 
NebularWinter
just joined
Topic Author
Posts: 17
Joined: Mon Oct 24, 2022 8:55 pm

Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Thu Jul 06, 2023 11:28 am

Hi all, I was wondering if someone could help me out a bit here.

This is on a freshly netinstalled RoS v7.10.1 on HAP AC2 running 3 VLANs (10,20,3999 [=used for IPTV]) with HW offloading, which are all on one bridge interface (master-bridge).

I just can't seem to get the dst-nat rules to work and I cannot figure out why.

I've already tried changing the in-interface to Eth1 - PPPoE-WAN, which wasn't possible (in-out interface matcher not possible when interface is slave, user master instead), as well as changing it to "master-bridge", which didn't do anything (no packets pass through).

For what it's worth, the services that I'm trying to dst-nat are all on Eth4 behind a simple unmanaged switch (cheap tp-link). I have no issues pinging around between the various devices / router.

Thankful for any help.
/interface bridge
add igmp-snooping=yes multicast-router=permanent name=bridge-master vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] name="Eth1 - PPPoE-WAN"
set [ find default-name=ether2 ] name="Eth2 - LAN"
set [ find default-name=ether3 ] name="Eth3 - IPTV"
set [ find default-name=ether4 ] name="Eth4 - LAN"
set [ find default-name=ether5 ] name="Eth5 - LAN"

/interface vlan
add interface=bridge-master name=Vlan10-LAN vlan-id=10
add interface=bridge-master name=Vlan20-PPPoE vlan-id=20

/interface pppoe-client
add add-default-route=yes disabled=no interface=Vlan20-PPPoE name=PPPoE-Client use-peer-dns=yes

/ip pool
add name=LAN-Vlan10-pool ranges=192.168.88.10-192.168.88.254

/ip dhcp-server
add address-pool=LAN-Vlan10-pool interface=Vlan10-LAN lease-time=1w name=DHCP-LAN-Vlan10

/interface bridge port
add bridge=bridge-master interface="Eth1 - PPPoE-WAN" pvid=20
add bridge=bridge-master interface="Eth2 - LAN" pvid=10
add bridge=bridge-master interface="Eth3 - IPTV" pvid=10
add bridge=bridge-master interface="Eth4 - LAN" pvid=10
add bridge=bridge-master interface="Eth5 - LAN" pvid=10

/interface bridge vlan
add bridge=bridge-master vlan-ids=10 tagged=bridge-master comment="LAN"
add bridge=bridge-master vlan-ids=20 tagged=bridge-master comment="PPPoE - Native VLAN"
add bridge=bridge-master vlan-ids=3999 tagged="Eth1 - PPPoE-WAN,Eth3 - IPTV" comment="Tagged VLAN"

/ip address
add address=192.168.88.1/24 interface=Vlan10-LAN network=192.168.88.0

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

/ip firewall filter
add action=accept chain=forward comment="forward established, related" connection-state=established,related
add action=accept chain=forward comment="LAN forward all" src-address=192.168.88.0/24
add action=accept chain=forward comment="#D-NAT forward" connection-nat-state=dstnat
add action=drop chain=forward comment="DROP forward"
add action=accept chain=input comment="#INPUT established, related" connection-state=established,related
add action=accept chain=input comment="LAN input all" src-address=192.168.88.0/24
add action=drop chain=input comment="DROP input"

/ip firewall nat
add action=masquerade chain=srcnat out-interface=PPPoE-Client
add action=dst-nat chain=dstnat comment="WireGuard" dst-port=51820 in-interface=all-ethernet protocol=udp to-addresses=192.168.88.22 to-ports=51820
add action=dst-nat chain=dstnat comment="Website1" dst-port=80 in-interface=all-ethernet protocol=tcp to-addresses=192.168.88.33 to-ports=80
add action=dst-nat chain=dstnat comment="Website1" dst-port=443 in-interface=all-ethernet protocol=udp to-addresses=192.168.88.33 to-ports=443
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Thu Jul 06, 2023 4:07 pm

(1) The definition of vlan20 is wrong. Vlan 20 has nothing to do with the bridge or LAN; it should be....

add interface=ether1 name=Vlan20-PPPoE vlan-id=20

(2) I don't see vlan 3999 defined?? No address, no nothing????

(3) Remove ether1 from the /interface bridge port settings................

(4) Remove the second line in the /interface bridge vlan ... concerning vlan20

(5) The firewall rules are basically there but too minimal. You should not remove most of the defaults, and why remove fasttrack, which improves router performance??

/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input src-address=192.168.88.0/24
add action=drop chain=input comment="drop all else"
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" src-address=192.168.88.0/24 out-interface=PPPoE-Client
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

(6) Why do you mention wireguard in the first line of the port forwarding rules when there is no wireguard config?
Further one does not normally use port forwarding for wireguard.
Thus you are probably attempting to do something that is both incomplete and fundamentally wrong.

(7) The other dst-nat rules should be in the following format, for external users hitting your router................
add action=dst-nat chain=dstnat comment="Website1" dst-port=80 in-interface=PPPoE-Client protocol=tcp to-addresses=192.168.88.33 to-ports=80
add action=dst-nat chain=dstnat comment="Website1" dst-port=443 in-interface=PPPoE-Client protocol=udp to-addresses=192.168.88.33 to-ports=443

However, it seems like it's not stated clearly whether you have internal users also needing access to the servers?
If so, then you have a hairpin nat scenario which requires more work.
viewtopic.php?t=179343


As for your use of in-interface=all-ethernet. Never seen that used; you may have felt like it was the only option, but what you are missing from the config, which makes config easier, is
/interface list
add name=WAN
add name=LAN
/interface list members
add interface=PPPoE-Client list=WAN
add interface=bridge-master list=LAN

Not absolutely necessary, but it does make life easier as it simplifies firewall rule making, and the config throughout makes use of interface list entries.
 
NebularWinter
just joined
Topic Author
Posts: 17
Joined: Mon Oct 24, 2022 8:55 pm

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Thu Jul 06, 2023 6:02 pm

Thanks anav for your reply, appreciate it!

To answer your questions:
(1), (3), (4) - I lose PPPoE connectivity by doing these steps - the PPPoE session drops as soon as I make the change under (1). I have therefore reverted this to my current config until we figure out a better way (see next point)?

(2) See my settings for /interface bridge vlan - would that not address 3999? Essentially, what I'm trying to do is tag vlan id 3999 to Eth 3 as that's where the IPTV box is connected. Is there a better way of achieving this? I don't necessarily need vlan ids 10 and 20....

(5), (7) I've disabled all my firewall rules and imported yours in that same order, which I will keep (I've also added the lists (which are from defconf as well) for ease of management in the future). I will want hairpin eventually indeed; however, my primary concern is access from outside for now and I can leave this for later.

(6) Apologies, should have mentioned, I'm running WireGuard on a separate linux machine as I'm more familiar with linux for troubleshooting. Therefore I think I do need port forwarding to that linux machine to get it working, no? Clients get IPs in the 10.6.0.0 range there (so, different from the LAN DHCP range).

------------

Progress: By changing the firewall rules, I now see a single (!) packet come through each time I connect to WireGuard / visit my website. So this is better than before, however, there must be something still misconfigured / missing in the chains.

PS: By disabling these two, I can actually get a WireGuard connection running (and access internal machines/services), however, this is at glacial speed (<100kbps):
add action=accept chain=input comment="LAN input all" src-address=192.168.88.0/24
add action=drop chain=input comment="DROP input"
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Thu Jul 06, 2023 6:17 pm

Post your latest config so that I can see what I am dealing with please. :-)
I smell progress!

Where is vlan 3399 coming from, is it part of the pppoe traffic or something separate???
Is the wireguard to be able to access lan devices remotely (for users) or for the admin to access router for config purpose and perhaps to access lan devices ?
 
NebularWinter
just joined
Topic Author
Posts: 17
Joined: Mon Oct 24, 2022 8:55 pm

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Thu Jul 06, 2023 6:44 pm

Thanks!
Where is vlan 3399 coming from, is it part of the pppoe traffic or something separate???

Not sure I understand this question - my ISP requires vlan tag of 3999 on the Eth port that is connected to the IPTV box (in my case ETH3) in order to get IPTV signal if that helps? I'm happy to try a different/simpler set up to achieve this. I don’t mind getting rid of vlans 10 and 20 if that makes the config simpler.
Is the wireguard to be able to access lan devices remotely (for users) or for the admin to access router for config purpose and perhaps to access lan devices?
It's for users to access lan devices. As mentioned, I can see a single packet upon connection only on the below config (but nothing further), however, if I drop the last two input rules, I can get a very slow connection to work and connect to internal services.

The only changes I made were from under your points (5) and (7), so:
/interface bridge
add igmp-snooping=yes multicast-router=permanent name=bridge-master vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] name="Eth1 - PPPoE-WAN"
set [ find default-name=ether2 ] name="Eth2 - LAN"
set [ find default-name=ether3 ] name="Eth3 - IPTV"
set [ find default-name=ether4 ] name="Eth4 - LAN"
set [ find default-name=ether5 ] name="Eth5 - LAN"

/interface vlan
add interface=bridge-master name=Vlan10-LAN vlan-id=10
add interface=bridge-master name=Vlan20-PPPoE vlan-id=20

/interface pppoe-client
add add-default-route=yes disabled=no interface=Vlan20-PPPoE name=PPPoE-Client use-peer-dns=yes

/ip pool
add name=LAN-Vlan10-pool ranges=192.168.88.10-192.168.88.254

/ip dhcp-server
add address-pool=LAN-Vlan10-pool interface=Vlan10-LAN lease-time=1w name=DHCP-LAN-Vlan10

/interface bridge port
add bridge=bridge-master interface="Eth1 - PPPoE-WAN" pvid=20
add bridge=bridge-master interface="Eth2 - LAN" pvid=10
add bridge=bridge-master interface="Eth3 - IPTV" pvid=10
add bridge=bridge-master interface="Eth4 - LAN" pvid=10
add bridge=bridge-master interface="Eth5 - LAN" pvid=10

/interface bridge vlan
add bridge=bridge-master vlan-ids=10 tagged=bridge-master comment="LAN"
add bridge=bridge-master vlan-ids=20 tagged=bridge-master comment="PPPoE - Native VLAN"
add bridge=bridge-master vlan-ids=3999 tagged="Eth1 - PPPoE-WAN,Eth3 - IPTV" comment="Tagged VLAN"

/ip address
add address=192.168.88.1/24 interface=Vlan10-LAN network=192.168.88.0

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input src-address=192.168.88.0/24
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" src-address=192.168.88.0/24 out-interface=PPPoE-Client
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat out-interface=PPPoE-Client
add action=dst-nat chain=dstnat comment="Website1" dst-port=80 in-interface=PPPoE-Client protocol=tcp to-addresses=192.168.88.33 to-ports=80
add action=dst-nat chain=dstnat comment="Website1" dst-port=443 in-interface=PPPoE-Client protocol=udp to-addresses=192.168.88.33 to-ports=443
add action=dst-nat chain=dstnat comment="WireGuard" dst-port=51823 in-interface=PPPoE-Client protocol=tcp to-addresses=192.168.88.33 to-ports=51823
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Thu Jul 06, 2023 7:42 pm

You need to complete the changes I noted for pppoe to work properly.
Namely, get rid of any bridge config noting vlan20 and pppoe. It will work!!
Wireguard is a udp protocol.

For IPTV we need to carry the tagged frames from ether1 to ether3 for iptv.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

/interface vlan
add interface=bridge-master name=Vlan10-LAN vlan-id=10
add interface=ether1 name=Vlan20-PPPoE vlan-id=20

/interface pppoe-client
add add-default-route=yes disabled=no interface=Vlan20-PPPoE name=PPPoE-Client use-peer-dns=yes

/ip pool
add name=LAN-Vlan10-pool ranges=192.168.88.10-192.168.88.254

/ip dhcp-server
add address-pool=LAN-Vlan10-pool interface=Vlan10-LAN lease-time=1w name=DHCP-LAN-Vlan10

/interface bridge port
add bridge=bridge-master interface="Eth1 - PPPoE-WAN"
add bridge=bridge-master interface="Eth2 - LAN" pvid=10
add bridge=bridge-master interface="Eth3 - IPTV"
add bridge=bridge-master interface="Eth4 - LAN" pvid=10
add bridge=bridge-master interface="Eth5 - LAN" pvid=10

/interface bridge vlan
add bridge=bridge-master vlan-ids=10 tagged=bridge-master untagged="Eth2 - LAN,Eth4 - LAN,Eth5 - LAN" comment="LAN"
add bridge=bridge-master vlan-ids=3999 tagged="Eth1 - PPPoE-WAN,Eth3 - IPTV"

/ip address
add address=192.168.88.1/24 interface=Vlan10-LAN network=192.168.88.0

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input src-address=192.168.88.0/24
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" src-address=192.168.88.0/24 out-interface=PPPoE-Client
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat out-interface=PPPoE-Client
add action=dst-nat chain=dstnat comment="Website1" dst-port=80 in-interface=PPPoE-Client protocol=tcp to-addresses=192.168.88.33 to-ports=80
add action=dst-nat chain=dstnat comment="Website1" dst-port=443 in-interface=PPPoE-Client protocol=udp to-addresses=192.168.88.33 to-ports=443
add action=dst-nat chain=dstnat comment="WireGuard" dst-port=51823 in-interface=PPPoE-Client protocol=udp to-addresses=192.168.88.33 to-ports=51823
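As an added check (not code from anav, the original poster or MikroTik) tying together the in-interface=all-ethernet point from the first reply and the WireGuard-is-UDP point above, this Python lint parses an exported rule set and flags dst-nat rules not bound to the WAN interface, a WireGuard forward on TCP, and a forward chain that drops before accepting connection-nat-state=dstnat. The WAN interface name PPPoE-Client is taken from the thread; the sample export is constructed from rules quoted in it.

```python
"""Lint a RouterOS firewall export for the dst-nat pitfalls raised in this thread.

Parses '/ip firewall filter' and '/ip firewall nat' lines as exported by
RouterOS and reports:
  * dst-nat rules whose in-interface is missing or is not the WAN interface
    (the thread's in-interface=all-ethernet problem);
  * a rule labelled WireGuard that forwards TCP (WireGuard is UDP only);
  * a forward chain whose catch-all drop comes before any accept for
    connection-nat-state=dstnat, which silently kills every port forward.
"""
import shlex

# Assumption: the WAN-facing interface is the PPPoE client named in the thread.
WAN_INTERFACES = {"PPPoE-Client"}

# Keys that do not match traffic; a drop rule with no other keys is a catch-all.
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled"}

# Constructed sample combining rules quoted in the thread: the WireGuard
# forward on TCP, the all-ethernet Website1 rule, and a forward chain whose
# dstnat accept was placed after the catch-all drop.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=forward comment="forward established, related" connection-state=established,related
add action=accept chain=forward comment="LAN forward all" src-address=192.168.88.0/24
add action=drop chain=forward comment="DROP forward"
add action=accept chain=forward comment="#D-NAT forward" connection-nat-state=dstnat
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PPPoE-Client
add action=dst-nat chain=dstnat comment="WireGuard" dst-port=51823 in-interface=PPPoE-Client protocol=tcp to-addresses=192.168.88.33 to-ports=51823
add action=dst-nat chain=dstnat comment="Website1" dst-port=80 in-interface=all-ethernet protocol=tcp to-addresses=192.168.88.33 to-ports=80
"""


def parse_export(text):
    """Return a list of (section, {key: value}) for every 'add ...' line."""
    rules, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            # shlex keeps quoted values such as comment="LAN forward all" intact
            kv = dict(tok.partition("=")[::2] for tok in shlex.split(line[4:]))
            rules.append((section, kv))
    return rules


def is_catch_all_drop(kv):
    """True for a drop rule with no traffic matchers at all."""
    return kv.get("action") == "drop" and not (set(kv) - NON_MATCHERS)


def lint(rules, wan_interfaces=WAN_INTERFACES):
    """Return a list of human-readable findings; empty means no issue found."""
    findings = []
    nat = [kv for sec, kv in rules if sec == "/ip firewall nat"]
    fwd = [kv for sec, kv in rules
           if sec == "/ip firewall filter" and kv.get("chain") == "forward"]

    dst_nat_rules = [kv for kv in nat if kv.get("action") == "dst-nat"]
    for kv in dst_nat_rules:
        label = kv.get("comment") or f"dst-port={kv.get('dst-port')}"
        iface = kv.get("in-interface")
        if iface not in wan_interfaces:
            findings.append(
                f"{label}: in-interface={iface}; bind the rule to the WAN interface "
                f"({', '.join(sorted(wan_interfaces))}), not a port or wildcard")
        if "wireguard" in label.lower() and kv.get("protocol") != "udp":
            findings.append(
                f"{label}: WireGuard is UDP only, but the rule uses protocol={kv.get('protocol')}")

    # Everything after the first catch-all drop is unreachable.
    drop_at = next((i for i, kv in enumerate(fwd) if is_catch_all_drop(kv)), len(fwd))
    accepts_dstnat = any(kv.get("action") == "accept" and kv.get("connection-nat-state") == "dstnat"
                         for kv in fwd[:drop_at])
    if dst_nat_rules and not accepts_dstnat:
        findings.append("forward chain: no 'accept connection-nat-state=dstnat' before the "
                        "catch-all drop, so forwarded connections are dropped")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_export(SAMPLE_EXPORT)):
        print("-", finding)
```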
 
NebularWinter
just joined
Topic Author
Posts: 17
Joined: Mon Oct 24, 2022 8:55 pm

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Fri Jul 07, 2023 12:43 am

Thanks, I will try this in the morning.

2 questions:
Under /interface vlan, may I just ask what is the point of tagging interface=ether1 with vlan-id=20 if we then never use this id anywhere?
In addition, if I don't use vlan-id=10 anywhere in my home network, can that be removed as well to simplify the overall setup?
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Fri Jul 07, 2023 4:09 am

Say what?
Nowhere in the previous post do I tag a port with vlan20??
We assign vlan20 to the interface ether1, and then we assign the pppoe interface in pppoe setup to the vlan..........
in this way the pppoe connection works!

Yes, if you don't want to use a vlan for the vlan10 subnet then simply do the following.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

/interface bridge
add name=IPTV-Bridge vlan-filtering=yes
add name=bridge-master vlan-filtering=no

/interface vlan
add interface=ether1 name=Vlan20-PPPoE vlan-id=20

/interface pppoe-client
add add-default-route=yes disabled=no interface=Vlan20-PPPoE name=PPPoE-Client use-peer-dns=yes

/ip pool
add name=LAN-Vlan10-pool ranges=192.168.88.10-192.168.88.254

/ip dhcp-server
add address-pool=LAN-Vlan10-pool interface=bridge-master lease-time=1w name=DHCP-LAN-Vlan10

/interface bridge port
add bridge=bridge-master interface="Eth2 - LAN"
add bridge=bridge-master interface="Eth4 - LAN"
add bridge=bridge-master interface="Eth5 - LAN"
add bridge=IPTV-Bridge interface="Eth1 - PPPoE-WAN"
add bridge=IPTV-Bridge interface="Eth3 - IPTV"

/interface bridge vlan
add bridge=IPTV-Bridge vlan-ids=3999 tagged="Eth1 - PPPoE-WAN,Eth3 - IPTV"

/ip address
add address=192.168.88.1/24 interface=bridge-master network=192.168.88.0

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface=bridge-master
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface=bridge-master out-interface=PPPoE-Client
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat out-interface=PPPoE-Client
add action=dst-nat chain=dstnat comment="Website1" dst-port=80 in-interface=PPPoE-Client protocol=tcp to-addresses=192.168.88.33 to-ports=80
add action=dst-nat chain=dstnat comment="Website1" dst-port=443 in-interface=PPPoE-Client protocol=udp to-addresses=192.168.88.33 to-ports=443
add action=dst-nat chain=dstnat comment="WireGuard" dst-port=51823 in-interface=PPPoE-Client protocol=udp to-addresses=192.168.88.33 to-ports=51823
 
NebularWinter
just joined
Topic Author
Posts: 17
Joined: Mon Oct 24, 2022 8:55 pm

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Fri Jul 07, 2023 12:57 pm

Thanks Anav. I tried both these options and in both cases PPPoE doesn't connect. See below for the config without vlan10. Once I reverted to my initial config, PPPoE came straight back up. Not sure why PPPoE isn't connecting - any ideas? I tried putting PPPoE Client directly on port ether1, however, that didn't work either (some message about it being a slave interface).

/interface bridge
add igmp-snooping=yes multicast-router=permanent name=bridge-master
add ingress-filtering=no name=bridge-tv vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] name="Eth1 - PPPoE-WAN"
set [ find default-name=ether2 ] name="Eth2 - LAN"
set [ find default-name=ether3 ] name="Eth3 - TV"
set [ find default-name=ether4 ] name="Eth4 - LAN"
set [ find default-name=ether5 ] name="Eth5 - LAN"

/interface vlan
add interface=bridge-master name=Vlan20-PPPoE vlan-id=20

/interface pppoe-client
add add-default-route=yes disabled=no interface=Vlan20-PPPoE name=PPPoE-Client use-peer-dns=yes

/interface list
add name=WAN
add name=LAN

/ip pool
add name=LAN-pool ranges=192.168.88.10-192.168.88.254

/ip dhcp-server
add address-pool=LAN-pool interface=bridge-master lease-time=1w name=DHCP-LAN-Vlan10

/interface bridge port
add bridge=bridge-master interface="Eth2 - LAN"
add bridge=bridge-tv interface="Eth3 - TV"
add bridge=bridge-master interface="Eth4 - LAN"
add bridge=bridge-master interface="Eth5 - LAN"
add bridge=bridge-tv interface="Eth1 - PPPoE-WAN"

/interface bridge vlan
add bridge=bridge-tv tagged="Eth1 - PPPoE-WAN,Eth3 - TV" vlan-ids=3999

/interface list member
add interface="Eth1 - PPPoE-WAN" list=WAN
add interface=bridge-master list=LAN

/ip address
add address=192.168.88.1/24 interface=bridge-master network=192.168.88.0

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface=bridge-master
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" out-interface=PPPoE-Client src-address=192.168.88.0/24
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat out-interface=PPPoE-Client
add action=dst-nat chain=dstnat comment=WireGuard dst-port=51823 in-interface=PPPoE-Client protocol=udp to-addresses=192.168.88.33 to-ports=51823
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Fri Jul 07, 2023 1:15 pm

The error I see in your config is this
/interface vlan
add interface=bridge-master name=Vlan20-PPPoE vlan-id=20


The pppoe connection has nothing to do with the bridge.
You need to assign the vlan to ether1, the port connected to the ISP.
 
NebularWinter
just joined
Topic Author
Posts: 17
Joined: Mon Oct 24, 2022 8:55 pm

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Fri Jul 07, 2023 1:30 pm

The error I see in your config is this
/interface vlan
add interface=bridge-master name=Vlan20-PPPoE vlan-id=20


The pppoe connection has nothing to do with the bridge.
You need to assign the vlan to ether1, the port connected to the ISP.

Thanks, however, this didn't work either:

/interface vlan
add interface="Eth1 - PPPoE-WAN" name=Vlan20-PPPoE vlan-id=20

PPPoE drops as soon as I make this change. In fact, I cannot get the PPPoE session to connect with either of the two full configs you posted and this is true with whatever I set the Vlan20-PPPoE interface to (I played with various options to try and get it to connect).

Is there a way to tag the PPPoE Client directly on ether1 perhaps? What other options do I have to establish PPPoE connections (besides the one from my initial config, which works fine, but is 'wrong')?
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Fri Jul 07, 2023 3:52 pm

My apologies, as I may have led you astray.
My approach is correct, but if one assigns the etherport to a bridge, any vlan that hits the etherport must be identified to that bridge.
Since normally one doesn't have IPTV on the same port, I got confused on how to handle it.
The neat/clear approach is below where we assign a bridge just for the WAN side traffic and the only difference from before is that
instead of setting the vlan to ether1, we set vlan20 to bridge-tv in /interface vlan!
Again, sorry for the mistake.

Therefore this should fix my errors.

/interface bridge
add igmp-snooping=yes multicast-router=permanent name=bridge-master
add ingress-filtering=no name=bridge-tv vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] name="Eth1 - PPPoE-WAN"
set [ find default-name=ether2 ] name="Eth2 - LAN"
set [ find default-name=ether3 ] name="Eth3 - TV"
set [ find default-name=ether4 ] name="Eth4 - LAN"
set [ find default-name=ether5 ] name="Eth5 - LAN"

/interface vlan
add interface=bridge-tv name=Vlan20-PPPoE vlan-id=20

/interface bridge port
add bridge=bridge-tv interface="Eth1 - PPPoE-WAN"
add bridge=bridge-tv interface="Eth3 - TV"
add bridge=bridge-master interface="Eth2 - LAN"
add bridge=bridge-master interface="Eth4 - LAN"
add bridge=bridge-master interface="Eth5 - LAN"

/interface bridge vlan
add bridge=bridge-tv tagged="Eth1 - PPPoE-WAN,Eth3 - TV" vlan-ids=3999
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Fri Jul 07, 2023 4:15 pm

One question, why set igmp-snooping and multicast=permanent on the LAN bridge ??
 
NebularWinter
just joined
Topic Author
Posts: 17
Joined: Mon Oct 24, 2022 8:55 pm

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Fri Jul 07, 2023 6:21 pm

One question, why set igmp-snooping and multicast=permanent on the LAN bridge ??
This was there on my original master-bridge set up where LAN and IPTV vlans were part of the same bridge so I think I kept it as a result - probably not needed on the LAN-only bridge. In any case, it doesn't seem to make a difference in my case.

Do you mind posting full config as suggested now? I think the below may be an excerpt.

Separately, just as a test to see what difference it would make, I reset the router to factory defconf (so, vanilla simple bridge, no vlans), put the pppoe client directly on ether1 and added the pppoe client to WAN list. This got the internet up and running across the network (though not IPTV, obviously). I kept the defconf firewall rules, but added the two penultimate forward rules you suggested. I then re-tried dst-nat for WireGuard, connected from my iPhone over 4G and got.....exactly the same result as yesterday: access to LAN at a glacial speed of c.100kbps and single packet coming through at each connection try. So I think this shows that my issue is not in the vlan config, but somewhere else, right?

Any ideas on what could be throttling down dst-nat?

As background:
- PPPoE speed is 1gbps down / 100mbps up (though down speed is typically slower, I always see full 100mbps up from any machine on LAN including the machine that WireGuard is on)
- I'm doing WireGuard tests from an iPhone on 4G connection. This connection is c.80-100mbps at my location
- I see no real CPU utilisation on Hap AC2 when connected over WireGuard - it's in single digit %
- Before I added this Hap AC2, I used the ISP supplied modem as a modem, router and switch. I would get full download speeds of 100mbps when connected to LAN through this same WireGuard machine. The ISP's device has now been put into 'bridge' mode - therefore there is no DHCP or PPPoE connection on it anymore and it should be 'passthrough' as such. I do need to keep it as this takes in the FTTH connection from the ISP.
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Fri Jul 07, 2023 11:40 pm

Well configure the router as per my latest suggestion but move the multicast and snooping to the IPTV bridge not the LAN bridge.
Then ensure you have added all your wireguard settings.

Then post the config and I will have a look........
 
NebularWinter
just joined
Topic Author
Posts: 17
Joined: Mon Oct 24, 2022 8:55 pm

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Sat Jul 08, 2023 12:44 pm

Strangest thing - so whilst still on my initial config, but with your firewall and dst-nat rules from your first response, I decided to try a different wireguard client (a wired windows pc in another location) to see if this glacial wireguard speed is there as well....and, well, it's not. I get full 100mbps download speed, which is as expected as it matches 100mbps upload speed on this hap ac2. Happy days!

I also set up Hairpin NAT and re-did the dst-nat rules to be "proper" for access to my website per the link you posted - the following works great:
/ip firewall nat
add chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.88.0/24 action=masquerade
add chain=dstnat dst-address-type=local dst-address=!192.168.88.1 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.33
add chain=dstnat dst-address-type=local dst-address=!192.168.88.1 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.33

So the slow speed dst-nat must have something to do with the 4G connection on my iPhone I think, and not with this hap ac2 config, although I can't seem to figure out why. Also, two different other iPhones on a different wireless carrier connect with full speed as well, so the issue must be isolated to my iPhone. The odd thing is that whilst my iPhone connects slowly to this wireguard instance, it works full speed when connected to a different wireguard in another location. So odd! I'll give it some time, maybe try connecting from an external wifi to see if the speed is any different there.

Anyway, I think this thread can be deemed over now with regard to the original issue I had - thanks for your advice on firewall filter and NAT rules as that did the trick :).

I do wonder though, as I'm back on my initial vlan/bridge setup now, about my definition of vlan20, which you mentioned was wrong. Do I bother trying to 'fix' that even though everything (pppoe internet connection, routing, IPTV, port forwarding/NAT) now works fine for me as it is? Is there a particular downside to my config?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Sat Jul 08, 2023 4:04 pm

Again for me to comment and happy to do so, would need to see your latest config, so I am working from truth and not memory etc...
 
NebularWinter
just joined
Topic Author
Posts: 17
Joined: Mon Oct 24, 2022 8:55 pm

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Sat Jul 08, 2023 4:56 pm

Again for me to comment and happy to do so, would need to see your latest config, so I am working from truth and not memory etc...

Sure, this is my current config. As mentioned, this works exactly as expected:

/interface bridge
add igmp-snooping=yes multicast-router=permanent name=bridge-master vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] name="Eth1 - WAN-PPPoE"
set [ find default-name=ether2 ] name="Eth2 - LAN"
set [ find default-name=ether3 ] name="Eth3 - TV"
set [ find default-name=ether4 ] name="Eth4 - LAN"
set [ find default-name=ether5 ] name="Eth5 - LAN"

/interface vlan
add interface=bridge-master name=Vlan10-LAN vlan-id=10
add interface=bridge-master name=Vlan20-PPPoE vlan-id=20

/interface pppoe-client
add add-default-route=yes disabled=no interface=Vlan20-PPPoE name=PPPoE-Client use-peer-dns=yes user=USER

/interface list
add name=WAN
add name=LAN

/ip pool
add name=LAN-Vlan10-pool ranges=192.168.88.10-192.168.88.254

/ip dhcp-server
add address-pool=LAN-Vlan10-pool interface=Vlan10-LAN lease-time=1w name=DHCP-LAN-Vlan10

/interface bridge port
add bridge=bridge-master interface="Eth1 - WAN-PPPoE" pvid=20
add bridge=bridge-master interface="Eth2 - LAN" pvid=10
add bridge=bridge-master interface="Eth3 - TV" pvid=10
add bridge=bridge-master interface="Eth4 - LAN" pvid=10
add bridge=bridge-master interface="Eth5 - LAN" pvid=10

/interface bridge vlan
add bridge=bridge-master tagged=bridge-master vlan-ids=10
add bridge=bridge-master tagged=bridge-master vlan-ids=20
add bridge=bridge-master tagged="Eth1 - WAN-PPPoE,Eth3 - TV" vlan-ids=3999

/interface list member
add interface="Eth1 - WAN-PPPoE" list=WAN
add interface=bridge-master list=LAN

/ip address
add address=192.168.88.1/24 interface=Vlan10-LAN network=192.168.88.0

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="LAN input all" src-address=192.168.88.0/24
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="LAN forward all" src-address=192.168.88.0/24
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.88.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat out-interface=PPPoE-Client
add action=dst-nat chain=dstnat comment="WireGuard" dst-port=51820 in-interface=PPPoE-Client protocol=udp to-addresses=192.168.88.22 to-ports=51820
add action=dst-nat chain=dstnat comment="Website1" dst-address=!192.168.88.1 dst-address-type=local dst-port=443 protocol=tcp to-addresses=192.168.88.33 to-ports=443
add action=dst-nat chain=dstnat comment="Website1" dst-address=!192.168.88.1 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.88.33 to-ports=80
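To see why the `dst-address-type=local dst-address=!192.168.88.1` matcher and the hairpin masquerade rule behave the way they do, here is an added example (not from this thread or from RouterOS) that models the posted dstnat, forward-filter and srcnat rules on a few constructed packets. The PPPoE public address 203.0.113.10 and the outside client 198.51.100.7 are assumed placeholder values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.88.0/24")
LAN_GW = ip_address("192.168.88.1")
PPPOE_IP = ip_address("203.0.113.10")   # assumed public address on PPPoE-Client (constructed)
ROUTER_LOCAL = {LAN_GW, PPPOE_IP}        # the set that dst-address-type=local matches

@dataclass
class Pkt:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str

def dstnat(p: Pkt):
    """First matching rule of the posted dstnat chain, or None if nothing matches."""
    dst = ip_address(p.dst)
    if p.in_iface == "PPPoE-Client" and p.proto == "udp" and p.dport == 51820:
        return ("192.168.88.22", 51820)                     # "WireGuard" rule
    if p.proto == "tcp" and p.dport in (80, 443) and dst in ROUTER_LOCAL and dst != LAN_GW:
        return ("192.168.88.33", p.dport)                   # "Website1" rules (80 and 443)
    return None

def evaluate(p: Pkt) -> dict:
    """Walk a new connection through dstnat, the forward filter and srcnat in rule order."""
    nat = dstnat(p)
    new_dst = ip_address(nat[0]) if nat else ip_address(p.dst)
    src = ip_address(p.src)
    if new_dst in ROUTER_LOCAL:
        # Still addressed to the router itself (e.g. LAN -> 192.168.88.1:443 for WebFig):
        # handled by the input chain; srcnat is never consulted.
        return {"dstnat": nat, "chain": "input", "srcnat": None}
    # forward chain: LAN sources and dst-natted connections are accepted, the rest dropped
    if not (src in LAN or nat is not None):
        return {"dstnat": nat, "chain": "forward-drop", "srcnat": None}
    if src in LAN and new_dst in LAN:
        srcnat = "hairpin-masquerade"   # LAN client hitting its own public IP; reply must return via router
    elif new_dst not in LAN:
        srcnat = "masquerade"           # leaves via out-interface=PPPoE-Client
    else:
        srcnat = None                   # inbound port forward keeps the real client source
    return {"dstnat": nat, "chain": "forward-accept", "srcnat": srcnat}
```

The third case is the security-relevant one: without `dst-address=!192.168.88.1`, a LAN host browsing to the router's own HTTPS management address would be silently redirected to the web server at .33.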
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Sat Jul 08, 2023 6:58 pm

bridge ports and bridge vlan settings don't look right.......

a. Remove the pvid from eth1, as the pppoe will deal with the tagged frames so we are not untagging but ensuring tagged frames reach ether1 and bridge
b. Ensure ether3 has the right access port noted ( aka 3999 not 10 )
c. Optional - assign the necessary untagged ports for /interface bridge vlan (optional but I prefer to do so. makes it clear to match with bridge ports the intent of the admin)

/interface bridge port
add bridge=bridge-master interface="Eth1 - WAN-PPPoE" pvid=20 remove the pvid!
add bridge=bridge-master interface="Eth2 - LAN" pvid=10
add bridge=bridge-master interface="Eth3 - TV" pvid=10 Should be 3999
add bridge=bridge-master interface="Eth4 - LAN" pvid=10
add bridge=bridge-master interface="Eth5 - LAN" pvid=10

/interface bridge vlan
add bridge=bridge-master tagged=bridge-master untagged="Eth2 - LAN,Eth4 - LAN,Eth5 - LAN" vlan-ids=10
add bridge=bridge-master tagged="bridge-master,Eth1 - WAN-PPPoE" vlan-ids=20
add bridge=bridge-master tagged="Eth1 - WAN-PPPoE,Eth3 - TV" vlan-ids=3999

+++++++++++++++++++++++++++++++++++++++++++++++++++++++


See if that works for you!
Since there are no other settings shown ( aka wireguard ) cannot comment on those.
 
NebularWinter
just joined
Topic Author
Posts: 17
Joined: Mon Oct 24, 2022 8:55 pm

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Mon Jul 10, 2023 6:17 pm

Thanks for this review as well as for new config lines and explanations.

I was able to make changes under b. and c. Curiously enough, the IPTV, which requires VLAN3999, was running just fine on ETH3 before as well when pvid was set to 10.

Anyway, making changes under a. breaks my PPPoE connection. Therefore I cannot make the following changes in bold that you suggested:

/interface bridge port
add bridge=bridge-master interface="Eth1 - WAN-PPPoE" pvid=20 remove the pvid!

/interface bridge vlan
add bridge=bridge-master tagged="bridge-master,Eth1 - WAN-PPPoE" vlan-ids=20
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Mon Jul 10, 2023 7:21 pm

You misunderstood.
Only the orange pvid should be removed.
The /interface bridge vlan setting is good to go as is, needs not be touched.
/interface bridge vlan
add bridge=bridge-master tagged="bridge-master,Eth1 - WAN-PPPoE" vlan-ids=20
 
NebularWinter
just joined
Topic Author
Posts: 17
Joined: Mon Oct 24, 2022 8:55 pm

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Mon Jul 10, 2023 7:53 pm

The PPPoE connection drops as soon as I remove the orange pvid (i.e. change it to '1' using winbox - which I believe is the default here).
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Mon Jul 10, 2023 8:20 pm

That makes no sense.
The pppoe traffic is hitting ether1 tagged, FROM THE ISP, thus there is no untagging at all to be done.
 
NebularWinter
just joined
Topic Author
Posts: 17
Joined: Mon Oct 24, 2022 8:55 pm

Re: Struggling with DST-NAT on this network with a simple 1 bridge / 3 VLAN network

Wed Jul 12, 2023 6:31 pm

It's strange indeed. The only thing I can think of is that this may be a strange software bug in 7.10.1? I will give it a couple of months and then try again on a future version down the line. For now, I'll keep this as is as everything works as it should and it's stable.
