Vlan https issue

I have several vlans under a bridge in a trunk/access setup and working well, except that anything connected on a vlan cannot connect to our local Exchange server on the main lan or email in Outlook set up as SSL. I have internet, can ping each vlan and navigate to shared folders. Any help is appreciated. Attached is my config.
ROS1.rsc (40.1 KB)

If the server is on the same vlan then the users just need the VLANIP to gain access.
If the server is not on the same vlan, chances are there is no layer2 access.
If the server is on a different lan and depending upon firewall rules, there may not be layer3 access.

Is there a forward filter rule like VLANX has access to Server on VLANY?

Another case may be you want users to USE The public IP of the router to access the SERVER.
In that case you will hairpin NAT.

The server is on a different lan. I can successfully ping the server ip address, both private and public from the vlan.
I tried a forward filter rule, but it seems redundant since the vlans are bridged.
I tried a nat rule in-interface=allvlan dst-nat to internal server address port 25 and hairpin nat and neither would allow the connection.
If I add a rule for the vlans with the OWA port 443, it breaks the main lan internet.

You have “arp=proxy-arp” set on bridge … any good reason for that? Generally this shouldn’t be necessary …

Your firewall setup is quite complex … and at least in part seemingly wrong (e.g. add action=accept chain=forward comment=“Allow client LAN traffic out to WAN” connection-nat-state=dstnat out-interface=all-vlan src-address-list=Safe … either the comment is misleading or most of the rule is wrong).

I don’t think you’ll get a definite answer about your problem. Probably your firewall (including mangling etc.) is overly complex. You might actually redesign the firewall and make it way simpler (while it would still perform according to your needs). If you decide to do it, don’t take the existing firewall as a baseline, only take the high-level requirements and implement them in a simple manner.

As for arp=proxy-arp: at one time I had a satellite location using dial-in and never changed that.
I’ve tried disabling everything from the entry you mention down in the filter and still no joy. The mangle entries are dynamic.

Sounds like you have an MTU problem on your network.

I thought about that and went down that path. I tried this with high hopes: https://stevedischer.com/pmtu-and-mss-discovery-issues-resolved-with-mikrotik/
but it did not solve my problem either.

Can you post an export hide-sensitive from the CLI directly in a code block?

MTU issues should come to light by forcing pings with the DF bit set at various sizes. The posts under my name should have some more details on how to do that.

Thanks for the recommendation idlemind, I will dive into that.
I actually got my issue solved this afternoon. The answer was to add a filter rule to forward “new” connections from the vlan (source) address.
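For readers landing on this thread later, here is a minimal forward chain that implements the fix described in the post above. It is an added illustration, not the poster's exported config: the subnets, the Exchange host address and the interface list name "all-vlan" are placeholders you would replace with your own.

```routeros
# Added illustration (not the original poster's config): a minimal, stateful
# forward chain that lets a VLAN open NEW connections to the mail server on the
# main LAN and nothing else. All addresses and the list name are placeholders.
/ip firewall filter
# 1. Return traffic for flows already accepted, in either direction
add chain=forward action=accept connection-state=established,related \
    comment="forward: allow established/related"
# 2. Packets that belong to no known connection are dropped early
add chain=forward action=drop connection-state=invalid \
    comment="forward: drop invalid"
# 3. The rule the thread ended up needing: NEW sessions from the VLAN subnet
#    (source) to the Exchange host on the main LAN, SMTP and OWA/HTTPS only.
#    This must sit ABOVE any catch-all drop, otherwise it never matches.
add chain=forward action=accept connection-state=new \
    in-interface-list=all-vlan src-address=192.168.10.0/24 \
    dst-address=192.168.1.10 protocol=tcp dst-port=25,443 \
    comment="forward: VLAN -> Exchange (placeholder addresses)"
# 4. Everything else from the VLANs toward the main LAN is denied by default;
#    internet-bound VLAN traffic is left to the rules that follow this one
add chain=forward action=drop in-interface-list=all-vlan \
    dst-address=192.168.1.0/24 \
    comment="forward: block VLAN -> main LAN by default"
```

After adding it, `/ip firewall filter print stats` should show the packet counter on rule 3 climbing while a VLAN client opens Outlook or OWA; if it stays at zero, an earlier rule is catching the traffic first.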

Good, yup, firewall rules can be brutal.