ostryck
just joined
Topic Author
Posts: 5
Joined: Tue Feb 21, 2023 4:07 pm

poor intervlan on rb5009, lots of invalid connections dropped

Sun Feb 25, 2024 1:36 am

Hey,
I'm having problems with configuring the VLANs on an RB5009 (fw 7.13.5). The issue is that with the config below the speed is only ~300Mbps between one of the VLANs in the trunk and port 8.
From my investigation it looks like once I allow the invalid connection state in the forward chain the speed is back to ~1Gbps wire speed. I know I must be doing something wrong; any help appreciated.
# 2024-02-24 10:02:32 by RouterOS 7.13.5
# software id = VTG3-U53X
#
# model = RB5009UG+S+

#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="Router Lesny"

#######################################
# VLAN Overview
#######################################

# 10 = STAFF_VLAN
# 20 = VIDEO_VLAN
# 30 = CR_VLAN
# 40 = GUESTS_1_VLAN
# 50 = GUESTS_2_VLAN
# 60 = DEV_SANDBOX_VLAN
# 210 = CC_VLAN
# 99 = MGMT VLAN

#######################################
# Bridge
#######################################
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no

#######################################
# Wireguard
#######################################
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1 private-key=\
    "blah blah"

/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 public-key=\
    "blah blah"
add allowed-address=192.168.100.3/32 interface=wireguard1 public-key=\
    "blah blah"

/ip address add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0


#######################################
#
# Ports
#
#######################################

# ingress behavior
/interface bridge port
# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
add bridge=BR1 interface=ether5
add bridge=BR1 interface=ether6
add bridge=BR1 interface=ether7
# MGMT_VLAN, set aside a port for admin access to Winbox the device.
add bridge=BR1 interface=ether8 pvid=99

# egress behavior
/interface bridge vlan
# Purple Trunk. These need IP Services (L3), so add Bridge as member
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\
    10
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\
    20
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\
    30
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\
    40
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\
    50
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\
    80
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\
    210

add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 untagged=\
    ether8 vlan-ids=99

#######################################
# IP Addressing & Routing
#######################################
/ip dhcp-client
add interface=ether1

#######################################
# IP Services
#######################################

# MGMT_VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=MGMT_VLAN vlan-id=99
/ip address add address=172.20.0.1/16 interface=MGMT_VLAN network=172.20.0.0
/ip pool add name=MGMT_POOL ranges=172.20.128.1-172.20.255.254
/ip dhcp-server add address-pool=MGMT_POOL interface=MGMT_VLAN name=MGMT_DHCP disabled=no
/ip dhcp-server network add address=172.20.0.0/16 dns-server=172.20.0.1 gateway=172.20.0.1

# STAFF_VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=STAFF_VLAN vlan-id=10
/ip address add address=172.21.0.1/16 interface=STAFF_VLAN network=172.21.0.0
/ip pool add name=STAFF_POOL ranges=172.21.128.1-172.21.255.254
/ip dhcp-server add address-pool=STAFF_POOL interface=STAFF_VLAN name=STAFF_DHCP disabled=no
/ip dhcp-server network add address=172.21.0.0/16 dns-server=172.21.0.1 gateway=172.21.0.1

# VIDEO_VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=VIDEO_VLAN vlan-id=20
/ip address add address=172.22.0.1/16 interface=VIDEO_VLAN network=172.22.0.0
/ip pool add name=VIDEO_POOL ranges=172.22.128.1-172.22.255.254
/ip dhcp-server option add code=43 name=infomir value="0x1635687474703a2f2f6d6964646c6577617265312e6c\
    65736e792f7374616c6b65725f706f7274616c2f632f696e6465782e68746d6c00"
/ip dhcp-server add address-pool=VIDEO_POOL interface=VIDEO_VLAN name=VIDEO_DHCP disabled=no
/ip dhcp-server network add address=172.22.0.0/16 dhcp-option=infomir dns-server=172.22.0.1 gateway=172.22.0.1 ntp-server=172.22.0.1

# CR_VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=CR_VLAN vlan-id=30
/ip address add address=172.23.0.1/16 interface=CR_VLAN network=172.23.0.0
/ip pool add name=CR_POOL ranges=172.23.128.1-172.23.255.254
/ip dhcp-server add address-pool=CR_POOL interface=CR_VLAN name=CR_DHCP disabled=no
/ip dhcp-server network add address=172.23.0.0/16 dns-server=172.23.0.1 gateway=172.23.0.1

# GUESTS_1_VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=GUESTS_1_VLAN vlan-id=40
/ip address add address=172.24.0.1/16 interface=GUESTS_1_VLAN network=172.24.0.0
/ip pool add name=GUESTS_1_POOL ranges=172.24.128.1-172.24.255.254
/ip dhcp-server add address-pool=GUESTS_1_POOL interface=GUESTS_1_VLAN name=GUESTS_1_DHCP disabled=no
/ip dhcp-server network add address=172.24.0.0/16 dns-server=172.24.0.1 gateway=172.24.0.1

# GUESTS_2_VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=GUESTS_2_VLAN vlan-id=50
/ip address add address=172.25.0.1/16 interface=GUESTS_2_VLAN network=172.25.0.0
/ip pool add name=GUESTS_2_POOL ranges=172.25.128.1-172.25.255.254
/ip dhcp-server add address-pool=GUESTS_2_POOL interface=GUESTS_2_VLAN name=GUESTS_2_DHCP disabled=no
/ip dhcp-server network add address=172.25.0.0/16 dns-server=172.25.0.1 gateway=172.25.0.1

# DEV_SANDBOX_VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=DEV_SANDBOX_VLAN vlan-id=60
/ip address add address=172.26.0.1/16 interface=DEV_SANDBOX_VLAN network=172.26.0.0
/ip pool add name=DEV_SANDBOX_POOL ranges=172.26.128.1-172.26.255.254
/ip dhcp-server add address-pool=DEV_SANDBOX_POOL interface=DEV_SANDBOX_VLAN name=DEV_SANDBOX_DHCP disabled=no
/ip dhcp-server network add address=172.26.0.0/16 dns-server=172.26.0.1 gateway=172.26.0.1

# CC_VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=CC_VLAN vlan-id=210
/ip address add address=192.168.1.1/24 interface=CC_VLAN network=192.168.1.0 disabled=yes

##################
# DHCP static
##################
/ip dhcp-server lease
add address=172.20.2.32 client-id=1:e4:5f:1:c4:3e:64 mac-address=\
    E4:5F:01:C4:3E:64 server=MGMT_DHCP
add address=172.22.2.32 client-id=1:e4:5f:1:c4:3e:64 mac-address=\
    E4:5F:01:C4:3E:64 server=VIDEO_DHCP
add address=172.20.2.10 client-id=1:b8:27:eb:dd:f7:86 mac-address=\
    B8:27:EB:DD:F7:86 server=MGMT_DHCP
add address=172.22.2.10 client-id=1:b8:27:eb:dd:f7:86 mac-address=\
    B8:27:EB:DD:F7:86 server=VIDEO_DHCP
add address=172.20.0.55 client-id=1:e0:46:ee:10:a9:ca mac-address=\
    E0:46:EE:10:A9:CA server=MGMT_DHCP
add address=172.23.3.101 mac-address=44:07:0B:E9:F4:9B server=\
    CR_DHCP
add address=172.24.2.10 client-id=1:b8:27:eb:dd:f7:86 mac-address=\
    B8:27:EB:DD:F7:86 server=GUESTS_1_DHCP
add address=172.23.2.10 client-id=1:b8:27:eb:dd:f7:86 mac-address=\
    B8:27:EB:DD:F7:86 server=CR_DHCP
add address=172.23.3.99 client-id=1:d4:ab:cd:b7:33:e7 mac-address=\
    D4:AB:CD:B7:33:E7 server=CR_DHCP
add address=172.20.2.11 client-id=1:d8:3a:dd:ba:29:68 mac-address=\
    D8:3A:DD:BA:29:68 server=MGMT_DHCP
add address=172.22.2.11 client-id=1:d8:3a:dd:ba:29:68 mac-address=\
    D8:3A:DD:BA:29:68 server=VIDEO_DHCP
add address=172.23.2.11 client-id=1:d8:3a:dd:ba:29:68 mac-address=\
    D8:3A:DD:BA:29:68 server=CR_DHCP
add address=172.24.2.11 client-id=1:d8:3a:dd:ba:29:68 mac-address=\
    D8:3A:DD:BA:29:68 server=GUESTS_1_DHCP
add address=172.23.3.100 mac-address=44:09:B8:13:7B:E6 server=\
    CR_DHCP
add address=172.20.1.60 client-id=1:f0:a7:31:d5:62:b4 mac-address=\
    F0:A7:31:D5:62:B4 server=MGMT_DHCP
add address=172.20.1.20 client-id=1:5c:e9:31:81:c0:61 mac-address=\
    5C:E9:31:81:C0:61 server=MGMT_DHCP
add address=172.20.1.101 client-id=1:5c:e9:31:fb:83:5c mac-address=\
    5C:E9:31:FB:83:5C server=MGMT_DHCP

##################
# DNS
##################
/ip dns
set allow-remote-requests=yes servers=8.8.8.8

#######################################
# Firewalling & NAT
#######################################
/interface list
add name=WAN
add name=VLAN
add name=MGMT
add include=WAN name=STAFF_ACCESS
add include=WAN name=DEV_SANDBOX_ACCESS
add include=WAN name=GUESTS_1_ACCESS
add include=WAN name=GUESTS_2_ACCESS
add include=WAN name=VIDEO_ACCESS
add name=CC_ACCESS
add include=WAN name=CR_ACCESS

/interface list member
add interface=ether1 list=WAN
add interface=MGMT_VLAN list=VLAN
add interface=STAFF_VLAN list=VLAN
add interface=VIDEO_VLAN list=VLAN
add interface=CR_VLAN list=VLAN
add interface=GUESTS_1_VLAN list=VLAN
add interface=GUESTS_2_VLAN list=VLAN
add interface=DEV_SANDBOX_VLAN list=VLAN
add interface=CC_VLAN list=VLAN
add interface=MGMT_VLAN list=MGMT
add interface=wireguard1 list=MGMT
add interface=DEV_SANDBOX_VLAN list=STAFF_ACCESS
add interface=CC_VLAN list=STAFF_ACCESS
add disabled=yes interface=MGMT_VLAN list=VIDEO_ACCESS

/ip firewall filter

##################
# INPUT CHAIN
##################
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    192.168.100.0/24
add action=accept chain=input comment="Allow VLAN icmp" in-interface-list=\
    VLAN protocol=icmp
add action=accept chain=input comment="Allow VLAN NTP" dst-port=123 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=MGMT_VLAN
add action=drop chain=input comment=Drop

##################
# FORWARD CHAIN
##################
add action=fasttrack-connection chain=forward comment="Allow Estab & Related fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="MGMT-ALL routing" connection-state=\
    new in-interface-list=MGMT
add action=accept chain=forward comment="CC routing" connection-state=new \
    in-interface=CC_VLAN out-interface-list=CC_ACCESS
add action=accept chain=forward comment="CR routing" \
    connection-state=new in-interface=CR_VLAN out-interface-list=\
    CR_ACCESS
add action=accept chain=forward comment="GUESTS_1 routing" connection-state=\
    new in-interface=GUESTS_1_VLAN out-interface-list=GUESTS_1_ACCESS
add action=accept chain=forward comment="GUESTS_2 routing" connection-state=\
    new in-interface=GUESTS_2_VLAN out-interface-list=GUESTS_2_ACCESS
add action=accept chain=forward comment="STAFF routing" connection-state=new \
    in-interface=STAFF_VLAN out-interface-list=STAFF_ACCESS
add action=accept chain=forward comment="VIDEO routing" connection-state=new \
    in-interface=VIDEO_VLAN out-interface-list=VIDEO_ACCESS
add action=accept chain=forward comment="DEV_SANDBOX routing" \
    connection-state=new in-interface=DEV_SANDBOX_VLAN out-interface-list=\
    DEV_SANDBOX_ACCESS
add action=drop chain=forward comment="Drop forward"

##################
# NAT
##################
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN


#######################################
# VLAN Security
#######################################
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether6]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether7]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether8]

#######################################
# Services settings
#######################################
/ip service
set telnet disabled=yes
set ftp disabled=yes
/system note
set show-at-login=no


#######################################
# clock and NTP Server settings
#######################################
/system clock
set time-zone-name=Europe/Warsaw
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=pool.ntp.org

#######################################
# MAC Server settings
#######################################
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes
Last edited by ostryck on Mon Feb 26, 2024 7:41 am, edited 2 times in total.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: poor intervlan on rb5009, lots of invalid connections dropped

Sun Feb 25, 2024 2:44 pm

1. Main issue: you didn't turn on VLAN filtering yet.

/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no

2. I gather all your bridge ports save ether8 are trunk ports going to smart devices, and thus I would make some minor modifications.

/interface bridge port
add bridge=BR1 interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether4 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether5 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether6 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether7 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=BR1 interface=ether8 pvid=99 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged


Personally I would do something slightly different. I would ensure that the vlan99 that you send down every port save 8 gets to where my PC is located (with a small smart switch at my desk; it could be a cheap hEX or a 5-port Netgear, TP-Link etc.), and run vlan99 untagged on the switch as well as any other VLAN I regularly tapped into or wanted access to etc. In that way you can always reach the router from the management VLAN at your desk.

At port 8 I would add another address to the router, 192.168.55.1/24, and assign it to ether8, AFTER removing ether8 from the bridge.
I would add ether8 to the management list etc. In this way you have off-bridge emergency access at the router when something happens to the bridge and VLAN configuration. Hiccups while working on the router do happen from time to time, and knowing (peace of mind) that you have an alternate way of accessing and configuring the router, separate from the VLANs and bridge, is well worth it.

(3) A tad more efficient on /interface bridge vlan, as you only need two entries.
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=10,20,30,40,50,80,210
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 untagged=ether8 vlan-ids=99


(4) Don't understand your list creation entries after the dotted line ???

/interface list
add name=WAN
add name=VLAN
add name=MGMT
add name=CC_ACCESS
............................................................................
add include=WAN name=STAFF_ACCESS
add include=WAN name=DEV_SANDBOX_ACCESS
add include=WAN name=GUESTS_1_ACCESS
add include=WAN name=GUESTS_2_ACCESS
add include=WAN name=VIDEO_ACCESS
add include=WAN name=CR_ACCESS


What I don't understand is the purpose of including WAN in the rest of the names??
Perhaps when I get to firewall rules it will make sense.

(5) Okay, so all VLANs are part of list VLAN (instead of using the LAN name).
HERE IS the weird part: you created names above you don't use ???????????????

I see you have ONE only STAFF ACCESS!! but then the list above should simply be...........
add name=STAFF_ACCESS

(6) add action=accept chain=input comment="Allow VLAN icmp" in-interface-list=\
    VLAN protocol=icmp

Not clear why you limit ICMP to just the VLANs; there is no harm in leaving this as is, per the default rule?? Usually better in most cases and also helps in troubleshooting issues. Like with WireGuard.
I would remove the bits in orange.

(7) add action=accept chain=input comment="Allow VLAN NTP" dst-port=123 \
in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS & NTP" dst-port=53,123 \
in-interface-list=VLAN protocol=udp


By one addition in the second rule you can remove the first rule.........

(8) I do not understand why you have this port 67 rule.
Are you sure you need to have this here, usually not required 99% of the time.

add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 \
in-interface-list=VLAN protocol=udp


(9) Forward chain rules. One does NOT need to state connection-state=new, it's redundant.

I don't particularly like open-ended rules, as sometimes the consequences are not fully understood.
add action=accept chain=forward comment="MGMT-ALL routing" in-interface-list=MGMT out-interface-list=VLAN

ON this rule, by adding the in-interface-list=VLAN, mgmt has access to all VLANs. Isn't that what you desired??

(10) Then you have weird rules such as the below. What the heck??
add action=accept chain=forward comment="DEV_SANDBOX routing" \
connection-state=new in-interface=DEV_SANDBOX_VLAN out-interface-list=\
DEV_SANDBOX_ACCESS


Ahh, I get it now, you wanted to create individual interface lists for each VLAN to access the WAN......... This is a silly, twisted and confusing way of doing something that can be accomplished in a much simpler fashion.

EITHER you want all vlans to reach the internet and do this.......
add action=accept chain=forward comment="internet access" in-interface-list=VLAN out-interface-list=WAN

OR you want most of the vlans to have internet and some not. SO create a CLEARER interface list name called INTERNET
then assign vlans accordingly in interface list members.
/interface list add name=INTERNET
/interface list member add interface=STAFF_VLAN list=INTERNET
/interface list member add interface=VIDEO_VLAN list=INTERNET
etc.

So the rule would be
add action=accept chain=forward comment="internet access" in-interface-list=INTERNET out-interface-list=WAN
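The interface lists and forward rules in the opening post, and the points Mesquite raises about them above (the open-ended MGMT rule, the per-VLAN `*_ACCESS` lists that mostly just wrap WAN, the empty CC_ACCESS list), can be checked mechanically rather than by eye. The following is an added example in Python, not RouterOS code and not from either poster: it flattens the `/interface list` definitions (following `include=`), then evaluates the forward chain with first-match semantics for every source/destination interface pair and prints the reachability matrix the rules actually grant to new connections. Lists and rules are transcribed from the posted config; the disabled VIDEO_ACCESS member is omitted, the established/related/fasttrack rules are left out because they never match a new connection, and address/port matchers are not modelled.

```python
"""Reachability audit for a RouterOS-style forward chain.

Added example, not RouterOS code and not the poster's script. It models two
things RouterOS does when a *new* connection hits chain=forward:
  * /interface list `include=` nests one list inside another;
  * rules run top to bottom, first match wins, and an accept rule with no
    out-interface match lets its sources reach every destination interface.
Lists and rules are transcribed from the config posted above.
"""

# /interface list (+ members): name -> (member interfaces, included lists).
# The disabled VIDEO_ACCESS member (MGMT_VLAN, disabled=yes) is left out.
LISTS = {
    "WAN": (["ether1"], []),
    "VLAN": (["MGMT_VLAN", "STAFF_VLAN", "VIDEO_VLAN", "CR_VLAN", "GUESTS_1_VLAN",
              "GUESTS_2_VLAN", "DEV_SANDBOX_VLAN", "CC_VLAN"], []),
    "MGMT": (["MGMT_VLAN", "wireguard1"], []),
    "STAFF_ACCESS": (["DEV_SANDBOX_VLAN", "CC_VLAN"], ["WAN"]),
    "DEV_SANDBOX_ACCESS": ([], ["WAN"]),
    "GUESTS_1_ACCESS": ([], ["WAN"]),
    "GUESTS_2_ACCESS": ([], ["WAN"]),
    "VIDEO_ACCESS": ([], ["WAN"]),
    "CC_ACCESS": ([], []),   # empty list: matches no interface at all
    "CR_ACCESS": ([], ["WAN"]),
}

# chain=forward rules that can match connection-state=new, in posted order.
# Keys in_if / in_list / out_list restrict the match; a missing key means "any".
FORWARD_RULES = [
    {"comment": "MGMT-ALL routing", "in_list": "MGMT", "action": "accept"},
    {"comment": "CC routing", "in_if": "CC_VLAN", "out_list": "CC_ACCESS", "action": "accept"},
    {"comment": "CR routing", "in_if": "CR_VLAN", "out_list": "CR_ACCESS", "action": "accept"},
    {"comment": "GUESTS_1 routing", "in_if": "GUESTS_1_VLAN", "out_list": "GUESTS_1_ACCESS", "action": "accept"},
    {"comment": "GUESTS_2 routing", "in_if": "GUESTS_2_VLAN", "out_list": "GUESTS_2_ACCESS", "action": "accept"},
    {"comment": "STAFF routing", "in_if": "STAFF_VLAN", "out_list": "STAFF_ACCESS", "action": "accept"},
    {"comment": "VIDEO routing", "in_if": "VIDEO_VLAN", "out_list": "VIDEO_ACCESS", "action": "accept"},
    {"comment": "DEV_SANDBOX routing", "in_if": "DEV_SANDBOX_VLAN", "out_list": "DEV_SANDBOX_ACCESS", "action": "accept"},
    {"comment": "Drop forward", "action": "drop"},
]


def resolve(name, lists=LISTS, _seen=None):
    """Flatten an interface list, following include= recursively (cycle-safe)."""
    if _seen is None:
        _seen = set()
    if name in _seen:
        return frozenset()
    _seen.add(name)
    members, includes = lists[name]
    out = set(members)
    for inc in includes:
        out |= resolve(inc, lists, _seen)
    return frozenset(out)


def decide(in_if, out_if, rules=FORWARD_RULES, lists=LISTS):
    """First-match evaluation of the forward chain for one new connection."""
    for r in rules:
        if "in_if" in r and r["in_if"] != in_if:
            continue
        if "in_list" in r and in_if not in resolve(r["in_list"], lists):
            continue
        if "out_list" in r and out_if not in resolve(r["out_list"], lists):
            continue
        return r["action"]
    return "accept"  # RouterOS default when no filter rule matches


def reachability(rules=FORWARD_RULES, lists=LISTS):
    """For every L3 interface, the other interfaces it may open connections to."""
    ifaces = sorted(set().union(*(resolve(n, lists) for n in lists)))
    return {src: sorted(dst for dst in ifaces
                        if dst != src and decide(src, dst, rules, lists) == "accept")
            for src in ifaces}


def open_ended_rules(rules=FORWARD_RULES):
    """Accept rules with no out-interface constraint: a source gets every destination."""
    return [r["comment"] for r in rules
            if r["action"] == "accept" and "out_list" not in r and "out_if" not in r]


if __name__ == "__main__":
    for src, dsts in reachability().items():
        print(f"{src:18} -> {', '.join(dsts) or '(nothing)'}")
    print("open-ended accept rules:", open_ended_rules())
```

Run as-is it shows what the posted rules really grant: MGMT_VLAN and wireguard1 reach every interface including ether1 (the MGMT-ALL rule has no out-interface match), CC_VLAN can start nothing because CC_ACCESS is empty, ether1 can start nothing, and every other VLAN reaches only ether1, except STAFF_VLAN, which also reaches DEV_SANDBOX_VLAN and CC_VLAN. Editing LISTS or FORWARD_RULES and re-running is a cheap way to see the effect of a list change (for instance collapsing the `*_ACCESS` lists into one INTERNET list) before touching the router.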
 
ostryck
just joined
Topic Author
Posts: 5
Joined: Tue Feb 21, 2023 4:07 pm

Re: poor intervlan on rb5009, lots of invalid connections dropped

Sun Feb 25, 2024 3:22 pm

Thanks for the analysis! Regarding the first point, unfortunately it is enabled, see the last rule. It’s the modified script from the vlan topic. I’ll try to adjust to the suggestions with the minimal config and see how it goes.
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: poor intervlan on rb5009, lots of invalid connections dropped

Sun Feb 25, 2024 5:00 pm

There should be another rule for posters: post actual config, not the script which is supposed to add wanted functionality.

Because it's everybody's guess how device is configured prior to application of published script. But that does matter. A lot.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: poor intervlan on rb5009, lots of invalid connections dropped

Sun Feb 25, 2024 6:21 pm

hahahah, you make me laugh, there should be a first-post process period, ONE solution for all the itty bitty ideas you guys come up with on so many posts, please do this, please do that, you should do this, you should do that....... There is a way. No one supported me. ;-P
 
ostryck
just joined
Topic Author
Posts: 5
Joined: Tue Feb 21, 2023 4:07 pm

Re: poor intervlan on rb5009, lots of invalid connections dropped

Sun Feb 25, 2024 10:07 pm

Unfortunately the minimal firewall rules, allowing pretty much everything besides invalid, don't work; still ~300Mbps. Here is the exported full config, sorry for posting the script before. Once I disable the forward chain drop for invalid the speed is back at wire speed. The same happens when I'm using the inter-VLAN routing with a switch plugged into trunk port 2.
# 2024-02-25 20:51:22 by RouterOS 7.13.5
# software id = VTG3-U53X
#
# model = RB5009UG+S+
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=CC_VLAN vlan-id=210
add interface=BR1 name=CR_VLAN vlan-id=30
add interface=BR1 name=DEV_SANDBOX_VLAN vlan-id=60
add interface=BR1 name=GUESTS_1_VLAN vlan-id=40
add interface=BR1 name=GUESTS_2_VLAN vlan-id=50
add interface=BR1 name=MGMT_VLAN vlan-id=99
add interface=BR1 name=STAFF_VLAN vlan-id=10
add interface=BR1 name=VIDEO_VLAN vlan-id=20
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=43 name=infomir value="0x1635687474703a2f2f6d6964646c6577617265312e6c\
    65736e792f7374616c6b65725f706f7274616c2f632f696e6465782e68746d6c00"
/ip pool
add name=MGMT_POOL ranges=172.20.128.1-172.20.255.254
add name=STAFF_POOL ranges=172.21.128.1-172.21.255.254
add name=VIDEO_POOL ranges=172.22.128.1-172.22.255.254
add name=CR_POOL ranges=172.23.128.1-172.23.255.254
add name=GUESTS_1_POOL ranges=172.24.128.1-172.24.255.254
add name=GUESTS_2_POOL ranges=172.25.128.1-172.25.255.254
add name=DEV_SANDBOX_POOL ranges=172.26.128.1-172.26.255.254
/ip dhcp-server
add address-pool=MGMT_POOL interface=MGMT_VLAN name=MGMT_DHCP
add address-pool=STAFF_POOL interface=STAFF_VLAN name=STAFF_DHCP
add address-pool=VIDEO_POOL interface=VIDEO_VLAN name=VIDEO_DHCP
add address-pool=CR_POOL interface=CR_VLAN name=CR_DHCP
add address-pool=GUESTS_1_POOL interface=GUESTS_1_VLAN name=GUESTS_1_DHCP
add address-pool=GUESTS_2_POOL interface=GUESTS_2_VLAN name=GUESTS_2_DHCP
add address-pool=DEV_SANDBOX_POOL interface=DEV_SANDBOX_VLAN name=\
    DEV_SANDBOX_DHCP
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether2
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether3
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether4
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether5
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether6
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether7
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether8 pvid=99
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\
    10
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\
    20
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\
    30
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\
    40
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\
    50
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\
    80
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\
    210
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 untagged=\
    ether8 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
/ip address
add address=172.20.0.1/16 interface=MGMT_VLAN network=172.20.0.0
add address=172.21.0.1/16 interface=STAFF_VLAN network=172.21.0.0
add address=172.22.0.1/16 interface=VIDEO_VLAN network=172.22.0.0
add address=172.23.0.1/16 interface=CR_VLAN network=172.23.0.0
add address=172.24.0.1/16 interface=GUESTS_1_VLAN network=172.24.0.0
add address=172.25.0.1/16 interface=GUESTS_2_VLAN network=172.25.0.0
add address=172.26.0.1/16 interface=DEV_SANDBOX_VLAN network=172.26.0.0
add address=192.168.1.1/24 disabled=yes interface=CC_VLAN network=192.168.1.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=172.20.2.32 client-id=1:e4:5f:1:c4:3e:64 mac-address=\
    E4:5F:01:C4:3E:64 server=MGMT_DHCP
add address=172.22.2.32 client-id=1:e4:5f:1:c4:3e:64 mac-address=\
    E4:5F:01:C4:3E:64 server=VIDEO_DHCP
add address=172.20.2.10 client-id=1:b8:27:eb:dd:f7:86 mac-address=\
    B8:27:EB:DD:F7:86 server=MGMT_DHCP
add address=172.22.2.10 client-id=1:b8:27:eb:dd:f7:86 mac-address=\
    B8:27:EB:DD:F7:86 server=VIDEO_DHCP
add address=172.20.0.55 client-id=1:e0:46:ee:10:a9:ca mac-address=\
    E0:46:EE:10:A9:CA server=MGMT_DHCP
add address=172.24.2.10 client-id=1:b8:27:eb:dd:f7:86 mac-address=\
    B8:27:EB:DD:F7:86 server=GUESTS_1_DHCP
add address=172.23.2.10 client-id=1:b8:27:eb:dd:f7:86 mac-address=\
    B8:27:EB:DD:F7:86 server=CR_DHCP
add address=172.20.2.11 client-id=1:d8:3a:dd:ba:29:68 mac-address=\
    D8:3A:DD:BA:29:68 server=MGMT_DHCP
add address=172.22.2.11 client-id=1:d8:3a:dd:ba:29:68 mac-address=\
    D8:3A:DD:BA:29:68 server=VIDEO_DHCP
add address=172.23.2.11 client-id=1:d8:3a:dd:ba:29:68 mac-address=\
    D8:3A:DD:BA:29:68 server=CR_DHCP
add address=172.24.2.11 client-id=1:d8:3a:dd:ba:29:68 mac-address=\
    D8:3A:DD:BA:29:68 server=GUESTS_1_DHCP
add address=172.20.1.60 client-id=1:f0:a7:31:d5:62:b4 mac-address=\
    F0:A7:31:D5:62:B4 server=MGMT_DHCP
add address=172.20.1.20 client-id=1:5c:e9:31:81:c0:61 mac-address=\
    5C:E9:31:81:C0:61 server=MGMT_DHCP
add address=172.20.1.101 client-id=1:5c:e9:31:fb:83:5c mac-address=\
    5C:E9:31:FB:83:5C server=MGMT_DHCP
/ip dhcp-server network
add address=172.20.0.0/16 dns-server=172.20.0.1 gateway=172.20.0.1
add address=172.21.0.0/16 dns-server=172.21.0.1 gateway=172.21.0.1
add address=172.22.0.0/16 dhcp-option=infomir dns-server=172.22.0.1 gateway=\
    172.22.0.1 ntp-server=172.22.0.1
add address=172.23.0.0/16 dns-server=172.23.0.1 gateway=172.23.0.1
add address=172.24.0.0/16 dns-server=172.24.0.1 gateway=172.24.0.1
add address=172.25.0.0/16 dns-server=172.25.0.1 gateway=172.25.0.1
add address=172.26.0.0/16 dns-server=172.26.0.1 gateway=172.26.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name="Router Lesny"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: poor intervlan on rb5009, lots of invalid connections dropped

Sun Feb 25, 2024 10:39 pm

Can you add "log=yes" to the drop invalid rule and show a few log lines? I don't see anything utterly wrong in config ... but seeing exact logs may help to get closer to the problem.
 
ostryck
just joined
Topic Author
Posts: 5
Joined: Tue Feb 21, 2023 4:07 pm

Re: poor intervlan on rb5009, lots of invalid connections dropped

Sun Feb 25, 2024 10:50 pm

Can you add "log=yes" to the drop invalid rule and show a few log lines? I don't see anything utterly wrong in config ... but seeing exact logs may help to get closer to the problem.
Sure thing
 21:47:51 firewall,info inv_forward forward: in:MGMT_VLAN out:VIDEO_VLAN, connection-state:invalid src-mac b0:25:aa:4e:d4:f3, proto TCP (ACK), 172.20.255.249:38158->172.22.2.11:5001, len 52
 21:47:51 firewall,info inv_forward forward: in:MGMT_VLAN out:VIDEO_VLAN, connection-state:invalid src-mac b0:25:aa:4e:d4:f3, proto TCP (ACK,PSH), 172.20.255.249:38158->172.22.2.11:5001, len 112
 21:47:51 firewall,info inv_forward forward: in:MGMT_VLAN out:VIDEO_VLAN, connection-state:invalid src-mac b0:25:aa:4e:d4:f3, proto TCP (ACK), 172.20.255.249:38158->172.22.2.11:5001, len 1500
 21:47:51 firewall,info inv_forward forward: in:MGMT_VLAN out:VIDEO_VLAN, connection-state:invalid src-mac b0:25:aa:4e:d4:f3, proto TCP (ACK,PSH), 172.20.255.249:38158->172.22.2.11:5001, len 5844
 21:47:51 firewall,info inv_forward forward: in:MGMT_VLAN out:VIDEO_VLAN, connection-state:invalid src-mac b0:25:aa:4e:d4:f3, proto TCP (ACK,PSH), 172.20.255.249:38158->172.22.2.11:5001, len 5844
 21:47:51 firewall,info inv_forward forward: in:MGMT_VLAN out:VIDEO_VLAN, connection-state:invalid src-mac b0:25:aa:4e:d4:f3, proto TCP (ACK), 172.20.255.249:38158->172.22.2.11:5001, len 1500
 21:47:51 firewall,info inv_forward forward: in:MGMT_VLAN out:VIDEO_VLAN, connection-state:invalid src-mac b0:25:aa:4e:d4:f3, proto TCP (ACK,PSH), 172.20.255.249:38158->172.22.2.11:5001, len 112
 21:47:52 firewall,info inv_forward forward: in:MGMT_VLAN out:VIDEO_VLAN, connection-state:invalid src-mac b0:25:aa:4e:d4:f3, proto TCP (ACK,PSH), 172.20.255.249:38158->172.22.2.11:5001, len 112
 21:47:52 firewall,info inv_forward forward: in:MGMT_VLAN out:VIDEO_VLAN, connection-state:invalid src-mac b0:25:aa:4e:d4:f3, proto TCP (ACK), 172.20.255.249:38158->172.22.2.11:5001, len 52
 21:47:53 firewall,info inv_forward forward: in:MGMT_VLAN out:VIDEO_VLAN, connection-state:invalid src-mac b0:25:aa:4e:d4:f3, proto TCP (ACK,PSH), 172.20.255.249:38158->172.22.2.11:5001, len 112
 21:47:54 firewall,info inv_forward forward: in:MGMT_VLAN out:VIDEO_VLAN, connection-state:invalid src-mac b0:25:aa:4e:d4:f3, proto TCP (ACK), 172.20.255.249:38158->172.22.2.11:5001, len 52
 21:47:54 firewall,info inv_forward forward: in:MGMT_VLAN out:VIDEO_VLAN, connection-state:invalid src-mac b0:25:aa:4e:d4:f3, proto TCP (ACK,PSH), 172.20.255.249:38158->172.22.2.11:5001, len 112
 21:47:57 firewall,info inv_input input: in:ether1 out:(unknown 0), connection-state:invalid src-mac b8:66:85:7a:58:c0, proto TCP (RST), 162.247.243.29:443->192.168.1.81:55410, len 40
 21:47:57 firewall,info inv_input input: in:ether1 out:(unknown 0), connection-state:invalid src-mac b8:66:85:7a:58:c0, proto TCP (RST), 162.247.243.29:443->192.168.1.81:55410, len 40
 21:48:02 firewall,info inv_forward forward: in:MGMT_VLAN out:ether1, connection-state:invalid src-mac b0:25:aa:4e:d4:f3, proto TCP (ACK,FIN), 172.20.255.249:57412->159.148.147.239:443, len 52
 21:48:14 firewall,info inv_input input: in:ether1 out:(unknown 0), connection-state:invalid src-mac b8:66:85:7a:58:c0, proto TCP (RST), 162.247.243.29:443->192.168.1.81:57936, len 40
 21:48:49 firewall,info inv_input input: in:ether1 out:(unknown 0), connection-state:invalid src-mac b8:66:85:7a:58:c0, proto TCP (RST), 162.247.243.29:443->192.168.1.81:46902, len 40
FYI: I'm using iperf from 172.20.255.249 to 172.22.2.11 to test it out
EDIT: One additional observation is that when I e.g. try to connect with SSH between VLANs it's really sluggish at the beginning of the connecting stage; after this it seems to be OK.
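The log above is the thread's actual evidence, and it has a tell: every dropped packet on the 172.20.255.249:38158 -> 172.22.2.11:5001 flow is an ACK or ACK,PSH segment, and no SYN for that flow is ever logged, which is what the question mkx asks next is getting at. As an added example that is not part of the original post and not a MikroTik tool, the following Python parses RouterOS firewall log lines in exactly the format shown and sorts each flow into the reasons conntrack calls a packet invalid: a mid-stream TCP segment for a connection whose handshake this router never saw (the reverse direction bypasses the router, for instance a host answering on a different VLAN, or the conntrack entry timed out), versus a late RST from the WAN for an already-expired NAT session, which is routine. The sample lines are copied from the log above; the `ASYMMETRY_MIN_PACKETS` threshold is this example's own choice.

```python
"""Triage RouterOS "drop invalid" log lines.

Added example for the log posted above; not part of the original post and
not a MikroTik tool. It parses the firewall log format shown there and
names the reason conntrack marked each packet invalid:
  * ACK/PSH/FIN for a TCP connection whose handshake this router never saw
    means it only sees one direction of the flow (asymmetric path);
  * a lone RST from the WAN for a session conntrack already expired is noise.
SAMPLE_LOG is copied from the posted log; the threshold below is ours.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^\s*(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<prefix>\S+) (?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>.+?), connection-state:(?P<state>\S+) "
    r"src-mac (?P<mac>[0-9a-f:]+), proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)

SAMPLE_LOG = """\
 21:47:51 firewall,info inv_forward forward: in:MGMT_VLAN out:VIDEO_VLAN, connection-state:invalid src-mac b0:25:aa:4e:d4:f3, proto TCP (ACK), 172.20.255.249:38158->172.22.2.11:5001, len 52
 21:47:51 firewall,info inv_forward forward: in:MGMT_VLAN out:VIDEO_VLAN, connection-state:invalid src-mac b0:25:aa:4e:d4:f3, proto TCP (ACK,PSH), 172.20.255.249:38158->172.22.2.11:5001, len 112
 21:47:51 firewall,info inv_forward forward: in:MGMT_VLAN out:VIDEO_VLAN, connection-state:invalid src-mac b0:25:aa:4e:d4:f3, proto TCP (ACK), 172.20.255.249:38158->172.22.2.11:5001, len 1500
 21:47:51 firewall,info inv_forward forward: in:MGMT_VLAN out:VIDEO_VLAN, connection-state:invalid src-mac b0:25:aa:4e:d4:f3, proto TCP (ACK,PSH), 172.20.255.249:38158->172.22.2.11:5001, len 5844
 21:47:57 firewall,info inv_input input: in:ether1 out:(unknown 0), connection-state:invalid src-mac b8:66:85:7a:58:c0, proto TCP (RST), 162.247.243.29:443->192.168.1.81:55410, len 40
 21:47:57 firewall,info inv_input input: in:ether1 out:(unknown 0), connection-state:invalid src-mac b8:66:85:7a:58:c0, proto TCP (RST), 162.247.243.29:443->192.168.1.81:55410, len 40
 21:48:02 firewall,info inv_forward forward: in:MGMT_VLAN out:ether1, connection-state:invalid src-mac b0:25:aa:4e:d4:f3, proto TCP (ACK,FIN), 172.20.255.249:57412->159.148.147.239:443, len 52
"""

# Example's own choice: one stray segment is noise, a run of them is a pattern.
ASYMMETRY_MIN_PACKETS = 3


def parse_line(line):
    """One log line -> dict of fields, or None if it is not a firewall log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = set(rec["flags"].split(",")) if rec["flags"] else set()
    rec["len"] = int(rec["len"])
    return rec


def classify(rec):
    """Name the reason a packet can be 'invalid' from what the log line shows."""
    if rec["proto"] != "TCP":
        return "untracked-other"
    if "RST" in rec["flags"]:
        return "late-rst"             # reset for a session conntrack no longer has
    if "SYN" not in rec["flags"]:
        return "midstream-untracked"  # ACK/PSH/FIN with no handshake seen here
    return "untracked-other"


def summarize(lines):
    """Group invalid drops per (src, sport, dst, dport) with counts and kinds."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "path": None,
                                 "chain": None, "kinds": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["state"] != "invalid":
            continue
        f = flows[(rec["src"], rec["sport"], rec["dst"], rec["dport"])]
        f["packets"] += 1
        f["bytes"] += rec["len"]
        f["path"] = f"{rec['in_if']}->{rec['out_if']}"
        f["chain"] = rec["chain"]
        f["kinds"].add(classify(rec))
    return dict(flows)


def verdict(flow):
    """Turn a flow summary into the question the operator should ask next."""
    kinds = flow["kinds"]
    if kinds == {"late-rst"}:
        return "late RST for an expired session: benign, keep the drop rule"
    if "midstream-untracked" in kinds and flow["packets"] >= ASYMMETRY_MIN_PACKETS:
        return ("mid-stream TCP with no handshake seen: the reverse direction bypasses "
                "this router (host reachable on another VLAN?) or conntrack timed out")
    if "midstream-untracked" in kinds:
        return "single stray segment (e.g. FIN after conntrack timeout): usually harmless"
    return "unclassified: inspect manually"


if __name__ == "__main__":
    for (src, sport, dst, dport), flow in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{src}:{sport} -> {dst}:{dport} [{flow['chain']} {flow['path']}] "
              f"{flow['packets']} pkts / {flow['bytes']} B: {verdict(flow)}")
```

Feed it `/log print` output after adding `log=yes log-prefix=inv_forward` to the drop rule, as done above, and it separates the iperf flow (four mid-stream segments, MGMT_VLAN -> VIDEO_VLAN, no SYN) from the WAN RSTs and the lone FIN. A flow in the first bucket is the one to chase with mkx's question: find the other path by which the peer's replies reach the client without crossing this router.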
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: poor intervlan on rb5009, lots of invalid connections dropped

Sun Feb 25, 2024 11:19 pm

And you're sure there isn't another path between 172.20.255.249 and 172.22.2.11 which would allow packets to bypass your RB?
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: poor intervlan on rb5009, lots of invalid connections dropped

Mon Feb 26, 2024 12:36 am

What happened to all the firewall rules and interface lists??
 
ostryck
just joined
Topic Author
Posts: 5
Joined: Tue Feb 21, 2023 4:07 pm

Re: poor intervlan on rb5009, lots of invalid connections dropped  [SOLVED]

Mon Feb 26, 2024 7:35 am

And you're sure there isn't another path between 172.20.255.249 and 172.22.2.11 which would allow packets to bypass your RB?
You're completely right, I was checking it with a server connected to multiple VLANs 🤦‍♂️ When I disable the other virtual interfaces, everything works as expected, also with the initial config. Thanks for all the help!

@Mesquite it’s a minimal non working setup, just to show the issue! Thanks for the other suggestions, I’ll look into them more and check if those other rules are not needed.
