Understanding/configuration problem switching/routing/NAT

Hi,

I’m new to MikroTik and have a problem with NAT / routing.

My configuration is:

/interface bridge
add name=bridge fast-forward=no

/interface vlan
add interface=bridge vlan-id=12 name=VLAN2
add interface=bridge vlan-id=14 name=VLAN4

/interface bridge port
add bridge=bridge interface=ether1 pvid=12 hw=yes frame-types=admit-all
add bridge=bridge interface=ether2 pvid=12 hw=yes frame-types=admit-all
add bridge=bridge interface=ether3 pvid=12 hw=yes frame-types=admit-all

add bridge=bridge interface=ether11 pvid=14 hw=yes frame-types=admit-all
add bridge=bridge interface=ether12 pvid=14 hw=yes frame-types=admit-all
add bridge=bridge interface=ether24 pvid=14 hw=yes frame-types=admit-all

/ip address
add address=192.168.12.240/24 interface=VLAN2
add address=192.168.14.240/24 interface=VLAN4

/interface bridge vlan
add bridge=bridge vlan-ids=12 tagged="bridge,ether1,ether2" untagged="ether3"
add bridge=bridge vlan-ids=14 tagged="bridge,ether12" untagged="ether11,ether24"

/interface bridge 
set bridge vlan-filtering=yes protocol-mode=mstp

The input on port 11 is UDP broadcast messages from a component with the IP 192.168.14.41.
At the moment I see these broadcast messages and everything else from this subnet on port 24.

Now I want to have port 24 only as an output port, to see only the broadcast messages.
And I want these broadcast messages to have the src IP 192.168.19.41.

If I add only

/ip firewall nat
add chain=srcnat src-address=192.168.14.41 action=src-nat to-addresses=192.168.19.41

it is not working.


I tried

/ip firewall mangle
add chain=prerouting action=mark-packet new-packet-mark=output_packages protocol=udp src-address=192.168.14.41 dst-address=255.255.255.255

and

/ip firewall nat
add chain=input packet-mark=output_packages action=src-nat to-addresses=192.168.19.41

and

/ip firewall filter
add chain=forward action=accept packet-mark=output_packages out-interface=ether24

but nothing works.


I also tried:


/interface bridge
add name=bridge fast-forward=no

/interface vlan
add interface=bridge vlan-id=12 name=VLAN2
add interface=bridge vlan-id=14 name=VLAN4

/interface bridge port
add bridge=bridge interface=ether1 pvid=12 hw=yes frame-types=admit-all
add bridge=bridge interface=ether2 pvid=12 hw=yes frame-types=admit-all
add bridge=bridge interface=ether3 pvid=12 hw=yes frame-types=admit-all

add bridge=bridge interface=ether11 pvid=14 hw=yes frame-types=admit-all
add bridge=bridge interface=ether12 pvid=14 hw=yes frame-types=admit-all

/ip address
add address=192.168.12.240/24 interface=VLAN2
add address=192.168.14.240/24 interface=VLAN4
add address=192.168.19.240/24 interface=ether24

/interface bridge vlan
add bridge=bridge vlan-ids=12 tagged="bridge,ether1,ether2" untagged="ether3"
add bridge=bridge vlan-ids=14 tagged="bridge,ether12" untagged="ether11"

/interface bridge 
set bridge vlan-filtering=yes protocol-mode=mstp

/interface list
add name=Output

/interface list member
add interface=ether24 list=Output

/ip firewall filter
add action=accept chain=forward connection-state=established,related

/ip firewall nat
add chain=srcnat src-address=192.168.14.41 action=src-nat to-addresses=192.168.19.41

/ip route
add dst-address=192.168.14.0/24 gateway=192.168.19.240 routing-table=main

But with this configuration, I don’t even see the original broadcasts.


Can you explain to me what I am doing wrong and how I can output all incoming broadcast UDP packets from the IP 192.168.14.41 to port ether24 and change the source IP to 192.168.19.41?

Thank you very much.

May I inquire what the component is that is sending broadcast messages and why the broadcast messages should be limited only to a specific Ethernet port and, by that, src-natted?

A measurement unit (IP 192.168.14.41) is connected to port 11 and sends its measurement data via broadcast.
These data are also required on port 12.
Everything is okay so far.

On port 24, however, the data must be output under the IP 192.168.19.41, as the components unfortunately need this for further processing.

Yes, according to the documentation, I thought it worked with add chain=srcnat src-address=192.168.14.41 action=src-nat to-addresses=192.168.19.41.
But unfortunately that is not the case.
Apparently, the src-nat rule simply doesn’t run.

Or is there another solution instead of src-nat?

I have now also set hw=no under /interface bridge port, but unfortunately it was not successful either.

On port 24, I either see the broadcast from the IP 192.168.14.41 or not at all.
But unfortunately not with the required IP 192.168.19.14.

I would be very grateful for your help.

The NAT rule won’t work because “Use IP Firewall for Bridge” should be enabled:

/interface bridge settings
use-ip-firewall=yes
use-ip-firewall-for-vlan=yes

After that, the src-nat rule should work:

/ip firewall nat
add action=src-nat chain=srcnat protocol=udp to-addresses=192.168.19.41 src-address=192.168.14.41 out-interface=ether24 dst-address-type=broadcast

Hi, thanks so much for your help.

“Use IP Firewall for Bridge” should be enabled – that was a very good tip.
I actually hadn’t chosen that.

For the NAT rule, I specified the bridge as out-interface because a slave port cannot be used.

I created a very simple configuration for testing.
A test_bridge with the input port ether3 and the output port ether24.
The bridge has the IP 192.168.19.240.

My NAT rule is therefore

add action=src-nat chain=srcnat protocol=udp to-addresses=192.168.19.41 src-address=192.168.14.41 out-interface=test_bridge dst-address-type=broadcast

At first glance, everything seems okay with this setup.

When I activate the log in the NAT rule, I get the following log output:

srcnat: (unknown 0) (ether3) out:test_bridge (ether24), connection-state:new src-mac 00:35:ff:6c:12:30, proto UDP, 192.168.14.41:3000->255.255.255.255:3000, len 100

In my opinion, this means that the messages are correctly recognized.

However, when I look at the output on port 24 in Wireshark, the source address is still 192.168.14.41. The 192.168.19.41 does not exist at all.

I’m still desperate with this Mikrotik configuration. I didn’t think it would be so difficult. I hope you have another tip for me as to what I’m doing wrong.
I’m on vacation for four days now. I would be very happy to receive further tips.

Thank you so much for your support.

I forgot about a selector called “out-bridge-port”. That could do the trick.

Hi,

Unfortunately, out-bridge-port did not bring any change either.

I’ve now tried several options.
Starting with out-bridge-port=ether24.
I’ve even tried adding a packet-mark under bridge → NAT (which works), and then using this mark to change the IP.

The log always looks relatively identical:

srcnat: (unknown 0) (ether3) out:test_bridge (ether24), packet-mark:test connection-state:new src-mac 00:35:ff:6c:12:30, proto UDP, 192.168.14.41:49154->255.255.255.255:3003, len 110

But with Wireshark on port 24 I unfortunately only see the original IP.

Unfortunately, I have no idea anymore what else I could try.

Attached are images with torch of the two ports and the bridge.

I hope you find out what I’m doing wrong.

Thank you very much for your help.

[Attachments: ether3b.JPG, bridgeb.JPG, ether24b.JPG]

Now that I think of it, the problem may be that ether24 is in the same broadcast group as the VLAN, yet it has a different IP from the rest of the subnet, of which the router couldn’t know, hence no src-nat. That’s why you should remove the port out of the bridge, assign it the 192.168.19.41 address and then the src-nat should start working as intended

I think I have a fundamental problem.
Since it didn’t work even after I removed the port from the bridge, I set up a very simple setup with a new switch (CRS326-24G-2S+IN).

PC with the IP 192.168.19.99 connected to port 3
A Netgear Switch (with a web page for configuration) with the IP 192.168.14.239 connected to port 2


Configuration of the MikroTik:


/interface/ethernet/switch
set switch1 l3-hw-offloading=yes
# https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOffloading-L3HWFeatureSupport

/interface bridge
add name=bridge1

/interface bridge port
add bridge=bridge1 interface=ether2

/interface/bridge/settings/ 
set use-ip-firewall=yes

/interface/ethernet/switch/port/ 
set ether3 l3-hw-offloading=no

/ip address
add address=192.168.14.250/24 interface=ether2
add address=192.168.19.250/24 interface=ether3

/ip route
add dst-address=192.168.19.0/24 gateway=192.168.14.250
add dst-address=192.168.14.0/24 gateway=192.168.19.250

/ip firewall filter
add chain=forward src-address=192.168.14.0/24 dst-address=192.168.19.0/24 action=accept
add chain=forward src-address=192.168.19.0/24 dst-address=192.168.14.0/24 action=accept

But now it is not possible from the PC with the IP 192.168.19.99 connected to port 3 to access the Netgear switch with the IP 192.168.14.239 connected to port 2.
And it is not possible to connect from the PC to the MikroTik switch via the IP 192.168.19.250. (Only from port 2 is it possible.)

I think I forgot something so that ether3 (without a bridge connection) can work.

Maybe everything is based on the same problem…?

I could despair.
I didn’t expect the MikroTik configuration to be so complicated.

In this case neither firewall rules and routes nor use-ip-firewall=yes is needed, because a blank firewall allows everything by default, dynamic routes are added when you add an address to an interface, and the traffic is not between two bridged ports.
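To make the two points from the answers above concrete (frames between two ports of the same bridge only reach /ip firewall when use-ip-firewall=yes, while routed traffic through a non-bridged port always does), here is a small Python model added for this thread; it is not RouterOS code or anything posted here, and the Packet/NatRule/Router names and the layer-2 bypass rule are simplifying assumptions of mine.

```python
from dataclasses import dataclass, field

# Simplified model (not RouterOS code): frames switched between two ports of one bridge
# enter /ip firewall only when use-ip-firewall=yes; routed traffic always traverses it.
@dataclass
class Packet:
    in_port: str
    out_port: str
    proto: str
    src: str
    dst: str

@dataclass
class NatRule:
    src_address: str
    to_address: str
    out_interface: str
    protocol: str = "udp"
    dst_address_type: str = "broadcast"  # only 'broadcast' is modelled
    chain: str = "srcnat"

@dataclass
class Router:
    bridge_ports: set = field(default_factory=set)
    bridge_name: str = "bridge"
    use_ip_firewall: bool = False
    nat: list = field(default_factory=list)

    def traverses_ip_firewall(self, pkt):
        bridged = pkt.in_port in self.bridge_ports and pkt.out_port in self.bridge_ports
        return self.use_ip_firewall if bridged else True

    def egress_interface(self, pkt):
        # Seen from the IP firewall a bridged packet leaves via the bridge interface,
        # which is why the thread's log line reads "out:test_bridge (ether24)".
        return self.bridge_name if pkt.out_port in self.bridge_ports else pkt.out_port

    def apply_srcnat(self, pkt):
        # Return the source address the packet carries after the srcnat chain.
        if not self.traverses_ip_firewall(pkt):
            return pkt.src  # switched at layer 2: the srcnat chain is never consulted
        egress = self.egress_interface(pkt)
        for r in self.nat:
            if (r.chain == "srcnat" and r.protocol == pkt.proto
                    and r.src_address == pkt.src and r.out_interface == egress
                    and (r.dst_address_type != "broadcast" or pkt.dst == "255.255.255.255")):
                return r.to_address
        return pkt.src
```

The model only decides whether the srcnat chain is consulted and which rule matches; it says nothing about what finally appears on the wire, which the thread leaves unresolved.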

I don’t understand your setup.
You first add an interface to a bridge (with only one port?) and then you add an IP address to the interface (and not to the bridge).

Try removing the IP address from the ether2 and add it to the bridge:

/ip address
add address=192.168.14.250/24 interface=bridge1

Then check your routes with:

/ip route print