Help with VLAN firewall rules and SMB transfer speed.

Hi!

This is my first time configuring any kind of VLANs. (Router: RBD52G-5HacD2HnD)

Started with default router config and was following example from this post http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 to set up VLANs.

Goals:
Since I’m always living on BASE_VLAN, BASE_VLAN should have access to any VLANs and internet.
All other VLANs should only be able to access the internet and machines that are within the same VLAN.
Basic security.

VLANs:
BASE_VLAN - used only by my personal devices
SERVERS_VLAN - used by hypervisor
GUESTS_VLAN - used by work pc, IOT devices and AP

I’ve run into two issues so far:

  1. Time sync on Windows hosts isn't working. I had to set up an NTP client and server on the router and manually point the Windows hosts at the router as their NTP server.
  2. During SMB file transfers between VLANs/ports, router CPU usage peaks at 30% and the transfer speed is limited to 50mb/s, while transfers within the same VLAN are roughly 10x faster. A wired connection is used for the transfers in both cases.

Can anyone experienced take a look at my firewall rules and give some recommendations? :slight_smile:

Firewall rules:

# NOTE(review): rules are evaluated top-down and the first terminating match
# wins; several rules below are ordered so that they can never match.
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
# Drops traffic to the router itself from WAN and every other non-VLAN interface.
# BASE_VLAN is itself a member of the VLAN list, so it is NOT dropped here.
add action=drop chain=input comment="defconf: drop all not coming from VLAN" in-interface-list=!VLAN
# Accepts EVERY service from EVERY VLAN, GUESTS_VLAN (work PC, IoT) included:
# DNS, NTP, and any management service left enabled in /ip service. Only the
# trusted VLAN should get blanket access; the others should be limited to the
# services they actually need (udp/tcp 53 for DNS, udp 123 for NTP).
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
# Never reached: BASE_VLAN already matched the blanket "Allow VLAN" rule above.
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
# This accept catches established/related flows BEFORE the fasttrack rule
# below, so fasttrack never fires and every inter-VLAN packet takes the full
# conntrack path through the CPU. Move fasttrack (and its accept) to the top
# of the forward chain.
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow BASE access any VLAN" in-interface-list=BASE out-interface-list=VLAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Catch-all drop; the WAN rule after it is unreachable (harmless but misleading).
add action=drop chain=forward comment=Drop
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# NOTE(review): stray trailing quote after WAN (paste artifact?) — the full
# export further down in the thread has no such quote.
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN"

First one may be related to firewall rules but second one most likely to VLAN setup.
First guess: your VLAN traffic is being forwarded through the CPU instead of being hardware-offloaded to the switch chip.
If you look at `/interface bridge port print`, do the related ports show the `H` (hardware-offload) flag in front of them or not?

So we may have to take a look at your full config (minus serial and other private info).

All ports have Hardware Offload enabled.

Here is the config:

/interface bridge
# NOTE(review): bridge VLAN filtering is done in software on this model (see the
# hardware-offload discussion later in the thread) — every frame between bridge
# ports, even within one VLAN, is handled by the CPU.
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
# ether5 (guest port) is deliberately capped at 10/100, but only HALF duplex is
# advertised at 100M; under load that means collisions and retransmits.
# Advertise 100M-full instead unless half-duplex is really intended.
set [ find default-name=ether5 ] advertise=10M-half,10M-full,100M-half
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=2G wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=5G wireless-protocol=802.11
/interface vlan
# Routed (L3) interfaces for each VLAN, all riding on BR1 (tagged=BR1 below).
# No arp= setting is given, so all three use the default (dynamic) ARP mode;
# the static /ip arp entries further down therefore do not enforce anything.
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=GUESTS_VLAN vlan-id=200
add interface=BR1 name=SERVERS_VLAN vlan-id=100
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
# One default profile (WPA2-PSK) shared by both SSIDs, and both wlans are
# placed in BASE_VLAN (pvid=99 below): whoever has the Wi-Fi key lands in the
# TRUSTED VLAN. Consider a separate SSID/security profile with pvid=200 for
# guest and IoT clients.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=SERVERS_POOL ranges=192.168.100.10-192.168.100.254
add name=GUESTS_POOL ranges=192.168.200.10-192.168.200.254
add name=BASE_POOL ranges=192.168.89.10-192.168.89.254
/ip dhcp-server
add address-pool=SERVERS_POOL disabled=no interface=SERVERS_VLAN name=SERVERS_DHCP
add address-pool=GUESTS_POOL disabled=no interface=GUESTS_VLAN name=GUESTS_DHCP
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
/interface bridge port
# Access ports: pvid makes each port a dynamic untagged member of its VLAN —
# that is where the untagged membership asked about later in the thread comes from.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=100
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=200
# ether5 lacks the frame-types restriction the other access ports have, so it
# accepts 802.1Q-tagged frames from the guest device. ingress-filtering limits
# those to VLANs ether5 is a member of (only 200 via its pvid), but set
# frame-types=admit-only-untagged-and-priority-tagged like the others so a guest
# cannot send tagged frames at all.
add bridge=BR1 ingress-filtering=yes interface=ether5 pvid=200
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=99
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
# Only the bridge itself (CPU side) is a tagged member; access-port membership
# comes dynamically from pvid. Listing the ports as untagged= here is optional
# but makes the membership explicit.
add bridge=BR1 tagged=BR1 vlan-ids=100
add bridge=BR1 tagged=BR1 vlan-ids=200
add bridge=BR1 tagged=BR1 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
# BASE_VLAN is in BOTH lists: any firewall rule matching in-interface-list=VLAN
# (or !VLAN) treats BASE_VLAN exactly like the guest and server VLANs.
add interface=BASE_VLAN list=VLAN
add interface=SERVERS_VLAN list=VLAN
add interface=GUESTS_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.89.1/24 interface=BASE_VLAN network=192.168.89.0
add address=192.168.100.1/24 interface=SERVERS_VLAN network=192.168.100.0
add address=192.168.200.1/24 interface=GUESTS_VLAN network=192.168.200.0
/ip arp
# Static ARP entries for the servers. NOTE(review): these only pin IP<->MAC if
# SERVERS_VLAN is also set to arp=reply-only; with the default ARP mode they do
# not stop another device from using these addresses.
add address=192.168.100.10 interface=SERVERS_VLAN mac-address=70:85:C2:93:88:64
add address=192.168.100.11 interface=SERVERS_VLAN mac-address=5E:6D:73:13:B0:D7
add address=192.168.100.100 interface=SERVERS_VLAN mac-address=A6:E7:4C:74:C1:32
add address=192.168.100.102 interface=SERVERS_VLAN mac-address=96:66:CA:85:6E:97
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.100.11 client-id=1:5e:6d:73:13:b0:d7 mac-address=5E:6D:73:13:B0:D7 server=SERVERS_DHCP
add address=192.168.100.10 mac-address=70:85:C2:93:88:64 server=SERVERS_DHCP
add address=192.168.100.102 client-id=ff:ca:53:9:5a:0:2:0:0:ab:11:2f:b8:1b:3c:f4:79:a0:ce mac-address=96:66:CA:85:6E:97 server=SERVERS_DHCP
add address=192.168.100.100 client-id=ff:ca:53:9:5a:0:2:0:0:ab:11:d2:9:f8:54:78:24:ce:1e mac-address=A6:E7:4C:74:C1:32 server=SERVERS_DHCP
/ip dhcp-server network
# All three VLANs are handed 192.168.89.1 (the BASE_VLAN address) as DNS. It
# works because the router owns that address and the input chain accepts from
# the VLAN list, but giving each VLAN its own gateway address as DNS keeps the
# traffic inside its own subnet and makes per-VLAN firewalling simpler.
add address=192.168.89.0/24 dns-server=192.168.89.1 gateway=192.168.89.1
add address=192.168.100.0/24 dns-server=192.168.89.1 gateway=192.168.100.1
add address=192.168.200.0/24 dns-server=192.168.89.1 gateway=192.168.200.1
/ip dns
# The router acts as a resolver; the input chain must never accept port 53
# from WAN (currently covered by the "drop all not coming from VLAN" rule below).
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
# Drops WAN (and any non-VLAN interface) traffic to the router; BASE_VLAN is a
# member of the VLAN list, so it is not affected by this rule.
add action=drop chain=input comment="defconf: drop all not coming from VLAN" in-interface-list=!VLAN
# Accepts every service from every VLAN, GUESTS_VLAN included (DNS, NTP and any
# management service still enabled in /ip service). Only BASE should get
# blanket access; the others need only udp/tcp 53 and udp 123.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
# Never reached: BASE_VLAN already matched the rule above.
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
# Catches established/related BEFORE the fasttrack rule below, so fasttrack
# never fires and all inter-VLAN traffic takes the full conntrack path through
# the CPU — one reason cross-VLAN SMB is slow. Fasttrack belongs at the top.
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow BASE access any VLAN" in-interface-list=BASE out-interface-list=VLAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Catch-all drop; the WAN rule after it is unreachable.
add action=drop chain=forward comment=Drop
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
/ip service
# telnet/ftp/ssh/api are off, but www (80) and winbox (8291) are not listed here
# and so are presumably still at their defaults — reachable from every VLAN via
# the "Allow VLAN" input rule. Restrict them with address=192.168.89.0/24 (and
# prefer www-ssl over plaintext www).
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Riga
/system ntp client
set enabled=yes primary-ntp=89.111.54.85 secondary-ntp=94.100.3.214
/system ntp server
# The router serves NTP (udp/123) to the LAN. If the input chain is tightened,
# udp/123 from the VLANs must stay allowed or the Windows hosts lose time sync again.
set broadcast=yes enabled=yes
/tool mac-server
# MAC-telnet and MAC-Winbox limited to the trusted VLAN — good.
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

About this part:

/interface bridge vlan
# tagged=BR1 only: the CPU side sees tagged frames, while the access ports
# become untagged members dynamically through their pvid.
add bridge=BR1 tagged=BR1 vlan-ids=100
add bridge=BR1 tagged=BR1 vlan-ids=200
add bridge=BR1 tagged=BR1 vlan-ids=99

Where are the interface ports being added to their respective VLAN as untagged members ?

Shouldn't that be like this? (I know it happens automatically via the pvid, but I prefer setting it manually so I know exactly what is in each VLAN.)
(unsure about ether5 …)

/interface bridge vlan
# Explicit untagged membership, equivalent to what pvid creates dynamically.
# ether5 goes together with ether4 because both carry pvid=200 in the bridge
# port list; wlan1/wlan2 sit in 99 because their pvid is 99 (trusted VLAN).
add bridge=BR1 tagged=BR1 untagged=ether2 vlan-ids=100
add bridge=BR1 tagged=BR1 untagged=ether4,ether5 vlan-ids=200
add bridge=BR1 tagged=BR1 untagged=ether3,wlan2,wlan1 vlan-ids=99

Between which interfaces does the SMB transfer happen ?

Where are the interface ports being added to their respective VLAN as untagged members ?

In here I think:

/interface bridge port
# pvid is what makes each port an (untagged) member of its VLAN — the bridge
# vlan table only needs the tagged CPU-side entry. Note that ether5 is the only
# access port without frame-types=admit-only-untagged-and-priority-tagged, so
# it will accept tagged frames from the guest device (ingress-filtering then
# limits them to VLAN 200).
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=100
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=200
add bridge=BR1 ingress-filtering=yes interface=ether5 pvid=200
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=99



(unsure about ether5 …)

It is to stop guests from taking all the network bandwidth: ether5 only advertises 10M/100M (and only half-duplex at 100M, see `/interface ethernet` above).

Between which interfaces does the SMB transfer happen ?

ether2 and ether3

The order of firewall entries is crucial. Packets are evaluated from the top down and the first matching rule with a terminating action (accept/drop/fasttrack) wins…

For the input
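/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
# BASE_VLAN is a member of the VLAN list, so this does NOT drop BASE traffic;
# it drops WAN and anything else outside the list.
add action=drop chain=input comment="defconf: drop all not coming from VLAN" in-interface-list=!VLAN
# Accepts every service from every VLAN (guests included) — the BASE-only
# rule after it is therefore never reached.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=drop chain=input comment=Drop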

Note that BASE_VLAN is itself a member of the VLAN list (see `/interface list member`), so the `!VLAN` drop does not affect it; what it drops is WAN and the physical ports. The real problem is the next rule: "Allow VLAN" accepts everything from every VLAN, GUESTS_VLAN included, so the guest network has full access to the router's services (DNS, NTP and whatever is still enabled in `/ip service`), and the separate BASE_VLAN accept never matches. That blanket "Allow VLAN" entry should be removed and replaced with per-service rules for the untrusted VLANs.


And for the forward order should look like this
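/ip firewall filter
# Fasttrack first: established/related flows skip the rest of the firewall
# (and most of connection tracking) — this is what gets inter-VLAN throughput
# back. Caveat: fasttracked flows also bypass mangle and simple queues, so do
# not rely on queues for guest bandwidth limiting while this rule is active.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow BASE access any VLAN" in-interface-list=BASE out-interface-list=VLAN
# The final drop also covers unsolicited connections from WAN, so no separate
# "drop all from WAN" rule is needed.
add action=drop chain=forward comment="Drop"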

Enabled doesn't mean that it is active: `hw=yes` on a bridge port only requests offloading. The `H` flag in `/interface bridge port print` shows whether the switch chip actually took the port, and it disappears as soon as the bridge uses a feature the chip cannot handle.

RBD52G-5HacD2HnD (hAP ac²) has the AR8327 switch chip, which doesn’t support hardware offloading on a VLAN enabled bridge.
https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeHardwareOffloading

All data traffic, even between ports in the same VLAN, goes via the CPU.

I see.
So, when using VLANs on this router, does that mean the SMB transfer speed is limited to what a single CPU core can forward?

Configure the VLANs in the switch menu (`/interface ethernet switch`) instead: since this is not a CRS3xx-series device, that is the only way to make the switch chip do the VLAN forwarding.

Rats, I did check on the switch chip support but failed to see it couldn’t handle VLAN offloading …

You could leave the default bridge/Vlan path and see if something can be done using switch chip features on that device.
Not a standard approach but still possible.
See here for some pointers:
http://forum.mikrotik.com/t/hap-ac2-switch-chip-vlan-and-wifi-setup-with-remote-capsman/173557/1

Building on neki's input towards a more complete rule set: only the trusted subnet should have access to the router's configuration services; the other VLANs get just the services they need.

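/ip firewall filter
# --- input chain: only the trusted VLAN may reach router management ---
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
# No interface match here, so the router also answers ICMP from WAN; add
# in-interface-list=!WAN if you would rather not.
add action=accept chain=input comment="allow icmp" protocol=icmp
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
# Per-service allowances for the untrusted VLANs. They match on the interface
# list, so it does not matter which router address the client uses.
add action=accept chain=input comment="users to services" in-interface-list=VLAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=VLAN dst-port=53 protocol=tcp
# The router is the NTP server for the Windows hosts (including the work PC on
# GUESTS_VLAN) — without this they lose time sync again.
add action=accept chain=input comment="users to services" in-interface-list=VLAN dst-port=123 protocol=udp
# DHCP (udp/67) is deliberately not listed: the RouterOS DHCP server is
# generally reported to use raw sockets and bypass the input chain. Verify that
# GUESTS/SERVERS leases still renew after applying this; add udp/67 if not.
add action=drop chain=input comment="Drop all Else"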

And for the forward order should look like this
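/ip firewall filter
# --- forward chain ---
# Fasttrack first so established flows skip the rest of the chain (note:
# fasttracked flows also bypass mangle/queues).
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Internet Access" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow BASE access any VLAN" in-interface-list=BASE out-interface-list=VLAN
# Enable only if you add dst-nat port forwards, otherwise remove it. It accepts
# any dst-natted connection regardless of source; the dst-nat rule itself is
# what decides which service is exposed.
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
# Catch-all; this is also what drops unsolicited new connections from WAN.
add action=drop chain=forward comment="Drop all Else"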

After couple attempts, I finally moved VLANs to the switch chip.
Each machine is acquiring its correct IP address from the respective VLAN's DHCP server, as with the previous configuration.

However, I’m now experiencing issues:

  • I’m unable to ping between machines in different VLANs.


  • Pinging between machines within the same VLAN results in timeouts.


  • The router’s ping tool also times out.


  • Internet access is unavailable from within the VLANs.


  • Some machines can't be remotely accessed while on the same VLAN. This might be related to stale ARP cache entries on the hosts, maybe…


  • Wi-Fi clients don't get an IP address when they connect, but I haven't configured the wireless side for the switch-chip VLANs yet (wlan1/wlan2 are no longer bridge ports in the config below).

Any ideas?

Here is updated config:

/interface bridge
# VLAN filtering is now off on the bridge; VLAN handling has moved to the switch
# chip below. The /interface vlan interfaces on BR1 therefore need TAGGED
# frames to arrive from switch1-cpu.
add name=BR1
/interface ethernet
# Guest port capped at 10/100; only half-duplex is advertised at 100M.
set [ find default-name=ether5 ] advertise=10M-half,10M-full,100M-half
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=2G \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=5G \
    wireless-protocol=802.11
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=GUESTS_VLAN vlan-id=200
add interface=BR1 name=SERVERS_VLAN vlan-id=100
/interface ethernet switch port
# Ports are addressed by index; from the default-vlan-ids this appears to be
# 1=ether2, 2=ether3, 3=ether4, 4=ether5, 5=switch1-cpu (verify with
# /interface ethernet switch port print). Only vlan-mode and default-vlan-id
# are set; vlan-header is left at its default, so whether the access ports
# strip tags on egress and whether switch1-cpu delivers tagged frames to the
# bridge is not defined explicitly. Compare with MikroTik's "Basic VLAN
# switching - other devices" example. ether1 (index 0, WAN) is not bridged
# and is left out of the switch VLAN setup entirely.
set 1 default-vlan-id=100 vlan-mode=secure
set 2 default-vlan-id=99 vlan-mode=secure
set 3 default-vlan-id=200 vlan-mode=secure
set 4 default-vlan-id=200 vlan-mode=secure
set 5 vlan-mode=secure
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=SERVERS_POOL ranges=192.168.100.10-192.168.100.254
add name=GUESTS_POOL ranges=192.168.200.10-192.168.200.254
add name=BASE_POOL ranges=192.168.89.10-192.168.89.254
/ip dhcp-server
add address-pool=SERVERS_POOL disabled=no interface=SERVERS_VLAN name=SERVERS_DHCP
add address-pool=GUESTS_POOL disabled=no interface=GUESTS_VLAN name=GUESTS_DHCP
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
/interface bridge port
# wlan1/wlan2 are no longer bridge ports, so Wi-Fi clients have no path to any
# VLAN or DHCP server (matches the "doesn't assign IP" symptom). The wireless
# side cannot use the switch chip; it needs bridge VLAN filtering or the
# wireless interface's own VLAN settings.
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
add bridge=BR1 interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface ethernet switch vlan
# ether4 (index 3, default-vlan-id=200) is missing from the VLAN 200 entry; in
# secure mode a port that is not a member of the VLAN its PVID assigns has its
# traffic dropped. Whether switch1-cpu hands these frames to the bridge tagged
# (which the /interface vlan interfaces require) depends on the vlan-header
# setting on the switch ports above — check that before anything else.
add independent-learning=no ports=ether2,switch1-cpu switch=switch1 vlan-id=100
add independent-learning=no ports=ether3,switch1-cpu switch=switch1 vlan-id=99
add independent-learning=no ports=ether5,switch1-cpu switch=switch1 vlan-id=200
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=SERVERS_VLAN list=VLAN
add interface=GUESTS_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.200.1/24 interface=GUESTS_VLAN network=192.168.200.0
add address=192.168.100.1/24 interface=SERVERS_VLAN network=192.168.100.0
add address=192.168.89.1/24 interface=BASE_VLAN network=192.168.89.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.100.11 client-id=1:5e:6d:73:13:b0:d7 mac-address=5E:6D:73:13:B0:D7 server=SERVERS_DHCP
add address=192.168.100.10 mac-address=70:85:C2:93:88:64 server=SERVERS_DHCP
add address=192.168.100.102 client-id=ff:ca:53:9:5a:0:2:0:0:ab:11:2f:b8:1b:3c:f4:79:a0:ce mac-address=96:66:CA:85:6E:97 server=SERVERS_DHCP
add address=192.168.100.100 client-id=ff:ca:53:9:5a:0:2:0:0:ab:11:d2:9:f8:54:78:24:ce:1e mac-address=A6:E7:4C:74:C1:32 server=SERVERS_DHCP
# NOTE(review): the /ip dhcp-server network section from the previous export
# (gateway and dns-server per subnet) is absent here. If it really is gone and
# not just trimmed from the paste, clients get an address but no default
# gateway or DNS — which by itself explains "no internet" and "cannot reach
# other VLANs". Re-add it before debugging the switch side.
/ip dns
set allow-remote-requests=yes
/ip firewall filter
# Unchanged from the first config: the blanket "Allow VLAN" input accept, the
# unreachable BASE rule, and fasttrack placed after the established/related
# accept are all still present (see the earlier review comments and the
# reordered rule sets proposed above).
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from VLAN" in-interface-list=!VLAN
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow BASE access any VLAN" in-interface-list=BASE out-interface-list=VLAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment=Drop
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
/ip service
# www (80) and winbox (8291) are not listed and so presumably still enabled
# without an address restriction; with the current input chain they are
# reachable from every VLAN. Restrict with address=192.168.89.0/24.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Riga
/system ntp client
set enabled=yes primary-ntp=89.111.54.85 secondary-ntp=94.100.3.214
/system ntp server
# Keep udp/123 from the VLANs allowed in the input chain when tightening it.
set broadcast=yes enabled=yes
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE