ashpri

(yet another) Inter-vlan routing question

Tue Apr 12, 2022 10:40 am

Firstly thank you for your time. I perused this excellent post (and read each .rsc file) by pcunite but it does not seem to solve my issue viewtopic.php?f=23&t=143620.

I can't remember when it stopped working, because it used to work. I wonder if one of the recent firmware updates changed the implementation of inter-vlan routing.

Correct me if I am wrong: inter-vlan routing (a device in vlan A being able to ping/access a device in vlan B) does not require "Use IP Firewall" and "Use IP Firewall for VLAN" to be enabled, is this correct? Both are unchecked.

----

Simple setup, HAPAC2 as router/dhcp-server/firewall with several vlans (NETWORK DEVICES, CCTV, OFFICE, IT).

This inter-vlan routing is not working. It works if I enable bridge "Use IP Firewall" and "Use IP Firewall for VLAN" but as I understand it, this is not necessary. I am stumped. Would appreciate some tips.

Relevant sections of the setup:
/ip firewall address-list
add address=172.16.35.50 list="CCTV SERVER"
add address=172.16.35.40 list="CCTV SERVER"
add address=172.16.35.41 list="CCTV SERVER"
add address=172.16.35.42 list="CCTV SERVER"
add address=172.16.10.2-172.16.10.254 list="VL10 - Office"
add address=172.16.10.105 list="IP GROUP - PC IT"
add address=172.16.10.186 list="IP GROUP - PC IT"
add address=172.16.2.2-172.16.3.254 list="VL03 - Network Devices"
add address=172.16.1.2-172.16.1.254 list="No Internet Access"

/ip firewall filter

### INPUTS ###
add action=accept chain=input comment="Accept established, related" connection-state=established,related
add action=accept chain=input comment="Accept DNS Request from LAN" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Accept DNS Request from LAN" dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop Everything Else"

### FWD PART 1 ###
add action=accept chain=forward comment="Accept established, related" connection-state=established,related
add action=drop chain=forward comment="Drop specific LAN to WAN" \
    connection-state=new out-interface-list=WAN src-address-list="No Internet Access"
add action=accept chain=forward comment="LAN allowed to WAN" \
    connection-state=new in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow WAN Port Fwd" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN

### FWD PART 2 - INTER VLAN ROUTING ###
add action=accept chain=forward comment="Allow Office LAN to CCTV" \
    dst-address-list="CCTV SERVER" src-address-list="VL10 - Office"
add action=accept chain=forward comment="Allow IT access to VL03" \
    dst-address-list="VL03 - Network Devices" src-address-list="IP GROUP - PC IT"
add action=drop chain=forward comment="Drop all else"
 
ashpri

Tue Apr 12, 2022 10:50 am

If necessary, this is the complete setup:
/interface bridge
add fast-forward=no name=bridge1 vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] comment="LAN 1"
set [ find default-name=ether2 ] comment="LAN 2"
set [ find default-name=ether3 ] comment="LAN 3"
set [ find default-name=ether4 ] comment="WAN 2"
set [ find default-name=ether5 ] comment="WAN 1"

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether5 name=WAN1 password=xxx user=xxx

/interface vlan
add interface=bridge1 name=VL01 vlan-id=1
add interface=bridge1 name="VL03 - Network Devices" vlan-id=3
add interface=bridge1 name="VL05 - IT Admins" vlan-id=5
add interface=bridge1 name="VL10 - Office" vlan-id=10
add interface=bridge1 name="VL35 - CCTV" vlan-id=35

/interface list
add name=WAN
add name=LAN
add name="LAN VL03"

/ip pool
add comment="Network Dev" name="VL03 Pool" ranges=172.16.2.50-172.16.3.254
add comment="IT Admins" name="VL05 Pool" ranges=172.16.5.50-172.16.5.59
add comment=Office name="VL10 Pool" ranges=172.16.10.50-172.16.10.59
add comment=CCTV name="VL35 Pool" ranges=172.16.35.50-172.16.35.254

/ip dhcp-server
add address-pool="VL03 Pool" disabled=no interface="VL03 - Network Device" name="VL03 DHCP"
add address-pool="VL05 Pool" disabled=no interface="VL05 - IT Admins" name="VL05 DHCP"
add address-pool="VL10 Pool" interface="VL10 - Office" name="VL10 DHCP"
add address-pool="VL35 Pool" disabled=no interface=VL35 lease-time=1h name="VL35 DHCP"

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3

/interface bridge settings
set allow-fast-path=no use-ip-firewall-for-vlan=yes

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1,ether2,ether3 vlan-ids=3
add bridge=bridge1 tagged=bridge1,ether1,ether2,ether3 vlan-ids=5
add bridge=bridge1 tagged=bridge1,ether1,ether2,ether3 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1,ether2,ether3 vlan-ids=35

/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=VL01 list=LAN
add interface="VL03 - Network Device" list=LAN
add interface="VL05 - IT Admins" list=LAN
add interface="VL10 - Office" list=LAN
add interface="VL35 - CCTV" list=LAN
add interface="VL03 - Network Device" list="LAN VL03"
add interface=ether5 list=WAN
add interface=WAN1 list=WAN

/ip address
add address=172.16.1.1/24 comment="LAN VL01" interface=bridge1 network=172.16.1.0
add address=172.16.2.1/23 comment="LAN VL03" interface="VL03 - Network Device" network=172.16.2.0
add address=172.16.5.1/24 comment="LAN VL05" interface="VL05 - IT Admins" network=172.16.5.0
add address=172.16.10.1/24 comment="LAN VL10" interface="VL10 - Office" network=172.16.10.0
add address=172.16.35.1/24 comment="LAN VL35" interface=VL35 network=172.16.35.0

/ip dhcp-server network
add address=172.16.1.0/24 dns-server=172.16.1.1,1.1.1.1 gateway=172.16.1.1
add address=172.16.2.0/23 dns-server=172.16.2.1,1.1.1.1 gateway=172.16.2.1
add address=172.16.5.0/24 dns-server=172.16.5.1,1.1.1.1 gateway=172.16.5.1
add address=172.16.10.0/24 dns-server=172.16.10.1,1.1.1.1 gateway=172.16.10.1
add address=172.16.35.0/24 dns-server=172.16.35.1,1.1.1.1 gateway=172.16.35.1

/ip firewall address-list
add address=172.16.35.50 list="CCTV SERVER"
add address=172.16.35.40 list="CCTV SERVER"
add address=172.16.35.41 list="CCTV SERVER"
add address=172.16.35.42 list="CCTV SERVER"
add address=172.16.10.2-172.16.10.254 list="VL10 - Office"
add address=172.16.10.105 list="IP GROUP - PC IT"
add address=172.16.10.186 list="IP GROUP - PC IT"
add address=172.16.2.2-172.16.3.254 list="VL03 - Network Devices"
add address=172.16.1.2-172.16.1.254 list="No Internet Access"

/ip firewall filter

### INPUTS ###
add action=accept chain=input comment="Accept established, related" connection-state=established,related
add action=accept chain=input comment="Accept DNS Request from LAN" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Accept DNS Request from LAN" dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop Everything Else"

### FWD PART 1 ###
add action=accept chain=forward comment="Accept established, related" connection-state=established,related
add action=drop chain=forward comment="Drop specific LAN to WAN" \
    connection-state=new out-interface-list=WAN src-address-list="No Internet Access"
add action=accept chain=forward comment="LAN allowed to WAN" \
    connection-state=new in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow WAN Port Fwd" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN

### FWD PART 2 - INTER VLAN ROUTING ###
add action=accept chain=forward comment="Allow Office LAN to CCTV" \
    dst-address-list="CCTV SERVER" src-address-list="VL10 - Office"
add action=accept chain=forward comment="Allow IT access to VL03" \
    dst-address-list="VL03 - Network Devices" src-address-list="IP GROUP - PC IT"
add action=drop chain=forward comment="Drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade out-interface-list=WAN


I am detecting an unusual behavior:
I can't seem to disable "Use IP Firewall for VLAN".
I checked "use ip firewall" then unchecked both. As soon as I click OK, the "use ip firewall for vlan" checks itself. Is this normal?
 
rextended

Tue Apr 12, 2022 10:51 am

It is useless to uncheck the 2nd (and the 3rd) if the first is not active...


Your "export" is just a fragment and is missing other pieces, for example /ip settings, /ip route, and so on...
For example, you disable fast-forward, fast-path, and probably ip-forward.
 
ashpri

Tue Apr 12, 2022 11:27 am

### IP SETTINGS: I've left this at default, should I change anything?
              ip-forward: yes
          send-redirects: yes
     accept-source-route: no
        accept-redirects: no
        secure-redirects: yes
               rp-filter: no
          tcp-syncookies: no
    max-neighbor-entries: 8192
             arp-timeout: 30s
         icmp-rate-limit: 10
          icmp-rate-mask: 0x1818
             route-cache: yes
         allow-fast-path: yes
   ipv4-fast-path-active: no
  ipv4-fast-path-packets: 0
    ipv4-fast-path-bytes: 0
   ipv4-fasttrack-active: no
  ipv4-fasttrack-packets: 0
    ipv4-fasttrack-bytes: 0

### IP ROUTES:
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 1 ADS  0.0.0.0/0                          WAN1                      1
 2 ADC  172.16.1.0/24      172.16.1.1      bridge1                   0
 3 ADC  172.16.2.0/23      172.16.2.1      VL03 - Network ...        0
 4 ADC  172.16.5.0/24      172.16.5.1      VL05 - IT Admins          0
 5 ADC  172.16.10.0/24     172.16.10.1     VL10 - Office             0
 6 ADC  172.16.35.0/24     172.16.35.1     VL35                      0
 7 ADC  xxx.xxx.xx.xxx/32  xxx.xxx.xxx.x   WAN1                      0
 
ashpri

Wed Apr 13, 2022 6:05 am

No suggestions?

Essentially I cannot get inter-vlan routing to work unless I enable "use ip firewall" and "use ip firewall for vlan". Since this is not recommended, I have left them disabled (and inter-vlan routing does not work). I cannot spot the error in my setup.
 
Sob

Wed Apr 13, 2022 7:13 am

Nice brain teaser. Aside from useless VL01 interface, I don't see anything clearly wrong. You have bridge with ether1-3, and on all ports you have untagged vlan 1, tagged vlans 3, 5, 10, 35, with I assume some managed switches connected and access ports configured on them. Everything should be using this router as gateway. It does if it gets address from dhcp here, or if anything uses static config, it should be the same. Then it's completely standard config, any traffic between vlans goes in forward chain, and is allowed if it matches one of the two rules in your FWD PART 2. Is there perhaps anything you left out from posted config?
 
ashpri

Wed Apr 13, 2022 7:51 am

Nice brain teaser. Aside from useless VL01 interface, I don't see anything clearly wrong. You have bridge with ether1-3, and on all ports you have untagged vlan 1, tagged vlans 3, 5, 10, 35, with I assume some managed switches connected and access ports configured on them. Everything should be using this router as gateway. It does if it gets address from dhcp here, or if anything uses static config, it should be the same. Then it's completely standard config, any traffic between vlans goes in forward chain, and is allowed if it matches one of the two rules in your FWD PART 2. Is there perhaps anything you left out from posted config?

Everything is as you say. I went through every .rsc in viewtopic.php?f=23&t=143620 and I can't find anything I did differently.

Is there any other part of the setup you need to see? I can't think of anything else.

The next step is to try logging or torch, which I am not super familiar with as yet. Will post an update once I do this.
 
anav

Wed Apr 13, 2022 2:47 pm

(1) Get rid of vlan1 and use vlan101 for the ID instead, and don't attach it to the bridge later on in address arggggg
(2) You have five vlans and four pools, Fix that (same for dhcp-server)
(3) So you have three etherports all trunk ports, you can add ingress filtering and frame-types admit only vlan tagged for better security on the interface bridge ports settings
(4) Get rid of this line
/interface bridge settings
set allow-fast-path=no use-ip-firewall-for-vlan=yes

(5) This can be shortened TO
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1,ether2,ether3 vlan-ids=3,5,10,35,101

(6) /ip address
add address=172.16.1.1/24 comment="LAN VL01" interface=bridge1 network=172.16.1.0
TO
add address=172.16.1.1/24 comment="LAN VL01" interface=VL01 network=172.16.1.0

(7) CONVOLUTED, can be shortened, and your last WAN member is wrong, should be ether4
/interface list member
add interface=VL01 list=LAN
add interface="VL03 - Network Device" list=LAN
add interface="VL05 - IT Admins" list=LAN
add interface="VL10 - Office" list=LAN
add interface="VL35 - CCTV" list=LAN
add interface="VL03 - Network Device" list="LAN VL03" ??????????????????
add interface=ether5 list=WAN
add interface=WAN1 list=WAN
TO
add interface=ether4 list=WAN

???? WHAT IS THE PURPOSE OF ASSIGNING A SINGLE INTERFACE as a LIST........... the only reason to do that is if it is the trusted network. Do you have one???
Yes
So you should have
/interface list
add name=Trusted

/interface list members
add VL05 list=Trusted

(8) I also don't see the point of creating a firewall address list for a subnet by itself. Practically speaking, firewall address lists make sense when one needs to describe a number of single IPs, a small range, or a combination of IPs and subnets........... but not single subnets........ ALSO you make firewall address list names the same as the interface names, which points to poor nomenclature and, more to the point, is silly duplication.

/ip firewall address-list
add address=172.16.35.50 list="CCTV SERVER"
add address=172.16.35.40 list="CCTV SERVER"
add address=172.16.35.41 list="CCTV SERVER"
add address=172.16.35.42 list="CCTV SERVER"

add address=172.16.10.2-172.16.10.254 list="VL10 - Office" ????????
add address=172.16.10.105 list="IP GROUP - PC IT"
add address=172.16.10.186 list="IP GROUP - PC IT"

add address=172.16.2.2-172.16.3.254 list="VL03 - Network Devices" ?????
add address=172.16.1.2-172.16.1.254 list="No Internet Access"
??????

(9) Input rules: why did you omit these defaults??
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="allow ICMP" protocol=icmp

(10) input rules: WHERE is admin access to the router for config purposes.......
add chain=input action=accept in-interface=VL05 dst-port=winboxport protocol=tcp

(11) FORWARD CHAIN RULES FIXED (why no fasttrack........ I don't see mangling or anything that would preclude its use??)

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="Accept established, related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Prevent VLAN101 internet access" in-interface=VL01 out-interface-list=WAN
add action=accept chain=forward comment="LAN allowed to WAN" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat

add action=accept chain=forward comment="Allow Office LAN to CCTV" in-interface="VL10 - Office" out-interface="VL35 - CCTV"
add action=accept chain=forward comment="Allow some IT access to Devices" in-interface="VL05 - IT Admins" src-address-list="IP GROUP - PC IT" out-interface="VL03 - Network Devices"
add action=drop chain=forward comment="Drop all else"

(12) Ip neighbors discovery................. interface-list=Trusted
(13) IP tools mac server WINMAC SERVER interface-list=Trusted
 
Sob

Wed Apr 13, 2022 11:36 pm

Is there any other part of the setup you need to see? I can't think of anything else.
Ideally everything (except maybe some long list of static dhcp leases). Right now I don't have an idea what could cause this behaviour. But there must be something.
 
ashpri

Thu Apr 21, 2022 1:09 pm

Huge thanks to anav for helping me to clean up my settings. I had questions regarding the duplication of address lists, and other questions, which you have answered.

I have identified the reason why vlan routing does not work.

I have a mangle rule to test routing internet traffic from Office VLAN to WAN2:
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=\
out-biznet passthrough=no src-address-list="VL10 - Office"
/ip route
add check-gateway=ping comment=BIZNET distance=30 gateway=192.168.18.1 \
routing-mark=out-biznet

With this mangle rule, PCs in the office VLAN are not able to ping the router or other vlans (despite the internet working). The setup file I uploaded in this thread was from just before I added WAN2 and this mangle rule, MY BAD!

When I tried adding out-interface-list=WAN2 to the mangle rule, I get the error "Outgoing interface matching not possible in input and prerouting chains".
 
Sob

Re: (yet another) Inter-vlan routing question  [SOLVED]

Thu Apr 21, 2022 2:33 pm

This makes sense. If you tell the router to route everything elsewhere, then it does exactly that. If you want to do this and still have local routing working, you could either make exceptions using mangle rules, or use something simpler:
/ip route rule
add action=lookup-only-in-table dst-address=<subnet> table=main
And add it for all local subnets that should be looked up only in main routing table.
 
ashpri

Fri Apr 22, 2022 11:52 am

And add it for all local subnets that should be looked up only in main routing table.

I will try this thank you.

I don't have a good handle on mangle rules yet. If I changed the mangle chain (to route VL10-Office to WAN2) from prerouting to forward and added in-interface = VL10 and out-interface=WAN2, would that not work?
 
ashpri

Fri Apr 22, 2022 2:17 pm

And add it for all local subnets that should be looked up only in main routing table.

Are these the correct routing rules to allow inter-vlan routing to work with the mangle rule (to route the office vlan out wan2) active?

Flags: X - disabled, I - inactive
0 src-address=172.16.0.0/12 dst-address=172.16.0.0/12 action=lookup table=main
1 src-address=192.168.0.0/16 dst-address=172.16.0.0/12 action=lookup table=main
 
Sob

Fri Apr 22, 2022 2:49 pm

Dst-address alone should be enough.
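The two fixes Sob describes (an exception in the mangle rule, or a route rule that forces local destinations into main), written out against the subnets and names in ashpri's export, as an added example that is not from any poster in this thread; the address-list name LOCAL_NETS is assumed, while out-biznet, 192.168.18.1 and the 172.16.x subnets come from the posts above.

```routeros
# Added example, not from the thread. Goal: Office (VL10) internet traffic is
# policy-routed to WAN2, while Office-to-router and Office-to-other-VLAN traffic
# keeps using the main table (connected routes). Use Option A or Option B.

# Option A: never mark traffic whose destination is a local subnet.
/ip firewall address-list
add address=172.16.1.0/24 comment="VL01" list=LOCAL_NETS
add address=172.16.2.0/23 comment="VL03" list=LOCAL_NETS
add address=172.16.5.0/24 comment="VL05" list=LOCAL_NETS
add address=172.16.10.0/24 comment="VL10" list=LOCAL_NETS
add address=172.16.35.0/24 comment="VL35" list=LOCAL_NETS

/ip firewall mangle
# "!" negates the list match: only packets leaving the local networks get the
# out-biznet mark, so inter-VLAN and router-bound packets stay unmarked.
add action=mark-routing chain=prerouting comment="Office internet via WAN2" \
    src-address-list="VL10 - Office" dst-address-list=!LOCAL_NETS \
    new-routing-mark=out-biznet passthrough=no

# Option B (Sob's suggestion): keep the original unconditional mangle rule and
# let a route rule override the mark for local destinations. Route rules are
# consulted before the routing-mark table, so a marked packet for 172.16.x.x is
# still resolved in main and never hits the 0.0.0.0/0 route in out-biznet.
/ip route rule
add action=lookup-only-in-table dst-address=172.16.0.0/12 table=main

# The WAN2 route itself stays as posted by ashpri (distance and check-gateway
# are theirs). On RouterOS v7 the table must also be declared first with
# "/routing table add name=out-biznet fib"; v6 creates it implicitly.
/ip route
add check-gateway=ping comment=BIZNET distance=30 gateway=192.168.18.1 \
    routing-mark=out-biznet
```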
