Gnits
just joined
Topic Author
Posts: 7
Joined: Sun Jul 26, 2020 9:13 pm

Firewall issue with added VLAN200

Wed Nov 18, 2020 2:43 am

So I am using the older stock configuration on my RB4011.

I have added new VLANs for the IoT stuff, and I have one device that I could not get to find its back-end service.

When I connected it back to the main network, it started to work.
This is not a ground-up configuration.

I know there is junk in this configuration, but primarily I want to configure it so that VLAN 200 can get out to the internet.

/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether10 ] poe-out=forced-on
set [ find default-name=sfp-sfpplus1 ] mtu=1600 name=sfp-sfpplus1-downlink
/interface vlan
add interface=bridge name=INT_VLAN1 vlan-id=1
add interface=bridge name=INT_VLAN100 vlan-id=100
add interface=bridge name=INT_VLAN101 vlan-id=101
add interface=bridge name=INT_VLAN200 vlan-id=200
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.2-192.168.0.254
add name=dhcp_pool2 ranges=192.168.0.10-192.168.0.254
add name=dhcp_pool3 ranges=192.168.200.10-192.168.200.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=INT_VLAN1 name=dhcp1
add address-pool=dhcp_pool3 disabled=no interface=INT_VLAN200 name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1-downlink
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1-downlink untagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=1
add bridge=bridge tagged=bridge,sfp-sfpplus1-downlink vlan-ids=100
add bridge=bridge tagged=bridge,ether1,sfp-sfpplus1-downlink vlan-ids=200
add bridge=bridge tagged=bridge,sfp-sfpplus1-downlink vlan-ids=101
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=INT_VLAN1 list=LAN
add interface=INT_VLAN200 list=LAN
/ip address
add address=192.168.0.1/24 interface=INT_VLAN1 network=192.168.0.0
add address=192.168.200.1/24 interface=INT_VLAN200 network=192.168.200.0
add address=192.168.101.1/24 interface=INT_VLAN101 network=192.168.101.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.0.0/32 dns-server=75.75.75.75,75.75.75.76 gateway=192.168.0.1 netmask=24
add address=192.168.0.0/24 gateway=192.168.0.1 netmask=24
add address=192.168.200.0/32 dns-server=75.75.75.75,75.75.75.75 gateway=192.168.200.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=TheWay
/system ntp client
set enabled=yes primary-ntp=107.152.35.167 server-dns-names=0.pool.ntp.org
/system package update
set channel=long-term
/tool graphing interface
add interface=ether1
add interface=ether10
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I do plan to build a configuration from the ground up, but right now I am just trying to get something working.
 
Gnits
just joined
Topic Author
Posts: 7
Joined: Sun Jul 26, 2020 9:13 pm

Re: Firewall issue with added VLAN200

Wed Nov 18, 2020 12:59 pm

Additional information:

I connected my Echo Show 5 to this new IoT network and it can establish a proper connection to the wifi and stay there. However, no services function.
So I am pretty confident that I have an issue with either the DHCP scope or the firewall.
 
sindy
Forum Guru
Posts: 6311
Joined: Mon Dec 04, 2017 9:19 pm

Re: Firewall issue with added VLAN200  [SOLVED]

Wed Nov 18, 2020 1:20 pm


/ip dhcp-server network
..
add address=192.168.200.0/32 dns-server=75.75.75.75,75.75.75.75 gateway=192.168.200.1 netmask=24
There should be /24.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Gnits
just joined
Topic Author
Posts: 7
Joined: Sun Jul 26, 2020 9:13 pm

Re: Firewall issue with added VLAN200

Thu Nov 19, 2020 4:35 am


/ip dhcp-server network
..
add address=192.168.200.0/32 dns-server=75.75.75.75,75.75.75.75 gateway=192.168.200.1 netmask=24
There should be /24.
What is interesting is why I need /24 when there is a netmask field for 24 as well.
 
mkx
Forum Guru
Posts: 5054
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall issue with added VLAN200

Thu Nov 19, 2020 10:05 am

What is interesting is why I need /24 when there is a netmask field for 24 as well.

The address part of the config stanza actually tells ROS which IP interface the whole stanza refers to (and then the DHCP server uses the correct network definition for DHCP requests coming through that interface). Therefore the address part should match exactly the address as set in /ip address. The rest of the properties (netmask, list of DNS servers, ...) are sent to the DHCP client ...

In ROS it is possible to set some things which are not exactly usual. Such as having several interfaces configured with same IP address but with different network addresses (and different netmasks)...
BR,
Metod
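The rule mkx states above (the address of a /ip dhcp-server network entry has to be the exact network, prefix length included, of an /ip address entry, otherwise the server never selects it) is easy to lint for mechanically. The following is an added example, not code from the thread or from MikroTik: a small Python script that parses a RouterOS /export, rebuilds the set of interface networks from /ip address, and flags every DHCP network whose address does not match one, together with a netmask= that disagrees with the prefix and duplicated DNS servers. The EXPORT string is a trimmed copy of the export posted in the thread; the function names and finding labels are this example's own.

```python
"""Lint a RouterOS export for /ip dhcp-server network entries that can never
be selected.  Added example for the thread above; it is not RouterOS code
and not anything the poster ran.  EXPORT is a trimmed copy of the export
posted in the thread (only the sections this check needs)."""
import ipaddress
import shlex

EXPORT = """
/ip address
add address=192.168.0.1/24 interface=INT_VLAN1 network=192.168.0.0
add address=192.168.200.1/24 interface=INT_VLAN200 network=192.168.200.0
add address=192.168.101.1/24 interface=INT_VLAN101 network=192.168.101.0
/ip dhcp-server network
add address=192.168.0.0/32 dns-server=75.75.75.75,75.75.75.76 gateway=192.168.0.1 netmask=24
add address=192.168.0.0/24 gateway=192.168.0.1 netmask=24
add address=192.168.200.0/32 dns-server=75.75.75.75,75.75.75.75 gateway=192.168.200.1 netmask=24
"""


def parse_export(text):
    """Return {section: [ {key: value, ...}, ... ]} for every 'add ...' line.

    A line starting with '/' opens a section; 'set' lines are ignored because
    this check only needs the 'add' entries.  shlex.split keeps quoted values
    such as comment="defconf: masquerade" together as one token."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        if current is None or not line.startswith("add "):
            continue
        entry = {}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            entry[key] = value
        sections[current].append(entry)
    return sections


def check_dhcp_networks(sections):
    """Apply the rule from the thread and return a list of findings.

    Each finding is (kind, dhcp_network_address, detail):
      no-matching-interface: no /ip address entry lives in exactly this
          network; detail is the /ip address network with the same network
          address (the likely intended value) or None
      netmask-mismatch: netmask= disagrees with the prefix in address=
      duplicate-dns: the same server is listed twice in dns-server="""
    interface_networks = {}
    for a in sections.get("/ip address", []):
        net = ipaddress.ip_interface(a["address"]).network
        interface_networks[net] = a.get("interface", "?")

    findings = []
    for n in sections.get("/ip dhcp-server network", []):
        net = ipaddress.ip_network(n["address"], strict=False)
        if net not in interface_networks:
            # same network address but another prefix is the typical typo
            # (192.168.200.0/32 written where 192.168.200.0/24 was meant)
            fix = next((str(k) for k in interface_networks
                        if k.network_address == net.network_address), None)
            findings.append(("no-matching-interface", n["address"], fix))
        if "netmask" in n and int(n["netmask"]) != net.prefixlen:
            findings.append(("netmask-mismatch", n["address"], n["netmask"]))
        dns = n.get("dns-server", "")
        servers = dns.split(",") if dns else []
        if len(servers) != len(set(servers)):
            findings.append(("duplicate-dns", n["address"], dns))
    return findings


if __name__ == "__main__":
    for kind, address, detail in check_dhcp_networks(parse_export(EXPORT)):
        print(f"{kind:24} {address:20} {detail}")
```

Run it against the output of /export hide-sensitive and it reports both /32 entries as matching no interface network (suggesting 192.168.0.0/24 and 192.168.200.0/24), the netmask=24 that contradicts each /32, and the doubled 75.75.75.75 on the VLAN 200 entry. It only checks DHCP network selection; it says nothing about isolation, and as posted, INT_VLAN200 is a member of the LAN interface list and the forward chain has no rule limiting VLAN 200 to the WAN, so a device on 192.168.200.0/24 reaches 192.168.0.0/24 and the router's own services exactly like a main-LAN host. If the VLAN exists to keep IoT devices apart, that wants forward (and tighter input) rules once DHCP is fixed.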
