MikroTik

Hi,

In cisco routers there is a command that is called route-map. A command where you provide access-list of allowed subnets that is pointed to the next-hop router. Anything that doesn't match in the access-list will be discarded. This setup is targeted to huge number of VLAN's. Each VLAN interface has their own allowed subnets. I tried using ip-firewall but it looks messy because I have to define many rules per interface. Is there a simpler approach using ip-mangle?

I would like to know if there is something similar to this in mikrotik.

Please provide an optimized sample configuration having multiple allowed subnets per vlan interface.

Thanks,
TCC

 
ip firewall address-list add list=allowed443 address=10.0.0.0/16
ip firewall address-list add list=allowed443 address=10.0.0.0/16

ip firewall filter add chain=forward action=drop out-interface=vlan443 src-address-list=!allowed443

Hi,

In cisco routers there is a command that is called route-map. A command where you provide access-list of allowed subnets that is pointed to the next-hop router. Anything that doesn't match in the access-list will be discarded. This setup is targeted to huge number of VLAN's. Each VLAN interface has their own allowed subnets. I tried using ip-firewall but it looks messy because I have to define many rules per interface. Is there a simpler approach using ip-mangle?

I would like to know if there is something similar to this in mikrotik.

Please provide an optimized sample configuration having multiple allowed subnets per vlan interface.

Thanks,
TCC

Hello,

I suppose what you want to do is allow only specific subnets getting to or going out of a vlan. In case you have not done this yet you can use address lists and specify a subnet.

Say :

10.0.0.0/16
10.1.0.0/16

Are the only allowed subnets going towards vlan 443 interface (as in only traffic sourced from these can go through that interface) you could write a rule using address list like this:

Code: Select all

 
ip firewall address-list add list=allowed443 address=10.0.0.0/16
ip firewall address-list add list=allowed443 address=10.0.0.0/16

ip firewall filter add chain=forward action=drop out-interface=vlan443 src-address-list=!allowed443

Enviado desde mi SAMSUNG-SM-G920A mediante Tapatalk

   interface Serial0
   ip address 172.16.5.1 255.255.255.0
   ip policy route-map Sally
  !

   access-list 1 permit 172.16.6.0 0.0.0.255
   access-list 2 permit 172.16.7.0 0.0.0.255
   !

   route-map Sally permit 10
    match ip address 1
    set ip next-hop 172.16.4.2
   !

   route-map Sally permit 15
    match ip address 2
    set ip next-hop 172.16.4.3

You can use a combination of Routing Filters, Routing Rules and Mangle Rules to accomplish this with separate routing tables.

https://wiki.mikrotik.com/wiki/Manual:R ... ng_filters
https://wiki.mikrotik.com/wiki/Manual:R ... le_Matcher

You could do something like this:

Code: Select all

 
/ip route add gateway=172.16.4.2 routing-mark=list1

/ip route add gateway=172.16.4.3 routing-mark=list2

/ip firewall mangle add chain=prerouting src-address=172.16.6.0/24 in-interface=serial0 action=mark-routing new-routing-mark=list1 

/ip firewall mangle add chain=prerouting src-address=172.16.7.0/24 in-interface=serial0 action=mark-routing new-routing-mark=list2

There may be errors with the sintax but that's the general idea



Enviado desde mi SAMSUNG-SM-G920A mediante Tapatalk

I can't improve on @shaoranrch.

Here is an alternate if you want to use VLANs and VRF's on the same router. The last two routes are for redistributing into your IGP and from there you can use Route Filters to do any further manipulation of route information. Obviously there are a few different ways to accomplish what you want to do depending on complexity, your specific design, etc.

Again if what you are trying to accomplish mirrors the cisco config that you pasted below then @shaoranrch post will be the best solution.

Hope this helps and best of luck!

Code: Select all

/ip address
add address=172.16.6.1/24 interface=vlan200 network=172.16.6.0
add address=172.16.7.1/24 interface=vlan300 network=172.16.7.0

/ip route vrf
add export-route-targets=200:0 import-route-targets=200:0 interfaces=vlan200 route-distinguisher=200:0 routing-mark=VLAN200
add export-route-targets=300:0 import-route-targets=300:0 interfaces=vlan300 route-distinguisher=300:0 routing-mark=VLAN300

/ip route
add distance=1 gateway=172.16.4.2@main routing-mark=VLAN200
add distance=1 gateway=172.16.4.3@main routing-mark=VLAN300
add distance=1 dst-address=172.16.6.0/24 gateway=vlan200
add distance=1 dst-address=172.16.7.0/24 gateway=vlan300

This is a sample config from cisco website. Can you help me translate these instructions to mikrotik equivalent?

Code: Select all

   interface Serial0
   ip address 172.16.5.1 255.255.255.0
   ip policy route-map Sally
  !

   access-list 1 permit 172.16.6.0 0.0.0.255
   access-list 2 permit 172.16.7.0 0.0.0.255
   !

   route-map Sally permit 10
    match ip address 1
    set ip next-hop 172.16.4.2
   !

   route-map Sally permit 15
    match ip address 2
    set ip next-hop 172.16.4.3