Vlan's do not ping

Hello everyone! I'm new here. I created VLANs on a Mikrotik router but they don't ping. I tried adding firewall rules or disabling them all, but it doesn't help; RDP works, though. Help me please.

From the Winbox terminal (select the output, then copy and paste it):
/export hide-sensitive file=anynameyouwish

I did it. Do I send it to you whole, or only part of it?

If you've done the "hide-sensitive" thing, just anonymise any public IPs and post the whole thing here inside code tags.

Here it is:
config.rsc (48.9 KB)

(1) First point is firmware, at least upgrade to latest 6 stable version 6.49.

(2) Second point: I cannot help with some of the config because I despise Capsman and refuse to use it, learn it, or waste one second on it.

(3) Your configuration for Vlans, bridges, ethernet ports is all wrong.
Lots of options.

Suggest one bridge:
attach all 4 vlans to the bridge (when created)
all vlans still require IP address, IP pool, dhcp server, dhcp server network
all vlans are interface list members for LAN
interface Bridge settings port still remains one port ether3 (ingress filtering=yes allow only tagged frames)
interface Bridge settings vlans
add bridge=bridge tagged=bridge,ether3 vlan-ids=3,5,6,7

I see you need one more subnet; best to simply create another vlan, let's say vlan11, and attach it to the bridge as well.


(4) You may want to reconsider this setting…
/interface bridge settings
set use-ip-firewall-for-vlan=yes

Rarely used and can cause problems if you don't understand its purpose… best to use regular firewall rules in most cases.

(5) You have a conflict for dhcp-server…
/ip dhcp-server
add authoritative=after-2sec-delay interface=ether4 name=lan4
add interface=VLAN3 lease-time=1h name=vlan3
/ip dhcp-server
add address-pool=VLAN3 disabled=no interface=VLAN3 name=VLAN3

I know the case is different, but vlan3 is associated with ether3, and thus creating a server named lan4 with interface ether4 makes NO sense.

(6) Firewall rules are full of crap… simplify… and you are missing stuff on the forward chain???

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: allow LAN access" in-interface-list=LAN
add action=drop chain=input comment="drop all else"


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related time=19h-9h,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
??? WHERE ARE THE REST…

- allow LAN to WAN traffic - ( add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN )
- allow port forwarding - ( add chain=forward action=accept connection-nat-state=dstnat connection-state=new in-interface-list=WAN )
- anything else - then
  add chain=forward action=drop comment="drop all else"

(7) Interface list member INTERNET (why did you create this one? It is no different from WAN and thus serves no purpose that I can tell??)

(8) Duplicate entries?? (perhaps you meant one to be UDP??)
add action=dst-nat chain=dstnat comment=shuk-pc dst-port=35359
in-interface-list=Internet protocol=tcp to-addresses=192.168.100.114
to-ports=3389
add action=dst-nat chain=dstnat comment=shuk-pc dst-port=35359
in-interface-list=Internet protocol=tcp to-addresses=192.168.100.114
to-ports=3389

(9) Okay I see all these rules in raw as well for SSH…
Not sure of the benefit either.

(10) Overall fix the setup regarding vlans, ports and bridges as the primary concern.
Secondary is the gazillion SSH rules you have going.
Is this normal? What is the use case that you need so many RDP rules INBOUND???

The only time I used RDP it was outbound, and thus no port forwarding was required?
Are you saying that you have users that need to access their PC?
If that is the case, tell them to use
Teamviewer
Logmein
Gotomypc
Anydesk etc…
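Points (3), (4) and (6) of the reply above, pulled together into one RouterOS script as an added example (it is not from the thread or from the posted config.rsc). It keeps the thread's names (bridge "bridge", trunk port ether3, VLAN IDs 3,5,6,7, interface lists LAN and WAN) and assumes the rest: ether1 as the WAN port, and made-up subnets 192.168.<vlan-id>.0/24 with the router at .1. The firewall is the default-config input and forward chains the reply quotes, with the three forward rules it says are missing.

```routeros
# Added example, not the original config. Assumed: ether1 is WAN, ether3 is the
# tagged trunk, bridge is named "bridge", subnets 192.168.<vlan-id>.0/24 are made up.

# Create the bridge with VLAN filtering OFF for now; it is switched on as the last step
# so that a management session arriving over the trunk is not cut off half-way through.
/interface bridge
add name=bridge vlan-filtering=no

# ether3 is the only bridge port: accept tagged frames only, with ingress filtering.
/interface bridge port
add bridge=bridge interface=ether3 frame-types=admit-only-vlan-tagged ingress-filtering=yes

# Bridge VLAN table: the bridge itself is tagged so the router has L3 access to each VLAN.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=3,5,6,7

# One VLAN interface per ID, all hanging off the bridge.
/interface vlan
add name=vlan3 interface=bridge vlan-id=3
add name=vlan5 interface=bridge vlan-id=5
add name=vlan6 interface=bridge vlan-id=6
add name=vlan7 interface=bridge vlan-id=7

# Interface lists: WAN for ether1, LAN for every VLAN (no separate INTERNET list).
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=vlan3 list=LAN
add interface=vlan5 list=LAN
add interface=vlan6 list=LAN
add interface=vlan7 list=LAN

# Each VLAN needs: IP address, IP pool, DHCP server network, DHCP server.
/ip address
add address=192.168.3.1/24 interface=vlan3
add address=192.168.5.1/24 interface=vlan5
add address=192.168.6.1/24 interface=vlan6
add address=192.168.7.1/24 interface=vlan7
/ip pool
add name=pool-vlan3 ranges=192.168.3.10-192.168.3.254
add name=pool-vlan5 ranges=192.168.5.10-192.168.5.254
add name=pool-vlan6 ranges=192.168.6.10-192.168.6.254
add name=pool-vlan7 ranges=192.168.7.10-192.168.7.254
/ip dhcp-server network
add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=192.168.3.1
add address=192.168.5.0/24 gateway=192.168.5.1 dns-server=192.168.5.1
add address=192.168.6.0/24 gateway=192.168.6.1 dns-server=192.168.6.1
add address=192.168.7.0/24 gateway=192.168.7.1 dns-server=192.168.7.1
/ip dhcp-server
add name=dhcp-vlan3 interface=vlan3 address-pool=pool-vlan3 disabled=no
add name=dhcp-vlan5 interface=vlan5 address-pool=pool-vlan5 disabled=no
add name=dhcp-vlan6 interface=vlan6 address-pool=pool-vlan6 disabled=no
add name=dhcp-vlan7 interface=vlan7 address-pool=pool-vlan7 disabled=no

# Leave use-ip-firewall-for-vlan at its default (no) and filter in /ip firewall instead.
/interface bridge settings
set use-ip-firewall-for-vlan=no

# Input chain: the default-config rules, ending in an explicit drop.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept in-interface-list=LAN comment="defconf: allow LAN access"
add chain=input action=drop comment="drop all else"
# Forward chain: default rules plus the three the reply says are missing.
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="allow LAN to WAN"
add chain=forward action=accept connection-nat-state=dstnat connection-state=new in-interface-list=WAN comment="allow port forwarding"
add chain=forward action=drop comment="drop all else"

# Masquerade everything leaving via WAN.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# Last step: turn VLAN filtering on now that ports and the VLAN table are in place.
/interface bridge
set bridge vlan-filtering=yes
```

With the "drop all else" rule at the end of forward, traffic between the VLANs is blocked by default; a VLAN that must reach another one needs its own accept rule above that drop. The dst-nat rules from point (8) are deliberately not reproduced here: the forward-chain dstnat accept only admits what a NAT rule explicitly forwards, so with no such rules nothing inbound on WAN reaches the LAN.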