NetworqAndy
Topic Author
Posts: 17
Joined: Mon Oct 03, 2016 10:58 pm

Internal access to WAN connection over VLAN

Mon Apr 29, 2024 7:11 pm

Hi all,

So, I'm looking to use a WAN connection that's physically located elsewhere on the network from the main RB1100 router. Switch at that location is a CSS610, with 5 VLANs set up.

Network uses VLANs 10, 20, 30 and 40 for various other things and I've set up VLAN90 for this WAN connection.

Topology:

Mikrotik RB1100 - WAN1 and WAN2 are local to here (on ether1 and ether2 respectively, although only WAN2 is active currently). ether6-10 are trunk ports.
||
||trunk port
||
Mikrotik CSS610 switch (Ports 7 and 8 are members of VLAN90).
> ether1 is for local access point on vlan10 + 20.
> ether7 is for WAN3 connection to modem. Set as access port. Optional (to allow untagged packets on ingress) with PVID of 90. Allow any packets.
> ether8 is set as trunk port. Strict VLAN. Only tagged packets allowed.

ISP has advised no PPPoE authentication is required - address will be assigned using DHCP to LAN cable on fibre modem.

I've proven this works by creating an access port on the RB1100 on vlan90, and my laptop's ethernet has picked up a DHCP address with my laptop jumping on the internet using WAN3. However... I now need to create a DHCP client within the RB1100 which can pick up VLAN90 in order to set up NAT/routes etc. I'm sure there's a way to do that as I don't really want to end up devoting two physical ethernet ports on the router (ie. ether3 as an access port on VLAN90 and ether4 as a WAN port with DHCP client).

Grateful for any guidance on where I'm going wrong here. I can't see an interface that would virtually achieve this. Would the right solution here be to create another bridge?

Config below for the RB1100....

# apr/29/2024 17:06:32 by RouterOS 6.49.14
# software id = E75X-80RJ
#
# model = RB1100Dx4
# serial number = HEY09AX5MMT
# Two VLAN-filtering bridges. bridge1 carries the LAN VLANs; bridgeWAN3 has no
# ports and no /interface bridge vlan entries anywhere in this export.
/interface bridge
add name=bridge1 vlan-filtering=yes
add name=bridgeWAN3 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge-5
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name=WAN3-Future
set [ find default-name=ether4 ] name=WAN4-Future
set [ find default-name=ether6 ] comment=TRNK-REC-18
set [ find default-name=ether7 ] comment=TRNK-REC-21
set [ find default-name=ether8 ] comment=TRNK-REC-34
set [ find default-name=ether9 ] comment=TRNK-SPARE
set [ find default-name=ether10 ] comment=TRNK-REC-SWITCH
set [ find default-name=ether11 ] name=ether11-StaffMGMT
set [ find default-name=ether12 ] name=ether12-StaffMGMT
set [ find default-name=ether13 ] name=ether13-Guest
/interface pppoe-client
add disabled=no interface=WAN2 name=WAN2GradwellSoGEA use-peer-dns=yes user=\
    HIDDEN
/interface l2tp-server
add name=l2tp-in-VPN user=HIDDEN
/interface vlan
# NOTE(review): vlan1_setup has no /ip address, DHCP server or interface-list
# membership anywhere below; it appears unused.
add interface=bridge1 name=vlan1_setup vlan-id=1
add interface=bridge1 name=vlan10_StaffMGMT vlan-id=10
add interface=bridge1 name=vlan20_Guest vlan-id=20
add interface=bridge1 name=vlan30_VOIP vlan-id=30
add interface=bridge1 name=vlan40_CCTV vlan-id=40
# NOTE(review): vlan90_WAN3 is attached to the physical port WAN3-Future, but
# that same port is also a bridge1 member with pvid=90 (see /interface bridge
# port). Tagged frames on a bridge port are handled by the bridge, not by a
# VLAN interface on the raw port — confirm which attach point is intended.
add comment=FutureWAN interface=WAN3-Future name=vlan90_WAN3 vlan-id=90
/caps-man datapath
add bridge=bridge1 name=datapath_StaffMGMT vlan-id=10 vlan-mode=use-tag
add bridge=bridge1 name=datapath_Guest vlan-id=20 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security_StaffMGMT
add authentication-types=wpa2-psk encryption=aes-ccm name=security_Guest
/caps-man configuration
add country="united kingdom" datapath=datapath_Guest \
    datapath.client-to-client-forwarding=no datapath.vlan-id=20 \
    datapath.vlan-mode=use-tag installation=indoor mode=ap name=cfg_GuestWifi \
    security=security_Guest ssid=OldMill_GuestWiFi
add country="united kingdom" datapath=datapath_StaffMGMT datapath.bridge=\
    bridge1 installation=indoor mode=ap name=cfg_StaffMGMT security=\
    security_StaffMGMT ssid=OldMill_Staff
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
# Interface lists drive the firewall (input/forward) and NAT below; a WAN that
# is not in the WAN list is neither masqueraded nor reachable from LAN.
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_StaffMGMT ranges=10.10.100.1-10.10.199.254
add name=dhcp_Guest ranges=10.20.100.1-10.20.199.254
add name=dhcp_VOIP ranges=10.30.100.1-10.30.199.254
add name=dhcp_CCTV ranges=10.40.100.1-10.40.199.254
add name=dhcp_VPN ranges=10.10.200.1-10.10.200.254
/ip dhcp-server
add address-pool=dhcp_StaffMGMT disabled=no interface=vlan10_StaffMGMT \
    lease-time=4w2d name=dhcpStaffMGMT
add address-pool=dhcp_Guest disabled=no interface=vlan20_Guest lease-time=1d \
    name=dhcpGuest
add address-pool=dhcp_VOIP disabled=no interface=vlan30_VOIP lease-time=\
    4w2d10m name=dhcpVOIP
# NOTE(review): the CCTV server hands out the dhcp_VOIP pool (10.30.100.x) while
# the dhcp_CCTV pool defined above is unused; leases on vlan40 would not match
# the 10.40.0.0/16 network/gateway configured under /ip dhcp-server network.
add address-pool=dhcp_VOIP disabled=no interface=vlan40_CCTV lease-time=\
    4w2d10m name=dhcpCCTV
/ppp profile
set *0 interface-list=LAN
# VPN sessions land in the LAN list, so they are covered by the LAN->WAN forward
# rule and the LAN DNS input rules, but not by the MGMT rules.
add bridge=bridge1 interface-list=LAN local-address=dhcp_StaffMGMT name=\
    SquibbyVPN remote-address=dhcp_VPN
/queue type
add kind=pcq name=pcq-download-guest pcq-classifier=dst-address pcq-rate=10M
add kind=pcq name=pcq-upload-guest pcq-classifier=src-address pcq-rate=5M
/queue simple
add disabled=yes max-limit=900M/900M name=Global queue=\
    ethernet-default/ethernet-default target=\
    10.10.0.0/16,10.20.0.0/16,10.30.0.0/16,10.40.0.0/16
add limit-at=700M/500M max-limit=700M/500M name=Guest queue=\
    pcq-upload-guest/pcq-download-guest target=10.20.0.0/16
/caps-man manager
set enabled=yes package-path=/ upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge1
add disabled=no interface=vlan10_StaffMGMT
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg_StaffMGMT \
    name-format=identity slave-configurations=cfg_GuestWifi
/dude
set enabled=yes
/interface bridge port
# Trunks: tagged-only with ingress filtering, so untagged frames from the
# switch side are dropped at the bridge.
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether6
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether7
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether8
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether9
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether10
# Access ports: pvid sets the untagged VLAN. frame-types is left at its default,
# so tagged frames for a VLAN the port is a member of are still admitted;
# frame-types=admit-only-untagged-and-priority-tagged would restrict these
# ports to untagged traffic only — consider.
add bridge=bridge1 ingress-filtering=yes interface=ether11-StaffMGMT pvid=10
add bridge=bridge1 ingress-filtering=yes interface=ether12-StaffMGMT pvid=10
add bridge=bridge1 ingress-filtering=yes interface=ether13-Guest pvid=20
# ISP-facing port as an access port on the same bridge as the LAN VLANs; bridge
# VLAN filtering is the only thing keeping VLAN 90 apart from 10/20/30/40.
add bridge=bridge1 ingress-filtering=yes interface=WAN3-Future pvid=90
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether6,ether7,ether8,ether9,ether10 \
    untagged=ether11-StaffMGMT,ether12-StaffMGMT,ether13-Guest vlan-ids=10
# port with pvid added to untagged group which might cause problems, consider adding a separate VLAN entry
# NOTE(review): WAN3-Future is a tagged member of 20,30 and 40 as well as 90
# here, while its port entry above makes it an untagged (pvid) member of 90.
# A separate entry with vlan-ids=90 would limit that port to the WAN VLAN.
add bridge=bridge1 tagged=\
    bridge1,ether6,ether7,ether8,ether9,ether10,WAN3-Future vlan-ids=\
    20,30,40,90
/interface l2tp-server server
# NOTE(review): use-ipsec=yes accepts L2TP both with and without IPsec; only
# use-ipsec=required rejects unencrypted sessions — confirm which is intended
# given UDP 1701 is open on WAN2 below.
set default-profile=SquibbyVPN enabled=yes use-ipsec=yes
/interface list member
add interface=WAN1 list=WAN
add interface=vlan10_StaffMGMT list=LAN
add interface=vlan20_Guest list=LAN
add interface=vlan30_VOIP list=LAN
add interface=vlan40_CCTV list=LAN
add interface=vlan10_StaffMGMT list=MGMT
add interface=OffBridge-5 list=MGMT
add interface=WAN2GradwellSoGEA list=WAN
# NOTE(review): vlan90_WAN3 is not in the WAN list, so the masquerade rule and
# the LAN->WAN forward rule would not apply to it once it comes up.
/interface pppoe-server server
add default-profile=SquibbyVPN disabled=no interface=<l2tp> service-name=\
    service1
/ip address
add address=10.30.0.1/16 interface=vlan30_VOIP network=10.30.0.0
add address=10.40.0.1/16 interface=vlan40_CCTV network=10.40.0.0
add address=10.10.0.1/16 interface=vlan10_StaffMGMT network=10.10.0.0
add address=10.20.0.1/16 interface=vlan20_Guest network=10.20.0.0
add address=192.168.55.1/24 interface=OffBridge-5 network=192.168.55.0
/ip dhcp-client
# WAN1 lease does not install a default route; the static /ip route entries
# below provide it.
add add-default-route=no disabled=no interface=WAN1
/ip dhcp-server lease
#LOTS OF LEASES HERE - REMOVED FOR CLARITY#
/ip dhcp-server network
# Clients are pointed straight at public resolvers rather than at the router.
add address=10.10.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.0.1
add address=10.20.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.20.0.1
add address=10.30.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.30.0.1
add address=10.40.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.40.0.1
/ip dns
# allow-remote-requests is not set in this export, so the port-53 input accepts
# from LAN below appear to permit a service the router is not serving — confirm.
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.20.100.1-10.20.199.254 list=Guest
add address=10.10.100.0/24 list=local
add address=10.20.100.0/24 list=local
add address=10.30.100.0/24 list=local
add address=10.40.100.0/24 list=local
add address=10.10.0.1-10.10.199.254 list=localLAN
add address=10.10.200.1-10.10.200.254 list=VPN
/ip firewall filter
# Input policy: established/related, drop invalid, ICMP from anywhere,
# IPsec/L2TP only on WAN2, loopback for CAPsMAN, everything from MGMT,
# DNS from LAN, then drop.
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
# VPN ingress is bound to WAN2GradwellSoGEA only; clients arriving on any other
# WAN interface fall through to "Drop all else".
add action=accept chain=input in-interface=WAN2GradwellSoGEA protocol=\
    ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=\
    WAN2GradwellSoGEA protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Every host on vlan10_StaffMGMT and OffBridge-5 reaches all router services;
# no port restriction here.
add action=accept chain=input in-interface-list=MGMT
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward comment=\
    "fasttrack - disabled to allow queue function" connection-state=\
    established,related disabled=yes
add action=accept chain=forward comment=related-establ-untracked \
    connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=accept chain=forward comment="MGMT to all vlans" \
    in-interface-list=MGMT out-interface-list=LAN
add action=drop chain=forward comment="drop all else"
# NOTE(review): this VPN accept sits after the terminating "drop all else", so
# it can never match; move it above the drop if VPN clients should reach
# localLAN (inter-VLAN traffic other than MGMT->LAN is otherwise dropped).
add action=accept chain=forward comment=VPN dst-address-list=localLAN \
    src-address-list=VPN
/ip firewall mangle
add action=mark-connection chain=forward comment=\
    "Disabled as currently set for DUAL WAN not PCC Load Balancing" \
    connection-mark=no-mark disabled=yes dst-address-type=!local \
    in-interface-list=LAN new-connection-mark=viaWAN1 passthrough=yes \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=forward comment=\
    "Disabled as currently set for DUAL WAN not PCC Load Balancing" \
    connection-mark=no-mark disabled=yes dst-address-type=!local \
    in-interface-list=LAN new-connection-mark=viaWAN2 passthrough=yes \
    per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment=\
    "Disabled as currently set for DUAL WAN not PCC Load Balancing" \
    connection-mark=viaWAN1 disabled=yes new-routing-mark=useWAN1 \
    passthrough=no
add action=mark-routing chain=prerouting comment=\
    "Disabled as currently set for DUAL WAN not PCC Load Balancing" \
    connection-mark=viaWAN2 disabled=yes new-routing-mark=useWAN2 \
    passthrough=no
/ip firewall nat
# Masquerade on every WAN-list interface. ipsec-policy=out,none matches only
# packets with no outgoing IPsec policy, so IPsec-protected traffic is not NATed.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add comment="Disabled as not load balancing" disabled=yes distance=1 gateway=\
    192.168.2.1 routing-mark=useWAN1
add comment="Disabled as not load balancing" disabled=yes distance=1 gateway=\
    WAN2GradwellSoGEA routing-mark=useWAN2
# Primary default via WAN1 with ping check-gateway, PPPoE WAN2 as distance-2
# fallback. The WAN1 gateway is given as an interface name rather than a
# next-hop address — fine for point-to-point links; verify for an Ethernet WAN.
add check-gateway=ping distance=1 gateway=WAN1
add distance=2 gateway=WAN2GradwellSoGEA
/ppp secret
# routes= pushes 10.10.0.0/16 to the connecting client; profile is redacted.
add name=squibby profile=HIDDEN routes=10.10.0.0/16
/system clock
set time-zone-name=Europe/London
/system identity
set name=RB1100-Reception
/tool sniffer
set filter-interface=WAN1
 
anav
Posts: 19729
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Internal access to WAN connection over VLAN

Mon Apr 29, 2024 7:45 pm

Well without looking at the config, the VLAN is created at the switch and is solely for the purposes of moving the connection from ether7 to ether8.
At the RB one simply terminates vlan90 on the incoming port
Simply assign a vlan to the interface and in IP DHCPclient use vlan90 as the interface.

You are also confusing things with this desire to have an access port on ether3 for vlan90.????????????
No we are terminating vlan90 at ether4, there is no need to create anything extra.
GET RID OF THIS
add name=bridgeWAN3 vlan-filtering=yes
and this
add comment=FutureWAN interface=WAN3-Future name=vlan90_WAN3 vlan-id=90

No, do not use vlan=1 as an ID, it's already used in the background by the MT device, use any other number please.
Classic error of creating an extra vlan for the bridge traffic/ports ??? where are the five DHCP pools, dhcp-servers, dhcp-server networks and five IP addresses?
In other words, if you have vlan1 where is the rest? Conclusion: there is no other subnet SO.............. GET RID of VLAN1

You are MISSING ip dhcp client for wan3 ???
/ip dhcp-client
add add-default-route=no interface=vlan90_WAN3


Ensure you ADD
/interface list member
add interface=WAN1 list=WAN
add interface=WAN2GradwellSoGEA list=WAN
add interface=vlan90_WAN3 list=WAN
add interface=WAN3-Future list=WAN ( just to be safe )
......................



Final thought, this was kind of silly, you have a bridge mismatch, but anyway you can REMOVE this, it is not required.
add bridge=bridge1 ingress-filtering=yes interface=WAN3-Future pvid=90
 
NetworqAndy
Topic Author
Posts: 17
Joined: Mon Oct 03, 2016 10:58 pm

Re: Internal access to WAN connection over VLAN

Tue Apr 30, 2024 1:57 pm

Hi Anav,

Thanks for your reply. I've worked through your suggestions - the bridgeWAN3 was a hangover from trying a separate bridge approach, but noted on the vlan=1.

I did try adding an IP DHCP CLIENT for WAN3 on the vlan90_WAN3 interface, however this shows as 'invalid' within Winbox on the DHCP client list, and therefore doesn't pick up an IP address. If I delete and recreate the rule it shows with a status of 'stopped'. This is when I started looking for what was different here - the vlan90 interface wasn't on the bridge, it was only assigned to ether3!

I now get an IP address, however even after defining a route I can't ping out using vlan90 as the interface. Something is not quite right but I can't see what... The vlan90 DHCP client is not set to add a default route, so it's added in manually with a distance of 2 (pushing WAN2 to a distance of 3 for testing):
# apr/30/2024 12:13:11 by RouterOS 6.49.14
# software id = E75X-80RJ
#
# model = RB1100Dx4
# serial number = HEY09AX5MMT
# Single VLAN-filtering bridge carrying both the LAN VLANs and the ISP VLAN 90.
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge-5
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name=WAN3WF300
set [ find default-name=ether4 ] name=WAN4-Future
set [ find default-name=ether6 ] comment=TRNK-REC-18
set [ find default-name=ether7 ] comment=TRNK-REC-21
set [ find default-name=ether8 ] comment=TRNK-REC-34
set [ find default-name=ether9 ] comment=TRNK-SPARE
set [ find default-name=ether10 ] comment=TRNK-REC-SWITCH
set [ find default-name=ether11 ] name=ether11-StaffMGMT
set [ find default-name=ether12 ] name=ether12-StaffMGMT
set [ find default-name=ether13 ] name=ether13-Guest
/interface pppoe-client
add disabled=no interface=WAN2 name=WAN2GradwellSoGEA use-peer-dns=yes user=\
    HIDDEN
/interface l2tp-server
add name=l2tp-in-VPN user=HIDDEN
/interface vlan
add interface=bridge1 name=vlan10_StaffMGMT vlan-id=10
add interface=bridge1 name=vlan20_Guest vlan-id=20
add interface=bridge1 name=vlan30_VOIP vlan-id=30
add interface=bridge1 name=vlan40_CCTV vlan-id=40
# WAN3 now terminates on bridge1, so VLAN 90 arrives tagged over the trunk
# ports. The ISP segment shares the bridge with the LAN VLANs; bridge VLAN
# filtering here and the port settings on the switch are the only separation.
add comment="WAN3 - WF 300/300 Fibre Connection" interface=bridge1 name=\
    vlan90_WAN3 vlan-id=90
/caps-man datapath
add bridge=bridge1 name=datapath_StaffMGMT vlan-id=10 vlan-mode=use-tag
add bridge=bridge1 name=datapath_Guest vlan-id=20 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security_StaffMGMT
add authentication-types=wpa2-psk encryption=aes-ccm name=security_Guest
/caps-man configuration
add country="united kingdom" datapath=datapath_Guest \
    datapath.client-to-client-forwarding=no datapath.vlan-id=20 \
    datapath.vlan-mode=use-tag installation=indoor mode=ap name=cfg_GuestWifi \
    security=security_Guest ssid=OldMill_GuestWiFi
add country="united kingdom" datapath=datapath_StaffMGMT datapath.bridge=\
    bridge1 installation=indoor mode=ap name=cfg_StaffMGMT security=\
    security_StaffMGMT ssid=OldMill_Staff
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
# Interface lists drive the firewall (input/forward) and NAT below.
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_StaffMGMT ranges=10.10.100.1-10.10.199.254
add name=dhcp_Guest ranges=10.20.100.1-10.20.199.254
add name=dhcp_VOIP ranges=10.30.100.1-10.30.199.254
add name=dhcp_CCTV ranges=10.40.100.1-10.40.199.254
add name=dhcp_VPN ranges=10.10.200.1-10.10.200.254
/ip dhcp-server
add address-pool=dhcp_StaffMGMT disabled=no interface=vlan10_StaffMGMT \
    lease-time=4w2d name=dhcpStaffMGMT
add address-pool=dhcp_Guest disabled=no interface=vlan20_Guest lease-time=1d \
    name=dhcpGuest
add address-pool=dhcp_VOIP disabled=no interface=vlan30_VOIP lease-time=\
    4w2d10m name=dhcpVOIP
# NOTE(review): the CCTV server hands out the dhcp_VOIP pool (10.30.100.x) while
# the dhcp_CCTV pool defined above is unused; leases on vlan40 would not match
# the 10.40.0.0/16 network/gateway configured under /ip dhcp-server network.
add address-pool=dhcp_VOIP disabled=no interface=vlan40_CCTV lease-time=\
    4w2d10m name=dhcpCCTV
/ppp profile
set *0 interface-list=LAN
# VPN sessions land in the LAN list, so they are covered by the LAN->WAN forward
# rule and the LAN DNS input rules, but not by the MGMT rules.
add bridge=bridge1 interface-list=LAN local-address=dhcp_StaffMGMT name=\
    SquibbyVPN remote-address=dhcp_VPN
/queue type
add kind=pcq name=pcq-download-guest pcq-classifier=dst-address pcq-rate=10M
add kind=pcq name=pcq-upload-guest pcq-classifier=src-address pcq-rate=5M
/queue simple
add disabled=yes max-limit=900M/900M name=Global queue=\
    ethernet-default/ethernet-default target=\
    10.10.0.0/16,10.20.0.0/16,10.30.0.0/16,10.40.0.0/16
add limit-at=700M/500M max-limit=700M/500M name=Guest queue=\
    pcq-upload-guest/pcq-download-guest target=10.20.0.0/16
/caps-man manager
set enabled=yes package-path=/ upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge1
add disabled=no interface=vlan10_StaffMGMT
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg_StaffMGMT \
    name-format=identity slave-configurations=cfg_GuestWifi
/dude
set enabled=yes
/interface bridge port
# Trunks: tagged-only with ingress filtering, so untagged frames from the
# switch side are dropped at the bridge. WAN3WF300 (ether3) is not a bridge
# port in this export.
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether6
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether7
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether8
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether9
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether10
# Access ports: pvid sets the untagged VLAN. frame-types is left at its default,
# so tagged frames for a VLAN the port is a member of are still admitted;
# frame-types=admit-only-untagged-and-priority-tagged would restrict these
# ports to untagged traffic only — consider.
add bridge=bridge1 ingress-filtering=yes interface=ether11-StaffMGMT pvid=10
add bridge=bridge1 ingress-filtering=yes interface=ether12-StaffMGMT pvid=10
add bridge=bridge1 ingress-filtering=yes interface=ether13-Guest pvid=20
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether6,ether7,ether8,ether9,ether10 \
    untagged=ether11-StaffMGMT,ether12-StaffMGMT,ether13-Guest vlan-ids=10
# port with pvid added to untagged group which might cause problems, consider adding a separate VLAN entry
# NOTE(review): WAN3WF300 is listed as a tagged member of 20,30,40,90 but has no
# entry under /interface bridge port above, so this reference is stale or the
# port was meant to be added. If it is added, a separate entry with vlan-ids=90
# would keep the ISP-facing port out of the LAN VLANs.
add bridge=bridge1 tagged=\
    bridge1,ether6,ether7,ether8,ether9,ether10,WAN3WF300 vlan-ids=\
    20,30,40,90
/interface l2tp-server server
# NOTE(review): use-ipsec=yes accepts L2TP both with and without IPsec; only
# use-ipsec=required rejects unencrypted sessions — confirm which is intended
# given UDP 1701 is open on WAN2 below.
set default-profile=SquibbyVPN enabled=yes use-ipsec=yes
/interface list member
add interface=WAN1 list=WAN
add interface=vlan10_StaffMGMT list=LAN
add interface=vlan20_Guest list=LAN
add interface=vlan30_VOIP list=LAN
add interface=vlan40_CCTV list=LAN
add interface=vlan10_StaffMGMT list=MGMT
add interface=OffBridge-5 list=MGMT
add interface=WAN2GradwellSoGEA list=WAN
# vlan90_WAN3 in WAN: masquerade, the LAN->WAN forward rule and the input
# "Drop all else" now all apply to it.
add interface=vlan90_WAN3 list=WAN
/interface pppoe-server server
add default-profile=SquibbyVPN disabled=no interface=<l2tp> service-name=\
    service1
/ip address
add address=10.30.0.1/16 interface=vlan30_VOIP network=10.30.0.0
add address=10.40.0.1/16 interface=vlan40_CCTV network=10.40.0.0
add address=10.10.0.1/16 interface=vlan10_StaffMGMT network=10.10.0.0
add address=10.20.0.1/16 interface=vlan20_Guest network=10.20.0.0
add address=192.168.55.1/24 interface=OffBridge-5 network=192.168.55.0
/ip dhcp-client
# Neither lease installs a default route; the static /ip route entries below
# provide them.
add add-default-route=no disabled=no interface=WAN1
add add-default-route=no disabled=no interface=vlan90_WAN3
/ip dhcp-server lease
#LOADS OF LEASES REMOVED HERE
/ip dhcp-server network
# Clients are pointed straight at public resolvers rather than at the router.
add address=10.10.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.0.1
add address=10.20.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.20.0.1
add address=10.30.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.30.0.1
add address=10.40.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.40.0.1
/ip dns
# allow-remote-requests is not set in this export, so the port-53 input accepts
# from LAN below appear to permit a service the router is not serving — confirm.
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.20.100.1-10.20.199.254 list=Guest
add address=10.10.100.0/24 list=local
add address=10.20.100.0/24 list=local
add address=10.30.100.0/24 list=local
add address=10.40.100.0/24 list=local
add address=10.10.0.1-10.10.199.254 list=localLAN
add address=10.10.200.1-10.10.200.254 list=VPN
/ip firewall filter
# Input policy: established/related, drop invalid, ICMP from anywhere,
# IPsec/L2TP only on WAN2, loopback for CAPsMAN, everything from MGMT,
# DNS from LAN, then drop.
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
# NOTE(review): VPN ingress is still bound to WAN2GradwellSoGEA only; clients
# arriving via vlan90_WAN3 fall through to "Drop all else" until these rules
# are widened (e.g. to in-interface-list=WAN).
add action=accept chain=input in-interface=WAN2GradwellSoGEA protocol=\
    ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=\
    WAN2GradwellSoGEA protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Every host on vlan10_StaffMGMT and OffBridge-5 reaches all router services;
# no port restriction here.
add action=accept chain=input in-interface-list=MGMT
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward comment=\
    "fasttrack - disabled to allow queue function" connection-state=\
    established,related disabled=yes
add action=accept chain=forward comment=related-establ-untracked \
    connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=accept chain=forward comment="MGMT to all vlans" \
    in-interface-list=MGMT out-interface-list=LAN
add action=drop chain=forward comment="drop all else"
# NOTE(review): this VPN accept sits after the terminating "drop all else", so
# it can never match; move it above the drop if VPN clients should reach
# localLAN (inter-VLAN traffic other than MGMT->LAN is otherwise dropped).
add action=accept chain=forward comment=VPN dst-address-list=localLAN \
    src-address-list=VPN
/ip firewall mangle
add action=mark-connection chain=forward comment=\
    "Disabled as currently set for DUAL WAN not PCC Load Balancing" \
    connection-mark=no-mark disabled=yes dst-address-type=!local \
    in-interface-list=LAN new-connection-mark=viaWAN1 passthrough=yes \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=forward comment=\
    "Disabled as currently set for DUAL WAN not PCC Load Balancing" \
    connection-mark=no-mark disabled=yes dst-address-type=!local \
    in-interface-list=LAN new-connection-mark=viaWAN2 passthrough=yes \
    per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment=\
    "Disabled as currently set for DUAL WAN not PCC Load Balancing" \
    connection-mark=viaWAN1 disabled=yes new-routing-mark=useWAN1 \
    passthrough=no
add action=mark-routing chain=prerouting comment=\
    "Disabled as currently set for DUAL WAN not PCC Load Balancing" \
    connection-mark=viaWAN2 disabled=yes new-routing-mark=useWAN2 \
    passthrough=no
/ip firewall nat
# Masquerade on every WAN-list interface. ipsec-policy=out,none matches only
# packets with no outgoing IPsec policy, so IPsec-protected traffic is not NATed.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add comment="Disabled as not load balancing" disabled=yes distance=1 gateway=\
    192.168.2.1 routing-mark=useWAN1
add comment="Disabled as not load balancing" disabled=yes distance=1 gateway=\
    WAN2GradwellSoGEA routing-mark=useWAN2
add check-gateway=ping distance=1 gateway=WAN1
# NOTE(review): the WAN3 default route names the VLAN interface rather than the
# ISP's next-hop address, and the vlan90 dhcp-client above has
# add-default-route=no, so the gateway learned from DHCP is never installed.
# Letting the client add it (add-default-route=yes default-route-distance=2)
# keeps this distance ordering while using the real next hop — confirm on 6.49.
add distance=2 gateway=vlan90_WAN3
add distance=3 gateway=WAN2GradwellSoGEA
/ppp secret
# routes= pushes 10.10.0.0/16 to the connecting client; name is redacted.
add name=HIDDEN profile=SquibbyVPN routes=10.10.0.0/16
/system clock
set time-zone-name=Europe/London
/system identity
set name=RB1100-Reception
/tool sniffer
set filter-interface=WAN1

Thanks Anav for your help as always!!!
