
No internet behind bridge - Microtik 1100AHx2

Wed Apr 26, 2023 12:08 pm

Hello everyone,

I have a strange issue with my config. I'm not used to MikroTik, but I'm doing my best to understand the logic :)
I've created a bridge with 2 eth interfaces (eth3 and eth6) to interconnect with another firewall (FortiGate) for VoIP purposes.

The MikroTik has the address 10.4.254.1/24 and the FortiGate 10.4.254.254/24. I can ping each side from the other, but I can't ping 8.8.8.8 from behind the bridge (neither from the FortiGate nor from my laptop connected on eth3 or eth6).

I've added an interface list "INTERCO-FORTI", added the bridge and the eth interfaces to it, then created the rule "add action=accept chain=forward in-interface-list=INTERCO-FORTI log=yes out-interface-list=WAN-PPPoE-Ports".

The src-nat rule is created too: "add action=masquerade chain=srcnat out-interface-list=WAN-PPPoE-Ports src-address=10.4.254.0/24".

I'm posting the MikroTik config below in case someone can check whether something isn't configured correctly.

Thanks


# RouterOS export as posted in the thread. Reviewer notes are the `#` lines;
# every other line is the original export, unchanged. An export only prints
# non-default values, and several objects referenced below (address lists,
# scripts, the PPP and L2TP interfaces) are not in the posted text, so some
# of the notes are necessarily hedged.
/interface bridge
add name=Bridge-Interco-Fortinet
add fast-forward=no name=vpn-mixvoip
/interface ethernet
# NOTE(review): the names do not match the physical ports: the interface
# named "Eth3-...-MASTER" is ether6 and "Eth6-...-SLAVE" is ether3. Harmless
# to the router, but easy to mis-cable; double-check against the cabling.
set [ find default-name=ether6 ] comment="Fortinet MASTER" name=Eth3-Fortinet-WAN2-MASTER speed=100Mbps
set [ find default-name=ether3 ] comment="Fortinet SLAVE" mac-address=E4:8D:8C:2C:C9:6C name=Eth6-Fortinet-WAN2-SLAVE speed=100Mbps
set [ find default-name=ether4 ] comment="Physical Internet Connection via VO Fiber, and its Children" name=INet1-MV-eth4 speed=100Mbps
set [ find default-name=ether2 ] comment="Eth2: Primary Link for MainTrunk (trnk-NGX1-NG1), Connects to NGX1" name=Trunk-Eth2-NGX1
/interface vlan
add interface=INet1-MV-eth4 name=INet1-MV-eth4-Data vlan-id=35
/interface bonding
# The bond lists a single slave (Trunk-Eth2-NGX1) although its comment
# describes two uplinks; no second member appears in this export.
add comment="Trunk: Connects the FW to 2 Main Switches: eth1->NGX1, eth1->NG5" mode=active-backup name=Trunk primary=Trunk-Eth2-NGX1 slaves=Trunk-Eth2-NGX1
/interface vlan
add interface=Trunk name=Trunk-VL-PBX vlan-id=69
/interface list
add name=WAN-PPPoE-Ports
add name=LAN-Interfaces
add exclude=dynamic name=discover
add name=INTERCO-FORTI
/ip pool
add comment="MIXvoip phone pool" name=mixvoip-pool ranges=10.20.152.131-10.20.152.252
/ip dhcp-server
add address-pool=mixvoip-pool disabled=no interface=vpn-mixvoip lease-time=3h name=MIXvoip
/queue type
set 9 kind=red red-burst=3 red-limit=8 red-max-threshold=5 red-min-threshold=2
/user group
# A group whose only policy is "ssh" (no read/write/winbox). Together with
# "/ip ssh forwarding-enabled=both" further down, this looks like a
# deliberate SSH-tunnel-only account class; review which accounts hold it.
add name=sshPF policy=ssh,!local,!telnet,!ftp,!reboot,!read,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp
/interface bridge port
add bridge=vpn-mixvoip interface=Trunk-VL-PBX
add bridge=Bridge-Interco-Fortinet interface=Eth3-Fortinet-WAN2-MASTER
add bridge=Bridge-Interco-Fortinet interface=Eth6-Fortinet-WAN2-SLAVE
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
# L2TP server enabled with the default profile. Nothing in this line
# requires IPsec, so how these tunnels are protected is not visible here —
# confirm on the device.
set default-profile=default enabled=yes
/interface list member
# INet1-MV-eth4-Data-PPP is not defined in the posted export (presumably a
# PPPoE client on the VLAN-35 interface); verify it exists and is running,
# since it is the only real member of WAN-PPPoE-Ports.
add interface=INet1-MV-eth4-Data-PPP list=WAN-PPPoE-Ports
# Members with no interface= (this one and the five "discover" entries
# below) usually mean the referenced interface no longer exists; they are
# dead entries and can be removed.
add list=WAN-PPPoE-Ports
add interface=Trunk-VL-UserSpace list=LAN-Interfaces
add interface=Trunk-VL-PBX list=LAN-Interfaces
add interface=Trunk-Eth2-NGX1 list=discover
add interface=Eth6-Fortinet-WAN2-SLAVE list=INTERCO-FORTI
add interface=INet1-MV-eth4 list=discover
add list=discover
add list=discover
add list=discover
add list=discover
add list=discover
add interface=Trunk-VL-PBX list=discover
add interface=Bridge-Interco-Fortinet list=INTERCO-FORTI
add interface=Eth3-Fortinet-WAN2-MASTER list=INTERCO-FORTI
/ip address
add address=10.20.152.129/25 comment="MIXvoip Network" interface=Trunk-VL-PBX network=10.20.152.128
# The interco address is on the bridge, so routed traffic from the Fortinet
# side enters with in-interface=Bridge-Interco-Fortinet; the two ether
# members also being in INTERCO-FORTI is redundant but harmless.
add address=10.4.254.1/24 interface=Bridge-Interco-Fortinet network=10.4.254.0
/ip dns
# Remote DNS requests are allowed; the input-chain drops on port 53 below
# keep this from being an open resolver, but only for sources outside the
# LOCAL address list.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,185.104.170.78,138.201.172.95
/ip firewall filter
# The address lists LOCAL and smtp-whitelist used here are not in the posted
# export (no /ip firewall address-list section) — probably trimmed from the
# post.
add action=accept chain=input src-address-list=LOCAL
add action=accept chain=input src-address=185.104.171.249
add action=accept chain=forward comment="Accept Port25 for SMTP Whitelist" dst-port=25 protocol=tcp src-address-list=smtp-whitelist
# The interco rule from the post. No rule further down drops general forward
# traffic (only port 25), so a missing filter rule is unlikely to be what
# stops 10.4.254.0/24 from reaching the Internet; with log=yes the log shows
# whether packets hit this rule at all.
add action=accept chain=forward in-interface-list=INTERCO-FORTI log=yes out-interface-list=WAN-PPPoE-Ports
add action=accept chain=forward dst-port=25 protocol=udp src-address-list=smtp-whitelist
add action=drop chain=forward dst-port=25 protocol=tcp
add action=drop chain=forward dst-port=25 protocol=udp
# Input chain ends here with no catch-all drop: only 53/9099/8443 from
# non-LOCAL sources are dropped. Everything else the router listens on (ssh
# on 23646, SNMP, NTP server, L2TP) is reachable from any source unless it
# is filtered somewhere not shown in this export.
add action=drop chain=input dst-port=53,9099,8443 protocol=udp src-address-list=!LOCAL
add action=drop chain=input dst-port=53,9099,8443 protocol=tcp src-address-list=!LOCAL
/ip firewall mangle
# MSS clamp for TCP SYNs leaving via the PPPoE WAN list.
add action=change-mss chain=postrouting new-mss=1409 out-interface-list=WAN-PPPoE-Ports passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1410-65535
/ip firewall nat
# Forwards TCP/2323 from one source host to SSH on 10.4.4.210; that subnet is
# routed via the Fortinet (10.4.254.254, see /ip route), so this path depends
# on the interco link being up.
add action=dst-nat chain=dstnat comment="FROM MIXvoip jumphost to PBX" dst-port=2323 protocol=tcp src-address=85.93.219.236 to-addresses=10.4.4.210 to-ports=22
# protocol=tcp on port 123: if this is meant to redirect NTP, NTP is UDP/123
# and this rule would never match.
add action=dst-nat chain=dstnat dst-port=123 protocol=tcp src-address=10.20.152.128/25 to-addresses=172.16.16.10
add action=masquerade chain=srcnat out-interface-list=WAN-PPPoE-Ports src-address=10.20.152.0/24
add action=masquerade chain=srcnat out-interface-list=WAN-PPPoE-Ports src-address=10.4.89.0/24
add action=masquerade chain=srcnat log=yes log-prefix=CAM90 out-interface-list=WAN-PPPoE-Ports src-address=10.4.90.0/24
# Matched on destination only (no out-interface), so any traffic to these
# two hosts is masqueraded whichever interface it leaves on.
add action=masquerade chain=srcnat comment="MIXvoip API Server" dst-address=88.198.13.18
add action=masquerade chain=srcnat comment="MIXvoip API Server" dst-address=78.46.95.114
# l2tp-mixvoip is not defined in the posted export (presumably an L2TP client
# interface or a static server binding).
add action=masquerade chain=srcnat out-interface=l2tp-mixvoip src-address=!10.20.152.0/24
# The interco src-nat from the post. Note that 10.4.4.0/24, 10.4.23.0/24 and
# 10.4.24.0/24 (routed via the Fortinet below) have no masquerade rule of
# their own, so hosts behind the Fortinet are only NATed here if the
# Fortinet itself sources them from 10.4.254.x.
add action=masquerade chain=srcnat out-interface-list=WAN-PPPoE-Ports src-address=10.4.254.0/24
/ip route
# gateway=*1B is an unresolved object id (the same id appears under
# /ip traffic-flow), which normally means the interface it pointed at no
# longer exists. If this distance-1 default route is invalid, the distance-10
# route via the PPP interface carries Internet traffic; checking which
# default route is actually active ("/ip route print") is the first thing to
# verify for the reported symptom.
add distance=1 gateway=*1B
add distance=10 gateway=INet1-MV-eth4-Data-PPP
# Subnets behind the Fortinet, reached across the interco bridge.
add distance=1 dst-address=10.4.4.0/24 gateway=10.4.254.254
add distance=1 dst-address=10.4.23.0/24 gateway=10.4.254.254
add distance=1 dst-address=10.4.24.0/24 gateway=10.4.254.254
add distance=1 dst-address=10.20.0.0/16 gateway=l2tp-mixvoip
add distance=1 dst-address=10.40.0.0/16 gateway=l2tp-mixvoip
add distance=1 dst-address=78.46.95.114/32 gateway=l2tp-mixvoip
add distance=1 dst-address=85.93.215.140/32 gateway=INet1-MV-eth4-Data-PPP
add distance=1 dst-address=85.93.219.224/27 gateway=l2tp-mixvoip
add distance=1 dst-address=85.93.219.236/32 gateway=INet1-MV-eth4-Data-PPP
add distance=1 dst-address=88.198.13.18/32 gateway=l2tp-mixvoip
add distance=1 dst-address=172.16.16.0/22 gateway=l2tp-mixvoip
add distance=1 dst-address=172.16.16.81/32 gateway=l2tp-mixvoip
add distance=1 dst-address=172.25.0.0/18 gateway=l2tp-mixvoip
add distance=1 dst-address=172.26.0.0/16 gateway=l2tp-mixvoip
add distance=1 dst-address=185.104.170.93/32 gateway=INet1-MV-eth4-Data-PPP
add distance=1 dst-address=185.104.171.249/32 gateway=INet1-MV-eth4-Data-PPP
add distance=1 dst-address=185.125.180.0/22 gateway=l2tp-mixvoip
add distance=1 dst-address=185.125.180.13/32 gateway=INet1-MV-eth4-Data-PPP
add distance=1 dst-address=185.125.180.28/32 gateway=INet1-MV-eth4-Data-PPP
/ip service
# Plain-HTTP www on 9099 and www-ssl on 8443 are enabled; the input drops
# above restrict both to LOCAL sources. SSH on 23646 has no such restriction
# in the posted filter. Telnet, FTP and the API are disabled.
set telnet disabled=yes
set ftp address=192.168.88.0/24,10.4.22.0/24 disabled=yes
set www port=9099
set ssh port=23646
set www-ssl disabled=no port=8443
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# forwarding-enabled=both allows SSH local and remote TCP forwarding, so any
# account that can log in over SSH (including the ssh-only sshPF group) can
# reach other networks through the router. Keep this deliberate and limit
# who holds SSH accounts; strong-crypto=yes is good.
set forwarding-enabled=both strong-crypto=yes
/ip traffic-flow
# Same unresolved *1B reference as the distance-1 default route above.
set interfaces=*1B
/snmp
# SNMP enabled; community/version settings are not in the export, and the
# posted input chain has no rule limiting UDP/161.
set enabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Luxembourg
/system identity
set name=RB1100
/system ntp client
set enabled=yes primary-ntp=194.154.192.101 secondary-ntp=80.92.86.19
/system ntp server
# NTP server enabled; per the posted input chain it answers any source.
set enabled=yes
/system scheduler
/tool netwatch
# The up/down script "clean-sip-sessions" is not in the posted export
# (no /system script section).
add comment="Clean sip sessions when VPN goes down or up" down-script=clean-sip-sessions host=172.16.16.4 interval=7s timeout=500ms up-script=clean-sip-sessions
/tool sniffer
# Saved sniffer parameters only; this line does not start a capture.
set file-limit=5000KiB filter-ip-address=185.125.180.46/32 memory-scroll=no
/tool traffic-monitor
add disabled=yes interface=INet1-MV-eth4-Data-PPP name=tmon1 threshold=5000000
