lpetrov
just joined
Topic Author
Posts: 22
Joined: Sun Apr 28, 2024 8:19 pm

Cannot ping from console VETH interface in containers bridge

Sun Sep 15, 2024 10:13 am

I can't figure out why I cannot ping the VETH interface attached to the containers bridge.
Here is my configuration:
# 2024-09-14 22:30:29 by RouterOS 7.14.3
# software id =  [REMOVED]
#
# model = RB5009UG+S+
# serial number =  [REMOVED]
#
# Two bridges: br-Uplink is the VLAN-filtered LAN bridge; "containers" is a
# separate flat (non-VLAN) bridge whose only port is veth1 (see bridge ports).
/interface bridge
add name=br-Uplink port-cost-mode=short vlan-filtering=yes
add name=containers
/interface ethernet
set [ find default-name=ether1 ] comment="POE swith /wi-fi" name=\
    ether1-LAN-Hybrid
set [ find default-name=ether2 ] comment=proxmox name=ether2-LAN-Hybrid
set [ find default-name=ether3 ] comment="ABB IPS 2.1" name=ether3-LAN-Access
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether7 ] comment=mngmnt name=ether7-LAN-mngmnt
set [ find default-name=ether8 ] name=ether8-WAN-Static
set [ find default-name=sfp-sfpplus1 ] disabled=yes
# veth1 is the container side of the 172.17.0.0/24 link; its gateway is the
# router's own address on the "containers" bridge (assigned under /ip address).
/interface veth
add address=172.17.0.2/24 gateway=172.17.0.1 gateway6="" name=veth1
# WireGuard listens on UDP 14567; the matching input accept rule is in
# /ip firewall filter.
/interface wireguard
add listen-port=14567 mtu=1420 name=wireguard1
/interface vlan
add comment="Management VLAN" interface=br-Uplink name=Management-10 vlan-id=\
    10
add comment="Smart Home VLAN" interface=br-Uplink name="Smart Home-30" \
    vlan-id=30
add comment="Users VLAN" interface=br-Uplink name=Users-100 vlan-id=100
add comment="Servers VLAN" interface=br-Uplink name=vlan20-Servers vlan-id=20
# Interface lists referenced by the firewall: LAN/WAN for forwarding, MGMT for
# management access (firewall input, neighbor discovery, MAC-Winbox).
/interface list
add name=LAN
add name=WAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_management_pool ranges=192.168.10.242-192.168.10.249
add name=dhcp_users_pool ranges=192.168.100.100-192.168.100.249
add name=dhcp_smarthome_pool ranges=192.168.30.100-192.168.30.249
add name=dhcp_servers_pool ranges=192.168.12.242-192.168.12.254
/ip dhcp-server
add address-pool=dhcp_management_pool interface=Management-10 name=\
    dhcp-management
add address-pool=dhcp_users_pool interface=Users-100 name=dhcp-users
add address-pool=dhcp_smarthome_pool interface="Smart Home-30" name=\
    "dhcp-smart home"
add address-pool=dhcp_servers_pool interface=vlan20-Servers name=dhcp-servers
# AdGuard container bound to veth1, started on boot, images pulled from
# Docker Hub; its temp dir lives on the USB stick (usb1-part1).
/container
add interface=veth1 logging=yes root-dir=/Adguard start-on-boot=yes workdir=\
    /opt/adguardhome/work
/container config
set registry-url=https://registry-1.docker.io tmpdir=usb1-part1
# Access ports (ether3, ether4, ether7) admit only untagged / priority-tagged
# frames, so a host on them cannot send 802.1Q-tagged frames into other VLANs.
# ether1/ether2 are hybrid ports (trunk with a PVID for untagged traffic).
/interface bridge port
add bridge=br-Uplink comment="unmanaged switch poe" interface=\
    ether1-LAN-Hybrid internal-path-cost=10 path-cost=10 pvid=30
add bridge=br-Uplink comment=proxmox interface=ether2-LAN-Hybrid pvid=20
add bridge=br-Uplink comment="ABB IPS" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3-LAN-Access pvid=\
    30
add bridge=br-Uplink comment="office(right socket)" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4-LAN pvid=10
add bridge=br-Uplink comment=unknown frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether7-LAN-mngmnt pvid=\
    10
add bridge=containers interface=veth1
/ip firewall connection tracking
set udp-timeout=10s
# Neighbor discovery only answers on MGMT interfaces.
/ip neighbor discovery-settings
set discover-interface-list=MGMT
# Static VLAN table for br-Uplink. VLAN 10 has no untagged member listed here;
# ether4/ether7 are expected to join it through their pvid=10 — confirm with
# /interface/bridge/vlan print that the dynamic entries are present.
/interface bridge vlan
add bridge=br-Uplink tagged=ether2-LAN-Hybrid,br-Uplink untagged=\
    ether1-LAN-Hybrid,ether3-LAN-Access vlan-ids=30
add bridge=br-Uplink comment="wifi users" tagged=\
    ether1-LAN-Hybrid,br-Uplink,ether2-LAN-Hybrid vlan-ids=100
add bridge=br-Uplink tagged=ether1-LAN-Hybrid,br-Uplink,ether2-LAN-Hybrid \
    vlan-ids=10
add bridge=br-Uplink tagged=ether1-LAN-Hybrid,br-Uplink untagged=\
    ether2-LAN-Hybrid vlan-ids=20
# wireguard1 is in both LAN and MGMT: remote peers get LAN-level forwarding
# and, if their source IP is on the "Authorized" list, management access.
# The "containers" bridge is deliberately in neither list.
/interface list member
add interface=ether8-WAN-Static list=WAN
add interface=Management-10 list=LAN
add disabled=yes interface=br-Uplink list=LAN
add interface=Users-100 list=LAN
add interface=wireguard1 list=LAN
add interface=wireguard1 list=MGMT
add interface=Management-10 list=MGMT
add interface="Smart Home-30" list=LAN
add interface=vlan20-Servers list=LAN
# Each peer is pinned to a single /32 allowed-address, so one peer cannot
# source traffic as another peer's tunnel address. Peers .3 and .4 are pushed
# the AdGuard container (172.17.0.2) as their DNS server.
/interface wireguard peers
add allowed-address=10.10.20.2/32 comment= [REMOVED] interface=wireguard1 \
    public-key= [REMOVED]
add allowed-address=10.10.20.3/32 client-dns=172.17.0.2 comment=\
     [REMOVED] interface=wireguard1 public-key=[REMOVED]
add allowed-address=10.10.20.4/32 client-dns=172.17.0.2 interface=wireguard1 \
    public-key= [REMOVED]
# 172.17.0.1/24 on the "containers" bridge is the router's end of the link to
# veth1 (172.17.0.2) — the address the topic author is trying to ping.
/ip address
add address= [REMOVED] interface=ether8-WAN-Static network= [REMOVED]
add address=192.168.12.1/24 interface=vlan20-Servers network=192.168.12.0
add address=192.168.100.1/24 interface=Users-100 network=192.168.100.0
add address=192.168.10.1/24 interface=Management-10 network=192.168.10.0
add address=192.168.30.1/24 interface="Smart Home-30" network=192.168.30.0
add address=10.10.20.1/24 interface=wireguard1 network=10.10.20.0
add address=172.17.0.1/24 interface=containers network=172.17.0.0
# Static leases. NOTE(review): 192.168.10.250 is also on the "Authorized"
# address-list below; that authorization is by source IP only, a lease does not
# bind it to this MAC.
/ip dhcp-server lease
add address=192.168.10.250 client-id= [REMOVED] comment=\
     [REMOVED] mac-address= [REMOVED] server=dhcp-management
add address=192.168.10.6 client-id= [REMOVED] comment=\
    "TP Link EAP 615 Bedroom" mac-address= [REMOVED] server=\
    dhcp-management
add address=192.168.10.5 client-id= [REMOVED] comment=\
    "TP Link EAP 615 Living Room" mac-address= [REMOVED] server=\
    dhcp-management
add address=192.168.100.204 client-id=1:48:a6:b8:7:73:e2 comment="Sonos ARC" \
    mac-address=48:A6:B8:07:73:E2 server=dhcp-users
add address=192.168.100.249 client-id=1:72:70:2a:fe:13:ab comment=\
    "iPad Living Room" mac-address=72:70:2A:FE:13:AB server=dhcp-users
add address=192.168.100.203 client-id=1:54:2a:1b:23:ee:38 comment="Sonos SUB" \
    mac-address=54:2A:1B:23:EE:38 server=dhcp-users
add address=192.168.100.202 client-id=1:f0:f6:c1:c5:cf:d4 comment=\
    "Sonos ERA 300" mac-address=F0:F6:C1:C5:CF:D4 server=dhcp-users
add address=192.168.100.201 client-id=1:f0:f6:c1:c5:cf:58 comment=\
    "Sonos ERA 300" mac-address=F0:F6:C1:C5:CF:58 server=dhcp-users
add address=192.168.30.2 client-id=1:2:78:7f:7f:66:2e comment=\
    "Home Assistant" mac-address=02:78:7F:7F:66:2E server="dhcp-smart home"
add address=192.168.30.205 client-id=1:64:d2:c4:e1:f5:dc comment=\
    "Apple TV Bedroom - Wireless" mac-address=64:D2:C4:E1:F5:DC server=\
    "dhcp-smart home"
add address=192.168.30.3 comment="ABB IPS2.1 (KNX)" mac-address=\
    00:0C:DE:93:50:5A server="dhcp-smart home"
add address=192.168.30.250 client-id=1:b0:a4:60:9a:8c:1a comment=\
    "YOGA camelot" mac-address=B0:A4:60:9A:8C:1A server="dhcp-smart home"
add address=192.168.100.250 client-id=1:b0:a4:60:9a:8c:1a comment=\
    "YOGA castle" mac-address=B0:A4:60:9A:8C:1A server=dhcp-users
add address=192.168.30.4 client-id=1:0:24:6d:2:a6:6c comment=1HOME \
    mac-address=00:24:6D:02:A6:6C server="dhcp-smart home"
add address=192.168.30.5 client-id=1:64:d2:c4:d4:fb:c7 comment=\
    "Apple TV Bedroom - Wired" mac-address=64:D2:C4:D4:FB:C7 server=\
    "dhcp-smart home"
add address=192.168.12.244 client-id=1:3c:2a:f4:4c:81:e8 comment=\
    "Brother HL-3170CDW Printer" mac-address=3C:2A:F4:4C:81:E8 server=\
    dhcp-servers
add address=192.168.30.251 client-id=1:e2:2e:15:51:59:4e comment=\
    "Lubo Ipad Pro" mac-address=E2:2E:15:51:59:4E server="dhcp-smart home"
add address=192.168.100.251 client-id=1:9a:62:bd:95:32:39 comment=\
    "Lubo IPhone 15 Pro" mac-address=9A:62:BD:95:32:39 server=dhcp-users
add address=192.168.30.252 client-id=1:36:aa:c:fc:82:7d comment=\
    "Lubo IPhone 15 Pro" mac-address=36:AA:0C:FC:82:7D server=\
    "dhcp-smart home"
# Every subnet is handed the AdGuard container first and 8.8.8.8 second.
# NOTE(review): if the container is down, clients will typically fall back to
# 8.8.8.8 and bypass AdGuard filtering silently.
/ip dhcp-server network
add address=192.168.10.0/24 comment=mngmt dns-server=172.17.0.2,8.8.8.8 \
    gateway=192.168.10.1
add address=192.168.12.0/24 comment=servers dns-server=172.17.0.2,8.8.8.8 \
    gateway=192.168.12.1
add address=192.168.30.0/24 comment="smart home" dns-server=\
    172.17.0.2,8.8.8.8 gateway=192.168.30.1
add address=192.168.100.0/24 comment=users dns-server=172.17.0.2,8.8.8.8 \
    gateway=192.168.100.1
# allow-remote-requests=yes turns the router into a resolver for its clients;
# the input chain only accepts port 53 from in-interface-list=LAN, so the
# resolver is not reachable from the WAN interface.
/ip dns
set allow-remote-requests=yes servers=172.17.0.2,8.8.8.8
# "Authorized" holds the admin source IPs allowed to reach management.
# "Svetulcho" is defined but not referenced by any rule in this export.
/ip firewall address-list
add address=192.168.12.0/24 list=Servers
add address=192.168.100.0/24 list=Users
add address=192.168.30.0/24 list=SmartHome
add address=192.168.12.0/24 list=LAN
add address=192.168.30.0/24 list=LAN
add address=192.168.10.0/24 list=LAN
add address=192.168.100.0/24 list=LAN
add address=88.203.229.253 list=Svetulcho
add address=192.168.10.250 comment="admin local" list=Authorized
add address=192.168.30.250 comment="admin wifi" disabled=yes list=Authorized
add address=10.10.20.2 comment="admin remote wireguard" list=Authorized
add address=10.10.20.3 comment="admin remote ios wireguard" list=Authorized
add address=192.168.100.251 comment="admin wifi" disabled=yes list=Authorized
add address=10.10.20.4 comment="admin remote ios wireguard" list=Authorized
add address=10.10.20.0/24 list=LAN
# forward chain: established/related is fasttracked, then only the explicit
# allows below (LAN->WAN, LAN->Plex/Home Assistant/AdGuard, MGMT->LAN for
# Authorized sources, dst-natted connections, containers->WAN) pass before a
# final drop — inter-VLAN traffic is denied by default.
# The "containers" bridge is in no interface list, so the container's only
# outbound path is ether8-WAN-Static; it cannot initiate to the internal VLANs.
# input chain: ICMP is accepted from any interface (including WAN); management
# is limited to MGMT interfaces + Authorized sources; DNS only from LAN.
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow access from LAN to Plex" \
    dst-address=192.168.12.140 dst-port=32400 protocol=tcp src-address-list=\
    LAN
add action=accept chain=forward comment=\
    "allow access from LAN to Home Assistant" dst-address=192.168.30.2 \
    dst-port=8123 protocol=tcp src-address-list=LAN
add action=accept chain=forward comment="LAN to Adguard" dst-address=\
    172.17.0.2 src-address-list=LAN
add action=accept chain=forward in-interface-list=MGMT out-interface-list=LAN \
    src-address-list=Authorized
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment=\
    "allow access for containers to internet" in-interface=containers \
    out-interface=ether8-WAN-Static
add action=drop chain=forward comment="Drop all else"
add action=accept chain=input comment=\
    "accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="wireguard handshake" dst-port=14567 \
    protocol=udp
add action=accept chain=input comment="Access for MGMT" in-interface-list=\
    MGMT src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else"
# WAN exposure: TCP 443 (nginx proxy) and TCP 32400 (Plex) are the only dst-nat
# rules in this export; the forward rule matching connection-nat-state=dstnat
# admits whatever is dst-natted, so any rule added here is exposed automatically.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8-WAN-Static
add action=dst-nat chain=dstnat comment="port 443 to nginx proxy" dst-port=\
    443 in-interface=ether8-WAN-Static protocol=tcp to-addresses=\
    192.168.12.254 to-ports=443
add action=dst-nat chain=dstnat comment="port 32400 to Plex" dst-port=32400 \
    in-interface=ether8-WAN-Static protocol=tcp to-addresses=192.168.12.140 \
    to-ports=32400
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway= [REMOVED] routing-table=main \
    suppress-hw-offload=no
/system clock
set time-zone-name= [REMOVED]
/system identity
set name=RB5009
/system note
set show-at-login=no
# MAC-Winbox is limited to MGMT. NOTE(review): /tool mac-server (MAC-Telnet)
# and /ip service are not part of this export — confirm they are restricted
# to MGMT as well.
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool sniffer
set filter-interface=ether2-LAN-Hybrid
 
sindy
Forum Guru
Posts: 11481
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cannot ping from console VETH interface in containers bridge

Sun Sep 15, 2024 5:15 pm

I would expect that the address you define for vethN only responds if the container linked to that veth is up and listening on that address, but on 7.12.1, the address linked to a veth responds even if no container has ever been using it, let alone being currently attached to it. On 7.15.3, it doesn't, and I haven't gone as far as to install a container to check. What surprises me is that whilst both /interface/print shows the interface as running and /interface/bridge/port monitor shows forwarding: yes, sniffing on the veth interface does not show any traffic when pinging the address (not even the ARP requests) whereas sniffing on the bridge interface does.

So I would conclude it is a bug of 7.15.3 or some radical change of approach. But since you did attach a container to the veth and the outcome is the same as in my case, I am inclined to the former.
 
tangent
Forum Guru
Posts: 1691
Joined: Thu Jul 01, 2021 3:15 pm

Re: Cannot ping from console VETH interface in containers bridge

Mon Sep 16, 2024 7:39 am

it is a bug of 7.15.3 or some radical change of approach

It sounds like you're describing a change coming in 7.16:

*) container - clear VETH address on container exit and mark interface as running only when VETH is in use;

It's an intentional answer to a few complaints from people about containers that responded to pings while down, resulting in false "up" results from monitoring tools unable to make more intelligent distinctions based on API health-check connections well above the ICMP level.

(I tried pointing out that a server with no running services still pings, but they didn't listen to me.)
 
sindy
Forum Guru
Posts: 11481
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cannot ping from console VETH interface in containers bridge

Mon Sep 16, 2024 10:54 am

This (address not responding while container is down) was the first thing to come to my mind when @lpetrov posted the question, because it would be a logical behavior as you've pointed out. But the behavior I observe in 7.15.3 is not logical - the veth interface is "running", the /interface/bridge/port/monitor shows it as forwarding, but not even incoming broadcast packets can be sniffed on it - dead silence. Hence I've assumed it was a bug. But I admit it could be a "half baked" 7.16 change that has somehow leaked to 7.15.3.
 
Amm0
Forum Guru
Posts: 4696
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Cannot ping from console VETH interface in containers bridge

Mon Sep 16, 2024 7:25 pm

Hence I've assumed it was a bug. But I admit it could be a "half baked" 7.16 change that has somehow leaked to 7.15.3.
Entirely possible. I created/use a netinstall container. I know this worked at some point in the past with a VETH on a vlan-enabled=yes bridge. But it stopped working in ~7.15, and still does not seem to work even in 7.16rc. Using VETH+ethernet port as a separate non-VLAN bridge did work. I didn't spend time troubleshooting it yet, since, well, we needed netinstall working at that time. I'll take a look at the sniffer/etc this week, since that has, historically, worked.

My concern with VETH for a while has been that Mikrotik docs always show the V6-style of separate bridges for containers. Even when a non-bridge VETH would make more sense (i.e. PiHole, which is a TCP service, so it just needs to be routable, and a standalone VETH would make more sense than adding an "unneeded" bridge). And they never show/document anything about vlan-enabled=yes with VETH in docs either. Perhaps MT just followed "Docker networking style" with a non-VLAN bridge for docs... but I also suspect that's how MT tests it too... And some unrelated change in bridging could affect VETHs without VETH changing...