mrk336
just joined
Topic Author
Posts: 4
Joined: Fri Jun 02, 2017 11:21 pm

DMZ with VLAN

Sat Jun 03, 2017 8:18 am

Guys,

This is not working, could you explain why not?

/interface ethernet set ether2 master-port=ether1
/interface ethernet set ether3 master-port=ether1

/interface vlan add name=vlan110 interface=ether1 vlan-id=110
/interface vlan add name=vlan120 interface=ether1 vlan-id=120

/ip address add address=10.10.110.1/24 interface=vlan110 network=10.10.110.0
/ip address add address=10.10.120.1/24 interface=vlan120 network=10.10.120.0

/ip route add gateway=10.10.110.1
/ip route add gateway=10.10.120.1

/interface ethernet switch egress-vlan-tag add tagged-ports=switch1-cpu vlan-id=110
/interface ethernet switch egress-vlan-tag add tagged-ports=switch1-cpu vlan-id=120

/interface ethernet switch ingress-vlan-translation add ports=ether1-master-local customer-vid=0 new-customer-vid=110 sa-learning=yes
/interface ethernet switch ingress-vlan-translation add ports=ether1-master-local customer-vid=0 new-customer-vid=120 sa-learning=yes

/interface ethernet switch add ports=ether2-slave-local customer-vid=0 new-customer-vid=110 sa-learning=yes
/interface ethernet switch add ports=ether3-slave-local customer-vid=0 new-customer-vid=120 sa-learning=yes


/ip firewall nat add chain=srcnat action=src-nat to-addresses=10.10.110.1 src-address=192.168.1.0/24 out-interface=vlan110
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.1.0/24 dst-address=10.10.110.1 in-interface=vlan110



/ip firewall connection tracking set enabled=yes
(attached image: download.jpg)
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: DMZ with VLAN

Sat Jun 03, 2017 4:39 pm

I'm skipping the VLAN part, because I'm not familiar enough with VLANs using hardware switch. But those default routes with gateways being addresses on the same router can't do you any good. NAT rules are also a little strange. And some more info about 192.168.1.0/24 and the black device would probably help too.
 
mrk336
just joined
Topic Author
Posts: 4
Joined: Fri Jun 02, 2017 11:21 pm

Re: DMZ with VLAN

Sat Jun 03, 2017 5:49 pm

Hi,

Just to clarify, 10.10.110.0/24 is a VLAN for a web server; the other VLAN is the one for the office PCs.

The NAT rules I got off the internet, as getting src address out gateway and masquerade doesn't work.

A sample config with vlans would be very helpful.
 
plum
just joined
Posts: 13
Joined: Mon May 22, 2017 3:40 pm

Re: DMZ with VLAN

Sat Jun 03, 2017 11:07 pm

The "Switching without bridging" tutorial really helped me set up VLANs.
I'm still a noob, so take everything I say with a grain of salt.


Isn't eth1 the first port? And I guess that's your "outside world", probably the modem?
You put the master port of your switch on eth1. I think that you should not do that (and it's maybe the reason masquerade does not work); it should be eth2-4, and you can then bridge.
What you did is use the device as a "switch only".


I guess my devices have a lower license level, so my ingress/egress configuration is different. However, I made the mistake not to enable vlan on the switch-cpu and therefore the vlan did not reach the bridge.

My firewall rule was really simple for the vlan (eth1 is outside, 10.10.10.0/24 is the vlan):
add action=masquerade chain=srcnat comment="NATing int 10 vlan to outside" out-interface=ether01-outside src-address=10.10.10.0/24
But I'm actually not even sure if that was needed, the default firewall rule might be enough to route it to the outside.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: DMZ with VLAN

Sun Jun 04, 2017 2:05 am

Let's pretend for a while that you don't need any VLANs and try some basics.

I guess the black modem/router probably does routing and its LAN is 192.168.1.0/24. Let's say it has internal address 192.168.1.1. Then if you wanted to have two independent LANs, you'd keep ports 1-3 on RB separate, i.e. not switched or bridged together. The basic config would be:

RB:
ether1 address: 192.168.1.x/24 (where x is anything except 1)
ether2 address: 10.10.110.1/24
ether3 address: 10.10.120.1/24
default gateway: 192.168.1.1

Server(s):
address: 10.10.110.x/24
default gateway: 10.10.110.1

Office PC(s):
address: 10.10.120.x/24
default gateway: 10.10.120.1

This would not work by itself. To access internet, you'd need to do one of following:

a) Add routes on modem if possible:
- destination 10.10.110.0/24, gateway 192.168.1.x
- destination 10.10.120.0/24, gateway 192.168.1.x

b) Use NAT on RB:
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=192.168.1.x out-interface=ether1
At this point, both LANs would be able to access internet. To forward ports to webserver, you'd do e.g.:
/ip firewall nat
add chain=dstnat action=dst-nat dst-address=192.168.1.x protocol=tcp dst-port=80,443 to-addresses=10.10.110.y
Where 10.10.110.y is the server's address. But for it to work, you'd need to first forward those ports on the modem from its public address to 192.168.1.x.

When you add VLANs, this basic config remains the same, you only work with different interfaces. That's unless the modem would be handling VLANs and you'd really be using RB only as managed switch. In any case, I'm not good with VLANs in hardware switch, but there are some nice examples in wiki.
 
mrk336
just joined
Topic Author
Posts: 4
Joined: Fri Jun 02, 2017 11:21 pm

Re: DMZ with VLAN

Wed Jun 07, 2017 12:35 pm

Hi Sob,

Thanks for your reply. I can do this configuration using bridges like I normally do and it works fine. Unfortunately, on this setup I will need to use VLANs as they will be used to communicate with other equipment. What I need is a basic setup using VLANs.
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: DMZ with VLAN

Wed Jun 07, 2017 1:14 pm

Is ether1 your WAN interface? I'll assume from your diagram.

VLANs in ROS can be done either by software (add VLAN interface) or by hardware using the switch chip on those routerboards that have it.

You actually added both, you need to either use one method or another.

Let's use the software approach as it is easier and more flexible. Start by resetting the hAP to no defaults (you can connect later using the Neighbors tab in WinBox).

Make ether3 slave of ether2; ether1 is the WAN interface so should be alone and not used as master/slave of any other interface, nor added to any bridge.
/interface ethernet set ether3 master-port=ether2

/interface vlan add name=vlan110 interface=ether2 vlan-id=110
/interface vlan add name=vlan120 interface=ether2 vlan-id=120

/ip address add address=10.10.110.1/24 interface=vlan110 network=10.10.110.0
/ip address add address=10.10.120.1/24 interface=vlan120 network=10.10.120.0

That's all that is needed. The hAP will start routing between VLANs.

Now, why these two default gateways?
/ip route add gateway=10.10.110.1
/ip route add gateway=10.10.120.1
Those are not needed for inter-VLAN routing, delete them.

ROS will know how to reach 10.10.110.0/24 and 10.10.120.0/24, as the IP assignment on the VLAN interfaces will create directly connected routes. No need to set itself as default gateway.

I don't understand why the need for NAT for inter-VLAN communication either, I assume you have control over the whole LAN?

If this same hAP will be providing internet access, all you need is assigning the WAN IP on ether1 (or creating a DHCP or PPPoE client interface, depending on your ISP) and making sure it is the default (dst-address=0.0.0.0/0) one; if you use a DHCP client for WAN, just set Add Default Route to yes; if using a PPPoE client, tick Add Default Gateway.
 
mrk336
just joined
Topic Author
Posts: 4
Joined: Fri Jun 02, 2017 11:21 pm

Re: DMZ with VLAN

Wed Jun 07, 2017 1:18 pm

Hi Pukkita,

Thanks :) This is much closer to what I need, but ether1 will have a DHCP client to connect to the provider's router. Will the VLANs be able to communicate with the internet in this way?

BR,

Mark
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: DMZ with VLAN

Wed Jun 07, 2017 1:34 pm

Yes.

You just need to add the final touch: NATing WAN outgoing connections:
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1
Do not forget to add proper firewall rules, default ones are optimal:
/ip firewall
filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
filter add chain=input action=accept connection-state=established,related comment="defconf: accept established,related"
filter add chain=input action=drop in-interface=ether1 comment="defconf: drop all from WAN"
filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
filter add chain=forward action=accept connection-state=established,related comment="defconf: accept established,related"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 comment="defconf: drop all from WAN"
By your post title I guess you want incoming connections from internet to your VLANs?

If this is the case, research on how to put your ISP router in bridge mode, so that it hands out the public WAN IP directly to the hAP, try to avoid DMZ at all costs.

Not only is it best practice, it will also simplify configuration, and all you'll need to make inside LAN IPs available to the Internet would be (let's say you want an internal web server, 10.10.110.100, to be available at your WAN IP):
/ip firewall nat
add action=dst-nat chain=dstnat comment="Internal Web Server" dst-port=80 in-interface=ether1 protocol=tcp to-addresses=10.10.110.100 to-ports=80
The last IP > Firewall > Filter rule will automatically allow external connections to dst-nat'ed ports.
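The thread above stops short of one thing a DMZ is for: keeping the web server VLAN from reaching the office VLAN. The default rule set pukkita quoted only drops new connections arriving from WAN; RouterOS accepts forwarded traffic that matches no rule, so with nothing else vlan110 hosts can open connections to vlan120. The following is an added example, not configuration from the thread or from MikroTik, that puts Sob's baseline (addresses, masquerade, port forward) and pukkita's software-VLAN layout into one RouterOS 6.x script and adds the isolation rules. It keeps the names from the thread (ether1 = WAN, ether2 master with ether3 slave, vlan110 = DMZ, vlan120 = office, web server 10.10.110.100); it assumes the ISP router hands ether1 an address by DHCP and that hosts on both VLANs are statically addressed as in Sob's plan.

```routeros
# Added example (not from the thread). RouterOS 6.x before 6.41, where master-port still exists.
# ether1 = WAN, alone: not master/slave of anything and in no bridge.
/interface ethernet
set ether3 master-port=ether2

# Software VLANs on the switch master port; ether2/ether3 carry them tagged.
/interface vlan
add name=vlan110 interface=ether2 vlan-id=110 comment="DMZ: web server"
add name=vlan120 interface=ether2 vlan-id=120 comment="Office PCs"

# These two addresses create the connected routes; no /ip route entries are needed for the VLANs.
/ip address
add address=10.10.110.1/24 interface=vlan110
add address=10.10.120.1/24 interface=vlan120

# WAN address and the 0.0.0.0/0 route come from the ISP router via DHCP (assumed).
/ip dhcp-client
add interface=ether1 add-default-route=yes use-peer-dns=yes disabled=no

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1 comment="WAN egress for both VLANs"
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp dst-port=80,443 to-addresses=10.10.110.100 comment="Publish web server on the WAN IP"

/ip firewall filter
# input chain: traffic to the router itself
add chain=input action=accept connection-state=established,related comment="accept established,related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=drop in-interface=ether1 comment="drop all from WAN"
add chain=input action=drop in-interface=vlan110 comment="DMZ hosts get no access to the router (no DNS, no WinBox, no SSH)"
# forward chain: traffic routed through the router
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related comment="accept established,related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 comment="drop all from WAN except dst-nat'ed"
add chain=forward action=drop in-interface=vlan110 out-interface=vlan120 comment="DMZ must not open connections to the office VLAN"
```

Rule order is what makes the isolation usable: the established,related accept sits above the vlan110 to vlan120 drop, so an office PC can still SSH or browse to the server and get its replies back, while a new connection originating on the server towards 10.10.120.0/24 is dropped. The input drop for vlan110 means the server cannot use the hAP as a DNS resolver; point it at an external resolver. Check the result with `/ip route print` (the two VLAN routes show as DAC, the default as DAS from DHCP) and, after trying a connection from the server to an office PC, `/ip firewall filter print stats`, where the last forward rule's counters should increase. On RouterOS 6.41 and later master-port no longer exists; the equivalent is a bridge containing ether2 and ether3 with the VLAN interfaces created on the bridge, and the firewall rules above stay the same.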