WayneF
newbie
Topic Author
Posts: 34
Joined: Sat May 23, 2020 4:51 am

Routing between bridge interfaces - masquerade required or not?

Sat Dec 19, 2020 5:45 am

Hi,

Is masquerading required for routing to work across interfaces in a bridge?

I have two interfaces ap9 and ap10 part of the bridge, and devices on ap9 cannot access devices on ap10 (they can access the internet).
My NAT is set only on my WAN interface, but if I enable NAT with a source IP address range of 192.168.0.0/16 regardless of the interface, then the devices on ap9 can access devices on ap10.

What else can be done to fix this problem, or is NAT required?

Here is my routing:
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 pope 1
1 ADC 192.168.0.0/24 192.168.0.2 bridge 0
2 ADC 192.168.1.0/24 192.168.1.2 bridge-ap9 0
3 ADC 192.168.2.0/24 192.168.2.2 bridge-ap10 0
Last edited by WayneF on Sat Dec 19, 2020 6:17 am, edited 1 time in total.
 
WayneF
newbie
Topic Author
Posts: 34
Joined: Sat May 23, 2020 4:51 am

Re: Routing between interfaces - masquerade required or not?

Sat Dec 19, 2020 6:05 am

I noticed my bridge is set ARP enabled. Perhaps proxy-arp will work?

The docs located here mention this, but my router has an option not mentioned there: "local-proxy-arp"

https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
Address Resolution Protocol setting
disabled - the interface will not use ARP
enabled - the interface will use ARP
proxy-arp - the interface will use the ARP proxy feature
reply-only - the interface will only reply to requests originated from matching IP address/MAC address combinations which are entered as static entries in the IP/ARP table. No dynamic entries will be automatically stored in the IP/ARP table. Therefore for communications to be successful, a valid static entry must already exist.
 
WayneF
newbie
Topic Author
Posts: 34
Joined: Sat May 23, 2020 4:51 am

Re: Routing between interfaces - masquerade required or not?

Sat Dec 19, 2020 6:10 am

I tried the arp settings, and it had no effect. (I did not reboot, or re-connect. I made the change and did a test).
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Routing between bridge interfaces - masquerade required or not?

Sat Dec 19, 2020 6:20 am

What else can be done to fix this problem, or is NAT required?
Your firewall must have been configured to block the traffic between VLANs, given your description. The factory default MikroTik firewall should not do this, but you might have modified it.
 
WayneF
newbie
Topic Author
Posts: 34
Joined: Sat May 23, 2020 4:51 am

Re: Routing between bridge interfaces - masquerade required or not?

Sat Dec 19, 2020 6:27 am

Here are my interface IP addresses:

[admin@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
1 ;;; lan
192.168.0.2/24 192.168.0.0 bridge
2 ;;; ap9
192.168.1.2/24 192.168.1.0 bridge-ap9
3 ;;; ap10
192.168.2.2/24 192.168.2.0 bridge-ap10

Ping Results:
I am connected to ap10 and cannot ping a device on ap9, e.g. 192.168.1.3.
I can ping the ap9 interface though (192.168.1.2).
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Routing between bridge interfaces - masquerade required or not?

Sat Dec 19, 2020 6:30 am

I am connected to ap10 and cannot ping a device on ap9, e.g. 192.168.1.3.
I can ping the ap9 interface though (192.168.1.2).
This behavior will be normal with the default firewall. You'll have to add the other two bridges to the Interface List named "LAN" if you want to be able to ping that router interface.
 
WayneF
newbie
Topic Author
Posts: 34
Joined: Sat May 23, 2020 4:51 am

Re: Routing between bridge interfaces - masquerade required or not?

Sat Dec 19, 2020 6:38 am

Here are my firewall rules: I do not see anything wrong with them?

[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
8 ;;; 1: defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""

9 ;;; 2: defconf: drop invalid
chain=input action=drop connection-state=invalid log=yes log-prefix=""

10 X ;;; 3: defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""

11 ;;; 4: defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1 log=no log-prefix=""

12 ;;; 5: defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=yes log-prefix=""

13 ;;; 6: protection - 139 and 445 : SMB
chain=input action=drop protocol=tcp src-address-list=!addr-list-local dst-port=21-23,53,80,443,2000,6129,137-139,445,8291 log=yes log-prefix="firewall drop"

14 ;;; 7: protection
chain=input action=drop protocol=udp src-address-list=!addr-list-local dst-port=53,137-138 log=yes log-prefix="firewall drop"

15 ;;; 8: defconf: accept in ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec

16 ;;; 9: defconf: accept out ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec
 
WayneF
newbie
Topic Author
Posts: 34
Joined: Sat May 23, 2020 4:51 am

Re: Routing between bridge interfaces - masquerade required or not?

Sat Dec 19, 2020 6:51 am

I just checked and my interfaces are in the correct "LIST".

Both ap9 and ap10, are in the list named "LAN";
"I tried to print it out but that did not work, interface list print did not work for me, it showed the list names but did not print the interface names."

Starting to wonder that since my Firewall is referring to "LAN", then possibly my Firewall rules are ok.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Routing between bridge interfaces - masquerade required or not?

Sat Dec 19, 2020 6:55 am

"I tried to print it out but that did not work, interface list print did not work for me, it showed the list names but dit not print the interface names."
You need to run "interface list member print" to see the memberships.
 
WayneF
newbie
Topic Author
Posts: 34
Joined: Sat May 23, 2020 4:51 am

Re: Routing between bridge interfaces - masquerade required or not?

Sat Dec 19, 2020 7:03 am

Thanks for helping out!!

That worked perfect... "interface list member print"

Flags: X - disabled, D - dynamic
# LIST INTERFACE
0 ;;; defconf
LAN bridge
1 ;;; defconf
WAN ether1
2 WAN pppoe
3 LAN bridge-ap9
4 LAN bridge-ap10
 
WayneF
newbie
Topic Author
Posts: 34
Joined: Sat May 23, 2020 4:51 am

Re: Routing between bridge interfaces - masquerade required or not?

Sat Dec 19, 2020 7:09 am

and my bridge config:

Flags: X - disabled, R - running
0 R ;;; defconf
name="bridge" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=C6:AD:xx:xx:xx:F6 protocol-mode=none fast-forward=yes igmp-snooping=no auto-mac=no
admin-mac=C6:AD:xx:xx:xx:F6 ageing-time=5m vlan-filtering=no dhcp-snooping=no

1 R ;;; bridge access point 9
name="bridge-ap9" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=C4:AD:xx:xx:xx:FD protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m
priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no

2 R name="bridge-ap10" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=C4:AD:xx:xx:xx:FE protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m
priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Routing between bridge interfaces - masquerade required or not?

Sat Dec 19, 2020 7:50 am

and my bridge config:
Can you export your full config with export hide-sensitive?
 
WayneF
newbie
Topic Author
Posts: 34
Joined: Sat May 23, 2020 4:51 am

Re: Routing between bridge interfaces - masquerade required or not?

Sat Dec 19, 2020 11:57 am

export hide-sensitive
# dec/19/2020 22:43:02 by RouterOS 6.45.9
# software id =
#
# model = RB4011iGS+
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge protocol-mode=none
add comment="bridge access point 9 - upstairs" name=bridge-ap9
add name=bridge-ap10
/interface vlan
add comment="eth1 not part of the bridge" interface=ether1 loop-protect=on name=vlan-isp vlan-id=10
/interface pppoe-client
add add-default-route=yes comment=isp disabled=no interface=vlan-isp keepalive-timeout=disabled name=pppoe-isp use-peer-dns=yes user=
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.199
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.253
add name=ipsec ranges=192.168.30.2-192.168.30.253
add name=pool-ap9 ranges=192.168.1.200-192.168.1.253
add name=pool-ap10 ranges=192.168.2.200-192.168.2.253
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=pool-ap9 disabled=no interface=bridge-ap9 name=dhcp-ap9
add address-pool=pool-ap10 disabled=no interface=bridge-ap10 name=dhcp-ap10
/queue tree
add max-limit=450M name=AP9 parent=bridge-ap9
add bucket-size=0.01 max-limit=450M name=AP10 parent=bridge-ap10
add name=DNS-AP10 packet-mark=dns-ap10 parent=AP10 priority=1
/queue type
set 0 kind=sfq
add kind=red name=redCustom red-avg-packet=1514
/queue tree
add max-limit=450M name=iNetEgress parent=pppoe-isp queue=default
add name=DNS packet-mark=dns parent=iNetEgress priority=1 queue=default
add name="TCP SYN,ACK" packet-mark=tcp-syn-ack parent=iNetEgress priority=2 queue=default
add name=VoIP packet-mark=voip parent=iNetEgress priority=3 queue=default
add name="Google Hangouts" packet-mark=gvc parent=iNetEgress priority=4 queue=default
add name=Interactive packet-mark=interactive parent=iNetEgress priority=5 queue=default
add name="HTTP, HTTPS" packet-mark=http-https parent=iNetEgress priority=6 queue=pcq-upload-default
add name=Default packet-mark=no-mark parent=iNetEgress priority=7 queue=pcq-upload-default
add bucket-size=0.01 max-limit=440M name=no-mark packet-mark=no-mark parent=AP10 queue=pcq-download-default
add name=no-mark-ap9 packet-mark=no-mark parent=AP9 queue=pcq-download-default
add name="TCP SYN,ACK-AP10" packet-mark=tcp-syn-ack-ap10 parent=AP10 priority=2 queue=default
add name="HTTP, HTTPS-AP10" packet-mark=http-https-ap10 parent=AP10 priority=6 queue=pcq-upload-default
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge-ap9 comment=defconf interface=ether9
add bridge=bridge-ap10 comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-isp list=WAN
add interface=bridge-ap9 list=LAN
add interface=bridge-ap10 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=ether2 network=192.168.88.0
add address=192.168.0.2/24 comment=lan interface=bridge network=192.168.0.0
add address=192.168.1.2/24 comment=ap9 interface=bridge-ap9 network=192.168.1.0
add address=192.168.2.2/24 comment=ap10 interface=bridge-ap10 network=192.168.2.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.0.10 mac-address=XX:XX:XX:XX:XX:XX server=defconf
add address=192.168.2.253 address-lists=WF client-id= comment="x" mac-address=XX:XX:XX:XX:XX:XX server=dhcp-ap10
add address=192.168.2.230 client-id=x mac-address= server=dhcp-ap10
add address=192.168.1.211 client-id=x mac-address= server=dhcp-ap9
add address=192.168.2.209 client-id=x mac-address= server=dhcp-ap10
add address=192.168.1.207 address-lists=WF client-id= mac-address= server=dhcp-ap9
/ip dhcp-server network
add address=192.168.0.0/24 comment="default configuration" dns-server=192.168.0.2 gateway=192.168.0.2 netmask=16
add address=192.168.1.0/24 comment=ap-9 dns-server=192.168.0.2 gateway=192.168.1.2 netmask=24
add address=192.168.1.211/32 comment="" dns-server=192.168.0.2 gateway=192.168.1.2
add address=192.168.2.0/24 comment=ap-10 dns-server=192.168.0.2 gateway=192.168.2.2 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=8.8.8.8 comment=Google1 name=Google1
add address=8.8.4.4 comment=Google2 name=Google2
add address=192.168.0.2 name=router
add address=208.67.222.222 comment=OpenDNS1 name=OpenDNS1
add address=208.67.220.220 name=OpenDNS2
add address=9.9.9.9 comment="Quad9 DNS" name=Quad9
add address=1.1.1.1 comment="Cloud Flair DNS server" name=cloudflair
add address=192.168.1.207 regexp=googlesyndication* ttl=1m
add address=192.168.1.207 comment=double-click.net regexp=doubleclick* ttl=1m
add address=192.168.2.253 regexp=securepubads* ttl=1m
add address=192.168.2.253 regexp="amazon\\\\-adsystem*" ttl=1m
add address=192.168.2.253 regexp=moatads* ttl=1m
add address=192.168.2.253 regexp=responsiveads* ttl=1m
add address=192.168.2.253 regexp=buysellads* ttl=1m
add address=192.168.2.253 regexp=taboola* ttl=1m
add address=192.168.2.253 regexp=outbrain* ttl=1m
add address=192.168.2.253 regexp=outbrainimg* ttl=1m
add address=192.168.1.207 regexp=gravytrain5* ttl=1m
add address=127.0.0.1 disabled=yes name=gravytrain5.live
add address=127.0.0.1 disabled=yes regexp=facebook*
/ip firewall address-list
add address=192.168.1.200-192.168.1.253 list=addr-list-ap9
add address=192.168.0.10-192.168.0.199 list=addr-list-lan
add address=192.168.2.200-192.168.2.253 list=addr-list-ap10
add address=192.168.0.0/16 list=addr-list-local
/ip firewall filter
add action=accept chain=input comment="1: defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="2: defconf: drop invalid" connection-state=invalid log=yes
add action=accept chain=input comment="3: defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="4: defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="5: defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes
add action=drop chain=input comment="6: protection - 139 and 445 : SMB" dst-port=21-23,53,80,443,2000,6129,137-139,445,8291 log=yes log-prefix="firewall drop" protocol=tcp src-address-list=\
!addr-list-local
add action=drop chain=input comment="7: protection" dst-port=53,137-138 log=yes log-prefix="firewall drop" protocol=udp src-address-list=!addr-list-local
add action=accept chain=forward comment="8: defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="9: defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="10: defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="11: defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="12: defconf: drop invalid" connection-state=invalid log=yes
add action=drop chain=forward comment="13: defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=1300 out-interface=pppoe-isp passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535
add action=mark-connection chain=output comment="DNS, UDP" connection-state=new dst-port=53 new-connection-mark=dns out-interface=pppoe-isp passthrough=no protocol=udp
add action=mark-connection chain=postrouting comment="DNS, UDP" connection-state=new dst-port=53 new-connection-mark=dns-ap10 passthrough=no protocol=udp src-address-list=addr-list-ap10
add action=mark-connection chain=output comment=" DNS, TCP" connection-state=new dst-port=53 new-connection-mark=dns out-interface=pppoe-isp passthrough=no protocol=tcp
add action=mark-connection chain=forward comment="DNS, UDP" connection-state=new dst-port=53 new-connection-mark=dns out-interface=pppoe-isp passthrough=no protocol=udp
add action=mark-connection chain=postrouting comment="DNS, UDP" connection-state=new dst-port=53 new-connection-mark=dns-ap10 passthrough=no protocol=udp src-address-list=addr-list-ap10
add action=mark-connection chain=forward comment="DNS, TCP" connection-state=new dst-port=53 new-connection-mark=dns out-interface=pppoe-isp passthrough=no protocol=tcp
add action=mark-connection chain=forward comment="Generic Voice Traffic, DSCP EF 46" connection-state=new dscp=46 new-connection-mark=voip out-interface=pppoe-isp passthrough=no
add action=mark-connection chain=forward comment="Google Hangouts Audio/Video, DSCP 40" connection-state=new dscp=40 new-connection-mark=gvc out-interface=pppoe-isp passthrough=no
add action=mark-connection chain=forward comment="Google Hangouts, UDP DstPort" connection-state=new dst-port=19302-19309 new-connection-mark=gvc out-interface=pppoe-isp passthrough=no protocol=udp
add action=mark-connection chain=forward comment="Google Hangouts, TCP DstPort" connection-state=new dst-port=19305-19309 new-connection-mark=gvc out-interface=pppoe-isp passthrough=no protocol=tcp
add action=mark-connection chain=forward comment=SSH connection-state=new dst-port=22 new-connection-mark=ssh out-interface=pppoe-isp passthrough=no protocol=tcp
add action=mark-connection chain=forward comment="HTTP, HTTPS" connection-state=new dst-port=80,443 new-connection-mark=http-https out-interface=pppoe-isp passthrough=no protocol=tcp
add action=mark-connection chain=postrouting comment="HTTP, HTTPS" connection-mark=http-https connection-state=new dst-port=80,443 new-connection-mark=http-https-ap10 passthrough=no protocol=tcp \
src-address-list=addr-list-ap10
add action=mark-connection chain=forward comment="btsync targeted TCP traffic" connection-state=new new-connection-mark=p2p out-interface=pppoe-isp passthrough=no port=4242 protocol=tcp
add action=mark-connection chain=forward comment="btsync targeted UDP traffic" connection-state=new new-connection-mark=p2p out-interface=pppoe-isp passthrough=no port=4242 protocol=udp
add action=mark-packet chain=postrouting comment=DNS connection-mark=dns new-packet-mark=dns out-interface=pppoe-isp passthrough=no
add action=mark-packet chain=postrouting comment=DNS connection-mark=dns-ap10 dst-address-list=addr-list-ap10 new-packet-mark=dns-ap10 passthrough=no
add action=mark-packet chain=forward comment="TCP SYN" new-packet-mark=tcp-syn-ack out-interface=pppoe-isp passthrough=no protocol=tcp tcp-flags=syn
add action=mark-packet chain=forward comment="TCP SYN" new-packet-mark=tcp-syn-ack-ap10 out-interface=bridge-ap10 passthrough=no protocol=tcp tcp-flags=syn
add action=mark-packet chain=forward comment="TCP ACK" new-packet-mark=tcp-syn-ack out-interface=pppoe-isp packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=forward comment="TCP ACK" new-packet-mark=tcp-syn-ack-ap10 out-interface=bridge-ap10 packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=forward comment=VoIP connection-mark=voip new-packet-mark=voip out-interface=pppoe-isp passthrough=no
add action=mark-packet chain=forward comment="Google Hangouts" connection-mark=gvc new-packet-mark=gvc out-interface=pppoe-isp passthrough=no
add action=mark-packet chain=forward comment=SSH connection-mark=ssh new-packet-mark=interactive out-interface=pppoe-isp passthrough=no
add action=mark-packet chain=forward comment="HTTP, HTTPS" connection-mark=http-https new-packet-mark=http-https out-interface=pppoe-isp passthrough=no
add action=mark-packet chain=postrouting comment="HTTP, HTTPS" connection-mark=http-https-ap10 new-packet-mark=http-https-ap10 out-interface=bridge-ap10 passthrough=no
add action=mark-connection chain=prerouting comment=ICMP connection-state=new new-connection-mark=icmp-ap10 passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=icmp new-packet-mark=icmp passthrough=no
add action=mark-connection chain=postrouting connection-state=new new-connection-mark=icmp passthrough=yes protocol=icmp
add action=mark-packet chain=postrouting connection-mark=icmp new-packet-mark=icmp passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment="defconf: masquerade - wrong also need nat between interfaces" disabled=yes ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/16,0.0.0.0/0
set ssh address=192.168.0.0/16,0.0.0.0/0
set www-ssl certificate=RB4011 disabled=no
set api address=192.168.0.0/16,0.0.0.0/0
set winbox address=192.168.0.0/16,0.0.0.0/0
set api-ssl address=192.168.0.0/16,0.0.0.0/0
/system clock
set time-zone-autodetect=no time-zone-name=Pacific/Auckland
/system ntp client
set enabled=yes primary-ntp=196.10.54.57 secondary-ntp=196.26.5.10
/system package update
set channel=long-term
/system scheduler
add comment="Reboot at 4AM every day" interval=1d name="schedule reboot" on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/10/2019 \
start-time=06:00:00
add disabled=yes interval=1d name=D0 on-event="/system script run DisablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/10/2019 start-time=00:30:00
add disabled=yes interval=1d name=D1 on-event="/system script run DisablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/10/2019 start-time=01:00:00
add disabled=yes interval=1d name="PPPoE Enable" on-event="/system script run EnablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/10/2019 start-time=\
06:10:00
add disabled=yes interval=1d name=D2 on-event="/system script run DisablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/16/2020 start-time=02:00:00
add disabled=yes interval=1d name=D3 on-event="/system script run DisablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/16/2020 start-time=02:30:00
add disabled=yes interval=1d name=D4 on-event="/system script run DisablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/16/2020 start-time=03:00:00
add disabled=yes interval=1d name=D5 on-event="/system script run DisablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/16/2020 start-time=03:30:00
add disabled=yes interval=1d name=D6 on-event="/system script run DisablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/16/2020 start-time=04:00:00
add disabled=yes interval=1d name=D7 on-event="/system script run DisablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/16/2020 start-time=04:30:00
add disabled=yes interval=1d name=D8 on-event="/system script run DisablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/16/2020 start-time=05:00:00
add disabled=yes interval=1d name=D9 on-event="/system script run DisablePPPoE" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/16/2020 start-time=05:30:00
/system script
add comment="Enable the Internet" dont-require-permissions=no name=EnablePPPoE owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"interface pppoe-client enable pppoe-isp"
add comment="Disable the Internet" dont-require-permissions=no name=DisablePPPoE owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"interface pppoe-client disable pppoe-isp"
/tool graphing interface
add interface=pppoe-isp
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-limit=50000KiB file-name=dup.pcap filter-interface=pppoe-isp streaming-server=192.168.2.253
Last edited by WayneF on Sat Dec 19, 2020 8:29 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing between bridge interfaces - masquerade required or not?

Sat Dec 19, 2020 2:45 pm

The input chain is a bit weird with these two rules....
add action=drop chain=input comment="6: protection - 139 and 445 : SMB" dst-port=21-23,53,80,443,2000,6129,137-139,445,8291 log=yes log-prefix="firewall drop" protocol=tcp src-address-list=\
!addr-list-local
add action=drop chain=input comment="7: protection" dst-port=53,137-138 log=yes log-prefix="firewall drop" protocol=udp src-address-list=!addr-list-local


Why not get rid of three rules (the two above and a third rule) by adding two simple rules!
ADD
add chain=input action=accept src-address-list=addr-list-local
then
ADD at the bottom of the input chain
add chain=input action=drop comment="Drop All Else"

Then remove the two rules and this third rule as its no longer required.
add action=drop chain=input comment="5: defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

As for the forward chain I would get rid of this rule and replace it with one rule.
add action=drop chain=forward comment="13: defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes

ADD at the bottom of the forward chain (normally it's two rules, but since you don't use port forwarding the first is not required):
add chain=forward action=accept comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN {optional}
add chain=forward action=drop comment="drop all else"

If the above does not fix the issue perhaps its hidden in the mangle rules??
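An added example (written for this page; it is not RouterOS code and not anav's or WayneF's): a small Python evaluator for the posted input-chain rules, so the original chain and the two-rule replacement above can be compared packet by packet. It models only the matchers those rules use (in-interface-list, src-address-list, protocol, dst-port) with the list memberships from the export; the connection-state rules (1, 2) and the loopback rule (4) are left out because the model has no connection tracking. The sample packets are constructed (203.0.113.0/24 is documentation address space), and the third "strict" chain is my own variant, not something proposed in the thread.

```python
"""Added example for this thread (not RouterOS code): evaluate the posted
input-chain rules against a few packets and compare the original chain with
anav's two-rule replacement. Only the matchers the rules use are modelled."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    in_iface: str
    src: str
    proto: str                              # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


@dataclass
class Rule:
    action: str                             # "accept" or "drop"
    comment: str = ""
    in_iface_list: Optional[str] = None     # e.g. "LAN" or "!LAN"
    src_addr_list: Optional[str] = None     # e.g. "addr-list-local" or "!addr-list-local"
    proto: Optional[str] = None
    dst_ports: frozenset = frozenset()      # empty = any port
    disabled: bool = False


# Interface-list members and the address list, as in the posted export.
IFACE_LISTS = {"LAN": {"bridge", "bridge-ap9", "bridge-ap10"},
               "WAN": {"ether1", "pppoe-isp"}}
ADDR_LISTS = {"addr-list-local": [ipaddress.ip_network("192.168.0.0/16")]}


def _split_negation(spec: str) -> Tuple[str, bool]:
    return (spec[1:], True) if spec.startswith("!") else (spec, False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.disabled:
        return False
    if rule.in_iface_list is not None:
        name, negated = _split_negation(rule.in_iface_list)
        member = pkt.in_iface in IFACE_LISTS.get(name, set())
        if member == negated:               # "!LAN" matches only non-members
            return False
    if rule.src_addr_list is not None:
        name, negated = _split_negation(rule.src_addr_list)
        src = ipaddress.ip_address(pkt.src)
        listed = any(src in net for net in ADDR_LISTS.get(name, []))
        if listed == negated:
            return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst_ports and pkt.dst_port not in rule.dst_ports:
        return False
    return True


def evaluate(chain, pkt: Packet) -> str:
    """First matching rule decides; when nothing matches RouterOS accepts."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.action
    return "accept"


PROTECTED_TCP = frozenset({21, 22, 23, 53, 80, 443, 2000, 6129, 137, 138, 139, 445, 8291})

# Rules 3, 5, 6 and 7 of the posted input chain (3 is disabled in the export).
ORIGINAL_INPUT = [
    Rule("accept", "3: defconf: accept ICMP", proto="icmp", disabled=True),
    Rule("drop", "5: defconf: drop all not coming from LAN", in_iface_list="!LAN"),
    Rule("drop", "6: protection", src_addr_list="!addr-list-local", proto="tcp", dst_ports=PROTECTED_TCP),
    Rule("drop", "7: protection", src_addr_list="!addr-list-local", proto="udp", dst_ports=frozenset({53, 137, 138})),
]
# anav's replacement: accept from the local address list, then drop all else.
PROPOSED_INPUT = [
    Rule("accept", "accept local", src_addr_list="addr-list-local"),
    Rule("drop", "Drop All Else"),
]
# Variant added here (my assumption, not from the thread): require both a LAN
# ingress interface and a local source address before accepting.
STRICT_INPUT = [
    Rule("accept", "accept local on LAN", in_iface_list="LAN", src_addr_list="addr-list-local"),
    Rule("drop", "Drop All Else"),
]


def compare(pkt: Packet) -> Tuple[str, str, str]:
    """Verdicts of the (original, proposed, strict) chains for one packet."""
    return (evaluate(ORIGINAL_INPUT, pkt), evaluate(PROPOSED_INPUT, pkt), evaluate(STRICT_INPUT, pkt))


if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.0/24 is documentation space.
    samples = {
        "ping router from ap10 client": Packet("bridge-ap10", "192.168.2.200", "icmp"),
        "winbox from the internet":     Packet("pppoe-isp", "203.0.113.5", "tcp", 8291),
        "odd port, foreign src on LAN": Packet("bridge", "203.0.113.5", "tcp", 9999),
        "spoofed local src on WAN":     Packet("pppoe-isp", "192.168.0.50", "tcp", 8291),
    }
    for label, pkt in samples.items():
        orig, prop, strict = compare(pkt)
        print(f"{label:30} original={orig:6} proposed={prop:6} strict={strict}")
```

Both chains agree on the two everyday cases (a LAN client pinging the router is accepted, Winbox from the internet is dropped). They differ in two places worth knowing about: the original chain has no final drop, so a packet from a non-local source on a LAN port to a port that rule 6 does not list falls through to the implicit accept, while the replacement drops it; and the replacement matches on source address alone, so a packet carrying a 192.168.x.x source that arrives on a WAN interface is accepted by it but dropped by the original rule 5. The strict variant keeps both the interface and the address check, which is why it drops in both of those cases.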
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Routing between bridge interfaces - masquerade required or not?

Sat Dec 19, 2020 10:51 pm

There is this bit:

/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes

If you don't need to have those set to "yes", I would recommend changing them to "no" (the default).
 
WayneF
newbie
Topic Author
Posts: 34
Joined: Sat May 23, 2020 4:51 am

Re: Routing between bridge interfaces - masquerade required or not?

Sat Dec 19, 2020 11:00 pm

Thanks for all the help, again.

I have made some progress, well I think so.

I have this wiring/configuration (is it called a topology?).
(ISP)<--------------->Mikrotik<------192.168.1.0/24--------->Router/Wifi(192.168.1.3)<*****A******>[some devices]
                     |(connects to Mikrotik)
                     |<----------192.168.2.0/24--------->WiFi Access Point<***********B******>[some devices]


TEST 1
When I connect to A, having an IP of 192.168.1.20x, I can ping a device on B, 192.168.2.20x

TEST 2
When I connect to B, having an IP of 192.168.2.20x, I can ping a device at 192.168.1.20x

TEST 3
Again I connect to B, having an ip of 192.168.2.20x; I cannot ping 192.168.1.3 !!!

The Router 192.168.1.3 is somehow not allowing access, yet if I masquerade the IP's then it is not a problem.

Is this a correct assumption to make?
The source IP seen by the router(B) still being seen as 192.168.2.20X, and the firewall on router(B) is blocking access. If masquerading is enabled,
then the source IP is changed to what is acceptable to the firewall and access is allowed.
 
sid5632
Long time Member
Posts: 554
Joined: Fri Feb 17, 2017 6:05 pm

Re: Routing between bridge interfaces - masquerade required or not?

Sun Dec 20, 2020 3:33 am

Have you told whatever the Router/Wifi device is about subnet 192.168.2.0/24 and how to get to it?
You haven't even mentioned it until now.
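An added example (written for this page; it is not RouterOS code and not any poster's) that works through the return-path question sid5632 raises with a longest-prefix-match model of the two routing tables involved. The MikroTik table is the one printed in the first post. The table for the repurposed ISP router at 192.168.1.3 is an assumption made for the example: it knows only its own /24 and has no default gateway or static route pointing at 192.168.1.2. The 192.168.2.200 client address and the 192.168.1.2 masquerade source (the MikroTik's bridge-ap9 address) are taken from the export.

```python
"""Added example for this thread (not RouterOS code): a longest-prefix-match
model of why a 192.168.2.x client can deliver a ping to 192.168.1.3 but gets no
reply, and why the src-address=192.168.0.0/16 masquerade rule hides that."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, Optional[str]]   # (destination prefix, gateway); None = directly connected


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; returns the winning (prefix, gateway) or None."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen):
            best = (prefix, gw)
    return best


# The MikroTik table as printed in the first post.
MIKROTIK_ROUTES: List[Route] = [
    ("0.0.0.0/0", "pppoe-isp"),
    ("192.168.0.0/24", None),
    ("192.168.1.0/24", None),
    ("192.168.2.0/24", None),
]
# Assumption for this example: the ISP router at 192.168.1.3 knows only its own
# /24 and has no default gateway or static route toward 192.168.1.2.
AP_ROUTER_ROUTES: List[Route] = [("192.168.1.0/24", None)]
# The non-NAT fix: tell that device how to reach 192.168.2.0/24 via the MikroTik.
AP_ROUTER_WITH_ROUTE: List[Route] = AP_ROUTER_ROUTES + [("192.168.2.0/24", "192.168.1.2")]


def round_trip(client_src: str, target: str, ap_routes: List[Route],
               masquerade_as: Optional[str] = None) -> Tuple[bool, bool]:
    """Return (request delivered, reply routable).

    masquerade_as is the address the target sees as source when the MikroTik
    srcnat rule rewrites the packet; None means the client's real address."""
    request_ok = lookup(MIKROTIK_ROUTES, target) is not None
    seen_src = masquerade_as or client_src
    reply_ok = request_ok and lookup(ap_routes, seen_src) is not None
    return request_ok, reply_ok


def ping_from_ap10(masquerade: bool, ap_routes: List[Route] = AP_ROUTER_ROUTES) -> Tuple[bool, bool]:
    """A 192.168.2.x client pinging 192.168.1.3. With masquerade the source it
    sees is the MikroTik's bridge-ap9 address 192.168.1.2, which is on-link."""
    return round_trip("192.168.2.200", "192.168.1.3", ap_routes,
                      masquerade_as="192.168.1.2" if masquerade else None)


if __name__ == "__main__":
    print("no NAT, no route on AP router :", ping_from_ap10(False))
    print("masquerade 192.168.0.0/16     :", ping_from_ap10(True))
    print("no NAT, static route on AP    :", ping_from_ap10(False, AP_ROUTER_WITH_ROUTE))
```

The request always gets there because the MikroTik has a connected route to 192.168.1.0/24; what fails under the stated assumption is the reply, because 192.168.2.200 matches nothing in the 192.168.1.3 device's table. Masquerading makes the reply go to 192.168.1.2 instead, which is on-link for that device, so the ping succeeds without the device ever learning about 192.168.2.0/24. Giving the device a default gateway or a static route for 192.168.2.0/24 via 192.168.1.2 gets the same result without source NAT between the internal subnets, which keeps the real client addresses visible in that device's logs and firewall rules.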
 
WayneF
newbie
Topic Author
Posts: 34
Joined: Sat May 23, 2020 4:51 am

Re: Routing between bridge interfaces - masquerade required or not?

Sun Dec 20, 2020 4:25 am

Hey @sid... I don't think I understand what you are saying clearly.

I did not mention the router at 192.168.1.3 as I did not think much of it; it is not a MikroTik router and I did not realise that the routing was localised to the device itself.

I just checked that "silly" router and it does not seem to have apparent "firewall" rules.

I see the following:
It has a static ip 192.168.1.3/24
Firewall level: low => When the level is Low, all active packets from the LAN to WAN are allowed.

There is an option to allow icmp / http per network address range, I tried those but they did not work.
I added the networks one by one, 192.168.1.0/24 192.168.2.0/24 etc. it made no difference.
Also the router is not setup to hand out IP's - no DHCP but does have WiFi -- the main purpose of the router.
(Basically it is the router you get for free from the ISP, I just repurposed it as an access point) This all works fine
except for my "routing problem" .. which is no longer the real issue.

Does this answer your question?
