Hi,
When I’ve set up different subnets and VLANs I am having trouble talking across them. For example I have several VLANs on different /24 networks and although the router can ping them and I can access them with my VPN, if I’m plugged into and getting an IP from one of the subnets I can’t reach IPs outside of that /24
I’m using 172.16.0.0/12
My base vlan is 172.16.5.0/24
I have some other vlans in 172.17.5.0/24, 172.25.10.0/24, etc
Can I make a rule that lets me access everything in 172.16.0.0/12 as long as I’m getting an address anywhere in that range?
Thanks!
anav
January 31, 2019, 10:25pm
Please post your config
/export hide-sensitive file=myconfig
Thanks for checking it out!
jan/31/2019 21:50:04 by RouterOS 6.43.8
software id = 9L9C-QQ19
model = RB4011iGS+
serial number =
/interface bridge
add admin-mac=B8:69:F4:BA:85:DE auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1-WAN speed=1Gbps
# All three VLAN interfaces hang off "bridge". Note that the LAN interface
# list further down contains only "bridge" itself, so packets that arrive on
# these VLAN interfaces are not expected to match in-interface-list=LAN in
# the firewall (see the input-chain drop rule) — TODO confirm on this version.
/interface vlan
add interface=bridge name=vlan17-servers vlan-id=17
add interface=bridge name=vlan101-T1Radios vlan-id=101
add interface=bridge name=vlan1001-T1Subs vlan-id=1001
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# dhcp_pool3/dhcp_pool5 cover the same range, and dhcp_pool4/dhcp_pool6
# almost do. Only dhcp, dhcp_pool2, dhcp_pool5 and dhcp_pool6 are referenced
# by a DHCP server below, so pool3 and pool4 are unused and can be removed.
/ip pool
add name=dhcp ranges=172.16.5.100-172.16.5.200
add name=vpn ranges=172.16.0.100-172.16.0.200
add name=dhcp_pool2 ranges=172.17.5.100-172.17.5.254
add name=dhcp_pool3 ranges=172.25.10.200-172.25.10.250
add name=dhcp_pool4 ranges=10.10.10.201-10.10.10.250
add name=dhcp_pool5 ranges=172.25.10.200-172.25.10.250
add name=dhcp_pool6 ranges=10.10.10.200-10.10.10.250
# The defconf DHCP server is bound to "bridge", while the matching
# 172.16.5.1/24 address is bound to ether1 (see /ip address).
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool2 disabled=no interface=vlan17-servers name=dhcp1
add address-pool=dhcp_pool5 disabled=no interface=vlan101-T1Radios name=dhcp2
add address-pool=dhcp_pool6 disabled=no interface=vlan1001-T1Subs name=dhcp3
# VPN clients are handed 172.16.0.x from pool "vpn" with 172.16.0.1 as the
# local end. That subnet has no /ip address entry of its own; it is reached
# by the firewall/NAT rules only through the broad 172.16.0.0/12 matches.
/ppp profile
set *FFFFFFFE local-address=172.16.0.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
# The WAN port is listed as a bridge port; it is disabled, but keeping a WAN
# interface in the LAN bridge definition at all is a risk if someone
# re-enables it. Prefer deleting the entry.
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1-WAN
# ether1 is a bridge port, yet the LAN address below is bound to ether1
# rather than to "bridge".
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1-WAN list=WAN
# PPTP is enabled alongside L2TP/IPsec and SSTP. PPTP (MS-CHAPv2/MPPE) is
# widely regarded as broken; if no client still depends on it, disable this
# server and remove the tcp/1723 input accept rule below.
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
# LAN gateway address on ether1 (a bridge port) instead of on "bridge".
add address=172.16.5.1/24 comment=defconf interface=ether1 network=172.16.5.0
# "network=" continues on the following line (export line wrapping).
add address=70.xxx.xxx.106/29 interface=sfp-sfpplus1-WAN network=
70.xxx.xxx.104
add address=172.17.5.1/24 interface=vlan17-servers network=172.17.5.0
add address=172.25.10.1/24 interface=vlan101-T1Radios network=172.25.10.0
# 10.10.10.0/24 lies outside 172.16.0.0/12, so none of the /12-wide
# firewall or NAT rules below apply to this VLAN.
add address=10.10.10.1/24 interface=vlan1001-T1Subs network=10.10.10.0
# Additional public addresses on the WAN interface; .107 is used by the
# dst-nat/src-nat pair in /ip firewall nat.
add address=70.xxx.xxx.107/29 interface=sfp-sfpplus1-WAN network=
70.xxx.xxx.104
add address=70.xxx.xxx.108/29 interface=sfp-sfpplus1-WAN network=
70.xxx.xxx.104
/ip cloud
set ddns-enabled=yes
# A DHCP client on the WAN interface alongside the static /29 addresses and
# the static default route below; intent unclear — confirm it is wanted.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=sfp-sfpplus1-WAN
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=172.16.5.0/24 comment=defconf gateway=172.16.5.1 netmask=24
add address=172.17.5.0/24 gateway=172.17.5.1
add address=172.25.10.0/24 gateway=172.25.10.1
# The router resolves DNS for clients. Only the input-chain drop rule below
# keeps it from being an open resolver towards WAN.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=172.16.5.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
# Accepts every router service from any 172.16.0.0/12 source — every VLAN in
# that range plus all VPN clients — ahead of the per-port rules.
add action=accept chain=input comment="allow any from inside/vpn"
src-address=172.16.0.0/12
# 172.25.10.0/24 is inside 172.16.0.0/12, so this rule is shadowed by the
# one above and never matches.
add action=accept chain=input src-address=172.25.10.0/24
# VPN service ports are accepted from any interface; because these precede
# the final drop, they are reachable from WAN, which is presumably intended.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Everything not matched above is dropped unless it arrived on a LAN-list
# interface. Since LAN contains only "bridge", the 10.10.10.0/24 VLAN (also
# outside the /12) presumably cannot reach router services such as DNS —
# TODO confirm.
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
# No forward rule restricts traffic between VLANs: only invalid and
# un-DSTNATed new connections from WAN are dropped, so cross-subnet
# reachability problems are more likely to come from NAT or addressing than
# from the filter. If segmentation between VLANs is wanted, it must be added
# here explicitly.
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
# Forwards every protocol and port of 70.xxx.xxx.107 to 172.17.5.253.
# Adding protocol= and dst-port= would limit exposure to the intended service.
add action=dst-nat chain=dstnat dst-address=70.xxx.xxx.107 to-addresses=
172.17.5.253
# Matches traffic from 172.17.5.253 to its own public address; intent is
# unclear — confirm whether this is meant as a hairpin rule.
add action=src-nat chain=srcnat dst-address=70.xxx.xxx.107 src-address=
172.17.5.253 to-addresses=70.xxx.xxx.107
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
# The four rules below carry no out-interface, so they masquerade traffic
# routed between VLANs (and to VPN clients) as well, rewriting the source to
# the router's own address. Besides breaking inter-VLAN communication for
# anything that cares about the source, it hides which host originated a
# connection from logs on the destination side. Restrict them with
# out-interface= (e.g. the VPN interface) or remove them; WAN egress is
# already handled by the defconf masquerade above.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=
172.16.0.0/12
add action=masquerade chain=srcnat src-address=172.25.10.0/24
add action=masquerade chain=srcnat disabled=yes src-address=172.17.5.0/24
add action=masquerade chain=srcnat src-address=10.10.10.0/24
/ip route
add distance=1 gateway=70.xxx.xxx.105
# Password omitted by the hide-sensitive export.
/ppp secret
add name=vpn
/system clock
set time-zone-name=America/Phoenix
/system identity
set name=RW_Core
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
mkx
February 1, 2019, 6:12am
You need to make these src-nat rules more selective (e.g. use out-interface as well):
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=172.16.0.0/12
add action=masquerade chain=srcnat src-address=172.25.10.0/24
add action=masquerade chain=srcnat disabled=yes src-address=172.17.5.0/24
add action=masquerade chain=srcnat src-address=10.10.10.0/24
Probably you really only use the first one (with the addition of out-interface being the name of the VPN interface); right now it overlaps the next two. The other 3 are (most probably) adequately covered by the preceding
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
which src-nats everything going out to WAN. I don’t think you need src-nat for inter-VLAN connections.
You need to re-think the VPN masquerade rule as it doesn’t cover VLAN 10.10.10.0/24 … currently the last rule covers that but if you’ll rework NAT rules, take care of it as well.
anav
February 1, 2019, 2:57pm
What is the purpose of identical or near identical pools??
add name=dhcp_pool3 ranges=172.25.10.200-172.25.10.250
add name=dhcp_pool5 ranges=172.25.10.200-172.25.10.250
add name=dhcp_pool4 ranges=10.10.10.201-10.10.10.250
add name=dhcp_pool6 ranges=10.10.10.200-10.10.10.250
I note that 2,5,6 pools are the ones actually noted in the applicable server entry.
This should not be on the bridge port rules, but I see it’s disabled.
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1-WAN
The Interface for address of LAN should be interface=bridge
Plus Duplicate entry in address at the end???
/ip address
add address=172.16.5.1/24 comment=defconf interface=ether1 network=172.16.5.0
add address=70.xxx.xxx.106/29 interface=sfp-sfpplus1-WAN network=
70.xxx.xxx.104
add address=172.17.5.1/24 interface=vlan17-servers network=172.17.5.0
add address=172.25.10.1/24 interface=vlan101-T1Radios network=172.25.10.0
add address=10.10.10.1/24 interface=vlan1001-T1Subs network=10.10.10.0
add address=70.xxx.xxx.107/29 interface=sfp-sfpplus1-WAN network=
70.xxx.xxx.104
add address=70.xxx.xxx.108/29 interface=sfp-sfpplus1-WAN network=
70.xxx.xxx.104
You can get rid of the legacy/default dns static rule
/ip dns static
add address=172.16.5.1 name=router.lan
Besides mkx’s point about only needing one properly formatted masquerade rule…
/ip firewall nat
add action=dst-nat chain=dstnat in-interface=wan to-addresses=serverIP
You need also protocol and destination port