Cannot establish tcp (SSH) connection on second WAN port

Hi, I am installing a new CCR1009 to replace a RB4011 (don’t ask why, there is a story).
So far going reasonably well.
We have two ISP connections, four trunks to four AP (each with four wifi plus some hardwired ports) and two server ports to two hardware servers each with a number of virtual servers.
From the outside world we can connect to the ISP1 port and connect to each of the three IPv4 addresses and the dstnat servers.
WE CANNOT connect to the ISP2 port for anything other than ping. i.e. SSH to the IP address just times out.
We can connect to the target server 192.168.129.248 from the internal network servers, but not from WAN - dstnat appears correct.
Please ignore the IPv6 at this point, I haven’t got around to sorting that bit out yet.
I have spent all night tracing the packets - see the SYN come in to the /ip firewall connections tab but no further.
I am using mangle to mark connections and mark routing, in various combinations, including disable of them all, and still no joy.
Sure it is something simple, it just evades me …
Any help or ideas appreciated.
CCR1009.rsc (32.5 KB)

Oops, just another detail that may help narrow it down.
Also cannot connect from 192.168.129.248 to the mailservers 192.168.128.232 and 192.168.128.242 - get connection refused messages in thunderbird.

Before digging any deeper, what’s your reason for setting use-ip-firewall under /interface bridge settings to yes?

Based on the rest of the config…read something on youtube and copied it…

What intrigues me is the fact that he has five vlans (besides one dedicated for WAN) but only four dhcp pools etc…

Also in bridge ports he has made a hot mess of things…

Such as inventing the fact that the CCR1009 has WLANs…

Or using too many interface lists… why have discovery when you have a management vlan where all the smart devices should get their IP from…

No clue as to what this means in IP addresses, above my head.
add address=ISP1v4-IP3 interface=SRV_VLAN network=ISP1v4-IP3
add address=ISP1v4-IP2 interface=SRV_VLAN network=ISP1v4-IP2

As far as firewall rules go, KISS, a big bloated affair that is based on fear and not focused on required user functionality.

Seems like using IPV6 as well so definitely outta my league.

@sindy
I plan to establish queues on two of the vlans / subnets. I just read the definition for use and have removed this setting in the interim - no impact on my issues.
@anav
No I don’t read from youtube, I do watch and listen though, but not usually about mikrotik stuff as most of the ones I have looked at are not very helpful.

Yes I only need four dhcp pools as the server vlan / subnet uses only static IP address assignment. The WAN vlans (x2) are imposed on me by my two ISP companies.

I have tried to follow the vlan filtering setup that was suggested on this forum and posted and commented upon by yourself!!

No idea how you think that I assume the CCR1009 has wifi??? I simply setup a vlan and subnet for wifi devices that connect via the 4 RB962UiGS-5HacT2HnT used primarily as Access Points (AP) that are connected by 4 separate trunk ports to the router. However sometimes the wifi client needs to connect to our web servers or email servers - thus I started with using routerOS IP DNS static for those domains, however the routerOS dns is not a proper dns and once you have a single domain with an A record, it doesn’t deal with the rest of the domain records, i.e. TXT records needed for proper functioning, not to mention the massive duplication involved. So onto plan B, use the WAN accessible DNS records and get WAN addresses back that need to be handled internally.

Discovery in the interface lists is just a trial to see if I can get to see the Access Point devices on WinBox now that I have them on the MGMT vlan - doesn’t work so this will go. I just haven’t found a way to be able to use WinBox when it is on a PC workstation that lives on the LAN_VLAN (192.168.129.0/24) and thus can only route to connect to the MGMT devices…on 10.10.100.0/24 and then you get a message about how they cannot connect securely etc.

IP addresses - these are simply two WAN address assignments to allow me to ping the two additional IP addresses that I have from ISP1 from the WAN space - if there is another way - happy to hear about it. I do want my WAN IP addresses in the IPv4 space to only make it to the router - they do not get to traverse my internal network.

Please feel free to offer a more concise IP firewall filter. It may have a few duplicates in place as I have been trying to resolve the issue I posted about.

As mentioned, please ignore the IPv6 - I will sort that out separately. It has no impact on the problem I am trying to solve here.

I deliberately posted the entire export as this forum repeatedly gives those that edit the export for anything other than making the IP addresses anonymous, a rough time …

So my question remains - how do I get routing to happen properly between the vlans / subnets?
I can connect from the WAN to my servers in the SRV_VLAN on the ports I open up in IP firewall filter.
I have one external IP address (ISP2) that I wish to use port 22 for SSH access to a workstation on the LAN_VLAN - and that does not work - I see the initial connection happen but it stalls on TCP(syn) - not sure, but suspect the reply is not getting back to the WAN…
BTW, this system is mostly working just fine - it serves multiple GB to our clients every day - access from the WAN to the servers - web and email for multiple domains, just works!

It is trying to deal with access internally from segregated vlans / subnets, to the servers that has me stumped. I wanted to avoid hairpin NAT as the number of different (many to many) clients / servers involved makes this unworkable - yes I have read through all the many pages of ranting and some very helpful posts on this subject, multiple times. It is because of these posts that I have moved the servers to a separate vlan / subnet - the promise was that hairpin would not be required …? Just simple routing … really?
Still hoping someone can see what I am so far missing.

What I’ve seen in the export was that the default route in the WAN2 routing table was disabled; is that a debug setting or the cause of your issue?

If it doesn’t work even with that route enabled, you’ll have to run /tool sniffer quick ip-address=a.a.a.a port=22 while trying to connect from remote address a.a.a.a to the server, in order to see how far the request gets and if any response is sent, where that response is routed. The mangle rules seem fine to me, translation of in-interface to connection-mark in prerouting for connections from the internet as well as selective translation of connection-mark to routing-mark for LAN->WAN traffic are in place.

As for queues for vlans, so you plan to shape bandwidth while bridging traffic between devices in the same VLAN, correct?
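The two-WAN mangle scheme described in the reply above (in-interface to connection-mark in prerouting, then connection-mark to routing-mark for traffic heading back out), written out as an added example in RouterOS v7 syntax. This is not the thread's own export or anyone's posted config: the interface names ether1-ISP1 / ether2-ISP2, the LAN interface list, the gateway addresses 198.51.100.1 and 203.0.113.1 and the public address 203.0.113.10 are assumed placeholders; 192.168.129.248 is the workstation named in the thread.

```routeros
# Added example, not the thread's configuration. All names and addresses are assumed
# placeholders except 192.168.129.248 (the workstation from the original post).

/routing table
add name=to_ISP1 fib
add name=to_ISP2 fib

/ip route
# main table: ordinary default route via ISP1
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=1
# per-WAN tables. If the entry for to_ISP2 is disabled, traffic marked to_ISP2 falls back
# to the main table and leaves via ISP1 with an ISP2 source address, so the SYN/ACK never
# returns the way it came. Check with: /ip route print where routing-table=to_ISP2
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=to_ISP1
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=to_ISP2

/ip firewall mangle
# 1) remember which WAN a new inbound connection arrived on
add chain=prerouting in-interface=ether1-ISP1 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=ISP1_conn passthrough=yes
add chain=prerouting in-interface=ether2-ISP2 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=ISP2_conn passthrough=yes
# 2) reply packets from LAN hosts (e.g. the dst-nat'd workstation) follow the connection mark
#    back to the WAN the connection came in on
add chain=prerouting in-interface-list=LAN connection-mark=ISP1_conn \
    action=mark-routing new-routing-mark=to_ISP1 passthrough=no
add chain=prerouting in-interface-list=LAN connection-mark=ISP2_conn \
    action=mark-routing new-routing-mark=to_ISP2 passthrough=no
# 3) connections terminated by the router itself (SSH or WinBox to a WAN address) are
#    answered from the output chain, which the prerouting rules never see
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1 passthrough=no
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2 passthrough=no

/ip firewall nat
# dst-nat for port 22 on the ISP2 address (203.0.113.10 is a placeholder for that address)
add chain=dstnat in-interface=ether2-ISP2 dst-address=203.0.113.10 protocol=tcp dst-port=22 \
    action=dst-nat to-addresses=192.168.129.248 to-ports=22
```

On RouterOS v6 the same design uses `routing-mark=to_ISP2` directly on the `/ip route` entries and has no `/routing table` section. Whichever version, the symptom in the original post (SYN visible in `/ip firewall connection`, nothing after it) is what a missing or disabled route in the per-WAN table, or a missing output-chain rule for router-terminated sessions, looks like; the `/tool sniffer quick ip-address=a.a.a.a port=22` check from the reply above shows on which interface, if any, the SYN/ACK leaves.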

@sindy
you asked

As for queues for vlans, so you plan to shape bandwidth while bridging traffic between devices in the same VLAN, correct?

No I don’t believe so, most of the vlan clients only need access to the internet, thus while they are on a vlan filtered bridge, they will get their packets marked and bandwidth shaped, I do not bridge traffic between the clients (only one or two exceptions). This, if I recall correctly, is why I set up the second bridge for the servers, so it should be simple to route from vlan to servers … yet to be done, as is the bandwidth shaping.

My saga continues - unfortunately had a server fail and had to import a new one from over the ditch in Australia, rebuild etc… fun never stops, but quite a lot of time spent on this.
Also my second ISP provider cannot restore service to my business VDSL link for the next two weeks (unbelievable story), thus I am scrambling to get my MX server that used that link, hooked up on my fibre ISP link on an IPv6 address - this is where I am now stumped.
My original post issue is still a problem but then the VDSL link went AWOL, so I need to park it and get service restored for my email MX.

As expected from the router I can ping all server IPv6 addresses: <ISP1_prefix_delegation>::1, ::232, ::234, ::235, ::240, ::242, ::244 - these are accessed via ether2-SRV and ether3-SRV, both on BRSRV bridge.
Externally I can ping only half of them - the ::240, ::242, ::244 that happen to reside on ether2-SRV link (been over all the ether2-SRV and ether3-SRV configs and see no difference … that could account for this problem).
From each of the 6 servers I can ping all the other servers, plus the router.
I have tried disabling all the IPv6 firewall mangle rules - no difference
The IPv6 route rule for the delegated prefix uses BRSRV thus no help there.
Where do I look now?
Any pointers appreciated
TIA Rob
CCR1009_expunged.rsc (33.1 KB)

Thought I would also show what the ipv6 route fib looks like
ipv6_route_print.txt (2.13 KB)