xian1sheng1
just joined
Topic Author
Posts: 11
Joined: Sun Jul 21, 2019 1:22 am

VLAN setup help

Mon Feb 24, 2020 1:34 am

Here's part of my network layout:
Image

Both router and switch are running RouterOS v6.45.7.

Currently the clients of the Guest SSID only have WAN access (no LAN access) by way of some internal firewall rules in the AP.
And AFAICT, there's no way for any machine on the LAN to connect to anything on the Guest SSID.
I'd like to allow connections to be initiated from some of the "Other LAN clients" to some of the clients in the Guest SSID.

I figured out how to get the RT-AC68U to tag the Guest SSID's packets with a VLAN tag (I used 9).
However once I do that, the Guest SSID clients lose WAN connectivity entirely. I fiddled around a bit in the router trying to restore it but was unable to figure it out.

Note that both the Guest and Normal traffic are flowing over a single ethernet cable from the RT-AC68U AP to the CRS326 switch, and this would be very hard to change.

So my questions are:
1. What are the steps to give WAN access to the clients of Guest SSID (which I think amounts to the packets with VLAN tag 9)?
2. What are the steps to allow something in "other LAN clients" to initiate a connection to something VLAN 9, but not vice versa?

Thanks in advance for any help!
 
xian1sheng1
just joined
Topic Author
Posts: 11
Joined: Sun Jul 21, 2019 1:22 am

Re: VLAN setup help

Sun Mar 08, 2020 7:07 pm

Any hints would be appreciated, even if it's just a series of links to the documentation. I just don't know the overall steps or terminology involved.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN setup help

Mon Mar 09, 2020 3:32 am

First, it's not clear how it works now. What addresses do guests get? Is there a separate subnet only on the AP? Also, how the blocked access to LAN works would be interesting to know.

For the new config you need to configure the switch to allow tagged vlan 9 on the ports connected to the AP and router. You didn't even write if it has RouterOS or SwOS, so...

Once you have vlan 9 passing through the switch, you need the same vlan also on the router. If there's only a single port connected to the switch (no bridge), then simply add a vlan interface on top of this port. If you have something more complex there, you'll have to integrate it into that.

With the vlan interface ready, add some new subnet to it, then configure a DHCP server, and you'll have a guest subnet. Depending on your current firewall, it may have access everywhere or nowhere or something in between, so you'll have to do something with that.

I mean, I know I'm not really helping, but it's difficult. You have a nice image, but the fact is, pretty much everything about your current config is one big mystery.
 
xian1sheng1
just joined
Topic Author
Posts: 11
Joined: Sun Jul 21, 2019 1:22 am

Re: VLAN setup help

Mon Mar 16, 2020 2:24 am

Hi Sob,
Thanks so much for taking the time to read and reply.
First, it's not clear how it works now. What addresses do guests get? Is there separate subnet only on AP? Also how the blocked access to LAN works would be interesting to know.
There is no separate subnet for the guest WiFi or normal WiFi.
Everything gets addresses via DHCP from the router from 192.168.88.0/24.
I am fairly sure that *before* I set up any VLAN stuff, the blocking of guest access to LAN works through some firewall rules in the ASUS AP.
I think I'll need to implement a different solution as part of switching from the ASUS AP's default settings to using VLANs.
For new config you need to configure switch to allow tagged vlan 9 on ports connected to AP and router. You didn't even write if it has RouterOS or SwOS, so...
The router and the switch are both running RouterOS (which I did write in the first post, but no worries for missing it).
Is what I need to do covered in "Manual:Basic VLAN switching"?
Once you have vlan 9 passing through switch, you need same vlan also on router. If there's only single port connected to switch (no bridge), then simply add vlan interface on top of this port. If you have something more complex there, you'll have to integrate it into that.

With vlan interface ready, add some new subnet to it, then configure DHCP server, and you'll have guest subnet. Depending on your current firewall, it may have access everywhere or nowhere or something in between, so you'll have to do something with that.
I think I may have gotten this far last time but the firewall rules ended up with "access nowhere". How do I provide access to the WAN but not the LAN to that subnet?
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup help

Mon Mar 16, 2020 3:55 am

This is the gold standard reference you should be using....... at least for the hex router. The switch is a different beast altogether and I am not qualified to even look at it............
viewtopic.php?f=13&t=143620
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN setup help

Thu Mar 19, 2020 3:04 am

Same kind of config is also for switch, when it runs RouterOS (right, now I see it). And this CRS should even support automatic HW offloading.

If you have the basic config working, i.e. you have a vlan interface on the router, with a dhcp server, and clients connected to the AP are getting addresses, the rest is just firewall. It can be blocked by a filter, you may be missing an srcnat rule, etc. Add the endless amount of possible creative misconfigurations and we can be guessing until next Christmas. It's best to export this non-working config and post it here in code tags, then it should be clear what's wrong.
 
xian1sheng1
just joined
Topic Author
Posts: 11
Joined: Sun Jul 21, 2019 1:22 am

Re: VLAN setup help

Mon Mar 23, 2020 7:18 am

Thanks for linking to "Using RouterOS to VLAN your network". I followed those examples and got things mostly working, but the clients on the guest SSID (now VLAN 20) don't seem to get IP addresses assigned.

I've uploaded my switch, router, and access point configs (access point is a shell script for the ASUS):
https://gist.github.com/garymm/50f15500 ... 0abc665ef

Any ideas what's wrong?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: VLAN setup help

Mon Mar 23, 2020 12:43 pm

I followed those examples and got things mostly working, but the clients on the guest SSID (now VLAN 20) don't seem to get IP addresses assigned.

Any ideas what's wrong?
Sounds like there is no access to the CPU, so you are isolated from your Router. Are your Bridge and Trunk added to the tagged ports?
 
tdw
Forum Guru
Posts: 1855
Joined: Sat May 05, 2018 11:55 am

Re: VLAN setup help

Mon Mar 23, 2020 2:11 pm

Assuming the AP is plugged into the CRS as shown in the picture, there is no /interface bridge vlan configuration for VLAN 20 on the CRS
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup help

Mon Mar 23, 2020 2:11 pm

Summary, see nothing wrong with hex setup except the following rule........

add action=masquerade chain=srcnat comment=\
"hairpin NAT so LAN can access hass using WAN IP" dst-address=10.0.10.2 \
dst-port=8023 out-interface=BR1 protocol=tcp src-address=192.168.88.0/24


For hairpin NAT, this ONLY applies to the same subnet that the server is within.
If you are accessing the server from a different subnet then a hairpin nat rule is not required.
In this case it appears as though you wish to access servers from the 192.168.0 subnet while the servers are on the 10.0.10. subnet
In which case you do not need an extra source nat rule at all!!

IF the server was also on the 192.168.0.0 subnet the sourcenat rule you need to add (xtra rule) is as follows.
add chain=srcnat action=masquerade comment="HairpinNAT" src-address=192.168.0.0/24 dst-address=192.168.0.0/24
Note: This assumes that your server is the .0.0 subnet and you want PCs from the same subnet to access the server using the WANIP address of the router.

What is not clear is if the WANIP is dynamic or static, since you use masquerade as action in the standard source nat rule one could assume dynamic.
If that is the case, then the associated dstnat rule (for hairpin nat - server in same subnet) for that server gets complicated............. No need to bring it up here as it appears you just need to get rid of the interfering source nat rule.....

Hold................. WTF is 192.168.88.0 There is no subnet on the config lol...........
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup help

Mon Mar 23, 2020 2:54 pm

also noted this on hex......
add action=dst-nat chain=dstnat comment="home assistant" dst-port=8023 \
protocol=tcp to-addresses=10.0.10.2 to-ports=8023
add action=dst-nat chain=dstnat comment="web (for certbot)" disabled=yes \
dst-port=80 protocol=tcp to-addresses=10.0.10.2 to-ports=80

should be
add action=dst-nat chain=dstnat comment="home assistant" dst-port=8023 \
protocol=tcp in-interface=WAN to-addresses=10.0.10.2
add action=dst-nat chain=dstnat comment="web (for certbot)" disabled=yes \
dst-port=80 protocol=tcp in-interface=WAN to-addresses=10.0.10.2

Note: Don't need to-ports if not different from dest ports.
 
xian1sheng1
just joined
Topic Author
Posts: 11
Joined: Sun Jul 21, 2019 1:22 am

Re: VLAN setup help

Tue Mar 24, 2020 6:43 am

anav: Thanks for pointing out the bugs in the hairpin NAT rules. They had been copy-pasted from my previous configuration without having been updated for the new IP subnets and addresses. I will fix soon.
Assuming the AP is plugged into the CRS as shown in the picture, there is no /interface bridge vlan configuration for VLAN 20 on the CRS
The AP is plugged into ether1 of the CRS. I thought it had to be plugged into a trunk port because the packets coming from it are already tagged (with either 10 or 20)?

So I thought this code was all that was needed, but please let me know if it's wrong:
# egress behavior
/interface bridge vlan

# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
set bridge=BR1 tagged=ether1,ether2 [find vlan-ids=10]
set bridge=BR1 tagged=ether1,ether2 [find vlan-ids=20]
I think I have some issue with my DHCP and/or VLAN configs that I'm struggling to figure out. Symptoms:
- The access point main network works if I statically assign an IP address to the access point itself (10.0.10.4). At that point the clients on the main SSID get assigned IP addresses on the blue VLAN + subnet. But when I changed the access point to receive an IP over DHCP, it seems to not get an IP address and it basically stops working entirely (clients lose DHCP as well).
- The guest SSID was never getting IP addresses assigned to clients.
- Machines plugged directly into the switch do get an IP address assigned and have internet access.

Thanks again for all the help.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: VLAN setup help

Tue Mar 24, 2020 9:40 am

A nice page in the wiki for common Layer 2 Mistakes, the symptoms and resolutions...
https://wiki.mikrotik.com/wiki/Manual:L ... _interface
 
Joni
Member Candidate
Posts: 156
Joined: Fri Mar 20, 2015 2:46 pm

Re: VLAN setup help

Tue Mar 24, 2020 10:23 am

 
xian1sheng1
just joined
Topic Author
Posts: 11
Joined: Sun Jul 21, 2019 1:22 am

Re: VLAN setup help

Mon Mar 30, 2020 3:53 am

Thanks for all the help so far.

I made some large changes to the ASUS Access Point script, and I added this to the switch config:
add bridge=BR1 tagged=ether1,ether2 vlan-ids=20 comment="GREEN_VLAN"
(thanks @tdw!)

Now clients on the guest WiFi network (VLAN 20, GREEN_VLAN) do get IP addresses assigned by the GREEN_POOL DHCP server!

But, it seems for clients on both, there are frequent connection interruptions, even for connections between two clients on the same VLAN. E.g. SSH'ing from the WiFi to a wired client gets interrupted frequently, as does internet access. So I think something must still be misconfigured.

This has been updated to match what I'm running now:
https://gist.github.com/garymm/50f15500 ... a0abc665ef

Anybody see anything wrong there?

Thanks for any additional help.
Last edited by xian1sheng1 on Mon Mar 30, 2020 7:15 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup help

Mon Mar 30, 2020 3:51 pm

You didn't fix your mess here,
(1) the dst nat rules need an in-interface-list=WAN for a dynamic WANIP (except any server where you wish to use hairpin nat - then do not use in-interface-list=WAN)
(2) Don't need to-ports if same as destination ports
(3) Other issue is your second srcnat rule for hairpin.

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="home assistant" dst-port=8023 \
protocol=tcp to-addresses=10.0.10.3 to-ports=8023
add action=dst-nat chain=dstnat comment="web (for certbot)" disabled=yes \
dst-port=80 protocol=tcp to-addresses=10.0.10.3 to-ports=80
add action=masquerade chain=srcnat comment=\
"hairpin NAT so LAN can access hass using WAN IP" dst-address=10.0.10.3 \
dst-port=8023 out-interface-list=VLAN protocol=tcp src-address=\
10.0.10.0/24

add action=dst-nat chain=dstnat comment=Plex dst-port=15088 protocol=tcp \
to-addresses=10.0.10.3 to-ports=32400
add action=dst-nat chain=dstnat comment="deluge torrents" dst-port=65267 \
protocol=tcp to-addresses=10.0.10.3 to-ports=65267
add action=dst-nat chain=dstnat comment="deluge torrents" dst-port=65268 \
protocol=tcp to-addresses=10.0.10.3 to-ports=65268


3. It appears that you wish to be able to access servers in the 10.0.10. network via your WANIP address from the 192.168.0 network?
If so it should work without an additional srcnat hairpin rule. It is only required when accessing the server from the same network, i.e. PCs in the 10.0.10 network trying to reach a server in the 10.0.10 network via the WANIP of the router.

A question for Sob and Mkx, as I didn't think of this before....... When accessing a server from a different subnet it would appear this may be a unique method for bypassing normal layer 2 restrictions but am curious about L3 (firewall rules). For example, normally, a user on vlan10 would not be able to access a server on VLAN20 due to basic layer 2 separation, however we also need to prevent the router from routing between the two so we add in either a drop vlan10 to vlan 20 rule, or add in a drop all else rule at the end of the forward chain etc......

So with vlan separation and a firewall setup that prevents vlan cross talk, Q - Does the router allow vlan10 user to bypass vlan and firewall restrictions to vlan 20 when the user enters the WANIP of the router and server port to access the server?
Last edited by anav on Wed Apr 01, 2020 2:20 pm, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN setup help

Mon Mar 30, 2020 5:05 pm

It depends on order of rules. If you allow all dstnatted ports first and then block access between vlans, it will work. If you swap these rules, then it won't.
 
xian1sheng1
just joined
Topic Author
Posts: 11
Joined: Sun Jul 21, 2019 1:22 am

Re: VLAN setup help

Mon Mar 30, 2020 6:53 pm

Thanks anav. I am trying to access the server 10.0.10.3 using its WAN IP from the same network (10.0.10.0/24).
How would I accomplish this?
 
xian1sheng1
just joined
Topic Author
Posts: 11
Joined: Sun Jul 21, 2019 1:22 am

Re: VLAN setup help

Mon Mar 30, 2020 7:24 pm

And I just changed all the dst-nat rules to have in-interface-list=WAN and disabled the hairpin NAT rule but I think I'm still seeing intermittent internet connectivity issues.
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup help

Mon Mar 30, 2020 9:17 pm

Thanks anav. I am trying to access the server 10.0.10.3 using its WAN IP from the same network (10.0.10.0/24).
How would I accomplish this?
Just add the following rule
add chain=srcnat action=masquerade src-address=10.0.10.0/24 dst-address=10.0.10.0/24

This is the associated dst nat rule ?
add action=dst-nat chain=dstnat comment="home assistant" in-interface-list=WAN dst-port=8023 \
protocol=tcp to-addresses=10.0.10.3

The above rule for destination nat is for dynamic WANIPs, and should also work if you have a static WANIP, although it's better to state the destination nat rule like this for static WANIPs..
add action=dst-nat chain=dstnat comment="home assistant" dst-port=8023 dst-address=x.x.x.x \
protocol=tcp to-addresses=10.0.10.3

If you have a dynamic WANIP AND a Hairpin issue, then one has to modify the destination nat rule for hairpin situations..........you need to change that destination nat rule to this..........
add chain=dstnat action=dst-nat dst-port=8023 protocol=tcp dst-address=!10.0.10.1 \
dst-address-type=local to-addresses=10.0.10.3
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: VLAN setup help

Tue Mar 31, 2020 1:10 pm

@anav I do not understand that not "!" on your dst-nat rule...
In case as you state there is a dynamic WAN IP and let's say I use the cloud DNS of the MikroTik device that points to 10.0.10.1 when resolved within the LAN, then your dst-nat rule without the "!" would work just fine...
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup help

Tue Mar 31, 2020 1:22 pm

Hi Zach, I blame everything I know on Sob and Mkx, but I will give it a go.......
Since we do not know what the WANIP is, we use dst-address-type=local.
This tells the router the packet is going to an interface on the router, could be LAN, could be WAN

But when we define the dst-address we say, destination is anywhere EXCEPT the local LAN.
That leaves only the WAN left.........
So the destination is the WAN interface and thus the WANIP.

Or something like that.
Where it falls apart for me is what happens when there are three LAN subnets 192.168.0.1, 192.168.1.1, and 192.168.2.1 (and the server is 192.168.0.10).
In this case I am lost as the router has two other interfaces to consider.
What if I had the subnet and 5 vlans, what would the router do??
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: VLAN setup help

Tue Mar 31, 2020 3:25 pm

@anav everything is understood...
However, could you give me an actual example so that I understand the logic behind that?
You say there is a Public WAN IP, so what do I hit inside my LAN so that I access my device? Do I use a DNS service? If yes, is that resolved to my router's Local IP or the Public one? If no DNS is used what address will I make use of?
I approach cases like this a little differently, that's why I ask.. so that I test your case for real...
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup help

Tue Mar 31, 2020 3:29 pm

This is a straightforward case when you have users that need to access the server via its WANIP address and not directly through the LANIP of the server.
If you mean how do the users access the server, I would say the same way I would set it up for external users, DYNDNS name for example (yes, resolves to WAN IP).
That's what I do for mine as I have my septic panel available to servicing folks locally and in the US, so I have them on a source address list and I give them a dyndns that I set up so they don't have to get the current WAN IP number from me.
 
xian1sheng1
just joined
Topic Author
Posts: 11
Joined: Sun Jul 21, 2019 1:22 am

Re: VLAN setup help

Tue Mar 31, 2020 7:12 pm

I have a dynamic WAN IP and use Dynamic DNS. Clients get the WAN IP address via DNS.

Tried all of these, none of them seems to work for hairpin NAT:
;;; Seems closest to example in https://wiki.mikrotik.com/wiki/Hairpin_NAT
chain=srcnat action=masquerade protocol=tcp 
      src-address=10.0.10.0/24 dst-address=10.0.10.3 
      out-interface=BLUE_VLAN dst-port=8023 

;;; no out-interface
chain=srcnat action=masquerade protocol=tcp 
src-address=10.0.10.0/24 dst-address=10.0.10.3 dst-port=8023

;;; dst-address is whole subnet
chain=srcnat action=masquerade protocol=tcp 
src-address=10.0.10.0/24 dst-address=10.0.10.0/24 dst-port=8023

;;; no dst-port
chain=srcnat action=masquerade protocol=tcp 
src-address=10.0.10.0/24 dst-address=10.0.10.0/24

;;; no protocol
chain=srcnat action=masquerade src-address=10.0.10.0/24 
dst-address=10.0.10.0/24

Updated this with my current config:
https://gist.github.com/garymm/50f15500 ... a0abc665ef
(hairpin NAT rule is disabled there b/c it wasn't working)

Additionally DNS seems to be flaky on my VLAN 10 WiFi clients (haven't checked wired yet). Any ideas what's going on with that?

Thanks again for all the help y'all.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: VLAN setup help

Tue Mar 31, 2020 8:00 pm

In your case @xian1sheng1 all three rules would work just fine for you... I start to think that you might have something else missing and that's why you can't access your device... wrong ports? wrong IP? Who knows.. only you :D

@anav I tested your case, which as you remember I had a little disagreement with, with all the respect of course, about the dst-address=10.0.10.1...
My conclusion is that I found no cases where it should be in particular !10.0.10.1 ....which was my question since the beginning... why in particular the Router's address...
We can just use dst-address-type invert local... or just !10.0.10.0/24... So maybe I miss a specific case why the router's address must be excluded... ?
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup help

Tue Mar 31, 2020 8:46 pm

 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup help

Tue Mar 31, 2020 9:00 pm

Looked at your config and all looks good to me.
Not sure if it makes a difference but put this rule before the dst nat rules in case it makes a difference........

chain=srcnat action=masquerade src-address=10.0.10.0/24
dst-address=10.0.10.0/24
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN setup help

Wed Apr 01, 2020 12:35 am

Why does everyone keep making the same mistake? Hairpin NAT means that connections will be coming from LAN. Guess what will happen when dstnat rule has in-interface-list=WAN. Right, nothing.
 
anav
Forum Guru
Posts: 19363
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN setup help

Wed Apr 01, 2020 4:20 am

Why does everyone keep making the same mistake? Hairpin NAT means that connections will be coming from LAN. Guess what will happen when dstnat rule has in-interface-list=WAN. Right, nothing.
Please take your meds, no one here is saying anything different.
Not every destination nat rule in a config needs hairpin if the OP doesn't want it.............

So a config can have a combination of both regular dst NAT rules WITH in-interface-list=WAN, and the ones requiring hairpin nat will NOT.
What is also true is that if there is at least one hairpin dst nat rule, then one will have to have at least two src nat rules.
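
Pulling the thread's conclusions together, the following is an added example (not the OP's gist and not MikroTik documentation) of the NAT and forward-chain rules for one service that must be reachable from the internet and, by hairpin, from its own subnet on a dynamic WAN IP. It assumes the names and addresses used in the thread: interface lists WAN and VLAN (the latter containing both VLAN interfaces), BLUE_VLAN = 10.0.10.0/24 with the router at 10.0.10.1 and the server at 10.0.10.3:8023, and GREEN_VLAN as the guest VLAN 20 interface.

```routeros
# Added example, not the OP's gist and not MikroTik documentation: the
# hairpin-capable port forward on a dynamic WAN IP that the thread arrives
# at, plus the forward-chain order that decides whether a second VLAN may
# use the published service. Assumed names and addresses, taken from the
# thread: interface lists WAN and VLAN, BLUE_VLAN = 10.0.10.0/24 with the
# router at 10.0.10.1 and the server at 10.0.10.3:8023, GREEN_VLAN = guest
# VLAN 20.

/ip firewall nat
# Ordinary outbound masquerade (the defconf rule, unchanged).
add chain=srcnat action=masquerade out-interface-list=WAN \
    comment="defconf: masquerade"

# Hairpin srcnat, only needed when client and server share a subnet: without
# it the server sees the client's real address and answers it directly, and
# the client drops a reply that comes from 10.0.10.3 instead of the WAN IP.
# Clients on other VLANs are routed back through the router anyway (anav's
# point), so they do not need this rule.
add chain=srcnat action=masquerade src-address=10.0.10.0/24 \
    dst-address=10.0.10.0/24 comment="hairpin NAT inside BLUE_VLAN"

# Hairpin-capable dstnat. No in-interface-list=WAN here (Sob's point): a
# hairpin connection enters on a LAN interface and would never match it.
# dst-address-type=local matches every address the router owns; excluding
# the LAN gateway leaves the WAN address, whatever the ISP assigned today.
# With more LAN gateways, exclude each of them (e.g. via an address list),
# or connections to those gateway addresses get forwarded too.
add chain=dstnat action=dst-nat dst-address-type=local \
    dst-address=!10.0.10.1 protocol=tcp dst-port=8023 \
    to-addresses=10.0.10.3 comment="home assistant: WAN + hairpin"

# A service only ever reached from outside keeps the stricter WAN-only form;
# to-ports is given only because it differs from dst-port.
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp \
    dst-port=15088 to-addresses=10.0.10.3 to-ports=32400 \
    comment="Plex: WAN only"

/ip firewall filter
add chain=forward action=accept connection-state=established,related
# Rule order answers anav's question. With the guest drop first, a
# GREEN_VLAN client connecting to WANIP:8023 is dst-nat'ed to 10.0.10.3 in
# prerouting and then dropped here; swap the next two rules and guests reach
# the published service through the WAN IP while still being blocked from
# everything else in BLUE_VLAN.
add chain=forward action=drop in-interface=GREEN_VLAN \
    out-interface=BLUE_VLAN comment="guest -> LAN blocked"
# Port-forwarded connections, from the internet and hairpinned from
# BLUE_VLAN alike, are accepted by their NAT state.
add chain=forward action=accept connection-nat-state=dstnat \
    comment="accept port forwards"
add chain=forward action=accept in-interface-list=VLAN \
    out-interface-list=WAN comment="LAN -> internet"
add chain=forward action=drop comment="drop all else"
```

Verify the hairpin path with /ip firewall connection after connecting from a BLUE_VLAN client to the WAN IP on port 8023: the entry should show both dstnat and srcnat flags, and the reply address should be the router's, not 10.0.10.3.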
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN setup help

Wed Apr 01, 2020 5:42 pm

OP's last post suggests that it's wanted. And the linked config has all dstnat rules in-interface-list=WAN. So I thought it wouldn't hurt to mention it.
