I was looking to connect/route a webserver in my network.
The network looks pretty simple.
[ ISP( e.g 80.30.0.30 ) >> MikroTik[Eth1] ]
All the Ethernet ports on the Mikrotik are used for LAN users. Therefore they all share the same bridge.
Now, the webserver is connected to one of the ports, Eth3. Several LAN users are connected to Eth3 as well (there's a switch behind it, which I think is an unmanaged one).
I created a VLAN from Mikrotik to the webserver to separate the server from the LAN users.
Weird things happen when I set up the NAT Rule, which can be seen in the export.
Then a LOT of complaints about the network are heard: slow-loading webpages, overall slow loading, etc.
But the webserver has no purpose yet.
By looking at the statistics, a lot of traffic is routed to the webserver, whilst no intentional external requests are made.
The only explanation is that I set the wrong NAT rule.
But what would the correct rule look like? And why does the network behave like that?
I am curious about that.
# 2023-07-15 11:48:38 by RouterOS 7.10.1
# software id = 8I7W-IKF7
#
# model = RB962UiGS-5HacT2HnT
# serial number = <edited>
/interface bridge
add name=bridge1
/interface vlan
add interface=ether1 name=vlan1 vlan-id=300
add interface=ether3 name=vlan_server vlan-id=10
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=vlan_server_pool ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
add address-pool=vlan_server_pool interface=vlan_server name=vlan_server_dhcp
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan_server network=192.168.2.0
/ip dhcp-client
add interface=vlan1
/ip dhcp-server lease
add address=192.168.2.2 mac-address=10:60:4B:9B:22:46 server=vlan_server_dhcp
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan1
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=\
192.168.2.2 to-ports=80
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system note
set show-at-login=no
Your dst-nat rule is "greedy" and redirects any connection to port 80 (regardless of dst-address) to your LAN server. You have to make the rule more "picky"; one way of doing it is to add the property "in-interface=vlan1". It's obvious that you threw away the default config, which is IMO a pity: the default makes a very sound base for minor tweaking (such as adding dst-nat).
BTW, the way you're dealing with VLANs on the LAN side is wrong. Conceptually it should be done according to this tutorial, and reading about bridge personalities beforehand would help. Your hAP ac doesn't support the way described in the tutorial by offloading to the switch chip (which means higher CPU load and lower performance); to make it hardware-friendly it's necessary to configure some things in the switch chip submenu. But the basic concepts are very similar (and your current setup goes against these concepts).
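The "greedy" versus "picky" rule from the reply above, as an added example that is not part of the original thread. It assumes the interface names and addresses from the export (vlan1 is the WAN, 192.168.2.2 is the server) and RouterOS 7 CLI syntax; the public address used in the alternative rule is the illustrative one from the question, not a real one.

```routeros
# Added example (not the poster's config). Assumes vlan1 = WAN interface and
# 192.168.2.2 = webserver, as in the export above.

# The rule as exported: it matches EVERY TCP/80 connection that enters the
# dstnat chain, including LAN clients browsing external websites, and rewrites
# the destination to the server. Shown commented out for comparison only.
#/ip firewall nat
#add action=dst-nat chain=dstnat dst-port=80 protocol=tcp \
#    to-addresses=192.168.2.2 to-ports=80

# Corrected rule: only connections that arrive on the WAN interface are
# redirected. in-interface is preferred here because vlan1 gets its public
# address by DHCP, so matching on dst-address could break after a lease change.
/ip firewall nat
add chain=dstnat in-interface=vlan1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.2.2 to-ports=80 \
    comment="webserver port-forward (WAN only)"

# Alternative when the public address is static (80.30.0.30 is the example
# address from the question, used here as a placeholder):
#add chain=dstnat dst-address=80.30.0.30 protocol=tcp dst-port=80 \
#    action=dst-nat to-addresses=192.168.2.2 to-ports=80 \
#    comment="webserver port-forward (by public address)"

# Checks: while a LAN client browses an external site, the dst-nat counters
# must stay still; the only connections whose reply source is the server
# should be ones that originated on vlan1.
/ip firewall nat print stats
/ip firewall connection print where reply-src-address~"192.168.2.2"
```

Note that the export contains no `/ip firewall filter` rules at all, so whatever the dst-nat rule lets through is forwarded unfiltered; the default configuration the reply mentions includes a forward rule that drops traffic from the WAN unless it was dst-natted, which is the reason it is a safer base to add a port-forward to.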
Once you start introducing VLANs, it's better to use VLANs for everything.
So in your case you need two VLANs, one for everyone and one for the server, so to speak.
The nice thing about this is that with the server on a separate subnet you don't have to worry about hairpin NAT.
In any case, your concept as noted won't work, as you are dealing with a dumb switch to serve different sets of users. You would need a smart switch, or the server connected directly to the router port.
The NAT "issue" is solved, and the explanation made very clear why and how.
However, I can't wrap my head around the LAN-side VLAN misconfiguration.
If someone could point me in the right direction, then I'll hopefully understand why. Yes, I have read the other posts, but as said, there's likely something I don't quite understand.
If that relates to the issue, then it would make more sense. But yes, that switch would need to be replaced.
When an interface (ether3) is made a bridge port (the last two lines), it should not be directly used for anything else[*]; in your case it's used as the anchor interface for a VLAN interface (the first two lines).
[*] When an interface is made a bridge port, it becomes part of a layer-2 network (which includes both untagged and tagged traffic), consisting of the other member ports of the bridge and the router-facing port (name taken from the bridge personalities tutorial I linked in my previous post). From this point forward one should only use the switch-facing interface of the router (another name from the mentioned tutorial) to communicate between RouterOS and anything beyond the bridge (a switch-like entity).
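The layout the reply describes, as an added example that is not part of the original thread: the VLAN interface is anchored on the bridge (the router-facing side) instead of on ether3, and the bridge VLAN table decides which ports carry VLAN 10. It assumes the interface names, addresses and DHCP setup from the export, and that whatever is plugged into ether3 (the server itself, or a managed switch in front of it) sends VLAN 10 frames tagged while the LAN users stay untagged in VLAN 1; whether the switch chip of this model offloads any of it is left as the earlier reply states.

```routeros
# Added example (not the poster's config). Assumes bridge1, ether2-4,
# wlan1/wlan2 and vlan_server as in the export above.

# 1. Keep VLAN filtering off while editing; enabling it before the table is
#    complete can cut off management access.
/interface bridge
set bridge1 vlan-filtering=no

# 2. Move the VLAN interface from ether3 to the bridge. Using "set" keeps the
#    192.168.2.1/24 address and the vlan_server_dhcp server attached to it.
/interface vlan
set vlan_server interface=bridge1

# 3. Bridge VLAN table: VLAN 10 is tagged on ether3 (towards the server) and on
#    bridge1 itself (towards RouterOS); without the bridge1 entry, vlan_server
#    never sees the frames. VLAN 1 needs no entry: every port, and the bridge,
#    keeps the default pvid=1, so untagged LAN traffic stays in VLAN 1 and
#    192.168.1.1 on bridge1 keeps working.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether3 vlan-ids=10

# ether3 is a hybrid port here (untagged VLAN 1 plus tagged VLAN 10) only
# because an unmanaged switch sits behind it; with a managed switch or the
# server on its own port, ether3 would carry VLAN 10 only:
#/interface bridge port
#set [ find interface=ether3 ] frame-types=admit-only-vlan-tagged

# 4. Only now turn filtering on.
/interface bridge
set bridge1 vlan-filtering=yes

# Checks: the VLAN table should list VLAN 10 on bridge1 and ether3, and the
# server's MAC should appear in the host table with vid 10.
/interface bridge vlan print
/interface bridge host print where vid=10
```

Compared with the export, nothing changes on the IP side: the server still gets 192.168.2.2 from vlan_server_dhcp and the dst-nat rule still points at it. What changes is that ether3 is no longer used twice, once as a bridge port and once as a VLAN anchor, which is the conflict the reply above points out.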