Nexius
November 11, 2024, 4:31pm
1
Hi!
Can you help me to understand what is wrong? Many thanks in advance!
I have one lan and one vlan
On my regular LAN, 192.168.100.1/24, I have set the DNS server for my clients to 192.168.100.1 so I can use the DNS cache to be faster.
And everything works!
But when I do the same on my VLAN, 192.168.35.1/24, and set up 192.168.35.1, my clients can't surf the internet… the only way I can get it working is to set up 1.1.1.1 / 8.8.8.8.
Here are my configs…
Any help please?
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge port-cost-mode=short \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-eap670
set [ find default-name=ether2 ] poe-out=off
set [ find default-name=ether3 ] comment="EAP outdoor"
set [ find default-name=ether4 ] poe-out=off
set [ find default-name=ether5 ] poe-out=off
set [ find default-name=ether6 ] poe-out=off
set [ find default-name=ether7 ] comment="Management port" poe-out=off
set [ find default-name=ether8 ] name=ether8-WAN poe-out=off
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1-switch
/interface wireguard
add listen-port=31231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=bridge.110 vlan-id=110
add interface=bridge name=bridge.192 vlan-id=192
/ip pool
add name=pool.192 ranges=192.168.35.2-192.168.35.254
add name=pool.110 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=pool.192 interface=bridge.192 lease-time=6h name=dhcp.192
add address-pool=pool.110 interface=bridge.110 lease-time=1d name=dhcp.110
/interface bridge port
add bridge=bridge interface=ether1-eap670 internal-path-cost=10 path-cost=10 \
pvid=110
add bridge=bridge interface=ether2 internal-path-cost=10 path-cost=10 pvid=\
110
add bridge=bridge interface=ether3 internal-path-cost=10 path-cost=10 pvid=\
110
add bridge=bridge interface=sfp-sfpplus1-switch internal-path-cost=10 \
path-cost=10 pvid=110
add bridge=bridge interface=ether4 internal-path-cost=10 path-cost=10 pvid=\
110
add bridge=bridge interface=ether5 internal-path-cost=10 path-cost=10 pvid=\
110
add bridge=bridge interface=ether6 internal-path-cost=10 path-cost=10 pvid=\
110
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge tagged="bridge,ether1-eap670,ether2,ether3,ether4,ether5,eth\
er6,sfp-sfpplus1-switch" vlan-ids=192
add bridge=bridge tagged=bridge vlan-ids=110
/ip address
add address=192.168.100.1/24 interface=bridge.110 network=192.168.100.0
add address=192.168.35.1/24 interface=bridge.192 network=192.168.35.0
add address=172.29.1.1/24 interface=ether7 network=172.29.1.0
add address=172.27.10.1/24 interface=wireguard1 network=172.27.10.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add interface=ether8-WAN use-peer-dns=no
/ip dhcp-server network
add address=192.168.35.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.35.1
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=192.168.100.0/24 list="rede suporte"
add address=172.29.1.0/24 list="rede suporte"
add address=172.27.10.0/24 list="rede suporte"
/ip firewall filter
add action=drop chain=forward connection-state=new dst-address=\
192.168.100.0/24 src-address=192.168.35.0/24
add action=accept chain=input comment="allow WireGuard" dst-port=31231 \
protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
172.27.10.0/24
add action=accept chain=input connection-state=established,related
add action=accept chain=input src-address-list="rede suporte"
add action=accept chain=input limit=50,5:packet protocol=icmp
add action=add-src-to-address-list address-list="rede suporte" \
address-list-timeout=5h chain=input dst-port=1981 protocol=tcp
add action=drop chain=input
add action=fasttrack-connection chain=forward dst-port=53 hw-offload=yes \
protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8-WAN
/ip firewall service-port
set ftp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Lisbon
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=2.pt.pool.ntp.org
add address=0.pt.pool.ntp.org
add address=1.pt.pool.ntp.org
add address=3.pt.pool.ntp.org
/system routerboard settings
set cpu-frequency=1400MHz
/tool romon
set enabled=yes
Start with default firewall filter rules, your current rules are…creative. Did you configure the router? Is it public facing?
Also, your VLAN config is creative, have a very good look at this very good topic:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Nexius
November 11, 2024, 4:58pm
3
Start with default firewall filter rules, your current rules are...creative. Did you configure the router? Is it public facing?
Also, your VLAN config is creative, have a very good look at this very good topic:
Using RouterOS to VLAN your network
Yes, it was me that set up the router.
Is it public facing - VLAN 192 is for guests.
anav
November 11, 2024, 8:35pm
4
You have every port as an access port to the home or trusted VLAN 110 according to /interface bridge port, and no access ports for guests and no trunk ports, it seems.
YET
You have in /interface bridge vlans EVERY PORT tagged for guests…
Therefore you need to be honest about what each port is going to.
a. dumb device like PC ( and to home or guest )
b. smart device that can handle vlans ( managed switch or smart access point )
The conclusion from the config is that you ACTUALLY have all HYBRID PORTS going to smart devices that can handle vlans.
Which is actually only a niche case for special devices and in your case NOT required.
So without a diagram or better explanation we are left guessing.
My educated guess is you have one smart switch for both VLANs on sfpplus1 and a smart AP on ether3 and ether1, so I will config as per that.
anav
November 11, 2024, 8:58pm
5
Used at /interface bridge ports normally
From:
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge port-cost-mode=short vlan-filtering=yes
TO:
/interface bridge
add name=bridge port-cost-mode=short vlan-filtering=yes
SO…
/interface bridge port
# trunk ports to the smart devices (APs and switch): tagged frames only
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1-eap670
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1-switch
# access ports for dumb devices on the trusted VLAN: untagged frames get pvid 110
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=110
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=110
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=110
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=110
SO
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1-eap670,ether3,sfp-sfpplus1-switch untagged=ether2,ether4,ether5,ether6 vlan-ids=110
add bridge=bridge tagged=bridge,ether1-eap670,ether3,sfp-sfpplus1-switch vlan-ids=192
Slight mods to fw rules
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="wg handshake" dst-port=31231 protocol=udp
add action=accept chain=input src-address-list="rede suporte"
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
# wireguard1 is matched directly: no "wireguard" interface list exists in this config
add action=accept chain=forward comment="wg to subnet" in-interface=wireguard1 dst-address=192.168.100.0/24
add action=drop chain=forward comment="Drop all else"
Discussion:
-There was no way for LAN users to get internet, as there was no access to DNS.
-Note: this rule was removed because the src-address-list rule for "rede suporte" already includes it:
add action=accept chain=input comment="allow WireGuard traffic" src-address=172.27.10.0/24
The bastardization of good default rules fixed.
Missing interface info
/interface list
add name=WAN
add name=LAN
/interface list members
add interface=ether8-WAN list=WAN
add interface=bridge.110 list=LAN
add interface=bridge.192 list=LAN
You can add the router as an NTP server, and the TP-Link and other devices can pick it up.
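The DNS point in the post above, as an added worked example that is not code from the thread or from RouterOS: a small first-match model of a /ip firewall filter input chain, with the rules transcribed from the two configs (the second "users to services" rule is taken as TCP/53, the usual pairing with the UDP rule), run over constructed DNS queries from the guest VLAN, the trusted LAN and the WAN side. The "rede suporte" list, interface names and subnets come from the posts; the Packet and Rule classes and the three sample packets are the example's own, and the limit= matcher on the ICMP rule is not modelled.

```python
"""Added example, not code from the thread or from RouterOS: a first-match model of
a /ip firewall filter input chain. Rules, address lists and interface names are
transcribed from the two configs posted above; the sample packets are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# /ip firewall address-list and /interface list members as posted
ADDRESS_LISTS = {"rede suporte": ["192.168.100.0/24", "172.29.1.0/24", "172.27.10.0/24"]}
INTERFACE_LISTS = {"LAN": {"bridge.110", "bridge.192"}, "WAN": {"ether8-WAN"}}


@dataclass
class Packet:
    src: str
    in_iface: str
    protocol: str          # "udp", "tcp" or "icmp"
    dst_port: int | None
    conn_state: str        # "new", "established", "related" or "invalid"


@dataclass
class Rule:
    action: str            # accept, drop or add-src-to-address-list
    comment: str = ""
    src_address: str | None = None
    src_address_list: str | None = None
    in_interface_list: str | None = None
    protocol: str | None = None
    dst_ports: frozenset[int] = frozenset()
    conn_states: frozenset[str] = frozenset()

    def matches(self, pkt: Packet) -> bool:
        """Every matcher that is set must match, as in RouterOS. limit= is not modelled."""
        src = ip_address(pkt.src)
        if self.src_address and src not in ip_network(self.src_address):
            return False
        if self.src_address_list and not any(
                src in ip_network(n) for n in ADDRESS_LISTS[self.src_address_list]):
            return False
        if self.in_interface_list and pkt.in_iface not in INTERFACE_LISTS[self.in_interface_list]:
            return False
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.dst_ports and pkt.dst_port not in self.dst_ports:
            return False
        if self.conn_states and pkt.conn_state not in self.conn_states:
            return False
        return True


def evaluate(chain: list[Rule], pkt: Packet) -> tuple[str, str]:
    """Walk the chain top-down; the first accept or drop decides. add-src-to-address-list
    does not terminate, so the packet keeps walking. An unmatched packet is accepted
    (RouterOS default policy), which never happens here because both chains end in drop."""
    for rule in chain:
        if rule.matches(pkt) and rule.action in ("accept", "drop"):
            return rule.action, rule.comment
    return "accept", "implicit default"


ER = frozenset({"established", "related"})

# Input chain in the order Nexius posted it.
OP_INPUT = [
    Rule("accept", "allow WireGuard", protocol="udp", dst_ports=frozenset({31231})),
    Rule("accept", "allow WireGuard traffic", src_address="172.27.10.0/24"),
    Rule("accept", "established,related", conn_states=ER),
    Rule("accept", "rede suporte", src_address_list="rede suporte"),
    Rule("accept", "icmp", protocol="icmp"),
    Rule("add-src-to-address-list", "knock 1981", protocol="tcp", dst_ports=frozenset({1981})),
    Rule("drop", "drop all"),
]

# Input chain as anav proposed; the second "users to services" rule taken as TCP/53.
ANAV_INPUT = [
    Rule("accept", "established,related", conn_states=ER),
    Rule("drop", "invalid", conn_states=frozenset({"invalid"})),
    Rule("accept", "icmp", protocol="icmp"),
    Rule("accept", "wg handshake", protocol="udp", dst_ports=frozenset({31231})),
    Rule("accept", "rede suporte", src_address_list="rede suporte"),
    Rule("accept", "users to services", in_interface_list="LAN", protocol="udp",
         dst_ports=frozenset({53, 123})),
    Rule("accept", "users to services", in_interface_list="LAN", protocol="tcp",
         dst_ports=frozenset({53})),
    Rule("drop", "drop all"),
]

# Constructed packets: a fresh DNS query to the router from each side.
GUEST_DNS = Packet("192.168.35.50", "bridge.192", "udp", 53, "new")
LAN_DNS = Packet("192.168.100.50", "bridge.110", "udp", 53, "new")
WAN_DNS = Packet("203.0.113.10", "ether8-WAN", "udp", 53, "new")   # open-resolver probe

if __name__ == "__main__":
    for name, pkt in (("guest", GUEST_DNS), ("lan", LAN_DNS), ("wan", WAN_DNS)):
        print(f"{name:5}  posted: {evaluate(OP_INPUT, pkt)}  proposed: {evaluate(ANAV_INPUT, pkt)}")
```

Under the posted rules the guest query to 192.168.35.1 matches nothing before the final input drop, while 192.168.100.x is let in by the "rede suporte" list, which is exactly the asymmetry Nexius saw; the forward-chain fasttrack rule for UDP/53 never sees this traffic because queries addressed to the router itself traverse input, not forward. The WAN probe is dropped in both versions, so allow-remote-requests=yes does not turn the router into an open resolver as long as the input chain keeps its final drop.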
Nexius
November 12, 2024, 11:52am
6
Many thanks for your kind answer!
All the access points broadcast SSIDs with VLAN 192 and 110. That config of SSIDs with VLANs is made on the Omada controller.
Attaching the diagram.
anav
November 12, 2024, 2:49pm
7
Results not guaranteed by using dumb switch to carry vlans to smart devices.
I have provided my feedback…
I have several TP-Link APs myself; I found the Omada controller to be less than useful and manage my TPs each manually.
With only two, it's a better approach IMHO…
Nexius
November 12, 2024, 3:30pm
8
So you have them as standalone?
But for that I have to remove them from the controller?
anav
November 12, 2024, 3:47pm
9
Yup, I much prefer the granular control of direct access. I use that for all my TP-Link switches and APs.
I would only use the controller in a corporate setting.
By the way, good luck trying to remove the controller settings and move to standalone; I found it really hard to remove all the crap the controller did. Best bet was to reload the firmware and remove the controller from the network.