Hi all
As part of my learning curve, and, why not, to have a bit of fun, I deployed another routerboard in my home network with the intention of creating a certain level of redundancy for some services (e.g. secondary DNS, secondary DHCP, etc.), but I stumbled upon a curious behaviour.
This is the topology:

The RB951G (on 7.11.2) is the second routerboard; I'm passing VLAN99 and 255 and I created two VLAN interfaces to assign one IP from each VLAN. No FW rules on this device.
All the following things work:
- both VLAN interfaces get an IP if set up as DHCP client
- I can connect to the routerboard via SSH and FTP using both IP addresses
- webfig works using both IP addresses as target
- DNS works using both IPs as DNS server IP
So, all looks ok except Winbox.
I can connect using the IP coming from VLAN99 but not the one from VLAN255
If I try to use Winbox using the IP from VLAN255 I get the error “router does not support secure connection. please enable legacy mode”.
Now I know that what is blocking this connection is rule number 10 of the FW rules deployed on the HEX (below I omitted the first rules as those are in the INPUT chain).
If I disable rule 10 all works fine and Winbox connects.
If I only assign one IP to either the VLAN99 or the VLAN255 interface of the RB951G, I can connect.
Of course both subnets behind VLAN99 and VLAN255 are part of the list “alist_trusted_subnets” used in rule 13.
What I don’t understand is why only Winbox is affected and not any other type of traffic.
Of course I can easily fix this with an allow rule in the forward chain to accept the traffic from VLAN99 to the IP of the RB951G on VLAN255, but I feel this is a bit like cheating.
Does anybody have a clue why Winbox is marked as invalid?
6 ;;; Fast track all the intra vlan to route wire speed (only established,related)
chain=forward action=fasttrack-connection hw-offload=yes
connection-state=established,related,untracked
src-address-list=alist_all_SUBNETs dst-address-list=alist_all_SUBNETs
log=no log-prefix=""
7 ;;; prevent internet from target ip when using backup line (to save subscription data plan)
chain=forward action=drop
src-address-list=alist_not_allowed_over_bkp-wan
out-interface-list=list_WAN-BKP log=no log-prefix=""
8 ;;; fast track connection for established/related when using the bakup line (no queue applied)
chain=forward action=fasttrack-connection hw-offload=yes
connection-state=established,related
src-address-list=alist-lan+mgmt+semitrusted
out-interface-list=list_WAN-BKP log=no log-prefix=""
9 ;;; Accept forwarding for any established/related/untracked packets
chain=forward action=accept
connection-state=established,related,untracked log=no log-prefix=""
10 ;;; drop invalid packets
chain=forward action=drop connection-state=invalid log=no
log-prefix=""
11 ;;; allow port forwarding (new packets only if DSTNATed)
chain=forward action=accept connection-state=new
connection-nat-state=dstnat in-interface-list=list_WAN log=no
log-prefix=""
12 ;;; Allow traffic to internet from any subnet
chain=forward action=accept src-address-list=alist_all_SUBNETs
out-interface-list=list_WAN log=no log-prefix=""
13 ;;; Accept intra VLANs forward between trusted subnets
chain=forward action=accept src-address-list=alist_trusted_subnets
dst-address-list=alist_trusted_subnets log=no log-prefix=""
14 ;;; Allow traffic between IOT and NAS (SMB only)
chain=forward action=accept protocol=tcp src-address=<ip hidden for privacy>
dst-address=<ip hidden for privacy> dst-port=445 log=no log-prefix=""
15 ;;; Allow Forward traffic from NeT-OfficE to printer
chain=forward action=accept connection-state=new
src-address=<ip hidden for privacy> dst-address=<ip hidden for privacy> log=no
log-prefix=""
16 ;;; Allow outgoing traffic from LAN and Management network lans to semitrusted (IoT + modem)
chain=forward action=accept src-address-list=alist_LAN+MGMT
dst-address-list=alist_Semi-Trusted log=no log-prefix=""
17 X ;;; FOR TEST ONLY - DO NOT ENABLE - allow interVLAN routing
chain=forward action=accept src-address-list=alist_all_SUBNETs
dst-address-list=alist_all_SUBNETs log=no log-prefix=""
18 ;;; Default catch all rule - block any forward not defined
chain=forward action=drop log=no log-prefix=""
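Added illustration, not the poster's configuration and not a diagnosis of this particular topology: a small Python model of first-match evaluation in a stateful forward chain, reduced to the rules that matter for the question above (9, 10, 13 and 18), plus a minimal TCP connection tracker. It shows the general mechanism behind the symptom the post describes: a packet the tracker tags as connection-state=invalid is caught by rule 10 before it can ever reach the trusted-subnet accept in rule 13, and the same packet falls through to rule 13 when rule 10 is disabled. It also shows one common way a packet earns the invalid tag, namely a reply the firewall never saw (modelled with a parameter, not asserted as the cause here). The subnets, addresses and port numbers are constructed documentation-range values; 8291 is Winbox's default TCP port.

```python
"""Toy model of first-match evaluation in a stateful forward chain.

Added example, not the poster's configuration. Only rules 9, 10, 13 and 18
from the post are modelled, and the two VLAN subnets use constructed
documentation-range addresses.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-ins for the two trusted subnets (assumption, not the real ones).
TRUSTED = [ipaddress.ip_network("198.51.100.0/24"),   # plays "VLAN99"
           ipaddress.ip_network("203.0.113.0/24")]    # plays "VLAN255"
CLIENT = "198.51.100.50"   # management client on VLAN99 (constructed)
TARGET = "203.0.113.2"     # second router's address on VLAN255 (constructed)
WINBOX_PORT = 8291         # Winbox default TCP port


def in_trusted(addr: str) -> bool:
    """Equivalent of matching alist_trusted_subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED)


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # "SYN", "SYN-ACK" or "ACK"


@dataclass
class ConnTracker:
    """Minimal TCP tracker: SYN -> SYN_SENT; SYN-ACK in the reply direction
    -> ESTABLISHED. An ACK from the original side while still in SYN_SENT is
    reported as invalid, which is also the verdict Linux conntrack gives when
    it never observed the SYN-ACK. Unknown mid-stream packets are treated as
    invalid here (a deliberate simplification; real trackers can be more lenient)."""
    table: dict = field(default_factory=dict)

    def classify(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)   # original direction
        rkey = (p.dst, p.dport, p.src, p.sport)  # reply direction
        if key in self.table:
            if self.table[key] == "ESTABLISHED":
                return "established"
            if p.flags == "SYN":                 # retransmitted SYN
                return "new"
            return "invalid"                     # e.g. ACK before any SYN-ACK was seen
        if rkey in self.table:
            if p.flags == "SYN-ACK" and self.table[rkey] == "SYN_SENT":
                self.table[rkey] = "ESTABLISHED"
                return "established"
            return "established" if self.table[rkey] == "ESTABLISHED" else "invalid"
        if p.flags == "SYN":                     # first packet of a new connection
            self.table[key] = "SYN_SENT"
            return "new"
        return "invalid"


def forward_chain(rule10_enabled: bool = True):
    """Subset of the post's forward chain; numbers as in the print output."""
    rules = [
        (9,  "accept", lambda p, s: s in ("established", "related", "untracked")),
        (10, "drop",   lambda p, s: s == "invalid"),
        (13, "accept", lambda p, s: in_trusted(p.src) and in_trusted(p.dst)),
        (18, "drop",   lambda p, s: True),   # catch-all
    ]
    return [r for r in rules if rule10_enabled or r[0] != 10]


def evaluate(rules, p: Packet, state: str):
    """First matching rule wins, exactly like a RouterOS/iptables chain."""
    for num, action, match in rules:
        if match(p, state):
            return num, action
    raise AssertionError("chain always terminates at rule 18")


def handshake(reply_seen: bool, rule10_enabled: bool = True):
    """Walk a client->target TCP handshake through the firewall and return
    [(flags, connection_state, matched_rule, action), ...] per packet seen.
    reply_seen=False models a SYN-ACK that reached the client over a path
    that bypassed this firewall, so the tracker never observed it."""
    ct = ConnTracker()
    rules = forward_chain(rule10_enabled)
    syn = Packet(CLIENT, TARGET, 40000, WINBOX_PORT, "SYN")
    synack = Packet(TARGET, CLIENT, WINBOX_PORT, 40000, "SYN-ACK")
    ack = Packet(CLIENT, TARGET, 40000, WINBOX_PORT, "ACK")
    path = [syn, synack, ack] if reply_seen else [syn, ack]
    verdicts = []
    for p in path:
        state = ct.classify(p)
        num, action = evaluate(rules, p, state)
        verdicts.append((p.flags, state, num, action))
    return verdicts


if __name__ == "__main__":
    for label, kwargs in [("symmetric path", dict(reply_seen=True)),
                          ("reply bypassed firewall", dict(reply_seen=False)),
                          ("reply bypassed, rule 10 disabled",
                           dict(reply_seen=False, rule10_enabled=False))]:
        print(label)
        for flags, state, num, action in handshake(**kwargs):
            print(f"  {flags:8} state={state:12} rule {num:2} -> {action}")
```

Running the script prints the three walks side by side: on a symmetric path every packet after the SYN is established and accepted by rule 9; when the tracker misses the reply, the client's ACK is classified invalid and dropped by rule 10; with rule 10 disabled the same invalid packet falls through to rule 13 and is accepted, which is the behaviour change the post reports. A practical check on a real router is to enable logging on the drop-invalid rule temporarily (log=yes with a log-prefix) and compare the logged packets against a packet capture on both VLAN interfaces to see which direction of the conversation the firewall is missing.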