sliwma

Routing between VLAN & VLAN+VPN

Mon Aug 05, 2019 6:06 pm

Hey,

I have three VLANs, MGMT, HOME and GUEST.
I can access HOME and GUEST from MGMT, but I can't access GUEST from HOME, even with the rejecting/dropping firewall rules disabled, and I don't know the reason. I moved my IoT devices to GUEST to separate them, and now I can't reach them from the LAN.

My current config below:
[admin@RB760iGS] > export hide-sensitive 
# aug/05/2019 16:57:48 by RouterOS 6.45.2
# software id = HJFI-YNP6
#
# model = RB760iGS
# serial number = A36A0A453B20
#
# Review notes are the added '#' lines; everything else is the export as posted.
# Layout: one bridge (BR1) with VLAN filtering. VLAN 10 = HOME_VLAN (192.168.5.0/24),
# VLAN 20 = GUEST_VLAN (192.168.20.0/24), VLAN 99 = MANAGEMENT (192.168.0.0/24), all
# terminated on BR1. ether1 is the WAN uplink (DHCP client), ether4/ether5 are trunks.
/interface bridge
# protocol-mode=none: no (R)STP on the bridge, so nothing protects the trunks against loops.
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN-livebox
set [ find default-name=ether4 ] name=ether4-TRUNK-MR3020
set [ find default-name=ether5 ] advertise=100M-full,1000M-full name=ether5-TRUNK-RB951G
/interface vlan
# L3 VLAN interfaces are attached to the bridge itself; BR1 is listed as tagged in every
# /interface bridge vlan entry below, which is what makes these interfaces reachable.
add interface=BR1 name=GUEST_VLAN vlan-id=20
add interface=BR1 name=HOME_VLAN vlan-id=10
add interface=BR1 name=MANAGEMENT vlan-id=99
/caps-man security
# Three WPA2-PSK / AES-CCM profiles; the pre-shared keys are omitted by 'export hide-sensitive'.
add authentication-types=wpa2-psk encryption=aes-ccm name=home
add authentication-types=wpa2-psk encryption=aes-ccm name=guest
add authentication-types=wpa2-psk encryption=aes-ccm name=management
/interface list
# WAN: the uplink only. VLAN: all three VLAN interfaces. BASE: MANAGEMENT only (used by
# neighbor discovery and the MAC server below). LAN: HOME_VLAN + MANAGEMENT -- GUEST_VLAN
# is deliberately not a LAN member. Membership is in /interface list member.
add name=WAN
add name=VLAN
add name=BASE
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
# Initiator-side mode-config: the local side of the generated tunnel policy is taken from
# the HOME address list (192.168.5.0/24, see /ip firewall address-list). Combined with the
# 0.0.0.0/0 policy template further down, the generated policy covers every destination,
# including the other VLANs.
# NOTE(review): that would divert HOME -> GUEST/MGMT traffic into the tunnel instead of
# routing it locally; the ICMP reply from a non-local address in the follow-up post is
# consistent with this. Check /ip ipsec policy and, if a src=192.168.5.0/24 dst=0.0.0.0/0
# policy is present, place a policy with action=none for the local subnets above it (or
# narrow what the template covers).
add name=NordVPN responder=no src-address-list=HOME
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
# Profile uses defaults (DH group, hash, encryption are not shown because defaults are not exported).
add name=NordVPN
/ip ipsec peer
add address=ca458.nordvpn.com exchange-mode=ike2 name=NordVPN_CA458 profile=NordVPN
/ip ipsec proposal
# pfs-group=none: child SA keys are derived without a fresh DH exchange (no perfect forward secrecy).
add name=NordVPN pfs-group=none
/ip pool
add name=HOME ranges=192.168.5.100-192.168.5.254
add name=GUEST ranges=192.168.20.2-192.168.20.254
add name=MANAGEMENT ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=GUEST disabled=no interface=GUEST_VLAN name=GUEST
add address-pool=MANAGEMENT disabled=no interface=MANAGEMENT name=MANAGEMENT
add address-pool=HOME disabled=no interface=HOME_VLAN lease-time=12h name=HOME
/dude
set data-directory=disk1 enabled=yes
/interface bridge port
# Access ports: ether2/ether3 are untagged members of VLAN 10 (HOME); tagged frames are rejected.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
# ether4 trunk: tagged frames only.
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4-TRUNK-MR3020
# NOTE(review): ether5 has no frame-types restriction, so unlike ether4 it also admits
# untagged frames, which land in the port's default PVID -- confirm this is intended.
add bridge=BR1 ingress-filtering=yes interface=ether5-TRUNK-RB951G
/ip neighbor discovery-settings
# Neighbor discovery only on BASE (= MANAGEMENT).
set discover-interface-list=BASE
/interface bridge vlan
# VLAN table: all three VLANs tagged on BR1 and both trunks; only VLAN 10 has untagged access ports.
add bridge=BR1 tagged=BR1,ether4-TRUNK-MR3020,ether5-TRUNK-RB951G untagged=ether2,ether3 vlan-ids=10
add bridge=BR1 tagged=BR1,ether4-TRUNK-MR3020,ether5-TRUNK-RB951G vlan-ids=99
add bridge=BR1 tagged=BR1,ether4-TRUNK-MR3020,ether5-TRUNK-RB951G vlan-ids=20
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1-WAN-livebox list=WAN
add interface=MANAGEMENT list=VLAN
add interface=HOME_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=MANAGEMENT list=BASE
add interface=HOME_VLAN list=LAN
add interface=MANAGEMENT list=LAN
/ip address
add address=192.168.0.1/24 interface=MANAGEMENT network=192.168.0.0
add address=192.168.5.1/24 interface=HOME_VLAN network=192.168.5.0
add address=192.168.20.1/24 interface=GUEST_VLAN network=192.168.20.0
/ip dhcp-client
# WAN address via DHCP; the ISP's DNS/NTP are ignored (DNS is pinned to Google below).
add dhcp-options=hostname,clientid disabled=no interface=ether1-WAN-livebox use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1
add address=192.168.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.5.1 ntp-server=192.168.5.1
add address=192.168.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.20.1 ntp-server=192.168.20.1
/ip dns
# allow-remote-requests=yes turns the router into a resolver for anyone who can reach it.
# With the input chain below accepting everything, that includes the WAN side (open
# resolver) unless the upstream livebox blocks it.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# HOME list: referenced by the IPsec mode-config above as the tunnel's local side.
add address=192.168.5.0/24 list=HOME
/ip firewall filter
# Forward chain. Ordering problem: the reject rules below run before the
# established/related accepts, so a reply packet of a HOME-initiated connection to GUEST
# (src 192.168.20.0/24, dst 192.168.5.0/24) is rejected by "Reject HOME from GUEST",
# which has no connection-state matcher ("Reject MGMT from GUEST" does). Putting
# "accept established/related" and "drop invalid" first makes the chain stateful.
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=reject chain=forward comment="Reject HOME from GUEST" dst-address=192.168.5.0/24 reject-with=icmp-host-prohibited src-address=192.168.20.0/24
add action=reject chain=forward comment="Reject MGMT from GUEST" connection-state=new dst-address=192.168.0.0/24 reject-with=icmp-host-prohibited src-address=192.168.20.0/24
add action=reject chain=forward comment="Reject LIVEBOX from GUEST" dst-address=192.168.1.0/24 reject-with=icmp-host-prohibited src-address=192.168.20.0/24
add action=reject chain=forward comment="Reject MGMT from HOME" dst-address=192.168.0.0/24 reject-with=icmp-host-prohibited src-address=192.168.5.0/24
add action=accept chain=forward comment="Forward / Allow / Estabilished / ALL" connection-state=established
add action=accept chain=forward comment="Forward / Allow / Related / ALL" connection-state=related
# Accepting every new connection here leaves the final forward drop with nothing to match
# except untracked traffic; the reject rules above are the only real inter-VLAN policy.
add action=accept chain=forward comment="Forward / Allow / New / ALL" connection-state=new
add action=drop chain=forward comment="Drop all other connections through the router"
# Input chain.
# No src-address matcher: applies from every source, MGMT included (matches the comment).
add action=reject chain=input comment="Reject 5.1 from ALL" dst-address=192.168.5.1 dst-port=21,22,23,80,2000 protocol=tcp reject-with=icmp-host-prohibited
# Comment says "from ALL" but the matcher is src-address=192.168.20.0/24; other sources can still reach these ports on 192.168.20.1.
add action=reject chain=input comment="Reject 20.1 from ALL" dst-address=192.168.20.1 dst-port=21,22,23,80,2000 protocol=tcp reject-with=icmp-admin-prohibited src-address=192.168.20.0/24
add action=reject chain=input comment="Reject 0.1 from 5.0" dst-address=192.168.0.1 reject-with=icmp-host-prohibited src-address=192.168.5.0/24
add action=reject chain=input comment="Reject 0.1 from 20.0" dst-address=192.168.0.1 reject-with=icmp-host-prohibited src-address=192.168.20.0/24
# NOTE(review): despite its comment, this rule has no in-interface / in-interface-list
# matcher, so it accepts all remaining input from every interface, including
# ether1-WAN-livebox, and the final drop below is disabled. The router's own services
# (DNS, SNMP, Winbox, SSH, ...) are therefore reachable from the WAN side. Matching
# in-interface-list=LAN (HOME_VLAN + MANAGEMENT) here and enabling the drop closes this.
add action=accept chain=input comment="Allow everything from the LAN interface to the router"
# These two only take effect for traffic not already accepted by the rule above.
add action=accept chain=input comment="Allow established  connections to the router, these are OK because we aren't allowing new connections" connection-state=established
add action=accept chain=input comment="Allow related connections to the router, these are OK because we aren't allowing new connections" connection-state=related
# disabled=yes: there is currently no default deny on the input chain.
add action=drop chain=input comment="Drop everything else to the router" disabled=yes
/ip firewall nat
# Per-subnet masquerade out the WAN port; GUEST gets Internet access too.
add action=masquerade chain=srcnat out-interface=ether1-WAN-livebox src-address=192.168.0.0/24
add action=masquerade chain=srcnat out-interface=ether1-WAN-livebox src-address=192.168.5.0/24
add action=masquerade chain=srcnat out-interface=ether1-WAN-livebox src-address=192.168.20.0/24
/ip ipsec identity
# IKEv2 with EAP-MSCHAPv2 (username/password). certificate="" means no client certificate;
# how the VPN server's certificate is validated is not visible in this export.
# generate-policy=port-strict: the tunnel policy is created from the template below
# using the addresses handed out by mode-config.
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN_CA458 policy-template-group=NordVPN username=\
    sliwma@
/ip ipsec policy
# Template matching any src/dst; the effective policy is generated per tunnel
# (see the note at /ip ipsec mode-config about it covering the other VLANs).
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip route
# Static default route to the livebox. NOTE(review): the DHCP client on ether1 normally
# installs a default route as well -- check /ip route for two default routes.
add distance=1 gateway=192.168.1.1
/snmp
# SNMP enabled; community settings are not shown (defaults are not exported). With the
# open input chain above it is reachable on every interface -- restrict it to BASE/MGMT.
set enabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RB760iGS
/system ntp client
set enabled=yes primary-ntp=193.110.137.171 secondary-ntp=158.75.5.245
/system ntp server
# Router serves NTP to the LAN (HOME and GUEST DHCP networks point ntp-server at the VLAN gateway).
set enabled=yes manycast=no multicast=yes
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
# MAC-Telnet and MAC-Winbox only on BASE (= MANAGEMENT).
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
 
sliwma

Re: Routing between VLAN & VLAN+VPN

Mon Aug 05, 2019 6:18 pm

Update:
pinging GUEST from HOME gives: "From 199.229.249.115 icmp_seq=1 Destination Port Unreachable".
So the traffic for the second VLAN is being sent to the VPN server, even though static routes for each VLAN show up.
 
sebastia

Re: Routing between VLAN & VLAN+VPN

Tue Aug 06, 2019 1:00 am

Hey

Your firewall rules:

* add action=reject chain=forward comment="Reject HOME from GUEST" dst-address=192.168.5.0/24 reject-with=icmp-host-prohibited src-address=192.168.20.0/24
add action=reject chain=forward comment="Reject MGMT from GUEST" connection-state=new dst-address=192.168.0.0/24 reject-with=icmp-host-prohibited src-address=192.168.20.0/24

any return traffic will be blocked by the first rule. The first rule needs the connection-state=new matcher that the second one has -> stateful firewalling
 
sliwma

Re: Routing between VLAN & VLAN+VPN

Tue Aug 06, 2019 12:40 pm

Yes, I know; I was just testing these rules.
Anyway, even without them, I can't access any other VLAN from HOME.
 
sebastia

Re: Routing between VLAN & VLAN+VPN

Wed Aug 07, 2019 3:56 pm

To start with, move "accept established & related" to the top of the forward chain -> that is the stateful part of the firewall.
So the forward chain rules should be:
1. accept established / related
2. drop invalid
3. (the rest)

In the rest you can then control from where connections are allowed:
e.g. LAN -> GUEST is allowed (for all packets with connection-state=new). The response traffic (connection-state=established) is then allowed by the first rule (est & rel).
