Community discussions

MikroTik App
  4. RouterOS
  5. General

Problem with vlan subnet and lan subnet not communicating  [SOLVED]

Post Reply
 
Cooperdale
just joined
Topic Author
Posts: 10
Joined: Fri Feb 17, 2017 8:35 pm

Problem with vlan subnet and lan subnet not communicating

Sat Jan 18, 2020 10:36 pm

Hello, so I need to setup something like this: I have 2 RBs (6.44.6), one is controlling the whole network (M1), the other one (M2) should just work as a switch (of sorts) for a vlan inside the network.

The main network is 172.16.2.0/24, the vlan is 192.168.10.0/24. There's a dhcp server on each network: both are defined on M1.

The setup works almost completely: if I connect something to M2 it correctly gets an IP inside the vlan. Also I have internet on devices connected like that.

The problem is, I can't ping a device inside the lan from one inside the vlan, and viceversa.

I can ping anything from both RBs and I can ping all routers' IPs from any device in both subnets, but I can't ping a device in one subnet from a device in the other, and viceversa.

This happens with all filters disabled.

I'm kind of lost here, I'll paste the relevant code from both boars, hope you guys can help me.
Code: Select all
M1 (main routerboard, 172.16.2.1, 192.168.10.254)

/interface vlan
add interface=bridge-local name=vlan777 vlan-id=777
/ip pool
add name=dhcp_pool2 ranges=192.168.10.100-192.168.10.199
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no \
    interface=bridge-local lease-time=7h name=default
add address-pool=guest-dhcp authoritative=after-2sec-delay disabled=no \
    interface=bridge-guest lease-time=1h name=guest
add address-pool=vlan-dhcp disabled=no interface=vlan777 name=vlan
/interface bridge port
add bridge=bridge-local interface=ether2-local
add bridge=bridge-local interface=ether3-local
/ip address
add address=192.168.10.254/24 interface=vlan777 network=192.168.10.0
add address=172.16.2.1/24 interface=bridge-local network=172.16.2.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.254 gateway=192.168.10.254
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=192.168.10.0/24 \
    new-routing-mark=VLAN passthrough=no src-address=172.16.2.0/24
/ip route
add distance=1 dst-address=192.168.10.0/24 gateway=vlan777 routing-mark=VLAN


M2 ("vlan" routerboard, 172.16.2.136 (dhcp), 192.168.10.198 (dhcp))

/interface bridge
add name=bridge1
/interface vlan
add interface=ether1 name=vlan777 vlan-id=777
/interface bridge port
add bridge=bridge1 hw=no interface=ether2
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 interface=vlan777
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge1
add default-route-distance=2 dhcp-options=hostname,clientid disabled=no \
    interface=ether1
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=172.16.2.0/24 \
    new-routing-mark=VLAN passthrough=no
/ip route
add distance=1 dst-address=172.16.2.0/24 gateway=172.16.2.1 routing-mark=VLAN
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12707
Joined: Thu Mar 03, 2016 10:23 pm

Re: Problem with vlan subnet and lan subnet not communicating  [SOLVED]

Sun Jan 19, 2020 11:49 am

Depending on what kind of LAN devices we're talking about, it might be those devices blocking pings (because their firewalls don't allow ICMP from outside "home" subnet).

You can test this by running pings from M1 like this:

Code: Select all
/ping <LAN1 device IP>

Which will likely succeed as ROS will use appropriate "same subnet" IP address as source address. Next run command

Code: Select all
/ping <LAN1 device IP> src-address=<M1 address from the other subnet>

This test will likely fail. Not because the source address would be unaccessible for target device (it's router's other address), but because device's firewall will block incoming ICMP echo request ...
Top
 
Cooperdale
just joined
Topic Author
Posts: 10
Joined: Fri Feb 17, 2017 8:35 pm

Re: Problem with vlan subnet and lan subnet not communicating

Sun Jan 19, 2020 1:43 pm

Jesus, you are right. It's actually W10 PCs, had no idea the default firewall would block pings from other local subnets! Is it my impression or has it gotten more "picky" lately?

I have a reason to be sad - I was stupid not to think about this - and two reasons to be happy - I got the config right and I learned something, had no idea you could do that with the ping command on RouterOS.

Thanks a lot for the great help.
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12707
Joined: Thu Mar 03, 2016 10:23 pm

Re: Problem with vlan subnet and lan subnet not communicating

Sun Jan 19, 2020 1:51 pm

Jesus, you are right. It's actually W10 PCs, had no idea the default firewall would block pings from other local subnets! Is it my impression or has it gotten more "picky" lately?
My experience is that this is the way windows firewall behaves ever since there's built-in firewall (could be it started with WinXP?).
And there's no way host could determine if some IP address outside own subnet is "yet another local subnet" versus some remote subnet (IP addresses from non-routable address range don't necessarily mean truly local subnet ... can be ISP's network in case of CGNAT or some remote subnet if there are some routers too willing to route in between). So the default setting of dropping anything outside own subnet is a very sane setting.
Top
Post Reply

Who is online

Users browsing this forum: Bing [Bot], GrayJay, sindy and 50 guests
  4. RouterOS
  5. General