fpawlak
just joined
Topic Author
Posts: 21
Joined: Wed Aug 26, 2020 2:49 pm

IKEv2 server ignores dhcp query on vlan interface

Mon Mar 29, 2021 11:03 pm

Hi guys.
I have a problem with an IKEv2/IPsec configuration.

Normally, when I have the IKEv2/IPsec server peer configured on an IP address assigned to a bridge interface, Windows 10 connects to this IP, asks for policy 0.0.0.0/0, then asks via DHCP option 249 for the 'split-include' defined in the mode config. Everything works fine, as expected; in the IPsec log I can see both the DHCP query and the response.

But when I set up the IKEv2/IPsec server peer on an IP address assigned to a VLAN interface (defined as a subinterface of the bridge, not a port of the bridge), it's not working.
Windows 10 connects, but 'split-include' doesn't work. I can add a dummy log rule to the firewall, so I can see that the DHCP option 249 request is coming in. But in the IPsec log I see neither the query nor the response.
If I manually add the route from cmd, it looks like the IPsec tunnel works fine.

I am on a CCR2004 with v6.47.9 (long-term), bridge VLAN filtering on.

Do you have any hints on what I am doing wrong? Maybe it is something trivial.
Maybe it is related to these two topics:
viewtopic.php?t=154743
viewtopic.php?t=156314

I've tried disabling 'Allow Fast Path' in IP/Settings, disabling 'Fast Forward' in the bridge interface settings and 'Allow Fast Path' in the global bridge settings. But even after a router reboot it doesn't help.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 server ignores dhcp query on vlan interface

Tue Mar 30, 2021 9:30 pm

I don't think you're doing anything wrong. I had the same experience when the IKEv2 session was landing on an IPIP tunnel interface at the responder, but I was assuming back then that it had to do with the DHCP server expecting the client messages to come in via L2 interfaces.

Depending on the throughput required, you may try to add an auxiliary bridge interface, move the IP configuration from the VLAN interface to it, and make the VLAN interface a member port of this auxiliary bridge, while its tagged end will remain attached to the main bridge.

Also, can you log the DHCPINFORM packet on the firewall and see what is its destination address?
 
fpawlak
just joined
Topic Author
Posts: 21
Joined: Wed Aug 26, 2020 2:49 pm

Re: IKEv2 server ignores dhcp query on vlan interface

Thu Apr 01, 2021 2:18 pm

Sindy, thanks for your reply.
Yes, I can grab the DHCPINFORM; in both scenarios it is sent as a broadcast to 255.255.255.255:67. See below.
First one from the VLAN: as you can see, after the SAs are established, the DHCP packet is repeated without a response.
1.gif
Second scenario, not from the VLAN: after the SAs are established, DHCPINFORM and a response with routes. What's interesting to me is that IPsec sees that DHCPINFORM packet before the firewall does. Maybe it is similar to the DHCP server, which operates on raw packets.
2.gif
IP 10.3.12.4 is my IP obtained from the IKEv2 IP pool in mode config.

I have to read your solution carefully once again and try it. But probably at the beginning I had something similar, but not exactly: a second bridge, but without the VLAN port as a member of it.
I need IKEv2 mainly for road warriors, so the peer is listening on the WAN IP (an IP not assigned directly to the WAN interface, but to a WAN bridge containing the WAN interface). And this is working.
But I also plan to use IKEv2 as a backdoor/gateway to the 'management VLAN', so that while working in the office connected to the 'normal VLAN' I can VPN into the 'management VLAN' without changing LAN cables. Plus, of course, I can use it also from outside the LAN, via WAN. It has worked only from WAN. From LAN there was the problem with pushing routes. From LAN I was also connecting to the WAN bridge IP address.

So when it didn't work as I had planned, I started playing around. I thought it might be because of wrong NAT. So I tried listening on the local IP of the VLAN interface (the IP assigned to the VLAN interface defined as a subinterface of the bridge), without success. Then on the local IP of some interface without any VLAN, and it works. So I came to my assumption of a VLAN issue.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 server ignores dhcp query on vlan interface

Thu Apr 01, 2021 2:38 pm

If it works when the IKE connection establishes with a local IP address attached to a bridge with no member ports at all, you indeed don't need the VLAN to join this bridge to the main one. But at least until recently, Windows clients didn't like by default that the responder was behind a NAT, and you had to explicitly allow that in the registry. A workaround for this at the responder side is to put the public IP on it as a /32 and dst-nat the incoming connections to it even though the WAN IP is private.
 
fpawlak
just joined
Topic Author
Posts: 21
Joined: Wed Aug 26, 2020 2:49 pm

Re: IKEv2 server ignores dhcp query on vlan interface

Thu Apr 01, 2021 3:54 pm

So I've added a third bridge; now I have 'Bridge LAN', 'Bridge WAN' and 'Bridge IKEv2'.
I've set up the IKEv2 peer on the IP assigned to 'Bridge IKEv2', and added dst-nat rules for UDP 500, 4500 and ipsec-esp to forward them to the IP of 'Bridge IKEv2'. I can still connect from WAN and LAN. But only on WAN does pushing routes from mode config work.

'Bridge IKEv2' - is portless
'Bridge LAN' - VLANs as subinterfaces, LAN interface (sfp-sfpplus2 configured as TRUNK) as bridge port
'Bridge WAN' - has the WAN interface

But now I've realized two things:
- in the situation when it works, in the firewall I can see the DHCP packet with a source MAC address:
input: in:br_WAN out:(unknown 0), src-mac b8:69:f4:ae:de:97, proto UDP, 10.3.12.4:68->255.255.255.255:67, len328
when it doesn't work there is no information about src-mac:
input: in:vlan30 - FLORA_NET out:(unknown 0), proto UDP, 10.3.12.3:68->255.255.255.255:67, len 328
You can see the difference in the first and second screenshot.

Secondly, I have my 'Bridge LAN' with only one member port, defined as a TRUNK port. On another MikroTik, I have split it into untagged ports. I will add an untagged port set as an ingress port to that bridge and try whether it changes something.
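The two log lines above differ only in the presence of src-mac, which is the whole clue in this thread. The following is an added diagnostic snippet, not something posted in the thread, that makes both paths visible on a RouterOS 6.x box without guessing: it logs the decapsulated DHCPINFORM in the input chain (so src-mac shows up when the packet has an L2 header), enables the ipsec logging topic so the daemon's own "dhcp query"/"dhcp response" lines appear, and shows the responder's effective settings. It assumes the road-warrior mode-config pool is 10.3.12.0/24 (taken from the policy template later in the thread); the log prefix and logging action names are arbitrary.

```routeros
# Added example, not from the thread. Assumption: IKEv2 clients get addresses
# from 10.3.12.0/24 (the poster's vlan10 policy template); adjust to your pool.

# 1. Make the IPsec daemon's DHCP handling visible in /log
#    (the "!packet" exclusion keeps per-packet noise out of memory).
/system logging add topics=ipsec,!packet action=memory

# 2. Log only the DHCPINFORM that arrived through an IPsec SA.
#    ipsec-policy=in,ipsec matches packets that were just decapsulated, so normal
#    LAN DHCP traffic on the same VLAN does not hit this rule.
#    Placed first so an earlier accept/drop in the input chain cannot shadow it.
/ip firewall filter add chain=input protocol=udp dst-port=67 \
    src-address=10.3.12.0/24 ipsec-policy=in,ipsec \
    action=log log-prefix="dhcpinform" place-before=0

# 3. Check what the responder really listens on. "export verbose" prints defaults
#    such as local-address=0.0.0.0 that a plain export hides.
/ip ipsec peer export verbose
/ip ipsec active-peers print detail

# 4. Compare the logged lines: entries with "src-mac" came in with an L2 header
#    (working path), entries without it came in via the /interface vlan.
/log print where message~"dhcpinform"
```

Remove the log rule again after the comparison; a logging rule in the input chain on a busy router is not something to leave behind, and the memory logging action keeps only a small ring buffer anyway.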
 
fpawlak
just joined
Topic Author
Posts: 21
Joined: Wed Aug 26, 2020 2:49 pm

Re: IKEv2 server ignores dhcp query on vlan interface

Thu Apr 01, 2021 5:11 pm

I've done the test with a direct ingress port, still without success :(
Also, the DHCPINFORM packet is without a src-mac address.
 
fpawlak
just joined
Topic Author
Posts: 21
Joined: Wed Aug 26, 2020 2:49 pm

Re: IKEv2 server ignores dhcp query on vlan interface

Wed Apr 07, 2021 4:34 pm

> Depending on the throughput required, you may try to add an auxiliary bridge interface, move the IP configuration from the VLAN interface to it, and make the VLAN interface a member port of this auxiliary bridge, while its tagged end will remain attached to the main bridge.
Hi Sindy. I've read it carefully once again and tried it.
I've made a new bridge-TEST and added to it as a member port the VLAN interface defined on the main bridge-LAN. Then I moved the IP configuration, DHCP configuration and firewall rules from the VLAN interface to bridge-TEST. It's working now.
Also worth noticing: now in the logs I can see the DHCP query packet with src-address=my_laptop_mac_address.

So theoretically I should create a separate additional bridge for each VLAN interface from which I want to start a VPN connection.
How about the performance? Not only VPN traffic is going through this additional bridge, but also all remaining traffic to WAN and the other VLANs.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 server ignores dhcp query on vlan interface

Wed Apr 07, 2021 8:39 pm

If you use that "bridge-reinforced" VLAN interface also for other traffic than the VPN one, some CPU cycles will indeed be wasted on the additional bridging. So my solution would be to use a dedicated VLAN and IP address only for the IPsec responder to listen at. But I don't get the difference between attaching the address to a port-less bridge (which is an L2 interface), attaching it to a VLAN interface (which is an L2 interface too), and attaching it to a bridge which has a single member port (the VLAN interface connecting it to the main bridge), where the former two ways end up with an L3 DHCPINFORM whereas the latter one ends up with an L2 DHCPINFORM.

I didn't get much what you mean by "each VLAN interface from which I want to start a VPN connection". Do you intend to use several responders, each with a different profile, each listening at another local address, with its dedicated dst-nat rule? If so, it should still be possible to attach all those individual local addresses to the same bridge interface.
 
fpawlak
just joined
Topic Author
Posts: 21
Joined: Wed Aug 26, 2020 2:49 pm

Re: IKEv2 server ignores dhcp query on vlan interface

Thu Apr 08, 2021 12:52 pm

OK. So maybe I have to write more simply what I have and what I want:
Bridge.png
Bridgeports.png
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=br-LAN vlan-filtering=yes
add name=br-WAN
/interface bridge port
add bridge=br-LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus2
add bridge=br-WAN interface=sfp-sfpplus1
/interface bridge vlan
add bridge=br-LAN tagged=br-LAN,sfp-sfpplus2 vlan-ids=10
add bridge=br-LAN tagged=br-LAN,sfp-sfpplus2 vlan-ids=20
add bridge=br-LAN tagged=br-LAN,sfp-sfpplus2 vlan-ids=30
add bridge=br-LAN tagged=br-LAN,sfp-sfpplus2 vlan-ids=40
add bridge=br-LAN tagged=br-LAN,sfp-sfpplus2 vlan-ids=50
add bridge=br-LAN tagged=br-LAN,sfp-sfpplus2 vlan-ids=60
add bridge=br-LAN tagged=br-LAN,sfp-sfpplus2 vlan-ids=70
add bridge=br-LAN tagged=br-LAN,sfp-sfpplus2 vlan-ids=80
add bridge=br-LAN tagged=br-LAN,sfp-sfpplus2 vlan-ids=90
As you can see, I have two bridges:
- br-LAN with various VLANs defined + VLAN filtering enabled
- br-WAN
I'm using two physical interfaces:
- sfp-sfpplus1 - added as a member port to br-WAN - my WAN is connected to it
- sfp-sfpplus2 - added as a member port to br-LAN - it's my trunk port to the switch where it is divided into different VLANs
IP.png
/ip address
add address=xxx.xxx.xxx.xxx/28 comment=lo.my_domain.net interface=br-WAN network=xxx.xxx.xxx.240
add address=xxx.xxx.xxx.yyy/28 comment=lo-guests.my_domain.net interface=br-WAN network=xxx.xxx.xxx.240
add address=10.3.10.1/24 comment=gw.mgnt.lo.my_domain.net interface="vlan10 - MGNT" network=10.3.10.0
add address=10.3.20.1/24 comment=gw.capsman.lo.my_domain.net interface="vlan20 - CAPsMAN" network=10.3.20.0
add address=10.3.30.1/24 comment=gw.flora_net.lo.my_domain.net interface="vlan30 - FLORA_NET" network=10.3.30.0
add address=10.3.40.1/24 comment=gw.lo-guests.my_domain.net interface="vlan40 - GUESTS" network=10.3.40.0
add address=10.3.50.1/24 comment=gw.printnscan.lo.my_domain.net interface="vlan50 - PRINTnSCAN" network=10.3.50.0
add address=10.3.60.1/24 comment=gw.voip.lo.my_domain.net interface="vlan60 - VoIP" network=10.3.60.0
add address=10.3.70.1/24 comment=gw.iqvitroclima.lo.my_domain.net interface="vlan70 - iqVitroClima" network=10.3.70.0
add address=10.3.80.1/24 comment=gw.mg-iot.lo.my_domain.net interface="vlan80 - MG-IoT" network=10.3.80.0
add address=10.3.90.1/24 comment=gw.cctv.lo.my_domain.net interface="vlan90 - CCTV" network=10.3.90.0
As you can see, each VLAN interface has its own IP.
I have two WAN IPs: one for vlan40 - GUESTS, my 'untrusted' network for everybody, and one for the rest of the VLANs.

This is what I have. Now what I want:
First of all, I want the ability to connect with IKEv2 from the internet to a specific VLAN, mainly vlan30 - FLORA_NET (which is the main VLAN, so road warriors will connect to it), and vlan10 - MGNT (which is my management network; I need remote access to it), plus remote access for an external company servicing HVAC (vlan70), and so on. Of course access to the specific network should be based on user login/certificate.
Secondly, I need to join company sites with similar structures. I don't need to route everything, only part of it. Let's say vlan30 and vlan50.
These two things I know how to achieve. I have followed Nikita Tarikin's MUM presentations:
https://mum.mikrotik.com/presentations/ ... 543676.pdf
https://mum.mikrotik.com/presentations/ ... 420263.pdf

It works for me. I mean I can connect from WAN to a specific VLAN, and I have a tunnel between the two company locations.
The problem I have is when I'm in the company office connected, for example, to vlan30 (my main VLAN) and I want to do something in vlan10 - MGNT, e.g. connect and reconfigure the router. Yes, I can manually change my LAN cable and connect directly to vlan10. But it would be much more convenient if I could use the same IKEv2 tunnel whether I am in or out of the office (from LAN and WAN).
I can connect from LAN, but the router ignores the DHCPINFORM packet and doesn't respond with split routes. I can manually add those routes in Windows cmd.exe and it works. While connecting from WAN everything works perfectly.

So, as you suggested, as a workaround I've added additional bridges. I mean, if I want the ability to connect from vlan30 to the IKEv2 server, I need this additional bridge. If I want the ability to connect from vlan50 to the IKEv2 server, I need the next additional bridge. And so on.
/interface bridge
add name=br-vlan30
add name=br-vlan50
/interface bridge port
add bridge=br-vlan30 interface="vlan30 - FLORA_NET" multicast-router=disabled
add bridge=br-vlan50 interface="vlan50 - PRINTnSCAN" multicast-router=disabled
Now I have to move the configuration of IP addresses and the DHCP server to these bridges.

I still have only one passive IKEv2 peer with many identities, policies and mode configs:
/ip ipsec mode-config
add name="site2site - out" responder=no use-responder-dns=yes
add address-pool="vlan10 - vpn pool" address-prefix-length=32 name="vpn - vlan10 - config" split-dns=lo.vitroflora.net split-include=10.3.0.0/16,10.4.10.0/25,192.168.99.0/24 system-dns=no
add address-pool="vlan30 - vpn pool" address-prefix-length=32 name="vpn - vlan30 - config" split-dns=lo.vitroflora.net split-include=10.3.30.0/24 system-dns=no

/ip ipsec policy group
add name="site2site - out"
add name="site2site - in"
add name=vlan10
add name=vlan30

/ip ipsec identity
add auth-method=digital-signature certificate=vpn.lo.vitroflora.net generate-policy=port-strict mode-config="site2site - out" my-id=fqdn:vpn.lo.MY_DOMAIN.net peer="peer - TR" policy-template-group="site2site - out" remote-id=fqdn:vpn.tr.MY_DOMAIN.net
add auth-method=digital-signature certificate=vpn.lo.MY_DOMAIN.net comment="vlan10 - uservlan10@MY_DOMAIN.com.pl" generate-policy=port-strict match-by=certificate mode-config="vpn - vlan10 - config" peer="peer - server" policy-template-group=vlan10  remote-certificate=uservlan10@MY_DOMAIN.com.pl remote-id=user-fqdn:uservlan10@vitroflora.com.pl
add auth-method=digital-signature certificate=vpn.lo.MY_DOMAIN.net comment="vlan30 - uservlan30@MY_DOMAIN.com.pl" generate-policy=port-strict match-by=certificate mode-config="vpn - vlan30 - config" peer="peer - server" policy-template-group=vlan30 remote-certificate=uservlan30@MY_DOMAIN.com.pl remote-id=user-fqdn:uservlan30@MY_DOMAIN.com.pl

/ip ipsec policy
add comment="site2site - in" dst-address=10.3.0.0/24 group="site2site - in" proposal="IPsec - proposal" src-address=10.3.0.1/32 template=yes
add comment="site2site - out" dst-address=0.0.0.0/0 group="site2site - out" proposal="IPsec - proposal" src-address=0.0.0.0/0 template=yes
add comment=vlan10 dst-address=10.3.12.0/24 group=vlan10 proposal="IPsec - proposal" src-address=0.0.0.0/0 template=yes
add comment=vlan30 dst-address=10.3.32.0/24 group=vlan30 proposal="IPsec - proposal" src-address=0.0.0.0/0 template=yes

/ip ipsec peer
add exchange-mode=ike2 local-address=MY_WAN_IP name="peer - server" passive=yes profile="IKEv2 Profile"
Am I right? Or did I misunderstand something?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 server ignores dhcp query on vlan interface

Sat Apr 10, 2021 2:02 pm

You've provided a lot of information but still some bits are missing, so let me rephrase it.
  • No matter what the reasons are, the essence is that the IKEv2 VPN client needs to connect also from the server's LAN.
  • According to your configuration excerpt, the responder peer listens at all addresses.
  • According to what you wrote,
    it will be much more convenient if I can use the same IKEv2 tunnel whether am I in or out of office (from LAN and WAN)
    I assume that no matter where the laptop is connected, you always connect to the WAN IP of the office router (i.e. you do not change the client settings).
  • The title issue of this topic is that the IPsec stack clearly treats the incoming connections that came in via WAN differently from those that came in via LAN.
  • The secondary issue you deal with is that the workaround (an additional bridge) makes the frame path from the physical interface to the IP interface more complex, and this affects all the traffic in that VLAN/subnet, not just the IKEv2 one.
Is all the above correct?
 
fpawlak
just joined
Topic Author
Posts: 21
Joined: Wed Aug 26, 2020 2:49 pm

Re: IKEv2 server ignores dhcp query on vlan interface

Mon Apr 12, 2021 12:45 pm

> No matter what the reasons are, the essence is that the IKEv2 VPN client needs to connect also from the server's LAN.
YES
> According to your configuration excerpt, the responder peer listens at all addresses.
Not exactly. I always have
address=0.0.0.0/0
and for local-address I've tried different configurations:
local-address=EMPTY/NOT_SET
- I can 'dial' MY_WAN_IP or MY_LAN_IP; I can connect both from WAN and LAN (I think it works because MY_WAN_IP is routable from LAN)
local-address=MY_WAN_IP
- I have to 'dial' MY_WAN_IP; I can connect both from WAN and LAN (I think it works because MY_WAN_IP is routable from LAN)
local-address=MY_LAN_IP
- I have to 'dial' MY_LAN_IP; I can connect only from LAN
In all cases, when I connect from LAN I don't get the split routes.
> I assume that no matter where the laptop is connected, you always connect to the WAN IP of the office router (i.e. you do not change the client settings).
Yes, ideally I don't want to change anything, nor have two VPN entries. But as you can read above, I've tried different addresses.
> The title issue of this topic is that the IPsec stack clearly treats the incoming connections that came in via WAN differently from those that came in via LAN.
I'm not sure if this is because of the IPsec stack. Maybe it is connected to the DHCP server, but probably not; I've tried disabling DHCP on this interface, but this did not solve the problem. (I thought maybe somehow DHCP consumes/blocks those packets.)
> The secondary issue you deal with is that the workaround (an additional bridge) makes the frame path from the physical interface to the IP interface more complex, and this affects all the traffic in that VLAN/subnet, not just the IKEv2 one.
YES, exactly
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 server ignores dhcp query on vlan interface

Mon Apr 12, 2021 3:38 pm

local-address=empty/not set and local-address=0.0.0.0 is the same thing, as you can see if you use /ip ipsec peer export verbose (without the verbose modifier, export does not show default values).

Mikrotik's DHCP server apparently expects an L2 frame in order that it responded, so if the DHCPINFORM comes without the L2 headers, it is ignored. Hence one possible fix would be that the DHCP server would not be that picky about the DHCPINFORM, another possible fix would be that the IPsec stack would always provide the L2 header, even a made up one, to satisfy the DHCP server.

I'd suggest you create a supout.rif and open a support ticket at MikroTik. You can refer to this topic in the ticket in addition to a brief description, but supout.rif is the first thing they ask for if you don't attach it straight away, no exceptions.

As you say that the DHCP server ignores the DHCPINFORM even if you set the client to connect to the own IP address of the Mikrotik in the subnet from which the client is connecting, rather than to the WAN IP, the different handling of the DHCPINFORM doesn't seem to be triggered by the fact that the destination address of the initial request is not the one attached to the in-interface of the request but rather by the fact that the in-interface is an /interface vlan. Just for the case, can you double-check what the sa-src-address of the policy is when you let the client in VLAN 30 subnet connect to Mikrotik's own IP in that subnet (the peer's local-address may remain 0.0.0.0)?

As the only workaround that wouldn't cost any extra CPU cycles (in fact, it should even save them), I can currently imagine to make VLAN 30 the native one of the common bridge (i.e. to set bridge's pvid to 30 and move all the IP configuration from /interface vlan with vlan-id=30 to the bridge, after making sure it won't break anything, which may include creation of /interface vlan with vlan-id=1 and moving the current IP configuration from the bridge to this new /interface vlan).


Totally unrelated to the topic - can you translate the exact meaning of "To jest jak w czeskim filmie!" for me?
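The native-VLAN workaround described in this post, written out as RouterOS 6.x commands. This is an added example, not configuration posted by either participant, and it assumes the names from fpawlak's export above (br-LAN, sfp-sfpplus2, "vlan30 - FLORA_NET") and that no IP address is currently attached to br-LAN itself (true in that export, so the "vlan-id=1" step sindy mentions is not needed here). It is meant to be pasted from a session on another VLAN or via the console, because the VLAN 30 address moves during the change.

```routeros
# Added example, not from the thread. Assumed names: br-LAN, sfp-sfpplus2,
# "vlan30 - FLORA_NET"; adjust to your own configuration.

# 1. Make VLAN 30 the native (untagged) VLAN of the bridge's own CPU port.
#    The bridge was exported with frame-types=admit-only-vlan-tagged; the CPU
#    side now has to emit untagged frames, so that must be relaxed on the
#    bridge itself (the trunk port sfp-sfpplus2 keeps its tagged-only setting).
/interface bridge set br-LAN pvid=30 frame-types=admit-all

# 2. The static VLAN table entry for 30: still tagged towards the trunk,
#    untagged towards the bridge (CPU) port instead of tagged.
/interface bridge vlan set [find where bridge=br-LAN vlan-ids=30] \
    tagged=sfp-sfpplus2 untagged=br-LAN

# 3. Move the L3 configuration from the /interface vlan to the bridge.
/ip address set [find where interface="vlan30 - FLORA_NET"] interface=br-LAN
/ip dhcp-server set [find where interface="vlan30 - FLORA_NET"] interface=br-LAN

# 4. Anything else that matched on the old interface name must follow it,
#    otherwise those rules silently stop matching.
/ip firewall filter set [find where in-interface="vlan30 - FLORA_NET"] in-interface=br-LAN
/ip firewall filter set [find where out-interface="vlan30 - FLORA_NET"] out-interface=br-LAN
/ip firewall nat set [find where in-interface="vlan30 - FLORA_NET"] in-interface=br-LAN

# 5. Retire the now-unused VLAN interface rather than deleting it straight away.
/interface vlan disable [find where vlan-id=30]

# 6. Verify: VLAN 30 frames from the trunk now terminate on br-LAN directly.
/interface bridge vlan print where vlan-ids=30
/ip address print where interface=br-LAN
```

Interface lists (/interface list member) and any logging or mangle rules that name "vlan30 - FLORA_NET" need the same rename; grepping a fresh /export for the old interface name before step 5 is the reliable way to find them.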
 
fpawlak
just joined
Topic Author
Posts: 21
Joined: Wed Aug 26, 2020 2:49 pm

Re: IKEv2 server ignores dhcp query on vlan interface

Mon Apr 12, 2021 8:55 pm

> I'd suggest you to create a supout.rif and open a support ticket at Mikrotik. You can refer to this topic in the ticket in addition to a brief description, but supout.rif is the first thing they ask for if you don't attach it straight away, no exceptions.
I will do that :)
> Totally unrelated to the topic - can you translate the exact meaning of "To jest jak w czeskim filmie!" for me?
Okay, so "To jest jak w czeskim filmie!" literally means 'It is exactly as in a Czech movie'. I don't know if the phrase 'Czech movie' is known worldwide; probably not :P
As I found on the Polish internet, this phrase was born thanks to this Czech movie: https://www.imdb.com/title/tt0133126/
But in general, it is a term for a situation where nobody knows anything, nobody knows what is happening, or why it is happening.
E.g. when you go to an electronics shop and ask the specialists about some device feature, and everyone gives you a completely different answer.
Or imagine a construction site where everybody is digging holes, but no one knows where they should be dug, how big, how many, or why.

I have one more question related to IKEv2. Is it possible to switch the user LED on/off based on IKEv2 peer status? Similar to interface-status under /system leds.

You can use it also as a negative comment on a movie: if you watched it but didn't get the story because it was so badly directed, or so chaotic.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 server ignores dhcp query on vlan interface

Mon Apr 12, 2021 10:35 pm

> I have one more question related to IKEv2. Is it possible to switch on/off user-led based on IKEv2 peer status? Similar to interface-status under /system leds
It is, but only using a periodically scheduled script. None of the possible type values has any relationship to IPsec. So you must use a script to switch between type=on and type=off as required. And the script must be periodically scheduled because currently no on-up/on-down scripts can be specified for a peer or identity, to be spawned on status changes.

> Okay, so "To jest jak w czeskim filmie!" exactly means 'It is exactly as in Czech movie'.
I do get the word-by-word translation, I just wanted to understand the degree of confusion it expresses. According to what you wrote, a total one :)

And thank you for the reference to the particular movie; I was afraid all Czech movies were considered confusing in Poland ;)
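The polled script sindy describes, as an added example that is not part of the thread. It assumes RouterOS 6.4x, that the board exposes a LED entry named "user-led" under /system leds (check with /system leds print; the name and index are board dependent), and that "peer - server" is the responder the LED should reflect. It counts established IKE SAs rather than just "any active peer", so a peer that is stuck negotiating does not light the LED.

```routeros
# Added example, not from the thread. Assumptions: a /system leds entry named
# "user-led" exists on this board, and the road-warrior responder is
# "peer - server" (name taken from the poster's export).
/system script add name=ipsec-led policy=read,write,test source={
    # Established IKE SAs only; a peer still in negotiation does not count.
    :local up [:len [/ip ipsec active-peers find where state="established"]]
    :local led [/system leds find where leds="user-led"]
    :if ([:len $led] = 0) do={
        :log warning "ipsec-led: no user-led entry in /system leds"
    } else={
        :if ($up > 0) do={
            /system leds set $led type=on
        } else={
            /system leds set $led type=off
        }
    }
}

# Poll every 10 s; the LED lags a state change by at most one interval.
/system scheduler add name=ipsec-led interval=10s on-event=ipsec-led \
    policy=read,write,test
```

With a site-to-site identity on the same router (the thread's "peer - TR"), active-peers will usually contain at least one established entry at all times, so the LED would stay on; filter the find on remote-address or on the local address the road warriors dial if the LED is meant to show road-warrior sessions only.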
 
MITM
just joined
Posts: 3
Joined: Sun Mar 31, 2019 12:54 pm

Re: IKEv2 server ignores dhcp query on vlan interface

Fri Oct 22, 2021 11:45 pm

Hi!
I have a problem obtaining DHCP option 249 from IKEv2 on a VLAN interface (Windows 10 client).
I have a trunk port on the switch chip in my RB1100AHx2.
In the config below there is only part of the VLAN configuration on the switch chip.

/interface ethernet switch port
set 10 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=secure
set 11 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=secure

/interface ethernet switch vlan
add independent-learning=no ports=WAN-1,switch2-cpu switch=switch2 vlan-id=500

/interface bridge
add name=bridge-WAN protocol-mode=none

/interface bridge port
add bridge=bridge-WAN interface=WAN-1

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

/interface vlan
add interface=bridge-WAN name=WAN500 vlan-id=500

When I establish a connection to IKEv2 it works as expected: SA established, and I have access to internal resources and the Internet.
But split-include is not working. I added a log rule to the firewall and filtered DHCP packets with a layer7 protocol matcher using a regex corresponding to the DHCP Inform type.
The log says:

 in:WAN500 out(unknown 0), proto UDP, 10.10.10.5:68 -> 255.255.255.255:67, len 328

It seems that the DHCP server can't receive or process the request coming from the VLAN interface.

When I destroy the VLAN configuration and configure the IP address on the bridge interface (without any VLANs), it works properly. Split-include works.

Please help! Is it a bug? Or does a proper solution exist when IKEv2 receives connections on a VLAN interface?
