I'm setting a VLAN (vlan_camera in the config) to isolate a network for security cameras. The cameras are connected to a unmanaged switch, and the switch is connected to ether2 port of the router (hEX S).
The VLAN is correctly set (I think) with dhcp and devices can get IP addresses. However, when I try to set a port forwarding to access to the camera from outside, it doesn't work. Also, if i try to ping vlan device from Mikrotik terminal, it doesn't work either:
Code: Select all
[user@MikroTik] > ping 10.10.50.153
SEQ HOST SIZE TTL TIME STATUS
0 10.10.50.153 timeout
1 10.10.50.153 timeout
2 10.10.50.153 timeout
I'm attaching the configuration below:
Code: Select all
/interface bridge
add comment=defconf fast-forward=no name=bridge protocol-mode=none \
vlan-filtering=yes
/interface vlan
add interface=ether1 name=vlan-internet vlan-id=6
add interface=ether1 name=vlan-telefono vlan-id=3
add interface=bridge name=vlan_camera vlan-id=30
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan-internet \
keepalive-timeout=60 max-mru=1492 max-mtu=1492 name=pppoe-out1 \
use-peer-dns=yes user=adslppp@telefonicanetpa
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
/ip pool
add name=dhcp ranges=192.168.1.180-192.168.1.254
add name=pool_camera ranges=10.10.50.2-10.10.50.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=pool_camera disabled=no interface=vlan_camera name=\
dhcp_camera
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=30
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add comment=defconf interface=sfp1
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=30
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=deconf interface=bridge list=LAN
add comment=deconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=vlan_camera list=VLAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
add address=10.10.50.1/24 interface=vlan_camera network=10.10.50.0
/ip dhcp-client
add comment=defconf disabled=no
add add-default-route=no disabled=no interface=vlan-telefono use-peer-ntp=no
/ip dhcp-server network
add address=10.10.50.0/24 dns-server=192.168.1.1 gateway=10.10.50.1
add address=192.168.1.0/24 comment=defconf dns-server=\
192.168.1.9,192.168.0.16,8.8.8.8 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat disabled=yes
add action=accept chain=input comment="accept winbox" dst-port=8291 protocol=\
tcp
add action=accept chain=input in-interface=pppoe-out1 protocol=ipsec-esp
add action=accept chain=input comment=\
"Defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="Defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="Defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"Defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="Defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="Defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="Defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="Defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"Defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward connection-nat-state=dstnat log=yes
add action=drop chain=forward comment="Defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"Defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input comment=\
"Acepta el trafico de la vlan del telefono" disabled=yes in-interface=\
vlan-telefono src-address=10.0.0.0/8
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=\
vlan-telefono
add action=set-priority chain=postrouting new-priority=1 out-interface=\
pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 \
dst-address-list="" src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade voz" \
out-interface=vlan-telefono
add action=masquerade chain=srcnat disabled=yes out-interface=vlan_camera
add action=dst-nat chain=dstnat dst-port=1500 protocol=tcp src-port="" \
to-addresses=192.168.1.150 to-ports=1500
add action=dst-nat chain=dstnat dst-port=1510 protocol=tcp src-port="" \
to-addresses=192.168.1.151 to-ports=1510
add action=dst-nat chain=dstnat dst-port=1520 protocol=tcp src-port="" \
to-addresses=192.168.1.152 to-ports=1520
add action=dst-nat chain=dstnat dst-port=1530 protocol=tcp to-addresses=\
10.10.50.153 to-ports=1530
add action=dst-nat chain=dstnat disabled=yes dst-port=43389 protocol=tcp \
to-addresses=192.168.1.14 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=43390 protocol=tcp \
to-addresses=192.168.1.19 to-ports=443
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing rip interface
add interface=vlan-telefono passive=yes receive=v2
/routing rip network
add network=10.0.0.0/8