VLAN doesn't have internet access

I created a VLAN to mimic a different location when I am at my office, but that specific VLAN has no internet access: clients get an IP address, but no internet traffic passes. Here is my export:

mar/28/2018 10:03:00 by RouterOS 6.41.3

software id = 5Q8K-34NU

model = CCR1009-8G-1S-1S+

serial number = 606905C0D167

# Interfaces, address pools, DHCP servers and IP addressing, as pasted from the export.
/interface bridge
# bridge1 is defined but disabled.
add disabled=yes fast-forward=no name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment="Barbareta Pass Through"
set [ find default-name=ether3 ] disabled=yes
/interface vlan
# VLAN 10 is tagged on ether4, the same port that carries 192.168.150.1/24 untagged (see /ip address below).
add comment="Barbareta Mimic" interface=ether4 name=Barbareta vlan-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# dhcp_pool1 and dhcp_pool2 overlap; no DHCP server in this export references dhcp_pool1.
add name=dhcp_pool1 ranges=192.168.150.101-192.168.150.199
add name=dhcp_pool2 ranges=192.168.150.101-192.168.150.200
add name=Barbareta1 ranges=192.168.36.2-192.168.36.254
/ip dhcp-server
add address-pool=dhcp_pool2 authoritative=after-2sec-delay disabled=no interface=ether4 lease-time=1d name=dhcp1
# Two servers are bound to the Barbareta VLAN with the same pool; only the second carries disabled=no.
# NOTE(review): the first is presumably a disabled leftover - confirm and remove it.
add address-pool=Barbareta1 interface=Barbareta name=Barbareta
add address-pool=Barbareta1 disabled=no interface=Barbareta name=Barbareta1
/snmp community
# The default community accepts requests from any IPv4 source (0.0.0.0/0).
# NOTE(review): the export does not show whether the SNMP service itself is enabled;
# if it is, restrict addresses= to the monitoring hosts and do not rely on the default community.
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
# ether4 and the Barbareta VLAN are listed as ports of the disabled bridge1 while also
# carrying their own IP addresses and DHCP servers.
# NOTE(review): confirm this is intended before bridge1 is ever enabled.
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether5
add bridge=bridge1 hw=no interface=ether6
add bridge=bridge1 hw=no interface=ether7
add bridge=bridge1 hw=no interface=ether8
add bridge=bridge1 hw=no interface=Barbareta
/interface pptp-server server
# The PPTP server is enabled, and no input-chain filter rule in this export limits who may reach it.
# PPTP is a weak VPN protocol; consider replacing it with a stronger type (e.g. L2TP/IPsec)
# and restricting the allowed source addresses.
set enabled=yes
/ip address
add address=192.168.150.1/24 interface=ether4 network=192.168.150.0
# The public address sits directly on ether1 (WAN).
add address=190.92.22.90/29 interface=ether1 network=190.92.22.88
add address=192.168.38.1/24 disabled=yes interface=Barbareta network=192.168.38.0
# Gateway address for the Barbareta VLAN; matches the gateway handed out by its DHCP network below.
add address=192.168.36.1/24 comment="Barbareta 1" interface=Barbareta network=192.168.36.0
/ip dhcp-server lease
add address=192.168.150.12 always-broadcast=yes comment="dolphin Plex Server" mac-address=B8:97:5A:D2:94:02 server=dhcp1
/ip dhcp-server network
add address=192.168.36.0/24 comment="Barbareta Network" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.36.1
add address=192.168.150.0/24 gateway=192.168.150.1
/ip dns
set servers=8.8.8.8,8.8.4.4
# Filter rules. Every rule below is in the forward chain and drops P2P/BitTorrent traffic.
# There is no input-chain rule, so nothing in this export filters traffic addressed to the
# router itself (management services, the enabled PPTP server).
# The bare "p2p matcher is obsolete ..." and "bridge1 not ready" lines are warnings printed by
# the export (comment lines whose leading '#' was lost in the paste), not commands.
# The rules matching in-interface=bridge1 refer to the disabled bridge, hence "not ready".
# The same set of four rules appears three times.
/ip firewall filter

p2p matcher is obsolete please use layer7 matcher instead

add action=drop chain=forward comment="Todo P2P" p2p=all-p2p

bridge1 not ready

# The next rule is one command that the paste wrapped onto two lines.
add action=drop chain=forward comment="torrent-DHT-Out-Magnet d1:ad2:id20:" content=d1:ad2:id20: dst-port=1025-65535 in-interface=bridge1
packet-size=95-190 protocol=udp

bridge1 not ready

add action=drop chain=forward comment="torrent /announce..." content="info_hash=" dst-port=2710,80 in-interface=bridge1 protocol=tcp
# The comment= value of the next rule contains a line break, so the rule spans two lines.
add action=drop chain=forward comment=".torrent
\nContent-Type...." content="Content-Type: application/x-bittorrent" out-interface=ether1 protocol=tcp src-port=80

p2p matcher is obsolete please use layer7 matcher instead

# Second copy of the same four rules.
add action=drop chain=forward comment="Todo P2P" p2p=all-p2p

bridge1 not ready

add action=drop chain=forward comment="torrent-DHT-Out-Magnet d1:ad2:id20:" content=d1:ad2:id20: dst-port=1025-65535 in-interface=bridge1
packet-size=95-190 protocol=udp

bridge1 not ready

add action=drop chain=forward comment="torrent /announce..." content="info_hash=" dst-port=2710,80 in-interface=bridge1 protocol=tcp
add action=drop chain=forward comment=".torrent
\nContent-Type...." content="Content-Type: application/x-bittorrent" out-interface=ether1 protocol=tcp src-port=80

p2p matcher is obsolete please use layer7 matcher instead

# Third copy of the same four rules.
add action=drop chain=forward comment="Todo P2P" p2p=all-p2p

bridge1 not ready

add action=drop chain=forward comment="torrent-DHT-Out-Magnet d1:ad2:id20:" content=d1:ad2:id20: dst-port=1025-65535 in-interface=bridge1
packet-size=95-190 protocol=udp

bridge1 not ready

add action=drop chain=forward comment="torrent /announce..." content="info_hash=" dst-port=2710,80 in-interface=bridge1 protocol=tcp
add action=drop chain=forward comment=".torrent
\nContent-Type...." content="Content-Type: application/x-bittorrent" out-interface=ether1 protocol=tcp src-port=80
# Source/destination NAT and the default route.
/ip firewall nat
# Source NAT for the 192.168.150.0/24 LAN.
add action=masquerade chain=srcnat src-address=192.168.150.0/24 to-addresses=190.92.22.90
# The only srcnat rule for the Barbareta VLAN subnet is disabled, so traffic from
# 192.168.36.0/24 is not translated by any rule in this export.
add action=masquerade chain=srcnat disabled=yes src-address=192.168.36.0/24
# NOTE(review): these four src-nat rules for 192.168.150.117 sit below the masquerade rule for
# the whole 192.168.150.0/24 subnet, which matches the same source first - they look shadowed;
# confirm with the rule counters.
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.150.117 src-port=34567 to-addresses=190.92.22.90 to-ports=34567
add action=src-nat chain=srcnat protocol=tcp src-address=192.168.150.117 src-port=80 to-addresses=190.92.22.90 to-ports=80
add action=src-nat chain=srcnat protocol=udp src-address=192.168.150.117 src-port=34567 to-addresses=190.92.22.90 to-ports=34567
add action=src-nat chain=srcnat protocol=udp src-address=192.168.150.117 src-port=80 to-addresses=190.92.22.90 to-ports=80
# Port forwards from the public address to 192.168.150.117 (TCP/UDP 34567 and 80) and to
# 192.168.150.3 (UDP 5060-5080, UDP 10000-15000, TCP 8089). None of them restricts the source
# address, and no forward-chain filter rule in this export limits them, so these services are
# reachable from any host on the internet. Limit them to known peers where possible.
add action=dst-nat chain=dstnat dst-address=190.92.22.90 dst-port=34567 protocol=tcp to-addresses=192.168.150.117 to-ports=34567
add action=dst-nat chain=dstnat dst-address=190.92.22.90 dst-port=34567 protocol=udp to-addresses=192.168.150.117 to-ports=34567
add action=dst-nat chain=dstnat dst-address=190.92.22.90 dst-port=80 protocol=tcp to-addresses=192.168.150.117 to-ports=80
add action=dst-nat chain=dstnat dst-address=190.92.22.90 dst-port=80 protocol=udp to-addresses=192.168.150.117 to-ports=80
add action=dst-nat chain=dstnat dst-address=190.92.22.90 dst-port=5060-5080 protocol=udp to-addresses=192.168.150.3 to-ports=5060-5080
add action=dst-nat chain=dstnat dst-address=190.92.22.90 dst-port=10000-15000 protocol=udp to-addresses=192.168.150.3 to-ports=10000-15000
add action=dst-nat chain=dstnat dst-address=190.92.22.90 dst-port=8089 protocol=tcp to-addresses=192.168.150.3 to-ports=8089
/ip route
# Default route via the upstream gateway in the WAN /29.
add distance=1 gateway=190.92.22.89
# Display, PPP user and system settings.
/lcd
set color-scheme=dark
/ppp secret
# The export prints the PPP user's password in clear text. Once an export has been posted
# publicly, the credential should be treated as compromised and changed. Use
# "/export hide-sensitive" when sharing a configuration.
# NOTE(review): no service= is given, so the secret presumably applies to any PPP service,
# including the enabled PPTP server - confirm and restrict it.
add local-address=192.168.150.89 name=BarbaretaVPN password=macaw2017 remote-address=192.168.150.75
/system clock
set time-zone-name=America/Tegucigalpa
/system identity
set name=MitchMain
/system leds
set 0 interface=sfp-sfpplus1
set 1 interface=sfp-sfpplus1
set 2 interface=sfp1
/system logging
set 3 action=disk

I can see that the masquerade rule in `/ip firewall nat` for `src-address` matching the Barbareta subnet (192.168.36.0/24) is disabled, and there is no other rule providing src-nat for source addresses from that subnet. The packets therefore leave to the internet with their source address unchanged, and devices on the internet send their responses to these private addresses rather than to the public IP of your CCR (190.92.22.90), so the responses never reach the CCR.

So if I enable that masquerade the vlan should have internet access?

Yes, I haven’t found anything else preventing devices in that VLAN from accessing the internet.

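I don’t like your firewall rules, or rather their absence: they restrict your users but do not restrict access to your Mikrotik’s management from anywhere. I suppose there is another firewall between this device and the internet, but since ether1 carries the public address 190.92.22.90 directly and the export contains no input-chain rules while the PPTP server is enabled, that assumption is worth verifying.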