VLAN - SrcNat needed for some devices. Why?

Hi,

I have multiple VLANs in my network.

  • Domotic VLAN


  • HomeLab VLAN

In summary, I have the following rules related to these VLANs in the firewall.

  • fw: Accept established and related


  • fw: Drop Invalid


  • fw: Accept from HomeLab Vlan to Domotic Vlan


  • fw: Drop all

In theory these rules should be enough to access the Domotic VLAN from the HomeLab VLAN. But in some situations this doesn't work.
I have Home Assistant in the HomeLab VLAN, and Home Assistant works without problems with devices on the Domotic VLAN.

Two examples that don't work:
In the Domotic VLAN I have Shelly devices, which have a web UI page for configuration. From the HomeLab VLAN I can't access this web UI using a web browser.
In the Domotic VLAN I have a Reolink IP camera with RTSP enabled. From the HomeLab VLAN I can't open the RTSP stream URL in VLC.

I have tried to see what is being blocked by the firewall, but I don't see anything.
I have configured src-nat with the masquerade action from the HomeLab VLAN to the Domotic VLAN and it works perfectly. But I find this very strange; I don't understand why this configuration has to be done.

RTSP and HTTP are at the top of the stack, and they aren't aware of VLANs and IP addresses. Why are they affected by having a different IP address range?

With regards,

It means that the client devices in your networks do not have the correct configuration.
(subnet mask, default gateway)

These should normally be obtained via DHCP so it looks like there is an error in your DHCP configuration.

When you enable src nat, the access appears to come from a local address, and this mistake no longer affects the connection.

Alternatively, it can also be that the NAT rule you use for internet access is incorrect, and affects the traffic between VLANs.
(i.e. not correct output-interface or output-interface-list in the rule)
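
To make the mechanism in this answer concrete, here is an added Python simulation of the reply path from a Domotic device back to a HomeLab client, with and without masquerade. It is not code from the thread or from RouterOS. It assumes the Domotic VLAN is 192.168.110.0/24 with the router at 192.168.110.1 and a HomeLab client at 192.168.120.50 (the thread only shows the HomeLab and Guest subnets); the device names and the misconfigurations are constructed for the example.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed topology (assumption, not from the thread): Domotic VLAN is
# 192.168.110.0/24 with the router at .1; HomeLab VLAN is 192.168.120.0/24
# as in the poster's DHCP output, with a client at .50.
ROUTER_ON_DOMOTIC = ipaddress.ip_address("192.168.110.1")
HOMELAB_CLIENT = ipaddress.ip_address("192.168.120.50")

# Addresses that really answer ARP on the Domotic layer-2 segment.
DOMOTIC_SEGMENT = {ROUTER_ON_DOMOTIC, ipaddress.ip_address("192.168.110.20")}


class Device:
    """A host on the Domotic VLAN with whatever IP settings it was given."""

    def __init__(self, name: str, iface: str, gateway: Optional[str]):
        self.name = name
        # Address *and* mask as configured on the host, e.g. "192.168.110.20/24".
        self.iface = ipaddress.ip_interface(iface)
        self.gateway = ipaddress.ip_address(gateway) if gateway else None

    def next_hop(self, dst: ipaddress.IPv4Address) -> Tuple[str, str]:
        """Host-side forwarding decision: ('direct'|'via'|'unreachable', detail)."""
        if dst in self.iface.network:
            # Host believes dst is on-link and ARPs for it; that only succeeds
            # if something on the real segment owns the address.
            if dst in DOMOTIC_SEGMENT:
                return ("direct", str(dst))
            return ("unreachable",
                    f"{dst} looks on-link to {self.name}, nothing answers ARP")
        if self.gateway is None:
            return ("unreachable", f"{self.name} has no default gateway")
        if self.gateway not in self.iface.network:
            return ("unreachable",
                    f"gateway {self.gateway} is not on {self.name}'s subnet")
        return ("via", str(self.gateway))


def reply_reaches_client(device: Device, masquerade: bool) -> bool:
    """Does the device's SYN-ACK (or RTSP reply) get back to the HomeLab client?

    The request always arrives: the router forwards it. What differs is the
    destination of the reply. Without src-nat the device answers the real
    client address; with masquerade the router rewrote the source to its own
    Domotic-side address, which is on-link for the device by construction.
    """
    reply_dst = ROUTER_ON_DOMOTIC if masquerade else HOMELAB_CLIENT
    kind, _ = device.next_hop(reply_dst)
    return kind in ("direct", "via")


def diagnose(device: Device) -> dict:
    """Compare the two cases the thread describes for one device."""
    return {
        "without_nat": reply_reaches_client(device, masquerade=False),
        "with_nat": reply_reaches_client(device, masquerade=True),
    }


if __name__ == "__main__":
    # Constructed devices: one correct, three with typical DHCP/static mistakes.
    for dev in (
        Device("shelly-ok", "192.168.110.20/24", "192.168.110.1"),
        Device("shelly-no-gateway", "192.168.110.20/24", None),
        Device("camera-wide-mask", "192.168.110.20/16", "192.168.110.1"),
        Device("camera-wrong-gateway", "192.168.110.20/24", "192.168.120.1"),
    ):
        print(f"{dev.name:22s} {diagnose(dev)}  "
              f"reply without NAT -> {dev.next_hop(HOMELAB_CLIENT)[1]}")
```

Running it shows the pattern from the thread: only the correctly configured device answers the HomeLab client without NAT, while every device answers once masquerade hides the client behind the router's Domotic-side address. Because the failing packet is the device's reply, not the client's request, the router's firewall never sees a dropped packet to log; the handshake simply never completes.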

I can see that my devices are correctly configured via DHCP. This is how I have my DHCP server networks configured.
Also take into consideration that the Home Assistant integration with my Shelly devices is working without problems, so for some protocols it seems to work.

/ip/dhcp-server/network> print
Columns: ADDRESS, GATEWAY, DNS-SERVER, DOMAIN
# ADDRESS           GATEWAY        DNS-SERVER      DOMAIN
;;; LanNetHomeLab_Network
2 192.168.120.0/24  192.168.120.1  192.168.120.20        
                                   192.168.120.21        
;;; LanGuest_Network
7 192.168.190.0/24  192.168.190.1  192.168.120.20        
                                   192.168.120.21



I suppose this is correct because I can access the Internet without problems. How can the Internet src-nat affect the functioning of the internal LAN?
This is my src-nat for the Internet:

chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix=""

Thanks for your help. With regards,

You must make sure that the internet interface is the only interface in list WAN, and that the VLAN interfaces are in list LAN.
It can also be that there is a firewall in the devices itself that limits access to the web interface to devices on the same network.