taons
just joined
Topic Author
Posts: 3
Joined: Tue Oct 19, 2021 12:36 am

Can not dst-nat to vlan device

Sun Nov 21, 2021 9:37 pm

Hi all,

I'm setting up a VLAN (vlan_camera in the config) to isolate a network for security cameras. The cameras are connected to an unmanaged switch, and the switch is connected to the ether2 port of the router (hEX S).

The VLAN is correctly set up (I think) with DHCP, and devices can get IP addresses. However, when I try to set up port forwarding to access the camera from outside, it doesn't work. Also, if I try to ping the VLAN device from the MikroTik terminal, it doesn't work either:
[user@MikroTik] > ping 10.10.50.153
  SEQ HOST                                     SIZE TTL TIME  STATUS             
    0 10.10.50.153                                            timeout            
    1 10.10.50.153                                            timeout            
    2 10.10.50.153                                            timeout
Any suggestion will be more than appreciated!

I'm attaching the configuration below:
/interface bridge
add comment=defconf fast-forward=no name=bridge protocol-mode=none \
    vlan-filtering=yes

/interface vlan
add interface=ether1 name=vlan-internet vlan-id=6
add interface=ether1 name=vlan-telefono vlan-id=3
add interface=bridge name=vlan_camera vlan-id=30

/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan-internet \
    keepalive-timeout=60 max-mru=1492 max-mtu=1492 name=pppoe-out1 \
    use-peer-dns=yes user=adslppp@telefonicanetpa

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN

/ip pool
add name=dhcp ranges=192.168.1.180-192.168.1.254
add name=pool_camera ranges=10.10.50.2-10.10.50.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=pool_camera disabled=no interface=vlan_camera name=\
    dhcp_camera

/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=30
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add comment=defconf interface=sfp1

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=yes

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=30

/interface detect-internet
set detect-interface-list=all

/interface list member
add comment=deconf interface=bridge list=LAN
add comment=deconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan_camera list=VLAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=10.10.50.1/24 interface=vlan_camera network=10.10.50.0

/ip dhcp-client
add comment=defconf disabled=no
add add-default-route=no disabled=no interface=vlan-telefono use-peer-ntp=no

/ip dhcp-server network
add address=10.10.50.0/24 dns-server=192.168.1.1 gateway=10.10.50.1
add address=192.168.1.0/24 comment=defconf dns-server=\
    192.168.1.9,192.168.0.16,8.8.8.8 gateway=192.168.1.1 netmask=24

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat disabled=yes
add action=accept chain=input comment="accept winbox" dst-port=8291 protocol=\
    tcp
add action=accept chain=input in-interface=pppoe-out1 protocol=ipsec-esp
add action=accept chain=input comment=\
    "Defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="Defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "Defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="Defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="Defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="Defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "Defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward connection-nat-state=dstnat log=yes
add action=drop chain=forward comment="Defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "Defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment=\
    "Acepta el trafico de la vlan del telefono" disabled=yes in-interface=\
    vlan-telefono src-address=10.0.0.0/8
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=\
    vlan-telefono
add action=set-priority chain=postrouting new-priority=1 out-interface=\
    pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 \
    dst-address-list="" src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade voz" \
    out-interface=vlan-telefono
add action=masquerade chain=srcnat disabled=yes out-interface=vlan_camera
add action=dst-nat chain=dstnat dst-port=1500 protocol=tcp src-port="" \
    to-addresses=192.168.1.150 to-ports=1500
add action=dst-nat chain=dstnat dst-port=1510 protocol=tcp src-port="" \
    to-addresses=192.168.1.151 to-ports=1510
add action=dst-nat chain=dstnat dst-port=1520 protocol=tcp src-port="" \
    to-addresses=192.168.1.152 to-ports=1520
add action=dst-nat chain=dstnat dst-port=1530 protocol=tcp to-addresses=\
    10.10.50.153 to-ports=1530
add action=dst-nat chain=dstnat disabled=yes dst-port=43389 protocol=tcp \
    to-addresses=192.168.1.14 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=43390 protocol=tcp \
    to-addresses=192.168.1.19 to-ports=443
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing rip interface
add interface=vlan-telefono passive=yes receive=v2
/routing rip network
add network=10.0.0.0/8
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can not dst-nat to vlan device  [SOLVED]

Mon Nov 22, 2021 2:12 pm

Remove this (not required); use standard IP firewall rules!!
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
use-ip-firewall-for-vlan=yes


If not required, set this to none; it can often cause issues.
interface detect-internet
set detect-interface-list=all

Since you only have one VLAN, and it's untagged on ether port 2,
the /interface bridge vlan rule is incorrect...
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=30

Instead could be:
/interface bridge vlan
add bridge=bridge untagged=ether2 vlan-ids=30
OR
NO RULE as the router will create the untagging dynamically when required.

For most people we like to see the input chains and forward chains separated, as it makes the ruleset much easier to read and thus less likely to contain errors!!
This is what it should look like: (lines with possible concerns in orange)

/ip firewall filter
add action=accept chain=input comment=\
"Defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="Defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="Defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="accept winbox" dst-port=8291 protocol=\
tcp

add action=accept chain=input in-interface=pppoe-out1 protocol=ipsec-esp
add action=accept chain=input comment=\
"Acepta el trafico de la vlan del telefono" disabled=yes in-interface=\
vlan-telefono src-address=10.0.0.0/8
{just not sure of the purpose of this rule}
add action=accept chain=input comment=\
"Defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="Defconf: drop all not coming from LAN" \
in-interface-list=!LAN
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="Defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="Defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="Defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"Defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward connection-nat-state=dstnat log=yes
add action=accept chain=forward connection-nat-state=dstnat disabled=yes {not required remove}
add action=drop chain=forward comment=\
"Defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

(1) You are allowing winbox port access from the internet at least limit it to source-address=192.168.1.0/24 so it looks something like........
add action=accept chain=input comment="accept winbox" in-interface=bridge src-address=192.168.1.0/24 dst-port=8291 protocol=tcp

(2) Recommend you include the VLAN for cameras on the interface list members for LAN!!
add interface=vlan_camera list=LAN

Then the vlan cameras will have access to the router for such things as DNS services because at the moment they will not have any.....
add action=drop chain=input comment="Defconf: drop all not coming from LAN" \
in-interface-list=!LAN
Last edited by anav on Mon Nov 22, 2021 2:34 pm, edited 8 times in total.
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can not dst-nat to vlan device

Mon Nov 22, 2021 2:13 pm

I have no clue what you are attempting to do with telefono and a private IP address block 10.0.X.X; beyond my scope of knowledge?
Also, it looks like you are using mangle-type rules, but in a way I am not familiar with, but again beyond my scope of knowledge, but I will say typically, mangle rules being used and fasttrack in the firewall rule set don't mix well........??

In terms of NAT, all of these are missing the destination address (fixed wanip) or some variant of destination address (dynamic WANIP).
Quick question I noticed you have a hairpin type sourcenat rule in place.
Does this mean many or one of the rules below are being accessed by LAN users via a DYNDNS name (domain name) and NOT via the LANIP directly to the server?????
Source port is not a valid entry for dst-nat rules!


add action=dst-nat chain=dstnat dst-port=1500 protocol=tcp src-port="" \
to-addresses=192.168.1.150 to-ports=1500
add action=dst-nat chain=dstnat dst-port=1510 protocol=tcp src-port="" \
to-addresses=192.168.1.151 to-ports=1510
add action=dst-nat chain=dstnat dst-port=1520 protocol=tcp src-port="" \
to-addresses=192.168.1.152 to-ports=1520
add action=dst-nat chain=dstnat dst-port=1530 protocol=tcp to-addresses=\
10.10.50.153 to-ports=1530
add action=dst-nat chain=dstnat disabled=yes dst-port=43389 protocol=tcp \
to-addresses=192.168.1.14 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=43390 protocol=tcp \
to-addresses=192.168.1.19 to-ports=443
 
taons
just joined
Topic Author
Posts: 3
Joined: Tue Oct 19, 2021 12:36 am

Re: Can not dst-nat to vlan device

Mon Nov 22, 2021 4:29 pm

Hi @anav! Thanks for replying! This line solved the issue:
/interface bridge vlan
add bridge=bridge untagged=ether2 vlan-ids=30
Also thanks a lot for the suggestions, I'll adjust my configs.

Answering your doubt, vlan_telefono was required for the phone to work (true that currently I'm not plugging any phone into the router), because my ISP uses VLANs for internet and phone services.
 
taons
just joined
Topic Author
Posts: 3
Joined: Tue Oct 19, 2021 12:36 am

Re: Can not dst-nat to vlan device

Mon Nov 22, 2021 4:35 pm


Quick question I noticed you have a hairpin type sourcenat rule in place.
Does this mean many or one of the rules below are being accessed by LAN users via a DYNDNS name (domain name) and NOT via the LANIP directly to the server?????
Didn't see this. Yes, I'm accessing the video cameras via DynDNS, and I have the same URL configuration inside and outside home.
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can not dst-nat to vlan device

Mon Nov 22, 2021 4:57 pm

To clarify, users on the bridge 192.168.1.X will be accessing the cameras on the VLAN via dyndns name as well as folks having external access to the cameras.
There is no case of users on the vlan accessing the camera on the vlan (as there are no users on the vlan)?

In this case there is no hairpin nat (users and server on same subnet) and thus you will NOT need this rule.........
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 \
dst-address-list="" src-address=192.168.1.0/24

What is important is the proper structure for the dynamic WANIP dst-nat rules.
Suggesting....... modify each rule to look like the following.
This ensures that the rule matches the WAN address, as it's the only available local address left after excluding the two local LAN addresses.

add chain=dstnat action=dst-nat dst-address-type=local dst-address-list=!allsubnets \
protocol=tcp dst-port=12566 to-addresses=192.168.88.68

where the firewall address list looks like
add address=192.168.1.0/24 name=allsubnets
add address=10.0.0.0/24 name=allsubnets

This may or may not work, still trying to work it out.........
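Most of anav's advice in this thread (the tagged/untagged mismatch in /interface bridge vlan, the camera VLAN missing from the LAN interface list, the winbox input rule with no source restriction, and dst-nat rules that are not anchored to the WAN address with dst-address or dst-address-type=local) can be checked mechanically against a /export. The Python script below is an added example, not MikroTik code and not anything either poster ran: it parses the export text format (sections beginning with "/", add/set lines, backslash continuations, double-quoted values) and reports those four findings over a constructed sample assembled from fragments of the configuration in this thread. The exact set of matchers it treats as "anchoring" a dst-nat rule or restricting the winbox rule is this example's own choice, and the 192.168.88.68 rule is anav's illustrative value, not a real host.

```python
"""Lint a RouterOS '/export' for the configuration mistakes raised in this thread."""
import re
import shlex

# Constructed sample (fragments of the OP's export plus one dst-nat rule shaped
# the way anav suggests; 192.168.88.68 is his example target, not a real host).
SAMPLE_EXPORT = """\
/interface vlan
add interface=bridge name=vlan_camera vlan-id=30
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=30
add bridge=bridge comment=defconf interface=ether3
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=30
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=pool_camera disabled=no interface=vlan_camera name=\\
    dhcp_camera
/interface list member
add comment=deconf interface=bridge list=LAN
add interface=vlan_camera list=VLAN
/ip firewall filter
add action=accept chain=input comment="accept winbox" dst-port=8291 protocol=\\
    tcp
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=1530 protocol=tcp to-addresses=\\
    10.10.50.153 to-ports=1530
add chain=dstnat action=dst-nat dst-address-type=local dst-address-list=!allsubnets \\
    protocol=tcp dst-port=12566 to-addresses=192.168.88.68
"""


def parse_export(text):
    """Map each section ('/ip firewall nat', ...) to a list of rules, one dict per add/set line."""
    unwrapped = re.sub(r"\\\n\s*", "", text)  # RouterOS wraps long lines with a trailing backslash
    sections, current = {}, None
    for raw in unwrapped.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)  # keeps comment="two words" as one token
        rule = {"_verb": tokens[0]}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        sections.setdefault(current, []).append(rule)
    return sections


# Matchers this example accepts as anchoring a dst-nat rule / restricting an input rule (assumption).
ANCHOR_KEYS = ("dst-address", "dst-address-type", "in-interface", "in-interface-list")
SOURCE_KEYS = ("src-address", "src-address-list", "in-interface", "in-interface-list")


def lint(text):
    """Return one finding string per problem; an empty list means all checks passed."""
    cfg = parse_export(text)
    findings = []

    # 1. A port with a pvid is an untagged member of that VLAN, so listing it under
    #    tagged= for the same VLAN id contradicts the port setting (the OP's actual bug).
    pvids = {p["interface"]: p["pvid"] for p in cfg.get("/interface bridge port", []) if "pvid" in p}
    for v in cfg.get("/interface bridge vlan", []):
        tagged = set(v.get("tagged", "").split(",")) - {""}
        vlan_ids = set(v.get("vlan-ids", "").split(","))
        for port, pvid in pvids.items():
            if port in tagged and pvid in vlan_ids:
                findings.append(f"bridge vlan: {port} has pvid={pvid} but is tagged for vlan {pvid}; "
                                f"use untagged={port} instead")

    # 2. An interface the router serves DHCP on but that is not in the LAN list is hit by
    #    "drop all not coming from LAN" in the input chain, so its hosts get no DNS from the router.
    lan = {m["interface"] for m in cfg.get("/interface list member", []) if m.get("list") == "LAN"}
    for d in cfg.get("/ip dhcp-server", []):
        if d.get("interface") and d["interface"] not in lan:
            findings.append(f"interface list: {d['interface']} serves DHCP but is not a LAN member")

    # 3. A winbox accept rule in the input chain with no source restriction is reachable
    #    from the WAN side as well.
    for r in cfg.get("/ip firewall filter", []):
        if (r.get("chain") == "input" and r.get("action") == "accept"
                and r.get("dst-port") == "8291" and not any(k in r for k in SOURCE_KEYS)):
            findings.append("filter: winbox (8291) accepted from any source; add src-address= or in-interface=")

    # 4. A dst-nat rule matching on port alone is not tied to the WAN address;
    #    dst-address-type=local with the LAN subnets excluded is anav's suggested form.
    for r in cfg.get("/ip firewall nat", []):
        if r.get("action") == "dst-nat" and not any(k in r for k in ANCHOR_KEYS):
            findings.append(f"nat: dst-nat port {r.get('dst-port')} -> {r.get('to-addresses')} "
                            "has no dst-address / dst-address-type=local")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print(finding)
```

Run it against the output of `/export` saved to a file (replace SAMPLE_EXPORT with the file contents); the second dst-nat rule in the sample, written in anav's dst-address-type=local form, produces no finding while the port-only rule for 10.10.50.153 does.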
