dot02
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

MT not processing traffic from a specific interface

Fri Jul 01, 2022 12:28 am

Hi all,

I have another question, I am overlooking something very simple I guess.
I’ve set up my RB3011 with several VLANs. They are all connected to the network via trunk, which is linked to a port-aggregation (eth 4+5)
In parallel, I have eth10 acting as a management port (VLAN 2 - 172.20.2.0/24)

Hosts in VLAN 2 can ping each other, but can't ping the MT VLAN 2 interface (.10), nor can the MT ping any of the hosts in that directly connected network. As the network is directly connected, it can't be a routing issue.

Even more interestingly, I can reach the VLAN 2 L3 IP from any of the other VLANs (traffic ingressing from the LAG+trunk, which does NOT contain VLAN 2).

My config looks like this; I just cleaned up the stuff that is not relevant (GREs, IPsec, disabled interfaces, etc.):

# jun/30/2022 23:07:06 by RouterOS 7.3.1
# software id = GTSP-YUM6
#
# model = RB3011UiAS
/interface bridge
add name=loopback0
/interface ethernet
set [ find default-name=ether1 ] name=eth1-WAN
set [ find default-name=ether4 ] name="eth4 - Transit LAG 10"
set [ find default-name=ether5 ] name="eth5 - Transit LAG 10"
set [ find default-name=ether10 ] name="eth10 - MGT" poe-out=off

/interface vlan
add interface="eth10 - MGT" name="vlan2 - MGT" vlan-id=2
add interface=ether8 name="vlan51 - VLAN0051" vlan-id=51
add interface=eth1-WAN loop-protect=off name="vlan4001 - ISP WAN" vlan-id=4001

/interface bonding
add arp-ip-targets=0.0.0.0 lacp-rate=1sec mode=802.3ad name=LAG10 slaves="eth4 - Transit LAG 10,eth5 - Transit LAG 10"

/interface vlan
add interface=LAG10 name="vlan10 - SERVER-PRIVATE" vlan-id=10
add interface=LAG10 name="vlan15 - SERVER-PUBLIC" vlan-id=15
add interface=LAG10 name="vlan20 - WORKSTATIONS" vlan-id=20
add interface=LAG10 name="vlan30 - IPTEL" vlan-id=30
add interface=LAG10 name="vlan40 - PRINTERS" vlan-id=40
add interface=LAG10 name="vlan50 - LAB" vlan-id=50
add interface=LAG10 name="vlan60 - WLAN" vlan-id=60
add interface=LAG10 name="vlan100 - TRANSIT" vlan-id=100

/interface list
add comment=defconf name=WAN
add comment=TRANSIT name=TRANSIT
add comment="Out-of-Band Management" name=MGT

/interface bridge port
add bridge=*E ingress-filtering=no interface=*D

/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=all

/interface list member
add comment="WAN - Public Fiber" interface=eth1-WAN list=WAN
add comment="Management Interface" interface="eth10 - MGT" list=MGT
add comment=Transit interface=LAG10 list=TRANSIT

/ip address
add address=172.20.2.10/24 comment=Management interface="eth10 - MGT" network=172.20.2.0
add address=172.20.100.254/24 comment="Transit vlan 100" interface="vlan100 - TRANSIT" network=172.20.100.0
add address=172.20.10.1/24 comment=SERVER-PRIVATE interface="vlan10 - SERVER-PRIVATE" network=172.20.10.0
add address=172.20.20.1/24 comment=WORKSTATIONS interface="vlan20 - WORKSTATIONS" network=172.20.20.0
add address=172.20.30.1/24 comment=IPTEL interface="vlan30 - IPTEL" network=172.20.30.0
add address=172.20.40.1/24 comment=PRINTER interface="vlan40 - PRINTERS" network=172.20.40.0
add address=172.20.50.1/24 comment=LAB interface="vlan50 - LAB" network=172.20.50.0
add address=172.20.60.1/24 comment=WLAN interface="vlan60 - WLAN" network=172.20.60.0
add address=172.20.0.1 interface=loopback0 network=172.20.0.1

/ip firewall address-list
add address=172.20.20.0/24 list=NAT
add address=172.20.60.0/24 list=NAT

/ip firewall filter
add action=accept chain=input dst-address=172.20.2.0/24 src-address=172.16.0.0/12
add action=accept chain=output dst-address=172.16.0.0/12 src-address=172.20.2.0/24
(...)

/ip firewall nat
add action=masquerade chain=srcnat dst-address=!172.16.0.0/12 out-interface=pppoe-WAN src-address=172.20.0.0/16

The only clues I could think of would be some issue with the interface lists (VLAN 2/interface eth10 is the only VLAN in the MGT list), or the packets getting into the wrong chain.

When I torch the interface eth10, I see incoming packets from the host in the 172.20.2.0/24 segment I am initiating the ICMP packets from.

Does any of you have an idea what the cause could be?
Cheers
Denis
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: MT not processing traffic from a specific interface

Sat Jul 02, 2022 12:57 am

Two things for me to look at:
a. network diagram
b. full config, nothing truncated, the config is interrelated (just hide any public IPs).
 
dot02
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

Re: MT not processing traffic from a specific interface

Sat Jul 02, 2022 5:26 pm

Here we go. The OSPF config is in progress, please ignore that part completely. My issue regarding the reachability of the eth10/vlan2 IP is unrelated to the OSPF config in progress (which I only started 2 or 3 days ago). The FW rules are also being staged (a lot of try and guess) as I was troubleshooting a lot of things in parallel, but they will get cleaned up nicely once all is done.

# jul/02/2022 15:40:08 by RouterOS 7.3.1
# software id = GTSP-YUM6
#
# model = RB3011UiAS
# serial number = <HIDDEN>
/interface bridge
add name=loopback0
/interface ethernet
set [ find default-name=ether1 ] name=eth1-WAN
set [ find default-name=ether4 ] name="eth4 - Transit LAG 10"
set [ find default-name=ether5 ] name="eth5 - Transit LAG 10"
set [ find default-name=ether10 ] name="eth10 - MGT" poe-out=off
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes mac-address=08:55:31:D2:37:0A
set [ find default-name=sfp1 ] disabled=yes loop-protect=off loop-protect-disable-time=1s loop-protect-send-interval=1s
/interface gre
add allow-fast-path=no mtu=1300 name=gre-tunnel1 remote-address=<Public_IP_SiteP>
add !keepalive local-address=172.20.0.1 name=gre-tunnel2 remote-address=172.18.0.1
add allow-fast-path=no mtu=1300 name=gre-tunnel10 remote-address=<Public_IP_SiteB>
add disabled=yes !keepalive name=gre-tunnel30 remote-address=<DNS_Site_T>
/interface vlan
add interface="eth10 - MGT" name="vlan2 - MGT" vlan-id=2
add interface=ether8 name="vlan51 - VLAN0051" vlan-id=51
add interface=eth1-WAN loop-protect=off name="vlan4001 - ISP WAN" vlan-id=4001
/interface bonding
add arp-ip-targets=0.0.0.0 lacp-rate=1sec mode=802.3ad name=LAG10 slaves="eth4 - Transit LAG 10,eth5 - Transit LAG 10"
/interface pppoe-client
add add-default-route=yes allow=chap disabled=no interface="vlan4001 - ISP WAN" name=pppoe-WAN user=<HIDDEN>
/interface vlan
add interface=LAG10 name="vlan10 - SERVER-PRIVATE" vlan-id=10
add interface=LAG10 name="vlan15 - SERVER-PUBLIC" vlan-id=15
add interface=LAG10 name="vlan20 - WORKSTATIONS" vlan-id=20
add interface=LAG10 name="vlan30 - IPTEL" vlan-id=30
add interface=LAG10 name="vlan40 - PRINTERS" vlan-id=40
add interface=LAG10 name="vlan50 - LAB" vlan-id=50
add interface=LAG10 name="vlan60 - WLAN" vlan-id=60
add interface=LAG10 name="vlan100 - TRANSIT" vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=TRANSIT name=TRANSIT
add comment="Out-of-Band Management" name=MGT
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
add code=60 name=vendor-class-identifier value=<HIDDEN>
add code=77 name=userclass value=<HIDDEN>
add code=90 name=authsend value=<HIDDEN>
/ip ipsec profile
set [ find default=yes ] dh-group=modp1536 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h nat-traversal=no prf-algorithm=sha256 proposal-check=strict
add dh-group=modp1536 dpd-interval=30s dpd-maximum-failures=100 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h name=Profile_B prf-algorithm=sha256 proposal-check=strict
add dh-group=modp1536 dpd-interval=30s dpd-maximum-failures=100 enc-algorithm=aes-256 lifetime=1h name=Profile_P nat-traversal=no proposal-check=strict
add dh-group=modp1536 dpd-interval=30s dpd-maximum-failures=100 enc-algorithm=aes-256 lifetime=1h name=Profile_T nat-traversal=no proposal-check=strict
add dh-group=ecp521 dpd-interval=30s dpd-maximum-failures=100 enc-algorithm=aes-256 hash-algorithm=sha512 lifetime=1h name=Profile_H prf-algorithm=sha512 proposal-check=strict
/ip ipsec peer
add address=<DNS_Site_B> comment="VPN to B" exchange-mode=ike2 local-address=<Public_IP> name=Peer_B profile=Profile_B
add address=<DNS_Site_T> comment="VPN to T" local-address=<Public_IP> name=Peer_T profile=Profile_T
add address=<Public_IP_SiteP>/32 comment="VPN to P" local-address=<Public_IP> name=Peer_P profile=Profile_P
add comment="VPN to H" exchange-mode=ike2 local-address=<Public_IP> name=Peer_H passive=yes profile=Profile_H send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-256-cbc lifetime=1h name=Proposal_P pfs-group=modp1536
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=Proposal_B pfs-group=modp1536
add disabled=yes enc-algorithms=aes-256-cbc lifetime=1h name=Proposal_T pfs-group=modp1536
add auth-algorithms=sha256 enc-algorithms=aes-256-ctr lifetime=1h name=Proposal_H pfs-group=ecp521
/ip pool
add name=dhcp_pool0 ranges=172.20.60.11-172.20.60.200
add name=dhcp_pool1 ranges=172.20.20.11-172.20.20.200
add name=dhcp_pool2 ranges=172.20.30.11-172.20.30.200
add name=dhcp_pool3 ranges=172.20.40.11-172.20.40.200
add name=dhcp_pool4 ranges=172.20.50.11-172.20.50.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface="vlan60 - WLAN" lease-time=4h name=dhcp_VLAN60
add address-pool=dhcp_pool1 interface="vlan20 - WORKSTATIONS" lease-time=4h name=dhcp_VLAN20
add address-pool=dhcp_pool2 interface="vlan30 - IPTEL" lease-time=8h name=dhcp_VLAN30
add address-pool=dhcp_pool3 interface="vlan40 - PRINTERS" lease-time=8h name=dhcp_VLAN40 relay=172.20.40.1
add address-pool=dhcp_pool4 interface="vlan50 - LAB" lease-time=8h name=dhcp_VLAN50 relay=172.20.40.1
/ipv6 pool
add name=Pool_WAN_dhcpPool prefix-length=48
/port
set 0 name=serial0
/queue interface
set sfp1 queue=ethernet-default
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=ospf-1 version=3
/routing ospf area
add area-id=0.0.0.1 disabled=no instance=ospf-1 name=ospf-area-1
/interface bridge filter
# no interface
add action=set-priority chain=output dst-port=67 ip-protocol=udp log=yes log-prefix="Set CoS6 on DHCP request" mac-protocol=ip new-priority=6 out-interface=*D passthrough=yes
/interface bridge port
add bridge=*E ingress-filtering=no interface=*D
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192 rp-filter=strict
/ipv6 settings
set max-neighbor-entries=8192
/interface list member
add comment="WAN - Public Fiber" interface=eth1-WAN list=WAN
add comment="Management Interface" interface="eth10 - MGT" list=MGT
add comment=Transit interface=LAG10 list=TRANSIT
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=172.20.2.10/24 comment=Management interface="eth10 - MGT" network=172.20.2.0
add address=172.20.100.254/24 comment="Transit vlan 100" interface="vlan100 - TRANSIT" network=172.20.100.0
add address=172.20.10.1/24 comment=SERVER-PRIVATE interface="vlan10 - SERVER-PRIVATE" network=172.20.10.0
add address=172.20.20.1/24 comment=WORKSTATIONS interface="vlan20 - WORKSTATIONS" network=172.20.20.0
add address=172.20.30.1/24 comment=IPTEL interface="vlan30 - IPTEL" network=172.20.30.0
add address=172.20.40.1/24 comment=PRINTER interface="vlan40 - PRINTERS" network=172.20.40.0
add address=172.20.50.1/24 comment=LAB interface="vlan50 - LAB" network=172.20.50.0
add address=172.20.60.1/24 comment=WLAN interface="vlan60 - WLAN" network=172.20.60.0
add address=172.30.1.1/30 comment="GRE Tunnel1 - Site_P" interface=gre-tunnel1 network=172.30.1.0
add address=10.10.10.2/30 comment="GRE Tunnel10 - Site_B" interface=gre-tunnel10 network=10.10.10.0
add address=10.10.30.2/30 comment="GRE Tunnel30 - Site_T" interface=gre-tunnel30 network=10.10.30.0
add address=172.30.2.1/30 interface=gre-tunnel2 network=172.30.2.0
add address=172.20.0.1 interface=loopback0 network=172.20.0.1
/ip cloud
set update-time=no
/ip dhcp-client
add !dhcp-options interface=eth1-WAN use-peer-ntp=no
/ip dhcp-server network
add address=172.20.20.0/24 dns-server=172.16.10.20,172.20.20.2 gateway=172.20.20.1 netmask=24
add address=172.20.30.0/24 dns-server=172.16.10.20 gateway=172.20.30.1 netmask=24
add address=172.20.40.0/24 dns-server=172.16.20.2 gateway=172.20.40.1 netmask=24
add address=172.20.50.0/24 dns-server=172.20.50.1,172.16.10.20 gateway=172.20.50.1 netmask=24
add address=172.20.60.0/24 dns-server=8.8.8.8,172.20.60.1,172.16.20.2 gateway=172.20.60.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=130.117.11.11,172.16.10.20
/ip dns static
add address=172.20.2.10 comment=defconf name=otte.lan
add address=<Public_ISP_DNS> comment="WAN DNS Server" name=WAN
/ip firewall address-list
add address=172.20.20.0/24 list=NAT
add address=172.20.60.0/24 list=NAT
/ip firewall filter
add action=accept chain=input dst-address=172.20.2.0/24 src-address=172.16.0.0/12
add action=accept chain=output dst-address=172.16.0.0/12 src-address=172.20.2.0/24
add action=accept chain=input dst-address=172.20.0.0/16 protocol=icmp src-address=172.16.0.0/12
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=drop chain=input comment="DROP INVALID PACKETS" connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=drop chain=input comment="Drop incoming DNS requests from Internet (DDoS)" dst-port=53 in-interface=pppoe-WAN log=yes protocol=udp
add action=drop chain=input dst-port=22,80,443 in-interface=pppoe-WAN log=yes protocol=tcp
add action=accept chain=forward dst-address=172.20.2.0/24 log=yes out-interface="eth10 - MGT" src-address=172.16.0.0/12
add action=accept chain=forward dst-address=172.16.0.0/12 in-interface="eth10 - MGT" log=yes src-address=172.20.2.0/24
add action=accept chain=input comment=MANAGEMENT dst-address=172.20.2.10 dst-port=80,443,22 protocol=tcp src-address=172.16.0.0/12
add action=accept chain=input comment="Allow internal networks to ping GW" dst-address=172.20.0.0/16 log=yes protocol=icmp src-address=172.16.0.0/12
add action=accept chain=input comment="VPN P" dst-address=<Public_IP> protocol=ipsec-esp src-address=<Public_IP_SiteP>
add action=accept chain=output dst-address=<Public_IP_SiteP> protocol=ipsec-esp src-address=<Public_IP>
add action=accept chain=input dst-address=<Public_IP> log=yes protocol=gre src-address=<Public_IP_SiteP>
add action=accept chain=output dst-address=<Public_IP_SiteP> log=yes protocol=gre src-address=<Public_IP>
add action=accept chain=input dst-address=172.30.1.0/30 in-interface=gre-tunnel1 protocol=icmp src-address=172.30.1.0/30
add action=accept chain=input comment="VPN B" dst-address=<Public_IP> protocol=ipsec-esp src-address=<Public_IP_SiteB>
add action=accept chain=output dst-address=<Public_IP_SiteB> protocol=ipsec-esp src-address=<Public_IP>
add action=accept chain=input dst-address=<Public_IP> protocol=gre src-address=<Public_IP_SiteB>
add action=accept chain=output dst-address=<Public_IP_SiteB> protocol=gre src-address=<Public_IP>
add action=accept chain=input dst-address=10.10.10.0/30 in-interface=gre-tunnel10 protocol=icmp src-address=10.10.10.0/30
add action=accept chain=input comment="VPN H" dst-address=<Public_IP>
add action=accept chain=output src-address=<Public_IP>
add action=accept chain=input dst-address=172.30.2.0/30 in-interface=gre-tunnel2 src-address=172.30.2.0/30
add action=accept chain=input dst-address=172.20.0.1 src-address=172.18.0.1
add action=accept chain=output dst-address=172.18.0.1 src-address=172.20.0.1
add action=accept chain=input comment=NTP dst-port=123 in-interface=pppoe-WAN protocol=udp src-address=194.0.5.123 src-port=123
add action=accept chain=input dst-port=123 in-interface=pppoe-WAN protocol=udp src-address=82.64.42.185 src-port=123
add action=accept chain=input dst-port=123 in-interface=pppoe-WAN protocol=udp src-address=92.222.209.69 src-port=123
add action=accept chain=input dst-port=123 in-interface=pppoe-WAN protocol=udp src-address=162.159.200.123 src-port=123
add action=accept chain=input dst-port=123 protocol=udp src-address=172.16.0.0/12
add action=drop chain=input comment="STEALTH RULE 1: DROP ALL PACKETS NOT EXPLICITLY ALLOWED ABOVE (INPUT CHAIN)" log=yes
add action=accept chain=forward comment="OUTBOUND INTERNET TRAFFIC" connection-nat-state=srcnat in-interface="vlan100 - TRANSIT" src-address=172.20.0.0/16
add action=accept chain=forward comment="Accept trafic to LAB vlan" dst-address=172.20.50.0/24 src-address=172.20.0.0/16
add action=accept chain=forward dst-address=172.20.0.0/16 src-address=172.20.50.0/24
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="CLEANUP RULE - DROP ALL PACKETS COMING FROM WAN (FWD CHAIN)" in-interface=pppoe-WAN log=yes
/ip firewall nat
add action=masquerade chain=srcnat dst-address=!172.16.0.0/12 out-interface=pppoe-WAN src-address=172.20.0.0/16
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
add comment=IPsec_P peer=Peer_P
add comment=IPsec_B my-id=fqdn:<DNS_site_HQ> peer=Peer_B remote-id=fqdn:<DNS_Site_B>
add comment=IPsec_T peer=Peer_T
add comment=IPsec_H my-id=fqdn:<DNS_site_HQ> peer=Peer_H remote-id=fqdn:<DNS_site_H>
/ip ipsec policy
set 0 disabled=yes proposal=Proposal_P
add disabled=yes dst-address=<Public_IP_SiteB>/32 peer=Peer_B proposal=Proposal_B protocol=gre src-address=<Public_IP>/32 tunnel=yes
add dst-address=<Public_IP_SiteP>/32 peer=Peer_P proposal=Proposal_P protocol=gre src-address=<Public_IP>/32 tunnel=yes
add disabled=yes dst-address=<Public_IP_SiteT>/32 peer=Peer_T proposal=Proposal_T protocol=gre src-address=<Public_IP>/32 tunnel=yes
add dst-address=172.18.0.1/32 peer=Peer_H proposal=Proposal_H protocol=gre src-address=172.20.0.1/32 tunnel=yes
/ip route
add disabled=no distance=1 dst-address=172.16.0.0/16 gateway=gre-tunnel1 pref-src="" routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.127.0/24 gateway=gre-tunnel1 pref-src="" routing-table=main suppress-hw-offload=no
add disabled=no dst-address=172.18.0.0/16 gateway=gre-tunnel2 routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
set host-key-size=8192 strong-crypto=yes
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-WAN pool-name=WAN_dhcpPool pool-prefix-length=48 rapid-commit=no request=prefix
/lcd
set backlight-timeout=never default-screen=interfaces
/lcd interface
set ether2 disabled=yes
set ether3 disabled=yes
set "eth4 - Transit LAG 10" disabled=yes
set "eth5 - Transit LAG 10" disabled=yes
set sfp1 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set "eth10 - MGT" disabled=yes
/lcd screen
set 1 disabled=yes
set 2 disabled=yes
set 5 disabled=yes
/routing ospf area range
add area=ospf-area-1 disabled=no prefix=172.20.0.0/16
/routing ospf interface-template
add area=ospf-area-1 disabled=no type=ptp
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Paris
/system identity
set name=MT_HQ
/system logging
set 0 disabled=yes
add disabled=yes topics=ipsec
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=194.0.5.123
add address=82.64.42.185
add address=92.222.209.69
add address=162.159.200.123
/tool mac-server
set allowed-interface-list=TRANSIT
/tool mac-server mac-winbox
set allowed-interface-list=TRANSIT

The MT has 3 links to the Cisco stack: 1 link (eth10)/VLAN 2 for management only, and 2 aggregated links (eth 4+5) for all the other VLANs (tagged) (+1 WAN connection).
(attachment: drawing.jpg)
Do you see what I did wrong?

cheers
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: MT not processing traffic from a specific interface

Sat Jul 02, 2022 5:32 pm

Hi there, so you have three ports connected between the same devices (2 aggregated and one separate)... Yikes. Probably okay, but I would scare myself into some sort of loop issue. Probably fine, just not what I am capable of mastering.

I will take a look at the config...
 
dot02
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

Re: MT not processing traffic from a specific interface

Sat Jul 02, 2022 5:40 pm

My thought was to have the management port completely separated from the data traffic. I might change the design in the future, though...
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: MT not processing traffic from a specific interface

Sat Jul 02, 2022 7:10 pm

That is what I do. Two choices:
a. use your trusted LAN as the management VLAN, OR
b. use a specific single LAN as the management VLAN (which you have done)

Interesting config, as I've never dealt with LAG/bond before.

(1) Curious as to why you have VLANs defined and yet no complete DHCP etc.
For example, where are the complete setups for VLANs 100, 10 and 15??

(2) Not seen this used often, what is the purpose???
/interface bridge filter
# no interface
add action=set-priority chain=output dst-port=67 ip-protocol=udp log=yes log-prefix="Set CoS6 on DHCP request" mac-protocol=ip new-priority=6 out-interface=*D passthrough=yes
/interface bridge port
add bridge=*E ingress-filtering=no interface=*D


(3) For that matter, I don't see any purpose to the bridge you have thus far??

(4) Normally I set this to the management interface, as all managed devices should get their IP from the management LAN!!
/ip neighbor discovery-settings
set discover-interface-list=all

(5) RP filter strict is normally not recommended, and definitely not for dual WAN. With IP connection tracking enabled (YES) you have pretty decent TCP stack checking as long as LOOSE connection tracking is UNCHECKED. I don't think rp-filter strict will impede any flow, it's just not what I normally see.
/ip settings
set max-neighbor-entries=8192 rp-filter=strict

(6) You need to add another member to the WAN interface list...
/interface list member
add comment="WAN - Public Fiber" interface=eth1-WAN list=WAN
add interface="vlan4001 - ISP WAN" list=WAN

(7) I don't think you need any entries here, as it should be covered in the PPPoE client settings.
/ip dhcp-client
add !dhcp-options interface=eth1-WAN use-peer-ntp=no


(8) Not a fan of an unorganized firewall list. I suggest putting all input chain rules together and then all forward chain rules together for ease of troubleshooting!
What is the purpose of the output chain rule... is it required? I don't see it very often...
add action=accept chain=output dst-address=172.16.0.0/12 src-address=172.20.2.0/24

The reason I ask is because you have a source NAT rule that looks similar, but not quite...
/ip firewall nat
add action=masquerade chain=srcnat dst-address=!172.16.0.0/12 out-interface=pppoe-WAN src-address=172.20.0.0/16

Plus the fact I have rarely seen multiple output chain rules on top??

(9) This rule should be directly after the fasttrack rule...
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked

(10) The input chain is too complex for me to comment.

(11) I would change the following rule to be clearer and more efficient; the next rule drops all WAN packets so no need to get too fancy (redundant)... However the next rule needs some tidying as well, namely dropping ALL packets not yet matched. Normally one then has to include a specific LAN to WAN rule for internet, but you already have one!
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="CLEANUP RULE - DROP ALL PACKETS COMING FROM WAN (FWD CHAIN)" in-interface=pppoe-WAN log=yes


add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="CLEANUP RULE - DROP ALL OTHER PACKETS"


If you want to log something specifically, because it's just so much noise, just insert a log rule before the last rule...


Hopefully someone else can comment on your input chain and output chain, as it's beyond my scope.
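Added example (not code from the thread or from MikroTik): a Python linter for the RouterOS export format posted above that flags points (2) to (6) from this reply, plus one extra consistency check on where the management address sits. The sample export is a constructed excerpt of the posted config, and the finding texts are my own wording.

```python
"""Lint a RouterOS export for the items raised in the reply above."""
import shlex
from collections import defaultdict

# Constructed excerpt of the export posted in this thread (placeholders as posted).
SAMPLE_EXPORT = """\
/interface ethernet
set [ find default-name=ether10 ] name="eth10 - MGT" poe-out=off
/interface vlan
add interface="eth10 - MGT" name="vlan2 - MGT" vlan-id=2
add interface=eth1-WAN loop-protect=off name="vlan4001 - ISP WAN" vlan-id=4001
/interface bridge port
add bridge=*E ingress-filtering=no interface=*D
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192 rp-filter=strict
/interface list member
add comment="WAN - Public Fiber" interface=eth1-WAN list=WAN
add comment="Management Interface" interface="eth10 - MGT" list=MGT
/ip address
add address=172.20.2.10/24 comment=Management interface="eth10 - MGT" network=172.20.2.0
"""


def parse_export(text):
    """Map each '/section path' to its add/set entries, each a key=value dict."""
    sections = defaultdict(list)
    path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # blank lines and export comments
        if line.startswith("/"):
            path = line                       # e.g. "/ip address"
            continue
        entry = {}
        for tok in shlex.split(line):         # keeps "eth10 - MGT" as one value
            if "=" in tok:
                key, val = tok.split("=", 1)
                entry[key] = val
        sections[path].append(entry)
    return sections


def lint(sections):
    """Return human-readable findings; each check maps to a point in the reply."""
    findings = []
    # (2)/(3): an export prints an internal id such as *D where the referenced
    # object no longer exists, so the entry does nothing and can be deleted.
    for path, entries in sections.items():
        for e in entries:
            stale = [k for k, v in e.items() if v.startswith("*")]
            if stale:
                findings.append(f"{path}: stale reference in {', '.join(stale)}; remove the entry")
    # (4): neighbor discovery should be limited to the management list.
    for e in sections.get("/ip neighbor discovery-settings", []):
        if e.get("discover-interface-list") == "all":
            findings.append("/ip neighbor discovery-settings: discovery on all interfaces; "
                            "limit it to the management interface list")
    # (5): strict reverse-path filtering drops packets that arrive on an
    # interface other than the one the route back to their source uses.
    for e in sections.get("/ip settings", []):
        if e.get("rp-filter") == "strict":
            findings.append("/ip settings: rp-filter=strict; use loose where routing may be asymmetric")
    # (6): a VLAN stacked on a WAN-list member should itself be in the WAN list.
    members = defaultdict(set)
    for e in sections.get("/interface list member", []):
        members[e["list"]].add(e["interface"])
    vlans = sections.get("/interface vlan", [])
    for v in vlans:
        if v["interface"] in members["WAN"] and v["name"] not in members["WAN"]:
            findings.append(f"/interface list member: {v['name']} rides on WAN member "
                            f"{v['interface']} but is not in list WAN")
    # Added consistency check: an address on a port that also carries a VLAN
    # sub-interface is untagged, while the VLAN interface on that port is tagged.
    parent_of = {v["interface"]: v["name"] for v in vlans}
    for a in sections.get("/ip address", []):
        if a["interface"] in parent_of:
            findings.append(f"/ip address: {a['address']} is untagged on {a['interface']} "
                            f"while {parent_of[a['interface']]} is tagged on the same port; "
                            "confirm which form the switch port delivers")
    return findings


def run(text=SAMPLE_EXPORT):
    """Parse and lint one export; returns the findings list."""
    return lint(parse_export(text))
```

Running `run()` on the full export pasted in this thread works the same way, since the parser only needs the section headers and the add/set lines.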
 
dot02
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jun 15, 2021 1:23 am

Re: MT not processing traffic from a specific interface

Mon Jul 04, 2022 1:20 pm

Thanks for your reply. To answer your questions

1. all the other VLANs have static IP’s, DHCP is not needed. And even the existing DHCP config is temporary, another DHCP server is being staged and will be ready in a couple of weeks.

2. Bridge filter: This was part of an old config as far as I can remember. It can be removed.
Interface bridge port: This was created automatically. I think it can be removed as well, I'll try to disable it tonight.

3. The loopback is used as the source address of my IKEv2 policy for Peer_H. And it will also be used for OSPF.

4. This is what I want to avoid. I want mgt to be only for management purposes, and nothing else. The vlan2 serves this. There are other devices on that VLAN such as servers' ILO interfaces, UPS mgt port, vSphere management address. But there will be no clients (workstations) in that VLAN.

5. According to MT, strict seems the right way to go: “Current recommended practice in RFC3704 is to enable strict mode to prevent IP spoofing from DDoS attacks. If using asymmetric routing or other complicated routing or VRRP, then loose mode is recommended.” Source: https://wiki.mikrotik.com/wiki/Manual:IP/Settings. However, the disclaimer that strict mode doesn't work with routing tables is confusing. In my case, I don't have dual WAN anyway. But I can try setting it to loose, even though I don't think this will solve my issue. But it's worth a try.

6. Why? The way I see it, the WAN interface list contains the physical interface eth1, to which vlan4001 itself is bound. What would be the benefit of adding vlan4001 to the WAN interface list as well?

7. This line is added as a result of the “use peer NTP” tickbox not being checked.

8. Me neither, and a makeover is planned. That being said, it is not that unsorted. Instead of sorting by chain, which is definitely a way to go, I sorted it by traffic flow (per service/device/network) and defined different sections for VPN, NTP, MGT, stealth and cleanup rules. But I'm really not a big fan of the MT firewall design, I prefer pfSense or Checkpoint. One good FW practice is to put the rules with the highest match rate as close to the top as possible, as this saves resources on the FW (source: Checkpoint training).

“add action=accept chain=output dst-address=172.16.0.0/12 src-address=172.20.2.0/24” => I need this for the other sites to reach this network. But the rule is way too permissive and will be narrowed down when the config is finished (still OSPF to implement). The NAT rule you are referring to is to ensure that traffic to remote sites will not get NAT-ed.

“I have rarely seen multiple output chain rules on top” => which ones? I only have one close to the top: “add action=accept chain=output dst-address=172.16.0.0/12 src-address=172.20.2.0/24”

9. I agree. This is a leftover from a support request during a tshoot. I’ll change it back.

10. …and it will get even more complex soon…

11. I agree. They can be merged.

But anyway, do you see what could explain this weird behaviour where I cannot reach the vlan2 IP from the eth10 interface, but can reach it from the trunk/LAG where VLAN 2 is not transported?

cheers
Denis
