MrAmos123
just joined
Topic Author
Posts: 1
Joined: Sat Jun 11, 2022 11:05 pm

Dual WAN DHCP & Routing Oddities

Fri Nov 11, 2022 12:56 am

Hi,
I'm having issues replacing my current router with my new RB5009UPr+S+; my cfg is yielding strange behaviours.
The current router is a home pfSense setup with almost exactly the same configuration as the diagram below. I'm trying to recreate it in RouterOS to replace pfSense.

Issues:
  • DHCP only seems to provide to a handful of clients (? I wonder if it's some remembered 'route')
  • It doesn't even seem to provide my switches and APs with IPs. (They're DHCP-enabled)
  • WAN connectivity is intermittent.
  • I can access/ping any WAN address from the MikroTik itself.
  • DNS is non-existent.
I'm trying to configure for Dual WAN, exposing the 'Vodafone' link strictly only on VLAN 103.
I was trying to use DHCP to direct the traffic via a NAT rule for this. "Any device on VLAN 103 given from DHCP pool X.X.3.X. Where network X.X.3.X/24 use ETH2-WAN-VF"
I've drawn a small diagram explaining how I wish it would work.
102 should be isolated.
101 and 103 can cross-talk. (I didn't yet add this rule in below cfg)

I'm certain this is a lack of understanding and misconfiguration on my behalf. So apologies for the silly mistakes.

I'd appreciate any help/pointers that may help fix these problems.
/interface bridge
add admin-mac=18:FD:74:CC:B3:14 auto-mac=no comment="LAN Bridge" name=BRIDGE1-LAN
/interface ethernet
set [ find default-name=ether1 ] name=ETH1-WAN-VM
set [ find default-name=ether2 ] name=ETH2-WAN-VF
set [ find default-name=ether3 ] name=ETH3-LAN-TRUNK
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=BRIDGE1-LAN name=VLAN-102 vlan-id=101
add interface=BRIDGE1-LAN name=VLAN-102 vlan-id=102
add interface=BRIDGE1-LAN name=VLAN-103 vlan-id=103
/interface pppoe-client
add add-default-route=yes disabled=no interface=ETH1-WAN-VF keepalive-timeout=disabled name=PPPoE-WAN-VF user=XXXXXXXX@broadband.vodafone.co.uk
/interface list
add comment=WAN-VM name=WAN-VM
add comment=LAN name=LAN
add comment=WAN-VF name=WAN-VF
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=VL101-IoT ranges=10.10.1.100-10.10.1.199
add name=VL102-Guest ranges=10.10.2.100-10.10.2.199
add name=VL103-VF ranges=10.10.3.100-10.10.3.199
/ip dhcp-server
add address-pool=VL101-IoT interface=VLAN-101 lease-time=1h name="VL101 - IoT"
add address-pool=VL102-Guest interface=VLAN-102 lease-time=1h name="VL102 - Guest"
add address-pool=VL103-VF interface=VLAN-103 lease-time=1h name="VL103 - VF"
/interface bridge port
add bridge=BRIDGE1-LAN comment=defconf interface=ETH3-LAN-TRUNK
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment="LAN Trunk" interface=BRIDGE1-LAN list=LAN
add comment="WAN VM" interface=ETH2-WAN-VM list=WAN-VM
add comment="WAN VF" interface=ETH1-WAN-VF list=WAN-VF
/ip address
add address=10.10.1.1/24 comment="VLAN101 - Virgin Media" interface=VLAN-101 network=10.10.1.0
add address=10.10.2.1/24 comment="VLAN102 - Virgin Media Guest" interface=VLAN-102 network=10.10.2.0
add address=10.10.3.1/24 comment="VLAN103 - Vodafone" interface=VLAN-103 network=10.10.3.0
/ip dhcp-client
add comment="WAN DHCP" interface=ETH2-WAN-VM
/ip dhcp-server network
add address=10.10.1.0/24 comment="VL101 - IoT" dns-server=1.1.1.1 gateway=10.10.1.1
add address=10.10.2.0/24 comment="VL102 - Guest" dns-server=1.1.1.1 gateway=10.10.2.1
add address=10.10.3.0/24 comment="VL103 - Vodafone" dns-server=1.1.1.1 gateway=10.10.3.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=\
    WAN-VM
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=\
    WAN-VF
/ip firewall nat
add action=masquerade chain=srcnat comment="VL101 to WAN" out-interface-list=WAN-VM src-address=10.10.1.0/24
add action=masquerade chain=srcnat comment="VL102 to WAN" out-interface-list=WAN-VM src-address=10.10.2.0/24
add action=masquerade chain=srcnat comment="VL103 to WAN" out-interface-list=WAN-VF src-address=10.10.3.0/24
/ipv6 firewall filter
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system identity
set name=MTK-Router
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[Image: network diagram]

Appreciate anyone's comments and feedback. :)
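
An added example, not part of the original post and not MikroTik tooling: a small Python check that cross-references every `interface=` value in a RouterOS export against the interface names the export itself defines, and flags names defined more than once. The sample is an abridged excerpt constructed from lines of the export above; `audit`, `DEFINING` and `PAIR` are names assumed for this example.

```python
import re
from collections import Counter

# Constructed sample: abridged lines taken from the export in the post above.
SAMPLE = """\
/interface bridge
add comment="LAN Bridge" name=BRIDGE1-LAN
/interface ethernet
set [ find default-name=ether1 ] name=ETH1-WAN-VM
set [ find default-name=ether2 ] name=ETH2-WAN-VF
set [ find default-name=ether3 ] name=ETH3-LAN-TRUNK
/interface vlan
add interface=BRIDGE1-LAN name=VLAN-102 vlan-id=101
add interface=BRIDGE1-LAN name=VLAN-102 vlan-id=102
add interface=BRIDGE1-LAN name=VLAN-103 vlan-id=103
/interface pppoe-client
add interface=ETH1-WAN-VF name=PPPoE-WAN-VF
/ip dhcp-server
add address-pool=VL101-IoT interface=VLAN-101 name="VL101 - IoT"
/interface list member
add interface=ETH2-WAN-VM list=WAN-VM
"""

# Sections whose name= creates an interface (assumption: only these four are
# needed here; interfaces left at their default name are not tracked).
DEFINING = {"/interface bridge", "/interface ethernet",
            "/interface vlan", "/interface pppoe-client"}
PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def audit(export):
    """Return (duplicate interface names, dangling (section, interface) refs)."""
    defined, refs, section = Counter(), [], ""
    # Join lines that the export wrapped with a trailing backslash.
    for line in re.sub(r"\\\n\s*", "", export).splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
            continue
        for key, value in PAIR.findall(line):
            value = value.strip('"')
            if key == "name" and section in DEFINING:
                defined[value] += 1
            elif key == "interface":
                refs.append((section, value))
    duplicates = sorted(n for n, c in defined.items() if c > 1)
    dangling = sorted({(s, v) for s, v in refs if v not in defined})
    return duplicates, dangling

if __name__ == "__main__":
    dups, dangling = audit(SAMPLE)
    print("duplicate names:", dups)
    for sec, name in dangling:
        print(f"{sec}: interface={name} is not defined in this export")
```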
