Treart
just joined
Topic Author
Posts: 15
Joined: Mon Jul 12, 2021 5:52 pm
Location: Grosseto

Inter VLAN routing not working

Mon Jun 20, 2022 5:08 pm

Hello guys,

I'm having trouble reaching the devices on VLAN12 from a service PC that resides on VLAN11. I can reach the devices on all other VLANs from this PC (like the UniFi switches that are on VLAN10, etc.).

I have rules in the firewall to block all access from VLAN13 (a guest reserved VLAN for external users) to other VLANs, but even if I disable these rules the problem is still there.

As you can see, I have used mangle to create a static route/rule because this customer has 2 internet routers (an optic fiber for normal internet access and a backup ADSL, on which I have routed the VoIP traffic from VLAN12 with said mangle; that VLAN is reserved for IP phones connected to a cloud PBX).

I hope I made myself clear. Here is my config:

# jun/20/2022 15:58:20 by RouterOS 6.47.8
# software id = UDB2-X12K
#
# model = 2011iL
# serial number = 7DCF073A6FC2
/interface bridge
add admin-mac=6C:3B:6B:D6:0F:52 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=6C:3B:6B:D6:0F:51
set [ find default-name=ether2 ] mac-address=6C:3B:6B:D6:0F:52
set [ find default-name=ether3 ] disabled=yes mac-address=6C:3B:6B:D6:0F:53
set [ find default-name=ether4 ] disabled=yes mac-address=6C:3B:6B:D6:0F:54
set [ find default-name=ether5 ] mac-address=6C:3B:6B:D6:0F:55
set [ find default-name=ether6 ] disabled=yes mac-address=6C:3B:6B:D6:0F:56
set [ find default-name=ether7 ] disabled=yes mac-address=6C:3B:6B:D6:0F:57
set [ find default-name=ether8 ] disabled=yes mac-address=6C:3B:6B:D6:0F:58
set [ find default-name=ether9 ] mac-address=6C:3B:6B:D6:0F:59
set [ find default-name=ether10 ] disabled=yes mac-address=6C:3B:6B:D6:0F:5A
/interface vlan
add interface=ether5 name=VLAN10_MGMT vlan-id=10
add interface=ether5 name=VLAN11_Uffici vlan-id=11
add interface=ether5 name=VLAN12_Telefoni vlan-id=12
add interface=ether5 name=VLAN13_Guest vlan-id=13
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.100-192.168.88.200
add name=MGMT_pool ranges=192.168.10.50-192.168.10.250
add name=uffici_pool ranges=192.168.0.50-192.168.0.250
add name=TELEFONI_pool ranges=192.168.12.50-192.168.12.250
add name=GUEST_pool ranges=192.168.13.50-192.168.13.250
add name=OVPN_pool ranges=192.168.30.100-192.168.30.200
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=MGMT_pool disabled=no interface=VLAN10_MGMT name=vlan10_dhcp
add address-pool=uffici_pool disabled=no interface=VLAN11_Uffici name=\
vlan11_dhcp
add address-pool=TELEFONI_pool disabled=no interface=VLAN12_Telefoni name=\
vlan12_dhcp
add address-pool=GUEST_pool disabled=no interface=VLAN13_Guest name=\
vlan13_dhcp
/ppp profile
add local-address=192.168.10.1 name=ovpn_fidia remote-address=OVPN_pool
/queue simple
add max-limit=2M/10M name=Test_2 queue=ethernet-default/ethernet-default \
target=10.10.13.0/24
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
/interface ovpn-server server
set certificate=server cipher=blowfish128,aes128,aes192,aes256 enabled=yes \
port=11940 require-client-certificate=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.0.1/24 interface=VLAN11_Uffici network=192.168.0.0
add address=192.168.10.1/24 interface=VLAN10_MGMT network=192.168.10.0
add address=192.168.12.1/24 interface=VLAN12_Telefoni network=192.168.12.0
add address=192.168.13.1/24 interface=VLAN13_Guest network=192.168.13.0
/ip dhcp-client
add comment=defconf default-route-distance=2 disabled=no interface=ether1
add disabled=no interface=ether2
/ip dhcp-server lease
add address=192.168.0.70 client-id=1:f4:2:70:aa:de:ae mac-address=\
F4:02:70:AA:DE:AE server=vlan11_dhcp
add address=192.168.0.102 client-id=1:98:ee:cb:75:aa:44 mac-address=\
98:EE:CB:75:AA:44 server=vlan11_dhcp
/ip dhcp-server network
add address=192.168.0.0/24 comment=UFFICI dns-server=8.8.8.8,8.8.4.4 gateway=\
192.168.0.1
add address=192.168.10.0/24 comment=MGMT dns-server=8.8.8.8,8.8.4.4 gateway=\
192.168.10.1
add address=192.168.12.0/24 comment=TELEFONI dns-server=8.8.8.8,8.8.4.4 \
gateway=192.168.12.1
add address=192.168.13.0/24 comment=GUEST dns-server=8.8.8.8,8.8.4.4 gateway=\
192.168.13.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=WinBox in-interface=VLAN11_Uffici
add action=accept chain=input comment=OVPN dst-port=11940 in-interface=ether2 \
protocol=tcp
add action=accept chain=input comment=WinBox_WAN dst-port=8291 in-interface=\
ether2 protocol=tcp
add action=drop chain=forward in-interface=VLAN13_Guest out-interface=\
VLAN11_Uffici
add action=drop chain=forward in-interface=VLAN13_Guest out-interface=\
VLAN12_Telefoni
add action=drop chain=forward in-interface=VLAN13_Guest out-interface=\
VLAN10_MGMT
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=VLAN12_Telefoni \
new-routing-mark=to_Fastweb passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="UltraVNC Ilaria" dst-port=6688 \
in-interface=ether2 protocol=tcp to-addresses=192.168.0.102 to-ports=6688
/ip route
add distance=1 gateway=192.168.1.1 routing-mark=to_Fastweb
/ppp secret
add name=martina profile=ovpn_fidia service=ovpn
add name=nicola profile=ovpn_fidia service=ovpn
add name=andrea profile=ovpn_fidia service=ovpn
add name=kyle profile=ovpn_fidia service=ovpn
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=FIDIA
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Buckeye
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Inter VLAN routing not working

Mon Jun 20, 2022 10:04 pm

I am a noob with ROS firewalls, but I think you need to add your VLAN interfaces to your LAN member list, unless you want to treat each VLAN with its own firewall rules.

I.e., I think this rule is causing the packets from VLAN 12 to VLAN 11 to be dropped:

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

One possible fix, given:

/interface vlan
add interface=ether5 name=VLAN10_MGMT vlan-id=10
add interface=ether5 name=VLAN11_Uffici vlan-id=11
add interface=ether5 name=VLAN12_Telefoni vlan-id=12
add interface=ether5 name=VLAN13_Guest vlan-id=13

add the two VLAN lines to the following stanza:

/interface list member
add comment=defconf interface=bridge list=LAN
add interface=VLAN11_Uffici list=LAN
add interface=VLAN12_Telefoni list=LAN

add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
 
Treart
just joined
Topic Author
Posts: 15
Joined: Mon Jul 12, 2021 5:52 pm
Location: Grosseto

Re: Inter VLAN routing not working

Tue Jun 21, 2022 3:42 pm

Tried adding the two VLAN interfaces to the LAN list, but it's still not working; I'm unable to reach the IP phones from VLAN11.
 
mkx
Forum Guru
Posts: 11582
Joined: Thu Mar 03, 2016 10:23 pm

Re: Inter VLAN routing not working

Tue Jun 21, 2022 5:02 pm

If I read the config correctly ... then you have some kind of VLAN-aware switch connected to ether5, which is configured as a trunk port? There is no firewall rule blocking traffic between said VLANs, so you'll have to verify that packets intended to flow between both VLANs actually reach your router both ways (if there's a routing triangle in your network, then packets would be dropped by the rule add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid; what does the counter for this rule say, anything hitting it?).

And the other thing (often forgotten by people): make sure OS firewalls allow connections from IP subnets other than their own (the Windows firewall by default doesn't).
 
Treart
just joined
Topic Author
Posts: 15
Joined: Mon Jul 12, 2021 5:52 pm
Location: Grosseto

Re: Inter VLAN routing not working

Tue Jun 21, 2022 5:14 pm

Yes, I have UniFi switches in this network, and the port connected to ether5 is a trunk port, allowing all VLANs to enter. The weird thing is that from this "service PC" residing on VLAN11 I can enter the UniFi devices via SSH (they reside on VLAN10_MGMT) without problems, so it looks like inter-VLAN routing works!

I checked the log for the rule you mentioned, and this comes out:

forward: in:VLAN12_Telefoni out:ether1, src-mac 0c:38:3e:44:0f:fd, proto TCP (SYN,ACK), 192.168.12.246:80->192.168.0.68:62142, len 52

192.168.12.246 is an IP phone, 192.168.0.68 is the service PC.

Tried disabling the rule to no avail. I'm going crazy.
 
mkx
Forum Guru
Posts: 11582
Joined: Thu Mar 03, 2016 10:23 pm

Re: Inter VLAN routing not working

Tue Jun 21, 2022 5:38 pm

Above that rule, add a rule something like this one:
add chain=forward action=log src-address=192.168.0.68 dst-address=192.168.12.246

It should show you if forward traffic is passing your router as well. The packet you showed is actually the first return packet, and it's extremely suspicious to see it marked as invalid. The only explanation would be that the initial (forward) packet bypasses the router/firewall.
 
Treart
just joined
Topic Author
Posts: 15
Joined: Mon Jul 12, 2021 5:52 pm
Location: Grosseto

Re: Inter VLAN routing not working

Tue Jun 21, 2022 5:44 pm

> Above that rule, add a rule something like this one:
> add chain=forward action=log src-address=192.168.0.68 dst-address=192.168.12.246
>
> It should show you if forward traffic is passing your router as well. The packet you showed is actually the first return packet, and it's extremely suspicious to see it marked as invalid. The only explanation would be that the initial (forward) packet bypasses the router/firewall.

Tried this, and the log shows "forward: in:VLAN11_Uffici out:VLAN12_Telefoni, src-mac 00:0c:29:58:ae:b1, proto TCP (SYN), 192.168.0.68:62345->192.168.12.246:80, len 52".
 
mkx
Forum Guru
Posts: 11582
Joined: Thu Mar 03, 2016 10:23 pm

Re: Inter VLAN routing not working

Tue Jun 21, 2022 5:50 pm

There's your routing problem:
forward: in:VLAN11_Uffici out:VLAN12_Telefoni, src-mac 00:0c:29:58:ae:b1, proto TCP (SYN), 192.168.0.68:62345->192.168.12.246:80, len 52

forward: in:VLAN12_Telefoni out:ether1, src-mac 0c:38:3e:44:0f:fd, proto TCP (SYN,ACK), 192.168.12.246:80->192.168.0.68:62142, len 52
So the forward packet enters the router through VLAN11_Uffici and leaves through VLAN12_Telefoni. The return packet enters through VLAN12_Telefoni but leaves through ether1.

I'm not a mangle expert, but there might be some problem there ...
add action=mark-routing chain=prerouting in-interface=VLAN12_Telefoni \
new-routing-mark=to_Fastweb passthrough=yes

It says everything (no exceptions) from the phone VLAN should use the to_Fastweb routing table.
 
Treart
just joined
Topic Author
Posts: 15
Joined: Mon Jul 12, 2021 5:52 pm
Location: Grosseto

Re: Inter VLAN routing not working

Tue Jun 21, 2022 5:54 pm

> There's your routing problem:
> forward: in:VLAN11_Uffici out:VLAN12_Telefoni, src-mac 00:0c:29:58:ae:b1, proto TCP (SYN), 192.168.0.68:62345->192.168.12.246:80, len 52
>
> forward: in:VLAN12_Telefoni out:ether1, src-mac 0c:38:3e:44:0f:fd, proto TCP (SYN,ACK), 192.168.12.246:80->192.168.0.68:62142, len 52
> So the forward packet enters the router through VLAN11_Uffici and leaves through VLAN12_Telefoni. The return packet enters through VLAN12_Telefoni but leaves through ether1.
>
> I'm not a mangle expert, but there might be some problem there ...

Could be, I didn't think of that. I have that mangle rule to mark packets from the phones so they are routed through the backup ADSL line instead of the optic fiber.

I just tried disabling it, and magically I could reach the IP phones.

Thanks for the help guys, appreciate it.
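As an added example (not posted in the thread, and not part of the original export), this is one way to keep the VoIP policy routing instead of disabling it: mark only traffic from VLAN12 whose destination is not one of the local subnets, so replies to other VLANs are looked up in the main table where the connected routes live. The address-list name LOCAL_NETS is an assumption; the subnets are taken from the /ip address and /ip pool sections of the posted config.

```routeros
# Added example, not from the thread. Assumed address-list name: LOCAL_NETS.
# Subnets are the ones present in the posted export.
/ip firewall address-list
add list=LOCAL_NETS address=192.168.0.0/24 comment=VLAN11_Uffici
add list=LOCAL_NETS address=192.168.10.0/24 comment=VLAN10_MGMT
add list=LOCAL_NETS address=192.168.12.0/24 comment=VLAN12_Telefoni
add list=LOCAL_NETS address=192.168.13.0/24 comment=VLAN13_Guest
add list=LOCAL_NETS address=192.168.30.0/24 comment=OVPN_pool
add list=LOCAL_NETS address=192.168.88.0/24 comment=defconf

# Replace the unconditional mark-routing rule from the export with one that
# only marks traffic leaving for the Internet. With the original rule, the
# reply from 192.168.12.246 to 192.168.0.68 is looked up in table to_Fastweb,
# whose only route is the default route via 192.168.1.1, so the connected
# route for 192.168.0.0/24 in the main table is never consulted and the
# reply leaves through the wrong interface (out:ether1 in the posted log).
/ip firewall mangle
add action=mark-routing chain=prerouting comment="VoIP to backup ADSL" \
    dst-address-list=!LOCAL_NETS in-interface=VLAN12_Telefoni \
    new-routing-mark=to_Fastweb passthrough=yes

# Checks after applying: the marked route should still be present, and the
# mangle rule's packet counter should rise only for Internet-bound traffic
# from the phones, not for phone -> VLAN11 replies.
/ip route print where routing-mark=to_Fastweb
/ip firewall mangle print stats
```

If a forward log rule like the one mkx suggested is still in place, a phone-to-PC reply should now show out:VLAN11_Uffici instead of out:ether1.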
