Hi,
Over the past few days I factory reset my Mikrotik and set it up to cater for VLANS. I require 2 (SOHO and GUEST). The thread related to this topic is at http://forum.mikrotik.com/t/different-dhcp-ranges-with-mikrotik-with-cisco-aironet/145557/1 Thank you to everyone esp tdw who hand held me through the process.
Everything seems to be operating as expect with the exception of Hairpin Nat.
I have a web page which I can surf to from outside my network but not from within my network (VLAN ID = 10),
# dec/29/2020 11:04:23 by RouterOS 6.48
# software id = 0E9A-7W1F
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 665805B580DC
/ip firewall filter
add chain=input comment="Allow all ICMP" protocol=icmp
add action=accept chain=input comment=\
"Allow Establised and Related Connections" connection-state=\
established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow OpenVPN (OVPN)" dst-port=1194 \
protocol=tcp
add action=drop chain=input comment=Drop
add action=accept chain=forward connection-nat-state=dstnat in-interface=\
ether1
add action=accept chain=forward comment=HTTP dst-address=192.168.16.4 \
dst-port=80 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment=HTTPS dst-address=192.168.16.4 \
dst-port=443 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment=SFTP dst-address=192.168.16.5 \
dst-port=22 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment=Plex dst-address=192.168.16.8 \
dst-port=32400 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
192.168.16.0/24 log=yes log-prefix="[HP]" src-address=192.168.16.0/24
add action=masquerade chain=srcnat comment="Default masquerade" \
out-interface-list=WAN
add action=dst-nat chain=dstnat comment=HTTP dst-port=80 in-interface=ether1 \
protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=HTTPS dst-port=443 in-interface=\
ether1 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=SFTP dst-port=5552 in-interface=\
ether1 protocol=tcp to-addresses=192.168.16.5 to-ports=22
add action=dst-nat chain=dstnat comment=Plex dst-port=52400 in-interface=\
ether1 protocol=tcp to-addresses=192.168.16.8 to-ports=32400
Thanks
I followed the guide at https://wiki.mikrotik.com/wiki/Hairpin_NAT . In my case I do not have a LAN out-interface so I used the bridge BR1 . This was defined by the VLAN tutorial.
I still am not able to read the web server from my internal network.
I am posting the complete configuration as it stands now.
# dec/29/2020 12:21:17 by RouterOS 6.48
# software id = 0E9A-7W1F
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 665805B580DC
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Connected to ISP"
set [ find default-name=ether2 ] comment="Connected to Cisco AP"
set [ find default-name=ether3 ] comment="Connected to LAN Switch"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country=malta disabled=no frequency=2442 mode=ap-bridge ssid=SOHO-AP
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-eCee country=malta disabled=no frequency=5260 mode=ap-bridge \
ssid=SOHO-AP
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=GUEST_VLAN vlan-id=20
add interface=BR1 name=SOHO_VLAN vlan-id=10
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Base \
supplicant-identity=MikroTik
/interface wireless
add mac-address=E6:8D:8C:D6:E4:5F master-interface=wlan1 name=wlan1-admin \
security-profile=Base ssid=BASE
add disabled=no mac-address=E6:8D:8C:D6:E4:5E master-interface=wlan1 name=\
wlan1-guest security-profile=guest ssid=GUEST-AP
add mac-address=E6:8D:8C:D6:E4:60 master-interface=wlan2 name=wlan2-admin \
security-profile=Base ssid=BASE
add disabled=no mac-address=E6:8D:8C:D6:E4:5D master-interface=wlan2 name=\
wlan2-guest security-profile=guest ssid=GUEST-AP
/ip pool
add name=SOHO_POOL ranges=192.168.16.20-192.168.16.99
add name=GUEST_POOL ranges=10.0.20.2-10.0.20.254
add name=VPN_POOL ranges=192.168.89.2-192.168.89.254
/ip dhcp-server
add address-pool=SOHO_POOL disabled=no interface=SOHO_VLAN name=SOHO_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
/ppp profile
set *0 use-upnp=no
set *FFFFFFFE use-upnp=no
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan1-guest pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan2-guest pvid=20
add bridge=BR1 interface=wlan1-admin pvid=99
add bridge=BR1 interface=wlan2-admin pvid=99
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether4,wlan1,wlan2 vlan-ids=\
10
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-guest,wlan2-guest vlan-ids=20
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-admin,wlan2-admin vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=SOHO_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes \
require-client-certificate=yes
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=xxx.yyy.zzz.180/27 comment="Fixed IP provided by ISP" interface=\
ether1 network=xxx.yyy.zzz.160
add address=192.168.16.1/24 interface=SOHO_VLAN network=192.168.16.0
add address=10.0.20.1/24 interface=GUEST_VLAN network=10.0.20.0
/ip dhcp-server network
add address=10.0.20.0/24 comment="Guest Subnet" dns-server=192.168.0.1 \
gateway=10.0.20.1
add address=192.168.16.0/24 comment="SOHO Subnet" dns-server=192.168.0.1 \
gateway=192.168.16.1
add address=192.168.89.0/24 comment="VPN Subnet" dns-server=192.168.0.1 \
gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9,8.8.8.8
/ip firewall filter
add chain=input comment="Allow all ICMP" protocol=icmp
add action=accept chain=input comment=\
"Allow Establised and Related Connections" connection-state=\
established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow OpenVPN (OVPN)" dst-port=1194 \
protocol=tcp
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment=HTTP disabled=yes dst-address=\
192.168.16.4 dst-port=80 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment=HTTPS disabled=yes dst-address=\
192.168.16.4 dst-port=443 in-interface=ether1 protocol=tcp
add action=accept chain=forward connection-nat-state=dstnat in-interface=\
ether1
add action=accept chain=forward comment=SFTP dst-address=192.168.16.5 \
dst-port=22 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment=Plex dst-address=192.168.16.8 \
dst-port=32400 in-interface=ether1 protocol=tcp
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" disabled=yes \
dst-address=192.168.16.0/24 src-address=192.168.16.0/24
add action=masquerade chain=srcnat dst-address=192.168.16.4 dst-port=80 \
out-interface=BR1 protocol=tcp src-address=192.168.16.0/24
add action=masquerade chain=srcnat dst-address=192.168.16.4 dst-port=443 \
out-interface=BR1 protocol=tcp src-address=192.168.16.0/24
add action=masquerade chain=srcnat comment="Default masquerade" \
out-interface-list=WAN
add action=dst-nat chain=dstnat comment=HTTP dst-address=xxx.yyy.zzz.180 \
dst-port=80 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=HTTPS dst-address=xxx.yyy.zzz.180 \
dst-port=443 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=SFTP dst-port=5552 in-interface=\
ether1 protocol=tcp to-addresses=192.168.16.5 to-ports=22
add action=dst-nat chain=dstnat comment=Plex dst-port=52400 in-interface=\
ether1 protocol=tcp to-addresses=192.168.16.8 to-ports=32400
/ip route
add comment="ISP gateway" distance=1 gateway=xxx.yyy.zzz.161
/ip service
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add comment="IP Address Assigned to user" name=chribonn service=ovpn
add name=connie service=ovpn
/system clock
set time-zone-name=Europe/Malta
/system identity
set name=RouterSwitchAP
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
mkx
December 29, 2020, 1:45pm
3
When using VLANs, the in-interface (or out-interface) is rather VLAN interface, such as BASE_VLAN or GUEST_VLAN … actually any interface which has IP address configured. But then, you’re using IP addresses in the NAT rules, so you’ll have to explain the non-working case a bit better: which client (which LAN IP address, connected to which physical interface), how does it connect to service, etc.
BTW, your config export still has un-obfuscated WAN IP address listed, you might want to change it.
Hi,
I have a web server on my SOHO_VLAN (VLAN ID = 10, Network: 192.168.16.0/24). The computer that serves the pages has a fixed IP of 192.168.16.4.
When I access the site (ports 80, 443) from outside my network every works as expect.
When I access the site from within my network (I am on the SOHO_VLAN) the page does not come up. In Firefox I am presented with the Router OS Web Login Page (Mikrotik is on 192.168.16.1)
When I access the site from the GUEST VLAN (VLAN ID = 20, Network 10.0.20.0/24) the page does not come up and what I see is identical to the SOHO_VLAN.
This is the current version of the config that gives the outcome I’ve just described:
# dec/29/2020 15:21:37 by RouterOS 6.48
# software id = 0E9A-7W1F
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 665805B580DC
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Connected to ISP"
set [ find default-name=ether2 ] comment="Connected to Cisco AP"
set [ find default-name=ether3 ] comment="Connected to LAN Switch"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country=malta disabled=no frequency=2442 mode=ap-bridge ssid=SOHO-AP
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-eCee country=malta disabled=no frequency=5260 mode=ap-bridge \
ssid=SOHO-AP
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=GUEST_VLAN vlan-id=20
add interface=BR1 name=SOHO_VLAN vlan-id=10
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Base \
supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=E6:8D:8C:D6:E4:5F master-interface=wlan1 name=\
wlan1-admin security-profile=Base ssid=BASE
add disabled=no mac-address=E6:8D:8C:D6:E4:5E master-interface=wlan1 name=\
wlan1-guest security-profile=guest ssid=GUEST-AP
add disabled=no mac-address=E6:8D:8C:D6:E4:60 master-interface=wlan2 name=\
wlan2-admin security-profile=Base ssid=BASE
add disabled=no mac-address=E6:8D:8C:D6:E4:5D master-interface=wlan2 name=\
wlan2-guest security-profile=guest ssid=GUEST-AP
/ip pool
add name=SOHO_POOL ranges=192.168.16.20-192.168.16.99
add name=GUEST_POOL ranges=10.0.20.2-10.0.20.254
add comment="IP Range Assigned to VPN Clients" name=VPN_POOL ranges=\
192.168.88.10-192.168.88.20
/ip dhcp-server
add address-pool=SOHO_POOL disabled=no interface=SOHO_VLAN name=SOHO_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
/ppp profile
set *0 use-upnp=no
add local-address=192.168.88.1 name=VPN_PROFILE remote-address=VPN_POOL
set *FFFFFFFE use-upnp=no
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan1-guest pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan2-guest pvid=20
add bridge=BR1 interface=wlan1-admin pvid=99
add bridge=BR1 interface=wlan2-admin pvid=99
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether4,wlan1,wlan2 vlan-ids=\
10
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-guest,wlan2-guest vlan-ids=20
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-admin,wlan2-admin vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=SOHO_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes \
require-client-certificate=yes
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=xxx.yyy.zzz.180/27 comment="Fixed IP provided by ISP" interface=\
ether1 network=xxx.yyy.zzz.160
add address=192.168.16.1/24 interface=SOHO_VLAN network=192.168.16.0
add address=10.0.20.1/24 interface=GUEST_VLAN network=10.0.20.0
/ip dhcp-server network
add address=10.0.20.0/24 comment="Guest Subnet" dns-server=192.168.0.1 \
gateway=10.0.20.1
add address=192.168.16.0/24 comment="SOHO Subnet" dns-server=192.168.0.1 \
gateway=192.168.16.1
add address=192.168.89.0/24 comment="VPN Subnet" dns-server=192.168.0.1 \
gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9,8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN (OVPN)" disabled=yes \
dst-port=1194 protocol=tcp
add chain=input comment="Allow all ICMP" protocol=icmp
add action=accept chain=input comment=\
"Allow Establised and Related Connections" connection-state=\
established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat in-interface=\
ether1
add action=accept chain=forward comment=SFTP disabled=yes dst-address=\
192.168.16.5 dst-port=22 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment=Plex dst-address=192.168.16.8 \
dst-port=32400 in-interface=ether1 protocol=tcp
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
192.168.16.0/24 src-address=192.168.16.0/24
add action=masquerade chain=srcnat comment="Default masquerade" \
out-interface-list=WAN
add action=dst-nat chain=dstnat comment=HTTP dst-port=80 in-interface=ether1 \
protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=HTTPS dst-port=443 in-interface=\
ether1 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=SFTP dst-port=5552 in-interface=\
ether1 protocol=tcp to-addresses=192.168.16.5 to-ports=22
add action=dst-nat chain=dstnat comment=Plex dst-port=52400 in-interface=\
ether1 protocol=tcp to-addresses=192.168.16.8 to-ports=32400
/ip route
add comment="ISP gateway" distance=1 gateway=xxx.yyy.zzz.161
/ip service
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add comment="IP Address Assigned to user" name=chribonn profile=VPN_PROFILE \
service=ovpn
add name=connie profile=VPN_PROFILE service=ovpn
/system clock
set time-zone-name=Europe/Malta
/system identity
set name=RouterSwitchAP
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
Sob
December 29, 2020, 2:44pm
5
You have dstnat rules with in-interface=ether1, so they only work for connections from internet. Two basic options are:
a) Replace in-interface=ether1 with dst-address=
If you have static public address, choose a), otherwise b).
Hello,
My public IP is fixed.
Is did the changes but the issue remains. I noticed (don’t know whether this was the case before) that even though the page does not get served, there is activity on the 80 and 443 NAT entries (Bytes / Packets). The Hairpin NAT entry at the top does not register traffic.
Thanks
# dec/29/2020 15:52:46 by RouterOS 6.48
# software id = 0E9A-7W1F
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 665805B580DC
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Connected to ISP"
set [ find default-name=ether2 ] comment="Connected to Cisco AP"
set [ find default-name=ether3 ] comment="Connected to LAN Switch"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country=malta disabled=no frequency=2442 mode=ap-bridge ssid=SOHO-AP
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-eCee country=malta disabled=no frequency=5260 mode=ap-bridge \
ssid=SOHO-AP
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=GUEST_VLAN vlan-id=20
add interface=BR1 name=SOHO_VLAN vlan-id=10
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Base \
supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=E6:8D:8C:D6:E4:5F master-interface=wlan1 name=\
wlan1-admin security-profile=Base ssid=BASE
add disabled=no mac-address=E6:8D:8C:D6:E4:5E master-interface=wlan1 name=\
wlan1-guest security-profile=guest ssid=GUEST-AP
add disabled=no mac-address=E6:8D:8C:D6:E4:60 master-interface=wlan2 name=\
wlan2-admin security-profile=Base ssid=BASE
add disabled=no mac-address=E6:8D:8C:D6:E4:5D master-interface=wlan2 name=\
wlan2-guest security-profile=guest ssid=GUEST-AP
/ip pool
add name=SOHO_POOL ranges=192.168.16.20-192.168.16.99
add name=GUEST_POOL ranges=10.0.20.2-10.0.20.254
add comment="IP Range Assigned to VPN Clients" name=VPN_POOL ranges=\
192.168.88.10-192.168.88.20
/ip dhcp-server
add address-pool=SOHO_POOL disabled=no interface=SOHO_VLAN name=SOHO_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
/ppp profile
set *0 use-upnp=no
add local-address=192.168.88.1 name=VPN_PROFILE remote-address=VPN_POOL
set *FFFFFFFE use-upnp=no
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan1-guest pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan2-guest pvid=20
add bridge=BR1 interface=wlan1-admin pvid=99
add bridge=BR1 interface=wlan2-admin pvid=99
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether4,wlan1,wlan2 vlan-ids=\
10
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-guest,wlan2-guest vlan-ids=20
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-admin,wlan2-admin vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=SOHO_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes \
require-client-certificate=yes
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=xxx.yyy.zzz.180/27 comment="Fixed IP provided by ISP" interface=\
ether1 network=xxx.yyy.zzz.160
add address=192.168.16.1/24 interface=SOHO_VLAN network=192.168.16.0
add address=10.0.20.1/24 interface=GUEST_VLAN network=10.0.20.0
/ip dhcp-server network
add address=10.0.20.0/24 comment="Guest Subnet" dns-server=192.168.0.1 \
gateway=10.0.20.1
add address=192.168.16.0/24 comment="SOHO Subnet" dns-server=192.168.0.1 \
gateway=192.168.16.1
add address=192.168.89.0/24 comment="VPN Subnet" dns-server=192.168.0.1 \
gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9,8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN (OVPN)" disabled=yes \
dst-port=1194 protocol=tcp
add chain=input comment="Allow all ICMP" protocol=icmp
add action=accept chain=input comment=\
"Allow Establised and Related Connections" connection-state=\
established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat in-interface=\
ether1
add action=accept chain=forward comment=SFTP disabled=yes dst-address=\
192.168.16.5 dst-port=22 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment=Plex dst-address=192.168.16.8 \
dst-port=32400 in-interface=ether1 protocol=tcp
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
192.168.16.0/24 src-address=192.168.16.0/24
add action=masquerade chain=srcnat comment="Default masquerade" \
out-interface-list=WAN
add action=dst-nat chain=dstnat comment=HTTP dst-address=xxx.yyy.zzz.180 \
dst-port=80 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=HTTPS dst-address=xxx.yyy.zzz.180 \
dst-port=443 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=SFTP dst-port=5552 in-interface=\
ether1 protocol=tcp to-addresses=192.168.16.5 to-ports=22
add action=dst-nat chain=dstnat comment=Plex dst-port=52400 in-interface=\
ether1 protocol=tcp to-addresses=192.168.16.8 to-ports=32400
/ip route
add comment="ISP gateway" distance=1 gateway=xxx.yyy.zzz.161
/ip service
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add comment="IP Address Assigned to user" name=chribonn profile=VPN_PROFILE \
service=ovpn
add name=connie profile=VPN_PROFILE service=ovpn
/system clock
set time-zone-name=Europe/Malta
/system identity
set name=RouterSwitchAP
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
mkx
December 29, 2020, 5:05pm
7
Your firewall filter rule regarding dst-nat is limiting access as well:
add action=accept chain=forward connection-nat-state=dstnat > in-interface=ether1
You should probably omit the in-interface completely, the connection-nat-state=dstnat should be enough.
The following rule at filter table is not allowing your hairpinned-nat traffic:
add action=accept chain=forward connection-nat-state=dstnat in-interface=ether1
You may need to unset the in-interface parameter.
EDIT: mkx had the same observation
Hello,
I can confirm that removing the in-interface=ether1 entry has resolved the problem.
I had a power failure and since restarting the machine with the web service is non reactive (Remote Desktop to the server, copying across the network, …).
Tomorrow I will be updating this thread and will share the configuration that worked for me.
Hello,
I am posting the configuration that addresses the following scenario (what I have understood). I base script is from this thread http://forum.mikrotik.com/t/different-dhcp-ranges-with-mikrotik-with-cisco-aironet/145557/4
A SOHO network on VLAN 10 having 2.4 and 5 Ghz Wifi. All ports are assigned to this VLAN
A GUEST network on VLAN 20 having 2.4 and 5 GHz Wifi. As guests will only access the network via Wifi no ports are assigned to this VLAN
An Admin network on VLAN 99. This is not used and Wifi functions, while defined are disabled.
The Mikrotik is connected to a Third Party AP that supports 802.1q on one port and a switch on another.
All the networks reference a common DNS server on 192.168.0.1
A number of devices on VLAN 10 have services (80, 443, etc) that need to be accessed from outside as well as from within the local network. Firewall NAT rules handle this with a Hairpin NAT entry at the very top to route internal traffic through the Mikrotik (there is a Wiki on the topic)
What is not working yet is the OpenVPN functionality. Some entries related to this subject are either disabled or are simply to be ignored.
A big thank you to everyone who helped me.
# dec/30/2020 08:52:17 by RouterOS 6.48
# software id = 0E9A-7W1F
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 665805B580DC
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Connected to ISP"
set [ find default-name=ether2 ] comment="Connected to Cisco AP"
set [ find default-name=ether3 ] comment="Connected to LAN Switch"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country=malta disabled=no frequency=2442 mode=ap-bridge ssid=SOHO-AP
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-eCee country=malta disabled=no frequency=5260 mode=ap-bridge \
ssid=SOHO-AP
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=GUEST_VLAN vlan-id=20
add interface=BR1 name=SOHO_VLAN vlan-id=10
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Base \
supplicant-identity=MikroTik
/interface wireless
add mac-address=E6:8D:8C:D6:E4:5F master-interface=wlan1 name=wlan1-admin \
security-profile=Base ssid=BASE
add disabled=no mac-address=E6:8D:8C:D6:E4:5E master-interface=wlan1 name=\
wlan1-guest security-profile=guest ssid=GUEST-AP
add mac-address=E6:8D:8C:D6:E4:60 master-interface=wlan2 name=wlan2-admin \
security-profile=Base ssid=BASE
add disabled=no mac-address=E6:8D:8C:D6:E4:5D master-interface=wlan2 name=\
wlan2-guest security-profile=guest ssid=GUEST-AP
/ip pool
add name=SOHO_POOL ranges=192.168.16.20-192.168.16.99
add name=GUEST_POOL ranges=10.0.20.2-10.0.20.254
add comment="IP Range Assigned to VPN Clients" name=VPN_POOL ranges=\
192.168.88.10-192.168.88.20
/ip dhcp-server
add address-pool=SOHO_POOL disabled=no interface=SOHO_VLAN name=SOHO_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
/ppp profile
set *0 use-upnp=no
add local-address=192.168.88.1 name=VPN_PROFILE remote-address=VPN_POOL
set *FFFFFFFE use-upnp=no
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan1-guest pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan2-guest pvid=20
add bridge=BR1 interface=wlan1-admin pvid=99
add bridge=BR1 interface=wlan2-admin pvid=99
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether4,wlan1,wlan2 vlan-ids=\
10
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-guest,wlan2-guest vlan-ids=20
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-admin,wlan2-admin vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=SOHO_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes \
require-client-certificate=yes
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=xxx.yyy.zzz.180/27 comment="Fixed IP provided by ISP" interface=\
ether1 network=xxx.yyy.zzz.160
add address=192.168.16.1/24 interface=SOHO_VLAN network=192.168.16.0
add address=10.0.20.1/24 interface=GUEST_VLAN network=10.0.20.0
/ip dhcp-server network
add address=10.0.20.0/24 comment="Guest Subnet" dns-server=192.168.0.1 \
gateway=10.0.20.1
add address=192.168.16.0/24 comment="SOHO Subnet" dns-server=192.168.0.1 \
gateway=192.168.16.1
add address=192.168.89.0/24 comment="VPN Subnet" dns-server=192.168.0.1 \
gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9,8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN (OVPN)" disabled=yes \
dst-port=1194 protocol=tcp
add chain=input comment="Allow all ICMP" protocol=icmp
add action=accept chain=input comment=\
"Allow Establised and Related Connections" connection-state=\
established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward comment=SFTP disabled=yes dst-address=\
192.168.16.5 dst-port=22 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment=Plex disabled=yes dst-address=\
192.168.16.8 dst-port=32400 in-interface=ether1 protocol=tcp
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
192.168.16.0/24 src-address=192.168.16.0/24
add action=masquerade chain=srcnat comment="Default masquerade" \
out-interface-list=WAN
add action=dst-nat chain=dstnat comment=HTTP dst-address=xxx.yyy.zzz.180 \
dst-port=80 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=HTTPS dst-address=xxx.yyy.zzz.180 \
dst-port=443 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=SFTP dst-address=xxx.yyy.zzz.180 \
dst-port=5552 protocol=tcp to-addresses=192.168.16.5 to-ports=22
add action=dst-nat chain=dstnat comment=Plex dst-address=xxx.yyy.zzz.180 \
dst-port=52400 protocol=tcp to-addresses=192.168.16.8 to-ports=32400
/ip route
add comment="ISP gateway" distance=1 gateway=xxx.yyy.zzz.161
/ip service
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add comment="IP Address Assigned to user" name=chribonn profile=VPN_PROFILE \
service=ovpn
add name=connie profile=VPN_PROFILE service=ovpn
/system clock
set time-zone-name=Europe/Malta
/system identity
set name=RouterSwitchAP
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
(too fast 