Martin90
just joined
Topic Author
Posts: 1
Joined: Sat May 29, 2021 10:29 am

No internet access from second bridge/VLAN

Sat May 29, 2021 10:36 am

Hi All,

Having an issue where I cannot access the internet from my 2nd bridge that I have set up. Devices can connect to the bridge and obtain an IP from the DHCP server, but no internet access. Internet is provided by my ISP's router (192.168.178.1) and is accessible from bridge1. I'm sure I have missed a route or firewall rule but I am at a loss.

Any help would be greatly appreciated.
# may/29/2021 19:32:05 by RouterOS 6.48.3
# software id = 5EX9-JBRW
#
# model = CRS326-24G-2S+
# serial number = DA750C2D3BEF
/interface bridge
add name=Sales_Bridge
add admin-mac=48:8F:5A:B3:E0:D3 auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=Sales_Bridge name=Sales_Vlan vlan-id=100
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=Sales_Bridge lease-time=1h \
    name=dhcp2
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=Sales_Bridge comment=defconf interface=ether5
add bridge=Sales_Bridge comment=defconf interface=ether6
add bridge=Sales_Bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=Sales_Vlan list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
add address=192.168.178.151/24 interface=ether1 network=192.168.178.0
add address=192.168.100.0/24 interface=Sales_Bridge network=192.168.100.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns
set servers=192.168.178.1,8.8.8.8
/ip firewall address-list
add address=192.168.88.0/24 list=LAN
/ip firewall filter
add action=drop chain=forward connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=accept chain=input connection-state=established
add action=drop chain=input
add action=accept chain=forward connection-state=new src-address-list=LAN
add action=accept chain=forward connection-state=related
add action=accept chain=input src-address-list=LAN
add action=accept chain=forward connection-state=established
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward in-interface=bridge out-interface-list=WAN \
    src-address=192.168.88.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.88.0/24
/ip route
add distance=1 gateway=192.168.178.1
/system clock
set time-zone-name=Pacific/Auckland
/system routerboard settings
set boot-os=router-os
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No internet access from second bridge/VLAN

Tue Jun 01, 2021 10:57 pm

Sure,
(1) My first question is why bother with vlan100, since you are using two bridges, you don't need a vlan.
However I would only use one bridge and then the vlan for separation purposes makes sense.

(2) In any case I think one of your issues is with IP addresses. Change ether2 to the bridge.
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
TO
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0

(3) Your source-nat config looks incorrect, well it should work but no need to be specific and normally source address is not used.

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
192.168.88.0/24
Change to
add action=masquerade chain=srcnat out-interface-list=WAN

Also if your WAN IP is fixed/static, won't change, then technically one should use a different format.
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=fixedwanip


(4) Finally you have clearly mucked about with the firewall rules. THIS IS THE MAIN ISSUE.
You only provide internet to the bridge!!
{add action=accept chain=forward in-interface=bridge out-interface-list=WAN \
src-address=192.168.88.0/24
}
The order of rules within a chain is critical, and most people like to keep the chains together with Input chain first.
Here is what it could look like.

/ip firewall filter
add action=accept chain=input connection-state=established
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input src-address-list=LAN **
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN ***
add action=drop chain=forward

Note **: Make sure this rule is in place before putting in the drop all else rule at the end of the input chain otherwise you will lock yourself out of the router. I prefer to narrow this rule down by making a firewall address list for all computers I would use to access the router as this should be for the admin NOT all LAN users (like desktop, smartphone, ipad, laptop etc., anything that I can give a static IP to).

Note ***: You can see I added the drop all rule at the end of the forward chain, which automatically stops any bridge to bridge routing at L3. Also it was not clear if the sales team had access to the internet; if not, then change the rule back to
add action=accept chain=forward src-address-list=LAN out-interface-list=WAN **

I personally would not use confusing nomenclature (aka my firewall address list would not have the same name as the LAN interface)
/ip firewall address-list
add address=192.168.88.0/24 list=LAN
instead
add address=192.168.88.0/24 list=home_subnet

You can also (my preference) create a separate INTERFACE called INTERNET (or call the firewall address list home_subnet etc.).

/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=bridge list=Internet
add interface=Sales_Vlan list=LAN

and then your rule could look like
add action=accept chain=forward in-interface-list=Internet out-interface-list=WAN **
