kbergmanis
just joined
Topic Author
Posts: 7
Joined: Fri Aug 10, 2018 1:59 pm

Allowing traffic between switches within router

Fri Aug 10, 2018 2:22 pm

Hello,
I'm new to network things and am trying to learn the hard way - by watching video tutorials and reading documentation. As our company is rather small and I'm the all-in-one IT solution, courses most likely aren't an option anytime soon.

We have an RB2011UiAS-2HnD-IN device containing two built-in switches; the configuration was done before my time by an external 3rd party technician. On switch2 we have one subnet with four devices connected, and on switch1 two HP unmanaged 1420 devices connecting our office network (computers, laptops, WiFi routers etc.). I want to implement VNC remoting between these two switches, as well as make the printer in the office network available to one machine in the switch2 network.
I also have two bridges there - LAN-bridge-local, connecting sfp1, wlan1 and ether2-master-local (where our office network HP switch is connected). The other is DMZ-bridge-ext, to which, as far as I can tell, only DMZ-ether6-master-ext is joined. I checked this by running:
/interface bridge port> print
In regard to interfaces, ether2 is master to 3, 4 and 5; and ether6 is master to 7, 8, 9 and 10. This is, as I understand, the standard configuration. The suggested solution from here was to add a bridge between ether2 and ether6. I added a new bridge from the WinBox GUI (as I'm learning, I'm switching between GUI and terminal, based on what the tutorial suggests), and then tried:
/interface bridge port> add bridge test-bridge1 interface=ether2
failure: device already added as bridge port.
Unsure if this helps, but there are no VLANs configured, as far as I can tell from checking Interface\VLAN or Switch\VLAN. Furthermore, Switch\Port shows VLAN Mode as "Disabled" for all interfaces. Unsure if this is the correct configuration or not.

Question 1: Can an interface be a part of multiple bridges?
Question 2: How to allow access between those two switches only on certain ports/addresses (for example, from ether2, 192.168.0.100 I'd like to access every device on switch2, ether6-9, and I'd like device on ether6, 192.168.15.100 to access printer on ether2, 192.168.0.20).
 
bramwittendorp
Member Candidate
Posts: 101
Joined: Thu Jun 16, 2016 3:48 pm
Location: The Netherlands

Re: Allowing traffic between switches within router

Sat Aug 11, 2018 4:40 pm

I don't think you need a bridge at all, but to answer your questions:
Question 1: Can an interface be a part of multiple bridges?
I'm not sure, my logic says no. The error you posted also points to this, please read the Wiki-page for more information on bridges https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge

Question 2: How to allow access between those two switches only on certain ports/addresses (for example, from ether2, 192.168.0.100 I'd like to access every device on switch2, ether6-9, and I'd like device on ether6, 192.168.15.100 to access printer on ether2, 192.168.0.20).

You need to use the Firewall for this, you can find it under IP > Firewall. In most cases you'll need to make use of the forward chain. The packets are being forwarded through your Router.

Example: for the printer you need something like this
/ip firewall filter 
add action=accept chain=forward src-address=192.168.15.100 dst-address=192.168.0.20 comment="Allow ether6 to access printer" 

You should make sure the router knows the IP ranges on each side of the network. You can verify this under:
/ip route print
But since they are directly attached I don't expect any issues.
 
kbergmanis
just joined
Topic Author
Posts: 7
Joined: Fri Aug 10, 2018 1:59 pm

Re: Allowing traffic between switches within router

Mon Aug 13, 2018 7:50 am

Hmm, I tried adding that firewall rule, but I still can't ping, traceroute or just connect to the printer from that machine.
In regard to routing, here is the result that I get:
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          78.28.209.249             1
 1 ADC  78.28.209.248/30   78.28.209.250   WAN-ether1                0
 2 ADC  80.233.170.40/29   80.233.170.41   DMZ-bridge-ext            0
 3 ADC  192.168.0.0/24     192.168.0.1     LAN-bridge-local          0
So route number 0 means that from every IP, unless specified otherwise, traffic should go to 78.28.209.249, and then in route 1 it's moved to our public IP.
Route 2, as I understand, moves all traffic from one part of the network (these IPs are those that are connected to ether6-9) to the gateway address 80.22.170.41.
Route 3 deals in the same way with the other part of the router. How do I know if both parts know about each other?

Upon finding this, I also tried
add action=accept chain=forward src-address=80.233.170.41 dst-address=192.168.0.19 comment="Access to printer"
but it didn't help.

Also tried exporting configuration as your signature suggests - available here, hope it helps.
I also guess I'll have to get and read a book about this; otherwise this is shooting in the dark.
 
bramwittendorp
Member Candidate
Posts: 101
Joined: Thu Jun 16, 2016 3:48 pm
Location: The Netherlands

Re: Allowing traffic between switches within router

Mon Aug 13, 2018 4:53 pm

Hi,

First of all, in your export I see you're running 6.33.3, please consider upgrading to at least the latest bugfix release, as this version of RouterOS is vulnerable to an attack that can exploit Winbox. You can read more about it here: https://blog.mikrotik.com/security/winb ... ility.html

Route number 0 is your default route: all traffic that hasn't been captured by the other, more specific routes will be sent to your ISP gateway (78.28.209.249). So this will be true for any internet traffic.

Route number 1 is used by your router, and it's a direct attached route, so your Router knows which IPs it can reach directly on the WAN-ether1.

Route number 2 is a direct attached route pointing your router toward the DMZ-bridge-ext for the IPs in the 80.233.170.40/29 subnet. The IP-address you see here is the IP-address that has been assigned to the router on the DMZ-bridge-ext interface. You won't want to use this for your firewall rule.

The route number 3 is similar, but for the LAN-bridge-local.

It seems to me there is something wrong with both the NAT-configuration and the IP-configuration on the host attached to ether6. Based on the config you've provided the device on ether6 should have an IP in the 80.233.170.40/29 network, having 80.233.170.41 as default gateway.
 
kbergmanis
just joined
Topic Author
Posts: 7
Joined: Fri Aug 10, 2018 1:59 pm

Re: Allowing traffic between switches within router

Tue Aug 14, 2018 2:06 pm

Hello,

The upgrade of the router is planned for this Thursday, so, yes, this is one of the things I wish to do.

Devices connected to ether6-9 indeed have IPs 80.233.170.42-45, that is correct. That confused me even more when trying to set up VNC initially - the usual problem is to get connection to private IP, not to public one.

Any ideas on what to try/test?
 
bramwittendorp
Member Candidate
Posts: 101
Joined: Thu Jun 16, 2016 3:48 pm
Location: The Netherlands

Re: Allowing traffic between switches within router

Tue Aug 14, 2018 2:17 pm

Let me try to understand you correctly: the devices on ether6 - ether9 have an IP-address in the 80.233.170.42-45 range. But also private IPs? Where are the network adapters providing these private IPs connected to?
 
kbergmanis
just joined
Topic Author
Posts: 7
Joined: Fri Aug 10, 2018 1:59 pm

Re: Allowing traffic between switches within router

Tue Aug 14, 2018 2:54 pm

Sorry, my first post might have been misleading as I tried to generalize.

Ether1 - incoming signal.
Ether2 and Ether3 - unmanaged HP switches to which our office network connects, working in 192.168.0.0/16.
Ether6-Ether9 - machines which have public IPs, 80.233.170.42-45.

The two connections that I want to make are:
192.168.0.100 to any of 80.233.170.42-45 machine, to use VNC.
80.233.170.45 to printer on 192.168.0.19.

I hope this is a better description.
 
bramwittendorp
Member Candidate
Posts: 101
Joined: Thu Jun 16, 2016 3:48 pm
Location: The Netherlands

Re: Allowing traffic between switches within router

Tue Aug 14, 2018 7:52 pm

Hi,

That enlightens your question and gives me a better opportunity to help you in a good way.

Let's start with the printer, you've already got a proper firewall rule for it in your config:
add chain=forward comment="Trainer access to printer" dst-address=192.168.0.19 src-address=80.233.170.45
The issue however is that it's at the bottom of the chain. Place it more to the top, above the DEFAULT: DROP FORWARD: DMZ -> LAN rule you've got in your config.

With regards to your VNC issue, you'll need a similar rule, also at the top of your filters for the forward chain, allowing new connections from your PC towards the DMZ. The replies should be accepted, because established and related connections get fast-tracked in the current config.

At last, judging from your config, please have a look at the Wiki-page regarding the firewall function (https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter), especially the following paragraph is good to keep in mind:
input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain
forward - used to process packets passing through the router
output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain
In your current set-up there are a number of firewall rules that should be applied to the forward chain rather than to the input chain. The same goes for some of the NAT policies: there are DST-NAT rules applied in your config where they won't be needed, because the IPs already are public, so a rule in the forward chain would catch that traffic.

A possible suggestion is to find and hire a MikroTik consultant in your area (I don't know where you're from, but if you're from The Netherlands, think of me ;-)). It might be good for you to go through the entire setup with someone who is more experienced with RouterOS and can explain certain aspects to you, you'll gain knowledge without attending training and your problems are also resolved or you have some good directives to follow.
 
kbergmanis
just joined
Topic Author
Posts: 7
Joined: Fri Aug 10, 2018 1:59 pm

Re: Allowing traffic between switches within router

Thu Aug 16, 2018 11:04 am

Great many thanks!
Your advice to move printer rule up solved issue immediately.

Not so much luck with VNC for now, but I think I will leave this for now, order a book and then get back to this when I know a bit more about Firewalls.
 1    ;;; DEFAULT: FASTTRACK - SYSTEM FEATURE (ENABLED)
      chain=forward action=fasttrack-connection 
      connection-state=established,related log=no log-prefix="" 

 2    ;;; Trainer access to printer.
      chain=forward action=accept src-address=80.233.170.45 
      dst-address=192.168.0.19 log=no log-prefix="" 

 3    ;;; VNC-TrainingBJ
      chain=input action=accept src-address=192.168.0.100 
      dst-address=80.233.170.42 log=no log-prefix="" 

 4    ;;; DEFAULT: DROP FORWARD: DMZ -> LAN (log)
      chain=forward action=drop src-address-list=DMZ-NET 
      dst-address-list=LAN-NET log=yes log-prefix="DROP DMZ"
Also tried that with specifying tcp and port 5901 (default is 5900, but I updated it on client and server, to see if that helps), no luck there.

I agree that hiring someone with proper skills would be better, but at this time that is not an option and I certainly don't want to call guys who did initial setup. And I'm from Latvia, so, pity, can't ask for your help with this onsite. :D
Again, thanks for bearing with me!
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: Allowing traffic between switches within router

Thu Aug 16, 2018 12:03 pm

Not so much luck with VNC for now, but I think I will leave this for now, order a book and then get back to this when I know a bit more about Firewalls.
 3    ;;; VNC-TrainingBJ
      chain=input action=accept src-address=192.168.0.100 
      dst-address=80.233.170.42 log=no log-prefix="" 
The VNC rule is in wrong chain ... should be in chain=forward ...
 
kbergmanis
just joined
Topic Author
Posts: 7
Joined: Fri Aug 10, 2018 1:59 pm

Re: Allowing traffic between switches within router

Thu Aug 16, 2018 1:07 pm

Not so much luck with VNC for now, but I think I will leave this for now, order a book and then get back to this when I know a bit more about Firewalls.
 3    ;;; VNC-TrainingBJ
      chain=input action=accept src-address=192.168.0.100 
      dst-address=80.233.170.42 log=no log-prefix="" 
The VNC rule is in wrong chain ... should be in chain=forward ...
Tried that initially, yes, didn't work out.
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: Allowing traffic between switches within router

Thu Aug 16, 2018 1:58 pm

The VNC rule is in wrong chain ... should be in chain=forward ...
Tried that initially, yes, didn't work out.
Perhaps it didn't work due to ordering of filter rules as @bramwittendorp already pointed out and you fixed for printer access.
 
bramwittendorp
Member Candidate
Posts: 101
Joined: Thu Jun 16, 2016 3:48 pm
Location: The Netherlands

Re: Allowing traffic between switches within router

Thu Aug 16, 2018 8:31 pm

As I've said before, use the forward chain for packets passing through the router. Place the rule allowing VNC-traffic above any drop-rules in your firewall configuration.

You could try to add the following two firewall rules; add them and place them at the top of the forward chain, after the "DEFAULT: FASTTRACK - SYSTEM FEATURE (ENABLED)" rule but before any other firewall rules.
/ip firewall filter
add chain=forward comment="VNC from IT > DMZ" dst-address=80.233.170.42 src-address=192.168.0.100
add chain=forward comment="VNC from DMZ > IT" dst-address=192.168.0.100 src-address=80.233.170.42 
These rules will allow any traffic from the specified DMZ-host to and from your PC. If these work, you could try it with a connection-state=established,related added on the VNC from DMZ > IT rule. In that way, only established and related connections from the DMZ-host to your PC are allowed and you gain security back.

Also, remove the following NAT rules; they are pointless and could be causing trouble.
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=80.233.170.42 dst-port=5900 protocol=tcp to-addresses=80.233.170.42 to-ports=5900
add chain=srcnat dst-address=80.233.170.42 dst-port=5900 protocol=tcp
add action=dst-nat chain=dstnat dst-port=5900 protocol=tcp to-addresses=80.233.170.42 to-ports=5900
add action=dst-nat chain=dstnat dst-port=5900 in-interface=all-ethernet protocol=tcp to-addresses=80.233.170.42
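As an added illustration (not code from any poster in this thread), a small Python model of RouterOS first-match filter evaluation covering the two points raised above: rule order within chain=forward, which is why moving the printer accept above the "DROP FORWARD: DMZ -> LAN" rule fixed printing, and chain selection, which is why a VNC accept in chain=input never sees forwarded traffic. The address-list membership and the "before" rule ordering are assumptions reconstructed from the posts.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Address lists named in the config; membership is an assumption reconstructed
# from the subnets in the posted route table.
ADDRESS_LISTS = {"DMZ-NET": ip_network("80.233.170.40/29"),
                 "LAN-NET": ip_network("192.168.0.0/24")}
@dataclass
class Rule:
    chain: str
    action: str      # accept | drop | fasttrack-connection
    comment: str
    m: dict = field(default_factory=dict)  # src, dst, src_list, dst_list, state

def matches(rule, pkt):
    """All matchers on the rule must hold; a missing matcher is a wildcard."""
    m = rule.m
    return all([
        rule.chain == pkt["chain"],
        m.get("src", pkt["src"]) == pkt["src"],
        m.get("dst", pkt["dst"]) == pkt["dst"],
        "src_list" not in m or ip_address(pkt["src"]) in ADDRESS_LISTS[m["src_list"]],
        "dst_list" not in m or ip_address(pkt["dst"]) in ADDRESS_LISTS[m["dst_list"]],
        "state" not in m or pkt["state"] in m["state"],
    ])

def deciding_rule(rules, pkt):
    """First match in the packet's chain wins; ('accept', None) is the implicit end-of-chain accept."""
    for r in rules:
        if matches(r, pkt):
            return ("accept" if r.action == "fasttrack-connection" else r.action), r.comment
    return "accept", None

# Rules as posted in the thread (chains, actions and addresses taken from the posts).
FASTTRACK = Rule("forward", "fasttrack-connection", "DEFAULT: FASTTRACK", {"state": {"established", "related"}})
PRINTER   = Rule("forward", "accept", "Trainer access to printer", {"src": "80.233.170.45", "dst": "192.168.0.19"})
VNC_INPUT = Rule("input",   "accept", "VNC-TrainingBJ",            {"src": "192.168.0.100", "dst": "80.233.170.42"})
VNC_FWD   = Rule("forward", "accept", "VNC from IT > DMZ",         {"src": "192.168.0.100", "dst": "80.233.170.42"})
DROP_DMZ  = Rule("forward", "drop",   "DROP FORWARD: DMZ -> LAN",  {"src_list": "DMZ-NET", "dst_list": "LAN-NET"})

BEFORE = [FASTTRACK, DROP_DMZ, PRINTER, VNC_INPUT]  # accept below the drop, VNC rule in chain=input (assumed)
AFTER  = [FASTTRACK, PRINTER, VNC_FWD, DROP_DMZ]    # accepts above the drop, VNC rule in chain=forward
# Constructed packets; traffic passing through the router always traverses chain=forward.
PRINT_JOB = {"chain": "forward", "src": "80.233.170.45", "dst": "192.168.0.19",  "state": "new"}
VNC_SYN   = {"chain": "forward", "src": "192.168.0.100", "dst": "80.233.170.42", "state": "new"}
VNC_REPLY = {"chain": "forward", "src": "80.233.170.42", "dst": "192.168.0.100", "state": "established"}

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        for name, pkt in (("print job", PRINT_JOB), ("VNC SYN", VNC_SYN), ("VNC reply", VNC_REPLY)):
            print(f"{label:6} {name:10} -> {deciding_rule(rules, pkt)}")
```

The reply direction is accepted in both orderings because the fasttrack rule on established,related sits first, which is what makes the one-directional VNC accept sufficient once it is in the right chain.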
 
kbergmanis
just joined
Topic Author
Posts: 7
Joined: Fri Aug 10, 2018 1:59 pm

Re: Allowing traffic between switches within router

Tue Aug 21, 2018 11:59 am

bramwittendorp, Thank you, you did magic! :)
I'll note these examples so in future I have starting point and can try to tweak existing things if something else is needed.
