Wireless AP + VLAN = No internet access

So, here’s a bit of a nutter.

I have a Mikrotik 2011UAS-2HnD, and I've just created a second Virtual AP. I want all traffic on that Virtual AP to go through my pfsense VM, which is running on a server connected to the Mikrotik. So what I've done is as follows:

  • Created the Virtual AP
  • Created a VLAN and assigned it to the interface the pfsense VM is connected to
  • Created a bridge and assigned the Virtual AP and the VLAN interface to it

This works, kinda. Clients connecting to the Virtual AP get an IP assigned by the DHCP server on pfsense, and I can see traffic running through the VLAN firewall on pfsense. The clients can ping any part of the network (that the pfsense firewall permits); however, the clients cannot get any internet access. A traceroute shows the following:

traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
 1  10.10.60.1 (10.10.60.1)  1.399 ms  1.163 ms  0.984 ms
 2  10.0.0.1 (10.0.0.1)  2.887 ms  1.298 ms  1.359 ms

10.10.60.1 is the pfsense VLAN address, and 10.0.0.1 is on the Mikrotik side. The next hop should be my ISP.

I'm assuming I'm missing something obvious here, but I can't figure out what it is.

Thanks!

I've been wrapping my head around this all day long. So frustrating, as I'm sure there's something fundamental I'm not getting. Clients can connect to the Virtual AP, they get an IP from the pfsense DHCP, they pass the proper pfsense VLAN firewall, and they reach the Mikrotik gateway, but then it stops there instead of proceeding out to the internet.

Post an export of your Mikrotik configuration.

 #    INTERFACE        BRIDGE              PRIORITY  PATH-COST  HORIZON
 0    ether2           bridge-lan_trusted  0x20      10         none
 1 I  ;;; Trusted WLAN
      wlan_clients     bridge-lan_trusted  0x80      10         none
 2    wlan_untrusted   bridge_untrusted    0x80      10         none
 3 X  vlan-106         bridge_untrusted    0x80      10         none
 4    ether6           bridge-lan_trusted  0x80      10         none

 #    NAME       MTU   ARP      VLAN-ID  INTERFACE
 0 R  ;;; VLAN 99 - pfSense WAN
      vlan-99    1500  enabled  99       ether7
 6 R  ;;; VLAN 106 - Primary WiFi Network
      vlan-106   1500  enabled  106      ether7

 #    NAME                 TYPE
 0 R  ;;; WAN Interface
      ether1-gateway       ether
      ether2               ether
      ether3               ether
      ether4               ether
      ether5               ether
      ether6               ether
      ether7               ether
      ether8-slave-local   ether
      ether9-slave-local   ether
      ether10-slave-local  ether
10    sfp1                 ether
      wlan_clients         wlan
      wlan_untrusted       wlan
      bridge-lan_trusted   bridge
      bridge_untrusted     bridge
15 R  ;;; VLAN 99 - pfSense WAN
      vlan-99              vlan
16 R  ;;; VLAN 106 - Primary WiFi Network
      vlan-106             vlan

 #   ADDRESS          NETWORK       INTERFACE
 0   ;;; mikrotik LAN
     192.168.xx.1/24  192.168.xx.0  bridge-lan_trusted
 2   ;;; pfsense WAN
     10.0.0.1/24      10.0.0.0      vlan-99
 3 D xx.xx.xx.xx/24   xx.xx.xx.xx   ether1-gateway

Any insight here would be much appreciated!

Do you have any rule in IP - Routes for 0.0.0.0/0 going to Eth1-gateway?

Yep, it's there. All other interfaces have a working internet connection; it's just traffic on that Virtual AP that has this issue, and that issue is only there when using the VLAN and routing it through pfsense.

Please make an /ip firewall nat export.

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="Guest network masquerade" out-interface=ether1-gateway src-address=\
    10.10.20.0/24

The "Guest network masquerade" rule is what I used for that Virtual AP before deciding to set up a VLAN and route it through pfsense.

Change to 10.0.0.0/24 and try it.

Thanks for the suggestion, but do I really want to apply that masquerade to all traffic coming from 10.0.0.0/24? I have a bunch of other VLANs on the pfsense box, and they all go through the Mikrotik on 10.0.0.1.

And also, do I really need that masquerade rule there at all, given that I already have the default one on ether1?

add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway

Probably you don't need it. Did you set up pfsense as a transparent proxy?

No, it's not a transparent proxy. But again, since I have the following default masquerade rule, all traffic out through eth1 is masqueraded, no?

add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway

Adding masquerading for 10.0.0.0/24 won't have any effect, as the above rule pre-empts it. Or am I missing something here?

Yes, all outgoing traffic through eth1 is masqueraded. But the traffic from pfsense doesn't seem to go to eth1.

Yeah, except all traffic apart from the WiFi VLAN traffic from pfsense goes to eth1 just fine. So I'm a bit at a loss here.

Post an export from IP - Routes.

/ip route
add comment="Web Services Network" distance=1 dst-address=10.10.10.0/24 \
    gateway=10.0.0.10
add comment="Primary Wifi Network" distance=1 dst-address=10.10.60.0/24 \
    gateway=10.0.0.10

What is the 10.0.0.10 IP address?

The pfsense WAN interface IP, which is connected to the Mikrotik eth7 interface on VLAN 99.

No one has any ideas? Just to clarify, this should work, right?
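To check the reasoning in the NAT and route exchanges above (whether the default masquerade rule already covers the VLAN traffic, and which interface the return path to 10.10.60.0/24 leaves on), here is an added model of the exported config as a longest-prefix route lookup plus first-match srcnat evaluation. It is not the poster's router or RouterOS code; the default route, the connected routes and the 192.168.1.0/24 LAN value are assumptions filled in from the thread.

```python
import ipaddress

# Constructed model of the config exported in this thread (assumed, not live router
# state). The masked 192.168.xx LAN is assumed to be 192.168.1.0/24.
ROUTES = [                       # (destination, gateway IP or out-interface)
    ("0.0.0.0/0", "ether1-gateway"),          # default route confirmed in the thread
    ("10.10.10.0/24", "10.0.0.10"),           # Web Services Network via pfSense WAN
    ("10.10.60.0/24", "10.0.0.10"),           # Primary Wifi Network via pfSense WAN
    ("10.0.0.0/24", "vlan-99"),               # connected: 10.0.0.1/24 on vlan-99
    ("192.168.1.0/24", "bridge-lan_trusted"), # connected: mikrotik LAN (assumed)
]
NAT_RULES = [                    # srcnat chain as exported; first match wins
    {"out-interface": "ether1-gateway", "src-address": None},           # default
    {"out-interface": "ether1-gateway", "src-address": "10.10.20.0/24"}, # old guest
]

def lookup_route(dst):
    """Longest-prefix match; returns (prefix, gateway, egress interface) or None."""
    dst_ip = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if dst_ip in ipaddress.ip_network(r[0])),
               key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)
    if best is None:
        return None
    prefix, gw = best
    try:                          # gateway is an IP: resolve it to its own interface
        ipaddress.ip_address(gw)
        iface = lookup_route(gw)[2]
    except ValueError:            # gateway is already an interface name
        iface = gw
    return prefix, gw, iface

def srcnat_match(src, out_iface):
    """Index of the first srcnat rule matching this packet, or None (no masquerade)."""
    src_ip = ipaddress.ip_address(src)
    for i, rule in enumerate(NAT_RULES):
        if rule["out-interface"] != out_iface:
            continue
        if rule["src-address"] and src_ip not in ipaddress.ip_network(rule["src-address"]):
            continue
        return i
    return None

def trace(src, dst):
    """Forward and return path for one flow, as the router would resolve them."""
    _, _, fwd_iface = lookup_route(dst)
    _, ret_gw, ret_iface = lookup_route(src)
    return {"forward_out": fwd_iface,
            "masqueraded": srcnat_match(src, fwd_iface) is not None,
            "return_via": ret_gw, "return_out": ret_iface}
```

Running `trace("10.10.60.5", "8.8.8.8")` shows the outbound packet leaving ether1-gateway under rule 0 (so a later 10.0.0.0/24 rule is never reached) and the reply routed back to 10.0.0.10 on vlan-99; if the real traceroute stops at 10.0.0.1, the gap is somewhere this table does not capture.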