Community discussions

MikroTik App
  4. RouterOS
  5. General

Masquarading traffic from VLAN  [SOLVED]

Post Reply
 
forestarean
just joined
Topic Author
Posts: 4
Joined: Sat Feb 12, 2022 10:08 pm

Masquarading traffic from VLAN

Wed Nov 02, 2022 11:03 am

Dear All,

I have a very simple setup on my CRS326-24G-2S+ switch which I want to try as a router. It sits in a public network and the default VLAN1 handles that traffic. My idea is to introduce VLAN100 and VLAN200 for cameras and guest traffic, respectfully keeping all interfaces in a single bridge. However, I cannot ping anything public from a device connected to VLAN100 (ether6 in my case). It seems that masquerading addresses 192.168.100.0/24 is not working. The export follows. Any advice? Tnx in advance!
Code: Select all
# nov/02/2022 10:00:10 by RouterOS 7.6
# software id = 9AI6-G02G
#
# model = CRS326-24G-2S+
# serial number = DA720CA93C26
/interface bridge
add admin-mac=48:8F:5A:B9:F2:0F auto-mac=no comment=defconf ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no speed=100Mbps
/interface vlan
add interface=bridge name=VLAN100 vlan-id=100
add interface=bridge name=VLAN200 vlan-id=200
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vlan100-adrese ranges=192.168.100.10-192.168.100.254
/ip dhcp-server
add address-pool=vlan100-adrese interface=VLAN100 name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether6 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether7 pvid=200
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether11
add bridge=bridge comment=defconf ingress-filtering=no interface=ether12
add bridge=bridge comment=defconf ingress-filtering=no interface=ether13
add bridge=bridge comment=defconf ingress-filtering=no interface=ether14
add bridge=bridge comment=defconf ingress-filtering=no interface=ether15
add bridge=bridge comment=defconf ingress-filtering=no interface=ether16
add bridge=bridge comment=defconf ingress-filtering=no interface=ether17
add bridge=bridge comment=defconf ingress-filtering=no interface=ether18
add bridge=bridge comment=defconf ingress-filtering=no interface=ether19
add bridge=bridge comment=defconf ingress-filtering=no interface=ether20
add bridge=bridge comment=defconf ingress-filtering=no interface=ether21
add bridge=bridge comment=defconf ingress-filtering=no interface=ether22
add bridge=bridge comment=defconf ingress-filtering=no interface=ether23
add bridge=bridge comment=defconf ingress-filtering=no interface=ether24
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=100
add bridge=bridge tagged=bridge vlan-ids=200
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=PUBLIC_IPV4/24 comment=defconf interface=ether2 network=NETWORK
add address=192.168.100.1/24 interface=VLAN100 network=192.168.100.0
add address=192.168.200.1/24 interface=VLAN200 network=192.168.200.0
/ip dhcp-server network
add address=192.168.100.0/24 comment=defconf dns-server=147.91.209.2,147.91.209.20 gateway=192.168.100.1 netmask=24
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.100.0/24 to-addresses=PUBLIC_IPV4
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=GW
/ipv6 route
add disabled=no dst-address=::/0 gateway=GW6 routing-table=main
/ipv6 address
add address=PUBLIC_IPV6 interface=bridge
/system clock
set time-zone-name=Europe/Belgrade
/system identity
set name=crs326
/system routerboard settings
set boot-os=router-os
/system swos
set address-acquisition-mode=static allow-from-ports=p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16,p17,p18,p19,p20,p21,p22,p23,p24,p25,p26 identity=MikroTik static-ip-address=PUBLIC_IPV4
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 13219
Joined: Thu Mar 03, 2016 10:23 pm

Re: Masquarading traffic from VLAN  [SOLVED]

Wed Nov 02, 2022 5:16 pm

A couple of things. Most importantly: your device is wildly exposed to hacking attempts from WAN (which seems to be ether2 right now). You better introduce some solid firewall rules at least for chain=input ASAP.

Other than that:

/ip address
add address=PUBLIC_IPV4/24 comment=defconf interface=ether2bridge network=NETWORK
If physical interface is bridge port, then further config has to be done on bridge interface

/ip firewall nat
add action=masqueradesrc-nat chain=srcnat src-address=192.168.100.0/24 to-addresses=PUBLIC_IPV4
Masquerade action doesn't use to-addresses property. It rather uses egress interface IP address as new src-address. Previously IP address was bound to ether2 while actual WAN interface is bridge interface. You can use action=src-nat instead, together with to-addresses property. You might want to use additional selection criteria for SRC-NAT, such as out-interface=bridge (when you start using VLAN200 and if you don't want traffic between both VLANs to be NATed).

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=GWx.y.z.w
In case where WAN interface is a point-to-multipoint type of interfaces (e.g. ethernet interface) it's more correct to set next hop's IP address as gateway. The way you have it right now works probably because ISP router has proxy ARP enabled, but that0s not always the case.
Top
 
forestarean
just joined
Topic Author
Posts: 4
Joined: Sat Feb 12, 2022 10:08 pm

Re: Masquarading traffic from VLAN

Fri Nov 04, 2022 12:13 pm

Many thanks, @mkx! Changing the source NAT rule the way you suggested resolved the issue. Besides that, thank you for the suggestion regarding the overall security. This is not a problem, I just copied the relevant config, without these security measures.
Top
Post Reply
  4. RouterOS
  5. General