consultar
newbie
Topic Author
Posts: 26
Joined: Tue Aug 16, 2022 5:20 am
Location: Argentina

Allow one way traffic between VLANs

Thu Oct 13, 2022 6:08 pm

Hi everybody, I've been struggling with this matter for the last couple of weeks without any luck.

I've set up 3 VLANs (10, 20, 30), which are working properly. What I need to do is make VLAN 10 able to access all the other VLANs, but not the other way around.
I need any PC in VLAN 10 to be able to access any PC in VLAN 20 and VLAN 30 via RDP.
And all the PCs in VLAN 20 and VLAN 30 should only see and communicate with the PCs in their own VLAN.

So this is my current config:
Right now I cannot ping or RDP between VLANs; I've tried deactivating the Windows firewall on both machines but still cannot link them.
(The 2 PCs I'm doing the testing with are connected to the same Aruba manageable switch)
# oct/13/2022 12:02:47 by RouterOS 6.49.6
# software id = J13U-JGF2
#
# model = 2011UiAS
/interface bridge
add name=BridgeVLAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Claro speed=100Mbps
set [ find default-name=ether2 ] name=ether2-Fibercorp speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=BridgeVLAN name=vlan10-LAN vlan-id=10
add interface=BridgeVLAN name=vlan20-Clientes vlan-id=20
add interface=BridgeVLAN name=vlan30-Camaras vlan-id=30
/interface list
add name=WAN
add name=VLAN
add name=ADMIN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_10 ranges=10.0.10.2-10.0.10.99
add name=dhcp_20 ranges=10.0.20.2-10.0.20.254
add name=dhcp_30 ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=dhcp_10 disabled=no interface=vlan10-LAN name=dhcp1
add address-pool=dhcp_20 disabled=no interface=vlan20-Clientes name=dhcp2
add address-pool=dhcp_30 disabled=no interface=vlan30-Camaras name=dhcp4
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
add email-to=xxx@gmail.com name=email target=email
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=BridgeVLAN comment="PVE3 (Servidor Consultar)" frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=BridgeVLAN comment="Switch Pecera (unmanageable)" \
    ingress-filtering=yes interface=ether4 pvid=10
add bridge=BridgeVLAN comment="Switch Aruba (manageable)" frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=ADMIN
/interface bridge vlan
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 untagged=ether4 \
    vlan-ids=10
add bridge=BridgeVLAN tagged=BridgeVLAN,ether5 vlan-ids=20
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 vlan-ids=30
/interface list member
add interface=ether1-Claro list=WAN
add interface=ether2-Fibercorp list=WAN
add interface=vlan10-LAN list=VLAN
add interface=vlan30-Camaras list=VLAN
add interface=vlan20-Clientes list=VLAN
add interface=ether10 list=ADMIN
add interface=vlan10-LAN list=ADMIN
/ip address
add address=10.0.10.1/24 interface=vlan10-LAN network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-Clientes network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-Camaras network=10.0.30.0
add address=192.168.99.1/24 comment="acceso secundario" interface=ether10 \
    network=192.168.99.0
/ip dhcp-client
add comment="Proveedor 1 - Claro" disabled=no interface=ether1-Claro
add add-default-route=no comment="Proveedor 2 - Fibercorp" disabled=no \
    interface=ether2-Fibercorp
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.2,9.9.9.9
/ip firewall address-list
add address=10.0.10.1-10.0.10.101 comment="Resto de la red" list=a_fibercorp
add address=10.0.10.201 comment=webserver list=a_claro
add address=10.0.10.250-10.0.10.254 comment=Servidores list=a_fibercorp
add address=10.0.20.0/24 comment=Clientes list=a_claro
add address=10.0.10.7 comment=Des07 list=a_claro
add address=10.0.10.102 comment=cosag list=a_claro
add address=10.0.10.103 comment=w2019 list=a_claro
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow admin to config router" \
    in-interface-list=ADMIN
add action=accept chain=input comment="Allow VLAN DNS queries-UDP" dst-port=\
    53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries-TCP" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related in-interface-list=WAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state="" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="allow vlan10 access to vlan20" \
    connection-state="" dst-address=10.0.20.254 log=yes log-prefix=VALN \
    src-address=10.0.10.7
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Fibercorp (ISP2)" new-routing-mark=a-fibercorp \
    src-address-list=a_fibercorp
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Claro (ISP1)" new-routing-mark=a-claro \
    src-address-list=a_claro
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment=cosag dst-port=xxxx \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.102 to-ports=xxxx
add action=dst-nat chain=dstnat comment=servidor_cp dst-port=xx \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.101 to-ports=xxx
add action=dst-nat chain=dstnat comment=des07 dst-port=xxxx \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.7 to-ports=xxx
add action=dst-nat chain=dstnat comment=w2019 dst-port=xxx \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.103 to-ports=xx
add action=dst-nat chain=dstnat comment=webserver dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.201 to-ports=x
add action=dst-nat chain=dstnat comment=ftp dst-port=21 in-interface-list=WAN \
    protocol=tcp to-addresses=10.0.10.101 to-ports=21
/ip route
add check-gateway=ping comment="Ruta principal Fibercorp" distance=1 gateway=\
    x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Respaldo Fibercorp" distance=2 gateway=\
    x.x.x.x routing-mark=a-fibercorp
add check-gateway=ping comment="Ruta principal Claro" distance=1 gateway=\
    x.x.x.x routing-mark=a-claro
add check-gateway=ping comment="Respaldo Claro" distance=2 gateway=\
    x.x.x.x routing-mark=a-claro
/ip traffic-flow
set enabled=yes interfaces=ether1-Claro
/lcd interface pages
set 0 interfaces="sfp1,ether1-Claro,ether2-Fibercorp,ether3,ether4,ether5,ethe\
    r6,*8,ether8,ether9,ether10"
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system logging
add action=email topics=ups
/system scheduler
add interval=5m name="cada 5 minutos" on-event=update_gateways policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/25/2022 start-time=11:00:00
/system script
add dont-require-permissions=no name=update_gateways owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local newgw [ip dhcp-client get [find interface=\"ether1-Claro\"] gateway]\
    ;\r\
    \n:local routegw [/ip route get [find comment=\"Ruta principal Claro\"] ga\
    teway ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Ruta principal Claro\"] gateway=\$new\
    gw;\r\
    \n}\r\
    \n:local routegw [/ip route get [find comment=\"Respaldo Fibercorp\"] gate\
    way ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Respaldo Fibercorp\"] gateway=\$newgw\
    ;\r\
    \n}\r\
    \n:local newgw [ip dhcp-client get [find interface=\"ether2-Fibercorp\"] g\
    ateway];\r\
    \n:local routegw [/ip route get [find comment=\"Ruta principal Fibercorp\"\
    ] gateway ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Ruta principal Fibercorp\"] gateway=\
    \$newgw;\r\
    \n}\r\
    \n:local routegw [/ip route get [find comment=\"Respaldo Claro\"] gateway \
    ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Respaldo Claro\"] gateway=\$newgw;\r\
    \n}"
/system ups
add name=APC900 offline-time=10h
/tool e-mail
set address=smtp.gmail.com from=xxx@gmail.com port=xx start-tls=\
    yes user=xx
/tool mac-server mac-winbox
set allowed-interface-list=ADMIN
/tool romon
set enabled=yes
Any help will be appreciated!
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Allow one way traffic between VLANs

Thu Oct 13, 2022 6:25 pm

Change this rule......
add action=accept chain=forward comment="allow vlan10 access to vlan20" \
connection-state="" dst-address=10.0.20.254 log=yes log-prefix=VALN \
src-address=10.0.10.7

TO:
add action=accept chain=forward comment="allow vlan10 access to other vlans" \
in-interface=vlan10-LAN out-interface-list=VLAN
 
consultar
newbie
Topic Author

Re: Allow one way traffic between VLANs

Thu Oct 13, 2022 8:34 pm

Still, I cannot ping or RDP to the other VLAN, and the counter of the firewall rule shows 0 bytes.

Could it be a Windows config? The Windows firewall is disabled on both computers but it still doesn't work. If I put them in the same VLAN, RDP works fine...

I don't know what else to try
 
anav
Forum Guru

Re: Allow one way traffic between VLANs

Thu Oct 13, 2022 8:41 pm

Yes, my guess is that it's not the router in this case. It's something else...........

What you need to try is accessing something like a shared printer or other computer or device, to ensure it's not just RDP that is not working.
 
consultar
newbie
Topic Author

Re: Allow one way traffic between VLANs

Thu Oct 13, 2022 9:02 pm

But RDP is working; it only doesn't work when it's on a different VLAN...

Question: could the routing config (on the MikroTik) have anything to do with this?
 
anav
Forum Guru

Re: Allow one way traffic between VLANs

Thu Oct 13, 2022 9:49 pm

You didn't attempt to answer my question: can you reach other devices from vlan10 using the rules I provided?
If you can, then it's not the router.

Also, since you elected to hide the ports being used, which is fine, can you state whether or not you have port forwarding assigned for RDP already, which may or may not be interfering??
 
consultar
newbie
Topic Author

Re: Allow one way traffic between VLANs

Fri Oct 14, 2022 3:01 am

I just tried with other PCs on VLAN 20 and can't access it either: neither the network, ping it, nor RDP.
I just added the port forwarding to the PC in VLAN 20 and I can access it from outside the network via RDP
Last edited by consultar on Fri Oct 14, 2022 5:11 am, edited 1 time in total.
 
anav
Forum Guru

Re: Allow one way traffic between VLANs

Fri Oct 14, 2022 4:39 am

For testing purposes, disable the dstnat rules for RDP............... so we can isolate the conditions........
 
consultar
newbie
Topic Author

Re: Allow one way traffic between VLANs

Mon Oct 17, 2022 5:57 pm

I just disabled all the dst-nat rules for RDP and still, same situation...
 
anav
Forum Guru

Re: Allow one way traffic between VLANs

Mon Oct 17, 2022 6:04 pm

Please post latest config
 
consultar
newbie
Topic Author

Re: Allow one way traffic between VLANs

Mon Oct 17, 2022 6:37 pm

The 2 machines I'm doing all the testing with are serverX and Des07, which are disabled
# oct/17/2022 12:34:38 by RouterOS 6.49.6
# software id = J13U-JGF2
#
# model = 2011UiAS
/interface bridge
add name=BridgeVLAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Claro speed=100Mbps
set [ find default-name=ether2 ] name=ether2-Fibercorp speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=BridgeVLAN name=vlan10-LAN vlan-id=10
add interface=BridgeVLAN name=vlan20-Clientes vlan-id=20
add interface=BridgeVLAN name=vlan30-Camaras vlan-id=30
/interface list
add name=WAN
add name=VLAN
add name=ADMIN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_10 ranges=10.0.10.2-10.0.10.99
add name=dhcp_20 ranges=10.0.20.2-10.0.20.254
add name=dhcp_30 ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=dhcp_10 disabled=no interface=vlan10-LAN name=dhcp1
add address-pool=dhcp_20 disabled=no interface=vlan20-Clientes name=dhcp2
add address-pool=dhcp_30 disabled=no interface=vlan30-Camaras name=dhcp4
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
add email-to=xxx@gmail.com name=email target=email
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=BridgeVLAN comment="PVE3 (Servidor Consultar)" frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=BridgeVLAN comment="Switch Pecera (unmanageable)" \
    ingress-filtering=yes interface=ether4 pvid=10
add bridge=BridgeVLAN comment="Switch Aruba (manageable)" frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=ADMIN
/interface bridge vlan
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 untagged=ether4 \
    vlan-ids=10
add bridge=BridgeVLAN tagged=BridgeVLAN,ether5 vlan-ids=20
add bridge=BridgeVLAN tagged=BridgeVLAN,ether3,ether5 vlan-ids=30
/interface list member
add interface=ether1-Claro list=WAN
add interface=ether2-Fibercorp list=WAN
add interface=vlan10-LAN list=VLAN
add interface=vlan30-Camaras list=VLAN
add interface=vlan20-Clientes list=VLAN
add interface=ether10 list=ADMIN
add interface=vlan10-LAN list=ADMIN
/ip address
add address=10.0.10.1/24 interface=vlan10-LAN network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-Clientes network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-Camaras network=10.0.30.0
add address=192.168.99.1/24 comment="acceso secundario" interface=ether10 \
    network=192.168.99.0
/ip dhcp-client
add comment="Proveedor 1 - Claro" disabled=no interface=ether1-Claro
add add-default-route=no comment="Proveedor 2 - Fibercorp" disabled=no \
    interface=ether2-Fibercorp
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.2,9.9.9.9
/ip firewall address-list
add address=10.0.10.1-10.0.10.101 comment="Resto de la red" list=a_fibercorp
add address=10.0.10.201 comment=webserver list=a_claro
add address=10.0.10.250-10.0.10.254 comment=Servidores list=a_fibercorp
add address=10.0.20.0/24 comment=Clientes list=a_claro
add address=10.0.10.7 comment=Des07 list=a_claro
add address=10.0.10.102 comment=cosag list=a_claro
add address=10.0.10.103 comment=w2019 list=a_claro
add address=10.0.10.14 comment=Des14 list=a_claro
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow admin to config router" \
    in-interface-list=ADMIN
add action=accept chain=input comment="Allow VLAN DNS queries-UDP" dst-port=\
    53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries-TCP" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related in-interface-list=WAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state="" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="allow vlan10 access to other vlans" \
    in-interface=vlan10-LAN out-interface-list=VLAN
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Fibercorp (ISP2)" new-routing-mark=a-fibercorp \
    src-address-list=a_fibercorp
add action=mark-routing chain=prerouting comment=\
    "Env\EDo de tr\E1fico a Claro (ISP1)" new-routing-mark=a-claro \
    src-address-list=a_claro
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment=servidor_cp dst-port=3389 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.101 to-ports=3389
add action=dst-nat chain=dstnat comment=des07 disabled=yes dst-port=xxx \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.7 to-ports=xxx
add action=dst-nat chain=dstnat comment=cosag dst-port=xxx \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.102 to-ports=xxx
add action=dst-nat chain=dstnat comment=w2019 dst-port=xxx \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.103 to-ports=xxx
add action=dst-nat chain=dstnat comment=serverX disabled=yes dst-port=xxx \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.20.253 to-ports=xxx
add action=dst-nat chain=dstnat comment=webserver dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=10.0.10.201 to-ports=80
add action=dst-nat chain=dstnat comment=ftp dst-port=21 in-interface-list=WAN \
    protocol=tcp to-addresses=10.0.10.101 to-ports=21
/ip route
add check-gateway=ping comment="Ruta principal Fibercorp" distance=1 gateway=\
    x.x.x.xx. routing-mark=a-fibercorp
add check-gateway=ping comment="Respaldo Fibercorp" distance=2 gateway=\
    x.x.x.xx. routing-mark=a-fibercorp
add check-gateway=ping comment="Ruta principal Claro" distance=1 gateway=\
    x.x.x.xx. routing-mark=a-claro
add check-gateway=ping comment="Respaldo Claro" distance=2 gateway=\
    x.x.x.xx. routing-mark=a-claro
/ip traffic-flow
set enabled=yes interfaces=ether1-Claro
/lcd interface pages
set 0 interfaces="sfp1,ether1-Claro,ether2-Fibercorp,ether3,ether4,ether5,ethe\
    r6,*8,ether8,ether9,ether10"
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system logging
add action=email topics=ups
/system scheduler
add interval=5m name="cada 5 minutos" on-event=update_gateways policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/25/2022 start-time=11:00:00
/system script
add dont-require-permissions=no name=update_gateways owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local newgw [ip dhcp-client get [find interface=\"ether1-Claro\"] gateway]\
    ;\r\
    \n:local routegw [/ip route get [find comment=\"Ruta principal Claro\"] ga\
    teway ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Ruta principal Claro\"] gateway=\$new\
    gw;\r\
    \n}\r\
    \n:local routegw [/ip route get [find comment=\"Respaldo Fibercorp\"] gate\
    way ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Respaldo Fibercorp\"] gateway=\$newgw\
    ;\r\
    \n}\r\
    \n:local newgw [ip dhcp-client get [find interface=\"ether2-Fibercorp\"] g\
    ateway];\r\
    \n:local routegw [/ip route get [find comment=\"Ruta principal Fibercorp\"\
    ] gateway ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Ruta principal Fibercorp\"] gateway=\
    \$newgw;\r\
    \n}\r\
    \n:local routegw [/ip route get [find comment=\"Respaldo Claro\"] gateway \
    ];\r\
    \n:if (\$newgw != \$routegw) do={\r\
    \n     /ip route set [find comment=\"Respaldo Claro\"] gateway=\$newgw;\r\
    \n}"
/system ups
add name=APC900 offline-time=10h
/tool e-mail
set address=smtp.gmail.com from=xxx@gmail.com port=587 start-tls=\
    yes user=xxx
/tool mac-server mac-winbox
set allowed-interface-list=ADMIN
/tool romon
set enabled=yes
 
anav
Forum Guru

Re: Allow one way traffic between VLANs

Mon Oct 17, 2022 8:22 pm

Well, I can see a problem: someone is coming in WAN1 and yet, due to the mangles, you have that server stating it has to go out WAN2??

Or a conflict of something similar.
For example, you have the RDP server associated with Fibercorp (ISP2)
You have server X associated with Claro (ISP1)

One should imagine the problem is you have directed a user out WAN1 but the server is supposed to respond to WAN2, and vice versa...........

+++++++++++++++++++++++++++++++++++++++++++++++++++
So list clearly the user requirements.

Which USERS (not servers) need to go out which WAN (does it matter, and if so indicate which subnets)?

Which servers should be accessible on what WAN (where are users coming from externally to reach the servers)?

Can you put the servers on their own subnet (easy if attached to a managed switch or router)? Create vlan 33 and vlan 66, one for each of the problem servers.......
 
consultar
newbie
Topic Author

Re: Allow one way traffic between VLANs

Mon Oct 17, 2022 9:14 pm

Yes, the idea is to have vlan20 going out ISP1, and all others through ISP2. I need to add all the addresses because I still can't access between VLANs, therefore I still have all the servers in vlan10. But if I can get that working, then it should be subnet 10.0.10.0/24 on ISP2 and 10.0.20.0/24 on ISP2.

Maybe it would be a better config to have a dedicated VLAN for each server, because in fact I don't want them to see each other. And all those VLANs should go out on ISP1.
I only have 2 virtual servers right now.
 
anav
Forum Guru

Re: Allow one way traffic between VLANs

Mon Oct 17, 2022 9:45 pm

Okay, that will also remove the need for hairpin NAT, which it looks like you are missing anyway.
To be clear, you have both local users and external users connecting to RDP and ServerX?
 
consultar
newbie
Topic Author

Re: Allow one way traffic between VLANs

Tue Oct 18, 2022 5:00 am

Exactly, we are a software company and host the application on our servers, so the external users are our clients, and we are the local users that maintain the server and the software on it. We always connect via RDP.
 
consultar
newbie
Topic Author

Re: Allow one way traffic between VLANs

Wed Oct 19, 2022 9:20 pm

Are the firewall rules all it takes to connect them (two VLANs on the same bridge)? Or do I need the MT to have routes to connect the inter-VLAN traffic?
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Allow one way traffic between VLANs

Wed Oct 19, 2022 11:15 pm

Surely in a software company there is someone that understands how to read documentation.

In general on a router, there will be "connected routes" automatically added to the routing table for every IP address/subnet that exists on any of the router's interfaces.

So if the packets get to the router, then the router will be able to route to other subnets it has interfaces connected to.

If your Windows hosts have the router defined as their default gateway, then the needed routes should be there.

If something isn't working, it is probably a firewall on either the PC or the router.

This assumes that your PCs have their IP configurations correct. If they are getting their IP config via DHCP, use the Windows command prompt and enter ipconfig /all and netstat -rn to verify the IP info and routes are correct.

If you do a tracert from the PC, what do you get?

Here's a web-based interactive troubleshooting aid: FLINT HILLS TECHNICAL COLLEGE Network Troubleshooting Flowchart
Last edited by Buckeye on Wed Oct 19, 2022 11:31 pm, edited 2 times in total.
 
holvoetn
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Allow one way traffic between VLANs

Wed Oct 19, 2022 11:19 pm

Hmmm ... in quite a lot of those companies that's exactly the part which is lacking.
Documentation.

Always a blast when someone else needs to take over parts of the code then.
 
consultar
newbie
Topic Author

Re: Allow one way traffic between VLANs  [SOLVED]

Tue Jun 06, 2023 5:24 pm

Problem solved!
The pinging and the inter-VLAN communication.

For anyone struggling with the same issue, it was the routing marks of the different WANs that were generating the problem.
Find this post viewtopic.php?t=133209 that helped me.

It turns out that I needed to add a couple of mangle rules at the top:
add action=accept chain=prerouting dst-address=10.0.10.0/24 passthrough=no
add action=accept chain=prerouting dst-address=10.0.20.0/24 passthrough=no
Thanks everybody! :D
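Editor's added example (not from the original thread, and not applied on the poster's router): the mangle and filter layout that the root cause above and anav's earlier reply-path objection both point at. The posted export explains the 0-byte counter on the inter-VLAN rule: the mark-routing rules in prerouting match on source address list, so a packet from 10.0.10.7 to 10.0.20.x was marked a-claro and looked up in that routing table, whose only entries are the ISP default routes. It was routed toward the WAN, accepted by the "VLAN Internet Access only" forward rule, masqueraded, and never reached the "allow vlan10 access to other vlans" rule. The accept rules from the solved post stop that for 10.0.10.0/24 and 10.0.20.0/24; the version below generalises to all three VLANs with an address list, and also returns replies of WAN-initiated connections (the dst-nat'd RDP, web and FTP servers) through the WAN they arrived on, which source-based marks alone cannot do. Interface, interface-list, address-list and routing-mark names are those in the export; the address list local_subnets and the connection marks from_claro and from_fibercorp are names introduced here. Syntax is RouterOS 6.49 as in the export.

```routeros
# Added example, not part of the original thread. Assumed names: address list
# local_subnets, connection marks from_claro / from_fibercorp. Everything else
# (BridgeVLAN, vlan10-LAN, list VLAN, a_claro, a_fibercorp, a-claro,
# a-fibercorp, ether1-Claro, ether2-Fibercorp) is taken from the posted export.

/ip firewall address-list
add address=10.0.10.0/24 comment="VLAN10 LAN"      list=local_subnets
add address=10.0.20.0/24 comment="VLAN20 Clientes" list=local_subnets
add address=10.0.30.0/24 comment="VLAN30 Camaras"  list=local_subnets

/ip firewall mangle
# (1) First rule. action=accept ends mangle processing for the packet, so a
# packet addressed to any local subnet keeps routing-mark=main and is delivered
# by the connected routes instead of an ISP table's default route.
add action=accept chain=prerouting comment="inter-VLAN traffic stays in main table" \
    dst-address-list=local_subnets

# (2) Remember which WAN a new inbound (dst-nat'd) connection arrived on.
#     passthrough=yes so the packet continues to the rules below.
add action=mark-connection chain=prerouting comment="conn arrived via Claro" \
    connection-state=new in-interface=ether1-Claro \
    new-connection-mark=from_claro passthrough=yes
add action=mark-connection chain=prerouting comment="conn arrived via Fibercorp" \
    connection-state=new in-interface=ether2-Fibercorp \
    new-connection-mark=from_fibercorp passthrough=yes
#     Route the server's replies (seen on a VLAN interface) back out that same
#     WAN. These sit above the source-based rules, so a server listed in
#     a_fibercorp still answers a client that came in through Claro via Claro.
add action=mark-routing chain=prerouting comment="reply via Claro" \
    connection-mark=from_claro in-interface-list=VLAN \
    new-routing-mark=a-claro passthrough=no
add action=mark-routing chain=prerouting comment="reply via Fibercorp" \
    connection-mark=from_fibercorp in-interface-list=VLAN \
    new-routing-mark=a-fibercorp passthrough=no

# (3) Outbound policy by source, as in the export, restricted to packets that
#     enter on a VLAN so inbound WAN packets are never marked.
add action=mark-routing chain=prerouting comment="to Fibercorp (ISP2)" \
    in-interface-list=VLAN new-routing-mark=a-fibercorp \
    src-address-list=a_fibercorp
add action=mark-routing chain=prerouting comment="to Claro (ISP1)" \
    in-interface-list=VLAN new-routing-mark=a-claro src-address-list=a_claro

/ip firewall filter
# Forward chain, in this order. Replies from VLAN20/30 back to VLAN10 are
# accepted by the established/related rule, so no reverse rule is needed.
add action=accept chain=forward comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="VLAN to Internet" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
# One-way rule: only NEW connections from VLAN10, and only RDP plus ICMP echo,
# instead of the thread's any-protocol rule.
add action=accept chain=forward comment="VLAN10 -> other VLANs: RDP" \
    connection-state=new dst-port=3389 in-interface=vlan10-LAN \
    out-interface-list=VLAN protocol=tcp
add action=accept chain=forward comment="VLAN10 -> other VLANs: ping" \
    connection-state=new in-interface=vlan10-LAN out-interface-list=VLAN \
    protocol=icmp
# VLAN20/30 -> VLAN10 and VLAN20 <-> VLAN30 fall through to here and are dropped.
add action=drop chain=forward comment="drop all else"
```

To check it, open an RDP session from a VLAN10 host and watch /ip firewall mangle print stats and /ip firewall filter print stats: the "inter-VLAN traffic stays in main table" rule and the "VLAN10 -> other VLANs: RDP" rule should count the same new connection, and the "VLAN to Internet" rule should not. Two caveats a practitioner will want: fasttracked packets are not processed by mangle, so if the reply-path marks are relied on, the export's fasttrack rule should be limited to unmarked connections (add connection-mark=no-mark to it); and the export forwards tcp/3389 from the whole internet to 10.0.10.101, which this example leaves untouched, so limiting that dst-nat rule with a src-address-list of the client networks, or putting RDP behind a VPN, is a separate hardening step.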
