RackKing
Member
Topic Author
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?

Fri Nov 30, 2018 9:59 pm

Hi,

I have some VLANs running on one main bridge. Everything is working with use IP Firewall turned off, but when I turn it on DNS resolution stops working. I have the appropriate DNS rules to allow input to router from these networks specified with address lists.

Vlan filtering is used on the bridge with specific ports for trunk, access, hybrid etc... all working properly.

I have some guest VLAN users on wifi and LAN connections and am trying to isolate them from one another. That part works but breaks the DNS for all other subnets.

What am I missing?
Last edited by RackKing on Sun Dec 02, 2018 5:06 pm, edited 4 times in total.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: DNS stops working with use IP Firewall & IP VLAN?

Fri Nov 30, 2018 11:22 pm

RackKing wrote:
What am I missing?
As you didn't show any configuration, I can only guess: proper firewall rules?
 
RackKing
Member
Topic Author
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

Re: DNS stops working with use IP Firewall & IP VLAN?

Fri Nov 30, 2018 11:48 pm

Thank you for your reply.

The system is working with this unchecked. I have input rules working that allow in UDP and TCP requests from the LAN on port 53 while blocking WAN requests. Name resolution is working properly. When I turn on Bridge / use IP firewall / use VLAN that rule stops running.

There are no filter rules on the bridge.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS stops working with Bridge use IP Firewall & IP VLAN?

Fri Nov 30, 2018 11:52 pm

Please post your config if you want assistance.
You're asking us to find the black dot in a barrel full of sand, no fun ;-)
 
RackKing
Member
Topic Author
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

Re: DNS stops working with Bridge use IP Firewall & IP VLAN?

Sun Dec 02, 2018 5:05 pm

Thank you all for your replies. I have narrowed it down some, but must admit I am not sure why it is failing to work. I have a NAT redirect rule for DNS. That is the rule that stops the DNS from resolving with IP firewall and VLAN use turned on. When they are disabled DNS works fine. In torch - the moment those are turned on the dns/53 packets disappear but the counter on the NAT rule runs... I tried an action dst-nat rule to send them to the router for DNS but that failed as well. I think this is working the way it is supposed to, and getting the DNS allowed is where I am going wrong and I just don't get it. Any help or education is appreciated. Sometimes I love ROS and sometimes it makes me crazy... :-)
/interface bridge
add fast-forward=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=wan
set [ find default-name=ether2 ] comment=v90
set [ find default-name=ether3 ] comment=v88
set [ find default-name=ether4 ] comment=v90
set [ find default-name=ether5 ] comment="admin"
/interface vlan
add interface=bridge name=v88 vlan-id=88
add interface=bridge name=v89 vlan-id=89
add interface=bridge name=v90 vlan-id=90
/interface list
add name=LAN
add name=WAN
/ip pool
add name=v88 ranges=192.168.88.10-192.168.88.254
add name=v90 ranges=192.168.90.10-192.168.90.254
add name=v89 ranges=192.168.89.10-192.168.89.254
/ip dhcp-server
add address-pool=v88 disabled=no interface=v88 lease-time=1d name=v88
add address-pool=v90 disabled=no interface=v90 lease-time=1d name=v90
add address-pool=v89 disabled=no interface=v89 lease-time=1d name=v89
/interface bridge port
add bridge=bridge interface=ether2 pvid=90
add bridge=bridge interface=ether3 pvid=88
add bridge=bridge interface=ether4 pvid=90
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=88
add bridge=bridge tagged=bridge vlan-ids=89
add bridge=bridge tagged=bridge untagged=ether2,ether4 vlan-ids=90
/interface list member
add interface=ether1 list=WAN
add interface=v88 list=LAN
add interface=v89 list=LAN
add interface=v90 list=LAN
/ip address
add address=192.168.88.1/24 interface=v88 network=192.168.88.0
add address=192.168.89.1/24 interface=v89 network=192.168.89.0
add address=192.168.90.1/24 interface=v90 network=192.168.90.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=\
    no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.89.0/24 dns-server=192.168.89.1 gateway=192.168.89.1
add address=192.168.90.0/24 dns-server=192.168.90.1 gateway=192.168.90.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.88.0/24 list=LAN
add address=192.168.89.0/24 list=LAN
add address=192.168.90.0/24 list=LAN
add address=192.168.88.0/24 list=Admin
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input protocol=icmp
add action=accept chain=input src-address-list=Admin
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward dst-address-list=LAN src-address-list=LAN
add action=accept chain=forward out-interface-list=WAN src-address-list=LAN
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface-list=WAN
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address-list=\
    LAN
add action=redirect chain=dstnat dst-port=53 protocol=tcp src-address-list=\
    LAN to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp src-address-list=\
    LAN to-ports=53
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: DNS stops working with use IP Firewall & IP VLAN?

Sun Dec 02, 2018 6:09 pm

RackKing wrote:
The system is working with this unchecked. I have input rules working that allow in UDP and TCP requests from the LAN on port 53 while blocking WAN requests. Name resolution is working properly. When I turn on Bridge / use IP firewall / use VLAN that rule stops running.
There are no filter rules on the bridge.
So if I get you right: you used to have a completely working firewall, and the only thing you've done is that you've set both use-ip-firewall and use-ip-firewall-for-vlan to yes in /interface bridge settings, and your DNS handling rule "stopped working", or, more exactly, the clients stopped receiving DNS responses from the Mikrotik itself?

If so, something in chain=prerouting of your /ip firewall raw or /ip firewall mangle rules may block or redirect DNS requests coming from the clients connected to bridge ports to the IP address of your Mikrotik itself - see these pictures for how /interface bridge settings set use-ip-firewall=yes changes the path of the packet through the system. In other words, in this case, the ip firewall rules mentioned above are used in addition to the /interface bridge filter rules, so even if the bridge filter rule table is empty, the ip firewall rules affect the packet flow.
 
RackKing
Member
Topic Author
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

Re: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?

Sun Dec 02, 2018 7:20 pm

Hi sindy - thanks for taking the time to help.

Well yes - to put it a different way. The firewall works as I desire, but when I added the NAT redirect rule the clients stop getting DNS resolution from the router. This is with the use-ip-firewall and use-ip-firewall-for-vlan enabled on the bridge. The NAT rule keeps counting but the clients get no DNS resolution.

If I disable use-ip-firewall and use-ip-firewall-for-vlan - the redirect rule will start working.

I will check the prerouting mangle and raw rules and report back. I have not put anything there but perhaps the default rules are a problem. I will study the drawing as well.

Thanks again.
 
RackKing
Member
Topic Author
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

Re: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?

Sun Dec 02, 2018 8:06 pm

Hi sindy,

The only things running in the raw or mangle sections are the dummy Fasttrack counters. I assume those would not cause any issue?

Anything else I should check?

Thanks.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?

Sun Dec 02, 2018 8:10 pm

Well, when I started writing my response, your configuration export wasn't there yet, and I didn't notice it appear while sending my response.

The dstnat chain of nat is also part of the "prerouting" path through the IP firewall, so I would suspect that the action=redirect may get confused in the bridging phase and it may set the new destination address to something weird. So I'd try to replace action=redirect by action=dst-nat and specify that hazy "one of the router's own addresses" explicitly using the to-addresses parameter.

Other than that I cannot spot anything suspicious in your configuration.
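The change sindy proposes, written out as an added example (this is not sindy's or RackKing's configuration, only an illustration of the suggestion): the action=redirect rule is replaced by an action=dst-nat rule that names the router's own gateway address for each VLAN subnet via to-addresses, with the matching input rule and the counters a practitioner would watch to confirm the packet actually arrives at the DNS service. Subnets, gateway addresses and the LAN address list are assumed to be the ones from the export posted earlier in the thread; the comment strings are placeholders chosen here.

```routeros
# Added example, not from the thread. Assumes the VLAN subnets and gateway
# addresses from RackKing's export (192.168.88.1/24, 192.168.89.1/24,
# 192.168.90.1/24) and the address list named LAN.

/ip firewall nat
# Original style of rule: RouterOS picks "one of the router's own addresses"
# as the new destination. Kept here disabled for comparison.
add chain=dstnat protocol=udp dst-port=53 src-address-list=LAN \
    action=redirect to-ports=53 disabled=yes comment="dns-redirect-old"

# Suggested replacement: one rule per VLAN, with the destination spelled out.
# dst-address=!<gateway> leaves queries already aimed at the router untouched,
# so only clients trying to use an outside resolver are steered back.
add chain=dstnat protocol=udp dst-port=53 src-address=192.168.88.0/24 \
    dst-address=!192.168.88.1 action=dst-nat to-addresses=192.168.88.1 \
    to-ports=53 comment="dns-force-v88"
add chain=dstnat protocol=udp dst-port=53 src-address=192.168.89.0/24 \
    dst-address=!192.168.89.1 action=dst-nat to-addresses=192.168.89.1 \
    to-ports=53 comment="dns-force-v89"
add chain=dstnat protocol=udp dst-port=53 src-address=192.168.90.0/24 \
    dst-address=!192.168.90.1 action=dst-nat to-addresses=192.168.90.1 \
    to-ports=53 comment="dns-force-v90"
# Repeat the three rules above with protocol=tcp if TCP/53 should be forced too.

/ip firewall filter
# Input is evaluated after dstnat has rewritten the destination, so matching on
# the client source range is enough; established,related (already present in
# the thread's config) lets the replies out.
add chain=input protocol=udp dst-port=53 src-address-list=LAN action=accept \
    comment="dns-input-placeholder"

# Checks. A working path moves both counters for each client query; a NAT
# counter that climbs while the input counter stays flat is the symptom the
# thread describes, and points at the bridge/prerouting stage in between.
/ip firewall nat print stats where comment~"dns-force"
/ip firewall filter print stats where chain=input
# Connection tracking shows what the destination was rewritten to; a weird
# address here is the "something weird" sindy suspects.
/ip firewall connection print where protocol=udp dst-address~":53"
```

The per-subnet split matters for the reply: with a single to-addresses value every client would get answers from one gateway address, and clients on the other VLANs would see a response from an address they never queried and discard it.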
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?

Sun Dec 02, 2018 8:18 pm

I guess the reason for things stopping with use-ip-firewall-for-vlan is that you allow DNS requests from interface list LAN, but that one doesn't contain ether ports ... and those are ports seen by firewall when used for vlan filtering.

Out of curiosity, why do you want to use firewall on traffic between hosts in vlan90 iff they communicate via routerboard? Vlan firewall doesn't add security for devices which are not in same vlan (their traffic will pass the usual IP firewall anyway) and doesn't filter anything if devices can talk to each other directly (i.e. they are connected to same downstream L2 switch).
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?

Sun Dec 02, 2018 8:43 pm

mkx wrote:
I guess the reason for things stopping with use-ip-firewall-for-vlan is that you allow DNS requests from interface list LAN, but that one doesn't contain ether ports ... and those are ports seen by firewall when used for vlan filtering.
@mkx, I'm only theorising here, but the choice between INPUT and FORWARD paths takes place after the ip firewall handling in bridge has already been done, so the /ip firewall filter chain=input should not affect bridge processing even if use-ip-firewall=yes in /interface bridge settings.
 
RackKing
Member
Topic Author
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

Re: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?

Sun Dec 02, 2018 8:55 pm

sindy wrote:
Well, when I started writing my response, your configuration export wasn't there yet, and I didn't notice it appear while sending my response.

The dstnat chain of nat is also part of the "prerouting" path through the IP firewall, so I would suspect that the action=redirect may get confused in the bridging phase and it may set the new destination address to something weird. So I'd try to replace action=redirect by action=dst-nat and specify that hazy "one of the router's own addresses" explicitly using the to-addresses parameter.

Other than that I cannot spot anything suspicious in your configuration.
Thank you again very much for your help. I have done just that with the same no-client response. I have tried a dst-nat to the router address 192.168.90.1 for example with and without the port. It is getting confused for sure :-). Thanks again very much.
 
RackKing
Member
Topic Author
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

Re: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?

Sun Dec 02, 2018 9:00 pm

mkx wrote:
Out of curiosity, why do you want to use firewall on traffic between hosts in vlan90 iff they communicate via routerboard? Vlan firewall doesn't add security for devices which are not in same vlan (their traffic will pass the usual IP firewall anyway) and doesn't filter anything if devices can talk to each other directly (i.e. they are connected to same downstream L2 switch).
Hi mkx - thanks for your help and input.

Good question - I have a guest wlan along with a couple of guest LAN ports. In this configuration I was just trying to figure out the DNS issues, but in other versions I do block that traffic.

It is more important to me to isolate the guest traffic than to do redirect rule. Although I would like to have both :-).

Thank you very much for your help.
 
RackKing
Member
Topic Author
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

Re: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?

Sun Dec 02, 2018 9:14 pm

mkx wrote:
I guess the reason for things stopping with use-ip-firewall-for-vlan is that you allow DNS requests from interface list LAN, but that one doesn't contain ether ports ... and those are ports seen by firewall when used for vlan filtering.

I gave the above a shot and moved to a src address list as opposed to the interface list. Posted below, the result is the same. No client DNS resolution.

I then simply allowed all DNS in but had the same no-go result. Thanks for the idea.
/ip firewall address-list
add address=192.168.88.0/24 list=LAN
add address=192.168.89.0/24 list=LAN
add address=192.168.90.0/24 list=LAN
add address=192.168.88.0/24 list=Admin
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input protocol=icmp
add action=accept chain=input src-address-list=Admin
add action=accept chain=input dst-port=53 protocol=tcp src-address-list=LAN
add action=accept chain=input dst-port=53 protocol=udp src-address-list=LAN
add action=drop chain=input
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward dst-address-list=LAN src-address-list=LAN
add action=accept chain=forward out-interface-list=WAN src-address-list=LAN
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface-list=WAN
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address-list=\
    LAN
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=tcp \
    src-address-list=LAN to-ports=53
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=udp \
    src-address-list=LAN to-ports=53
 
Xtreme512
Member Candidate
Posts: 119
Joined: Sun Jun 08, 2014 2:43 pm
Location: Nicosia, CY

Re: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?

Sat Jun 05, 2021 1:33 am

Same thing is happening to me right now. I opened a thread about it. viewtopic.php?f=2&t=175805&p=861012#p861012

Looked those 2 as well.
https://www.reddit.com/r/mikrotik/comme ... truggling/
viewtopic.php?t=146915

No luck, but now I know it's due to the VLANs, implementation maybe?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS stops working with Bridge use IP Firewall & IP VLAN with NAT redirect?

Sat Jun 05, 2021 9:53 pm

RackKing please post your latest complete config and I will have a look.
