Inter VLAN routing problem

First, the config:

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] name=ether2-lan speed=100Mbps
set [ find default-name=ether3 ] disabled=yes speed=100Mbps
set [ find default-name=ether4 ] disabled=yes speed=100Mbps
set [ find default-name=ether5 ] disabled=yes speed=100Mbps
set [ find default-name=ether6 ] disabled=yes speed=100Mbps
set [ find default-name=ether7 ] disabled=yes speed=100Mbps
set [ find default-name=ether8 ] disabled=yes speed=100Mbps
set [ find default-name=ether9 ] disabled=yes speed=100Mbps
set [ find default-name=ether10 ] disabled=yes speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
/interface vlan
add interface=ether2-lan name=vlan4 vlan-id=4
add interface=ether2-lan name=vlan15 vlan-id=15
add interface=ether2-lan name=vlan99 vlan-id=99
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface list member
add interface=ether2-lan list=discover
/interface ovpn-server server
set certificate=MikroTik cipher=blowfish128,aes128,aes192,aes256 default-profile=openvpn enabled=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=Accept-IPSec-ISAKMP dst-port=500,4500 in-interface=ether1-gateway protocol=udp
add action=accept chain=input comment=Accept-IPSec-ESP in-interface=ether1-gateway protocol=ipsec-esp
add action=accept chain=input comment=Accept-OpenVPN dst-port=1194 in-interface=ether1-gateway protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface=ether1-gateway
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward dst-address=10.5.4.0/24 src-address=192.168.8.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment=NAT-Internet ipsec-policy=out,none out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-address=185.24.201.100 dst-port=8777 protocol=tcp to-addresses=192.168.8.2
add action=dst-nat chain=dstnat dst-address=185.24.201.101 dst-port=3389 protocol=tcp to-addresses=192.168.8.2
add action=dst-nat chain=dstnat dst-address=185.24.201.102 dst-port=3389 protocol=tcp to-addresses=192.168.8.6
add action=dst-nat chain=dstnat dst-address=185.24.201.103 dst-port=3389 protocol=tcp to-addresses=192.168.8.1
add action=dst-nat chain=dstnat dst-address=185.24.201.104 dst-port=80 protocol=tcp to-addresses=10.5.4.10 to-ports=81
add action=dst-nat chain=dstnat dst-address=185.24.201.104 dst-port=1433 protocol=tcp to-addresses=10.5.4.10
add action=dst-nat chain=dstnat dst-address=185.24.201.104 dst-port=45432 protocol=tcp to-addresses=192.168.8.4 to-ports=5432
/ip route
add distance=1 gateway=185.24.201.97

The router is hooked up to a switch where the VLAN configuration is replicated. Inter-VLAN routing doesn't work, and I had to add a forwarding rule between the private addresses to make it work. Without it, everything between these networks was caught as invalid, with repeated lines in the logs.

09:31:37 firewall,info 265645 forward: in:(unknown 7) out:vlan4, src-mac 78:45:c4:18:dc:64, proto TCP (ACK), 192.168.8.135:54077->10.5.4.10:80, len 40
09:31:37 firewall,info 265645 forward: in:(unknown 7) out:vlan4, src-mac 78:45:c4:18:dc:64, proto TCP (ACK), 192.168.8.135:54077->10.5.4.10:80, len 40
09:31:37 firewall,info 265645 forward: in:(unknown 7) out:vlan4, src-mac 78:45:c4:18:dc:64, proto TCP (ACK), 192.168.8.135:54077->10.5.4.10:80, len 40

Is the posted config complete? If yes, then your router lacks LAN addresses … on all 3 VLAN interfaces (vlan4, vlan15 and vlan99). Without them it's not aware of the subnets behind each VLAN interface and cannot properly route/firewall traffic.
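
A worked version of the point above, added here as an illustrative example and not taken from anyone in the thread: the posted export contains no /ip address section, so the router owns no address on vlan4, vlan15 or vlan99 and therefore has no connected routes into the VLAN subnets; the "in:(unknown 7)" in the log lines and the invalid-state matches follow from that. The VLAN-to-subnet mapping and the gateway addresses below are assumptions: 10.5.4.0/24 is put behind vlan4 because the log shows out:vlan4, 192.168.8.0/24 is placed on vlan15 arbitrarily, and .1/.254 are chosen only because 192.168.8.1 and 10.5.4.10 already appear as hosts in the dst-nat rules. vlan99 is left without an address because its subnet is not on the page. These are RouterOS CLI lines; adjust before pasting.

```routeros
# 1. Check what the router actually knows. If nothing is listed for vlan4, vlan15
#    or vlan99 here, that is the fault: no connected (DAC) routes, so no inter-VLAN routing.
/ip address print
/ip route print
/interface print where type=vlan

# 2. Give each routed VLAN a gateway address (assumed values, see lead-in).
/ip address add address=10.5.4.1/24 interface=vlan4 comment="VLAN 4 gateway (assumed address)"
/ip address add address=192.168.8.254/24 interface=vlan15 comment="VLAN 15 gateway (assumed address)"
# vlan99: add its address here once the subnet is known; deliberately omitted.

# 3. Remove the workaround rule. It sits before "defconf: drop invalid", so it also
#    accepts packets conntrack has flagged as invalid and defeats that check for this pair.
/ip firewall filter remove [find chain=forward src-address=192.168.8.0/24 dst-address=10.5.4.0/24]

# 4. Say explicitly what may cross between VLANs. Appending at the end of the chain is
#    fine: the default rules before these never match inter-VLAN traffic, except
#    "drop invalid", which should keep matching first. Replies are covered by the
#    existing established,related accept at the top of the chain.
/ip firewall filter add chain=forward action=accept connection-state=new in-interface=vlan15 out-interface=vlan4 protocol=tcp dst-address=10.5.4.10 dst-port=80,1433 comment="vlan15 -> app server on vlan4 (assumed ports)"
/ip firewall filter add chain=forward action=drop in-interface=vlan15 out-interface=vlan4 comment="drop other vlan15 -> vlan4"
/ip firewall filter add chain=forward action=drop in-interface=vlan4 out-interface=vlan15 comment="drop new vlan4 -> vlan15"

# 5. Verify: routes for both subnets now show as connected (flags DAC), a test
#    connection from a vlan15 host to 10.5.4.10:80 is tracked as established,
#    and the "in:(unknown ...)" forward log lines stop appearing.
/ip route print
/ip firewall connection print where dst-address~"10.5.4.10"
/log print where topics~"firewall" and message~"unknown"
```

The interface-based rules in step 4 only work once step 2 is in place; before that the router cannot associate 192.168.8.0/24 with any interface, which is exactly why the original address-based workaround was the only rule that matched.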

Post the complete config:
/export hide-sensitive file=yourconfigmar18