I’ve been pounding my head for the last few hours and seem to be just going around in circles. I have a customer with a CCR1009-7G-1C-1S+ running 6.43.8. The router is destined for a fairly large environment with mostly Cisco switches. I have a number of clients up and connected with full internet access. I configured some VLANs today and clients connected to the VLANs can ping the router, but can’t get out to the internet. Here are snippets from the configuration, let me know if I’ve missed anything important:
/interface bridge
add name=bridge1
...
/interface vlan
add interface="ether1-DHCP LAN" name=ether1-vlan11 vlan-id=11
add interface="ether1-DHCP LAN" name=ether1-vlan12 vlan-id=12
add interface="ether1-DHCP LAN" name=ether1-vlan13 vlan-id=13
add interface="ether1-DHCP LAN" name=ether1-vlan14 vlan-id=14
add interface="ether1-DHCP LAN" name=ether1-vlan15 vlan-id=15
add interface="ether1-DHCP LAN" name=ether1-vlan16 vlan-id=16
add interface="ether1-DHCP LAN" name=ether1-vlan17 vlan-id=17
add interface="ether1-DHCP LAN" name=ether1-vlan18 vlan-id=18
add interface="ether1-DHCP LAN" name=ether1-vlan19 vlan-id=19
add interface="ether1-DHCP LAN" name=ether1-vlan20 vlan-id=20
...
/ip address
add address=10.10.1.1/24 interface=ether1-vlan11 network=10.10.1.0
add address=10.10.2.1/24 interface=ether1-vlan12 network=10.10.2.0
add address=10.10.3.1/24 interface=ether1-vlan13 network=10.10.3.0
add address=10.10.4.1/24 interface=ether1-vlan14 network=10.10.4.0
add address=10.10.5.1/24 interface=ether1-vlan15 network=10.10.5.0
add address=10.10.6.1/24 interface=ether1-vlan16 network=10.10.6.0
add address=10.10.7.1/24 interface=ether1-vlan17 network=10.10.7.0
add address=10.10.8.1/24 interface=ether1-vlan18 network=10.10.8.0
add address=10.10.9.1/24 interface=ether1-vlan19 network=10.10.9.0
add address=10.10.10.1/24 interface=ether1-vlan20 network=10.10.10.0
...
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether7
In addition there’s the normal stuff for the WAN port, address, gateway, DNS servers. Has anyone any idea on what I’m missing? I can paste more of the code if there are sections I’ve left out.
mkx
March 23, 2019, 2:21pm
2
Post complete firewall config … only obfuscate public IP addresses …
[bill@MikroTik] > export
# mar/22/2019 15:04:32 by RouterOS 6.43.8
# software id = AN96-VD4M
#
# model = CCR1009-7G-1C-1S+
# serial number = 915008456B2E
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=combo1 ] name=ether0-MGMT
set [ find default-name=ether1 ] name="ether1-DHCP LAN"
set [ find default-name=ether7 ] name=ether7-WAN
/interface vlan
add interface="ether1-DHCP LAN" name=ether1-vlan11 vlan-id=11
add interface="ether1-DHCP LAN" name=ether1-vlan12 vlan-id=12
add interface="ether1-DHCP LAN" name=ether1-vlan13 vlan-id=13
add interface="ether1-DHCP LAN" name=ether1-vlan14 vlan-id=14
add interface="ether1-DHCP LAN" name=ether1-vlan15 vlan-id=15
add interface="ether1-DHCP LAN" name=ether1-vlan16 vlan-id=16
add interface="ether1-DHCP LAN" name=ether1-vlan17 vlan-id=17
add interface="ether1-DHCP LAN" name=ether1-vlan18 vlan-id=18
add interface="ether1-DHCP LAN" name=ether1-vlan19 vlan-id=19
add interface="ether1-DHCP LAN" name=ether1-vlan20 vlan-id=20
add interface="ether1-DHCP LAN" name=ether1-vlan21 vlan-id=21
add interface="ether1-DHCP LAN" name=ether1-vlan22 vlan-id=22
add interface="ether1-DHCP LAN" name=ether1-vlan23 vlan-id=23
add interface="ether1-DHCP LAN" name=ether1-vlan24 vlan-id=24
add interface="ether1-DHCP LAN" name=ether1-vlan25 vlan-id=25
add interface="ether1-DHCP LAN" name=ether1-vlan26 vlan-id=26
add interface="ether1-DHCP LAN" name=ether1-vlan27 vlan-id=27
add interface="ether1-DHCP LAN" name=ether1-vlan28 vlan-id=28
add interface="ether1-DHCP LAN" name=ether1-vlan29 vlan-id=29
add interface="ether1-DHCP LAN" name=ether1-vlan30 vlan-id=30
add interface="ether1-DHCP LAN" name=ether1-vlan31 vlan-id=31
add interface="ether1-DHCP LAN" name=ether1-vlan32 vlan-id=32
add interface="ether1-DHCP LAN" name=ether1-vlan33 vlan-id=33
add interface="ether1-DHCP LAN" name=ether1-vlan34 vlan-id=34
add interface="ether1-DHCP LAN" name=ether1-vlan35 vlan-id=35
add disabled=yes interface=ether5 name=ether5-vlan5 vlan-id=5
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=ether1-vlan10 ranges=10.0.10.2-10.0.10.254
add name=ether1-vlan11 ranges=10.0.11.2-10.0.11.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=ether1-vlan12 ranges=10.0.12.2-10.0.12.254
add name=ether5-vlan5 ranges=10.0.5.2-10.0.5.254
add name=ether1-vlan13 ranges=10.0.13.2-10.0.13.254
add name=VPN-POOL ranges=10.10.150.11-10.10.150.254
/ip dhcp-server
add address-pool=ether1-vlan10 disabled=no interface="ether1-DHCP LAN" name="DHCP V10"
add address-pool=ether5-vlan5 disabled=no interface=ether5 name="DHCP V5"
add address-pool=ether1-vlan11 disabled=no interface=ether1-vlan11 name="DHCP V11"
/ppp profile
add dns-server=10.10.150.10 local-address=10.10.150.10 name=VPN-PROFILE remote-address=VPN-POOL use-encryption=yes
set *FFFFFFFE dns-server=192.168.1.2 local-address=192.168.89.1 remote-address=vpn
/interface l2tp-server server
set ipsec-secret=Slapstick9 use-ipsec=yes
/interface list member
add interface="ether1-DHCP LAN" list=WAN
add interface=bridge1 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server@MikroTik cipher=aes128,aes192,aes256 default-profile=VPN-PROFILE enabled=yes require-client-certificate=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=10.0.10.1/24 interface="ether1-DHCP LAN" network=10.0.10.0
add address=10.10.1.1/24 interface=ether1-vlan11 network=10.10.1.0
add address=redacted comment="staging static IP " interface=ether7-WAN network=redacted
add address=10.10.2.1/24 interface=ether1-vlan12 network=10.10.2.0
add address=10.10.3.1/24 interface=ether1-vlan13 network=10.10.3.0
add address=10.0.5.1/24 interface=ether5 network=10.0.5.0
add address=10.10.4.1/24 interface=ether1-vlan14 network=10.10.4.0
add address=10.10.5.1/24 interface=ether1-vlan15 network=10.10.5.0
add address=10.10.6.1/24 interface=ether1-vlan16 network=10.10.6.0
add address=10.10.7.1/24 interface=ether1-vlan17 network=10.10.7.0
add address=10.10.8.1/24 interface=ether1-vlan18 network=10.10.8.0
add address=10.10.9.1/24 interface=ether1-vlan19 network=10.10.9.0
add address=10.10.10.1/24 interface=ether1-vlan20 network=10.10.10.0
add address=10.10.11.1/24 interface=ether1-vlan21 network=10.10.11.0
add address=10.10.12.1/24 interface=ether1-vlan22 network=10.10.12.0
add address=10.10.13.1/24 interface=ether1-vlan23 network=10.10.13.0
add address=10.10.14.1/24 interface=ether1-vlan24 network=10.10.14.0
add address=10.10.15.1/24 interface=ether1-vlan25 network=10.10.15.0
add address=10.10.16.1/24 interface=ether1-vlan26 network=10.10.16.0
add address=10.10.17.1/24 interface=ether1-vlan27 network=10.10.17.0
add address=10.10.18.1/24 interface=ether1-vlan28 network=10.10.18.0
add address=10.10.19.1/24 interface=ether1-vlan29 network=10.10.19.0
add address=10.10.20.1/24 interface=ether1-vlan30 network=10.10.20.0
add address=10.10.21.1/24 interface=ether1-vlan31 network=10.10.21.0
add address=10.10.22.1/24 interface=ether1-vlan32 network=10.10.22.0
add address=10.10.23.1/24 interface=ether1-vlan33 network=10.10.23.0
add address=10.10.24.1/24 interface=ether1-vlan34 network=10.10.24.0
add address=10.10.25.1/24 interface=ether1-vlan35 network=10.10.25.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=10.0.10.254 client-id=1:58:8a:5a:3f:3e:35 comment="redacted" mac-address=58:8A:5A:3F:3E:35 server="DHCP V10"
add address=10.0.10.21 mac-address=30:9C:23:5F:71:CC server="DHCP V10"
add address=10.0.10.23 allow-dual-stack-queue=no mac-address=30:9C:23:22:6B:CA server="DHCP V10"
add address=10.0.10.25 mac-address=30:9C:23:5F:73:CA server="DHCP V10"
add address=10.0.10.24 allow-dual-stack-queue=no mac-address=30:9C:23:5F:71:E8 server="DHCP V10"
add address=10.0.10.22 mac-address=30:9C:23:5F:71:4B server="DHCP V10"
add address=10.0.10.26 mac-address=4C:CC:6A:CD:7B:A4 server="DHCP V10"
add address=10.0.10.27 mac-address=30:9C:23:5F:59:37 server="DHCP V10"
add address=10.0.10.28 mac-address=30:9C:23:3E:47:71 server="DHCP V10"
add address=10.0.10.29 mac-address=30:9C:23:5F:6B:6C server="DHCP V10"
add address=10.0.10.30 mac-address=30:9C:23:24:BC:53 server="DHCP V10"
add address=10.0.10.32 mac-address=4C:CC:6A:CD:7D:77 server="DHCP V10"
add address=10.0.10.31 mac-address=30:9C:23:5F:6E:C0 server="DHCP V10"
add address=10.0.10.34 mac-address=30:9C:23:5F:74:82 server="DHCP V10"
add address=10.0.10.33 mac-address=30:9C:23:24:CC:64 server="DHCP V10"
add address=10.0.10.35 mac-address=30:9C:23:3E:50:2F server="DHCP V10"
add address=10.0.10.36 mac-address=30:9C:23:3E:38:A6 server="DHCP V10"
add address=10.0.10.37 mac-address=30:9C:23:24:79:2F server="DHCP V10"
add address=10.0.10.38 mac-address=30:9C:23:24:CD:7E server="DHCP V10"
add address=10.0.10.39 mac-address=4C:CC:6A:D6:23:98 server="DHCP V10"
add address=10.0.10.40 mac-address=30:9C:23:27:D1:42 server="DHCP V10"
add address=10.0.10.11 mac-address=30:9C:23:5F:6E:BC server="DHCP V10"
add address=10.0.10.15 mac-address=30:9C:23:29:13:5B server="DHCP V10"
add address=10.0.10.12 mac-address=30:9C:23:22:6D:67 server="DHCP V10"
add address=10.0.10.14 mac-address=30:9C:23:5F:6E:F0 server="DHCP V10"
add address=10.0.10.16 mac-address=30:9C:23:24:98:BA server="DHCP V10"
add address=10.0.10.19 mac-address=30:9C:23:5F:6E:D7 server="DHCP V10"
add address=10.0.10.13 mac-address=4C:CC:6A:D8:50:35 server="DHCP V10"
add address=10.0.10.18 mac-address=30:9C:23:3E:52:A6 server="DHCP V10"
add address=10.0.10.17 mac-address=30:9C:23:3E:3B:F1 server="DHCP V10"
add address=10.0.10.20 mac-address=30:9C:23:5F:6A:B3 server="DHCP V10"
add address=10.0.10.63 mac-address=4C:CC:6A:F4:5F:12 server="DHCP V10"
add address=10.0.5.12 mac-address=30:9C:23:22:6E:5C server="DHCP V5"
add address=10.0.10.62 mac-address=30:9C:23:22:6E:5C server="DHCP V10"
add address=10.0.5.11 mac-address=30:9C:23:44:1C:7D server="DHCP V5"
/ip dhcp-server network
add address=10.0.5.0/24 gateway=10.0.5.1
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.11.0/24 gateway=10.0.11.1
add address=10.0.12.0/24 gateway=10.0.12.1
add address=10.0.13.0/24 gateway=10.0.13.1
add address=10.10.1.0/24 gateway=10.10.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=redacted,redacted
/ip dns static
add address=redacted name="DNS 1"
add address=redacted name="DNS 2"
/ip firewall filter
add action=accept chain=forward in-interface=ether7-WAN out-interface=ether2
add action=accept chain=input in-interface=ether0-MGMT
add action=accept chain=input connection-state=established,related
add chain=input comment="Allow OpenVPN" dst-port=1194 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether7-WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
add action=dst-nat chain=dstnat dst-port=17790 in-interface=ether7-WAN protocol=tcp to-addresses=10.0.10.254 to-ports=17790
/ip route
add distance=1 gateway=209.216.165.1
/ip service
set telnet disabled=yes
set ftp address=10.10.150.0/24,10.0.10.0/24
set www address=10.0.10.0/24,10.10.150.0/24
set ssh address=10.10.150.0/24,10.0.10.0/24,redacted
set api address=10.0.10.0/24,10.10.150.0/24
set winbox address=10.0.10.0/24,10.10.150.0/24
set api-ssl address=10.0.10.0/24,10.10.150.0/24
/ppp secret
add name=redacted password=redacted
add name=redacted password=redacted profile=VPN-PROFILE service=ovpn
add name=redacted password=redacted profile=VPN-PROFILE service=ovpn
add name=redacted password=redacted profile=VPN-PROFILE service=ovpn
/system clock
set time-zone-name=America/Los_Angeles
The clients who have static leases shown here work, as do dynamic leases in the same subnets. Addresses for the clients on VLAN 11 and up are being provided by the Cisco switches they are attached to. They are using the Mikrotik at 10.10.x.1 as the default gateway and DNS server. They are unable to get past the Mikrotik, though they can successfully ping it.
mkx
March 23, 2019, 4:22pm
4
The firewall rules don’t explain why clients from some VLANs aren’t able to connect to the internet. Try to add an additional masquerade rule with in-interface set to one of the non-working VLANs and move it to the top of the NAT rule list (optionally add log=yes) and check if it gets triggered.
The firewall rules, BTW, don’t protect the router from being accessed from the internet or “normal” subnets. At least it lacks a rule like this:
add chain=input action=drop
at the very end of the rules for the input chain. Precede this rule with rules that accept some connections if needed (perhaps to UDP port 53 from VLAN interfaces if this router acts as DNS server for clients).
And your currently last rule (“Allow OpenVPN”) lacks an explicitly defined action.
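Added example, not from the thread or from mkx: the two suggestions above expressed as RouterOS 6.x CLI commands. Interface names and subnets come from the posted export; the VLAN chosen for the diagnostic rule (ether1-vlan16, 10.10.6.0/24), the aggregate 10.10.0.0/19 for the DNS accept rules, the comments and the log prefix are assumptions for illustration. Since srcnat cannot match on in-interface, the diagnostic rule matches on the VLAN's source subnet instead.

```routeros
# Added example (not from the thread). Names follow the posted export; the VLAN
# subnet 10.10.6.0/24, the 10.10.0.0/19 aggregate and the log prefix are assumptions.

# 1. Diagnostic masquerade rule for one non-working VLAN.
#    srcnat rules cannot match in-interface, so match the VLAN's source subnet.
#    log=yes writes one log line per new connection that hits the rule.
/ip firewall nat
add chain=srcnat src-address=10.10.6.0/24 out-interface=ether7-WAN action=masquerade \
    log=yes log-prefix="nat-vlan16" comment="diag: masquerade vlan16"
# NAT rules are evaluated top-down; move it above the generic masquerade (position 0).
move [find comment="diag: masquerade vlan16"] destination=0
# Check whether it ever fires: packet/byte counters and the log entries.
print stats
/log print where message~"nat-vlan16"
# Are connections from that VLAN tracked at all, and what address do replies go to?
/ip firewall connection print where src-address~"10.10.6."

# 2. Input chain written as a complete chain: accepts first, explicit drop last.
#    (Remove the old input rules before adding these, or the old ones run first.)
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="replies to router's own traffic"
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether0-MGMT action=accept comment="management port"
add chain=input protocol=tcp dst-port=1194 action=accept comment="Allow OpenVPN (now with an explicit action)"
add chain=input src-address=10.10.0.0/19 protocol=udp dst-port=53 action=accept comment="DNS from VLAN clients"
add chain=input src-address=10.10.0.0/19 protocol=tcp dst-port=53 action=accept comment="DNS (TCP) from VLAN clients"
add chain=input src-address=10.0.10.0/24 action=accept comment="DHCP LAN subnet may manage the router"
add chain=input action=drop comment="default deny for everything else aimed at the router"
# Verify the order: the drop must be the last input rule.
print where chain=input
```

Anything else the router itself must answer needs its own accept rule above the final drop, for example UDP 500/4500/1701 and ESP if the L2TP/IPsec server in the export is enabled, or DHCP (UDP 67) from subnets the router serves. Note that `/ip service` address restrictions only limit the management services; the input chain drop is what keeps unsolicited packets from the WAN away from everything else the router listens on.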
From the WebFig interface, Firewall; NAT when I Add New a srcnat with In. Interface of one of the VLANs (ether1-vlan16) and action Masquerade I get error “Couldn’t add New NAT Rule - incoming interface matching not possible in output and post routing chains”.
mkx
March 23, 2019, 6:46pm
6
Ah, right. So put src-address=/24 …
OK, I added that using vlan6, 10.10.6.0/24 (or should it have been a specific address instead of the subnet?). It entered it as the last item on the list however. Is there a way to move them from WebFig? It’s still not working, a vlan6 client can ping the router, but not the DNS server sitting at the ISP.
mkx
March 23, 2019, 7:23pm
8
You can move rules in webfig simply by drag&drop …
Thanks, it’s now the top entry but still no access.
OK, temporarily I’ve changed that address to 10.10.0.0/19 in order to match everything from 10.10.0.0 to 10.10.31.255, which covers all my VLAN subnets. No joy yet, I’m still not able to get past the router from any of the clients.
Is there a chance I’ve got the Interface Lists wrong? I see that currently the list named WAN uses ether1-DHCP LAN as the Interface and LAN uses bridge1. Maybe bridge1 is incorrect, or I should add another entry for the VLANs?
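Added example, not from the thread: an interface-list layout that matches the roles in the posted export, with rules that actually consume the lists. In RouterOS an interface list does nothing on its own; membership only matters once something references it (here `in-interface-list` / `out-interface-list` in firewall rules), and no rule in the posted export references the WAN or LAN lists. The assignment of ether7-WAN as the only uplink and of the VLAN sub-interfaces on "ether1-DHCP LAN" as the client side is an assumption drawn from the export; the rule comments are mine.

```routeros
# Added example (not from the thread). Assumes ether7-WAN is the only uplink and the
# VLAN sub-interfaces on "ether1-DHCP LAN" face the clients.
/interface list member
# start from a clean membership (the export has "ether1-DHCP LAN" in WAN and an empty bridge in LAN)
remove [find list=WAN]
remove [find list=LAN]
add list=WAN interface=ether7-WAN
add list=LAN interface="ether1-DHCP LAN"   ; untagged 10.0.10.0/24
add list=LAN interface=ether5              ; 10.0.5.0/24
add list=LAN interface=ether2              ; 192.168.88.0/24 defconf
# one LAN member per VLAN sub-interface on the trunk port
:foreach v in=[/interface vlan find interface="ether1-DHCP LAN"] do={
    /interface list member add list=LAN interface=[/interface vlan get $v name]
}
print

# Rules that consume the lists (lists have no effect until something references them).
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade comment="NAT everything leaving the uplink"
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept comment="clients to internet"
add chain=forward in-interface-list=WAN connection-nat-state=!dstnat action=drop comment="unsolicited inbound from the uplink"
print where chain=forward
```

With lists in place, a new VLAN only needs an `/interface list member add list=LAN ...` entry rather than a copy of every firewall rule, and the `connection-nat-state=!dstnat` drop leaves the existing port-forward to 10.0.10.254:17790 working while blocking any other unsolicited inbound forwarding.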