loboAT
just joined
Topic Author
Posts: 9
Joined: Sat Oct 21, 2023 3:52 pm

Issues when WAN and LAN network are on the same switch

Sun Jan 12, 2025 9:29 pm

Today I wanted to build the following test setup as a required workaround and noticed that the traffic drops as soon as I attach the Mikrotik WAN port to the network. Am I missing something?

1. Until the WAN port is connected I can obtain a DHCP address (192.168.80.x) or configure a static 10.0.0.x address and reach the ISP modem (10.0.0.138)
2. As soon as I attach the WAN port I can reach the WAN IP of the Mikrotik Router but neither the Mikrotik Router nor my Client can reach 10.0.0.138


I disabled all kinds of STP already but it doesn't work.

See diagram for details about the setup.
Unbenanntes Diagramm.drawio.png
 
sindy
Forum Guru
Posts: 11390
Joined: Mon Dec 04, 2017 9:19 pm

Re: Issues when WAN and LAN network are on the same switch

Sun Jan 12, 2025 10:09 pm

Such a setup definitely does not follow a "best current practice", but unless the WAN and LAN interface of the Mikrotik are member ports of the same bridge inside the Mikrotik, it should work. Post the export of your Mikrotik configuration - there are many posts here that explain how to properly obfuscate sensitive information. The DHCP server on the ISP router must be disabled, I assume you did that although you haven't explicitly mentioned it.
 
loboAT
just joined
Topic Author
Posts: 9
Joined: Sat Oct 21, 2023 3:52 pm

Re: Issues when WAN and LAN network are on the same switch

Tue Jan 14, 2025 9:36 am

Thanks for your reply. I know that it's not good practice but a temporarily required workaround. Why do the ports have to be member ports of the same bridge? In my opinion it should also work if they are on different networks.

Config:
/interface bridge
add admin-mac=18:FD:74:D2:24:48 auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface ethernet
set [ find default-name=ether5 ] disabled=yes
/interface wireguard
add comment=wg-mobile listen-port=13231 mtu=1420 name=wg-road-warrior
add listen-port=13235 mtu=1420 name=wg-s2s
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.80.100-192.168.80.200
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing table
add disabled=no fib name=wg-s2s
/snmp community
set [ find default=yes ] addresses=192.168.80.227/32
/system logging action
add email-start-tls=yes email-to=wo@sensitive-field.at name=mail2wo target=email
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wg-road-warrior list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.253.253/32,192.168.0.0/24,0.0.0.0/0 comment=vpn-zeisigg.sensitive-field.eu endpoint-address=vpn-zeisigg.sensitive-field.eu endpoint-port=13235 interface=wg-s2s name=peer1 persistent-keepalive=25s public-key="bvQdMF8Pzz92L579jAG55TENJz4P62dM6EiYCkNVNG4="
add allowed-address=192.168.253.252/32,192.168.2.0/24 comment=stelzer-josefsw.duckdns.org endpoint-address=stelzer-vpn-josefsw.clients.sensitive-field.eu endpoint-port=13235 interface=wg-s2s name=peer2 persistent-keepalive=25s public-key="azLEiJUgVqZp1Mq+HWOJ7Hap2GEfunemJKyUHkOq114="
add allowed-address=192.168.100.2/32,192.168.80.0/24 comment=iphone-GRM interface=wg-road-warrior name=peer3 persistent-keepalive=25s public-key="XsWl5kvRBpRnq+Cgj0lFo/g7RriUAi3H17ztpy+ApAs="
add allowed-address=192.168.253.250/32,192.168.80.0/24 comment=pi-backup-fls46 endpoint-port=13235 interface=wg-s2s name=peer4 persistent-keepalive=25s public-key="1q9usEMqz/9kSdc5wADMLbLKU4p2MJc+JyL5cDcP32U="
add allowed-address=192.168.253.251/32,192.168.40.0/24 comment=nuf-innerm-vpn.sensitive-field.eu endpoint-address=nuf-innerm-vpn.sensitive-field.eu endpoint-port=13235 interface=wg-s2s name=peer5 persistent-keepalive=25s public-key="2j3fKAmYGQ74dip72i/cmymqiUG2c9VGfqwKGwuHzC4="
/ip address
add address=10.0.0.150/24 interface=ether1 network=10.0.0.0
add address=192.168.100.1/24 interface=wg-road-warrior network=192.168.100.0
add address=192.168.80.254/24 interface=bridge network=192.168.80.0
add address=192.168.253.254/24 comment=wg-s2s interface=wg-s2s network=192.168.253.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.80.111 mac-address=B8:27:EB:21:1A:1F
/ip dhcp-server network
add address=192.168.80.0/24 comment=defconf dns-server=192.168.80.254 gateway=192.168.80.254 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB servers=192.168.253.252,1.1.1.1
/ip dns static
add address=192.168.80.203 name=vu1.sensitive-field.lan type=A
/ip firewall address-list
add address=prod1.sensitive-field.at list=RDP-Allow
/ip firewall filter
add action=accept chain=input comment="Allow WireGuard Traffic" src-address=192.168.100.0/24 src-address-list=""
add action=accept chain=input comment=";wg-s2s-vpn-zg.sensitive-field.eu" dst-port=13235 protocol=udp
add action=accept chain=input comment=WireGuard dst-port=13231 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="Garage Opener" dst-port=443 protocol=tcp
add action=accept chain=input comment="Garage Opener" dst-port=80 protocol=tcp
add action=accept chain=input comment=RDP-MediaPC dst-port=3389 in-interface-list=WAN protocol=tcp src-address-list=RDP-Allow
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether1 out-interface-list=WAN
add action=dst-nat chain=dstnat comment=docker1.sensitive-field.lan dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.80.221
add action=dst-nat chain=dstnat comment=docker1.sensitive-field.lan dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.80.221
add action=dst-nat chain=dstnat comment=unifi.sensitive-field.at dst-port=8443 in-interface-list=WAN protocol=tcp to-addresses=192.168.80.221
add action=dst-nat chain=dstnat comment=unifi.sensitive-field.at dst-port=3478 in-interface-list=WAN protocol=udp to-addresses=192.168.80.221
add action=dst-nat chain=dstnat comment=unifi.sensitive-field.at dst-port=10001 in-interface-list=WAN protocol=udp to-addresses=192.168.80.221
add action=dst-nat chain=dstnat comment=unifi.sensitive-field.at dst-port=8080 in-interface-list=WAN protocol=tcp to-addresses=192.168.80.221
add action=dst-nat chain=dstnat comment=Buero-PC dst-port=3389 in-interface-list=WAN protocol=tcp src-address-list=RDP-Allow to-addresses=192.168.80.217
add action=dst-nat chain=dstnat comment=test disabled=yes dst-port=64001 protocol=tcp to-addresses=192.168.80.224 to-ports=443
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.0.0.138 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=wg-s2s routing-table=wg-s2s suppress-hw-offload=no
add disabled=no dst-address=192.168.2.0/24 gateway=wg-s2s routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.0.0/24 gateway=wg-s2s routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.40.0/24 gateway=wg-s2s routing-table=main suppress-hw-offload=no
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ip traffic-flow
set interfaces=WAN
/routing bfd configuration
add disabled=no
/routing rule
add action=lookup-only-in-table comment="fire-tv-stick -> Zemann" disabled=yes dst-address=0.0.0.0/0 src-address=192.168.80.209/32 table=wg-s2s
add action=lookup-only-in-table comment="Media-PC -> Zemann" disabled=yes dst-address=0.0.0.0/0 src-address=192.168.80.217/32 table=wg-s2s
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=gw.sensitive-field.lan
/system logging
set 1 action=mail2wo topics=error,!script
set 3 action=mail2wo disabled=yes topics=account
add action=mail2wo topics=critical
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=de.pool.ntp.org
/system scheduler
add interval=5m name="Update DynDNS every 5 Minutes" on-event=":log debug \"DynDNS Update Script started\"\r\
    \n/system script run \"DynDNS Update Script\"" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2024-01-15 start-time=22:36:02
/system script
add dont-require-permissions=yes name="DynDNS Update Script" owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global DynDNSDomain \"sensitive.duckdns.org\"\r\
    \n:global DynDNSUpdateURL \"https://www.duckdns.org/update\?domains=grm-ls&token=xxxx&ip=\$newIP\"\r\
    \n:local InternetCheckTimeoutCount 10\r\
    \n#Do not modify below\r\
    \n:log info (\"*** Freedns IP address update started ****\");\r\
    \n:local stayInLoop true;\r\
    \n:local counter 0;\r\
    \n:while (\$stayInLoop) do={\r\
    \n   :set counter (\$counter + 1);\r\
    \n   #check if internet is up\r\
    \n   :if ([:typeof ([:ping address=8.8.8.8 count=1 as-value]->\"time\")] = \"nothing\") do={\r\
    \n    :log info \"Freedns: reply NOT received, retry no \$counter in 10 seconds\"\r\
    \n    :delay 10\r\
    \n  } else={\r\
    \n    :log info \"Freedns: Internet is up\"\r\
    \n    :set stayInLoop false;\r\
    \n    #:global IPCurrent [:put [/ip cloud get public-address]];;\r\
    \n    :global IPCurrent [:put [:resolve myip.opendns.com server=208.67.222.222]];\r\
    \n    :log info \"Current IP: \$IPCurrent\"\r\
    \n    :global DynDNSIP [:put [:resolve \$DynDNSDomain server=1.1.1.1]];\r\
    \n    :log info \"DuckDNS IP address: \$DynDNSIP\"\r\
    \n    #check if if associated to domain is the same as the current ip\r\
    \n    :if (\$DynDNSIP != \$IPCurrent) do={\r\
    \n      #the IPs are different, update IP at DuckDNS.org\r\
    \n      :log info \"IPs are different, update IP at DuckDNS.org\"\r\
    \n      /tool fetch url=\$DynDNSUpdateURL keep-result=no\r\
    \n      :log info \"New IP Found and updated : \$DynDNSDomain - \$IPCurrent\"\r\
    \n     } else={\r\
    \n     :log info \"No need to update IP, as: CURRENT IP: \$IPCurrent  DuckDNS IP: \$DynDNSIP\";\r\
    \n    }\r\
    \n  }\r\
    \n   #if the timeout timer expires and there is no internet, then abort\r\
    \n   :if (\$counter=\$InternetCheckTimeoutCount) do={:set stayInLoop false;}\r\
    \n}\r\
    \n:log info \"**** Freedns update script finished **** \"\r\
    \n"
add dont-require-permissions=no name="Enable S2S Routing of FireTVStick" owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":log info (\"*** Enable S2S Routing of FireTVStick ****\");\r\
    \n\r\
    \n/routing/rule/enable numbers=0"
add dont-require-permissions=no name="Disable S2S Routing of FireTVStick" owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":log info (\"*** Disable S2S Routing of FireTVStick ****\");\r\
    \n\r\
    \n/routing/rule/disable numbers=0"
/tool e-mail
set from=<xxx@sensitive-field.at> port=587 server=xxxx.kasserver.com tls=starttls user=xxxx
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=all streaming-server=192.168.80.136
Last edited by BartoszP on Thu Jan 16, 2025 10:54 pm, edited 1 time in total.
Reason: please use proper tags (button "</>") for code
 
sindy
Forum Guru
Posts: 11390
Joined: Mon Dec 04, 2017 9:19 pm

Re: Issues when WAN and LAN network are on the same switch

Tue Jan 14, 2025 1:41 pm

Why do the ports have to be member ports of the same bridge?
"Unless" means "if not". So what I was actually saying was that the two interfaces connected to the same external switch must not be members of the same bridge in the Mikrotik, because without STP, you would get an L2 loop, and with STP, one of the ports would get blocked.

An issue I can see is that you have a DHCP server attached to the LAN interface (bridge) and a DHCP client attached to the WAN interface (ether1) of the Mikrotik. So to prevent accidents, you have to set the 10.0.0.x/24 address to ether1 "manually" (and manually add a default route via 10.0.0.138 and possibly the DNS server addresses) and disable/remove the DHCP client attached to ether1 (which will prevent the WAN interface from getting a LAN address from the LAN DHCP server), and you also have to disable the DHCP server on the ISP router (which will prevent the LAN hosts from getting a 10.0.0.x address from there).
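A quick way to verify the points above against an export, as an added example that is not from this thread or from MikroTik: a small Python parser for the export format that flags a WAN port placed in the LAN bridge, an active DHCP client on the WAN port, and a missing static WAN address or default route. The excerpt it runs over is constructed from the posted config (interface names ether1 and bridge are the ones in that export); the DHCP server on the ISP router is outside the export and cannot be checked this way.

```python
"""Added example: sanity checks for a RouterOS export in the shared-switch setup.
Flags the failure modes described in the thread: WAN port inside the LAN bridge
(L2 loop through the switch) and a DHCP client left active on the WAN port."""
import shlex

# Constructed excerpt of the posted export, trimmed to what the checks need.
EXPORT = """\
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
/ip address
add address=10.0.0.150/24 interface=ether1 network=10.0.0.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.138 routing-table=main
"""

def parse_export(text):
    """Map each '/section' to its 'add' entries as {key: value} dicts."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            current = line.strip()
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            tokens = shlex.split(line[4:])  # handles quoted comment="..." values
            sections[current].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections

def check_setup(text, wan="ether1", lan_bridge="bridge"):
    """Return a list of problem tags; an empty list means all checks passed."""
    cfg = parse_export(text)
    findings = []
    # 1. WAN port in the LAN bridge would close an L2 loop through the shared switch.
    members = {p.get("interface") for p in cfg.get("/interface bridge port", [])
               if p.get("bridge") == lan_bridge}
    if wan in members:
        findings.append("wan-in-lan-bridge")
    # 2. An active DHCP client on WAN could take a lease from the LAN DHCP server.
    for c in cfg.get("/ip dhcp-client", []):
        if c.get("interface") == wan and c.get("disabled", "no") != "yes":
            findings.append("dhcp-client-on-wan")
    # 3. A static WAN address and a default route in the main table must exist.
    if not any(a.get("interface") == wan for a in cfg.get("/ip address", [])):
        findings.append("no-static-wan-address")
    if not any(r.get("dst-address") == "0.0.0.0/0" and r.get("routing-table", "main") == "main"
               for r in cfg.get("/ip route", [])):
        findings.append("no-default-route")
    return findings
```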
 
ConradPino
Member
Posts: 455
Joined: Sat Jan 21, 2023 12:44 pm
Location: San Francisco Bay

Re: Issues when WAN and LAN network are on the same switch

Thu Jan 16, 2025 6:39 pm

You have switching loops in your broadcast domain: unmanaged switch and MikroTik bridge interface. The Spanning Tree Protocol may block ports.
Placing insecure and secure subnets on the same switch is bad practice; just plug the modem directly into the MT WAN port for security and reliability.