In my SOHO network I am using an RB3011UiAS device with ROS 6.48.2 installed.
I have a bridge in which there are many subnets, a "main" 192.168.3.0/24 and a VLAN400 172.16.10.0/24. Some ports are untagged and some tagged in VLAN400.
I have two Synology NAS. The first is connected to an untagged port with IP 192.168.3.173, while the second is connected to a port tagged in VLAN400 with IP 172.16.10.5.
Using this firewall rule I allow all devices on subnet 172.16.10.0/24 to communicate only with the IP of the synology NAS on subnet 192.168.3.0/24.
Code: Select all
add action=drop chain=forward comment="Drop all from vlan 400 except IP NAS" dst-address=!192.168.3.173 in-interface="vlan 400"
Code: Select all
add action=accept chain=forward comment="Accept request from lan master to vlan NAS Synology Backup" dst-address=172.16.10.0/24 src-address=192.168.3.0/24
Code: Select all
add action=dst-nat chain=dstnat comment="NAS Management WAN" dst-address-type="" dst-port=5050 protocol=tcp to-addresses=192.168.3.173 to-ports=5050
What am I doing wrong?
Complete config:
Code: Select all
[simone@Routerboard] > export
# dec/08/2021 19:08:37 by RouterOS 6.48.2
# software id =
#
# model = RouterBOARD 3011UiAS
# serial number = B8********
/interface bridge
add arp=proxy-arp comment="LAN untagged + VLAN" name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether9 ] comment=FASTWEB
set [ find default-name=ether10 ] comment="FIBRA 200"
/interface vlan
add arp=proxy-arp comment="vlan Synology NAS Backup" interface=bridge1 name="vlan 400" vlan-id=400
add comment="vlan C***** L******" interface=bridge1 name="vlan 410" vlan-id=410
add comment="vlan G****** WiFi" interface=bridge1 name=vlan100 vlan-id=100
add comment="vlan service" interface=bridge1 name=vlan200 vlan-id=200
add arp=proxy-arp comment="vlan Simone" interface=bridge1 name=vlan300 vlan-id=300
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.3.101-192.168.3.149
add name=dhcp_pool1 ranges=192.168.1.100-192.168.1.200
add name=dhcp_pool2 ranges=192.168.2.100-192.168.2.200
add name=dhcp_pool3 ranges=192.168.5.100-192.168.5.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp-master
add address-pool=dhcp_pool1 disabled=no interface=vlan100 name=dhcp-g******
add address-pool=dhcp_pool2 disabled=no interface=vlan200 name=dhcp-service
add address-pool=dhcp_pool3 disabled=no interface=vlan300 name=dhcp-simone
/interface bridge port
add bridge=bridge1 interface=ether1 multicast-router=disabled
add bridge=bridge1 interface=ether2 multicast-router=disabled
add bridge=bridge1 interface=ether3 multicast-router=disabled
add bridge=bridge1 interface=ether4 multicast-router=disabled
add bridge=bridge1 interface=ether5 multicast-router=disabled
add bridge=bridge1 interface=sfp1 multicast-router=disabled
/ip settings
set allow-fast-path=no
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1,ether2,ether3,ether4,ether5,sfp1 vlan-ids=100,200,300,400,410
/ip address
add address=192.168.3.75/24 interface=bridge1 network=192.168.3.0
add address=192.168.1.1/24 interface=vlan100 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan200 network=192.168.2.0
add address=192.168.5.1/24 interface=vlan300 network=192.168.5.0
add address=192.168.50.200/24 comment="Fastweb ADSL" interface=ether9 network=192.168.50.0
add address=192.168.100.100/24 comment="FIBRA 200" interface=ether10 network=192.168.100.0
add address=172.16.10.1/24 interface="vlan 400" network=172.16.10.0
add address=172.16.20.1/28 interface="vlan 410" network=172.16.20.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.3.75
add address=192.168.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.5.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.0/24 list="Subnet"
add address=172.16.10.0/24 list="Subnet"
add address=192.168.2.0/24 list="Subnet"
add address=172.16.20.0/28 list="Subnet"
/ip firewall filter
add action=accept chain=forward comment="Consenti inoltro per connessioni stabilite e correlate" connection-state=!related,new
add action=accept chain=input comment="Consenti richieste ICMP" protocol=icmp
add action=accept chain=input disabled=yes dst-port=1723 in-interface=ether10 protocol=tcp
add action=accept chain=forward comment="Accept request from lan master to vlan NAS Synology Backup" dst-address=172.16.10.0/24 src-address=192.168.3.0/24
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=34w6d chain=input comment="Port scanners to list " fragment=no hotspot="" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop richieste DNS esterne TCP" dst-port=53 in-interface=ether10 protocol=tcp
add action=drop chain=input comment="Drop richieste DNS esterne UDP" dst-port=53 in-interface=ether10 protocol=udp
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether10
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=Bogons
add action=drop chain=input comment="Regola Drop accesso WinBox" dst-port=8291 protocol=tcp src-address-list="!Subnet"
add action=drop chain=input protocol=tcp src-address-list="port scanners"
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid
add action=drop chain=forward comment="Drop all from vlan 400 except IP NAS" dst-address=!192.168.3.173 in-interface="vlan 400"
add action=drop chain=input comment="Drop tutto il resto"
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade FIBRA 200" out-interface=ether10
add action=masquerade chain=srcnat comment="Masquerade Fastweb" out-interface=ether9
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=!192.168.3.75 src-address=192.168.3.0/24
add action=dst-nat chain=dstnat comment="NAS Management WAN" dst-address-type="" dst-port=5050 protocol=tcp to-addresses=192.168.3.173 to-ports=5050
/ip route
add comment=FIBRA distance=10 gateway=192.168.100.1
add comment=ADSL distance=30 gateway=192.168.50.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=17800
set ssh disabled=yes
set www-ssl certificate=ca disabled=no port=17801
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system identity
set name="Routerboard"
/system package update
set channel=long-term