RB2011 src-nat strange behaviour?

HWTest · Sun Nov 11, 2018 4:40 pm

I have a RB2011 (6.43.4) and a VDSL router in bridge mode connected to ether10 on the RB2011, the rest of the ports (including WLAN) is bridged
The VDSL PPPoE connection is initiated from the RB2011.´and is called WIA
192.168.240.0/24 is the subnet of ether10 (192.168.240.254) and the VDSL router (192.168.240.253)
192.168.242.0/24 is the subnet of the BRIDGE (192.168.242.254) and all other devices are connected to this bridge.

I wanted that the VDSL router has also a connection to the internet, so the clock gets synchronized and log entries have correct timestamps.
And I want to access the VDSL router web interface from the 192.168.242.0/24 subnet

My src-nat rules are:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WIA src-address=192.168.242.0/24
add action=masquerade chain=srcnat out-interface=WIA src-address=192.168.240.0/24

and the VDSL router web interface is not available.

If I change it to:

/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.242.0/24
add action=masquerade chain=srcnat out-interface=WIA src-address=192.168.240.0/24

it works (the VDSL router web interface is available), but according to this https://wiki.mikrotik.com/wiki/Tips_and ... _NAT_rules it is wrong!

How can I make it work, with the correct rules?

stoser · Sun Nov 11, 2018 5:13 pm

Hello, I think that the problem is that you need to masquerade with the Out-Interface set to Interface 10 in order to access the vdsl router. You were masquerading to the PPPoE interface, which is one step ahead of the VDSL router. The PPPoE (WIA) is connecting to you the DSLAM of your provider. Recall that the router address is 192.168.240.253, but the PPPoE address is whatever IP address your provider gives you.

This is why when you do not specify an outgoing interface it works, because the NAT rule matches for all interfaces, including interface 10

anav · Sun Nov 11, 2018 6:37 pm

If you need to associate specific LANs with specific WANIPs I have to ask
a. is it separate ISP wanips (multiple physical interfaces with either a dynamic or static IP address) OR
b. is it one physical WAN interface with static fixed multiple WAN ips.

Until one understands the scenario its difficult to make any concrete recommendations.
Im suggesting that the OP use src-nat action vice masquerade and use the to-addresses entry to establish which wanip is used, in addition to the source address.

However this only informs the router which wanip is to be used for translation of private (local) Ips to public IPs and back.
One still needs to route the traffic appropriately.

HWTest · Sun Nov 11, 2018 7:13 pm

I'm afraid I wasn't clear enough in my original post.
I try to make it as simple as possible:
I have an internet connection called WIA and two local subnets.
192.168.242.0/24 which is connected to the BRIDGE
192.168.240.0/24 which is connected to ether10

I need that both subnets are connected to the internet and that I can access devices in the 192.168.240.0/24 subnet from the 192.168.242.0/24 subnet.
I've read that ROS does route between local subnets automatically.

The routing looks good to me:

/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 WIA 1
1 ADC A.B.C.D/32 W.X.Y.Z WIA 0
2 ADC 192.168.240.0/24 192.168.240.254 ether10 0
3 ADC 192.168.242.0/24 192.168.242.254 BRIDGE 0

Edit: I have a very similar config running on a RB532 - one WAN interface and two local subnets on the LAN1 and LAN2 interfaces and the last time I checked, I could connect from one local subnet to the other and vice versa.
But I'm not sure if the src-nat is set icluding the "out-interface=WAN"

anav · Sun Nov 11, 2018 7:24 pm

Okay in that case,
You only need one masquerade rule.

add chain=srcnat out-interface=WAN action=masquerade (dynamic IP)
add chain=srcnat out-interface=WAN action=src-nat to-addresses=wanip (if static wanip).

The fact that you have one subnet on the bridge and one subnet on its own LAN, not on the bridge is good in that they are not connected at layer2 and thus firewall rules will work!

So, there are two cases.
a. if you have a drop all else rule at the end of the forward chain you will need to create LAN2 (on eth10) to LAN1 (on bridge) allow rule.
b. if you dont have such a drop all else rule you will need one rule: LAN1 to LAN2 drop rule to ensure the traffic permitted is LAN2 to LAN1 only.
As the router should be able to route the traffic between the subnets normally at the routing level (its aware of both subnets and thus will route traffic between them).

HWTest · Sun Nov 11, 2018 7:29 pm

Thank you.
My new src-nat rule:
chain=srcnat action=masquerade out-interface=WIA log=no log-prefix=""
I've disabled the two old ones but it still doesn't work ...

I don't have a drop all rule on the end of the firewall chains (yet), instead I have a log all rule there, until all is tuned.

anav · Sun Nov 11, 2018 7:37 pm

Post your config
/export hide-senstive file=mylatestconfignov11

stoser · Sun Nov 11, 2018 7:42 pm

Hello, I still think that the OP's issue is that the OP was manquerading only when the out interface was equal to "WIA" (the pppoe interface layered on top of ether10). To access the WAN IP subnet, he will need to masquerade traffic to the subnet associated to ether10. See OP's original post.

HWtest: Two masquerade rules are needed.
1 - masquerade between the internal bridge subnet (192.168.242.0/24) to the WAN subnet (192.168.240.0/24). This will allow clients on the internal bridge subnet to access the VDSL modem/router, as well as any other devices on the 192.168.240.0/24 subnet
2 - masquerade all traffic going out of the pppoe interface (WIA). This will allow internet access.

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether10 src-address=192.168.242.0/24
add action=masquerade chain=srcnat out-interface=WIA

mkx · Sun Nov 11, 2018 7:47 pm

How does IP setup on the VDSL router look like? It should be set-up to use RB as default gateway.

If you don't (yet) have firewall rules in place to restrict access between LAN and VDSL router, then try to debug connectivity there. When LAN host can "talk" with VDSL router, proceed with internet connectivity of VDSL modem.

If VDSL modem only needs internet for time sync, you can install ntp package on RB and run NTP server ... then instruct VDSL modem to sync to RB.

@stoser: if routes on VDSL modem are set correctly, no masquerading between LAN and VDSL modem is needed ... straight routing should do the trick. Single masquerading towards internet (covering both 192.168 networks) should be enough.

stoser · Sun Nov 11, 2018 7:55 pm

I wanted that the VDSL router has also a connection to the internet, so the clock gets synchronized and log entries have correct timestamps

Concerning the VDSL router having the correct time, please note that the VDSL router in BRIDGE mode has no direct internet access. You need to define the default gateway of the VDSL router as the IP address of the Mikrotik router (the IP address associated to ether10). Then the Mikrotik needs to have the rules present to route and masq those requests out of the PPPoE interface (WIA).

Another solution is if If you have an SNTP server sunning on your network, you could just have the VDSL router get the time from there, if the vdsl router even allows you to change the IP address of the SNTP server ...

stoser · Sun Nov 11, 2018 8:07 pm

@stoser: if routes on VDSL modem are set correctly, no masquerading between LAN and VDSL modem is needed ... straight routing should do the trick. Single masquerading towards internet (covering both 192.168 networks) should be enough.

I completely agree with mkx's post. Including the quoted part. Especially when there are only two subnets, But in the future there may be more. Simply put, it is sometimes easier to masq between subnets that try to mess around with static routes in inexpensive VDSL modems especially when the load between the two subnets is small. I have some VDSL modems that don't even allow me to export a config. I have others that reset themselves once every few months. All of them get bogged down after a couple of weeks of continuous usage and require a restart. I would much rather depend on a solid Mikrotik masquerading than pray that a VDSL modem doesn't lose it's configuration. If the VDSL modem is an aftermarket solid dependable modem, then by all means put a static route in the routing table of the VDSL modem for the 192.168.242.0/24 subnet with a gateway as the ether10 address of the Mtik, and let the mtik do the routing.

HWTest · Sun Nov 11, 2018 8:15 pm

The VDSL part works, the clock gets synchronized.
VDSL settings:
IP 192.168.240.253
Mask 255.255.255.0
GW 192.168.240.254

HWTest · Sun Nov 11, 2018 8:22 pm

Post your config
/export hide-senstive file=mylatestconfignov11

/export hide-senstive file=mylatestconfignov11
expected end of command (line 1 column 9)

HWTest · Mon Nov 12, 2018 11:17 am

Here is the full config (sensitive parts deleted):

# nov/11/2018 19:28:15 by RouterOS 6.43.4
# software id =
#
# model = 2011UiAS-2HnD
# serial number =

/interface bridge
add fast-forward=no name=BRIDGE

/interface ethernet
set [ find default-name=ether5 ] name=Duo speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=Epson
set [ find default-name=ether1 ] disabled=yes name=G1 speed=100Mbps
set [ find default-name=ether2 ] disabled=yes name=G2 speed=100Mbps
set [ find default-name=ether3 ] disabled=yes name=G3 speed=100Mbps
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=HP
set [ find default-name=ether4 ] name=NetGear speed=100Mbps
set [ find default-name=sfp1 ] disabled=yes name=Optika
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=Panasonic
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ZYXEL poe-out=off
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=eGreat

/interface pppoe-client
add add-default-route=yes disabled=no interface=ZYXEL keepalive-timeout=disabled max-mru=1492 max-mtu=1492 name=WIA password= use-peer-dns=yes user=

/interface wireless
set [ find default-name=wlan1 ] ampdu-priorities=0,1,2,3,4,5,6,7 band=2ghz-b/g/n country="czech republic" disabled=no distance=indoors frequency=2437 frequency-mode=regulatory-domain mode=ap-bridge name=WLAN ssid=TEST wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled

/interface list
add name=BRIDGELIST
add name=LAN

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk disable-pmkid=yes eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key= wpa2-pre-shared-key=
add authentication-types=wpa-psk,wpa2-psk disable-pmkid=yes eap-methods="" mode=static-keys-required name=legacy static-algo-0=40bit-wep static-key-0= supplicant-identity=""

/interface wireless
add default-forwarding=no keepalive-frames=disabled mac-address= master-interface=WLAN multicast-buffering=disabled name=VWLAN security-profile=legacy ssid=legacy wds-cost-range=0 wds-default-cost=0 wps-mode=disabled

/ip pool
add name=Pool ranges=192.168.242.51-192.168.242.100
add name=PoolL ranges=192.168.241.1-192.168.241.50

/ip dhcp-server
add add-arp=yes address-pool=Pool authoritative=after-2sec-delay disabled=no interface=BRIDGE lease-time=3d name=DHCP
add add-arp=yes address-pool=PoolL authoritative=after-2sec-delay disabled=no interface=VWLAN lease-time=3d name=DHCPL

/port
set 0 name=Serial

/snmp community
set [ find default=yes ] addresses=0.0.0.0/0

/interface bridge port
add bridge=BRIDGE interface=WLAN
add bridge=BRIDGE interface=G1
add bridge=BRIDGE interface=Epson
add bridge=BRIDGE interface=G2
add bridge=BRIDGE interface=G3
add bridge=BRIDGE interface=Duo
add bridge=BRIDGE interface=eGreat
add bridge=BRIDGE interface=Panasonic
add bridge=BRIDGE interface=HP
add bridge=BRIDGE interface=NetGear

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface list member
add interface=BRIDGE list=LAN
add interface=BRIDGE list=BRIDGELIST
add interface=ZYXEL list=LAN
add interface=VWLAN list=LAN

/interface wireless access-list
add comment=Kamera interface=WLAN mac-address= vlan-mode=no-tag
add comment=Aligator interface=WLAN mac-address= vlan-mode=no-tag
add comment=Kindle interface=WLAN mac-address= vlan-mode=no-tag
add comment=Venue interface=WLAN mac-address= vlan-mode=no-tag
add comment=D505 interface=WLAN mac-address= vlan-mode=no-tag
add comment=D505 forwarding=no interface=VWLAN mac-address= vlan-mode=no-tag
add comment=Armada forwarding=no interface=VWLAN mac-address= vlan-mode=no-tag
add authentication=no comment="Reject the rest" forwarding=no vlan-mode=no-tag

/ip address
add address=192.168.242.254/24 interface=BRIDGE network=192.168.242.0
add address=192.168.240.254/24 interface=ZYXEL network=192.168.240.0
add address=192.168.241.254/24 interface=VWLAN network=192.168.241.0

/ip cloud
set update-time=no

/ip dhcp-server lease
add address=192.168.242.55 mac-address= server=DHCP
add address=192.168.242.60 mac-address= server=DHCP

/ip dhcp-server network
add address=192.168.241.0/24 dns-server=192.168.241.254,8.8.8.8,208.67.222.222,208.67.220.220 gateway=192.168.241.254 netmask=24
add address=192.168.242.0/24 dns-server=192.168.242.254,8.8.8.8,208.67.222.222,208.67.220.220 gateway=192.168.242.254 netmask=24 wins-server=192.168.242.10

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,208.67.222.222,208.67.220.220

/ip dns static
add address=208.67.222.222 name=OpenDNS1
add address=208.67.220.220 name=OpenDNS2

/ip firewall address-list
add address=A.B.C.D comment=Internet list=public-add
add address=192.168.242.0/24 comment=LAN list=internal-nets
add address=192.168.240.0/24 comment=Zyxel list=internal-nets
add address=192.168.241.0/24 comment="Legacy Wifi" list=internal-nets
add address=0.0.0.0/8 comment="RFC6890 Self-Identification - This host on this network" list=not_in_internet
add address=127.0.0.0/8 comment="RFC6890 Loopback" list=not_in_internet
add address=169.254.0.0/16 comment="RFC6890 Link Local" list=not_in_internet
add address=10.0.0.0/8 comment="RFC6890 Private - CLASS A" list=not_in_internet
add address=172.16.0.0/12 comment="RFC6890 Private - CLASS B" list=not_in_internet
add address=192.168.0.0/16 comment="RFC6890 Private - CLASS C" disabled=yes list=not_in_internet
add address=224.0.0.0/4 comment="Multicast, Class D, IANA" list=not_in_internet
add address=192.0.2.0/24 comment="RFC6890 Reserved - IANA - TestNet1" list=not_in_internet
add address=198.51.100.0/24 comment="RFC6890 Reserved - IANA - TestNet2" list=not_in_internet
add address=203.0.113.0/24 comment="RFC6890 Reserved - IANA - TestNet3" list=not_in_internet
add address=192.88.99.0/24 comment="RFC6890 6to4 Relay Anycast" list=not_in_internet
add address=198.18.0.0/15 comment="RFC6890 Network Interconnect Device Benchmark Testing" list=not_in_internet
add address=100.64.0.0/10 comment="RFC6890 Shared Address Space" list=not_in_internet
add address=192.0.0.0/24 comment="RFC6890 Reserved - IANA - IETF Protocol Assignments" list=not_in_internet
add address=240.0.0.0/4 comment="RFC6890 Reserved for Future Use" list=not_in_internet
add address=91.121.109.209 comment=TALOS list=DROPDDOS
add address=217.12.202.40 comment=TALOS list=DROPDDOS
add address=94.242.222.68 comment=TALOS list=DROPDDOS
add address=82.118.242.124 comment=TALOS list=DROPDDOS
add address=46.151.209.33 comment=TALOS list=DROPDDOS
add address=217.79.179.14 comment=TALOS list=DROPDDOS
add address=91.214.203.144 comment=TALOS list=DROPDDOS
add address=95.211.198.231 comment=TALOS list=DROPDDOS
add address=195.154.180.60 comment=TALOS list=DROPDDOS
add address=5.149.250.54 comment=TALOS list=DROPDDOS
add address=91.200.13.76 comment=TALOS list=DROPDDOS
add address=94.185.80.82 comment=TALOS list=DROPDDOS
add address=62.210.180.229 comment=TALOS list=DROPDDOS

/ip firewall filter
add action=jump chain=input comment="Accept up to 5 pings in 5 seconds and jump for ICMP input flow" jump-target=ICMP limit=5/5s,1 protocol=icmp
add action=add-src-to-address-list address-list=icmp-attack address-list-timeout=12h chain=input comment="Add all other ICMP input into icmp-attack address list" in-interface=WIA protocol=icmp
add action=drop chain=input comment="Drop excessive ICMP traffic" protocol=icmp src-address-list=icmp-attack
add chain=input comment="Established, Related" connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="From LAN" in-interface=!WIA src-address-list=internal-nets
add action=accept chain=input comment="Allow DHCP" dst-port=67 in-interface=BRIDGE protocol=udp src-port=68
add action=tarpit chain=input comment="Tarpit port-scan address list" protocol=tcp src-address-list=port-scan
add action=drop chain=input comment="Drop port-scan address list" src-address-list=port-scan
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="Add port scannes to port-scan list" in-interface=WIA protocol=tcp psd=21,3s,3,1 src-address-list=!internal-nets
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Drop syn-flood address list" src-address-list=syn-flood
add action=add-src-to-address-list address-list=syn-flood address-list-timeout=30m chain=input comment="Add Syn Flooders to syn-flood address list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=input comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=input comment="TCP flags and Port 0 attacks" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=input comment="Drop FIN,SYN" protocol=tcp tcp-flags=fin,syn
add action=drop chain=input comment="Drop FIN,RST" protocol=tcp tcp-flags=fin,rst
add action=drop chain=input comment="Drop FIN,!ACK" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=input comment="Drop FIN,URG" protocol=tcp tcp-flags=fin,urg
add action=drop chain=input comment="Drop SYN,RST" protocol=tcp tcp-flags=syn,rst
add action=drop chain=input comment="Drop RST,URG" protocol=tcp tcp-flags=rst,urg
add action=drop chain=input comment="Drop src Port 0 TCP" protocol=tcp src-port=0
add action=drop chain=input comment="Drop dst Port 0 TCP" dst-port=0 protocol=tcp
add action=drop chain=input comment="Drop src Port 0 UDP" protocol=udp src-port=0
add action=drop chain=input comment="Drop dst Port 0 UDP" dst-port=0 protocol=udp
add action=drop chain=input comment="Drop DNS queries from the internet" dst-port=53 in-interface=WIA protocol=udp
add action=drop chain=input comment="Drop DNS queries from the internet" dst-port=53 in-interface=WIA protocol=tcp
add action=drop chain=input comment="Drop all packets which are not destined to routers IP address" dst-address-type=!local log=yes log-prefix="Not for router"
add action=drop chain=input comment="Drop all packets which don't have unicast source IP address" src-address-type=!unicast
add action=drop chain=input comment="Drop RFC6890 and multicast inbound" in-interface=WIA src-address-list=not_in_internet
add action=drop chain=input comment="Drop our addressing inbound - spoofed" in-interface=WIA src-address-list=public-add
add action=drop chain=input comment="Drop all access to the winbox - except list" dst-port=8291 log=yes log-prefix="Winbox attack" protocol=tcp src-address-list=!internal-nets
add action=drop chain=input comment=DROPDDOS src-address-list=DROPDDOS
add action=drop chain=input comment="Drop new from WIA" connection-state=new in-interface=WIA log-prefix="Drop new"
add action=log chain=input comment="Log everything else" log-prefix=Log
add action=drop chain=input comment="Drop everything else" disabled=yes
add action=jump chain=forward comment="Jump for ICMP forward flow" jump-target=ICMP protocol=icmp
add chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="From LAN" in-interface=!WIA src-address-list=internal-nets
add action=drop chain=forward comment="Drop port-scan address list" src-address-list=port-scan
add action=drop chain=forward comment="Drop RFC6890 and multicast inbound" in-interface=WIA src-address-list=not_in_internet
add action=drop chain=forward comment="Drop our addressing inbound - spoofed" in-interface=WIA src-address-list=public-add
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface-list=LAN log=yes log-prefix=!public_from_LAN out-interface-list=!LAN
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=BRIDGE log=yes log-prefix=LAN_!LAN src-address=!192.168.242.0/24
add action=drop chain=forward comment="Drop packets from ZYXEL that do not have ZYXEL IP" in-interface=ZYXEL log=yes log-prefix=LAN_!LAN src-address=!192.168.240.0/24
add action=drop chain=forward comment="Drop packets from VWLAN that do not have VWLAN IP" disabled=yes in-interface=VWLAN log=yes log-prefix=LAN_!LAN src-address=!192.168.241.0/24
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=WIA log=yes log-prefix=!NAT
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="TCP flags and Port 0 attacks" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=forward comment="Drop FIN,SYN" protocol=tcp tcp-flags=fin,syn
add action=drop chain=forward comment="Drop FIN,RST" protocol=tcp tcp-flags=fin,rst
add action=drop chain=forward comment="Drop FIN,!ACK" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=forward comment="Drop FIN,URG" protocol=tcp tcp-flags=fin,urg
add action=drop chain=forward comment="Drop SYN,RST" protocol=tcp tcp-flags=syn,rst
add action=drop chain=forward comment="Drop RST,URG" protocol=tcp tcp-flags=rst,urg
add action=drop chain=forward comment="Drop src Port 0 TCP" protocol=tcp src-port=0
add action=drop chain=forward comment="Drop dst Port 0 TCP" dst-port=0 protocol=tcp
add action=drop chain=forward comment="Drop src Port 0 UDP" protocol=udp src-port=0
add action=drop chain=forward comment="Drop dst Port 0 UDP" dst-port=0 protocol=udp
add action=drop chain=forward comment="Drop bogon list" dst-address-list=not_in_internet
add action=drop chain=forward comment=DROPDDOS src-address-list=DROPDDOS
add action=drop chain=forward comment="Drop Windows ports" port=135-139 protocol=tcp
add action=log chain=forward comment="Drop new from WIA" connection-state=new in-interface=WIA log-prefix="Log new"
add action=log chain=forward comment="Log everything else" log-prefix=Log
add action=drop chain=forward comment="Drop everything else" disabled=yes
add chain=output comment="Established, Related" connection-state=established,related
add action=drop chain=output comment="Drop invalid" connection-state=invalid
add action=jump chain=output comment="Jump for ICMP output flow" jump-target=ICMP protocol=icmp
add chain=output comment="DNS query" dst-port=53 out-interface=WIA protocol=tcp
add chain=output comment="DNS query" dst-port=53 out-interface=WIA protocol=udp
add chain=output comment="NTP query" dst-port=123 out-interface=WIA protocol=udp
add action=log chain=output comment="Log everything else" log-prefix=Log
add action=drop chain=output comment="Drop everything else" disabled=yes
add action=drop chain=ICMP comment="Drop excessive ICMP traffic" protocol=icmp src-address-list=icmp-attack
add chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Net unreachable" icmp-options=3:0 protocol=icmp
add chain=ICMP comment="Host unreachable" icmp-options=3:1 protocol=icmp
add chain=ICMP comment="Host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add chain=ICMP comment="Allow source quench" icmp-options=4:0 protocol=icmp
add chain=ICMP comment="Allow echo request" icmp-options=8:0 protocol=icmp
add chain=ICMP comment="Allow time exceed" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=ICMP comment="Drop all other types"

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WIA
add action=masquerade chain=srcnat disabled=yes out-interface=WIA src-address=192.168.242.0/24
add action=masquerade chain=srcnat disabled=yes out-interface=WIA src-address=192.168.241.0/24
add action=masquerade chain=srcnat disabled=yes out-interface=WIA src-address=192.168.240.0/24

/ip service
set telnet address=192.168.242.0/24 disabled=yes
set ftp address=192.168.242.0/24 disabled=yes
set www address=192.168.242.0/24
set ssh address=192.168.242.0/24 disabled=yes
set www-ssl address=192.168.242.0/24
set api address=192.168.242.0/24 disabled=yes
set winbox address=192.168.242.0/24
set api-ssl address=192.168.242.0/24 disabled=yes

/ip smb
set allow-guests=no domain=

/ip ssh
set strong-crypto=yes

/lcd
set backlight-timeout=1h default-screen=interfaces read-only-mode=yes time-interval=hour

/lcd pin
set hide-pin-number=yes pin-number=

/lcd interface
set Optika disabled=yes
set G1 disabled=yes
set G2 disabled=yes
set G3 disabled=yes
set NetGear disabled=yes
set Duo disabled=yes
set Epson disabled=yes
set eGreat disabled=yes
set Panasonic disabled=yes
set HP disabled=yes
add interface=WIA

/lcd interface pages
set 0 interfaces=WIA,WLAN,ZYXEL

/system clock
set time-zone-name=Europe/Prague

/system identity
set name=RB2011

/system leds
add interface=WIA leds=sfp-led type=interface-activity

/system logging
add disabled=yes topics=pppoe

/system ntp client
set enabled=yes server-dns-names=cz.pool.ntp.org

/system routerboard settings
set silent-boot=no

/tool bandwidth-server
set enabled=no

/tool graphing interface
add allow-address=192.168.242.0/24 interface=WIA store-on-disk=no
add allow-address=192.168.242.0/24 interface=WLAN store-on-disk=no

/tool graphing resource
add allow-address=192.168.242.0/24 store-on-disk=no

/tool mac-server
set allowed-interface-list=BRIDGELIST

/tool mac-server mac-winbox
set allowed-interface-list=BRIDGELIST

/tool mac-server ping
set enabled=no

anav · Mon Nov 12, 2018 4:20 pm

I dont understand your setup.

/interface list - should be
default WAN
default LAN

/interface list members - should be
LAN - Bridge
LAN - (LAN not on bridge, or WLAN not on bridge)
LAN - (VLANs)
WAN - zyxel

If you had any WLANs or LANs not on the bridge they would be listed with LAN
If you had a second ISP, it would also be listed with WAN
All Vlans should have an entry under LAN.

The other thing I noticed is that you have the WLAN (dhcpl) and the bridgelan (dhcp) as both being on the bridge???
I believe this may not be possible as you have already assigned a network to the Bridge, if it was possible, you would have a situation where the LANs are connect at layer 2 (like an unmanaged switch with no way to control access via firewall rules). So not sure how to proceed there............ either put the WLAN outside the bridge or simply create a VLAN and put your wireless traffic on that with commensurate FW rules to control traffic.

Without knowing the why of the setup its often difficult to determine the mechanics of the setup.

I have no idea what you intend with bridgelist ?????

HWTest · Mon Nov 12, 2018 5:31 pm

I'll try to explain it.
Basically all interfaces (except ZYXEL) are bridged to act as a simple switch, including WLAN.
The VWLAN (as Virtual WLAN of the WLAN interface) is my latest idea, not finished yet - an isolated wifi network for guests, with access only to the internet.
The RB dials the PPoE connection through ZYXEL creating the interface WIA through which the intenet traffic is routed.

Subnets:
192.168.242.0/24 BRIDGE is the gateway with the address 192.168.242.254, DHCP server for the 192.168.242.0/24 subnet on the BRIDGE interface
192.168.241.0/24 VWLAN is the gateway with the address 192.168.241.254, DHCP server for the 192.168.241.0/24 subnet on the VWLAN interface - not finished yet, needs some filtering on the BRIDGE
192.168.240.0/24 ZYXEL is the gateway with the address 192.168.240.254, no DHCP server, only one device on this subnet - the VDSL router in bridge mode 192.168.240.253
What I'm trying to achieve is:
- to be able to access the VDSL router on 192.168.240.253 from my home network 192.168.242.0/24.
- the VDSL router on 192.168.240.253 should have access to the internet for clock synchronizing
- a completely isolated wifi network for guests, with access only to the internet.

If something is not clear please ask, I'll gladly explain

Edit: BRIDGELIST - there are some settings which accepted only interface lists not interfaces, so I have created the list with only the BRIDGE interface in it

anav · Mon Nov 12, 2018 7:08 pm

Thanks, that makes much more sense to me now. I am not that smart at this stuff so sometimes I need to be lead by the hand.
Additionally my wireless is done separately on some cap AC units so I am extrapolating to your unit which seems to have wifi on board (my hex router is wired only)

Okay, so all is good then
1. Interface List should be (and dont use bridgelist!@!!)
LAN-Bridge
LAN-Vwlan
WAN-zyxel

I would call my LAN differently at the interface to communicate to me what LAN it is. No where else but on the interface menu.

2. Interfaces
bridge - bridge
- Vwlan
ether10 your ISP
ether1-9 - homelan
sftp1 - homelan
WLAN - guestwifilan

The reason I do this assignment of using "homelan" to name my ethernet physical interfaces is that in my mind I know what the interfaces are for.
If I just say bridge its not clear to me.
For example what If I have 3 more LANS at home that are not on the bridge on interfaces 4-6
ether4 - DMZLAN
ether5 - TVLAN
ether6 - ThERMOSTAT LAN

For example what if have a second bridge that I Use for the DMZ Lan and still have two separate LANs 5,6
Bridge1 - Bridge (type)
Bridge2 - Bridge (type)
ether1 - homelan_b1
ether2 - homelan_b1
ether3 -homelan_b1
ether4 -dmzlan_b2
ether5 -tvlan
ether6 -thermostat lan

I much prefer to know or have an idea what my etherports are attached too................
I can add little endings to the LAN names to communicate to the reader which bridge they are on as well.

3. IP Addresses and IP Pools seem fine.

4. DHCP seems fine
home-server - interface is bridge (dhcp pool)
wifiguest-server - interface is Vwlan (dhcpl pool)

5. DHCP Network seems fine.

6. Did we define Vwlan? associated with interface=bridge and vlanID lets say 100.

7. Did we define radio: WLAN (interface=bridge, vlanID=100, vlan mode: use tag)

8. Bridge Ports
eth1-9
sfp1
WLAN

9. Bridge Tabs
add bridge and if already there, modify as follows
bridge name (pulldown menu select)
VLAN IDs (separate line for each one, in your case just one) - 100
Tagged Devices (separate line for each one)
a. bridge (itself)
b. WLAN
c. ether port X
d. ether port Y
(basically what is tagged is the bridge, any WLANs on the bridge carrrying VLANS, and any physical ports that VLANS pass through

So only you would know which physical ports the guest wifi VLANS may travel through?
In my case, the Cap AC (my access point) has etherport2 to reach the Hex
In my case the Hex transports vlans through its etherport 3 to get to the capAC

In your case, I would say there are no etherports involved just the WLAN interface.

10. Bridge Name Vlan (ensure SAFE MODE IS ON)
Go back to the Bridge Tab (the default tab when you select Bridge on the LHM of Winbox and double click on the bridge name itself.
On the popup menu select vlans and ensure vlan filtering is then checked ON.

HWTest · Tue Nov 13, 2018 6:17 pm

Sorry for the delayed answer, I'm pretty busy ATM.
I have to admit I'm a little confused - are you suggesting I should introduce VLANs in my setup?

1) I use BRiDGELIST for limiting MAC server ping and MAC Winbox to interfaces on the BRIDGE.
I don't want to disable it completely and interface lists are the only option.
Maybe a BRiDGELIST with all bridged interfaces instead of the BRIDGE itself?

ZYXEL is not WAN (it's LAN - at least I think so?), WIA is WAN.

2) As I see it, I have:
WIA - WAN, PPPoE to the internet
ZYXEL, all interfaces on the BRIDGE - LAN
VWLAN - virtual access point for guests

because:
BRIDGE is the only bridge, so it's the BRIDGE
ZYXEL is used for dialling the PPPoE connection a administering the VDSL router
WIA PPPoE connection, WAN interface connected to the internet
I see the VDSL router as 2 devices:
1. VDSL modem
2. "webserver" for administering the VDSL router

My "homelan" interfaces are named:
ether1 name=G1
ether2 name=G2
ether3 name=G3
ether4 name=NetGear
ether5 name=Duo
ether6 name=Epson
ether7 name=eGreat
ether8 name=Panasonic
ether9 name=HP
ether10 name=ZYXEL
sfp1 Optika

G1-G3 and Optika are unused and disabled

My idea of the VWLAN was, that I disable the "default forward" on this interface and I'll filter it with the bridge firewall, because VWLAN is part of WLAN which is on the BRIDGE.
So indirectly VWLAN is also part of the BRIDGE - so at least this is, how I understand it.

Yes, the wifi is integrated in the RB2011.

One interesting thing from this morning. I realized I have no internet connection
After replacing the

add action=masquerade chain=srcnat out-interface=WIA

with

add action=masquerade chain=srcnat disabled=yes out-interface=WIA src-address=192.168.242.0/24
add action=masquerade chain=srcnat disabled=yes out-interface=WIA src-address=192.168.240.0/24

the connection was back ...

anav · Tue Nov 13, 2018 9:00 pm

Well I cannot speak to your VDSL and webserver setup, suffice to say they are WAN client objects and not LAN objects.
Feel free to use lists where appropriate (firewall rules, nat rules etc). I would stay away from trying to use it any bridge type settings.

HWTest · Tue Nov 13, 2018 9:55 pm

Well I cannot speak to your VDSL and webserver setup, suffice to say they are WAN client objects and not LAN objects.

I have to disagree, the webserver has its own address, which I set up (192.168.240.253) and the PPPoE interface has an different address, which is obtained via DHCP from the ISP.
And these two interfaces are not able to communicate with each other until I set up proper routes in the RB.

Feel free to use lists where appropriate (firewall rules, nat rules etc). I would stay away from trying to use it any bridge type settings.

You recommend to not use any bridge or not use bridge in any interface lists?

anav · Tue Nov 13, 2018 11:15 pm

Like I said I am not familiar with the setup described on the WAN side or control of it so that is best left for you to figure out.
THe Bridge is a conglomerate of items and should not be used in lists as far as I know.

Typical things in lists are
source addresses
destination addresses
device IPs

RB2011 src-nat strange behaviour?

RB2011 src-nat strange behaviour?

Re: RB2011 src-nat strange behaviour?

Re: RB2011 src-nat strange behaviour?

Re: RB2011 src-nat strange behaviour?

Re: RB2011 src-nat strange behaviour?

Re: RB2011 src-nat strange behaviour?

Re: RB2011 src-nat strange behaviour?

Re: RB2011 src-nat strange behaviour?

Re: RB2011 src-nat strange behaviour?

Re: RB2011 src-nat strange behaviour?

Re: RB2011 src-nat strange behaviour?

Re: RB2011 src-nat strange behaviour?

Re: RB2011 src-nat strange behaviour?

Re: RB2011 src-nat strange behaviour?

Re: RB2011 src-nat strange behaviour?

Re: RB2011 src-nat strange behaviour?

Re: RB2011 src-nat strange behaviour?

Re: RB2011 src-nat strange behaviour?

Re: RB2011 src-nat strange behaviour?

Re: RB2011 src-nat strange behaviour?

Re: RB2011 src-nat strange behaviour?

Who is online