mbze430
just joined
Topic Author
Posts: 6
Joined: Tue Apr 02, 2024 9:40 pm

NEWB - NAT configuration via sfp-sfpplus1 but traffic going through ether1

Sun Apr 07, 2024 9:52 am

What seems to be happening is that, the way I have it [mis]configured, traffic comes out and in from both the ether1 port and the sfp-sfpplus1 port.

Here is the config file:
# 2024-04-07 01:28:49 by RouterOS 7.14.2
# software id = BKEZ-7BGA
#
# model = CRS305-1G-4S+
# serial number = B9EA-------
/interface bridge
add dhcp-snooping=yes igmp-snooping=yes igmp-version=3 mtu=1500 \
    multicast-querier=yes name=local priority=0xB000
/interface ethernet
set [ find default-name=ether1 ] l2mtu=9216
set [ find default-name=sfp-sfpplus1 ] advertise="100M-baseT-half,100M-baseT-f\
    ull,1G-baseT-half,1G-baseT-full,1G-baseX,2.5G-baseT,2.5G-baseX,10G-baseT,1\
    0G-baseSR-LR,10G-baseCR" l2mtu=9216
set [ find default-name=sfp-sfpplus2 ] l2mtu=9216
set [ find default-name=sfp-sfpplus3 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes
/interface list
add name=listBridge
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface bridge port
add bridge=local interface=sfp-sfpplus2
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/interface list member
add interface=local list=listBridge
add interface=ether1 list=listBridge
/ip address
add address=172.16.255.1/30 comment="router port" interface=local network=\
    172.16.255.0
add address=10.0.254.88/24 interface=ether1 network=10.0.254.0
/ip dhcp-client
add interface=sfp-sfpplus1
/ip firewall filter
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=accept chain=input in-interface=ether1 protocol=icmp
add action=accept chain=input comment="accept SSH mgmt" dst-port=2222 \
    in-interface=ether1 protocol=tcp
add action=accept chain=input comment="accept WWW mgmt" dst-port=80 \
    in-interface=ether1 protocol=tcp
add action=accept chain=input comment="accept WinBox mgmt" dst-port=8291 \
    in-interface=ether1 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=sfp-sfpplus1 \
    port=2222 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=\
    sfp-sfpplus1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp-sfpplus1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2222
set api disabled=yes
set api-ssl disabled=yes
/ipv6 dhcp-client
add interface=sfp-sfpplus1 pool-name=ipv6-general request=prefix
/ipv6 nd
set [ find default=yes ] interface=local
/system clock
set time-zone-name=America/Chicago
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=50.218.103.254
add address=138.236.128.36
add address=204.17.205.8
add address=192.48.105.15
/system routerboard settings
set boot-os=router-os
/system swos
set identity=MikroTik
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
The network flow is as follows:
What I want to do is make ether1 the management port, to access the WWW, SSH, and WinBox on VLAN254 (10.0.254.0/24); I gave it the IP 10.0.254.88. It's connected to a switch port set to access mode, VLAN 254.
sfp-sfpplus1 I want to use for "WAN" traffic; I am getting DHCP from my provider.
sfp-sfpplus2 I want to use for "LAN" traffic. I assigned it 172.16.255.1/30; on the other end of that is an L3 switch port that has been assigned IP 172.16.255.2/30, which also contains all the SVI table.

As of right now... any port on VLAN254 can get out to the internet. I think all the traffic is going through ether1.
In the config console of the L3 switch, I can ping 1.1.1.1, but from any other VLAN host pings won't reach 1.1.1.1, only their own gateway and the other VLAN subnets.
Here is a screenshot from a host on 254 doing a speedtest.
(attached screenshot: Screenshot 2024-04-07 013244.png)
As you can see, one interface carries the in-bound traffic and the other interface the out-bound traffic.

Any help/suggestion would be greatly appreciated.
 
TheCat12
Member Candidate
Posts: 189
Joined: Fri Dec 31, 2021 9:13 pm

Re: NEWB - NAT configuration via sfp-sfpplus1 but traffic going through ether1

Sun Apr 07, 2024 8:27 pm

To enable VLAN254 on ether1, and thus isolate it from the rest of the network, you should remove it from the interface list, add it to a bridge of its own, set up and enable bridge VLAN filtering, optionally add a DHCP server, and set the firewall rules to work for the VLAN instead of ether1:
/interface list member remove [ find interface=ether1 ]

/interface bridge add name=bridge_mgmt

/interface bridge port add bridge=bridge_mgmt interface=ether1 pvid=254

/interface vlan add interface=bridge_mgmt name=MGMT vlan-id=254

/ip address set [ find interface=ether1 ] address=10.0.254.81/30 interface=MGMT network=10.0.254.80

/ip pool add ranges=10.0.254.82 name=pool_mgmt

/ip dhcp-server network add address=10.0.254.80/30 gateway=10.0.254.81

/ip dhcp-server add address-pool=pool_mgmt interface=MGMT name=dhcp_mgmt

/interface bridge vlan add bridge=bridge_mgmt tagged=bridge_mgmt vlan-ids=254

/interface bridge set bridge_mgmt vlan-filtering=yes frame-types=admit-only-vlan-tagged

/ip firewall filter
set [ find in-interface=ether1 ] in-interface=MGMT
Instead of using firewall filters, and with the "block everything else" rule also blocking internet access, why don't you set allowed addresses in /ip service? For SSH it is reasonable to use firewall filters, but for port 80 not so much. Example config:
/ip service
set www address=10.0.254.80/30
set winbox address=10.0.254.80/30

/ip firewall filter
remove [ find in-interface=MGMT ]
add action=accept chain=input comment="accept SSH mgmt" dst-port=2222 in-interface=MGMT protocol=tcp place-before=[ find comment="block everything else" ]
set [ find comment="block everything else" ] protocol=tcp dst-port=!80,443
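A small audit script, added here and not part of the thread or of RouterOS, that parses an export like the one posted above (including its backslash line-wrap continuations) and flags the management-exposure points raised in this reply: input accepts without a source restriction, /ip service entries without address=, and the interfaces on which the MAC server listens. The embedded export is a constructed, trimmed copy of the original post's config; the section names and keys are standard RouterOS export syntax.

```python
import re
# Constructed sample: a trimmed copy of the export posted above, embedded so it runs offline.
EXPORT = """\
/interface list member
add interface=local list=listBridge
add interface=ether1 list=listBridge
/ip firewall filter
add action=accept chain=input comment="accept WWW mgmt" dst-port=80 in-interface=\\
    ether1 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=sfp-sfpplus1 \\
    port=2222 protocol=tcp
/ip service
set telnet disabled=yes
set ssh port=2222
/tool mac-server
set allowed-interface-list=listBridge
"""
KV = r'([\w-]+)=("[^"]*"|\S+)'  # key=value or key="quoted value"
def parse_export(text):
    """Parse a RouterOS export into {section: [entry]}; a trailing backslash wraps a line."""
    lines, sections, section = [], {}, None
    for raw in text.splitlines():              # undo the export's line wrapping first
        if lines and lines[-1].endswith("\\"):  # continuation may split a token mid-way
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw.rstrip())
    for line in lines:
        if line.startswith("/"):               # "/ip service" style section header
            section = sections.setdefault(line, [])
        elif section is not None and line:
            cmd, _, rest = line.partition(" ")  # "add k=v ..." or "set ssh k=v ..."
            entry = {k: v.strip('"') for k, v in re.findall(KV, rest)}
            entry["_cmd"], entry["_args"] = cmd, re.sub(KV, "", rest).split()
            section.append(entry)
    return sections
def audit(sections):
    """Management-exposure findings a reviewer would raise on this export."""
    findings = []
    for r in sections.get("/ip firewall filter", []):  # accepts into the router itself
        if r.get("chain") == "input" and r.get("action") == "accept" and "src-address" not in r:
            findings.append("input accept on %s lacks src-address" % r.get("in-interface", "any"))
    svc = {e["_args"][0]: e for e in sections.get("/ip service", []) if e["_args"]}
    for name in ("ssh", "www", "winbox"):  # no "set" line means default: enabled, no address=
        if (e := svc.get(name, {})).get("disabled") != "yes" and "address" not in e:
            findings.append("service %s has no address= restriction" % name)
    lst = (sections.get("/tool mac-server") or [{}])[0].get("allowed-interface-list")
    findings += ["MAC-server reachable on " + m["interface"]
                 for m in sections.get("/interface list member", []) if m.get("list") == lst]
    return findings
```

Run against the sample it reports SSH accepted on the WAN port without a source restriction, www/winbox/ssh services open to any address, and the MAC server reachable on both ether1 and the bridge.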
 
mbze430
just joined
Topic Author
Posts: 6
Joined: Tue Apr 02, 2024 9:40 pm

Re: NEWB - NAT configuration via sfp-sfpplus1 but traffic going through ether1

Mon Apr 08, 2024 2:18 am

Please bear with me as I try to understand this part of your recommendation; I just followed the First Time configuration provided by MikroTik, as I am not very familiar with the concept of the bridge.
/ip address set [ find interface=ether1 ] address=10.0.254.81/30 interface=MGMT network=10.0.254.80

/ip pool add ranges=10.0.254.82 name=pool_mgmt

/ip dhcp-server network add address=10.0.254.80/30 gateway=10.0.254.81

/ip dhcp-server add address-pool=pool_mgmt interface=MGMT name=dhcp_mgmt

/interface bridge vlan add bridge=bridge_mgmt tagged=bridge_mgmt vlan-ids=254

/interface bridge set bridge_mgmt vlan-filtering=yes frame-types=admit-only-vlan-tagged

/ip firewall filter
set [ find in-interface=ether1 ] in-interface=MGMT
The line:
/ip address set [ find interface=ether1 ] address=10.0.254.81/30 interface=MGMT network=10.0.254.80
Why am I limiting myself to only two IPs on this interface? Should I be changing the address from 10.0.254.81 to 10.0.254.88 in my case?
What is the benefit of enabling the DHCP server?
 
TheCat12
Member Candidate
Posts: 189
Joined: Fri Dec 31, 2021 9:13 pm

Re: NEWB - NAT configuration via sfp-sfpplus1 but traffic going through ether1

Mon Apr 08, 2024 12:51 pm

The purpose of the bridge is to allow hardware offloading (i.e. not overloading your CPU) for VLAN tagging/untagging. Typically bridges are used to link two or more physical interfaces as if they were attached to a single LAN. In our case it consists of only one ethernet port, due to it being the only one involved with VLAN traffic and, as I mentioned earlier, to enable hardware offloading. For the DHCP server, I assume that you would use one device to manage the router, so that's why I limited it to only two addresses. The practical side of using a DHCP server is that you don't need to set up an address statically on the management device (computer, laptop, etc.).
 
mbze430
just joined
Topic Author
Posts: 6
Joined: Tue Apr 02, 2024 9:40 pm

Re: NEWB - NAT configuration via sfp-sfpplus1 but traffic going through ether1

Mon Apr 08, 2024 4:42 pm

For the DHCP server, I assume that you would use one device to manage the router, so that's why I limited it to only two addresses. The practical side of using a DHCP server is that you don't need to set up an address statically on the management device (computer, laptop, etc.).
Thank you for making the clarification; it was even more helpful with the explanation.

As for the DHCP, our VLAN 254 is considered our management network. All our IPMI/iDRAC/iLO/LoM and console switches are located in this VLAN. So all I need is just to assign our VLAN IP address to the ether1 port. No need for DHCP, as the entire subnet is statically assigned. Unless you mean that the MikroTik will assign an IP to ether1 via DHCP?

I will disregard the DHCP portion of what you recommended and work my way through without it.
