Need help with network organization

johnsilver · Tue Aug 23, 2011 2:01 pm

Hello, dear community. I'd like that you help me with process decision making. This is my first post here, sorry if i posted it in wrong place. This is my network map and what i want to achieve. Can it be done by using mikrotik? Can someone help with minimal manual how can i do this. I'll be very appreciated for any help or tips. Thanks

johnsilver · Tue Aug 23, 2011 2:02 pm

Ours current configuration

Tue Aug 23, 2011 2:03 pm

of course it's possible, but need more info. you will have several uplinks, do you plan to use some load balancing, or send certain users through one, and some through the other? what are the other requirements, bandwidth shaping, firewall?

johnsilver · Tue Aug 23, 2011 2:19 pm

of course it's possible, but need more info. you will have several uplinks, do you plan to use some load balancing, or send certain users through one, and some through the other? what are the other requirements, bandwidth shaping, firewall?

Thanks for fast answer. I'll give any info, just ask. Users from network #1 can use internet #1 only and FTP. Network #2 users can use both internet #1 and internet #2 and FTP also (it's logical to use load balancing in this case, right?). No other special requirements, users are browsing sites, sending email's, chatting in ICQ. But no torrents or something high-load.

PS. In our current configuration network #2 users are behind the Kerio NAT. FTP users comes from network #2 and from internet #1 alias through compex switch to ftp server (routing). Also we planned to access ours FTP server from internet #1 (213.x.x.x)

MCT · Tue Aug 23, 2011 4:39 pm

What's the story with the 1811? While you can get around not being able to configure it I'd consider it a patchwork solution that hinders the flexibility of configurations.

johnsilver · Wed Aug 24, 2011 9:29 am

the story is simple it can be configured by headquarter company only, so we haven't password for it

johnsilver · Wed Aug 24, 2011 11:42 am

question of the day, how to split one interface into bridge (A <-> CISCO) and private network (B <-> mikrotik), is it possible? how? can i use this bridge in third network (network #2)?

fewi · Wed Aug 24, 2011 12:28 pm

the story is simple it can be configured by headquarter company only, so we haven't password for it

The most important question, then, is whether or not you have proper authorization to touch the network at all.

johnsilver · Wed Aug 24, 2011 1:57 pm

ok, i contacted with hq and for now 20.0/24 doesn't require to access inner ftp server and cisco network configuration can be changed

in this case everything getting simplier, in my opinion we need:
1) network #1: load balance between internet #1 (cable) and #2 (pppoe)
2) network #2: use internet #1 only (cable)
3) 172.31.24.0/28 passthrough mtik to ftp (and only to ftp)
4) 10.201.0.0/16 passthrough mtik to ftp

MCT · Wed Aug 24, 2011 5:28 pm

I don't know the physical proximity of the gear, but if you can I'd pull the 1811 out and do everything from the mikrotik router. The 1811 is a good piece of gear but it's just going to add more complexity without any real benefits.

If not then you're going to have to configure a /30 between them and add routes.

The load balancing isn't difficult and then just use firewall rules to control access to the FTP server.

Is it the best setup? No, but that'll get it working and you can improve it as time goes on.

johnsilver · Thu Aug 25, 2011 3:51 pm

i can't pull 1811 because it used to connect 20.0/24 to other offices and hq

can mikrotik route/nat ip aliases?

MCT · Thu Aug 25, 2011 5:34 pm

i can't pull 1811 because it used to connect 20.0/24 to other offices and hq

can mikrotik route/nat ip aliases?

It will do everything the 1811 will minus Cisco proprietary things like EIGRP. Mikrotik is very capable and a lot more flexible, but Cisco has enterprise level reliability and quality assurance behind it. There's good reason it's the industry standard.

The setup you show negates that reliability factor because it will be connected to the mikrotik device anyway. The only caveat being if the 1811 is being used for a Cisco specific VPN setup. I haven't personally done much with Mikrotik VPN wise but I gather it can be quirky depending on the protocol.

Depending on how it's set up it could very well be more practical to put the connection to the mikrotik on the internal side of the 1811 and set up OSPF between the two.

The most I can do is guess at the moment based on the topology you showed. I don't know anything about the details of the current configuration or the goals of the new setup.

To be honest though and coming from the network engineering side of things if your employer has already invested in Cisco infrastructure as the standard I'd advise against mixing other gear in without it being approved by the HQ IT office. The last thing anyone trying to manage a network wants is a piece of undocumented rogue gear that deviates from the expected standard and no one is trained on. If you get hit by a bus tomorrow and the mikrotik gear is fried by lightning what's the operational continuity and disaster recovery plan like? The last thing I want is to send one of my CCNA network monkeys out and have him call me and say he doesn't know what the hell a piece of gear is or to even begin to configure it.

johnsilver · Fri Aug 26, 2011 2:03 pm

ok, i understand, then i'll will setup simple transparent bridge from internet #1 (172.30.6.0/30) to cisco router and refuse to use internet #1 in 64.0/24 network, i'm started with following config:

I. define static ip's for all interfaces
/ip address
add address=192.168.1.32/24 interface=ether1 – dsl modem
add address=10.201.64.251/24 interface=ether2 – local network
add address=172.30.6.6/30 interface=ether3 – cable main, internet
add address=172.31.24.6/30 interface=ether3 – cable alias, FTP only
add address=172.32.7.6/24 interface=ether4 – ftp server
add address=172.33.25.6/24 interface=ether5 – cisco router

II. configure internet #2 for 64.0/24 network
1) add interface pppoe – ether1:
/interface pppoe-client add name=xDSL interface=ether1 user=dsl_login password=dsl_password add-default-route=yes use-peer-dns=yes disabled=no

2) allow 64.0/24 to use internet #2:
/ip firewall nat add chain=srcnat src-address=10.201.64.0/24 action=masquerade

3) define filters:
/ ip firewall filter
add chain=input connection-state=established comment=”Accept established connections”
add chain=input connection-state=related comment=”Accept related connections”
add chain=input connection-state=invalid action=drop comment=”Drop invalid connections”
add chain=input protocol=udp action=accept comment=”UDP” disabled=no
add chain=input protocol=icmp limit=50/5s,2 comment=”Allow limited pings”
add chain=input protocol=icmp action=drop comment=”Drop excess pings”
add chain=input in-interface=ether2 src-address=10.201.64.0/24 comment=”From our LAN” action=accept
add chain=input action=log log-prefix=”DROP INPUT” comment=”Log everything else”
add chain=input action=drop comment=”Drop everything else”

4) allow to use dns:
/ip dns set allow-remote-requests=yes

III. configure transparent bridge between internet #1 and cisco
/interface
bridge add name=cisco_bridge
bridge port add interface=ether3 bridge=cisco_bridge
bridge port add interface=ether5 bridge=cisco_bridge

...

now i have three questions:
1) how to split 172.31.24.0/30 from bridge?
2) how to route 172.31.24.0/30 and 10.201.0.0/16 to the ftp server 172.32.7.6/24?
3) can i do this in v3.30 of the router? i mean assign multiple subnets to one interface

johnsilver · Fri Aug 26, 2011 3:50 pm

trying to answer my questions:
2) it must be mangle, i guess, firstly we must mark packets from networks to the ftp server at prerouting chain

/ip firewall mangle
add action=mark-routing chain=prerouting src-address=172.31.24.5/30 dst-address=172.29.4.5/30 new-routing-mark=ftp_flow_a
add action=mark-routing chain=prerouting src-address=10.201.0.0/16 dst-address=172.29.4.5/30 new-routing-mark=ftp_flow_b

and then change the routing list

/ip route
add dst-address=172.29.4.5/30 gateway=172.29.4.6 routing-mark=ftp_flow_a
add dst-address=172.29.4.5/30 gateway=10.201.64.251 routing-mark=ftp_flow_b

is this correct?

johnsilver · Fri Aug 26, 2011 4:32 pm

trying to answer my own questions:
3) load balancing over multiple subnets can't be done in v3, but load balancing over multiple gateways can be

and general question is one, i don't know the answer...

ps. but i can keep compex switch and route 172.30/172.31 through it... and say good bye to windows

Need help with network organization

Need help with network organization

Re: Need help with network organization

Re: Need help with network organization

Re: Need help with network organization

Re: Need help with network organization

Re: Need help with network organization

Re: Need help with network organization

Re: Need help with network organization

Re: Need help with network organization

Re: Need help with network organization

Re: Need help with network organization

Re: Need help with network organization

Re: Need help with network organization

Re: Need help with network organization

Re: Need help with network organization

Who is online