Router with VLANs and NAT - Please help, where I messed...

Guys,
I'm not an old hand with MikroTik; I have used it many times, but mostly for standard NAT with a single subnet only. This time I am doing things a bit differently, and I'm truly stuck. Let me explain the scenario first.

  1. We will have 4 individual VLANs: OfficeLAN, IPT, CCTV, Management. The names are self-explanatory. The Management VLAN is for network equipment like the switch, router, WiFi controller, even the APs. All these VLANs are published on a switch as L2.
  2. We need to provide Internet to OfficeLAN, and we also need to provide Internet to CCTV and IPT.
  3. We need inter-VLAN routing.
  4. The router will have one MANAGEMENT port (which will be an untagged member of the management VLAN; I mean it is connected to the switch's management VLAN port. I know I can directly hook up WinBox, but please, I don't want a debate about that here).
  5. The router will have a WAN port as a standard port connected to the ISP, but there will be a LAN port which will TRUNK all VLANs (if not separated for some other reason) to the switch.
  6. I wish to make an inbound NAT (dst-nat) for the IPT server and the WLC (residing in two different subnets, aka VLANs).
  7. My IPT is on an untagged VLAN at the switch. My WLC is on a both tagged and untagged VLAN on the switch (I mean port). This is because APs initially register using the management port untagged, but then they use the tagged port for regular operation.
  8. In future there may be a DMZ kind of thing on a different physical port.

This whole setup is working perfectly in another setup of mine using a full Cisco L3 switch and Cisco routers. But as I'm shifting to MikroTik, here I messed a few things up.

I did it in a fancy way initially and that kind of worked. But I can't do DST-NAT, and I don't know if NAT is "at all working". My config is given below:

# mar/19/2022 02:21:48 by RouterOS 6.49.5
# model = RB2011UiAS
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=LAN1
set [ find default-name=ether6 ] comment=WAN1
set [ find default-name=ether9 ] comment=management
/interface vlan
add interface=bridge1 name=CCTV_VLAN vlan-id=17
add interface=bridge1 name=IPT_VLAN vlan-id=12
add interface=bridge1 name=Office_VLAN vlan-id=14
add interface=bridge1 name=mgmt_VLAN vlan-id=5
/interface list
add name=VLANS
/ip pool
add name=dhpc_pool_OfficeLAN ranges=192.168.0.51-192.168.0.200
/ip dhcp-server
add address-pool=dhpc_pool_OfficeLAN disabled=no interface=Office_VLAN name=server1
/interface bridge port
add bridge=bridge1 interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether9 vlan-ids=5
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=12
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=14
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=17
/interface list member
add interface=mgmt_VLAN list=VLANS
add interface=IPT_VLAN list=VLANS
add interface=Office_VLAN list=VLANS
add interface=CCTV_VLAN list=VLANS
/ip address
add address=172.16.20.253/25 comment="ISP WAN IP" interface=ether6 network=172.16.20.128
add address=192.168.1.1/24 interface=mgmt_VLAN network=192.168.1.0
add address=192.168.0.1/24 interface=Office_VLAN network=192.168.0.0
add address=192.168.2.1/24 interface=IPT_VLAN network=192.168.2.0
add address=192.168.3.1/24 interface=CCTV_VLAN network=192.168.3.0
add address=172.16.20.252/25 comment="test WAN IP for IPT" interface=ether6 network=172.16.20.128
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8 gateway=192.168.0.1 netmask=24
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether6 src-address=192.168.0.0/24
add action=masquerade chain=srcnat out-interface=ether6 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether6 src-address=192.168.2.0/24
add action=masquerade chain=srcnat out-interface=ether6 src-address=192.168.3.0/24
add action=dst-nat chain=dstnat dst-address=172.16.20.252 to-addresses=192.168.2.10
add action=src-nat chain=srcnat src-address=192.168.2.10 to-addresses=172.16.20.252
/ip route
add distance=1 gateway=172.16.20.129
/system clock
set time-zone-name=Asia/Dhaka

Note: I followed the MikroTik wiki and another post. Links given…
https://help.mikrotik.com/docs/display/ROS/NAT#NAT-DestinationNAT
http://forum.mikrotik.com/t/struggling-with-bridge-vlan-configuration/154446/1

I also have another question… Do I really have to make this bridge? I need to make the subnets, assign them to physical ports and surely to some VLANs too… I'm confused…

I suggest you study this very good tutorial about proper configuration of VLANs on MikroTik.
I'm not sure what exactly doesn't work for you…

Indeed, it looks like a great one.

Well, I have set it up without ANY bridge and still I was able to make it work. The issue was somewhere different. But that still needs more checking. [Since initially it worked without a bridge, I really don't know why we need that bridge there :-p ]

If it's working for you then there is no need for further assistance.
However, your MT has no firewall rules and no WAN or LAN interface list, so either the config is incomplete and not really safe,
or this is really acting as a switch behind another router.

I want to do this configuration.
I have two sites,
router A & router B,
with an email server on the router B site.

I have connected sites A & B with a PPTP VPN.

I'm on the router A side. I want to be able to access the email server from anywhere using the public IP (the request goes to router A and it will send it over the PPTP VPN); the server is locally connected to router B.

How does the public IP arrive at router B?

Thank you!

Well, if you ask me, then technically it's kind of complete here for me now. Except that I don't know why that bridge was needed. I deleted the bridge and found that it's still working.
However, I think if I wanted to have a management port for the same router's management IP (say 192.168.1.1) which is to be available both on a physical port (untagged port) and also accessible via the trunk port, then I would need that bridge, because otherwise, as I found, an ether port will do nothing at all (other than WinBox's MAC-address-based login). Anyway, so far so good for me. That was an issue from the IPT.

The VLANs are actually on a switch and the router is ONLY for inter-VLAN routing and NAT purposes (apart from firewalling).

Yes! I haven't set up ANY firewall and surely it's TOTALLY insecure now. But that's a different story…

Then your priorities are all wrong. First get the firewall set up if connected to the internet, then change the basic config to your requirements.
I will let others assist; I personally don't assist insecure setups.
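For reference, this is an added example of what the reply above is asking for, not the poster's export and not from the MikroTik docs: WAN/LAN interface lists and a minimal default-deny filter, written against the interface and VLAN names in the config posted earlier in the thread. The SIP port on the dst-nat rule is an assumption; the thread never says which ports the IPT server needs.

```routeros
# Added example, not part of the original export. Interface names (ether6,
# mgmt_VLAN, Office_VLAN, IPT_VLAN, CCTV_VLAN) are taken from the posted config.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether6 list=WAN
add interface=mgmt_VLAN list=LAN
add interface=Office_VLAN list=LAN
add interface=IPT_VLAN list=LAN
add interface=CCTV_VLAN list=LAN
/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface=mgmt_VLAN comment="router management only from the mgmt VLAN"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=67 comment="DHCP from LAN clients"
add chain=input action=drop comment="everything else to the router is dropped, WAN included"
# forward chain: traffic routed through the router
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="VLANs to Internet"
add chain=forward action=accept in-interface-list=LAN out-interface-list=LAN comment="inter-VLAN routing"
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN comment="only port-forwarded traffic from WAN"
add chain=forward action=drop comment="default deny"
/ip firewall nat
# the 1:1 src-nat for the IPT server must come before the masquerade rule
add chain=srcnat action=src-nat src-address=192.168.2.10 out-interface-list=WAN to-addresses=172.16.20.252
# one masquerade rule on the WAN list replaces the four per-subnet rules
add chain=srcnat action=masquerade out-interface-list=WAN
# dst-nat limited to a protocol/port instead of forwarding everything;
# 5060/udp (SIP) is an ASSUMED example port, replace it with what the IPT server uses
add chain=dstnat action=dst-nat in-interface-list=WAN dst-address=172.16.20.252 protocol=udp dst-port=5060 to-addresses=192.168.2.10
```

With the input chain closed like this, WinBox only works from the mgmt VLAN (or via MAC login on a directly connected port), which matches the management-port design in the first post.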

anav

I need some help from you.
I want to do this configuration.
I have two sites,
router A & router B,
with an email server on the router B site.

I have connected sites A & B with a PPTP VPN.

I'm on the router A side. I want to be able to access the email server from anywhere using the public IP (the request goes to router A and it will send it over the PPTP VPN); the server is locally connected to router B.

How does the public IP arrive at router B?

Thank you!

Start your own thread; this is someone else's thread.
When you do, add a network diagram, which routers, ISP connections per router (do they give public or private IPs, etc.).
What have you configured so far?