dst-nat vs vlan

Hello all. I have a 951Ui-2HnD with RouterOS 7.1.5.
I have some config with VLANs to make my IPTV device work. And now I can't publish some ports of some devices to the internet.
I found some posts on this topic, but no result for me…
Below is my config:

/interface bridge add name=bridge1 protocol-mode=none

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan1

/interface vlan
add interface=bridge1 name=VLAN10 vlan-id=10
add interface=bridge1 name=VLAN20 vlan-id=20

/interface ethernet switch vlan
add independent-learning=yes ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=yes ports=ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=20

/interface ethernet switch port
set 0 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 1 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure

/ip dhcp-client add dhcp-options=hostname,clientid disabled=no interface=VLAN10

/ip address add address=192.168.100.1/24 interface=VLAN20 network=192.168.100.0
/ip pool add name=pool-lan ranges=192.168.100.20-192.168.100.254
/ip dhcp-server add address-pool=pool-lan disabled=no interface=VLAN20 lease-time=1h name=dhcp-server
/ip dhcp-server network add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1
/ip dns set allow-remote-requests=yes

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=VLAN10 list=WAN
add interface=VLAN20 list=LAN

/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.100.249 to-ports=33 protocol=tcp in-interface=VLAN10 dst-port=33 log=no log-prefix=""

/ip firewall address-list add address=192.168.100.0/24 list=ManageIP

/ip firewall filter
add action=accept chain=input comment="Allow icmp" protocol=icmp
add action=accept chain=input comment="Allow established & related" connection-state=established,related
add action=accept chain=input comment="Allow access for ManageIP group" src-address-list=ManageIP
add action=drop chain=input comment="All other drop"
add action=fasttrack-connection chain=forward comment=Fasttrack connection-state=established,related
add action=accept chain=forward comment="Allow established & related" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid connection packets" connection-state=invalid
add action=accept chain=forward comment="Allow Internet" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="All other drop"

In the process of solving this I added these lines:
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

You need to allow dstnatted connections through filter (put it before the last drop rule):

/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept

And you most likely don’t need the last thing (use-ip-firewall=yes use-ip-firewall-for-vlan=yes).

Also, do you expect users to get DNS via the router? Your input chain rules, as formulated, may not permit it…

I would be more blunt than Soft Sob…
Use this at your own peril… It's for advanced users who know what they are doing, and not an afterthought as something fun to try…
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

So you are either a genius or a fool… :wink: ( correction ‘misguided’ by probably some youtube video )

Sob, thanks!
Now I have another problem: I made an IP tunnel and it works, I see, but there is no ping between network hosts.
Result is:
Dacha - Home hosts ping:
192.168.88.71 → 172.16.30.1: yes
192.168.88.71 → 192.168.100.1: yes
192.168.88.71 → 192.168.100.249: no

Home - Dacha hosts ping:
192.168.100.249 → 172.16.30.1: yes
192.168.100.249 → 172.16.30.2: no
192.168.100.249 → 192.168.88.1: no
192.168.100.249 → 192.168.88.71: no

Router1 Config:
/interface ipip
add name=dacha keepalive=10s,10 remote-address=10.1.200.1

/ip address
add address=172.16.30.1/30 interface=dacha

/ip route
add comment="route to dacha" dst-address=192.168.88.0/24 gateway=172.16.30.2

Router2 Config:
/interface ipip
add name=Home keepalive=10s,10 remote-address=10.1.100.1

/ip address
add address=172.16.30.2/30 interface=Home

/ip route
add comment="route to home" dst-address=192.168.100.0/24 gateway=172.16.30.1

For Dacha->Home it looks like you didn't allow traffic from the IPIP tunnel to LAN (in chain=forward). For Home->Dacha it can be the same, plus it looks like the remote router doesn't accept icmp (that would be in chain=input). Additionally, there can be a problem with firewalls on the target devices; some (e.g. Windows) don't accept traffic from non-local subnets by default.
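Both drops discussed in this thread (the port forward hitting "All other drop", and the ping arriving over the IPIP tunnel hitting the same rule) come from the forward chain being walked first-match with no rule that fits the new connection. The following is an added example, not code from the thread or from MikroTik: a small Python model of that walk over the exact forward rules from the first post. The interface names, lists and rules are the thread's; the two packets are constructed, the `dacha` tunnel-to-LAN accept rule is a hypothetical rule of the kind Sob's last reply asks for, and `fasttrack-connection` is simplified to a non-terminating mark.

```python
# Added example (not from the thread): a toy first-match walk of the RouterOS
# forward chain, reproducing the two drops discussed above. Interface names,
# lists and rules are copied from the thread's config; packets are constructed.

INTERFACE_LISTS = {
    "WAN": {"VLAN10"},   # /interface list member add interface=VLAN10 list=WAN
    "LAN": {"VLAN20"},   # /interface list member add interface=VLAN20 list=LAN
}


def rule(action, **match):
    """One firewall rule: an action plus the matchers it carries."""
    return {"action": action, "match": match}


def matches(r, pkt):
    """True if every matcher on the rule agrees with the packet."""
    for key, want in r["match"].items():
        if key == "in-interface-list":
            if pkt["in-interface"] not in INTERFACE_LISTS[want]:
                return False
        elif key == "out-interface-list":
            if pkt["out-interface"] not in INTERFACE_LISTS[want]:
                return False
        elif key == "connection-state":
            if pkt["connection-state"] not in want.split(","):
                return False
        elif pkt.get(key) != want:
            return False
    return True


def walk_forward(rules, pkt):
    """Return (action, rule index) of the first terminating match.

    fasttrack-connection is modelled as non-terminating here: it marks the
    connection and the packet continues to the next rule. A packet that
    reaches the end of the chain without a match is accepted.
    """
    for i, r in enumerate(rules):
        if matches(r, pkt):
            if r["action"] == "fasttrack-connection":
                continue
            return r["action"], i
    return "accept", None


def insert_before_final_drop(rules, new_rule):
    """Return a copy of the chain with new_rule placed before the last drop."""
    return rules[:-1] + [new_rule, rules[-1]]


# Forward chain exactly as posted in the first message.
FORWARD_FROM_THREAD = [
    rule("fasttrack-connection", **{"connection-state": "established,related"}),
    rule("accept", **{"connection-state": "established,related,untracked"}),
    rule("drop", **{"connection-state": "invalid"}),
    rule("accept", **{"in-interface-list": "LAN", "out-interface-list": "WAN"}),
    rule("drop"),  # "All other drop"
]

# Sob's fix: accept dst-natted connections before the final drop.
FORWARD_FIXED = insert_before_final_drop(
    FORWARD_FROM_THREAD, rule("accept", **{"connection-nat-state": "dstnat"}))

# A rule of the kind Sob's last reply asks for: IPIP tunnel -> LAN.
# Hypothetical: the thread names the need but does not post the rule.
FORWARD_WITH_TUNNEL = insert_before_final_drop(
    FORWARD_FIXED,
    rule("accept", **{"in-interface": "dacha", "out-interface-list": "LAN"}))

# Constructed packets. First packet of the port forward, after dst-nat has
# rewritten it to 192.168.100.249:33 ...
PORT_FORWARD_PKT = {
    "in-interface": "VLAN10", "out-interface": "VLAN20",
    "connection-state": "new", "connection-nat-state": "dstnat",
    "protocol": "tcp", "dst-address": "192.168.100.249", "dst-port": "33",
}
# ... and the first ping from the Dacha LAN arriving over the IPIP tunnel.
TUNNEL_PKT = {
    "in-interface": "dacha", "out-interface": "VLAN20",
    "connection-state": "new", "connection-nat-state": "none",
    "protocol": "icmp", "src-address": "192.168.88.71",
    "dst-address": "192.168.100.249",
}

if __name__ == "__main__":
    for name, chain in [("as posted", FORWARD_FROM_THREAD),
                        ("with dstnat accept", FORWARD_FIXED),
                        ("plus tunnel accept", FORWARD_WITH_TUNNEL)]:
        print(f"{name:20} port-forward: {walk_forward(chain, PORT_FORWARD_PKT)}"
              f"  tunnel ping: {walk_forward(chain, TUNNEL_PKT)}")
```

Running it shows why the two problems are independent: the `connection-nat-state=dstnat` accept repairs the port forward but does nothing for the tunnel, because the ping over `dacha` is not dst-natted and still falls through to the final drop until a rule matching the tunnel interface is placed above it.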