arisk
newbie
Topic Author
Posts: 27
Joined: Wed Aug 01, 2018 12:56 pm

Vlans - Ping between hosts fails

Thu Feb 07, 2019 6:00 pm

Hello there,
I'm not very experienced with VLANs yet, so I have this problem:
When I try to ping from one VLAN host to another, it just fails and gives me a "rejected" message. I can't even ping the VLAN interface. No host can ping any other host within the same VLAN.
It doesn't seem to be any of my firewall rules though.
Funny thing is that apart from this problem, everything else in this 3-VLAN topology works as desired.

Here is my export:
# RouterOS export posted by the topic author. Some addresses are masked with
# asterisks in the post; review remarks below are prefixed NOTE(review).
/interface bridge
# One bridge with VLAN filtering enabled and fast-forward disabled.
add fast-forward=no name=bridge.vlans vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-v10-office
set [ find default-name=ether3 ] name=ether3-v10-office
set [ find default-name=ether4 ] name=ether4-v10-office
set [ find default-name=ether5 ] name=ether5-v10-office
set [ find default-name=ether6 ] name=ether6-MS
set [ find default-name=ether7 ] name=ether7-AP0
set [ find default-name=ether8 ] name=ether8-AP1
set [ find default-name=sfp1 ] disabled=yes

/interface vlan
# L3 VLAN interfaces on the bridge; each gets a /24 address under /ip address.
# NOTE(review): all three use arp=proxy-arp, which makes the router answer ARP
# for addresses it can route. Plain inter-VLAN routing does not need it —
# confirm this is intentional.
add arp=proxy-arp interface=bridge.vlans name="vlan10 - office" vlan-id=10
add arp=proxy-arp interface=bridge.vlans name="vlan20 - class" vlan-id=20
add arp=proxy-arp interface=bridge.vlans name="vlan30 - guest" vlan-id=30

/interface list
# These lists are what the firewall rules below match on via
# in-interface-list / out-interface-list; membership is set further down.
add name=WAN
add name=Local.LANs
add name=Trusted.LAN
add name=Special.LANs

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/interface wireless
# wlan1 = office SSID (security-profile=office); wlan2 = guest SSID on
# master-interface wlan1 (security-profile=guest).
# NOTE(review): the "office" and "guest" security profiles are not part of
# this excerpt (only the default profile is shown), so the wireless
# authentication settings cannot be reviewed from this export.
set [ find default-name=wlan1 ] antenna-gain=4 band=2ghz-onlyg comment=\
    "Office" country=australia disabled=no distance=indoors \
    frequency=2462 frequency-mode=regulatory-domain mode=ap-bridge \
    security-profile=office ssid="Office" tx-power-mode=\
    all-rates-fixed vlan-id=10 wireless-protocol=802.11 wps-mode=disabled
add comment="Guest" disabled=no keepalive-frames=disabled \
    mac-address=6E:3B:6B:DF:45:35 master-interface=wlan1 multicast-buffering=\
    disabled name=wlan2 security-profile=guest ssid="Guest" \
    vlan-id=30 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled

/ip pool
# Office pool hands out only .100-.149 of its /24; class and guest use .10-.253.
add name="pool - office" ranges=172.20.3.100-172.20.3.149
add name="pool - class" ranges=172.20.251.10-172.20.251.253
add name="pool - guest" ranges=172.20.250.10-172.20.250.253

/ip dhcp-server
# One DHCP server per VLAN interface, 1-day leases.
add address-pool="pool - office" disabled=no interface="vlan10 - office" \
    lease-time=1d name="dhcp - office"
add address-pool="pool - class" disabled=no interface="vlan20 - class" \
    lease-time=1d name="dhcp - class"
add address-pool="pool - guest" disabled=no interface="vlan30 - guest" \
    lease-time=1d name="dhcp - guest"

/interface bridge port
# Access ports: ether2-5 and wlan1 are untagged in VLAN 10, wlan2 in VLAN 30.
# ether6-MS, ether7-AP0 and ether8-AP1 have no pvid set (default 1 applies)
# and serve as tagged trunks in /interface bridge vlan below.
# NOTE(review): trusted=yes is set on every port. In RouterOS this flag is
# consumed by DHCP snooping, which this export does not enable, so it has no
# visible effect here — confirm it is not a leftover.
add bridge=bridge.vlans interface=ether2-v10-office pvid=10 trusted=yes
add bridge=bridge.vlans interface=ether3-v10-office pvid=10 trusted=yes
add bridge=bridge.vlans interface=ether4-v10-office pvid=10 trusted=yes
add bridge=bridge.vlans interface=ether5-v10-office pvid=10 trusted=yes
add bridge=bridge.vlans interface=wlan1 pvid=10 trusted=yes
add bridge=bridge.vlans interface=wlan2 pvid=30 trusted=yes
add bridge=bridge.vlans interface=ether6-MS trusted=yes
add bridge=bridge.vlans interface=ether8-AP1 trusted=yes
add bridge=bridge.vlans interface=ether7-AP0 trusted=yes

/interface bridge settings
# NOTE(review): use-ip-firewall-for-vlan=yes sends bridged (same-VLAN)
# traffic through /ip firewall filter as well, so host-to-host traffic inside
# a VLAN is subject to the forward chain below. The thread identifies this
# setting as the cause of the intra-VLAN ping failure and the author confirms
# that disabling it resolved the problem; the exact rule that rejected the
# traffic is not shown.
set use-ip-firewall-for-vlan=yes

/interface bridge vlan
# VLAN table: ether6-MS carries 10 and 20 tagged; the AP ports carry 10 and
# 30 tagged; bridge.vlans itself is tagged in all three so the /interface
# vlan interfaces above can reach them. No untagged members are listed.
# NOTE(review): there is no entry for VLAN 1, the default pvid of the three
# trunk ports — untagged frames arriving on those ports have no VLAN-table
# entry to land in; confirm that is the intended behaviour.
add bridge=bridge.vlans tagged=bridge.vlans,ether7-AP0,ether8-AP1,ether6-MS \
    vlan-ids=10
add bridge=bridge.vlans tagged=bridge.vlans,ether6-MS vlan-ids=20
add bridge=bridge.vlans tagged=bridge.vlans,ether7-AP0,ether8-AP1 vlan-ids=30

/interface list member
# Local.LANs = all three VLANs; Trusted.LAN = vlan10 only;
# Special.LANs = vlan20 + vlan30 (not referenced by any rule in this export).
add interface="vlan10 - office" list=Local.LANs
add interface=ether1-WAN list=WAN
add interface="vlan20 - class" list=Local.LANs
add interface="vlan30 - guest" list=Local.LANs
add interface="vlan10 - office" list=Trusted.LAN
add interface="vlan20 - class" list=Special.LANs
add interface="vlan30 - guest" list=Special.LANs

/ip address
# The router is .254 in each VLAN /24.
add address=172.20.3.254/24 interface="vlan10 - office" network=172.20.3.0
add address=172.20.251.254/24 interface="vlan20 - class" network=172.20.251.0
add address=172.20.250.254/24 interface="vlan30 - guest" network=172.20.250.0

/ip dhcp-client
# WAN address is obtained by DHCP on ether1-WAN.
add dhcp-options=hostname,clientid disabled=no interface=ether1-WAN

/ip dhcp-server network
# NOTE(review): office clients are handed dns-server=192.168.68.254 while
# class and guest clients are handed the router's own VLAN address; the
# router itself forwards to 192.168.68.1 (/ip dns below). The .254 vs .1
# difference is not explained in the thread — confirm which is intended.
add address=172.20.3.0/24 dns-server=192.168.68.254 gateway=172.20.3.254
add address=172.20.250.0/24 dns-server=172.20.250.254 gateway=172.20.250.254
add address=172.20.251.0/24 dns-server=172.20.251.254 gateway=172.20.251.254

/ip dns
# allow-remote-requests=yes makes the router a resolver for clients. The
# input chain below only admits that on UDP/53 from Local.LANs (no TCP/53
# rule) and the final input drop keeps it closed towards WAN.
set allow-remote-requests=yes servers=192.168.68.1

/ip firewall filter
# INPUT (traffic to the router itself).
# First rule: unconditional accept, all protocols and ports, from one masked
# source address.
add action=accept chain=input comment=\
    "Accept All Access From Router" src-address=*********
# PPTP control channel from a masked source. NOTE(review): PPTP is a legacy
# VPN whose authentication is widely considered weak; if it is still needed
# note also that PPTP relies on GRE (protocol 47), which no input rule
# accepts other than via the first rule's source.
add action=accept chain=input comment="Accept PPTP VPN" dst-port=1723 \
    protocol=tcp src-address=*********
# Router DNS reachable on UDP/53 from all three VLANs.
add action=accept chain=input comment="Accept DNS Request to Router (UDP)" \
    dst-port=53 in-interface-list=Local.LANs protocol=udp
# Management (Winbox, WWW on non-default ports) only from Trusted.LAN, i.e.
# vlan10. The author states later in the thread that these port numbers are
# placeholders, not the real ones.
add action=accept chain=input comment="Accept Inside Trusted Winbox Access" \
    dst-port=35653 in-interface-list=Trusted.LAN protocol=tcp
add action=accept chain=input comment="Accept Inside Trusted Web Access" \
    dst-port=7070 in-interface-list=Trusted.LAN protocol=tcp
# DHCP (UDP/67) accepted from Trusted.LAN only, although DHCP servers also
# run on vlan20/vlan30. The thread notes the RouterOS DHCP server does not
# need an input rule — confirm before relying on that.
add action=accept chain=input comment="Accept DHCP Requests" dst-port=67 \
    in-interface-list=Trusted.LAN protocol=udp
# Placed after the port-specific rules; the replies recommend moving it to
# the top so packets of tracked connections skip the rules above.
add action=accept chain=input comment=\
    "Allow Established & Related Connections to Router" connection-state=\
    established,related
# Default deny for input. NOTE(review): no rule in this chain accepts icmp,
# so pings to the router's VLAN addresses from any host other than the first
# rule's source are dropped here — consistent with the author's report that
# the VLAN interface itself cannot be pinged.
add action=drop chain=input comment="Drop All Others to Router"
# FORWARD (traffic through the router, and — with use-ip-firewall-for-vlan —
# bridged traffic inside a VLAN).
# Accept everything from one masked source address.
add action=accept chain=forward comment=\
    "Accept All Access From LAN" src-address=**********
add action=accept chain=forward comment="Accept NTP Requests from clients" \
    dst-port=123 in-interface-list=Local.LANs out-interface-list=WAN \
    protocol=udp
# NOTE(review): this "replies" rule matches src-port=123 in the same LAN->WAN
# direction as the rule above, so it does not describe NTP return traffic;
# replies arrive WAN->LAN and are covered by the established/related rule
# below. The accepted answer recommends removing it.
add action=accept chain=forward comment="Allow NTP Replies to clients" \
    in-interface-list=Local.LANs out-interface-list=WAN protocol=udp \
    src-port=123
# NOTE(review): connection-state includes "new", so this accepts the first
# packet of any tracked connection in any direction, including between the
# VLANs; the drop below then only sees untracked/invalid packets. The author
# later confirms a vlan10 host could ping vlan20/vlan30 hosts with this rule
# in place.
add action=accept chain=forward comment=\
    "Allow Established & Related Connections to clients" connection-state=\
    established,related,new
# Forward default deny.
add action=drop chain=forward comment="Drop All Other to LAN"
# OUTPUT (traffic originated by the router). NOTE(review): anything the
# router itself originates that is not listed below (e.g. pings from the
# router, NTP client, anything not on UDP/TCP 53 towards WAN) is dropped by
# the final rule. The author later concludes these rules are unnecessary.
add action=accept chain=output comment="Allow all to Us" dst-address=\
   ******** out-interface-list=WAN
add action=accept chain=output comment=\
    "Allow DNS Requests to Remote DNS servers (UDP)" dst-port=53 \
    out-interface-list=WAN protocol=udp
add action=accept chain=output comment=\
    "Allow DNS Requests to Remote DNS servers (TCP)" dst-port=53 \
    out-interface-list=WAN protocol=tcp
add action=accept chain=output comment=\
    "Allow Established & Related Connections" connection-state=\
    established,related
add action=drop chain=output comment="Drop All Others from Router"
/ip firewall nat
# Source NAT for everything leaving via ether1-WAN.
add action=masquerade chain=srcnat out-interface=ether1-WAN
# Disabled dst-nat from vlan10 to a masked address. NOTE(review):
# to-addresses=172.3.20.0/24 matches no subnet in this export (the office
# subnet is 172.20.3.0/24) and looks like a transposition; the author says
# the rule was forgotten and is not needed.
add action=dst-nat chain=dstnat disabled=yes dst-address=********* \
    in-interface="vlan10 - office" to-addresses=172.3.20.0/24

# MAC-server, MAC-Winbox and MAC ping are all disabled: no layer-2 management
# access to the router from any interface.
/tool mac-server
set allowed-interface-list=none

/tool mac-server mac-winbox
set allowed-interface-list=none

/tool mac-server ping
set enabled=no
Could anyone give me some help with this?
 
mkx
Forum Guru
Forum Guru
Posts: 13151
Joined: Thu Mar 03, 2016 10:23 pm

Re: Vlans - Ping between hosts fails

Thu Feb 07, 2019 6:33 pm

Any good reason for this setting?
/interface bridge settings
set use-ip-firewall-for-vlan=yes
I'd say it applies to intra-vlan communication (inter-vlan is L3 and subject to firewall without any special settings)
 
anav
Forum Guru
Forum Guru
Posts: 22235
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlans - Ping between hosts fails  [SOLVED]

Thu Feb 07, 2019 7:22 pm

Concur, I would avoid that rule and stick to normal /ip firewall filter rules.

(1) Perhaps something missing.............
/interface bridge vlan
add bridge=bridge.vlans untagged=eth2, eth3, eth4, eth5, vlan-ids=10

(2) Don't see how dns is resolved. You have no entries (1.1.1.1 or 8.8.8.8 for example) and you do not have use ISP dns indicated in your client rule??

(3) I don't like your firewall filter INPUT rules.........
Order is off, I would expect to see established related FIRST.

(4) Why do you have anything for PORT 67 in here??

(5) I would not personally put ANY ports in my input rules and post them publicly here; I'm assuming they are fake, otherwise it's clear what ports your Winbox and, I guess, SSH are set to. You should only provide access to the ROUTER from specific IPs and/or subnets and keep the ports out of the picture in filter rules, as there are other places to put them, i.e. in services for example.

(6) I'm assuming DNS is not being given to the other LANs because they will not have users that are going out to the internet???? Why just UDP — don't we need both TCP and UDP?

FORWARD

(7) Same comment, established/related should be the first rule. I have not seen "NEW" as an argument on 99.99 percent of filter rules — why is it included??

(8) This rule makes no sense and should be removed.
add action=accept chain=forward comment="Allow NTP Replies to clients" \
in-interface-list=Local.LANs out-interface-list=WAN protocol=udp \
src-port=123
The rule just above it, with the correct format (dst-port=123), will have its return traffic accepted as an established/related connection.

(9) You have some output rules, and by the way, I have never seen output rules used before, so ask again, Why are they necessary??

(10) What is the purpose of this rule? Is it basically what is allowed LAN to WAN (typically it's done by subnet, by VLAN etc., so this is confusing)?
add action=accept chain=forward comment=\
"Accept All Access From LAN" src-address=**********

Normally it could look like.........
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
HomeBridge out-interface-list=WAN



NAT
(11) What is the functional purpose of this rule?? I cannot comment on its validity unless I understand what is attempting to be accomplished.
add action=dst-nat chain=dstnat disabled=yes dst-address=********* \
in-interface="vlan10 - office" to-addresses=172.3.20.0/24
 
arisk
newbie
Topic Author
Posts: 27
Joined: Wed Aug 01, 2018 12:56 pm

Re: Vlans - Ping between hosts fails

Fri Feb 08, 2019 2:03 pm

Problem solved. Thank you so much for your answers, both of you.
Disabling the VLAN firewall setting did the trick.

Anav, I'm grateful that you took the time to correct me and advise me on 11 points! I tried to reform my firewall following your advice.
Sorry for all the nonsense you saw; this was the first time I set up a topology and firewall completely on my own.

Let me comment your points.
(1) I hadn't set any untagged ports because I read on the wiki that it makes no difference. If you don't set any untagged interfaces, they are automatically set untagged as traffic comes in.
(2) The IP of the ISP router - 192.168.68.1 - that connects to the MikroTik is set as the DNS server.
(3) I rearranged the order the way you recommended.
(4) I thought that it was necessary to allow DHCP requests to the router. After your comment I searched a little about it, and I read that DHCP uses a raw socket and for that reason you don't need to make any rule.
What a raw socket is I don't know, but I'll find out.
(5) You are right, but these ports are fake. I use others.
(6) For some reason the other VLANs had an internet connection with their own interface as DNS, but what you say seems better to me. So I set my WAN as the DNS for all the VLANs.
(7,8&10) I replaced
add action=accept chain=forward comment=\
    "Accept All Access From LAN" src-address=**********
add action=accept chain=forward comment="Accept NTP Requests from clients"
with
# Replacement forward rules: the accept is now limited to traffic leaving via
# ether1-WAN, so VLAN-to-VLAN traffic no longer matches it and (assuming the
# chain's final drop is kept) is dropped — that is what isolates the VLANs.
# "new" has been removed from the connection-state list.
add action=accept chain=forward comment="Accept LAN traffic through WAN" out-interface=ether1-WAN
add action=accept chain=forward comment="Allow Established & Related Connections to clients" connection-state=\
    established,related
To emphasise the benefit of this: the VLANs are now isolated (with the previous rule, once I disabled the VLAN firewall, a vlan10 host could ping a vlan20 or vlan30 host), and pings can only happen between two hosts of the same VLAN.

(9) I was not sure at all about that; I just thought that output rules might be needed for the router to initiate connections to the outside world or to an authoritative DNS server.
Now that I think about it this is nonsense, because the established/related rules on the other two chains cover this need. As for the DNS requests, that's why you set the ISP's router as the local DNS.

(11) I just forgot to erase this rule. I will not need it after all.

Again thanks a lot.
 
anav
Forum Guru
Forum Guru
Posts: 22235
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Vlans - Ping between hosts fails

Fri Feb 08, 2019 5:25 pm

No worries, feel free to post your config again and I will take out my red and blue and green pen. :-)