Clients get IP addresses from DHCP, but cannot access internet

adastein · December 2, 2015, 10:44am

Hello, I have a Mikrotik RB2011UiAS-RM, I configured 3 VLAN’s, my devices get IP addresses from my router, but cannot access Internet.
I can ping everything from the router (so the WAN is configured correctly, I removed the IP addreses form my config), so the problem is somewhere in the middle.

This is the config:

# jan/03/1970 03:17:38 by RouterOS 6.33.2
# software id = LJ3A-ZG8X
#
/interface bridge
add name=Bridge
/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/ip neighbor discovery
set ether1 discover=no
set ether2 discover=no
set ether3 discover=no
set ether4 discover=no
set ether5 discover=no
set ether6 discover=no
set ether7 discover=no
set ether8 discover=no
set ether9 discover=no
set ether10 discover=no
set sfp1 discover=no
set Bridge discover=no
/interface vlan
add interface=Bridge l2mtu=1594 name="VLAN - 50 (VOIP)" vlan-id=50
add interface=Bridge l2mtu=1594 name="VLAN - 100 (LAN)" vlan-id=100
add interface=Bridge l2mtu=1594 name="VLAN - 200 (WIFI)" vlan-id=200
/ip neighbor discovery
set "VLAN - 50 (VOIP)" discover=no
set "VLAN - 100 (LAN)" discover=no
set "VLAN - 200 (WIFI)" discover=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name="LAN DHCP" ranges=192.168.100.11-192.168.100.35
add name="VOIP DHCP" ranges=192.168.50.1-192.168.50.25
add name="WiFi DHCP" ranges=192.168.200.1-192.168.200.25
/ip dhcp-server
add address-pool="LAN DHCP" disabled=no interface="VLAN - 100 (LAN)" \
    lease-time=3d name="LAN DHCP"
add address-pool="VOIP DHCP" disabled=no interface="VLAN - 50 (VOIP)" \
    lease-time=3d name="VOIP DHCP"
add address-pool="WiFi DHCP" disabled=no interface="VLAN - 200 (WIFI)" \
    lease-time=1h name="WiFi DHCP"
/interface bridge port
add bridge=Bridge interface=ether2
/ip address
add address=192.168.100.254/24 comment=LAN interface="VLAN - 100 (LAN)" \
    network=192.168.100.0
add address=192.168.50.254/24 comment=VOIP interface="VLAN - 50 (VOIP)" \
    network=192.168.50.0
add address=192.168.200.254/24 comment=WiFi interface="VLAN - 200 (WIFI)" \
    network=192.168.200.0

/ip dhcp-server network
add address=192.168.50.0/24 comment=VOIP dns-server=192.168.50.254 gateway=\
    192.168.50.254
add address=192.168.100.0/24 comment=LAN dns-server=192.168.100.254 gateway=\
    192.168.100.254
add address=192.168.200.0/24 comment=WiFi dns-server=192.168.200.254 gateway=\
    192.168.200.254

/ip firewall address-list
add address=192.168.100.0/24 list="Local LAN"
add address=192.168.50.0/24 list=VOIP
add address=192.168.200.0/24 list=WiFi
/ip firewall filter
add action=drop chain=forward comment="Drop Traffic from VOIP to LAN" \
    dst-address=192.168.100.0/24 src-address=192.168.50.0/24
add action=drop chain=forward comment="Drop Traffic from LAN to VOIP" \
    dst-address=192.168.50.0/24 src-address=192.168.100.0/24
add action=drop chain=forward comment="Drop Traffic from WiFi to LAN" \
    dst-address=192.168.100.0/24 src-address=192.168.200.0/24
add action=drop chain=forward comment="Drop Traffic from LAN to WiFi" \
    dst-address=192.168.200.0/24 src-address=192.168.100.0/24
add action=drop chain=forward comment="Drop Traffic from VOIP to WiFi" \
    dst-address=192.168.200.0/24 src-address=192.168.50.0/24
add action=drop chain=forward comment="Drop Traffic from WiFi to VOIP" \
    dst-address=192.168.50.0/24 src-address=192.168.200.0/24
add chain=input comment="Allow access to router from LAN using address list" \
    src-address-list="Local LAN"
add action=drop chain=forward comment="Drop invalid connections" \
    connection-state=invalid
add chain=forward comment="Allow connections from LAN" connection-state=new \
    in-interface=Bridge
add chain=forward comment="Allow established connections" connection-state=\
    established
add chain=forward comment="Allow related connections" connection-state=\
    related
add action=drop chain=forward comment=\
    "Drop all other traffic trough the router"
add chain=input comment="Allow established connections to the router" \
    connection-state=established
add chain=input comment="Allow related connections to the router" \
    connection-state=related
add action=drop chain=input comment="Drop All other traffic to the router"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd pin
set pin-number=1557
/system clock
set time-zone-name=Europe/Riga

/system ntp client
set enabled=yes primary-ntp=89.111.54.85 secondary-ntp=89.111.15.218
/system routerboard settings
set protected-routerboot=disabled
/tool bandwidth-server
set enabled=no

Any suggestions where the problem might be?

Thanks in advance

adastein · December 3, 2015, 8:27am

This is what I am going for (used all of my MS Paint skillset):
setup.jpg
Any help is appreciated.
Thanks

skuykend · December 3, 2015, 6:00pm

I think your accept filter for new connections is incorrectly checking for in interface=bridge, but you’re comming in from the vlan interfaces at this point.

ZeroByte · December 3, 2015, 8:01pm

(quoted so you’ll get notified)

I agree with skuykend - your forwarding filter will never allow traffic because the IP packets are arriving on the VLAN interfaces and not the bridge interface.

Your forwarding chain could be very much simplified:
chain=forward action=allow connection-state=established,related
chain=forward action=allow out-interface=ether1
chain=forward action=drop

The input chain can be made simple as well:
chain=input action=allow connection-state=established,related
chain=input action=allow protocol=icmp
chain=input action=drop in-interface=ether1

Use interface names and not address ranges where possible. If you ever have to change the IP addressing of your networks, then you won’t need to remember to go fix it in the firewall. Also, this simple setup will not need to be changed if you ever add another LAN (such as guest vlan) because the logic fits your design: block inter-lan traffic. Allow outbound traffic. Drop new connections from WAN.

Blocking ICMP is a bad habit - it breaks some subtle things, and doesn’t really help your security.

adastein · December 4, 2015, 7:14am

Big thanks to both of you, You got this sorted out.
Thank you for your help.