Perhaps I missed something in my research but I am having a devil of a time setting up a simple one-port VLAN on my CCR2004-1G-12S+2XS. Here is what I am trying to achieve:
- I have a site-to-site wireguard VPN which is functioning as expected for years now.
- I would like to bypass this and route to the great, wide internet for specifically marked traffic. This traffic is marked on a per application instance (ex. there may be some HTTPS traffic destined for the VPN while other traffic needs to bypass direct to the outside world).
- To mark this traffic, I am creating a VLAN (1050) with the intent that any traffic the router receives on this VLAN will skip the relevant mangle rules. Note that I am not even at the mangle step yet, so it will not be discussed further.
- VLAN traffic is expected to arrive on sfp-sfpplus3 along with untagged traffic.
To try to implement this, I have read a bunch of articles, almost all of which seem to involve setting up a bridge. To my (admittedly limited) understanding, the bridge is superfluous as the traffic arriving just needs to be marked and untagged on ingress. Is there a reason I would still want a bridge in this case?
Given the above, I took a stab at it with:
/interface/vlan/add interface=sfp-sfpplus3 name=sfp3_vlan1050 vlan-id=1050 arp=enabled
/ip/address/add interface=sfp3_vlan1050 address=172.16.50.3/24
And then on my Linux PC on that port (connected via dumb switch):
sudo ip link add link eno1 name eno1.1050 type vlan id 1050
sudo ip addr add 172.16.50.103/24 dev eno1.1050
sudo ip link set up eno1.1050
To my understanding, I should be able to ping 172.16.50.3 (the IP on the VLAN interface on the CCR) from 172.16.50.103 (Linux PC) and vice versa. Is this assumption correct?
Assuming so, here is where the problem occurs: I am not able to ping the remote host in either direction. If I tcpdump on the Linux machine, I see that there is a properly tagged (802.1Q) ARP message formed and sent but no response is ever received. Bummer. Using /tool/sniffer forwarded to Wireshark on the Linux PC, I don't see any VLAN traffic received:
/tool/sniffer/set filter-interface=sfp-sfpplus3
So, in short, what am I missing here?
Additionally, is there a better way to achieve different routing rules on a per-application-instance basis?
Thanks!
Config dump, trimmed for brevity:
# dec/26/2022 17:04:28 by RouterOS 7.1
# software id = QKDK-CKFY
#
# model = CCR2004-1G-12S+2XS
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=sfp-sfpplus5 ] disabled=yes
set [ find default-name=sfp-sfpplus6 ] disabled=yes
set [ find default-name=sfp-sfpplus7 ] disabled=yes
set [ find default-name=sfp-sfpplus8 ] disabled=yes
set [ find default-name=sfp-sfpplus9 ] disabled=yes
set [ find default-name=sfp-sfpplus10 ] disabled=yes
set [ find default-name=sfp-sfpplus11 ] disabled=yes
set [ find default-name=sfp-sfpplus12 ] disabled=yes
set [ find default-name=sfp28-2 ] disabled=yes
/interface wireguard
add listen-port=59999 mtu=1384 name=wireguard-vpn
/interface vlan
add interface=sfp-sfpplus3 name=sfp3_vlan1050 vlan-id=1050
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.10.100-192.168.10.254
add name=dhcp_pool1 ranges=192.168.20.100-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.100-192.168.30.254
add name=dhcp_pool3 ranges=192.168.40.100-192.168.40.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=sfp-sfpplus1 lease-time=30m name=dhcp1
add address-pool=dhcp_pool1 interface=sfp-sfpplus2 lease-time=30m name=dhcp2
add address-pool=dhcp_pool2 interface=sfp-sfpplus3 lease-time=30m name=dhcp3
add address-pool=dhcp_pool3 interface=sfp-sfpplus4 lease-time=30m name=dhcp4
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add fib name=routes-vpn
/interface bridge port
add interface=sfp-sfpplus3
add interface=sfp28-1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=<redacted> endpoint-port=1337 interface=wireguard-vpn persistent-keepalive=25s public-key="<redacted>"
/ip address
add address=172.16.50.3/24 interface=sfp3_vlan1050 network=172.16.50.0
/ip dhcp-client
add interface=sfp28-1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.20.2,192.168.20.3 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.2,192.168.20.3 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.20.2,192.168.20.3 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.20.2,192.168.20.3 gateway=192.168.40.1
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-mark=!pia_wireguard_conn connection-state=established,related hw-offload=no
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=sfp28-1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=sfp28-1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from incorrect subnet (10)" in-interface=sfp-sfpplus1 log=yes log-prefix=not-10net src-address=!192.168.10.0/24
add action=drop chain=forward comment="Drop packets from incorrect subnet (20)" in-interface=sfp-sfpplus2 log=yes log-prefix=not-20net src-address=!192.168.20.0/24
add action=drop chain=forward comment="Drop packets from incorrect subnet (30)" disabled=yes in-interface=sfp-sfpplus3 log=yes log-prefix=not-30net src-address=!192.168.30.0/24
add action=drop chain=forward comment="Drop packets from incorrect subnet (40)" in-interface=sfp-sfpplus4 log=yes log-prefix=not-40net src-address=!192.168.40.0/24
add action=drop chain=forward comment="Drop packets from incorrect subnet (50)" in-interface=sfp-sfpplus5 log=yes log-prefix=not-50net src-address=!192.168.50.0/24
add action=drop chain=forward comment="Drop packets from incorrect subnet (60)" in-interface=sfp-sfpplus6 log=yes log-prefix=not-60net src-address=!192.168.60.0/24
add action=drop chain=forward comment="Drop packets from incorrect subnet (70)" in-interface=sfp-sfpplus7 log=yes log-prefix=not-70net src-address=!192.168.70.0/24
add action=drop chain=forward comment="Subnet 50 routes ONLY to internet" in-interface=sfp-sfpplus5 log=yes log-prefix=50net-not-inet out-interface=!sfp28-1
add action=drop chain=forward comment="Subnet 60 routes NOWHERE" in-interface=sfp-sfpplus6 log=yes log-prefix=60net-not-routable out-interface=!sfp-sfpplus6
add action=drop chain=forward comment="Subnet 70 routes NOWHERE" in-interface=sfp-sfpplus7 log=yes log-prefix=70net-not-routable out-interface=!sfp-sfpplus7
add action=add-src-to-address-list address-list=syn_flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=syn_flooder
add action=add-src-to-address-list address-list=port_scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=port_scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=drop chain=input comment="Drop anything else!" disabled=yes
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood, adjust the limit as needed" icmp-options=8:0 limit=2,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add action=drop chain=input port=22,9022 protocol=tcp src-address=!192.168.30.10
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address=!192.168.0.0/16 new-connection-mark=pia_wireguard_conn src-address=192.168.0.0/16
add action=mark-routing chain=prerouting connection-mark=pia_wireguard_conn new-routing-mark=routes-vpn src-address=192.168.0.0/16
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp routing-mark=routes-vpn tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard-vpn
add action=dst-nat chain=dstnat dst-port=9022 in-interface=sfp28-1 protocol=tcp to-addresses=192.168.30.10 to-ports=22
add action=masquerade chain=srcnat out-interface=sfp28-1
/ip route
add dst-address=0.0.0.0/0 gateway=10.25.128.1 routing-table=routes-vpn
add dst-address=0.0.0.0/0 gateway=10.20.128.1 routing-table=routes-vpn
add dst-address=0.0.0.0/0 gateway=10.5.128.1 routing-table=routes-vpn
add dst-address=10.21.128.1/32 gateway=wireguard-vpn routing-table=routes-vpn
add dst-address=0.0.0.0/0 gateway=10.21.128.1 routing-table=routes-vpn
/routing rule
add action=lookup-only-in-table disabled=yes routing-mark=routes-vpn table=routes-vpn
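As an added example that is not part of the original post: a small Python checker that parses a RouterOS export in the format of the dump above and flags VLAN interfaces whose parent port is also a bridge port, a combination worth checking against MikroTik's bridge documentation, which places VLAN interfaces on the bridge itself rather than on a slave port. The excerpt it runs on is constructed from the dump, with a hypothetical bridge=bridge1 value filled in because the trimmed export omits it.

```python
import re
from collections import defaultdict

# Constructed excerpt in RouterOS export format (not the poster's full dump);
# bridge=bridge1 is a hypothetical value, the trimmed dump does not show it.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp28-1
/interface vlan
add interface=sfp-sfpplus3 name=sfp3_vlan1050 vlan-id=1050
/ip address
add address=172.16.50.3/24 interface=sfp3_vlan1050 network=172.16.50.0
"""

# key=value pairs; values may be double-quoted (comments with spaces)
KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Group each 'add ...' line under its '/path' section as a dict of fields."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            fields = {k: v.strip('"') for k, v in KV.findall(line[4:])}
            sections[current].append(fields)
    return sections


def vlan_parent_findings(text):
    """Return (vlan name, parent port, bridge) for VLANs built on a bridge port."""
    s = parse_export(text)
    bridge_ports = {p["interface"]: p.get("bridge", "?")
                    for p in s["/interface bridge port"]}
    findings = []
    for v in s["/interface vlan"]:
        parent = v["interface"]
        if parent in bridge_ports:
            findings.append((v["name"], parent, bridge_ports[parent]))
    return findings


if __name__ == "__main__":
    for name, parent, bridge in vlan_parent_findings(SAMPLE_EXPORT):
        print(f"{name}: parent {parent} is a port of {bridge}; "
              f"consider creating the VLAN on {bridge} instead")
```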