VLAN-Internet Access from WAN

Hello everyone!

I have a fundamental problem… I created two VLAN ports (vlan 17 and vlan 89) and I have a separate DHCP server set up for each VLAN. For vlan17 the network address is 10.0.17.0/24, and for vlan89 it is 10.0.89.0/24. Both have a range of 100-150 and both VLANs are located on port number 1 of the MikroTik RouterBOARD 750GL router. The WAN port, in turn, is on port number 5 and has network addresses in 10.109.3.0/24. I have a question… How do I make it so that these VLANs are somehow connected to the WAN port and have access to the network through that port? I set NAT rules for these addresses and used the "masquerade" form, but unfortunately it didn't help much. Could any of you help me, or help me develop a configuration file for this?

After a VLAN is "terminated" on a router (by assigning the router an IP address on the appropriate VLAN interface), packets no longer have any VLAN association. It's up to routing and firewall rules to properly pass packets in any direction (including proper SRC NAT and DST NAT if needed).
The default setup (the firewall section in particular) relies heavily on interface list membership (LAN and WAN). These two lists are nothing magical; membership has to be maintained manually. If you didn't do it, then this may be the cause of your problems (but it might not be the only one).

It's impossible to say what your setup might be missing based on your description; we'd need to see the config. Open a terminal window, execute /export file=anynameyouwish (add hide-sensitive if your device is running ROS v6), fetch the resulting file to your PC, open it with a text editor, and redact any remaining sensitive data (serial number, any public IP addresses - 10.x.y.z are not, wifi passwords, …). Please keep the comment section at the top of the file; it includes the exact model name of the device you're using (it may be important). Then copy-paste the config inside a [code] [/code] environment (via the button in the button bar of the forum post editor).

So that’s my configuration:

# feb/01/2024 11:09:36 by RouterOS 6.39.2
#
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
/ip neighbor discovery
set ether1 discover=no
/interface vlan
add interface=ether1 name=vlan17 vlan-id=17
add interface=ether1 name=vlan89 vlan-id=89
/interface ethernet
set [ find default-name=ether5 ] master-port=ether2-master name=WAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=10.0.17.100-10.0.17.150
add name=dhcp_pool2 ranges=10.0.89.100-10.0.89.150
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether2-master name=\
    defconf
add address-pool=dhcp_pool1 disabled=no interface=vlan17 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlan89 name=dhcp2
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=\
    192.168.88.0
add address=10.109.3.80/24 interface=WAN network=10.109.3.0
add address=10.0.17.1/24 interface=vlan17 network=10.0.17.0
add address=10.0.89.1/24 interface=vlan89 network=10.0.89.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=10.0.17.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.17.1
add address=10.0.89.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.89.1
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=accept chain=forward dst-address-list=vlan89 src-address-list=\
    vlan17
add action=accept chain=forward dst-address-list=vlan17 src-address-list=\
    vlan89
add action=accept chain=forward dst-address-list=10.0.89.0/24 src-address=\
    10.0.17.0/24
add action=accept chain=forward dst-address-list=10.0.17.0/24 src-address=\
    10.0.89.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1
add action=masquerade chain=srcnat out-interface=vlan17 src-address=\
    10.0.17.0/24
add action=masquerade chain=srcnat out-interface=vlan89 src-address=\
    10.0.89.0/24
add action=dst-nat chain=dstnat dst-address=10.109.3.0/24 dst-port=80 \
    protocol=tcp to-addresses=10.109.3.83 to-ports=80
add action=masquerade chain=srcnat out-interface=vlan17
add action=masquerade chain=srcnat out-interface=vlan89
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add distance=1 gateway=10.109.3.254
add distance=1 gateway=10.109.3.254
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master

Your firmware is out of date; I suggest 6.49.10 long-term as the better firmware (safe and stable) for v6: https://mikrotik.com/download/archive#show02132aaa0fd6c93975be12c3ea119165a9270d93_0100

Ensure you choose the correct one for your model (MIPSBE).

The other alternative is a two-step process, to 7.12 and then to 7.13.3, if you want to use version 7 firmware.
One of the main advantages of version 7 is the ability to use WireGuard VPN natively. If that's not a concern, then there is nothing wrong with 6.49.10.

https://mikrotik.com/download
7.12.2 - https://mikrotik.com/download/archive#show44d6a93909892b6b0fc6c09a6bc927ef5e8cbde5_0100

For Vlans on the router read through: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

You didn't include info about the particular device model.

Anyway, as @Mesquite noted, the ROS you're running is awfully old. So it's really essential to get up to 6.49.10. The config is based on ancient defaults, so it's actually sub-optimal in the area I mentioned previously (routing, firewalling). The best would be to install a recent ROS version and reconfigure the device from scratch, based on modern defaults, and only perform the minor adjustments necessary for multiple VLANs.

Currently you're using ether1 as the WAN interface … and you're adding two VLANs on that port. The question is how these VLANs should be treated (from a security point of view). They are transported over the interface which connects to upstream (and which should probably not be trusted), so what about the VLANs?

Your NAT config doesn't make much sense to me. It might be OK, but one would have to know the context much better.
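A minimal RouterOS script, added here as an example and not part of any post in this thread, that applies the points raised in the two replies above: terminate the VLANs on the router, maintain LAN/WAN interface-list membership by hand, let the firewall and a single SRC NAT rule do the rest. It assumes RouterOS 6.49.x long-term (the version recommended above), reuses the interface names and subnets from the posted config, and makes the trust decision the last reply leaves open by placing the tagged VLANs in the LAN list while untagged ether1 stays in WAN. The list names LAN and WAN are the ones the default config uses; if the VLANs should not be trusted, put them in a list of their own and write separate rules for it.

```routeros
# Added example, not the poster's exported config. Assumes RouterOS 6.49.x,
# ether1 = untagged upstream (WAN), vlan17/vlan89 tagged on the same port.
/interface vlan
add interface=ether1 name=vlan17 vlan-id=17
add interface=ether1 name=vlan89 vlan-id=89

# Interface lists are only as good as their membership; nothing fills them for you.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=vlan17 list=LAN
add interface=vlan89 list=LAN

# Terminate the VLANs: from here on packets are routed, not switched by VID.
/ip address
add address=10.0.17.1/24 interface=vlan17 network=10.0.17.0
add address=10.0.89.1/24 interface=vlan89 network=10.0.89.0

# Firewall keyed on list membership, so adding a third VLAN later is one member line.
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept protocol=icmp
add chain=input action=drop in-interface-list=!LAN comment="drop everything not from LAN"
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new in-interface-list=WAN \
    connection-nat-state=!dstnat comment="drop new from WAN not DST-NATed"

# One SRC NAT rule for every LAN-side subnet; per-VLAN masquerade on the VLAN
# interfaces themselves (as in the posted config) does not NAT toward upstream.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# Checks: membership, then a live connection from a VLAN host should show
# reply-dst-address rewritten to the ether1 address.
/interface list member print
/ip firewall connection print where src-address~"^10\\.0\\.(17|89)\\."
```

Note that a tagged frame arriving on ether1 with VID 17 is seen by the firewall as in-interface=vlan17, not ether1, so the posted "drop all from WAN" rules matching in-interface=ether1 never apply to the VLAN traffic; that is why list membership, rather than the physical port name, has to carry the trust decision here.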