
NAT Table with VLAN Firewall

Tue Aug 13, 2019 5:37 pm

Hello everyone

I am configuring a CCR1036 and I have found that with the Firewall activated in the BRIDGE or in VLAN, the packets do not pass through the NAT table. Is this normal or am I doing something wrong?

I am configuring a Hotspot and when I deactivate the BRIDGE Firewall it works correctly, but if I activate it I see no activity.

Can you help me? The VLANs on the router are configured in the new-way mode.

Thank you.

/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-vlan=yes

/interface bridge vlan
add bridge=bridge tagged=ether1,ether2,ether3,ether4 vlan-ids=70,72

/interface bridge
add mtu=1500 name=bridge vlan-filtering=yes
add mtu=1500 name=bridge-70 vlan-filtering=yes
add mtu=1500 name=bridge-72 vlan-filtering=yes

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge-70 interface=vlan-70
add bridge=bridge-72 interface=vlan-72

NAT Table
[admin@VA-CCR1036-INF-1L018-1] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D chain=dstnat action=jump jump-target=hotspot hotspot=from-client 

 1  D chain=hotspot action=jump jump-target=pre-hotspot 
 2  D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53 
 3  D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53 
 4  D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80 
 5  D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst dst-port=443 
 6  D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth 
 7  D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth 
 8  D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp in-interface=bridge-72 dst-port=443  
 9  D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80 
10  D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128 
11  D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080 
12  D chain=hs-unauth action=jump jump-target=hs-smtp protocol=tcp dst-port=25 
13  D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http 
14  D chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=25 
15  X chain=unused-hs-chain action=passthrough 
16    chain=srcnat action=masquerade src-address= log=no log-prefix=""
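
Added editor's note (not part of the original post): before deciding whether the bridge firewall is "eating" the traffic, it helps to establish whether hotspot packets enter the IP firewall at all. The fragment below is an added diagnostic, not the poster's configuration. It assumes the poster's bridge names (bridge-70, bridge-72); the client prefix 10.70.0. used in the last command is an assumption and should be replaced with the real hotspot address range. Mangle prerouting is used for the counters because it is traversed before the dstnat chain, so it is not affected by where the dynamic hotspot NAT rules sit.

```routeros
# Added diagnostic fragment for the setup in the post above (not from the original poster).
# Assumes bridge names bridge-70 / bridge-72 from the post; the 10.70.0. prefix is an assumption.

# 1. Count every packet from the hotspot bridges that reaches the IP firewall.
#    passthrough changes nothing; it only increments the rule counters.
#    If these stay at zero while clients generate traffic, the packets are
#    being bridged (or fast-pathed) without entering /ip firewall, so the
#    NAT table is never consulted.
/ip firewall mangle
add chain=prerouting in-interface=bridge-70 action=passthrough comment="dbg: bridge-70 enters ip firewall"
add chain=prerouting in-interface=bridge-72 action=passthrough comment="dbg: bridge-72 enters ip firewall"

# 2. Log DNS and HTTP attempts from clients before dstnat runs, so the log shows
#    whether the hotspot redirect rules (dst-port 53/80/443) should have matched.
add chain=prerouting in-interface=bridge-70 protocol=udp dst-port=53 action=log log-prefix="hs70-dns" comment="dbg: bridge-70 dns"
add chain=prerouting in-interface=bridge-70 protocol=tcp dst-port=80,443 action=log log-prefix="hs70-web" comment="dbg: bridge-70 web"

# 3. Read the results while a client tries to open a page.
#    Counters on the dynamic hotspot rules (print stats) should rise along with the mangle counters;
#    if the mangle counters rise but the NAT counters do not, the problem is in the NAT path itself.
/ip firewall mangle print stats where comment~"dbg"
/ip firewall nat print stats
/log print where message~"hs70-"
/ip firewall connection print where src-address~"10.70.0."

# 4. Remove the diagnostics afterwards.
/ip firewall mangle remove [find comment~"dbg"]
```

Reading the output: with `use-ip-firewall=yes` and `use-ip-firewall-for-vlan=yes`, bridged traffic (including the VLAN-tagged frames, since vlan-filtering is on) is supposed to traverse /ip firewall, so the mangle counters should increment; `allow-fast-path=no` in the posted settings already rules out fast-path bypass. If step 3 shows the counters rising but the dynamic hotspot rules in dstnat staying at zero, the traffic is entering the firewall but not matching the hotspot conditions (for example `hotspot=from-client`), which points at which interface the hotspot server is bound to rather than at the NAT table itself.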

