Hi,
This is so simple I'm really surprised it's giving me so much headache.
Last year I bought a hEx and using the initial instructions made only the absolutely required configuration to get it working with my ISP (in ether1, that's the default), then plugged all the other stuff in ether2...ether5, checked that internet connectivity works and got on with my life, only checking in every now and then to see that the firmware is up to date. No problems there.
Fast forward to this week when I finally needed my computers, all located in the same lan (192.168.88.0/24, again everything default) to talk to each other. Noticed they weren't doing that - no ping, no http, no nothing. I had assumed the default config would enable routing within lan, with this being a SOHO for-dummies model, but apparently not!
It looks like all the right ports are in the same bridge and since they're in the same subnet this should just work unless the firewall isn't playing nicely, so I added a forward chain accept firewall rule right after the drop invalid rule for any traffic that doesn't come from WAN. I can see my http packets increasing the packet count on that rule but it's still not working... I've also tried modifying the rule in various ways.
Being rather inexperienced with firewall and router configuration (I understand the theory but have rarely needed to do anything in practice) this has left me scratching my head. I'm 100% certain that the default config is stupid and 110% sure I'm making some stupid mistake trying to fix it but I just can't figure out what it is that I'm doing wrong. I tried Google searches and previous posts on this forum but didn't find the solution. Someone care to explain what I need to do to make this actually work?
Re: hEx not routing between hosts in same lan
Traffic on the LAN does not go via the firewall, unless you have bridge filtering enabled.
Have you checked things like you have the correct subnet mask etc
eg the IP on the bridge should be 192.168.88.1/24
Also check the DHCP leases.
Check on the connected machines that they also are getting the correct netmask
Have you checked things like you have the correct subnet mask etc
eg the IP on the bridge should be 192.168.88.1/24
Also check the DHCP leases.
Check on the connected machines that they also are getting the correct netmask
Re: hEx not routing between hosts in same lan [SOLVED]
You are correct, all on the same subnet on the same bridge. The only reason they cannot find each other would be due to firewalls on each PC.
To confirm, post your complete config
/export file=anynamewyouwant ( minus router serial number and any public WANIP information )
To confirm, post your complete config
/export file=anynamewyouwant ( minus router serial number and any public WANIP information )
Re: hEx not routing between hosts in same lan
The only reason they cannot find each other would be due to firewalls on each PC.
Well I use one more way to make this happen ( eg splitting 5GHz wifi devices from 2.4GHz wifi devices), or separating devices on one AP from another AP, in a fully bridged LAN.... Set same "horizon" value on those bridge ports, in the interconnecting bridge. (Use case : all can connect to internet, no inter-device connections)
Re: hEx not routing between hosts in same lan
That would be an EDGE case jajajajaja, I don't think the OP has gone out of his way with fancy configuration modifications not exactly mainstream knowledge, to sabotage his own connectivity.
Re: hEx not routing between hosts in same lan
Fully agree @anav! It's out of scope here.
But "the only reason" statement just triggered, my "in my managed networks often used (!) advanced config" reaction. Couldn't resist posting this.
Used with 100's of non-related users, that get internet via wifi, but should not interfere or interact with each other (virusses, skype, dropbox, NTLM broadcasts, Bonjour, .... etc)
Creating a "tree styled" isolated free-wifi network.
But "the only reason" statement just triggered, my "in my managed networks often used (!) advanced config" reaction. Couldn't resist posting this.
Used with 100's of non-related users, that get internet via wifi, but should not interfere or interact with each other (virusses, skype, dropbox, NTLM broadcasts, Bonjour, .... etc)
Creating a "tree styled" isolated free-wifi network.
Re: hEx not routing between hosts in same lan
So what does horizon value do or not do.... whilst waiting for OP response 
Re: hEx not routing between hosts in same lan
Like I wrote, I haven't done anything fancy.
DHCP leases are OK and all computers get netmask 255.255.255.0 like they should IMO.
DHCP leases are OK and all computers get netmask 255.255.255.0 like they should IMO.
You do not have the required permissions to view the files attached to this post.
Re: hEx not routing between hosts in same lan
Current config:
Code: Select all
# jan/11/2024 16:21:47 by RouterOS 6.49.11
# software id = EWIU-FRB3
/interface bridge
add admin-mac=(censored) auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="custom: allow peer to peer in local lan" connection-state=established,related,new,untracked in-interface-list=!WAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set www-ssl disabled=no tls-version=only-1.2
/system clock
set time-zone-name=Europe/Helsinki
/system identity
set name=M5hEX
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-ip-address=0.0.0.0/0 filter-port=5001
Re: hEx not routing between hosts in same lan
See, I told you I was doing something stupidYou are correct, all on the same subnet on the same bridge. The only reason they cannot find each other would be due to firewalls on each PC.
To confirm, post your complete config
/export file=anynamewyouwant ( minus router serial number and any public WANIP information )
The reason WAS overzealous firewall configurations in ALL of the PCs on the network. It's going to take a while for me to reconfigure them but I have a couple of machines pinging each others successfully now. Thanks - if you hadn't suggested that my config is actually just fine I wouldn't have taken a closer look at the local firewalls.
P.S. Wasn't me setting them up like that, at least I can dodge the blame for that...
Re: hEx not routing between hosts in same lan
From MT wiki ...So what does horizon value do or not do.... whilst waiting for OP response
"Bridge horizon feature allows to configure bridge ports with horizon setting so that packet received over port with horizon value X is not forwarded or flooded to any port with the same horizon value X."
As said, I use this to separate wifi interfaces in the AP (no forwarding in wifi is valid for devices on the same wifi interface).
Powerbox with multiple AP's connected: AP's are on same horizon in Powerbox bridge, uplink horizon is not set.
This stops those chatty broadcasts between client devices.
Re: hEx not routing between hosts in same lan
Why needed if you use vlans to separate networks?
In what case would you need to separate 2.4ghz users from 5 ghz users on the same VLAN???
In what case would you need to separate 2.4ghz users from 5 ghz users on the same VLAN???
Re: hEx not routing between hosts in same lan
FWIW... Most Window's versions block ping, by default. That's a quick way to think things aren't working, when they are working.The reason WAS overzealous firewall configurations in ALL of the PCs on the network
Re: hEx not routing between hosts in same lan
This is off topic, but separating clients on a LAN is important in a wifi network.
Clients do talk (multicast, broadcast) a lot, without telling the owner.
Windows, Apple IOS, mDNS, Bonjour, dropbox, Skype, Microsoft Bits , .... all try to find help in neigboring devices.
These broadcasts/multicast do use "basic rates" (6Mbps, even 1Mbps sometimes) in wifi, consuming a lot of airtime.
Your school, campus or event network will be easily overloaded with this.
Imagine , just one iPhone , seeking it's home printer on an event, with Bonjour broadcast. Event has 50 AP's bridged together, for 400 devices (my case!) , all AP's will broadcast that Bonjour message, at basic rate. My other brand AP's yell "network busy" in the log, as not able to broadcast their beacon at that time.
Devices are in the same (V)LAN, because they are all there for the same purpose: students, visitors, public on event, employees, trade fair visitors, people at CES2024, shopping hall, city network, ... etc etc. , but they are not supposed to work together or offer services to each other. (Or virus infect each others device).
I separate all users in wifi. That's why there is the (non-)forwarding setting in the wifi options. But non-forwarding works only within the same (SSID) network. 2.4GHz and 5 GHz connections can still communicate to some opposite side. (other wifi interface, or other AP)
The requirements for your home network will differ. e.g. You may want to cast from a 2.4GHz device to your 5 GHz TV set.
Clients do talk (multicast, broadcast) a lot, without telling the owner.
Windows, Apple IOS, mDNS, Bonjour, dropbox, Skype, Microsoft Bits , .... all try to find help in neigboring devices.
These broadcasts/multicast do use "basic rates" (6Mbps, even 1Mbps sometimes) in wifi, consuming a lot of airtime.
Your school, campus or event network will be easily overloaded with this.
Imagine , just one iPhone , seeking it's home printer on an event, with Bonjour broadcast. Event has 50 AP's bridged together, for 400 devices (my case!) , all AP's will broadcast that Bonjour message, at basic rate. My other brand AP's yell "network busy" in the log, as not able to broadcast their beacon at that time.
Devices are in the same (V)LAN, because they are all there for the same purpose: students, visitors, public on event, employees, trade fair visitors, people at CES2024, shopping hall, city network, ... etc etc. , but they are not supposed to work together or offer services to each other. (Or virus infect each others device).
I separate all users in wifi. That's why there is the (non-)forwarding setting in the wifi options. But non-forwarding works only within the same (SSID) network. 2.4GHz and 5 GHz connections can still communicate to some opposite side. (other wifi interface, or other AP)
The requirements for your home network will differ. e.g. You may want to cast from a 2.4GHz device to your 5 GHz TV set.
Re: hEx not routing between hosts in same lan
True, and Windows clients did have ping blocked. They had almost everything else blocked as well, and Linux clients were pretty restricted too. Taught me to double checkFWIW... Most Window's versions block ping, by default. That's a quick way to think things aren't working, when they are working.The reason WAS overzealous firewall configurations in ALL of the PCs on the network
Re: hEx not routing between hosts in same lan
The only reason they cannot find each other would be due to firewalls on each PC.
Well I use one more way to make this happen ( eg splitting 5GHz wifi devices from 2.4GHz wifi devices), or separating devices on one AP from another AP, in a fully bridged LAN.... Set same "horizon" value on those bridge ports, in the interconnecting bridge. (Use case : all can connect to internet, no inter-device connections)
...
I separate all users in wifi. That's why there is the (non-)forwarding setting in the wifi options. But non-forwarding works only within the same (SSID) network. 2.4GHz and 5 GHz connections can still communicate to some opposite side. (other wifi interface, or other AP)
The requirements for your home network will differ. e.g. You may want to cast from a 2.4GHz device to your 5 GHz TV set.
Such a slick way of separating clients with bridge split-horizon! May I ask whether this method of separating the clients require less resources than achieving the same with firewall (despite that it disables hardware offloading)? or the reason for using this method is due to interoperability needs?
Re: hEx not routing between hosts in same lan
Don't know about resources.
Losing HW offfload for wifi interfaces looks less impact, as the wifi interfaces are not serviced by the switch hardware, but via CPU anyway.
"Use IP firewall" is an option setting for the bridge, but that is not HW offloadable.
So in the AP, using bridge split-horizon should have minor performance impact, by losing the HW offload.
There is more than IP on a network, and the limitation of broadcast/multicast (based on MAC addresses) is what we are after with this.
The "default" default setting for the "Multicast Helper" equals "OFF" or "Disabled", so multicasts and broadcasts go for those slow basic rates in wifi.
AP's in a house in the resort are uplink connected via CSS106, with crosstalk among them disabled in SWOS.
So maybe it should also be handled in the switch settings of the Powerbox Pro, not in the bridge settings, to have the switch hardware do the work.
Network is not all-star-topology any more, after changing the design to a backbone bus-topology . Using consistent split-horizon on that bus structure is not easy.
Now using VLANs starting from the internet connection router, to separate the users in 4 groups (200 per group). The off-branches from the backbone are again pure star-topology
Off branches are (SXT SA5 - (SXT sq 5 - CSS106- (hAP ac2 - wAP ac - cAP ac))).
Users can roam in their assigned VLAN over multiple hAP,wAP,cAP in multiple houses, without losing their internet session.
Losing HW offfload for wifi interfaces looks less impact, as the wifi interfaces are not serviced by the switch hardware, but via CPU anyway.
"Use IP firewall" is an option setting for the bridge, but that is not HW offloadable.
So in the AP, using bridge split-horizon should have minor performance impact, by losing the HW offload.
There is more than IP on a network, and the limitation of broadcast/multicast (based on MAC addresses) is what we are after with this.
The "default" default setting for the "Multicast Helper" equals "OFF" or "Disabled", so multicasts and broadcasts go for those slow basic rates in wifi.
AP's in a house in the resort are uplink connected via CSS106, with crosstalk among them disabled in SWOS.
So maybe it should also be handled in the switch settings of the Powerbox Pro, not in the bridge settings, to have the switch hardware do the work.
Network is not all-star-topology any more, after changing the design to a backbone bus-topology . Using consistent split-horizon on that bus structure is not easy.
Now using VLANs starting from the internet connection router, to separate the users in 4 groups (200 per group). The off-branches from the backbone are again pure star-topology
Off branches are (SXT SA5 - (SXT sq 5 - CSS106- (hAP ac2 - wAP ac - cAP ac))).
Users can roam in their assigned VLAN over multiple hAP,wAP,cAP in multiple houses, without losing their internet session.
Re: hEx not routing between hosts in same lan
...
Losing HW offfload for wifi interfaces looks less impact, as the wifi interfaces are not serviced by the switch hardware, but via CPU anyway.
"Use IP firewall" is an option setting for the bridge, but that is not HW offloadable.
So in the AP, using bridge split-horizon should have minor performance impact, by losing the HW offload.
There is more than IP on a network, and the limitation of broadcast/multicast (based on MAC addresses) is what we are after with this.
The "default" default setting for the "Multicast Helper" equals "OFF" or "Disabled", so multicasts and broadcasts go for those slow basic rates in wifi.
...
Now using VLANs starting from the internet connection router, to separate the users in 4 groups (200 per group). The off-branches from the backbone are again pure star-topology
Off branches are (SXT SA5 - (SXT sq 5 - CSS106- (hAP ac2 - wAP ac - cAP ac))).
Users can roam in their assigned VLAN over multiple hAP,wAP,cAP in multiple houses, without losing their internet session.
Thank you for the detailed explanation and the insight on your design. If I understand right bridge IGMP/MLD snooping without the bridge split-horizon would not help either since it is for IP and also because current mobile devices are quite chatty.