Additional bridge interfaces can't access WAN

lcd · March 7, 2019, 11:11am

Hello, I’ve tried to configure a router so that it would have 3 different sub-nets:

192.168.50.0/24 - (LAN_SERVERS_1,2) - Does not route to WAN
192.168.100.0/24 (LAN_OFFICE_1,2) - Does not route to WAN
192.168.88.0/24 - Routes to WAN (part of the defconf that came with the router)

WAN_TELIA: ISP No.1 (for security I replaced IP address in config to: 111.111.111.)
WAN_BALTNETA: ISP No.2 (for security I replaced IP address in config to: 222.222.222.)

I can confirm that DHCP and address pools for bridged interfaces (LAN_OFFICE_BRIDGE, LAN_OFFICE_SERVERS) are working correctly.
This
I have tried disabling all firewall rules to rule out the possibility of it being a firewall issue, still no WAN connection.

Could anyone tell me what I am missing and why only the defconf bridge interface does WAN routing while others two bridges fail to do so?

# mar/07/2019 10:50:34 by RouterOS 6.42.10
# software id = AY2G-6688
#
# model = 2011UiAS-2HnD
# serial number = 91E10A6BCC51
/interface bridge
add name=LAN_OFFICE_BRIDGE
add name=LAN_SERVERS_BRIDGE
add admin-mac=74:4D:28:24:90:7B auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether5 ] name=LAN_OFFICE_1
set [ find default-name=ether6 ] name=LAN_OFFICE_2
set [ find default-name=ether3 ] name=LAN_SERVERS_1
set [ find default-name=ether4 ] name=LAN_SERVERS_2
set [ find default-name=ether2 ] name=WAN_BALTNETA
set [ find default-name=ether1 ] name=WAN_TELIA
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=lithuania disabled=no distance=indoors frequency=auto mode=\
    ap-bridge name=WLAN ssid=MC-MOB-AP wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="interface list for all wans" name=WANs
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=LAN_SERVERS_DHCP_POOL ranges=192.168.50.200-192.168.50.254
add name=LAN_OFFICE_DHCP_POOL_2 ranges=192.168.100.120-192.168.100.254
add comment="Pools where splitted due to old cisco config this may be removed \
    in the future" name=LAN_OFFICE_DHCP_POOL_1 next-pool=\
    LAN_OFFICE_DHCP_POOL_2 ranges=192.168.100.2-192.168.100.80
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=LAN_SERVERS_DHCP_POOL disabled=no interface=\
    LAN_SERVERS_BRIDGE name=LAN_SERVERS_DHCP
add address-pool=LAN_OFFICE_DHCP_POOL_1 disabled=no interface=\
    LAN_OFFICE_BRIDGE name=LAN_OFFICE_DHCP
/interface bridge port
add bridge=LAN_SERVERS_BRIDGE comment=defconf interface=LAN_SERVERS_1
add bridge=LAN_SERVERS_BRIDGE comment=defconf interface=LAN_SERVERS_2
add bridge=LAN_OFFICE_BRIDGE comment=defconf interface=LAN_OFFICE_2
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=LAN_OFFICE_BRIDGE comment=defconf interface=WLAN
add bridge=LAN_OFFICE_BRIDGE interface=LAN_OFFICE_1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN_TELIA list=WAN
add interface=WAN_TELIA list=WANs
add interface=WAN_BALTNETA list=WANs
add interface=LAN_SERVERS_BRIDGE list=LAN
add interface=LAN_OFFICE_BRIDGE list=LAN
/ip address
add address=111.111.111.80/24 interface=WAN_TELIA network=111.111.111.0
add address=192.168.88.1/24 interface=ether9 network=192.168.88.0
add address=192.168.88.1/24 interface=ether10 network=192.168.88.0
add address=192.168.50.1/24 interface=LAN_SERVERS_1 network=192.168.50.0
add address=192.168.50.1/24 interface=LAN_SERVERS_2 network=192.168.50.0
add address=192.168.100.1/24 interface=LAN_OFFICE_BRIDGE network=\
    192.168.100.0
add address=222.222.222.130/30 interface=WAN_BALTNETA network=222.222.222.128
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=WAN_TELIA
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=222.222.222.130 name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=Bogons
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    Bogons
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=WANs
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WANs
/ip firewall mangle
add action=accept chain=prerouting dst-address=222.222.222.128/30 \
    in-interface=LAN_OFFICE_BRIDGE
add action=accept chain=prerouting dst-address=111.111.111.0/24 in-interface=\
    LAN_OFFICE_BRIDGE
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN_TELIA new-connection-mark=WAN1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN_BALTNETA new-connection-mark=WAN2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=LAN_OFFICE_BRIDGE \
    new-connection-mark=WAN1_conn per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=LAN_OFFICE_BRIDGE \
    new-connection-mark=WAN2_conn per-connection-classifier=\
    both-addresses:2/1
add action=mark-routing chain=output connection-mark=WAN1_conn \
    new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn \
    new-routing-mark=to_WAN2
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN_TELIA
add action=masquerade chain=srcnat out-interface=WAN_BALTNETA
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WANs
/ip route
add check-gateway=ping distance=1 gateway=111.111.111.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=222.222.222.129 routing-mark=\
    to_WAN2
add distance=1 gateway=111.111.111.1
add check-gateway=ping distance=1 gateway=111.111.111.1
add check-gateway=ping distance=2 gateway=222.222.222.129
/system clock
set time-zone-name=Europe/Vilnius
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

anav · March 7, 2019, 11:53am

I find your LAN OFFICE and SERVER structure very confusing and I would get rid of it and figure out what is required by deciding what you are trying to accomplish in words.
Then a design can be found that fits your needs. What is the functionality that is driving you to have two pools but same subnet for example.
What is so unique about these four entities you have decided are needed?

/ip address
add address=111.111.111.80/24 interface=WAN_TELIA network=111.111.111.0
add address=192.168.88.1/24 interface=ether9 network=192.168.88.0
add address=192.168.88.1/24 interface=ether10 network=192.168.88.0
add address=192.168.50.1/24 interface=LAN_SERVERS_1 network=192.168.50.0
add address=192.168.50.1/24 interface=LAN_SERVERS_2 network=192.168.50.0
add address=192.168.100.1/24 interface=LAN_OFFICE_BRIDGE network=\

replace the part above in red with
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
Where is dns???
add address=192.168.88.0/24 comment=defconf dns=192.168.88.1 gateway=192.168.88.1

Missing dhcp-server network for your lan server and lan office ???

lcd · March 7, 2019, 12:20pm

anav thank you for your reply.

I find your LAN OFFICE and SERVER structure very confusing and I would get rid of it and figure out what is required by deciding what you are trying to accomplish in words.

Those two sub-nets are meant to replace 2 physical routers in our network. Due to legacy issues we have to keep two separate sub-nets .50 and .100. Basically all SERVERS were running under .50 and all employee computers under .100

add address=192.168.88.1/24 interface=ether9 network=192.168.88.0
add address=192.168.88.1/24 interface=ether10 network=192.168.88.0

These two entries are a backups if accidentally remove a bridge named bridge. So that I will not lock myself out of router admin panel. I will clean this up later.

anav · March 7, 2019, 2:04pm

access to router (via winbox is handled in input rules (access to router) and ip services I think not by backup confusing and wrong bridgeport settings.

What I am saying is that I really dont care how many routers were used previously, one office pool should be good for all office workers, one server pool should be good for all servers etc…
If they need to be segregated for security reasons, create different vlans or subnets.