rb2004 problem with masquerade

Hi there… I have a problem with firewall masquerade for one network. Topology: MikroTik 2004 —> Cisco managed switch —> UniFi AP —> VLAN networks
VLAN 50 has internet, VLAN 100 has internet, but VLAN 150 has no internet… the firewall NAT masquerade rule has no hits.
I get an IP from the DHCP server and can ping the gateway, but cannot ping outside. No problem with the other two VLANs.
interface/bridge export

# oct/24/2022 13:45:43 by RouterOS 7.4
# software id = 1FV8-28MX
#
# model = CCR2004-16G-2S+
# serial number
# One VLAN-aware bridge (vlan-filtering=yes). arp=proxy-arp is set on the bridge
# itself; NOTE(review): proxy-arp makes the router answer ARP on behalf of other
# addresses it can reach, which is not needed for plain inter-VLAN routing --
# confirm it is intentional.
/interface bridge
add arp=proxy-arp name=br1 protocol-mode=none vlan-filtering=yes
# Access ports: ether5-10 untagged in VLAN 50, ether13-16 untagged in VLAN 100.
# No access port carries pvid=150 or pvid=200, so those VLANs are only reachable
# tagged, through the ports listed in the VLAN table at the bottom.
/interface bridge port
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5 pvid=50
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether6 pvid=50
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether7 pvid=50
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether8 pvid=50
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether9 pvid=50
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether10 pvid=50
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether13 pvid=100
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether14 pvid=100
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether15 pvid=100
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether16 pvid=100
# NOTE(review): vlan49-mngmt is a VLAN interface (it carries 192.168.49.1/24 in
# the address export) yet is added here as a bridge port -- confirm this is meant.
add bridge=br1 interface=vlan49-mngmt pvid=49
# Trunk ports: tagged frames only; VLAN membership comes from the VLAN table.
add bridge=br1 frame-types=admit-only-vlan-tagged interface=ether11
add bridge=br1 frame-types=admit-only-vlan-tagged interface=ether12
# ether3/ether4/ether2 set no frame-types, so (at the default) tagged frames are
# admitted on them as well -- confirm that is intended for access ports.
add bridge=br1 interface=ether3 pvid=49
add bridge=br1 interface=ether4 multicast-router=disabled pvid=50
add bridge=br1 interface=ether2 pvid=50
# VLAN table. br1 is tagged in every VLAN so the router's vlan interfaces can
# terminate them. sfp-sfpplus2 is tagged here but does not appear in the port list
# above (export may be partial). ether4 is tagged for 50 and 100 only: a VLAN-aware
# device on ether4 cannot carry VLAN 150 or 200. VLAN 200 is the only VLAN not
# carried on sfp-sfpplus2.
/interface bridge vlan
add bridge=br1 tagged=br1,ether11,ether12,sfp-sfpplus2 vlan-ids=49
add bridge=br1 tagged=br1,ether11,ether12,ether4,sfp-sfpplus2 vlan-ids=50
add bridge=br1 tagged=br1,ether11,ether12,ether4,sfp-sfpplus2 vlan-ids=100
add bridge=br1 tagged=br1,ether12,ether11,sfp-sfpplus2 vlan-ids=150
add bridge=br1 tagged=br1,ether11,ether12 vlan-ids=200

ip/firewall/nat

# oct/24/2022 13:47:04 by RouterOS 7.4
# software id = 1FV8-28MX
#
# model = CCR2004-16G-2S+
# serial number =
/ip firewall nat
# Outbound masquerade is per source subnet (.50, .51, .49, .100, .200 /24) towards
# ether1. No rule matches 192.168.160.0/24, the subnet on vlan150_guest in the
# address export, so even once forwarding works guest traffic would reach ether1
# with a private source address. 192.168.51.0/24 is masqueraded here but has no
# address in the address export.
add action=masquerade chain=srcnat comment=\
    "Default masquerade office network" out-interface=ether1 src-address=\
    192.168.50.0/24
add action=masquerade chain=srcnat comment=\
    "Default masquerade office network" out-interface=ether1 src-address=\
    192.168.51.0/24
add action=masquerade chain=srcnat comment="Default masquerade admin network" \
    out-interface=ether1 src-address=192.168.49.0/24
add action=masquerade chain=srcnat comment=\
    "Default masquerade security network" out-interface=ether1 src-address=\
    192.168.100.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.200.0/24
# WAN port-forwards. The comment text still names 192.168.100.50, but these rules
# forward to 192.168.50.244 and 192.168.49.2 -- fix the comments so the next copy
# does not inherit a wrong description. tcp/80 on both hosts is reachable from
# the whole internet; add src-address restrictions where the client set is known.
add action=dst-nat chain=dstnat comment="port forwarding from WAN - 192.168.10\
    0.50 (copy this rule for new device and change ip:port)" dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.50.244 to-ports=\
    80
add action=dst-nat chain=dstnat comment="port forwarding from WAN - 192.168.10\
    0.50 (copy this rule for new device and change ip:port)" dst-port=88 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.49.2 to-ports=80
# NVR at 192.168.100.50, tcp/37777. First rule is the real WAN forward; the next
# three are hairpin rules for LAN clients that connect to the public address
# 78.130.219.76. NOTE(review): the office (.50) hairpin rule also requires
# in-interface-list=WAN, which LAN-originated traffic will not match -- it likely
# needs the same form as the .100 and .49 rules below it.
add action=dst-nat chain=dstnat comment="hairpin nat nvr" dst-port=37777 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.100.50 to-ports=\
    37777
add action=dst-nat chain=dstnat comment="hairpin nat nvr" dst-address=\
    78.130.219.76 dst-port=37777 in-interface-list=WAN protocol=tcp \
    src-address=192.168.50.0/24 to-addresses=192.168.100.50 to-ports=37777
add action=dst-nat chain=dstnat comment="hairpin nat nvr" dst-address=\
    78.130.219.76 dst-port=37777 protocol=tcp src-address=192.168.100.0/24 \
    to-addresses=192.168.100.50 to-ports=37777
add action=dst-nat chain=dstnat comment="hairpin nat nvr" dst-address=\
    78.130.219.76 dst-port=37777 protocol=tcp src-address=192.168.49.0/24 \
    to-addresses=192.168.100.50 to-ports=37777
# Hairpin srcnat: traffic from each LAN subnet to the NVR is masqueraded so the
# NVR sees the router as the source and its replies come back through the router.
add action=masquerade chain=srcnat comment=\
    "port forwarding from local net (admin network)" dst-address=\
    192.168.100.50 src-address=192.168.49.0/24
add action=masquerade chain=srcnat comment=\
    "port forwarding from local net (office network)" dst-address=\
    192.168.100.50 src-address=192.168.50.0/24
add action=masquerade chain=srcnat comment=\
    "port forwarding from local net (security network)" dst-address=\
    192.168.100.50 src-address=192.168.100.0/24
# Local forwards to the NVR keyed on dst-address-type=local, with each VLAN's own
# gateway address excluded (!192.168.x.1).
add action=dst-nat chain=dstnat comment="port forwarding from local net (admin\
    \_network) 192.168.100.50 - copy this rule for new device and change ip:po\
    rt" dst-address=!192.168.49.1 dst-address-type=local dst-port=37777 \
    protocol=tcp to-addresses=192.168.100.50 to-ports=37777
add action=dst-nat chain=dstnat comment="port forwarding from local net (offic\
    e network) 192.168.100.50 - copy this rule for new device and change ip:po\
    rt" dst-address=!192.168.50.1 dst-address-type=local dst-port=37777 \
    protocol=tcp to-addresses=192.168.100.50 to-ports=37777
add action=dst-nat chain=dstnat comment="port forwarding from local net (secur\
    ity network) 192.168.100.50 - copy this rule for new device and change ip:\
    port" dst-address=!192.168.100.1 dst-address-type=local dst-port=37777 \
    protocol=tcp to-addresses=192.168.100.50 to-ports=37777
# These two match in-interface=ether1 instead of in-interface-list=WAN like the
# other forwards; if another WAN-list member is ever in use they are skipped.
# Both lack a comment.
add action=dst-nat chain=dstnat dst-port=8080 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.49.2 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=8443 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.49.3 to-ports=8443
# Uncommented forward: WAN tcp/37779 -> 192.168.100.51:37777 (second NVR).
add action=dst-nat chain=dstnat dst-port=37779 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.100.51 to-ports=37777

ip/address export

# oct/24/2022 13:46:37 by RouterOS 7.4
# software id = 1FV8-28MX
#
# model = CCR2004-16G-2S+
# serial number
/ip address
add address=192.168.49.1/24 interface=vlan49-mngmt network=192.168.49.0
add address=192.168.50.1/24 interface=vlan50_office network=192.168.50.0
add address=192.168.100.1/24 interface=vlan100-security network=192.168.100.0
# vlan150_guest is numbered 192.168.160.0/24, not 192.168.150.0/24: the guest
# drop rules in the filter export match 192.168.150.0/24, and the NAT export has
# no masquerade rule for either subnet.
add address=192.168.160.1/24 interface=vlan150_guest network=192.168.160.0
# Second subnet on vlan100-security. NOTE(review): confirm 192.168.1.0/24 is meant
# to share the security VLAN -- no filter or masquerade rule references it.
add address=192.168.1.1/24 interface=vlan100-security network=192.168.1.0
add address=192.168.200.1/24 interface=vlan200 network=192.168.200.0

ip/firewall/filter export

# oct/24/2022 13:47:20 by RouterOS 7.4
# software id = 1FV8-28MX
#
# model = CCR2004-16G-2S+
# serial number
/ip firewall filter
# input chain. The first rule accepts all traffic to the router from any member of
# the VLAN interface list. The guest-network drop rules further down (all
# disabled) sit behind it, so once vlan150_guest is in the VLAN list they would
# never be reached even if enabled -- place them above "Allow VLAN" if guest
# clients are to be kept off the router. Neither chain drops
# connection-state=invalid; consider adding that in front of the accepts.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow admin_vlan Full Access" \
    in-interface-list=MGMT
# VPN services from WAN: IKE / NAT-T (udp 500, 4500), ESP and L2TP (udp 1701).
add action=accept chain=input comment="allow ipsec nat" dst-port=4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow vpn" dst-port=500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
# Winbox: tcp/8291 from MGMT and from PPP peers, plus tcp/22022 from the single
# source 1.1.1.1 on WAN. The comment says "from vpn" but that rule matches the
# WAN list -- confirm 1.1.1.1 is the intended management source.
add action=accept chain=input comment="winbox allow from vpn" dst-port=8291 \
    in-interface-list=MGMT protocol=tcp
add action=accept chain=input comment="winbox allow from vpn" dst-port=22022 \
    in-interface-list=WAN protocol=tcp src-address=1.1.1.1
add action=accept chain=input comment="winbox allow from vpn" dst-port=8291 \
    in-interface=all-ppp protocol=tcp
# PPTP (tcp 1723 + GRE) from WAN. NOTE(review): PPTP's authentication is widely
# regarded as weak; if the L2TP/IPsec path above covers the remote users, these
# two rules can be removed.
add action=accept chain=input comment="pptp vpn port" dst-port=1723 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="pptp vpn port" in-interface-list=WAN \
    protocol=gre
add action=accept chain=input comment="allow ping from - wan" \
    in-interface-list=WAN protocol=icmp
# Explicit drops: winbox and DNS (udp/tcp 53) from WAN. The blanket "drop all to
# router from - wan" at the end of the chain is disabled, so any WAN service not
# listed above is not dropped by this chain.
add action=drop chain=input dst-port=8291 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment=\
    "drop all to router from -  guest network" disabled=yes in-interface=\
    vlan150_guest
add action=drop chain=input comment="drop dns request from guest network" \
    disabled=yes dst-port=53 in-interface=vlan150_guest protocol=tcp
add action=drop chain=input comment="drop dns request from WAN interfaces" \
    dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="drop dns request from guest network" \
    disabled=yes dst-port=53 in-interface=vlan150_guest protocol=udp
add action=drop chain=input comment="drop dns request from WAN interfaces" \
    dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="drop all to router from - wan" disabled=\
    yes
# forward chain. Internet access for a VLAN depends on the VLAN and WAN interface
# lists: a vlan interface that is not a member of list=VLAN matches neither
# "VLAN Internet Access only" nor the MGMT rules and falls through to the final
# drop at the end of the chain.
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow admin to access vlans" \
    in-interface-list=MGMT out-interface-list=VLAN
add action=accept chain=forward comment="allow admin to access internet" \
    in-interface-list=MGMT out-interface-list=WAN
# PPP (VPN) peers: ICMP to all VLANs, internet, and full access to the .100, .49
# and .50 subnets; the per-host rules further down are therefore already covered
# by these subnet-wide accepts.
add action=accept chain=forward comment="allow vpn ping internal networks" \
    in-interface=all-ppp out-interface-list=VLAN protocol=icmp
add action=accept chain=forward comment="allow vpn internet accesss" \
    in-interface=all-ppp out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.100.0/24 in-interface=\
    all-ppp
add action=accept chain=forward dst-address=192.168.49.0/24 in-interface=\
    all-ppp
add action=accept chain=forward dst-address=192.168.50.0/24 in-interface=\
    all-ppp
# Individual office hosts allowed to the NVRs on tcp/37777. These precede the
# office -> security drop near the end of the chain, so they take effect.
add action=accept chain=forward dst-address=192.168.100.50 dst-port=37777 \
    protocol=tcp src-address=192.168.50.77
add action=accept chain=forward dst-address=192.168.100.50 dst-port=37777 \
    protocol=tcp src-address=192.168.50.123
add action=accept chain=forward dst-address=192.168.100.50 dst-port=37777 \
    protocol=tcp src-address=192.168.50.82
add action=accept chain=forward dst-address=192.168.100.51 dst-port=37777 \
    protocol=tcp src-address=192.168.50.123
add action=accept chain=forward dst-address=192.168.100.51 dst-port=37777 \
    protocol=tcp src-address=192.168.50.82
add action=accept chain=forward dst-address=192.168.100.220 in-interface=\
    all-ppp
add action=accept chain=forward dst-address=192.168.100.230 in-interface=\
    all-ppp
add action=accept chain=forward dst-address=192.168.49.2 in-interface=all-ppp
add action=accept chain=forward dst-address=192.168.49.3 dst-port=8443 \
    in-interface=all-ppp protocol=tcp
add action=accept chain=forward dst-address=192.168.49.2 dst-port=22 \
    in-interface=all-ppp protocol=tcp
# Pairs with the dst-nat forwards for tcp/37777 from WAN.
add action=accept chain=forward dst-port=37777 in-interface-list=WAN \
    out-interface-list=VLAN protocol=tcp
# Guest isolation rules match 192.168.150.0/24, but vlan150_guest carries
# 192.168.160.0/24 in the address export, so as written they would not match the
# guest subnet even when enabled. Guest -> other VLAN traffic is still stopped by
# the final drop, since only MGMT has an inter-VLAN accept above (provided
# vlan150_guest is not a member of the MGMT list).
add action=drop chain=forward disabled=yes dst-address=192.168.100.0/24 \
    src-address=192.168.150.0/24
add action=drop chain=forward disabled=yes dst-address=192.168.50.0/24 \
    src-address=192.168.150.0/24
add action=drop chain=forward disabled=yes dst-address=192.168.49.0/24 \
    src-address=192.168.150.0/24
# Office -> security is blocked except for the specific NVR accepts above.
add action=drop chain=forward dst-address=192.168.100.0/24 src-address=\
    192.168.50.0/24
# Default drop for everything not accepted in the forward chain.
add action=drop chain=forward comment=Drop

Any help will be appreciated
Thanks

You have masquerade rules for different source subnets, but none for 192.168.160.0/24 used on vlan150_guest.

Hi,
The exports are with the new vlan200; with this network it is the same. Only the first VLANs have internet.

Well, there’s a masquerade rule for 192.168.200.0/24 used on vlan200, so that wouldn’t be a problem here. But since your export is incomplete, it’s not possible to tell for sure what the problem is. Perhaps there’s no vlan200 in the “VLAN” interface list.

That is the full export

And did you look in the “/interface list member” section? You should. If you have only this:

# Responder's example of an incomplete member list: vlan150_guest and vlan200 are
# not in list=VLAN, so every rule that matches in-interface-list=VLAN ignores them.
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=sfp-sfpplus1 list=WAN
add interface=vlan49-mngmt list=VLAN
add interface=vlan50_office list=VLAN
add interface=vlan100-security list=VLAN
add interface=vlan49-mngmt list=MGMT
add interface=ether3 list=MGMT

Then neither of these:

# Both accepts select by interface list, so they only see traffic from interfaces
# that are actually members of VLAN or MGMT.
/ip firewall filter
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow admin to access internet" in-interface-list=MGMT out-interface-list=WAN

can do much for vlan150_guest or vlan200.

Hi,
I cannot check right now, but if this is the fix, thank you for now. Next work day I will check and give you feedback.

Hi, that was the problem. Thank you