VLAN TAGGED NAT

Pier · March 16, 2018, 8:51am

Hello everybody,

I’ve got this RB750 which I’m trying to get to work.
I have 1 VLAN (ID 10) and the rest of the traffic is untagged. I set up the ether 2 as a trunk (so VLAN 10 and untagged traffic comes in) and ether 3 as output for the VLAN10.
In local (connecting to the router locally) I get no problems, if I connect to the ether3 I can enter the MNG VLAN (VLAN10) even if it is in a different subnet and if I connect to ether 4 / 5 I can “talk” with the other clients that use untagged traffic.
What I need to do is theorically simple, connecting via internet (public IP) I need to get port-forwarded to the VLAN10, I can’t find a solution to do that… can someone please help me?
I’m running RouterOS 6.41.3.

EDIT: vlan 10 subnet 192.168.150.x and untagged traffic 10.10.10.x (255.255.255.0) RB750 is set as bridge.

solar77 · March 16, 2018, 9:29am

Did you try dst-nat to the VLAN IP that you need?
For example:

add action=dst-nat chain=dstnat comment="Port forwarding VNC" dst-port=5900 protocol=tcp to-addresses=10.10.1.5 to-ports=5900

Not sure if you need to add dst address as your public and out interace as you VLAN, but give it a try.

Pier · March 16, 2018, 10:18am

Did you try dst-nat to the VLAN IP that you need?
For example:
add action=dst-nat chain=dstnat comment="Port forwarding VNC" dst-port=5900 protocol=tcp to-addresses=10.10.1.5 to-ports=5900
Not sure if you need to add dst address as your public and out interace as you VLAN, but give it a try.

Thanks for the answer, yes I tried but it is not working like this.

add action=dst-nat chain=dstnat src-address="public ip"  src-port=5051 protocol=tcp to-addresses=192.168.150.72

mkx · March 16, 2018, 12:21pm

Are you sure you have IP addresses and routing set-up correctly? I fear that bridging IP subnets 192.168.150.0/24 and 10.10.10.0/24 without having routing instance for both of them (either on your RB or some other router) can have some questionable side-effects. I.e. if LAN side of your RB has only address 10.168.150.42, it doesn’t know how to reach host with IP 10.10.10.42 … and hence it can’t DST-NAT to it either.

It would help if you posted relevant part of your configuration … /ip firewall export and /ip route print …

Pier · March 16, 2018, 3:09pm

I resetted the router to default to start from zero again.
I have no configuration at the moment but I can demonstrate what I would like to do with an image.
https://ibb.co/c656nx
Those radio repeaters are “transparent” on untagged traffic but their management is visible on the VLAN10.
I want to connect via the internet from another network to the MNG page of those repeaters. When I setup bridges on the RB750 it switches to “bridge” instead of “router”.

CZFan · March 16, 2018, 3:38pm

Create VPN connections, make one part of VLAN10 so you can manage that and other one no VLAN so you can access untagged devices if needed

Pier · March 16, 2018, 3:46pm

yes, that could be a solution but there is a problem. I can’t work with VPNs… I need a solution without them.

CZFan · March 16, 2018, 3:56pm

Change above to:

add action=dst-nat chain=dstnat in-interface=<Your WAN Interface>  dst-port=5051 protocol=tcp to-addresses=192.168.150.72

Pier · March 19, 2018, 10:12am

I tried to do what you suggested me but it is not working… I noticed that when I ping 192.168.150.72 (radio repeater MNG IP) which is under vlan tag it doesn’t answer back giving me a timeout.
I tried every interface… Is this normal?

sindy · March 19, 2018, 7:02pm

The verbal descriptions usually lack some important detail. Please paste here the result of ****

/export hide-sensitive

, if there are any public addresses in your configuration which you don’t want to publish, replace each of them systematically with a distinctive pattern such as

public.ip.address.A

before posting.