ax25

management VLAN problem

Fri Dec 23, 2022 3:44 pm

Hi folks,

I've searched the forum through and through but cannot make a simple concept work... I would greatly appreciate your help and wisdom! Also Merry X-Mas everyone!

Facts:
RBM11G with LTE modem + hAP ac

Idea: to manage the RBM11G directly from the hAP ac LAN and avoid double NAT (the LTE interface will be in passthrough to ether1). Since it has only 1 ethernet port, a VLAN is needed; also, as far as I know, port forwarding should do: let's say port 9000 for WinBox of the RBM11G, 8080 for the WebUI etc.

What I did:
I've set up VLAN interfaces on both and can ping the boxes on that network (10.10.10.0/24). I also added 2 firewall rules on the hAP ac – dst-nat and input accept for VLANs.

Problem:
"Connection refused" or "Timeout" when I try to access the forwarded WinBox port (e.g. 192.168.88.1:9000)

Configs:

hAP ac – or "WiFiBox"
[admin@WiFiBox] > /export hide-sensitive
# dec/23/2022 14:10:08 by RouterOS 7.6
# software id = 28C1-PRLG
#
# model = RB962UiGS-5HacT2HnT
# serial number = XXXX
/interface bridge
add admin-mac=CC:2D:E0:2B:7F:18 auto-mac=no comment="LAN bridge" name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik2 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik5 wireless-protocol=802.11
# Tagged VLAN 1337 on ether1 (the WAN port) carries the management subnet
# 10.10.10.0/24 towards the RBM11G; this router's address on it is set under /ip address.
/interface vlan
add interface=ether1 name=vlan1337 vlan-id=1337
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
# NOTE(review): tkip is still permitted in both cipher lists; unless legacy clients
# require it, aes-ccm alone is the stronger choice.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
    group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
# NOTE(review): discover-interface-list=all includes ether1 (WAN), so neighbor
# announcements also leave the WAN port; the RBM11G export restricts discovery to LAN.
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# NOTE(review): sfp1 is also a bridge port above, so listing it in WAN looks
# unintended — confirm.
add interface=sfp1 list=WAN
# NOTE(review): md5 is listed as an accepted OVPN auth digest; drop it unless a peer needs it.
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.10.10.10/24 interface=vlan1337 network=10.10.10.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Accepts any input arriving on vlan1337; placed before the "drop all not coming from
# LAN" rule so the management VLAN is not dropped. It carries no src-address or port
# restriction — limiting it to 10.10.10.20 and the management ports is the tighter form.
add action=accept chain=input comment="accept VLAN from WAN" in-interface=vlan1337 log=yes
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# vlan1337 is not a WAN member in this export, so this rule does not cover new
# connections arriving on the management VLAN.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): exported with disabled=yes. While disabled, 192.168.88.1:9000 is
# answered by this router's own input chain, where nothing listens on 9000 — consistent
# with the "connection refused" symptom. Also, the RBM11G export below has no route to
# 192.168.88.0/24, so its replies to LAN hosts have nowhere to go even once this is enabled.
add action=dst-nat chain=dstnat comment="Modem WinBox forward" disabled=yes dst-address=192.168.88.1 dst-port=9000 log=yes protocol=tcp to-addresses=10.10.10.20 to-ports=8291
/ip service
set telnet disabled=yes
set ftp disabled=yes
# Plain-HTTP WebUI of this router moved to 8080. The plan mentions forwarding 8080 to
# the modem's WebUI as well; a dstnat on 8080 runs before input and would shadow this
# local service — pick a different local or forwarded port.
set www port=8080
set api disabled=yes
set api-ssl disabled=yes
# SSH port forwarding (local and remote) is enabled on the router; disable it unless
# tunnels through the router are intended.
/ip ssh
set forwarding-enabled=both strong-crypto=yes
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=WiFiBox
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
RBM11G – "ModemBox"
/export hide-sensitive 
# dec/23/2022 14:38:51 by RouterOS 7.6
# software id = WBRK-9IM5
#
# model = RBM11G
# serial number = XXXX
# lte1 is exported as disabled=yes; the passthrough below still references ether1.
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" disabled=yes
# Management VLAN peer of the hAP ac; this side gets 10.10.10.20 under /ip address.
/interface vlan
add interface=ether1 name=vlan1337 vlan-id=1337
/interface list
add name=WAN
add name=LAN
# LTE passthrough towards the device on ether1 (the hAP ac).
/interface lte apn
set [ find default=yes ] passthrough-interface=ether1 passthrough-mac=auto
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=lte1 list=WAN
# NOTE(review): this LAN member has no interface, so LAN is empty. mac-server,
# mac-winbox and neighbor discovery are scoped to LAN and therefore reach nothing;
# IP access via 10.10.10.20 is unaffected. Add vlan1337 here if MAC-based access
# from the management VLAN is wanted.
add list=LAN
# No /ip route to 192.168.88.0/24 is exported, so replies to hosts on the hAP ac's
# LAN subnet cannot be delivered from here unless the hAP masquerades onto vlan1337
# or a route via 10.10.10.10 is added (see the thread reply).
/ip address
add address=192.168.8.1/24 comment=defconf interface=ether1 network=192.168.8.0
add address=10.10.10.20/24 interface=vlan1337 network=10.10.10.0
/ip firewall service-port
set ftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
# NOTE(review): no /ip firewall filter section appears in this export; with no filter
# rules the input chain accepts everything, so confirm the remaining services (www,
# ssh, winbox) are not reachable from the LTE side.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=ModemBox
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Thank you!
 
sindy

Re: management VLAN problem

Fri Dec 23, 2022 10:02 pm

The address of your PC is 192.168.88.x, but the RBM11G doesn't know how to deliver its responses to that subnet. So you have to add a route to 192.168.88.0/24 (or maybe even better a default route) on the RBM11G with gateway=10.10.10.10. Alternatively, you may add vlan1337 as a member of the interface list WAN on the hAP ac, so that the action=masquerade out-interface-list=WAN rule matches on it; the RBM11G would then see the requests as coming from the hAP ac itself (10.10.10.10), and the dynamically added route to 10.10.10.0/24 would be sufficient.
 
ax25

Re: management VLAN problem

Sat Dec 24, 2022 2:05 am

Thank you sindy, adding the VLAN to the interface list did the trick! I appreciate your help.

Cheers
