
PING an IP address assigned to a VLAN interface on an RB1200

Posted: Fri Jan 11, 2013 7:45 pm
by libove
On an RB1200 (RouterOS 5.21):
/int vlan add name=VLAN101 vlan-id=101 arp=enabled disabled=no interface=ether8 use-service-tag=no
/ip address add address=192.168.17.1/24 interface=VLAN101 disabled=no

There is an Ethernet cable plugged into ether8 which goes to a trunk port on a Dell PowerConnect 2848 switch. VLAN ID 101 (among others) is configured to go out, tagged, from that port on the PowerConnect switch.

I plug a notebook computer into another PowerConnect port, configured in Access mode for VLAN 101 (untagged). The notebook has IP 192.168.17.99.

On the RB1200, I try /ping 192.168.17.99

Sniffing on the notebook's Ethernet port with Wireshark, I see ARP who-has coming from the RB1200, and I see ARP replies coming from the notebook ... but the RB1200 apparently does not see (or does not like and ignores) the ARP replies because I never see actual PING packets from the RB1200 to the notebook, nor do PINGs work from the notebook to the RB's 192.168.17.1 address.


Separately, I have successfully bridged VLAN trunk ports to untagged physical interfaces, but that's not what I need in this case. I need the RB1200 to respond to IP addresses configured on VLAN interfaces just as it would to IP addresses configured on physical Ethernet interfaces.

What more is needed to get the RB1200 to respond to PINGs or to see the notebook's ARP replies, coming in, tagged, on the trunk port on ether8?
(In other words, what boneheaded thing am I doing wrong?)

Thanks...

Re: PING an IP address assigned to a VLAN interface on an RB

Posted: Sat Jan 12, 2013 1:15 am
by jazier
Hi. I have tested this scenario and it works. PC-------switch (HP)---------Mikrotik (RB435G)
PC is connected to a switch through an untagged port. Switch is connected to Mikrotik via a trunk port. Mikrotik is connected to switch through a tagged port. PC is in vlan 2. Switch trunk port is tagged on vlan 2, vlan 3 and untagged on vlan 4. Mikrotik interface has vlan 2 tagged. PC ip address is 13.13.13.102/24, vlan 2 switch ip address is 13.13.13.2/24 and Mikrotik Vlan2 IP address is 13.13.13.1/24. I have success when I PING from PC to switch, from PC to Mikrotik, from Mikrotik to switch and from Mikrotik to PC. Maybe you have set up a filter rule that is blocking Pings. Good Luck.

Re: PING an IP address assigned to a VLAN interface on an RB

Posted: Sat Jan 12, 2013 2:02 am
by libove
> Hi. I have tested this scenario and it works. PC-------switch (HP)---------Mikrotik (RB435G)
> PC is connected to a switch through an untagged port. Switch is connected to Mikrotik via a trunk port. Mikrotik is connected to switch through a tagged port. PC is in vlan 2. Switch trunk port is tagged on vlan 2, vlan 3 and untagged on vlan 4. Mikrotik interface has vlan 2 tagged. PC ip address is 13.13.13.102/24, vlan 2 switch ip address is 13.13.13.2/24 and Mikrotik Vlan2 IP address is 13.13.13.1/24. I have success when I PING from PC to switch, from PC to Mikrotik, from Mikrotik to switch and from Mikrotik to PC. Maybe you have set up a filter rule that is blocking Pings. Good Luck.

Thanks for your reply jazier.
As for filters, I checked that none of my filter rules would interfere, and even put in a rule 0 "chain=input action=accept" action (in short, allow anything at all). No help.

There is one really key difference in your setup from the one I'm trying to make work: in yours, you have two different IP addresses, one of which is untagged. Which IP address(es) can you ping from the PC?
Anyway, could you please post the relevant excerpts of your configuration?

Thanks!

Re: PING an IP address assigned to a VLAN interface on an RB

Posted: Mon Jan 14, 2013 4:42 pm
by jazier
Hi again. PC belongs to vlan 2 and all devices have only one IP address (PC, switch, and Mikrotik). PC can ping IP address of switch vlan 2 and IP address of Mikrotik's vlan 2. Regarding my configuration, I only created vlan 2 and I assigned an IP address to this vlan 2 on Mikrotik. Good luck.

Re: PING an IP address assigned to a VLAN interface on an RB

Posted: Mon Jan 14, 2013 7:00 pm
by CelticComms
What does the routing table look like on the RB1200? Have you only tried pinging from the command line? Any difference if you use the tool in Winbox and explicitly state the interface?

Re: PING an IP address assigned to a VLAN interface on an RB

Posted: Mon Jan 14, 2013 9:40 pm
by libove
> What does the routing table look like on the RB1200? Have you only tried pinging from the command line? Any difference if you use the tool in Winbox and explicitly state the interface?

The network in question here is 192.168.16.0/24, which should be on VLAN254, which is physically connected on ether8 on two MikroTik RB1200 routers, each running RouterOS 5.21.

ether8 on each MikroTik is a Gigabit Ethernet trunk cable connecting to a trunk port on a Dell switch. (Two Dell switches; both PowerConnect 28xx series).
Here is the Dell switch port configuration applied to each of those two port-switch combinations:

Frame type: Admit Tagged Only
Ingress Filtering: Enable
VLAN IDs configured (tagged): 101, 102, 254

So, these trunk ports, which have Ethernet cables connecting the MikroTik routers, will accept only tagged VLAN packets, and only on VLAN IDs 101, 102 and 254.


On MikroTik1:
[jlibove@SP-MikroTik1] /ip firewall nat> /ip addr print #n.b. I removed lines for disabled addresses
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; MikroTik1's real IP address
192.168.1.3/21 192.168.0.0 ether5
3 ;;; Private subnet between the MikroTiks for fallback cross-routing
192.168.8.3/29 192.168.8.0 ether9
5 ;;; Internal LAN VRRP virtual router IP address shared by the two MikroTiks
192.168.1.1/32 192.168.1.1 vrrp1
9 ;;; ONO fiber static IP address for when we are not using VRRP
84.124.127.10/29 84.124.127.8 ether4
10 ;;; Orange ISP static IP address for when we are not using VRRP
88.87.214.210/30 88.87.214.208 ether6
12 ;;; Wi-Fi Management VLAN router
192.168.17.2/24 192.168.17.0 ether1
13 192.168.17.1/32 192.168.17.1 vrrp4
14 ;;; Wi-Fi Internal Users VLAN virtual router IP address
192.168.12.1/32 192.168.12.1 vrrp5
15 ;;; Wi-Fi Internal Users VLAN physical IP address for this MikroTik router
192.168.12.3/22 192.168.12.0 ether2
17 ;;; Wi-Fi Guest VLAN physical interface of this Mikrotik
192.168.16.2/24 192.168.16.0 VLAN254


[jlibove@SP-MikroTik1] /ip firewall nat> /ip route print #n.b. I removed lines for disabled routes
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
3 A S ;;; One of two shared Default Internet connections, ONO (no mark considerations)
0.0.0.0/0 84.124.127.9 1
4 S ;;; Fallback cross-route to the other MikroTik
0.0.0.0/0 192.168.8.2 110
7 ADC 84.124.127.8/29 84.124.127.10 ether4 0
8 ADC 88.87.214.208/30 88.87.214.210 ether6 0
9 ADC 192.168.0.0/21 192.168.1.3 ether5 0
10 ADC 192.168.1.1/32 192.168.1.1 vrrp1 0
11 ADC 192.168.8.0/29 192.168.8.3 ether9 0
12 ADC 192.168.12.0/22 192.168.12.3 ether2 0
13 ADC 192.168.12.1/32 192.168.12.1 vrrp5 0
14 ADC 192.168.16.0/24 192.168.16.2 VLAN254 0
15 ADC 192.168.17.0/24 192.168.17.2 ether1 0
16 ADC 192.168.17.1/32 192.168.17.1 vrrp4 0

On MikroTik2:
[jlibove@SP-MikroTik2] /ip firewall nat> /ip addr print #n.b. I removed lines for disabled addresses
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; MikroTik2's real IP address
192.168.1.2/21 192.168.0.0 ether5
3 ;;; Private subnet between the MikroTiks for fallback cross-routing
192.168.8.2/29 192.168.8.0 ether9
5 ;;; Internal LAN VRRP virtual router IP address shared by the two MikroTiks
192.168.1.1/32 192.168.1.1 vrrp1
12 ;;; Wi-Fi Management VLAN router NEED TO SET UP VRRP OR SIMILAR FOR THIS. DISABLED ON THIS PARTICULAR MIKROTIK FOR NOW.
192.168.17.1/32 192.168.17.0 vrrp4
13 192.168.17.3/24 192.168.17.0 ether1
14 ;;; Wi-Fi Internal Users VLAN virtual router IP address
192.168.12.1/32 192.168.12.1 vrrp5
15 ;;; Wi-Fi Internal Users VLAN physical IP address for this MikroTik router
192.168.12.2/22 192.168.12.0 ether2
17 ;;; Wi-Fi Guest VLAN physical interface of this Mikrotik
192.168.16.3/24 192.168.16.0 VLAN254


[jlibove@SP-MikroTik2] /ip firewall nat> /ip route print #n.b. I removed lines for disabled routes
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
3 S ;;; One of two shared Default Internet connections, ONO (no mark considerations)
0.0.0.0/0 84.124.127.9 1
4 A S ;;; Fallback cross-route to the other MikroTik
0.0.0.0/0 192.168.8.3 110
7 ADC 192.168.0.0/21 192.168.1.2 ether5 0
8 DC 192.168.1.1/32 192.168.1.1 vrrp1 0
9 ADC 192.168.8.0/29 192.168.8.2 ether9 0
10 ADC 192.168.12.0/22 192.168.12.2 ether2 0
11 DC 192.168.12.1/32 192.168.12.1 vrrp5 0
12 ADC 192.168.16.0/24 192.168.16.3 VLAN254 0
13 ADC 192.168.17.0/24 192.168.17.3 ether1 0
14 DC 192.168.17.0/32 192.168.17.1 vrrp4 0

Now, on MikroTik1, I try to ping 192.168.16.2 and 192.168.16.3:
[jlibove@SP-MikroTik1] /ip route> /ping 192.168.16.3
HOST SIZE TTL TIME STATUS
192.168.16.3 timeout
192.168.16.3 timeout
sent=2 received=0 packet-loss=100%

[jlibove@SP-MikroTik1] /ip route> /ping 192.168.16.3 interface=ether8
HOST SIZE TTL TIME STATUS
192.168.16.3 timeout
192.168.16.3 timeout
sent=2 received=0 packet-loss=100%

[jlibove@SP-MikroTik1] /ip route> /ping 192.168.16.3 interface=VLAN254
HOST SIZE TTL TIME STATUS
192.168.16.3 timeout
192.168.16.3 timeout
sent=2 received=0 packet-loss=100%

[jlibove@SP-MikroTik1] /ip route> /ping 192.168.16.2
HOST SIZE TTL TIME STATUS
192.168.16.2 56 64 5ms
192.168.16.2 56 64 0ms
sent=2 received=2 packet-loss=0% min-rtt=0ms avg-rtt=2ms max-rtt=5ms

.. and the same on MikroTik2:
[jlibove@SP-MikroTik2] /ip firewall nat> /ping 192.168.16.2
HOST SIZE TTL TIME STATUS
192.168.16.2 timeout
192.168.16.2 timeout
sent=2 received=0 packet-loss=100%

[jlibove@SP-MikroTik2] /ip firewall nat> /ping 192.168.16.2 interface=ether8
HOST SIZE TTL TIME STATUS
192.168.16.2 timeout
192.168.16.2 timeout
sent=2 received=0 packet-loss=100%

[jlibove@SP-MikroTik2] /ip firewall nat> /ping 192.168.16.2 interface=VLAN254
HOST SIZE TTL TIME STATUS
192.168.16.2 timeout
192.168.16.2 timeout
sent=2 received=0 packet-loss=100%

[jlibove@SP-MikroTik2] /ip firewall nat> /ping 192.168.16.3
HOST SIZE TTL TIME STATUS
192.168.16.3 56 64 4ms
192.168.16.3 56 64 0ms
sent=2 received=2 packet-loss=0% min-rtt=0ms avg-rtt=2ms max-rtt=4ms

Why doesn't 'the other' MikroTik reply across the VLAN trunk in each case?
(I have tested, by the way, that VLAN trunking between the two Dell PowerConnect switches works correctly; we have VLANs crossing them in production. For example, if I configure a port on one of the two Dell PowerConnect switches in Access mode for VLAN 254, and another port on the other Dell PowerConnect switch in Access mode for VLAN 254, and plug in normal PCs on those two ports, then they can see each other, with their packets being tagged for VLAN 254 on entering their respective switch, and the tagged packets successfully crossing a trunk between the two Dell switches, and then the packets being untagged and sent out the other PC's port on its switch. So I assume that I have the whole port/ VLAN/ tagging/ mode thing right on the Dell switches. I am not at all so sure about my MikroTik configurations...).


Am I missing something in the MikroTik configuration for it to really be sending and expecting to receive only tagged packets over ether8?

Is there some additional step required for a MikroTik to respond to a PING coming in over a VLAN on a physical Ethernet port? I think that bridging is only needed if I want packets arriving on a VLAN to go _untagged_ out a physical port on the MikroTik.

Thanks,
-Jay
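
An added example, not part of any post in this thread: a Python model of the Dell trunk port policy quoted above (Admit Tagged Only, ingress filtering, tagged VLANs 101, 102 and 254), applied to constructed ARP frames, to show what a capture taken on the ether8 link has to contain for a frame to pass. The MAC address and all function names are assumptions made for the illustration.

```python
import struct

ETH_P_8021Q = 0x8100
ETH_P_ARP = 0x0806
ALLOWED_VIDS = {101, 102, 254}  # tagged VLANs on the Dell trunk port, from the thread

def build_arp_request(src_mac, src_ip, dst_ip, vlan_id=None):
    """Build a constructed ARP who-has frame, optionally 802.1Q tagged."""
    eth = b"\xff" * 6 + src_mac  # broadcast destination, then source MAC
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)  # PCP=0, DEI=0
    eth += struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet/IPv4, opcode 1 = request
    arp += src_mac + bytes(map(int, src_ip.split(".")))
    arp += b"\x00" * 6 + bytes(map(int, dst_ip.split(".")))
    return eth + arp

def vlan_of(frame):
    """Return the 802.1Q VLAN ID of a frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETH_P_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the tag control field

def trunk_admits(frame, allowed=ALLOWED_VIDS):
    """Model 'Admit Tagged Only' plus ingress filtering on the trunk port."""
    vid = vlan_of(frame)
    if vid is None:
        return False, "untagged frame dropped (Admit Tagged Only)"
    if vid not in allowed:
        return False, f"VLAN {vid} not a member on this port (ingress filtering)"
    return True, f"accepted on VLAN {vid}"

if __name__ == "__main__":
    mac = bytes.fromhex("020000000002")  # constructed, locally administered MAC
    for vid in (254, None, 200):
        frame = build_arp_request(mac, "192.168.16.2", "192.168.16.3", vid)
        print(vid, trunk_admits(frame))
```

Running `vlan_of` over frames exported from a capture on the router side of the trunk shows whether the ARP traffic is leaving with the expected tag.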