MikroTik

Posted: **Mon Oct 26, 2015 9:53 am**

Hi forum.
I'm trying to make this mikriotiuk Router to our new network.
But needing 5 VLAN for making it all work - and have tried to follow some guide . Men now I'm stuck and hoping you can help me further.
I've bought the CCR1009-8G-1s-1s+
ether1 is the WAN access and ether8 is my DMZ zone
The rest is a bridged incl ether2-7 and sfp+1

Here's my setup:

# Creating Interface 
/interface ethernet set ether1 name=WAN
/interface ethernet set ether8 name=DMZ_Zone

# DHCP
/ip dhcp-client add interface=WAN add-default-route=yes use-peer-dns=yes use-peer-ntp=yes comment=wan-ip-address disabled=no

# Setting up DNS
/ip dns set allow-remote-requests=yes 

# Creating the bridge 
/interface bridge add name=LOCAL comment="Internal Network" disabled=no
# Adding Interfaces to bridge
/interface bridge port add bridge=LOCAL interface=ether2
/interface bridge port add bridge=LOCAL interface=ether3
/interface bridge port add bridge=LOCAL interface=ether4
/interface bridge port add bridge=LOCAL interface=ether5
/interface bridge port add bridge=LOCAL interface=ether6
/interface bridge port add bridge=LOCAL interface=ether7
/interface bridge port add bridge=LOCAL interface=sfp-sfpplus1

# Creating VLAN
/interface vlan
add name=LAN interface=LOCAL vlan-id=10
add name=RD interface=LOCAL vlan-id=30
add name=MON interface=LOCAL vlan-id=40
add name=GUEST interface=LOCAL vlan-id=50
add name=DMZ interface=DMZ_Zone vlan-id=20
# IP-addresses for VLANS
/ip address
add address=172.16.100.1/23 interface=LAN
add address=192.168.100.1/24 interface=DMZ
add address=172.16.110.1/24 interface=RD
add address=172.16.120.1/24 interface=MON
add address=192.168.150.1/24 interface=GUEST

# Create DHCP server Pool addresses
/ip pool add name=LAN ranges=172.16.100.100-172.16.101.254
/ip pool add name=RD ranges=172.16.110.10-172.16.110.254
/ip pool add name=MON ranges=172.16.120.10-172.16.120.254
/ip pool add name=DMZ ranges=192.168.100.100-192.168.100.254
/ip pool add name=GUEST ranges=192.168.150.10-192.168.150.254

# DHCP Server Configuration for VLAN
/ip dhcp-server enable 0
/ip dhcp-server add interface=LOCAL address-pool=LAN
/ip dhcp-server add interface=LOCAL address-pool=RD
/ip dhcp-server add interface=LOCAL address-pool=MON
/ip dhcp-server add interface=LOCAL address-pool=GUEST
/ip dhcp-server add interface=DMZ address-pool=DMZ
/ip dhcp-server network add address=172.16.100.0/23 gateway=172.16.100.1 dns-server=4.4.4.4,8.8.8.8 comment=LAN_GREEN
/ip dhcp-server network add address=172.16.110.0/24 gateway=172.16.110.1 dns-server=4.4.4.4,8.8.8.8 comment=RD_BLUE
/ip dhcp-server network add address=172.16.120.0/24 gateway=172.16.120.1 dns-server=4.4.4.4,8.8.8.8 comment=MON_YELLOW
/ip dhcp-server network add address=192.168.100.0/24 gateway=192.168.100.1 dns-server=4.4.4.4,8.8.8.8 comment=DMZ_RED
/ip dhcp-server network add address=192.168.150.0/24 gateway=192.168.150.1 dns-server=4.4.4.4,8.8.8.8 comment=GUEST_GREY

/ip dns set allow-remote-requests=yes cache-max-ttl=1d cache-size=5000KiB max-udp-packet-size=512 servers=4.4.4.4,8,8.8.8.8

# NAT Configuration
/ip firewall nat
add chain=srcnat action=masquerade src-address=172.16.100.0/23 out-interface=WAN
add chain=srcnat action=masquerade src-address=172.16.110.0/24 out-interface=WAN
add chain=srcnat action=masquerade src-address=172.16.120.0/24 out-interface=WAN
add chain=srcnat action=masquerade src-address=192.168.100.0/24 out-interface=WAN
add chain=srcnat action=masquerade src-address=192.168.150.0/24 out-interface=WAN

# DEFAULT ROUTE
/ip route
add dst-address=0.0.0.0/0  gateway=172.16.50.1

But whenever I'm connecting a RJ45 cable - I'm not getting any IP address from DHCP ( eventhough I've manually enabled the Servers)

Can anyone see my mistakes and help med further in this case

Or could anyone guide me to the right setup for this.
I'm having WAN on ether2 .
a switch with ether2-7+sfp+
DMZ zone on ether8
--------------------------------------------------------------------------------
sfp+ should be used for connecting to other switches using Fiber.
But cannot make this work with these VLANS -so I must be doing something wrong

THanks in advance
P

Posted: **Mon Oct 26, 2015 7:48 pm**

First thing I see is the dhcp servers are on the wrong interfaces. Should be with their respective ips on the vlan interfaces.

Posted: **Tue Oct 27, 2015 8:43 am**

Well thanks for the answer.
When I'm trying to attach the DHCP server to the interface - it can not be connected to it self - so not sure how to do that Correctly.
I can make it work on DMZ interface ( But this is only 1 port/Interface )
But would really have using the sfp+ for 10GB connection between switches and all VLAN running on this afterwards

But cannot seem to figure out how to connect sfp+ & ether2-7 in one switch/bridge

Posted: **Tue Oct 27, 2015 9:36 am**

Usual VLAN setup is

no-configuration.
1) create separate VLANS on every physical interface ( for example you need VLAN1 and VLAN2 on ether2, but only VLAN2 on ether3 ...)
2) Bridge all same Vlan-ID VLANs under same bridge ( bridge-vlan1, bridge-vlan2 etc)
3) create your DHCP servers on birdge-vlanX interfaces

Posted: **Tue Oct 27, 2015 10:35 am**

I've done that now - and just to be sure for now.
Ive created 5 bridge-vlanXX and attached the interfaces sfp+ & ether2-7 on each bridge.
Afterwards I've created DHCP server for each VLAN and attached the DHCP on the bridged VLANS

But when connecting a RJ45 Cable to one of these ports with a normal PC will not give me a IP -address. Is this right ?
I would though I've been giving some IP from One of the bridge-VlanXX but not recieving any IP.

But the DMZ zone (ether8) is working fine but thats not bridged - only interfaces.

Posted: **Tue Oct 27, 2015 10:49 am**

ok, i will try to simplify.

VLAN - virtual LAN - each have different vlan-id, this vlan-id is added to packet when it leaves specific VLAN interface. If packet have vlan-id, devices from default LAN or with other vlan-ids will not be able to work with that packet.

I'm starting to have suspicion that you don't need VLANs here, but without network diagram and precise tasks noone will be able to help you.
I suggest to read on VLAN stuff a little more also.

MikroTik

How to get 5 VLAN working

How to get 5 VLAN working

Re: How to get 5 VLAN working

Re: How to get 5 VLAN working

Re: How to get 5 VLAN working

Re: How to get 5 VLAN working

Re: How to get 5 VLAN working