Home Lab, Hairpin NAT situation(?) not working (with vlans)

RouterOS Beginner Basics
1

Hi! I have setup VLANS and some port forwarding, everything works as it is supposed to. But I cannot connect to the ssh server using the external IP address (ssh server is in VLAN10 and the device I am connecting from is in VLAN30). When I disable the last firewall rule, I can connect using it’s local address.
I have attempted to setup a Hairpin Nat rule, but that didn’t help it seemed. Also, since they are on different subnets, and vlans, I thought that this should “just work”.
Does anyone have any tips?

Firewall settings

/ip firewall address-list
add address=10.11.10.0/24 list=LANs
add address=192.168.30.0/24 list=LANs
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat in-interface-list=WAN
add action=accept chain=forward comment="Torfinn SSH" dst-address=10.11.10.11 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="DROP ALL other FORWARD traffic" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Torfinn SSH" dst-port=22 in-interface-list=WAN protocol=tcp to-addresses=10.11.10.11

Rest of config:

# aug/24/2021 17:36:05 by RouterOS 6.48.4
# software id = 6JIK-BB6Q
#
# model = RB760iGS
/interface bridge
add fast-forward=no name=bridge vlan-filtering=yes
/interface vlan
add comment=Management interface=bridge name=VLAN10 vlan-id=10
add comment=Management/BMC interface=bridge name=VLAN11 vlan-id=11
add comment="Remote Access" interface=bridge name=VLAN20 vlan-id=20
add comment=Devices interface=bridge name=VLAN30 vlan-id=30
add comment=Storage interface=bridge name=VLAN100 vlan-id=100
add comment=Auth interface=bridge name=VLAN110 vlan-id=110
add comment=DMZ interface=bridge name=VLAN120 vlan-id=120
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add disabled=no interface=VLAN20 name=VLAN20-DHCP
add disabled=no interface=VLAN11 name=VLAN11-DHCP
add disabled=no interface=VLAN100 name=VLAN100-DHCP
add disabled=no interface=VLAN110 name=VLAN110-DHCP
/ip pool
add name=VLAN30-POOL ranges=10.11.30.50-10.11.30.254
add name=VLAN120-POOL ranges=10.11.120.100-10.11.120.254
add name=VLAN20-POOL ranges=10.11.20.50-10.11.20.254
add name=VLAN10-POOL ranges=10.11.10.100-10.11.10.254
/ip dhcp-server
add address-pool=VLAN30-POOL disabled=no interface=VLAN30 name=VLAN30-DHCP
add address-pool=VLAN120-POOL disabled=no interface=VLAN120 name=VLAN120-DHCP
add address-pool=VLAN10-POOL disabled=no interface=VLAN10 name=VLAN10-DHCP
/ppp profile
set *FFFFFFFE local-address=10.11.20.1 remote-address=VLAN20-POOL
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged hw=no interface=ether5 pvid=10 tag-stacking=yes
add bridge=bridge hw=no interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged hw=no interface=ether3 pvid=11 tag-stacking=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged hw=no interface=ether4 pvid=30 tag-stacking=yes
/ip neighbor discovery-settings
set discover-interface-list=!none
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=30
add bridge=bridge tagged=bridge,ether2 untagged=ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 vlan-ids=11
add bridge=bridge tagged=bridge,ether2 vlan-ids=20
add bridge=bridge tagged=bridge,ether2 vlan-ids=100
add bridge=bridge tagged=bridge,ether2 vlan-ids=110
add bridge=bridge tagged=bridge,ether2 vlan-ids=120
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=VLAN10 list=LAN
add interface=VLAN30 list=LAN
add interface=VLAN20 list=LAN
add interface=VLAN11 list=LAN
add interface=VLAN100 list=LAN
add interface=VLAN110 list=LAN
add interface=VLAN120 list=LAN
/ip address
add address=10.11.30.1/24 interface=VLAN30 network=10.11.30.0
add address=10.11.10.1/24 interface=VLAN10 network=10.11.10.0
add address=10.11.120.1/24 interface=VLAN120 network=10.11.120.0
add address=10.11.11.1/24 interface=VLAN11 network=10.11.11.0
add address=10.11.20.1/24 interface=VLAN20 network=10.11.20.0
add address=10.11.100.1/24 interface=VLAN100 network=10.11.100.0
add address=10.11.110.1/24 interface=VLAN110 network=10.11.110.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=10.11.10.11 client-id=... comment=Torfinn mac-address=... server=VLAN10-DHCP
/ip dhcp-server network
add address=10.11.10.0/24 gateway=10.11.10.1
add address=10.11.11.0/24 gateway=10.11.11.1
add address=10.11.20.0/24 gateway=10.11.20.1
add address=10.11.30.0/24 gateway=10.11.30.1
add address=10.11.100.0/24 gateway=10.11.100.1
add address=10.11.110.0/24 gateway=10.11.110.1
add address=10.11.120.0/24 gateway=10.11.120.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.11.10.0/24
set ssh address=10.11.10.0/24
set www-ssl address=10.11.10.0/24 disabled=no
set api disabled=yes
set winbox address=10.11.10.0/24,10.11.30.0/24
set api-ssl address=10.11.10.0/24 disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
add name=...
/system clock
set time-zone-name=Europe/Oslo
/system identity
set name=Victor
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Also, I am a bit confused on VLANS yet, I don’t understand why i can connect to devices on different vlans, and that it only stops when I add the

action=drop chain=forward

rule. Could anyone clarify that for me?

Thanks!

Hairpin nat & 2 Vlans
2

Hairpin NAT is not an issue if the server and the users are on different subnets behind the router.
Therefore its not likely a sourcenat issue.
One will have to review the dst nat rules most likely and perhaps firewall rules.

(1) What is the purpose of this rule, it looks confused to me??
It appears as though you wish to allow direct access to a LAN device from the internet. Any port forwarding rules should be in the Destination NAT rule area and thus this needs to be removed.
add action=accept chain=forward comment=“Torfinn SSH” dst-address=10.11.10.11 in-interface-list=WAN protocol=tcp

If on the other hand you wanted to SSH in to manage the router, that is not recommended (VPN is recommended).

(3) What is the purpose of this rule…
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Seeing as you already have an ALLOW port forwarding rule in place
add action=accept chain=forward comment=“Allow Port Forwarding” connection-nat-state=dstnat in-interface-list=WAN

(4) I absolutely detest configs where the people have mixed up the input chain with forward chain rules…keep them separated, much cleaner and easier to see such duplications.

(5) OKay I see the problem you have a mix of default rules and some better ones cleaned up for you…

/ip firewall filter
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=drop chain=input comment=“defconf: drop all not coming from LAN” in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=forward comment=“ENABLE LAN to WAN” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“Allow Port Forwarding” connection-nat-state=dstnat in-interface-list=WAN
add action=drop chain=forward comment=“DROP ALL other FORWARD traffic” disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade” ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=“Torfinn SSH” dst-port=22 in-interface-list=WAN protocol=tcp to-addresses=10.11.10.11

3

  1. You have no HairPin NAT configured… You only have a dst-nat rule and nothing more…
    For the HairPin NAT you will need a src-nat rule ,out-interface=VLAN10, src-address=the Source address, dst-address=the destination address and action=masquerade…

  2. VLANs work on Layer 2 of the OSI level… They are used for network segmentation and they do create different broadcast domains…
    They do not operate on Layer 3, so when you try to reach another VLAN through the Network Layer 3 ofcorse you can…

4

Now for the config of the rest of the router, review.

(1) You have identified 7 VLANS but your config is incomplete as
you only have 4 DHCP Servers ???
?? Okay there is another set of them WHY effing separated LOL.!!
So you have 7 matching DHCP servers
but you only have 4 IP pools ???
Missing IP pools for vlans, 10, 11, 100,

(2) suggest set this to LAN.
/ip neighbor discovery-settings
set discover-interface-list=!none

(3) You should not have to list all the VLANS as part of LAN as their parent interface is the Bridge.

(4) For the dhcp server networks, confirm each has a dns-server
ex. /ip dhcp-server network
add address=10.11.10.0/24 dns-server= 10.11.10.1 gateway=10.11.10.1

(5) If one is using SSH to the server AND NOT TO the router (remember to the router is not a secure method for managing the config from exteranal to the network).
then these should be and normally are disabled.. They have nothing to do with SSH into a server.
set www address=10.11.10.0/24
set ssh address=10.11.10.0/24
set www-ssl address=10.11.10.0/24 disabled=no

(6) Winbox addresses I see you have two LAN sunbets identified, VLAN 10 Managment and VLAN30?
Why would you allow a devices network access to the router??
If legit then I would I suggest the following changes..
a.
/interface list
add name=LAN
add name=WAN
add name=manage
b.
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=VLAN10 list=manage
add interface=VLAN30 list=manage
c.
/tool mac-server mac-winbox
set allowed-interface-list=manage
d. (replace the last rule with four rules, the first new rule allows only the managed networks full access to the router instead of all users on all the vlans.
(the users still need access to DNS services and thus we need dns rules)
(the last drop all rule drops all other traffic to and fro the router itself that is not authorized by the admin - CAUTION: only add this when the other rules are in place)
/ip firewall filter
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“allow admin networks” in-interface-list=manage {***optional source-address firewall list}
add action=accept chain=input comment=“Allow LAN DNS queries - TCP”
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment=“Allow LAN DNS queries-UDP”
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input

*** You can put all the IPs of admin devices into a firewall list (static fixed subnet IPs) and thus reduce access to the router to specific IPs within the two vlans in the management interface.

(7) Okay lets look at bridge ports next! - You are defining 4 of the ports.
It appears that ether2 is probably a hybrid port but not sure, it looks like an access port due to PVID but since you didnt stipulate only untagged and priority tagged packets I am assuming its a hybrid port and thus both tagged and one untagged vlan may running through ether2. This begs the question what device is on the other end of eth2 ???
In any case you could add ingress filtering to the bridge ports.

What is the purpose of tag stacking here??

(8) bridge vlan settings… - 0kay see those and reviewing.
Allright the picture is a bit clearer.
You wish to run ether2 as a TRUNK port and run every vlan tagged through it.

(9) Therefore find below a revamp of these settings

/interface bridge port
add bridge=bridge hw=no interface=ether2 admit-only-tagged-frames ingress-flitering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged hw=no interface=ether3 pvid=11 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged hw=no interface=ether4 pvid=30 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged hw=no interface=ether5 pvid=10 ingress-filtering=yes

/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 untagged=ether3 vlan-ids=11
add bridge=bridge tagged=bridge,ether2 vlan-ids=20,100,110,120
add bridge=bridge tagged=bridge,ether2 untagged=ether4 vlan-ids=30

note, the router automatically creates the untagged bridge vlan settings based on the bridge port pvid settings, so they
are not required to be hard entered like I have above. I prefer the hard entry to match my bride port with what I intended on vlan filter as a cross-check.
Its also easy to read and understand this way.

/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 vlan-ids=11
add bridge=bridge tagged=bridge,ether2 vlan-ids=20,100,110,120
add bridge=bridge tagged=bridge,ether2 vlan-ids=30

what I am not sure about is if this would also work automagically for the untagged vlans ??
add bridge=bridge tagged=bridge,ether2 vlan-ids=10,11,20,30,100,110,120

5

(1) I added the “Allow Port forwarding” rule later, I first had this to enable port forwarding to that server.
(3) No idea, defconf so it was there
Thank you, I have now this config:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat in-interface-list=WAN
add action=drop chain=forward comment="DROP ALL other FORWARD traffic"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Torfinn SSH" dst-port=22 in-interface-list=WAN protocol=tcp to-addresses=10.11.10.11

Unfortunately, port forwarding still only works from outside the network. But I cannot connect from other VLANs using the external IP/Domain. And I just don’t understand what else to change… I have also tried to setup a webserver on port 80, just to check that the ssh server config is not the problem. But I got the exact same behaviour.

I have updated most of these things as well now.
(1) The plan was to on those networks without pools only assign static addresses, I now added some small pools to them anyway.
I have no idea why they were separated, i just did /export hide-sensitive.
(2) Did that.
(3) I tried to only have the bridge in that list, but then the firewall rules with LAN and !LAN didn’t work as expected anymore…
(4) I didn’t do this, i added the router as dns for all the networks (the gateway address), but I guess the DNS server is not setup correctly.
(5) I wanted to use www and ssh from the manage vlan. But disabled them for now.
(6) VLAN30 being allowed to access winbox is only temporary, when things work as they should it will only be VLAN10.
(7) It was meant to be a hybrid port for testing, a trunk port when a switch or vlan aware device is connected, and a access port when other devices are connected.
I have removed tag stacking, that was there because it was active in some of the guides/tutorials I read. I have now disabled it after reading up on what it is.

# aug/27/2021 13:34:35 by RouterOS 6.48.4
# software id = 6JIK-BB6Q
#
# model = RB760iGS
# serial number = D4500D910DB4
/interface bridge
add fast-forward=no name=bridge vlan-filtering=yes
/interface vlan
add comment=Management interface=bridge name=VLAN10 vlan-id=10
add comment=Management/BMC interface=bridge name=VLAN11 vlan-id=11
add comment="Remote Access" interface=bridge name=VLAN20 vlan-id=20
add comment=Devices interface=bridge name=VLAN30 vlan-id=30
add comment=Storage interface=bridge name=VLAN100 vlan-id=100
add comment=Auth interface=bridge name=VLAN110 vlan-id=110
add comment=DMZ interface=bridge name=VLAN120 vlan-id=120
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=VLAN30-POOL ranges=10.11.30.50-10.11.30.254
add name=VLAN120-POOL ranges=10.11.120.100-10.11.120.254
add name=VLAN20-POOL ranges=10.11.20.50-10.11.20.254
add name=VLAN10-POOL ranges=10.11.10.100-10.11.10.254
add name=VLAN11-POOL ranges=10.11.11.200-10.11.11.254
add name=VLAN100-POOL ranges=10.11.100.154-10.11.100.200
add name=VLAN110-POOL ranges=10.11.110.200-10.11.110.254
/ip dhcp-server
add address-pool=VLAN20-POOL disabled=no interface=VLAN20 name=VLAN20-DHCP
add address-pool=VLAN11-POOL disabled=no interface=VLAN11 name=VLAN11-DHCP
add address-pool=VLAN100-POOL disabled=no interface=VLAN100 name=VLAN100-DHCP
add address-pool=VLAN110-POOL disabled=no interface=VLAN110 name=VLAN110-DHCP
add address-pool=VLAN30-POOL disabled=no interface=VLAN30 name=VLAN30-DHCP
add address-pool=VLAN120-POOL disabled=no interface=VLAN120 name=VLAN120-DHCP
add address-pool=VLAN10-POOL disabled=no interface=VLAN10 name=VLAN10-DHCP
/ppp profile
set *FFFFFFFE local-address=10.11.20.1 remote-address=VLAN20-POOL
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged hw=no ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged hw=no ingress-filtering=yes interface=ether2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged hw=no ingress-filtering=yes interface=ether3 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged hw=no ingress-filtering=yes interface=ether4 pvid=30
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=30
add bridge=bridge tagged=bridge,ether2 untagged=ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 vlan-ids=11
add bridge=bridge tagged=bridge,ether2 vlan-ids=20
add bridge=bridge tagged=bridge,ether2 vlan-ids=100
add bridge=bridge tagged=bridge,ether2 vlan-ids=110
add bridge=bridge tagged=bridge,ether2 vlan-ids=120
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=VLAN10 list=LAN
add interface=VLAN11 list=LAN
add interface=VLAN20 list=LAN
add interface=VLAN100 list=LAN
add interface=VLAN110 list=LAN
add interface=VLAN120 list=LAN
add interface=VLAN30 list=LAN
/ip address
add address=10.11.30.1/24 interface=VLAN30 network=10.11.30.0
add address=10.11.10.1/24 interface=VLAN10 network=10.11.10.0
add address=10.11.120.1/24 interface=VLAN120 network=10.11.120.0
add address=10.11.11.1/24 interface=VLAN11 network=10.11.11.0
add address=10.11.20.1/24 interface=VLAN20 network=10.11.20.0
add address=10.11.100.1/24 interface=VLAN100 network=10.11.100.0
add address=10.11.110.1/24 interface=VLAN110 network=10.11.110.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=10.11.30.10 client-id=1:8c:3b:ad:e4:97:e8 comment="Netgear Router" mac-address=8C:3B:AD:E4:97:E8 server=VLAN30-DHCP
add address=10.11.10.11 client-id=1:dc:a6:32:e:3f:2d comment=Torfinn mac-address=DC:A6:32:0E:3F:2D server=VLAN10-DHCP
add address=10.11.11.10 client-id=1:84:2b:2b:47:c0:f1 comment="Frank BMC" mac-address=84:2B:2B:47:C0:F1 server=VLAN11-DHCP
/ip dhcp-server network
add address=10.11.10.0/24 gateway=10.11.10.1
add address=10.11.11.0/24 gateway=10.11.11.1
add address=10.11.20.0/24 gateway=10.11.20.1
add address=10.11.30.0/24 gateway=10.11.30.1
add address=10.11.100.0/24 gateway=10.11.100.1
add address=10.11.110.0/24 gateway=10.11.110.1
add address=10.11.120.0/24 gateway=10.11.120.1
/ip firewall address-list
add address=10.11.10.0/24 list=LANs
add address=192.168.30.0/24 list=LANs
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.11.10.0/24
set ssh address=10.11.10.0/24 disabled=yes
set www-ssl address=10.11.10.0/24 disabled=no
set api disabled=yes
set winbox address=10.11.10.0/24,10.11.30.0/24
set api-ssl address=10.11.10.0/24 disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
add name=...
/system clock
set time-zone-name=Europe/Oslo
/system identity
set name=Victor
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Thank you for the answers! Still no luck in solving this tho

6

Your dst-nat rule is what is limiting you to outside connections only. Local traffic does not come in on WAN, so you can not use in-interface or in-interface-list. Instead, use dst-address with either external ip address (static address) or ddns (dynamic address). You can also set dst-address-type=local and exclude all of the routers LAN addresses (dynamic address).

7

Have no idea what 2frogs is talking about but assume I will see it as going through the config.

(1) bridge vlan filtering rules are not quite there if you prefer POSITIVE indications of what is untagged otherwise you can leave it as is. Just trying to be consistent as you have ether5 untagged in the setup, so you can have them not all noted (automatically applied but not visible if not being used and not visible on a config export) or as I prefer all noted and all visible all the time..

Finally for straight vlans IDs with no other conflicts or interest in other ports (no untagging) you can combine on one line…
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=ether4 vlan-ids=30
add bridge=bridge tagged=bridge,ether2 untagged=ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 untagged=ether3 vlan-ids=11
add bridge=bridge tagged=bridge,ether2 vlan-ids=20,100,110,120

(2) This has been known in the past to potentially cause issues and unless using the MT APP on smartphone, best to set to none.
/interface detect-internet
set detect-interface-list=all

(3) For security reasons, normally WWW is disabled, dont know anybody who uses it…
/ip service
set www address=10.11.10.0/24

(4) Missing, any route information which informs the router how traffic will egress the router???

(5) This should be set to LAN for now.
/tool mac-server mac-winbox
set allowed-interface-list=none

(6) Missing: FIREWALL RULES NAT RULES ???

8

2frogs answer:

helped me solve this, I added a address and used that as the destination address for the nat rule, instead of using any in-interface or such.

/ip cloud
set ddns-enables=yes
/ip firewall address-list
add address=<CLOUD-DDNS-ADDRESS> list=WANs
/ip firewall NAT
add action=dst-nat chain=dstnat dst-address-list=WANs dst-port=22 protocol=TCP to-address=10.11.10.11
/ip firewall filter
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat in-interface=ether1
add action=accept chain=forward comment="Allow Port forwarding from LAN" connection-nat-state=dstnat in-interface-list=LAN

Thank you for all comments!

This is the config now for anyone interested:

# sep/18/2021 17:07:47 by RouterOS 6.48.4
# software id = 6JIK-BB6Q
#
# model = RB760iGS
# serial number = ...
/interface bridge
add fast-forward=no name=bridge vlan-filtering=yes
/interface vlan
add comment=Management interface=bridge name=VLAN10 vlan-id=10
add comment=Management/BMC interface=bridge name=VLAN11 vlan-id=11
add comment="Remote Access" interface=bridge name=VLAN20 vlan-id=20
add comment=Devices interface=bridge name=VLAN30 vlan-id=30
add comment=Storage interface=bridge name=VLAN100 vlan-id=100
add comment=Auth interface=bridge name=VLAN110 vlan-id=110
add comment=DMZ interface=bridge name=VLAN120 vlan-id=120
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=VLAN30-POOL ranges=10.11.30.50-10.11.30.254
add name=VLAN120-POOL ranges=10.11.120.100-10.11.120.254
add name=VLAN20-POOL ranges=10.11.20.50-10.11.20.254
add name=VLAN10-POOL ranges=10.11.10.100-10.11.10.254
add name=VLAN11-POOL ranges=10.11.11.200-10.11.11.254
add name=VLAN100-POOL ranges=10.11.100.154-10.11.100.200
add name=VLAN110-POOL ranges=10.11.110.200-10.11.110.254
/ip dhcp-server
add address-pool=VLAN20-POOL disabled=no interface=VLAN20 name=VLAN20-DHCP
add address-pool=VLAN11-POOL disabled=no interface=VLAN11 name=VLAN11-DHCP
add address-pool=VLAN100-POOL disabled=no interface=VLAN100 name=VLAN100-DHCP
add address-pool=VLAN110-POOL disabled=no interface=VLAN110 name=VLAN110-DHCP
add address-pool=VLAN30-POOL disabled=no interface=VLAN30 name=VLAN30-DHCP
add address-pool=VLAN120-POOL disabled=no interface=VLAN120 name=VLAN120-DHCP
add address-pool=VLAN10-POOL disabled=no interface=VLAN10 name=VLAN10-DHCP
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged hw=no ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge hw=no ingress-filtering=yes interface=ether2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged hw=no ingress-filtering=yes interface=ether3 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged hw=no ingress-filtering=yes interface=ether4 pvid=30
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=30
add bridge=bridge tagged=bridge,ether2 untagged=ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 vlan-ids=11
add bridge=bridge tagged=bridge,ether2 vlan-ids=20
add bridge=bridge tagged=bridge,ether2 vlan-ids=100
add bridge=bridge tagged=bridge,ether2 vlan-ids=110
add bridge=bridge tagged=bridge,ether2 vlan-ids=120
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=VLAN10 list=LAN
add interface=VLAN11 list=LAN
add interface=VLAN20 list=LAN
add interface=VLAN100 list=LAN
add interface=VLAN110 list=LAN
add interface=VLAN120 list=LAN
add interface=VLAN30 list=LAN
/ip address
add address=10.11.30.1/24 interface=VLAN30 network=10.11.30.0
add address=10.11.10.1/24 interface=VLAN10 network=10.11.10.0
add address=10.11.120.1/24 interface=VLAN120 network=10.11.120.0
add address=10.11.11.1/24 interface=VLAN11 network=10.11.11.0
add address=10.11.20.1/24 interface=VLAN20 network=10.11.20.0
add address=10.11.100.1/24 interface=VLAN100 network=10.11.100.0
add address=10.11.110.1/24 interface=VLAN110 network=10.11.110.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=10.11.30.10 client-id=1:8c:3b:ad:e4:97:e8 comment="Netgear Router" mac-address=... server=VLAN30-DHCP
add address=10.11.10.11 client-id=1:dc:a6:32:e:3f:2d comment=... mac-address=... server=VLAN10-DHCP
add address=10.11.11.10 client-id=1:84:2b:2b:47:c0:f1 comment="... BMC" mac-address=... server=VLAN11-DHCP
add address=10.11.10.10 comment=Frank mac-address=... server=VLAN10-DHCP
/ip dhcp-server network
add address=10.11.10.0/24 gateway=10.11.10.1
add address=10.11.11.0/24 gateway=10.11.11.1
add address=10.11.20.0/24 gateway=10.11.20.1
add address=10.11.30.0/24 gateway=10.11.30.1
add address=10.11.100.0/24 gateway=10.11.100.1
add address=10.11.110.0/24 gateway=10.11.110.1
add address=10.11.120.0/24 gateway=10.11.120.1
/ip firewall address-list
add address=10.11.10.0/24 list=LANs
add address=192.168.30.0/24 list=LANs
add address=....sn.mynetname.net list=WANs
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat in-interface=ether1
add action=accept chain=forward comment="Allow Port Forwarding from LAN" connection-nat-state=dstnat in-interface-list=LAN
add action=accept chain=forward comment="Allow BMC access from VLAN10" dst-port=22,443 in-interface=VLAN10 out-interface=VLAN11 protocol=tcp
add action=accept chain=forward comment="Allow SSH to all networks from VLAN10" dst-port=22 in-interface=VLAN10 protocol=tcp
add action=drop chain=forward comment="DROP ALL other FORWARD traffic"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Traefik HTTPS ingress" disabled=yes dst-address-list=WANs dst-port=443 protocol=tcp to-addresses=10.11.120.100
add action=dst-nat chain=dstnat comment="Torfinn SSH" dst-address-list=WANs dst-port=22 protocol=tcp to-addresses=10.11.10.11
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.11.10.0/24 disabled=yes
set ssh address=10.11.10.0/24 disabled=yes
set www-ssl address=10.11.10.0/24
set api disabled=yes
set winbox address=10.11.10.0/24
set api-ssl address=10.11.10.0/24 disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Oslo
/system identity
set name=Victor
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Thank you for all you input to improve my setup Anav! I am a bit unsure about what you are talking about on point (4) there :stuck_out_tongue:

9

Glad everything is up and running.
If you are talking about the discussion of Interface bridge vlan settings…

Basically for access ports you define them on the bridge port settings (untagged frames pvid=XX)

The router dynamically (automatically based on the bridge port settings) assigns the interface bridge vlan settings when traffic starts flowing.
Therefore technically one does not have to put the rules into the interface bridge vlan settings.

However, that means they wont show up when you print a config or when you look at your config.
I prefer to see them when opening up the config or exporting the config as it shows that the user understands what he/she has configured vice making the assumption.
In other words a pro MT guy like MKX would probably not manually config this and I would never cough cough question his judgement.
However for new folks on MT, its best to see what they really understand vice just copying a youtube config.
I also like consistency and method!!


So your config is neither LOL.
You have used the manual rule for ether5 but not for the other access ports with PVID assigned,
So your config If I was doing it would be
FROM

/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=30
add bridge=bridge tagged=bridge,ether2 untagged=ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 vlan-ids=11
add bridge=bridge tagged=bridge,ether2 vlan-ids=20
add bridge=bridge tagged=bridge,ether2 vlan-ids=100
add bridge=bridge tagged=bridge,ether2 vlan-ids=110


TO

/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 untagged=ether3  vlan-ids=11
add bridge=bridge tagged=bridge untagged=ether4  vlan-ids=30
add bridge=bridge tagged=bridge,ether2  vlan-ids=20,100,110,120

If you were to be consistent and ordered in your config and prefer not to see untagged settings it would be…

/interface bridge vlan
add bridge=bridge tagged=bridge,ether2  vlan-ids=10
add bridge=bridge tagged=bridge,ether2  vlan-ids=11
add bridge=bridge tagged=bridge vlan-ids=30
add bridge=bridge tagged=bridge,ether2 vlan-ids=20,100,110,120

(Note: vlan30 does not go through ether2 like all other vlans.)

So, now look at the middle example. Crystal clear to read each line.
The first line, VLAN 10 is on the trunk port ether 2 and is going to a dumb device on ether5
The second line, VLAN11 is on the trunk port ether2 and is going to a dumb device on ether4
The third line, Vlan 30 is going to a dumb device on ether3
The fourth line, the rest of the vlans are going on the trunk port ether2
VERY EASY TO CHECK WITH BRIDGE PORT SETTINGS as double check to confirm the config matches up nicely.

10

Lets take a look at your firewall forward chain…

add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat in-interface=ether1
add action=accept chain=forward comment="Allow Port Forwarding from LAN" connection-nat-state=dstnat in-interface-list=LAN
add action=accept chain=forward comment="Allow BMC access from VLAN10" dst-port=22,443 in-interface=VLAN10 out-interface=VLAN11 protocol=tcp

First Rule: Looks good!
Second and Third Rule, frankly a mess!! : Modify to a single RULE!!
add action=accept chain=forward comment=Allow Port Forwarding"
connection-nat-state=dstnat connection-state=new in-interface-list=WAN

Perhaps I am out in left field but I have never seen a port forwarding rule in the forward chain from the LAN. Perhaps if you explained the reasoning it would penetrate through my thick skull!!

Last Rule: You want to allow all users from VLAN10 access to VLAN20 but only on ports 22 and 443 (assuming ssh and https) on protocol TCP.
Is that an accurate reflection of the requirement.
or is it?
Allow admin person only (using vlan10) full access to vlan 20 from vlan10?
etc…

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Then we have the next confusing rule…
add action=accept chain=forward comment=“Allow SSH to all networks from VLAN10” dst-port=22 in-interface=VLAN10 protocol=tcp

You just had a rule allowing vlan10 both SSH and HTTPS to vlan11 and now you are allowing all of VLAN 10 SSH to everwhere?
In other words your first rule should only be HTTPS AS, SSH is covered here in the second rule.

It tells me you are not clear in your requirements!!
Do you really mean all users on vlan 10 should be able to SSH everywhere?
Or did you mean the admin person should have full access to all vlans.
add chain=forward action=accept in-interface=vlan10 out-interface-list=LAN source-address-list=adminaccess