Hi all.
I’m new to Mikrotik so please bear with me. With my current setup, basically everything works, but I cannot ping from any host on the Servers VLAN 100 to my Management VLAN, and i’m not sure exactly why. As far as I can tell there are no firewall rules that should prevent me from doing it.
I can access the webserver and media services hosted on the servers as well.
I am also able to ping the Gateway IP of the Management VLAN from any of the hosts on the Server VLAN
I had everything working fine until I decided to move the servers to their own VLAN (I kept the same subnet as there are a lot of services that have IPs configured and I didn’t want to have to change all of those). My main PC was moved to a separate Management VLAN.
# 2024-06-25 16:46:15 by RouterOS 7.15.1
# software id = 3WF7-CWJP
#
# model = RB5009UG+S+
# serial number = XXXXXXXX
/interface bridge
add admin-mac=78:9A:18:D9:17:FF auto-mac=no comment=defconf name=bridge \
port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] auto-negotiation=no
set [ find default-name=ether4 ] auto-negotiation=no
set [ find default-name=ether6 ] auto-negotiation=no
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=guest_vlan_20 vlan-id=20
add interface=bridge name=iot_vlan_30 vlan-id=30
add interface=bridge name=mgmt_vlan_99 vlan-id=99
add interface=bridge name=server_vlan_100 vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add comment=Management name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.99.199-192.168.99.254
add name=Guest_Pool ranges=10.0.20.2-199.0.20.254
add name=Management_Pool ranges=10.0.99.199-10.0.99.254
add name=Server_Pool ranges=192.168.0.199-192.168.0.254
add name=IOT_Pool ranges=10.0.30.2-10.0.30.254
add name=Wireless_Pool ranges=10.0.40.199-10.0.40.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge lease-time=10m name=dhcp1
add address-pool=Guest_Pool interface=guest_vlan_20 name=Guest_DHCP
add address-pool=Management_Pool interface=mgmt_vlan_99 name=Management_DHCP
add address-pool=Server_Pool interface=server_vlan_100 name=Server_DHCP
add address-pool=IOT_Pool interface=iot_vlan_30 name=IOT_DHCP
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
path-cost=10 pvid=99
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
path-cost=10 pvid=99
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
path-cost=10 pvid=100
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether5 \
internal-path-cost=10 path-cost=10 pvid=99
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether6 \
internal-path-cost=10 path-cost=10 pvid=99
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
path-cost=10 pvid=99
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=\
10 path-cost=10
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10 pvid=\
100
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment=Management_VLAN tagged=bridge untagged=\
ether2,ether3,ether5,ether6,ether7 vlan-ids=99
add bridge=bridge comment=Guest_VLAN tagged=bridge,ether7 vlan-ids=20
add bridge=bridge comment=IOT_VLAN tagged=bridge,ether7 vlan-ids=30
add bridge=bridge comment=Server_VLAN tagged=bridge untagged=ether1,ether4 \
vlan-ids=100
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether8 list=WAN
add interface=mgmt_vlan_99 list=LAN
add interface=guest_vlan_20 list=VLAN
add interface=iot_vlan_30 list=VLAN
add interface=mgmt_vlan_99 list=VLAN
add interface=server_vlan_100 list=LAN
add interface=server_vlan_100 list=VLAN
add comment=Wireguard interface=wireguard1 list=VLAN
add comment=Wireguard interface=wireguard1 list=LAN
add comment="Management VLAN" interface=mgmt_vlan_99 list=MGMT
add comment="Management WG" interface=wireguard1 list=MGMT
/interface wireguard peers
add allowed-address=192.168.69.2/32 comment=Client_2 endpoint-address=\
192.168.69.2 interface=wireguard1 name=peer7
add allowed-address=192.168.69.3/32 comment=Client_3 endpoint-address=\
192.168.69.3 interface=wireguard1 name=peer8
add allowed-address=192.168.69.4/32 comment=Client_4 endpoint-address=\
192.168.69.4 interface=wireguard1 name=peer9
add allowed-address=192.168.69.5/32 comment=Client_5 endpoint-address=\
192.168.69.5 interface=wireguard1 name=peer10
add allowed-address=192.168.69.6/32 comment=Client_6 endpoint-address=\
192.168.69.6 interface=wireguard1 name=peer11
add allowed-address=192.168.69.7/32 comment=Client_7 endpoint-address=\
192.168.69.7 interface=wireguard1 name=peer12
add allowed-address=192.168.69.8/32 comment=Client_8 endpoint-address=\
192.168.69.8 interface=wireguard1 name=peer13
add allowed-address=192.168.69.9/32 comment=Client_9 endpoint-address=\
192.168.69.9 interface=wireguard1 name=peer14
/ip address
add address=192.168.99.1/24 comment=defconf interface=bridge network=\
192.168.99.0
add address=192.168.69.1/24 interface=wireguard1 network=192.168.69.0
add address=10.0.99.1/24 interface=mgmt_vlan_99 network=10.0.99.0
add address=10.0.20.1/24 interface=guest_vlan_20 network=10.0.20.0
add address=10.0.30.1/24 interface=iot_vlan_30 network=10.0.30.0
add address=192.168.0.1/24 interface=server_vlan_100 network=192.168.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether8
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
add address=10.0.40.0/24 gateway=10.0.40.1
add address=192.168.0.0/24 gateway=192.168.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.0.20.0/24 list=Guest_List
add address=192.168.0.0/24 list=Servers_List
add address=10.0.99.0/24 list=MGMT_List
add address=10.0.30.0/24 list=IOT_List
add address=192.168.0.10 comment="HTPC PC" list=admin_ips
add address=10.10.10.0/24 list=LAN_list
add address=10.10.20.0/24 list=LAN_list
add address=10.10.30.0/24 list=LAN_list
add address=192.168.0.0/24 list=LAN_list
add address=10.0.99.99 comment="Josh PC" list=admin_ips
add address=192.168.69.7 comment="Work PC - WG" list=admin_ips
add address=192.168.69.2 comment="Phone - WG" list=admin_ips
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=192.168.69.0/24 list=LAN_list
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="Allow admin IPs to Access Router" \
in-interface-list=MGMT src-address-list=admin_ips
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
"# Allow incoming traffic to the wireguard service" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="Allow DNS from Wireguard Users" \
dst-port=53 in-interface=wireguard1 protocol=udp
add action=drop chain=input comment="Drop Everything Else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="Allow Management VLAN access to ALL" \
connection-state=new in-interface-list=MGMT out-interface-list=LAN \
src-address-list=admin_ips
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Forwarded Ports" \
connection-nat-state=dstnat
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop Everything Else" \
connection-state=""
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=HairpinNAT dst-address=\
192.168.0.0/24 src-address=192.168.0.0/24
add action=dst-nat chain=dstnat comment="Port Forward 80 to HTPC" dst-port=80 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.0.10 to-ports=80
add action=dst-nat chain=dstnat comment="Port Forward 443 to HTPC" dst-port=\
443 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.10 \
to-ports=443
add action=dst-nat chain=dstnat comment="Wireguard Unraid" dst-port=51820 \
in-interface-list=WAN protocol=udp to-addresses=192.168.0.69 to-ports=\
51820
add action=dst-nat chain=dstnat comment="Wireguard HTPC" dst-port=51822 \
in-interface-list=WAN protocol=udp to-addresses=192.168.0.10 to-ports=\
51822
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Australia/Melbourne
/system leds settings
set all-leds-off=after-1min
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN