Port forwarding not working from Public IP ranges

Ok @mkx... I see…

Well, I celebrated too soon.

Got everything working (or so I thought), but as soon as I connected directly to the Internet, everything started messing up again, and data simply won’t get through.

Have been scratching my head, trying to figure out what is actually going on.
Have reverted to the test setup below, where I’m creating a “public IP” on the outside of the RB4011, which causes my configuration to fail.
Network - Test Setup v2.png
As soon as the IP on the outside of the RB4011 is changed to an IP in the private range, everything works.

Have tried to read up on documentation, but have not been able to find anything that addresses what I’m trying to do.

The basic purpose of my setup is to create a DMZ for my mail & web servers, by placing them in a separate network (VLAN), and then direct traffic from the outside, through nat & firewall to the servers.
Again, this works when the outside IP is a “private” IP, but not when it’s public, which simply doesn’t make sense to me, since all my IPs on the inside are in the 10.x.x.x ranges, while the IPs I use on the outside are in the 192.168.x.x (private) or 84.x.x.x (public) ranges, with the latter not working.

Have tried to reset several times, downgraded firmware, upgraded firmware and recreated the setup using WinBox and using SSH, in various combinations.

My latest attempt was to add ether10 to the WAN to try another physical port, but same result.

Still see both my nat rule and firewall rule being hit, but data is simply not returned to the client, when I use a public IP on the outside.
Is there a way to track the data going through the router, to see where it’s getting stuck when it’s not working?
Have enabled logging on all the “drop” rules in the firewall, but they are not being hit when I test the connection.

Could this be a hardware fault?

Please post your latest config on router and on RB4011.

Here’s the latest config files from the RB4011 and the RB750.

Currently RB4011 is configured with ether1 and ether10 being part of the “WAN” group, which was done just for testing if another physical port would solve the issue.

For the testing of “private” vs. “public” IPs, the setup is as follows:
ether3 (“dmz2”) on the RB750 is connected to ether1 (“outside”) (or ether10) on the RB4011.
ether2 (“dmz1”) on the RB750 is connected to the PC I use for testing access, which runs “curl http://[ip of RB4011]:80” to fetch a simple HTML page from the PC with the private IP 10.2.0.10 in the DMZ_VLAN on the RB4011.

To make the switch between “public” and “private” IPs on the RB750 I have created the following.

Two DHCP pools:

/ip pool
add name=DMZ_POOL ranges=84.238.109.10-84.238.109.250
add name=DMZ1_pool ranges=192.168.10.10-192.168.10.250

two IP addresses:

/ip address
add address=84.238.109.1/24 disabled=no interface=DMZ_VLAN network=84.238.109.0
add address=192.168.10.1/24 disabled=yes interface=DMZ_VLAN network=192.168.10.0

and two DHCP networks:

/ip dhcp-server network
add address=84.238.109.0/24 comment="DMZ Network" dns-server=8.8.8.8 gateway=84.238.109.1
add address=192.168.10.0/24 comment="DMZ Network1" dns-server=8.8.8.8 gateway=192.168.10.1

So I simply switch between the two setups on the DHCP server on the RB750, and renew IP addresses on the RB4011 and the PC, to get either the public IP or private IP, before running the curl command to try to fetch the data.

Below the current RB4011 config (also attached):

# apr/22/2021 17:54:01 by RouterOS 6.48.2
# software id = IJJI-4YGG
#
# model = RB4011iGS+
# serial number = 
/interface bridge
add name=MainBridge protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=admin
set [ find default-name=ether3 ] name=dmz1
set [ find default-name=ether4 ] name=dmz2
set [ find default-name=ether5 ] name=iot1
set [ find default-name=ether6 ] name=lan1
set [ find default-name=ether7 ] name=lan2
set [ find default-name=ether8 ] name=lan3
set [ find default-name=ether9 ] name=lan4
set [ find default-name=ether1 ] mac-address=xx:xx:xx:xx:xx:xx name=outside
set [ find default-name=ether10 ] name=wan2 poe-out=off
/interface vlan
add interface=MainBridge name=ADM_VLAN vlan-id=99
add interface=MainBridge name=DMZ_VLAN vlan-id=20
add interface=MainBridge name=IOT_VLAN vlan-id=30
add interface=MainBridge name=LAN_VLAN vlan-id=50
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
add name=VLAN
add name=ADMIN
add name=IOT
add name=DMZ
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=LAN_POOL ranges=10.5.0.100-10.5.0.250
add name=DMZ_POOL ranges=10.2.0.100-10.2.0.250
add name=IOT_POOL ranges=10.3.0.100-10.3.0.250
add name=ADM_POOL ranges=10.4.0.100-10.4.0.250
/ip dhcp-server
add address-pool=LAN_POOL disabled=no interface=LAN_VLAN name=LAN_DHCP
add address-pool=DMZ_POOL disabled=no interface=DMZ_VLAN name=DMZ_DHCP
add address-pool=IOT_POOL disabled=no interface=IOT_VLAN name=IOT_DHCP
add address-pool=ADM_POOL disabled=no interface=admin name=ADM_DHCP
/interface bridge port
add bridge=MainBridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=dmz1 pvid=20
add bridge=MainBridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=dmz2 pvid=20
add bridge=MainBridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=iot1 pvid=30
add bridge=MainBridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=lan1 pvid=50
add bridge=MainBridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=lan2 pvid=50
add bridge=MainBridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=lan3 pvid=50
add bridge=MainBridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=lan4 pvid=50
/ip neighbor discovery-settings
set discover-interface-list=ADMIN
/interface bridge vlan
add bridge=MainBridge tagged=MainBridge untagged=dmz1,dmz2 vlan-ids=20
add bridge=MainBridge tagged=MainBridge untagged=iot1 vlan-ids=30
add bridge=MainBridge tagged=MainBridge untagged=lan1,lan2,lan3,lan4 \
    vlan-ids=50
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add interface=outside list=WAN
add interface=ADM_VLAN list=ADMIN
add interface=DMZ_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=LAN_VLAN list=VLAN
add interface=LAN_VLAN list=LAN
add interface=DMZ_VLAN list=LAN
add interface=IOT_VLAN list=LAN
add interface=ADM_VLAN list=LAN
add interface=wan2 list=WAN
/ip address
add address=10.5.0.1/24 interface=LAN_VLAN network=10.5.0.0
add address=10.4.0.1/24 interface=ADM_VLAN network=10.4.0.0
add address=10.3.0.1/24 interface=IOT_VLAN network=10.3.0.0
add address=10.2.0.1/24 interface=DMZ_VLAN network=10.2.0.0
/ip dhcp-client
add disabled=no interface=outside
add disabled=no interface=wan2
/ip dhcp-server network
add address=10.2.0.0/24 comment="DMZ Network" dns-server=192.168.0.18 \
    gateway=10.2.0.1
add address=10.3.0.0/24 comment="IOT Network" dns-server=192.168.0.18 \
    gateway=10.3.0.1
add address=10.4.0.0/24 comment="ADM Network" dns-server=192.168.0.18 \
    gateway=10.4.0.1
add address=10.5.0.0/24 comment="LAN Network" dns-server=192.168.0.18 \
    gateway=10.5.0.1
/ip firewall filter
add action=accept chain=input comment=\
    "Accept established, related & untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Drop invalid input" connection-state=\
    invalid
add action=accept chain=input comment="Allow Admin_VLAN full access" \
    in-interface=ADM_VLAN
add action=accept chain=input comment="Allow access on admin port" \
    in-interface=admin
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "Accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="Drop everything else"
add action=fasttrack-connection chain=forward comment="Fasttrack Forward" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "Accept established, related & untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop invalid forward" \
    connection-state=invalid
add action=accept chain=forward comment="DNS to DMZ (udp)" dst-port=53 \
    in-interface-list=VLAN out-interface=DMZ_VLAN protocol=udp
add action=accept chain=forward comment="DNS to DMZ (tcp)" dst-port=53 \
    in-interface-list=VLAN out-interface=DMZ_VLAN protocol=tcp
add action=accept chain=forward comment="HTTP 80" dst-address=10.2.0.10 \
    dst-port=80 in-interface-list=WAN log=yes log-prefix="(fw80)" protocol=\
    tcp
add action=accept chain=forward comment="HTTPS 443" dst-address=10.2.0.10 \
    dst-port=443 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="Accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="Drop invalid forward" log-prefix=\
    "(invfwd)"
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment="HTTP 80" dst-port=80 \
    in-interface-list=WAN log=yes log-prefix="(nat80)" protocol=tcp \
    to-addresses=10.2.0.10
add action=dst-nat chain=dstnat comment="HTTPS 443" dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=10.2.0.10
/system clock
set time-zone-autodetect=no time-zone-name=UTC
/system identity
set name=fldMTRB4011
/tool bandwidth-server
set enabled=no
/tool sniffer
set file-name=20210422_port80_3.pcap filter-port=http

20210422_RB750.rsc (5.58 KB)
20210422_RB4011_2.rsc (6.75 KB)
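A consistency check over the export format shown above, added here as an example; it is not code from the forum post and not a MikroTik tool. It rejoins the backslash-continued lines the export uses, parses each `add` line into key/value pairs, and verifies two things a port-forward setup should satisfy: every dst-nat rule has a forward accept for the same protocol, port and target host, and every WAN-facing forward accept is pinned to a single host rather than a subnet. The sample input reproduces the RB4011's nat and filter rules and adds two constructed rules (an SSH forward with no filter rule and a subnet-wide accept) so both checks fire; the interface-list name WAN is taken from the export.

```python
"""Consistency check for RouterOS port-forward (dst-nat) rules.

Added example, not from the forum post or from MikroTik: it parses the
/ip firewall nat and /ip firewall filter sections of a RouterOS export,
rejoining the backslash-continued lines the export uses, and reports
dst-nat rules without a matching forward accept and WAN-facing forward
accepts that are not pinned to a single host.
"""
import shlex

# Constructed sample input: the RB4011's nat/filter rules from the export
# above, plus two constructed rules so that both checks have something to find.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=forward comment="HTTP 80" dst-address=10.2.0.10 \
    dst-port=80 in-interface-list=WAN log=yes log-prefix="(fw80)" protocol=\
    tcp
add action=accept chain=forward comment="HTTPS 443" dst-address=10.2.0.10 \
    dst-port=443 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="(constructed) whole DMZ" \
    dst-address=10.2.0.0/24 dst-port=8080 in-interface-list=WAN protocol=tcp
add action=drop chain=forward comment="Drop invalid forward" log-prefix=\
    "(invfwd)"
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment="HTTP 80" dst-port=80 \
    in-interface-list=WAN log=yes log-prefix="(nat80)" protocol=tcp \
    to-addresses=10.2.0.10
add action=dst-nat chain=dstnat comment="HTTPS 443" dst-port=443 \
    in-interface-list=WAN protocol=tcp to-addresses=10.2.0.10
add action=dst-nat chain=dstnat comment="(constructed) SSH, no filter rule" \
    dst-port=22 in-interface-list=WAN protocol=tcp to-addresses=10.2.0.11
"""

WAN_LIST = "WAN"  # interface-list name, taken from the export above


def join_continuations(text):
    """Rejoin lines that the RouterOS export split with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]  # drop the backslash, keep the space before it
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_rules(text):
    """Return {section: [rule, ...]} where each rule is a dict of key=value."""
    sections, current = {}, None
    for line in join_continuations(text):
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current is not None and line.startswith("add "):
            rule = {}
            for token in shlex.split(line[4:]):  # shlex removes the "..." quoting
                key, _, value = token.partition("=")
                rule[key] = value
            sections[current].append(rule)
    return sections


def check_port_forwards(text):
    """Return a list of human-readable findings (an empty list means consistent)."""
    sections = parse_rules(text)
    nat_rules = sections.get("/ip firewall nat", [])
    accepts = [r for r in sections.get("/ip firewall filter", [])
               if r.get("chain") == "forward" and r.get("action") == "accept"]
    findings = []
    # 1. every dst-nat target needs a forward accept for the same proto/port/host
    for r in nat_rules:
        if r.get("action") != "dst-nat":
            continue
        proto, target = r.get("protocol"), r.get("to-addresses")
        port = r.get("to-ports") or r.get("dst-port")
        covered = any(
            a.get("protocol") == proto and a.get("dst-port") == port
            and a.get("dst-address") in (None, target)
            and a.get("in-interface-list", WAN_LIST) == WAN_LIST
            for a in accepts
        )
        if not covered:
            findings.append(f"dst-nat {proto}/{port} -> {target} "
                            f"({r.get('comment', '')}) has no forward accept rule")
    # 2. a WAN-facing forward accept should name one host, not a subnet
    for a in accepts:
        if a.get("in-interface-list") != WAN_LIST:
            continue
        dst = a.get("dst-address", "")
        if not dst or ("/" in dst and not dst.endswith("/32")):
            findings.append(f"forward accept '{a.get('comment', '')}' from {WAN_LIST} "
                            f"is not pinned to a single host (dst-address={dst or 'any'})")
    return findings


if __name__ == "__main__":
    for finding in check_port_forwards(SAMPLE_EXPORT):
        print(finding)
```

On the export above, the two real forwards (80 and 443 to 10.2.0.10) pass both checks; only the two constructed rules are reported. The check deliberately ignores the fasttrack/established rules, since those only carry replies for connections the accept rules already admitted.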

Well, that’s your problem: you have to decide which router is doing the routing.
Why not just dump the RB750 and run everything from the RB4011?

If for some reason you need a switch at any spot in the setup, then set up the RB750 as a switch using ROS.
Basically just run a bridge on the switch, identify the VLANs, set up the bridge ports and bridge VLANs, and that’s basically it.

This is only to test the setup.
The RB750 will be nowhere near the setup once I’ve confirmed everything is working, but as long as everything fails on the RB4011 as soon as it sees a public IP on the outside, I need a way to test and confirm, before replacing my existing setup.
This setup recreates the issue I see when connecting the RB4011 directly to my Internet provider.

You should do a netinstall instead of just a reset. There sometimes is weirdness that can’t be fixed with a reset or upgrade/downgrade.

Have done a netinstall as suggested, and for now all appears to be working as intended.

Once again thanks for all your inputs on this.