ptasznik91
just joined
Topic Author
Posts: 8
Joined: Mon Sep 13, 2021 12:32 pm

Port Forward doesn't work --> Sharing 3 WAN and 9 LAN by using Vlan

Mon Sep 13, 2021 12:45 pm

Hello all

I have a huge request, I don't know what to change, make my firewall listen to me

I used the guide https://itmikrotik.blogspot.com/2019/06 ... using.html

to break 3 Wan networks into Vlan

Basically everything works; however, the firewall won't even pass ICMP between vlan10 and vlan20.

configuration below
# sep/12/2021 07:46:22 by RouterOS 6.46.4
# software id = KTHH-8ZXT
#
# model = 2011UiAS
# serial number = 69BB06456CE1
/interface bridge
add fast-forward=no name=bridge-VLAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
set [ find default-name=ether3 ] name=ether3-WAN3
set [ find default-name=ether4 ] comment="# LAN"
/interface vlan
add interface=bridge-VLAN name=vlan10 vlan-id=10
add interface=bridge-VLAN name=vlan11 vlan-id=11
add interface=bridge-VLAN name=vlan12 vlan-id=12
add interface=bridge-VLAN name=vlan20 vlan-id=20
add interface=bridge-VLAN name=vlan21 vlan-id=21
add interface=bridge-VLAN name=vlan22 vlan-id=22
add interface=bridge-VLAN name=vlan30 vlan-id=30
add interface=bridge-VLAN name=vlan31 vlan-id=31
add interface=bridge-VLAN name=vlan32 vlan-id=32
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.10.10.2-10.10.10.254
add name=dhcp_pool1 ranges=10.10.11.2-10.10.11.254
add name=dhcp_pool2 ranges=10.10.12.2-10.10.12.254
add name=dhcp_pool3 ranges=10.10.20.2-10.10.20.254
add name=dhcp_pool4 ranges=10.10.21.2-10.10.21.254
add name=dhcp_pool5 ranges=10.10.22.2-10.10.22.254
add name=dhcp_pool6 ranges=10.10.30.2-10.10.30.254
add name=dhcp_pool7 ranges=10.10.31.2-10.10.31.254
add name=dhcp_pool8 ranges=10.10.32.2-10.10.32.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan10 lease-time=1d name=\
    dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan11 lease-time=1d name=\
    dhcp2
add address-pool=dhcp_pool2 disabled=no interface=vlan12 lease-time=1d name=\
    dhcp3
add address-pool=dhcp_pool3 disabled=no interface=vlan20 lease-time=1d name=\
    dhcp4
add address-pool=dhcp_pool4 disabled=no interface=vlan21 lease-time=1d name=\
    dhcp5
add address-pool=dhcp_pool5 disabled=no interface=vlan22 lease-time=1d name=\
    dhcp6
add address-pool=dhcp_pool6 disabled=no interface=vlan30 lease-time=1d name=\
    dhcp7
add address-pool=dhcp_pool7 disabled=no interface=vlan31 lease-time=1d name=\
    dhcp8
add address-pool=dhcp_pool8 disabled=no interface=vlan32 lease-time=1d name=\
    dhcp9
/interface bridge port
add bridge=bridge-VLAN hw=no interface=ether4
add bridge=bridge-VLAN hw=no interface=ether5
/ip address
add address=10.0.10.2/24 interface=ether1-WAN1 network=10.0.10.0
add address=10.0.20.2/24 interface=ether2-WAN2 network=10.0.20.0
add address=10.0.30.2/24 interface=ether3-WAN3 network=10.0.30.0
add address=10.10.10.1/24 interface=vlan10 network=10.10.10.0
add address=10.10.11.1/24 interface=vlan11 network=10.10.11.0
add address=10.10.12.1/24 interface=vlan12 network=10.10.12.0
add address=10.10.20.1/24 interface=vlan20 network=10.10.20.0
add address=10.10.21.1/24 interface=vlan21 network=10.10.21.0
add address=10.10.22.1/24 interface=vlan22 network=10.10.22.0
add address=10.10.30.1/24 interface=vlan30 network=10.10.30.0
add address=10.10.31.1/24 interface=vlan31 network=10.10.31.0
add address=10.10.32.1/24 interface=vlan32 network=10.10.32.0
/ip dhcp-server lease
add address=10.10.10.254 mac-address=74:AC:B9:AB:1E:99 server=dhcp1
add address=10.10.10.50 mac-address=B4:B5:2F:F7:5D:68 server=dhcp1
add address=10.10.20.100 client-id=1:3e:2e:82:6:d1:7a mac-address=\
    3E:2E:82:06:D1:7A server=dhcp4
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.11.0/24 gateway=10.10.11.1
add address=10.10.12.0/24 gateway=10.10.12.1
add address=10.10.20.0/24 gateway=10.10.20.1
add address=10.10.21.0/24 gateway=10.10.21.1
add address=10.10.22.0/24 gateway=10.10.22.1
add address=10.10.30.0/24 gateway=10.10.30.1
add address=10.10.31.0/24 gateway=10.10.31.1
add address=10.10.32.0/24 gateway=10.10.32.1
/ip dns
set servers=10.10.10.100,1.1.1.1,8.8.8.8
/ip firewall address-list
add address=10.10.10.0/24 list=TO-WAN1
add address=10.10.11.0/24 list=TO-WAN1
add address=10.10.12.0/24 list=TO-WAN1
add address=10.10.20.0/24 list=TO-WAN2
add address=10.10.21.0/24 list=TO-WAN2
add address=10.10.22.0/24 list=TO-WAN2
add address=10.10.30.0/24 list=TO-WAN3
add address=10.10.31.0/24 list=TO-WAN3
add address=10.10.32.0/24 list=TO-WAN3
/ip firewall filter
add action=accept chain=forward in-interface=vlan10 out-interface=vlan20 \
    protocol=icmp
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=TO-WAN1 passthrough=\
    yes src-address-list=TO-WAN1
add action=mark-routing chain=prerouting new-routing-mark=TO-WAN2 passthrough=\
    yes src-address-list=TO-WAN2
add action=mark-routing chain=prerouting new-routing-mark=TO-WAN3 passthrough=\
    yes src-address-list=TO-WAN3
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN1
add action=masquerade chain=srcnat out-interface=ether2-WAN2
add action=masquerade chain=srcnat out-interface=ether3-WAN3
/ip route
add check-gateway=ping distance=1 gateway=10.0.10.1 routing-mark=TO-WAN1
add check-gateway=ping distance=1 gateway=10.0.20.1 routing-mark=TO-WAN2
add check-gateway=ping distance=1 gateway=10.0.30.1 routing-mark=TO-WAN3
add check-gateway=ping distance=1 gateway=10.0.10.1
add check-gateway=ping distance=1 gateway=10.0.20.1
add check-gateway=ping distance=1 gateway=10.0.30.1
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=HomeKit
I would like to ask for at least one working rule; I will open the rest myself.

Thank you for your help
 
anav
Forum Guru
Posts: 8392
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forward doesn't work --> Sharing 3 WAN and 9 LAN by using Vlan

Mon Sep 13, 2021 5:44 pm

In summary, the internet, be it YouTube or a blog post, can be a minefield and should be ignored unless you have experience under your belt.
The default rule set will start you in a good and happy place.
This is a reference worth reading on vlans.
viewtopic.php?f=23&t=143620


(1) You have no interface bridge vlan rules??
Assuming etherports 4,5 are trunk ports potentially carrying one or more vlans but not delineated.

(2) Why mangle?

(3) Where are your default firewall or ANY firewall rules.
Is the router not your firewall?
According to what you have any vlan should talk to any vlan at layer 3 for any protocol

(4) You probably should provide a network diagram.

(5) Are the WANIPs fixed IP addresses??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
ptasznik91

Re: Port Forward doesn't work --> Sharing 3 WAN and 9 LAN by using Vlan

Mon Sep 13, 2021 6:57 pm

Thank you for your answer

(4) You probably should provide a network diagram.
[image: network diagram]

(1) You have no interface bridge vlan rules??
I have no rules, I have nothing that goes beyond the guide from the link above

(2) Why mangle?
I buy LTE internet 3 times with a limited package, Each package is for something else:
a) work
b) school
c) entertainment

Not that the packets get mixed up (they are of a different size)

(3) Where are your default firewall or ANY firewall rules.
Is the router not your firewall?
According to what you have any vlan should talk to any vlan at layer 3 for any protocol

There is no firewall configured, I wanted to do it on mikrotik, but it doesn't work.

(5) Are the WANIPs fixed IP addresses??
WAN (the modem LAN sides are fixed); the WAN addresses of the LTE modems come from the ISP's DHCP.

If there is such a need, I can put the MikroTik outside (without access to my devices).
 
anav

Re: Port Forward doesn't work --> Sharing 3 WAN and 9 LAN by using Vlan

Mon Sep 13, 2021 9:11 pm

Changes made where applicable!!!

/interface bridge
add fast-forward=no name=bridge-VLAN vlan-filtering=yes (make this the last config change)
/interface bridge port
add bridge=bridge-VLAN hw=no interface=ether4 allow only tagged frames ingress-filtering=yes
add bridge=bridge-VLAN hw=no interface=ether5

/interface bridge vlan
add bridge=bridge-VLAN tagged=bridge-VLAN,ether4 vlan-ids=10,11,12,20,21,22,30,31,32


/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface list member
add interface=ether1-WAN1 list=WAN
add interface=ether2-WAN2 list=WAN
add interface=ether3-WAN3 list=WAN
add interface=LIST EACH VLAN list=LAN
here too lazy to do it myself.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
/ip firewall filter -input chain
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface=VLANXX *** Where XX = vlan you use to admin the router.
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else" *** Caution do not put this rule in until the vlan you use to config the router is entered above!!



/ip firewall filter -forward chain
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=drop chain=forward comment="DROP ALL other FORWARD traffic"


ALL traffic wan to lan, lan to wan and lan to lan is now effectively blocked.
If you want to allow all the VLAN access to the internet then place this rule where the +++++ symbols are in the order.
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN

If you want to allow vlan10 to access vlan20 users
add action=accept in-interface=vlan10 out-interface=vlan20

/ip firewall mangle - REMOVE MANGLING RULES, not required.

/ip firewall nat (replaces the ones you had which are okay but meant for dynamic wanips, these are better for fixed ips)
add action=src-nat chain=srcnat out-interface=ether1-WAN1 to-addresses=10.0.10.1
add action=src-nat chain=srcnat out-interface=ether2-WAN2 to-addresses=10.0.20.1
add action=src-nat chain=srcnat out-interface=ether3-WAN3 to-addresses=10.0.30.1


/ip route {keep this}
add check-gateway=ping distance=1 gateway=10.0.10.1 routing-mark=TO-WAN1
add check-gateway=ping distance=1 gateway=10.0.20.1 routing-mark=TO-WAN2
add check-gateway=ping distance=1 gateway=10.0.30.1 routing-mark=TO-WAN3
add check-gateway=ping distance=1 gateway=10.0.10.1
add check-gateway=ping distance=1 gateway=10.0.20.1
add check-gateway=ping distance=1 gateway=10.0.30.1

{Route rules to be added}
/ip route rule
add action=lookup-only-in-table interface=vlan10 table=TO-WAN1
add action=lookup-only-in-table interface=vlan11 table=TO-WAN1
add action=lookup-only-in-table interface=vlan12 table=TO-WAN1
add action=lookup-only-in-table interface=vlan20 table=TO-WAN2
add action=lookup-only-in-table interface=vlan21 table=TO-WAN2
add action=lookup-only-in-table interface=vlan22 table=TO-WAN2
add action=lookup-only-in-table interface=vlan30 table=TO-WAN3
add action=lookup-only-in-table interface=vlan31 table=TO-WAN3
add action=lookup-only-in-table interface=vlan32 table=TO-WAN3
 
ptasznik91

Re: Port Forward doesn't work --> Sharing 3 WAN and 9 LAN by using Vlan

Tue Sep 14, 2021 12:04 am

When I have it set like this: there is no internet connection
/ip firewall nat (replaces the ones you had which are okay but meant for dynamic wanips, these are better for fixed ips)
add action=src-nat chain=srcnat out-interface=ether1-WAN1 to-addresses=10.0.10.1
When I have it set like this: there is internet connection
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN1

If you want to allow vlan10 to access vlan20 users
add action=accept in-interface=vlan10 out-interface=vlan20
[Muminek@HomeKit] > ping 10.10.20.1
  SEQ HOST                                     SIZE TTL TIME  STATUS             
    0 10.10.20.1                                 56  64 0ms  
    1 10.10.20.1                                 56  64 0ms  
    2 10.10.20.1                                 56  64 0ms  
    sent=3 received=3 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms 

[Muminek@HomeKit] > ping 10.10.20.8
  SEQ HOST                                     SIZE TTL TIME  STATUS             
    0 10.10.20.8                                              timeout            
    1 10.10.20.8                                              timeout            
    2 10.10.20.1                                 84  64 985ms host unreachable   
    3 10.10.20.8                                              timeout            
    sent=4 received=0 packet-loss=100% 

[Muminek@HomeKit] > ping 10.10.20.7
  SEQ HOST                                     SIZE TTL TIME  STATUS             
    0 10.10.20.7                                              timeout            
    1 10.10.20.7                                              timeout            
    2 10.10.20.7                                              timeout            
    sent=3 received=0 packet-loss=100% 
firewall:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" in-interface=vlan10
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="DROP ALL other FORWARD traffic"
add action=accept chain=forward in-interface=vlan10 out-interface=vlan20
 
anav

Re: Port Forward doesn't work --> Sharing 3 WAN and 9 LAN by using Vlan

Tue Sep 14, 2021 2:09 am

(1) The latter is easily explainable.
Think about the order of these two rules....... the router processes.

add action=drop chain=forward comment="DROP ALL other FORWARD traffic"
add action=accept chain=forward in-interface=vlan10 out-interface=vlan20


The router drops all traffic, then you ask
please allow traffic from vlan10 to reach vlan 20 TOO LATE, you already blocked all the traffic LOL

Remember what I said......... any rules to allow traffic have to go where the +++++ symbols were in the example provided or more clearly BEFORE the last drop all rule.

(2) Why the sourcenat rules specific to fixed wanips are not working is a mystery to me?? (see below, found it)
In any case then stick with the original ones, they are not wrong and as you noted also work.
Last edited by anav on Tue Sep 14, 2021 2:17 am, edited 2 times in total.
 
anav

Re: Port Forward doesn't work --> Sharing 3 WAN and 9 LAN by using Vlan

Tue Sep 14, 2021 2:15 am

Oh silly me, I made an assumption about your WANIP addresses 10.0.10.1, 10.0.20.1 and 10.0.30.1
( I put the gateway IPs by mistake)
Fixed: the TO ADDRESS should be the IP address!!!!

/ip address
add address=10.0.10.2/24 interface=ether1-WAN1 network=10.0.10.0
add address=10.0.20.2/24 interface=ether2-WAN2 network=10.0.20.0
add address=10.0.30.2/24 interface=ether3-WAN3 network=10.0.30.0
add address=10.10.10.1/24 interface=vlan10 network=10.10.10.0
add address=10.10.11.1/24 interface=vlan11 network=10.10.11.0
add address=10.10.12.1/24 interface=vlan12 network=10.10.12.0
add address=10.10.20.1/24 interface=vlan20 network=10.10.20.0
add address=10.10.21.1/24 interface=vlan21 network=10.10.21.0
add address=10.10.22.1/24 interface=vlan22 network=10.10.22.0
add address=10.10.30.1/24 interface=vlan30 network=10.10.30.0
add address=10.10.31.1/24 interface=vlan31 network=10.10.31.0
add address=10.10.32.1/24 interface=vlan32 network=10.10.32.0



/ip firewall nat (replaces the ones you had which are okay but meant for dynamic wanips, these are better for fixed ips)
CORRECTED
add action=src-nat chain=srcnat out-interface=ether1-WAN1 to-addresses=10.0.10.2
add action=src-nat chain=srcnat out-interface=ether2-WAN2 to-addresses=10.0.20.2
add action=src-nat chain=srcnat out-interface=ether3-WAN3 to-addresses=10.0.30.2
 
ptasznik91

Re: Port Forward doesn't work --> Sharing 3 WAN and 9 LAN by using Vlan

Tue Sep 14, 2021 8:58 am

Hi, of course with
Fixed: the TO ADDRESS should be the IP address !!!!
you were right, it works beautifully. Thank you.


MikroTik console
[Muminek@HomeKit] > ping 10.10.20.6
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 10.10.20.6                                 56  64 0ms
    1 10.10.20.6                                 56  64 0ms
    2 10.10.20.6                                 56  64 0ms
    3 10.10.20.6                                 56  64 0ms
    sent=4 received=4 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms
ping from the "PING" tool:
[image: screenshot of the Ping tool]
forward doesn't work, it looks like this:
add action=accept chain=forward in-interface=vlan10 out-interface=vlan20
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" in-interface=vlan10
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="DROP ALL other FORWARD traffic"
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1-WAN1 to-addresses=10.0.10.2
add action=src-nat chain=srcnat out-interface=ether2-WAN2 to-addresses=10.0.20.2
add action=src-nat chain=srcnat out-interface=ether3-WAN3 to-addresses=10.0.30.2
[image: screenshot]

I test forward like this:

PC ping to PC --> did not work
PC ping to the printer --> did not work
ping the router to the PC --> console ok / ping tools did not work
ping the router to the printer --> console ok / ping tools did not work
firewall turned off on PC,

ping between UniFi switches did not work,
port settings below

[image: switch port settings]
or so it does not matter:
[image: switch port settings]
[Muminek@HomeKit] > ip route print       
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          10.0.10.1                 1
 1 A S  0.0.0.0/0                          10.0.20.1                 1
 2 A S  0.0.0.0/0                          10.0.30.1                 1
 3 A S  0.0.0.0/0                          10.0.20.1                 1
 4   S  0.0.0.0/0                          10.0.10.1                 1
 5   S  0.0.0.0/0                          10.0.30.1                 1
 6 ADC  10.0.10.0/24       10.0.10.2       ether1-WAN1               0
 7 ADC  10.0.20.0/24       10.0.20.2       ether2-WAN2               0
 8 ADC  10.0.30.0/24       10.0.30.2       ether3-WAN3               0
 9 ADC  10.10.10.0/24      10.10.10.1      vlan10                    0
10 ADC  10.10.11.0/24      10.10.11.1      vlan11                    0
11 ADC  10.10.12.0/24      10.10.12.1      vlan12                    0
12 ADC  10.10.20.0/24      10.10.20.1      vlan20                    0
13 ADC  10.10.21.0/24      10.10.21.1      vlan21                    0
14 ADC  10.10.22.0/24      10.10.22.1      vlan22                    0
15 ADC  10.10.30.0/24      10.10.30.1      vlan30                    0
16 ADC  10.10.31.0/24      10.10.31.1      vlan31                    0
17 ADC  10.10.32.0/24      10.10.32.1      vlan32                    0
 
anav

Re: Port Forward doesn't work --> Sharing 3 WAN and 9 LAN by using Vlan

Tue Sep 14, 2021 4:38 pm

I cannot say it enough times,
FIRST - ORDER IS IMPORTANT!!
SECOND - Keep the chains separate normally Input chain followed by Forward chain

This is your current config.....
add action=accept chain=forward in-interface=vlan10 out-interface=vlan20
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" in-interface=vlan10
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="DROP ALL other FORWARD traffic"

This is what it should look like:
/ip firewall
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" in-interface=vlan10
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"


add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=vlan10 out-interface=vlan20

add action=drop chain=forward comment="DROP ALL other FORWARD traffic"


THIRDLY, when you make changes or are asked to make changes but fail to POST the new CONFIG, I can only assume
there are still errors getting in the way of success.
For example I have no clue what you did or didn't do with interface lists and members!!!
 
ptasznik91

Re: Port Forward doesn't work --> Sharing 3 WAN and 9 LAN by using Vlan

Wed Sep 15, 2021 7:52 am

[image: screenshot]



[Muminek@HomeKit] > export
# sep/15/2021 06:46:54 by RouterOS 6.46.4
# software id = KTHH-8ZXT
#
# model = 2011UiAS
# serial number = 69BB06456CE1
/interface bridge
add fast-forward=no name=bridge-VLAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
set [ find default-name=ether3 ] name=ether3-WAN3
set [ find default-name=ether4 ] comment="# LAN"
/interface vlan
add interface=bridge-VLAN name=vlan10 vlan-id=10
add interface=bridge-VLAN name=vlan11 vlan-id=11
add interface=bridge-VLAN name=vlan12 vlan-id=12
add interface=bridge-VLAN name=vlan20 vlan-id=20
add interface=bridge-VLAN name=vlan21 vlan-id=21
add interface=bridge-VLAN name=vlan22 vlan-id=22
add interface=bridge-VLAN name=vlan30 vlan-id=30
add interface=bridge-VLAN name=vlan31 vlan-id=31
add interface=bridge-VLAN name=vlan32 vlan-id=32
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.10.10.2-10.10.10.254
add name=dhcp_pool1 ranges=10.10.11.2-10.10.11.254
add name=dhcp_pool2 ranges=10.10.12.2-10.10.12.254
add name=dhcp_pool3 ranges=10.10.20.2-10.10.20.254
add name=dhcp_pool4 ranges=10.10.21.2-10.10.21.254
add name=dhcp_pool5 ranges=10.10.22.2-10.10.22.254
add name=dhcp_pool6 ranges=10.10.30.2-10.10.30.254
add name=dhcp_pool7 ranges=10.10.31.2-10.10.31.254
add name=dhcp_pool8 ranges=10.10.32.2-10.10.32.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan10 lease-time=1d name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan11 lease-time=1d name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=vlan12 lease-time=1d name=dhcp3
add address-pool=dhcp_pool3 disabled=no interface=vlan20 lease-time=1d name=dhcp4
add address-pool=dhcp_pool4 disabled=no interface=vlan21 lease-time=1d name=dhcp5
add address-pool=dhcp_pool5 disabled=no interface=vlan22 lease-time=1d name=dhcp6
add address-pool=dhcp_pool6 disabled=no interface=vlan30 lease-time=1d name=dhcp7
add address-pool=dhcp_pool7 disabled=no interface=vlan31 lease-time=1d name=dhcp8
add address-pool=dhcp_pool8 disabled=no interface=vlan32 lease-time=1d name=dhcp9
/interface bridge port
add bridge=bridge-VLAN hw=no interface=ether4
add bridge=bridge-VLAN hw=no interface=ether5
/interface bridge vlan
add bridge=bridge-VLAN tagged=bridge-VLAN,ether4 vlan-ids=10,11,12,20,21,22,30,31,32
/interface list member
add interface=ether1-WAN1 list=WAN
add interface=ether2-WAN2 list=WAN
add interface=ether3-WAN3 list=WAN
add interface=vlan10 list=LAN
add interface=vlan11 list=LAN
add interface=vlan12 list=LAN
add interface=vlan20 list=LAN
add interface=vlan21 list=LAN
add interface=vlan22 list=LAN
add interface=vlan30 list=LAN
add interface=vlan31 list=LAN
add interface=vlan32 list=LAN
/ip address
add address=10.0.10.2/24 interface=ether1-WAN1 network=10.0.10.0
add address=10.0.20.2/24 interface=ether2-WAN2 network=10.0.20.0
add address=10.0.30.2/24 interface=ether3-WAN3 network=10.0.30.0
add address=10.10.10.1/24 interface=vlan10 network=10.10.10.0
add address=10.10.11.1/24 interface=vlan11 network=10.10.11.0
add address=10.10.12.1/24 interface=vlan12 network=10.10.12.0
add address=10.10.20.1/24 interface=vlan20 network=10.10.20.0
add address=10.10.21.1/24 interface=vlan21 network=10.10.21.0
add address=10.10.22.1/24 interface=vlan22 network=10.10.22.0
add address=10.10.30.1/24 interface=vlan30 network=10.10.30.0
add address=10.10.31.1/24 interface=vlan31 network=10.10.31.0
add address=10.10.32.1/24 interface=vlan32 network=10.10.32.0
/ip dhcp-server lease
add address=10.10.10.254 mac-address=74:AC:B9:AB:1E:99 server=dhcp1
add address=10.10.10.50 mac-address=B4:B5:2F:F7:5D:68 server=dhcp1
add address=10.10.20.100 client-id=1:3e:2e:82:6:d1:7a mac-address=3E:2E:82:06:D1:7A server=dhcp4
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.11.0/24 gateway=10.10.11.1
add address=10.10.12.0/24 gateway=10.10.12.1
add address=10.10.20.0/24 gateway=10.10.20.1
add address=10.10.21.0/24 gateway=10.10.21.1
add address=10.10.22.0/24 gateway=10.10.22.1
add address=10.10.30.0/24 gateway=10.10.30.1
add address=10.10.31.0/24 gateway=10.10.31.1
add address=10.10.32.0/24 gateway=10.10.32.1
/ip dns
set servers=10.10.10.100,1.1.1.1,8.8.8.8
/ip firewall address-list
add address=10.10.10.0/24 list=TO-WAN1
add address=10.10.11.0/24 list=TO-WAN1
add address=10.10.12.0/24 list=TO-WAN1
add address=10.10.20.0/24 list=TO-WAN2
add address=10.10.21.0/24 list=TO-WAN2
add address=10.10.22.0/24 list=TO-WAN2
add address=10.10.30.0/24 list=TO-WAN3
add address=10.10.31.0/24 list=TO-WAN3
add address=10.10.32.0/24 list=TO-WAN3
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" in-interface=vlan10
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=vlan10 out-interface=vlan20
add action=drop chain=forward comment="DROP ALL other FORWARD traffic"
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1-WAN1 to-addresses=10.0.10.2
add action=src-nat chain=srcnat out-interface=ether2-WAN2 to-addresses=10.0.20.2
add action=src-nat chain=srcnat out-interface=ether3-WAN3 to-addresses=10.0.30.2
/ip route
add check-gateway=ping distance=1 gateway=10.0.10.1 routing-mark=TO-WAN1
add check-gateway=ping distance=1 gateway=10.0.20.1 routing-mark=TO-WAN2
add check-gateway=ping distance=1 gateway=10.0.30.1 routing-mark=TO-WAN3
add check-gateway=ping distance=1 gateway=10.0.10.1
add check-gateway=ping distance=1 gateway=10.0.20.1
add check-gateway=ping distance=1 gateway=10.0.30.1
/ip route rule
add action=lookup-only-in-table interface=vlan10 table=TO-WAN1
add action=lookup-only-in-table interface=vlan11 table=TO-WAN1
add action=lookup-only-in-table interface=vlan12 table=TO-WAN1
add action=lookup-only-in-table interface=vlan20 table=TO-WAN2
add action=lookup-only-in-table interface=vlan21 table=TO-WAN2
add action=lookup-only-in-table interface=vlan22 table=TO-WAN2
add action=lookup-only-in-table interface=vlan30 table=TO-WAN3
add action=lookup-only-in-table interface=vlan31 table=TO-WAN3
add action=lookup-only-in-table interface=vlan32 table=TO-WAN3
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=HomeKit
Thank you for the advice, I am attaching the MikroTik config.
 
anav
Forum Guru
Posts: 8392
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forward doesn't work --> Sharing 3 WAN and 9 LAN by using Vlan

Wed Sep 15, 2021 3:26 pm

The config looks good!
Are you
a. pinging a computer in vlan20 from a computer in vlan10??

Try the following.
a. from a computer in vlan10 (from the PC, not from the router) ping its own gateway.
b. from a computer in vlan10 ping the gateway of VLAN20
c. from a computer in vlan10 ping a computer on VLAN20

(in part c. make sure the computer on VLAN20 doesn't block with a firewall etc.)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
ptasznik91
just joined
Topic Author
Posts: 8
Joined: Mon Sep 13, 2021 12:32 pm

Re: Port Forward doesn't work --> Sharing 3 WAN and 9 LAN by using Vlan

Wed Sep 15, 2021 6:36 pm

The config looks good!
Are you
a. pinging a computer in vlan20 from a computer in vlan10??
YES

Try the following.
a. from a computer in vlan10 (from the PC, not from the router) ping its own gateway.
Pinging 10.10.10.1 with 32 bytes of data:
Reply from 10.10.10.1: bytes=32 time<1ms TTL=64
Reply from 10.10.10.1: bytes=32 time<1ms TTL=64
Reply from 10.10.10.1: bytes=32 time<1ms TTL=64
Reply from 10.10.10.1: bytes=32 time<1ms TTL=64

b. from a computer in vlan10 ping the gateway of VLAN20
Pinging 10.10.20.1 with 32 bytes of data:
Reply from 10.10.20.1: bytes=32 time<1ms TTL=64
Reply from 10.10.20.1: bytes=32 time<1ms TTL=64
Reply from 10.10.20.1: bytes=32 time<1ms TTL=64
Reply from 10.10.20.1: bytes=32 time<1ms TTL=64
c. from a computer in vlan10 ping a computer on VLAN20
(screenshot attached)

(in part c. make sure the computer on VLAN20 doesn't block with a firewall etc.)
(screenshot attached)

Translator tested on pure Windows 10 without doing anything, the same.

Adding the cfg from the switch:
(screenshot attached)
 
anav
Forum Guru
Posts: 8392
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forward doesn't work --> Sharing 3 WAN and 9 LAN by using Vlan

Wed Sep 15, 2021 7:45 pm

Well LOL, you have me stumped?
What VLAN is the switch on (meaning what is the IP address of the managed switch)?
VLAN#1 should be the default on the switch trunk port (the one the MT is connected to).
 
ptasznik91
just joined
Topic Author
Posts: 8
Joined: Mon Sep 13, 2021 12:32 pm

Re: Port Forward doesn't work --> Sharing 3 WAN and 9 LAN by using Vlan

Wed Sep 15, 2021 8:41 pm

What VLAN is the switch on (meaning what is the IP address of the managed switch)?
(screenshot attached)



VLAN#1 should be the default on the switch trunk port (the one the MT is connected to).
Switch port 24 VLAN settings:
ID VLAN 1 default --> Untagged
ID VLAN 10,11,12,20,21,22,30,31,32 --> Tagged
 
anav
Forum Guru
Posts: 8392
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forward doesn't work --> Sharing 3 WAN and 9 LAN by using Vlan

Wed Sep 15, 2021 9:01 pm

I am hoping someone else chimes in because I am all out of ideas.
You seem to be bang on with your config :-((
 
ptasznik91
just joined
Topic Author
Posts: 8
Joined: Mon Sep 13, 2021 12:32 pm

Re: Port Forward doesn't work --> Sharing 3 WAN and 9 LAN by using Vlan

Wed Sep 15, 2021 9:10 pm

Thank you for your great contribution :) and I will also look for knowledge. Thank you
 
anav
Forum Guru
Posts: 8392
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forward doesn't work --> Sharing 3 WAN and 9 LAN by using Vlan

Thu Sep 16, 2021 12:51 am

/interface bridge
add fast-forward=no name=bridge-VLAN

Should be
add fast-forward=no name=bridge-VLAN vlan-filtering=yes

Remember the advice?
Read this reference:
viewtopic.php?f=23&t=143620

In EVERY bridge example you see the following at the start of the configuration:
# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no

In EVERY bridge example you see the following at the end of the configuration:
#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes
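The order anav describes (filtering off while configuring, on at the very end) written out for this thread's naming, as an added example that is not anav's or the original poster's configuration. It assumes a fresh bridge named bridge-VLAN and that ether4 is the trunk port towards the managed switch (the port whose switch side carries VLAN 1 untagged and 10,11,12,20,21,22,30,31,32 tagged); the vlan10 ... vlan32 interfaces on top of the bridge are as in the posted config. Tested only against RouterOS v6 syntax as shown in the thread.

```routeros
# Added example (not from the thread). Assumes: fresh bridge "bridge-VLAN",
# ether4 = trunk to the managed switch, VLAN ids as posted (10..32).

# 1. Create the bridge with VLAN filtering OFF while we configure it,
#    so a half-finished VLAN table cannot cut the management session.
/interface bridge
add name=bridge-VLAN protocol-mode=none vlan-filtering=no

# 2. Trunk port towards the switch. pvid=1 keeps untagged frames in
#    VLAN 1, matching the switch side (VLAN 1 untagged, the rest tagged).
/interface bridge port
add bridge=bridge-VLAN interface=ether4 pvid=1

# 3. Bridge VLAN table. Each VLAN is tagged on the trunk AND on the
#    bridge itself ("bridge-VLAN" as a tagged member), because the
#    router's own vlan10..vlan32 interfaces hang off the bridge; without
#    the bridge in the tagged list, the router cannot talk on that VLAN.
/interface bridge vlan
add bridge=bridge-VLAN tagged=bridge-VLAN,ether4 vlan-ids=10,11,12
add bridge=bridge-VLAN tagged=bridge-VLAN,ether4 vlan-ids=20,21,22
add bridge=bridge-VLAN tagged=bridge-VLAN,ether4 vlan-ids=30,31,32

# 4. Only now turn VLAN filtering on. This is the line the posted
#    export was missing (vlan-filtering=yes on the bridge).
/interface bridge
set bridge-VLAN vlan-filtering=yes

# 5. Check: each VLAN id should list both ether4 and bridge-VLAN under
#    current-tagged; a VLAN missing here is a VLAN the bridge will drop.
/interface bridge vlan print
```

Do step 4 from a session that will survive it (Winbox via MAC, or the terminal in Safe Mode), because once filtering is on, the router is reachable only on VLANs that are in the table and tagged to the bridge. With vlan-filtering=no, as in the posted export, the bridge ignores the VLAN table entirely and inter-VLAN traffic behaves unpredictably, which is why the firewall rules looked correct but the vlan10 to vlan20 pings never got through.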
