Network/Mikrotik setup
I have the following config:
/export hide-sensitive
# jun/12/2022 12:10:24 by RouterOS 7.3.1
# software id = A1GI-TFVF
#
# model = 960PGS
# serial number = 89F90861A06A
# NOTE(review): hide-sensitive removes passwords/keys but the serial number and
# admin-mac below are still exported; harmless on a private post, worth knowing.
/interface bridge
add admin-mac=CC:2D:E0:81:0A:BE auto-mac=no comment=defconf name=bridge
/interface ethernet
# PoE forced on for ether2-5 (power is supplied regardless of device detection).
set [ find default-name=ether2 ] poe-out=forced-on
set [ find default-name=ether3 ] poe-out=forced-on
set [ find default-name=ether4 ] poe-out=forced-on
set [ find default-name=ether5 ] poe-out=forced-on
/interface ethernet switch port
# All six switch ports (0 = ether1 ... 5 = sfp1, presumably) get the same
# treatment: untagged ingress is placed in VLAN 10 (default-vlan-id) and
# vlan-mode=secure makes the switch chip forward only VLANs present in the
# "switch vlan" table below.  Port numbering to interface mapping: confirm on
# the device, it is not shown here.
set 0 default-vlan-id=10 vlan-mode=secure
set 1 default-vlan-id=10 vlan-mode=secure
set 2 default-vlan-id=10 vlan-mode=secure
set 3 default-vlan-id=10 vlan-mode=secure
set 4 default-vlan-id=10 vlan-mode=secure
set 5 default-vlan-id=10 vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Default-config 192.168.88.x leftovers: the pool, the (disabled) DHCP server,
# the DHCP network and the router.lan static entry.  The network described
# below uses 172.27.x.x, so these appear unused; consider removing them so the
# export reflects only what is live.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge name=defconf
/interface bridge port
# Only ether2-5 and sfp1 are bridge ports; ether1 is NOT bridged, yet it is a
# member of the hardware switch VLAN table further down.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
# strict reverse-path filtering: a packet is dropped when its source address
# would be routed out through a different interface than the one it arrived
# on.  Keep this in mind when reading the asymmetric-routing symptoms below.
set rp-filter=strict
/interface ethernet switch vlan
# ether1 is a member of VLAN 10 and VLAN 13 together with ether2-5 and the CPU
# port (the post's description says 11-13 are only on ether2-5, which does not
# match the "public" entry).  Because ether1 and ether2-5 sit on the same
# switch chip, frames within these VLANs are presumably forwarded port-to-port
# in hardware without reaching the CPU, which would explain why ether1<->ether2
# traffic never appears in the firewall logs.  Only frames addressed to the
# router itself (switch1-cpu) go through /ip firewall.
add comment=native independent-learning=yes ports=ether1,ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=10
add comment=management independent-learning=yes ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=11
add comment=replication independent-learning=yes ports=ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=12
add comment=public independent-learning=yes ports=ether2,ether3,ether4,ether5,switch1-cpu,ether1 switch=switch1 vlan-id=13
/interface list member
# LAN = bridge only; WAN = ether1.  The mac-server / discovery restrictions at
# the bottom key off LAN, so they are not offered on ether1.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip dhcp-client
# ether1 obtains its address from the ISP router (172.27.10.3 with default
# gateway 172.27.10.1 per the route print below).
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a DNS resolver for any interface.
# With the "drop all not coming from LAN" input rule disabled below, queries
# arriving on ether1 are answered too.  Fine while ether1 only faces the ISP
# router's private segment; restrict via the input chain if that changes.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# Chain summary (RouterOS accepts a packet that matches no rule):
#   input : only "drop invalid" terminates anything; the "drop all not coming
#           from LAN" rule is disabled, so every other new connection hitting
#           the router on ether1 (e.g. the TCP SYN to port 18988 observed in
#           the post) is logged and then accepted by the implicit policy.
#   forward: no terminal drop either (WAN-not-DSTNATed rule disabled), so
#           routed traffic between ether1 and the VLAN subnets is unfiltered.
# Re-enable the two disabled drop rules (or add explicit accepts for the
# services the router must expose on ether1) once logging has answered the
# visibility question.
add action=log chain=output connection-state=new,untracked log=yes log-prefix="LOG ALL"
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log=yes
add action=log chain=input connection-state=new,untracked log=yes log-prefix="LOG ALL"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
# Disabled: without this rule the input chain has no default deny.
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
# Fasttrack disabled: enabling it would let established/related flows bypass
# the filter rules, so the "LOG ALL" rules would see far less; leave off while
# debugging.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward connection-state=new,untracked protocol=icmp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Prefix says "DROP WEB" but action=log: nothing is dropped, HTTP/HTTPS towards
# 172.27.13.0/24 is only logged and continues down the chain.  Rename the
# prefix or add the matching drop rule if blocking was the intent.
add action=log chain=forward connection-state=new dst-address=172.27.13.0/24 dst-port=80,443 log=yes log-prefix="DROP WEB" protocol=tcp
add action=log chain=forward connection-state=new,untracked log=yes log-prefix="LOG ALL"
# Disabled: together with the disabled masquerade below, forwarding is
# unrestricted in both directions.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
# No NAT: the 172.27.x.x VLAN subnets are routed, not masqueraded, so the ISP
# router must know how to reach them (see the redirects in the ping output).
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
/ip route
# Static route for the VLAN 13 subnet with an *interface* (ether1) as gateway:
# RouterOS then treats every 172.27.13.0/24 host as directly connected on
# ether1 and will ARP for it there.  This is consistent with the ICMP
# "Redirect Host (New nexthop: 172.27.13.11)" messages from 172.27.10.3 in the
# ping trace below — the router is pointing the client straight at the host on
# its own segment.  Note the router has no address in 172.27.13.0/24 itself.
add disabled=no dst-address=172.27.13.0/24 gateway=ether1 routing-table=main suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# IPv6 keeps the default-config posture intact: both chains end in a
# "drop everything else not coming from LAN" rule, unlike the IPv4 chains
# above where those rules are disabled.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=rt2
/tool mac-server
# MAC-telnet and MAC-winbox are limited to the LAN list (bridge only), so they
# are not reachable over ether1.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c, s, d, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
DAd 0.0.0.0/0 172.27.10.1 1
DAc 172.27.10.0/24 ether1 0
0 As 172.27.13.0/24 ether1 1
My network looks like this:
Workstation --> layer 2 switch --> ISP provider modem/router --> ether1 (Mikrotik) --> ether2 (Mikrotik)
As you can also see in the VLAN setup, VLAN 10 is the native VLAN. VLANs 11-13 are meant for ether2-5 only. I only added switch1-cpu to the VLANs for experimentation.
Native VLAN has 172.27.10.0/24 as subnet. The other VLANs have 172.27.{11,12,13}.0/24.
172.27.10.1 is my ISP modem/router. 172.27.10.3 is my Mikrotik. 172.27.10.100 is my workstation. 172.27.{10,11,12,13}.11 is a host connected to ether2.
Firewall
The following traffic is, or is not, seen by the firewall:
* input: in:ether1 out:(unknown 0), proto 2, 172.27.10.1->224.0.0.1
* input: in:ether1 out:(unknown 0), proto UDP, 172.27.10.1:53805->255.255.255.255:53805
* input: in:ether1 out:(unknown 0), proto ICMP (type 8, code 0), 172.27.10.100->172.27.10.3
* input: in:ether1 out:(unknown 0), proto TCP (SYN), 172.27.10.100:51176->172.27.10.3:18988 (and basically any traffic going from my workstation to ether1)
* output: in:(unknown 0) out:ether1, proto TCP (SYN), 172.27.10.3:46702->159.148.172.226:80 (and basically any traffic going out from ether1, initiated by the Mikrotik, not the connected hosts)
* An nmap scan from my workstation to 172.27.10.11 (ether2) does not show up in the firewall logs, even though the host is reachable
* An nmap scan from 172.27.10.11 to my workstation does not show up in the firewall logs either, even though the host is reachable
* A ping from 172.27.10.11 to the Mikrotik (172.27.10.3) results in "Destination Host Unreachable", although the default gateway is set to 172.27.10.1 (so it should be able to route there and back).
* A ping from my workstation to 172.27.13.11 (ether2) also has some routing issues (see the next section for details) but eventually reaches the destination; however, this is not picked up by the Mikrotik firewall either
* An nmap scan from my workstation to 172.27.13.11 (ether2) also does not result in firewall logs on the Mikrotik
It seems that ether1-to-ether2 traffic is not picked up at all. Could this be part of a routing issue? Or does it have to do with the VLAN networks (layer 2) being offloaded to the switch hardware, so that the traffic never reaches the CPU-based firewall?
Routing issue
A ping from my workstation to a VLAN host on ether2 is a bit flaky due to a routing issue, but eventually the ping does work. This is likely caused by asymmetric routing. What would be a good fix for this situation?
$ ping 172.27.13.11
PING 172.27.13.11 (172.27.13.11) 56(84) bytes of data.
From 172.27.10.1 icmp_seq=1 Redirect Host(New nexthop: 172.27.10.3)
From 172.27.10.3 icmp_seq=1 Redirect Host(New nexthop: 172.27.13.11)
From 172.27.10.3 icmp_seq=2 Redirect Host(New nexthop: 172.27.13.11)
64 bytes from 172.27.13.11: icmp_seq=3 ttl=64 time=0.361 ms
64 bytes from 172.27.13.11: icmp_seq=4 ttl=64 time=0.368 ms
From 172.27.10.3 icmp_seq=1 Destination Host Unreachable
From 172.27.10.3 icmp_seq=2 Destination Host Unreachable
64 bytes from 172.27.13.11: icmp_seq=5 ttl=64 time=0.310 ms
64 bytes from 172.27.13.11: icmp_seq=6 ttl=64 time=0.342 ms
64 bytes from 172.27.13.11: icmp_seq=7 ttl=64 time=0.272 ms
^C
--- 172.27.13.11 ping statistics ---
7 packets transmitted, 5 received, +5 errors, 28.5714% packet loss, time 6161ms
rtt min/avg/max/mdev = 0.272/0.330/0.368/0.035 ms, pipe 4
ip route
default via 172.27.10.1 dev enp4s0u1u4 proto dhcp src 172.27.10.100 metric 100
default via 172.27.10.1 dev wlp0s20f3 proto dhcp src 172.27.10.5 metric 600
172.27.10.0/24 dev enp4s0u1u4 proto kernel scope link src 172.27.10.100 metric 100
172.27.10.0/24 dev wlp0s20f3 proto kernel scope link src 172.27.10.5 metric 600
/ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c, s, d, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
DAd 0.0.0.0/0 172.27.10.1 1
DAc 172.27.10.0/24 ether1 0
0 As 172.27.13.0/24 ether1 1
ip route
default via 172.27.10.1 dev eth0 onlink
172.27.10.0/24 dev eth0 proto kernel scope link src 172.27.10.11
172.27.11.0/24 dev eth0.11 proto kernel scope link src 172.27.11.11
172.27.12.0/24 dev eth0.12 proto kernel scope link src 172.27.12.11
172.27.13.0/24 dev eth0.13 proto kernel scope link src 172.27.13.11
It does have a static route set: