Community discussions

MikroTik App
  4. RouterOS
  5. General

Vlan don't go on internet

Post Reply
 
Chouby
newbie
Topic Author
Posts: 35
Joined: Fri Apr 07, 2017 3:49 am

Vlan don't go on internet

Thu Mar 21, 2024 9:31 pm

Hi!

I have a problem.. the vlan 100 who is bonded with JP's lan does not work on internet.. devices on this network, in 192.168.2.0 network, ping 192.168.2.1 gateway without any issue but can't go on internet.

Can you help me? I didn't see what's the bug

Quick schema: Cell phone on SSID xyz -> Ubiquiti SSID xyz on vlan 100 -> Netgear managed switch -> Mikrotik -> Internet PPPoE Bell Fiber
All the link are well connected with vlan 100 tagged. The problem is in the mikrotik, the cell phone ping the gateway.

Thanks!
# 2024-03-21 15:15:40 by RouterOS 7.14.1
# software id = 13S7-4K9N
#
# model = RB5009UG+S+
# serial number = HFD095XXXXX

/interface ethernet

set [ find default-name=ether2 ] name=Dave

set [ find default-name=ether1 ] name=Internet

set [ find default-name=ether3 ] disabled=yes

set [ find default-name=ether4 ] disabled=yes

set [ find default-name=ether5 ] disabled=yes

set [ find default-name=ether6 ] disabled=yes

set [ find default-name=ether7 ] disabled=yes

set [ find default-name=ether8 ] disabled=yes

/interface pppoe-client

add add-default-route=yes disabled=no interface=Internet name="Bell PPPoE" \

password=xxxxx use-peer-dns=yes user=b12xxxxx

/interface vlan

add interface=Dave name=JP vlan-id=100

add interface=Dave name=Security vlan-id=200

add interface=Dave name=Spa vlan-id=400

add interface=Dave name=Visiteurs vlan-id=10

add interface=Dave name=iot vlan-id=300

/interface list

add name=WAN

add name=LAN

/interface wireless security-profiles

set [ find default=yes ] supplicant-identity=MikroTik

/ip firewall layer7-protocol

add name="Block YoutubeApp" regexp="^.+(youtube.com|www.youtube.com|m.youtube.\

com|ytimg.com|s.ytimg.com|ytimg.l.google.com|youtube.l.google.com|i.google\

.com|googlevideo.com|youtu.be).*\$"

add name="Block tiktok" regexp="^.+(myqcloud.com|wsdvs.com|worldfcdn.com|footp\

rint.net|byteoversea.|ibyteimg.|.ibyteimg|ibyteimg.com|musemuse.cn|muscdn.\

com|.byteoversea|byted.org|bytecdn.cn|byteoversea.com|.musical|musical.|mu\

sical.ly|tiktokcdn.com|tiktokv.com|tiktokcdn.com|.tiktokv|tiktokv.|tiktokc\

dn-com|.akamaized|akamaized.net|akamaized.|tiktok.com|www.tiktok.com|m.tik\

tok.com|tiktok.|tiktok|.zhiliaoapp|.musically|zhiliaoapp.|musically.).*\$"

add name=Facebook regexp="^.+(www.facebook.com|facebook.com|login.facebook.com\

|www.login.facebook.com|fbcdn.net|www.fbcdn.net|fbcdn.com|www.fbcdn.com|st\

atic.ak.fbcdn.net|static.ak.connect.facebook.com|connect.facebook.net|www.\

connect.facebook.net|apps.facebook.com).*\\\$\"^.+"

/ip pool

add name=Pool_Dave ranges=192.168.1.100-192.168.1.254

add name=Pool_Security ranges=192.168.200.10-192.168.200.100

add name=Pool_JP ranges=192.168.2.100-192.168.2.200

add name=Pool_iot ranges=192.168.3.10-192.168.3.254

add name=Pool_Visiteurs ranges=10.0.10.100-10.0.10.200

add name=Pool_Spa ranges=192.168.4.100-192.168.4.150

/ip dhcp-server

add address-pool=Pool_Dave interface=Dave lease-time=10m name=DHCP_Dave

add address-pool=Pool_Security interface=Security lease-time=10m name=\

DHCP_Security

add address-pool=Pool_JP interface=JP name=DHCP_JP

add address-pool=Pool_iot interface=iot name=DHCP_iot

add address-pool=Pool_Visiteurs interface=Visiteurs name=DHCP_Visiteurs

add address-pool=Pool_Spa interface=Spa name=DHCP_Spa

/ip smb users

set [ find default=yes ] disabled=yes

/queue simple

add burst-limit=100M/100M burst-threshold=15M/15M burst-time=5s/5s max-limit=\

20M/20M name=QOS_Visiteurs target=Visiteurs

/ip firewall connection tracking

set udp-timeout=10s

/ip neighbor discovery-settings

set discover-interface-list=!dynamic

/interface detect-internet

set detect-interface-list=all

/interface list member

add interface="Bell PPPoE" list=WAN

add interface=*FFFFFFFF list=LAN

/ip address

add address=192.168.1.1/24 interface=Dave network=192.168.1.0

add address=192.168.200.1/24 interface=Security network=192.168.200.0

add address=192.168.2.1/24 interface=JP network=192.168.2.0

add address=192.168.3.1/24 interface=iot network=192.168.3.0

add address=10.0.10.1/24 interface=Visiteurs network=10.0.10.0

add address=192.168.4.1/24 interface=Spa network=192.168.4.0

/ip dhcp-server lease
*Removed for visual confort*

/ip dhcp-server network

add address=10.0.10.0/24 dns-server=8.8.8.8 gateway=10.0.10.1

add address=192.168.1.0/24 dns-server=192.168.1.10 gateway=192.168.1.1 \

netmask=24

add address=192.168.2.0/24 dns-server=8.8.8.8 gateway=192.168.2.1

add address=192.168.3.0/24 dns-server=8.8.8.8 gateway=192.168.3.1

add address=192.168.4.0/24 dns-server=8.8.8.8 gateway=192.168.4.1 netmask=24

add address=192.168.200.0/24 dns-none=yes gateway=192.168.200.1

/ip firewall address-list
*Removed a lot for visual confort*

add address=192.168.1.0/24 list=Block_Visiteurs

add address=192.168.2.0/24 list=Block_Visiteurs

add address=192.168.3.0/24 list=Block_Visiteurs

add address=192.168.200.0/24 list=Block_Visiteurs

/ip firewall filter

add action=drop chain=input comment="Block China" in-interface="Bell PPPoE" \

src-address-list=CN

add action=drop chain=input comment="Block Russia" in-interface="Bell PPPoE" \

src-address-list=RU

add action=drop chain=forward comment="Block internet security" \

out-interface="Bell PPPoE" src-address-list=Security

add action=drop chain=input comment=\

"Allow Winbox attempt from internet CANADA ONLY" dst-port=8291 \

in-interface="Bell PPPoE" log-prefix=winboxWAN protocol=tcp \

src-address-list=!CA

add action=drop chain=input comment="Drop ping from WAN" disabled=yes \

in-interface="Bell PPPoE" protocol=icmp

add action=accept chain=forward comment="Accept JP->DNS Dave" dst-address=\

192.168.1.10 dst-port=53 protocol=udp src-address=192.168.2.0/24

add action=drop chain=forward comment="Block JP->Dave" dst-address=\

192.168.1.0/24 src-address=192.168.2.0/24

add action=drop chain=forward comment="Block JP->Security" dst-address=\

192.168.200.0/24 src-address=192.168.2.0/24

add action=drop chain=forward comment="Block Visteurs->Tous" \

dst-address-list=Block_Visiteurs src-address=10.0.10.0/24

/ip firewall nat

add action=masquerade chain=srcnat out-interface="Bell PPPoE" src-address=\

192.168.1.0/24

add action=masquerade chain=srcnat out-interface="Bell PPPoE" src-address=\

192.168.2.0/24

add action=masquerade chain=srcnat out-interface="Bell PPPoE" src-address=\

192.168.3.0/24

add action=masquerade chain=srcnat out-interface="Bell PPPoE" src-address=\

10.0.10.0/24

/ip firewall service-port

set ftp disabled=yes

set tftp disabled=yes

set sip disabled=yes

/ip service

set telnet disabled=yes

set ftp disabled=yes

set www address=192.168.1.0/24

set ssh address=192.168.1.0/24

set api disabled=yes

set api-ssl disabled=yes

/ip smb shares

set [ find default=yes ] directory=/pub

/ipv6 firewall address-list
*Removed for visual confort*

/system clock

set time-zone-name=America/Toronto

/system note

set show-at-login=no

/system script

*Removed for visual confort*

/tool bandwidth-server

set authenticate=no enabled=no
Last edited by Chouby on Tue Apr 02, 2024 11:14 pm, edited 1 time in total.
Top
 
erlinden
Forum Guru
Forum Guru
Posts: 2682
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Vlan don't go on internet

Thu Mar 21, 2024 9:47 pm

Without checking the config...did you add the VLAN to LAN in the /interface list member?
Top
 
Chouby
newbie
Topic Author
Posts: 35
Joined: Fri Apr 07, 2017 3:49 am

Re: Vlan don't go on internet

Thu Mar 21, 2024 9:57 pm

Without checking the config...did you add the VLAN to LAN in the /interface list member?
nope.. it's the only vlan who can't connect to internet, all others are OK
Top
 
Chouby
newbie
Topic Author
Posts: 35
Joined: Fri Apr 07, 2017 3:49 am

Re: Vlan don't go on internet

Fri Mar 22, 2024 3:09 pm

Without checking the config...did you add the VLAN to LAN in the /interface list member?
Added, no difference..
Top
 
neki
Member Candidate
Member Candidate
Posts: 248
Joined: Thu Sep 07, 2023 10:20 am

Re: Vlan don't go on internet

Sat Mar 23, 2024 6:53 pm

Try to change this:
Code: Select all
/ip firewall nat
add action=masquerade chain=srcnat out-interface="Bell PPPoE" src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface="Bell PPPoE" src-address=192.168.2.0/24
add action=masquerade chain=srcnat out-interface="Bell PPPoE" src-address=192.168.3.0/24
add action=masquerade chain=srcnat out-interface="Bell PPPoE" src-address=10.0.10.0/24

to this:
Code: Select all
/ip firewall nat
add action=masquerade chain=srcnat out-interface="Bell PPPoE"
Top
 
Chouby
newbie
Topic Author
Posts: 35
Joined: Fri Apr 07, 2017 3:49 am

Re: Vlan don't go on internet

Wed Mar 27, 2024 9:06 pm

Try to change this:
Code: Select all
/ip firewall nat
add action=masquerade chain=srcnat out-interface="Bell PPPoE" src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface="Bell PPPoE" src-address=192.168.2.0/24
add action=masquerade chain=srcnat out-interface="Bell PPPoE" src-address=192.168.3.0/24
add action=masquerade chain=srcnat out-interface="Bell PPPoE" src-address=10.0.10.0/24

to this:
Code: Select all
/ip firewall nat
add action=masquerade chain=srcnat out-interface="Bell PPPoE"
Did not work.. again, all vlan go to the internet, no this vlan especially
Top
 
CGGXANNX
Member Candidate
Member Candidate
Posts: 257
Joined: Thu Dec 21, 2023 6:45 pm

Re: Vlan don't go on internet

Fri Mar 29, 2024 9:07 am

Well you have this rule in the middle of your IP firewall filter:

Code: Select all
/interface vlan
...
add interface=Dave name=Security vlan-id=200
...

/ip firewall filter
...
add action=drop chain=forward comment="Block internet security" \
    out-interface="Bell PPPoE" src-address-list=Security
...

You've omitted most of the address list entries from the export output, but I assume that that "Security" list has the address ranges of VLAN 200, the "Security" VLAN (192.168.200.10-192.168.200.100)?
Top
 
Chouby
newbie
Topic Author
Posts: 35
Joined: Fri Apr 07, 2017 3:49 am

Re: Vlan don't go on internet

Tue Apr 02, 2024 4:51 pm

Well you have this rule in the middle of your IP firewall filter:

Code: Select all
/interface vlan
...
add interface=Dave name=Security vlan-id=200
...

/ip firewall filter
...
add action=drop chain=forward comment="Block internet security" \
    out-interface="Bell PPPoE" src-address-list=Security
...

You've omitted most of the address list entries from the export output, but I assume that that "Security" list has the address ranges of VLAN 200, the "Security" VLAN (192.168.200.10-192.168.200.100)?
Correct, security is my ip camera.. I don't want them to talk with china :P hehehe yes it's 192.168.200.0/24
the vlan who don't wanna go on the internet is 192.168.2.0/24
Top
 
CGGXANNX
Member Candidate
Member Candidate
Posts: 257
Joined: Thu Dec 21, 2023 6:45 pm

Re: Vlan don't go on internet

Tue Apr 02, 2024 8:27 pm

Yes, but above you've described connection problems with vlan 200. And the vlan with that id is the "Security" one with the 192.168.200.10-192.168.200.100 range. So according to your configuration. It's normal that that vlan 200 is unable to go to the internet.

Your "JP" vlan is the one with id=100. Shouldn't you configure your device to use that vlan 100 instead to be able to go to the internet?
Top
 
Chouby
newbie
Topic Author
Posts: 35
Joined: Fri Apr 07, 2017 3:49 am

Re: Vlan don't go on internet

Tue Apr 02, 2024 11:02 pm

Yes, but above you've described connection problems with vlan 200. And the vlan with that id is the "Security" one with the 192.168.200.10-192.168.200.100 range. So according to your configuration. It's normal that that vlan 200 is unable to go to the internet.

Your "JP" vlan is the one with id=100. Shouldn't you configure your device to use that vlan 100 instead to be able to go to the internet?
My bad.. vlan 100 can't go on the internet. Just edited original post
Top
 
CGGXANNX
Member Candidate
Member Candidate
Posts: 257
Joined: Thu Dec 21, 2023 6:45 pm

Re: Vlan don't go on internet

Tue Apr 02, 2024 11:59 pm

Does ping 1.1.1.1 work from a device using vlan 100? Also do the devices in vlan 100 use 8.8.8.8 as DNS server or 192.168.1.10? If they use 192.168.1.10 you might need another "Accept JP->DNS Dave" rule, but this time for protocol=tcp dst-port=53. If the DNS query answers are bigger than the limit of one UDP packet, the query will switch to using TCP 53 instead of UDP 53.

Besides that, your current firewall configuration is not secure. You are missing drop all rules for both the input and forward chains (see https://help.mikrotik.com/docs/display/ ... d+Firewall). On your RB5009, you can see the firewall rules shipped with the default configuration by executing the command:

Code: Select all
/system/default-configuration/print without-paging

and finding the section that begins with /interface list member add list=LAN interface=bridge comment="defconf". If you use the rules from the web page above or defconf, you'll need to add all your vlan interfaces to the list LAN and remove the existing invalid entry *FFFFFFF which was for the bridge that you've removed. You'll also see that the masquerade rule for instance uses the better practice of using interface list (WAN) instead of specifying the individual interface ("Bell PPPoE") and that ICMP should not be blocked on the input chain! ICMP is not only used for ping but also for important stuffs like path MTU discovery. If you want to drop ping, filter only echo request by adding the condition icmp-options=0:0-255 to the drop rule.
Top
Post Reply

Who is online

Users browsing this forum: dcavni and 132 guests
  4. RouterOS
  5. General