Using VLAN , works, but need help with tuning

ariux · August 17, 2022, 12:22pm

Hello, here is my diagram with VLAN :

Diagram.png

Here is my working config for main router and switch+AP attached

mainrouter.rsc
Everything works as I showed in diagram :
I have working VLAN 10 (PVID=10) main computers.
I have working VLAN 20 (PVID=20) cameras
I have working VLAN 30 (PVID=30) guest
Every VLAN have the right IP coming from main router.

But I have very stupid problem :
I can not access my switch AP normally by winbox: by typing IP address 192.168.44.2 and login name and password. This is my main problem at the moment. After typing it, winbox thinks 3- 5 seconds and put message “could not connect to 192.168.44.2 reason connection time out”

I can connect to the main router by winbox and then I can go to IP / Neigbours / then I see my switch AP and then I tap on it . Then table pops up there is Telnet. So using telnet by typing loging name and my password I can connect to my swich AP. This is the only way how I connect to switch AP .

Please help me to understand what is wrong in my config or firewall rules , that by using winbox I can not connect to my switch AP? Thanks

k6ccc · August 17, 2022, 4:13pm

Your firewall rules in the 4011 router do not allow access to the 192.168.44.0 LAN from any other LAN. Since the last rule in the forward chain is a drop all (as it should be), you need to specify who or what is allowed to access the 192.168.44.0 LAN (your “Base” VLAN) in an earlier forward rule.

BTW, strongly suggest that you re-order your firewall rules so that all of each chains rules are together. For example, all the input chain rules, then all the forward rules, then continue the concept for any other chains if you have them. This makes no difference to the router, but makes it FAR easier for us human beings to read.

anav · August 17, 2022, 5:09pm

The HAPAC (ap/switch) config is a thing of beauty.
The only change I would make is set this to NONE, MAC-SERVER by itself is not a secure method.
/tool mac-server
set allowed-interface-list=NONE { not secure }
/tool mac-server mac-winbox
set allowed-interface-list=BASE { secure }

I personally add the untagged to match up with the bridge ports in /interface settings but you have it well under control.

Looking at the RB4011
Same comment regarding mac-server!
Echo same comments about firewall rules .

Cleaned up the order and errors and confused config.

/ip firewall filter
{input chain}
add action=accept chain=input comment="Allow Estab, Related. Untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid 
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface-list=BASE
add action=accept chain=input  in-interface-list=VLAN dst-port=53  protocol=tcp
add action=accept chain=input  in-interface-list=VLAN dst-port=53  protocol=udp
add action=drop chain=input comment="Drop all else"
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"

…
Note: if you want to let access for a subnet of user or groups of users from vlan to another, you will have to add a forward rule before the drop rule.
Note: If you have a shared printer one vlan you can allow access to that via a forward chain rule as well.