Masquerade with VLANs

Hi there,

I have 4 VLANs:

  • VLAN10 - General
  • VLAN20 - Project TRNG
  • VLAN99 - Management
  • VLAN100 - Guest

I want them to be connected to the internet. I was unable to make it work. My approach was to make sure that my firewall wasn’t blocking anything and enabling NAT (srcnat, to ether-port 1).

My first step and question is: What am I doing wrong?
In future, I want to go a lot further, and I would like to use 2 WAN ports, to increase traffic. Moreover, I would like to use 1, or if possible, multiple WireGuard connections, through which I would like to provide internet on my VLANs. If there are any examples or resolved issues in this forum, I would love to see them.

My current config is:

# 2024-09-29 15:46:56 by RouterOS 7.15.2
# software id = #########
#
# model = RB5009UPr+S+
# serial number = #######
/interface bridge
add mtu=1420 name=Bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] l2mtu=1500 name=ether2-WAN
set [ find default-name=ether3 ] name=ether3-L009
set [ find default-name=ether4 ] name=ether4-L009
set [ find default-name=ether5 ] name=ether5-hAPX2
set [ find default-name=ether6 ] name="ether6-[TRNG]ESP32PoE"
set [ find default-name=ether7 ] name=ether7-test
set [ find default-name=ether8 ] name=ether8-ManagementPort
set [ find default-name=sfp-sfpplus1 ] disabled=yes l2mtu=1500 name=sfp1
/interface wireguard
add listen-port=51820 mtu=1420 name=Mullvad
/interface vlan
add interface=Bridge mtu=1420 name=VLAN10-General vlan-id=10
add interface=Bridge mtu=1420 name=VLAN20-TRNG vlan-id=20
add interface=Bridge mtu=1420 name=VLAN99-Management vlan-id=99
add interface=Bridge mtu=1420 name=VLAN100-Guest vlan-id=100
/interface bonding
add mode=802.3ad name=Bond-L009 slaves=ether3-L009,ether4-L009 \
    transmit-hash-policy=layer-3-and-4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool5 ranges=10.0.0.2-10.0.0.254
add name=dhcp_pool6 ranges=10.0.99.2-10.0.99.254
add name=dhcp_pool7 ranges=10.0.1.2-10.0.1.254
add name=dhcp_pool8 ranges=10.0.2.2-10.0.2.254
/interface bridge port
add bridge=Bridge interface=ether8-ManagementPort internal-path-cost=10 \
    path-cost=10 pvid=99
add bridge=Bridge interface=Bond-L009
add bridge=Bridge interface=ether5-hAPX2
add bridge=Bridge interface="ether6-[TRNG]ESP32PoE" pvid=20
add bridge=Bridge interface=ether7-test pvid=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=Bridge comment=Main tagged=Bond-L009,Bridge,ether5-hAPX2 untagged=\
    ether7-test vlan-ids=10
add bridge=Bridge comment="Project - TRNG" tagged=\
    Bond-L009,Bridge,ether5-hAPX2 untagged="ether6-[TRNG]ESP32PoE" vlan-ids=\
    20
add bridge=Bridge comment=Guest tagged=Bond-L009,Bridge vlan-ids=100
add bridge=Bridge comment=Management tagged=Bridge,Bond-L009,ether5-hAPX2 \
    untagged=ether8-ManagementPort vlan-ids=99
/interface detect-internet
set detect-interface-list=all
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-address=10.71.87.119/32 client-dns=\
    10.64.0.1 client-endpoint=185.254.75.3 endpoint-address=185.254.75.3 \
    endpoint-port=51820 interface=Mullvad name=peer1 private-key=\
    "AIou1WWzjBUifq9ozgoEZYAbUrz9Sz2mK/GA6yt33m8=" public-key=\
    "Rc23KyES+XjzzYtsjTfHcQlcFd0NM5nVB6s9JFSrLHc="
/ip address
add address=10.0.0.1/24 interface=VLAN10-General network=10.0.0.0
add address=10.0.1.1/24 interface=VLAN20-TRNG network=10.0.1.0
add address=10.0.2.1/24 interface=VLAN100-Guest network=10.0.2.0
add address=10.0.99.1/24 interface=VLAN99-Management network=10.0.99.0
/ip dhcp-client
add interface=ether1-WAN
/ip dhcp-server
add address-pool=dhcp_pool5 interface=VLAN10-General lease-time=1m name=dhcp1
add address-pool=dhcp_pool6 interface=VLAN99-Management lease-time=1m name=\
    dhcp2
add address-pool=dhcp_pool7 interface=VLAN20-TRNG lease-time=1m name=dhcp3
add address-pool=dhcp_pool8 interface=VLAN100-Guest lease-time=1m name=dhcp4
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
add address=10.0.1.0/24 gateway=10.0.1.1
add address=10.0.2.0/24 gateway=10.0.2.1
add address=10.0.99.0/24 gateway=10.0.99.1
/ip dns
set servers=8.8.8.8,4.4.4.4
/ip firewall filter
add action=accept chain=forward connection-state=established,related,new \
    connection-type="" in-interface=Bridge out-interface=ether1-WAN
add action=accept chain=forward connection-state=established,related,new
add action=accept chain=forward connection-state=established,related \
    dst-address=10.0.1.0/24 src-address=10.0.99.0/24
add action=accept chain=forward connection-state=established,related \
    dst-address=10.0.2.0/24 src-address=10.0.99.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.88.1 routing-table=main \
    suppress-hw-offload=no
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system upgrade mirror
set enabled=yes

Thanks for your time!

A few things:

  1. do yourself a favour and disable the detect internet feature (set detect-internet-list=none)
  2. Why is the MTU on LAN set to the odd value of 1420? It’s going to hurt all LAN communication … possibly done to make wireguard a bit faster. It may make sense, but it really depends on the ratio between wireguard and LAN data volume
  3. if you insist on having the odd MTU value, you have to make all LAN clients aware of it (and ditto on the wireguard peer side). One possibility is to configure DHCP server with option 26, but it seems that some DHCP clients don’t want to use it? (See this thread: http://forum.mikrotik.com/t/dhcp-option-26-mtu-size/98261/1 )
  4. I’ll write this again: don’t go into non-standard MTU value if you don’t know what you’re doing (my feeling is that you don’t know exactly)
  5. completely unset “connection-type” property of the first firewall filter rule. Setting it to empty value is very much different than not setting the property at all.

But the good news is: your masquerade rule is fine for traffic leaving through ether1-WAN interface … for any source VLAN (src-nat doesn’t care about src-address unless it’s used as matcher criteria).

And a general suggestion: have a look at the default setup, especially the firewall rules. They are pretty good, they are both safe and quite flexible. Probably they’re not flexible enough for your ultimate goal, but you may learn something from them.
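As an added example (not mkx's text and not the OP's config), here is what a default-style rule set looks like once it is written against the interface names in the posted export. It uses interface lists the way the factory default does; the list names WAN and LAN and the rule comments are my own choices. The posted filter rules are removed first: their second rule (accept forward established,related,new with no other matcher) admits every new connection from every interface, including ether1-WAN, and the two 10.0.99.0/24 rules match only established,related, so they never admit a new connection from the management VLAN. The last block of the example does what those two rules were evidently meant to do.

```routeros
# Added example, not from the thread. Interface names are the OP's;
# list names (WAN, LAN) and comments are mine.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1-WAN
add list=LAN interface=VLAN10-General
add list=LAN interface=VLAN20-TRNG
add list=LAN interface=VLAN99-Management
add list=LAN interface=VLAN100-Guest

# Start from a clean filter table. (If you only want to fix the first posted
# rule instead, RouterOS unsets a property with "!": set 0 !connection-type)
/ip firewall filter remove [find]

/ip firewall filter
# input chain: traffic to the router itself
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53,67 comment="DNS and DHCP from every VLAN"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="DNS over TCP from every VLAN"
add chain=input action=drop in-interface=VLAN100-Guest comment="guests get nothing else from the router"
add chain=input action=drop in-interface-list=!LAN comment="drop all not coming from LAN"

# forward chain: traffic through the router
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="every VLAN may reach the internet"
add chain=forward action=accept in-interface=VLAN99-Management out-interface-list=LAN comment="management may open connections into the other VLANs"
add chain=forward action=drop comment="everything else: WAN->LAN without dst-nat, VLAN<->VLAN, guest->local"

/ip firewall nat
# the masquerade rule from the export, expressed via the list instead of one port
add chain=srcnat action=masquerade out-interface-list=WAN comment="masquerade"
```

Apply it from the ether8 management port (or Safe Mode in Winbox): after the input chain above, only the management VLAN can open Winbox/SSH to the router, and the VLANs cannot reach each other except from VLAN99. Adding a second WAN port later is then one `/interface list member add list=WAN interface=ether2-WAN` rather than a second copy of every rule.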

(1) I will add: don’t mix apples and oranges. Once you go vlans, ensure all subnets are vlans, and thus the bridge does no DHCP etc, just bridging.
Okay I see, that is what you have done, bridge ports was misleading…
Prefer… clarity

/interface bridge port
add bridge=Bridge ingress-filtering=yes frame-type=admit-priority-and-untagged interface=ether8-ManagementPort pvid=99
add bridge=Bridge ingress-filtering=yes frame-type=admit-vlan-tagged interface=Bond-L009
add bridge=Bridge ingress-filtering=yes frame-type=admit-vlan-tagged interface=ether5-hAPX2
add bridge=Bridge ingress-filtering=yes frame-type=admit-priority-and-untagged interface="ether6-[TRNG]ESP32PoE" pvid=20
add bridge=Bridge ingress-filtering=yes frame-type=admit-priority-and-untagged interface=ether7-test pvid=10

(2) Besides the ether8 management port access I would consider taking an unused port and making it an off-bridge access for config purposes.
Easy to make changes to the bridge and not be affected by any errors that may occur. Food for thought if interested.

(3) MISSING, the wireguard address??
/ip address
add address=10.0.0.1/24 interface=VLAN10-General network=10.0.0.0
add address=10.0.1.1/24 interface=VLAN20-TRNG network=10.0.1.0
add address=10.0.2.1/24 interface=VLAN100-Guest network=10.0.2.0
add address=10.0.99.1/24 interface=VLAN99-Management network=10.0.99.0
add address=10.71.87.119/24 interface=wireguard-mullvad network=10.71.87.0

  1. No idea what the purpose of this route is???
    /ip route
    add disabled=no dst-address=0.0.0.0/0 gateway=192.168.88.1 routing-table=main
    suppress-hw-offload=no

  2. Your config is incomplete:
    a. as alluded to above, missing firewall rules.
    b. sourcenat rule out wireguard as mullvad only expects to see the single IP assigned to you coming from your device
    c. any methods to identify what users should go out wireguard and how to force that traffic.
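Points (b) and (c) above, as an added example (not Anav's config and not the OP's): one way in RouterOS 7 to send a single VLAN out through the WireGuard interface already in the export while the other VLANs keep using ether1-WAN. The tunnel address comes from the posted peer entry (client-address 10.71.87.119/32) and the peer's allowed-address=0.0.0.0/0 is what lets a default route live inside the tunnel; the routing-table name via-mullvad and the choice of VLAN100-Guest as the VLAN to tunnel are my assumptions.

```routeros
# Added example, not from the thread. "Mullvad" and the VLAN names are the
# OP's; "via-mullvad" and the choice of the Guest VLAN are assumptions.
/ip address
# the single /32 the peer assigned to this router (from the peer entry)
add address=10.71.87.119/32 interface=Mullvad network=10.71.87.119

/routing table
add name=via-mullvad fib

/ip route
# default route inside the tunnel, only seen by lookups in via-mullvad;
# the router still reaches the endpoint 185.254.75.3 through the main table
add dst-address=0.0.0.0/0 gateway=Mullvad routing-table=via-mullvad

/routing rule
# keep local subnets local for guest sources (DHCP/DNS to 10.0.2.1 etc.)
add src-address=10.0.2.0/24 dst-address=10.0.0.0/16 action=lookup table=main comment="local stays local"
# everything else from the Guest VLAN must use the tunnel table; with
# lookup-only-in-table a down tunnel means no route, so packets are dropped
# instead of leaking out ether1-WAN
add src-address=10.0.2.0/24 action=lookup-only-in-table table=via-mullvad comment="guest -> Mullvad only"

/ip firewall nat
# point (b): the peer only accepts packets from the one address it assigned,
# so rewrite every tunnelled source to it
add chain=srcnat action=masquerade out-interface=Mullvad comment="masquerade into tunnel"
```

With the posted filter rules nothing else is needed, since they accept all forward traffic; with a list-based rule set that only accepts LAN to WAN, the Mullvad interface has to be a member of the WAN list as well. Check the result with `/routing route print where routing-table=via-mullvad` and a traceroute from a guest client: the first hop should be the tunnel address, not the ether1-WAN gateway.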

Hi there, thank you soooo much for the feedback. I am still learning all of this and your support is invaluable to me!

So let me answer point by point, starting with the points made by mkx:

  1. I have disabled that feature now
  2. What is the default? I have used 1500, to no avail.
  3. I don’t insist, but you are right, the idea was to have consistent packet-sizing to improve throughput. I first want to get connectivity out though. I feel that the WireGuard we can always add later.
  4. This is correct, it was a hunch and I am only realizing how “dangerous” it is to play with such settings.
  5. Done!

A question I have to you, mkx, is what do you mean by default setup. Do you mean the default setup as provided by mikrotik when setting up the device?

In regards to the feedback from Anav:

  1. Are you saying that the Bridge itself shouldn’t have a DHCP server or IP address in and on itself? I have removed the IP-Address and DHCP server, and I hope this was correct. Just to validate: is your point that you should setup a default network with Subnets/DHCP, when you actually want to split it out in VLANs? So in this case I would only have DHCP Servers running on my VLAN virtual interfaces?
  2. Excellent point. I was thinking that I should do this with a VLAN too, to ensure that I can also access the other routers that I will have in my network in the future. Should I use a separate Bridge for that?
  3. Let’s skip the WireGuard for now, as I think we can start with simply having internet within the VLANs, as I think this would be an essential starting point. What do you think?
  4. Consider it removed
    5.A. What firewall rules am I missing?
    5.B. Let’s skip for now
    5.C. Let’s skip for now

@mkx, this was the issue:

completely unset “connection-type” property of the first firewall filter rule. Setting it to empty value is very much different than not setting the property at all.

We have Internet on the VLANs!!! I guess we are already at the stage that we should discuss the VPN that I want to set up. Should I create a new post? Or can I stick with this one? I will be testing the rest now, to be sure that everything works as it should.

Yes, I was talking about the config which is available if the device is “reset to factory default”.
You can always see it if you open terminal window, log in as administrator and execute /system/default-configuration/print (make that terminal window as wide as possible).

Regarding MTU size: industry standard is 1500 … which happens to be default on ROS as well. Don’t mix this with L2MTU which is maximum ethernet frame size admitted. L2MTU has to be larger than MTU, by how much depends on exact features used in your network (e.g. using VLANs adds some overhead to “usual” ethernet frames).