AndrewChedid
just joined
Topic Author
Posts: 18
Joined: Mon Sep 11, 2023 11:51 am

How do I set up NAT for multiple VLANs on different Subnets?

Mon Sep 18, 2023 10:53 am

I have a Mikrotik router with me. On ether1, I connected my ISP connection line. On ether2, I have my laptop plugged in. ether2 is on vlan40, with its own DHCP and everything. I configured ether1 as DHCP client and added NAT rules, but I still can't access the internet from both the router itself (tried pinging 8.8.8.8 from the winbox cli) and from my laptop through the router.

(The subnets you see in the firewall sections (10, 20 30 and 99) which don't exist on this router are actually on another router that I want to connect to this one)

Help please.
Below is my router config
# jan/02/1970 04:37:20 by RouterOS 6.47.1
# software id = WRR1-G24G
#
# model = 951Ui-2HnD
# serial number = <removed>
/interface bridge
add name=bridge2 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface vlan
add interface=bridge2 name=management_vlan2 vlan-id=100
add interface=bridge2 name=vlan40 vlan-id=40
/interface list
add name=vlan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool_vlan40 ranges=192.168.40.2-192.168.40.254
add name=pool_vlan100 ranges=192.168.100.2-192.168.100.254
add name=dhcp_pool2 ranges=192.168.40.2-192.168.40.254
add name=dhcp_pool3 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=vlan40 name=dhcp1
add address-pool=dhcp_pool3 disabled=no interface=management_vlan2 name=dhcp2
/interface bridge port
add bridge=bridge2 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=40
/interface bridge vlan
add bridge=bridge2 tagged=bridge2 untagged=ether2 vlan-ids=40
add bridge=bridge2 tagged=bridge2 vlan-ids=100
/interface list member
add interface=vlan40 list=vlan
add interface=management_vlan2 list=vlan
/ip address
add address=192.168.100.1/24 interface=management_vlan2 network=192.168.100.0
add address=192.168.40.1/24 interface=vlan40 network=192.168.40.0
add address=192.168.200.1/24 interface=ether5 network=192.168.200.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.100.0/24 gateway=192.168.100.1
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=\
    established,related
add action=accept chain=input comment="Allow VLANs to access router services" \
    in-interface-list=vlan
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Established and Related" \
    connection-state=established,related
add action=accept chain=forward comment="Allow VLANs to access each other" \
    connection-state=new in-interface-list=vlan out-interface-list=vlan
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.10.0/24
add action=masquerade chain=srcnat src-address=192.168.20.0/24
add action=masquerade chain=srcnat src-address=192.168.30.0/24
add action=masquerade chain=srcnat src-address=192.168.40.0/24
add action=masquerade chain=srcnat src-address=192.168.99.0/24
add action=masquerade chain=srcnat src-address=192.168.100.0/24
/ip route
add distance=1 dst-address=192.168.10.0/24 gateway=192.168.200.2
add distance=1 dst-address=192.168.20.0/24 gateway=192.168.200.2
add distance=1 dst-address=192.168.30.0/24 gateway=192.168.200.2
add distance=1 dst-address=192.168.99.0/24 gateway=192.168.200.2
add distance=1 dst-address=192.168.200.0/24 gateway=192.168.200.2
/system identity
set name=RouterSwitchAP2
Last edited by holvoetn on Mon Sep 18, 2023 1:26 pm, edited 1 time in total.
Reason: Removed serial
 
mkx
Forum Guru
Posts: 13288
Joined: Thu Mar 03, 2016 10:23 pm

Re: How do I set up NAT for multiple VLANs on different Subnets?

Mon Sep 18, 2023 12:30 pm

The firewall section is a complete mess.

One example:
/ip firewall filter
add action=accept chain=forward comment="Allow Established and Related" connection-state=established,related
add action=accept chain=forward comment="Allow VLANs to access each other" connection-state=new in-interface-list=vlan out-interface-list=vlan
add action=drop chain=forward comment=Drop
First line allows already ongoing connections in all directions. Second line allows new connections which originate in one of VLANs and terminate in one of VLANs. The third line drops all the rest.
Now the second line doesn't include traffic which should egress via ether1, so this line doesn't allow internet-bound connections (while the last line actively drops them).

All the src-nat rules are a mess ... why would you want to src-nat traffic between two VLANs? You want to src-nat traffic, bound towards internet ...

My recommendation: have a good look at the default config - you can get it by running /system/default-configuration/print (while your screen is as wide as it gets, long lines get truncated). Even if you're introducing VLANs (which are an L2 feature), the IP firewall is still more or less the same (an L3 feature) ... apart from the number of interfaces and interface list memberships. The default makes a very good base to play with.
 
AndrewChedid
just joined
Topic Author
Posts: 18
Joined: Mon Sep 11, 2023 11:51 am

Re: How do I set up NAT for multiple VLANs on different Subnets?

Mon Sep 18, 2023 12:47 pm

Okay, thank you for your response. I understand that default config is good starting ground but I didn't use it since this is a task and I'm expected to start a new config from scratch.
But I didn't understand what you said about my nat config
Thank you again
 
mkx
Forum Guru
Posts: 13288
Joined: Thu Mar 03, 2016 10:23 pm

Re: How do I set up NAT for multiple VLANs on different Subnets?

Mon Sep 18, 2023 2:48 pm

Even if you need to start from scratch, you can still use some high-quality working config as inspiration.

Regarding SRC-NAT ... take this example:
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.10.0/24
add action=masquerade chain=srcnat src-address=192.168.40.0/24
This rule instructs the firewall to do SRC NAT on any packet with a source address belonging to the 192.168.10.0/24 subnet ... passing out in any direction. Even towards 192.168.40.0/24. So the target host will see ingress packets as if originating from the router (masquerade automatically uses the most suitable IP address, in this case it'll be the router's own IP address in the target subnet, 192.168.40.1). But then you have the second src-nat rule which essentially means that anything originating from 192.168.40.0/24 should be masqueraded as well. Which opens the question of how exactly any traffic hitting the first rule should arrive at this router.

As I said: it's a mess. There's no logic in it ... or the network layout you're dealing with is plenty convoluted, but then you really should be well experienced in VLANs before tackling the task.

Or is this some kind of task in some course?
 
AndrewChedid
just joined
Topic Author
Posts: 18
Joined: Mon Sep 11, 2023 11:51 am

Re: How do I set up NAT for multiple VLANs on different Subnets?

Mon Sep 18, 2023 3:35 pm

I see. I clearly am not experienced in VLANs or NAT at all since I didn't know that, but essentially what I was trying to do was that any packet coming from any of these VLANs to the internet shall be masqueraded before failing miserably :D. I am an intern at a company and this task was given to me.
 
mkx
Forum Guru
Posts: 13288
Joined: Thu Mar 03, 2016 10:23 pm

Re: How do I set up NAT for multiple VLANs on different Subnets?  [SOLVED]

Mon Sep 18, 2023 4:02 pm

If you want to masquerade traffic, which goes out via specific interface, then configure it so. E.g.
/ip/firewall/nat
add action=masquerade chain=srcnat out-interface=ether1
The above construct also has its weak points, but let's leave these for a later time.

BTW, that's pretty much how it's done in default config. Please do have a look at it, we won't tell your supervisors :wink:
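To make the two points raised above concrete (the forward chain never accepting new internet-bound connections, and src-address based masquerade also rewriting traffic between the two VLANs), here is an added Python model of RouterOS first-match rule evaluation. It is example code written for this thread, not RouterOS code and not anyone's posted config; it assumes the interface-list names seen in the thread (vlan, LAN, WAN), the posted filter and srcnat rules, and two constructed packets whose addresses are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

# Interface lists assumed for the model: the posted config has a single list
# named "vlan"; the corrected form splits LAN and WAN like the default config.
INTERFACE_LISTS = {
    "vlan": {"vlan40", "management_vlan2"},
    "LAN": {"vlan40", "management_vlan2"},
    "WAN": {"ether1"},
}


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    out_iface: str
    state: str = "new"  # connection-state as connection tracking would classify it


@dataclass
class Rule:
    """Subset of RouterOS matchers used in the thread; None means 'matcher not set'."""
    action: str  # accept / drop / masquerade
    comment: str = ""
    src_address: Optional[str] = None
    connection_state: Optional[Set[str]] = None
    in_interface_list: Optional[str] = None
    out_interface_list: Optional[str] = None
    out_interface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src_address is not None and \
                ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_address):
            return False
        if self.connection_state is not None and pkt.state not in self.connection_state:
            return False
        if self.in_interface_list is not None and \
                pkt.in_iface not in INTERFACE_LISTS[self.in_interface_list]:
            return False
        if self.out_interface_list is not None and \
                pkt.out_iface not in INTERFACE_LISTS[self.out_interface_list]:
            return False
        if self.out_interface is not None and pkt.out_iface != self.out_interface:
            return False
        return True


def evaluate(chain, pkt: Packet, default: str):
    """Walk the chain top to bottom; the first matching rule decides."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return default, "(no rule matched)"


def forward_verdict(chain, pkt: Packet) -> str:
    # A filter chain with no matching rule accepts the packet.
    return evaluate(chain, pkt, "accept")[0]


def srcnat_verdict(chain, pkt: Packet) -> str:
    # A srcnat chain with no matching rule leaves the source address alone.
    return evaluate(chain, pkt, "no-nat")[0]


# Forward chain as posted by the topic author.
ORIGINAL_FORWARD = [
    Rule("accept", "Allow Established and Related", connection_state={"established", "related"}),
    Rule("accept", "Allow VLANs to access each other", connection_state={"new"},
         in_interface_list="vlan", out_interface_list="vlan"),
    Rule("drop", "Drop"),
]

# Same idea with the missing rule: new connections from LAN out to WAN are accepted.
FIXED_FORWARD = [
    Rule("accept", "established,related", connection_state={"established", "related"}),
    Rule("accept", "internet", in_interface_list="LAN", out_interface_list="WAN"),
    Rule("drop", "Drop all else"),
]

# Original srcnat: masquerade keyed on the source subnet, whatever the egress interface.
ORIGINAL_SRCNAT = [
    Rule("masquerade", "src 192.168.40.0/24", src_address="192.168.40.0/24"),
    Rule("masquerade", "src 192.168.100.0/24", src_address="192.168.100.0/24"),
]

# Corrected srcnat: masquerade only what leaves through the WAN port.
FIXED_SRCNAT = [Rule("masquerade", "WAN", out_interface="ether1")]

# Constructed sample packets (addresses made up for the example).
LAPTOP_TO_INTERNET = Packet("192.168.40.10", "8.8.8.8", "vlan40", "ether1")
VLAN40_TO_VLAN100 = Packet("192.168.40.10", "192.168.100.20", "vlan40", "management_vlan2")

if __name__ == "__main__":
    for label, pkt in (("vlan40 -> internet", LAPTOP_TO_INTERNET),
                       ("vlan40 -> vlan100", VLAN40_TO_VLAN100)):
        print(f"{label}: forward original={forward_verdict(ORIGINAL_FORWARD, pkt)} "
              f"fixed={forward_verdict(FIXED_FORWARD, pkt)}; "
              f"srcnat original={srcnat_verdict(ORIGINAL_SRCNAT, pkt)} "
              f"fixed={srcnat_verdict(FIXED_SRCNAT, pkt)}")
```

Running it shows the internet-bound packet falling through to the final drop in the original forward chain, and the inter-VLAN packet being masqueraded by the original srcnat rules but left alone by the out-interface form. The model only covers the matchers that appear in the thread; real RouterOS evaluates many more, and fasttrack changes which rules established traffic even reaches.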
 
AndrewChedid
just joined
Topic Author
Posts: 18
Joined: Mon Sep 11, 2023 11:51 am

Re: How do I set up NAT for multiple VLANs on different Subnets?

Mon Sep 18, 2023 4:22 pm

Hahaha, thank you so much. They might read this. Hi guys
 
anav
Forum Guru
Posts: 22387
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How do I set up NAT for multiple VLANs on different Subnets?

Mon Sep 18, 2023 4:30 pm

Yeah, config majorly hosed.
No point in vlans being able to access each other, otherwise just have one flat subnet and no vlans.
Added etherport 3 for vlan100 for some context as you had nothing assigned, another weirdness to this config.
Assuming ether5 is to configure the router or to access in an emerg if the bridge goes wonky.
..........
# jan/02/1970 04:37:20 by RouterOS 6.47.1
# software id = WRR1-G24G
#
# model = 951Ui-2HnD
# serial number = <removed>
/interface bridge
add name=bridge2 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface vlan
add interface=bridge2 name=management_vlan2 vlan-id=100
add interface=bridge2 name=vlan40 vlan-id=40
/interface list
add name=WAN
add name=LAN
add name=MANAGE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=192.168.40.2-192.168.40.254
add name=dhcp_pool3 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=vlan40 name=dhcp1
add address-pool=dhcp_pool3 disabled=no interface=management_vlan2 name=dhcp2
/interface bridge port
add bridge=bridge2 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=40
add bridge=bridge2  frame-types=admit-only-untagged-and-priority-tagged \
   ingress-filtering=yes interface=ether3 pvid=100
/interface bridge vlan
add bridge=bridge2 tagged=bridge2 untagged=ether2 vlan-ids=40
add bridge=bridge2 tagged=bridge2  untagged=ether3 vlan-ids=100
/interface list member
add interface=ether1 list=WAN
add interface=vlan40 list=LAN
add interface=management_vlan2 list=LAN
add interface=management_vlan2 list=MANAGE
add interface=ether5  list=MANAGE
/ip address
add address=192.168.100.1/24 interface=management_vlan2 network=192.168.100.0
add address=192.168.40.1/24 interface=vlan40 network=192.168.40.0
add address=192.168.200.1/24 interface=ether5 network=192.168.200.0
/ip dhcp-client
add disabled=no interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/ip dhcp-server network
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1
/ip firewall address-list { from static dhcp leases }
add address=admin-IP1 list=Authorized comment="admin desktop"
add address=admin-IP2 list=Authorized comment="admin laptop"
add address=admin-IP3 list=Authorized comment="admin smartphone/ipad"
add address=192.168.200.X  list=Authorized comment="admin from ether5"
/ip firewall filter
add action=accept chain=input comment="Allow Estab Related & Untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access"  src-address-list=Authorized
add action=accept chain=input comment="Allow VLANs to access router services" \
    in-interface-list=LAN dst-port=53  protocol=udp
add action=accept chain=input comment="Allow VLANs to access router services" \
    in-interface-list=LAN dst-port=53  protocol=tcp
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet"  in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin to access all vlans"   \
    src-address-list=Authorized  out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat  { disable or delete if not needed }
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add dst-address=0.0.0.0/0 gateway=ISPgateway-IP  routing-table=main {  required if you did NOT select default route in IP DHCP client settings }
/system identity
set name=RouterSwitchAP2
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
 
AndrewChedid
just joined
Topic Author
Posts: 18
Joined: Mon Sep 11, 2023 11:51 am

Re: How do I set up NAT for multiple VLANs on different Subnets?

Mon Sep 18, 2023 4:38 pm

Actually, I haven't figured out how to do this yet but ether5 will be used to connect between 2 MikroTik routers and a static route will be set up so that VLANs from router1 can talk to VLANs from router2, however even though I defined the static route it's still not working; the routers can't even ping each other and ether5 on router1 is 192.168.200.2/24 and ether5 on router2 is 192.168.200.1/24. Same subnet, directly connected with an ethernet cable. IK VLANs are supposed to be separate but I'm just following instructions.
 
anav
Forum Guru
Posts: 22387
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How do I set up NAT for multiple VLANs on different Subnets?

Mon Sep 18, 2023 4:42 pm

Yeah, I'm outta here, not interested in chasing part configs and half thoughts.
When you have a full set of requirements and an actual plan and a proper network diagram... I may come back
 
AndrewChedid
just joined
Topic Author
Posts: 18
Joined: Mon Sep 11, 2023 11:51 am

Re: How do I set up NAT for multiple VLANs on different Subnets?

Mon Sep 18, 2023 4:53 pm

This is the task:

Reset the router to default as in Task 1 (this is the last time we reset the router)
Create 3 VLANs, with all of them needing to accommodate 253 devices. (use 192.168.0.0/16) have port 2 and 3 in VLAN 1, port 4 in VLAN 2 and keep a VLAN with no assigned port to it.
Connect your desktop to one of the VLANs and another desktop to another and make sure they can ping each other
Analyze the result
Now connect between the 2 MikroTik. So you should have the following physical setup:

*Diagram*

Test connectivity between the 2 MikroTik by pinging from a computer in VLAN 1 to the other one in VLAN 1’ and by pinging from VLAN 2 to VLAN 1 (Note VLAN 1 and VLAN 1’ are separate VLANs in our setup) (Hint [copy & paste on notepad to see hint]: routing is needed between the 2 MikroTik, you can do a simple static route)


I used VLANs 10, 20, 30 etc. instead of 1, 2, 3...

Hope this helps
 
anav
Forum Guru
Posts: 22387
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How do I set up NAT for multiple VLANs on different Subnets?

Mon Sep 18, 2023 8:20 pm

Okay so this has nothing to do with a real world situation, and is a homework assignment.
Good luck!
Assuming you are taking some course, apply your training.
 
Kentril
just joined
Posts: 2
Joined: Wed Dec 06, 2023 1:56 pm

Re: How do I set up NAT for multiple VLANs on different Subnets?

Thu Jan 18, 2024 4:05 pm

Hello everyone, does anyone have a solution for the post above? Because I'm facing a similar problem. I have a MikroTik with 10 ports. I've already configured DHCP for 3 different subnets 192.168.X.0/24, FW etc. But I found in 1 office I needed a MikroTik too, because of a lack of ETH ports :( Is it possible to connect 2 MikroTiks via 1 cable? And share VLANs? I'm not a very experienced user. Thank you

Simple diagram:
 
anav
Forum Guru
Posts: 22387
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How do I set up NAT for multiple VLANs on different Subnets?

Thu Jan 18, 2024 11:43 pm

Yes of course! Just set it up more like a switch aka no need for dhcp, firewall rules etc....
This should help with VLAN work............ viewtopic.php?t=143620
and also the pointers given at this post highlight the main points to consider for this Switch device.
viewtopic.php?p=1049517#p1049528


For the original poster after rereading the thread, if being an intern in a company assigned to address MT products, then suggest this is really a good place to start...
https://mynetworktraining.com/

He often has sales/bundles for his courses.
 
Kentril
just joined
Posts: 2
Joined: Wed Dec 06, 2023 1:56 pm

Re: How do I set up NAT for multiple VLANs on different Subnets?

Sat Jan 20, 2024 9:49 pm

Thanks a lot! Finally I managed to connect the routers. FYI this video helps a lot: https://www.youtube.com/watch?v=4G0nIklG9Pw
Cheers!

J.
 
anav
Forum Guru
Posts: 22387
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How do I set up NAT for multiple VLANs on different Subnets?

Sun Jan 21, 2024 4:47 pm

If by the video you mean setting up hybrid ports on MT routers, piece of cake!
The ether port is simply pvid for the port you wish to pass untagged in /interface bridge ports, and in /interface bridge vlan settings, simply tag the same etherport for all vlan-ids needing to be sent tagged and for the etherport that was PVID ensure it's untagged for the associated vlan-ID.
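To check a hybrid-port plan like the one just described without touching a router, here is an added Python model of what the bridge port settings (pvid, frame-types, ingress-filtering) and the bridge VLAN table (tagged/untagged membership) decide for a frame. It is example code written for this thread, not RouterOS code and not from any post; ether2 as a VLAN 40 access port and the VLAN ids 40/100 come from the configs posted earlier, while ether4 as the hybrid port and the bridge2 CPU-port entries are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

ADMIT_ALL = "admit-all"
ADMIT_UNTAGGED = "admit-only-untagged-and-priority-tagged"
ADMIT_TAGGED = "admit-only-vlan-tagged"


@dataclass
class BridgePort:
    """One /interface bridge port entry."""
    name: str
    pvid: int
    frame_types: str = ADMIT_ALL
    ingress_filtering: bool = True


@dataclass
class VlanEntry:
    """One /interface bridge vlan entry: which ports carry the VLAN tagged or untagged."""
    vlan_id: int
    tagged: Set[str]
    untagged: Set[str]


class BridgeVlanTable:
    def __init__(self, ports, entries):
        self.ports: Dict[str, BridgePort] = {p.name: p for p in ports}
        self.entries: Dict[int, VlanEntry] = {e.vlan_id: e for e in entries}

    def is_member(self, port: str, vid: int) -> bool:
        entry = self.entries.get(vid)
        return entry is not None and (port in entry.tagged or port in entry.untagged)

    def ingress(self, port: str, tag: Optional[int]) -> Optional[int]:
        """VLAN id assigned to a frame arriving on `port`, or None if it is dropped.
        `tag` is the 802.1Q VID in the frame; None or 0 (priority-tagged) counts as untagged."""
        p = self.ports[port]
        if tag is None or tag == 0:
            if p.frame_types == ADMIT_TAGGED:
                return None
            vid = p.pvid  # untagged traffic is classified into the port's PVID
        else:
            if p.frame_types == ADMIT_UNTAGGED:
                return None
            vid = tag
        if p.ingress_filtering and not self.is_member(port, vid):
            return None  # ingress filtering: port is not a member of that VLAN
        return vid

    def egress(self, port: str, vid: int) -> Optional[str]:
        """How a frame in VLAN `vid` leaves `port`: 'tagged', 'untagged', or None if not sent."""
        entry = self.entries.get(vid)
        if entry is None:
            return None
        if port in entry.untagged:
            return "untagged"
        if port in entry.tagged:
            return "tagged"
        return None


# Constructed example (assumed layout): ether2 is an access port for VLAN 40,
# ether4 is a hybrid port carrying VLAN 40 untagged (its PVID) and VLAN 100 tagged.
# "bridge2" stands for the CPU-facing bridge port and is only used on egress here.
HYBRID = BridgeVlanTable(
    ports=[
        BridgePort("ether2", pvid=40, frame_types=ADMIT_UNTAGGED),
        BridgePort("ether4", pvid=40, frame_types=ADMIT_ALL),
    ],
    entries=[
        VlanEntry(40, tagged={"bridge2"}, untagged={"ether2", "ether4"}),
        VlanEntry(100, tagged={"bridge2", "ether4"}, untagged=set()),
    ],
)

if __name__ == "__main__":
    for port, tag in (("ether4", None), ("ether4", 100), ("ether4", 30), ("ether2", 100)):
        print(f"ingress {port} tag={tag}: vlan {HYBRID.ingress(port, tag)}")
    for port, vid in (("ether4", 40), ("ether4", 100), ("ether2", 100), ("bridge2", 40)):
        print(f"egress {port} vlan {vid}: {HYBRID.egress(port, vid)}")
```

The useful checks are the negative ones: a tagged VLAN 100 frame arriving on the access port ether2 is dropped by frame-types, and a tagged frame for a VLAN that has no table entry is dropped by ingress filtering on ether4 even though that port admits tagged frames.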