alaskanjackal
newbie
Topic Author
Posts: 25
Joined: Tue Sep 29, 2015 1:29 pm

Setting up a VLAN that bypasses NAT/Firewall

Sat Jul 28, 2018 2:48 am

Been playing with this and reading all about VLANs for the last two hours and making no headway.

My ISP engages in CGNAT, so it will hand out as many IP addresses as I ask for. (I.e., if I swap my hEX for a plain-jane switch, all of my devices will get their own IP addresses handed out by my ISP's DHCP server.)

I'd like to keep my current set-up to isolate everything behind my own private NATted/firewalled network for security, of course, but I'd like the option to expose some clients to the ISP's network, outside my firewall (for testing purposes, or when I'm having connectivity issues due to double-NAT, etc.).

I was hoping I can achieve that by setting up a second wireless network on my UniFi AP AC that is tagged with a VLAN tag (say, VLAN 10), and then bridging VLAN 10 to my ether1 uplink to my ISP, to bypass the firewall and srcnat settings.

I have not, however, been successful in doing so. Trying all manner of permutations of setting it up in /interface bridge, things tagged with VLAN 10 simply won't communicate upstream. I can't tell if it's because I'm trying to set the VLAN up incorrectly (one issue is that the changes in 6.41 have obsoleted much of the existing VLAN discussion on the forums) or because the firewall/masquerading settings are still applying to the ether1 uplink and confusing things, and/or if I need to do something with proxy-arp so the clients on VLAN 10 can communicate arp info with the ISP gateway. (Testing/enabling/disabling all of those didn't seem to help, though.)

Any tips? I can post a network diagram if what I want is unclear, or I can post my config if what I currently have is unclear.

Thanks!
 
sindy
Forum Guru
Posts: 5334
Joined: Mon Dec 04, 2017 9:19 pm

Re: Setting up a VLAN that bypasses NAT/Firewall

Sat Jul 28, 2018 1:11 pm

First, think of it as physical LANs rather than VLANs for a while; it will become much clearer. So the logical topology you need is this one:


                ISP
                 |
 ------------------------------------
    |        |        |          |
 pub.c1   pub.c2   pub.c3    MikroTik
                                 |
                           -------------
                            |         |
                         priv.c1   priv.c2
So if you convert it into bridge settings on Mikrotik, you'd best bridge together the ISP-facing interface and the AP-facing interface. To that bridge, you'll attach the WAN IP configuration (i.e. the DHCP-client) and would add an /interface vlan name=if-vlan10 vlan-id=10 interface=that-bridge; the LAN configuration of the Mikrotik would be attached to that /interface vlan.
In this case, the SSID for private clients would have to tag the traffic into vlan 10 and the SSID for public clients would send the traffic tagless.

If you insist on keeping the SSID for private clients tagless and tagging the SSID for public clients, the topology inside the Mikrotik would look like the following:


                 ISP
                  |
               ether1
                  |
brg-wan  ------------------- 
           |              |
        tagless         WAN-IP
       if-vlan10   ...routing&NAT...
         tagged         LAN-IP
           |              |
brg-lan  -------------------
                  |
                ether2
                  |
                  AP
So the WAN IP configuration would be attached to /interface bridge name=brg-wan with a member port ether1, and the LAN IP configuration would be attached to /interface bridge name=brg-lan with a member port ether2. The /interface vlan name=if-vlan10 would have a carrier interface=brg-lan and its tagless end would be made a member port of brg-wan using /interface bridge port add bridge=brg-wan interface=if-vlan10.

If one physical interface is sufficient at LAN side, you can make ether2 the carrier interface of if-vlan10 directly and attach the LAN IP configuration to ether2 as well. So no need to modify your existing LAN side setup, whatever it is.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
mkx
Forum Guru
Posts: 4317
Joined: Thu Mar 03, 2016 10:23 pm

Re: Setting up a VLAN that bypasses NAT/Firewall

Sat Jul 28, 2018 1:58 pm

Another possibility would be to use single bridge and 2 VLANs:
  • VLAN=10: tagged by WAP for "public SSID", access (=tagged by RB) for WAN and /interface vlan for WAN side of routing instance of RB
  • VLAN=20: LAN side - access ports(=tagged by RB) for wired LAN devices, tagged by WAP for "LAN SSID" and /interface vlan for LAN side of routing instance of RB (plus DHCP server etc.)
The VLAN ids, used above, are arbitrary. You can use any VLAN id between 2 and, say, 4000. Avoid using IDs 0 and 1 if you don't feel adventurous.
Compared to the two-bridge solution, this one has the advantage of having all ports hardware accelerated.
BR,
Metod
 
sindy
Forum Guru
Posts: 5334
Joined: Mon Dec 04, 2017 9:19 pm

Re: Setting up a VLAN that bypasses NAT/Firewall

Sat Jul 28, 2018 2:50 pm

What @mkx suggests is the best one from a performance point of view (with just one little remark: the SSIDs for clients getting IP addresses from the Mikrotik need not be tagged). My only problem with this setup is that there are several variants of hEX and I am not sure whether all of them have switch chips which support hybrid ports in hardware, and such support is essential to have the hardware acceleration. Plus, if yours does, I am not sure whether the /interface bridge port pvid setting configures the switch chip ports accordingly or whether you have to dive into the /interface ethernet switch menu to configure that.
 
mkx
Forum Guru
Posts: 4317
Joined: Thu Mar 03, 2016 10:23 pm

Re: Setting up a VLAN that bypasses NAT/Firewall

Sat Jul 28, 2018 4:35 pm

If the WAP tagged all SSIDs, and all ether ports were tagged as well, there would be no hybrid ports in the setup. I really prefer either "no VLAN" or "all VLAN" solutions; I'm no fan of mixed solutions.
BR,
Metod
 
alaskanjackal
newbie
Topic Author
Posts: 25
Joined: Tue Sep 29, 2015 1:29 pm

Re: Setting up a VLAN that bypasses NAT/Firewall

Sat Jul 28, 2018 8:17 pm

Wow, thanks for the replies. I was thinking nothing had happened because I hadn't gotten any email alerts from the forum, so I was surprised to log in today and see!

Right, and thanks for the ASCII art to help clarify what the set-up should be. I think I was conceptually close. A couple of points:

-My device is the 750Gr3. CPU shouldn't be a limiting factor, but I might as well take advantage of hardware acceleration if possible, so a mild preference for mkx's proposal.
-I don't mind making a fully trunked port for the WAP and having it tag both SSIDs (i.e. 10 for WAN-side public traffic and 20 for LAN-side NATted traffic). Didn't occur to me earlier but it's easy enough to do.

I'm struggling with how to implement it, though. Sort of grasping at straws here, I did:

/interface vlan add interface=bridge1 vlan-id=20 name=lan-if
/interface vlan add interface=ether1 vlan-id=10 name=wan-if
/interface bridge port set interface=ether1 pvid=10
/interface bridge port set interface=ether2-master pvid=20
/interface bridge port set interface=ether3 pvid=20

No go.

Just to try something in addition, I then also did:

/interface ethernet switch port edit ether1 default-vlan-id and set it to 10
/interface ethernet switch port edit ether2-master default-vlan-id and set it to 20
/interface ethernet switch port edit ether3-master default-vlan-id and set it to 20

After doing that, traffic tagged with VLAN 10 was not able to obtain an IP address from my ISP's DHCP server, so I presume I erred somewhere.

Also of note, my srcnat and firewall drop rules are currently applied to ether1, in case that needs to change. Also, I forgot (before undoing this configuration) to enable VLAN Filtering on bridge1 (which I had tried yesterday but to no avail), in case that matters. Also, do I need to strip VLAN headers on ether1 to avoid passing the VLAN 10 tag out to my ISP on that interface?

I'm probably very lost here, I know. :)

FWIW, here's my config after implementing the above:
[admin@MikroTik] > /export hide-sensitive terse
# jul/28/2018 12:12:33 by RouterOS 6.42.6
# software id = DYMH-RJ3W
#
# model = RouterBOARD 750G r3
# serial number = xxx
/interface bridge add admin-mac=xx:xx auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none
/interface ethernet set [ find default-name=ether2 ] name=ether2-master
/interface list add exclude=dynamic name=discover
/interface list add name=mactel
/interface list add name=mac-winbox
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot
/ip pool add name=dhcp ranges=192.168.56.10-192.168.56.254
/ip pool add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge1 name=defconf
/port set 0 name=usb1
/interface ppp-client add data-channel=1 default-route-distance=2 disabled=no info-channel=1 name=ppp-out1 port=usb1
/ppp profile set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridge1 interface=ether4
/interface bridge port add bridge=bridge1 interface=ether5
/interface bridge port add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings set discover-interface-list=discover
/interface l2tp-server server set enabled=yes use-ipsec=yes
/interface list member add interface=bridge1 list=discover
/interface list member add interface=ether3 list=discover
/interface list member add interface=ether4 list=discover
/interface list member add interface=ether5 list=discover
/interface list member add interface=bridge1 list=mactel
/interface list member add interface=bridge1 list=mac-winbox
/interface pptp-server server set enabled=yes
/interface sstp-server server set default-profile=default-encryption enabled=yes
/ip address add address=192.168.56.1/24 comment=defconf interface=bridge1 network=192.168.56.0
/ip cloud set ddns-enabled=yes
/ip dhcp-client add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network add address=192.168.56.0/24 comment=defconf dhcp-option=ntp-server,tftp-server-host,tftp-server-host-polycom,time-offset,unifi gateway=192.168.56.1 netmask=24
/ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,9.9.9.10
/ip dns static add address=192.168.56.1 name=router
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
/ip firewall filter add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
/ip firewall filter add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
/ip firewall filter add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
/ip firewall filter add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
/ip firewall filter add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
/ip firewall filter add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
/ip firewall filter add action=drop chain=input in-interface=ppp-out1
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall filter add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ppp-out1
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
/ip firewall nat add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip firewall nat add action=masquerade chain=srcnat out-interface=ppp-out1
/ipv6 dhcp-client add add-default-route=yes interface=ether1 pool-name=isp-ipv6 request=address,prefix
/system clock set time-zone-name=America/Chicago
/system ntp client set enabled=yes server-dns-names=time.nist.gov,pool.ntp.org
/system routerboard settings set silent-boot=no
/tool mac-server set allowed-interface-list=mactel
/tool mac-server mac-winbox set allowed-interface-list=mac-winbox
 
mkx
Forum Guru
Posts: 4317
Joined: Thu Mar 03, 2016 10:23 pm

Re: Setting up a VLAN that bypasses NAT/Firewall

Sat Jul 28, 2018 10:38 pm

My setup originates from pre-6.41 times so it's kinda a mess when you look at it from a post-6.42 perspective. Therefore I'm hesitant to post my config. Anyhow, I deal with VLANs in /interface ethernet switch (both in port and vlan). The only VLAN-related stuff I do on the bridge is creation of vlan interfaces. Other than that I'm considering the bridge as a dumb switch. If you go this way, don't forget to add the switch1-cpu "port" to the list of VLAN members or else that VLAN will not be seen by the RB's CPU.

One day I'll have to re-do my setup for ROS 6.42 from scratch. I'm waiting for it to start itching ;-)

To return to your setup: it is quite complicated actually. It's got some ppp-client running over USB. And your setup was converted from pre-6.42 as well. Anyway, if you go the full-VLAN path, then you'll have to rework most of the setup except for the firewall ... but you might want to revise it as well.
BR,
Metod
 
alaskanjackal
newbie
Topic Author
Posts: 25
Joined: Tue Sep 29, 2015 1:29 pm

Re: Setting up a VLAN that bypasses NAT/Firewall

Sun Jul 29, 2018 12:57 am

The ppp-over-USB thing is a cellular connection that's for primary-WAN-failover purposes but not in active use (I actually have it completely unplugged right now, since my WAN literally never goes down).

I'm still a bit confused at how to implement this but will keep trying different things...maybe it's just easier to go with sindy's set-up for now if that will work.

Anyway, thanks for continuing to help!
 
alaskanjackal
newbie
Topic Author
Posts: 25
Joined: Tue Sep 29, 2015 1:29 pm

Re: Setting up a VLAN that bypasses NAT/Firewall

Sun Jul 29, 2018 1:42 am

OK, I'll just post my config after trying to implement sindy's suggestions here so you guys can all laugh at me. Of course it didn't work, but I just can't make heads or tails of it. I'm having trouble understanding how the /interface bridge vlan stuff plays with the /interface vlan stuff (and if it's necessary to also involve /interface ethernet switch stuff).

One thing that I think is missing from this config is telling the LAN ports to treat untagged traffic as part of VLAN 20 and to treat untagged traffic on ether1 (or bridge-wan) or whatever as VLAN 10.

But anyway, this is as far as I got before getting completely lost in the weeds:
# jul/28/2018 17:36:17 by RouterOS 6.42.6
# software id = DYMH-RJ3W
#
# model = RouterBOARD 750G r3
# serial number = xx
/interface bridge add fast-forward=no name=bridge-wan pvid=10 vlan-filtering=yes
/interface bridge add admin-mac=xx:xx auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none
/interface ethernet set [ find default-name=ether2 ] name=ether2-master
/interface vlan add interface=bridge1 name=lan-if vlan-id=20
/interface vlan add interface=bridge-wan name=wan-if vlan-id=10
/interface list add exclude=dynamic name=discover
/interface list add name=mactel
/interface list add name=mac-winbox
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot
/ip pool add name=dhcp ranges=192.168.56.10-192.168.56.254
/ip pool add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge1 name=defconf
/port set 0 name=usb1
/interface ppp-client add data-channel=1 default-route-distance=2 disabled=no info-channel=1 name=ppp-out1 port=usb1
/ppp profile add name=openvpn-client use-compression=no use-encryption=yes use-ipv6=no use-mpls=no
/ppp profile set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridge1 interface=ether4
/interface bridge port add bridge=bridge1 interface=ether5
/interface bridge port add bridge=bridge1 interface=ether2-master
/interface bridge port add bridge=bridge-wan interface=ether1 pvid=10
/interface bridge port add bridge=bridge-wan interface=wan-if
/ip neighbor discovery-settings set discover-interface-list=discover
/interface l2tp-server server set enabled=yes use-ipsec=yes
/interface list member add interface=bridge1 list=discover
/interface list member add interface=ether3 list=discover
/interface list member add interface=ether4 list=discover
/interface list member add interface=ether5 list=discover
/interface list member add interface=bridge1 list=mactel
/interface list member add interface=bridge1 list=mac-winbox
/interface pptp-server server set enabled=yes
/interface sstp-server server set default-profile=default-encryption enabled=yes
/ip address add address=192.168.56.1/24 comment=defconf interface=bridge1 network=192.168.56.0
/ip cloud set ddns-enabled=yes
/ip dhcp-client add comment=defconf dhcp-options=hostname,clientid disabled=no interface=bridge-wan use-peer-dns=no
/ip dhcp-server lease add address=192.168.56.2 client-id=1:9c:93:4e:22:93:4 mac-address=xx:xx server=defconf
/ip dhcp-server network add address=192.168.56.0/24 comment=defconf dhcp-option=ntp-server,tftp-server-host,tftp-server-host-polycom,time-offset,unifi gateway=192.168.56.1 netmask=24
/ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,9.9.9.10
/ip dns static add address=192.168.56.1 name=router
/ip dns static add address=68.235.32.116 name=unifi ttl=1m
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
/ip firewall filter add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
/ip firewall filter add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
/ip firewall filter add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
/ip firewall filter add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
/ip firewall filter add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
/ip firewall filter add action=drop chain=input comment="defconf: drop all from WAN" in-interface=bridge-wan
/ip firewall filter add action=drop chain=input in-interface=ppp-out1
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=bridge-wan
/ip firewall filter add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ppp-out1
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=bridge-wan
/ip firewall nat add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip firewall nat add action=masquerade chain=srcnat out-interface=ppp-out1
/ipv6 dhcp-client add add-default-route=yes interface=ether1 pool-name=isp-ipv6 request=address,prefix
/ppp secret add name=vpn
/system clock set time-zone-name=America/Chicago
/system ntp client set enabled=yes server-dns-names=time.nist.gov,pool.ntp.org
/system routerboard settings set silent-boot=no
/tool mac-server set allowed-interface-list=mactel
/tool mac-server mac-winbox set allowed-interface-list=mac-winbox
 
sindy
Forum Guru
Posts: 5334
Joined: Mon Dec 04, 2017 9:19 pm

Re: Setting up a VLAN that bypasses NAT/Firewall

Sun Jul 29, 2018 1:05 pm

Referring to your last configuration, you have to decide between my configuration suggestion and Metod's, but you've somehow combined them both.
So with a single bridge and two VLANs (Metod's approach, except that you want the wired LAN clients tagless, so ether3 through ether5 will be access ports for VLAN 20), and assuming that ether1 is connected to the ISP and the WAP is connected to ether2, it looks as follows:


                 L2                    L3
            single-bridge      
           vlan10   vlan20
             |        |
            (T)-------+----if-vlan-wan
             |        |            dhcp-client
ether1 -----(A)------(T)                ^
             |        |                 |
ether2 -----(T)------(T)                |
             |        |              routing
ether3 -----(T)------(A)                |
             :        :                 |
             :        :                 v
ether5 -----(T)------(A)           dhcp-server
             |        |             static IP
             |       (T)---if-vlan-lan
             |        |

(A) - the port is an Access one for that VLAN:
        - tagless frames are tagged on ingress with that VLAN-ID,
        - frames with that VLAN-ID are untagged on egress
(T) - the port is a Trunk one for that VLAN:
        - frames from this VLAN are not untagged on egress
The corresponding configuration is:
/interface bridge
add name=bridge-single pvid=1 vlan-filtering=no

/interface vlan
add name=if-vlan-wan interface=bridge-single vlan-id=10
add name=if-vlan-lan interface=bridge-single vlan-id=20

/interface bridge port
add bridge=bridge-single interface=ether1 pvid=10
add bridge=bridge-single interface=ether2 pvid=1
add bridge=bridge-single interface=ether3 pvid=20
add bridge=bridge-single interface=ether4 pvid=20
add bridge=bridge-single interface=ether5 pvid=20
The dhcp-client will be attached to if-vlan-wan, and this must also be the WAN interface in your firewall rules; if-vlan-lan is the LAN in your firewall rules, and the static IP configuration and the dhcp-server for wired and wireless LAN clients are attached to it.

You don't need to set anything in the /interface bridge vlan section unless you decide to switch on vlan-filtering on the bridge; doing so would prevent the hardware accelerated L2 forwarding for sure (on this hardware; high-end models behave differently).

If you don't configure the machine using Winbox or serial console, it is highly recommended to remove one of the ports (like ether5) from the bridge to which it is currently connected, attach a static IP address from some subnet unused in the target configuration to it, and configure the rest while connected to that port. Once the new configuration is tested to work, you can remove the IP configuration from that interface and make it a member of bridge-single as in the configuration above.
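A toy model of the (A)/(T) port semantics in the legend above, added here for this thread (it is not code from the post or from RouterOS): it floods one broadcast frame through a single bridge laid out like the hEX under discussion (ether1 to the ISP as a VLAN 10 access port, ether3 to the WAP as a hybrid port carrying VLAN 20 untagged and VLAN 10 tagged, the remaining ports as VLAN 20 access ports, and a "cpu" port standing in for if-vlan-wan/if-vlan-lan) and reports which ports the frame leaves and with which tag. With vlan_filtering=False it behaves as the dumb switch mkx describes, and the same LAN frame floods out of the ISP port; port names and memberships are constructed assumptions.

```python
"""Toy model of a VLAN-aware bridge for the single-bridge, two-VLAN design in
this thread (VLAN 10 = public/ISP side, VLAN 20 = private LAN).  The port
layout is a constructed example, not a RouterOS export; 'cpu' stands for the
router's own /interface vlan endpoints (if-vlan-wan, if-vlan-lan)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    name: str
    pvid: int                                         # VLAN given to tagless ingress frames
    untagged: Set[int] = field(default_factory=set)   # (A) access VLANs: egress untagged
    tagged: Set[int] = field(default_factory=set)     # (T) trunk VLANs: egress keeps tag

    def member_of(self, vid: int) -> bool:
        return vid in self.untagged or vid in self.tagged


@dataclass(frozen=True)
class Frame:
    src_port: str
    vlan: Optional[int] = None   # None = tagless on the wire
    dst_mac: str = BROADCAST     # broadcast, so the bridge floods it


class Bridge:
    def __init__(self, vlan_filtering: bool) -> None:
        self.vlan_filtering = vlan_filtering
        self.ports: Dict[str, Port] = {}

    def add_port(self, port: Port) -> None:
        self.ports[port.name] = port

    def forward(self, frame: Frame) -> Dict[str, Optional[int]]:
        """Flood a broadcast frame; return {egress port: VLAN tag on the wire}.
        A value of None means the frame leaves that port untagged."""
        ingress = self.ports[frame.src_port]
        others = [p for n, p in self.ports.items() if n != frame.src_port]
        if not self.vlan_filtering:
            # Dumb switch: pvid and memberships are ignored and every other port
            # receives the frame exactly as it arrived.  This is how LAN and WAN
            # end up bridged together.
            return {p.name: frame.vlan for p in others}
        vid = ingress.pvid if frame.vlan is None else frame.vlan
        if frame.vlan is not None and not ingress.member_of(vid):
            return {}                 # ingress filtering: port is not a member, drop
        out: Dict[str, Optional[int]] = {}
        for p in others:
            if vid in p.untagged:
                out[p.name] = None    # (A): tag stripped on egress
            elif vid in p.tagged:
                out[p.name] = vid     # (T): tag kept on egress
        return out                    # ports in neither set never see the frame


PUBLIC, LAN, MGMT = 10, 20, 1


def build_bridge(vlan_filtering: bool) -> Bridge:
    """Constructed hEX-style layout: ether1 to the ISP, ether3 to the WAP as a
    hybrid port (LAN/management untagged, public SSID tagged), ether2/4/5 as
    wired LAN access ports, 'cpu' tagged in both VLANs for the router itself."""
    b = Bridge(vlan_filtering)
    b.add_port(Port("ether1", pvid=PUBLIC, untagged={PUBLIC}))
    b.add_port(Port("ether2", pvid=LAN, untagged={LAN}))
    b.add_port(Port("ether3", pvid=LAN, untagged={LAN}, tagged={PUBLIC}))
    b.add_port(Port("ether4", pvid=LAN, untagged={LAN}))
    b.add_port(Port("ether5", pvid=LAN, untagged={LAN}))
    b.add_port(Port("cpu", pvid=MGMT, tagged={PUBLIC, LAN}))
    return b


def lan_reaches_isp(vlan_filtering: bool) -> bool:
    """Does a tagless frame from a wired LAN port get flooded out to the ISP?"""
    egress = build_bridge(vlan_filtering).forward(Frame("ether4"))
    return "ether1" in egress


if __name__ == "__main__":
    for filtering in (False, True):
        b = build_bridge(filtering)
        print(f"vlan-filtering={filtering}:")
        print("  LAN port ether4, tagless      ->", b.forward(Frame("ether4")))
        print("  public SSID via ether3, tag 10 ->", b.forward(Frame("ether3", PUBLIC)))
        print("  ISP via ether1, tagless       ->", b.forward(Frame("ether1")))
```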
 
alaskanjackal
newbie
Topic Author
Posts: 25
Joined: Tue Sep 29, 2015 1:29 pm

Re: Setting up a VLAN that bypasses NAT/Firewall

Mon Jul 30, 2018 5:05 am

Combining the two methods certainly wasn't my intent! I was actually trying to follow yours...but like I said before, I'm just lost at how bridges and VLANs work together. :)

Anyway, I decided to reset my config to factory default and then try to implement what you suggested in your latest post. Unfortunately, it didn't work...though what did end up happening is that all of the devices on my LAN ended up pulling IP addresses from my ISP, so somehow I must have ended up bridging the LAN and WAN together.

The other note: I'm going to have to go with a hybrid port on the WAP (which is on ether3) rather than a fully trunked port because the UniFi effectively requires its management interface to be on an untagged connection (there are some ways to partially work around that, but it's more hassle than it's worth). So I need ether3 to be an access port for VLAN20.

Here's the factory default config:
[admin@MikroTik] > /export hide-sensitive terse
# jan/02/1970 00:01:15 by RouterOS 6.42.6
# software id = DYMH-RJ3W
#
# model = RouterBOARD 750G r3
# serial number = xxx
/interface bridge add admin-mac=xx:xx auto-mac=no comment=defconf name=bridge
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface=ether3
/interface bridge port add bridge=bridge comment=defconf interface=ether4
/interface bridge port add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings set discover-interface-list=LAN
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns set allow-remote-requests=yes
/ip dns static add address=192.168.88.1 name=router.lan
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall address-list add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
/ipv6 firewall address-list add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall address-list add address=::/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall address-list add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system routerboard settings set silent-boot=no
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
[admin@MikroTik] >
Here's the config after applying:
[admin@MikroTik] > /export hide-sensitive terse
# jul/29/2018 00:24:21 by RouterOS 6.42.6
# software id = DYMH-RJ3W
#
# model = RouterBOARD 750G r3
# serial number = xxx
/interface bridge add admin-mac=xx:xx auto-mac=no comment=defconf name=bridge
/interface vlan add interface=bridge name=if-vlan-lan vlan-id=20
/interface vlan add interface=bridge name=if-vlan-wan vlan-id=10
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot
/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add address-pool=default-dhcp disabled=no interface=if-vlan-lan name=defconf
/interface bridge port add bridge=bridge comment=defconf interface=ether2 pvid=20
/interface bridge port add bridge=bridge comment=defconf interface=ether3 pvid=20
/interface bridge port add bridge=bridge comment=defconf interface=ether4 pvid=20
/interface bridge port add bridge=bridge comment=defconf interface=ether5 pvid=20
/interface bridge port add bridge=bridge interface=ether1 pvid=10
/ip neighbor discovery-settings set discover-interface-list=LAN
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client add comment=defconf dhcp-options=hostname,clientid disabled=no interface=if-vlan-wan
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns set allow-remote-requests=yes
/ip dns static add address=192.168.88.1 name=router.lan
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=if-vlan-wan
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=if-vlan-wan
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall address-list add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
/ipv6 firewall address-list add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall address-list add address=::/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall address-list add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system routerboard settings set silent-boot=no
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
[admin@MikroTik] >
After applying that, my clients get new IP addresses issued directly by the ISP and can no longer communicate with the router, so I'm clearly screwing something up! I don't know how, though, because the clients *should* all be on VLAN 20 (if-vlan-lan) and shouldn't be able to talk directly to VLAN 10. Again, I'm just missing a mental link somewhere with how the bridge plays with VLANs on the MT platform.

I really do appreciate your patience with my obvious stupidity, here!
 
sindy
Forum Guru
Forum Guru
Posts: 5334
Joined: Mon Dec 04, 2017 9:19 pm

Re: Setting up a VLAN that bypasses NAT/Firewall

Mon Jul 30, 2018 10:30 am

While you have missed some points in the L3 part, the fact that the L2 one doesn't perform as expected is due to my stupidity, not yours. I was suspecting that the access/hybrid ports won't be that easy but I should have looked into it more.

So to fix the L2 (and to lose the hardware acceleration, unfortunately, as the switch chip of the 750Gr3 simply doesn't support VLANs), you'll have to add the following configuration:

/interface bridge vlan add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether1
/interface bridge vlan add bridge=bridge vlan-ids=20 tagged=bridge untagged=ether2,ether3,ether4,ether5

/interface bridge set bridge vlan-filtering=yes


After doing this, the tagless clients stop getting their DHCP addresses from the ISP, but won't get them from your 'Tik either due to some L3 misconfigurations.

So to fix it, do the following:
/ip address set interface=if-vlan-lan [find interface=bridge]
This is to attach the static LAN address to the proper interface - you have attached the DHCP server to it properly but not the 'Tik's own address.

Then, it is important to know that in the firewall rules, the parameters in-interface-list and out-interface-list do not hold a freely defined list of interfaces such as if1,if2,if3 but refer to an /interface list defined elsewhere in configuration and populated by /interface list member items. You can refer to a single interface directly in a firewall rule, but the relevant parameters are in-interface and out-interface; nevertheless, the use of interface lists allows you to use fewer, and more readable, rules once you grasp the concept.

So the next step will be
/ip firewall filter set in-interface-list=WAN [find in-interface-list=if-vlan-wan]
/ip firewall nat set out-interface-list=WAN [find out-interface-list=if-vlan-wan]
/interface list member set interface=if-vlan-wan [find interface=ether1]

to revert the firewall to its default state regarding WAN and to assign the proper L3 interface (if-vlan-wan) to the WAN list - ether1 is not an L3 interface any more.
And the same for the LAN side:
/interface list member set interface=if-vlan-lan [find interface=bridge]
as again, the if-vlan-lan is the L3 LAN interface, not the bridge.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
alaskanjackal
newbie
Topic Author
Posts: 25
Joined: Tue Sep 29, 2015 1:29 pm

Re: Setting up a VLAN that bypasses NAT/Firewall

Tue Jul 31, 2018 7:57 am

While you have missed some points in the L3 part, the fact that the L2 one doesn't perform as expected is due to my stupidity, not yours. I was suspecting that the access/hybrid ports won't be that easy but I should have looked into it more.
No worries! I'm just glad you're taking the time to help in a super-clear and super-helpful fashion. You're a credit to these forums.

Now we're getting somewhere!

The /interface bridge VLAN was the missing link--not just in the config for this device, but also in my mind for telling the Tik what interface to send untagged traffic to.

I adapted your suggestions to my existing config (rather than starting from the default) and it's working--for VLAN 20. So moving everything over to if-vlan-lan has worked--DHCP gives addresses out to (untagged) LAN devices, NAT works, I can ping and log in to the Tik, etc. That's an improvement from before, when everything would just die and become unreachable!

But the tagged VLAN (VLAN 10) won't pull an IP address from the external DHCP server. So somewhere along the way, ether1 isn't passing incoming traffic to VLAN 10 or VLAN 10 isn't passing the (tagged) traffic to ether3. Hopefully it's a small thing I'm missing.

Here's my current config:
[admin@MikroTik] > /export hide-sensitive terse
# jul/30/2018 23:48:30 by RouterOS 6.42.6
# software id = DYMH-RJ3W
#
# model = RouterBOARD 750G r3
# serial number = xxx
/interface bridge add admin-mac=xx:xx auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none vlan-filtering=yes
/interface ethernet set [ find default-name=ether2 ] name=ether2-master
/interface vlan add interface=bridge1 name=if-vlan-lan vlan-id=20
/interface vlan add interface=bridge1 name=if-vlan-wan vlan-id=10
/interface list add exclude=dynamic name=discover
/interface list add name=mactel
/interface list add name=mac-winbox
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot
/ip pool add name=dhcp ranges=192.168.56.10-192.168.56.254
/ip pool add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=if-vlan-lan name=defconf
/port set 0 name=usb1
/interface bridge port add bridge=bridge1 interface=ether3 pvid=20
/interface bridge port add bridge=bridge1 interface=ether4
/interface bridge port add bridge=bridge1 interface=ether5
/interface bridge port add bridge=bridge1 interface=ether2-master pvid=20
/interface bridge port add bridge=bridge1 interface=ether1 pvid=10
/ip neighbor discovery-settings set discover-interface-list=discover
/interface bridge vlan add bridge=bridge1 tagged=bridge1 untagged=ether1 vlan-ids=10
/interface bridge vlan add bridge=bridge1 tagged=bridge1 untagged=ether2-master,ether3,ether4,ether5 vlan-ids=20
/interface l2tp-server server set enabled=yes use-ipsec=yes
/interface list member add interface=bridge1 list=discover
/interface list member add interface=ether3 list=discover
/interface list member add interface=ether4 list=discover
/interface list member add interface=ether5 list=discover
/interface list member add interface=ovpn-jcltel list=discover
/interface list member add interface=bridge1 list=mactel
/interface list member add interface=bridge1 list=mac-winbox
/interface pptp-server server set enabled=yes
/interface sstp-server server set default-profile=default-encryption enabled=yes
/ip address add address=192.168.56.1/24 comment=defconf interface=if-vlan-lan network=192.168.56.0
/ip cloud set ddns-enabled=yes
/ip dhcp-client add comment=defconf dhcp-options=hostname,clientid disabled=no interface=if-vlan-wan use-peer-dns=no
/ip dhcp-server network add address=192.168.56.0/24 comment=defconf gateway=192.168.56.1 netmask=24
/ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,9.9.9.10
/ip dns static add address=192.168.56.1 name=router
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
/ip firewall filter add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
/ip firewall filter add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
/ip firewall filter add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
/ip firewall filter add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
/ip firewall filter add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
/ip firewall filter add action=drop chain=input comment="defconf: drop all from WAN" in-interface=if-vlan-wan
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=if-vlan-wan
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=if-vlan-wan
/ip firewall nat add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ipv6 dhcp-client add add-default-route=yes interface=ether1 pool-name=isp-ipv6 request=address,prefix
/ppp secret add name=xxx
/system clock set time-zone-name=America/Chicago
/system ntp client set enabled=yes server-dns-names=time.nist.gov,pool.ntp.org
/system routerboard settings set silent-boot=no
/tool mac-server set allowed-interface-list=mactel
/tool mac-server mac-winbox set allowed-interface-list=mac-winbox
[admin@MikroTik] >
Thanks again for all your help--not just for this specific config, but helping me to grasp the concept of VLANning on the Tik. :)
 
sindy
Forum Guru
Forum Guru
Posts: 5334
Joined: Mon Dec 04, 2017 9:19 pm

Re: Setting up a VLAN that bypasses NAT/Firewall

Tue Jul 31, 2018 12:07 pm

Ehm... I must have been sleeping.

Extend

/interface bridge vlan add bridge=bridge1 tagged=bridge1 untagged=ether1 vlan-ids=10

to

/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether3 untagged=ether1 vlan-ids=10

(or you may add the other ports to the tagged list if you need).

Background:
  • if tagless packets received on ether1 weren't getting tagged with VLAN ID 10, the if-vlan-wan would not get its IP address either. So this part must have been OK.
  • the line in /interface bridge vlan specifies membership and mode in cooperation with a line in /interface bridge port; interfaces on the untagged list in the former must have a proper pvid set in the latter. If that VLAN should get anywhere outside the switch chip (to /interface vlan or to L2 tunnels, wireless interfaces or other switch chips on the same board), the bridge itself must be listed as its own member port.
  • I forgot about /interface bridge vlan because my mind was in "hardware accelerated VLANs" mode and in this mode the vlan tagging and untagging on access/hybrid ports is configured using /interface ethernet switch, but this cannot be done on your hardware.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
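A small Python model of the bridge VLAN semantics described in the post above, added here as an illustration (it is not code from the thread or from MikroTik): it encodes the poster's /interface bridge port pvids and /interface bridge vlan entries before and after the correction and reports which ports a frame reaches. Port names and VLAN IDs are taken from the export above; the ingress-filtering flag is an assumption of the model (RouterOS 6 bridge ports default to ingress-filtering=no, so it is set explicitly where it matters).

```python
"""Toy model of RouterOS bridge VLAN filtering (added illustration, not from the thread).

It follows the two tables the thread discusses: /interface bridge port gives each port
a pvid, and /interface bridge vlan lists the tagged and untagged members of each VLAN.
A tagless frame takes its ingress port's pvid; a frame is flooded only to member ports,
tagged on 'tagged' members and tagless on 'untagged' members. The bridge itself is a
member port; that is the path to the /interface vlan (L3) interfaces on the CPU.
Simplifications: no MAC learning (every frame is flooded) and no dynamic pvid entries.
"""
from dataclasses import dataclass, field


@dataclass
class BridgeVlanTable:
    pvid: dict                      # port -> pvid, as set in /interface bridge port
    ingress_filtering: bool = True  # assumed here; RouterOS 6 bridge ports default to no
    vlans: dict = field(default_factory=dict)  # vid -> {"tagged": set, "untagged": set}

    def add_vlan(self, vid, tagged=(), untagged=()):
        """Equivalent of '/interface bridge vlan add vlan-ids=vid tagged=... untagged=...'."""
        self.vlans[vid] = {"tagged": set(tagged), "untagged": set(untagged)}

    def forward(self, in_port, tag=None):
        """Egress ports for one frame: {port: vid if sent tagged, None if sent tagless}.
        tag=None means the frame arrived tagless and is classified by the port pvid."""
        vid = tag if tag is not None else self.pvid.get(in_port, 1)
        members = self.vlans.get(vid)
        if members is None:
            return {}                      # VLAN unknown to the bridge: frame is dropped
        allowed = members["tagged"] | members["untagged"]
        if self.ingress_filtering and in_port not in allowed:
            return {}                      # ingress port is not a member of that VLAN
        return {p: (vid if p in members["tagged"] else None)
                for p in allowed if p != in_port}


# Ports from the poster's export: ether1 faces the ISP, ether3 faces the UniFi AP.
PVID = {"ether1": 10, "ether2-master": 20, "ether3": 20}


def table_before_fix(ingress_filtering=True):
    """Bridge VLAN table as in the export: VLAN 10 is tagged on the bridge only."""
    t = BridgeVlanTable(dict(PVID), ingress_filtering)
    t.add_vlan(10, tagged={"bridge1"}, untagged={"ether1"})
    t.add_vlan(20, tagged={"bridge1"}, untagged={"ether2-master", "ether3"})
    return t


def table_after_fix(ingress_filtering=True):
    """Same table after the correction: ether3 becomes a tagged member of VLAN 10."""
    t = table_before_fix(ingress_filtering)
    t.vlans[10]["tagged"].add("ether3")
    return t


def isp_reaches_ap(t):
    """Does a tagless ISP frame on ether1 leave ether3 carrying tag 10 (the AP's SSID)?"""
    return t.forward("ether1").get("ether3") == 10


def lan_leaks_to_isp(t):
    """Does any frame from a LAN (pvid 20) port, tagless or tagged 20, ever reach ether1?"""
    return any("ether1" in t.forward(p, tag)
               for p in ("ether2-master", "ether3") for tag in (None, 20))


if __name__ == "__main__":
    for name, t in (("before", table_before_fix()), ("after", table_after_fix())):
        print(name, "ether1 tagless ->", t.forward("ether1"),
              "| ISP reaches AP:", isp_reaches_ap(t),
              "| LAN leaks to ISP:", lan_leaks_to_isp(t))
```

Before the fix the ISP frame reaches only the bridge (so if-vlan-wan gets its lease, as observed) but never ether3; after it, ether3 receives it tagged while the pvid-20 ports still never reach ether1.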
 
alaskanjackal
newbie
Topic Author
Posts: 25
Joined: Tue Sep 29, 2015 1:29 pm

Re: Setting up a VLAN that bypasses NAT/Firewall

Tue Jul 31, 2018 7:34 pm

Ehm... I must have been sleeping.

Extend

/interface bridge vlan add bridge=bridge1 tagged=bridge1 untagged=ether1 vlan-ids=10

to

/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether3 untagged=ether1 vlan-ids=10

(or you may add the other ports to the tagged list if you need).

Background:
  • if tagless packets received on ether1 weren't getting tagged with VLAN ID 10, the if-vlan-wan would not get its IP address either. So this part must have been OK.
  • the line in /interface bridge vlan specifies membership and mode in cooperation with a line in /interface bridge port; interfaces on the untagged list in the former must have a proper pvid set in the latter. If that VLAN should get anywhere outside the switch chip (to /interface vlan or to L2 tunnels, wireless interfaces or other switch chips on the same board), the bridge itself must be listed as its own member port.
  • I forgot about /interface bridge vlan because my mind was in "hardware accelerated VLANs" mode and in this mode the vlan tagging and untagging on access/hybrid ports is configured using /interface ethernet switch, but this cannot be done on your hardware.
We have success!

I didn't try that last night because I was assuming that a) you were correct in your original post and b) the bridge being marked as a tagged port on the VLAN would cause the VLAN tags on anything connected to the bridge to be read. Never occurred to me that a) was wrong, so I didn't think b) could be wrong. :P

Anyway, beautiful! Test is working perfectly. Not sure if I'll keep the config long-term as the lack of hardware acceleration does cap my LAN interface speeds at ~300 Mbps (CPU pegs at 50%; I natively have gigabit fiber... the bypassed-WAN-direct speeds seem unaffected, though, so those are still being accelerated, I guess). But it's good to be able to flip back and forth in the config to test things when I have a double-NAT-related issue or want to do some testing to see if my ISP has enabled IPv6 as they claim they are in the process of doing. And it was a very fun experiment--learning how to do VLANs is invaluable, too. Thanks!
