Mrreyes
just joined
Topic Author
Posts: 8
Joined: Wed Jun 06, 2012 1:11 am

special setup in need of help - new to mikrotik

Wed Jun 06, 2012 11:00 pm

hey all,

I'm building a new system for testing and I'm new to RouterOS.

I've got an RB1100 fitted for 4 VLANs (2-3-4-5) and a service IP scope for the equipment.

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.0.1/22 192.168.0.0 ether1
1 192.168.4.254/24 192.168.4.0 VLAN2-1
2 192.168.6.1/23 192.168.6.0 VLAN3-1
3 192.168.8.1/24 192.168.8.0 VLAN4-1
4 192.168.128.1/17 192.168.128.0 VLAN5-1
5 D 192.168.1.32/24 192.168.1.0 ether11

The ports on the RB I've fitted so that ether1-6-7-8-9-10 are trunks for all VLANs
and ether2-3-4-5 are their respective VLAN.

I've added DHCP for VLAN 3-4-5, and I keep VLAN 2 and the service scope static.

I figured out using the bridges, where from Cisco I was used to subinterfaces:

[admin@MikroTik] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU MAX-L2MTU
0 ether12 ether 1500 1600 9116
1 ether13 ether 1500 1600 9116
2 R ether11 ether 1500 1600 9116
3 ;;; Trunk VLAN2-3-4-5
ether6 ether 1500 1598 9498
4 ;;; Trunk VLAN2-3-4-5
ether7 ether 1500 1598 9498
5 ;;; Trunk VLAN2-3-4-5
ether8 ether 1500 1598 9498
6 ;;; Trunk VLAN2-3-4-5
ether9 ether 1500 1598 9498
7 ;;; Trunk VLAN2-3-4-5
ether10 ether 1500 1598 9498
8 ;;; Trunk VLAN2-3-4-5
ether1 ether 1500 1598 9498
9 ;;; VLAN2
ether2 ether 1500 1598 9498
10 ;;; VLAN3
ether3 ether 1500 1598 9498
11 ;;; VLAN4
ether4 ether 1500 1598 9498
12 R ;;; VLAN5
ether5 ether 1500 1598 9498
13 VLAN2-1 vlan 1500 1594
14 VLAN3-1 vlan 1500 1594
15 VLAN4-1 vlan 1500 1594
16 VLAN5-1 vlan 1500 1594
17 R br-vlan2 bridge 1500 65535
18 R br-vlan3 bridge 1500 65535
19 R br-vlan4 bridge 1500 65535
20 R br-vlan5 bridge 1500 1598
21 VLAN2-6 vlan 1500 1594
22 VLAN3-6 vlan 1500 1594
23 VLAN4-6 vlan 1500 1594
24 VLAN5-6 vlan 1500 1594
25 VLAN2-7 vlan 1500 1594
26 VLAN2-8 vlan 1500 1594
27 VLAN2-9 vlan 1500 1594
28 VLAN2-10 vlan 1500 1594
29 VLAN3-7 vlan 1500 1594
30 VLAN3-8 vlan 1500 1594
31 VLAN3-9 vlan 1500 1594
32 VLAN3-10 vlan 1500 1594
33 VLAN4-7 vlan 1500 1594
34 VLAN4-8 vlan 1500 1594
35 VLAN4-9 vlan 1500 1594
36 VLAN4-10 vlan 1500 1594
37 VLAN5-7 vlan 1500 1594
38 VLAN5-8 vlan 1500 1594
39 VLAN5-9 vlan 1500 1594
40 VLAN5-10 vlan 1500 1594

Probably there's another way that's easier than this, but I found the docs quite confusing.

Because all VLANs have a port on the RB they are directly connected, thus I had to isolate them from each other:

[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=drop src-address=192.168.0.0/22
dst-address=192.168.4.0/24

1 chain=input action=drop src-address=192.168.0.0/22
dst-address=192.168.6.0/23

2 chain=input action=drop src-address=192.168.0.0/22
dst-address=192.168.8.0/24

3 chain=input action=drop src-address=192.168.0.0/22
dst-address=192.168.128.0/17

4 chain=input action=drop src-address=192.168.4.0/24
dst-address=192.168.0.0/22

5 chain=input action=drop src-address=192.168.4.0/24
dst-address=192.168.6.0/23

6 chain=input action=drop src-address=192.168.4.0/24
dst-address=192.168.8.0/24

7 chain=input action=drop src-address=192.168.4.0/24
dst-address=192.168.128.0/17

8 chain=input action=drop src-address=192.168.6.0/23
dst-address=192.168.0.0/22

9 chain=input action=drop src-address=192.168.6.0/23
dst-address=192.168.4.0/24

10 chain=input action=drop src-address=192.168.6.0/23
dst-address=192.168.8.0/24

11 chain=input action=drop src-address=192.168.6.0/23
dst-address=192.168.128.0/17

12 chain=input action=drop src-address=192.168.8.0/24
dst-address=192.168.0.0/22

13 chain=input action=drop src-address=192.168.8.0/24
dst-address=192.168.4.0/24

14 chain=input action=drop src-address=192.168.8.0/24
dst-address=192.168.6.0/23

15 chain=input action=drop src-address=192.168.8.0/24
dst-address=192.168.128.0/17

16 chain=input action=drop src-address=192.168.128.0/17
dst-address=192.168.0.0/22

17 chain=input action=drop src-address=192.168.128.0/17
dst-address=192.168.4.0/24

18 chain=input action=drop src-address=192.168.128.0/17
dst-address=192.168.6.0/23

19 chain=input action=drop src-address=192.168.128.0/17
dst-address=192.168.8.0/24

Now my problem is:

I get an ISP on port ether11, as a DHCP client.

The port gets an IP fine, and I can use DNS through the console, but how do I route all networks to that gateway so that they all have internet access but are still isolated from each other? And even better, how do I set up using both ether11 and optionally ether12 for load balancing?
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: special setup in need of help - new to mikrotik

Thu Jun 07, 2012 5:32 pm

The router will naturally route between all connected subnets, so it is already set to route traffic out of your WAN port. However, you usually need to NAT traffic out of the WAN port so that it can be addressed properly. Also, you are very likely going to have a conflict because your subnet on ether11 overlaps with what is on ether1. You will need to change one or the other so they are in completely different subnets.

NAT rules
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether11
add action=masquerade chain=srcnat out-interface=ether12
To block communication between multiple interfaces is fairly easy, you can actually narrow it down by quite a few rules. Only traffic that you explicitly allow to be forwarded between the drop invalid and drop all rules will be allowed.
add action=accept chain=forward connection-state=established disabled=no comment="Allow established connections"
add action=accept chain=forward connection-state=related disabled=no comment="Allow related connections"
add action=drop chain=forward connection-state=invalid disabled=no comment="Drop invalid connections"
add action=accept chain=forward disabled=no out-interface=ether11 comment="Allow new connections to go out of ether11"
add action=accept chain=forward disabled=no out-interface=ether12 comment="Allow new connections to go out of ether12"
add action=drop chain=forward disabled=no comment="Drop all other connections going out other interfaces"
For load balancing, please read the wiki on PCC.
http://wiki.mikrotik.com/wiki/Manual:PCC
 
Mrreyes
just joined
Topic Author
Posts: 8
Joined: Wed Jun 06, 2012 1:11 am

Re: special setup in need of help - new to mikrotik

Thu Jun 07, 2012 6:11 pm

Thanks, I will try it when I get home...

The ether11 address will be in a different allocation, so that shouldn't be a problem.
 
Mrreyes
just joined
Topic Author
Posts: 8
Joined: Wed Jun 06, 2012 1:11 am

Re: special setup in need of help - new to mikrotik

Thu Jun 07, 2012 9:57 pm

NAT worked like a charm, the firewall rules didn't (I tried to ping: connected to one VLAN, pinged towards the gateway on another VLAN).

Now I have a connection through ether11 (changed the subnet to a 10.0.0.0/24).

Only one problem remains: why doesn't the DNS pass on to the VLAN?
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: special setup in need of help - new to mikrotik

Thu Jun 07, 2012 11:41 pm

Pinging a gateway on another VLAN would be on the input chain and not forward, that's why it didn't work there. Try pinging a host behind that interface, or put in extra rules to take care of that if you don't want them to be able to do that. :)

Can you explain what you mean by why DNS doesn't pass on the VLAN? What is your setup there, what are you expecting, and what are you seeing?
 
Mrreyes
just joined
Topic Author
Posts: 8
Joined: Wed Jun 06, 2012 1:11 am

Re: special setup in need of help - new to mikrotik

Fri Jun 08, 2012 4:46 pm

When I connect a host to one of the VLANs I can ping internet IP addresses, but I can't ping a DNS address. I can from the console, that's what seems strange. Is it because I need to route the DNS requests from the VLANs to the ether11 interface?
 
scampbell
Trainer
Posts: 487
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

special setup in need of help - new to mikrotik

Fri Jun 08, 2012 6:50 pm

Please go to ip.dns and export your settings so we can see what is configured.

The most common issue is DNS does not have Accept Requests ticked.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: special setup in need of help - new to mikrotik

Fri Jun 08, 2012 7:58 pm

What is the DNS server of the connected host when you plug it into an interface? Is it getting DNS settings via the DHCP server? Can the host ping the DNS servers? If you are using the router as a DNS server, then it needs to be set to accept DNS requests under its settings. You will also then want to firewall that service off from the outside world so others can't use it.
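One way to do what Feklar describes here: turn on the router's DNS listener for the VLANs while closing it to the ISP side so the RB does not become an open resolver. This is an added example, not Feklar's or MikroTik's own text; it assumes ether11 and ether12 are the only ISP-facing ports and uses per-interface matches so it does not depend on newer interface-list features.

```routeros
# Added example (not from the thread). Assumes ether11/ether12 face the ISP
# and every other port carries the service scope or a VLAN.

/ip dns
# the setting the thread calls "Accept Requests" in the GUI
set allow-remote-requests=yes

/ip firewall filter
# replies to the router's own upstream DNS lookups come back as established
add chain=input connection-state=established action=accept comment="input: allow established"
add chain=input connection-state=related action=accept comment="input: allow related"
add chain=input connection-state=invalid action=drop comment="input: drop invalid"

# the resolver must not be reachable from the WAN ports (open-resolver abuse)
add chain=input in-interface=ether11 protocol=udp dst-port=53 action=drop comment="ether11: no DNS (udp)"
add chain=input in-interface=ether11 protocol=tcp dst-port=53 action=drop comment="ether11: no DNS (tcp)"
add chain=input in-interface=ether12 protocol=udp dst-port=53 action=drop comment="ether12: no DNS (udp)"
add chain=input in-interface=ether12 protocol=tcp dst-port=53 action=drop comment="ether12: no DNS (tcp)"

# everything that is left arrives from the service scope or a VLAN: let it query
add chain=input protocol=udp dst-port=53 action=accept comment="LAN/VLAN: DNS to router"
add chain=input protocol=tcp dst-port=53 action=accept comment="LAN/VLAN: DNS to router"
```

After applying, `/ip firewall filter print stats` shows the WAN drop counters climbing if anyone outside is probing port 53, while the accept counters show the VLAN hosts' queries; the rules sit in the input chain, which is the chain that handles traffic addressed to the router itself, as distinct from the forward chain used for the VLAN isolation.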
 
Mrreyes
just joined
Topic Author
Posts: 8
Joined: Wed Jun 06, 2012 1:11 am

Re: special setup in need of help - new to mikrotik

Fri Jun 08, 2012 9:12 pm

[admin@MikroTik] /ip dns> print
servers: 8.26.56.26,8.20.247.20
allow-remote-requests: no
max-udp-packet-size: 512
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 8KiB
 
Mrreyes
just joined
Topic Author
Posts: 8
Joined: Wed Jun 06, 2012 1:11 am

Re: special setup in need of help - new to mikrotik

Sat Jun 09, 2012 2:33 pm

Solved it by setting allow-remote-requests to yes :)

Thanks a lot for the help
