
 
taylorjonl

Route traffic to a different route based on bridge

Thu Jan 03, 2019 4:20 pm

I am trying to route traffic to two different interfaces based on the bridge the traffic came from, and I am having major issues. Here are the relevant parts of my config (I will post my full config later):
# Excerpt from a RouterOS export: four L3 bridges (one per VLAN) plus a WAN bridge.
/interface bridge
add name=br-vlan-dmz
add name=br-vlan-management
add name=br-vlan-trusted
add name=br-vlan-untrusted
add name=br-wan
# WAN address and the main-table default route come from the upstream DHCP server.
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=br-wan
# L2TP/IPsec client named "vpn"; peer address and credentials are masked in the post.
/interface l2tp-client
add allow-fast-path=yes connect-to=******************* disabled=no ipsec-secret=******* name=vpn password=********** use-ipsec=yes user=********
# Masquerade everything that leaves via the WAN bridge or via the tunnel.
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=br-wan
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=vpn
# The only route in table "dmz" is this default via the tunnel; the connected
# routes for the other bridges exist only in the main table.
/ip route
add distance=1 gateway=vpn routing-mark=dmz
# NOTE(review): this rule matches every packet that enters on br-vlan-dmz,
# including replies from DMZ hosts to the trusted/management/untrusted
# networks. Because table "dmz" holds only a default route, those replies
# are sent into the tunnel as well -- which matches the symptom described
# in the post. Rules placed before this one that send traffic from
# br-vlan-dmz for each local prefix to table=main (or connected routes
# added to table "dmz") should keep inter-VLAN traffic off the tunnel;
# confirm in a lab before enabling.
/ip route rule
add disabled=yes dst-address=0.0.0.0/0 interface=br-vlan-dmz table=dmz
I am trying to route traffic from the DMZ to the VPN; I want the rest of the traffic routed to my WAN. The disabled route rule was supposed to accomplish this, and it partially does. If I enable this rule, traffic from the DMZ goes to the VPN, but so does traffic to the DMZ from other networks, e.g. TRUSTED. To test, I have a ping from the DMZ to 8.8.8.8 and a ping from a TRUSTED box to my DMZ box. With the rule disabled, the DMZ ping goes out the WAN and the TRUSTED box ping works fine; when I enable it, the DMZ ping goes to the VPN, and so does the TRUSTED box ping.

Here is my route list:
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          vpn                       1
 1 ADS  0.0.0.0/0                          199.192.X.X               1
 2 ADC  1.0.0.1/32         10.0.1.71       vpn                       0
 3 ADC  10.0.0.0/8         10.0.0.1        br-vlan-management        0
 4 ADC  172.20.0.0/16      172.20.0.1      br-vlan-trusted           0
 5 ADC  192.168.0.0/24     192.168.0.1     br-vlan-dmz               0
 6 ADC  192.168.1.0/24     192.168.1.1     br-vlan-untrusted         0
 7 ADC  199.192.X.0/21     199.192.X.X     br-wan                    0
What am I missing?

Here is my full config:
# Four L3 bridges, one per VLAN, plus the WAN bridge.
/interface bridge
add name=br-vlan-dmz
add name=br-vlan-management
add name=br-vlan-trusted
add name=br-vlan-untrusted
add name=br-wan
# L2TP/IPsec client named "vpn"; peer address and credentials are masked in the post.
/interface l2tp-client
add allow-fast-path=yes connect-to=******************* disabled=no ipsec-secret=******* name=vpn password=********** use-ipsec=yes user=********
# All four VLANs are tagged on the sfp-sfpplus2 trunk; the WAN is sfp-sfpplus1 (see bridge ports below).
/interface vlan
add interface=sfp-sfpplus2 name=vlan-dmz vlan-id=10
add interface=sfp-sfpplus2 name=vlan-management vlan-id=1000
add interface=sfp-sfpplus2 name=vlan-trusted vlan-id=100
add interface=sfp-sfpplus2 name=vlan-untrusted vlan-id=50
# DHCP pools, one per network.
/ip pool
add name=ip-pool-dmz ranges=192.168.0.100-192.168.0.254
add name=ip-pool-management ranges=10.0.0.100-10.0.0.254
add name=ip-pool-trusted ranges=172.20.100.1-172.20.199.254
add name=ip-pool-untrusted ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add address-pool=ip-pool-dmz disabled=no interface=br-vlan-dmz name=dhcp-dmz
add address-pool=ip-pool-management disabled=no interface=br-vlan-management name=dhcp-management
add address-pool=ip-pool-trusted disabled=no interface=br-vlan-trusted name=dhcp-trusted
add address-pool=ip-pool-untrusted disabled=no interface=br-vlan-untrusted name=dhcp-untrusted
# Each bridge carries exactly one port: the VLAN sub-interface, or the physical WAN port.
/interface bridge port
add bridge=br-vlan-dmz interface=vlan-dmz
add bridge=br-vlan-management interface=vlan-management
add bridge=br-vlan-trusted interface=vlan-trusted
add bridge=br-vlan-untrusted interface=vlan-untrusted
add bridge=br-wan interface=sfp-sfpplus1
# Gateway addresses for the four networks.
# NOTE(review): 10.0.0.0/8 on the management bridge is a very wide prefix;
# the route list in the post shows the tunnel's local address 10.0.1.71
# falling inside it, which can make routing and firewall matches confusing.
# A narrower management prefix would avoid the overlap.
/ip address
add address=192.168.0.1/24 interface=br-vlan-dmz network=192.168.0.0
add address=192.168.1.1/24 interface=br-vlan-untrusted network=192.168.1.0
add address=172.20.0.1/16 interface=br-vlan-trusted network=172.20.0.0
add address=10.0.0.1/8 interface=br-vlan-management network=10.0.0.0
# WAN address and the main-table default route come from the upstream DHCP server.
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=br-wan
# DMZ clients are handed 8.8.8.8 for DNS; the other networks resolve via the router.
/ip dhcp-server network
add address=10.0.0.0/8 dns-server=10.0.0.1 gateway=10.0.0.1
add address=172.20.0.0/16 dns-server=172.20.0.1 gateway=172.20.0.1
add address=192.168.0.0/24 dns-server=8.8.8.8 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="Accept established, related, and untracked traffic" connection-state=established,related,untracked
# New traffic from the tunnel towards the router is dropped and logged.
add action=drop chain=input in-interface=vpn log=yes log-prefix=VPN
# Port-scan and SYN-flood handling: each drop rule sits before the rule that
# populates its address list, so a listed source is dropped from its next
# packet onward (1w / 30m list timeouts).
add action=drop chain=input comment="Drop traffic from port-scanner address list" src-address-list=address-list-port-scanner
add action=add-src-to-address-list address-list=address-list-port-scanner address-list-timeout=1w chain=input comment="Add Port Scanner to the port-scanner address list" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop traffic from syn-flooder address list" src-address-list=address-list-syn-flooder
add action=add-src-to-address-list address-list=address-list-syn-flooder address-list-timeout=30m chain=input comment="Add SYN flooder to the syn-flooder address list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop invalid traffic" connection-state=invalid log=yes log-prefix=invalid
# Per-bridge input policy. Every sub-chain ends with "return", so traffic it
# does not accept continues to the DHCP accept and the final logged drop.
add action=jump chain=input in-interface=br-vlan-dmz jump-target=input-dmz
add action=jump chain=input in-interface=br-vlan-untrusted jump-target=input-untrusted
add action=jump chain=input in-interface=br-vlan-trusted jump-target=input-trusted
add action=jump chain=input in-interface=br-vlan-management jump-target=input-management
add action=accept chain=input comment="Accept DHCP traffic not coming from WAN" dst-port=67 in-interface=!br-wan protocol=udp src-port=68
add action=drop chain=input comment="Drop all other traffic" log=yes
# DMZ hosts may only ping the gateway; their DNS is 8.8.8.8 (dhcp-server network).
add action=accept chain=input-dmz comment="Accept ICMP traffic" dst-address=192.168.0.1 protocol=icmp
add action=return chain=input-dmz
# Untrusted and trusted: DNS (TCP and UDP) plus ICMP to the gateway address only,
# and only from the bridge's own prefix; the directed broadcast is dropped.
add action=drop chain=input-untrusted comment="Drop broadcast UDP packets" dst-address=192.168.1.255 protocol=udp
add action=accept chain=input-untrusted comment="Accept DNS requests for TCP protocol" dst-address=192.168.1.1 dst-port=53 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=input-untrusted comment="Accept DNS requests for UDP protocol" dst-address=192.168.1.1 dst-port=53 protocol=udp src-address=192.168.1.0/24
add action=accept chain=input-untrusted comment="Accept ICMP traffic" dst-address=192.168.1.1 protocol=icmp
add action=return chain=input-untrusted
add action=drop chain=input-trusted comment="Drop broadcast UDP packets" dst-address=172.20.255.255 protocol=udp
add action=accept chain=input-trusted comment="Accept DNS requests for UDP protocol" dst-address=172.20.0.1 dst-port=53 protocol=udp src-address=172.20.0.0/16
add action=accept chain=input-trusted comment="Accept DNS requests for TCP protocol" dst-address=172.20.0.1 dst-port=53 protocol=tcp src-address=172.20.0.0/16
add action=accept chain=input-trusted comment="Accept ICMP traffic" dst-address=172.20.0.1 protocol=icmp
add action=return chain=input-trusted
# Management network gets unrestricted access to the router.
# NOTE(review): with 10.0.0.0/8 on br-vlan-management this trusts a very
# large prefix; the only source check for it is in forward-management.
add action=accept chain=input-management comment="Accept all other traffic"
add action=return chain=input-management
# --- forward chain: traffic passing through the router ---
add action=fasttrack-connection chain=forward comment="Accept established, related, and untracked traffic" connection-state=established,related,untracked
add action=accept chain=forward comment="Accept established, related, and untracked traffic" connection-state=established,related,untracked
# NOTE(review): srcnat is applied in postrouting, after this chain, so a
# brand-new connection is unlikely to carry connection-nat-state=srcnat here;
# worth confirming what this rule is meant to catch.
add action=accept chain=forward comment="Accept src-nat traffic" connection-nat-state=srcnat
add action=drop chain=forward comment="Drop invalid traffic" connection-state=invalid log=yes log-prefix=invalid
# Per-bridge forward policy keyed on in-interface. Only the four LAN bridges
# are jumped; anything else falls through to the unconditional accept below.
add action=jump chain=forward in-interface=br-vlan-dmz jump-target=forward-dmz log=yes
add action=jump chain=forward in-interface=br-vlan-untrusted jump-target=forward-untrusted
add action=jump chain=forward in-interface=br-vlan-trusted jump-target=forward-trusted
add action=jump chain=forward in-interface=br-vlan-management jump-target=forward-management
# NOTE(review): a new connection arriving on br-wan or on vpn is not covered
# by any jump above and is accepted here. No dst-nat is configured, but the
# tunnel peer could reach the private ranges through the tunnel; consider
# dropping new connections with in-interface=vpn (and br-wan) in forward,
# as the input chain already does for vpn.
add action=accept chain=forward comment="Accept all other traffic"
# DMZ: must carry its own source prefix and may only initiate towards the tunnel.
add action=drop chain=forward-dmz comment="Drop traffic originating from a different network" log=yes log-prefix=origin src-address=!192.168.0.0/24
add action=drop chain=forward-dmz comment="Drop traffic with destination other than VPN" log=yes log-prefix=dmz out-interface=!vpn
add action=return chain=forward-dmz
# Untrusted: own prefix only; no access to DMZ, management or trusted.
add action=drop chain=forward-untrusted comment="Drop traffic originating from a different network" log=yes log-prefix=origin src-address=!192.168.1.0/24
add action=drop chain=forward-untrusted log=yes out-interface=br-vlan-dmz
add action=drop chain=forward-untrusted log=yes out-interface=br-vlan-management
add action=drop chain=forward-untrusted log=yes out-interface=br-vlan-trusted
add action=return chain=forward-untrusted
# Trusted: own prefix only; no access to management (DMZ and untrusted are reachable).
add action=drop chain=forward-trusted comment="Drop traffic originating from a different network" log=yes log-prefix=origin src-address=!172.20.0.0/16
add action=drop chain=forward-trusted log=yes out-interface=br-vlan-management
add action=return chain=forward-trusted
# Management: own prefix only; everything else is allowed.
add action=drop chain=forward-management comment="Drop traffic originating from a different network" log=yes log-prefix=origin src-address=!10.0.0.0/8
add action=return chain=forward-management
# Masquerade everything that leaves via the WAN bridge or via the tunnel.
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=br-wan
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=vpn
# The only route in table "dmz" is this default via the tunnel; the connected
# routes for the other bridges exist only in the main table.
/ip route
add distance=1 gateway=vpn routing-mark=dmz
# NOTE(review): this rule matches every packet that enters on br-vlan-dmz,
# including replies from DMZ hosts to the trusted/management/untrusted
# networks. Because table "dmz" holds only a default route, those replies
# are sent into the tunnel as well -- which matches the symptom described
# in the post. Rules placed before this one that send traffic from
# br-vlan-dmz for each local prefix to table=main (or connected routes
# added to table "dmz") should keep inter-VLAN traffic off the tunnel;
# confirm in a lab before enabling.
/ip route rule
add disabled=yes dst-address=0.0.0.0/0 interface=br-vlan-dmz table=dmz
