mikey
newbie
Topic Author
Posts: 26
Joined: Mon Dec 20, 2021 1:11 pm

Intervlan routing issue

Mon Dec 20, 2021 1:25 pm

Good day!

I have two newbie questions:

1) I would like device 10.0.1.253 to be able to connect to device 10.0.2.254 and vice versa. The accept rule sees the packet and allows it. Still, the packets are not reaching their destination. What have I forgotten?

2) I have set a FastTrack rule and an accept rule for established and related connections. Every time the FastTrack rule gets hit by a packet, the "accept established, related connections" rule gets hit by the same packet. Is that normal? I thought a FastTrack rule would have skipped the rest of the firewall rules.
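# dec/20/2021 09:31:38 by RouterOS 7.1rc7
#
# model = RB760iGS
#
# Layout: one VLAN-aware bridge (lan-bridge) carrying VLANs 10 (main), 20 (IoT),
# 30 (server) and 40 (guest); ether2/ether4 are untagged access ports for VLAN 10,
# ether3 for VLAN 20, ether5 is the tagged trunk. The router is the gateway
# (10.0.x.1/24) for every VLAN and masquerades everything leaving via the WAN list.
# An export only lists non-default settings, so anything not shown here
# (e.g. /ip service www and winbox) is at its RouterOS default.
/interface bridge
add ingress-filtering=no name=lan-bridge pvid=999 vlan-filtering=yes
/interface vlan
add interface=lan-bridge name=IoT-vlan-interface vlan-id=20
add interface=lan-bridge name=guest-vlan-interface vlan-id=40
add interface=lan-bridge name=main-vlan-interface vlan-id=10
add interface=lan-bridge name=server-vlan-interface vlan-id=30
/interface pppoe-client
# Only uplink; its name (WAN_PPoE) is what the WAN interface list below must reference.
add add-default-route=yes disabled=no interface=ether1 name=WAN_PPoE use-peer-dns=yes user=\
    myusername
/interface list
add comment="List with all the my vlan interfaces" name=List_vlan_interfaces
add comment="WAN list to use in firewall. Makes the changing of WAN much easier" name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# No pool/DHCP for the server VLAN (10.0.3.0/24): its hosts are expected to be statically addressed.
add name=dhcp-pool-main-network ranges=10.0.1.101-10.0.1.254
add name=dhcp-pool-IoT-network ranges=10.0.2.101-10.0.2.254
add name=dhcp-pool-guest-network ranges=10.0.4.101-10.0.4.254
/ip dhcp-server
# NOTE(review): the input chain below only accepts traffic from main-vlan-interface; DHCP on the IoT
# and guest VLANs therefore relies on the DHCP server not being subject to the input chain — confirm
# leases are actually handed out on VLAN 20 and 40.
add address-pool=dhcp-pool-main-network interface=main-vlan-interface lease-time=2d name=dhcp-main-network
add address-pool=dhcp-pool-IoT-network interface=IoT-vlan-interface lease-time=2d name=dhcp-IoT-network
add address-pool=dhcp-pool-guest-network interface=guest-vlan-interface lease-time=1d name=\
    dhcp-guest-network
/port
set 0 name=serial0
/interface bridge port
# Access ports accept only untagged/priority-tagged frames and place them in their PVID;
# ether5 is the trunk and accepts only tagged frames (its pvid=999 is never used for data).
add bridge=lan-bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
add bridge=lan-bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=lan-bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=lan-bridge frame-types=admit-only-vlan-tagged interface=ether5 pvid=999
/ip neighbor discovery-settings
# NOTE(review): "!dynamic" is every interface that is not dynamic, which appears to include ether1 and
# WAN_PPoE, so neighbor discovery (model/identity/version) would also be announced towards the ISP side;
# restricting this to List_vlan_interfaces keeps discovery on the LAN only — verify before changing.
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
# lan-bridge itself is tagged in every VLAN so the /interface vlan entries above can terminate them.
add bridge=lan-bridge comment="main vlan " tagged=lan-bridge,ether5 untagged=ether4,ether2 vlan-ids=10
add bridge=lan-bridge comment="IoT vlan" tagged=lan-bridge,ether5 untagged=ether3 vlan-ids=20
add bridge=lan-bridge comment="server vlan" tagged=lan-bridge vlan-ids=30
add bridge=lan-bridge comment="guest vlan" tagged=lan-bridge,ether5 vlan-ids=40
/interface list member
add interface=IoT-vlan-interface list=List_vlan_interfaces
add interface=guest-vlan-interface list=List_vlan_interfaces
add interface=main-vlan-interface list=List_vlan_interfaces
add interface=server-vlan-interface list=List_vlan_interfaces
# The pppoe-client defined above is named WAN_PPoE. The posted export referenced WAN_Proximus_PPoE,
# which no interface in this export defines; with no existing member the WAN list matches nothing, and
# the masquerade rule plus every forward rule keyed on in/out-interface-list=WAN would never fire.
add interface=WAN_PPoE list=WAN
/ip address
add address=10.0.1.1/24 comment="gateway main vlan" interface=main-vlan-interface network=10.0.1.0
add address=10.0.2.1/24 comment="gateway IoT vlan" interface=IoT-vlan-interface network=10.0.2.0
add address=10.0.3.1/24 comment="gateway server vlan" interface=server-vlan-interface network=10.0.3.0
add address=10.0.4.1/24 comment="gateway guest vlan" interface=guest-vlan-interface network=10.0.4.0
/ip dhcp-server network
# Clients are pointed at public resolvers directly, not at the router, so the input chain
# does not need to allow DNS from the VLANs.
add address=10.0.1.0/24 comment="main network" dns-server=1.1.1.1,8.8.8.8,8.8.4.4 gateway=10.0.1.1
add address=10.0.2.0/24 comment="IoT network" dns-server=1.1.1.1,8.8.8.8,8.8.4.4 gateway=10.0.2.1
add address=10.0.4.0/24 comment="Guest network" dns-server=1.1.1.1,8.8.8.8,8.8.4.4 gateway=10.0.4.1
/ip dns
# Resolvers used by the router itself (the replies to these queries arrive on WAN_PPoE).
set servers=1.1.1.1,8.8.8.8,8.8.4.4
/ip firewall address-list
# not_in_internet: bogon/reserved space that must never be reached through the WAN.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
# vlan_network_address_list: all local subnets, used to block routing between VLANs by default.
add address=10.0.1.0/24 list=vlan_network_address_list
add address=10.0.2.0/24 list=vlan_network_address_list
add address=10.0.3.0/24 list=vlan_network_address_list
add address=10.0.4.0/24 list=vlan_network_address_list
/ip firewall filter
# ---- input: traffic addressed to the router itself ----
# No in-interface restriction here: replies to connections the router opens itself (its own DNS
# lookups to the servers above, NTP, fetch, ...) come back on WAN_PPoE with state established;
# limiting this rule to main-vlan-interface sent those replies to the final "drop all others".
add action=accept chain=input comment="allow established related connections" connection-state=\
    established,related
# Management (winbox/www/...) is reachable from the main VLAN only; IoT, guest, server and WAN
# fall through to the drop below.
add action=accept chain=input comment="allow acces from main vlan" in-interface=main-vlan-interface
# NOTE(review): this accepts every ICMP type from every interface, WAN included; the forward chain
# already has an "icmp" chain that whitelists types, so a "jump-target=icmp" on input would give
# the router itself the same filtering — left as-is here.
add action=accept chain=input comment="allow icmp" protocol=icmp
add action=drop chain=input comment="drop all others"
# ---- forward: traffic routed through the router ----
# NOTE(review): fasttrack-connection does not end rule processing for the packet that matches it;
# that packet continues down the chain (which is why the next rule is hit as well), and only
# later packets of a fasttracked connection take the fast path — as observed in the thread.
add action=fasttrack-connection chain=forward comment="FastTrack established, related connections" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established, related connections" connection-state=\
    established,related
# Moved directly after the established/related accept: in the posted order, invalid-state packets
# were only dropped after the per-host accept rules below, so 10.0.1.253 <-> 10.0.2.254 could pass
# invalid packets unchecked.
add action=drop chain=forward comment="Drop invalid connections " connection-state=invalid
# NOTE(review): inbound WAN packets of a srcnat'ed connection are replies and are already accepted
# as established above, so this rule looks redundant — confirm it is intended.
add action=accept chain=forward comment="accept NAT'ed connections" connection-nat-state=srcnat \
    in-interface-list=WAN
# Explicit inter-VLAN exception (both directions) evaluated before the blanket inter-VLAN drop.
add action=accept chain=forward dst-address=10.0.2.254 src-address=10.0.1.253
add action=accept chain=forward dst-address=10.0.1.253 src-address=10.0.2.254
add action=drop chain=forward comment="Drop intervlan routing" dst-address-list=vlan_network_address_list \
    src-address-list=vlan_network_address_list
add action=drop chain=forward comment="drop reaching private addresses via WAN" dst-address-list=\
    not_in_internet out-interface-list=WAN
add action=accept chain=forward comment="Allow vlans to internet" out-interface-list=WAN src-address-list=\
    vlan_network_address_list
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
# ---- icmp: type whitelist used by the forward chain ----
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=\
    icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
# Default deny for everything the forward chain did not explicitly accept (unsolicited WAN traffic,
# server VLAN to WAN is covered above via the address list).
add action=drop chain=forward comment="Drop all the rest"
/ip firewall nat
# Single masquerade for everything leaving via the WAN list (depends on the list having a valid member).
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
# Unused management protocols disabled; www and winbox are not listed, so they keep their defaults.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Brussels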
Thank you very much in advance for the help!
 
Zacharias
Forum Guru
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Intervlan routing issue

Mon Dec 20, 2021 2:23 pm

From a quick look at your configuration I can't see any reason why communication would be blocked between the devices in VLAN 10 and VLAN 20.
Are you sure the communication is not being dropped by the end devices' firewall?
 
mikey
newbie
Topic Author
Posts: 26
Joined: Mon Dec 20, 2021 1:11 pm

Re: Intervlan routing issue

Mon Dec 20, 2021 3:03 pm

Yes, I am. When I connect both devices to the same VLAN they communicate with each other without any issues.
 
Zacharias
Forum Guru
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Intervlan routing issue  [SOLVED]

Mon Dec 20, 2021 3:09 pm

Yes, I am. When I connect both devices to the same VLAN they communicate with each other without any issues.
This does not indicate anything... it can still be a firewall issue on the end devices.
If you think it's a firewall problem, simply disable it, test, and enable it again...
 
mikey
newbie
Topic Author
Posts: 26
Joined: Mon Dec 20, 2021 1:11 pm

Re: Intervlan routing issue

Tue Dec 21, 2021 10:03 am

Thank you. This was indeed the "issue". Sometimes you don't learn from your mistakes. I remember I had "resolved" this issue in the past. Let's hope I won't forget it this time.


If someone ever has this issue and finds this thread by googling:

The two clients might be able to ping each other when they are in the same subnet. However, once you move one client to another subnet, the traffic will most likely hit another, stricter firewall rule on the client itself.
