Community discussions

MikroTik App
 
martincho8002
just joined
Topic Author
Posts: 24
Joined: Sun Jun 12, 2016 4:49 pm

How to configure MikroTik to be primary router?

Mon Feb 19, 2018 11:02 pm

Hi there.

I need to use my MikroTik as primary router, to be connected to the WAN from the ISP and then a secondary router connected to the Mikrotik and all devices.

The topology should be as follows:

Internet -> Modem/Switch -> Mikrotik -> my new ASUS router -> All devices within my home.

Mikrotik is so customizable and has so many ways to be set up that I just don't know how and actually I don't know the name of this topology. The MT acts as what?

How should I configure the MT to act as nothing more than a point in the chain and pass-on all internet to the Asus?

Also, I am not sure about the primary (first) router which is connected to the internet ISP modem but the second router must definitely run DHCP and give IPs to the devices.

I want to use option 2 here: router behind router
https://learntomato.com/router-bridge-c ... nd-router/

Topology drawing attached.

After reading a bit it is already clear to me that my MT should act as a bridge. How do I achieve that?

Thanks!
You do not have the required permissions to view the files attached to this post.
 
User avatar
acruhl
Member
Member
Posts: 371
Joined: Fri Jul 03, 2015 7:22 pm

Re: How to configure MikroTik to be primary router?

Tue Feb 20, 2018 6:50 am

I'm now dumber after reading the article at that link. The terminology is ridiculous. It's written by someone who is not a network person.

Disable the DHCP server in the MikroTik, then attach your links to the LAN ports (not port 1). Those are bridged so the MikroTik will behave as a switch.

What exactly is the point of the MikroTik in that diagram then? What you wrote in red text doesn't make any sense. Just connect the ASUS to the internet if that's what you want.

Or forget about the ASUS and use the MikroTik. Either way, you'll accomplish what you wrote in red.
 
martincho8002
just joined
Topic Author
Posts: 24
Joined: Sun Jun 12, 2016 4:49 pm

Re: How to configure MikroTik to be primary router?

Tue Feb 20, 2018 10:22 am

1. Yeah. I guess you are right. If it is just a bridge it has no function and can be removed from the topology? Is that what you are saying. I guess so.

2. New status. The Mikrotik should better work in router mode, but then how complicated will the port forwarding be?

I would need different services to run on the second router ASUS and on the clients connected to the ASUS , e.g. gaming, VoIP, access to the ASUS router from their Mobile application, etc?

Would the complexity of port forwarding in the Mikrotik be reasonable?

Thanks
 
troffasky
Member
Member
Posts: 436
Joined: Wed Mar 26, 2014 4:37 pm

Re: How to configure MikroTik to be primary router?

Tue Feb 20, 2018 2:32 pm

"Reasonable" is a question that only you can answer because it's your network. If you explained why you want to use both routers at once, perhaps someone could hazard a guess.
 
gotsprings
Forum Guru
Forum Guru
Posts: 2307
Joined: Mon May 14, 2012 9:30 pm

Re: How to configure MikroTik to be primary router?

Tue Feb 20, 2018 6:35 pm

"Reasonable" is a question that only you can answer because it's your network. If you explained why you want to use both routers at once, perhaps someone could hazard a guess.
YUP.
 
martincho8002
just joined
Topic Author
Posts: 24
Joined: Sun Jun 12, 2016 4:49 pm

Re: How to configure MikroTik to be primary router?

Tue Feb 20, 2018 9:38 pm

It is the advise of the ExpressVPN providers and I don't want to question that advice.
 
tippenring
Member
Member
Posts: 304
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:

Re: How to configure MikroTik to be primary router?

Tue Feb 20, 2018 9:57 pm

It is the advise of the ExpressVPN providers and I don't want to question that advice.
If you need the MT to be a VPN tunnel endpoint, then I expect you can't use it in a bridge configuration. You'll need the MT to be a router. If the MT only has one public IP address, unfortunately that will complicate any static NAT and firewall rules you wish to implement.
 
martincho8002
just joined
Topic Author
Posts: 24
Joined: Sun Jun 12, 2016 4:49 pm

Re: How to configure MikroTik to be primary router?

Tue Feb 20, 2018 10:03 pm

Yes. I have not established the whole deal but some things are clear.

The MT should be a router. It should get the public IP. From there onwards the ASUS will be one of the clients of the MT and will be in Bridge mode (as advised by ExpressVPN) , then even more the devices will all be connected to the ASUS. How would the port forwarding look like?
 
tippenring
Member
Member
Posts: 304
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:

Re: How to configure MikroTik to be primary router?

Tue Feb 20, 2018 10:11 pm

The MT should be a router. It should get the public IP. From there onwards the ASUS will be one of the clients of the MT and will be in Bridge mode (as advised by ExpressVPN) , then even more the devices will all be connected to the ASUS. How would the port forwarding look like?
If the ASUS will be in bridge mode, then what do you expect it to do besides function as a switch? Perhaps attach wifi to the bridge I suppose.

A typical port forward on the MT would look something like this:
/ip firewall nat
 add action=dst-nat chain=dstnat dst-address=<public IP> dst-port=8080 protocol=tcp to-addresses=<inside host IP> to-ports=80
This would forward traffic destined for the public IP on port 8080 to the inside host IP on port 80.
 
martincho8002
just joined
Topic Author
Posts: 24
Joined: Sun Jun 12, 2016 4:49 pm

Re: How to configure MikroTik to be primary router?

Tue Feb 20, 2018 10:15 pm

The MT should be a router. It should get the public IP. From there onwards the ASUS will be one of the clients of the MT and will be in Bridge mode (as advised by ExpressVPN) , then even more the devices will all be connected to the ASUS. How would the port forwarding look like?
If the ASUS will be in bridge mode, then what do you expect it to do besides function as a switch? Perhaps attach wifi to the bridge I suppose.

A typical port forward on the MT would look something like this:
/ip firewall nat
 add action=dst-nat chain=dstnat dst-address=<public IP> dst-port=8080 protocol=tcp to-addresses=<inside host IP> to-ports=80
This would forward traffic destined for the public IP on port 8080 to the inside host IP on port 80.
Well I've been advised that the ASUS should be in bridge mode (by ExpressVPN support) and all devices connected to the ASUS ? Is this correct or nonsense?
 
User avatar
acruhl
Member
Member
Posts: 371
Joined: Fri Jul 03, 2015 7:22 pm

Re: How to configure MikroTik to be primary router?

Tue Feb 20, 2018 11:45 pm

If the ASUS will be in bridge mode, then what do you expect it to do besides function as a switch? Perhaps attach wifi to the bridge I suppose.
I think he's referring to that ridiculous article at the link in the first post, which talks about a "router" but it's really a bridge (switch) or access point bridge. Read it at your own peril.

I'm thinking that this VPN support just "gave you something to do" (the OP) and he went off and searched on it and found something even wronger (is that a word?) than what they told him to do.

Waste of time. Hire someone to help that knows something about networking. Or learn about it yourself before asking for help.
 
martincho8002
just joined
Topic Author
Posts: 24
Joined: Sun Jun 12, 2016 4:49 pm

Re: How to configure MikroTik to be primary router?

Wed Feb 21, 2018 12:24 am

There is something very wrong in your post. "Learn about it before asking for help." What could be crazier? Invest tons of time in self educating yourself and finally when you're done post a question on the forums?!?!?!

Further: "Hire someone" . Blah. If I were willing to accept the costs for hiring someone I would probably never had heard of Mikrotik brand. Hence never would have had a 60 EUR MT myself.

Enough off topic.

It is clear that ExpressVPN assert by competent knowledge or by experience that it is best to keep your old router and add the new router behind it. As router behind router even sounds crazy I am left, by deduction with the only conclusion that old router is in router mode and new ASUS is in Bridge.

Would one port forwarding rule be enough on the MT or it will require many to get all that is behind, connected to the second router exposed to the internet on specific ports?

I've been told by ASUS support that port forwarding would be needed only on the ASUS, but myself as a layman find it counterintuitive that the first router will just forward all traffic to one of it's LAN ports?
 
tippenring
Member
Member
Posts: 304
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:

Re: How to configure MikroTik to be primary router?

Wed Feb 21, 2018 12:56 am

It is clear that ExpressVPN assert by competent knowledge or by experience that it is best to keep your old router and add the new router behind it. As router behind router even sounds crazy I am left, by deduction with the only conclusion that old router is in router mode and new ASUS is in Bridge.

Would one port forwarding rule be enough on the MT or it will require many to get all that is behind, connected to the second router exposed to the internet on specific ports?

I've been told by ASUS support that port forwarding would be needed only on the ASUS, but myself as a layman find it counterintuitive that the first router will just forward all traffic to one of it's LAN ports?
If the Asus is in bridge mode, then there will be no port forwarding on it. Port forwarding is a router function because it involves translating IP addresses and (optionally) ports.

True bridges, switches, and hubs have no concept of IP addresses. They simply do not work at that level. So you need to decide what the requirements for your network are and select the best option.

(If anyone wants to bring up layer 3 switches, save your typing--they are just misnamed routers.).
 
jimmyj
just joined
Posts: 3
Joined: Mon Feb 19, 2018 10:17 pm

Re: How to configure MikroTik to be primary router?

Wed Feb 21, 2018 2:02 am

This is an exceptionally over-convoluted design for something that really should be very simple. What others are saying is your diagram doesn't make sense, because you have one device too many which 1. adds complexity, 2. adds another point of failure and 3. and reduces the ability for you to do simple NAT'ing for any inbound traffic (with both as routers, and having one sitting behind the other, means double NAT which is just mega ugly).

Realistically, you need EITHER the ASUS OR the MT and have it act as a router for Internet traffic (or bridge/router). The only reason you may want both devices, is if you were wanting to have say one router dedicated to Internet traffic and one router doing routing to some other private network - but they'd have to hang off the same bridge group / be on the same subnet, say 192.168.1.254 as your Internet gateway, and 192.168.1.253 as your private WAN gateway, then PC's would have their default route set to the Internet gateway, and that router has a route on it that says "to get to remote subnet 172.16.1.0/24, then hop to 192.168.1.253)

- A bridge operates at layer 2 (does NOT do routing, never will, ever)
- A router operates at layer 3 (does routing between networks)
- The Internet facing device (whether it be the ASUS or MT) must be a router (and NAT your private network out to the Internet)
- If the Internet facing device IS a bridge, then there must be another device behind it that does the routing to the Internet (then there are many other factors you need to consider, such as your Internet connection type, encapsulation etc)

Now you have to ask yourself, and as others have said - WHY would you need both routers? Having both is possible - but it is totally unnecessary UNLESS that internal router routes to some other location, in which case it should really be connected to the bridge.

So... (hopefully this comes out right... EDIT: nope it didn't - the bottom line with the ^ points to the Bridge....)

Internet <----> Router <-----> Bridge <----> PC's
^
|_____> Router <------> { WAN } <---> Remote Router <----> Remote LAN

Both MT and most likely the ASUS can be a bridge and router, depending on the number of LAN ports you need, then that maybe one reason why you'd want one over the other (assuming both had similar features and functionality)

If you can list your requirements, then we can help you with the best design. You mention "ExpressVPN" which makes me assume you want some sort of site-to-site or client VPN tunnel established?
 
User avatar
Paternot
Forum Guru
Forum Guru
Posts: 1056
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: How to configure MikroTik to be primary router?

Wed Feb 21, 2018 2:51 am

This is getting weirder and weirder. It is reaching the "truly bizarre" region.

To the OP:

They said to keep the old device for (their) convenience sake. They don't want you asking how to reconfigure wifi, DHCP, DNS and whatnot. Doing this weird setup "solves" this question. For them.

Mikrotik as a router, and Asus as a bridge, will allow you to use its wireless - saving the expense of buying a new one. If you go by the article you posted ($DEITY forgive me), then it will sort of work. Would be cleaner to take the Asus out of the picture, and use the Mikrotik wifi. By the way: does your Mikrotik have a wifi?

If don't, you could wire things as the first example on the link. It is ugly, but should work. For a given value of "work".

The better way would be to put the Asus in bridge mode. Some routers do it, some don't.
 
User avatar
acruhl
Member
Member
Posts: 371
Joined: Fri Jul 03, 2015 7:22 pm

Re: How to configure MikroTik to be primary router?

Wed Feb 21, 2018 6:21 am

There is something very wrong in your post. "Learn about it before asking for help." What could be crazier? Invest tons of time in self educating yourself and finally when you're done post a question on the forums?!?!?!

Further: "Hire someone" . Blah. If I were willing to accept the costs for hiring someone I would probably never had heard of Mikrotik brand. Hence never would have had a 60 EUR MT myself.

Enough off topic.

It is clear that ExpressVPN assert by competent knowledge or by experience that it is best to keep your old router and add the new router behind it. As router behind router even sounds crazy I am left, by deduction with the only conclusion that old router is in router mode and new ASUS is in Bridge.

Would one port forwarding rule be enough on the MT or it will require many to get all that is behind, connected to the second router exposed to the internet on specific ports?

I've been told by ASUS support that port forwarding would be needed only on the ASUS, but myself as a layman find it counterintuitive that the first router will just forward all traffic to one of it's LAN ports?
I understand what I said was a bit prickly.

But I worked in customer support for years for a very advanced product. Bad knowledge posted on the internet (such as that link you posted) wastes so much time because "everything on the internet is true". But it isn't. I suspect "you know what you want" but you don't know enough about networking to know how stuff actually works (because the text in red makes absolutely no sense) and you leave us to figure it out for you. This is why I said you should learn a few things before posting something like this.

Nobody who has replied can figure out why it is that you need 2 routers yet as far as I can tell.

I read the product guides for some of these new home WiFi "routers" with "gaming protection" and other nonsense and I'm guessing you want some of this whiz bang functionality mixed with the MikroTik functionality.

Please explain what you need, very simply, and maybe someone can figure it out.

Example:

I want a VPN and extra protection for some devices and not others.

Or something.
 
User avatar
acruhl
Member
Member
Posts: 371
Joined: Fri Jul 03, 2015 7:22 pm

Re: How to configure MikroTik to be primary router?

Wed Feb 21, 2018 6:29 am

(If anyone wants to bring up layer 3 switches, save your typing--they are just misnamed routers.).
Yes and no depending on what you need. Cisco 3750 switches have settings that help decide how to allocate resources (is it a switch or a router?) depending on how you use it. There is a difference if what you're doing requires enough resources.

I need a MAC table on my router that can handle hundreds of thousands of MAC addresses and arp entries. You need a real router with lots of memory to do that. Some of the latest high dollar "switches" might be able to do it, but you're talking $25,000 and up, each. And I need redundant line cards. And routers. My routers are about $200K a piece... A layer 3 switch won't do the job.

It would be fun to drop in the highest CCR to see what it could handle for the heck of it though. If MikroTik wants to send me a few I will test it between Christmas and New Year, heh.
 
troffasky
Member
Member
Posts: 436
Joined: Wed Mar 26, 2014 4:37 pm

Re: How to configure MikroTik to be primary router?

Wed Feb 21, 2018 6:07 pm

The MT should be a router. It should get the public IP. From there onwards the ASUS will be one of the clients of the MT and will be in Bridge mode (as advised by ExpressVPN) , then even more the devices will all be connected to the ASUS. How would the port forwarding look like?
What type of VPN it is will determine what, if any, ports need forwarding.
Where is the VPN terminating? If the ASUS is in bridge mode then there's no point terminating a VPN tunnel on it, because it's not routing so it won't be routing anything down the VPN tunnel.
It would make more sense to terminate the VPN on your existing router rather than adding a router behind it and terminating the VPN on the new router.
 
gotsprings
Forum Guru
Forum Guru
Posts: 2307
Joined: Mon May 14, 2012 9:30 pm

Re: How to configure MikroTik to be primary router?

Wed Feb 21, 2018 7:39 pm

I might be able to help with this.

I have used expressVPN with a Mikrotik.
They use L2TP+IPSec or OpenVPN.

OpenVPN is not supported in the flavor they use by Mikrotik.

Also many of their Servers have been BLOCKED by services. IE Netflix blocks several of the servers I tried via L2TP. I found one that had not yet been banned by netflix... but it needed a OVPN tunnel.
 
martincho8002
just joined
Topic Author
Posts: 24
Joined: Sun Jun 12, 2016 4:49 pm

Re: How to configure MikroTik to be primary router?

Thu Feb 22, 2018 12:45 am

I feel we lost the focus of the topic and the help I wanted to ask from you.

I was with the intention to use only the ASUS. But then came the recommendation clearly stated on ExpressVPN website "We recommend that you preserve your existing network setup and just connect the ASUS as a second router". I got this confirmed by their 24/7 support on several live chats with them. There must be a reason why they advise so and I am sure it is a good reason. I dont think all of their 24/7 support is comptent, which they proved they are not, but the technical guys giving out this recommendation probably know what they are doing. So it is clear, that they provide their best service when the new router is added to the old and not just replacing it and this is what they recommend. The reason why I bought the ASUS is that Mikrotik does not support this lzo compression on OpenVPN.

@ someone who mentioned blocked servers. When using L2TP this is true. When using proper OpenVPN of the type ExpressVPN recommends there are no blocked servers. Also there are specific VPN locations from ExpressVPN which they say "are optimized for Netflix" and I guess it might be that they are changing every now and then the IP adresses of some VPN servers to go around blacklisting from Netflix.

I have the brand new ASUS RT-AC87U here but still have not configured it because I got lost. Topologies, Router mode, Bridge mode, Access Point mode. It's too much.
It remains to be decided which modes should the two routers be. I think I figured out that the primary router (Mikrotik) should not be in Bridge mode because if it is in Bridge mode it is useless, it does not server a function.

However if it is in router mode you might say that it provides some isolation/separation of the VPN router (ASUS) and the outside? is that an advantage? I don't even know :))

Please look at this. Watch all.
https://youtu.be/RZTT30ICnFg
 
tippenring
Member
Member
Posts: 304
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:

Re: How to configure MikroTik to be primary router?

Thu Feb 22, 2018 5:42 pm

I feel we lost the focus of the topic and the help I wanted to ask from you.

I was with the intention to use only the ASUS. But then came the recommendation clearly stated on ExpressVPN website "We recommend that you preserve your existing network setup and just connect the ASUS as a second router". I got this confirmed by their 24/7 support on several live chats with them. There must be a reason why they advise so and I am sure it is a good reason. I dont think all of their 24/7 support is comptent, which they proved they are not, but the technical guys giving out this recommendation probably know what they are doing. So it is clear, that they provide their best service when the new router is added to the old and not just replacing it and this is what they recommend. The reason why I bought the ASUS is that Mikrotik does not support this lzo compression on OpenVPN.

@ someone who mentioned blocked servers. When using L2TP this is true. When using proper OpenVPN of the type ExpressVPN recommends there are no blocked servers. Also there are specific VPN locations from ExpressVPN which they say "are optimized for Netflix" and I guess it might be that they are changing every now and then the IP adresses of some VPN servers to go around blacklisting from Netflix.

I have the brand new ASUS RT-AC87U here but still have not configured it because I got lost. Topologies, Router mode, Bridge mode, Access Point mode. It's too much.
It remains to be decided which modes should the two routers be. I think I figured out that the primary router (Mikrotik) should not be in Bridge mode because if it is in Bridge mode it is useless, it does not server a function.

However if it is in router mode you might say that it provides some isolation/separation of the VPN router (ASUS) and the outside? is that an advantage? I don't even know :))

Please look at this. Watch all.
https://youtu.be/RZTT30ICnFg
A little practical advice on posting to forums with questions:

Do not add known requirements randomly in a thread. Many people have asked *WHY* you want to do this. The answer to that question has been for LZO compression on OpenVPN. When you were asked why you would want to do this, LZO on OpenVPN should have been your next answer. Are there any other requirements you wish to add?

Here's the thing: You're in a state where you wish to do this yourself, but you do not understand enough of how it works to make an educated decision. The responses I've seen have mostly been pretty clear, but you don't have enough of a fundamental understanding of how to gauge the comments and where they fit in with your perceived requirements.

The ExpressVPN advice of "follow our recommendations" is simply because if you don't, when the VPN isn't working you'll be talking to them for hours or days for help. They know how to make the MT work, so they want you to leave it alone. That way when you call them because it isn't working, they can say "We show the tunnel up and can ping your Asus router, it isn't our problem."

Is LZO compression REQUIRED by whoever you are trying to connect to? If not, I'd suggest considering dropping the Asus and let the Mikrotik do it.
 
martincho8002
just joined
Topic Author
Posts: 24
Joined: Sun Jun 12, 2016 4:49 pm

Re: How to configure MikroTik to be primary router?

Thu Feb 22, 2018 8:49 pm

I accept the first part of your post about being random but not everything is as you say.
First: Yes, lzo was the reason why MT was not good enough.
Second: ExpressVPN do not support MT and have no plans to.
So, about their recommendation to keep your existing set up with preexisting router and add one router dedicated to VPN. This is regardless of what brand/model your primary router is. It is not for no reason they recommend this and I'm quite sure it is solid (that much at least I can gauge). When you want to use a service you follow the advice of those providing you the service not because they are the most knowledgeable about Networking but because they know best their service. The simple fact that you don't know the reason and I haven't got it from them in plain text is not a big deal and doesn't change much.

Updating the thread with new input is not a result of my changing moods but a result of new information I have gotten from both ASUS and ExpressVPN support.

I hope this helps.
 
tippenring
Member
Member
Posts: 304
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:

Re: How to configure MikroTik to be primary router?

Thu Feb 22, 2018 11:20 pm

I accept the first part of your post about being random but not everything is as you say.
First: Yes, lzo was the reason why MT was not good enough.
Second: ExpressVPN do not support MT and have no plans to.
So, about their recommendation to keep your existing set up with preexisting router and add one router dedicated to VPN. This is regardless of what brand/model your primary router is. It is not for no reason they recommend this and I'm quite sure it is solid (that much at least I can gauge). When you want to use a service you follow the advice of those providing you the service not because they are the most knowledgeable about Networking but because they know best their service. The simple fact that you don't know the reason and I haven't got it from them in plain text is not a big deal and doesn't change much.

Updating the thread with new input is not a result of my changing moods but a result of new information I have gotten from both ASUS and ExpressVPN support.

I hope this helps.
You've referred to an "old" router, a "new" router, a "Mikrotik" router and an "Asus" router, so it's been confusing. My impression was that ExpressVPN wanted the MT. If ExpressVPN wants the Asus, then why do you want to keep the MT? Simply because they said "don't change anything."? I haven't read the original URL you posted, but I think others have established that it was not written by someone that knows what they're doing.
 
martincho8002
just joined
Topic Author
Posts: 24
Joined: Sun Jun 12, 2016 4:49 pm

Re: How to configure MikroTik to be primary router?

Thu Feb 22, 2018 11:56 pm

It is both on their Video guide for settings up ASUS as well as a warning box that the old router should be kept. ExpressVPN do not support Mikrotik and Mikrotik's implementation of OpenVPN does not work with EspressVPN (as I understand due to lack of lzo compression support).

See attachments please.
crop1.png
crop2.png
You do not have the required permissions to view the files attached to this post.
 
gotsprings
Forum Guru
Forum Guru
Posts: 2307
Joined: Mon May 14, 2012 9:30 pm

Re: How to configure MikroTik to be primary router?

Fri Feb 23, 2018 4:47 pm

The reason you should keep your old router...

ExpressVPN doesn't want to have to support the "rest of your network".

The set up they recommend is a SIMPLE DOUBLE NAT. You don't need to change anything on the Tik. Plug the Asus into it and it will pull and IP from the TIK and setup a new LAN BEHIND THE MIKROTIK LAN. All traffic from the Asus LAN is set to be sent to the ExpressVPN servers.

So if you want to use the VPN... connect to the Asus's Ports or Wireless.

Who is online

Users browsing this forum: sindy and 26 guests