Ok. So maybe I have to write more simply what I have and what I want:
Bridge.png
Bridgeports.png
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=br-LAN vlan-filtering=yes
add name=br-WAN
/interface bridge port
add bridge=br-LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus2
add bridge=br-WAN interface=sfp-sfpplus1
/interface bridge vlan
add bridge=br-LAN tagged=br-LAN,sfp-sfpplus2 vlan-ids=10
add bridge=br-LAN tagged=br-LAN,sfp-sfpplus2 vlan-ids=20
add bridge=br-LAN tagged=br-LAN,sfp-sfpplus2 vlan-ids=30
add bridge=br-LAN tagged=br-LAN,sfp-sfpplus2 vlan-ids=40
add bridge=br-LAN tagged=br-LAN,sfp-sfpplus2 vlan-ids=50
add bridge=br-LAN tagged=br-LAN,sfp-sfpplus2 vlan-ids=60
add bridge=br-LAN tagged=br-LAN,sfp-sfpplus2 vlan-ids=70
add bridge=br-LAN tagged=br-LAN,sfp-sfpplus2 vlan-ids=80
add bridge=br-LAN tagged=br-LAN,sfp-sfpplus2 vlan-ids=90
As you can see, I have two bridges:
- br-LAN with various VLANs defined + VLAN filtering enabled
- br-WAN
I'm using two physical interfaces:
- sfp-sfpplus1 - added as a port member to br-WAN - my WAN is connected to it
- sfp-sfpplus2 - added as a port member to br-LAN - it's my trunk port to the switch, where I have divided it into different VLANs
IP.png
/ip address
add address=xxx.xxx.xxx.xxx/28 comment=lo.my_domain.net interface=br-WAN network=xxx.xxx.xxx.240
add address=xxx.xxx.xxx.yyy/28 comment=lo-guests.my_domain.net interface=br-WAN network=xxx.xxx.xxx.240
add address=10.3.10.1/24 comment=gw.mgnt.lo.my_domain.net interface="vlan10 - MGNT" network=10.3.10.0
add address=10.3.20.1/24 comment=gw.capsman.lo.my_domain.net interface="vlan20 - CAPsMAN" network=10.3.20.0
add address=10.3.30.1/24 comment=gw.flora_net.lo.my_domain.net interface="vlan30 - FLORA_NET" network=10.3.30.0
add address=10.3.40.1/24 comment=gw.lo-guests.my_domain.net interface="vlan40 - GUESTS" network=10.3.40.0
add address=10.3.50.1/24 comment=gw.printnscan.lo.my_domain.net interface="vlan50 - PRINTnSCAN" network=10.3.50.0
add address=10.3.60.1/24 comment=gw.voip.lo.my_domain.net interface="vlan60 - VoIP" network=10.3.60.0
add address=10.3.70.1/24 comment=gw.iqvitroclima.lo.my_domain.net interface="vlan70 - iqVitroClima" network=10.3.70.0
add address=10.3.80.1/24 comment=gw.mg-iot.lo.my_domain.net interface="vlan80 - MG-IoT" network=10.3.80.0
add address=10.3.90.1/24 comment=gw.cctv.lo.my_domain.net interface="vlan90 - CCTV" network=10.3.90.0
As you can see, each VLAN interface has its own IP.
I have two WAN IPs - one for vlan40 - GUESTS, my 'untrusted' network for everybody, and one for the rest of the VLANs.
This is what I have. Now, what I want:
First of all, I want the ability to connect with IKEv2 from the internet to a specific VLAN, mainly vlan30 - FLORA_NET (which is the main VLAN, so road warriors will connect to it) and vlan10 - MGNT (which is my management network - I need remote access to it), plus remote access for an external company servicing HVAC (vlan70), and so on. Of course, access to the specific network should be based on user login/certificate.
Secondly, I need to join company sites with similar structures. I don't need to route everything, only part of it. Let's say vlan30 and vlan50.
These two things I know how to achieve. I have followed Nikita Tarikin's MUM presentations:
https://mum.mikrotik.com/presentations/ ... 543676.pdf
https://mum.mikrotik.com/presentations/ ... 420263.pdf
It works for me. I mean, I can connect from WAN to a specific VLAN, and I have a tunnel between the two company locations.
The problem I have is when I'm in the company office, connected for example to vlan30 (my main VLAN), and I want to do something in vlan10 - MGNT, e.g. connect and reconfigure the router. Yes, I can manually change my LAN cable and connect directly to vlan10. But it would be much more convenient if I could use the same IKEv2 tunnel whether I am in or out of the office (from LAN and WAN).
I can connect from LAN, but the router ignores the DHCPINFORM packet and doesn't respond with split routes. I can manually add those routes in Windows cmd.exe and it works. When connecting from WAN everything works perfectly.
So, as you suggested as a workaround, I've added additional bridges. I mean, if I want the ability to connect from vlan30 to the IKEv2 server, I need an additional bridge. If I want the ability to connect from vlan50 to the IKEv2 server, I need another additional bridge. And so on.
/interface bridge
add name=br-vlan30
add name=br-vlan50
/interface bridge port
add bridge=br-vlan30 interface="vlan30 - FLORA_NET" multicast-router=disabled
add bridge=br-vlan50 interface="vlan50 - PRINTnSCAN" multicast-router=disabled
Now I have to move the configuration of IP addresses and DHCP servers to these bridges.
I still have only one passive IKEv2 peer with many identities, policies, and mode configs:
/ip ipsec mode-config
add name="site2site - out" responder=no use-responder-dns=yes
add address-pool="vlan10 - vpn pool" address-prefix-length=32 name="vpn - vlan10 - config" split-dns=lo.vitroflora.net split-include=10.3.0.0/16,10.4.10.0/25,192.168.99.0/24 system-dns=no
add address-pool="vlan30 - vpn pool" address-prefix-length=32 name="vpn - vlan30 - config" split-dns=lo.vitroflora.net split-include=10.3.30.0/24 system-dns=no
/ip ipsec policy group
add name="site2site - out"
add name="site2site - in"
add name=vlan10
add name=vlan30
/ip ipsec identity
add auth-method=digital-signature certificate=vpn.lo.vitroflora.net generate-policy=port-strict mode-config="site2site - out" my-id=fqdn:vpn.lo.MY_DOMAIN.net peer="peer - TR" policy-template-group="site2site - out" remote-id=fqdn:vpn.tr.MY_DOMAIN.net
add auth-method=digital-signature certificate=vpn.lo.MY_DOMAIN.net comment="vlan10 - uservlan10@MY_DOMAIN.com.pl" generate-policy=port-strict match-by=certificate mode-config="vpn - vlan10 - config" peer="peer - server" policy-template-group=vlan10 remote-certificate=uservlan10@MY_DOMAIN.com.pl remote-id=user-fqdn:uservlan10@vitroflora.com.pl
add auth-method=digital-signature certificate=vpn.lo.MY_DOMAIN.net comment="vlan30 - uservlan30@MY_DOMAIN.com.pl" generate-policy=port-strict match-by=certificate mode-config="vpn - vlan30 - config" peer="peer - server" policy-template-group=vlan30 remote-certificate=uservlan30@MY_DOMAIN.com.pl remote-id=user-fqdn:uservlan30@MY_DOMAIN.com.pl
/ip ipsec policy
add comment="site2site - in" dst-address=10.3.0.0/24 group="site2site - in" proposal="IPsec - proposal" src-address=10.3.0.1/32 template=yes
add comment="site2site - out" dst-address=0.0.0.0/0 group="site2site - out" proposal="IPsec - proposal" src-address=0.0.0.0/0 template=yes
add comment=vlan10 dst-address=10.3.12.0/24 group=vlan10 proposal="IPsec - proposal" src-address=0.0.0.0/0 template=yes
add comment=vlan30 dst-address=10.3.32.0/24 group=vlan30 proposal="IPsec - proposal" src-address=0.0.0.0/0 template=yes
/ip ipsec peer
add exchange-mode=ike2 local-address=MY_WAN_IP name="peer - server" passive=yes profile="IKEv2 Profile"
Am I right? Or did I misunderstand something?
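An added example (my own, not part of the thread or of RouterOS): it parses an export excerpt in the shape posted above and checks, per identity, whether the networks pushed to the road warrior via mode-config split-include are actually permitted by the policy template of that identity's policy-template-group, and whether the template is wider than the pushed routes (split-include is only a routing hint to the client, so with src-address=0.0.0.0/0 the per-VLAN restriction rests on firewall rules rather than on IPsec). The excerpt is constructed and shortened from the posted config; the vlan30 entries are altered so both kinds of mismatch appear.

```python
"""Audit a RouterOS IPsec export: compare what mode-config pushes to a road warrior
(split-include) with what the matching policy template actually permits."""
import shlex
from ipaddress import ip_network

# Constructed excerpt modelled on the posted export (not the poster's exact file);
# the vlan30 entries are altered so that both kinds of mismatch show up.
EXPORT = """\
/ip ipsec mode-config
add address-pool="vlan10 - vpn pool" address-prefix-length=32 name="vpn - vlan10 - config" split-include=10.3.0.0/16,10.4.10.0/25,192.168.99.0/24 system-dns=no
add address-pool="vlan30 - vpn pool" address-prefix-length=32 name="vpn - vlan30 - config" split-include=10.3.30.0/24,10.3.50.0/24 system-dns=no
/ip ipsec identity
add auth-method=digital-signature comment="vlan10 - user" generate-policy=port-strict mode-config="vpn - vlan10 - config" peer="peer - server" policy-template-group=vlan10
add auth-method=digital-signature comment="vlan30 - user" generate-policy=port-strict mode-config="vpn - vlan30 - config" peer="peer - server" policy-template-group=vlan30
/ip ipsec policy
add comment=vlan10 dst-address=10.3.12.0/24 group=vlan10 src-address=0.0.0.0/0 template=yes
add comment=vlan30 dst-address=10.3.32.0/24 group=vlan30 src-address=10.3.30.0/24 template=yes
"""

def parse_export(text):
    """Turn '/section' headers and 'add k=v ...' lines into {section: [dict, ...]}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            # shlex handles quoted values such as name="vpn - vlan10 - config"
            current.append(dict(tok.split("=", 1) for tok in shlex.split(line)[1:]))
    return sections

def audit(text):
    """Per identity: pushed networks no template permits (the client routes them into the
    tunnel but no SA will cover them), and whether a template is wider than the pushed routes."""
    cfg = parse_export(text)
    modecfg = {m["name"]: m for m in cfg.get("/ip ipsec mode-config", [])}
    templates = {}
    for p in cfg.get("/ip ipsec policy", []):
        if p.get("template") == "yes":
            templates.setdefault(p["group"], []).append(ip_network(p["src-address"]))
    report = {}
    for ident in cfg.get("/ip ipsec identity", []):
        mc = modecfg.get(ident.get("mode-config", ""), {})
        pushed = [ip_network(n) for n in mc.get("split-include", "").split(",") if n]
        allowed = templates.get(ident.get("policy-template-group"), [])
        unreachable = [str(n) for n in pushed if not any(n.subnet_of(a) for a in allowed)]
        # template wider than every pushed route: IPsec alone does not confine this user
        broader = any(not any(a.subnet_of(n) for n in pushed) for a in allowed)
        report[ident.get("comment", "?")] = {"unreachable": unreachable,
                                             "template_broader": broader}
    return report
```

Running `audit(EXPORT)` flags the vlan10 identity as template_broader (src-address 0.0.0.0/0 versus three pushed networks) and lists 10.3.50.0/24 as unreachable for the vlan30 identity, whose template only permits 10.3.30.0/24.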