torchify
just joined
Topic Author
Posts: 5
Joined: Tue Apr 02, 2024 6:35 pm

Advice: Beginner WAN config for /29 network

Tue Apr 02, 2024 11:32 pm

Greetings,

I'm looking for some guidance on my first Mikrotik router. Background is Cisco CCNA from many, many years ago.

Installation is a datacenter rack with 1GB fiber cross connect. I have the CCR2004-16G-2S+ with MikroTik S+85DLC03D SFP+ module installed in SFP+1 port. Starting off with one server connected via 1GbE to Ether1, plans for future expansion to fill my rack (hopefully).

I've been provided with a /29 subnet x.x.x.176/29.
Gateway is to be x.x.x.177/29.
I want the first server to be on x.x.x.178.
.179-.181 will be for future server expansion and mapped to Ether2-4.
Ether 9-16 will be bridged for LAN running DHCP for the 10.100.100.0/24 network.

My first thought was to create a bridge for the WAN. Now that I'm further into the config, I'm second guessing my setup. I would like to firewall these servers to allow only certain ports through. I'm not sure if a bridge is the best way to do this or statically routing each address is better.

Note: I'm not out at the datacenter yet; I hope to set an appointment for installation by the end of this week. My config is purely theoretical at this point and I realize that much will need to be changed, so feel free to steer me away from my chosen pitfalls.
Note 2: the LAN part of this is not important. There will be no devices connected to the LAN; it is only for internal config, etc. DHCP is not needed, I was just setting it up to see it work.

Here is where I'm at so far:
/interface bridge
add name=bridge1_Internet
add name=bridge2_LAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1_S178
set [ find default-name=ether2 ] name=ether2_S179
set [ find default-name=ether3 ] name=ether3_S180
set [ find default-name=ether4 ] name=ether4_S181
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1_WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.100.100.100-10.100.100.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge2_LAN lease-time=1d name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1_Internet interface=sfp-sfpplus1_WAN
add bridge=bridge1_Internet interface=ether1_S178
add bridge=bridge1_Internet interface=ether2_S179
add bridge=bridge1_Internet interface=ether3_S180
add bridge=bridge1_Internet interface=ether4_S181
add bridge=bridge2_LAN interface=ether9
add bridge=bridge2_LAN interface=ether10
add bridge=bridge2_LAN interface=ether11
add bridge=bridge2_LAN interface=ether12
add bridge=bridge2_LAN interface=ether13
add bridge=bridge2_LAN interface=ether14
add bridge=bridge2_LAN interface=ether15
add bridge=bridge2_LAN interface=ether16
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=x.x.x.177/29 interface=bridge1_Internet network=x.x.x.176
add address=10.100.100.1/24 interface=bridge2_LAN network=10.100.100.0
/ip dhcp-server network
add address=10.100.100.0/24 gateway=10.100.100.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=10.100.100.0/24 comment="LAN Group " list=LAN
add address=x.x.x.176/29 comment="WAN Group" list=WAN
add address=x.x.x.178-x.x.x.181 list=SERVERS
/ip firewall filter
add action=accept chain=input comment="Allow established INPUT traffic" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid INPUT connections" \
    connection-state=invalid
add action=accept chain=input comment="Allow INPUT pings" protocol=icmp
add action=drop chain=input comment="Drop all non-LAN INPUT traffic" \
    src-address-list=!LAN
add action=accept chain=forward comment="Allow established FORWARD traffic" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid FORWARD connections" \
    connection-state=invalid
add action=accept chain=forward comment=\
    "Allow TCP HTTP port access from LAN to WAN" dst-port=\
    80,443,8080,8443,9191,9443 out-interface=bridge1_Internet protocol=tcp \
    src-address-list=LAN
add action=accept chain=forward comment=\
    "Allow TCP DNS port access from LAN to WAN" dst-port=53 out-interface=\
    bridge1_Internet protocol=tcp src-address-list=LAN
add action=accept chain=forward comment=\
    "Allow UDP DNS port access from LAN to WAN" dst-port=53 out-interface=\
    bridge1_Internet protocol=udp src-address-list=LAN
add action=accept chain=forward comment="Allow ICMP FORWARD" out-interface=\
    bridge1_Internet protocol=icmp
add action=drop chain=forward comment="Drop all other FORWARD traffic" \
    out-interface=bridge1_Internet
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge1_Internet
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    x.x.x.177 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10
Please let me know if I'm on the general right path or if I should retool this. Also, let me know if I'm an idiot :shock: :D
 
almdandi
Frequent Visitor
Posts: 75
Joined: Sun May 03, 2015 5:22 pm

Re: Advice: Beginner WAN config for /29 network

Wed Apr 03, 2024 2:48 pm

You could use the "Use IP Firewall" option in the bridge settings menu, but I recommend a layer 3 approach. Also, since hardware-accelerated bridges were introduced, it is no longer recommended, in most cases, to set up 2 bridges. Your setup is such a case. Set up one bridge with internal VLANs and add all your internal ports accordingly.

One disadvantage with the layer 3 approach: you will "lose" one public IP to the router, because you didn't mention a public IP for the MikroTik router in your post. The question is how you want to manage your router remotely. With a public IP on the router you can set up, for example, a VPN server to access your internal IPs or management interfaces that are firewalled from public IPs.

To go the layer 3 approach:
  1. Set up a /32 subnet on the WAN interface with one of your public IPs, for example .178/32. In the Network field enter the gateway .177.
  2. Add a default route to .177, so you have internet access.
  3. On your VLAN interface for the public VLAN add the same IP address as on the WAN interface, but with /29.
  4. Add an ARP entry for all your internal public IPs (.179 - .182) on the WAN interface and check the "Published" checkbox.
  5. Add .179/29 to your first server with .178 as gateway.

With this you can then set up your firewall rules as you need them. One more note: the internal hosts can reach each other directly; the MikroTik firewall (layer 3) is not involved in this communication because it is layer 2 traffic. If you don't want this, you can either set up a local firewall on the server itself, or also use /32 subnets with separate VLANs for each server. You could even assign the /32 subnets directly to the interfaces and kick those ports out of the bridge.
 
torchify
just joined
Topic Author
Posts: 5
Joined: Tue Apr 02, 2024 6:35 pm

Re: Advice: Beginner WAN config for /29 network

Thu Apr 04, 2024 1:18 am

I started over with a fresh config. I created a bridge that includes all interfaces. I added address .178/32 to sfp+1. I added the .177 default route.
"On your VLAN interface for the public VLAN add the same IP address as on the WAN interface, but with /29."
Not sure I have this correct. I created 2 VLANs, one for the servers and one for management. I did this by going to Bridge > VLANs. I added VLAN 10 (mgmt) and 77 (servers). I tagged Ether1-4. I untagged port 15 and both sfp+ ports.

I added the VLANs to the created bridge interface in the Interfaces menu.

My laptop is statically configured to .180/29, gw .178, on port ether2.
My server is statically configured to .179/29, gw .178, on port ether1.

Neither can ping .178.

Here is the current export:
/interface bridge
add name=MAIN_BRIDGE
/interface vlan
add interface=MAIN_BRIDGE name=mgmt vlan-id=10
add interface=MAIN_BRIDGE name=servers vlan-id=77
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=MAIN_BRIDGE interface=all
/interface bridge vlan
add bridge=MAIN_BRIDGE untagged=ether15,sfp-sfpplus1,sfp-sfpplus2 vlan-ids=10
add bridge=MAIN_BRIDGE tagged=ether1,ether2,ether3,ether4 untagged=ether15,sfp-sfpplus1,sfp-sfpplus2 vlan-ids=77
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether15 network=192.168.88.0
add address=x.x.x.178 comment="WAN port" interface=sfp-sfpplus1 network=x.x.x.177
add address=x.x.x.178/29 comment=public_vlan interface=servers network=x.x.x.176
add address=10.100.100.1/24 comment=mgmt_vlan interface=mgmt network=10.100.100.0
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=x.x.x.177 routing-table=main suppress-hw-offload=no
/system routerboard settings
set enter-setup-on=delete-key
What am I missing? I don't have VLAN filtering checked yet either, since that seems to kick me out if turned on.
 
almdandi
Frequent Visitor
Posts: 75
Joined: Sun May 03, 2015 5:22 pm

Re: Advice: Beginner WAN config for /29 network

Thu Apr 04, 2024 11:14 am

Yeah, that's not how you configure VLANs in RouterOS. You can't assign IP addresses to the slave/member ports of the bridge. You did not add the VLAN interface to the bridge, and the bridge is not a tagged member of your VLANs (/interface bridge vlan).

Take a look at the links below. BTW, the CCR2004 uses an 88E6191X switch chip.

https://www.youtube.com/watch?v=US2EU6cgHQU
https://www.youtube.com/watch?v=YMwOrc0LDP8
https://help.mikrotik.com/docs/display/ ... +switching
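The five layer 3 steps from almdandi's first reply, combined with the corrections in the second reply (VLAN interfaces live on the bridge, the bridge itself is a tagged member, no addresses on member ports), collected into one RouterOS export as an added example; this is not a config posted in the thread. It reuses the names from the OP's second export (MAIN_BRIDGE, VLAN 10 mgmt / 77 servers, sfp-sfpplus1, ether1-4, ether15) and the x.x.x placeholders. The published ARP entries without an explicit mac-address, the port-to-VLAN assignment and the firewall ports (80 and 443 from the OP's list) are assumptions, not something the thread states.

```routeros
# Added example, not from the thread. Layer 3 /29 handoff on a CCR2004:
# uplink is a routed port with a /32, servers sit on a VLAN behind one bridge.
# Interface names, VLAN ids and x.x.x placeholders follow the OP's export;
# the MAC-less published ARP form and the port list are assumptions.

# One bridge. Leave vlan-filtering off until everything below is in place,
# so a mistake in the VLAN table cannot lock you out (the OP hit this).
/interface bridge
add name=MAIN_BRIDGE vlan-filtering=no comment="enable vlan-filtering last"

# The WAN uplink (sfp-sfpplus1) is deliberately NOT a bridge member.
# Server ports are access ports in VLAN 77, ether15 is the mgmt access port.
/interface bridge port
add bridge=MAIN_BRIDGE interface=ether1 pvid=77
add bridge=MAIN_BRIDGE interface=ether2 pvid=77
add bridge=MAIN_BRIDGE interface=ether3 pvid=77
add bridge=MAIN_BRIDGE interface=ether4 pvid=77
add bridge=MAIN_BRIDGE interface=ether15 pvid=10

# The bridge (CPU side) must be a tagged member of each VLAN, otherwise the
# /interface vlan objects below never receive any frames.
/interface bridge vlan
add bridge=MAIN_BRIDGE tagged=MAIN_BRIDGE untagged=ether1,ether2,ether3,ether4 vlan-ids=77
add bridge=MAIN_BRIDGE tagged=MAIN_BRIDGE untagged=ether15 vlan-ids=10

# Layer 3 VLAN interfaces are created on the bridge, never on member ports.
/interface vlan
add interface=MAIN_BRIDGE name=servers vlan-id=77
add interface=MAIN_BRIDGE name=mgmt vlan-id=10

/ip address
# step 1: /32 on the uplink, "network" is the ISP gateway .177
add address=x.x.x.178/32 interface=sfp-sfpplus1 network=x.x.x.177 comment="WAN /32"
# step 3: the same address with the real /29 mask on the server VLAN
add address=x.x.x.178/29 interface=servers network=x.x.x.176 comment="public VLAN"
add address=10.100.100.1/24 interface=mgmt network=10.100.100.0 comment="mgmt VLAN"

# step 2: default route to the ISP gateway
/ip route
add dst-address=0.0.0.0/0 gateway=x.x.x.177 check-gateway=ping

# step 4: answer ARP on the uplink for every server address so the ISP
# gateway delivers their traffic to this router. Assumption: with no
# mac-address given, RouterOS uses the interface's own MAC for the entry.
/ip arp
add address=x.x.x.179 interface=sfp-sfpplus1 published=yes
add address=x.x.x.180 interface=sfp-sfpplus1 published=yes
add address=x.x.x.181 interface=sfp-sfpplus1 published=yes
add address=x.x.x.182 interface=sfp-sfpplus1 published=yes
# step 5 happens on each server: e.g. x.x.x.179/29 with gateway x.x.x.178

# Interface lists keep the firewall readable and survive renames.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=sfp-sfpplus1
add list=LAN interface=servers
add list=LAN interface=mgmt

/ip firewall address-list
add list=SERVERS address=x.x.x.179-x.x.x.182

# Router itself: reachable only from the mgmt VLAN (plus ICMP).
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface=mgmt comment="management from mgmt VLAN only"
add chain=input action=drop comment="nothing else reaches the router"
# Servers: only the listed TCP ports are reachable from the internet; the
# servers may still open outbound connections. Everything else from WAN is dropped.
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=WAN dst-address-list=SERVERS protocol=tcp dst-port=80,443 comment="published services"
add chain=forward action=accept in-interface-list=LAN comment="outbound from servers and mgmt"
add chain=forward action=drop in-interface-list=WAN comment="drop all other inbound"

# Final step, run from the serial console or a host on ether15 (mgmt VLAN).
/interface bridge
set MAIN_BRIDGE vlan-filtering=yes
```

No NAT rule is needed here: the servers carry public addresses and are routed, not masqueraded, which is the point of the layer 3 approach. As almdandi notes, .179 to .182 can still talk to each other at layer 2 inside VLAN 77; if that matters, give each server its own VLAN and /32 instead of a shared /29.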
