Channel: MikroTik

General • VXLAN / Firewall Interaction

Hello All,

I have a lab setup; please look at the attached network map and the configs posted. The underlying goal is to create a VXLAN between 2 endpoints for multicast traffic. In the lab, I essentially have 2 simple, fairly default configurations. The difficulty lies in understanding how the firewall rule "drop all not coming from LAN" is interacting with the VXLAN, and how to allow traffic to pass down the VXLAN without this rule blocking the traffic and yet remain effective for its intended purpose. In this lab setup it works as expected if the rule is disabled, and I have tried several variations of the rule to allow the traffic to pass without success, and I need a fresh set of eyes to help me see what I am missing. I am certain there will be questions about aspects that I have overlooked in this synopsis, so ask, but as to the "why" questions: at the moment this is a proof of concept project, so it's about how to make it work, not anything more on the final implementation if the concept proves out.


VXLAN LAB1 config
# 2025-04-02 13:56:24 by RouterOS 7.18.2
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether2 ] disable-running-check=no name=ether1
set [ find default-name=ether1 ] disable-running-check=no name=ether2
/interface vxlan
add dont-fragment=disabled mac-address=5E:BA:F4:D6:87:92 name=VXLAN-VNI504 vni=504
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.81.10-192.168.81.254
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 read-access=no
/interface bridge port
add bridge=bridge interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=VXLAN-VNI504 list=LAN
/interface vxlan vteps
add interface=VXLAN-VNI504 remote-ip=192.168.90.12
/ip address
add address=192.168.81.1/24 interface=bridge network=192.168.81.0
add address=172.16.25.1/30 interface=VXLAN-VNI504 network=172.16.25.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server
add address-pool=dhcp interface=bridge name=dhcp
/ip dhcp-server network
add address=192.168.81.0/24 dns-server=192.168.81.1 gateway=192.168.81.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input in-interface=VXLAN-VNI504
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid log=yes log-prefix="drop invalid->"
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="drop all not coming from LAN" disabled=yes in-interface-list=!LAN log=yes log-prefix="drop all not coming from LAN->"
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix="drop invalid->"
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="drop all from WAN not DSTNATed->"
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name="VXLAN1 LAB"

VXLAN LAB2 config
# 2025-04-02 13:58:35 by RouterOS 7.18.2
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
/interface vxlan
add dont-fragment=disabled mac-address=42:6B:EC:D2:63:2A name=VXLAN-VNI504 vni=504
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.82.10-192.168.82.254
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 read-access=no
/interface bridge port
add bridge=bridge interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=VXLAN-VNI504 list=LAN
/interface vxlan vteps
add interface=VXLAN-VNI504 remote-ip=192.168.90.11
/ip address
add address=192.168.82.1/24 interface=bridge network=192.168.82.0
add address=172.16.25.2/30 interface=VXLAN-VNI504 network=172.16.25.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server
add address-pool=dhcp interface=bridge name=dhcp
/ip dhcp-server network
add address=192.168.82.0/24 dns-server=192.168.82.1 gateway=192.168.82.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input in-interface=VXLAN-VNI504
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid log=yes log-prefix="drop invalid->"
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="drop all not coming from LAN" disabled=yes in-interface-list=!LAN log=yes log-prefix="drop all not coming from LAN->"
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix="drop invalid->"
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="drop all from WAN not DSTNATed->"
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name="VXLAN2 LAB"

Posted by msteil — Wed Apr 02, 2025 10:33 pm
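As an added illustration (not part of the post or its configs), here is a small Python model of the posted input chain evaluated for the first datagram of a new connection. It assumes the RFC 7348 default VXLAN UDP port 4789 (neither config overrides it) and that the peer VTEP's datagrams enter on ether1; it shows the encapsulated VTEP datagram reaching "drop all not coming from LAN" while the decapsulated overlay packet matches the VXLAN-VNI504 accept, and contrasts that with a hypothetical accept scoped to the peer VTEP and port 4789 placed ahead of the drop.

```python
from dataclasses import dataclass

# Interface-list membership from the posted LAB1 config; 4789 is the RFC 7348 default
# VXLAN UDP port (assumed, since neither posted config sets a different one).
IFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge", "VXLAN-VNI504"}}
VXLAN_PORT, PEER_VTEP = 4789, "192.168.90.12"

@dataclass
class Rule:
    action: str
    comment: str
    in_iface: str = ""
    in_list: str = ""      # "!LAN" = interface NOT in list LAN, as written in the config
    proto: str = ""
    dst_port: int = 0
    src: str = ""

    def matches(self, pkt: dict) -> bool:
        if self.in_list:   # interface-list match, honouring the "!" negation
            member = pkt["in_iface"] in IFACE_LISTS[self.in_list.lstrip("!")]
            if member == self.in_list.startswith("!"):
                return False
        pairs = ((self.in_iface, pkt["in_iface"]), (self.proto, pkt["proto"]),
                 (self.dst_port, pkt["dst_port"]), (self.src, pkt["src"]))
        return all(not want or want == have for want, have in pairs)

# The posted input chain for a NEW connection, with "drop all not coming from LAN"
# enabled (the failing case). Rules that cannot match a new UDP datagram
# (established/related, invalid, loopback) are left out of this simplified model.
INPUT_CHAIN = [
    Rule("accept", "accept in-interface=VXLAN-VNI504", in_iface="VXLAN-VNI504"),
    Rule("accept", "accept ICMP", proto="icmp"),
    Rule("drop", "drop all not coming from LAN", in_list="!LAN"),
]

def evaluate(chain, pkt: dict) -> str:
    """Return 'action: comment' of the first matching rule; RouterOS accepts if none matches."""
    return next((f"{r.action}: {r.comment}" for r in chain if r.matches(pkt)), "accept: default")

# Constructed packets: the encapsulated VTEP datagram enters on ether1 (WAN list);
# its decapsulated payload is then seen again on VXLAN-VNI504 (LAN list).
UNDERLAY = dict(in_iface="ether1", proto="udp", dst_port=VXLAN_PORT, src=PEER_VTEP)
OVERLAY = dict(in_iface="VXLAN-VNI504", proto="udp", dst_port=5004, src="172.16.25.2")

def with_vtep_accept(chain):
    """Hypothetical narrow fix: accept only the peer VTEP's VXLAN datagrams, before the drop."""
    fix = Rule("accept", "accept VXLAN from peer VTEP", in_list="WAN",
               proto="udp", dst_port=VXLAN_PORT, src=PEER_VTEP)
    return chain[:-1] + [fix, chain[-1]]
```

The model ignores connection tracking, so it describes only the first datagram of a new UDP flow; a datagram to port 4789 from any source other than the peer VTEP still falls through to the drop rule in the hardened chain.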