NAT stops after enablink VLANs

tdeak · February 1, 2023, 6:23pm

Dear Forum Members,

I try to understand the Mikrotik VLANning and I made a phisical setup for myself.
(the final goal is VLANs with Microsoft DHCP server multiple SCOPEs and VLANs)

The Base config is here:

# feb/01/2023 19:08:17 by RouterOS 7.7
#
# model = CRS109-8G-1S-2HnD
/interface bridge
add fast-forward=no name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=hungary disabled=no \
    frequency=auto mode=ap-bridge ssid=MikroTik wps-mode=disabled
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan30 vlan-id=30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=10
add bridge=bridge1 interface=ether4 pvid=20
add bridge=bridge1 interface=wlan1 pvid=30
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether3 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether4 vlan-ids=20
add bridge=bridge1 tagged=bridge1 untagged=wlan1 vlan-ids=30
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip dhcp-client
add interface=ether1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat
/system clock
set time-zone-name=Europe/Budapest

My problem is when I enable VLAN Filtering on bridge1 I imemdiately loose NAT:

# feb/01/2023 19:10:44 by RouterOS 7.7
#
# model = CRS109-8G-1S-2HnD
/interface bridge
add fast-forward=no ingress-filtering=no name=bridge1 pvid=10 vlan-filtering=\
    yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=hungary disabled=no \
    frequency=auto mode=ap-bridge ssid=MikroTik wps-mode=disabled
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan30 vlan-id=30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=10
add bridge=bridge1 interface=ether4 pvid=20
add bridge=bridge1 interface=wlan1 pvid=30
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether3 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether4 vlan-ids=20
add bridge=bridge1 tagged=bridge1 untagged=wlan1 vlan-ids=30
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip dhcp-client
add interface=ether1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat
/system clock
set time-zone-name=Europe/Budapest

Can somebody help me understand why I do not have NAT and what should I configure?

Many Thanks,

anav · February 1, 2023, 6:27pm

Sure, Hint your IP address to a bridge is WRONG!! There shouldnt be one>
You are missing the IP addresses for all the vlans, their IP pools, their ip dhcp-server and ip dhcp-server network settings!!

Missing firewall rules too. Your masquerade rule is not complete for sourcnat.

Who qualified you to work on this config LOL…
Dont try and work on configs on an empty stomach (hungary) ;–)

tdeak · February 1, 2023, 8:40pm

Thank you for your help.
I might miss to attach the second config:

# model = CRS109-8G-1S-2HnD
/interface bridge
add fast-forward=no ingress-filtering=no name=bridge1 pvid=10 vlan-filtering=\
    yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=hungary disabled=no \
    frequency=auto mode=ap-bridge ssid=MikroTik wps-mode=disabled
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan30 vlan-id=30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=10
add bridge=bridge1 interface=ether4 pvid=20
add bridge=bridge1 interface=wlan1 pvid=30
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether3 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether4 vlan-ids=20
add bridge=bridge1 tagged=bridge1 untagged=wlan1 vlan-ids=30
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.1.254/24 interface=vlan10 network=192.168.1.0
add address=192.168.2.254/24 interface=vlan20 network=192.168.2.0
add address=192.168.3.254/24 interface=vlan30 network=192.168.3.0
/ip dhcp-client
add interface=ether1
/ip dhcp-relay
add dhcp-server=192.168.1.2 disabled=no interface=vlan10 local-address=\
    192.168.1.254 name=relay10
add dhcp-server=192.168.1.2 disabled=no interface=vlan20 local-address=\
    192.168.2.254 name=relay20
add dhcp-server=192.168.1.2 disabled=no interface=vlan30 local-address=\
    192.168.3.254 name=relay30

/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat
/system clock
set time-zone-name=Europe/Budapest

Where should I put the router LAN address instead of bridge1?
What firewalls hould be done and what masquerade?

Is there any samle config where I can have a look such setup?

Thank you.

AidanAus · February 1, 2023, 11:10pm

for the nat I think what they are refuring to is that you dont have anything filtering out what traffic you would like to hit with this rule, currently all you have set is the chain so all traffic going through the src-nat chain will be hit with this rule.
One of the most common settings for this is to specify the WAN interface as the out-interface so that it does not process all traffic through this rule and only the traffic going out to your ISP.
The easiest way to thing about the firewall is that everything outside of the action tab is just a filter, without setting anything all traffic will be hit in the specified chain.

For security Mikrotik has a great wiki and help page regarding this and even has some basic firewall rules: https://help.mikrotik.com/docs/display/ROS/Securing+your+router
The other option is to use the default firewall, to view the default configuration stored on a device you can use the following command in the terminal: system default-configuration print

anav · February 2, 2023, 12:53pm

Aidan, this has nothing to do with security at the moment.
It has everything to do with not understanding networking basics even before providing a configuration.

anav · February 2, 2023, 1:01pm

Okay, once you have vlans, there is no need to keep the bridge ( default ) to provide dhcp or any subnet, if you want a 192.168.88 subnet then make another vlan…
Also DONT get fancy with bridge remove any pvid on it. NOt required!!!

Start HERE;;;;;;
https://forum.mikrotik.com/viewtopic.php?p=908118

Post a network diagram of what you would like to accomplish. Include where you are getting your internet and devices router is connected to and the vlans running out of the router ports going to which devices.
Identify
a. your users/devices, or groups of users/devices.
b. what your users or groups should be able to do (traffic required)
c. what your users or groups should not be able to do
d. include yourself as the admin as a special user with unique requirements such as to be able to configure the router securely.

Dont worry about the config for now as you need to communicate your network concept or plan and equipment you have to provide context.
Once known then a configuration will fall out naturally.

tdeak · February 2, 2023, 3:45pm

Hello Gents,
as I mentioned this is just a playground to understand the Mikrotik VLANs.

I set up a few machines and basic devices.
Here below you can see the plan:

and here how I planned to connect:

anav · February 2, 2023, 3:55pm

Not conversant with vlans and a separate PC based dhcp service… Im sure others are though.