addresses allowed to access SSH and WINBOX is rather large. It should only be the ADMIN(s).
Typically one has a dedicated PC, or a laptop etc.............
Typically access WOULD ONLY be from vlan11 (your trusted home LAN).
I can see that you might want to access the router from each of the VLANs if that's where you happen to be; this should be done by setting a static DHCP lease for your device (be it smartphone or laptop) on each of those VLANs.
A bit more explanation of what you are trying to accomplish will make it possible to suggest the best security and the most limited access to the router!!!
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I can't ping between 2 vlan

Wed Dec 08, 2021 9:33 pm

Now for your printer issue.
Easy: since you have no firewall rules in place, everybody should already be able to access the printer, LOL.

So lets apply the proper firewall rule into the set I gave you.....

This will be a rule in the forward chain ( across the router so WAN to LAN, LAN to WAN and LAN to LAN).
With the drop rule at the end of the forward chain, this means all traffic is dropped unless we allow it. Best security!
So you will note that we ensure we allow LAN to WAN (internet traffic)!!
We also allow port forwarding before the drop rule. We also tend to put rules that will be matched more frequently higher up.
So internet usage will be greater than port forwarding for example.
Now we want to allow all users access to the printer.....

# Forward chain with the printer rule inserted before the final drop.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow internet traffic outbound" in-interface-list=LAN out-interface-list=WAN


# Printer access: any protocol/port from any LAN-list interface to
# 192.168.1.100 (no comment= set, so it will show unnamed in the rule list).
# Requires vlan10-50 to be LAN members. Replies come back under the
# established/related rule above - but only if the printer routes them to
# the router; if its default gateway is not 192.168.1.254, this rule alone
# will not make the ping from the VLANs succeed.
add action=accept chain=forward in-interface-list=LAN dst-address=192.168.1.100

# The braces text is an annotation, not syntax; it follows the continuation
# backslash and must be removed before pasting.
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat \ {disable if not required}
connection-state=new in-interface-list=WAN
add action=drop chain=forward


PS: it is also time to upgrade the firmware to the latest stable release.......... (not 7.1 unless you are very familiar with it)
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: I can't ping between 2 vlan

Wed Dec 08, 2021 10:15 pm

@NorthBZH: Does the printer have 192.168.1.254 as its default gateway?
What I don't understand is why you assign VLANs for all subnets but then use the bridge itself for one subnet.
I prefer to have the bridge just being the bridge and not cloud up my config with mixing apples and oranges..
Just because you prefer something else doesn't mean the other way is wrong. Using the bridge interface as an untagged port is a perfectly valid config.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I can't ping between 2 vlan

Wed Dec 08, 2021 10:31 pm

@NorthBZH: Does the printer have 192.168.1.254 as its default gateway?
What I don't understand is why you assign VLANs for all subnets but then use the bridge itself for one subnet.
I prefer to have the bridge just being the bridge and not cloud up my config with mixing apples and oranges..
Just because you prefer something else doesn't mean the other way is wrong. Using the bridge interface as an untagged port is a perfectly valid config.
Hi Sob,
Is the advice based on the fact that .254 is not the usual gateway in settings, whereas 192.168.1.1 is more common?
But there are only two ways to setup a printer.
a. manually, in which case he may have put in the wrong gateway?
b. automatically via DHCP, in which case it shouldn't matter.

As an aside, does it really matter whether one uses 192.168.1.1 or 192.168.1.254? Doesn't it mean the same thing? I mean, it's not a destination.......

As for the wrong way and my way....
NO, you are correct, both work, but I prefer
a. consistent approach
b. bridge not involved with dhcp directly (personal preference and no need).
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: I can't ping between 2 vlan

Wed Dec 08, 2021 10:53 pm

Obviously, the only correct gateway in a /24 subnet is .1, anything else is heresy. But since someone else might read this, I admit that it's not an entirely serious answer. ;)

But on topic: the printer has .100, which looks like a manually chosen address (it is also outside the 192.168.1.10-90 pool), and there are no static leases in the config, so my guess is that it's set manually.
 
NorthBZH
just joined
Topic Author
Posts: 2
Joined: Tue Dec 07, 2021 12:32 pm

Re: I can't ping between 2 vlan

Thu Dec 09, 2021 10:18 am

Hello everyone,
Thank you very much for all of your responses.

I offered the client a firewall but they don't want one, because it is an association that does not want to spend a lot of money but remains demanding :)

As I said, this is my first MikroTik, so I am taking note of all your remarks.

I will test everything you told me and I will give you the result.

thanks again
 
spynappels
Member Candidate
Posts: 106
Joined: Mon Oct 25, 2021 12:32 pm
Location: Northern Ireland

Re: I can't ping between 2 vlan

Thu Dec 09, 2021 10:31 am

I offered the client a firewall but they don't want one, because it is an association that does not want to spend a lot of money but remains demanding :)
This is worrying. Either the client hires you for your expertise and goes with your recommendations, or you need to get their wishes and demands in writing and get them to acknowledge in writing that they are not implementing your recommendations.
It's not like adding firewall rules on the router increases the capital expenditure significantly, it's not adding another physical device. (Unless you are charging some mad rate per firewall rule or something...)
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I can't ping between 2 vlan

Thu Dec 09, 2021 12:37 pm

Yes I am very confused............
If you are not aware of how to configure a MT, what is going on here??
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: I can't ping between 2 vlan

Thu Dec 09, 2021 1:03 pm

Check the printer's gateway. Or, as both a quick test and a possible workaround, you can try srcnat:
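/ip firewall nat
# Test/workaround: rewrite the source of every connection to the printer to the
# router's own address on the printer's subnet, so the printer answers the router
# regardless of its own gateway setting. Side effect: the printer no longer sees
# the real client addresses. The action name was misspelled ("masquerage") and
# would have been rejected; the valid action is masquerade.
add chain=srcnat dst-address=192.168.1.100 action=masquerade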
It will make all connections to the printer from other subnets appear as if they come from the router (192.168.1.254). If the problem is the printer's default gateway, this will make it work. But it would still be better to fix the printer's config.

Another possibility is that the printer doesn't accept connections from different subnets, but something like that should probably be configurable.
