shawgrim
just joined
Topic Author
Posts: 2
Joined: Thu Feb 18, 2021 2:43 pm
Location: Manchester, UK

New to MikroTik, only one issue...

Wed Sep 22, 2021 5:02 pm

Hi all,

I'm a PBX engineer for my sins. I know enough about networking to be dangerous, and get me by in my day-to-day :) but I am looking to further my knowledge and quals in this area. With this in mind, I decided to get a MikroTik for my home router so I can work in my 'lab' so to speak, and we also use this kit in our infrastructure at work.

So I picked up a RB951Ui-2HnD and slapped a basic config on from some guides. I have it running a PPPoE session on ethernet1 and ethernet2 acting as a trunking port for the rest of my LAN. I set up some VLANs (I'm aware they can all talk at the moment and I'm not too fussed about that for the moment) but I am seeing some issues in the logs.

I keep getting 'invalid forward: in vlan10 out:plusnet' with various mac addresses. I wonder if someone can point me in the right direction.

Thanks in advance

# sep/16/2021 13:51:16 by RouterOS 6.48.4
# software id = 2319-L8KS
#
# model = 951Ui-2HnD
# serial number = 7BCC06CDC5D1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-lan
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-wan name=plusnet user=\
    shawgrim@plusdsl.net
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface vlan
add interface=ether2-lan name=vlan10 vlan-id=10
add interface=ether2-lan name=vlan20 vlan-id=20
add interface=ether2-lan name=vlan30 vlan-id=30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.10.15-192.168.10.254
add name=dhcp_pool2 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool3 ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether2-lan lease-time=1d \
    name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan10 lease-time=1d name=\
    dhcp2
add address-pool=dhcp_pool2 disabled=no interface=vlan20 lease-time=1d name=\
    dhcp3
add address-pool=dhcp_pool3 disabled=no interface=vlan30 lease-time=1d name=\
    dhcp4
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU \
    up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US \
    up-port=1700
add address=eu1.cloud.thethings.industries down-port=1700 name=\
    "TTS Cloud (eu1)" up-port=1700
add address=nam1.cloud.thethings.industries down-port=1700 name=\
    "TTS Cloud (nam1)" up-port=1700
add address=au1.cloud.thethings.industries down-port=1700 name=\
    "TTS Cloud (au1)" up-port=1700
add address=eu1.cloud.thethings.network down-port=1700 name="TTN V3 (eu1)" \
    up-port=1700
add address=nam1.cloud.thethings.network down-port=1700 name="TTN V3 (nam1)" \
    up-port=1700
add address=au1.cloud.thethings.network down-port=1700 name="TTN V3 (au1)" \
    up-port=1700
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip address
add address=192.168.1.1/24 interface=ether2-lan network=192.168.1.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1,1.1.2.2 gateway=192.168.1.1
add address=192.168.10.0/24 dns-server=192.168.10.10,1.1.1.1 gateway=\
    192.168.10.1
add address=192.168.20.0/24 dns-server=1.1.1.1,1.1.2.2 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=1.1.1.1,1.1.2.2 gateway=192.168.30.1
/ip firewall address-list
add address=192.168.1.2-192.168.1.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=\
    ether1-wan log=yes log-prefix=!public src-address-list=not_in_internet
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=\
    ether1-wan log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=ether2-lan \
    log=yes log-prefix=LAN_!LAN src-address=!192.168.1.0/24
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=plusnet
/system clock
set time-zone-name=Etc/GMT+0
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set vlan30 disabled=yes display-time=5s
set vlan20 disabled=yes display-time=5s
set vlan10 disabled=yes display-time=5s
set plusnet disabled=yes display-time=5s
set wlan1 disabled=yes display-time=5s
set ether1-wan disabled=yes display-time=5s
set ether2-lan disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
/system ntp client
set enabled=yes server-dns-names=europe.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
/tool user-manager database
set db-path=user-manager

anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New to MikroTik, only one issue...

Thu Sep 23, 2021 5:58 pm

Hi there.
Looking at your config, interesting that you're not using any bridge, which I suppose is fine.
Also assuming that your ether2 is connected to a smart device which can read/handle
the untagged traffic coming in from ether2 and the tagged traffic coming in on the three vlans???

Where you start to go astray IMHO is the firewall filter rules. First thing I would do is dump all those extra icmp rules. Not required unless you have a specific issue.

(1) Access to router considerations:
/ip firewall filter
add action=accept chain=input src-address-list=allowed_to_router

This is a good rule it basically says only people from my trusted LAN (the non vlan subnet) shall have access to the router.
In fact only the ADMIN requires FULL access to the router but we can address that nuance later!!!
The problem here is that with a last input chain rule of DROP ALL, you have effectively blocked all your vlan users from receiving DNS support from the router and NTP support.
So you need to add rules to provide necessary router services for those users, ON THE INPUT CHAIN, just before the DROP all rule.
Ex.
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow NTP service" connection-state=\
new dst-port=123 in-interface-list=LAN protocol=udp src-address-list=\
NTPserver
add action=drop chain=input comment="Drop All Else"


You will note the use of INTERFACE LIST of LAN, which you seem to be missing in your config.
Typically it would look like this.

/interface list
add name=WAN
add name=LAN
add name=Vlan

/interface list members
add interface=ether1 list=WAN
add interface=plusnet list=WAN
add interface=ether2 list=LAN
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan30 list=LAN
Note: for forward filter rules discussed below at (6)
add interface=vlan10 list=Vlan
add interface=vlan20 list=Vlan
add interface=vlan30 list=Vlan

(2) Missing!
Add this rule right after the first input chain rule, the established rule etc...
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid

(3) Now let's tackle the forward chain rules.
As noted GET RID of all ICMP rules here, not required and normally if done, done in the input chain anyway.

(4) You have many duplicated rules, some 3x stated!! get rid of all duplicates!!

(5) You have some rules that need work as they are actually redundant and not helpful.
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=\
ether1-wan log=yes log-prefix=!public src-address-list=not_in_internet

and
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=ether2-lan \
log=yes log-prefix=LAN_!LAN src-address=!192.168.1.0/24


Just like your INPUT CHAIN with a drop all else rule,
at the end of the forward chain just add the last rule.
add chain=forward action=drop comment="drop all else"

The last rule does what? It says block ALL wan to lan, lan to wan and lan to lan traffic. So you no longer need those two rules above.
Clean and simple. However, do you want any of that type of traffic? The answer is probably yes.

(6) To allow traffic in the forward chain, place rules just above the last drop all rule.
You may want to allow LAN traffic access to the internet.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN

You may want to allow yourself as admin to access all vlans.
add chain=forward action=accept src-address=IPofadmindesktop out-interface-list=LAN

You may wish to allow vlans access to a shared printer on the trusted subnet.
add chain=forward action=accept in-interface-list=LAN dst-address=IPofSharedPrinter

If one has created the Vlan interface list noted above, the rules can be more precise and just delineate the vlan subnets by use of interface-list=Vlan.

anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New to MikroTik, only one issue...

Thu Sep 23, 2021 6:06 pm

What is better in terms of router access is to separate out the admin from the rest of the trusted subnet users for access to the router for config purposes.
The rule in the input chain becomes
add action=accept chain=input in-interface=ether2 src-address-list=adminaccess

where the firewall address list is (assuming static dhcp leases assigned to admin devices)
add IP of admin desktop list=adminaccess
add IP of admin laptop list=adminaccess
add IP of admin ipad list=adminaccess
add IP of admin smartphone list=adminaccess

sid5632
Long time Member
Posts: 552
Joined: Fri Feb 17, 2017 6:05 pm

Re: New to MikroTik, only one issue...

Thu Sep 23, 2021 8:20 pm

So I picked up a RB951Ui-2HnD and slapped a basic config on from some guides.
A 951Ui with Lora and an LCD? Seems unlikely.
Have you just slapped every package you can find on to it, or what?
Why don't you just start from the default configuration instead of some random guide(s), which are usually outdated and/or sub-optimal?

I keep getting 'invalid forward: in vlan10 out:plusnet' with various mac addresses. I wonder if someone can point me in the right direction.
Turn off the log=yes bit on the relevant firewall lines (all 3 of them). Or actually delete the two that shouldn't be there.

And your 'internet' interface is 'plusnet' not 'ether1-wan'.

tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: New to MikroTik, only one issue...

Thu Sep 23, 2021 8:42 pm

I keep getting 'invalid forward: in vlan10 out:plusnet' with various mac addresses. I wonder if someone can point me in the right direction.
States which connection tracking is not expecting are 'invalid'. This can either be packets being deliberately sent, but is more usually either the client or server repeating a message as it hasn't yet seen a response, so the connection tracking state machine in the MikroTik is out of sync with the client or server. Search for TCP state diagram to see what connection tracking has to follow.
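To tell the ordinary case tdw describes (a repeated or late packet for a flow the tracker no longer holds) from something worth a closer look, the TCP flags in the log line are the first thing to read: a stale ACK/FIN/RST is the retransmit/teardown pattern, while a SYN marked invalid is not. As an added example (not code from the thread or from MikroTik), the script below parses lines written by a `log=yes log-prefix=invalid` rule and tallies them by that reading and by source host. The sample lines are constructed; their layout (in:/out: interface, src-mac, proto with flags, src->dst, len) is my recollection of the RouterOS firewall log format and is an assumption to check against `/log print` on the router, since the original poster's quote writes the interface as `in vlan10` without the colon.

```python
import re
from collections import Counter

# Constructed sample log lines in the RouterOS firewall log layout as I recall
# it (assumption: verify the exact format against /log print on your router).
SAMPLE_LOG = """\
sep/22/2021 16:40:01 firewall,info invalid forward: in:vlan10 out:plusnet, src-mac 00:11:22:33:44:55, proto TCP (ACK,FIN), 192.168.10.20:51234->203.0.113.5:443, len 52
sep/22/2021 16:40:02 firewall,info invalid forward: in:vlan10 out:plusnet, src-mac 00:11:22:33:44:55, proto TCP (ACK), 192.168.10.20:51234->203.0.113.5:443, len 40
sep/22/2021 16:40:09 firewall,info invalid forward: in:vlan10 out:plusnet, src-mac 00:11:22:33:44:66, proto TCP (ACK,RST), 192.168.10.31:49802->198.51.100.9:443, len 40
sep/22/2021 16:41:15 firewall,info invalid forward: in:vlan10 out:plusnet, src-mac 00:11:22:33:44:77, proto UDP, 192.168.10.40:5060->192.0.2.77:5060, len 540
"""

LINE_RE = re.compile(
    r"invalid (?P<chain>\w+): in:(?P<in>\S+) out:(?P<out>[^,]+), "
    r"src-mac (?P<mac>[0-9A-Fa-f:]+), "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)"
)


def parse_log(text):
    """Return one dict per line that matches the firewall log layout."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entry):
    """Coarse reading of an invalid-state entry from its protocol and flags."""
    flags = set(f for f in (entry["flags"] or "").split(",") if f)
    if entry["proto"] == "TCP":
        # No SYN: a late ACK/FIN/RST for a connection the tracker has dropped,
        # i.e. the repeat/out-of-sync case described in the post.
        return "tcp-syn" if "SYN" in flags else "tcp-no-syn"
    # UDP/ICMP with no tracked flow, e.g. a reply after the entry timed out.
    return "other"


def triage(text):
    entries = parse_log(text)
    return {
        "total": len(entries),
        "by_kind": dict(Counter(classify(e) for e in entries)),
        "by_host": dict(Counter(e["src"] for e in entries)),
        "by_path": dict(Counter((e["in"], e["out"]) for e in entries)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

A log that is almost all `tcp-no-syn` spread over many hosts and ports is the noise this thread is about; a pile of entries from one host, or SYNs landing in the invalid bucket, is the part to look at before turning logging off.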
