Rokoch
just joined
Topic Author
Posts: 12
Joined: Wed Feb 27, 2019 2:15 pm
Location: Poland

Multiple ip WAN and isolated VLANs

Thu Mar 04, 2021 7:05 pm

Hi,
I can't find any information about this topic, so I have to add my own.

I have an RB951G-2HnD router board and my ISP gave me five public IPs.
IP addresses:
ISP: 81.120.12.176/29 on ether1
Lan1: 192.168.88.0/24 on ether2
Computer1: 192.168.88.12 (Lan1)
Server1: 192.168.88.10 (Lan1) with access from WAN as WWW server on 81.120.12.178 public ip.
vlan79: 192.168.89.0/24 on ether3
Server2: 192.168.89.15 (vlan79) with access from WAN as WWW server on 81.120.12.179 public ip.
vlan80: 192.168.90.0/24 on ether3
Now not used but in the future will be.

So on ether1 interface I added two public IP addresses:
81.120.12.178 and 81.120.12.179
/ip address
add address=81.120.12.178/29 interface=ether1 network=81.120.12.176
add address=81.120.12.179/29 interface=ether1 network=81.120.12.176

The ether2 interface is connected to a switch, and there is a DHCP server (on the MikroTik, for ether2). Computer1 and Server1 are connected to this switch; for Server1 there is a NAT rule on the firewall which forwards port 80 from the public IP (81.120.12.178) to the LAN IP 192.168.88.10 (Server1), where the WWW server is.
/ip address add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
/ip dhcp-server add address-pool=dhcp_pool1 disabled=no interface=ether2 name=dhcp1
/ip firewall nat add action=dst-nat chain=dstnat dst-address=81.120.12.178 dst-port=80 protocol=tcp to-addresses=192.168.88.10 to-ports=80

On the ether3 interface two VLANs (79 and 80) were added, but for now I only use vlan79. On the vlan79 interface I added an IP address (192.168.89.1) and a DHCP server. The ether3 interface is connected to Server2, where I configured a vlan79 interface. Server2 has the LAN address 192.168.89.15, and on the firewall there is a NAT rule which forwards port 80 from the public IP (81.120.12.179) to the LAN IP 192.168.89.15 (Server2), where the WWW server is.
/interface vlan add interface=ether3 name=vlan79 vlan-id=79
/ip address add address=192.168.89.1/24 interface=vlan79 network=192.168.89.0
/ip dhcp-server add address-pool=dhcp_pool2 disabled=no interface=vlan79 name=dhcp2
/ip firewall nat add action=dst-nat chain=dstnat dst-address=81.120.12.179 dst-port=80 protocol=tcp to-addresses=192.168.89.15 to-ports=80

I omitted presenting the basic configuration like masquerade etc. in this topic, but it is done on my router.

All works fine: I have internet on both LANs, and I have access from the WAN to both of my servers.

But my problem is that I can access vlan79 from Lan1 and vice versa. I want to isolate them and block, i.e. deny, access from server1 to server2 using ping or a web browser from 192.168.88.10 to 192.168.89.15 and vice versa, but I want to have access from server1 to server2 using the public IPs, i.e. I can open a web page on server1 from server2 using the 81.120.12.179 address in a web browser on server1.

I attach a diagram for better understanding.
siec multi ip vlan firewall.png
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multiple ip WAN and isolated VLANs

Thu Mar 04, 2021 8:11 pm

(1) It would be helpful to see your config.
/export hide-sensitive file=anynameyouwish

(2) Is that a managed switch or a dumb switch on ether1?


(3) For layer 3 separation there are two fundamental ways, but I will discuss the preferred way.
Best method is to put a drop all else rule at the end of the forward chain, all traffic is stopped cold.
Then you only have to be concerned with allowed traffic!!

For example:
add chain=forward action=accept comment="Allow lan to wan traffic" \
in-interface-list=LAN out-interface-list=WAN
(out-interface-list=WAN can be replaced by out-interface=etherX)
add chain=forward action=drop comment="drop all else"
(this being the last rule)

Now there should be no cross talk between the LAN and the VLANs in either direction.

(4) Personally I would create one bridge and put all vlans on the bridge.
Then you have automatic separation between all vlans at layer 2 and with the drop all rule are good to go.

(5) You will need some source nat rules in place and some destination nat rules in place but your config should show what you are attempting here.
The good news is that since the subnets are different between the LAN and the VLAN, there is no need for hairpin NAT (loopback).
 
Rokoch
just joined
Topic Author
Posts: 12
Joined: Wed Feb 27, 2019 2:15 pm
Location: Poland

Re: Multiple ip WAN and isolated VLANs

Sat Mar 06, 2021 10:07 pm

Thank you for your answer.
(1) Here is my export:
backup.rsc
(2) A dumb switch is connected to ether2.
/interface bridge
add admin-mac=E4:8D:8G:9A:7C:07 auto-mac=no name=OpenVPN-bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=E4:8D:8E:9A:7C:06
set [ find default-name=ether2 ] mac-address=\
    E4:8D:8E:9A:7C:07
set [ find default-name=ether3 ] mac-address=E4:8D:8E:9A:7C:08
set [ find default-name=ether4 ] mac-address=\
    E4:8D:8E:9A:7C:09
set [ find default-name=ether5 ] mac-address=E4:8D:8E:9A:7C:0A
/interface ovpn-server
add name=ovpn-in1 user=lupi
/interface vlan
add interface=ether3 name=vlan79 vlan-id=79
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool2 ranges=192.168.89.2-192.168.89.254
add name=OpenVpnPool ranges=192.168.85.2-192.168.85.50
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=OpenVPN-bridge name=dhcp1
add address-pool=dhcp_pool2 authoritative=after-2sec-delay disabled=no \
    interface=vlan79 name=dhcp2
/port
set 0 name=usb1
/interface ppp-client
add add-default-route=no apn=plus comment=lte dial-on-demand=no info-channel=\
    1 name=ppp-out1 port=usb1
/ppp profile
add bridge=OpenVPN-bridge change-tcp-mss=yes local-address=dhcp_pool1 name=\
    OpenVPN_Local remote-address=dhcp_pool1 use-encryption=yes
/queue simple
add disabled=yes max-limit=2M/2M name=queue1 priority=1/1 target=\
    192.168.88.9/32
add disabled=yes limit-at=19M/0 max-limit=20M/0 name=queue2 target=\
    192.168.88.25/32
add disabled=yes max-limit=0/500M name=queue5 target=192.168.88.23/32
add disabled=yes max-limit=1M/1M name=queue3 target=192.168.88.10/32
add disabled=yes max-limit=1M/1M name=queue4 target=192.168.88.243/32
/interface bridge port
add bridge=OpenVPN-bridge disabled=yes interface=ether1
add bridge=OpenVPN-bridge interface=ether2
add bridge=OpenVPN-bridge interface=ether4
add bridge=OpenVPN-bridge interface=ether5
add bridge=OpenVPN-bridge interface=wlan1
/interface list member
add interface=ether1 list=WAN
add interface=ppp-out1 list=WAN
add interface=OpenVPN-bridge list=LAN
/interface ovpn-server server
set auth=sha1 certificate=SERVER-ovpn cipher=aes256 default-profile=\
    OpenVPN_Local enabled=yes keepalive-timeout=disabled mode=ethernet port=\
    1094 require-client-certificate=yes
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=profile1 max-mru=\
    1460 max-mtu=1460
/ip address
add address=192.168.88.1/24 interface=OpenVPN-bridge network=192.168.88.0
add address=81.120.12.178/29 interface=ether1 network=81.120.12.176
add address=192.168.89.1/24 interface=vlan79 network=\
    192.168.89.0
add address=81.120.12.179/29 interface=ether1 network=81.120.12.176
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1,8.8.8.8 gateway=\
    192.168.88.1
add address=192.168.89.0/24 dns-server=192.168.89.1,8.8.8.8 gateway=\
    192.168.89.1
/ip dns
set servers=62.21.99.95,8.8.8.8
/ip firewall filter
add action=drop chain=input comment="Drop 53 DoS attack" dst-port=53 \
    in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=accept chain=input comment=OpenVPN dst-port=1094 protocol=tcp
add action=drop chain=input comment=WinBox dst-port=7291 protocol=tcp \
    src-address=!192.168.88.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related,untracked
add action=accept chain=forward comment=\
    "defconf: accept established, related, untracked" connection-state=\
    established,related
add action=drop chain=forward comment=\
    "defconf: Drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop all not comming from LAN" disabled=yes in-interface-list=\
    !LAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept established, related, untracked" connection-state=\
    established,related,untracked
/ip firewall nat
add action=masquerade chain=srcnat comment="Udostepnienie neta" \
    out-interface=ether1 src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment=\
    "Udostepnianie neta dla vlnow" out-interface=ether1 src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment="80-81: Http; 211-222: FTP,SSH; 8767-8\
    780: Team Speak server; 9987: TeamSpeak VOIP; 10011: TeamSpeak query; 2550\
    0-25599: Minecraft; 27000-27050: FTP; 30033:TeamSpeak file; \
    \n25590: Subversion; 25589: Remote Destkop; 5013: Remote Desktop for UbSr1\
    604M;" dst-address=81.120.12.178 dst-port=\
    80-82,211-222,443,8767-8780,9987,10011,25500-25599,30033,5012 protocol=\
    tcp to-addresses=192.168.88.248
add action=dst-nat chain=dstnat comment="80-81: Http; 211-222: FTP,SSH; 8767-8\
    780: Team Speak server; 9987: TeamSpeak VOIP; 10011: TeamSpeak query; 2550\
    0-25599: Minecraft; 27000-27050: FTP; 30033:TeamSpeak file; \
    \n25590: Subversion; 25589: Remote Destkop; 5013: Remote Desktop for UbSr1\
    604M;" dst-address=81.120.12.178 dst-port=\
    80-81,211-222,443,8767-8780,9987,10011,25500-25599,30033,5012 protocol=\
    udp to-addresses=192.168.88.10
add action=dst-nat chain=dstnat comment="80: Http;" dst-address=81.120.12.179 dst-port=\
    80 protocol=\
    tcp to-addresses=192.168.89.15
add action=masquerade chain=srcnat comment="Potrzebne aby w sieci lokalnej by\
    \B3y widoczne domeny na serwerze w tej sieci lokalnej" dst-address=\
    192.168.88.10 protocol=tcp src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="Potrzebne aby w sieci lokalnej by\
    \B3y widoczne domeny na serwerze w tej sieci lokalnej" dst-address=\
    192.168.88.10 protocol=udp src-address=192.168.88.0/24
/ip firewall service-port
set h323 disabled=yes
set pptp disabled=yes
/ip proxy
set port=1081
/ip route
add distance=2 gateway=ppp-out1 routing-mark=lte
add distance=2 routing-mark=lte type=blackhole
add distance=1 gateway=81.120.12.177 routing-mark=isp
add distance=2 routing-mark=isp type=blackhole
add comment=isp distance=1 gateway=81.120.12.177 pref-src=81.120.12.178
add comment=lte disabled=yes distance=2 gateway=ppp-out1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=1080
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24 port=7291
set api-ssl disabled=yes
/ppp secret
add disabled=yes name=vpnjan profile=profile1 service=pptp
add name=lupi profile=OpenVPN_Local service=ovpn
/system clock
set time-zone-name=Europe/Warsaw
/system logging
add disabled=yes topics=debug
/system ntp client
set enabled=yes primary-ntp=159.253.242.123 secondary-ntp=193.219.28.147
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool sms
set channel=1 port=usb1 receive-enabled=yes
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multiple ip WAN and isolated VLANs

Sat Mar 06, 2021 10:42 pm

(1) Missing LAN member.
/interface list member
add interface=ether1 list=WAN
add interface=ppp-out1 list=WAN
add interface=OpenVPN-bridge list=LAN
add interface=vlan79 list=LAN

(2) Duplicate line in your config ????
add address=81.120.12.179/29 interface=ether1 network=81.120.12.176

(3) INPUT RULE chain rules SUCK!
Change to.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
{user rules}
add action=accept chain=input comment=OpenVPN dst-port=1094 protocol=tcp
add action=accept chain=input comment="Allow ADMIN to Router" in-interface=bridge-ovpn \
src-address-list=adminaccess
Note: You need to identify this in the firewall address list (your desktop, iPad, smartphone, laptop static IP addresses)
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop anything else!"
# ONLY ENABLE THE DROP RULE WHEN THE ADMIN RULE ABOVE IS IN PLACE

(4) Forward chain rules, these two are problematic and overlap......
Much easier to make one rule that allows port forwarding and then use the drop rule at end to drop all else.
add action=drop chain=forward comment=\
"defconf: Drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
&
add action=drop chain=forward comment=\
"defconf: drop all not comming from LAN" disabled=yes in-interface-list=!LAN

Just use the rules in this order as follows:
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="ENABLE Internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="ENABLE admin access to VLAN79" \
in-interface=bridge-ovpn out-interface=vlan79
add action=accept chain=forward comment="Allow Port Forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
(If required; otherwise DISABLE)
add action=drop chain=forward comment="DROP ALL other FORWARD traffic"

(5) Replace the two source NAT rules with one rule.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

(6) For the forward chain rules you need to add any access from/to the servers, but I ran out of time to add that to the above.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Multiple ip WAN and isolated VLANs

Sat Mar 06, 2021 10:43 pm

You have modified the default firewall rules in a way which doesn't make much sense any more. In chain forward, the basic idea is:
  • accept any packet which came in via IPsec or will get out via IPsec before it could hit the fasttrack-connection rule
  • fasttrack any connection whose initial packet has been accepted
  • accept packet belonging to any connection whose initial packet has been accepted, if the current packet got here because it took the slow path
  • selectively accept initial packets attempting to establish new connections
  • drop the rest of initial packets attempting to establish new connections
The default firewall uses just two zones (represented by /interface list items here): WAN and LAN. As you want to control traffic between different domains of your LAN, you have to add more zones, and add rules controlling traffic between them.

So let's say you add another interface list called LAN89, and make the interface vlan79 its member. Then you add the following three rules to the end of the forward chain of /ip firewall filter:
chain=forward in-interface-list=LAN out-interface-list=WAN action=accept
chain=forward in-interface-list=LAN89 out-interface-list=WAN action=accept
chain=forward action=drop


This will allow connections to servers in internet initiated by hosts in each LAN zone to establish, but initial packets of connections from one LAN zone to the other one, or of connections from the internet to any of the LAN zones, will not match any of those two selective accept rules and will hit the final "drop the rest" rule.

Regarding using a different public IP depending on the source zone, you cannot use masquerade as it randomly chooses one of the IP addresses associated to the out-interface, and you cannot affect which one.

So use the interface lists again (or source subnets if you prefer), and replace the first two action=masquerade rules in chain srcnat:
chain=srcnat in-interface-list=LAN action=src-nat to-addresses=public.ip.for.LAN
chain=srcnat in-interface-list=LAN89 action=src-nat to-addresses=public.ip.for.LAN89



In chain input, you currently accept everything but a few exceptions; it is much more secure to drop everything but a few exceptions. So as a compromise before you grasp the idea, I'd suggest you add a rule
chain=input in-interface-list=WAN action=drop
as the last one in that chain. Doing so will prevent anything but incoming OpenVPN connections from being accepted if it comes in via WAN, and it will also render the first two selective drop rules for DNS redundant.

Later you can think about the reason why the "accept established, related" rule is the first one in the default firewall configuration.
 
Rokoch
just joined
Topic Author
Posts: 12
Joined: Wed Feb 27, 2019 2:15 pm
Location: Poland

Re: Multiple ip WAN and isolated VLANs

Mon Mar 22, 2021 10:18 am

Sorry for my late reply, and thank you for your reply.
(2) No, it is not a duplicate. There are two different addresses, 81.120.12.178/29 and 81.120.12.179/29, on one ethernet interface.
In the near future I will test your suggestions.
 
Rokoch
just joined
Topic Author
Posts: 12
Joined: Wed Feb 27, 2019 2:15 pm
Location: Poland

Re: Multiple ip WAN and isolated VLANs

Wed May 19, 2021 1:00 pm

Hello, I configured it as you, anav, said, and yes, now I can't connect via the local LAN (from 192.168.88.0/24 to 192.168.89.0/24 and vice versa), but I also can't connect via the public IPs (from 81.120.12.178 to 81.120.12.179 and vice versa). If I connect using
add action=accept chain=forward comment="ENABLE admin access to VLAN79" \
in-interface=bridge-ovpn out-interface=vlan79
then I can connect in both cases, via LAN and public IPs, but that is wrong.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multiple ip WAN and isolated VLANs

Wed May 19, 2021 1:18 pm

Hello, I configured it as you, anav, said, and yes, now I can't connect via the local LAN (from 192.168.88.0/24 to 192.168.89.0/24 and vice versa), but I also can't connect via the public IPs (from 81.120.12.178 to 81.120.12.179 and vice versa). If I connect using
add action=accept chain=forward comment="ENABLE admin access to VLAN79" \
in-interface=bridge-ovpn out-interface=vlan79
then I can connect in both cases, via LAN and public IPs, but that is wrong.
Consider that if you don't state the complete set of requirements in the first post, how do you expect to reach a proper design??
What next, tongue in cheek, not happy with the config because it doesn't make breakfast for you in the morning??

Just kidding, but I'm sure you get the point................
Based on the above it's still not clear to me what you want to be able to do??
Perhaps amend your initial diagram or make a new copy that just shows what additional connectivity is required.
 
Rokoch
just joined
Topic Author
Posts: 12
Joined: Wed Feb 27, 2019 2:15 pm
Location: Poland

Re: Multiple ip WAN and isolated VLANs

Wed May 19, 2021 1:53 pm

I changed all the firewall rules as you said.
But I checked with Wireshark in a simulation what the traffic is, and I can see that when I am browsing the web from vlan79, which should have the public IP ending in ...179, I have the ...178 public IP. How can I change this? I tried to do what sindy wrote
chain=srcnat in-interface-list=LAN action=src-nat to-addresses=public.ip.for.LAN
chain=srcnat in-interface-list=LAN89 action=src-nat to-addresses=public.ip.for.LAN89
but there is a problem with
Couldn't add New NAT rule - incoming interface matching not possible in output and postrouting chains.
 
Rokoch
just joined
Topic Author
Posts: 12
Joined: Wed Feb 27, 2019 2:15 pm
Location: Poland

Re: Multiple ip WAN and isolated VLANs

Wed May 19, 2021 10:24 pm

I changed all the firewall rules as you said.
But I checked with Wireshark in a simulation what the traffic is, and I can see that when I am browsing the web from vlan79, which should have the public IP ending in ...179, I have the ...178 public IP. How can I change this? I tried to do what sindy wrote
chain=srcnat in-interface-list=LAN action=src-nat to-addresses=public.ip.for.LAN
chain=srcnat in-interface-list=LAN89 action=src-nat to-addresses=public.ip.for.LAN89
but there is a problem with
Couldn't add New NAT rule - incoming interface matching not possible in output and postrouting chains.
I resolved this problem by changing in-interface-list to src-address:
chain=srcnat src-address=192.168.88.0/24 action=src-nat to-addresses=public.ip.for.LAN
chain=srcnat src-address=192.168.89.0/24 action=src-nat to-addresses=public.ip.for.LAN89
But I still can't connect from 81.120.12.178 to 81.120.12.179 and vice versa...
 
Rokoch
just joined
Topic Author
Posts: 12
Joined: Wed Feb 27, 2019 2:15 pm
Location: Poland

Re: Multiple ip WAN and isolated VLANs

Thu May 20, 2021 1:02 am

siec multi ip vlan firewall switch.png
Maybe this picture will explain better what I want.

So when I connect a switch to the ISP port and then to this switch (but to different ports, eth2 and eth3, on this switch) I connect Mikrotik1 and Mikrotik2, where on Mikrotik1 on ether1 I set a static IP (81.120.12.178) and on Mikrotik2 I set a static IP (81.120.12.179), and on Mikrotik1 I set up a LAN with IPs 192.168.88.0/24, where in this LAN are a computer and a server. On Mikrotik2 I set up a LAN with IPs 192.168.89.0/24 with a server on 192.168.89.15. Then I can connect and open a web page on the computer or server1, which is in the Mikrotik1 LAN, from server2, which is in the Mikrotik2 LAN, using its public IP (81.120.12.179), but when I want to do this using the local IP (192.168.89.15) it doesn't work, and that is correct, because Mikrotik2 does not recognize this IP on the WAN side... I think this is clear. And now I want to do this but using only one router, without the switch and the second MikroTik router. Is this possible?
The switches are dumb, unmanaged switches.
 
Rokoch
just joined
Topic Author
Posts: 12
Joined: Wed Feb 27, 2019 2:15 pm
Location: Poland

Re: Multiple ip WAN and isolated VLANs

Thu May 27, 2021 10:56 am

Hi,
Is there any way to solve this problem?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Multiple ip WAN and isolated VLANs

Thu May 27, 2021 12:54 pm

Definitely there is.

I gave you some advice on Sat Mar 06, 2021 9:43 pm above; you never responded to it, nor have you posted the current export after the changes you've made in the meantime. Without that, there is no way to help you.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multiple ip WAN and isolated VLANs

Thu May 27, 2021 2:11 pm

You are trying to do networking between devices on different public IPs within your own allotted group of WAN IPs by using different routers.
A. Not sure this is possible.
B. Probably need routes and firewall rules.
C. Too messy for me. I would prefer to use one router and dish out public IPs directly to servers from this router.
 
Rokoch
just joined
Topic Author
Posts: 12
Joined: Wed Feb 27, 2019 2:15 pm
Location: Poland

Re: Multiple ip WAN and isolated VLANs

Mon Sep 06, 2021 3:15 pm

Hi
A long time has passed; I had a lot of other work, but last week I got what I wanted and resolved my problem by marking packets and allowing them in the filter rules.
In firewall mangle I added:
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Mark packets from vlan79 to 8\
    1.120.12.176 network for accept them in filter." dst-address=\
    81.120.12.176/29 new-packet-mark=valn79 passthrough=yes src-address=\
    192.168.89.0/24
add action=mark-packet chain=prerouting comment="Mark packets from lan to 81.1\
    20.12.176 network for accept them in filter." dst-address=\
    81.120.12.176/29 new-packet-mark=lan passthrough=yes src-address=\
    192.168.88.0/24
and in /ip firewall filter I added:
/ip firewall filter
add action=accept chain=forward comment=\
    "Accept packet mark lan which connecting to public ips no locals." \
    packet-mark=lan
add action=accept chain=forward comment=\
    "Accept packet mark vlan79 which connecting to public ips no locals." \
    packet-mark=valn79
So when some computer in the local LAN wants to connect to one of my public IPs, I mark this packet and allow it in the firewall, but when this computer wants to connect to a host in the other LAN, the firewall denies it by the
"DROP ALL other FORWARD traffic"
rule. I think this is a good method, and what is important for me is that it works.

Thank you anav and sindy for your suggestions. I hope I used them correctly; may I ask you to check my configuration, in particular the order of the rules in the firewall?

This is my export. I used another router and reset it to the default configuration for a clean configuration.
/interface bridge
add admin-mac=4C:5E:0C:6D:13:C7 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-6D13CB wireless-protocol=802.11
/interface vlan
add interface=ether3 name=vlan79 vlan-id=79
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=LAN79
add name=LANALL
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.89.2-192.168.89.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=vlan79 name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf disabled=yes interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add disabled=yes interface=vlan79 list=LAN
add interface=vlan79 list=LAN79
add interface=bridge list=LANALL
add interface=vlan79 list=LANALL
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=81.120.12.178/29 interface=ether1 network=81.120.12.176
add address=192.168.89.1/24 interface=vlan79 network=192.168.89.0
add address=81.120.12.179/29 interface=ether1 network=81.120.12.176
/ip dhcp-server lease
add address=192.168.88.10 comment=Server1 mac-address=00:0C:29:2D:64:98 \
    server=defconf
add address=192.168.88.12 comment=ADMIN mac-address=00:50:56:2E:81:A1 server=\
    defconf
add address=192.168.89.15 client-id=1:0:e0:4c:20:b9:80 comment=Server2 \
    mac-address=00:E0:4C:20:B9:80 server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.89.0/24 gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes servers=81.120.12.177,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.88.12 list=ADMIN
add address=192.168.88.10 disabled=yes list=ADMIN
add address=192.168.89.15 disabled=yes list=ADMIN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" in-interface=\
    bridge src-address-list=ADMIN
add action=accept chain=input comment="Allow ADMIN to Router from VLAN79" \
    disabled=yes in-interface=vlan79 src-address-list=ADMIN
add action=accept chain=input comment="Allow LAN DNS queries-TCP" \
    connection-state=new dst-port=53 in-interface-list=LANALL protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
    connection-state=new dst-port=53 in-interface-list=LANALL protocol=udp
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LANALL
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="ENABLE internet traffic LAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="ENABLE internet traffic VLAN79" \
    in-interface-list=LAN79 out-interface-list=WAN
add action=accept chain=forward comment="ENABLE internet traffic" disabled=\
    yes in-interface-list=LANALL out-interface-list=WAN
add action=accept chain=forward comment="ENABLE admin acces to VLAN79" \
    in-interface=bridge out-interface=vlan79 src-address-list=ADMIN
add action=accept chain=forward comment="Allow Port Forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment=\
    "Accept packet mark lan which connecting to public ips no locals." \
    packet-mark=lan
add action=accept chain=forward comment=\
    "Accept packet mark vlan79 which connecting to public ips no locals." \
    packet-mark=valn79
add action=drop chain=input comment="Drop anything else!"
add action=drop chain=forward comment="DROP ALL other FORWARD traffic"
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Mark packets from vlan79 to 8\
    1.120.12.176 network for accept them in filter." dst-address=\
    81.120.12.176/29 new-packet-mark=valn79 passthrough=yes src-address=\
    192.168.89.0/24
add action=mark-packet chain=prerouting comment="Mark packets from lan to 81.1\
    20.12.176 network for accept them in filter." dst-address=\
    81.120.12.176/29 new-packet-mark=lan passthrough=yes src-address=\
    192.168.88.0/24
/ip firewall nat
add action=dst-nat chain=dstnat comment="Allow access to server1 port 80 WAN" \
    dst-address=81.120.12.178 dst-port=80 protocol=tcp to-addresses=\
    192.168.88.10
add action=dst-nat chain=dstnat comment=\
    "Allow access to server2 port 80 from WAN" dst-address=81.120.12.179 \
    dst-port=80 protocol=tcp to-addresses=192.168.89.15
add action=src-nat chain=srcnat comment=\
    "Translate local ip 88.0 to public ip 178" dst-address=!192.168.88.1 \
    src-address=192.168.88.0/24 to-addresses=81.120.12.178
add action=src-nat chain=srcnat comment=\
    "Translate local ip 89.0 to public ip 179" dst-address=!192.168.89.1 \
    src-address=192.168.89.0/24 to-addresses=81.120.12.179
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    in-interface=bridge ipsec-policy=out,none out-interface-list=WAN \
    to-addresses=81.120.12.178
/ip route
add distance=1 gateway=81.120.12.177 pref-src=81.120.12.178
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=MikroTikRsim
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
export.rsc
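As an added illustration that is not part of the thread and not MikroTik code, this Python model walks the first packet of a new connection through the chains of the final export above (mangle prerouting, dst-nat, routing, forward filter, src-nat) so the effect of the rule order can be checked offline. Lists, addresses and rules are taken from the export; the internet client 203.0.113.5 is a constructed sample address, and the established/related and fasttrack rules are left out because only the first packet is modelled.

```python
# Model of the final export's packet path (added example; 203.0.113.5 is a constructed client).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN_NET = ip_network("192.168.88.0/24")
VLAN_NET = ip_network("192.168.89.0/24")
PUB_NET = ip_network("81.120.12.176/29")
# /interface list member: interface -> lists it belongs to
IFACE_LISTS = {"bridge": {"LAN", "LANALL"}, "vlan79": {"LAN79", "LANALL"}, "ether1": {"WAN"}}
# connected routes plus the default route via the ISP gateway on ether1
ROUTES = [(LAN_NET, "bridge"), (VLAN_NET, "vlan79"), (PUB_NET, "ether1"), (ip_network("0.0.0.0/0"), "ether1")]
ROUTER_IPS = {"192.168.88.1", "192.168.89.1", "81.120.12.178", "81.120.12.179"}
ADMIN_LIST = {"192.168.88.12"}  # /ip firewall address-list ADMIN (enabled entry only)
# /ip firewall nat dst-nat rules: (public IP, TCP port) -> internal server
DSTNAT = {("81.120.12.178", 80): "192.168.88.10", ("81.120.12.179", 80): "192.168.89.15"}

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str
    proto: str = "tcp"
    mark: Optional[str] = None
    dstnat: bool = False
    out_iface: Optional[str] = None

def in_net(addr: str, net) -> bool:
    return ip_address(addr) in net

def mangle_prerouting(p: Packet) -> None:
    """The two mark-packet rules: LAN or VLAN source heading for the public /29."""
    if in_net(p.src, VLAN_NET) and in_net(p.dst, PUB_NET):
        p.mark = "valn79"  # the export's (misspelled) mark name
    elif in_net(p.src, LAN_NET) and in_net(p.dst, PUB_NET):
        p.mark = "lan"

def dstnat(p: Packet) -> None:
    """The two dst-nat rules; runs after mangle prerouting and before routing."""
    target = DSTNAT.get((p.dst, p.dport)) if p.proto == "tcp" else None
    if target:
        p.dst, p.dstnat = target, True

def route(p: Packet) -> Optional[str]:
    """Output interface, or None when the router itself is the destination (chain input)."""
    if p.dst in ROUTER_IPS:
        return None
    return next(iface for net, iface in ROUTES if in_net(p.dst, net))

def filter_forward(p: Packet) -> str:
    """Forward-chain rules from the export, in order, for a connection-state=new packet."""
    ins = IFACE_LISTS.get(p.in_iface, set())
    outs = IFACE_LISTS.get(p.out_iface, set())
    if "WAN" in ins and not p.dstnat:
        return "drop"    # defconf: drop all from WAN not DSTNATed
    if "LAN" in ins and "WAN" in outs:
        return "accept"  # ENABLE internet traffic LAN
    if "LAN79" in ins and "WAN" in outs:
        return "accept"  # ENABLE internet traffic VLAN79
    if p.in_iface == "bridge" and p.out_iface == "vlan79" and p.src in ADMIN_LIST:
        return "accept"  # ENABLE admin access to VLAN79
    if "WAN" in ins and p.dstnat:
        return "accept"  # Allow Port Forwarding
    if p.mark in ("lan", "valn79"):
        return "accept"  # accept packet-marked LAN/VLAN -> public IP traffic
    return "drop"        # DROP ALL other FORWARD traffic

def srcnat(p: Packet) -> None:
    """The two src-nat rules; note that neither is limited to out-interface-list=WAN."""
    if in_net(p.src, LAN_NET) and p.dst != "192.168.88.1":
        p.src = "81.120.12.178"
    elif in_net(p.src, VLAN_NET) and p.dst != "192.168.89.1":
        p.src = "81.120.12.179"

def trace(src: str, dst: str, dport: int, in_iface: str, proto: str = "tcp"):
    """Run one new-connection packet through the chains; return (verdict, src, dst) as delivered."""
    p = Packet(src, dst, dport, in_iface, proto)
    mangle_prerouting(p)
    dstnat(p)
    p.out_iface = route(p)
    if p.out_iface is None:
        return ("input", p.src, p.dst)  # handled by chain input, not modelled here
    verdict = filter_forward(p)
    if verdict == "accept":
        srcnat(p)
    return (verdict, p.src, p.dst)

if __name__ == "__main__":
    cases = [
        ("192.168.88.10", "192.168.89.15", 80, "bridge"),  # Server1 -> Server2 by LAN address
        ("192.168.88.10", "81.120.12.179", 80, "bridge"),  # Server1 -> Server2 by public IP
        ("192.168.89.15", "81.120.12.178", 80, "vlan79"),  # Server2 -> Server1 by public IP
        ("192.168.88.12", "192.168.89.15", 22, "bridge"),  # ADMIN host -> Server2 directly
        ("203.0.113.5", "81.120.12.178", 80, "ether1"),    # internet -> Server1 port forward
        ("203.0.113.5", "192.168.88.10", 22, "ether1"),    # internet -> private address, no dst-nat
        ("192.168.89.15", "8.8.8.8", 443, "vlan79"),       # Server2 -> internet
    ]
    for c in cases:
        print(c, "->", trace(*c))
```

The model also shows why the public-IP path works without a separate hairpin rule: the two src-nat rules have no out-interface-list=WAN match, so LAN-to-vlan79 traffic (including the ADMIN host's direct access) is translated to the public address as well, and Server2 sees 81.120.12.178 rather than the LAN address.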
 
Rokoch
just joined
Topic Author
Posts: 12
Joined: Wed Feb 27, 2019 2:15 pm
Location: Poland

Re: Multiple ip WAN and isolated VLANs

Thu Sep 16, 2021 10:00 pm

Hi,
Can I ask someone to check my new configuration?
Thanks
