Fri May 03, 2024 4:20 pm
(1) The management VLAN/subnet has no pool, no DHCP, etc. That makes sense if you intend to use this setup to configure the router OFF the bridge, which is highly recommended.
In this case no VLAN is defined for management and ether7 is NOT a member of the bridge. This is what I will show.
(2) You don't need connection-state=new in firewall rules. Each rule effectively only sees the first packet of a connection, because the subsequent packets are handled by the fasttrack or the established,related rule earlier in the chain.
(3) The port forwarding rules are put in the dstnat chain
(4) Disable the IPv6 service if you are not using it, and remove the IPv6 address lists and firewall rules.
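# model = RB5009UG+S+
# Management stays OFF the bridge: ether7-mgmt is a plain routed port, so no
# management VLAN interface is needed on the bridge.
/interface vlan
# REMOVED: add interface=bridge name=vlan100-mgmt vlan-id=100
# (not needed once ether7-mgmt is no longer a bridge port)
/interface pppoe-client
add add-default-route=yes disabled=no interface=wan-vlan35 name=pppoe-wan use-peer-dns=yes user=user
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN-mgmt
add name=LAN
/interface bridge port
# Trunk ports accept tagged frames only.
add bridge=bridge disabled=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1-Trk
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2-Trk
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether3-Trk
# Access ports accept untagged frames only and are pinned to one VLAN via pvid,
# so a host cannot tag its own frames into another VLAN.
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=13
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=12
# REMOVED: add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7-mgmt pvid=100
# (ether7-mgmt is not a bridge port in this design)
/interface bridge vlan
# VLAN 100 is still tagged on the trunks here; if nothing on the bridge uses it
# any more it can be dropped from this entry.
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk vlan-ids=99,100
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether5 vlan-ids=11
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether6 vlan-ids=12
add bridge=bridge tagged=bridge,ether1-Trk,ether2-Trk,ether3-Trk untagged=ether4 vlan-ids=13
/interface list member
add interface=pppoe-wan list=WAN
add interface=vlan1 list=LAN
add interface=vlan2 list=LAN
add interface=vlan3 list=LAN
add interface=vlan99-work list=LAN
add interface=ether7-mgmt list=LAN
# NOTE: vlan1 is also a member of LAN-mgmt, so every host on vlan1 gets the
# same router access as the dedicated management port (the input chain accepts
# everything from LAN-mgmt). Remove the vlan1 line below if only ether7-mgmt
# should be able to manage the router.
add interface=vlan1 list=LAN-mgmt
add interface=ether7-mgmt list=LAN-mgmt
/ip address
add address=192.168.100.1/24 interface=ether7-mgmt network=192.168.100.0
add address=192.168.10.1/24 interface=vlan1 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan2 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan3 network=192.168.30.0
add address=192.168.40.1/24 interface=vlan99-work network=192.168.40.0
/ip dns
# allow-remote-requests=yes turns the router into a resolver for its clients.
# It is only reachable from the LAN list because the input chain below accepts
# port 53 from LAN only and drops everything else (including WAN).
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall filter
# ---- input chain: traffic addressed to the router itself. Order matters. ----
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Full router access (winbox, ssh, www, ...) only from the management list.
add action=accept chain=input comment="only if in management interface" in-interface-list=LAN-mgmt
# DNS from the LAN list needs both UDP and TCP; with a TCP-only rule normal UDP
# queries would fall through to the drop rule at the end of the chain.
add action=accept chain=input comment="user to services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="user to services" dst-port=53 protocol=tcp in-interface-list=LAN
# Keep this rule LAST in the input chain; putting it earlier locks you out.
add action=drop chain=input comment="Drop all else"
# ---- forward chain: traffic passing through the router. ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# New connections: LAN to internet, management to any LAN, vlan2 to vlan3.
# Everything else between VLANs is dropped by the last rule.
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN-mgmt out-interface-list=LAN
add action=accept chain=forward in-interface=vlan2 out-interface=vlan3
# The only forward rule needed for port forwarding: it matches connections that
# were already translated by the dstnat rules below.
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Exposes ports 80 and 443 of 192.168.30.5 to the internet via the WAN list.
# Clients inside VLAN3 reaching the server through the public address need an
# additional (hairpin) rule that is not part of this listing.
add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.30.5
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.30.5
/tool mac-server
# MAC-telnet disabled on every interface: access by MAC address alone is not
# considered secure.
set allowed-interface-list=NONE
/tool mac-server mac-winbox
# MAC-winbox only from the management list (ether7-mgmt, and vlan1 as long as
# it is a member of LAN-mgmt).
set allowed-interface-list=LAN-mgmt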
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Now your port forwarding should work for external users.
If you have users IN VLAN3 (subnet 30) trying to reach servers on VLAN3 through the forwarded WAN address, then more changes are needed.
If you have other local users on VLAN1, VLAN2 or management trying to reach servers on VLAN3, you should be good to go.
To reach your router for configuration on ether7, simply change the NIC settings on your PC/laptop to a static IPv4 address such as 192.168.100.X.
Otherwise, if you are on vlan1, you should also be able to reach the router for configuration (this time from a port on the bridge).