I have an ER-X running 1.9.0 stable. I'm migrating an existing flat network to a routed network. I have several VLANs defined. The ER is not routing between any of them. This should be working out of the box. I've checked the firewall and everything else I could come up with. The router has also been reset and reconfigured using the prior config as a template.
No matter what VLAN I have my workstation set to, pinging any hosts on any of the other VLANs/subnets times out (as does any other connection, HTTP, etc.). This isn't an issue with my switches, as it occurs even when directly connected to the eth ports on the ER-X. When doing a traceroute, the workstation will show the first hop as the ER-X; from there it times out.
eth1 is WAN. Ports eth0, eth2-eth4 are assigned to switch0. All have VLANs enabled and have their VIDs assigned to all existing VLANs. No ports on switch0 have a PVID defined. Each of the ports connects to an access point or switch with the VLANs configured as appropriate.
Hosts on any of the VLANs can talk to the router just fine. They get their DHCP leases if appropriate, can ping the router, and can access the internet.
The issue is the same if my workstation is plugged into a switch or the router.
Untagged - switch0 - 10.1.0.0/24
Servers VLAN - switch0.11 - 10.1.1.0/24
MGMT VLAN - switch0.12 - 10.1.2.0/24
Voice VLAN - switch0.13 - 10.1.3.0/24
Cust VLAN - switch0.110 - 10.1.10.0/24
Any ideas or pointers would be much appreciated.
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        --- snip ---
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        rule 1 {
            action accept
            description "accept established, related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        rule 1 {
            action drop
            description "drop invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 2 {
            action accept
            description "accept established"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 3 {
            action accept
            description "accept icmp"
            log enable
            protocol icmp
        }
    }
    name WAN_OUT {
        default-action accept
        rule 1 {
            action drop
            description "drop invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 2 {
            action accept
            description "accept established"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        duplex auto
        speed auto
    }
    ethernet eth1 {
        address dhcp
        address dhcpv6
        description WAN
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
                name WAN_OUT
            }
        }
        speed auto
    }
    ethernet eth2 {
        duplex auto
        mtu 1500
        speed auto
    }
    ethernet eth3 {
        duplex auto
        mtu 1500
        speed auto
    }
    ethernet eth4 {
        duplex auto
        mtu 1500
        poe {
            output pthru
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 10.1.0.1/24
        mtu 1500
        switch-port {
            interface eth0 {
                vlan {
                    vid 1
                    vid 110
                    vid 11
                    vid 12
                    vid 13
                }
            }
            interface eth2 {
                vlan {
                    vid 1
                    vid 110
                    vid 11
                    vid 12
                    vid 13
                }
            }
            interface eth3 {
                vlan {
                    vid 1
                    vid 110
                    vid 11
                    vid 12
                    vid 13
                }
            }
            interface eth4 {
                vlan {
                    vid 1
                    vid 110
                    vid 11
                    vid 12
                    vid 13
                }
            }
            vlan-aware enable
        }
        vif 11 {
            address 10.1.1.1/24
            description SERVERS
            mtu 1500
        }
        vif 12 {
            address 10.1.2.1/24
            description MGMT
            mtu 1500
        }
        vif 13 {
            address 10.1.3.1/24
            description VOICE
            mtu 1500
        }
        vif 110 {
            address 10.1.10.1/24
            description Terry-110
            ip {
            }
            mtu 1500
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    lan-interface switch0.11
    lan-interface switch0.12
    lan-interface switch0.13
    lan-interface switch0.110
    --- snip ---
    wan-interface eth1
}
service {
    --- snip ---
    nat {
        rule 5001 {
            description WAN
            log disable
            outbound-interface eth1
            type masquerade
        }
    }
}
system {
    --- snip ---
}