VLAN & NAT Configuration

Hi all,

I’ve been beating my head against this for a few days now, and I’m really confused. I’ve read through the documentation and forums, tried Google searching, ChatGPT, etc. I can’t seem to configure this in a way that works.

I have 3 devices:

  • CCR2004-16G-2S+
  • CRS326-24S+2Q+
  • CCR2116-12G-4S+

The goal is to configure the following:

VLAN4 - MGMT 10.10.4.0/24
VLAN5 - 10.10.5.0/24
VLAN10 - 10.10.10.0/24
VLAN11 - 10.10.11.0/24
VLAN12 - 10.10.12.0/24

All IPs are static

CCR2004-16G-2S+

ether1 - VLAN10 - Single Device - 10.10.10.5
ether2 - VLAN10 - 192.168.1.0/24 network bidirectional NAT to 10.10.10.0/24

  • 192.168.1.10 → 10.10.10.10
  • 192.168.1.11 → 10.10.10.11
  • (etc. there are only a couple IPs but perhaps can be 1:1 translation from 192.168.1.10 and up)

ether3 - VLAN11 - Single Device - 10.10.11.5
ether4 - VLAN11 - 192.168.1.0/24 network bidirectional NAT to 10.10.11.0/24

  • 192.168.1.10 → 10.10.11.10
  • 192.168.1.11 → 10.10.11.11
  • (etc. there are only a couple IPs but perhaps can be 1:1 translation from 192.168.1.10 and up)

ether5 - VLAN12 - Single Device - 10.10.12.5
ether6 - VLAN12 - 192.168.1.0/24 network bidirectional NAT to 10.10.12.0/24

  • 192.168.1.10 → 10.10.12.10
  • 192.168.1.11 → 10.10.12.11
  • (etc. there are only a couple IPs but perhaps can be 1:1 translation from 192.168.1.10 and up)

ether15 - VLAN4 - MGMT Port
SFP+1 - Trunkline (Bonded with SFP+2) 802.3ad (Connected to CRS326 SFP+1/SFP+2 bonded)
SFP+2 - Trunkline (Bonded with SFP+1) 802.3ad (Connected to CRS326 SFP+1/SFP+2 bonded)

CRS326-24S+2Q+
ether1 - VLAN4 - MGMT Port
SFP+1 - Trunkline (Bonded with SFP+2) 802.3ad (Connected to CCR2004 SFP+1/SFP+2 bonded)
SFP+2 - Trunkline (Bonded with SFP+1) 802.3ad (Connected to CCR2004 SFP+1/SFP+2 bonded)
SFP+3 - Trunkline (Bonded with SFP+4) 802.3ad (Connected to CCR2116 SFP+1/SFP+2 bonded)
SFP+4 - Trunkline (Bonded with SFP+3) 802.3ad (Connected to CCR2116 SFP+1/SFP+2 bonded)

CCR2116-12G-4S+
ether1 - VLAN5 - Proxmox Hypervisor (Bonded with ether2) 802.3ad 10.10.5.20 (Hypervisor), 10.10.5.21 (VM1), 10.10.5.22 (VM2)
ether2 - VLAN5 - Proxmox Hypervisor (Bonded with ether1) 802.3ad 10.10.5.20 (Hypervisor), 10.10.5.21 (VM1), 10.10.5.22 (VM2)
ether13 - VLAN4 - MGMT Port
SFP+1 - Trunkline (Bonded with SFP+2) 802.3ad (Connected to CRS326 SFP+3/SFP+4 bonded)
SFP+2 - Trunkline (Bonded with SFP+1) 802.3ad (Connected to CRS326 SFP+3/SFP+4 bonded)

  • I need the VLANs to be able to communicate with each other (5, 10, 11, 12).
  • I felt I was really close at one point and then buggered up all the configuration, which is now messy. I’m not super savvy at networking, but what I’m trying to achieve doesn’t seem overly complex.

Here is what I have:

CCR2004-16G-2S+

# model = CCR2004-16G-2S+
# One VLAN-aware bridge; the bridge interface itself (the CPU port) only accepts tagged frames
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes
# L3 VLAN interfaces on top of the bridge
/interface vlan
add interface=bridge name=vlan4 vlan-id=4
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan11 vlan-id=11
add interface=bridge name=vlan12 vlan-id=12
# LACP trunk to the CRS326
/interface bonding
add mode=802.3ad name=bondingSFP1SFP2 slaves=sfp-sfpplus1,sfp-sfpplus2
# Access ports: untagged frames are tagged with the port's pvid inside the bridge
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=12
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=12
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether15 pvid=4
# Trunk port: tagged frames only
add bridge=bridge frame-types=admit-only-vlan-tagged interface=bondingSFP1SFP2
# VLAN table. "bridge" has to be a tagged member of every VLAN whose vlan interface
# carries an /ip address below; without it the address on that VLAN is unreachable.
/interface bridge vlan
add bridge=bridge tagged=bondingSFP1SFP2,bridge vlan-ids=4
add bridge=bridge tagged=bondingSFP1SFP2,bridge vlan-ids=10
add bridge=bridge tagged=bondingSFP1SFP2,bridge vlan-ids=11
add bridge=bridge tagged=bondingSFP1SFP2,bridge vlan-ids=12
# Gateway addresses for VLANs 10-12 live on this device in this version
/ip address
add address=10.10.4.40/24 interface=vlan4 network=10.10.4.0
add address=10.10.10.1/24 interface=vlan10 network=10.10.10.0
add address=10.10.11.1/24 interface=vlan11 network=10.10.11.0
add address=10.10.12.1/24 interface=vlan12 network=10.10.12.0

CRS326-24S+2Q+

# model = CRS326-24S+2Q+
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes
# Management VLAN interface; the /ip address at the end needs it to exist
/interface vlan
add interface=bridge name=vlan4 vlan-id=4
# LACP trunks: SFP+1/2 to the CCR2004, SFP+3/4 to the CCR2116
/interface bonding
add mode=802.3ad name=bondingSFP1SFP2 slaves=sfp-sfpplus1,sfp-sfpplus2
add mode=802.3ad name=bondingSFP3SFP4 slaves=sfp-sfpplus3,sfp-sfpplus4
# Both bonds are tagged-only trunks; ether1 is the untagged management port
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=bondingSFP1SFP2
add bridge=bridge frame-types=admit-only-vlan-tagged interface=bondingSFP3SFP4
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=4
# VLAN table: every VLAN on both trunks; only VLAN 4 reaches the bridge (CPU), for management
/interface bridge vlan
add bridge=bridge tagged=bondingSFP1SFP2,bondingSFP3SFP4,bridge untagged=ether1 vlan-ids=4
add bridge=bridge tagged=bondingSFP1SFP2,bondingSFP3SFP4 vlan-ids=5
add bridge=bridge tagged=bondingSFP1SFP2,bondingSFP3SFP4 vlan-ids=10
add bridge=bridge tagged=bondingSFP1SFP2,bondingSFP3SFP4 vlan-ids=11
add bridge=bridge tagged=bondingSFP1SFP2,bondingSFP3SFP4 vlan-ids=12
/ip address
add address=10.10.4.20/24 interface=vlan4 network=10.10.4.0

CCR2116-12G-4S+

# model = CCR2116-12G-4S+
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes
# vlan10-12 are created but have no address and no entry in the VLAN table, so they are unused here
/interface vlan
add interface=bridge name=vlan4 vlan-id=4
add interface=bridge name=vlan5 vlan-id=5
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan11 vlan-id=11
add interface=bridge name=vlan12 vlan-id=12
# LACP bond to the Proxmox host (ether1+ether2) and LACP trunk to the CRS326 (SFP+1/2)
/interface bonding
add mode=802.3ad name=bondingEther1Ether2 slaves=ether1,ether2 transmit-hash-policy=layer-2-and-3
add mode=802.3ad name=bondingSFP1SFP2 slaves=sfp-sfpplus1,sfp-sfpplus2
# Proxmox bond (VLAN 5) and ether13 (VLAN 4) are untagged access ports; the SFP+ bond is the tagged trunk
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=bondingEther1Ether2 pvid=5
add bridge=bridge frame-types=admit-only-vlan-tagged interface=bondingSFP1SFP2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether13 pvid=4
# VLAN table: bridge is tagged on 4 and 5 because both carry an /ip address below
/interface bridge vlan
add bridge=bridge tagged=bondingSFP1SFP2,bridge untagged=ether13 vlan-ids=4
add bridge=bridge tagged=bondingSFP1SFP2,bridge untagged=bondingEther1Ether2 vlan-ids=5
# VLAN 5's gateway is here while VLANs 10-12 are routed on the CCR2004;
# neither device has a route to the other's subnets, so the VLANs cannot reach each other
/ip address
add address=10.10.4.30/24 interface=vlan4 network=10.10.4.0
add address=10.10.5.1/24 interface=vlan5 network=10.10.5.0

I can add additional context as needed, but essentially I should be able to ping from the server VM 10.10.5.21 to any 10.10.<vlan10,11,12>.0/24 IP address and vice versa. The challenge I’m facing is that there are several different ways to configure the interfaces and VLANs while layering the NAT translations on top. I appreciate any guidance and assistance provided.

I’ve reached the point where I can communicate across the VLANs from 10.10.10.5 to 10.10.5.21. Here are my updated configs:


# model = CCR2004-16G-2S+
# Pure L2 role now: all VLAN gateways moved to the CRS326, so only the management address remains
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge protocol-mode=mstp \
    vlan-filtering=yes
# vlan5/10/11/12 interfaces exist but carry no address; only vlan4 is used
/interface vlan
add interface=bridge name=vlan4 vlan-id=4
add interface=bridge name=vlan5 vlan-id=5
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan11 vlan-id=11
add interface=bridge name=vlan12 vlan-id=12
# LACP trunk to the CRS326
/interface bonding
add mode=802.3ad name=bondingSFP1SFP2 slaves=sfp-sfpplus1,sfp-sfpplus2
# Access ports (pvid = VLAN of the attached device) and the tagged trunk
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=12
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6 pvid=12
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether15 pvid=4
add bridge=bridge frame-types=admit-only-vlan-tagged interface=bondingSFP1SFP2
# VLAN table: VLANs 4, 10, 11, 12 on the trunk and the bridge (VLAN 5 has no ports on this device)
/interface bridge vlan
add bridge=bridge tagged=bondingSFP1SFP2,bridge vlan-ids=4
add bridge=bridge tagged=bondingSFP1SFP2,bridge vlan-ids=10
add bridge=bridge tagged=bondingSFP1SFP2,bridge vlan-ids=11
add bridge=bridge tagged=bondingSFP1SFP2,bridge vlan-ids=12
/ip address
add address=10.10.4.40/24 interface=vlan4 network=10.10.4.0
/system identity
set name="Mikrotik Level 2 Switch - 1"



# model = CRS326-24S+2Q+
# This device now routes between all VLANs, so every VLAN has bridge as a tagged member and a gateway address
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge protocol-mode=mstp vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan4 vlan-id=4
add interface=bridge name=vlan5 vlan-id=5
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan11 vlan-id=11
add interface=bridge name=vlan12 vlan-id=12
# LACP trunks: SFP+1/2 to the CCR2004, SFP+3/4 to the CCR2116
/interface bonding
add mode=802.3ad name=bondingSFP1SFP2 slaves=sfp-sfpplus1,sfp-sfpplus2
add mode=802.3ad name=bondingSFP3SFP4 slaves=sfp-sfpplus3,sfp-sfpplus4
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=bondingSFP1SFP2
add bridge=bridge frame-types=admit-only-vlan-tagged interface=bondingSFP3SFP4
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1 pvid=4
/interface bridge vlan
add bridge=bridge tagged=bondingSFP1SFP2,bondingSFP3SFP4,bridge untagged=ether1 \
    vlan-ids=4
add bridge=bridge tagged=bondingSFP1SFP2,bondingSFP3SFP4,bridge vlan-ids=5
add bridge=bridge tagged=bondingSFP1SFP2,bondingSFP3SFP4,bridge vlan-ids=10
add bridge=bridge tagged=bondingSFP1SFP2,bondingSFP3SFP4,bridge vlan-ids=11
add bridge=bridge tagged=bondingSFP1SFP2,bondingSFP3SFP4,bridge vlan-ids=12
# Gateway for every VLAN (hosts in VLANs 5, 10, 11, 12 use the .1 of their subnet)
/ip address
add address=10.10.4.20/24 interface=vlan4 network=10.10.4.0
add address=10.10.5.1/24 interface=vlan5 network=10.10.5.0
add address=10.10.10.1/24 interface=vlan10 network=10.10.10.0
add address=10.10.11.1/24 interface=vlan11 network=10.10.11.0
add address=10.10.12.1/24 interface=vlan12 network=10.10.12.0
/system identity
set name="Mikrotik Level 3 Fiber Router Switch"



# model = CCR2116-12G-4S+
# serial number = HFD098A175V
# L2 role now: the VLAN 5 gateway moved to the CRS326, so only the management address remains
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge protocol-mode=mstp \
    vlan-filtering=yes
# vlan5/10/11/12 interfaces exist but carry no address; only vlan4 is used
/interface vlan
add interface=bridge name=vlan4 vlan-id=4
add interface=bridge name=vlan5 vlan-id=5
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan11 vlan-id=11
add interface=bridge name=vlan12 vlan-id=12
# LACP bond to the Proxmox host (ether1+ether2) and LACP trunk to the CRS326 (SFP+1/2)
/interface bonding
add mode=802.3ad name=bondingEther1Ether2 slaves=ether1,ether2 \
    transmit-hash-policy=layer-2-and-3
add mode=802.3ad name=bondingSFP1SFP2 slaves=sfp-sfpplus1,sfp-sfpplus2
# MGMT restricts neighbor discovery below; LAN is defined but has no members yet
/interface list
add name=MGMT
add name=LAN
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=bondingEther1Ether2 pvid=5
add bridge=bridge frame-types=admit-only-vlan-tagged interface=bondingSFP1SFP2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether13 pvid=4
# Only answer/advertise neighbor discovery (MNDP/LLDP) on the management VLAN
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=bondingSFP1SFP2,bridge untagged=ether13 vlan-ids=4
add bridge=bridge tagged=bondingSFP1SFP2,bridge untagged=bondingEther1Ether2 vlan-ids=5
/interface list member
add interface=vlan4 list=MGMT
/ip address
add address=10.10.4.30/24 interface=vlan4 network=10.10.4.0
/system identity
set name="Mikrotik Level 3 Router - Servers"

I believe what I need to do next is get the NAT translations working for the 192.168.1.0/24 addresses on ether2, ether4 and ether6. Currently I’ve tried adding the NAT rules on that same device:


# Sends bridged (same-VLAN) frames through the IP firewall as well; routed
# inter-VLAN traffic already passes the IP firewall without this
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
# Single-address translation for a test host: packets to 10.10.10.10 are
# sent on to 192.168.1.1, and packets from 192.168.1.1 leave as 10.10.10.10
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.10.10.10 to-addresses=\
    192.168.1.1
add action=src-nat chain=srcnat src-address=192.168.1.1 to-addresses=\
    10.10.10.10

I’m still trying to troubleshoot this one and follow the traffic through Torch and the packet sniffer.

Made some more progress: I’m able to get the NAT translation to work so that 10.10.5.21 can ping 10.10.10.10. I think I found my misunderstanding. I was assuming the NAT translation’s src/dst addresses were being “replaced” by the to-address, but what it actually does is forward the traffic to the to-address. It makes so much more sense now why things weren’t working. I’m still having some issues. Here are my updated configs:


# model = CRS326-24S+2Q+
/interface bridge
add frame-types=\
    admit-only-vlan-tagged name=bridge protocol-mode=mstp vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan4 vlan-id=4
add interface=bridge name=vlan5 vlan-id=5
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan11 vlan-id=11
add interface=bridge name=vlan12 vlan-id=12
/interface bonding
add mode=802.3ad name=bondingSFP1SFP2 slaves=sfp-sfpplus1,sfp-sfpplus2
add mode=802.3ad name=bondingSFP3SFP4 slaves=sfp-sfpplus3,sfp-sfpplus4
# The lists referenced under /interface list member have to exist first
/interface list
add name=VLAN
add name=MGMT
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=bondingSFP1SFP2
add bridge=bridge frame-types=admit-only-vlan-tagged interface=bondingSFP3SFP4
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=4
# Sends bridged (same-VLAN) frames through the IP firewall as well; routed
# inter-VLAN traffic already passes the IP firewall without this
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=bridge tagged=bondingSFP1SFP2,bondingSFP3SFP4,bridge untagged=ether1 \
    vlan-ids=4
add bridge=bridge tagged=bondingSFP1SFP2,bondingSFP3SFP4,bridge vlan-ids=5
add bridge=bridge tagged=bondingSFP1SFP2,bondingSFP3SFP4,bridge vlan-ids=10
add bridge=bridge tagged=bondingSFP1SFP2,bondingSFP3SFP4,bridge vlan-ids=11
add bridge=bridge tagged=bondingSFP1SFP2,bondingSFP3SFP4,bridge vlan-ids=12
/interface list member
add interface=vlan4 list=VLAN
add interface=vlan5 list=VLAN
add interface=vlan10 list=VLAN
add interface=vlan11 list=VLAN
add interface=vlan12 list=VLAN
add interface=vlan4 list=MGMT
/ip address
add address=10.10.4.20/24 interface=vlan4 network=10.10.4.0
add address=10.10.5.1/24 interface=vlan5 network=10.10.5.0
add address=10.10.10.1/24 interface=vlan10 network=10.10.10.0
add address=10.10.11.1/24 interface=vlan11 network=10.10.11.0
add address=10.10.12.1/24 interface=vlan12 network=10.10.12.0
# Second address on vlan10 so the router has a connected route to the 192.168.1.x devices
add address=192.168.1.254/24 interface=vlan10 network=192.168.1.0
# Single-address test mapping: 10.10.10.10 -> 192.168.1.1; log=yes records each new translated connection
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.10.10.10 log=yes to-addresses=192.168.1.1
/system identity
set name="Mikrotik Level 3 Fiber Router Switch"

I need to limit the traffic and NAT translations so that the 192 addresses are only accessible within VLAN10 and not from outside. I can ping 192.168.1.1 from 10.10.5.21, which I don’t want. I also want to assign 192.168.1.254/24 to vlan11 and again to vlan12, but I imagine it will cause issues with duplicate IPs, even though I think they should be able to be isolated.
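One way to do the VLAN10 translation and the restriction asked for above, added here as an example and not taken from the original post or from MikroTik documentation. It assumes the router is the CRS326 from the updated config (vlan10 = 10.10.10.1/24), that the translated devices sit in 192.168.1.8-192.168.1.15 with aliases 10.10.10.8-10.10.10.15 (a /29 chosen so the .10 and .11 pairs listed at the top fit while 10.10.10.1 and 10.10.10.5 stay untouched; use a wider block aligned the same way on both sides if more devices are needed), that those devices use 192.168.1.254 as their default gateway, and that the address-list name vlan10-nat-real and the rule comments are placeholders:

```routeros
# Added example (not from the original post): 1:1 NAT between the VLAN10
# 192.168.1.x devices and their 10.10.10.x aliases on the CRS326, plus the
# filter that keeps 192.168.1.0/24 reachable only through those aliases.
# Assumed: mapped devices are 192.168.1.8-15 (aliases 10.10.10.8-15),
# their default gateway is 192.168.1.254, list/comment names are placeholders.

# Router address on the real side, next to the existing 10.10.10.1/24,
# so vlan10 has a connected route to 192.168.1.0/24.
/ip address
add address=192.168.1.254/24 interface=vlan10 network=192.168.1.0 \
    comment="VLAN10 real side of 1:1 NAT"

# Which real addresses have an alias (used by the filter below)
/ip firewall address-list
add list=vlan10-nat-real address=192.168.1.8/29 \
    comment="devices that own a 10.10.10.x alias"

# netmap keeps the host bits and swaps only the prefix, so one rule per
# direction gives 10.10.10.10<->192.168.1.10, 10.10.10.11<->192.168.1.11 ... .15.
# Matching only the /29 leaves 10.10.10.1 (gateway) and 10.10.10.5 alone.
/ip firewall nat
add chain=dstnat dst-address=10.10.10.8/29 action=netmap \
    to-addresses=192.168.1.8/29 comment="alias -> real (towards VLAN10)"
add chain=srcnat src-address=192.168.1.8/29 out-interface=!vlan10 \
    action=netmap to-addresses=10.10.10.8/29 comment="real -> alias (leaving VLAN10)"

# Keep 192.168.1.0/24 inside VLAN10. Rule 1: a new connection from another
# VLAN may only reach a 192 address if dstnat already rewrote it (i.e. it came
# in via an alias); a direct ping to 192.168.1.1 from 10.10.5.21 is dropped.
# Rule 2: no 192 source without an alias may leave VLAN10 untranslated.
# Both belong above any broad accept rule in the forward chain.
/ip firewall filter
add chain=forward connection-state=new dst-address=192.168.1.0/24 \
    in-interface=!vlan10 connection-nat-state=!dstnat action=drop \
    comment="192.168.1.0/24 only via its 10.10.10.x aliases"
add chain=forward src-address=192.168.1.0/24 src-address-list=!vlan10-nat-real \
    out-interface=!vlan10 action=drop comment="no raw 192.168.1.x leaves VLAN10"
```

netmap is the difference from the single-address dst-nat/src-nat rules tried earlier: it maps a whole aligned block in one rule per direction, and conntrack reverses the translation for the replies, so the first filter rule must be limited to connection-state=new (the reply to a connection a 192 device opened arrives with a srcnat state, not dstnat, and would otherwise be dropped). Two caveats: a host inside VLAN10 such as 10.10.10.5 resolves 10.10.10.10 by ARP on its own segment and never reaches these rules, so the mapping only applies to traffic that crosses the router; and repeating 192.168.1.254/24 on vlan11 and vlan12 would leave the router with three connected routes for the same prefix, of which only one can be used to forward, so the VLAN11 and VLAN12 copies need separate routing tables (RouterOS VRFs) rather than a copy of the rules above. The use-ip-firewall=yes setting in the config above is not needed for any of this: inter-VLAN traffic is routed and already passes the IP firewall; the setting only adds bridged same-VLAN frames to it.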