I did a PCC load balancing, and now I have problems with port forwarding.
My setup is that we have 3 GB uplinks from the same ISP: 3bb01-eth1, 3bb02-eth2, 3bb03-eth3.
Now the PCC load balancing is working well but the port forwarding is not. I am using the provided MT cloud DDNS to access from outside. I have zero idea what I am doing with the mangle rules.
The current state is that some devices can connect to the web server and some cannot, and it says connection timed out.
My hypothesis is that it is because return traffic gets returned through a different interface than it came from.
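The return-path problem described in this post is the usual reason port forwarding breaks behind PCC: the inbound connection arrives on one WAN, but the server's reply is routed by the default route (or by the PCC rules) out of another WAN, so the client never sees it. The RouterOS fragment below is an added example, not the poster's config and not something another participant posted. It assumes the three WAN interfaces are PPPoE clients named pppoe-out1..3, that the routing tables to-wan1..3 exist (as in the thread), that LAN is the interface list carrying the user vlans, and that the web server is at a placeholder address 172.16.1.10. The PCC rules themselves are assumed to sit below these rules and to match only connection-mark=no-mark traffic.

```routeros
# Added example (not the thread's config). Assumed names: pppoe-out1..3,
# routing tables to-wan1..3, interface list LAN, server 172.16.1.10 (placeholder).

/ip firewall mangle
# 1. Remember which WAN a NEW inbound connection arrived on.
#    These rules go ABOVE the PCC rules so PCC never re-marks them.
add chain=prerouting in-interface=pppoe-out1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=wan1_conn passthrough=yes \
    comment="inbound connection via WAN1"
add chain=prerouting in-interface=pppoe-out2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=wan2_conn passthrough=yes \
    comment="inbound connection via WAN2"
add chain=prerouting in-interface=pppoe-out3 connection-mark=no-mark \
    action=mark-connection new-connection-mark=wan3_conn passthrough=yes \
    comment="inbound connection via WAN3"

# 2. When the LAN server answers, pick the routing table by the connection
#    mark, so the reply leaves through the WAN the request came in on.
#    dst-address-type=!local keeps LAN-to-router traffic unmarked.
add chain=prerouting in-interface-list=LAN connection-mark=wan1_conn \
    dst-address-type=!local action=mark-routing new-routing-mark=to-wan1 \
    passthrough=no comment="reply via WAN1"
add chain=prerouting in-interface-list=LAN connection-mark=wan2_conn \
    dst-address-type=!local action=mark-routing new-routing-mark=to-wan2 \
    passthrough=no comment="reply via WAN2"
add chain=prerouting in-interface-list=LAN connection-mark=wan3_conn \
    dst-address-type=!local action=mark-routing new-routing-mark=to-wan3 \
    passthrough=no comment="reply via WAN3"

/ip route
# One default route per routing table; a PPPoE interface can be the gateway.
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=to-wan1 \
    comment="default for to-wan1"
add dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-table=to-wan2 \
    comment="default for to-wan2"
add dst-address=0.0.0.0/0 gateway=pppoe-out3 routing-table=to-wan3 \
    comment="default for to-wan3"

/ip firewall nat
# The port forward itself: accept on any WAN, hand to the server.
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=172.16.1.10 comment="web server (placeholder)"

/ip firewall filter
# Forward chain must admit the dst-nat'd connection; place above any drop rule.
add chain=forward connection-nat-state=dstnat connection-state=new \
    in-interface-list=WAN action=accept comment="allow port-forwarded traffic"
```

A quick check after applying this: open the forwarded port from outside via each WAN address in turn and watch `/ip firewall connection print where connection-mark~"wan"`; every inbound session should carry exactly one wanN_conn mark, and `/tool torch` on the matching pppoe-outN should show the reply bytes leaving there rather than on the main default route.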
How do you expect anyone to answer/help if you do not show your config nor explain the context of the setup?
Sorry, my bad lol
current-config.rsc (24.3 KB)
Easy, because some clowns, not to be named, don't understand the basic need for a first-poster process.
Please stop taking it out on the posters and properly focus on the people that refuse to actually be forward thinking.
I understand where you are going, but the base problem is and remains: someone is asking a question and is not providing enough info.
True, that can be guided using a clear checklist of what info should be provided, but it doesn't change the base problem.
Are you going to your garage simply saying "my car doesn't work"?
Or to a bakery saying "I need bread"?
I hope not … you'll get similar responses to the one I gave.
= more info needed.
Let's stop that discussion here, shall we?
Wrong place, wrong context.
(1) You have seven pools and only 6 vlans.
This leads me to think that you are mixing apples and oranges: a bunch of vlans with the interface bridge, but still keeping the bridge doing DHCP for one subnet.
Best to turn that last subnet also into a vlan and not involve the bridge in dhcp etc…
(2) Why are you not ingress filtering and stipulating frame types?
(3) This has to go… not required in most cases…
/interface bridge settings
set use-ip-firewall-for-vlan=yes
(4) Ethernet ports are generally not identified as LAN list members when they are part of a bridge.
Without vlans, only the bridge is required, and with vlans, only the vlans are required (assuming one removes the bridge from dhcp as they should for an optimal config).
(5) Your naming can be improved; for example, keep the standard LAN and WAN as used in MT versus the lower case.
I see why you did it, because you then later named address lists LAN and WAN, which is never a good idea and more confusing than helpful.
For example, I would use "MyWAN" as the address list entry etc…
(6) What is the purpose of using your netname in your setup…
(7) You have monkeyed with firewall settings and they are not that good at all. Not sure what useless youtube video you watched…
(8) None of your mangle rules or dstnat rules or routes make any sense.
(9) Not sure what you are doing with cloudflare in the script either.
Edit: adding (10) No /interface bridge vlan settings either !!!
No, it's exactly the right place, because you confronted the poster and I am saying there is no need for that; it should never happen.
Until you actually grasp the concept that there is a better way, I have to keep hammering the point home. Don't worry, I will be dead before you
and then you won't hear it anymore.
PS - Your analogy is akin to the poster's firewall rules LOL.
We are talking about people attempting to bake their own bread, not buying bread, if you want to get technical.
Trintrin, there is a lot in your config I don't understand, but I will attempt to provide a cleaned-up version that gets you closer to success.
/interface vlan
add comment=B2 interface=bridge name=vlan2 vlan-id=2
add comment=B3 interface=bridge name=vlan3 vlan-id=3
add comment=B4 interface=bridge name=vlan4 vlan-id=4
add comment=B5 interface=bridge name=vlan5 vlan-id=5
add comment=B6 interface=bridge name=vlan6 vlan-id=6
add comment=DORM interface=bridge name=vlan10 vlan-id=10
add comment="bridge subnet" interface=bridge name=vlan16 vlan-id=16
/interface list
add name=LAN
add name=WAN
add name=TRUSTED
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan16 lease-time=10m name=dhcp1
add address-pool=dhcp_pool2 interface=vlan2 lease-time=10m name="dhcp2[B2]"
add address-pool=dhcp_pool3 interface=vlan3 lease-time=10m name="dhcp3[B3]"
add address-pool=dhcp_pool5 interface=vlan5 lease-time=10m name="dhcp5[B5]"
add address-pool=dhcp_pool6 interface=vlan6 lease-time=10m name="dhcp6[B6]"
add address-pool=dhcp_pool10 interface=vlan10 lease-time=10m name="dhcp10[DORM]"
add address-pool=dhcp_pool4 interface=vlan4 lease-time=10m name="dhcp4[B4]"
/routing table
add disabled=no fib name=to-wan1
add fib name=to-wan2
add fib name=to-wan3
/interface list member
add interface="ether1(3bb01-eth1)" list=WAN
add interface="ether2(3bb02-eth2)" list=WAN
add interface="ether3(3bb03-eth3)" list=WAN
add interface=vlan2 list=LAN
add interface=vlan3 list=LAN
add interface=vlan4 list=LAN
add interface=vlan5 list=LAN
add interface=vlan6 list=LAN
add interface=vlan10 list=LAN
add interface=vlan16 list=LAN
add interface=vlan16 list=TRUSTED
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/ip address
add address=172.16.1.1/24 interface=vlan16 network=172.16.1.0
add address=172.16.4.1/22 interface=vlan2 network=172.16.4.0
add address=172.16.8.1/22 interface=vlan3 network=172.16.8.0
add address=192.168.1.1/22 interface=vlan5 network=192.168.0.0
add address=192.168.4.1/22 interface=vlan6 network=192.168.4.0
add address=192.168.8.1/22 interface=vlan10 network=192.168.8.0
add address=172.16.12.1/22 interface=vlan4 network=172.16.12.0
LMFAO I know it sucks, but you have got to begin somewhere lol. Will there be any resources available that will help then?
trintrin,
(1) can you tell me for each port on the router what its purpose is… as an example
1- to switch vlans x,y,z
2- to dumb device vlan x
3- etc…
ether1-3 are the wan ports
sfp1? sfp2? sfp4? ether10 switch but what vlans? ether11 switch but what vlans?
the rest?
(2) What is the trusted subnet? Assuming for now it's the new vlan16 used to replace the bridge subnet, correct???
(This is the subnet which will be used to supply IP addresses to any smart devices, think switches, attached to the router; could be APs as well.)
ether 1 to ether 3 are the WAN ports
ether 10 and ether 11 are the core switch
sfp1 is to another lecture building
sfp2 is to another lecture building
sfp4 is to the dorm and 2 more lecture buildings
yep, the trusted subnet is VLAN 16
That's a start, but I also asked which vlans travel over those ports etc…
and why two connections to the same switch?? Only one is required.
More than one introduces the possibility of conflict, looping etc…
Sorry, my bad
ether 10
we just need the trusted vlan (each of the ports goes to a switch and they are also connected to each other; TBH I think this shows a possible threat of looping)
ether 11 will be removed
sfp1 just needs only vlan 3 (switch in its respective building)
sfp2 just needs only vlan 2 (switch in its respective building)
sfp4 just needs only vlan 5 & vlan 6 & vlan 10 (switches in their respective buildings)
Quick question: so we have in total 8 buildings on the campus and my setup is one VLAN for each building. Do you think this is optimal?
4 lecture buildings, one cafeteria building (this is where the IT department is located, therefore the server is located here), one auditorium building, one main office.
Btw, a lot of leases are made static; this is because the scanner needs these IPs to send the file to the right computer.
Hi trintrin,
I am not a licensed IT expert or a network design engineer, but yes, one VLAN per building is reasonable.
I am assuming the VLANs mean these subnets should be kept separate from each other!
If for some reason a building requires additional separation, then create additional subnets.
If for some reason you have special groups of users that need their own subnet, then create additional vlans.
What you need though is a formal MANAGEMENT subnet for all these devices.
Can you confirm vlan16 (the current bridge subnet) is not used for data purposes or accessible by general users, and only the admins have access?
If yes, then it's fine; if NOT, then we need to create something like vlan99 which only the admins have access to and
where all the switches get their IP address from, and any smart Access Points (that are capable of reading vlan tags).
For the three WAN pppoe connections, I will probably suggest later that you do not select default route on them, as we will do routes manually.
The management vlan goes to every switch (and thus every building).
Let's go, I got some concepts right,
and sadly, VLAN 16 is accessible by general users.
Btw, what is a management subnet?
A subnet for all switches? And it increases security?
Yes, basically: one limits access to the configuration of routers and switches to those with access to the management vlan. I understand it's common practice.
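As an added example of the management vlan idea discussed in this exchange (not the poster's config and not something another participant posted), the fragment below creates a vlan99 that is tagged to every switch-facing port, hands the switches their addresses from it, and restricts the router's own admin services to that vlan. It uses the port-to-vlan mapping the poster gave earlier (ether10 to the core switch, sfp1 for vlan 3, sfp2 for vlan 2, sfp4 for vlans 5, 6 and 10) and assumes the bridge is named bridge, that vlan99 uses a placeholder subnet 192.168.99.0/24, and that LAN is the interface list holding the user vlans. It also covers the earlier point about ingress filtering and frame types (item 2 of the critique) and the missing /interface bridge vlan table (item 10).

```routeros
# Added example (not the thread's config). Assumed: bridge "bridge",
# mgmt vlan 99 on 192.168.99.0/24 (placeholder), interface list LAN exists.

/interface vlan
add interface=bridge name=vlan99 vlan-id=99 comment="management"

/ip address
add address=192.168.99.1/24 interface=vlan99 comment="mgmt gateway (placeholder)"

/ip pool
add name=pool_mgmt ranges=192.168.99.100-192.168.99.199
/ip dhcp-server
add address-pool=pool_mgmt interface=vlan99 lease-time=1h name=dhcp_mgmt
/ip dhcp-server network
add address=192.168.99.0/24 gateway=192.168.99.1 comment="switches/APs get IPs here"

/interface list
add name=MGMT
/interface list member
add interface=vlan99 list=MGMT

# Bridge ports: only tagged frames accepted from switch uplinks.
/interface bridge port
add bridge=bridge interface=ether10 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge interface=sfp1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge interface=sfp2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge interface=sfp4 ingress-filtering=yes frame-types=admit-only-vlan-tagged

# Bridge vlan table: mgmt vlan reaches every switch; data vlans only where needed.
/interface bridge vlan
add bridge=bridge vlan-ids=99 tagged=bridge,ether10,sfp1,sfp2,sfp4 comment="management"
add bridge=bridge vlan-ids=16 tagged=bridge,ether10 comment="trusted (core switch)"
add bridge=bridge vlan-ids=3 tagged=bridge,sfp1
add bridge=bridge vlan-ids=2 tagged=bridge,sfp2
add bridge=bridge vlan-ids=5,6,10 tagged=bridge,sfp4

# Turn filtering on last, from Safe Mode, once the table above is complete.
/interface bridge
set bridge vlan-filtering=yes

# Router self-management only from the mgmt vlan.
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

/ip firewall filter
# Place these above any generic input accept/drop rules.
add chain=input in-interface-list=MGMT protocol=tcp dst-port=22,443,8291 \
    action=accept comment="admin services from mgmt vlan"
add chain=input in-interface-list=LAN protocol=tcp dst-port=22,443,8291 \
    action=drop comment="admin services not reachable from user vlans"
```

On the switches themselves the same vlan 99 has to be the one their management IP lives on, with the uplink to the router carrying it tagged; a switch whose management address stays on a user vlan is still reachable by anyone on that vlan regardless of what the router drops.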
ahhh, what else needs to be done?