Hello guys,
I'm having trouble reaching the devices on VLAN12 from a service PC that resides on VLAN11. I can reach the devices on all other VLANS from this PC (like unifi switches that are on VLAN10, ecc...).
I have rules in the firewall to block all access from VLAN13 (a guest reserved VLAN for external users) to other VLANs, but even if I disable these rules the problem is still there.
As you see I have used mangle to create a static route/rule because this customer has 2 internet routers (an optic fiber for normal internet access and a backup ADSL on which I have routed the VoIP traffic from the VLAN12 with said mangle, reserved for IP phones connected to a cloud pbx)
I hope I made myself clear. Here is my config
# jun/20/2022 15:58:20 by RouterOS 6.47.8
# software id = UDB2-X12K
#
# model = 2011iL
# serial number = 7DCF073A6FC2
/interface bridge
add admin-mac=6C:3B:6B:D6:0F:52 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=6C:3B:6B:D6:0F:51
set [ find default-name=ether2 ] mac-address=6C:3B:6B:D6:0F:52
set [ find default-name=ether3 ] disabled=yes mac-address=6C:3B:6B:D6:0F:53
set [ find default-name=ether4 ] disabled=yes mac-address=6C:3B:6B:D6:0F:54
set [ find default-name=ether5 ] mac-address=6C:3B:6B:D6:0F:55
set [ find default-name=ether6 ] disabled=yes mac-address=6C:3B:6B:D6:0F:56
set [ find default-name=ether7 ] disabled=yes mac-address=6C:3B:6B:D6:0F:57
set [ find default-name=ether8 ] disabled=yes mac-address=6C:3B:6B:D6:0F:58
set [ find default-name=ether9 ] mac-address=6C:3B:6B:D6:0F:59
set [ find default-name=ether10 ] disabled=yes mac-address=6C:3B:6B:D6:0F:5A
/interface vlan
add interface=ether5 name=VLAN10_MGMT vlan-id=10
add interface=ether5 name=VLAN11_Uffici vlan-id=11
add interface=ether5 name=VLAN12_Telefoni vlan-id=12
add interface=ether5 name=VLAN13_Guest vlan-id=13
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.100-192.168.88.200
add name=MGMT_pool ranges=192.168.10.50-192.168.10.250
add name=uffici_pool ranges=192.168.0.50-192.168.0.250
add name=TELEFONI_pool ranges=192.168.12.50-192.168.12.250
add name=GUEST_pool ranges=192.168.13.50-192.168.13.250
add name=OVPN_pool ranges=192.168.30.100-192.168.30.200
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=MGMT_pool disabled=no interface=VLAN10_MGMT name=vlan10_dhcp
add address-pool=uffici_pool disabled=no interface=VLAN11_Uffici name=\
vlan11_dhcp
add address-pool=TELEFONI_pool disabled=no interface=VLAN12_Telefoni name=\
vlan12_dhcp
add address-pool=GUEST_pool disabled=no interface=VLAN13_Guest name=\
vlan13_dhcp
/ppp profile
add local-address=192.168.10.1 name=ovpn_fidia remote-address=OVPN_pool
/queue simple
add max-limit=2M/10M name=Test_2 queue=ethernet-default/ethernet-default \
target=10.10.13.0/24
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
/interface ovpn-server server
set certificate=server cipher=blowfish128,aes128,aes192,aes256 enabled=yes \
port=11940 require-client-certificate=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.0.1/24 interface=VLAN11_Uffici network=192.168.0.0
add address=192.168.10.1/24 interface=VLAN10_MGMT network=192.168.10.0
add address=192.168.12.1/24 interface=VLAN12_Telefoni network=192.168.12.0
add address=192.168.13.1/24 interface=VLAN13_Guest network=192.168.13.0
/ip dhcp-client
add comment=defconf default-route-distance=2 disabled=no interface=ether1
add disabled=no interface=ether2
/ip dhcp-server lease
add address=192.168.0.70 client-id=1:f4:2:70:aaae mac-address=\
F4:02:70:AA:DE:AE server=vlan11_dhcp
add address=192.168.0.102 client-id=1:98:ee:cb:75:aa:44 mac-address=\
98:EE:CB:75:AA:44 server=vlan11_dhcp
/ip dhcp-server network
add address=192.168.0.0/24 comment=UFFICI dns-server=8.8.8.8,8.8.4.4 gateway=\
192.168.0.1
add address=192.168.10.0/24 comment=MGMT dns-server=8.8.8.8,8.8.4.4 gateway=\
192.168.10.1
add address=192.168.12.0/24 comment=TELEFONI dns-server=8.8.8.8,8.8.4.4 \
gateway=192.168.12.1
add address=192.168.13.0/24 comment=GUEST dns-server=8.8.8.8,8.8.4.4 gateway=\
192.168.13.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=WinBox in-interface=VLAN11_Uffici
add action=accept chain=input comment=OVPN dst-port=11940 in-interface=ether2 \
protocol=tcp
add action=accept chain=input comment=WinBox_WAN dst-port=8291 in-interface=\
ether2 protocol=tcp
add action=drop chain=forward in-interface=VLAN13_Guest out-interface=\
VLAN11_Uffici
add action=drop chain=forward in-interface=VLAN13_Guest out-interface=\
VLAN12_Telefoni
add action=drop chain=forward in-interface=VLAN13_Guest out-interface=\
VLAN10_MGMT
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=VLAN12_Telefoni \
new-routing-mark=to_Fastweb passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="UltraVNC Ilaria" dst-port=6688 \
in-interface=ether2 protocol=tcp to-addresses=192.168.0.102 to-ports=6688
/ip route
add distance=1 gateway=192.168.1.1 routing-mark=to_Fastweb
/ppp secret
add name=martina profile=ovpn_fidia service=ovpn
add name=nicola profile=ovpn_fidia service=ovpn
add name=andrea profile=ovpn_fidia service=ovpn
add name=kyle profile=ovpn_fidia service=ovpn
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=FIDIA
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN