Hairpin NAT is not an issue if the server and the users are on different subnets behind the router.
Therefore it's not likely a source NAT issue.
One will most likely have to review the dst-nat rules and perhaps the firewall rules.
(1) What is the purpose of this rule? It looks confused to me.
It appears as though you wish to allow direct access to a LAN device from the internet. Any port forwarding rules should be in the Destination NAT rule area and thus this needs to be removed.
add action=accept chain=forward comment="Torfinn SSH" dst-address=10.11.10.11 in-interface-list=WAN protocol=tcp
If, on the other hand, you wanted to SSH in to manage the router, that is not recommended (VPN is recommended).
(3) What is the purpose of this rule?
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
Seeing as you already have an ALLOW port forwarding rule in place:
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat in-interface-list=WAN
(4) I absolutely detest configs where people have mixed up input chain rules with forward chain rules. Keep them separated; it is much cleaner and easier to see such duplications.
(5) Okay, I see the problem: you have a mix of default rules and some better ones. Cleaned up for you:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat in-interface-list=WAN
add action=drop chain=forward comment="DROP ALL other FORWARD traffic" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Torfinn SSH" dst-port=22 in-interface-list=WAN protocol=tcp to-addresses=10.11.10.11
(1) I added the "Allow Port Forwarding" rule later; I first had this to enable port forwarding to that server.
(3) No idea; it is defconf, so it was there.
Thank you, I have now this config:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat in-interface-list=WAN
add action=drop chain=forward comment="DROP ALL other FORWARD traffic"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Torfinn SSH" dst-port=22 in-interface-list=WAN protocol=tcp to-addresses=10.11.10.11
Unfortunately, port forwarding still only works from outside the network. I cannot connect from other VLANs using the external IP/domain, and I just don't understand what else to change... I have also tried to set up a web server on port 80, just to check that the SSH server config is not the problem, but I got the exact same behaviour.
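The symptom described in this post (forwarding works from the internet but not from other VLANs via the public address) is what a hairpin NAT setup addresses. The config below is an added example, not config posted by either participant. It assumes a static public address 203.0.113.10 on ether1 (a TEST-NET-3 placeholder), and reuses the server address 10.11.10.11, the interface lists LAN/WAN and the rule comments from the thread. The two things that stop hairpinning in the posted config are the dst-nat rule matching only in-interface-list=WAN (a client on VLAN30 never hits it) and the forward chain accepting dst-natted traffic only from WAN (even if it did, the final "DROP ALL other FORWARD traffic" rule would drop it).

```routeros
/ip firewall nat
# Replace the WAN-only dst-nat rule with one keyed on the public address, so a
# client on any VLAN connecting to 203.0.113.10:22 is translated as well.
# 203.0.113.10 is an assumed static WAN address. With a DHCP-assigned WAN
# address, keep the public IP in an address list (updated from the
# dhcp-client script) and match with dst-address-list instead.
remove [find comment="Torfinn SSH"]
add chain=dstnat action=dst-nat comment="Torfinn SSH (WAN and hairpin)" \
    dst-address=203.0.113.10 protocol=tcp dst-port=22 to-addresses=10.11.10.11

# Hairpin source NAT. Only needed when client and server sit in the SAME
# subnet: the server would otherwise answer the client directly on layer 2,
# bypassing the router's conntrack entry and the de-NAT of the reply.
# Clients on other VLANs are routed back through the router anyway, so for
# them this rule is not required (which is the point made at the top of the thread).
add chain=srcnat action=masquerade comment="hairpin NAT for same-subnet clients" \
    src-address=10.11.10.0/24 dst-address=10.11.10.11 protocol=tcp dst-port=22 \
    out-interface=VLAN10

/ip firewall filter
# The existing "Allow Port Forwarding" rule only matches in-interface-list=WAN.
# A hairpinned connection enters on a LAN VLAN, so it needs its own accept,
# kept narrow (only the forwarded service) and placed before the final drop.
add chain=forward action=accept comment="Allow hairpin to forwarded services" \
    connection-nat-state=dstnat in-interface-list=LAN \
    dst-address=10.11.10.11 protocol=tcp dst-port=22 \
    place-before=[find comment="DROP ALL other FORWARD traffic"]
```

Avoid the shortcut of `dst-address-type=local` on the dst-nat rule: it matches every address the router owns, so an SSH connection to any VLAN gateway (10.11.30.1:22 and so on) would also be redirected to the server. After applying, check `/ip firewall connection print where dst-address~"10.11.10.11"` from a VLAN30 client to confirm the connection shows the dstnat translation.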
Now for the review of the config of the rest of the router.
(1) You have identified 7 VLANs but your config is incomplete, as you only have 4 DHCP servers???
Okay, there is another set of them. Why effing separated, LOL?!
So you have 7 matching DHCP servers, but you only have 4 IP pools???
Missing IP pools for VLANs 10, 11, 100.
(2) Suggest setting this to LAN.
/ip neighbor discovery-settings
set discover-interface-list=!none
(3) You should not have to list all the VLANs as part of LAN, as their parent interface is the bridge.
(4) For the DHCP server networks, confirm each has a dns-server, e.g.:
/ip dhcp-server network
add address=10.11.10.0/24 dns-server=10.11.10.1 gateway=10.11.10.1
(5) If one is using SSH to the server AND NOT TO the router (remember, SSH to the router is not a secure method for managing the config from outside the network), then these should be, and normally are, disabled. They have nothing to do with SSH into a server.
set www address=10.11.10.0/24
set ssh address=10.11.10.0/24
set www-ssl address=10.11.10.0/24 disabled=no
(6) Winbox addresses: I see you have two LAN subnets identified, VLAN10 Management and VLAN30?
Why would you allow a devices network access to the router??
If legit, then I would suggest the following changes.
a.
/interface list
add name=LAN
add name=WAN
add name=manage
b.
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=VLAN10 list=manage
add interface=VLAN30 list=manage
c.
/tool mac-server mac-winbox
set allowed-interface-list=manage
d. Replace the last rule with four rules. The first new rule allows only the management networks full access to the router, instead of all users on all the VLANs.
(The users still need access to DNS services and thus we need DNS rules.)
(The last drop-all rule drops all other traffic to and from the router itself that is not authorized by the admin. CAUTION: only add this when the other rules are in place.)
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="allow admin networks" in-interface-list=manage {***optional source-address firewall list}
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input
*** You can put all the IPs of admin devices into a firewall address list (static, fixed IPs within the subnet) and thus reduce access to the router to specific IPs within the two VLANs in the management interface list.
(7) Okay, let's look at bridge ports next! You are defining 4 of the ports.
It appears that ether2 is probably a hybrid port, but I am not sure. It looks like an access port due to the PVID, but since you didn't stipulate only untagged and priority-tagged packets, I am assuming it is a hybrid port and thus both tagged VLANs and one untagged VLAN may be running through ether2. This begs the question: what device is on the other end of eth2???
In any case, you could add ingress filtering to the bridge ports.
What is the purpose of tag stacking here??
(8) Bridge VLAN settings: okay, I see those and am reviewing.
All right, the picture is a bit clearer.
You wish to run ether2 as a TRUNK port and run every VLAN tagged through it.
(9) Therefore find below a revamp of these settings:
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged hw=no ingress-filtering=yes interface=ether2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged hw=no interface=ether3 pvid=11 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged hw=no interface=ether4 pvid=30 ingress-filtering=yes
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged hw=no interface=ether5 pvid=10 ingress-filtering=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 untagged=ether3 vlan-ids=11
add bridge=bridge tagged=bridge,ether2 vlan-ids=20,100,110,120
add bridge=bridge tagged=bridge,ether2 untagged=ether4 vlan-ids=30
Note: the router automatically creates the untagged bridge VLAN entries based on the bridge port PVID settings, so they are not required to be entered by hand as I have above. I prefer the hard entry to match my bridge port settings with what I intended on the VLAN filter, as a cross-check.
It is also easy to read and understand this way.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 vlan-ids=11
add bridge=bridge tagged=bridge,ether2 vlan-ids=20,100,110,120
add bridge=bridge tagged=bridge,ether2 vlan-ids=30
What I am not sure about is whether this would also work automagically for the untagged VLANs:
add bridge=bridge tagged=bridge,ether2 vlan-ids=10,11,20,30,100,110,120
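The *** note in this review suggests narrowing router access from whole management VLANs down to specific admin hosts. The following is an added example, not part of the review itself. It assumes one admin workstation at 10.11.10.50 and the static lease 10.11.10.11 as the only admin hosts, and reuses the `manage` interface list and the input chain layout from the review: the address-list rule below takes the place of the "allow admin networks" line, and the two DNS accepts and the final input drop from the review stay as they are.

```routeros
/ip firewall address-list
# Admin hosts (assumed addresses). Give them static DHCP leases so the
# addresses cannot drift and silently lock you out.
add address=10.11.10.50 list=admins comment="admin workstation"
add address=10.11.10.11 list=admins comment="Torfinn"

/ip firewall filter
# Router access only from listed hosts AND only when they arrive on a
# management VLAN. Matching both means a spoofed admin source address on
# VLAN30 or the DMZ is still rejected by the in-interface-list check.
add action=accept chain=input comment="allow admin hosts on manage VLANs" \
    in-interface-list=manage src-address-list=admins
# Log (rate-limited to 1/s, burst 5) anyone else knocking on the management
# ports from the LAN side, so failed attempts are visible in /log before the
# final catch-all drop eats them silently.
add action=log chain=input comment="log unauthorised management attempts" \
    in-interface-list=LAN protocol=tcp dst-port=22,80,443,8291 \
    log-prefix="MGMT-DENY" limit=1,5:packet

/ip service
# Second layer: the services themselves only listen for the admin hosts,
# so a firewall mistake alone does not expose Winbox or the web UI.
set winbox address=10.11.10.50,10.11.10.11
set www-ssl address=10.11.10.50,10.11.10.11 disabled=no
```

Apply this from a session on one of the listed hosts, and enter safe mode in the terminal (Ctrl+X) before touching the input chain; if the session drops because a rule is wrong, safe mode rolls the changes back instead of leaving the router unreachable.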
I have updated most of these things as well now.
(1) The plan was to only assign static addresses on those networks without pools; I have now added some small pools to them anyway.
I have no idea why they were separated; I just did
/export hide-sensitive.
(2) Did that.
(3) I tried to only have the bridge in that list, but then the firewall rules with LAN and !LAN didn't work as expected anymore...
(4) I didn't do this; I added the router as DNS for all the networks (the gateway address), but I guess the DNS server is not set up correctly.
(5) I wanted to use www and SSH from the manage VLAN, but have disabled them for now.
(6) VLAN30 being allowed to access Winbox is only temporary; when things work as they should, it will only be VLAN10.
(7) It was meant to be a hybrid port for testing: a trunk port when a switch or VLAN-aware device is connected, and an access port when other devices are connected.
I have removed tag stacking; it was there because it was active in some of the guides/tutorials I read. I have now disabled it after reading up on what it is.
# aug/27/2021 13:34:35 by RouterOS 6.48.4
# software id = 6JIK-BB6Q
#
# model = RB760iGS
# serial number = D4500D910DB4
/interface bridge
add fast-forward=no name=bridge vlan-filtering=yes
/interface vlan
add comment=Management interface=bridge name=VLAN10 vlan-id=10
add comment=Management/BMC interface=bridge name=VLAN11 vlan-id=11
add comment="Remote Access" interface=bridge name=VLAN20 vlan-id=20
add comment=Devices interface=bridge name=VLAN30 vlan-id=30
add comment=Storage interface=bridge name=VLAN100 vlan-id=100
add comment=Auth interface=bridge name=VLAN110 vlan-id=110
add comment=DMZ interface=bridge name=VLAN120 vlan-id=120
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=VLAN30-POOL ranges=10.11.30.50-10.11.30.254
add name=VLAN120-POOL ranges=10.11.120.100-10.11.120.254
add name=VLAN20-POOL ranges=10.11.20.50-10.11.20.254
add name=VLAN10-POOL ranges=10.11.10.100-10.11.10.254
add name=VLAN11-POOL ranges=10.11.11.200-10.11.11.254
add name=VLAN100-POOL ranges=10.11.100.154-10.11.100.200
add name=VLAN110-POOL ranges=10.11.110.200-10.11.110.254
/ip dhcp-server
add address-pool=VLAN20-POOL disabled=no interface=VLAN20 name=VLAN20-DHCP
add address-pool=VLAN11-POOL disabled=no interface=VLAN11 name=VLAN11-DHCP
add address-pool=VLAN100-POOL disabled=no interface=VLAN100 name=VLAN100-DHCP
add address-pool=VLAN110-POOL disabled=no interface=VLAN110 name=VLAN110-DHCP
add address-pool=VLAN30-POOL disabled=no interface=VLAN30 name=VLAN30-DHCP
add address-pool=VLAN120-POOL disabled=no interface=VLAN120 name=VLAN120-DHCP
add address-pool=VLAN10-POOL disabled=no interface=VLAN10 name=VLAN10-DHCP
/ppp profile
set *FFFFFFFE local-address=10.11.20.1 remote-address=VLAN20-POOL
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged hw=no ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged hw=no ingress-filtering=yes interface=ether2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged hw=no ingress-filtering=yes interface=ether3 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged hw=no ingress-filtering=yes interface=ether4 pvid=30
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=30
add bridge=bridge tagged=bridge,ether2 untagged=ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 vlan-ids=11
add bridge=bridge tagged=bridge,ether2 vlan-ids=20
add bridge=bridge tagged=bridge,ether2 vlan-ids=100
add bridge=bridge tagged=bridge,ether2 vlan-ids=110
add bridge=bridge tagged=bridge,ether2 vlan-ids=120
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=VLAN10 list=LAN
add interface=VLAN11 list=LAN
add interface=VLAN20 list=LAN
add interface=VLAN100 list=LAN
add interface=VLAN110 list=LAN
add interface=VLAN120 list=LAN
add interface=VLAN30 list=LAN
/ip address
add address=10.11.30.1/24 interface=VLAN30 network=10.11.30.0
add address=10.11.10.1/24 interface=VLAN10 network=10.11.10.0
add address=10.11.120.1/24 interface=VLAN120 network=10.11.120.0
add address=10.11.11.1/24 interface=VLAN11 network=10.11.11.0
add address=10.11.20.1/24 interface=VLAN20 network=10.11.20.0
add address=10.11.100.1/24 interface=VLAN100 network=10.11.100.0
add address=10.11.110.1/24 interface=VLAN110 network=10.11.110.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=10.11.30.10 client-id=1:8c:3b:ad:e4:97:e8 comment="Netgear Router" mac-address=8C:3B:AD:E4:97:E8 server=VLAN30-DHCP
add address=10.11.10.11 client-id=1:dc:a6:32:e:3f:2d comment=Torfinn mac-address=DC:A6:32:0E:3F:2D server=VLAN10-DHCP
add address=10.11.11.10 client-id=1:84:2b:2b:47:c0:f1 comment="Frank BMC" mac-address=84:2B:2B:47:C0:F1 server=VLAN11-DHCP
/ip dhcp-server network
add address=10.11.10.0/24 gateway=10.11.10.1
add address=10.11.11.0/24 gateway=10.11.11.1
add address=10.11.20.0/24 gateway=10.11.20.1
add address=10.11.30.0/24 gateway=10.11.30.1
add address=10.11.100.0/24 gateway=10.11.100.1
add address=10.11.110.0/24 gateway=10.11.110.1
add address=10.11.120.0/24 gateway=10.11.120.1
/ip firewall address-list
add address=10.11.10.0/24 list=LANs
add address=192.168.30.0/24 list=LANs
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.11.10.0/24
set ssh address=10.11.10.0/24 disabled=yes
set www-ssl address=10.11.10.0/24 disabled=no
set api disabled=yes
set winbox address=10.11.10.0/24,10.11.30.0/24
set api-ssl address=10.11.10.0/24 disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
add name=...
/system clock
set time-zone-name=Europe/Oslo
/system identity
set name=Victor
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Thank you for the answers! Still no luck in solving this, though.
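Answer (4) in this post and the export above point at the same gap: there is no `/ip dns` section in the export (so the router is still at its default of not answering remote DNS queries) and none of the `/ip dhcp-server network` entries carries a dns-server, yet clients are meant to use the router for resolution. The config below is an added example, not from either participant. It assumes two upstream resolvers (9.9.9.9 and 1.1.1.1; substitute the ones you trust) and reuses the seven network entries and gateway addresses from the export.

```routeros
/ip dns
# Let the router answer DNS queries and forward them to the assumed upstreams.
# Without allow-remote-requests=yes the router resolves only for itself.
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1

/ip dhcp-server network
# Hand out each VLAN's own gateway as the DNS server. Looping over the
# existing entries covers all seven networks and keeps dns-server in step
# with gateway, instead of editing seven lines by hand.
:foreach n in=[find] do={
    set $n dns-server=[get $n gateway]
}

# allow-remote-requests=yes makes the router a resolver on EVERY interface,
# ether1 included. What keeps it from being an open resolver on the internet
# is the input chain: the default "drop all not coming from LAN" rule, or, if
# the input chain is rebuilt as suggested in the review, the two LAN-only
# port 53 accepts followed by the final drop. Check that nothing accepts
# port 53 from the WAN list after any input chain change:
/ip firewall filter print where chain=input
```

DHCP clients only pick up the new dns-server on lease renewal, so release/renew on a client (or shorten the lease time temporarily) before concluding that resolution still fails.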