No internet from bridge?

plexorange · July 12, 2022, 2:07am

I can ping 8.8.8.8 from the router. DHCP works. Connected devices can’t seem to access the internet.

All VLAN interfaces added to bridge1. bridge1 is part of the LAN interface list
Firewall allows LAN to access WAN

It feels like something is wrong with the bridge, something with gateway?
Devices on VLAN6 interface can access internet if the VLAN6 interface is added directly to LAN interface list (adding other VLAN interfaces doesn’t work)

This is basically what I got, sorry for the dumb questions.

# jul/11/2022 20:48:17 by RouterOS 7.2.3
# software id = E78J-UB21
#
# model = RB3011UiAS
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=bridge1 name=VLAN6 vlan-id=6
add interface=bridge1 name=VLAN11 vlan-id=11
add interface=bridge1 name=VLAN21 vlan-id=21
add interface=bridge1 name=VLAN31 vlan-id=31
add interface=bridge1 name=VLAN41 vlan-id=41
/interface list
add comment=defconf name=WAN
add name=LAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=DHCP_POOL21 ranges=192.168.21.16-192.168.21.254
add name=DHCP_POOL11 ranges=192.168.11.16-192.168.11.254
add name=DHCP_POOL6 ranges=192.168.6.16-192.168.6.254
add name=DHCP_POOL31 ranges=192.168.31.16-192.168.31.254
add name=DHCP_POOL41 ranges=192.168.41.16-192.168.41.254
/ip dhcp-server
add address-pool=DHCP_POOL6 interface=VLAN6 name=DHCP6
add address-pool=DHCP_POOL41 interface=VLAN41 name=DHCP41
add address-pool=DHCP_POOL21 interface=VLAN21 name=DHCP21
add address-pool=DHCP_POOL31 interface=VLAN31 name=DHCP31
add address-pool=DHCP_POOL11 interface=VLAN11 name=DHCP11
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether2 pvid=6
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=6
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=11
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=41
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge1 tagged=ether2,bridge1 untagged=ether3 vlan-ids=6
add bridge=bridge1 tagged=ether2,bridge1 untagged=ether4 vlan-ids=11
add bridge=bridge1 tagged=ether2,bridge1 untagged=ether5 vlan-ids=41
add bridge=bridge1 tagged=ether2,bridge1 vlan-ids=31
add bridge=bridge1 tagged=ether2,bridge1 vlan-ids=21
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN6 list=MGMT
/ip address
add address=192.168.6.1/24 interface=VLAN6 network=192.168.6.0
add address=192.168.11.1/24 interface=VLAN11 network=192.168.11.0
add address=192.168.21.1/24 interface=VLAN21 network=192.168.21.0
add address=192.168.31.1/24 interface=VLAN31 network=192.168.31.0
add address=192.168.41.1/24 interface=VLAN41 network=192.168.41.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.6.2 mac-address=DC:2C:6E:E2:0A:C6 server=DHCP6
/ip dhcp-server network
add address=192.168.6.0/24 dns-server=192.168.6.1 gateway=192.168.6.1
add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1
add address=192.168.21.0/24 dns-server=192.168.21.1 gateway=192.168.21.1
add address=192.168.31.0/24 dns-server=192.168.31.1 gateway=192.168.31.1
add address=192.168.41.0/24 dns-server=192.168.41.1 gateway=192.168.41.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.6.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" comment="No want ping from WAN" in-interface-list=LAN protocol=icmp
add action=accept chain=input in-interface-list=MGMT
add action=drop chain=input comment="Default drop"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow access to internet" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="Default drop" connection-nat-state="" connection-state=""
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Chicago
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

mkx · July 12, 2022, 5:27am

Adding bridge1 interface to LAN interface list doesn’t help, because all IP addresses of your router are set on vlan interfaces … these should be members of LAN interface list (or some other interface lsit if you want to further structure firewall rules):

/interface list member
add interface=VLAN6 list=LAN
add interface=VLAN11 list=LAN
add interface=VLAN21 list=LAN
add interface=VLAN31 list=LAN
add interface=VLAN41 list=LAN

Proper interface list membership will also make current FW rule

add action=accept chain=forward comment="Allow access to internet" in-interface-list=LAN out-interface-list=WAN

to pass LAN-initiated traffic towards internet (currently this rule blocks it all).

You configured DHCP servers to hand out respective router’s addresses as DNS servers to DHCP clients, but you don’t allow clients to us DNS server - firewall filter rule chain=input contains general drop rule, but doesn’t contain anything allowing VLANs to access DNS service. Something like this should be fine:

add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp comment="Allow use of DNS service from LANs"
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp comment="Allow use of DNS service from LANs"

… and get these rules above the “Default drop” rule.

It seems you didn’t do anything to IPv6 firewall rules … which is just fine, with changes mentioned above also IPv6 will work. However, you did try to make IPv4 firewall quite more strict than it’s by default. If you want to follow that in IPv6 firewall, then you’ll have to work a bit on rules. My suggestion, though, is that you get acquainted with how firewall filter rules actually work, you seem to lack some understanding there …