Hello everyone,

I have a small network comprised of an ISP provided device, one RB5009 for routing, and two hAP ax2 performing access point duties, configured with three VLANs, one management, one guest, one VIP. While most of the devices connected to the network get internet access, I recently discovered I cannot ping devices across the same VLAN (or from the RB5009 router to any device on the network), or SSH from my PC to a Raspberry PI I added recently, with the Raspberry PI also not getting an internet connection.

I have tried adding some NAT rules to the hAP devices, to no avail, I have also tried connecting the Raspberry PI to the main router and to one of the APs, without being able to ping or SSH into it in both cases. Thus, I arrived here, with no more ideas, and I am hoping someone here can help me out. Hell, I'll even pay for the tech support. I have attached the config exports for the main router and one of the APs (the config is the same for both, and they are provisioned via CAPsMAN).

Would this be caused by VLAN and ingress filtering being turned on? What am I missing?

Why does pi have two connections to the network?

Set this to none, its known to cause issues
/interface detect-internet
set detect-interface-list=WAN

Remove old default static ip dns setting
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A

I dont care about ping, what user traffic is not working??

I tried to show in the diagram that I tried connecting it via ethernet to both the hAP ax2 and the RB5009, both not working.

The issue is that I cannot SSH between devices, and the Pi does not get internet access when connected via ethernet.

IM confused, why are you trying to SSH between internal devices and do you mean to configure devices? What is the nature of the ssh traffic?

bridge config on hAP ax2 says:

/interface bridge port
add bridge=bridge interface=ether1 pvid=33
add bridge=bridge interface=ether2 pvid=33
add bridge=bridge interface=ether3 pvid=33
add bridge=bridge interface=ether4 pvid=33
add bridge=bridge interface=ether5 pvid=33
...
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5 vlan-ids=33

So basically you configured ether ports as hybrid ports on ingress (untagged frame, entering port from wire, will get tagged with VID 33) and tagged on egress (taged frame with VID 33 will keep its VLAN tag on way out to frame).
This kind of mismatch is often "tollerated" if connected device runs Windows OS (because many NIC drivers strip VLAN headers on ingress if NIC is not configured to work with VLANs), but linux-based devices (including ROS devices and rPIs) don't tollerate such blunder ... and discard frames which carry VLAN tag with unconfigured VID.

The solution: remove ether ports from list of tagged members of VLAN 33 (ROS will add them as untagged members due to pvid setting).

And a suggestion (my personal POV): set ports, which connect LAN infrastructure (router and APs), as full trunk ports (i.e. all VLANs tagged). Currently they are set as hybrid/access ports. Yes, this means that configuration of ports will vary depending on device connected (LAN infrastructure v.s. end device), but in principle it does add to security of the network. And to me it also adds to "readability" of config (but this is subjective).

IM confused, why are you trying to SSH between internal devices ...

Why not? ssh is legitimate protocol to use inside a LAN, I'm using it to configure all my MT gear.

And, BTW, @anav: the problem is in L2 config, non-working L6 is only a symptom/illustration.

Okay, I simply use winbox to config my gear?? why the bother of SSH?

On my tablet I have SSH client. There is no winbox for android. And I don't particularly like new webfig layout. Copy-paste works great in CLI (over ssh), it takes to run terminal window from inside winbox to do the same in winbox (and terminal features of terminal of winbox don't reach the ankles of a decent ssh client, e.g. putty or mobaXterm, not to mention native linux terminals).

I also have a linux server on my LAN (file server, DLNA server, DHCP server, primary DNS server for my own domain, web server) and using ssh to manage it is the most natural way.

So if winbox was on your tablet, it would be viable............good to know, SSH is a work around ;-PPP

First of all, I would like to thank both of you for the input, the tips from anav solved my issue, and I learned a new thing. Lemme know where I should send that coffee!

Now, I want to know a bit more about what you said regarding setting ports which connect the infrastructure with all VLANs tagged. On the RB5009 all of them are currently set with all VLANs tagged. Should I change that so just the ones carrying data to the ax2 devices are fully tagged and configure the rest to only have one VLAN tagged? Also, if I choose to revert this change, should I instead try and configure the NIC on the rPI to tag its traffic with the VID that I need?

viewtopic.php?t=143620

On the 5009, port with traffic will either be:
a. access ports going to dumb devices, untagged for the vlan associated with that device.
b. trunk port going to smart devices (that can read vlan tags) carrying all the vlans that the device is responsible for forwarding ( AP over wifi, Switch on its other ports access or trunk as appropriate )
c. trunk port should also carry the trusted or managment vlan ( used at the minimum to provide smart devices with their IP address on that vlan and perhaps also data (trusted vlan).

If you have unifi APs, then hybrid ports are probably required (at least if the default setup on unifi is not changed ).

Thank you for the hints, I'll get to studying. We can consider this matter closed, you have been very helpful!